H3C S5830V2 series Security Configuration Manual Download Page 8

Contents 

Configuring AAA ···· 1
  Overview ···· 1
    RADIUS ···· 2
    HWTACACS ···· 7
    LDAP ···· 9
    AAA implementation on the device ···· 11
    AAA for MPLS L3VPNs ···· 13
    Protocols and standards ···· 13
    RADIUS attributes ···· 14
  FIPS compliance ···· 17
  AAA configuration considerations and task list ···· 17
  Configuring AAA schemes ···· 18
    Configuring local users ···· 18
    Configuring RADIUS schemes ···· 22
    Configuring HWTACACS schemes ···· 30
    Configuring LDAP schemes ···· 36
  Configuring AAA methods for ISP domains ···· 39
    Configuration prerequisites ···· 40
    Creating an ISP domain ···· 40
    Configuring ISP domain status ···· 40
    Configuring authentication methods for an ISP domain ···· 41
    Configuring authorization methods for an ISP domain ···· 42
    Configuring accounting methods for an ISP domain ···· 43
  Enabling the session-control feature ···· 44
  Displaying and maintaining AAA ···· 44
  AAA configuration examples ···· 44
    AAA for SSH users by an HWTACACS server ···· 44
    Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ···· 46
    Authentication and authorization for SSH users by a RADIUS server ···· 47
    Authentication for SSH users by an LDAP server ···· 51
  Troubleshooting RADIUS ···· 56
    RADIUS authentication failure ···· 56
    RADIUS packet delivery failure ···· 56
    RADIUS accounting error ···· 57
  Troubleshooting HWTACACS ···· 57
  Troubleshooting LDAP ···· 57
802.1X overview ···· 59
  802.1X architecture ···· 59
  Controlled/uncontrolled port and port authorization status ···· 59
  802.1X-related protocols ···· 60
    Packet formats ···· 61
    EAP over RADIUS ···· 62
  Initiating 802.1X authentication ···· 62
    802.1X client as the initiator ···· 62
    Access device as the initiator ···· 63
  802.1X authentication procedures ···· 63
    Comparing EAP relay and EAP termination ···· 64
    EAP relay ···· 64

 

Summary of Contents for S5830V2 series

Page 1: ...H3C S5830V2 & S5820V2 Switch Series Security Configuration Guide. Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com. Software version: Release 22xx. Document version: 6W100-20131105...

Page 2: ...re, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision, and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the...

Page 3: ...ection. This preface includes: Audience; Added and modified features; Conventions; About the H3C S5830V2 & S5820V2 documentation set; Obtaining documentation; Technical support; Documentation feedback. Audience...

Page 4: ...eatures. Password control, Public key management: N/A. PKI: Added features: PKI. SSH: Added features: Configuring the service type as SCP for SSH users; Configuring the device as an SCP client; Specifying the ou...

Page 5: ...choice, multiple choices, or none. &<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times. #: A line that starts with a pound (#) sign is comments. GUI convent...

Page 6: ...n assemblies installation manual: Describes the appearance, specifications, and installation and removal of hot-swappable fan assemblies. Power modules user manual: Describes the appearance, specifications...

Page 7: ...Technical support: service@h3c.com, http://www.h3c.com. Documentation feedback: You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments...

Page 8: ...nabling the session-control feature 44; Displaying and maintaining AAA 44; AAA configuration examples 44; AAA for SSH users by an HWTACACS server 44; Local authentication, HWTACACS authorization, and RADIUS...

Page 9: ...guration procedure 75; Verifying the configuration 77; Configuring MAC authentication 78; Overview 78; User account policies 78; Authentication methods 78; Configuration prerequisites 79; Configuration task...

Page 10: ...ontrol parameters 110; Displaying and maintaining password control 111; Password control configuration example 111; Network requirements 111; Configuration procedure 112; Verifying the configuration 113; Ma...

