H3C S5120-HI Security Configuration Manual


H3C S5120-HI Switch Series
Security Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 52xx
Document version: 6W101-20140523


Summary of Contents for H3C S5120-HI

  • Page 1 H3C S5120-HI Switch Series Security Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 52xx Document version: 6W101-20140523...
  • Page 2 Copyright © 2013-2014, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
  • Page 3 Preface The H3C S5120-HI documentation set includes 11 configuration guides, which describe the software features for the H3C S5120-HI Switch Series, and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4 Configuration guide Added and modified features Added features: • Setting a DSCP value for an ISP domain. • Setting the DSCP value for RADIUS protocol packets. • Configuring status detection for RADIUS authentication/authorization servers. • RADIUS/HWTACACS authentication, authorization, and accounting support ciphertext shared key configuration.
  • Page 5 Configuration guide Added and modified features: ND attack defense; SAVI (added feature: setting the deletion delay time for SAVI); Black list; FIPS (FIPS is a newly added feature). Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface...
  • Page 6 Layer 2 forwarding and other Layer 2 features. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. About the H3C S5120-HI documentation set The H3C S5120-HI documentation set includes: Category...
  • Page 7 Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
  • Page 8: Table Of Contents

    Contents: Configuring AAA (1); AAA overview (1); RADIUS (2); HWTACACS (7); Domain-based user management (9); RADIUS server feature of the switch (10); Protocols and standards (11); RADIUS attributes ...
  • Page 9 EAP relay (72); EAP termination (75); Configuring 802.1X (76); H3C implementation of 802.1X (76); Access control methods (76); Using 802.1X authentication with other features (76); Configuration prerequisites (81) ...
  • Page 10 802.1X with ACL assignment configuration example (100); Network requirements (100); Configuration procedure (100); Verifying the configuration (101); Configuring EAD fast deployment (102); Overview (102); Free IP (102) ...
  • Page 11 Configuring the local portal server (127); Customizing authentication pages (127); Configuring the local portal server (130); Enabling portal authentication (131); Controlling access of portal users (132); Configuring a portal-free rule (132) ...
  • Page 12 Configuring the macAddressElseUserLoginSecure mode (169); Troubleshooting port security (171); Cannot set the port security mode (171); Cannot configure secure MAC addresses (172); Cannot change port security mode when a user is online (172) ...
  • Page 13 Configuring a PKI domain (207); Configuration guidelines (208); Configuration procedure (208); Submitting a PKI certificate request (208); Submitting a certificate request in auto mode (209); Submitting a certificate request in manual mode (209) ...
  • Page 14 Configuring an IKE proposal (242); Configuring an IKE peer (243); Setting keepalive timers (245); Setting the NAT keepalive timer (245); Configuring a DPD detector (246); Disabling next payload field checking (246) ...
  • Page 15 SFTP client configuration example (281); SFTP server configuration example (285); Configuring SCP (288); Overview (288); FIPS compliance (288); Configuring the switch as an SCP server (288); Configuring the switch as the SCP client (289) ...
  • Page 16 Enabling ARP black hole routing (321); Displaying and maintaining ARP defense against IP packet attacks (321); Configuration example (321); Configuring ARP packet rate limit (322); Introduction (322); Configuration procedure (322) ...
  • Page 17 Configuration considerations (345); Packet check principles (346); Configuration procedure (346); SAVI configuration in SLAAC-only address assignment scenario (347); Network requirements (347); Configuration considerations (347); Packet check principles (348) ...
  • Page 18: Configuring Aaa

    Configuring AAA AAA overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants different users different rights and controls their access to resources and...
  • Page 19: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol.
  • Page 20 Figure 3 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user’s username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
  • Page 21 Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings. Table 1 Main values of the Code field Code Packet type Description...
  • Page 22 • The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 23 Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes contain a code compliant with RFC 1700. The vendor ID of H3C is 25506. For more information about the proprietary RADIUS sub-attributes of H3C, see "H3C proprietary RADIUS...
  • Page 24: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute (fields in order: Type, Length, Vendor-ID, Vendor-Type, Vendor-Length, Vendor-Data carrying the specified attribute value) HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
  • Page 25 Figure 6 Basic HWTACACS message exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user inputs the username 6) Authentication continuance packet with the username 7) Authentication response requesting the login...
  • Page 26: Domain-Based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client then sends an authorization request packet for the user to the HWTACACS server.
  • Page 27: Radius Server Feature Of The Switch

    • Portal users—Users who must pass portal authentication to access the network. In addition, AAA provides the following services for login users to enhance switch security: • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute.
  • Page 28: Protocols And Standards

    A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an H3C switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an H3C switch as the RADIUS server.
  • Page 29 Maximum idle time permitted for the user before termination of the session. Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an H3C device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier: Identification that the NAS uses for indicating itself.
  • Page 30 Access-Requests. This attribute is used when RADIUS supports EAP authentication. NAS-Port-Id: String for describing the port of the NAS that is authenticating the user. H3C proprietary RADIUS sub-attributes Sub-attribute Description Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
  • Page 31: Fips Compliance

    Sub-attribute Description Result_Code: Result of the Trigger-Request or SetPolicy operation. A value of zero means the operation succeeded. Any other value means the operation failed. Connect_ID: Index of the user connection. Ftp_Directory: Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client.
  • Page 32 Local authentication—Configure local users and the related attributes, including the usernames and passwords of the users to be authenticated. Remote authentication—Configure the required RADIUS and HWTACACS schemes. You must configure user attributes on the servers accordingly. Configure AAA methods for the users’ ISP domains. Authentication method—No authentication (none), local authentication (local), or remote authentication (scheme) Authorization method—No authorization (none), local authorization (local), or remote...
  • Page 33: Configuring Aaa Schemes

    Task Remarks Tearing down user connections Optional. Configuring a NAS ID-VLAN binding Optional. Configuring a switch as a RADIUS server Optional. NOTE: To use AAA methods to control access of login users, you must configure the user interfaces to use AAA by using the authentication-mode command.
  • Page 34 password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control." • Binding attributes. Binding attributes are used to control the scope of users. They are checked during local authentication of a user.
  • Page 35 Step Command Remarks: 1. Enter system view: system-view. 2. Add a local user and enter local user view: local-user user-name (no local user exists by default). 3. Optional. A local user with no password configured passes authentication after providing the valid local username and attributes. • In non-FIPS mode:...
  • Page 36 Step Command Remarks: Configure the binding attributes for the local user: bind-attribute { ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } * (optional; by default, no binding attribute is configured for a local user).
  • Page 37: Configuring Radius Schemes

    Step Command Remarks: Configure password control attributes for the user group (optional; by default, the user group uses the global password control attributes): • Set the password aging time: password-control aging aging-time. • Set the minimum password length: password-control length length. For more information about...
  • Page 38 Task Remarks Specifying the RADIUS accounting servers and the relevant parameters Optional Specifying the shared keys for secure RADIUS communication Optional Setting the username format and traffic statistics units Optional Setting the supported RADIUS server type Optional Setting the maximum number of RADIUS request transmission attempts Optional Setting the status of RADIUS servers Optional...
  • Page 39 can trigger 802.1X authentication for users in the critical VLAN immediately on detection of a reachable RADIUS authentication/authorization server. Follow these guidelines when you specify RADIUS authentication/authorization servers: • The IP addresses of the primary and secondary authentication/authorization servers for a scheme...
  • Page 40 • If you delete an accounting server that is serving users, the switch can no longer send real-time accounting requests and stop-accounting requests for the users to that server, or buffer the stop-accounting requests. • You can specify a RADIUS accounting server as the primary accounting server for one scheme and as the secondary accounting server for another scheme at the same time.
  • Page 41 • Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later. • Extended—Uses the proprietary RADIUS protocol of H3C. When the RADIUS server runs on CAMS or IMC, you must set the RADIUS server type to extended.
  • Page 42 To set the RADIUS server type: Step Command Remarks: 1. Enter system view: system-view. 2. Enter RADIUS scheme view: radius scheme radius-scheme-name. 3. Set the RADIUS server type: server-type { extended | standard } (optional; the default RADIUS server type is standard). NOTE: Changing the RADIUS server type restores the unit for data flows and that for packets that are sent to the RADIUS server to the defaults.
  • Page 43 • When the primary server is in active state, the switch communicates with the primary server. If the primary server fails, the switch changes the server’s status to blocked and starts a quiet timer for the server, and then turns to a secondary server in active state (a secondary server configured earlier has a higher priority).
  • Page 44 Step Command Remarks • Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block } • Set the status of the primary RADIUS accounting server: state primary accounting { active | block } Optional. •...
  • Page 45 Step Command Remarks: 1. Enter system view: system-view. 2. Enter RADIUS scheme view: radius scheme radius-scheme-name. 3. Specify a source IP address for outgoing RADIUS packets: nas-ip { ip-address | ipv6 ipv6-address } (by default, the IP address of the outbound interface is used as the source IP address).
  • Page 46 Configuring the IP address of the security policy server The core of the H3C EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 47 To configure the IP address of the security policy server for a scheme: Step Command Remarks: 1. Enter system view: system-view. 2. Enter RADIUS scheme view: radius scheme radius-scheme-name. 3. Specify a security policy server: security-policy-server ip-address (no security policy server is specified by default). Configuring interpretation of RADIUS class attribute as CAR parameters According to RFC 2865, a RADIUS server assigns the RADIUS class attribute (attribute 25) to a RADIUS client.
  • Page 48 Step Command Remarks: 1. Enter system view: system-view. 2. Enable the trap function for RADIUS: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } (disabled by default). Enabling the RADIUS client service To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.
  • Page 49: Configuring Hwtacacs Schemes

    Task Command Remarks: Clear the buffered stop-accounting requests for which no responses have been received: reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] (available in user view). Configuring HWTACACS schemes NOTE: You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.
  • Page 50 Specifying the HWTACACS authentication servers For versions earlier than Release 5206, you can specify one primary authentication server and one secondary authentication server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. For Release 5206 and later versions, you can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme.
  • Page 51 • The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails. • You can remove an authorization server only when no active TCP connection for sending authorization packets is using it. To specify HWTACACS authorization servers for an HWTACACS scheme: Step Command Remarks...
  • Page 52 Step Command Remarks: 1. Enter system view: system-view. 2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. 3. Specify HWTACACS accounting servers (configure at least one command; no accounting server is specified by default): • Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number | key [ cipher | simple ] key ] *...
  • Page 53 The switch periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and that for packets on the switch are consistent with those configured on the HWTACACS servers. Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme: If an HWTACACS server does not support a username that carries the domain name, configure the...
  • Page 54 Step Command Remarks: Specify a source IP address for outgoing HWTACACS packets: hwtacacs nas-ip ip-address (by default, the IP address of the outbound interface is used as the source IP address). To specify a source IP address for a specific HWTACACS scheme: Step Command Remarks...
  • Page 55: Configuring Aaa Methods For Isp Domains

    NOTE: Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance. Displaying and maintaining HWTACACS Task Command Remarks: Display the configuration information or statistics of HWTACACS schemes: display hwtacacs [ hwtacacs-server-name [ statistics ] ] (available in any view).
  • Page 56: Configuring Isp Domain Attributes

    The switch can accommodate up to 16 ISP domains, including the system-defined ISP domain system. You can specify one of the ISP domains as the default domain. On the switch, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the switch considers that the user belongs to the default ISP domain.
  • Page 57: Configuring Aaa Authentication Methods For An Isp Domain

    Step Command Remarks: 1. Enter system view: system-view. 2. Enter ISP domain view: domain isp-name. 3. Place the ISP domain in the active or blocked state: state { active | block } (optional; by default, an ISP domain is in active state, and users in the domain can request network services).
  • Page 58 Before configuring authentication methods, complete the following tasks: For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require a scheme. Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access.
  • Page 59: Configuring Aaa Authorization Methods For An Isp Domain

    Step Command Remarks: Specify the authentication method for portal users: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] } (optional; the default authentication method is used by default). Specify the authentication method for privilege level...: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme ... (optional; the default authentication...
  • Page 60: Configuring Aaa Accounting Methods For An Isp Domain

    authorization or no authorization is the backup method and is used only when the remote server is not available. • If you specify only the local or none keyword in an authorization method configuration command, the switch has no backup authorization method and performs only local authorization or does not perform any authorization.
  • Page 61 For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none accounting methods do not require a scheme. Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type, limiting the accounting protocols that can be used for access.
  • Page 62: Tearing Down User Connections

    Step Command Remarks: Specify the accounting method for portal users: accounting portal { local | none | radius-scheme radius-scheme-name [ local ] } (optional; the default accounting method is used by default). Tearing down user connections Step Command Remarks: 1. Enter system view: system-view. 2. cut connection { access-type { dot1x | mac-authentication | portal } | all | domain...
  • Page 63: Configuring A Radius User

    Configuring a RADIUS user This task is to create a RADIUS user and configure a set of attributes for the user on a switch that serves as the RADIUS server. The user attributes include the password, authorization attribute, expiration time, and user description.
  • Page 64: Displaying And Maintaining Aaa

    NOTE: • The IP address of a RADIUS client specified on the RADIUS server must be consistent with the source IP address of outgoing RADIUS packets configured on the RADIUS client. • The shared key configured on the RADIUS server must be consistent with that configured on the RADIUS...
  • Page 65: Aaa For Telnet Users By Separate Servers

    Configuration procedure Configure the switch: # Assign IP addresses to the interfaces. (Details not shown.) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit # Create HWTACACS scheme hwtac.
  • Page 66 Figure 11 Network diagram Configuration procedure Configure the switch: # Assign IP addresses to interfaces. (Details not shown.) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit...
  • Page 67: Authentication/Authorization For Ssh/Telnet Users By A Radius Server

    Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type. Select H3C as the access device type. Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
  • Page 68 NOTE: The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch.
  • Page 69 Figure 14 Adding an account for device management Configuring the switch # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 70: Aaa For 802.1X Users By A Radius Server

    # Create RADIUS scheme rad. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure authentication communication to expert. [Switch-radius-rad] key authentication expert # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on CAMS or IMC.
  • Page 71 Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select LAN Access Service as the service type. Select H3C as the access device type. Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2.
  • Page 72 Figure 16 Adding the switch to IMC as an access device Define a charging policy: Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree. Click Add. Configure the following parameters: Enter UserAcct as the plan name. Select Flat rate as the charging template.
  • Page 73 Figure 17 Defining a charging policy Add a service: Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Click Add. Configure the following parameters: Enter Dot1x auth as the service name and bbb as the service suffix. The service suffix indicates the authentication domain for 802.1X users.
  • Page 74 Figure 18 Adding a service Create an account for 802.1X users: Click the User tab, and select All Access Users from the navigation tree. Click Add. Configure the following parameters: Select the user test, or add the user if it does not exist. Enter dot1x as the account name and set the password.
  • Page 75 Figure 19 Creating an account for 802.1X users Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rad and enter its view. <Switch> system-view [Switch] radius scheme rad # Set the server type for the RADIUS scheme. When you use CAMS or IMC, set the server type to extended.
  • Page 76 [Switch] dot1x port-method macbased interface gigabitethernet 1/0/1 Verifying the configuration When you use the H3C iNode client, no advanced authentication options are required, and the user can pass authentication after entering the username dot1x@bbb and the correct password in the client property page.
  • Page 77: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    Total 1 connection matched. As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user. Level switching authentication for Telnet users by an HWTACACS server Network requirements As shown in Figure 20, configure the switch to: • Use local authentication for the Telnet user and assign the privilege level of 0 to the user after the...
  • Page 78 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server. [Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 [Switch-Vlan-interface3] quit # Enable the switch to provide Telnet service. [Switch] telnet server enable # Configure the switch to use AAA for Telnet users.
  • Page 79 Trying 192.168.1.70 ... Press CTRL+K to abort Connected to 192.168.1.70 ... ****************************************************************************** * Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved. * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ******************************************************************************...
  • Page 80: Radius Authentication And Authorization For Telnet Users By A Switch

    Username:test@bbb Password: <Switch> ? User view commands: display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection tracert Trace route function When switching to user privilege level 3, the Telnet user only needs to enter password enabpass...
  • Page 81 Figure 22 Network diagram (Telnet user 192.168.1.2, Switch A, Switch B, RADIUS server; interface addresses 192.168.1.1/24, 10.1.1.1/24 and 10.1.1.2/24) Configuration procedure Assign an IP address to each interface as shown in Figure 22. (Details not shown.) Configure the NAS: # Enable the Telnet server on Switch A. <SwitchA>...
  • Page 82: Troubleshooting Aaa

    <SwitchB> system-view [SwitchB] radius-server user aaa # Configure plaintext password aabbcc for user aaa. [SwitchB-rdsuser-aaa] password simple aabbcc [SwitchB-rdsuser-aaa] quit # Specify the IP address of the RADIUS client as 10.1.1.1 and the plaintext shared key as abc. [SwitchB] radius-server client-ip 10.1.1.1 key simple abc Verify the configuration: After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A.
  • Page 83: Troubleshooting Hwtacacs

    Analysis The NAS and the RADIUS server cannot communicate with each other. The NAS is not configured with the IP address of the RADIUS server. The UDP ports for authentication/authorization and accounting are not correct. The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
  • Page 84: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 85: 802.1X-Related Protocols

    • Performs bidirectional traffic control to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. The H3C devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server.
  • Page 86: Packet Formats

    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by the H3C implementation of 802.1X. Table 5 EAPOL packet types Value Type...
  • Page 87: Eap Over Radius

    Value: 0x02. Type: EAPOL-Logoff. Description: The client sends an EAPOL-Logoff message to tell the network access device that it is logging off. • Length—Data length in bytes, or length of the Packet body. If the packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows. • Packet body—Content of the packet.
  • Page 88: Access Device As The Initiator

    802.1X client, the H3C iNode 802.1X client for example, that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets.
  • Page 89: A Comparison Of Eap Relay And Eap Termination

    EAP authentication and the "username + password" EAP authentication initiated by an H3C iNode 802.1X client. EAP termination: • Works with any RADIUS server that supports PAP or CHAP authentication. • The processing is complex on the network access device. EAP relay Figure 31 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5...
  • Page 90 Figure 31 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.
  • Page 91 The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
  • Page 92: Eap Termination

    EAP termination Figure 32 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used. Figure 32 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device, rather than the authentication server, that generates an MD5 challenge for password encryption (see Step 4).
  • Page 93: Configuring 802.1X

    H3C implementation of 802.1X Access control methods H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. • Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent...
  • Page 94 Table 7 VLAN assignment in MAC-based access control mode Link type: Access. VLAN assignment: Sets the VLAN ID assigned through the Tunnel attributes to the first authenticated user as the PVID on the port. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication.
  • Page 95 For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching — Configuration Guide. On a port that performs port-based access control Authentication status: No 802.1X user has... VLAN manipulation: Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN.
  • Page 96 Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
  • Page 97 Critical VLAN You configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the critical VLAN can access a limited set of network resources depending on your configuration. The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers.
  • Page 98: Configuration Prerequisites

    Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable. VLAN manipulation: The user is still in the critical VLAN. Authentication status: A user in the critical VLAN fails 802.1X authentication for any other reason than... VLAN manipulation: If an Auth-Fail VLAN has been configured, re-maps the MAC address of the user to the Auth-Fail VLAN ID.
  • Page 99: 802.1X Configuration Task List

    • If RADIUS authentication is used, create user accounts on the RADIUS server. • If local authentication is used, create local user accounts on the access device and set the service type to lan-access. 802.1X configuration task list Task: Enabling 802.1X. Remarks: Required. Task: Enabling EAP relay or EAP termination...
  • Page 100: Configuration Procedure

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 101: Setting The Port Authorization State

    Setting the port authorization state The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords: • authorized-force—Places the port in the authorized state, enabling users on the port to access the...
  • Page 102: Setting The Maximum Number Of Concurrent 802.1X Users On A Port

    Step: Specify an access control method. Command: • In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] • In Ethernet interface view: interface interface-type interface-number, then dot1x port-method { macbased | portbased }. Remarks: Optional. Use either method. By default, MAC-based access control applies. Setting the maximum number of concurrent 802.1X...
  • Page 103: Setting The 802.1X Authentication Timeout Timers

    • To use the online handshake security function, make sure the online user handshake function is enabled. • H3C recommends that you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.
  • Page 104: Configuration Procedure

    • If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down. Configuration procedure To configure the online user handshake function: Step Command Remarks...
  • Page 105: Configuration Procedure

    Configuration procedure To configure the authentication trigger function on a port: Step: Enter system view. Command: system-view. Step: Set the username request timeout timer. Command: dot1x timer tx-period tx-period-value. Remarks: Optional. The default is 30 seconds. Step: Enter Ethernet interface view. Command: interface interface-type interface-number. Remarks: Required if you want to enable the unicast trigger.
  • Page 106: Enabling The Periodic Online User Re-Authentication Function

    Step: Enter system view. Command: system-view. Step: Enable the quiet timer. Command: dot1x quiet-period. Remarks: By default, the timer is disabled. Step: Set the quiet timer. Command: dot1x timer quiet-period quiet-period-value. Remarks: Optional. The default is 60 seconds. Enabling the periodic online user re-authentication function Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS.
  • Page 107: Configuring A Port To Send Eapol Frames Untagged

    Configuring a port to send EAPOL frames untagged EAPOL frames exchanged between the 802.1X client and the network access device must not contain VLAN tags. If any 802.1X user attached to a port is assigned a tagged VLAN, you must enable the port to send EAPOL frames untagged to 802.1X clients.
  • Page 108: Configuring An 802.1X Guest Vlan

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The H3C iNode client does not have this problem. Table 8 when configuring multiple security features on a port.
  • Page 109: Configuration Procedure

    Table 9 when configuring multiple security features on a port.
  • Page 110: Configuration Prerequisites

    Configuration prerequisites •...
  • Page 111: Configuration Procedure

    Configuration procedure To configure an 802.1X critical VLAN: Step: Enter system view. Command: system-view. Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number. Step: Configure an 802.1X critical VLAN on the port. Command: dot1x critical vlan vlan-id. Remarks: By default, no critical VLAN is configured.
  • Page 112: Displaying And Maintaining 802.1X

    Figure 33 Network diagram Configuration procedure Configure the 802.1X client. If H3C iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 113 Assign an IP address to each interface on the access device. (Details not shown.) Configure user accounts for the 802.1X users on the access device: # Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.) <Device>...
  • Page 114: Verifying The Configuration

    [Device-isp-aabbcc.net] quit # Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain. [Device] domain default enable aabbcc.net Configure 802.1X: # Enable 802.1X globally. [Device] dot1x # Enable 802.1X on port GigabitEthernet 1/0/1.
  • Page 115: Configuration Procedure

    Figure 34 Network diagram Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configurations on the 802.1X client and the RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.
  • Page 116: Verifying The Configuration

    Configure a RADIUS scheme: # Configure RADIUS scheme 2000 and enter its view. <Device> system-view [Device] radius scheme 2000 # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets. [Device-radius-2000] primary authentication 10.11.1.1 1812 [Device-radius-2000] primary accounting 10.11.1.1 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc...
  • Page 117: With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 35, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 118: Verifying The Configuration

    # Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain. [Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Configure a time range ftp for the weekdays from 8:00 to 18:00. [Device] time-range ftp 8:00 to 18:00 working-day # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 on the weekdays during business hours.
  • Page 119: Configuring Ead Fast Deployment

    Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an H3C integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 120: Configuring The Redirect Url

    To configure a free IP: Step: Enter system view. Command: system-view. Step: Configure a free IP. Command: dot1x free-ip ip-address { mask-address | mask-length }. Remarks: By default, no free IP is configured. Configuring the redirect URL Follow these guidelines when you configure the redirect URL: •...
  • Page 121: Displaying And Maintaining Ead Fast Deployment

    Displaying and maintaining EAD fast deployment Task: Display 802.1X session information, statistics, or configuration information. Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. EAD fast deployment configuration example Network requirements As shown in...
  • Page 122: Configuration Procedure

    • Configure the DHCP server so that the host can obtain an IP address on the segment 192.168.1.0/24. • Configure the web server so that users can log in to the web page to download 802.1X clients. • Configure the authentication server to provide authentication, authorization, and accounting...
  • Page 123: Troubleshooting Ead Fast Deployment

    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms The output shows that you can access that segment before passing 802.1X authentication.
  • Page 124: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 125: Mac Authentication Timers

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.
  • Page 126: Critical Vlan

    If a user in the guest VLAN passes MAC authentication, that user is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
  • Page 127: Configuring Mac Authentication Globally

    MAC authentication can take effect on a port only when it is enabled globally and on the port. Configuring MAC authentication globally Step: Enter system view. Command: system-view. Step: Enable MAC authentication globally. Command: mac-authentication. Remarks: Disabled by default. Step: Configure MAC... Command: mac-authentication timer { offline-detect offline-detect-value |... Remarks: Optional. By default, the offline detect timer is...
  • Page 128: Specifying A Mac Authentication Domain

    Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways: • Specify a global authentication domain in system view. This domain setting applies to all ports. ...
  • Page 129: Configuring A Mac Authentication Critical Vlan

    authentication users to release their IP addresses or repair their network connections for a DHCP reassignment after MAC authentication is complete. Before you configure a MAC authentication guest VLAN on a port, complete the following tasks: • Enable MAC authentication. • Enable MAC-based VLAN on the port.
  • Page 130: Configuring Mac Authentication Delay

    • Enable MAC-based VLAN on the port. • Create the VLAN to be specified as the MAC authentication critical VLAN. To configure a MAC authentication critical VLAN: Step: Enter system view. Command: system-view. Step: Enter Layer 2 Ethernet port view. Command: interface interface-type...
  • Page 131: Displaying And Maintaining Mac Authentication

    re-authentication. The multi-VLAN mode improves the transmission quality of data that is vulnerable to delay and interference. To enable MAC authentication multi-VLAN mode: Step: Enter system view. Command: system-view. Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number. By default, a MAC authentication-enabled port forwards packets for an authenticated user only in the...
  • Page 132 Figure 37 Network diagram Configuration procedure # Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account. <Device> system-view [Device] local-user 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] service-type lan-access [Device-luser-00-e0-fc-12-34-56] quit...
  • Page 133: Radius-Based Mac Authentication Configuration Example

    MAC Addr From Port Port Index Gigabitethernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 1, failed: 0 Max number of on-line users is 256 Current online user number is 1 MAC Addr Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS # After the user passes authentication, use the display connection command to display the online user information.
  • Page 134 # Configure a RADIUS scheme. <Device> system-view [Device] radius scheme 2000 [Device-radius-2000] primary authentication 10.1.1.1 1812 [Device-radius-2000] primary accounting 10.1.1.2 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
  • Page 135: Acl Assignment Configuration Example

    Max number of on-line users is 256 Current online user number is 1 MAC ADDR Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS # After a user passes MAC authentication, use the display connection command to display online user information. <Device> display connection Slot: Index=29 ,Username=aaa@2000...
  • Page 136 Configure RADIUS-based MAC authentication on the device: # Configure a RADIUS scheme. [Sysname] radius scheme 2000 [Sysname-radius-2000] primary authentication 10.1.1.1 1812 [Sysname-radius-2000] primary accounting 10.1.1.2 1813 [Sysname-radius-2000] key authentication simple abc [Sysname-radius-2000] key accounting simple abc [Sysname-radius-2000] user-name-format without-domain [Sysname-radius-2000] quit # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
  • Page 137 Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),...
  • Page 138: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication helps control access to the Internet. It is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...
  • Page 139 Figure 40 Portal system components Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
  • Page 140: Portal System Using The Local Portal Server

    To implement security check, the client must be the H3C iNode client. Portal authentication supports NAT traversal whether it is initiated by a Web client or an H3C iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
  • Page 141: Portal Authentication Modes

    Portal authentication modes Portal authentication may work at Layer 2 or Layer 3 of the OSI model. The H3C S5120-HI Switch Series supports only Layer 2 authentication mode. You can enable Layer 2 portal authentication on an access device’s Layer 2 ports that connect authentication clients, so that only clients whose MAC addresses pass authentication can access the external network.
  • Page 142: Portal Configuration Task List

    If the user passes RADIUS authentication, the local portal server pushes a logon success page to the authentication client. Authorized VLAN Layer 2 portal authentication supports VLAN assignment by the authentication server. After a user passes portal authentication, if the authentication server is configured with an authorized VLAN for the user, the authentication server assigns the authorized VLAN to the access device.
  • Page 143: Configuration Prerequisites

    Task list: Configuring the local portal server: Customizing authentication pages (Optional); Configuring the local portal server (Required). Enabling portal authentication (Required). Controlling access of portal users: Configuring a portal-free rule; Setting the maximum number of online portal users; Specifying an authentication domain for portal users (Optional)...
  • Page 144: Specifying The Portal Server

    Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. H3C recommends using the IP address of a loopback interface, because: The status of a loopback interface is stable.
  • Page 145 Table 12 Main authentication page file names: Logon page, logon.htm; Logon success page, logonSuccess.htm; Logon failure page, logonFail.htm; Online page, online.htm (pushed after the user gets online for online notification); System busy page, busy.htm (pushed when the system is busy or the user is in the logon process); Logoff success page, logoffSuccess.htm...
  • Page 146 The following example shows part of the script in page online.htm.
    <form action=logon.cgi method = post >
    <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
    </form>
    Rules on page file compression and saving
    • A set of authentication page files must be compressed into a standard zip file.
    • The name of a zip ...
  • Page 147: Configuring The Local Portal Server

    </body>
    </html>
    H3C recommends using Microsoft IE 6.0 or above on the authentication clients. Make sure the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.
  • Page 148: Enabling Portal Authentication

    When you specify the protocol for the local portal server to support, the local portal server will load the default authentication page file, which is supposed to be saved in the root directory of the device. Therefore, to make sure that the local portal server uses the user-defined default authentication pages, you must edit and save them properly.
  • Page 149: Controlling Access Of Portal Users

    Controlling access of portal users Configuring a portal-free rule A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the source and destination IP address, source MAC address, inbound interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so that users sending the packets can directly access the specified external websites.
  • Page 150: Specifying An Authentication Domain For Portal Users

    NOTE: The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch. Specifying an authentication domain for portal users After you specify an authentication domain for portal users on an interface, the device uses the authentication domain for authentication, authorization, and accounting (AAA) of all portal users on the interface, ignoring the domain names carried in the usernames.
  • Page 151: Enabling Support For Portal User Moving

    Enabling support for portal user moving In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled port of the device without logging off, the user cannot get online when the original port is still up. The reason is that the original port is still maintaining the authentication information of the user and the device does not permit such a user to get online from another port by default.
  • Page 152: Specifying An Auto Redirection Url For Authenticated Portal Users

    Step: Specify an Auth-Fail VLAN for portal authentication on the port.
    Command: portal auth-fail vlan authfail-vlan-id
    Remarks: Not specified by default.
    After you specify an Auth-Fail VLAN for portal authentication on a port, you must also enable the MAC-based VLAN function on the port to make the specified Auth-Fail VLAN take effect. For information about MAC VLAN, see Layer 2—LAN Switching Configuration Guide.
  • Page 153: Logging Off Portal Users

    Step: Enter interface view.
    Command: interface interface-type interface-number
    Step: Set the Layer 2 portal user detection interval.
    Command: portal offline-detect interval offline-detect-interval
    Remarks: 300 seconds by default.
    Logging off portal users
    Logging off a user terminates the authentication process for the user or removes the user from the authenticated users list.
  • Page 154: Portal Configuration Examples

    Portal configuration examples
    Network requirements
    As shown in Figure 43, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port GigabitEthernet 1/0/1. More specifically:
    • Use the remote RADIUS server for authentication, authorization and accounting.
    ...
  • Page 155 update server's address 2.2.2.2 from the address ranges for address allocation, specify the leases for the assigned IP addresses and make sure there is a route to the host. To shorten the IP address update time in case of an authentication state change, set a short lease for each address. •...
  • Page 156: Verifying The Configuration

    [Switch-radius-rs1] primary accounting 1.1.1.2
    [Switch-radius-rs1] key accounting simple radius
    [Switch-radius-rs1] key authentication simple radius
    [Switch-radius-rs1] quit
    Configure an authentication domain:
    # Create and enter ISP domain triple.
    [Switch] domain triple
    # Configure AAA methods for the ISP domain.
    [Switch-isp-triple] authentication portal radius-scheme rs1
    [Switch-isp-triple] authorization portal radius-scheme rs1
    [Switch-isp-triple] accounting portal radius-scheme rs1
    [Switch-isp-triple] quit
    ...
  • Page 157: Troubleshooting Portal

    move the user from VLAN 8 to VLAN 3, the authorized VLAN. You can use the display connection ucibindex command to view the online user information.
    <Switch> display connection ucibindex 30
    Slot:
    Index=30 , Username=userpt@triple
    MAC=0015-e9a6-7cfe IP=192.168.1.2 IPv6=N/A
    Access=PORTAL ,AuthMethod=PAP
    Port Type=Ethernet,Port Name=GigabitEthernet1/0/1
    Initial VLAN=8, Authorization VLAN=3
    ACL Group=Disable
    ...
  • Page 158: Incorrect Server Port Number On The Access Device

    Incorrect server port number on the access device Symptom After a user passes the portal authentication, you cannot force the user to log off by executing the portal delete-user command on the access device, but the user can log off by using the disconnect attribute on the authentication client.
  • Page 159: Configuring Triple Authentication

    Configuring triple authentication Overview Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services.
  • Page 160: Using Triple Authentication With Other Features

    • If a terminal passes 802.1X or portal authentication, no other types of authentication will be triggered for the terminal.
    • If the terminal passes MAC authentication, no portal authentication can be triggered for the terminal, but 802.1X authentication can be triggered. When the terminal passes 802.1X authentication, the 802.1X authentication information will overwrite the MAC authentication information for the terminal.
  • Page 161: Triple Authentication Configuration Examples

    ... MAC-based access control.
    Step: Configure Layer-2 portal authentication.
    Command: see "Configuring portal authentication"
    Remarks: H3C does not recommend you configure 802.1X guest VLANs for triple authentication.
    Triple authentication configuration examples
    Triple authentication basic function configuration example
    Network requirements
    As shown in Figure 45, the terminals are connected to a switch to access the IP network.
  • Page 162
    # Configure the local portal server to support HTTP.
    <Switch> system-view
    [Switch] portal local-server http
    # Configure the IP address of interface loopback 0 as 4.4.4.4.
    [Switch] interface loopback 0
    [Switch-LoopBack0] ip address 4.4.4.4 32
    [Switch-LoopBack0] quit
    # Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4.
  • Page 163: Triple Authentication Supporting Vlan Assignment And Auth-Fail Vlan Configuration Example

    [Switch] domain triple
    # Configure the default AAA methods for all types of users in the domain.
    [Switch-isp-triple] authentication default radius-scheme rs1
    [Switch-isp-triple] authorization default radius-scheme rs1
    [Switch-isp-triple] accounting default radius-scheme rs1
    [Switch-isp-triple] quit
    # Configure domain triple as the default domain. If a username input by a user includes no ISP domain name, the authentication scheme of the default domain is used.
  • Page 164
    • 802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP addresses in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails authentication, it uses an IP address in 2.2.2.0/24.
    • After passing authentication, the printer obtains the IP address 3.3.3.111/24 that is bound with its MAC address through DHCP.
  • Page 165
    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)
    # Enable DHCP.
    <Switch> system-view
    [Switch] dhcp enable
    # Exclude the IP address of the update server from assignment.
    [Switch] dhcp server forbidden-ip 2.2.2.2
    # Configure IP address pool 1, including the address range, lease and gateway address.
  • Page 166
    [Switch] portal local-server https server-policy sslsvr
    # Configure IP address 4.4.4.4 for interface loopback 12.
    [Switch] interface loopback 12
    [Switch-LoopBack12] ip address 4.4.4.4 32
    [Switch-LoopBack12] quit
    # Specify the listening IP address of the local portal server as 4.4.4.4.
    [Switch] portal local-server ip 4.4.4.4
    # Enable Layer-2 portal authentication on GigabitEthernet 1/0/1 and specify VLAN 2 as the Auth-Fail VLAN, to which terminals failing authentication are added.
  • Page 167
    [Switch-radius-rs1] user-name-format without-domain
    [Switch-radius-rs1] quit
    Configure an ISP domain:
    # Create an ISP domain named triple.
    [Switch] domain triple
    # Configure the default AAA methods for all types of users in the domain.
    [Switch-isp-triple] authentication default radius-scheme rs1
    [Switch-isp-triple] authorization default radius-scheme rs1
    [Switch-isp-triple] accounting default radius-scheme rs1
    [Switch-isp-triple] quit
    # Configure domain triple as the default domain.
  • Page 168
    0002-0002-0001 ffff-ffff-ffff
    0015-88f8-0dd7 ffff-ffff-ffff
    Total MAC VLAN address count:3
    Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users.
    [Switch] display dhcp server ip-in-use all
    Pool utilization: 0.59%
    IP address    Client-identifier/Hardware address    Lease expiration    Type
    3.3.3.111     0015-88f8-0dd7 ...
  • Page 169: Configuring Port Security

    NOTE: For scenarios that require only 802.1X authentication or MAC authentication, H3C recommends you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 170
    • MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
    • Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
    Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
  • Page 171 Controlling MAC address learning
    • autoLearn
    A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 172: Working With Guest Vlan And Auth-Fail Vlan

    This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
    • macAddressElseUserLoginSecure
    This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs MAC authentication and then, if the authentication fails, 802.1X authentication upon receiving 802.1X frames.
  • Page 173: Enabling Port Security

    Enabling port security
    Enabling or disabling port security resets the following security settings to the default:
    • 802.1X access control mode is MAC-based, and the port authorization state is auto.
    • Port security mode is noRestrictions.
    When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state.
  • Page 174: Setting The Port Security Mode

    Setting the port security mode After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.
  • Page 175: Configuring Port Security Features

    Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, Table The NTK feature supports the following modes: ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
  • Page 176: Enabling Port Security Traps

    Step: Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Step: Configure the intrusion protection feature.
    Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
    Remarks: By default, intrusion protection is disabled.
    Step: Return to system view.
    Command: quit
    Step: Set the silence timeout period ...
    Remarks: Optional.
  • Page 177: Configuration Prerequisites

    Table 14 A comparison of static, sticky, and dynamic secure MAC addresses
    Type: Static
    Address sources: Manually added
    Aging mechanism: Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature.
    Can be saved and survive a device reboot?: Yes.
  • Page 178: Ignoring Authorization Information

    Step: Configure a secure MAC address.
    Command: Use either method.
    • In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
    • In interface view: interface interface-type interface-number, then port-security mac-address security [ sticky ] mac-address vlan vlan-id
    Remarks: No secure MAC address exists by default.
    ...
  • Page 179: Displaying And Maintaining Port Security

    Displaying and maintaining port security
    Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports.
    Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    Task: Display information about secure ...
    Command: display port-security mac-address security [ interface interface-type ...
  • Page 180
    # Enable intrusion protection traps on port GigabitEthernet 1/0/1.
    [Device] port-security trap intrusion
    [Device] interface gigabitethernet 1/0/1
    # Set port security's limit on the number of MAC addresses to 64 on the port.
    [Device-GigabitEthernet1/0/1] port-security max-mac-count 64
    # Set the port security mode to autoLearn.
    [Device-GigabitEthernet1/0/1] port-security port-mode autolearn
    # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
  • Page 181: Configuring The Userloginwithoui Mode

    port-security mac-address security sticky 0002-0000-0012 vlan 1
    port-security mac-address security sticky 0002-0000-0011 vlan 1
    Execute the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message.
  • Page 182 Configure port GigabitEthernet 1/0/1 of the Device to:
    • Allow only one 802.1X user to be authenticated.
    • Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
    Figure 48 Network diagram
    Configuration procedure
    Configurations on the host and RADIUS servers are not shown.
  • Page 183 Configure port security:
    # Enable port security.
    [Device] port-security enable
    # Add five OUI values.
    [Device] port-security oui 1234-0100-1111 index 1
    [Device] port-security oui 1234-0200-1111 index 2
    [Device] port-security oui 1234-0300-1111 index 3
    [Device] port-security oui 1234-0400-1111 index 4
    [Device] port-security oui 1234-0500-1111 index 5
    [Device] interface gigabitethernet 1/0/1
    # Set the port security mode to userLoginWithOUI.
  • Page 184
    Data flow unit : Byte
    Packet unit : one
    # Display the configuration of the ISP domain sun.
    <Device> display domain sun
    Domain : sun
    State : Active
    Access-limit : 30
    Accounting method : Required
    Default authentication scheme : radius:radsun
    Default authorization scheme : radius:radsun
    Default accounting scheme ...
  • Page 185
    The maximal retransmitting times
    EAD quick deploy configuration:
    EAD timeout:
    The maximum 802.1X user resource number is 1024 per slot
    Total current used 802.1X resource number is 1
    GigabitEthernet1/0/1 is link-up
    802.1X protocol is enabled
    Handshake is enabled
    Handshake secure is disabled
    802.1X unicast-trigger is enabled
    Periodic reauthentication is disabled
    The port is an authenticator
    ...
  • Page 186: Configuring The Macaddresselseuserloginsecure Mode

    Configuring the macAddressElseUserLoginSecure mode Network requirements As shown in Figure 48, a client is connected to the Device through GigabitEthernet 1/0/1. The Device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. Restrict port GigabitEthernet 1/0/1 of the Device: Allow more than one MAC authenticated user to log on.
  • Page 187
    Trap is disabled
    Disableport Timeout: 20s
    OUI value:
    GigabitEthernet1/0/1 is link-up
    Port mode is macAddressElseUserLoginSecure
    NeedToKnow mode is NeedToKnowOnly
    Intrusion Protection mode is NoAction
    Max MAC address number is 64
    Stored MAC address number is 0
    Authorization is permitted
    Security MAC address learning mode is sticky
    Security MAC address aging type is absolute
    # Display MAC authentication information.
  • Page 188: Troubleshooting Port Security

    Supp Timeout 30 s, Server Timeout 100 s
    The maximal retransmitting times
    EAD quick deploy configuration:
    EAD timeout:
    Total maximum 802.1X user resource number is 1024 per slot
    Total current used 802.1X resource number is 1
    GigabitEthernet1/0/1 is link-up
    802.1X protocol is enabled
    Handshake is enabled
    Handshake secure is disabled
    802.1X unicast-trigger is enabled
    ...
  • Page 189: Cannot Configure Secure Mac Addresses

    Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other. Analysis For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly. Solution Set the port security mode to noRestrictions first.
  • Page 190 [Device-GigabitEthernet1/0/1] undo port-security port-mode...
  • Page 191: Configuring A User Profile

    Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
  • Page 192: Applying A Qos Policy

    Step: Enter system view.
    Command: system-view
    Step: Create a user profile, and enter its view.
    Command: user-profile profile-name
    Remarks: You can use the command to enter the view of an existing user profile.
    Applying a QoS policy
    You can apply QoS policies in user profile view to implement traffic management functions. Follow these guidelines when you apply a QoS policy:
    • After a user profile is created, apply a QoS policy in user profile view to implement restrictions on ...
  • Page 193: Displaying And Maintaining User Profiles

    Step: Enter system view.
    Command: system-view
    Step: Enable a user profile.
    Command: user-profile profile-name enable
    Remarks: A user profile is disabled by default.
    Displaying and maintaining user profiles
    Task: Display information about all the created user profiles.
    Command: display user-profile [ | { begin | exclude ...
    Remarks: Available in any view
  • Page 194: Configuring Password Control

    Configuring password control
    Overview
    Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
    • Minimum password length ...
  • Page 195 You can allow a user to log in a certain number of times within a specific period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.
  • Page 196: Fips Compliance

    Depending on the system security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters that are from each type in the password. There are four password combination levels in non-FIPS mode: 1, 2, 3, and 4, each representing the number of character types that a password must at least contain.
  • Page 197: Password Control Configuration Task List

    Password control configuration task list
    The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:
    • Global settings in system view apply to all local user passwords and super passwords.
    ...
  • Page 198: Setting Global Password Control Parameters

    Step: Enter system view.
    Command: system-view
    Step: Enable the password control feature.
    Command: password-control enable
    Remarks: Disabled by default.
    Step: Enable a password control function individually.
    Command: password-control { aging | composition | history | length } enable
    Remarks: Optional. All of the four password control functions are enabled by default.
  • Page 199
    Step: Set the minimum password length.
    Command: password-control length length
    Remarks: Optional. 10 characters by default.
    Step: Configure the password ...
    Command: password-control composition type-number type-number ...
    Remarks: Optional.
    • In non-FIPS mode, by default, a password must contain at least one type of characters and each type must contain at least one character.
  • Page 200: Setting User Group Password Control Parameters

    Setting user group password control parameters
    Step: Enter system view.
    Command: system-view
    Step: Create a user group and enter user group view.
    Command: user-group group-name
    Step: Configure the password aging time for the user group.
    Command: password-control aging aging-time
    Remarks: Optional. By default, the aging time of the user group is the same as the global password aging time.
  • Page 201: Setting Super Password Control Parameters

    Step: Configure the password composition policy for the local user.
    Command: password-control composition type-number type-number [ type-length type-length ]
    Remarks: Optional. By default, the settings equal those for the user group to which the local user belongs. If no password composition policy is configured for the user group, the global settings apply to the local user.
  • Page 202: Displaying And Maintaining Password Control

    Step: Set the password for the local user in interactive password mode.
    Displaying and maintaining password control
    Task: Display password control configuration information.
    Command: display password-control [ super ] [ | { begin | exclude | include } ...
    Remarks: Available in any view
  • Page 203
    • The password must consist of at least two types of valid characters, five or more of each type.
    • The password aging time is 20 days.
    Configuration procedure
    # Enable the password control feature globally.
    <Sysname> system-view
    [Sysname] password-control enable
    # Prohibit the user from logging in forever after two successive login failures.
  • Page 204 Verifying the configuration
    # Display the global password control configuration information.
    <Sysname> display password-control
    Global password control configurations:
    Password control: Enabled
    Password aging: Enabled (30 days)
    Password length: Enabled (10 characters)
    Password composition: Enabled (1 types, 1 characters per type)
    Password history: Enabled (max history record:4)
    Early notice on password expiration: 7 days
    ...
  • Page 205: Configuring Habp

    Configuring HABP Overview The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 49, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.
  • Page 206: Configuring Habp

    Otherwise, the cluster management device will not be able to manage the devices attached to this member switch. For more information about the cluster function, see Network Management and Monitoring Configuration Guide. Configuring HABP Configuring the HABP server An HABP server is usually configured on the authentication device enabled with 802.1X authentication or MAC address authentication.
  • Page 207: Displaying And Maintaining Habp

    Step: Specify the VLAN to which the HABP client belongs.
    Command: habp client vlan vlan-id
    Remarks: Optional. By default, an HABP client belongs to VLAN 1. The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
  • Page 208 Figure 50 Network diagram
    Configuration procedure
    Configure Switch A:
    # Perform 802.1X related configurations on Switch A (see "Configuring 802.1X").
    # Enable HABP. (HABP is enabled by default. This configuration is optional.)
    <SwitchA> system-view
    [SwitchA] habp enable
    # Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
    [SwitchA] habp server vlan 1
    # Set the interval at which the switch sends HABP request packets to 50 seconds.
  • Page 209
    <SwitchA> display habp
    Global HABP information:
    HABP Mode: Server
    Sending HABP request packets every 50 seconds
    Bypass VLAN: 1
    # Display HABP MAC address table entries.
    <SwitchA> display habp table
    Holdtime Receive Port
    001f-3c00-0030 GigabitEthernet1/0/2
    001f-3c00-0031 GigabitEthernet1/0/1
    ...
  • Page 210: Managing Public Keys

    Managing public keys
    Overview
    To protect data confidentiality during transmission, the data sender uses an algorithm and a key (a character string) to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 51.
    Figure 51 Encryption and decryption
    The keys that participate in the conversion between the plain text and the cipher text can be the same or...
  • Page 211: Configuration Task List

    Configuration task list Public key configuration tasks enable you to manage the local asymmetric key pairs, and configure the peer host public keys on the local device. By completing these tasks, the local device is ready to work with applications such as SSH and SSL to implement data encryption/decryption, or digital signature. Complete these tasks to configure public keys: Task Remarks...
  • Page 212: Displaying Or Exporting The Local Host Public Key

    Displaying or exporting the local host public key In some applications, such as SSH, to allow your local device to be authenticated by a peer device through digital signature, you must display or export the local host public key, which will then be specified on the peer device.
  • Page 213: Destroying A Local Asymmetric Key Pair

    Exporting the host public key in a specific format to a file
    After you export and save the host public key in a specific format to a file, transfer the file to the peer device. To export and save the local host public key to a file:
    Step Command Remarks...
  • Page 214
    Task: Manually configure the public key ...
    Remarks:
    • If the peer device is an H3C device, use the display public-key local public ... Otherwise, the manual configuration of a format-incompliant public key will fail.
  • Page 215: Displaying And Maintaining Public Keys

    Displaying and maintaining public keys
    Task: Display the local public keys.
    Command: display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    Task: Display the specified or all peer ...
    Command: display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | ...
    Remarks: Available in any view
  • Page 216 ===================================================== Time of Key pair created: 09:50:06 2012/03/07 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ===================================================== Time of Key pair created: 09:50:07 2012/03/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87 BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44...
  • Page 217: Importing A Peer Public Key From A Public Key File

    66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A. Importing a peer public key from a public key file Network requirements As shown in Figure 53, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature.
  • Page 218 ===================================================== Time of Key pair created: 09:50:07 2012/03/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87 BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44 90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0 203010001 # Export the RSA host public key HOST_KEY to a file named devicea.pub. [DeviceA] public-key local export rsa ssh2 devicea.pub On Device A, enable the FTP server function, create an FTP user with the username ftp, password 123, and user level 3.
  • Page 219 ===================================== Key Name : devicea Key Type : RSA Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.
  • Page 220: Configuring Pki

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. H3C's PKI system provides certificate management for Secure Sockets Layer (SSL).
    PKI terms
    • ...
  • Page 221: Pki Architecture

    such as phone, disk, and email. As different CAs might use different methods to examine the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.
  • Page 222: Pki Applications

    An entity submits a certificate request to the RA. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution point to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 223: Configuring An Entity Dn

    Task Remarks: Deleting a certificate (Optional). Configuring an access control policy (Optional). Configuring an entity DN A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.
  • Page 224: Configuring A Pki Domain

    Step Command Remarks: Configure the locality for the entity (locality locality-name). Optional. No locality is specified by default. Configure the organization name for the entity (organization org-name). Optional. No organization is specified by default. Configure the unit name for the entity (organization-unit org-unit-name). Optional.
  • Page 225: Configuration Guidelines

    Configuration guidelines • Up to two PKI domains can be created on a switch. • The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request. • The certificate request URL does not support domain name resolution. •...
  • Page 226: Submitting A Certificate Request In Auto Mode

    An online certificate request can be submitted in manual mode or auto mode. Submitting a certificate request in auto mode IMPORTANT: In auto mode, an entity does not automatically re-request a certificate to replace a certificate that is expiring or has expired. After the certificate expires, the service using the certificate might be interrupted. In auto mode, an entity automatically requests a certificate from the CA server through SCEP if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves the certificate locally.
  • Page 227: Retrieving A Certificate Manually

    request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option. • Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the certificate will be abnormal.
  • Page 228: Configuration Procedure

    • The configuration made by the pki retrieval-certificate command is not saved in the configuration file. • Make sure the switch's system time falls in the validity period of the certificate so that the certificate is valid. Configuration procedure To retrieve a certificate manually: Step Command Remarks...
  • Page 229: Configuring Crl-Checking-Disabled Pki Certificate Verification

    Step Command Remarks: Set the CRL update period (crl update-period hours). Optional. By default, the CRL update period depends on the next update field in the CRL file. Enable CRL checking (crl check enable). Optional. Enabled by default. Return to system view (quit). Retrieve the CA certificate; see "Retrieving a certificate manually."
  • Page 230: Deleting A Certificate

    For more information about the public-key local destroy command, see Security Command Reference. Deleting a certificate When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. To delete a certificate: Step Command...
  • Page 231: Pki Configuration Examples

    Task Command Remarks: Display CRLs (display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]). Available in any view. Display information about certificate attribute groups (display pki certificate attribute-group { group-name | all } [ | { begin | exclude |...). Available in any view.
  • Page 232 After completing the configuration, you must perform CRL related configurations. In this example, select the local CRL distribution mode of Hypertext Transfer Protocol (HTTP) and set the HTTP URL to http://4.4.4.133:447/myca.crl. After the configuration, make sure the system clock of the switch is synchronous to that of the CA, so that the switch can request certificates and retrieve CRLs properly.
  • Page 233 fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..CA certificates retrieval success. # Retrieve CRLs and save them locally. [Device] pki retrieval-crl domain torsa Connecting to server for retrieving CRL.
  • Page 234: Certificate Request From A Windows 2003 Ca Server

    D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: URI:http://4.4.4.133:447/myca.crl Signature Algorithm: sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B...
  • Page 235 If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA. Right-click the CA server in the navigation tree and select Properties > Policy Module. Click Properties and select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
  • Page 236 ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ Apply for certificates: # Retrieve the CA certificate and save it locally. [Device] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..
  • Page 237: Certificate Attribute Access Control Policy Configuration Example

    10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier: keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points: URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl...
  • Page 238 Figure 57 Network diagram Configuration procedure The configuration procedure involves SSL configuration and HTTPS configuration. For more information about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see Fundamentals Configuration Guide. The PKI domain to be referenced by the SSL policy must exist. For how to configure a PKI domain, see "Configure the PKI domain:."...
  • Page 239: Troubleshooting Pki

    Apply the SSL server policy and certificate attribute access control policy to HTTPS service and enable HTTPS service: # Apply SSL server policy myssl to HTTPS service. [Device] ip https ssl-server-policy myssl # Apply the certificate attribute access control policy of myacp to HTTPS service. [Device] ip https certificate access-control-policy myacp # Enable HTTPS service.
  • Page 240: Failed To Retrieve Crls

    Solution • Make sure the network connection is physically proper. • Retrieve a CA certificate. • Regenerate a key pair. • Specify a trusted CA. • Use the ping command to verify that the RA server is reachable. • Specify the authority for certificate request. •...
  • Page 241: Configuring Ipsec

    Configuring IPsec The term "router" in this document refers to both routers and switches. A switch in IRF mode does not support IPsec automatic negotiation. IPsec configuration is available only for the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS."...
  • Page 242 Standard (AES), and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
  • Page 243 Figure 58 Encapsulation by security protocols in different modes Authentication algorithms and encryption algorithms Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
  • Page 244: Protocols And Standards

    Protocols and standards Protocols and standards relevant to IPsec are as follows: • RFC 2401, Security Architecture for the Internet Protocol • RFC 2402, IP Authentication Header • RFC 2406, IP Encapsulating Security Payload Configuring IPsec IPsec can be implemented based only on ACLs. ACL-based IPsec uses ACLs to identify the data flows to be protected.
  • Page 245: Configuring Acls

    Task Remarks Configuring the IPsec session idle timeout Optional. Enabling ACL checking of de-encapsulated IPsec packets Optional. Configuring the IPsec anti-replay function Optional. Configuring packet information pre-extraction Optional. CAUTION: Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50 respectively.
  • Page 246: Configuring An Ipsec Proposal

    a deny statement in a higher priority IPsec policy. Otherwise, the packets will be sent out as normal packets; if they match a permit statement at the receiving end, they will be dropped by IPsec. • An ACL can be specified for only one IPsec policy. • ACLs referenced by IPsec policies cannot be used...
  • Page 247: Configuring An Ipsec Policy

    Step Command Remarks: Specify the security algorithms. Optional. • Specify the encryption algorithm for ESP: esp encryption-algorithm aes [ key-length ]. For ESP, the default encryption algorithm is AES-128. • Specify the authentication algorithm for ESP: esp authentication-algorithm sha1. For ESP and AH, the...
  • Page 248 • The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters. Before you configure a manual IPsec policy, configure ACLs used for identifying protected traffic and IPsec transform sets.
  • Page 249 NOTE: You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec policy.
  • Page 250: Applying An Ipsec Policy Group To An Interface

    Step Command Remarks: Specify an IKE peer for the IPsec policy (ike-peer peer-name). An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa. Enable and configure the perfect forward secrecy (PFS) feature (pfs { dh-group2 | dh-group5 | ...). Optional. By default, the PFS feature is not used for negotiation.
  • Page 251: Configuring The Ipsec Session Idle Timeout

    Step Command: Enter system view (system-view). Enter interface view (interface interface-type interface-number). Apply an IPsec policy group to the interface (ipsec policy policy-name). NOTE: • IPsec policies can be applied only to VLAN interfaces on the switch. • An interface can reference only one IPsec policy group. • An IPsec policy can be applied to only one...
  • Page 252: Configuring The Ipsec Anti-Replay Function

    Configuring the IPsec anti-replay function The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This function checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window. If the sequence number is not in the current sequence number range, the packet is considered a replayed packet and is discarded.
  • Page 253: Displaying And Maintaining Ipsec

    Step Command Remarks: Enter IPsec policy view (ipsec policy policy-name seq-number [ isakmp | manual ]). Configure either command. Enable packet information pre-extraction (qos pre-classify). Disabled by default. Displaying and maintaining IPsec To do… Use the command… Remarks: Display IPsec policy information (display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin |...). Available in any view.
  • Page 254 Figure 59 Network diagram Configuration procedure Configure Switch A: # Assign an IP address to VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Define an ACL to identify data flows from Switch A to Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] rule 5 permit ip source 2.2.3.1 0 destination 2.2.2.1 0...
  • Page 255 [SwitchA-Vlan-interface1] ipsec policy map1 Configure Switch B: # Assign an IP address to VLAN-interface 1. <SwitchB> system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0 [SwitchB-Vlan-interface1] quit # Define an ACL to identify data flows from Switch B to Switch A. [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0 [SwitchB-acl-adv-3101] rule 5 permit ip source 2.2.2.1 0 destination 2.2.3.1 0...
  • Page 256: Configuring Ike

    Configuring IKE This feature is applicable only to the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS." Overview Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.
  • Page 257: Ike Functions

    Figure 60 IKE exchange process in main mode As shown in Figure 60, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange, used for negotiating the security policy. • Key exchange, used for exchanging the Diffie-Hellman public value and other values like the...
  • Page 258: Relationship Between Ike And Ipsec

    Relationship between IKE and IPsec Figure 61 Relationship between IKE and IPsec Figure 61 illustrates the relationship between IKE and IPsec: • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. •...
  • Page 259: Configuring A Name For The Local Security Gateway

    Task Remarks Configuring an IKE peer Required. Setting keepalive timers Optional. Setting the NAT keepalive timer Optional. Configuring a DPD detector Optional. Disabling next payload field checking Optional. Configuring a name for the local security gateway If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (the id-type name or id-type user-fqdn command is configured on the initiator), configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.
  • Page 260: Configuring An Ike Peer

    Step Command Remarks: Specify an encryption algorithm for the IKE proposal (encryption-algorithm aes-cbc [ key-length ]). Optional. The default is AES-CBC-128. Specify an authentication method for the IKE proposal (authentication-method { pre-share | rsa-signature }). Optional. Pre-shared key by default. Specify an authentication... Optional.
  • Page 261 Step Command Remarks: Enter system view (system-view). Create an IKE peer and enter IKE peer view (ike peer peer-name). Specify the IKE negotiation mode for phase 1 (exchange-mode main). Optional. The default is main. Specify the IKE proposals for... (proposal proposal-number&<1-6>...). Optional. By default, an IKE peer references no IKE proposals, and, when...
  • Page 262: Setting Keepalive Timers

    Step Command Remarks: Apply a DPD detector to the IKE peer (dpd dpd-name). Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a DPD detector." NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs.
  • Page 263: Configuring A Dpd Detector

    Step Command Remarks: Set the NAT keepalive interval (ike sa nat-keepalive-timer interval seconds). 20 seconds by default. Configuring a DPD detector Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
  • Page 264: Displaying And Maintaining Ike

    Displaying and maintaining IKE Task Command Remarks: Display IKE DPD information (display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]). Available in any view. Display IKE peer information (display ike peer [ peer-name ] [ | { begin |...). Available in any view.
  • Page 265 [SwitchA] ipsec proposal tran1 # Set the packet encapsulation mode to tunnel. [SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel # Use security protocol ESP. [SwitchA-ipsec-proposal-tran1] transform esp # Specify encryption and authentication algorithms. [SwitchA-ipsec-proposal-tran1] esp encryption-algorithm aes 128 [SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-proposal-tran1] quit # Create an IKE proposal numbered 10.
  • Page 266 [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure ACL 3101 to identify traffic from Switch B to Switch A. [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchB-acl-adv-3101] quit # Create IPsec proposal tran1.
  • Page 267: Troubleshooting Ike

    # Reference IKE peer peer. [SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer [SwitchB-ipsec-policy-isakmp-use1-10] quit # Apply the IPsec policy to VLAN-interface 1. [SwitchB-Vlan-interface1] ipsec policy use1 Verifying the configuration After the above configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with Switch B when receiving the first packet.
  • Page 268: Failing To Establish An Ipsec Tunnel

    Solution For the negotiation in phase 1, look up the IKE proposals for a match. For the negotiation in phase 2, check whether the parameters of the IPsec policies applied on the interfaces are matched, and whether the referred IPsec proposals have a match in protocol, encryption and authentication algorithms. Failing to establish an IPsec tunnel Symptom The expected IPsec tunnel cannot be established.
  • Page 269: Configuring Ssh2.0

    Configuring SSH2.0 Overview Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
  • Page 270 After receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the server’s protocol version is lower and supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the server of the protocol version that it decides to use.
  • Page 271: Fips Compliance

    In the interaction stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be within 2000 bytes. H3C recommends you to paste commands in the same view. Otherwise, the server might not be able to execute the commands correctly.
  • Page 272: Configuring The Switch As An Ssh Server

    Configuring the switch as an SSH server SSH server configuration task list Task Remarks: Generating DSA or RSA key pairs (Optional). Enabling the SSH server function (Required). Configuring the user interfaces for SSH clients (Required). Configuring a client public key (Required for publickey authentication users and optional for password authentication users). Configuring an SSH user...
  • Page 273: Enabling The Ssh Server Function

    Enabling the SSH server function Step Command Remarks: Enter system view (system-view). Enable the SSH server function (ssh server enable). Disabled by default. NOTE: When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at one time.
  • Page 274: Configuring An Ssh User

    Before importing the public key, you must upload the public key file (in binary) to the server through FTP or TFTP. NOTE: H3C recommends you to configure a client public key by importing it from a public key file. For more information about client public key configuration, see "Managing public keys."...
  • Page 275 Configuration guidelines When you perform the procedure in this section to configure an SSH user, follow these guidelines: You can set the service type to Stelnet, SFTP, and SCP (Secure copy). For more information about Stelnet, see "Overview." For more information about SFTP, see "Configuring SFTP."...
  • Page 276: Setting The Ssh Management Parameters

    Step Command Remarks: Create an SSH user, and ... Use one of... • For Stelnet users: In non-FIPS mode: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } In FIPS mode: ssh user username service-type stelnet authentication-type { password | password-publickey assign publickey keyname }
  • Page 277: Setting The Dscp Value For Packets Sent By The Ssh Server

    Step Command Remarks: Set the RSA server key pair update interval (ssh server rekey-interval hours). Optional. By default, the interval is 0, and the RSA server key pair is not updated. This command is not available in FIPS mode. Set the SSH user authentication timeout period (ssh server authentication-timeout ...). Optional.
  • Page 278: Specifying A Source Ip Address/Interface For The Ssh Client

    Specifying a source IP address/interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability. To specify a source IP address or interface for the client: Step Command Remarks...
  • Page 279: Establishing A Connection Between The Ssh Client And Server

    Step Command Remarks: Disable first-time authentication support (undo ssh client first-time). By default, first-time authentication is supported on a client. Configure the server host public key on the client. For the method for configuring the server host public key on the client, see "Configuring a client public key."
  • Page 280: Displaying And Maintaining Ssh

    To set the DSCP value for packets sent by the SSH client: Step Command Remarks: Enter system view (system-view). Set the DSCP value for IPv4 packets sent by the SSH client. Optional. • Set the DSCP value for IPv4 packets sent by the SSH client: ssh client dscp dscp-value. By default, the DSCP value is 16 in...
  • Page 281: When The Switch Acts As A Server For Password Authentication

    When the switch acts as a server for password authentication Network requirements As shown in Figure 63, a host (the SSH client) and a switch (the SSH server) are directly connected. Configure an SSH user on the switch so that the host can securely log in to the switch after passing password authentication.
  • Page 282 [Switch-ui-vty0-15] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-15] protocol inbound ssh [Switch-ui-vty0-15] quit # Create local user client001, and set the user command privilege level to 3. [Switch] local-user client001 [Switch-luser-client001] password simple aabbcc [Switch-luser-client001] service-type ssh [Switch-luser-client001] authorization-attribute level 3 [Switch-luser-client001] quit # Specify the service type for user client001 as stelnet, and the authentication method as password.
  • Page 283: When The Switch Acts As A Server For Publickey Authentication

    If the connection is normal, you will be prompted to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the configuration interface of the server. When the switch acts as a server for publickey authentication Network requirements As shown in Figure...
  • Page 284 When the generator is generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 67. Otherwise, the progress bar stops moving and the key pair generating process will be stopped. Figure 67 Generating process After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
  • Page 285 Figure 68 Saving the key pair on the client Click Save private key to save the private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). Transmit the public key file to the server through FTP or TFTP.
  • Page 286 Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Enable the SSH server. [Switch] ssh server enable # Configure an IP address for VLAN-interface 1. This address will serve as the destination of the SSH connection.
  • Page 287 Figure 69 Specifying the host name (or IP address) Select Connection > SSH > Auth from the navigation tree. The window as shown in Figure 70 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk) and click OK.
  • Page 288: Ssh Client Configuration Examples

    Figure 70 Specifying the private key file Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server. SSH client configuration examples Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode.
  • Page 289 # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 290 # Configure an IP address for VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [SwitchA-Vlan-interface1] quit [SwitchA] quit # Establish a connection between the SSH client and the SSH server: If the client supports first-time authentication, you can directly establish a connection from the client to the server.
  • Page 291: When Switch Acts As Client For Publickey Authentication

    [SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D [SwitchA-pkey-key-code]485348 [SwitchA-pkey-key-code] public-key-code end [SwitchA-pkey-public-key] peer-public-key end # Specify the host public key for the SSH server 10.165.87.136 as key1. [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1 [SwitchA] quit # Establish an SSH connection to server 10.165.87.136. <SwitchA>...
  • Page 292 +++++++++++++++++++++++++++++++++++ # Export the DSA public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit Then, transmit the public key file to the server through FTP or TFTP. Configure the SSH server: # Generate the RSA key pairs. <SwitchB>...
  • Page 293 # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001 Establish an SSH connection to the server 10.165.87.136. <SwitchA> ssh2 10.165.87.136 Username: client002 Trying 10.165.87.136 ...
  • Page 294: Configuring Sftp

    Configuring SFTP Overview The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
  • Page 295: Configuring The Sftp Connection Idle Timeout Period

    Step Command Remarks Enter system view. system-view Enable the SFTP server. sftp server enable Disabled by default. Configuring the SFTP connection idle timeout period Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down. To configure the SFTP connection idle timeout period: Step Command...
  • Page 296: Working With Sftp Directories

    Task Command Remarks • Establish a connection to the remote IPv4 SFTP server and enter SFTP client view: In non-FIPS mode: sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *...
  • Page 297: Working With Sftp Files

    Step Command Remarks: Display files under a directory (• dir [ -a | -l ] [ remote-path ] • ls [ -a | -l ] [ remote-path ]). Optional. The dir command functions as the ls command. Change the name of a ... (rename oldname newname). Optional.
  • Page 298: Terminating The Connection To The Remote Sftp Server

    Step Command Remarks: Enter SFTP client view. Execute the command in user view. For more information, see "Establishing a connection to the SFTP server." Display a list of all commands or the help information of an SFTP client command (help [ all | command-name ]).
  • Page 299 Network requirements As shown in Figure 73, an SSH connection is required between Switch A and Switch B. Switch A, an SFTP client, needs to log in to Switch B for file management and file transfer. Use publickey authentication and the RSA public key algorithm.
  • Page 300 ++++++++ ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [SwitchB] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 301 sftp-client> # Display files under the current directory of the server, delete the file named z, and check if the file has been deleted successfully. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone...
  • Page 302: Sftp Server Configuration Example

    # Upload the local file pu to the server, save it as puk, and check if the file has been uploaded successfully. sftp-client> put pu puk Local file:pu ---> Remote file: /puk Uploading file successfully ended sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx...
  • Page 303 +++++ ++++++++ # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 304 Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 75 SFTP client interface...
  • Page 305: Configuring Scp

    Configuring SCP Overview Secure copy (SCP) is based on SSH2.0 and offers a secure approach to copying files. SCP uses SSH connections for copying files. The switch can act as the SCP server, allowing a user to log in to the switch for file upload and download. The switch can also act as an SCP client, enabling a user to log in from the switch to a remote server for secure file transfer.
  • Page 306: Configuring The Switch As The Scp Client

    Configuring the switch as the SCP client To upload or download files to or from an SCP server: Step Command Remarks • Upload a file to the IPv4 SCP server: In non-FIPS mode: scp server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
  • Page 307: Scp Client Configuration Example

    Step Command Remarks • Download a file from the remote IPv4 SCP server: In non-FIPS mode: scp server [ port-number ] get source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac...
  • Page 308: Scp Server Configuration Example

    Configuration procedure # Create VLAN-interface 1 and assign an IP address to it. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface1] quit # Download the file remote.bin from the SCP server, save it locally and change the file name to local.bin. <SwitchA>...
  • Page 309 # Generate the DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 310: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and online banking to ensure secure data transmission over the Internet. SSL security mechanism Secure connections provided by SSL have these features: Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the key...
  • Page 311: Fips Compliance

    Figure 79 SSL protocol stack. • SSL record protocol: fragments data to be transmitted, computes and adds a MAC to the data, and encrypts the data before transmitting it to the peer end. • SSL handshake protocol: negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
  • Page 312 Step Command Remarks Enter system view. system-view Create an SSL server policy ssl server-policy policy-name and enter its view. Optional. By default, no PKI domain is specified for an SSL server policy. The SSL server generates a certificate itself instead of requesting one from the CA.
  • Page 313: Ssl Server Policy Configuration Example

    Step Command Remarks: Enable the SSL server to perform digital certificate-based authentication for SSL clients (optional): client-verify enable. By default, the SSL server does not require clients to be authenticated. Enable SSL client weak authentication (optional): client-verify weaken. Disabled by default. This command takes effect only...
  • Page 314 [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit # Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en. [Device] pki domain 1 [Device-pki-domain-1] ca identifier ca server [Device-pki-domain-1] certificate request url...
  • Page 315: Configuring An Ssl Client Policy

    Configuring an SSL client policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol. To configure an SSL client policy: Step Command...
  • Page 316: Displaying And Maintaining Ssl

    Displaying and maintaining SSL. Task Command Remarks: Display SSL server policy information: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] (available in any view). Display SSL client policy information: display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] (available in any view).
  • Page 317: Configuring Tcp Attack Protection

    Configuring TCP attack protection. Overview: An attacker can attack the switch during the process of establishing a TCP connection, for example by sending SYN segments and never completing the handshake, so that half-open connections consume the switch's connection resources. To prevent such an attack, the switch provides the SYN Cookie feature. Enabling the SYN Cookie feature: As a general rule, establishing a TCP connection involves a three-way handshake. The request originator sends a SYN message to the target server.
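
The idea behind a SYN cookie is that the server encodes everything it needs into its own SYN-ACK sequence number, so no half-open connection entry has to be kept until the third handshake segment arrives. The following is an added example written for this page, modelled on the Linux scheme; it is not the switch's implementation, and the secret, the 4-slot cookie lifetime and the 4-entry MSS table are constructed for the demonstration.

```python
"""Stateless SYN cookie: the SYN-ACK sequence number carries a keyed hash of the
connection 4-tuple, a coarse time counter and the client's MSS, so the final
ACK can be validated without any stored state.  Added example; not H3C code."""
import hashlib
import hmac
import ipaddress
import struct

COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MAX_COOKIE_AGE = 4                    # assumption: accept cookies up to 4 time slots old
MSS_TABLE = (536, 1300, 1440, 1460)   # the MSS is squeezed into a 2-bit table index

# Secret keying the cookie MAC.  Constructed for the example; a real stack draws
# it at boot and never discloses it.
SECRET = b"constructed-demo-secret"


def _h(saddr, daddr, sport, dport, count, tag):
    """Keyed hash over the 4-tuple, a time counter and a tag byte."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, count, tag)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK.  Nothing about this connection is stored."""
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fitting[-1] if fitting else 0
    return (client_isn
            + _h(saddr, daddr, sport, dport, 0, 0)
            + (count << COOKIE_BITS)
            + ((_h(saddr, daddr, sport, dport, count, 1) + mss_idx) & COOKIE_MASK)
            ) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, cur_count):
    """Return the MSS encoded in a valid cookie, or None if it is forged or stale."""
    x = (cookie - client_isn - _h(saddr, daddr, sport, dport, 0, 0)) & 0xFFFFFFFF
    age = (cur_count - (x >> COOKIE_BITS)) & 0xFF
    if age >= MAX_COOKIE_AGE:
        return None                   # too old: a replayed or guessed cookie
    count = cur_count - age
    mss_idx = (x - _h(saddr, daddr, sport, dport, count, 1)) & COOKIE_MASK
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


def verify_ack(saddr, daddr, sport, dport, seq, ack, cur_count):
    """Third handshake segment: seq = client ISN + 1, ack = cookie + 1."""
    return check_cookie(saddr, daddr, sport, dport,
                        (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, cur_count)


if __name__ == "__main__":
    # Constructed handshake: client 192.0.2.10:40000 -> server 198.51.100.1:22
    c = make_cookie("192.0.2.10", "198.51.100.1", 40000, 22, 1000, 1460, count=7)
    print("valid ACK ->", verify_ack("192.0.2.10", "198.51.100.1", 40000, 22, 1001, c + 1, 8))
    print("stale ACK ->", verify_ack("192.0.2.10", "198.51.100.1", 40000, 22, 1001, c + 1,
                                     7 + MAX_COOKIE_AGE))
```

Because the only per-connection state is the cookie itself, a SYN flood costs the server nothing but the hash computations; the price is that TCP options other than the table-encoded MSS are lost, which is why real stacks enable cookies only once the half-open queue fills up.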
  • Page 318: Configuring Ip Source Guard

    Configuring IP source guard. Overview: IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the source IP address, the source MAC address, or both. IP source guard entries fall into the following types: •...
  • Page 319: Dynamic Ip Source Guard Binding Entries

    Global static binding entry A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all ports. A port forwards a packet when the packet’s IP address and MAC address both match those of a global static binding entry or a static binding entry configured on the port.
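The entry types above differ only in scope (global static entries apply to every port, port-based static entries and dynamic entries to one port) and in which fields they bind. The following added example models that lookup in Python so the forwarding decision can be traced for sample packets; it is not the switch's code, and the port names, addresses and the 640-entry default are taken from this section, while the rule that a dynamic entry records only the fields named in ip verify source follows the remark on the IPv6 command in this guide.

```python
"""IP source guard as a binding check on ingress packets.
Added illustration of the entry types this section describes; not the switch's
implementation.  Port names and addresses below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One source guard entry.  A None field is a wildcard, as for a static entry
    configured with only an IP address or only a MAC address."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    port: Optional[str] = None      # None marks a global static entry (all ports)
    static: bool = True

    def matches(self, ip, mac):
        return (self.ip is None or self.ip == ip) and (self.mac is None or self.mac == mac)


class IPSourceGuard:
    def __init__(self, max_entries=640):    # ip verify source max-entries: 640 by default
        self.modes = {}                     # port -> fields named in ip verify source
        self.entries = set()
        self.max_entries = max_entries

    def enable(self, port, *fields):
        """ip verify source { ip-address | mac-address | ip-address mac-address }.
        The keywords only control which fields dynamic entries record."""
        self.modes[port] = frozenset(fields)

    def add_static(self, ip=None, mac=None, port=None):
        """ip source binding ... in system view (port=None) or interface view.
        A static entry that denotes the same binding as a dynamic one replaces it."""
        self.entries.discard(Binding(ip, mac, port, static=False))
        self.entries.add(Binding(ip, mac, port))

    def learn(self, port, ip, mac):
        """Dynamic entry from DHCP snooping, DHCP relay or 802.1X."""
        mode = self.modes.get(port)
        if mode is None:
            return False
        dynamic_on_port = sum(1 for e in self.entries if e.port == port and not e.static)
        if dynamic_on_port >= self.max_entries:
            return False                    # port is at its entry limit
        entry = Binding(ip if "ip" in mode else None,
                        mac if "mac" in mode else None, port, static=False)
        if Binding(entry.ip, entry.mac, port) in self.entries:
            return False                    # a static entry already covers this binding
        self.entries.add(entry)
        return True

    def permits(self, port, src_ip, src_mac):
        """Forward only if a global entry or an entry on this port matches every
        field it binds; an unguarded port forwards everything."""
        if port not in self.modes:
            return True
        return any(e.port in (None, port) and e.matches(src_ip, src_mac)
                   for e in self.entries)
```

Note the asymmetry the examples in this chapter rely on: a static entry with only an IP address (as on Device B's GigabitEthernet 1/0/1) admits any MAC address claiming that IP, while an entry with both fields admits only the exact pair.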
  • Page 320: Configuring The Ipv4 Source Guard Function

    Task Remarks Configuring IPv4 source guard on a port Required Configuring a static IPv4 source guard entry Optional Setting the maximum number of IPv4 source guard entries Optional Complete the following tasks to configure IPv6 source guard: Task Remarks Configuring IPv6 source guard on a port Required Configuring a static IPv6 source guard entry Optional...
  • Page 321: Configuring A Static Ipv4 Source Guard Entry

    Step Command Remarks: Enter interface view: interface interface-type interface-number. The term "interface" collectively refers to the following types of ports and interfaces: bridge mode (Layer 2) Ethernet ports, VLAN interfaces, and port groups. Enable the 802.1X IP freezing function (optional): dot1x user-ip freeze. By default, this function is disabled. A port saves the IP addresses of 802.1X users and...
  • Page 322: Setting The Maximum Number Of Ipv4 Source Guard Entries

    Step Command Remarks: Enter system view: system-view. Configure a global static IPv4 binding entry: ip source binding ip-address ip-address mac-address mac-address. No global static IPv4 binding entry is configured by default. Configuring port-based static IPv4 binding entries: Follow these guidelines to configure port-based static IPv4 source guard entries: • You cannot repeatedly configure the same static binding entry on one port, but you can configure...
  • Page 323: Configuring The Ipv6 Source Guard Function

    Step Command Remarks: Configure the maximum number of IPv4 binding entries allowed on the port (optional): ip verify source max-entries number. 640 by default. Configuring the IPv6 source guard function: You cannot enable IPv6 source guard on a link aggregation member port or a service loopback port. If IPv6 source guard is enabled on a port, you cannot assign the port to a link aggregation group.
  • Page 324: Configuring A Static Ipv6 Source Guard Entry

    Step Command Remarks: Configure the IPv6 source guard function on the port: ipv6 verify source { ipv6-address | ipv6-address mac-address |... Not configured by default. The keyword specified in the ipv6 verify source command is only for instructing the generation of dynamic IPv6 source guard entries.
  • Page 325: Setting The Maximum Number Of Ipv6 Source Guard Entries

    • When the ND detection function is configured, be sure to specify the VLAN where ND detection is configured in static binding entries. Otherwise, ND packets will be discarded because they cannot match any static IPv6 binding entry. • If a static binding entry to be added denotes the same binding as an existing dynamic binding entry, the new static binding entry overwrites the dynamic binding entry.
  • Page 326: Ip Source Guard Configuration Examples

    Task Command Remarks: Display static IPv4 source guard entries: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (available in any view). Display IPv4 source guard entries: display ip source binding [ interface interface-type interface-number |...
  • Page 327 Figure 82 Network diagram Configuration procedure Configure Device A: # Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address. <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] ip verify source ip-address mac-address # Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
  • Page 328: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    # Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on the source IP address. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip verify source ip-address # Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
  • Page 329: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    # Enable DHCP snooping. <Device> system-view [Device] dhcp-snooping # Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port. [Device] interface gigabitethernet1/0/2 [Device-GigabitEthernet1/0/2] dhcp-snooping trust [Device-GigabitEthernet1/0/2] quit Configure the IPv4 source guard function. # Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 330: Static Ipv6 Source Guard Configuration Example

    Figure 84 Network diagram Configuration procedure Configure the IPv4 source guard function: # Configure the IP addresses of the interfaces. (Details not shown.) # Configure the IPv4 source guard function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address. <Switch>...
  • Page 331: Dynamic Ipv6 Source Guard Using Dhcpv6 Snooping Configuration Example

    Figure 85 Network diagram Configuration procedure # Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address. <Device> system-view [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address # Configure GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
  • Page 332: Dynamic Ipv6 Source Guard Using Nd Snooping Configuration Example

    Configuration procedure Configure DHCPv6 snooping: # Enable DHCPv6 snooping globally. <Device> system-view [Device] ipv6 dhcp snooping enable # Enable DHCPv6 snooping in VLAN 2. [Device] vlan 2 [Device-vlan2] ipv6 dhcp snooping vlan enable [Device-vlan2] quit # Configure the port connecting to the DHCP server as a trusted port. [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust [Device-GigabitEthernet1/0/2] quit...
  • Page 333: Global Static Ip Source Guard Configuration Example

    Figure 87 Network diagram Configuration procedure Configure ND snooping: # In VLAN 2, enable ND snooping. <Device> system-view [Device] vlan 2 [Device-vlan2] ipv6 nd snooping enable [Device-vlan2] quit Configure the IPv6 source guard function: # Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 334 Figure 88 Network diagram Configuration procedure # Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10. <DeviceB> system-view [DeviceB] vlan 10 [DeviceB-vlan10] port gigabitethernet 1/0/2 [DeviceB-vlan10] quit # Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20. [DeviceB] vlan 20 [DeviceB-vlan20] port gigabitethernet 1/0/3 [DeviceB-vlan20] quit...
  • Page 335: Troubleshooting Ip Source Guard

    [DeviceB] ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0407 Verifying the configuration # Display static IPv4 binding entries on Device B. [DeviceB] display ip source binding static Total entries found: 2 MAC Address IP Address VLAN Interface Type 0001-0203-0406 192.168.0.2 Static 0001-0203-0407 192.168.1.2 Static...
  • Page 336: Configuring Arp Attack Protection

    Configuring ARP attack protection. Overview: Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP...
  • Page 337: Configuring Arp Defense Against Ip Packet Attacks

    Task Remarks: Configuring ARP automatic scanning and fixed ARP: optional; configure this function on gateways (recommended). Configuring ARP gateway protection: optional; configure this function on access devices (recommended). Configuring ARP filtering: optional; configure this function on access devices (recommended). Configuring ARP defense against IP packet attacks: If the device receives a large number of IP packets from a host addressed to unreachable destinations: •...
  • Page 338: Enabling Arp Black Hole Routing

    Enabling ARP black hole routing. Step Command Remarks: Enter system view: system-view. Enable ARP black hole routing (optional): arp resolving-route enable. Enabled by default. Displaying and maintaining ARP defense against IP packet attacks. Task Command Remarks: Display ARP source suppression...: display arp source-suppression [ | { begin | exclude | include }... (available in any view)...
  • Page 339: Configuring Arp Packet Rate Limit

    Configuration considerations If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps: Enable ARP source suppression. Set the threshold for ARP packets from the same source address to 100. If the number of ARP requests sourced from the same IP address in 5 seconds exceeds 100, the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the following 5 seconds.
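The counting described above is a per-source sliding threshold: packets to unresolvable destinations are counted per source IP address over a 5-second window, and once a source exceeds 100 its packets stop triggering ARP requests for the following 5 seconds. The following added example models that behaviour in Python so the cut-over point can be checked on a constructed packet stream; it is not the switch's code, and the choice to measure the suppression period from the packet that crossed the threshold is an assumption.

```python
"""ARP source suppression: a host that keeps sending IP packets to unresolvable
destinations forces the device to issue ARP requests.  Added illustration of the
threshold/window behaviour; not the switch's code.  Threshold (100) and window
(5 s) follow the text; timing of the suppression period is an assumption."""


class ArpSourceSuppression:
    def __init__(self, threshold=100, window=5.0):
        self.threshold = threshold
        self.window = window
        self.window_start = {}       # src_ip -> start time of its counting window
        self.counts = {}             # src_ip -> packets counted in that window
        self.suppressed_until = {}   # src_ip -> time until which resolution is refused

    def may_trigger_arp(self, src_ip, now):
        """Called for each IP packet whose next hop has no ARP entry.
        Returns True if the device may send an ARP request on its behalf."""
        until = self.suppressed_until.get(src_ip)
        if until is not None:
            if now < until:
                return False         # still suppressed: drop without resolving
            del self.suppressed_until[src_ip]
        start = self.window_start.get(src_ip)
        if start is None or now - start >= self.window:
            self.window_start[src_ip] = now   # open a fresh 5-second window
            self.counts[src_ip] = 0
        self.counts[src_ip] += 1
        if self.counts[src_ip] > self.threshold:
            self.suppressed_until[src_ip] = now + self.window
            return False
        return True

    def suppressed_sources(self, now):
        """What a display command would list: sources currently suppressed."""
        return sorted(ip for ip, until in self.suppressed_until.items() if now < until)
```

The point of keying the counter on the source address is that a single scanning host is throttled while other hosts behind the same port keep normal ARP service; if attack traffic spoofs many source addresses instead, this mechanism does not help and ARP black hole routing is the relevant defense.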
  • Page 340: Configuring Source Mac Address Based Arp Attack Detection

    If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent when the ARP packet rate of a member port exceeds the preset threshold rate. To configure ARP packet rate limit: Step Command Remarks Enter system view.
  • Page 341: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Step Command Remarks: Enable source MAC address based ARP attack detection and specify the detection mode: arp anti-attack source-mac { filter | monitor }. Disabled by default. Configure the threshold (optional): arp anti-attack source-mac threshold threshold-value. 50 by default. Configure the age timer (optional)...
  • Page 342 Figure 90 Network diagram IP network ARP attack protection Gateway Device Server 0012-3f 86-e 94c Host A Host B Host C Host D Configuration considerations An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
  • Page 343: Configuring Arp Packet Source Mac Address Consistency Check

    Configuring ARP packet source MAC address consistency check Introduction The ARP packet source MAC address consistency check feature enables a gateway device to filter out ARP packets that have a different source MAC address in the Ethernet header from the sender MAC address in the message, so that the gateway device can learn correct ARP entries.
  • Page 344: Configuring Arp Detection

    Configuring ARP detection Introduction ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the following functions: User validity check. • ARP packet validity check. • • ARP restricted forwarding.
  • Page 345: Configuring Arp Packet Validity Check

    • At least the configured rules, static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries must be available for user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
  • Page 346: Configuring Arp Restricted Forwarding

    Step Command Remarks: Enter system view: system-view. Enter VLAN view: vlan vlan-id. Enable ARP detection for the VLAN: arp detection enable. Disabled by default. Return to system view: quit. Enable ARP packet validity check and specify the objects to check: arp detection validate { dst-mac | ip |... Disabled by default.
  • Page 347: Displaying And Maintaining Arp Detection

    To configure the ARP detection logging function: Step Command Remarks Enter system view. system-view By default, the ARP detection logging function is enabled. Enable the ARP detection arp detection log enable logging function. This command is available only in Release 5206 and later. Displaying and maintaining ARP detection Task Command...
  • Page 348: User Validity Check And Arp Packet Validity Check Configuration Example

    Configure Switch A as a DHCP server: # Configure DHCP address pool 0. <SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection.
  • Page 349 Figure 92 Network diagram Configuration procedure Add all ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure DHCP address pool 0 on Switch A as a DHCP server. <SwitchA>...
  • Page 350: Arp Restricted Forwarding Configuration Example

    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries.
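The order just described (packet validity check first, then user validity against static IP source guard entries and DHCP snooping entries, with trusted ports exempt) is what makes ARP detection effective against both user spoofing and gateway spoofing: a forged frame is dropped either because its headers contradict each other or because the sender IP/MAC pair was never learned for that port. The following added example implements that pipeline over constructed ARP frames; it is not the switch's code, and the exact dst-mac and ip rules (all-zero, all-one or multicast addresses rejected) follow my reading of the Comware command reference rather than anything shown on this page. It also covers the source MAC address consistency check described for gateways earlier, which is the src-mac object here.

```python
"""ARP packet validity check followed by user validity check on an untrusted port.
Added illustration of the checks described in this chapter; not the switch's code.
Frames below are constructed, not captured."""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6


def mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(raw):
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Ethernet II + ARP frame (constructed for the example)."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
            + mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed)


def parse_arp(frame):
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    oper = struct.unpack("!H", frame[20:22])[0]
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "oper": oper,
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


def _bad_ip(raw):
    return raw in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast


def validity_check(p, validate=("dst-mac", "ip", "src-mac")):
    """arp detection validate { dst-mac | ip | src-mac }.  Returns the object
    that failed, or None when the packet passes."""
    if "src-mac" in validate and p["sha"] != p["eth_src"]:
        return "src-mac"       # sender MAC in the body differs from the Ethernet source
    if "dst-mac" in validate and p["oper"] == ARP_REPLY:
        if p["tha"] in (ZERO_MAC, BCAST_MAC) or p["tha"] != p["eth_dst"]:
            return "dst-mac"   # assumption: all-zero/all-one/mismatched target MAC
    if "ip" in validate:
        if _bad_ip(p["spa"]) or (p["oper"] == ARP_REPLY and _bad_ip(p["tpa"])):
            return "ip"        # assumption: all-zero/all-one/multicast IP
    return None


def arp_detection(frame, trusted, bindings, validate=("dst-mac", "ip", "src-mac")):
    """Decision for one received ARP frame.  `bindings` is the set of (ip, mac)
    pairs known from static IP source guard entries, DHCP snooping or 802.1X;
    ARP detection consults it only for untrusted ports."""
    if trusted:
        return "forward"
    p = parse_arp(frame)
    if p is None:
        return "not-arp"
    failed = validity_check(p, validate)
    if failed:
        return "drop:" + failed
    sender = (str(ipaddress.IPv4Address(p["spa"])), mac_text(p["sha"]))
    if sender not in bindings:
        return "drop:user-validity"
    return "forward"
```

A gateway-spoofing request with internally consistent headers passes every validity object and is caught only by the user validity check, which is why the guideline above insists that binding entries must exist before ARP detection is enabled on untrusted ports.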
  • Page 351: Configuring Arp Automatic Scanning And Fixed Arp

    ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. H3C recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
  • Page 352: Configuration Guidelines

    Configuration guidelines. Follow these guidelines when you configure ARP automatic scanning and fixed ARP: • IP addresses existing in ARP entries are not scanned. • ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic...
  • Page 353: Configuration Procedure

    Configuration procedure. To configure ARP gateway protection: Step Command Remarks: Enter system view: system-view. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number. Enable ARP gateway protection for a specific gateway: arp filter source ip-address. Disabled by default.
  • Page 354: Configuring Arp Filtering

    Configuring ARP filtering To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port. The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries.
  • Page 355 Figure 95 Network diagram Configuration procedure # Configure ARP filtering on Switch B. <SwitchB> system-view [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349- 1 233, and discard other ARP packets.
  • Page 356: Configuring Nd Attack Defense

    Configuring ND attack defense Overview The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
  • Page 357: Enabling Source Mac Consistency Check For Nd Packets

    • The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid. To identify forged ND packets, H3C developed the source MAC consistency check and ND detection features. Enabling source MAC consistency check for ND...
  • Page 358: Configuration Procedure

    • The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, see Layer 3—IP Services Configuration Guide. • The ND snooping table is created automatically by the ND snooping module. For more information, see Layer 3—IP Services Configuration Guide. • ND detection performs source check by using the binding tables of IP source guard, DHCPv6...
  • Page 359: Configuration Procedure

    Enable ND detection on Switch B to filter out forged ND packets. Figure 97 Network diagram Internet Gateway Switch A GE1/0/3 Vlan-int10 10::1 VLAN 10 ND snooping GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B 10::5 10::6 0001-0203-0405 0001-0203-0607 Configuration procedure Configuring Switch A: # Enable IPv6 forwarding.
  • Page 360 [SwitchB-vlan10] quit # Add ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10. [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port access vlan 10 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port access vlan 10 [SwitchB-GigabitEthernet1/0/2] quit [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] port link-type trunk [SwitchB-GigabitEthernet1/0/3] port trunk permit vlan 10 [SwitchB-GigabitEthernet1/0/3] quit # Enable ND snooping for global unicast and link local addresses in VLAN 10.
  • Page 361: Configuring Savi

    Configuring SAVI Overview Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol packets, ND protocol packets, and IPv6 data packets.
  • Page 362: Savi Configuration In Dhcpv6-Only Address Assignment Scenario

    Step Command Remarks: Set the time to wait for a DAD NS from a DHCPv6 client: ipv6 savi dad-preparedelay value. Optional. One second by default. This command is used with the DHCPv6 snooping function. After DHCPv6 snooping detects that a client obtains an IPv6 address, it monitors whether the client detects IP address...
  • Page 363: Packet Check Principles

    Enable ND detection in VLAN 2 to check the ND packets arrived on the ports. For more information about ND detection, see "Configuring ND attack defense." Configure a static IPv6 source guard binding entry on each interface connected to a client. This step is optional.
  • Page 364: Savi Configuration In Slaac-Only Address Assignment Scenario

    [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address [SwitchB-GigabitEthernet1/0/2] quit [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] ipv6 verify source ipv6-address mac-address [SwitchB-GigabitEthernet1/0/3] quit SAVI configuration in SLAAC-only address assignment scenario Network requirements Figure 99 Network diagram Internet Gateway Switch A GE1/0/3 Vlan-int10 10::1...
  • Page 365: Packet Check Principles

    Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see "Configuring IP source guard."...
  • Page 366: Savi Configuration In Dhcpv6+Slaac Address Assignment Scenario

    [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address [SwitchB-GigabitEthernet1/0/2] quit SAVI configuration in DHCPv6+SLAAC address assignment scenario Network requirements Figure 100 Network diagram As shown in Figure 100, Switch B connects to the DHCPv6 server through interface GigabitEthernet 1/0/1 and connects to the DHCPv6 client through interface GigabitEthernet 1/0/3.
  • Page 367: Packet Check Principles

    For more information about static IPv6 source guard binding entries, see "Configuring IP source guard." Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more information about dynamic IPv6 source guard binding, see "Configuring IP source guard."...
  • Page 368 # Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/3 through GigabitEthernet 1/0/5. [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] ipv6 verify source ipv6-address mac-address [SwitchB-GigabitEthernet1/0/3] quit [SwitchB] interface gigabitethernet 1/0/4 [SwitchB-GigabitEthernet1/0/4] ipv6 verify source ipv6-address mac-address [SwitchB-GigabitEthernet1/0/4] quit [SwitchB] interface gigabitethernet 1/0/5 [SwitchB-GigabitEthernet1/0/5] ipv6 verify source ipv6-address mac-address...
  • Page 369: Configuring Blacklist

    Configuring blacklist Overview The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and fast in filtering packets sourced from particular IP addresses. The device can dynamically add and remove blacklist entries by cooperating with the login user authentication feature.
  • Page 370: Blacklist Configuration Example

    Blacklist configuration example Network requirements As shown in Figure 101, Host A, Host B, and Host C are internal users, and external user Host D is considered an attacker. Configure Device to always filter packets from Host D, and to prevent internal users from guessing passwords.
  • Page 371 Host D and Host C are on the blacklist. Host C will stay on the list for 10 minutes, and will then be able to try to log in again. The entry for Host D will never age out. When you do not consider Host D an attacker anymore, you can use the undo blacklist ip 5.5.5.5 command to remove the entry.
  • Page 372: Configuring Fips

    Configuring FIPS. Overview: Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the switch supports Level 2.
  • Page 373: Configuration Procedure

    Configuration procedure To configure FIPS, complete the following tasks: Remove the existing key pairs and certificates. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP. Enable the FIPS mode. Enable the password control function. Configure local user attributes (including local username, service type, password, and so on) on the switch.
  • Page 374: Triggering A Self-Test

    Triggering a self-test To examine whether the cryptography modules operate normally, you can use a command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots. To trigger a self-test: Step Command...
  • Page 375: Verifying The Configuration

    [Sysname-luser-test] service-type terminal [Sysname-luser-test] authorization-attribute level 3 [Sysname-luser-test] password Password:*********** Confirm :*********** Updating user(s) information, please wait... [Sysname-luser-test] quit # Save the configuration. [Sysname] save The current configuration will be written to the device. Are you sure? [Y/N]:y Please input the file name(*.cfg)[flash:/startup.cfg] (To leave the existing filename unchanged, press the enter key): flash:/startup.cfg exists, overwrite? [Y/N]:y Validating file.
  • Page 376 <Sysname> display fips status FIPS mode is enabled...
  • Page 377: Index

    Index A B C D E F H I L M N O P R S T U Configuring an IKE peer,243 Configuring an IKE proposal,242 AAA configuration considerations and task list,14 Configuring an SSL client policy,298 AAA configuration examples,47 Configuring an SSL server policy,294 overview,1...
  • Page 378 FIPS configuration example,357 Disabling next payload field checking,246 FIPS self-tests,355 Displaying and maintaining 802.1X,95 Displaying and maintaining AAA,47 H3C implementation of 802.1X,76 Displaying and maintaining EAD fast deployment,104 HABP configuration example,190 Displaying and maintaining FIPS,357 Displaying and maintaining HABP,190 Displaying and maintaining...
  • Page 379 Overview,352 Setting the maximum number of authentication request attempts,85 Overview,288 Setting the maximum number of concurrent 802.1X Overview,293 users on a port,85 Overview,174 Setting the NAT keepalive timer,245 Overview,177 Setting the port authorization state,84 Overview,300 Setting the port security mode,157 Overview,224 SFTP client configuration example,281...
