HP 6125XLG Configuration Manual

Blade switch security configuration guide

HP 6125XLG Blade Switch
Security
Configuration Guide

Part number: 5998-3718
Software version: Release 2306
Document version: 6W100-20130912
Summary of Contents for HP 6125XLG

  • Page 1: Configuration Guide

    HP 6125XLG Blade Switch Security Configuration Guide Part number: 5998-3718 Software version: Release 2306 Document version: 6W100-20130912...
  • Page 2 HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (7); LDAP (9); AAA implementation on the device (11); AAA for MPLS L3VPNs (13); Protocols and standards (13) ...
  • Page 4 EAP termination (66); Configuring 802.1X (68); HP implementation of 802.1X (68); Configuration prerequisites (68); 802.1X configuration task list (68); Enabling 802.1X (69); Enabling EAP relay or EAP termination (69) ...
  • Page 5 Configuring NTK (92); Configuring intrusion protection (93); Configuring secure MAC addresses (94); Configuration prerequisites (94); Configuration procedure (94); Ignoring authorization information from the server (95); Displaying and maintaining port security (95) ...
  • Page 6 Example for entering a peer public key (120); Network requirements (120); Configuration procedure (120); Verifying the configuration (121); Example for importing a public key from a public key file (122); Network requirements ...
  • Page 7 Enabling IPv4 source guard on an interface (162); Configuring a static IPv4 source guard binding entry on an interface (163); Configuring the IPv6 source guard function (164); Enabling IPv6 source guard on an interface (164) ...
  • Page 8 Configuring FIPS (191); Overview (191); Configuration restrictions and guidelines (191); Configuring FIPS mode (192); Entering FIPS mode (192); Configuration changes in FIPS mode (193); FIPS self-tests (194); Power-up self-tests ...
  • Page 9 Configuring the IKE keepalive function (229); Configuring the IKE NAT keepalive function (230); Configuring IKE DPD (230); Enabling invalid SPI recovery (231); Setting the limit on the number of IKE SAs (231) ...
  • Page 10: Configuring Aaa

    Configuring AAA. Overview. Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It specifies the following security functions: • Authentication—Identifies users and verifies their validity. • Authorization—Grants different users different rights and controls their access to resources and ...
  • Page 11: Radius

    The device performs dynamic password authentication. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
  • Page 12 Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS operates in the following manner: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 13 RADIUS packet format RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
  • Page 14 • The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. • The Attributes field (variable in length) includes specific authentication, authorization, and accounting information.
  • Page 15 Attribute table (two columns of attribute names). First column: Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id. Second column: ARAP-Security-Data, Password-Retry, Prompt, Connect-Info, Configuration-Token, EAP-Message, Message-Authenticator, Tunnel-Private-Group-id, Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id. Extended RADIUS attributes: The RADIUS protocol features excellent extensibility.
  • Page 16: Hwtacacs

    Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
  • Page 17 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server): 1) The user tries to log in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user enters the username. 6) Continue-authentication packet with the username. 7) Authentication response requesting the password. 8) Request for password ...
  • Page 18: Ldap

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
  • Page 19 An LDAP client uses the LDAP server administrator DN to bind with the LDAP server, establishes a connection to the server, and obtains the search rights. The LDAP client uses the username in the authentication information of a user to construct search conditions, searches for the user in the specified root directory of the server, and obtains a user DN list.
  • Page 20: Aaa Implementation On The Device

    After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server, which checks whether the user password is correct.
  • Page 21 AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user, and uses the methods configured for the access type in the domain to control the user's access. AAA also supports configuring a set of default methods for an ISP domain.
  • Page 22: Aaa For Mpls L3Vpns

    authorized commands. For more information about command accounting, see Fundamentals Configuration Guide. • User role authentication—Authenticates each user who wants to obtain a temporary user role without logging out or getting disconnected. For more information about temporary user role authorization, see Fundamentals Configuration Guide. AAA for MPLS L3VPNs. In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs.
  • Page 23: Radius Attributes

    RADIUS attributes. Commonly used standard RADIUS attributes: • User-Name: Name of the user to be authenticated. • User-Password: User password for PAP authentication, only present in Access-Request packets when PAP authentication is used. • CHAP-Password: Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.
  • Page 24 Acct-Status-Type: Type of the Accounting-Request packet. Possible values include: • 1—Start. • 2—Stop. • 3—Interim-Update. • 4—Reset-Charge. • 7—Accounting-On. (Defined in the 3rd Generation Partnership Project.) • 8—Accounting-Off. (Defined in the 3rd Generation Partnership Project.) • 9 to 14—Reserved for tunnel accounting. • ...
  • Page 25 Sub-attribute Command: Operation for the session, used for session control. Possible values include: • 1—Trigger-Request. • 2—Terminate-Request. • 3—SetPolicy. • 4—Result. • 5—PortalClear. Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value. For retransmitted packets of different sessions, this attribute can take the same value.
  • Page 26: Fips Compliance

    • Output-Interval-Gigawords: Amount of bytes output within an accounting interval, in units of 4G bytes. • Backup-NAS-IP: Backup source IP address for sending RADIUS packets. • Product_ID: Product name. FIPS compliance. The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 27: Configuring Aaa Schemes

    Tasks at a glance: (Required.) Perform at least one of the following tasks to configure local users or AAA schemes: • Configuring local users • Configuring RADIUS schemes • Configuring HWTACACS schemes • Configuring LDAP schemes. (Required.) Configure AAA methods for ISP domains: (Required.) Creating an ISP domain; (Optional.) ...
  • Page 28 Binding attributes are used for controlling the scope of users. They are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include IP address, access port, MAC address, and native VLAN.
  • Page 29 To configure local user attributes: 1. Enter system view: system-view. 2. Add a local user and enter local user view: local-user user-name [ class { manage | network } ]. By default, no local user exists. Network access user passwords are ...
  • Page 30 Step Command Remarks The following default settings apply: • No authorization ACL, idle timeout period, or authorized VLAN is configured for local users. • FTP, SFTP, or SCP users are authorized access to the root directory of the device, but they do not have the access permission.
  • Page 31: Configuring Radius Schemes

    1. Enter system view: system-view. 2. Create a user group and enter its view: user-group group-name. By default, there is a system-defined user group named system, which is the default user group. 3. Configure authorization attributes: authorization-attribute { acl acl-number | idle-cut minute | vlan ... By default, no authorization attribute is configured for a user ...
  • Page 32 Tasks at a glance (Optional.) Specifying a VPN for the scheme (Optional.) Setting the username format and traffic statistics units (Optional.) Setting the maximum number of RADIUS request transmission attempts (Optional.) Setting the status of RADIUS servers (Optional.) Specifying the source IP address for outgoing RADIUS packets (Optional.) Setting RADIUS timers (Optional.)
  • Page 33 1. Enter RADIUS scheme view: radius scheme radius-scheme-name. 2. Specify the primary RADIUS authentication server: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ... Configure at least one command. By default, no authentication server is specified.
  • Page 34 (Optional.) Set the maximum number of real-time accounting attempts: retry realtime-accounting retry-times. The default setting is 5. Specifying the shared keys for secure RADIUS communication. The RADIUS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption.
  • Page 35 To set the username format and the traffic statistics units for a RADIUS scheme: 1. Enter system view: system-view. 2. Enter RADIUS scheme view: radius scheme radius-scheme-name. 3. Set the format for usernames: user-name-format { keep-original ... By default, the ISP domain name is sent to the RADIUS servers.
  • Page 36 If the quiet timer of a server expires or you manually set the server to the active state, the status of the server changes back to active, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
  • Page 37 The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate with the RADIUS server. In some cases, however, you must change the source IP address. For example, if the NAS is configured with VRRP for stateful failover, the source IP address of outgoing RADIUS packets can be the virtual IP address of the uplink VRRP group.
  • Page 38 real-time accounting, the device must periodically send real-time accounting packets to the accounting server for online users. When you set RADIUS timers, follow these guidelines: • When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the number of secondary servers. If the retransmission process takes too much time, the client connection in the access module such as the Telnet module might time out while the device is trying to find an available server.
  • Page 39: Configuring Hwtacacs Schemes

    Enable accounting-on: accounting-on enable [ interval seconds | send send-times ] *. By default, the accounting-on feature is disabled. Configuring the IP addresses of the security policy servers. The NAS verifies the validity of received control packets and accepts only control packets from known servers.
  • Page 40 Tasks at a glance (Optional.) Specifying a VPN for the scheme (Optional.) Setting the username format and traffic statistics units (Optional.) Specifying the source IP address for outgoing HWTACACS packets (Optional.) Setting HWTACACS timers (Optional.) Displaying and maintaining HWTACACS Creating an HWTACACS scheme Create an HWTACACS scheme before performing any other HWTACACS configurations.
  • Page 41 Specifying the HWTACACS authorization servers You can specify one primary authorization server and up to 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state.
  • Page 42 • Specify the primary HWTACACS accounting server: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | ... Configure at least one command. By default, no accounting server is specified.
  • Page 43 Setting the username format and traffic statistics units A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP domain name is included in a username. However, some HWTACACS servers do not recognize usernames that contain ISP domain names. In this case, you can configure the device to remove the domain name from each username to be sent.
  • Page 44 1. Enter system view: system-view. 2. Specify a source IP address for outgoing HWTACACS packets: hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance ... By default, the IP address of the HWTACACS packet outbound interface is used as the source IP address.
  • Page 45 search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires, the status of the server changes back to active, but the device does not check the server again during the authentication or accounting process.
  • Page 46: Configuring Ldap Schemes

    Configuring LDAP schemes. Configuration task list. Tasks at a glance: Configuring an LDAP server: • (Required.) Creating an LDAP server • (Required.) Configuring the IP address of the LDAP server • (Optional.) Specifying the LDAP version • (Optional.) Setting the LDAP server timeout period • ...
  • Page 47 Specify the LDAP version: protocol-version { v2 | v3 }. By default, LDAPv3 is used. A Microsoft LDAP server supports only LDAPv3. Setting the LDAP server timeout period. If the device sends a bind or search request to an LDAP server but receives no response from the server within the LDAP server timeout period, the device considers that the authentication or authorization request has timed out and tries the backup authentication or authorization method.
  • Page 48 • User object class. • If the LDAP server contains many directory levels, a user DN search starting from the root directory can take a long time. You can change the start point by specifying the search base DN to improve search efficiency.
  • Page 49: Configuring Aaa Methods For Isp Domains

    Display the configuration of LDAP schemes: display ldap scheme [ scheme-name ]. Configuring AAA methods for ISP domains. You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting.
  • Page 50: Configuring Isp Domain Status

    Configuring ISP domain status By placing the ISP domain to the active or blocked state, you allow or deny network service requests from users in the domain. The ISP domain status applies to all users in the domain. To configure the ISP domain status: Step Command Remarks...
  • Page 51: Configuring Authorization Methods For An Isp Domain

    Specify the default authentication method for all types of users: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme ... By default, the default authentication method is local. The none keyword is not ...
  • Page 52: Configuring Accounting Methods For An Isp Domain

    1. Enter ISP domain view: domain isp-name. 2. Specify the default authorization method for all types of users: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme ... By default, the authorization method is local. The none keyword is not ...
  • Page 53: Enabling The Session-Control Feature

    1. Enter system view: system-view. 2. Enter ISP domain view: domain isp-name. 3. Specify the default accounting method for all types of users: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme ... By default, the accounting method is local. The none keyword is not ...
  • Page 54: Aaa Configuration Examples

    AAA configuration examples. Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode. AAA for SSH users by an HWTACACS server. Network requirements: As shown in Figure 11, configure the switch to use the HWTACACS server for SSH user authentication, authorization, and accounting.
  • Page 55: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    [Switch-hwtacacs-hwtac] key accounting simple expert
    # Remove domain names from the usernames sent to an HWTACACS server.
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Create ISP domain bbb and configure AAA methods for login users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit
    ...
  • Page 56: Configuration Procedure

    Figure 12 Network diagram
    Configuration procedure
    Configure the HWTACACS server. (Details not shown.)
    Configure the RADIUS server. (Details not shown.)
    Configure the switch:
    # Assign IP addresses to interfaces. (Details not shown.)
    # Create local RSA and DSA key pairs.
    <Switch> ...
  • Page 57: Authentication And Authorization For Ssh Users By A Radius Server

    [Switch-luser-manage-hello] quit
    # Create ISP domain bbb and configure AAA methods for login users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login local
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting login radius-scheme rd
    [Switch-isp-bbb] quit
    # Enable the default-user-role authorization function, so that an SSH user gets the default user role network-operator after passing authentication.
  • Page 58 # Add the switch to the IMC Platform as an access device. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. Then, click Add to configure an access device as follows: Set the shared key for secure RADIUS communication to expert.
  • Page 59 Figure 15 Adding an account for device management
    Configure the switch:
    # Assign an IP address to VLAN-interface 2, the SSH user access interface.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 60: Authentication For Ssh Users By An Ldap Server

    # Create a RADIUS scheme.
    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure communication with the server to expert in plain text.
    [Switch-radius-rad] key authentication simple expert
    # Include the domain names in usernames sent to the RADIUS server.
  • Page 61 NOTE: This example assumes that the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. On the LDAP server, select Start > Control Panel > Administrative Tools, and double-click Active Directory Users and Computers to display the Active Directory Users and Computers window.
  • Page 62 Figure 18 Setting the user's password Click OK. # Add user aaa to group Users. From the navigation tree, click Users under the ldap.com node. On the right pane, right-click aaa and select Properties. In the dialog box, click the Member Of tab and click Add.
  • Page 63 Figure 19 Modifying user properties In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 64 # Assign an IP address to VLAN-interface 2, the SSH user access interface.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 24
    [Switch-Vlan-interface2] quit
    # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 65: Troubleshooting Radius

    Verifying the configuration. When the user initiates an SSH connection to the switch and enters the username aaa@bbb and password ldap!123456, the user successfully logs in and can use the commands for the network-operator user role. Troubleshooting RADIUS. RADIUS authentication failure. Symptom: User authentication always fails.
  • Page 66: Radius Accounting Error

    Solution. Check that: • The link between the NAS and the RADIUS server works well at both the physical and data link layers. • The IP address of the RADIUS server is correctly configured on the NAS. • The authentication and accounting UDP port numbers configured on the NAS are the same as those ...
  • Page 67 • The administrator DN or password is not configured. • Some user attributes (for example, the username attribute) configured on the NAS are not consistent with those configured on the server. • No user search base DN is specified for the LDAP scheme. • ...
  • Page 68: Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs, and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 69: 802.1X-Related Protocols

    Figure 22 Authorization state of a controlled port. In the unauthorized state, a controlled port controls traffic in one of the following ways: • Performs bidirectional traffic control to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. ...
  • Page 70: Packet Formats

    Packet formats. EAP packet format. Figure 23 shows the EAP packet format. Figure 23 EAP packet format • Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4). • Identifier—Used for matching Responses with Requests. ...
  • Page 71: Eap Over Radius

    Value: 0x02  Type: EAPOL-Logoff  Description: The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
    • Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
    • Packet body—Content of the packet.
  • Page 72: Access Device As The Initiator

    the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.
    Access device as the initiator
    The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP.
  • Page 73: A Comparison Of Eap Relay And Eap Termination

    A comparison of EAP relay and EAP termination
    Packet exchange method: EAP relay
      Benefits:
      • Supports various EAP authentication methods.
      • The configuration and processing is simple on the...
      Limitations: The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
  • Page 74

    Figure 30 802.1X authentication procedure in EAP relay mode
    (Figure: message sequence between Client, Device, and Authentication server; EAPOL is used between the client and the device, EAPOR between the device and the server.)
    (1) EAPOL-Start
    (2) EAP-Request/Identity
    (3) EAP-Response/Identity
    (4) RADIUS Access-Request (EAP-Response/Identity)
    (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge)
    (6) EAP-Request/MD5 challenge
    (7) EAP-Response/MD5 challenge
    (8) RADIUS Access-Request (EAP-Response/MD5 challenge)
    (9) RADIUS Access-Accept (EAP-Success)
    (10) EAP-Success...
  • Page 75: Eap Termination

    The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
  • Page 76

    Figure 31 802.1X authentication procedure in EAP termination mode
    In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 77: Configuring 802.1X

    Configuring 802.1X
    This chapter describes how to configure 802.1X on an HP device.
    You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to networks, such as a WLAN, that require different authentication methods for different users on a port.
  • Page 78: Enabling 802.1X

    Tasks at a glance
    (Optional.) Enabling the periodic online user re-authentication function
    Enabling 802.1X
    Do not enable 802.1X on a port that is in a link aggregation or service loopback group.
    To enable 802.1X:
    Step: Enter system view.  Command: system-view
    Step: Enable 802.1X globally.  Command: ...  Remarks: By default, 802.1X is disabled...
  • Page 79: Setting The Port Authorization State

    NOTE:
    If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification.
    Setting the port authorization state
    The port authorization state determines whether the client is granted access to the network.
  • Page 80: Setting The Maximum Number Of Authentication Request Attempts

    Step: Enter system view.  Command: system-view
    Step: Enter Ethernet interface view.  Command: interface interface-type interface-number
    Step: Set the maximum number of concurrent 802.1X users on a port.  Command: dot1x max-user user-number [ interface interface-list ]  Remarks: The default maximum number of concurrent 802.1X users on...
  • Page 81: Configuring The Online User Handshake Function

    Step: Set the server timeout timer.  Command: dot1x timer server-timeout server-timeout-value  Remarks: The default is 100 seconds.
    Configuring the online user handshake function
    The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command.
  • Page 82: Configuration Guidelines

    Configuration guidelines
    Follow these guidelines when you configure the authentication trigger function:
    • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
    • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these...
  • Page 83: Configuring The Quiet Timer

    Configuring the quiet timer
    The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
  • Page 84: Displaying And Maintaining 802.1X

    Displaying and maintaining 802.1X
    Task: Display 802.1X session information, statistics, or configuration information of specified or all ports.  Command: display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]  Remarks: Available in any view.
    Task: Clear 802.1X statistics.  Command: reset dot1x statistics [ interface interface-type...
  • Page 85

    For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
    Assign an IP address for each interface on the access device. (Details not shown.)
    Configure user accounts for the 802.1X users on the access device:
    # Add a local network access user with the username localuser, and password localpass in plaintext.
  • Page 86: Verifying The Configuration

    Configure 802.1X:
    # Enable 802.1X globally.
    [Device] dot1x
    # Enable 802.1X on port Ten-GigabitEthernet 1/1/5.
    [Device] interface ten-gigabitethernet 1/1/5
    [Device-Ten-GigabitEthernet1/1/5] dot1x
    [Device-Ten-GigabitEthernet1/1/5] quit
    # Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)
    [Device] interface ten-gigabitethernet 1/1/5
    [Device-Ten-GigabitEthernet1/1/5] dot1x port-method macbased
    # Specify aabbcc.net as the mandatory domain.
  • Page 87: Configuring Mac Authentication

    Configuring MAC authentication
    Overview
    MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 88: Configuration Prerequisites

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
    Configuration prerequisites
    Before you configure MAC authentication, complete the following tasks:
    Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA." For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users.
  • Page 89: Specifying A Mac Authentication Domain

    Step: Enable MAC authentication on the port.  Command: mac-authentication  Remarks: By default, MAC authentication is disabled on a port.
    Specifying a MAC authentication domain
    By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:
    Specify a global authentication domain in system view.
  • Page 90: Configuring Mac Authentication Timers

    Step: Configure the MAC authentication user...  Command: • Use one MAC-based user account for each user: mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]  Remarks: Use either method. By default, the device uses the MAC address of a user as the username and password for...
  • Page 91: Displaying And Maintaining Mac Authentication

    Step: Enter system view.  Command: system-view
    Step: Enter interface view.  Command: interface interface-type interface-number
    Step: Set the maximum number of concurrent MAC authentication users on the port.  Command: mac-authentication max-user user-number  Remarks: By default, the maximum number of concurrent MAC authentication users is 256.
    Displaying and maintaining MAC authentication
    Execute display commands in any view and reset commands in user view.
  • Page 92: Verifying The Configuration

    [Device] local-user 00-e0-fc-12-34-56 class network
    [Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
    [Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-network-00-e0-fc-12-34-56] quit
    # Configure ISP domain aabbcc to perform local authentication for LAN users.
    [Device] domain aabbcc
    [Device-isp-aabbcc] authentication lan-access local
    [Device-isp-aabbcc] quit
    # Enable MAC authentication globally.
    [Device] mac-authentication
    # Enable MAC authentication on port Ten-GigabitEthernet 1/1/5.
  • Page 93: Radius-Based Mac Authentication Configuration Example

    Authentication attempts: successful 1, failed 0
    MAC Addr        Auth state
    00e0-fc12-3456  authenticated
    RADIUS-based MAC authentication configuration example
    Network requirements
    As shown in Figure 34, a host is connected to port Ten-GigabitEthernet 1/1/5 of the device. The device uses RADIUS servers for authentication, authorization, and accounting.
    To control user access to the Internet, configure MAC authentication on port Ten-GigabitEthernet 1/1/5, as follows:
    • ...
  • Page 94: Verifying The Configuration

    [Device-radius-2000] quit
    # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
    [Device] domain 2000
    [Device-isp-2000] authentication default radius-scheme 2000
    [Device-isp-2000] authorization default radius-scheme 2000
    [Device-isp-2000] accounting default radius-scheme 2000
    [Device-isp-2000] quit
    # Enable MAC authentication globally.
    [Device] mac-authentication
    # Enable MAC authentication on port Ten-GigabitEthernet 1/1/5.
  • Page 95

    MAC Addr        Auth state
    00e0-fc12-3456  authenticated...
  • Page 96: Configuring Port Security

    Configuring port security
    Overview
    Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks, such as a WLAN, that require different authentication methods for different users on a port.
    Port security prevents unauthorized access to a network by checking the source MAC address of inbound traffic, and it prevents access to unauthorized devices or hosts by checking the destination MAC address of outbound traffic.
  • Page 97

    • Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
    Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode.
  • Page 98

    Controlling MAC address learning
    • autoLearn
    A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses, but to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 99: Configuration Task List

    This mode is the combination of the macAddressWithRadius and userLoginSecure modes. It allows one 802.1X authentication user and multiple MAC authentication users to log in. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
    • macAddressOrUserLoginSecureExt
    ...
  • Page 100: Setting Port Security's Limit On The Number Of Secure Mac Addresses On A Port

    You can use the undo port-security enable command to disable port security. Because it logs off the online users, make sure no online users are present.
    Enabling or disabling port security resets the following security settings to the default:
    • 802.1X access control mode is MAC-based, and the port authorization state is auto.
    • ...
  • Page 101: Configuring Port Security Features

    • Do not enable 802.1X authentication or MAC authentication on a port where port security is configured.
    To enable a port security mode:
    Step: Enter system view.  Command: system-view
    Step: ...  Command: ...  Remarks: By default, no OUI value is configured for user authentication. This command is required for the userlogin-withoui mode.
  • Page 102: Configuring Intrusion Protection

    • ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
    With the NTK feature, any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, see Table
    To configure the NTK feature:
    Step...
  • Page 103: Configuring Secure Mac Addresses

    Configuring secure MAC addresses
    Secure MAC addresses are configured or learned in autoLearn mode. If they are saved, they can survive a device reboot. You can bind a secure MAC address to only one port in a VLAN.
    Secure MAC addresses include static and sticky secure MAC addresses.
    Table 5 A comparison of static and sticky secure MAC addresses
    Columns: Type; Can be saved and...
  • Page 104: Ignoring Authorization Information From The Server

    Step: Configure a secure MAC address.  Command: • In system view: port-security mac-address security [sticky] mac-address interface interface-type interface-number vlan vlan-id  • In interface view: ...  Remarks: Use either method. No secure MAC address exists by default. In the same VLAN, a MAC address...
  • Page 105: Autolearn Configuration Example

    autoLearn configuration example
    Network requirements
    Figure 35.
    Configure port Ten-GigabitEthernet 1/1/5 on the device, as follows:
    • Accept up to 64 users on the port without authentication.
    • Permit the port to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC...
  • Page 106: Userloginwithoui Configuration Example

    OUI value:
    Ten-GigabitEthernet1/1/5 is link-up
      Port mode: autoLearn
      NeedToKnow mode: Disabled
      Intrusion protection mode: DisablePortTemporarily
      Max number of secure MAC addresses: 64
      Current number of secure MAC addresses: 5
      Authorization is permitted
    The output shows that the port security's limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, and the intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds.
  • Page 107: Configuration Procedure

    • The RADIUS server response timeout time is five seconds and the maximum number of RADIUS packet retransmission attempts is five.
    • The Device sends real-time accounting packets to the RADIUS server at 15-minute intervals, and sends usernames without domain names to the RADIUS server.
    Configure port Ten-GigabitEthernet 1/1/5 of the device to allow only one 802.1X user and a user that uses one of the specified OUI values to be authenticated.
  • Page 108: Verifying The Configuration

    [Device] dot1x authentication-method chap
    Configure port security:
    # Enable port security.
    [Device] port-security enable
    # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.)
    [Device] port-security oui index 1 mac-address 1234-0100-1111
    [Device] port-security oui index 2 mac-address 1234-0200-1111
    [Device] port-security oui index 3 mac-address 1234-0300-1111...
  • Page 109

    [Device] display domain sun
    Domain:sun
      State: Active
      Access-limit: Disabled
      Access-Count: 0
      lan-access Authentication Scheme: radius: radsun
      lan-access Authorization Scheme: radius: radsun
      lan-access Accounting Scheme: radius: radsun
      default Authentication Scheme: local
      default Authorization Scheme: local
      default Accounting Scheme: local
    # Display the port security configuration.
    [Device] display port-security interface ten-gigabitethernet 1/1/5
    Port security is enabled globally
    AutoLearn aging time is 0 minutes...
  • Page 110: Macaddresselseuserloginsecure Configuration Example

    macAddressElseUserLoginSecure configuration example
    Network requirements
    As shown in Figure 37, a client is connected to the device through Ten-GigabitEthernet 1/1/5. The device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
    Restrict port Ten-GigabitEthernet 1/1/5 of the device as follows:
    • ...
  • Page 111: Verifying The Configuration

    # Set port security's limit on the number of MAC addresses to 64 on the port.
    [Device] interface ten-gigabitethernet 1/1/5
    [Device-Ten-GigabitEthernet1/1/5] port-security max-mac-count 64
    # Set the port security mode to macAddressElseUserLoginSecure.
    [Device-Ten-GigabitEthernet1/1/5] port-security port-mode mac-else-userlogin-secure
    # Set the NTK mode of the port to ntkonly.
    [Device-Ten-GigabitEthernet1/1/5] port-security ntk-mode ntkonly
    [Device-Ten-GigabitEthernet1/1/5] quit
    Verifying the configuration...
  • Page 112

    Current authentication domain: Not configured
    Authentication attempts: successful 3, failed 7
    MAC Addr        Auth state
    1234-0300-0011  authenticated
    1234-0300-0012  authenticated
    1234-0300-0013  authenticated
    # Display 802.1X authentication information.
    [Device] display dot1x interface ten-gigabitethernet 1/1/5
    802.1X protocol is enabled globally
    CHAP authentication is enabled
    Configuration: Transmit Period 30 s, Handshake Period...
  • Page 113: Troubleshooting Port Security

    Troubleshooting port security
    Cannot set the port security mode
    Symptom
    Cannot set the port security mode for a port.
    Analysis
    For a port operating in a port security mode other than noRestriction, you cannot change the port security mode directly by using the port-security port-mode command.
    Solution
    Set the port security mode to noRestriction.
  • Page 114: Configuring Password Control

    Configuring password control
    Overview
    Password control refers to a set of functions provided by the device to manage login and super password setup, expirations, and updates for device management users, and to control user login status based on predefined policies.
    NOTE:
    Local users are divided into two types: device management users and network access users.
  • Page 115: Password Updating And Expiration

    In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password. When a user sets or changes a password, the system checks if the password meets the combination requirement.
  • Page 116: User Login Control

    Login with an expired password
    You can allow a user to log in a certain number of times within a specific period of time after the password expires. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.
  • Page 117: Password Not Displayed In Any Form

    Password not displayed in any form
    For security purposes, nothing is displayed when a user enters a password.
    Logging
    The system logs all successful password changing events and user adding events to the password control blacklist.
    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 118: Setting Global Password Control Parameters

    After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. However, the configuration for network access user passwords can be displayed.
    To enable password control:
    Step Command Remarks...
  • Page 119: Setting User Group Password Control Parameters

    Step: Set the maximum number of history password records for each user.  Command: password-control history max-record-num  Remarks: The default setting is 4.
    Step: Specify the maximum number of login attempts and the action to be taken when a...  Command: password-control login-attempt login-times [ exceed { lock |...  Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified...
  • Page 120: Setting Super Password Control Parameters

    Step: Create a device management user and enter local user view.  Command: local-user user-name class manage  Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users. For information about how to configure a local user, see "Configuring AAA."...
  • Page 121: Displaying And Maintaining Password Control

    Displaying and maintaining password control
    Execute display commands in any view and reset commands in user view.
    Task: Display password control configuration.  Command: display password-control [ super ]
    Task: Display information about users in the password control blacklist.  Command: display password-control blacklist [ user-name name | ip...
  • Page 122

    Configuration procedure
    # Enable the password control feature globally.
    <Sysname> system-view
    [Sysname] password-control enable
    # Prohibit the user from logging in forever after two successive login failures.
    [Sysname] password-control login-attempt 2 exceed lock
    # Globally set all passwords to expire after 30 days.
    [Sysname] password-control aging 30
    # Globally set the minimum password length to 16.
  • Page 123

    [Sysname-luser-manage-test] password-control aging 20
    # Configure the password of the local user in interactive mode.
    [Sysname-luser-manage-test] password
    Password:
    Confirm :
    Updating user information. Please wait ...
    [Sysname-luser-manage-test] quit
    Verifying the configuration
    # Display the global password control configuration.
    <Sysname> display password-control
    Global password control configurations:
     Password control: Enabled...
  • Page 124: Managing Public Keys

    Managing public keys
    Overview
    This chapter describes public key management for the asymmetric key algorithms including the Rivest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA).
    Many security applications use asymmetric key algorithms to secure communications between two parties, as shown in Figure 38.
  • Page 125: Creating A Local Key Pair

    Creating a local key pair
    Configuration guidelines
    When you create a local key pair, follow these guidelines:
    • The key algorithm must be the same as required by the security application.
    • The key modulus length must be appropriate (see Table 7).
  • Page 126: Distributing A Local Host Public Key

    Step: Create local key pairs.  Command: public-key local create { dsa | ecdsa | rsa } [ name key-name ]  Remarks: By default, no local key pair exists.
    Distributing a local host public key
    You must distribute a local host public key to a peer device so the peer device can use the public key to encrypt information sent to the local device or authenticate the digital signature signed by the local device.
  • Page 127: Displaying A Host Public Key

    Step: Enter system view.  Command: system-view
    Step: Display local host public keys in a specific format.  Command:
      • Display RSA host public keys:
        In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 }
        In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 }
      • ...
  • Page 128: Configuring A Peer Public Key

    Configuring a peer public key
    To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the public key of the peer device on the local device.
    Table 8 Peer public key configuration methods
    Columns: Method; Prerequisites; Remarks...
  • Page 129: Displaying And Maintaining Public Keys

    Displaying and maintaining public keys
    Execute display commands in any view.
    Task: Display local public keys.  Command: display public-key local { dsa | ecdsa | rsa } public [ name key-name ]
    Task: Display peer public keys.  Command: display public-key peer [ brief | name publickey-name ] [ name
  • Page 130: Verifying The Configuration

    # Display all local RSA public keys.
    [DeviceA] display public-key local rsa public
    =============================================
    Key name: hostkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2012/06/12
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
    45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001
    =============================================
    Key name: serverkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2012/06/12
    Key code:...
  • Page 131: Example For Importing A Public Key From A Public Key File

    =============================================
    Key name: devicea
    Key type: RSA
    Key modulus: 1024
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
    45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001
    Example for importing a public key from a public key file
    Unless otherwise noted, devices in the configuration example are operating in non-FIPS mode.
    Network requirements
    Figure 40, Device B authenticates Device A through a digital signature.
  • Page 132

    # Display all local RSA public keys.
    [DeviceA] display public-key local rsa public
    =============================================
    Key name: hostkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2012/06/12
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
    45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001
    =============================================
    Key name: serverkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2012/06/12
    Key code:...
  • Page 133: Verifying The Configuration

    226 File successfully transferred
    301 bytes received in 0.003 seconds (98.0 kbyte/s)
    ftp> quit
    221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
    221 Logout.
    # Import the host public key from the key file devicea.pub.
    <DeviceB> system-view
    [DeviceB] public-key peer devicea import sshkey devicea.pub
    Verifying the configuration
    # Verify that the host public key is the same as it is on Device A.
  • Page 134: Configuring Ssh

    Configuring SSH
    Overview
    Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network.
    Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP.
    SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
  • Page 135: Ssh Authentication Methods

    Stage: Key exchange  Description: The two parties use the DH exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client authenticates the server as well.
    Stage: Authentication  Description: The SSH server authenticates the client in response to the client's authentication request.
  • Page 136: Configuring The Device As An Ssh Server

    • Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server.
    • Any authentication—The server requires clients to pass either password authentication or publickey authentication.
  • Page 137: Enabling The Ssh Server Function

    To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
    Configuration guidelines
    • SSH supports locally generated DSA and RSA key pairs with default names rather than with specified names.
  • Page 138: Configuring The User Interfaces For Stelnet Clients

    Step: Enter system view.  Command: system-view
    Step: Enable the SFTP server function.  Command: sftp server enable  Remarks: By default, the SFTP server function is disabled.
    Configuring the user interfaces for Stelnet clients
    Depending on the SSH application, an SSH client can be an Stelnet, SFTP, or SCP client. The Stelnet client accesses the device through a VTY user interface.
  • Page 139: Configuring An Ssh User

    • Importing the host public key—You can upload the client's public key file (in binary) to the server, for example, through FTP or TFTP, and import the host public key from the public key file. During the import process, the server automatically converts the host public key in the public key file to a string in PKCS format.
  • Page 140: Setting The Ssh Management Parameters

    For an SFTP or SCP user, the working directory depends on the authentication method:
    • If the authentication method is password, the working directory is authorized by AAA.
    • If the authentication method is publickey or password-publickey, the working folder is specified by the authorization-attribute command in the associated local user view.
  • Page 141: Configuring The Device As An Stelnet Client

    • SFTP connection idle timeout period. When the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.
    • Maximum number of concurrent online SSH users. When the number of online SSH users reaches...
  • Page 142: Specifying A Source Ip Address Or Source Interface For The Stelnet Client

    Specifying a source IP address or source interface for the Stelnet client
    By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server when communicating with the Stelnet server. You can specify a source IP address or source interface for the client to communicate with the server.
  • Page 143

    Task: Establish a connection to an IPv4 Stelnet server.  Command (in non-FIPS mode):
      ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des |...
  • Page 144: Configuring The Device As An Sftp Client

    Configuring the device as an SFTP client
    SFTP client configuration task list
    Tasks at a glance
    (Optional.) Specifying a source IP address or source interface for the SFTP client
    (Required.) Establishing a connection to an SFTP server
    (Optional.) Working with SFTP directories
    (Optional.) Working with SFTP files
    (Optional.)
  • Page 145 When an SFTP client accesses an SFTP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SFTP client, the device supports the first authentication by default. When the device accesses an SFTP server for the first time but it is not configured with the host public key of the SFTP server, it can access the server and locally save the server's host public key for future use.
  • Page 146: Working With Sftp Directories

    Working with SFTP directories (Task / Command / Remarks):
    • Change the working directory on the SFTP server: cd [ remote-path ]. Available in SFTP client view.
    • Return to the upper-level directory: cdup. Available in SFTP client view.
    • Display the current working directory on the SFTP server. Available in SFTP client view.
  • Page 147: Terminating The Connection With The Sftp Server

    Task / Command / Remarks:
    • Display the help information of an SFTP client command: help. Available in SFTP client view. Use either command; these two commands function in the same way.
    Terminating the connection with the SFTP server (Task / Command / Remarks): Use one of the commands.
  • Page 148: Displaying And Maintaining Ssh

    Task Command Remarks • Connect to the IPv4 SCP server, and transfer files with this server: In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 |...
  • Page 149: Stelnet Configuration Examples

    Task / Command:
    • Display SSH server status information or session information on an SSH server: display ssh server { session | status }
    • Display SSH user information on the SSH server: display ssh user-information [ username ]
    • Display the public keys of the local key pairs: display public-key local { dsa | rsa } public [ name...
  • Page 150 # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys... (Pick the largest modulus the device accepts: 512-bit and 1024-bit DSA and RSA keys are too short to be considered secure today.)
  • Page 151: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 42 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
  • Page 152 Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY, and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
  • Page 153 Figure 45 Generating process After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save. Figure 46 Saving a key pair on the client...
  • Page 154 Click Save private key to save the private key. A confirmation dialog box appears. Click Yes, enter a file name (private.ppk in this example), and click Save. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
  • Page 155 # Create a local device management user client002 with the service type ssh and the user role network-admin. [Switch] local-user client002 class manage [Switch-luser-manage-client002] service-type ssh [Switch-luser-manage-client002] authorization-attribute user-role network-admin [Switch-luser-manage-client002] quit Specify the private key file and establish a connection to the Stelnet server: Launch PuTTY.exe on the Stelnet client to enter the interface shown in Figure In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
  • Page 156 Figure 48 Specifying the SSH version Select Connection > SSH > Auth from the navigation tree. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example) and click OK. The window shown in Figure 49 appears.
  • Page 157: Password Authentication Enabled Stelnet Client Configuration Example

    Figure 49 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements...
  • Page 158 [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 159 [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit You can determine whether to configure the host public key of the server on the client before establishing a connection to the server. If you do not configure the host public key of the server on the client, select Yes to access the server without authenticating the server, and locally save the host public key of the server.
  • Page 160: Publickey Authentication Enabled Stelnet Client Configuration Example

    [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server 192.168.1.40 and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 client001@192.168.1.40's password: After you enter the correct password, you successfully log in to Switch B. Publickey authentication enabled Stelnet client configuration example Network requirements...
  • Page 161 .++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Export the DSA host public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
  • Page 162: Sftp Configuration Examples

    # Create an SSH user client002 with the authentication method publickey, and assign the public key switchkey to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey # Create a local device management user client002 with the service type ssh and the user role network-admin.
  • Page 163 Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
  • Page 164: Publickey Authentication Enabled Sftp Client Configuration Example

    Run the psftp.exe to launch the client interface shown in Figure 53, and enter the following command: open 192.168.1.45 Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 53 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in...
  • Page 165 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit # Generate the RSA key pairs. [SwitchA] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 166 # Assign an IP address to VLAN-interface 2. The SSH client uses this address as the destination for SSH connection. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Import the peer public key from the file pubkey, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey pubkey # Create an SSH user client001 with the service type sftp, authentication method publickey, and public key switchkey.
  • Page 167: Scp File Transfer With Password Authentication

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename directory new1 to new2 and verify that the directory has been successfully renamed.
  • Page 168: Configuration Procedure

    Figure 55 Network diagram Configuration procedure Configure the SCP server: # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 169 [SwitchB-luser-manage-client001] quit # Configure the SSH user client001 with service type scp and authentication method password. (Optional. If an SSH user is not created, password authentication is used by default.) [SwitchB] ssh user client001 service-type scp authentication-type password Configure an IP address for VLAN-interface 2 on the SCP client. <SwitchA>...
  • Page 170: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard is a security feature. It is usually configured on a user access interface to help prevent spoofing attacks, in which an attacker uses, for example, the IP address of a valid host, to access the network.
  • Page 171: Dynamic Ipv4 Source Binding Entries

    For information about ARP detection, see "Configuring ARP attack protection." Dynamic IPv4 source binding entries IP source guard can automatically obtain user information from other modules to generate IPv4 binding entries. On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with different modules to generate IPv4 binding entries dynamically:
    • On an Ethernet port, IP source guard can cooperate with DHCP snooping, obtain the DHCP...
  • Page 172: Configuring A Static Ipv4 Source Guard Binding Entry On An Interface

    All the fields in a static IPv4 binding entry are used by IP source guard to filter packets. For information about how to configure a static IPv4 binding entry, see "Configuring a static IPv4 source guard binding entry on an interface."...
  • Page 173: Configuring The Ipv6 Source Guard Function

    NOTE:
    • You cannot configure the same static binding entry on one interface, but you can configure the same static binding entry on different interfaces.
    • For packet filtering on an interface, IP source guard ignores the VLAN information (if specified) in static...
  • Page 174: Displaying And Maintaining Ip Source Guard

    Step: Configure a static IPv6 binding entry. Command: ipv6 source binding ip-address ipv6-address [ mac-address ... Remarks: By default, no static IPv6 binding entry is configured on an interface. IP source guard does not use the VLAN information (if specified) in static IPv6 source guard binding entries to filter...
  • Page 175
    • On port Ten-GigabitEthernet 1/1/5 of Switch A, only IP packets from Host A can pass.
    • On port Ten-GigabitEthernet 1/1/6 of Switch B, only IP packets from Host A can pass.
    • On port Ten-GigabitEthernet 1/1/5 of Switch B, only IP packets from Host B can pass.
    ...
  • Page 176: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    # On Ten-GigabitEthernet 1/1/6, configure a static IPv4 source guard binding entry to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass. [SwitchB-Ten-GigabitEthernet1/1/6] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [SwitchB-Ten-GigabitEthernet1/1/6] quit # Enable IPv4 source guard on port Ten-GigabitEthernet 1/1/5.
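
The filtering rules stated on the preceding pages (every field of a static entry is matched except the VLAN ID, the same entry cannot be added twice on one interface but may appear on several, and an interface with IP source guard enabled drops anything that matches no entry) are easy to get wrong when reasoning about which spoofed packets get through. The following Python model, an added example and not HP code, encodes exactly those rules and runs the Switch B binding from this example against constructed packets. The Host B address and MAC on XGE1/1/5 and the packet records are constructed; the interface names and Host A's binding are the guide's.

```python
"""Static IP source guard binding entries as a packet filter.

Added example for this guide, not HP code. Host A's binding is the guide's;
Host B's MAC, the VLAN value and the packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Canonical form so 0001-0203-0406, 00:01:02:03:04:06 and 000102030406 compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: Optional[str] = None   # None: the entry binds the IP address only
    vlan: Optional[int] = None  # kept in the entry, never consulted when filtering


class IpSourceGuard:
    def __init__(self) -> None:
        self.bindings: dict = {}   # interface -> set of Binding
        self.enabled: set = set()

    def add_static(self, iface: str, ip: str, mac: Optional[str] = None,
                   vlan: Optional[int] = None) -> Binding:
        entry = Binding(ip, norm_mac(mac) if mac else None, vlan)
        table = self.bindings.setdefault(iface, set())
        if entry in table:   # same entry twice on one interface is refused
            raise ValueError(f"{iface}: static binding {entry} already configured")
        table.add(entry)
        return entry

    def enable(self, iface: str) -> None:
        self.enabled.add(iface)

    def permits(self, iface: str, src_ip: str, src_mac: str,
                vlan: Optional[int] = None) -> bool:
        """Decide whether an IP packet received on iface is forwarded."""
        if iface not in self.enabled:
            return True
        for entry in self.bindings.get(iface, ()):
            if entry.ip != src_ip:
                continue
            if entry.mac is not None and entry.mac != norm_mac(src_mac):
                continue
            return True   # entry.vlan is deliberately not compared
        return False


def demo() -> dict:
    g = IpSourceGuard()
    g.add_static("XGE1/1/6", "192.168.0.1", "0001-0203-0406")             # Host A (guide)
    g.add_static("XGE1/1/5", "192.168.0.2", "0001-0203-0407", vlan=10)    # Host B (constructed)
    g.enable("XGE1/1/6")
    g.enable("XGE1/1/5")
    out = {
        "host_a_ok": g.permits("XGE1/1/6", "192.168.0.1", "00:01:02:03:04:06"),
        "spoofed_ip": g.permits("XGE1/1/6", "192.168.0.2", "0001-0203-0406"),
        "spoofed_mac": g.permits("XGE1/1/6", "192.168.0.1", "0001-0203-0499"),
        "wrong_port": g.permits("XGE1/1/5", "192.168.0.1", "0001-0203-0406"),
        "vlan_ignored": g.permits("XGE1/1/5", "192.168.0.2", "0001-0203-0407", vlan=99),
        "guard_off": g.permits("XGE1/1/7", "10.0.0.1", "0000-0000-0001"),
    }
    try:
        g.add_static("XGE1/1/6", "192.168.0.1", "0001-0203-0406")
        out["dup_same_iface"] = "accepted"
    except ValueError:
        out["dup_same_iface"] = "rejected"
    g.add_static("XGE1/1/7", "192.168.0.1", "0001-0203-0406")   # same entry, other interface
    out["dup_other_iface"] = "accepted"
    return out


if __name__ == "__main__":
    print(demo())
```

Note the `vlan_ignored` case: a packet tagged with a VLAN other than the one in the entry is still forwarded, so the VLAN field in a static entry must not be relied on as a filter.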
  • Page 177 Figure 58 Network diagram Configuration procedure Configure the DHCP server. For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide. Configure DHCP snooping on the switch: # Configure IP addresses for the interfaces. (Details not shown.) # Enable DHCP snooping. <Switch>...
  • Page 178: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    Dynamic IPv4 source guard using DHCP relay configuration example Network requirements As shown in Figure 59, the host and the DHCP server are connected to the switch through interfaces VLAN-interface 100 and VLAN-interface 200 respectively. DHCP relay is enabled on the switch. The host obtains an IP address from the DHCP server through the DHCP relay agent.
  • Page 179: Static Ipv6 Source Guard Configuration Example

    Static IPv6 source guard configuration example Network requirements As shown in Figure 60, the host is connected to port Ten-GigabitEthernet 1/1/5 of the switch. Configure a static IPv6 source guard binding entry for Ten-GigabitEthernet 1/1/5 of the switch to allow only IPv6 packets from the host to pass.
  • Page 180: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 181: Configuring Arp Source Suppression

    • ARP source suppression—If the attack packets have the same source address, you can enable the ARP source suppression function, and set the maximum number of unresolvable IP packets that the device can receive from a host within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until the 5 seconds elapse.
  • Page 182: Configuring Arp Packet Rate Limit

    Figure 61 Network diagram (IP network; gateway device running ARP attack protection; VLAN 10 and VLAN 20; Host A, Host B, Host C and Host D in the R&D office) Configuration considerations If the attack packets have the same source address, configure the ARP source suppression function as follows: Enable ARP source suppression.
  • Page 183: Configuring Source Mac-Based Arp Attack Detection

    Configuration guidelines Configure this feature when ARP detection or ARP snooping is enabled, or when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. Log messages are sent to the information center of the device. You can set output rules for log messages on the information center.
  • Page 184: Displaying And Maintaining Source Mac-Based Arp Attack Detection

    Step / Command / Remarks:
    • Enable source MAC-based ARP attack detection and specify the handling method: arp source-mac { filter | monitor }. By default, this feature is disabled.
    • Configure the threshold: arp source-mac threshold threshold-value. By default, the threshold is 30.
    • Configure the aging timer: arp source-mac aging-time time... By default, the lifetime is 300...
  • Page 185 Figure 62 Network diagram (IP network; gateway device running ARP attack protection; server with MAC address 0012-3f86-e94c; Host A, Host B, Host C and Host D) Configuration considerations An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
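
The detection described on the previous two pages is a per-source-MAC rate check: more than the threshold (30 by default) ARP packets from one MAC within 5 seconds creates an attack entry that lives for the aging time (300 seconds by default), and the handling method decides whether that MAC's ARP packets are dropped (filter) or only reported (monitor). The following Python model, an added example and not HP code, implements that logic so the interaction of threshold, aging and mode can be seen on concrete traffic. Fixed 5-second counting intervals and the exclude set (MAC addresses never flagged, such as the busy server in the diagram) are assumptions of this model; timestamps are passed in explicitly so the run is deterministic, and the packet stream is constructed.

```python
"""Source MAC-based ARP attack detection: threshold per 5-second interval.

Added example for this guide, not HP code. Fixed-interval counting and the
exclude set are modelling assumptions; the ARP packet stream is constructed.
"""
from dataclasses import dataclass, field

INTERVAL = 5.0


@dataclass
class SourceMacArpDetector:
    mode: str = "monitor"            # "filter" drops, "monitor" only logs
    threshold: int = 30              # default on this page
    aging_time: float = 300.0        # default lifetime of an attack entry
    exclude: set = field(default_factory=set)
    alarms: list = field(default_factory=list)
    _window: dict = field(default_factory=dict)   # mac -> [interval index, count]
    _entries: dict = field(default_factory=dict)  # mac -> expiry timestamp

    def arp_received(self, mac: str, now: float) -> str:
        """Return 'accept' or 'drop' for one ARP packet from mac at time now."""
        mac = mac.lower()
        if mac in self.exclude:
            return "accept"
        expiry = self._entries.get(mac)
        if expiry is not None and now < expiry:
            return "drop" if self.mode == "filter" else "accept"
        if expiry is not None:
            del self._entries[mac]           # entry aged out, start counting afresh
        idx = int(now // INTERVAL)
        win = self._window.setdefault(mac, [idx, 0])
        if win[0] != idx:                    # new 5-second interval
            win[0], win[1] = idx, 0
        win[1] += 1
        if win[1] > self.threshold:
            self._entries[mac] = now + self.aging_time
            self.alarms.append((now, mac, win[1]))
            return "drop" if self.mode == "filter" else "accept"
        return "accept"

    def attack_entries(self, now: float) -> list:
        return sorted(m for m, exp in self._entries.items() if now < exp)


def demo() -> dict:
    attacker, server = "0001-0203-0406", "0012-3f86-e94c"
    det = SourceMacArpDetector(mode="filter", threshold=30, exclude={server})
    results = [det.arp_received(attacker, 0.1 * i) for i in range(32)]   # 32 packets in 3.2 s
    out = {
        "first_30": results[:30].count("accept"),
        "packet_31": results[30],
        "packet_32": results[31],
        "entries_at_100s": det.attack_entries(100.0),
        "after_aging": det.arp_received(attacker, 0.1 * 30 + 301.0),
        "server_flood": det.arp_received(server, 0.0),
    }
    mon = SourceMacArpDetector(mode="monitor", threshold=30)
    mon_results = [mon.arp_received(attacker, 1.0) for _ in range(31)]
    out["monitor_31"] = mon_results[30]
    out["monitor_alarms"] = len(mon.alarms)
    return out


if __name__ == "__main__":
    print(demo())
```

In monitor mode the 31st packet is still accepted but an alarm is recorded; in filter mode it and everything after it from that MAC is dropped until the entry ages out, after which the count restarts from zero.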
  • Page 186: Configuring Arp Packet Source Mac Consistency Check

    Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
  • Page 187: Configuring Arp Packet Validity Check

    Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard." DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide. Configuration guidelines
    • Make sure at least one among static IP source guard binding entries and DHCP snooping entries is...
  • Page 188: Configuring Arp Restricted Forwarding

    Step / Command / Remarks:
    • Enable ARP detection: arp detection enable. By default, ARP detection is disabled.
    • Return to system view: quit.
    • Enable ARP packet validity check and specify the objects to be checked: arp detection validate { dst-mac | ip | src-mac }. By default, ARP packet validity check is disabled.
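
The three objects of arp detection validate, and the source MAC consistency check of page 186 (which is the src-mac case), are all checks on fields of the raw frame. The following Python code, an added example and not HP code, builds Ethernet/ARP frames in memory and applies those checks with the semantics the command documents: src-mac compares the sender MAC in the ARP body with the Ethernet source MAC; dst-mac compares the target MAC in the body of an ARP reply with the Ethernet destination MAC; ip rejects all-zero, all-one and multicast sender IP addresses, and for replies the target IP address as well. The MAC addresses reuse values from this chapter's examples; the frames and IP addresses are constructed, not captured.

```python
"""ARP packet validity check (src-mac, dst-mac, ip) over raw frames.

Added example for this guide, not HP code. Frames are constructed here, not
captured; MAC addresses reuse values from the chapter's examples.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex("".join(c for c in mac.lower() if c in "0123456789abcdef"))


def build_arp(eth_dst: str, eth_src: str, oper: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header followed by an RFC 826 IPv4 ARP body."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack(">H", ETH_P_ARP)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack(">H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack(">HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "oper": oper,
        "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def _bad_ip(addr: ipaddress.IPv4Address) -> bool:
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast)


def validate(frame: bytes, checks=("src-mac", "dst-mac", "ip")) -> list:
    """Return the names of the failed checks; an empty list means the frame passes."""
    a = parse_arp(frame)
    failed = []
    if "src-mac" in checks and a["sha"] != a["eth_src"]:
        failed.append("src-mac")
    if "dst-mac" in checks and a["oper"] == ARP_REPLY and a["tha"] != a["eth_dst"]:
        failed.append("dst-mac")
    if "ip" in checks and (_bad_ip(a["spa"]) or (a["oper"] == ARP_REPLY and _bad_ip(a["tpa"]))):
        failed.append("ip")
    return failed


def demo() -> dict:
    bcast, host_mac, other_mac = "ffff-ffff-ffff", "0001-0203-0406", "000f-e349-1234"
    zero = "0000-0000-0000"
    return {
        "good_request": validate(build_arp(bcast, host_mac, ARP_REQUEST,
                                           host_mac, "10.1.1.3", zero, "10.1.1.1")),
        "forged_sender": validate(build_arp(bcast, host_mac, ARP_REQUEST,
                                            other_mac, "10.1.1.1", zero, "10.1.1.3")),
        "reply_bad_target": validate(build_arp(host_mac, other_mac, ARP_REPLY,
                                               other_mac, "10.1.1.1", "0001-0203-9999", "10.1.1.3")),
        "multicast_sender": validate(build_arp(bcast, host_mac, ARP_REQUEST,
                                               host_mac, "224.0.0.1", zero, "10.1.1.1")),
        "src_only": validate(build_arp(bcast, host_mac, ARP_REQUEST,
                                       other_mac, "255.255.255.255", zero, "10.1.1.1"),
                             checks=("src-mac",)),
    }


if __name__ == "__main__":
    print(demo())
```

The `src_only` case shows why the objects are selected individually: with only src-mac enabled, a request with an all-one sender IP passes the ip check because that check is not running.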
  • Page 189: User Validity Check And Arp Packet Validity Check Configuration Example

    User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 63, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts. Figure 63 Network diagram Gateway DHCP server...
  • Page 190: Configuring Arp Automatic Scanning And Fixed Arp

    [SwitchB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface (an interface is an untrusted interface by default). [SwitchB-vlan10] interface ten-gigabitethernet 1/1/7 [SwitchB-Ten-GigabitEthernet1/1/7] arp detection trust [SwitchB-Ten-GigabitEthernet1/1/7] quit # Configure a static IP source guard binding entry on interface Ten-GigabitEthernet 1/1/6 for user validity check.
  • Page 191: Configuring Arp Gateway Protection

    Configuration procedure To configure ARP automatic scanning and fixed ARP (Step / Command):
    • Enter system view: system-view
    • Enter interface view: interface interface-type interface-number
    • Enable ARP automatic scanning: arp scan [ start-ip-address to end-ip-address ]
    • Return to system view: quit
    • Enable fixed ARP: arp fixup
    Configuring ARP gateway protection Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.
  • Page 192: Configuration Example

    Configuration example Network requirements As shown in Figure 64, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 64 Network diagram Configuration procedure # Configure ARP gateway protection on Switch B.
  • Page 193: Configuration Procedure

    • Do not configure both the arp filter source and arp filter binding commands on an interface.
    • If ARP filtering works with ARP detection and ARP snooping, ARP filtering applies first.
    Configuration procedure To configure ARP filtering: Step Command Remarks Enter system view.
  • Page 194 [SwitchB-Ten-GigabitEthernet1/1/6] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, Ten-GigabitEthernet 1/1/5 permits ARP packets from Host A, and discards other ARP packets. Ten-GigabitEthernet 1/1/6 permits ARP packets from Host B and discards other ARP packets.
  • Page 195: Configuring Urpf

    Configuring uRPF Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 196 Figure 67 uRPF work flow uRPF works in the following steps: uRPF checks source address validity: Discards packets with a source broadcast address. Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
  • Page 197 Proceeds to step 2 for other packets. uRPF checks whether the source address matches a FIB entry: If yes, proceeds to step 3. If not, proceeds to step 6. uRPF checks whether the check mode is loose: If yes, proceeds to step 8. If not, uRPF checks whether the matching route is a direct route: if yes, proceeds to step 5.
  • Page 198: Network Application

    Network application Figure 68 Network diagram (ISP A, ISP B and ISP C interconnected with loose uRPF; strict uRPF between ISP A and the user network) Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs. Configuration procedure Follow these guidelines when you configure uRPF: uRPF checks only incoming packets on an interface.
  • Page 199: Displaying And Maintaining Urpf

    Displaying and maintaining uRPF Execute display commands in any view. Task Command Display uRPF configuration display ip urpf [ slot slot-number ] Configuration example Network requirements As shown in Figure 69, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.
  • Page 200: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the requirements for cryptography modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the switch supports Level 2.
  • Page 201: Configuring Fips Mode

    reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations. To make sure the rollback between FIPS mode (entered by using the manual reboot method) and • non-FIPS mode succeeds, save the configuration when the device enters FIPS mode before performing other operations.
  • Page 202: Configuration Changes In Fips Mode

    Delete the FIPS-incompatible local user service types Telnet and FTP. Enable FIPS mode. Select the manual reboot method. Save the configuration file and specify it as the startup configuration file. Delete the startup configuration file in binary format (an .mdb file). Reboot the device.
  • Page 203: Fips Self-Tests

    FIPS self-tests FIPS provides self-test mechanisms, including power-up self-test and conditional self-test, to ensure the normal operation of cryptography modules. You can also trigger a self-test. If the power-up self-test fails, the device on which the self-test runs reboots. If the conditional self-test fails, the system outputs self-test failure information.
  • Page 204: Displaying And Maintaining Fips

    Step / Command:
    • Enter system view: system-view
    • Trigger a self-test: fips self-test
    Displaying and maintaining FIPS Execute the display command in any view. Task / Command: Display FIPS mode state: display fips status
    FIPS configuration examples Entering FIPS mode through automatic reboot Network requirements Use the automatic reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.
  • Page 205: Entering Fips Mode Through Manual Reboot

    old password: new password: confirm: Updating user information. Please wait ..… # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled. # Display the default configuration file. <Sysname> more fips-startup.cfg password-control enable local-user root class manage service-type terminal authorization-attribute user-role network-admin fips mode enable...
  • Page 206: Configuration File

    [Sysname] fips mode enable This command enables FIPS mode and requires a device reboot, are you sure? [Y/N]:y Reboot the device automatically to enter FIPS mode? [Y/N]:n Prepare and save all configurations for FIPS mode in the startup configuration file, and then reboot the device.
  • Page 207: Configuring Ipsec

    Configuring IPsec CAUTION: If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order.
  • Page 208
    • AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure . AH can provide data origin authentication, data integrity, and anti-replay services to prevent data tampering, but it cannot prevent eavesdropping. Therefore, it is suitable for transmitting non-confidential data.
  • Page 209: Security Association

    Figure 72 Security protocol encapsulations in different modes (transport mode and tunnel mode layouts for AH, ESP and AH-ESP, showing the position of the IP header, the AH/ESP headers, the data and the ESP trailer) Security association A security association (SA) is an agreement negotiated between two communicating parties called "IPsec peers."...
  • Page 210: Ipsec Implementation

    Authentication Code (HMAC) based authentication algorithms, including HMAC-MD5 and HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure. Encryption algorithms IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys. The following encryption algorithms are available for IPsec on the device: DES—Encrypts a 64-bit plaintext block with a 56-bit key.
  • Page 211: Protocols And Standards

    consumes more system resources when multiple data flows exist between two subnets to be protected. Protocols and standards
    • RFC 2401, Security Architecture for the Internet Protocol
    • RFC 2402, IP Authentication Header
    • RFC 2406, IP Encapsulating Security Payload
    • ...
  • Page 212: Configuring An Acl

    Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode. Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec path), the required keys, and the SA lifetime.
  • Page 213: Configuring An Ipsec Transform Set

    again and, if they match a permit statement, continues to process the packets. If ACL checking for de-encapsulated packets is disabled, the device directly processes the de-encapsulated packets without matching against the ACL. When defining ACL rules for IPsec, follow these guidelines: Permit only data flows that need to be protected and use the any keyword with caution.
  • Page 214 Step / Command / Remarks:
    • Specify the encryption algorithm for ESP in non-FIPS mode: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
    • Specify the encryption algorithm for ESP in FIPS mode: ...
    Remarks: Configure at least one command. By default, no security algorithm is specified.
  • Page 215: Configuring A Manual Ipsec Policy

    Configuring a manual IPsec policy In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode. Configuration restrictions and guidelines Make sure the IPsec configurations at the two ends of an IPsec tunnel meet the following requirements: The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, •...
  • Page 216: Configuring An Ike-Based Ipsec Policy

    Step: Specify the remote IP address of the IPsec tunnel. Command: remote-address { ipv4-address | ipv6 ipv6-address }. Remarks: By default, the remote IP address of the IPsec tunnel is not specified. The local IPv4 address of the IPsec tunnel is the primary IP address of the interface to which the IPsec policy is applied.
  • Page 217 Configure it by referencing an existing IPsec policy template with the parameters to be negotiated • configured. A device referencing an IPsec policy that is configured in this way cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator.
  • Page 218 Step: Specify an IKE profile for the IPsec policy. Command: ike-profile profile-name. Remarks: By default, the IPsec policy references no IKE profile, and it uses the IKE parameters configured in system view for negotiation. An IPsec policy can reference only one IKE profile and it cannot...
  • Page 219 settings of the negotiation initiator. When the remote end's information (such as the IP address) is unknown, the IPsec policy configured by using this method allows the remote end to initiate negotiations with the local end. To configure an IKE-based IPsec policy by referencing an IPsec policy template: Step Command Remarks...
  • Page 220: Applying An Ipsec Policy To An Interface

    Step / Command / Remarks:
    • (Optional.) Set the IPsec SA idle timeout: sa idle-time seconds. By default, the global SA idle timeout is used.
    • Return to system view: quit
    • Configure the global SA lifetime: ipsec sa global-duration { time-based seconds | ... By default, time-based SA lifetime is 3600 seconds, and traffic-based...
  • Page 221: Enabling Acl Checking For De-Encapsulated Packets

    Enabling ACL checking for de-encapsulated packets This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL to avoid attacks using forged packets.
  • Page 222: Binding A Source Interface To An Ipsec Policy

    Binding a source interface to an IPsec policy For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.
  • Page 223: Enabling Logging Of Ipsec Packets

    Step / Command / Remarks: Enter IPsec policy view or IPsec policy template view (use either command).
    • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ]
    • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template }...
  • Page 224: Displaying And Maintaining Ipsec

    Step / Command / Remarks:
    • Enter system view: system-view
    • Enter interface view: interface interface-type interface-number
    • Configure the DF bit of IPsec packets on the interface: ipsec df-bit { clear | copy | set }. By default, the interface uses the global DF bit setting.
  • Page 225: Ipsec Configuration Examples

    IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 73, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches. Configure the tunnel as follows: Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as •...
  • Page 226 # Specify the remote IP address of the IPsec tunnel as 2.2.3.1. [SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1 # Configure inbound and outbound SPIs for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg [SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba [SwitchA-ipsec-policy-manual-map1-10] quit...
  • Page 227: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg [SwitchB-ipsec-policy-manual-use1-10] quit # Apply the IPsec policy use1 to interface VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec policy use1 Verifying the configuration After the previous configurations, an IPsec tunnel between Switch A and Switch B is established, and the traffic between the switches is IPsec protected.
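
A manual policy has no negotiation to catch typing errors: the tunnel simply fails, or worse, each direction fails independently, if the two ends do not mirror each other (Switch A's outbound SPI and key must be Switch B's inbound SPI and key, and the reverse, and A's remote address must be B's local address). The following Python code, an added example and not HP code, parses the policy-view lines exactly as the guide prints them for both switches and reports every mismatch. The Switch A lines are the guide's (the local-address line is added to complete the set); the Switch B lines and the deliberately broken variant are constructed.

```python
"""Consistency check for a manual IPsec policy pair.

Added example for this guide, not HP code. Switch A's lines are the guide's
(local-address added); Switch B and the broken variant are constructed.
"""
import re

LINE = re.compile(
    r"^\[(?P<host>[A-Za-z0-9]+)-ipsec-policy-manual-(?P<policy>\S+?)-(?P<seq>\d+)\]\s+(?P<cmd>.+)$")

SWITCH_A = """
[SwitchA-ipsec-policy-manual-map1-10] local-address 2.2.2.1
[SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
"""

SWITCH_B = """
[SwitchB-ipsec-policy-manual-use1-10] local-address 2.2.3.1
[SwitchB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
[SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
[SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
"""

# Constructed: inbound SPI and inbound key mistyped on Switch B.
SWITCH_B_BROKEN = SWITCH_B.replace("inbound esp 12345", "inbound esp 12346") \
                          .replace("inbound esp simple abcdefg", "inbound esp simple abcdefh")


def parse_manual_policy(text: str) -> dict:
    """Collect local/remote addresses, SPIs and keys from IPsec policy view lines."""
    cfg = {"spi": {}, "key": {}}
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        cfg.setdefault("host", m["host"])
        cfg.setdefault("policy", m["policy"])
        words = m["cmd"].split()
        if words[0] in ("local-address", "remote-address"):
            cfg[words[0].split("-")[0]] = words[1]
        elif words[:2] == ["sa", "spi"]:
            # sa spi { inbound | outbound } { ah | esp } spi-number
            cfg["spi"][(words[2], words[3])] = int(words[4])
        elif words[:2] == ["sa", "string-key"]:
            # sa string-key { inbound | outbound } { ah | esp } { cipher | simple } key
            cfg["key"][(words[2], words[3])] = words[5]
    return cfg


def _one_direction(a: dict, b: dict) -> list:
    """Problems with a's outbound SAs seen as b's inbound SAs."""
    problems = []
    if a.get("remote") != b.get("local"):
        problems.append(f"{a.get('host')} remote {a.get('remote')} != "
                        f"{b.get('host')} local {b.get('local')}")
    protos = sorted({p for _, p in list(a["spi"]) + list(b["spi"])})
    for proto in protos:
        for table in ("spi", "key"):
            a_out, b_in = a[table].get(("outbound", proto)), b[table].get(("inbound", proto))
            if a_out != b_in:
                problems.append(f"{proto} {table}: {a.get('host')} outbound {a_out} != "
                                f"{b.get('host')} inbound {b_in}")
    return problems


def verify_tunnel(a_text: str, b_text: str) -> list:
    """Empty list means the two ends mirror each other in both directions."""
    a, b = parse_manual_policy(a_text), parse_manual_policy(b_text)
    return _one_direction(a, b) + _one_direction(b, a)


def demo() -> dict:
    return {"good": verify_tunnel(SWITCH_A, SWITCH_B),
            "broken": verify_tunnel(SWITCH_A, SWITCH_B_BROKEN)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

Running the broken pair reports the two ESP mismatches (SPI and key) on Switch B's inbound SA, which is exactly the direction that would silently drop Switch A's traffic while the other direction still works.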
  • Page 228 Figure 74 Network diagram Configuration procedure Configure Switch A: # Configure an IP address for VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Define an ACL to identify data flows between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] quit...
  • Page 229
    # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.
    [SwitchA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1
    [SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
    # Apply the IKE profile profile1.
    [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
    [SwitchA-ipsec-policy-isakmp-map1-10] quit
    # Apply the IPsec policy map1 to interface VLAN-interface 1.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec policy map1
    Configure Switch B:
    ...
  • Page 230
    [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
    # Apply the IPsec transform set tran1.
    [SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
    # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.
    [SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1
    [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
    # Apply the IKE profile profile1.
    [SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
    [SwitchB-ipsec-policy-isakmp-use1-10] quit
    # Apply the IPsec policy use1 to interface VLAN-interface 1.
    ...
    ACL 3101 on Switch B must be the mirror image of ACL 3101 on Switch A (source 2.2.3.1, destination 2.2.2.1); if the two selectors do not mirror each other, the IPsec SA negotiation fails even though IKE phase 1 succeeds.
  • Page 231: Configuring IKE

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the configuration and maintenance of IPsec.
  • Page 232: IKE Security Mechanism

    Figure 76 IKE exchange process in main mode
    As shown in Figure 76, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
    • SA exchange—Used for negotiating the security policy.
    • Key exchange—Used for exchanging the DH public value and other values like the random number.
    • ...
  • Page 233: IKE Configuration Prerequisites

    The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After PFS is enabled, an additional DH exchange is performed in IKE phase 2, so that the IPsec keys are derived from a fresh shared secret rather than only from the phase 1 keying material. The negotiated keys then have no derivative relation, and the compromise of one key does not expose the others.

    Protocols and standards
    • RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
    • ...
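    The main-mode exchange described above and the extra phase 2 DH exchange that PFS adds can be traced end to end in code. The following Python script is an added example, not code from this manual or from the switch software: it models both peers in one process and derives the phase 1 keys (SKEYID, SKEYID_d, SKEYID_a, SKEYID_e) and HASH_I under pre-shared-key authentication, then the quick-mode KEYMAT with and without PFS, following RFC 2409. It assumes HMAC-SHA1 as the prf and DH group 1 (the device default), omits ISAKMP packet encoding and the encryption of messages 5 and 6, and the SA payload body and peer identities are constructed stand-ins.

```python
"""IKEv1 main mode with pre-shared-key authentication, then quick-mode
KEYMAT derivation with and without PFS (RFC 2409). Both peers run here."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 1 (768-bit MODP, generator 2): the device's default DH
# group in non-FIPS mode. 768-bit DH is weak by current standards; prefer
# group 14 (2048-bit) where both peers support it.
GROUP1_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP1_G = 2
PROTO_ESP = b"\x03"  # ISAKMP protocol ID for ESP, mixed into KEYMAT


def is_probable_prime(n, rounds=16):
    """Miller-Rabin check, used to validate the group prime before use."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key, data):
    """IKEv1 prf: HMAC keyed with the negotiated hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n):
    return n.to_bytes((GROUP1_P.bit_length() + 7) // 8, "big")


def dh_private():
    return secrets.randbelow(GROUP1_P - 2) + 1


class Peer:
    """One IKE endpoint: cookie, nonce and DH private value for phase 1."""

    def __init__(self, psk, identity):
        self.psk, self.identity = psk, identity
        self.cookie = secrets.token_bytes(8)       # CKY-I or CKY-R
        self.nonce = secrets.token_bytes(20)       # Ni_b or Nr_b
        self.x = dh_private()
        self.gx = pow(GROUP1_G, self.x, GROUP1_P)  # KE payload (messages 3/4)

    def phase1_keys(self, peer_cookie, peer_gx, peer_nonce, initiator):
        """After the KE/nonce exchange, derive SKEYID and its three children."""
        gxy = to_bytes(pow(peer_gx, self.x, GROUP1_P))
        mine, theirs = (self.cookie, self.nonce), (peer_cookie, peer_nonce)
        (cky_i, ni), (cky_r, nr) = (mine, theirs) if initiator else (theirs, mine)
        skeyid = prf(self.psk, ni + nr)  # pre-shared-key authentication method
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")  # seeds IPsec keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def hash_i(skeyid, gx_i, gx_r, cky_i, cky_r, sa_i_b, id_ii_b):
    """HASH_I, sent encrypted in message 5 and recomputed by the responder."""
    return prf(skeyid, gx_i + gx_r + cky_i + cky_r + sa_i_b + id_ii_b)


def keymat(skeyid_d, spi, ni, nr, g_qm_xy=b""):
    """Quick-mode KEYMAT for one IPsec SA. Without PFS it depends only on
    SKEYID_d; with PFS the fresh quick-mode DH secret g(qm)^xy is mixed in."""
    return prf(skeyid_d, g_qm_xy + PROTO_ESP + spi + ni + nr)


def main_mode(psk_initiator, psk_responder, pfs=False):
    """Run phase 1 between two peers and one quick-mode key derivation."""
    a, b = Peer(psk_initiator, b"switcha"), Peer(psk_responder, b"switchb")
    sa_i_b = b"ESP-SHA1-GROUP1"  # constructed stand-in for the SA payload body
    ka = a.phase1_keys(b.cookie, b.gx, b.nonce, initiator=True)
    kb = b.phase1_keys(a.cookie, a.gx, a.nonce, initiator=False)
    gx_i, gx_r = to_bytes(a.gx), to_bytes(b.gx)
    sent = hash_i(ka["skeyid"], gx_i, gx_r, a.cookie, b.cookie, sa_i_b, a.identity)
    expected = hash_i(kb["skeyid"], gx_i, gx_r, a.cookie, b.cookie, sa_i_b, a.identity)
    if not hmac.compare_digest(sent, expected):  # keychain mismatch fails here
        return {"authenticated": False}
    spi, qni, qnr = (secrets.token_bytes(4), secrets.token_bytes(20),
                     secrets.token_bytes(20))
    g_qm_a = g_qm_b = b""
    if pfs:  # the extra DH exchange that PFS adds to phase 2
        xa, xb = dh_private(), dh_private()
        g_qm_a = to_bytes(pow(pow(GROUP1_G, xb, GROUP1_P), xa, GROUP1_P))
        g_qm_b = to_bytes(pow(pow(GROUP1_G, xa, GROUP1_P), xb, GROUP1_P))
    return {"authenticated": True, "skeyid_d": ka["d"], "qm": (spi, qni, qnr),
            "keymat_i": keymat(ka["d"], spi, qni, qnr, g_qm_a),
            "keymat_r": keymat(kb["d"], spi, qni, qnr, g_qm_b)}


if __name__ == "__main__":
    r = main_mode(b"example-psk", b"example-psk", pfs=True)
    print("authenticated:", r["authenticated"],
          "keymat match:", r["keymat_i"] == r["keymat_r"])
```

    With PFS off, keymat(r["skeyid_d"], *r["qm"]) reproduces the IPsec keys from the phase 1 material alone, which is exactly the derivative relation PFS removes; with PFS on, the same call no longer matches because g(qm)^xy is missing. A wrong pre-shared key fails at the HASH_I comparison, which is where an IKE keychain mismatch surfaces in practice.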
  • Page 234: Configuring an IKE Profile

    Tasks at a glance                                           Remarks
    (Optional.) Enabling invalid SPI recovery
    (Optional.) Setting the limit on the number of IKE SAs

    Configuring an IKE profile
    An IKE profile is intended to provide a set of parameters for IKE negotiation. To configure an IKE profile, you can do the following:
    • Configure peer IDs.
    ...
  • Page 235
    Step: Configure a peer ID.
    Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address ...
    Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.
  • Page 236: Configuring an IKE Proposal

    Step: Specify an inside VPN instance.
    Command: inside-vpn vpn-instance vpn-name
    Remarks: By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance with the same name as the VPN instance on the external network.
  • Page 237: Configuring an IKE Keychain

    Step: Specify an authentication algorithm for the IKE proposal.
    Command (non-FIPS mode): authentication-algorithm { md5 | sha }
    Command (FIPS mode): authentication-algorithm sha
    Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm.

    Step: Specify a DH group for the IKE proposal.
    Command (non-FIPS mode): dh { group1 | group14 | group2 | ...
    Remarks: By default, DH group1 (the 768-bit DH group) is used in ...
    MD5 and the 768-bit group1 are weak by current standards. Where both peers support it, configure sha and group14 (2048-bit) explicitly instead of relying on the defaults.
  • Page 238: Configuring the Global Identity Information

    Step: (Optional.) Specify a local interface or IP address that the IKE keychain can be applied to.
    Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance ...
    Remarks: By default, an IKE keychain can be applied to any local interface or IP address.
  • Page 239: Configuring the IKE NAT Keepalive Function

    • Configure IKE DPD instead of the IKE keepalive function unless IKE DPD is not supported on the peer.
    • The IKE keepalive function sends keepalives at regular intervals, which consumes network bandwidth and resources.
    • The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer.
  • Page 240: Enabling Invalid SPI Recovery

    If the local device receives no response after two retries, it considers the peer dead and deletes the IKE SA along with the IPsec SAs it negotiated. If the local device receives a response from the peer during the detection process, the peer is considered alive.
  • Page 241: Displaying and Maintaining IKE

    • The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency. The half-open limit also bounds the resources a peer can tie up by starting negotiations it never completes.
    • The supported maximum number of established IKE SAs depends on the device's memory space.
  • Page 242: Configuration Procedure

    Configuration procedure
    Make sure Switch A and Switch B can reach each other.
    Configure Switch A:
    # Assign an IP address to VLAN-interface 1.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 1.1.1.1 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    # Configure ACL 3101 to identify traffic between Switch A and Switch B.
    [SwitchA] acl number 3101
    [SwitchA-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchA-acl-adv-3101] quit
    ...
  • Page 243
    [SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
    # Specify IKE profile profile1 for the IPsec policy.
    [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
    [SwitchA-ipsec-policy-isakmp-map1-10] quit
    # Apply IPsec policy map1 to VLAN-interface 1.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec policy map1
    Configure Switch B:
    # Assign an IP address to VLAN-interface 1.
    <SwitchB> ...
  • Page 244: Troubleshooting IKE

    # Reference ACL 3101 to identify the traffic to be protected.
    [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
    # Reference IPsec transform set tran1 for the IPsec policy.
    [SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
    # Specify IKE profile profile1 for the IPsec policy.
    [SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
    [SwitchB-ipsec-policy-isakmp-use1-10] quit
    # Apply IPsec policy use1 to VLAN-interface 1.
    ...
  • Page 245: IKE Negotiation Failed Because No IKE Proposals or IKE Keychains Are Referenced Correctly

    IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly

    Symptom
    The IKE SA is in Unknown state.
    <Sysname> display ike sa
        Connection-ID   Remote          Flag
    ------------------------------------------------------------------
                        192.168.222.5   Unknown   IPSEC
    Flags:
    RD--READY RL--REPLACED FD-FADING
    The following IKE event debugging or packet debugging message appeared:
    IKE event debugging message:
    Notification PAYLOAD_MALFORMED is received.
  • Page 246: IPsec SA Negotiation Failed Due to Invalid Identity Information

    Analysis
    Certain IPsec policy settings are incorrect.

    Solution
    Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.

    IPsec SA negotiation failed due to invalid identity information

    Symptom
    The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated...
  • Page 247
    Exchange-mode: Main
    Diffie-Hellman group: Group 1
    NAT traversal: Not detected
    # Verify that the IPsec policy is referencing an IKE profile.
    [Sysname] display ipsec policy
    -------------------------------------------
    IPsec Policy: policy1
    Interface: Vlan-interface1
    -------------------------------------------
  • Page 248
      -----------------------------
      Sequence number: 1
      Mode: isakmp
      -----------------------------
        Description:
        Security data flow: 3000
        Selector mode: aggregation
        Local address: 192.168.222.5
        Remote address:
        Transform set: transform1
        IKE profile: profile1
        SA duration(time based):
        SA duration(traffic based):
        SA idle time:

    Solution
    If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.
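    The two symptoms above, an IKE SA left in a state other than RD and an IPsec policy entry whose references are missing, can be checked mechanically rather than by eye. The following Python script is an added example, not code from this manual or from the switch software: it parses display ike sa and display ipsec policy output in the layout shown on these pages and reports both conditions. The sample output is constructed for the example; the connection IDs, the DOI column header and the column spacing are assumptions.

```python
"""Checks over `display ike sa` and `display ipsec policy` output for the
troubleshooting symptoms in this chapter: an IKE SA that is not in RD (ready)
state, and an isakmp-mode policy entry with empty references."""
import re

# Constructed sample output modelled on the displays shown in this chapter.
# Connection IDs, the DOI header and column widths are assumptions.
IKE_SA_SAMPLE = """\
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    1               192.168.222.5         Unknown      IPSEC
    2               10.1.1.2              RD           IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
"""

IPSEC_POLICY_SAMPLE = """\
-------------------------------------------
IPsec Policy: policy1
Interface: Vlan-interface1
-------------------------------------------

  -----------------------------
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Description:
    Security data flow: 3000
    Selector mode: aggregation
    Local address: 192.168.222.5
    Remote address:
    Transform set: transform1
    IKE profile: profile1
    SA duration(time based):
    SA duration(traffic based):
    SA idle time:

  -----------------------------
  Sequence number: 2
  Mode: isakmp
  -----------------------------
    Description:
    Security data flow:
    Selector mode: aggregation
    Local address: 192.168.222.5
    Remote address: 192.168.222.6
    Transform set:
    IKE profile:
"""

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_ike_sa(text):
    """Rows of `display ike sa` as (connection_id, remote, flag, doi)."""
    rows, in_table = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Flags:"):        # legend follows the table
            break
        if s.startswith("---"):           # separator ends the header
            in_table = True
            continue
        if in_table and s:
            conn, remote, flag, doi = s.split()
            rows.append((conn, remote, flag, doi))
    return rows


def stuck_ike_sas(text):
    """(remote, flag) for every IKE SA not in RD state; Unknown is the
    symptom described for wrongly referenced proposals or keychains."""
    return [(remote, flag) for _, remote, flag, _ in parse_ike_sa(text)
            if flag != "RD"]


def parse_ipsec_policy(text):
    """{(policy_name, sequence_number): {field: value}} from `display ipsec policy`."""
    entries, policy, seq = {}, None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # separators and blank lines
        key, value = m.groups()
        if key == "IPsec Policy":
            policy, seq = value, None
        elif key == "Sequence number":
            seq = int(value)
            entries[(policy, seq)] = {}
        elif policy is not None and seq is not None:
            entries[(policy, seq)][key] = value
    return entries


def policy_gaps(text, required=("Security data flow", "Transform set")):
    """(policy, seq, field) for isakmp-mode entries whose required
    references are empty, in display order."""
    gaps = []
    for (policy, seq), fields in parse_ipsec_policy(text).items():
        if fields.get("Mode") != "isakmp":
            continue
        gaps.extend((policy, seq, name) for name in required
                    if not fields.get(name))
    return gaps


def ike_profile_refs(text):
    """Which IKE profile, if any, each isakmp-mode entry references."""
    return {key: fields.get("IKE profile", "")
            for key, fields in parse_ipsec_policy(text).items()
            if fields.get("Mode") == "isakmp"}


if __name__ == "__main__":
    print("IKE SAs not ready:", stuck_ike_sas(IKE_SA_SAMPLE))
    print("policy gaps:", policy_gaps(IPSEC_POLICY_SAMPLE))
    print("IKE profile references:", ike_profile_refs(IPSEC_POLICY_SAMPLE))
```

    An entry with an empty transform set or security data flow cannot negotiate an IPsec SA at all, so policy_gaps is the first thing to check when display ike sa shows RD but display ipsec sa shows nothing; ike_profile_refs then tells you which profile to compare against the peer IDs and keychain on the other end.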
  • Page 249: Support And Other Resources

    Support and other resources

    Contacting HP
    For worldwide technical support information, see the HP support website: http://www.hp.com/support
    Before contacting HP, collect the following information:
    • Product model names and numbers
    • Technical support registration number (if applicable)
    • Product serial numbers
    • Error messages
    • ...
  • Page 250: Conventions

    Conventions
    This section describes the conventions used in this documentation set.

    Command conventions
    Convention      Description
    Boldface        Bold text represents commands and keywords that you enter literally as shown.
    Italic          Italic text represents arguments that you replace with actual values.
    [ ]             Square brackets enclose syntax choices (keywords or arguments) that are optional.
    { x | y | ...   Braces enclose a set of required syntax choices separated by vertical bars, from which ...
  • Page 251 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.