Page 11: ...ion example 149; Troubleshooting PKI configuration 155; Failed to obtain the CA certificate 155; Failed to obtain local certificates 155; Failed to request local certificates 156; Failed to obtain CRLs 157...

Page 12: ...Configuring an SSL server policy 198; Configuring an SSL client policy 199; Displaying and maintaining SSL 200; Configuring IP source guard 202; Overview 202; Static IP source guard binding entries 202; Dy...

Page 13: ...delines 223; Configuration procedure 223; Configuration example 224; Configuring ARP filtering 224; Configuration guidelines 224; Configuration procedure 225; Configuration example 225; Configuring uRPF 227...

Page 14: ...guring IKE 264; Overview 264; IKE negotiation process 264; IKE security mechanism 265; Protocols and standards 266; FIPS compliance 266; IKE configuration prerequisites 266; IKE configuration task list 266; C...

Page 15: ...ormation centrally. See Figure 1. Figure 1 AAA network diagram. A user who wants to access networks or resources beyond the NAS sends its identity information to the NAS, which transparently passes the us...

Page 16: ...s performs user authentication, authorization, or accounting, and returns user access control information (for example, rejecting or accepting the user access request) to the clients. In addition, the RADIUS...

Page 17: ...he authentication succeeds, the server sends back an Access-Accept packet that contains the user's authorization information. If the authentication fails, the server returns an Access-Reject packet. 4. The...

Page 18: ...t: From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails and the server sends an Access-Reject response. 4. Accounting-Request: From...

Page 19: ...ttributes. No. | Attribute | No. | Attribute: 1 User-Name, 45 Acct-Authentic; 2 User-Password, 46 Acct-Session-Time; 3 CHAP-Password, 47 Acct-Input-Packets; 4 NAS-IP-Address, 48 Acct-Output-Packets; 5 NAS-Port, 49 Acct...

Page 20: ...ets; 90 Tunnel-Client-Auth-id; 44 Acct-Session-Id; 91 Tunnel-Server-Auth-id. Extended RADIUS attributes: The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defin...

Page 21: ...their primary differences. Table 3 Primary differences between HWTACACS and RADIUS. HWTACACS: Uses TCP, providing more reliable network transmission. RADIUS: Uses UDP, providing higher transport efficiency...

Page 22: ...ntication response requesting the login password. 8. Upon receipt of the response, the HWTACACS client asks the user for the login password. (Figure participants: Host, HWTACACS client, HWTACACS server.) 1. The user tries to log in...

Page 23: ...suitable for storing data that does not often change. LDAP is typically used to store user information. For example, LDAP server software Active Directory Server is used in Microsoft Windows operating s...

Page 24: ...quirements, the client sends an administrator bind request to the LDAP server to obtain the right to search for authorization information about users on the user DN list. Basic LDAP packet exchange proc...

Page 25: ...s fail to be bound. If all user DNs fail to be bound, the LDAP client notifies the user of the login failure and denies the user's access request. 9. The LDAP client and server perform authorization excha...

Page 26: ...ot available. The device supports the following authorization methods: No authorization: The NAS performs no authorization exchange. After passing authentication, non-login users can access the network, FTP...

Page 27: ...deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, in the network shown in Figure 9, you can deploy the AAA across VPNs feature so that the multi-V...

Page 28: ...d-MTU: MTU for the data link between the user and NAS. For example, this attribute can be used to define the maximum size of EAP packets allowed to be processed in 802.1X EAP authentication. 14 Login-IP-H...

Page 29: ...this attribute is 201. 79 EAP-Message: Used to encapsulate EAP packets to allow RADIUS to support EAP authentication. 80 Message-Authenticator: Used for authentication and verification of authentication p...

Page 30: ..._Host_Addr: User IP address and MAC address included in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. 61...

Page 31: ...d the related attributes, including the usernames and passwords for the users to be authenticated. Remote authentication: Configure the required RADIUS, HWTACACS, and LDAP schemes. 2. Configure AAA methods f...

