The H3C S5500-EI & S5500-SI documentation set includes 10 configuration guides, which describe the software features for the H3C S5500-EI & S5500-SI Switch Series Release 2220, and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
• Configuring a MAC authentication critical VLAN.
• Configuring MAC authentication delay.
Portal
Added features:
• Configuring IPv6 portal. (Available only on the S5500-EI series)
• Setting a ciphertext shared key.
Triple authentication
Port security
User profile
Modified features:
• Clearing all users from the password control blacklist.
Configuration guide: Added and modified features
TCP attack protection
IP source guard
ARP attack protection: Added feature: Configuring a user validity check rule.
ND attack defense
URPF
SAVI: Added feature: Setting the deletion delay time for SAVI.
Black list
FIPS: FIPS is a newly added feature.
Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
About the S5500-EI & S5500-SI documentation set
The H3C S5500-EI & S5500-SI documentation set includes:
Category / Documents / Purposes
Marketing brochure: Describes product specifications and benefits.
Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
Documentation feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
Tearing down user connections ..... 47
Configuring a NAS ID-VLAN binding ..... 47
Specifying the device ID used in stateful failover mode (available only on the S5500-EI series) ..... 48
Configuring a switch as a RADIUS server ..... 48
...
EAP relay ..... 83
EAP termination ..... 86
Configuring 802.1X ..... 87
H3C implementation of 802.1X ..... 87
Access control methods ..... 87
Using 802.1X authentication with other features ..... 87
Configuration prerequisites ..... 92
...
Portal system components ..... 132
Portal system using the local portal server ..... 134
Portal authentication modes ..... 135
Portal support for EAP (available only on the S5500-EI series) ..... 136
Layer 2 portal authentication process ..... 137
...
Specifying the local portal server for Layer 2 portal authentication ..... 145
Specifying a portal server for Layer 3 portal authentication (available only on the S5500-EI series) ..... 146
Configuring the local portal server ..... 146
...
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ..... 202
Configuring port security ..... 208
Overview ..... 208
Port security features ..... 208
Port security modes ..... 208
Working with guest VLAN and Auth-Fail VLAN ..... 211
...
Configuring the HABP server ..... 245
Configuring an HABP client ..... 245
Displaying and maintaining HABP ..... 246
HABP configuration example ..... 246
Managing public keys ..... 249
Overview ..... 249
FIPS compliance ..... 249
...
Configuring SSH2.0 ..... 314
Overview ..... 314
SSH operation ..... 314
SSH connection across VPNs (Available only on the S5500-EI series) ..... 316
FIPS compliance ..... 317
Configuring the switch as an SSH server ..... 317
...
Setting the SSH management parameters ..... 321
Setting the DSCP value for packets sent by the SSH server ..... 322
Configuring the switch as an SSH client ..... 322
SSH client configuration task list ..... 322
Specifying a source IP address/interface for the SSH client ...
Displaying and maintaining TCP attack protection ..... 362
Configuring IP source guard ..... 364
Overview ..... 364
Static IP source guard entries ..... 364
Dynamic IP source guard entries ..... 365
Configuration task list ..... 365
...
Configuring AAA
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and...
RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol.
Figure 3 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user’s username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings.
Table 1 Main values of the Code field
Code / Packet type / Description...
• The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields:
Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes contain a code that is compliant with RFC 1700. The vendor ID of H3C is 25506. For more information about the proprietary RADIUS sub-attributes of H3C, see "H3C proprietary RADIUS...
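The Access-Request exchange and attribute layout described above, as an added example that is not from the H3C guide or from any H3C code: it builds a minimal RADIUS Access-Request with the RFC 2865 User-Password hiding (the MD5-with-shared-key "encryption" the text mentions, which is keyed obfuscation that is only as strong as the secrecy of the shared key and the unpredictability of the Request Authenticator), a Vendor-Specific attribute carrying H3C's Vendor-ID 25506, and a parser that rejects malformed attributes the way a receiving server should. The username hello@bbb and shared key expert echo the guide's configuration examples; the password, the vendor sub-attribute type 1 and its data, and the fixed authenticator are constructed placeholders.

```python
import hashlib
import struct

H3C_VENDOR_ID = 25506      # from the guide: MSB 0, then a 3-byte vendor code
ACCESS_REQUEST = 1         # Code value for Access-Request
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
HEADER_LEN = 20            # Code, Identifier, Length, Request Authenticator

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    the first block keyed by the Request Authenticator."""
    pad = 16 if not password else (-len(password)) % 16   # empty -> one block
    padded = password + b"\x00" * pad
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block               # chain on the hidden block, not the clear one
    return bytes(hidden)

def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; a wrong shared key yields garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(clear).rstrip(b"\x00")

def encode_tlv(tlv_type, value):
    """Type (1 byte), Length (1 byte, counts itself and Type), Value."""
    if len(value) > 253:
        raise ValueError("value must fit in 253 bytes")
    return struct.pack("!BB", tlv_type, len(value) + 2) + value

def encode_h3c_vsa(vendor_type, vendor_data):
    """Vendor-Specific (26): Vendor-ID, then one Vendor-Type/Length/Data (Figure 5)."""
    sub = encode_tlv(vendor_type, vendor_data)    # vendor_type is a placeholder here
    return encode_tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", H3C_VENDOR_ID) + sub)

def walk_tlvs(buf, start, end):
    """buf[start:end] -> [(type, value)], rejecting bad lengths and truncation."""
    items, pos = [], start
    while pos < end:
        if pos + 2 > end or buf[pos + 1] < 2 or pos + buf[pos + 1] > end:
            raise ValueError("malformed TLV at offset %d" % pos)
        items.append((buf[pos], buf[pos + 2:pos + buf[pos + 1]]))
        pos += buf[pos + 1]
    return items

def build_access_request(identifier, username, password, secret, authenticator, extra=()):
    attrs = encode_tlv(ATTR_USER_NAME, username)
    attrs += encode_tlv(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += b"".join(extra)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs

def parse_packet(pkt):
    """-> (code, identifier, authenticator, attrs); bytes past Length are padding."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("Length field inconsistent with packet")
    return code, identifier, pkt[4:HEADER_LEN], walk_tlvs(pkt, HEADER_LEN, length)

def parse_vsa(value):
    """Vendor-Specific value -> (vendor_id, [(vendor_type, vendor_data), ...])."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than Vendor-ID")
    return struct.unpack("!I", value[:4])[0], walk_tlvs(value, 4, len(value))

def is_well_formed(pkt):
    try:
        return bool(parse_packet(pkt))
    except ValueError:
        return False

def server_view(pkt, secret):
    """What a server holding the same shared key recovers from pkt."""
    code, identifier, auth, attrs = parse_packet(pkt)
    seen = {"code": code, "identifier": identifier, "length": len(pkt)}
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_NAME:
            seen["username"] = value
        elif attr_type == ATTR_USER_PASSWORD:
            seen["password"] = reveal_password(value, secret, auth)
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            seen["vendor_id"], seen["subs"] = parse_vsa(value)
    return seen

def sample_request():
    """Constructed client request; the fixed authenticator keeps it deterministic
    (a real client must use a fresh random Request Authenticator per request)."""
    return build_access_request(7, b"hello@bbb", b"constructed-pw", b"expert",
                                bytes(range(16)), [encode_h3c_vsa(1, b"1000000")])
```

Calling server_view(sample_request(), b"expert") shows the password recovered only because both sides hold the same key; feeding sample_request()[:-1] or an attribute with Length 1 to is_well_formed shows the discard checks firing.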
Figure 5 Segment of a RADIUS packet containing an extended attribute (fields: Type, Length, Vendor-ID, Vendor-Type, Vendor-Length, Vendor-Data)
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
Figure 6 Basic HWTACACS message exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server)
1) The user logs in.
2) Start-authentication packet.
3) Authentication response requesting the username.
4) Request for username.
5) The user inputs the username.
6) Authentication continuance packet with the username.
7) Authentication response requesting the login...
The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client then sends an authorization request packet for the user to the HWTACACS server.
• Portal users—Users who must pass portal authentication to access the network.
In addition, AAA provides the following services for login users to enhance switch security:
• Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute.
A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an H3C switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an H3C switch as the RADIUS server.
Maximum idle time permitted for the user before termination of the session.
Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an H3C device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier...
...Access-Requests. This attribute is used when RADIUS supports EAP authentication.
NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.
H3C proprietary RADIUS sub-attributes
Sub-attribute / Description
Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
Sub-attribute / Description
Remanent_Volume: Remaining, available total traffic of the connection, in different units for different server types.
Command: Operation for the session, used for session control. It can be:
• 1—Trigger-Request.
• 2—Terminate-Request.
• 3—SetPolicy.
• 4—Result.
• 5—PortalClear.
Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value.
Sub-attribute / Description
Output-Interval-Gigawords: Result of bytes output within an accounting interval divided by 4G bytes.
Backup-NAS-IP: Backup source IP address for sending RADIUS packets.
Product_ID: Product name.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
Configuring a NAS ID-VLAN binding: Optional.
Specifying the device ID used in stateful failover mode (available only on the S5500-EI series): Optional.
Configuring a switch as a RADIUS server: Optional.
NOTE: To use AAA methods to control access of login users, you must configure the user interfaces to use AAA by using the authentication-mode command.
Indicates how many users can use the same local user account for local authentication.
• Validity time and expiration time. Indicates the validity time and expiration time of a local user account. A user must use a valid local user account to pass local authentication. For temporary network access requirements, you can create a guest account and specify a validity time and an expiration time for the account to control the validity of the account.
Configuring local user attributes Follow these guidelines when you configure local user attributes: • If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to the user.
Step: Set the maximum number of concurrent users of the local user account.
Command: access-limit max-user-number
Remarks: Optional. By default, there is no limit to the maximum number of concurrent users of a local user account. The limit is effective only for local accounting, and is not effective for FTP users.
Configuring user group attributes User groups simplify local user configuration and management. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group.
Specifying the RADIUS accounting servers and the relevant parameters: Optional
Specifying the shared keys for secure RADIUS communication: Optional
Specifying the VPN to which the servers belong (available only on the S5500-EI series): Optional
Setting the username format and traffic statistics units: Optional
...
Step: Enter system view. Command: system-view
Step: Create a RADIUS scheme and enter RADIUS scheme view. Command: radius scheme radius-scheme-name. Remarks: No RADIUS scheme exists by default.
NOTE: A RADIUS scheme can be referenced by multiple ISP domains at the same time.
Specifying the RADIUS authentication/authorization servers
You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme.
A shared key configured on the switch must be the same as that configured on the RADIUS server. Specifying the VPN to which the servers belong (available only on the S5500-EI series) After you specify a VPN for a RADIUS scheme, all the authentication/authorization/accounting servers specified for the scheme belong to the VPN.
The supported RADIUS server type determines the type of the RADIUS protocol that the switch uses to communicate with the RADIUS server. It can be standard or extended:
• Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later.
• Extended—Uses the proprietary RADIUS protocol of H3C.
When the RADIUS server runs on CAMS or IMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies. For the switch to function as a RADIUS server to authenticate login users, you must set the RADIUS server type to standard.
are no longer available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers. Generally, the switch chooses servers based on these rules:
• When the primary server is in active state, the switch communicates with the primary server.
Step: Set the status of the primary RADIUS servers. Remarks: Optional.
• Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block }
• Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
• ...
To specify a source IP address for a specific RADIUS scheme:
Step: Enter system view. Command: system-view
Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name
Step: Specify a source IP address for outgoing RADIUS packets. Command: nas-ip { ip-address | ipv6 ... Remarks: By default, the IP address of the outbound interface is used as the source IP address.
NOTE: The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby switch. Setting timers for controlling communication with RADIUS servers The switch uses the following types of timers to control the communication with a RADIUS server: •...
Configuring the IP address of the security policy server The core of the H3C EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
Step: Enter system view. Command: system-view
Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name
Step: Specify a security policy server. Command: security-policy-server ip-address. Remarks: No security policy server is specified by default.
Configuring interpretation of RADIUS class attribute as CAR parameters
According to RFC 2865, a RADIUS server assigns the RADIUS class attribute (attribute 25) to a RADIUS client.
Step: Enter system view. Command: system-view
Step: Enable the trap function for RADIUS. Command: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }. Remarks: Disabled by default.
Enabling the RADIUS client service
To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.
Specifying the shared keys for secure HWTACACS communication: Required
Specifying the VPN to which the servers belong (available only on the S5500-EI series): Optional
Setting the username format and traffic statistics units: Optional
Specifying a source IP address for outgoing HWTACACS packets...
Specifying the HWTACACS authentication servers
You can specify one primary authentication server and up to one secondary authentication server for an HWTACACS scheme. When the primary server is not available, any secondary server is used. In a scenario where redundancy is not required, specify only the primary server. Follow these guidelines when you specify HWTACACS authentication servers:
• An HWTACACS server can function as the primary authentication server of one scheme and as the...
Step: Specify HWTACACS authorization servers. Remarks: Configure at least one command. No authorization server is specified by default.
• Specify the primary HWTACACS authorization server: primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
• Specify the secondary HWTACACS authorization server: secondary authorization ip-address [ port-number | vpn-instance...
A shared key configured on the switch must be the same as that configured on the HWTACACS server. Specifying the VPN to which the servers belong (available only on the S5500-EI series) After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN.
The switch periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and that for packets on the switch are consistent with those configured on the HWTACACS servers. Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme: If an HWTACACS server does not support a username that carries the domain name, configure the...
Step: Enter system view. Command: system-view
Step: Specify a source IP address for outgoing HWTACACS packets. Command: hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]. Remarks: By default, the IP address of the outbound interface is used as the source IP address.
To specify a source IP address for a specific HWTACACS scheme:
Step / Command / Remarks...
Step: Set the real-time accounting interval. Command: realtime-accounting minutes. Remarks: Optional. The default real-time accounting interval is 12 minutes.
NOTE: Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance.
Displaying and maintaining HWTACACS
Task / Command...
Creating an ISP domain In a networking scenario with multiple ISPs, the switch may connect users of different ISPs, and users of different ISPs may have different user attributes, such as different username and password structures, different service types, and different rights. To distinguish the users of different ISPs, configure ISP domains, and configure different AAA methods and domain attributes for the ISP domains.
ISP domain. Available only on the S5500-EI series Configuring AAA authentication methods for an ISP domain In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request.
capacity, high reliability, and support for centralized authentication service for multiple NASs. You can configure local or no authentication as the backup method, which is used when the remote server is not available. No authentication can only be configured for LAN users as the backup method of remote authentication.
Step: Specify the authentication method for LAN users. Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }. Remarks: Optional. The default authentication method is used by default.
Step: Specify the authentication method for login users. Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | ... Remarks: Optional. The default authentication...
• If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails.
• Remote accounting (scheme)—The NAS works with a RADIUS server or HWTACACS server for accounting. You can configure local or no accounting as the backup method, which is used when the remote server is not available.
By default, an ISP domain uses the local accounting method.
Before configuring accounting methods, complete the following tasks:
For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be referenced first.
Step: Specify the accounting method for LAN users. Command: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }. Remarks: Optional. The default accounting method is used by default.
Step: Specify the accounting method for login users. Command: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local ... Remarks: Optional. The default accounting method...
Follow these guidelines when you specify the device ID used in stateful failover mode:
• Configuring or changing the device ID of a switch logs out all online users of the switch.
• H3C recommends that you save the configuration and reboot the switch after configuring or changing the device ID.
Step: Enter system view. Command: system-view
Step: Create a RADIUS user and enter RADIUS server user view. Command: radius-server user user-name. Remarks: No RADIUS user exists by default.
Step: Configure a password for the RADIUS user. Command: password [ cipher | simple ] ... Remarks: Optional. By default, no password is...
Configuration procedure
Configure the switch:
# Assign IP addresses to interfaces. (Details not shown.)
# Enable the Telnet server on the switch.
<Switch> system-view
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] quit
# Configure the HWTACACS scheme.
Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type. Select H3C as the access device type. Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
Figure 14 Adding the switch to IMC as an access device Add a user for device management: Click the User tab, and select Device Management User from the navigation tree. Click Add. Configure the following parameters: Enter hello@bbb as the username and set the password. Select SSH as the service type.
Figure 15 Adding an account for device management
Configuring the switch
# Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure authentication communication to expert.
[Switch-radius-rad] key authentication expert
# Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
# Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on CAMS or IMC.
Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select LAN Access Service as the service type. Select H3C as the access device type. Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2.
Figure 17 Adding the switch to IMC as an access device Define a charging policy: Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree. Click Add. Configure the following parameters: Enter UserAcct as the plan name. Select Flat rate as the charging template.
Figure 18 Defining a charging policy Add a service: Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Click Add. Configure the following parameters: Enter Portal-auth/acct as the service name and dm1 as the service suffix. The service suffix indicates the authentication domain for portal users.
Create an account for portal users: Click the User tab, and select All Access Users from the navigation tree. Click Add. Configure the following parameters: Select the user hello, or add the user if it does not exist. Enter portal as the account name and set the password. Select the access service Portal-auth/acct.
Figure 21 Portal server configuration Configure an IP address group permitted for portal access: Select User Access Manager > Portal Service Management > IP Group from the navigation tree. Click Add. Configure the following parameters: Enter Portal_user as the IP group name. Set the start IP address to 192.168.1.1 and the end IP address to 192.168.1.255.
Add the switch to IMC as a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure Click Add.
Figure 24 Portal device list
Figure 25 Port group configuration
Validate the configuration: Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree.
Configuring the switch
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch>...
[Switch-Vlan-interface2] quit Verifying the configuration The user can initiate portal authentication by using H3C iNode client or by accessing a Web page. All initiated Web requests are redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page. After passing portal authentication, the user can access the Internet.
Index=20 ,Username=portal@dm1 IP=192.168.1.58 IPv6=N/A MAC=00-15-E9-A6-7C-FE Total 1 connection(s) matched.
AAA for 802.1X users by a RADIUS server
Network requirements
As shown in Figure 26, configure the switch to:
• Use the RADIUS server for authentication, authorization, and accounting of 802.1X users.
• Use MAC-based access control on GigabitEthernet 1/0/1 to authenticate all 802.1X users on the ...
Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select LAN Access Service as the service type. Select H3C as the access device type. Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2.
Figure 28 Defining a charging policy Add a service: Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Click Add. Configure the following parameters: Enter Dot1x auth as the service name and bbb as the service suffix. The service suffix indicates the authentication domain for 802.1X users.
Figure 29 Adding a service Create an account for 802.1X users: Click the User tab, and select All Access Users from the navigation tree. Click Add. Configure the following parameters: Select the user test, or add the user if it does not exist. Enter dot1x as the account name and set the password.
Figure 30 Creating an account for 802.1X users
Configuring the switch
Configure a RADIUS scheme:
# Create a RADIUS scheme named rad and enter its view.
<Switch> system-view
[Switch] radius scheme rad
# Set the server type for the RADIUS scheme. When you use CAMS or IMC, set the server type to extended.
[Switch] dot1x port-method macbased interface gigabitethernet 1/0/1
Verifying the configuration
When you use H3C iNode client, no advanced authentication options are required, and the user can pass authentication after entering username dot1x@bbb and the correct password in the client property page.
Total 1 connection matched.
As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user.
Level switching authentication for Telnet users by an HWTACACS server
Network requirements
As shown in Figure 31, configure the switch to:
• Use local authentication for the Telnet user and assign the privilege level of 0 to the user after the ...
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable the switch to provide Telnet service.
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
Trying 192.168.1.70 ... Press CTRL+K to abort Connected to 192.168.1.70 ... ****************************************************************************** * Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved. * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ******************************************************************************...
Username:test@bbb
Password:
<Switch> ?
User view commands:
  display   Display current system information
  ping      Ping function
  quit      Exit from current command view
  ssh2      Establish a secure shell client connection
  super     Set the current user priority level
  telnet    Establish one TELNET connection
  tracert   Trace route function
When switching to user privilege level 3, the Telnet user only needs to enter password enabpass...
Figure 33 Network diagram (Telnet user 192.168.1.2; Switch A as the NAS with Vlan-int2 and Vlan-int3; Switch B as the RADIUS server with Vlan-int2; interface addresses 192.168.1.1/24, 10.1.1.1/24, and 10.1.1.2/24)
Configuration procedure
Assign an IP address to each interface as shown in Figure 33. (Details not shown.)
Configure the NAS:
# Enable the Telnet server on Switch A.
<SwitchA>...
<SwitchB> system-view
[SwitchB] radius-server user aaa
# Configure plaintext password aabbcc for user aaa.
[SwitchB-rdsuser-aaa] password simple aabbcc
[SwitchB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the plaintext shared key as abc.
[SwitchB] radius-server client-ip 10.1.1.1 key simple abc
Verify the configuration: After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A.
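The shared key configured above (key simple abc) never crosses the wire; it is what the NAS uses to hide the User-Password attribute and what both sides use to authenticate the reply. The following added example, written for this page rather than taken from H3C code, models that exchange between a NAS such as Switch A and a RADIUS server such as Switch B, using the constructed account aaa / aabbcc from this example and the RFC 2865 password-hiding and Response Authenticator rules.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes as well."""
    return bytes([atype, 2 + len(value)]) + value


def get_attr(packet: bytes, atype: int) -> bytes:
    """Return the value of the first attribute of the given type after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == atype:
            return packet[pos + 2:pos + length]
        pos += length
    raise KeyError(f"attribute {atype} not present")


def _password_blocks(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out = b""
    prev = request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        # The chain always uses the ciphertext block: the output when encrypting,
        # the input when decrypting.
        prev = block if decrypt else result
    return out


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_blocks(padded, secret, request_auth, decrypt=False)


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _password_blocks(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, request_auth=None):
    """NAS side: a fresh random Request Authenticator and the User-Password hidden under the key."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request, accounts, secret):
    """Server side: recover the password with the key it holds and answer Accept or Reject."""
    identifier, request_auth = request[1], request[4:20]
    username = get_attr(request, USER_NAME).decode()
    password = decrypt_user_password(get_attr(request, USER_PASSWORD), secret, request_auth)
    code = ACCESS_ACCEPT if accounts.get(username) == password else ACCESS_REJECT
    attrs = b""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def nas_verify_response(response, request, secret) -> bool:
    """NAS side: a reply is trusted only if its Response Authenticator matches under the key."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


# Constructed scenario matching this example: key abc, account aaa with password aabbcc.
SECRET = b"abc"
ACCOUNTS = {"aaa": b"aabbcc"}
REQUEST = build_access_request(7, "aaa", "aabbcc", "10.1.1.1", SECRET)
REPLY = server_handle(REQUEST, ACCOUNTS, SECRET)
```

A key mismatch on either side shows up as a Reject (the server decrypts the password to garbage) or as a reply the NAS discards, while the IP and UDP layers look perfectly healthy.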
Analysis
• The NAS and the RADIUS server cannot communicate with each other.
• The NAS is not configured with the IP address of the RADIUS server.
• The UDP ports for authentication/authorization and accounting are not correct.
• The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The H3C devices support only unidirectional traffic control.
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server.
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
• Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by the H3C implementation of 802.1X.
Table 5 EAPOL packet types
Value Type...
Value: 0x02. Type: EAPOL-Logoff. Description: The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body—Content of the packet.
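The EAPOL layout just described (Protocol version, Type, Length, Packet body) is simple enough to check frame by frame, which is useful when reviewing captures from a port that refuses to authenticate. The following added example, not part of the original guide, parses an EAPOL frame and enforces the Length rule for EAPOL-Start and EAPOL-Logoff; the type values other than 0x02 are the standard IEEE 802.1X assignments, and the sample frames are constructed here (the client MAC is the one shown in this page's display output, the switch MAC is made up).

```python
import struct

ETHERTYPE_EAPOL = 0x888E

# EAPOL packet types: 0x02 is the value in Table 5 above; the rest are the
# standard IEEE 802.1X assignments.
EAPOL_TYPES = {
    0x00: "EAP-Packet",
    0x01: "EAPOL-Start",
    0x02: "EAPOL-Logoff",
    0x03: "EAPOL-Key",
    0x04: "EAPOL-Encapsulated-ASF-Alert",
}

# EAP codes carried inside an EAP-Packet (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


class EapolError(ValueError):
    """Raised when a frame violates the EAPOL layout described on this page."""


def parse_eap(body: bytes) -> dict:
    """Parse the EAP header (Code, Identifier, Length) and, for Request/Response, the Type byte."""
    if len(body) < 4:
        raise EapolError("EAP packet shorter than its 4-byte header")
    code, identifier, eap_len = struct.unpack("!BBH", body[0:4])
    if eap_len < 4 or eap_len > len(body):
        raise EapolError(f"bad EAP Length {eap_len} for a {len(body)}-byte body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": identifier, "length": eap_len}
    if code in (1, 2) and eap_len >= 5:
        eap["type"] = body[4]          # Type 1 is Identity, Type 4 is MD5-Challenge
        eap["data"] = body[5:eap_len]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL: 14-byte Ethernet header, then
    Protocol version (1 byte), Type (1 byte), Length (2 bytes), Packet body."""
    if len(frame) < 18:
        raise EapolError("frame too short for an Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise EapolError(f"not an EAPOL frame: EtherType 0x{ethertype:04x}")

    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise EapolError(f"Length field says {length} bytes, frame carries {len(body)}")
    if ptype in (0x01, 0x02) and length != 0:
        # EAPOL-Start and EAPOL-Logoff must have Length 0 and no Packet body.
        raise EapolError(f"{EAPOL_TYPES[ptype]} must have Length 0, got {length}")

    result = {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "version": version,
        "type": EAPOL_TYPES.get(ptype, f"unknown(0x{ptype:02x})"),
        "length": length,
    }
    if ptype == 0x00:
        result["eap"] = parse_eap(body)
    return result


# Constructed sample frames (not captures from the page).
PAE_GROUP = bytes.fromhex("0180c2000003")    # 802.1X PAE group address
CLIENT_MAC = bytes.fromhex("0015e9a67cfe")   # client MAC taken from this page's display output
NAS_MAC = bytes.fromhex("00005e005301")      # made-up switch MAC (documentation range)

# Client -> switch: EAPOL-Start, version 1, Length 0, no body.
EAPOL_START = PAE_GROUP + CLIENT_MAC + b"\x88\x8e" + b"\x01\x01\x00\x00"
# Switch -> client: EAP-Packet carrying EAP Request (code 1), id 1, length 5, Type 1 (Identity).
EAP_REQUEST_IDENTITY = CLIENT_MAC + NAS_MAC + b"\x88\x8e" + b"\x01\x00\x00\x05" + b"\x01\x01\x00\x05\x01"
# Malformed: an EAPOL-Start that claims a 4-byte body.
BAD_START = PAE_GROUP + CLIENT_MAC + b"\x88\x8e" + b"\x01\x01\x00\x04" + b"\x00" * 4
```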
802.1X client, the H3C iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
Access device as the initiator
The access device initiates authentication if a client (for example, the 802.1X client available with Windows XP) cannot send EAPOL-Start packets.
EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an H3C iNode 802.1X client. • The processing is complex on the network access device.
EAP relay
Figure 42 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5...
Figure 42 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.
The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
EAP termination
Figure 43 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.
Figure 43 802.1X authentication procedure in EAP termination mode
In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4).
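The difference between the two procedures above is only who generates the challenge and who recomputes the expected value: in EAP relay the server does both (steps 5 and the comparison described earlier), in EAP termination the access device generates it and hands the server the standard CHAP attributes. The following added example, written for this page and not H3C code, models the three parties with the RFC 1994 / RFC 3748 MD5-Challenge computation, MD5(Identifier || password || challenge), so that both modes can be traced side by side; the account dot1x@bbb and its password are constructed.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response (RFC 1994, RFC 3748): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class Client:
    """The 802.1X client: it only ever sees the EAP Identifier and the challenge."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return md5_challenge_response(identifier, self.password, challenge)


class AuthServer:
    """The RADIUS server: holds the accounts and recomputes the expected response."""

    def __init__(self, accounts: dict):
        self.accounts = accounts

    def new_challenge(self) -> bytes:
        # EAP relay, step 5: the server generates the challenge.
        return os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.accounts.get(username)
        if password is None:
            return False
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


def eap_relay(client: Client, server: AuthServer) -> bool:
    """EAP relay: the access device wraps EAP packets in RADIUS EAP-Message attributes and
    never looks inside them; the challenge comes from the server and returns to it unchanged."""
    identifier = 1
    challenge = server.new_challenge()                # EAP-Request/MD5-Challenge, relayed to the client
    response = client.answer(identifier, challenge)   # EAP-Response/MD5-Challenge, relayed to the server
    return server.verify(client.username, identifier, challenge, response)


def eap_termination(client: Client, server: AuthServer) -> bool:
    """EAP termination: the access device generates the challenge itself (step 4) and sends the
    result to the server as ordinary CHAP: CHAP-Challenge and CHAP-Password attributes."""
    identifier = 1
    challenge = os.urandom(16)                        # generated by the access device, not the server
    response = client.answer(identifier, challenge)
    chap_password = bytes([identifier]) + response    # RADIUS CHAP-Password = CHAP Ident + 16-byte value
    chap_challenge = challenge                        # RADIUS CHAP-Challenge attribute
    return server.verify(client.username, chap_password[0], chap_challenge, chap_password[1:])


# Constructed account, as it would exist on the RADIUS server.
SERVER = AuthServer({"dot1x@bbb": "correct-password"})
```

Because the server must recompute MD5 over the cleartext password in both modes, the account store cannot hold a one-way password hash; that is the limitation behind "works with any RADIUS server that supports PAP or CHAP" rather than any stronger method.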
H3C implementation of 802.1X
Access control methods
H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.
• Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent ...
Table 7 VLAN assignment in MAC-based access control mode
Link type: Access. VLAN assignment: Sets the VLAN ID assigned through the Tunnel attributes to the first authenticated user as the PVID on the port. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching — Configuration Guide.
On a port that performs port-based access control
Authentication status: No 802.1X user has ... VLAN manipulation: Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN.
Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
Critical VLAN
You configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the critical VLAN can access a limited set of network resources depending on your configuration. The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers.
Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable. VLAN manipulation: The user is still in the critical VLAN.
Authentication status: A user in the critical VLAN fails 802.1X authentication for any other reason than ... VLAN manipulation: If an Auth-Fail VLAN has been configured, re-maps the MAC address of the user to the Auth-Fail VLAN ID.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the service type to lan-access.
802.1X configuration task list
Task: Enabling 802.1X. Remarks: Required.
Task: Enabling EAP relay or EAP termination...
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
Setting the port authorization state
The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:
• authorized-force—Places the port in the authorized state, enabling users on the port to access the ...
Step: Specify an access control method. Command (use either method):
• In system view: dot1x port-method { macbased | portbased } [ interface interface-list ]
• In Ethernet interface view: interface interface-type interface-number, then dot1x port-method { macbased | portbased }
Remarks: Optional. By default, MAC-based access control applies.
Setting the maximum number of concurrent 802.1X...
• To use the online handshake security function, make sure the online user handshake function is enabled. H3C recommends that you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.
• If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.
Configuration procedure
To configure the online user handshake function:
Step Command Remarks...
Configuration procedure
To configure the authentication trigger function on a port:
Step: Enter system view. Command: system-view.
Step: Set the username request timeout timer. Command: dot1x timer tx-period tx-period-value. Remarks: Optional. The default is 30 seconds.
Step: Enter Ethernet interface view. Command: interface interface-type interface-number. Remarks: Required if you want to enable the unicast trigger.
Step: Enter system view. Command: system-view.
Step: Enable the quiet timer. Command: dot1x quiet-period. Remarks: By default, the timer is disabled.
Step: Set the quiet timer. Command: dot1x timer quiet-period quiet-period-value. Remarks: Optional. The default is 60 seconds.
Enabling the periodic online user re-authentication function
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS.
Configuring a port to send EAPOL frames untagged EAPOL frames exchanged between the 802.1X client and the network access device must not contain VLAN tags. If any 802.1X user attached to a port is assigned a tagged VLAN, you must enable the port to send EAPOL frames untagged to 802.1X clients.
802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The H3C iNode client does not have this problem. See Table 8 when configuring multiple security features on a port.
Feature: MAC authentication guest VLAN on a port that performs MAC-based access control. Relationship description: The 802.1X Auth-Fail VLAN has a high priority. Reference: "Configuring MAC authentication".
Feature: Port intrusion protection on a port that performs MAC-based access control. Relationship description: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port ... Reference: "Configuring port ...".
IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The H3C iNode client does not have this problem. Configuration prerequisites • Create the VLAN to be specified as a critical VLAN.
Step: Specify a set of domain name delimiters for 802.1X users. Command: dot1x domain-delimiter string. Remarks: Optional. By default, only the at sign (@) delimiter is supported.
NOTE: If you configure the access device to include the domain name in the username sent to the RADIUS server, make sure the domain delimiter in the username can be recognized by the RADIUS server.
Figure 44 Network diagram Configuration procedure Configure the 802.1X client. If H3C iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.
Configure the ISP domain:
# Create the ISP domain aabbcc.net and enter its view.
802.1X with guest VLAN and VLAN assignment configuration example
Network requirements
As shown in Figure
• A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet.
• GigabitEthernet 1/0/2 is in VLAN 1.
• ...
Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server is not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X for port GigabitEthernet 1/0/2.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dot1x
# Implement port-based access control on the port.
[Device-GigabitEthernet1/0/2] dot1x port-method portbased
# Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode.
[Device-GigabitEthernet1/0/2] dot1x port-control auto
[Device-GigabitEthernet1/0/2] quit
# Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2.
Configuration procedure The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see Security Command Reference.
Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.
Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an H3C integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
To configure a free IP:
Step: Enter system view. Command: system-view.
Step: Configure a free IP. Command: dot1x free-ip ip-address { mask-address | mask-length }. Remarks: By default, no free IP is configured.
Configuring the redirect URL
Follow these guidelines when you configure the redirect URL:
• ...
Task: Display 802.1X session information, statistics, or configuration information. Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
EAD fast deployment configuration example
Network requirements
As shown in Figure...
• Configure the authentication server to provide authentication, authorization, and accounting services.
Configuration procedure
Configure an IP address for each interface. (Details not shown.)
Configure DHCP relay:
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Device] dhcp relay server-group 1 ip 192.168.2.2
# Enable the relay agent on VLAN interface 2.
Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service.
Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user as idle.
If a user in the guest VLAN passes MAC authentication, that user is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
Configuring MAC authentication globally
Step: Enter system view. Command: system-view.
Step: Enable MAC authentication globally. Command: mac-authentication. Remarks: Disabled by default.
Step: Configure MAC authentication timers. Command: mac-authentication timer { offline-detect offline-detect-value | ... Remarks: Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 ...
Specifying a MAC authentication domain
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:
• Specify a global authentication domain in system view. This domain setting applies to all ports.
• ...
If MAC authentication clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the MAC authentication users cannot access authorized network resources immediately after a MAC authentication is complete. As a solution, remind the MAC authentication users to release their IP addresses or repair their network connections for a DHCP reassignment after MAC authentication is complete.
Before you configure a MAC authentication critical VLAN on a port, complete the following tasks:
• Enable MAC authentication.
MAC authentication configuration examples
Local MAC authentication configuration example
Network requirements
In the network in Figure 48, perform local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that:
• All users belong to domain aabbcc.net.
• Local users use their MAC address as the username and password for MAC authentication.
Verifying the configuration
# Display MAC authentication settings and statistics.
<Device> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 180s
Quiet period is 180s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1...
Figure 49 Network diagram (Host, Device with port GE1/0/1, IP network, RADIUS servers Auth:10.1.1.1 and Acct:10.1.1.2)
Configuration procedure
Make sure the RADIUS server and the access device can reach each other.
Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
Verifying the configuration
# Display MAC authentication settings and statistics.
<Device> display mac-authentication
MAC address authentication is enabled.
User name format is fixed account
Fixed username:aaa
Fixed password: ******
Offline detect period is 180s
Quiet period is 180s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is 2000...
Figure 50 Network diagram
Configuration procedure
Make sure the RADIUS server and the access device can reach each other.
Configure the ACL assignment:
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
Configure the RADIUS servers: # Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.) Verifying the configuration After the host passes authentication, perform the display connection command on the device to view online user information.
Configuring portal authentication The IPv6 portal configuration is available only on the S5500-EI switch series. Overview Portal authentication helps control access to the Internet. It is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page.
A portal server can be an entity independent of the access device or an entity embedded in the access device. In this document, the term portal server refers to an independent portal server, and the term local portal server refers to an embedded portal server. Only the S5500-EI series supports an independent portal server.
To implement security check, the client must be the H3C iNode client. Portal authentication supports NAT traversal whether it is initiated by a Web client or an H3C iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
VLAN. If a client fails authentication, the authentication server can assign an Auth-Fail VLAN. Layer 3 portal authentication does not support VLAN assignment. Layer 3 portal authentication (available only on the S5500-EI series) You can enable Layer 3 authentication on an access device's Layer 3 interfaces that connect authentication clients.
MAC addresses, and can enhance the capability of controlling packet forwarding by also using the learned MAC addresses. Portal support for EAP (available only on the S5500-EI series) Authentication by using the username and password is less secure. Digital certificate authentication is usually used to ensure higher security.
Layer 2 portal authentication process Figure 54 Local Layer 2 portal authentication process Local Layer 2 portal authentication takes the following procedure: The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which supports HTTP and HTTPS requests.
ACL on the device. Layer 3 portal authentication process (available only on the S5500-EI series) Direct authentication and cross-subnet authentication share the same authentication process, while re-DHCP authentication has a different process because of the presence of two address allocation procedures.
The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message. The access device and the RADIUS server exchange RADIUS packets to authenticate the user. The access device sends an authentication reply to the portal server.
The portal server notifies the authentication client of logon success. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes additional steps: The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
The remaining steps are for extended portal authentication. For more information about the steps, see the portal authentication process with CHAP/PAP authentication. Portal stateful failover (available only on the S5500-EI series) Overview The stateful failover feature supports hot backup of services on two devices. It can be configured on key devices to avoid service interruptions caused by single point failures.
Figure 58 Network diagram for portal stateful failover configuration As shown in Figure 58, users have to pass portal authentication to access the Internet. To avoid portal service interruption caused by single point failures, you can deploy two access devices (Gateway A and Gateway B) and configure the portal stateful failover function on them, so that they back up the portal online user information of each other through the failover link.
Portal authentication across VPNs (available only on the S5500-EI series) This feature is not applicable to VPNs with overlapping address spaces. In a scenario where the branches belong to different VPNs that are isolated from each other and all portal users in the branches need to be authenticated by the server at the headquarters, you can deploy portal authentication across MPLS VPNs.
Task: Specifying a portal server for Layer 3 portal authentication (available only on the S5500-EI series). Remarks: Required.
Task: Enabling Layer 3 portal authentication (available only on the S5500-EI series). Remarks: Required.
Task: Configuring a portal-free rule.
Task: Configuring an authentication source subnet (available only on the S5500-EI series).
Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. H3C recommends using the IP address of a loopback interface rather than a physical Layer 3 interface, because: The status of a loopback interface is stable.
Specifying a portal server for Layer 3 portal authentication (available only on the S5500-EI series) This task allows you to specify the portal server parameters for Layer 3 portal authentication, including the portal server IP address, shared encryption key, server port, and the URL address for Web authentication.
Customizing authentication pages Customized authentication pages exist in the form of HTML files. You can compress them and then save them in the storage medium of the access device. A set of authentication pages includes six main authentication pages and their page elements. The six main authentication pages are the logon page, the logon success page, the logon failure page, the online page, the system busy page, and the logoff success page.
Attribute PtButton is required to indicate the action that the user requests, which can be Logon or Logoff. A logon Post request must contain PtUser, PtPwd, and PtButton attributes. A logoff Post request must contain the PtButton attribute. Authentication pages logon.htm and logonFail.htm must contain the logon Post request. The following example shows part of the script in page logon.htm.
</body>
</html>
H3C recommends using Microsoft IE 6.0 or above on the authentication clients. Make sure the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return back...
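Before compressing a customized page set and loading it onto the access device, it is worth checking mechanically that logon.htm and logonFail.htm carry a Post request with the PtUser, PtPwd, and PtButton attributes named above, since a page that misses one simply never produces a valid logon. The following checker is an added example written for this section, not the page's own script; the two sample pages are constructed, and it only inspects form controls, not the surrounding page elements.

```python
from html.parser import HTMLParser

# Attribute names that the portal Post requests must carry (from this section).
LOGON_FIELDS = {"PtUser", "PtPwd", "PtButton"}
LOGOFF_FIELDS = {"PtButton"}

# Pages this section says must contain the logon Post request.
PAGES_NEEDING_LOGON = {"logon.htm", "logonFail.htm"}


class FormCollector(HTMLParser):
    """Collect every <form> with its method and the names of the controls inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"method": (attrs.get("method") or "get").lower(), "fields": set()}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea", "button") and self._current is not None:
            if attrs.get("name"):
                self._current["fields"].add(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def post_forms(html: str) -> list:
    """Return only the forms that would produce a Post request."""
    parser = FormCollector()
    parser.feed(html)
    return [f for f in parser.forms if f["method"] == "post"]


def check_request(html: str, required: set) -> list:
    """Return the problems found; an empty list means some Post form carries every required attribute."""
    forms = post_forms(html)
    if not forms:
        return ["no form with method=post"]
    problems = []
    for form in forms:
        missing = required - form["fields"]
        if not missing:
            return []
        problems.append("Post form missing " + ", ".join(sorted(missing)))
    return problems


def check_page(filename: str, html: str) -> list:
    """Apply the rule for one customized page: logon.htm and logonFail.htm need the logon request."""
    if filename in PAGES_NEEDING_LOGON:
        return [f"{filename}: {p}" for p in check_request(html, LOGON_FIELDS)]
    return []


# Constructed sample pages (not the script shown in the guide).
GOOD_LOGON = """<html><body>
<form method="post" action="/">
  <input type="text" name="PtUser">
  <input type="password" name="PtPwd">
  <input type="submit" name="PtButton" value="Logon">
</form></body></html>"""

BAD_LOGON = """<html><body>
<form method="post" action="/">
  <input type="text" name="PtUser">
  <input type="submit" name="PtButton" value="Logon">
</form></body></html>"""
```

The same check_request with LOGOFF_FIELDS validates a logoff form, which only needs PtButton.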
If a user refreshes the logon success or online page, or jumps to another website from either of the pages, the device also logs off the user. Only Microsoft IE, Mozilla Firefox, and Apple Safari browsers support the device to log off the user when the user closes the logon success or online page.
... authentication on the port. Remarks: Not enabled by default.
Enabling Layer 3 portal authentication (available only on the S5500-EI series)
Before enabling Layer 3 portal authentication on an interface, make sure:
• An IP address is configured for the interface.
• ...
Step: Enable Layer 3 portal authentication on the interface. Command: portal server server-name method { direct | layer3 | redhcp }. Remarks: Not enabled by default.
NOTE: The portal server and its parameters can be deleted or modified only when the portal server is not referenced by any interface.
Regardless of whether portal authentication is enabled or not, you can only add or remove a portal-free rule. You cannot modify it. Configuring an authentication source subnet (available only on the S5500-EI series) Only Layer 3 portal authentication supports this feature. By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication.
Step: Enter system view.
Command: system-view
Step: Set the maximum number of online portal users.
Command: portal max-user max-number
Remarks: By default, the maximum number is 3000 on the S5500-EI series and 1000 on the S5500-SI series.
NOTE: The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch.
and the system default authentication domain. For information about the default authentication domain, see "Configuring AAA."
Configuring Layer 2 portal authentication to support Web proxy
By default, proxied HTTP requests cannot trigger Layer 2 portal authentication and are silently dropped. To allow such HTTP requests to trigger portal authentication, configure the port numbers of the Web proxy servers on the switch.
Step: Enter system view.
Command: system-view
Step: Enable support for portal user moving.
Command: portal move-mode auto
Remarks: Disabled by default.
For a user with authorization information (such as an authorized VLAN) configured, after the user moves from one port to another, the switch tries to assign the authorization information to the new port. If the operation fails, the switch deletes the user's information from the original port and re-authenticates the user on the new port.
NAS-Port-Type value as that in the RADIUS request to be sent to the RADIUS server. If NAS-Port-Type is not specified, the device uses the access port type obtained. If there are multiple network devices between the Broadband Access Server (BAS, the portal authentication access device) and a portal client, the BAS may not be able to obtain a user's correct access port information.
Specifying a source IP address for outgoing portal packets (available only on the S5500-EI series) After you specify a source IP address for outgoing portal packets on an interface, the IP address is used as the source IP address of packets that the access device sends to the portal server, and the destination IP address of packets that the portal server sends to the access device.
Page 178
After the working state of the two devices changes from independence to synchronization and the portal group takes effect, the two devices start to back up the data of online portal users for each other. The AAA and portal configuration must be consistent on the two devices that back up each other. For example, you must configure the same portal server on the two devices.
• Do not delete the configured backup source IP addresses. Otherwise, online users on the backup device may not be able to receive packets from the server.
Specifying an auto redirection URL for authenticated portal users
After a user passes portal authentication, if the access device is configured with an auto redirection URL, it redirects the user to the URL after a specified period of time.
Configuring the portal server detection function (available only on the S5500-EI series) Only Layer 3 portal authentication supports this feature. During portal authentication, if the communication between the access device and portal server is broken, new portal users are not able to log on and the online portal users are not able to log off normally.
IMC portal server and make sure that the product of interval and retry is greater than or equal to the portal server heartbeat interval. H3C recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.
(Available in user view.)
Portal configuration examples
The S5500-EI series supports Layer 2 and Layer 3 portal authentication. The S5500-SI series supports only Layer 2 portal authentication. Therefore, only the example "Configuring Layer 2 portal authentication" is applicable to the S5500-SI series.
Page 184
• The host is directly connected to the switch and the switch is configured for direct authentication.
• The host is assigned a public network IP address either manually or through DHCP.
Before passing portal authentication, users can access only the portal server. After passing portal authentication, users can access Internet resources.
Page 185
Figure 61 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Enter the IP group name.
Page 186
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure
• Enter the device name NAS.
• Enter the IP address of the switch's interface connected to the user.
• ...
Page 187
Figure 65 Adding a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [Switch] domain default enable dm1 Configure portal authentication: # Configure a portal server on the switch, making sure the IP address, port number and URL match those of the actual portal server.
Page 189
IP address). For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide.
• Make sure the IP address of the portal device added on the portal server is the public IP address of the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP address group associated with the portal device is the private network segment where the users reside (10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public network segment 20.20.20.0/24.
Port number: 50100
URL: http://192.168.0.111:8080/portal
[Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Configure the switch as a DHCP relay agent, and enable the IP address check function.
[Switch] dhcp enable
[Switch] dhcp relay server-group 0 ip 192.168.0.112
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0
[Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub...
Page 191
• Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
Perform the following configuration to configure cross-subnet portal authentication on Switch A:
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
[SwitchA-Vlan-interface4] quit
On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.)
Configuring direct portal authentication with extended functions
Network requirements
As shown in Figure
• The host is directly connected to the switch and the switch is configured for direct extended portal ...
Page 193
[Switch-radius-rs1] key accounting simple radius
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[Switch-radius-rs1] security-policy-server 192.168.0.113
[Switch-radius-rs1] quit
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
Configuring re-DHCP portal authentication with extended functions
Network requirements
As shown in Figure
• The host is directly connected to the switch and the switch is configured for re-DHCP authentication.
• The host is assigned an IP address through the DHCP server. Before passing portal authentication, the host uses an assigned private IP address.
Page 195
Perform the following configuration to configure re-DHCP portal authentication with extended functions on the switch:
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the CAMS/IMC server, set the server type to extended.
IP address: 192.168.0.111
Key: portal in plain text
Port number: 50100
URL: http://192.168.0.111:8080/portal
[Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Configure the switch as a DHCP relay agent, and enable the IP address check function.
[Switch] dhcp enable
[Switch] dhcp relay server-group 0 ip 192.168.0.112
[Switch] interface vlan-interface 100...
Page 197
Configuration procedure Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example). Configure IP addresses for the host, switches, and servers as shown in Figure 70 and make sure that they...
[SwitchA-acl-adv-3001] quit
On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
Configure portal authentication
# Configure the portal server as follows:
Name: newpt
IP address: 192.168.0.111
Key: portal in plain text
Port number: 50100
URL: http://192.168.0.111:8080/portal
[SwitchA] portal server newpt ip 192.168.0.111 key portal port 50100 url...
Page 199
Figure 71 Network diagram Configure IP addresses for the host, server, and switches as shown in Figure 71 and make sure that they can reach to each other. Make sure that Host can access the authentication server through Switch A and Switch B. Configure VRRP group 1 and VRRP group 2 to implement backup for downstream and upstream links, respectively.
Page 200
Figure 72 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Enter the IP group name.
Page 201
• Enter the device name NAS.
• Enter the virtual IP address of the VRRP group that holds the portal-enabled interface.
• Enter the key, which must be the same as that configured on the switch.
• Set whether to enable IP address reallocation. This example uses direct portal authentication, and ...
Page 202
Figure 76 Adding a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring Switch A Configure VRRP: # Create VRRP group 1, and configure the virtual IP address of the VRRP group 1 as 9.9.1.1. <SwitchA>...
Page 203
# Configure the server type for the RADIUS scheme. When using the CAMS/IMC server, configure the RADIUS server type as extended.
[SwitchA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.111
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key authentication simple expert...
Page 204
Configure the stateful failover function:
# Configure the VLAN for stateful failover as VLAN 8.
[SwitchA] dhbk vlan 8
# Enable stateful failover and configure it to support the symmetric path.
[SwitchA] dhbk enable backup-type symmetric-path
Configuring Switch B
Configure VRRP:
# Create VRRP group 1, and configure the virtual IP address of VRRP group 1 as 9.9.1.1.
Page 205
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [SwitchB] domain default enable dm1 Enable portal authentication on the interface connecting the host: # Configure the portal server as needed.
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode: secondary
VPN instance:NONE
Vlan Interface
---------------------------------------------------------------------
000d-88f8-0eac 9.9.1.2 Vlan-interface10
Total 1 user(s) matched, 1 listed.
The output shows that the information of user Host is saved on both Switch A and Switch B. The user's working mode on Switch A is primary, and that on Switch B is secondary, which indicates that the user logged in through Switch A and the user information on Switch B was synchronized from Switch A.
Page 207
Configure direct portal authentication on interface VLAN-interface 100, which is connected with the user host. Configure the portal server detection function on the access device, so that the access device can detect the status of the portal server by cooperating with the portal server heartbeat function. Configure the portal user information synchronization function, so that the access device can synchronize portal user information with the portal server by cooperating with the portal user heartbeat function.
Page 208
• Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group.
• Select a service group. By default, the group Ungrouped is used.
• Select the IP group type Normal.
• ...
Page 209
# Associate the portal device with the IP address group. As shown in Figure 64, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. Figure 81 Device list On the port group configuration page, click Add to enter the page shown in Figure 65.
Page 210
40 retry 2 The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and H3C recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.
[Switch] portal server newpt user-sync interval 600 retry 2 The product of interval and retry must be greater than or equal to the portal user heartbeat interval, and H3C recommends configuring the interval as a value greater than the portal user heartbeat interval configured on the portal server.
Page 212
Figure 83 Network diagram (diagram labels, in extraction order: DHCP server, RADIUS server, 1.1.1.3/24, 1.1.1.2/24, Vlan-int1 1.1.1.1, Vlan-int8, Switch (DHCP relay), 192.168.1.1/24, IP network, Vlan-int3, GE1/0/1, 3.3.3.1, Vlan-int2, Host 2.2.2.1/24, Update server 2.2.2.2/24)
Configuration procedures
Follow these guidelines to configure Layer 2 portal authentication:
• Make sure that the host, switch, and servers can reach each other before portal authentication is enabled.
Page 213
# Configure the local portal server to support HTTPS and reference SSL server policy sslsvr.
[Switch] portal local-server https server-policy sslsvr
# Configure the IP address of loopback interface 12 as 4.4.4.4.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit
# Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.
Page 214
# Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group.
[Switch] dhcp relay server-group 1 ip 1.1.1.3
# Enable the DHCP relay agent on VLAN-interface 8.
[Switch] interface vlan-interface 8
[Switch-Vlan-interface8] dhcp select relay
# Correlate DHCP server group 1 with VLAN-interface 8.
[Switch-Vlan-interface8] dhcp relay server-select 1
[Switch-Vlan-interface8] quit
# Enable the DHCP relay agent on VLAN-interface 2.
S:Static D:Dynamic
MAC ADDR        MASK             VLAN ID  PRIO  STATE
--------------------------------------------------------
0015-e9a6-7cfe  ffff-ffff-ffff
Total MAC VLAN address count:1
If a client fails authentication, it is added to VLAN 2. Use the previously mentioned commands to view the assigned IP address and the generated MAC-VLAN entry for the client.
Troubleshooting portal
Inconsistent keys on the access device and the portal server
Symptom...
Page 216
Solution Use the display portal server command to display the listening port of the portal server configured on the access device and use the portal server command in the system view to modify it to make sure that it is the actual listening port of the portal server.
Configuring triple authentication Overview Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services.
• If a terminal passes 802.1X or portal authentication, no other types of authentication will be triggered for the terminal.
• If the terminal passes MAC authentication, no portal authentication can be triggered for the terminal, but 802.1X authentication can be triggered. When the terminal passes 802.1X authentication, the 802.1X authentication information overwrites the MAC authentication information for the terminal.
Remarks (continued): ... MAC-based access control.
Step: Configure Layer 2 portal authentication.
Command: See "Configuring portal authentication."
Remarks: H3C does not recommend that you configure 802.1X guest VLANs for triple authentication.
Triple authentication configuration examples
Triple authentication basic function configuration example
Network requirements
As shown in Figure 85, the terminals are connected to a switch to access the IP network.
Page 220
# Configure the local portal server to support HTTP.
<Switch> system-view
[Switch] portal local-server http
# Configure the IP address of interface loopback 0 as 4.4.4.4.
[Switch] interface loopback 0
[Switch-LoopBack0] ip address 4.4.4.4 32
[Switch-LoopBack0] quit
# Specify the listening IP address of the local portal server for Layer 2 portal authentication as 4.4.4.4.
[Switch] domain triple
# Configure the default AAA methods for all types of users in the domain.
[Switch-isp-triple] authentication default radius-scheme rs1
[Switch-isp-triple] authorization default radius-scheme rs1
[Switch-isp-triple] accounting default radius-scheme rs1
[Switch-isp-triple] quit
# Configure domain triple as the default domain. If a username input by a user includes no ISP domain name, the authentication scheme of the default domain is used.
Page 222
• 802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP addresses in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails authentication, it uses an IP address in 2.2.2.0/24.
• After passing authentication, the printer obtains the IP address 3.3.3.111/24 that is bound with its MAC address through DHCP.
Page 223
# Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)
# Enable DHCP.
<Switch> system-view
[Switch] dhcp enable
# Exclude the IP address of the update server from assignment.
[Switch] dhcp server forbidden-ip 2.2.2.2
# Configure IP address pool 1, including the address range, lease and gateway address.
Page 224
[Switch] portal local-server https server-policy sslsvr
# Configure IP address 4.4.4.4 for interface loopback 12.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit
# Specify the listening IP address of the local portal server as 4.4.4.4.
[Switch] portal local-server ip 4.4.4.4
# Enable Layer 2 portal authentication on GigabitEthernet 1/0/1 and specify VLAN 2 as the Auth-Fail VLAN, to which terminals failing authentication are added.
Page 225
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
Configure an ISP domain:
# Create an ISP domain named triple.
[Switch] domain triple
# Configure the default AAA methods for all types of users in the domain.
[Switch-isp-triple] authentication default radius-scheme rs1
[Switch-isp-triple] authorization default radius-scheme rs1
[Switch-isp-triple] accounting default radius-scheme rs1
[Switch-isp-triple] quit
# Configure domain triple as the default domain.
Page 226
0002-0002-0001  ffff-ffff-ffff
0015-88f8-0dd7  ffff-ffff-ffff
Total MAC VLAN address count:3
Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users.
[Switch] display dhcp server ip-in-use all
Pool utilization: 0.59%
IP address   Client-identifier/Hardware address   Lease expiration   Type
3.3.3.111    0015-88f8-0dd7...
NOTE: For scenarios that require only 802.1X authentication or MAC authentication, H3C recommends you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
Page 228
• MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
• Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
Page 229
Controlling MAC address learning autoLearn • A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
• macAddressElseUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For wired users, the port performs MAC authentication upon receiving non-802.1X frames. Upon receiving 802.1X frames, it performs MAC authentication first and then, if that fails, 802.1X authentication.
Enabling port security
Enabling or disabling port security resets the following security settings to the default:
• 802.1X access control mode is MAC-based, and the port authorization state is auto.
• Port security mode is noRestrictions.
When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state.
Setting the port security mode After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.
Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, see Table 13.
Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number
Step: Configure the intrusion protection feature.
Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
Remarks: By default, intrusion protection is disabled.
Step: Return to system view.
Command: quit
Step: Set the silence timeout period ...
Remarks: Optional.
Table 14 A comparison of static, sticky, and dynamic secure MAC addresses
Type | Address sources | Aging mechanism | Can be saved and survive a device reboot?
Static | Manually added | Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature. | Yes.
Step: Configure a secure MAC address.
Command (use either method):
• In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
• In interface view: interface interface-type interface-number, then port-security mac-address security [ sticky ] mac-address vlan vlan-id
Remarks: No secure MAC address exists by default.
...
Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports.
Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
Task: Display information about secure...
Command: display port-security mac-address security [ interface interface-type ...
Page 238
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-GigabitEthernet1/0/1] quit
[Device] port-security timer disableport 30...
Execute the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message.
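The behaviour described in this example and in "Configuring NTK" above can be checked offline with the following model. It is an added illustration, not H3C or Comware code: a port in autoLearn mode learns source MACs until max-mac-count is reached, switches to secure mode, then applies the configured intrusion protection action (blockmac, disableport, or disableport-temporarily with the disableport silence timer) to any frame from an unknown MAC, and the NTK check drops unicast frames to unknown destinations. The frame layout, the MAC notation (hhhh-hhhh-hhhh), the use of plain seconds as a clock, and the simplification that a blockmac entry is never unblocked are assumptions of the example.

```python
"""
Added example, not H3C/Comware code: a model of a port-security port with
autoLearn -> secure transition, intrusion protection and the NTK check.
Timers are plain seconds; blocked MACs are not unblocked (simplification).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


def is_group_mac(mac: str) -> bool:
    """Broadcast/multicast: least significant bit of the first octet is set (hhhh-hhhh-hhhh)."""
    return int(mac[:2], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class SecurePort:
    max_mac: int = 64                                # port-security max-mac-count
    intrusion_mode: str = "disableport-temporarily"  # or "blockmac" / "disableport"
    silence_secs: int = 30                           # port-security timer disableport
    ntk_only: bool = True                            # forward unicast only to secure MACs
    mode: str = "autoLearn"
    secure_macs: Set[str] = field(default_factory=set)
    blocked_macs: Set[str] = field(default_factory=set)
    disabled_until: Optional[float] = None           # set by disableport-temporarily
    shut_down: bool = False                          # set by disableport
    events: List[str] = field(default_factory=list)

    def is_up(self, now: float) -> bool:
        """Port state at time `now`; re-enables the port once the silence timer expires."""
        if self.shut_down:
            return False
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return False
            self.disabled_until = None
            self.events.append("t=%s port re-enabled after silence period" % now)
        return True

    def receive(self, frame: Frame, now: float) -> bool:
        """Inbound frame; returns True if the port accepts it."""
        if not self.is_up(now) or frame.src in self.blocked_macs:
            return False
        if frame.src in self.secure_macs:
            return True
        if self.mode == "autoLearn":
            self.secure_macs.add(frame.src)          # learned MACs become secure MACs
            if len(self.secure_macs) >= self.max_mac:
                self.mode = "secure"                 # learning stops at the limit
                self.events.append("t=%s mode changed to secure" % now)
            return True
        self._intrusion(frame.src, now)              # secure mode: unknown source MAC
        return False

    def _intrusion(self, mac: str, now: float) -> None:
        self.events.append("t=%s intrusion from %s, action %s"
                           % (now, mac, self.intrusion_mode))
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(mac)               # simplification: never unblocked
        elif self.intrusion_mode == "disableport":
            self.shut_down = True
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.silence_secs

    def transmit(self, frame: Frame, now: float) -> bool:
        """Outbound frame; with NTK, unicast to an unknown destination MAC is discarded."""
        if not self.is_up(now):
            return False
        if self.ntk_only and not is_group_mac(frame.dst) and frame.dst not in self.secure_macs:
            return False
        return True


if __name__ == "__main__":
    # Constructed scenario: limit of 3 MACs, a fourth host triggers intrusion protection.
    port = SecurePort(max_mac=3)
    for i in range(4):
        port.receive(Frame("000%d-0000-0001" % i, "ffff-ffff-ffff"), now=i)
    print("\n".join(port.events))
```

The sequence to watch is the one the example above describes: once the learned count reaches max-mac-count the mode flips to secure, and the next unknown source MAC silences the port for the disableport timer, during which even frames from already-learned MACs are refused.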
Page 240
• Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
Figure 88 Network diagram
Configuration procedure
Configurations on the host and RADIUS servers are not shown. The following configuration steps cover some AAA/RADIUS configuration commands.
Page 241
[Device] port-security enable
# Add five OUI values.
[Device] port-security oui 1234-0100-1111 index 1
[Device] port-security oui 1234-0200-1111 index 2
[Device] port-security oui 1234-0300-1111 index 3
[Device] port-security oui 1234-0400-1111 index 4
[Device] port-security oui 1234-0500-1111 index 5
[Device] interface gigabitethernet 1/0/1
# Set the port security mode to userLoginWithOUI.
Page 242
# Display the configuration of the ISP domain sun.
<Device> display domain sun
Domain : sun
State : Active
Access-limit : 30
Accounting method : Required
Default authentication scheme : radius:radsun
Default authorization scheme : radius:radsun
Default accounting scheme : radius:radsun
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled...
Page 243
EAD timeout:
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is enabled
Handshake secure is disabled
802.1X unicast-trigger is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based...
Configuring the macAddressElseUserLoginSecure mode Network requirements As shown in Figure 88, a client is connected to the Device through GigabitEthernet 1/0/1. The Device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. Restrict port GigabitEthernet 1/0/1 of the Device: Allow more than one MAC authenticated user to log on.
Page 245
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
Security MAC address learning mode is sticky
Security MAC address aging type is absolute
# Display MAC authentication information.
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times
EAD quick deploy configuration:
EAD timeout:
Total maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is enabled
Handshake secure is disabled
802.1X unicast-trigger is enabled...
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other. Analysis For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly. Solution Set the port security mode to noRestrictions first.
Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
{ inbound | outbound } (outbound: traffic sent by the switch to online users). The outbound option is available only on the S5500-EI series.
Enabling a user profile
Enable a user profile so that the configurations in the profile can be applied by the device to restrict user behaviors.
Step: Enter system view.
Command: system-view
Step: Enable a user profile.
Command: user-profile profile-name enable
Remarks: A user profile is disabled by default.
Displaying and maintaining user profiles
Task: Display information about all the created user profiles.
Command: display user-profile [ | { begin | exclude ...
Remarks: Available in any view
Configuring password control
Overview
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
• Minimum password length
Page 253
You can allow a user to log in a certain number of times within a specific period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.
Depending on the system security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters that are from each type in the password. There are four password combination levels in non-FIPS mode: 1, 2, 3, and 4, each representing the number of character types that a password must at least contain.
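The rules above (minimum length, the composition level expressed as type-number and type-length, and the grace logins allowed after a password expires) can be exercised offline with the following model. It is an added illustration, not H3C or Comware code. The four character types of non-FIPS mode are taken from the text; the interpretation that a password must contain at least type-number types each holding at least type-length characters, and what the "username checking" and "repeated characters checking" complexity options reject (the username or its reverse; three or more identical consecutive characters), are assumptions of the example.

```python
"""
Added example, not H3C/Comware code: an offline model of the password
control checks described on this page. Rules marked "assumed" are the
example's reading of the text, not documented device behaviour.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# The four character types of non-FIPS mode.
UPPER, LOWER, DIGIT, SPECIAL = "upper", "lower", "digit", "special"


def count_types(password: str) -> Dict[str, int]:
    """Count how many characters of each type the password contains."""
    counts = {UPPER: 0, LOWER: 0, DIGIT: 0, SPECIAL: 0}
    for ch in password:
        if ch.isupper():
            counts[UPPER] += 1
        elif ch.islower():
            counts[LOWER] += 1
        elif ch.isdigit():
            counts[DIGIT] += 1
        else:
            counts[SPECIAL] += 1
    return counts


@dataclass
class PasswordPolicy:
    min_length: int = 10          # password-control length (10 by default)
    type_number: int = 1          # composition type-number (non-FIPS default: 1)
    type_length: int = 1          # composition type-length (non-FIPS default: 1)
    username_check: bool = True   # assumed meaning of "username checking"
    repeat_check: bool = True     # assumed meaning of "repeated characters checking"

    def violations(self, password: str, username: str = "") -> List[str]:
        """Return the rules the password breaks; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append("length below %d" % self.min_length)
        counts = count_types(password)
        # Composition level: at least type_number types, each with >= type_length chars.
        qualified = [t for t, n in counts.items() if n >= self.type_length]
        if len(qualified) < self.type_number:
            problems.append("fewer than %d character types with %d+ characters each"
                            % (self.type_number, self.type_length))
        if self.username_check and username:
            # Assumed: the password may not contain the username or its reverse.
            lowered, user = password.lower(), username.lower()
            if user in lowered or user[::-1] in lowered:
                problems.append("contains the username or its reverse")
        if self.repeat_check and any(
                password[i] == password[i + 1] == password[i + 2]
                for i in range(len(password) - 2)):
            # Assumed: three or more identical consecutive characters are rejected.
            problems.append("repeats a character three or more times in a row")
        return problems

    def is_compliant(self, password: str, username: str = "") -> bool:
        return not self.violations(password, username)


@dataclass
class ExpiredPasswordLogins:
    """Model of password-control expired-user-login delay <days> times <count>:
    after the password expires, the user may still log in <count> times within
    <days> days before being forced to change it."""
    delay_days: int
    times: int
    used: int = 0

    def allow(self, expired_at: datetime, now: datetime) -> bool:
        if now < expired_at:
            return True                       # password has not expired yet
        window_end = expired_at + timedelta(days=self.delay_days)
        if now > window_end or self.used >= self.times:
            return False                      # grace window exhausted
        self.used += 1
        return True


def simulate_expired_logins(delay_days: int, times: int, expired_at: str,
                            attempts: List[str]) -> List[bool]:
    """Run login attempts (ISO dates) against one grace window; returns accept/deny per attempt."""
    window = ExpiredPasswordLogins(delay_days, times)
    exp = datetime.fromisoformat(expired_at)
    return [window.allow(exp, datetime.fromisoformat(a)) for a in attempts]


if __name__ == "__main__":
    # Constructed inputs: a level-3 composition policy with two characters per type.
    policy = PasswordPolicy(type_number=3, type_length=2)
    for pw in ("Abc12!!xYZ", "Abc1!xyzzz"):
        print(pw, policy.violations(pw, username="alice") or "OK")
    print(simulate_expired_logins(15, 3, "2024-01-01",
                                  ["2024-01-02", "2024-01-05", "2024-01-10", "2024-01-12"]))
```

The grace-window values (15 days, three logins) mirror the text's own example; once either the day limit or the login count is reached, allow() returns False and the user must change the password before logging in again.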
Password control configuration task list
The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:
• Global settings in system view apply to all local user passwords and super passwords.
• ...
Step: Enter system view.
Command: system-view
Step: Enable the password control feature.
Command: password-control enable
Remarks: Disabled by default.
Step: Enable a password control function individually.
Command: password-control { aging | composition | history | length } enable
Remarks: Optional. All of the four password control functions are enabled by default.
Step: Set the minimum password length.
Command: password-control length length
Remarks: Optional. 10 characters by default.
Step: Configure the password composition.
Command: password-control composition type-number type-number ...
Remarks: Optional.
• In non-FIPS mode, by default, a password must contain at least one type of characters and each type must contain at least one character.
Step: Enter system view.
  Command: system-view
Step: Create a user group and enter user group view.
  Command: user-group group-name
Step: Configure the password aging time for the user group.
  Command: password-control aging aging-time
  Remarks: Optional. By default, the aging time of the user group is the same as the global password aging time.
Setting super password control parameters
CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels.
Task: Display information about users in the password control blacklist.
  Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Delete users from the password control blacklist.
  Command: reset password-control blacklist
  Remarks: Available in user view...
[Sysname] password-control aging 30
# Set the minimum password update interval to 36 hours.
[Sysname] password-control password update interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
User authentication timeout: 60 seconds
Maximum failed login attempts: 2 times
Login attempt-failed action: Lock
Minimum password update time: 36 hours
User account idle-time: 30 days
Login with aged password: 5 times in 60 day(s)
Password complexity: Enabled (username checking)
                     Enabled (repeated characters checking)
# Display the password control configuration information for super passwords.
Configuring HABP
Overview
The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 89, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.
Otherwise, the cluster management device will not be able to manage the devices attached to this member switch. For more information about the cluster function, see Network Management and Monitoring Configuration Guide.
Configuring HABP
Configuring the HABP server
An HABP server is usually configured on the authentication device enabled with 802.1X authentication or MAC address authentication.
Step: Specify the VLAN to which the HABP client belongs.
  Command: habp client vlan vlan-id
  Remarks: Optional. By default, an HABP client belongs to VLAN 1. The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
Figure 90 Network diagram
Configuration procedure
Configure Switch A:
# Perform 802.1X related configurations on Switch A (see "Configuring 802.1X").
# Enable HABP. (HABP is enabled by default. This configuration is optional.)
<SwitchA> system-view
[SwitchA] habp enable
# Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
[SwitchA] habp server vlan 1
# Set the interval at which the switch sends HABP request packets to 50 seconds.
<SwitchA> display habp
Global HABP information:
  HABP Mode: Server
  Sending HABP request packets every 50 seconds
  Bypass VLAN: 1
# Display HABP MAC address table entries.
<SwitchA> display habp table
Holdtime Receive Port
001f-3c00-0030 GigabitEthernet1/0/2
001f-3c00-0031 GigabitEthernet1/0/1...
Managing public keys
Overview
To protect data confidentiality during transmission, the data sender uses an algorithm and a key (a character string) to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 91.
Figure 91 Encryption and decryption
The keys that participate in the conversion between the plain text and the cipher text can be the same or...
Configuration task list
Public key configuration tasks enable you to manage the local asymmetric key pairs, and configure the peer host public keys on the local device. By completing these tasks, the local device is ready to work with applications such as SSH and SSL to implement data encryption/decryption, or digital signature. Complete these tasks to configure public keys:
Task Remarks...
Displaying or exporting the local host public key
In some applications, such as SSH, to allow your local device to be authenticated by a peer device through digital signature, you must display or export the local host public key, which will then be specified on the peer device.
Exporting the host public key in a specific format to a file
After you export and save the host public key in a specific format to a file, transfer the file to the peer device. To export and save the local host public key to a file:
Step Command Remarks...
Step: Manually configure the public key of the peer device.
  Remarks:
  • If the peer device is an H3C device, use the display public-key local public command. Otherwise, the manual configuration of a format-incompliant public key will fail.
Task: Display the local public keys.
  Command: display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the specified or all peer public keys on the local device.
  Command: display public-key peer [ brief | name publickey-name ] [ | { begin | exclude |...
  Remarks: Available in any view.
The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.
Importing a peer public key from a public key file
Network requirements
As shown in Figure 93, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature.
Time of Key pair created: 09:50:07 2012/03/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87
BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44
90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0
203010001
# Export the RSA host public key HOST_KEY to a file named devicea.pub.
[DeviceA] public-key local export rsa ssh2 devicea.pub
On Device A, enable the FTP server function, create an FTP user with the username ftp, password 123, and user level 3.
Key Name : devicea
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F
814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7
66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647
0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.
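The "Key code" that display public-key shows is a DER-encoded SubjectPublicKeyInfo, so the check that the key saved on Device B matches the one created on Device A can be done by decoding both blobs and comparing the RSA modulus and exponent rather than eyeballing hex. The following parser is an added example, not H3C code; the two key codes are the ones printed on this page (the 768-bit SERVER_KEY on Device A and the 1024-bit peer key "devicea" on Device B), and the SHA-1 digest it returns is over the DER bytes, which is not the device's own fingerprint format.

```python
"""Decode the RSA "Key code" shown by display public-key local/peer and compare
two copies. Added example, not H3C code. The key codes below are copied from
the page output (line wraps are stripped before decoding)."""
import hashlib

# SERVER_KEY key code as displayed on Device A (from the page).
KEY_CODE_DEVICE_A = """
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87
BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44
90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0
203010001
"""
# Peer key "devicea" (Key Module: 1024) as displayed on Device B (from the page).
KEY_CODE_DEVICE_B = """
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F
814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7
66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647
0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
"""
RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(key_code_hex: str) -> dict:
    """Parse a SubjectPublicKeyInfo (RFC 5280) carrying an RSAPublicKey (PKCS#1)."""
    der = bytes.fromhex("".join(key_code_hex.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_key, _ = _read_tlv(bit_string, 1)         # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _read_tlv(rsa_key, 0)          # INTEGER modulus
    _, e_bytes, _ = _read_tlv(rsa_key, pos)          # INTEGER publicExponent
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"bits": n.bit_length(), "e": e, "n": n,
            "sha1_of_der": hashlib.sha1(der).hexdigest()}


def same_key(key_code_a: str, key_code_b: str) -> bool:
    """True when both key codes carry the same RSA (n, e) pair."""
    a, b = parse_key_code(key_code_a), parse_key_code(key_code_b)
    return (a["n"], a["e"]) == (b["n"], b["e"])


if __name__ == "__main__":
    for label, code in (("Device A SERVER_KEY", KEY_CODE_DEVICE_A),
                        ("Device B peer key devicea", KEY_CODE_DEVICE_B)):
        info = parse_key_code(code)
        print(f"{label}: RSA-{info['bits']}, e={info['e']}, sha1={info['sha1_of_der']}")
    print("same key:", same_key(KEY_CODE_DEVICE_A, KEY_CODE_DEVICE_B))
```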
With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. H3C's PKI system provides certificate management for Secure Sockets Layer (SSL).
PKI terms
•...
such as phone, disk, and email. As different CAs might use different methods to examine the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request.
PKI architecture
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.
An entity submits a certificate request to the RA. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution point to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
Task: Deleting a certificate
  Remarks: Optional.
Task: Configuring an access control policy
  Remarks: Optional.
Configuring an entity DN
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.
Step: Configure the locality for the entity.
  Command: locality locality-name
  Remarks: Optional. No locality is specified by default.
Step: Configure the organization name for the entity.
  Command: organization org-name
  Remarks: Optional. No organization is specified by default.
Step: Configure the unit name for the entity.
  Command: organization-unit org-unit-name
  Remarks: Optional.
Configuration guidelines
• Up to two PKI domains can be created on a switch.
• The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.
• The certificate request URL does not support domain name resolution.
•...
An online certificate request can be submitted in manual mode or auto mode.
Submitting a certificate request in auto mode
IMPORTANT:
In auto mode, an entity does not automatically re-request a certificate to replace a certificate that is expiring or has expired. After the certificate expires, the service using the certificate might be interrupted.
In auto mode, an entity automatically requests a certificate from the CA server through SCEP if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves the certificate locally.
request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option.
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be abnormal.
• The configuration made by the pki retrieval-certificate command is not saved in the configuration file.
• Make sure the switch's system time falls in the validity period of the certificate so that the certificate is valid.
Configuration procedure
To retrieve a certificate manually:
Step Command Remarks...
Step: Set the CRL update period.
  Command: crl update-period hours
  Remarks: Optional. By default, the CRL update period depends on the next update field in the CRL file.
Step: Enable CRL checking.
  Command: crl check enable
  Remarks: Optional. Enabled by default.
Step: Return to system view.
  Command: quit
Step: Retrieve the CA certificate.
  Remarks: See "Retrieving a certificate...
For more information about the public-key local destroy command, see Security Command Reference.
Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. To delete a certificate:
Step Command...
Task: Display the contents or request status of a certificate.
  Command: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display CRLs.
  Command: display pki crl domain
Configure extended attributes:
After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
Configure the CRL distribution behavior:
After completing the configuration, you must perform CRL related configurations.
Apply for certificates:
# Retrieve the CA certificate and save it locally.
[Device] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
    fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
After the SCEP add-on installation completes, a URL is displayed, which you must configure on the switch as the URL of the server for certificate registration.
Modify the certificate service attributes:
Select Control Panel > Administrative Tools > Certificate Authority from the start menu. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.
Press CTRL+C to abort.
Input the bits in the modulus [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++
Apply for certificates:
# Retrieve the CA certificate and save it locally.
[Device] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
    fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
    SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4...
Figure 97 Network diagram
Configuration procedure
The configuration procedure involves SSL configuration and HTTPS configuration. For more information about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see Fundamentals Configuration Guide.
The PKI domain to be referenced by the SSL policy must exist. For how to configure a PKI domain, see "Configure the PKI domain."...
Apply the SSL server policy and certificate attribute access control policy to HTTPS service and enable HTTPS service:
# Apply SSL server policy myssl to HTTPS service.
[Device] ip https ssl-server-policy myssl
# Apply the certificate attribute access control policy of myacp to HTTPS service.
[Device] ip https certificate access-control-policy myacp
# Enable HTTPS service.
Solution
• Make sure the network connection is physically proper.
• Retrieve a CA certificate.
• Regenerate a key pair.
• Specify a trusted CA.
• Use the ping command to verify that the RA server is reachable.
• Specify the authority for certificate request.
•...
Configuring IPsec
The term "router" in this document refers to both routers and switches.
A switch in IRF mode does not support IPsec automatic negotiation.
IKE configuration is available only for the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS."...
Standard (AES), and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
Figure 98 Encapsulation by security protocols in different modes
Authentication algorithms and encryption algorithms
Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
IPsec for IPv6 routing protocols You can use IPsec to protect routing information and defend against attacks for IPv6 routing protocols. The S5500-EI switches support using IPsec for OSPFv3, IPv6 BGP, and RIPng; the S5500-SI switches only support using IPsec for RIPng. IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol.
Feature restrictions and guidelines
ACL-based IPsec can protect only traffic that is generated by the device and traffic that is destined for the device. You cannot use an ACL-based IPsec tunnel to protect user traffic. In the ACL that is used to identify IPsec protected traffic, ACL rules that match traffic forwarded through the device do not take effect.
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. For the outbound traffic, IPsec uses the source and destination IP addresses specified in the rule to match the source and destination IP addresses of the traffic. For the returned inbound traffic, IPsec uses the destination IP address and the source IP address specified in the rule to match the source IP address and the destination IP address of the traffic.
For more information about ACL configuration, see ACL and QoS Configuration Guide. NOTE: To use IPsec in combination with QoS, make sure IPsec's ACL classification rules match the QoS classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA to different queues, causing packets to be sent out of order.
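The mirrored matching rule above (one ACL rule covers the outbound flow and the returned inbound flow) is easy to get wrong when reviewing a configuration, so the following added example, which is not H3C code, applies it to rules written in the page's own "rule N permit ip source A wildcard destination B wildcard" syntax. The parser accepts only that form, and the bare wildcard "0" (all bits must match) is expanded to 0.0.0.0 as an assumption about the CLI shorthand; the sample rules are constructed.

```python
"""Outbound and mirrored-inbound matching of IPsec ACL rules, as described on
this page. Added example, not H3C code. Only 'rule N permit ip source A
wildcard destination B wildcard' is parsed; a bare '0' wildcard is taken to
mean 0.0.0.0 (every bit must match), which is an assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AclRule:
    number: int
    src: IPv4Address
    src_wildcard: IPv4Address   # wildcard bits set to 1 are ignored in the compare
    dst: IPv4Address
    dst_wildcard: IPv4Address


def _wildcard(text: str) -> IPv4Address:
    """Accept the CLI shorthand '0' as well as dotted-quad wildcards."""
    return IPv4Address("0.0.0.0") if text == "0" else IPv4Address(text)


def parse_rule(line: str) -> AclRule:
    """Parse e.g. 'rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0'."""
    t = line.split()
    if len(t) != 10 or t[0] != "rule" or t[2:4] != ["permit", "ip"] \
            or t[4] != "source" or t[7] != "destination":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return AclRule(int(t[1]), IPv4Address(t[5]), _wildcard(t[6]),
                   IPv4Address(t[8]), _wildcard(t[9]))


def _addr_match(addr: IPv4Address, ref: IPv4Address, wildcard: IPv4Address) -> bool:
    """Compare only the bits that are 0 in the wildcard."""
    mask = 0xFFFFFFFF ^ int(wildcard)
    return (int(addr) & mask) == (int(ref) & mask)


def classify(rules, src: str, dst: str):
    """Return (rule number, 'outbound' | 'inbound') for the first rule that
    matches the packet directly or as the returned flow, else None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in rules:
        # Outbound: packet source/destination against the rule's source/destination.
        if _addr_match(s, r.src, r.src_wildcard) and _addr_match(d, r.dst, r.dst_wildcard):
            return (r.number, "outbound")
        # Returned inbound: packet source against the rule's destination and
        # packet destination against the rule's source (the mirrored check).
        if _addr_match(s, r.dst, r.dst_wildcard) and _addr_match(d, r.src, r.src_wildcard):
            return (r.number, "inbound")
    return None


# Constructed sample: the page's host-to-host rule plus a wildcarded subnet rule.
SAMPLE_RULES = [
    parse_rule("rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0"),
    parse_rule("rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255"),
]

if __name__ == "__main__":
    for flow in (("2.2.2.1", "2.2.3.1"), ("2.2.3.1", "2.2.2.1"),
                 ("10.2.2.7", "10.1.1.9"), ("2.2.2.1", "2.2.9.9")):
        print(flow, "->", classify(SAMPLE_RULES, *flow))
```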
Step: Specify the IP packet encapsulation mode for the IPsec proposal.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:
• You do not need to configure ACLs or IPsec tunnel addresses.
• Within a certain routed network scope, the SAs on all devices must use the same SPI and keys. For...
Step: Configure keys properly for the security protocol (AH or ESP) you have specified.
  Command:
  • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher string-key | simple hex-key ]
  • Configure an authentication key in characters for AH: sa string-key { inbound |...
• An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view.
• When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.
•...
the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped. During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group.
according to the original IPsec process: search the policy group or policy at the interface, and then the matched tunnel. The session processing mechanism of IPsec saves intermediate matching procedures, improving the IPsec forwarding efficiency.
To set the IPsec session idle timeout:
Step Command Remark...
Step: Enter system view.
  Command: system-view
Step: Enable IPsec anti-replay checking.
  Command: ipsec anti-replay check
  Remarks: Optional. Enabled by default.
Step: Set the size of the IPsec anti-replay window.
  Command: ipsec anti-replay window width
  Remarks: Optional. 32 by default.
CAUTION:
• IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled.
•...
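What the anti-replay window actually does for an SA, and why the CAUTION above matters, is easiest to see on a sequence-number trace. The following sliding-window checker is an added example, not H3C code: it follows the RFC 4303 Appendix A bitmap scheme with the page's default width of 32, and whether the switch implements the window exactly this way is an assumption. The sequence trace fed to it is constructed.

```python
"""Sliding anti-replay window for an IPsec SA, in the spirit of the
ipsec anti-replay check / window commands above. Added example, not H3C
code; the bitmap logic follows RFC 4303 Appendix A and is an assumption
about the device's internals. Sequence numbers start at 1."""


class AntiReplayWindow:
    def __init__(self, width: int = 32):       # page default: 32
        if width < 1:
            raise ValueError("window width must be positive")
        self.width = width
        self.top = 0         # highest sequence number accepted so far
        self.bitmap = 0      # bit i set means sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq when it is new and within the window.
        Return False for a replay (already seen) or a packet left of the window."""
        if seq <= 0:
            return False                             # 0 is never a valid sequence number
        if seq > self.top:
            # Right of the window: slide it forward so seq becomes the new top.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1                      # every older packet drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.width:
            return False                             # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                             # duplicate: replayed packet
        self.bitmap |= 1 << offset                   # late but new: accept and mark
        return True


def replay_trace(seq_numbers, width: int = 32) -> list:
    """Run a sequence of ESP/AH sequence numbers through one window and
    return the accept (True) / reject (False) verdict for each."""
    window = AntiReplayWindow(width)
    return [window.check_and_update(s) for s in seq_numbers]


# Constructed trace: in-order packets, one replay, one late packet, a jump
# past the window, two packets that are now too old, one replay of the top.
SAMPLE_TRACE = [1, 2, 3, 3, 5, 4, 40, 7, 8, 9, 40]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_TRACE, replay_trace(SAMPLE_TRACE)):
        print(f"seq {seq:3d}: {'accept' if ok else 'REJECT'}")
```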
Task: Applying an IPsec policy to an IPv6 routing protocol
  Remarks: Required. See Layer 3—IP Routing Configuration Guide.
Displaying and maintaining IPsec
Task: Display IPsec policy information.
  Command: display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin |...
  Remarks: Available in any view.
Figure 99 Network diagram
Configuration procedure
Configure Switch A:
# Assign an IP address to VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Define an ACL to identify data flows between Switch A and Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-adv-3101] rule 5 permit ip source 2.2.3.1 0 destination 2.2.2.1 0...
[SwitchA-Vlan-interface1] ipsec policy map1
Configure Switch B:
# Assign an IP address to VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Define an ACL to identify data flows between Switch B and Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-acl-adv-3101] rule 5 permit ip source 2.2.2.1 0 destination 2.2.3.1 0...
IPsec for RIPng configuration example
The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see Layer 3—IP Routing Configuration Guide. Only the S5500-EI switches support IPsec for OSPFv3 and IPv6 BGP.
Network requirements
As shown in Figure...
[SwitchA] ipsec policy policy001 10 manual
[SwitchA-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchA-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchA] ripng 1
[SwitchA-ripng-1] enable ipsec-policy policy001
[SwitchA-ripng-1] quit...
# Assign an IPv6 address to each interface. (Details not shown)
# Create a RIPng process and enable it on VLAN-interface 200.
<SwitchC> system-view
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit
# Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
IPsec policy name: policy001, SPI: 123456
Using the display ipsec sa command on Switch A, you will see the information about the inbound and outbound SAs.
<SwitchA> display ipsec sa
===============================
Protocol: RIPng
===============================
-----------------------------
IPsec policy name: "policy001"
sequence number: 10
mode: manual
-----------------------------
connection id: 1...
Configuring IKE
This feature is applicable only to the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS."
Overview
Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.
Figure 101 IKE exchange process in main mode
As shown in Figure 101, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange, used for negotiating the security policy.
• Key exchange, used for exchanging the Diffie-Hellman public value and other values like the...
Relationship between IKE and IPsec
Figure 102 Relationship between IKE and IPsec
Figure 102 illustrates the relationship between IKE and IPsec:
• IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
• IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
•...
Task: Configuring an IKE peer
  Remarks: Required.
Task: Setting keepalive timers
  Remarks: Optional.
Task: Setting the NAT keepalive timer
  Remarks: Optional.
Task: Configuring a DPD detector
  Remarks: Optional.
Task: Disabling next payload field checking
  Remarks: Optional.
Configuring a name for the local security gateway
If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (the id-type name or id-type user-fqdn command is configured on the initiator), configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.
Step: Specify an encryption algorithm for the IKE proposal.
  Command: encryption-algorithm aes-cbc [ key-length ]
  Remarks: Optional. The default is AES-CBC-128.
Step: Specify an authentication method for the IKE proposal.
  Command: authentication-method { pre-share | rsa-signature }
  Remarks: Optional. Pre-shared key by default.
Step: Specify an authentication...
  Remarks: Optional.
Step: Enter system view.
  Command: system-view
Step: Create an IKE peer and enter IKE peer view.
  Command: ike peer peer-name
Step: Specify the IKE negotiation mode for phase 1.
  Command: exchange-mode main
  Remarks: Optional. The default is main.
Step: Specify the IKE proposals for...
  Command: proposal proposal-number&<1-6>...
  Remarks: Optional. By default, an IKE peer references no IKE proposals, and, when...
Step: Apply a DPD detector to the IKE peer.
  Command: dpd dpd-name
  Remarks: Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a DPD detector."
NOTE:
After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs.
Step: Set the NAT keepalive interval.
  Command: ike sa nat-keepalive-timer interval seconds
  Remarks: 20 seconds by default.
Configuring a DPD detector
Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
Displaying and maintaining IKE
Task: Display IKE DPD information.
  Command: display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display IKE peer information.
  Command: display ike peer [ peer-name ] [ | { begin |...
  Remarks: Available in any view.
[SwitchA] ipsec proposal tran1
# Set the packet encapsulation mode to tunnel.
[SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel
# Use security protocol ESP.
[SwitchA-ipsec-proposal-tran1] transform esp
# Specify encryption and authentication algorithms.
[SwitchA-ipsec-proposal-tran1] esp encryption-algorithm aes 128
[SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-proposal-tran1] quit
# Create an IKE proposal numbered 10.
[SwitchB] interface Vlan-interface1
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure ACL 3101 to identify traffic between Switch B and Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0
[SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchB-acl-adv-3101] quit
# Create IPsec proposal tran1.
# Reference IKE peer peer.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy to VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec policy use1
Verifying the configuration
After the above configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with Switch B when receiving the first packet.
Solution
For the negotiation in phase 1, look up the IKE proposals for a match. For the negotiation in phase 2, check whether the parameters of the IPsec policies applied on the interfaces are matched, and whether the referred IPsec proposals have a match in protocol, encryption and authentication algorithms.
Failing to establish an IPsec tunnel
Symptom
The expected IPsec tunnel cannot be established.
Configuring SSH2.0
Overview
Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
After receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the server’s protocol version is lower and supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the server of the protocol version that it decides to use.
In the interaction stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be within 2000 bytes. H3C recommends that you paste commands in the same view. Otherwise, the server might not be able to execute the commands correctly.
As shown in Figure 104, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the services of the two VPNs isolated. After a PE is enabled with the SSH client function, it can establish SSH connections with CEs in different VPNs that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log files.
Configuration guidelines
• To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
• When an SSH user logs in to the switch, RSA key pairs can be automatically generated if no local DSA or RSA key pairs are configured on the switch.
Before importing the public key, you must upload the public key file (in binary) to the server through FTP or TFTP.
NOTE:
H3C recommends that you configure a client public key by importing it from a public key file. For more information about client public key configuration, see "Managing public keys."...
Step: Return to public key view and save the configured host public key.
  Command: public-key-code end
  Remarks: When you exit public key code view, the system automatically saves the public key.
Step: Return to system view.
  Command: peer-public-key end
Importing a client public key from a public key file
Step: Enter system view.
If publickey authentication is used, either with or without password authentication, the working folder is set by using the ssh user command.
• If you change the authentication mode or public key for an SSH user that has been logged in, the...
Step: Enter system view.
  Command: system-view
Step: Enable the SSH server to support SSH1 clients.
  Command: ssh server compatible-ssh1x [ enable ]
  Remarks: Optional. By default, the SSH server supports SSH1 clients. This command is not available in FIPS mode.
Step: Set the RSA server key pair update interval.
  Command: ssh server rekey-interval hours
  Remarks: Optional. By default, the interval is 0, and the RSA server key pair is not updated.
Task: Configuring whether first-time authentication is supported
  Remarks: Optional.
Task: Establishing a connection between the SSH client and server
  Remarks: Required.
Task: Setting the DSCP value for packets sent by the SSH client
  Remarks: Optional.
Specifying a source IP address/interface for the SSH client
This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability.
Setting the DSCP value for packets sent by the SSH client
A field in an IPv4 or IPv6 header contains 8 bits and is used to identify the service type of an IP packet. In an IPv4 packet, this field is called "Type of Service (ToS)." In an IPv6 packet, this field is called "Traffic class."...
For more information about the display public-key local and display public-key peer commands, see Security Command Reference.
SSH server configuration examples
Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode.
When the switch acts as a server for password authentication
Network requirements
As shown in Figure...
# Configure an IP address for VLAN-interface 1. This address will serve as the destination of the SSH connection.
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface1] quit
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
# Enable the user interfaces to support SSH.
Figure 106 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the configuration interface of the server.
Generate the RSA key pairs on the SSH client:
Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 108 Generating the key pair on the client
When the generator is generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 109.
Figure 109 Generating process
After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
Figure 110 Saving the key pair on the client...
Click Save private key to save the private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case).
Transmit the public key file to the server through FTP or TFTP.
# Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
Specify the private key file and establish a connection to the SSH server:
Launch PuTTY.exe to enter the interface as shown in Figure 111.
Figure 112 Specifying the private key file
Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server.
SSH client configuration examples
Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode.
# Generate the RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] quit
# Establish a connection between the SSH client and the SSH server:
If the client supports first-time authentication, you can directly establish a connection from the client to the server.
[SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D
[SwitchA-pkey-key-code]485348
[SwitchA-pkey-key-code] public-key-code end
[SwitchA-pkey-public-key] peer-public-key end
# Specify the host public key for the SSH server 10.165.87.136 as key1.
[SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
[SwitchA] quit
# Establish an SSH connection to server 10.165.87.136.
<SwitchA>...
+++++++++++++++++++++++++++++++++++
# Export the DSA public key to file key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
Then, transmit the public key file to the server through FTP or TFTP.
Configure the SSH server:
# Generate the RSA key pairs.
<SwitchB>...
# Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
Establish an SSH connection to the server 10.165.87.136.
<SwitchA> ssh2 10.165.87.136
Username: client002
Trying 10.165.87.136 ...
Configuring SFTP
Overview
The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
To enable the SFTP server:
Step: Enter system view.  Command: system-view
Step: Enable the SFTP server.  Command: sftp server enable  Remarks: Disabled by default.
Configuring the SFTP connection idle timeout period
Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.
Step: Display the current working directory of the remote SFTP server.  Command: ...  Remarks: Optional.
Step: Display files under a directory.  Command: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]  Remarks: Optional. The dir command functions as the ls command.
Displaying help information
This configuration task displays a list of all commands or the help information of an SFTP client command, such as the command format and parameters.
To display a list of all commands or the help information of an SFTP client command:
Step Command Remarks...
SFTP client configuration example
Unless otherwise noted, devices in the configuration example are operating in non-FIPS mode.
Network requirements
As shown in Figure 115, an SSH connection is required between Switch A and Switch B. Switch A, an SFTP client, needs to log in to Switch B for file management and file transfer. Use publickey authentication and the RSA public key algorithm.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++
++++++++++++++
+++++
++++++++
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp-client>
# Display files under the current directory of the server, delete the file named z, and check if the file has been deleted successfully.
sftp-client>...
Remote file:/pubkey2 ---> Local file: public
Downloading file successfully ended
# Upload the local file pu to the server, save it as puk, and check if the file has been uploaded successfully.
sftp-client> put pu puk
Local file:pu ---> Remote file: /puk
Uploading file successfully ended
sftp-client>...
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++
++++++++++++++
+++++
++++++++
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Run psftp.exe to launch the client interface as shown in Figure 117, and enter the following command:
open 192.168.1.45
Enter username client002 and password aabbcc as prompted to log in to the SFTP server.
Figure 117 SFTP client interface...
Configuring SCP
Overview
Secure copy (SCP) is based on SSH2.0 and offers a secure approach to copying files. SCP uses SSH connections for copying files. The switch can act as the SCP server, allowing a user to log in to the switch for file upload and download. The switch can also act as an SCP client, enabling a user to log in from the switch to a remote server for secure file transfer.
Configuring the switch as the SCP client
To upload or download files to or from an SCP server:
Step: Upload a file to the IPv4 SCP server.  Command (in non-FIPS mode): scp server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
Configuration procedure
# Create VLAN-interface 1 and assign an IP address to it.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Download the file remote.bin from the SCP server, save it locally and change the file name to local.bin.
<SwitchA>...
# Generate the DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
Configuring SSL
Overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and online banking to ensure secure data transmission over the Internet.
SSL security mechanism
Secure connections provided by SSL have these features:
• Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the key...
Figure 121 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.
• SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
Step: Enter system view.  Command: system-view
Step: Create an SSL server policy and enter its view.  Command: ssl server-policy policy-name
Step: ...  Command: ...  Remarks: Optional. By default, no PKI domain is specified for an SSL server policy. The SSL server generates a certificate itself instead of requesting one from the CA.
Step: Enable the SSL server to perform digital certificate-based authentication for SSL clients.  Command: client-verify enable  Remarks: Optional. By default, the SSL server does not require clients to be authenticated.
Step: Enable SSL client weak authentication.  Command: client-verify weaken  Remarks: Optional. Disabled by default. This command takes effect only...
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier ca server
[Device-pki-domain-1] certificate request url...
Configuring an SSL client policy
An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.
To configure an SSL client policy:
Step Command...
Task: Display SSL server policy information.  Command: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]  Remarks: Available in any view
Task: Display SSL client policy information.  Command: display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]  Remarks: Available in any view
Configuring TCP attack protection
Overview
An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature.
Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three-way handshake. The request originator sends a SYN message to the target server.
Task: Display current TCP connection state.  Command: display tcp status [ | { begin | exclude | include } regular-expression ]  Remarks: Available in any view...
Configuring IP source guard
Overview
IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the source IP address and source MAC address of the packet.
IP source guard entries fall into the following types:
•...
Global static binding entry
A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all ports. A port forwards a packet when the packet's IP address and MAC address both match those of a global static binding entry or a static binding entry configured on the port.
Configuring the IPv4 source guard function
You cannot enable IPv4 source guard on a link aggregation member port or a service loopback group. If IPv4 source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.
Configuring a static IPv4 source guard entry
Static IPv4 binding entries take effect only on the ports configured with the IPv4 source guard function (see "Configuring IPv4 source guard on a port"). Port-based static IPv4 source guard entries and dynamic IPv4 source guard entries take precedence over global static IPv4 source guard entries.
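The binding-entry lookup described above (global static entries effective on every port that has source guard enabled, port-based static and dynamic entries taking precedence over them, filtering on the IP address alone or on IP plus MAC), as an added Python model that is not H3C code. The GigabitEthernet 1/0/2 binding reproduces the Device B configuration from the static IPv4 example later in this chapter; the IP-only port, the global entry and the packets are constructed, and the reading that a port-based entry for the same IP address decides the verdict before any global entry is consulted is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """A MAC-IP binding entry (static or learned)."""
    ip: str
    mac: str


@dataclass
class GuardedPort:
    """A port on which IPv4 source guard is enabled ("ip verify source ...")."""
    name: str
    check_mac: bool   # True: "ip-address mac-address" mode, False: "ip-address" mode
    static: List[Binding] = field(default_factory=list)   # port-based static entries
    dynamic: List[Binding] = field(default_factory=list)  # DHCP snooping / DHCP relay entries


class IpSourceGuard:
    def __init__(self) -> None:
        # Global static entries are configured in system view and apply to all guarded ports.
        self.global_static: List[Binding] = []
        self.ports: Dict[str, GuardedPort] = {}

    def enable_port(self, port: GuardedPort) -> None:
        self.ports[port.name] = port

    def add_global_static(self, ip: str, mac: str) -> None:
        self.global_static.append(Binding(ip, mac))

    @staticmethod
    def _match(entry: Binding, ip: str, mac: str, check_mac: bool) -> bool:
        # In "ip-address" mode only the IP address is compared.
        return entry.ip == ip and (not check_mac or entry.mac.lower() == mac.lower())

    def permit(self, port_name: str, src_ip: str, src_mac: str) -> Tuple[bool, str]:
        """Return (forward?, reason) for an IP packet received on port_name."""
        port = self.ports.get(port_name)
        if port is None:
            # Binding entries take effect only on ports with source guard enabled.
            return True, "source guard not enabled on port"
        # Port-based static and dynamic entries take precedence over global entries.
        # Assumed reading: if such an entry binds this IP address, it alone decides.
        for kind, entries in (("port static", port.static), ("dynamic", port.dynamic)):
            same_ip = [e for e in entries if e.ip == src_ip]
            if same_ip:
                if any(self._match(e, src_ip, src_mac, port.check_mac) for e in same_ip):
                    return True, f"{kind} entry matched"
                return False, f"{kind} entry binds {src_ip} to another MAC"
        if any(self._match(e, src_ip, src_mac, port.check_mac) for e in self.global_static):
            return True, "global static entry matched"
        return False, "no binding entry matches"


def build_device_b() -> IpSourceGuard:
    """GigabitEthernet 1/0/2 checks IP and MAC and binds 192.168.0.1 to 0001-0203-0406 (from
    the static IPv4 example). The IP-only port and the global entry are constructed here."""
    sg = IpSourceGuard()
    sg.enable_port(GuardedPort("GigabitEthernet1/0/2", check_mac=True,
                               static=[Binding("192.168.0.1", "0001-0203-0406")]))
    sg.enable_port(GuardedPort("GigabitEthernet1/0/3", check_mac=False))
    sg.add_global_static("192.168.0.50", "000f-e200-0001")   # constructed global entry
    return sg


if __name__ == "__main__":
    sg = build_device_b()
    for port, ip, mac in [("GigabitEthernet1/0/2", "192.168.0.1", "0001-0203-0406"),
                          ("GigabitEthernet1/0/2", "192.168.0.1", "0001-0203-0499"),
                          ("GigabitEthernet1/0/2", "192.168.0.50", "000f-e200-0001"),
                          ("GigabitEthernet1/0/3", "192.168.0.50", "1234-5678-9abc"),
                          ("GigabitEthernet1/0/1", "10.0.0.1", "1234-5678-9abc")]:
        print(port, ip, mac, sg.permit(port, ip, mac))
```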
Step: Set the maximum number of IPv4 binding entries allowed on the port.  Command: ... number  Remarks: By default, the maximum number is 1500 on the S5500-EI series and 640 on the S5500-SI series.
Configuring the IPv6 source guard function
You cannot enable IPv6 source guard on a link aggregation member port or a service loopback port. If IPv6 source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.
• To obtain dynamic IPv6 source guard entries, make sure that DHCPv6 snooping or ND snooping is configured and works normally. For DHCPv6 and ND snooping configuration information, see Layer 3—IP Services Configuration Guide.
• If you configure both ND snooping and DHCPv6 snooping on the device, IPv6 source guard uses the type of entries that were generated first.
Step: Configure a global static IPv6 binding entry.  Command: ipv6 source binding ipv6-address ipv6-address mac-address mac-address  Remarks: No global static IPv6 binding entry is configured by default.
Configuring port-based static IPv6 binding entries
Follow these guidelines to configure port-based static IPv6 source guard entries:
• You cannot configure the same static binding entry on one port repeatedly, but you can configure...
Step: Set the maximum number of IPv6 binding entries allowed on the port.  Command: ... number  Remarks: By default, the maximum number is 1500 on the S5500-EI series and 640 on the S5500-SI series.
Displaying and maintaining IP source guard
For IPv4 source guard:...
Device A, and Device B is connected to port GigabitEthernet 1/0/1 of Device A. All hosts use static IP addresses. Configure static IPv4 source guard entries on Device A and Device B to meet the following requirements:
• On port GigabitEthernet 1/0/2 of Device A, only IP packets from Host C can pass.
•...
# Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
# Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Figure 125 Network diagram
Configuration procedure
Configure DHCP snooping.
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
Dynamic IPv4 source guard using DHCP relay configuration example
Network requirements
As shown in Figure 126, the host and the DHCP server are connected to the switch through interfaces VLAN-interface 100 and VLAN-interface 200 respectively. DHCP relay is enabled on the switch. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP server through the DHCP relay agent.
Total entries found: 1
MAC Address IP Address VLAN Interface Type
0001-0203-0406 192.168.0.1 Vlan100 DHCP-RLY
Static IPv6 source guard configuration example
Network requirements
As shown in Figure 127, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a static IPv6 source guard entry for GigabitEthernet 1/0/1 of the device to allow only packets from the host to pass.
Enable the IPv6 source guard function on the device's port GigabitEthernet 1/0/1 to filter packets based on DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through the DHCP server to pass.
Figure 128 Network diagram
Configuration procedure
Configure DHCPv6 snooping:
# Enable DHCPv6 snooping globally.
Dynamic IPv6 source guard using ND snooping configuration example
Network requirements
As shown in Figure 129, the client is connected to the device through port GigabitEthernet 1/0/1. Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. Enable the IPv6 source guard function on port GigabitEthernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.
Global static IP source guard configuration example
Network requirements
As shown in Figure 130, Device A is a distribution layer device. Device B is an access device. Host A in VLAN 10 and Host B in VLAN 20 communicate with each other through Device A.
• Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A...
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/3] quit
# Configure global static IP binding entries to prevent attack packets that exploit the IP address or MAC address of Host A and Host B from being forwarded.
Configuring ARP attack protection
Only the S5500-EI switches support Layer 3 Ethernet port configuration. The term "interface" in this chapter collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide).
Task: Configuring ARP active acknowledgement  Remarks: Optional. Configure this function on gateways (recommended).
Task: Configuring ARP detection  Remarks: Optional. Configure this function on access devices (recommended).
Task: Configuring ARP automatic scanning and fixed ARP  Remarks: Optional. Configure this function on gateways (recommended).
Task: Configuring ARP gateway protection  Remarks: Optional. Configure this function on access devices (recommended).
Enabling ARP black hole routing
Step: Enter system view.  Command: system-view
Step: Enable ARP black hole routing.  Command: arp resolving-route enable  Remarks: Optional. Enabled by default.
Displaying and maintaining ARP defense against IP packet attacks
Task: Display ARP source suppression...  Command: display arp source-suppression [ | { begin | exclude | include }...  Remarks: Available in any view...
Figure 131 Network diagram (IP network; gateway device with VLAN 10 and VLAN 20; Host A, Host B, Host C and Host D in the R&D office)
Configuration considerations
If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps:
Enable ARP source suppression.
enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected to the CPU for checking. As a result, the device fails to deliver other functions properly or even crashes. To solve this problem, you can configure ARP packet rate limit. Enable this feature after the ARP detection or ARP snooping feature is configured, or use this feature on its own to prevent ARP flood attacks.
Configuring source MAC address based ARP attack detection
With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in 5 seconds than the specified threshold.
Task: Display attacking MAC addresses detected by source MAC address based ARP attack detection.  Command: display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]  Remarks: Available in any view
Configuration example
Network requirements
As shown in...
[Device] arp anti-attack source-mac filter
# Set the threshold to 30.
[Device] arp anti-attack source-mac threshold 30
# Set the age timer for detection entries to 60 seconds.
[Device] arp anti-attack source-mac aging-time 60
# Configure 0012-3f86-e94c as a protected MAC address.
[Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC address consistency check...
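The detection rule described above (an attack is declared when one source MAC sends more ARP packets within 5 seconds than the threshold; detected MACs are held in ageing entries and, in filter mode, their ARP packets are dropped while the entry exists), as an added Python model that is not H3C code. The threshold of 30, the 60-second age timer and the protected MAC 0012-3f86-e94c come from the configuration above; the packet trace is constructed, and the choice not to refresh an entry's timer on further packets is an assumption.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

WINDOW_SECONDS = 5.0   # the detection window given in the text


@dataclass
class ArpSourceMacDetector:
    threshold: int = 30              # arp anti-attack source-mac threshold
    aging_time: float = 60.0         # arp anti-attack source-mac aging-time (seconds)
    filter_mode: bool = True         # True: "filter" handling, False: "monitor" (log only)
    excluded: Set[str] = field(default_factory=set)   # arp anti-attack source-mac exclude-mac
    _arrivals: Dict[str, Deque[float]] = field(default_factory=dict, init=False)
    _detected_until: Dict[str, float] = field(default_factory=dict, init=False)

    def _expire(self, now: float) -> None:
        # Detection entries age out after aging_time (never refreshed here: assumption).
        for mac in [m for m, until in self._detected_until.items() if until <= now]:
            del self._detected_until[mac]

    def on_arp_packet(self, now: float, src_mac: str) -> str:
        """Handle one ARP packet delivered to the CPU; return "forward" or "drop"."""
        self._expire(now)
        mac = src_mac.lower()
        if mac in self.excluded:
            return "forward"                       # protected MAC, never checked
        if mac in self._detected_until:
            return "drop" if self.filter_mode else "forward"
        window = self._arrivals.setdefault(mac, deque())
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                       # keep only the last 5 seconds
        if len(window) > self.threshold:
            self._detected_until[mac] = now + self.aging_time
            window.clear()
            return "drop" if self.filter_mode else "forward"
        return "forward"

    def detected_macs(self, now: float) -> List[str]:
        """Entries that "display arp anti-attack source-mac" would list at time now."""
        self._expire(now)
        return sorted(self._detected_until)


def replay(trace: List[Tuple[float, str]], detector: ArpSourceMacDetector) -> Dict[str, int]:
    """Replay (timestamp, source MAC) pairs in time order; return dropped packets per MAC."""
    drops: Dict[str, int] = {}
    for ts, mac in sorted(trace):
        if detector.on_arp_packet(ts, mac) == "drop":
            drops[mac] = drops.get(mac, 0) + 1
    return drops


def demo() -> Tuple[Dict[str, int], List[str], List[str]]:
    """Constructed trace: one host floods 40 ARP packets in 2 s, the protected MAC does the
    same, and a normal host sends one ARP packet per second for 10 s."""
    det = ArpSourceMacDetector(threshold=30, aging_time=60.0, filter_mode=True,
                               excluded={"0012-3f86-e94c"})
    trace = [(0.05 * i, "000f-e2aa-0001") for i in range(40)]
    trace += [(0.05 * i, "0012-3f86-e94c") for i in range(40)]
    trace += [(float(i), "000f-e2bb-0002") for i in range(10)]
    drops = replay(trace, det)
    # The flooding MAC is detected on its 31st packet; that one and the 9 that follow are
    # dropped, the entry is visible at t=10 s and has aged out by t=70 s.
    return drops, det.detected_macs(10.0), det.detected_macs(70.0)


if __name__ == "__main__":
    print(demo())   # ({'000f-e2aa-0001': 10}, ['000f-e2aa-0001'], [])
```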
• At least one of the configured rules, static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries must be available for user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
Step: Enter system view.  Command: system-view
Step: Enter VLAN view.  Command: vlan vlan-id
Step: Enable ARP detection for the VLAN.  Command: arp detection enable  Remarks: Disabled by default.
Step: Return to system view.  Command: quit
Step: Enable ARP packet validity check and specify the objects to check.  Command: arp detection validate { dst-mac | ip |...  Remarks: Disabled by default.
User validity check configuration example
Network requirements
As shown in Figure 133, configure Switch B to perform user validity check based on 802.1X security entries for connected hosts.
Figure 133 Network diagram
Configuration procedure
Add all ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A.
[SwitchB-luser-test] password simple test
[SwitchB-luser-test] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] arp detection trust
[SwitchB-GigabitEthernet1/0/3] quit...
Configure Host A as a DHCP client, and Host B as a user. (Details not shown.)
Configure Switch B:
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/3] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port (a port is an untrusted port by default).
Figure 135 Network diagram
Configuration procedure
Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 131. (Details not shown.)
Configure DHCP address pool 0 on Switch A as a DHCP server.
<SwitchA>...
ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. H3C recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static ARP entries.
•...
Step: Enable ARP gateway protection for a specific gateway.  Command: arp filter source ip-address  Remarks: Disabled by default
Configuration example
Network requirements
As shown in Figure 136, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
Configuration guidelines
Follow these guidelines when you configure ARP filtering:
• You can configure up to eight ARP filtering entries on a port.
• The arp filter source and arp filter binding commands cannot both be configured on a port.
• If ARP filtering works with ARP detection and ARP snooping, ARP filtering applies first.
•...
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349-1233, and discard other ARP packets. GigabitEthernet 1/0/2 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.9 and 000f-e349-1233 and discard other ARP packets.
Configuring ND attack defense
Overview
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery, address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, H3C developed the source MAC consistency check and ND detection features.
Enabling source MAC consistency check for ND...
Configuration guidelines
Follow these guidelines when you configure ND detection:
• To create IPv6 static bindings with IP source guard, use the ipv6 source binding command. For more information, see "Configuring IP source guard."
• The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, see Layer 3—IP Services Configuration Guide.
ND detection configuration example
Network requirements
As shown in Figure 139, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607.
Configuring URPF
The term "router" in this feature refers to both routers and Layer 3 switches.
NOTE: The S5500-SI switch series does not support configuring URPF.
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
Figure 141 URPF work flow (flow chart: checks whether the source address is a broadcast or all-zero address and whether the destination address is a broadcast address, whether the source address matches a FIB entry, whether a default route exists, whether the check mode is loose, and whether the matching route is a direct route; the decisions are listed as steps below)
For other packets, URPF proceeds to step 2.
URPF checks whether the source address matches a FIB entry: if yes, it proceeds to step 3; if not, it proceeds to step 6.
URPF checks whether the check mode is loose: if yes, it proceeds to step 8. If not, URPF checks whether the matching route is a direct route: if yes, it proceeds to step 5;...
Step: Enable URPF check globally.  Command: ip urpf { loose | strict }  Remarks: Disabled by default
NOTE:
• The routing table size decreases by half when URPF is enabled on the H3C S5500-EI&S5500-SI switches.
• To prevent loss of routes and packets, URPF cannot be enabled if the number of route entries the switch maintains exceeds half the routing table size.
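The URPF decision described in the work flow above (discard broadcast or all-zero source addresses and broadcast destinations, look the source address up in the FIB, pass in loose mode whenever a route exists, and in strict mode only when the route leads back out the receiving interface), as an added Python model that is not H3C code. The FIB, interface names and packets are constructed; the excerpt does not show how the default-route branch ends, so it is an explicit option here, and the direct-route steps are folded into the interface comparison.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    out_interface: str


class Fib:
    def __init__(self, entries: List[FibEntry]) -> None:
        self.entries = entries

    def longest_match(self, addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
        """Longest-prefix match, ignoring the default route (handled separately)."""
        best: Optional[FibEntry] = None
        for e in self.entries:
            if e.prefix.prefixlen and addr in e.prefix and \
                    (best is None or e.prefix.prefixlen > best.prefix.prefixlen):
                best = e
        return best

    def default_route(self) -> Optional[FibEntry]:
        return next((e for e in self.entries if e.prefix.prefixlen == 0), None)


BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ALL_ZERO = ipaddress.IPv4Address("0.0.0.0")


def urpf_check(fib: Fib, mode: str, in_interface: str, src: str, dst: str,
               allow_default_route: bool = False) -> Tuple[bool, str]:
    """Return (pass, reason); mode is "strict" or "loose" as in ip urpf { loose | strict }."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Step 1: broadcast or all-zero source, or broadcast destination: discard.
    if s in (BROADCAST, ALL_ZERO) or d == BROADCAST:
        return False, "step 1: broadcast/all-zero source or broadcast destination"
    # Step 2: does the source address match a FIB entry?
    entry = fib.longest_match(s)
    if entry is None:
        # Step 6: only a default route could cover the source. The excerpt does not show
        # the outcome, so it is an option here (assumption): off means discard.
        dflt = fib.default_route()
        if dflt is None or not allow_default_route:
            return False, "step 6: no FIB entry for source address"
        if mode == "loose" or dflt.out_interface == in_interface:
            return True, "step 6: default route accepted"
        return False, f"step 6: default route via {dflt.out_interface}, not {in_interface}"
    # Step 3 / step 8: loose mode is satisfied by any matching route.
    if mode == "loose":
        return True, f"step 8: {entry.prefix} is in the FIB (loose)"
    # Strict mode: the route to the source must lead back out the receiving interface.
    if entry.out_interface == in_interface:
        return True, f"strict: {entry.prefix} reached via {in_interface}"
    return False, f"strict: {entry.prefix} reached via {entry.out_interface}, not {in_interface}"


def sample_fib() -> Fib:
    """Constructed FIB: two host VLANs and a default route via the uplink."""
    n = ipaddress.IPv4Network
    return Fib([FibEntry(n("10.1.1.0/24"), "Vlan-interface10"),
                FibEntry(n("10.2.2.0/24"), "Vlan-interface20"),
                FibEntry(n("0.0.0.0/0"), "Vlan-interface100")])


if __name__ == "__main__":
    fib = sample_fib()
    # A packet claiming a 10.1.1.0/24 source but arriving on the VLAN 20 interface
    # passes loose URPF and fails strict URPF.
    print(urpf_check(fib, "loose", "Vlan-interface20", "10.1.1.5", "10.2.2.9"))
    print(urpf_check(fib, "strict", "Vlan-interface20", "10.1.1.5", "10.2.2.9"))
```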
Figure 143 Network diagram
Configuration procedure
Enable strict URPF check on Switch A.
<SwitchA> system-view
[SwitchA] ip urpf strict
Enable strict URPF check on Switch B.
<SwitchB> system-view
[SwitchB] ip urpf strict...
Configuring SAVI
Overview
Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol packets, ND protocol packets, and IPv6 data packets.
Step: Set the time to wait for a DAD NS from a DHCPv6 client.  Command: ipv6 savi dad-preparedelay [ value ]  Remarks: Optional. One second by default. This command is used with the DHCPv6 snooping function. After DHCPv6 snooping detects that a client obtains an IPv6 address, it monitors whether the client detects IP address...
Enable ND detection in VLAN 2 to check the ND packets that arrive on the ports. For more information about ND detection, see "Configuring ND attack defense."
Configure a static IPv6 source guard binding entry on each interface connected to a client. This step is optional.
Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see "Configuring IP source guard."...
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/2] quit
SAVI configuration in DHCPv6+SLAAC address assignment scenario
Network requirements
Figure 146 Network diagram
As shown in Figure 146, Switch B connects to the DHCPv6 server through interface GigabitEthernet 1/0/1 and connects to the DHCPv6 client through interface GigabitEthernet 1/0/3.
For more information about static IPv6 source guard binding entries, see "Configuring IP source guard." Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more information about dynamic IPv6 source guard binding, see "Configuring IP source guard."...
Configuring blacklist
Overview
The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and faster at filtering packets sourced from particular IP addresses. The device can dynamically add and remove blacklist entries by cooperating with the login user authentication feature.
Blacklist configuration example
Network requirements
As shown in Figure 147, Host A, Host B, and Host C are internal users, and external user Host D is considered an attacker. Configure Device to always filter packets from Host D, and to prevent internal users from guessing passwords.
Host D and Host C are on the blacklist. Host C will stay on the list for 10 minutes, and will then be able to try to log in again. The entry for Host D will never age out. When you do not consider Host D an attacker anymore, you can use the undo blacklist ip 5.5.5.5 command to remove the entry.
Configuring FIPS
Overview
Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the requirements for cryptography modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the switch supports Level 2.
Configuration procedure
To configure FIPS, complete the following tasks:
Remove the existing key pairs and certificates.
Enable the FIPS mode.
Enable the password control function.
Configure local user attributes (including local username, service type, password, and so on) on the switch.
Save the configuration.
Triggering a self-test
To examine whether the cryptography modules operate normally, you can use a command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots.
To trigger a self-test:
Step Command...
[Sysname-luser-test] service-type terminal
[Sysname-luser-test] authorization-attribute level 3
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait...
[Sysname-luser-test] quit
# Save the configuration.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file.
<Sysname> display fips status
FIPS mode is enabled...