Page 32: ...ied into the following types: Device management user: User who logs in to the device for device management. Network access user: User who accesses network resources through the device. Configurable local u...

Page 33: ...ing password control. Local user configuration task list. Tasks at a glance: (Required) Configuring local user attributes; (Optional) Configuring user group attributes; (Optional) Displaying and maintaining loca...

Page 34: ...ices. 6. (Optional.) Configure binding attributes for the local user: bind-attribute { ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id }. By default, no binding att...

Page 35: ...longs to the default user group system and bears all attributes of the group. To assign a local user to a different user group, use the user group command in local user view. To configure user group attr...

Page 36: ...ptional) Specifying the RADIUS accounting servers and the relevant parameters; (Optional) Specifying the shared keys for secure RADIUS communication; (Optional) Specifying a VPN for the scheme; (Optional) Setti...

Page 37: ...pv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ]. Configure at least one command. By default, no authentication server is specified. Two authentication servers in a sch...

Page 38: ...r password encryption. They must use the same key for each type of communication. A key configured in this task is for all servers of the same type (accounting or authentication) in the scheme, and has a l...

Page 39: ...name is included in a username. 4. (Optional.) Set the data flow and packet measurement units for traffic statistics: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet...

Page 40: ...the server changes back to active, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device co...

Page 41: ...NAS. If yes, the server processes the packet. If not, the server drops the packet. The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate...

Page 42: ...accounting packets to the accounting server for online users. When you set RADIUS timers, follow these guidelines: When you configure the maximum number of RADIUS packet transmission attempts and the RAD...

Page 43: ...f retries. The RADIUS server must run on IMC to correctly log out users when a card reboots on the distributed device to which the users connect. To configure the accounting-on feature for a RADIUS sche...

Page 44: ...pecifying the HWTACACS authentication servers; (Optional) Specifying the HWTACACS authorization servers; (Optional) Specifying the HWTACACS accounting servers; (Required) Specifying the shared keys for secure...

Page 45: ...pn-instance-name ]. Specify a secondary HWTACACS authentication server: secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ]. Configur...

Page 46: ...e primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. HWTACACS does not support accounting for FTP users. To specify HWTACACS accounting se...

Page 47: ...public network. Setting the username format and traffic statistics units: A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP do...

Page 48: ...ed with the VRRP for stateful failover, the source IP address of outgoing HWTACACS packets can be the virtual IP address of the uplink VRRP group. You can specify the source IP address for outgoing HWTA...

Page 49: ...communicates when the current servers are no longer available. You can specify one primary HWTACACS server and multiple secondary HWTACACS servers, with the secondary servers functioning as the backup...

Page 50: ...ting precision but requires many system resources. When there are 1000 or more users, set a longer interval. 5. Set the server quiet timer: timer quiet minutes. By default, the server quiet timer is 5 minute...

Page 51: ...ifying the LDAP version: Specify the LDAP version on the NAS. The device supports LDAPv2 and LDAPv3, and the LDAP version specified on the device must be consistent with that specified on the LDAP server...

Page 52: ...is specified. Configuring LDAP user attributes: To authenticate a user, an LDAP client must establish a connection to the LDAP server, obtain the user DN from the LDAP server, and use the user DN and the...

Page 53: ...rks. 1. Enter system view: system-view. N/A. 2. Create an LDAP scheme and enter its view: ldap scheme ldap-scheme-name. By default, no LDAP scheme is defined. Specifying the LDAP authentication server. Step, Comm...

Page 54: ...ice, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the device considers the user belongs to the default ISP domain. To delete the ISP domain functioning as the defaul...

Page 55: ...a RADIUS scheme is specified, the device uses the username $enabn on the RADIUS server for role authentication, where n is the same as that in the target user role level-n. Configuration procedure: To conf...

Page 56: ...ntication and reference the same RADIUS scheme for RADIUS authentication and authorization. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication...

Page 57: ...uidelines: Login users who use FTP services do not support accounting. Local accounting does not provide statistics for charging. It only counts and controls the number of concurrent users who use the sa...

Page 58: ...mmand, Remarks. 1. Enter system view: system-view. N/A. 2. Enable the session-control feature: radius session-control enable. By default, the session-control feature is disabled. Displaying and maintaining AAA. E...

Page 59: ...ting 10.1.1.1 49. # Set the shared keys for secure HWTACACS communication to expert in plain text. [Switch-hwtacacs-hwtac] key authentication simple expert. [Switch-hwtacacs-hwtac] key authorization simple exp...

Page 60: ...hentication for SSH servers, use the HWTACACS server and RADIUS server for SSH user authorization and accounting, respectively, and to assign the default user role network-operator to SSH users after the...

Page 61: ...ice-type ssh. # Set a password for the local user to hello in plain text. [Switch-luser-manage-hello] password simple hello. [Switch-luser-manage-hello] quit. # Create ISP domain bbb and configure AAA methods for...

Page 62: ...access device. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. Then click Add to configure an access device as follow...

Page 63: ...ser from the navigation tree. Then click Add to configure a device management account as follows: a. Enter the account name hello@bbb and specify the password. b. Select the service type SSH. c. Specify 10.1...

Page 64: ...vlan-interface 3. [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0. [Switch-Vlan-interface3] quit. # Create local RSA and DSA key pairs. [Switch] public-key local create rsa. [Switch] public-key local crea...

Page 65: ...sp-bbb] accounting login none. [Switch-isp-bbb] quit. Verifying the configuration: When the user initiates an SSH connection to the switch and enters the username hello@bbb and the correct password, the user...

Page 66: ...and double-click Active Directory Users and Computers to display the Active Directory Users and Computers window. b. From the navigation tree, click Users under the ldap.com node. c. Select Action > New > User...

Page 67: ...s password. e. Click OK. # Add user aaa to group Users. f. From the navigation tree, click Users under the ldap.com node. g. On the right pane, right-click aaa and select Properties. h. In the dialog box, click th...

Page 68: ...field and click OK. User aaa is added to group Users. Figure 20 Adding user aaa to group Users. # Set the administrator password to admin 123456. a. From the user list on the right pane, right-click Administ...

Page 69: ...he default user role network-operator after passing authentication. [Switch] role default-role enable. # Configure an LDAP server. [Switch] ldap server ldap1. # Specify the IP address of the LDAP authentication s...

Page 70: ...ct. The RADIUS server and the NAS are configured with different shared keys. Solution: Check that: The NAS and the RADIUS server can ping each other. The username is in the userid@isp-name format and the I...

Page 71: ...address configured on the NAS is incorrect. For example, the NAS is configured to use a single server to provide authentication, authorization, and accounting services, but in fact the services are provide...

Page 72: ...number of the LDAP server configured on the NAS match those of the server. The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS. The u...

Page 73: ...ion services for the network access device. The authentication server authenticates 802.1X clients by using the data sent from the network access device and returns the authentication results to the ne...

Page 74: ...cation server. EAP is an authentication framework that uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Prot...

Page 75: ...4 (MD5-Challenge) are two examples for the type field. EAPOL packet format: Figure 24 shows the EAPOL packet format. Figure 24 EAPOL packet format. PAE Ethernet type: Protocol type. It takes the value 0x888E...

Page 76: ...3 bytes, RADIUS encapsulates it in multiple EAP-Message attributes. Figure 25 EAP-Message attribute format. Message-Authenticator: RADIUS includes the Message-Authenticator attribute in all packets that h...

Page 77: ...t if no response has been received within a certain time interval. 802.1X authentication procedures: 802.1X authentication provides two methods, EAP relay and EAP termination. You choose either mode depen...

Page 78: ...ge-Authenticator attributes and the EAP authentication method used by the client. EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. Supports only MD5-Challenge EAP a...

Page 79: ...enge to encrypt the password in the entry and sends the challenge in a RADIUS Access-Challenge packet to the network access device. 6. The network access device relays the EAP-Request/MD5-Challenge pack...

Page 80: ...handshake attempts fail, the device logs off the client. 12. Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a certain number of consecutiv...

Page 81: ...nation mode, the network access device, rather than the authentication server, generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the...

Page 82: ...tely authenticated on a port. When a user logs off, no other online users are affected. Configuration prerequisites: Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users...

Page 83: ...ted by the 802.1X client and the RADIUS server. If the client is using only MD5-Challenge EAP authentication or the username/password EAP authentication initiated by an H3C iNode 802.1X client, you can...

Page 84: ...e to allow only EAPOL packets to pass. After a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios. To set the autho...

Page 85: ...view. N/A. 2. Set the maximum number of attempts for sending an authentication request: dot1x retry max-retry-value. The default setting is 2. Setting the 802.1X authentication timeout timers: The network de...

Page 86: ...3. Enter Ethernet interface view: interface interface-type interface-number. N/A. 4. Enable the online handshake function: dot1x handshake. By default, the function is enabled. Configuring the authentication t...

Page 87: ...ce view: interface interface-type interface-number. N/A. 4. Enable an authentication trigger: dot1x { multicast-trigger | unicast-trigger }. By default, the multicast trigger is enabled and the unicast trigger is...

Page 88: ...authentication interval is user configurable. The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer o...

Page 89: ...thentication and accounting servers, and the host at 10.1.1.2/24 as the secondary authentication and accounting servers. Assign all users to the ISP domain aabbcc.net. Configure the shared key as name fo...

Page 90: ...and accounting RADIUS servers. [Device-radius-radius1] secondary authentication 10.1.1.2. [Device-radius-radius1] secondary accounting 10.1.1.2. # Specify the shared key between the access device and the authe...

Page 91: ...terface ten-gigabitethernet 1/0/1. [Device-Ten-GigabitEthernet1/0/1] dot1x port-method macbased. # Specify aabbcc.net as the mandatory domain. [Device-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain aabbcc.ne...

Page 92: ...policies: One MAC-based user account for each user: The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for...

Page 93: ...is disabled. For more information about port security, see Configuring port security. Configuration task list. Tasks at a glance: (Required) Enabling MAC authentication; (Optional) Specifying a MAC authenticat...

Page 94: ...tication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see Conf...

Page 95: ...evice must wait before it can perform MAC authentication for a user who has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents r...

Page 96: ...authentication configuration examples. Local MAC authentication configuration example. Network requirements: As shown in Figure 32, configure local MAC authentication on port Ten-GigabitEthernet 1/0/1 to...

Page 97: ...imer offline-detect 180. [Device] mac-authentication timer quiet 180. # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lower case. [Device]...

Page 98: ...Network diagram. Configuration procedure: 1. Make sure the RADIUS server and the access device can reach each other. 2. Create a shared account for MAC authentication users on the RADIUS server and set th...

Page 99: ...ication users. [Device] mac-authentication user-name-format fixed account aaa password simple 123456. Verifying the configuration: # Display MAC authentication settings and statistics. [Device] display mac-auth...

Page 100: ...require only 802.1X authentication or MAC authentication, H3C recommends you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and...

Page 101: ...cation mode in use allows, whichever is smaller. For example, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses on the port in userLoginSecureExt mode, port...

Page 102: ...ess dynamic and mac-address static commands to pass. When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode. Secure MAC address learning is disabled on a por...

Page 103: ...s mode supports multiple 802.1X and MAC authentication users. macAddressElseUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication ha...

Page 104: ...the number of secure MAC addresses on a port. You can set the maximum number of secure MAC addresses that port security allows on a port for the following purposes: Controlling the number of concurrent...

Page 105: ...ddress oui-value. By default, no OUI value is configured for user authentication. This command is required for the userlogin-withoui mode. You can set multiple OUIs, but when the port security mode is user...

Page 106: ...iew: interface interface-type interface-number. N/A. 3. Configure the NTK feature: port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }. By default, NTK is disabled on a port and all frames a...

Page 107: ...comparison of static and sticky secure MAC addresses. Type | Address sources | Aging mechanism | Can be saved and survive a device reboot. Static: Manually added; Not available. They never age out unless you ma...

Page 108: ...not be specified as both a static secure MAC address and a sticky MAC address. Ignoring authorization information from the server: You can configure a port to ignore the authorization information receiv...

Page 109: ...If any frame with an unknown MAC address arrives, intrusion protection starts, and the port shuts down and stays silent for 30 seconds. Figure 34 Network diagram. Configuration procedure: # Enable port secu...

Page 110: ...ernet1/0/1] display this. interface Ten-GigabitEthernet1/0/1; port-security max-mac-count 64; port-security port-mode autolearn; port-security mac-address security sticky 0002-0000-0015 vlan 1; port-securit...

Page 111: ...The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Make sure the host and the RADIUS server can reac...

Page 112: ...thOUI. [Device] interface ten-gigabitethernet 1/0/1. [Device-Ten-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui. [Device-Ten-GigabitEthernet1/0/1] quit. Verifying the configuration: # Display the...

Page 113: ...ode: Disabled. Intrusion protection mode: NoAction. Max number of secure MAC addresses: Not configured. Current number of secure MAC addresses: 1. Authorization is permitted. After an 802.1X user goes online, y...

Page 114: ...ty enable. # Configure the username and password for MAC authentication as aaa and 123456. [Device] mac-authentication user-name-format fixed account aaa password simple 123456. # Specify the MAC authenticatio...

Page 115: ...Offline detect period is 60s. Quiet period is 5s. Server response timeout value is 100s. Max number of users is 1024 per slot. Current number of online users is 3. Current authentication domain is sun. Sil...

Page 116: ...ed EAPOL Start Packets: 6; EAPOL LogOff Packets: 2; EAP Response Identity Packets: 80; EAP Response Challenge Packets: 6; Error Packets: 0. 1 Authenticated user. MAC address: 0002-0000-0011. Controlled Users: 1. Bec...

Page 117: ...a port security mode other than autoLearn. Solution: Set the port security mode to autoLearn. [Device-Ten-GigabitEthernet1/0/1] undo port-security port-mode. [Device-Ten-GigabitEthernet1/0/1] port-security ma...

Page 118: ...m the following types: Uppercase letters A to Z; Lowercase letters a to z; Digits 0 to 9; Special characters. For information about special characters, see the password-control composition command in Securi...

Page 119: ...ssword expiration: Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password. If a user enters an expired password when logging in, the s...

Page 120: ...Limiting the number of consecutive failed login attempts can effectively prevent password guessing. If an FTP or VTY user fails authentication, the system adds the user to a password control blacklist...

Page 121: ...ll user groups if you do not configure password policies for these users in both local user view and user group view. For local user passwords, the settings with a smaller application scope have higher...

Page 122: ...not take effect on users that have been logged in or passwords that have been configured To set global password control parameters Step Command Remarks 1 Enter system view system view N A 2 Set the pa...

Page 123: ...n idle time idle time The default setting is 90 days Setting user group password control parameters Step Command Remarks 1 Enter system view system view N A 2 Create a user group and enter user group...

Page 124: ...ed for the user group the global setting applies to the local user 5 Configure the password composition policy for the local user password control composition type number type number type length type...

Page 125: ...cklist reset password control blacklist user name name Clear history password records reset password control history record user name name super role role name NOTE The reset password control history...

Page 126: ...swords to expire after 30 days Sysname password control aging 30 Globally set the minimum password length to 16 Sysname password control length 16 Set the minimum password update interval to 36 hours...

Page 127: ...ser in interactive mode Sysname luser manage test password Password Confirm Updating user information Please wait Sysname luser manage test quit Verifying the configuration Display the global password...

Page 128: ...name local user test class manage Sysname luser manage test display this local user test class manage service type telnet authorization attribute user role network operator password control aging 20 p...

Page 129: ...public key The security applications use the asymmetric key algorithms for the following purposes Encryption and decryption Any public key receiver can use the public key to encrypt information but o...

Page 130: ...pair The key pairs are automatically saved and can survive system reboots Table 8 A comparison of different types of asymmetric key algorithms Type Number of key pairs Modulus length H3C recommendati...

Page 131: ...blic key Exporting a host public key in a specific format to a file Use this method if you can import public keys from a file on the peer device Displaying a host public key in a specific format and s...

Page 132: ...nd copy it to an unformatted file You must literally enter the key on the peer device Perform the following tasks in any view Task Command Display local RSA public keys display public key local rsa pu...

Page 133: ...ight be incorrect If the key is not in the correct format the system discards the key and displays an error message If the key is valid for example the key displayed by the display public key local pu...

Page 134: ...As shown in Figure 38 to prevent illegal access Device B authenticates Device A through a digital signature Before configuring authentication parameters on Device B configure the public key of Device...

Page 135: ...1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953FB22AA30203010001 2 Configure Device B Enter the host public key of Device A in public key view The key...

Page 136: ...PS mode Network requirements In Figure 39 Device B authenticates Device A through a digital signature Before configuring authentication parameters on Device B configure the public key of Device A on D...

Page 137: ...028A AC41C80A15953FB22AA30203010001 Export the RSA host public key to the file devicea pub DeviceA public key local export rsa ssh2 devicea pub DeviceA quit Enable the FTP server function create an FT...

Page 138: ...fy that the host public key is the same as it is on Device A DeviceB display public key peer name devicea Key name devicea Key type RSA Key modulus 1024 Key code 30819F300D06092A864886F70D010101050003...

Page 139: ...e international standards of ITU T X 509 of which X 509 v3 is common This chapter covers the following types of certificates CA certificate Certificate of a CA Multiple CAs in a PKI system form a CA t...

Page 140: ...fines the certificate validity periods and revokes certificates by publishing CRLs RA In a PKI system with complex CA hierarchical structures RAs which are trusted by CAs manage registration requests...

Page 141: ...otocols for example IPsec in conjunction with PKI based encryption and digital signature technologies for confidentiality Secure emails PKI can address the email requirements for confidentiality integ...

Page 142: ...uesting a certificate Configuring automatic certificate request Manually requesting a certificate Optional Aborting a certificate request Optional Obtaining certificates Optional Verifying PKI certifi...

Page 143: ...efault no PKI entities exist To create multiple PKI entities repeat this step 3 Set a common name for the entity common name common name string By default the common name is not set 4 Set the country c...

Page 144: ...d CA is specified To obtain a CA certificate the trusted CA name must be provided The trusted CA name is in SCEP messages and the CA server does not use this name unless the server has two CAs configu...

Page 145: ...tions including SSL clients and SSL server The extension of a certificate depends on the certificate user and it is not limited by PKI The extension options contained in an issued certificate depend o...

Page 146: ...re sending a certificate request Configuration guidelines Make sure the system time is synchronized with the CA server Otherwise the certificate request process might fail because the certificate migh...

Page 147: ...sed a PKI domain can have only one local certificate If RSA is used a PKI domain can have one local certificate for signature and one for encryption If a local certificate exists do not request a cert...

Page 148: ...btain the CA certificate local certificates and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency To do so use either the offline mode or the onlin...

Page 149: ...rocedure To obtain certificates Step Command Remarks 1 Enter system view system view N A 2 Import or obtain certificates Import certificates in offline mode pki import domain domain name der ca local...

Page 150: ...i retrieve crl domain domain name The newly obtained CRL overwrites the old one if any The obtained CRL must be issued by a CA certificate in the CA certificate chain in the current domain 8 Verify th...

Page 151: ...the PKI domain must have at least one local certificate Otherwise the export operation fails To back up or import certificates you can export the CA certificate and the local certificates in a PKI dom...

Page 152: ...ting with a certificate attribute group A certificate attribute group contains multiple attribute rules each defining a matching criterion for the issuer name subject name or alternative subject names...

Page 153: ...multiple statements for a certificate access control policy Displaying and maintaining PKI Execute display commands in any view Task Command Display the contents of a certificate display pki certifica...

Page 154: ...uding the common name CN organization unit OU organization O and country C You can use the default values for the other attributes 2 Configure extended attributes Enter the management interface for th...

Page 155: ...is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully 5 Request a l...

Page 156: ...01 X509v3 extensions X509v3 CRL Distribution Points Full Name DirName CN myca Signature Algorithm sha1WithRSAEncryption b0 9d d9 ac a0 9b 83 99 bf 9d 0a ca 12 99 58 60 d8 aa 73 54 61 4b a2 4c 09 bb 9f...

Page 157: ...icates issued by the CA to the RA b Right click the CA server in the navigation tree and select Properties Policy Module c Click Properties and then select Follow the settings in the certificate templ...

Page 158: ...public key local create rsa name abc The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1...

Page 159: ...3e c3 af fa 33 2c fc c2 ed b9 ee 60 83 b3 d3 e5 8e e5 02 cf b0 c8 f0 3a a4 b7 ac a0 2c 4d 47 5f 39 4b 2c 87 f2 ee ea d0 c3 d0 8e 2c 80 83 6f 39 86 92 98 1f d2 56 3b d7 94 d2 22 f4 df e3 f8 d1 b8 92 27...

Page 160: ...e c7 57 9d 7f 82 c7 46 06 7d 7c 39 c4 94 41 bd 9e 5c 97 86 c8 48 de 35 1e 80 14 02 09 ad 08 To display detailed information about the CA certificate use the display pki certificate domain command Cert...

Page 161: ...length 1024 bits Device pki domain openca public key rsa general name abc length 1024 Device pki domain openca quit 4 Generate a local RSA key pair Device public key local create rsa name abc The ran...

Page 162: ...5 f3 21 4d 3c 8e 63 8d f8 71 7d 28 a1 15 23 99 ed f9 a1 c3 be 74 0d f7 64 cf 0a dd 39 49 d7 3f 25 35 18 f4 1c 59 46 2b ec 0d 21 1d 00 05 8a bf ee ac 61 03 6c 1f 35 b5 b4 cd 86 9f 45 Exponent 65537 0x1...

Page 163: ...7f d2 50 ac a0 a3 9e 88 48 10 0b 4a 7d ed c1 03 9f 87 97 a3 5e 7d 75 1d ac 7b 6f bb 43 4d 12 17 9a 76 b0 bf 2f 6a cc 4b cd 3d a1 dd e0 dc 5a f3 7c fb c3 29 b0 12 49 5c 12 4c 51 6e 62 43 8b 73 b9 26 2a...

Page 164: ...ains the private key for signature and one is the local certificate file pkilocal pem encryption which contains the private key for encryption Display the local certificate file pkilocal pem signature...

Page 165: ...ample assumes CRL checking is not required DeviceB system view DeviceB pki domain importdomain DeviceB pki domain importdomain undo crl check enable Specify the RSA key pair for signature as sign and...

Page 166: ...98 db a7 c2 36 e2 86 90 55 c7 8c c5 ea 12 01 31 69 bf e3 91 71 ec 21 Exponent 65537 0x10001 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Cert Type SSL Client S MIME X509v3 Key Usage Di...

Page 167: ...1e 18 fb df 56 cb 6f a2 56 35 0d 39 94 34 6d 19 1d 46 d7 bf 1a 86 22 78 87 3e 67 fe 4b ed 37 3d d6 0a 1c 0b Certificate Data Version 3 0x2 Serial Number 08 7c 67 01 5c b3 5a 12 0f 2f Signature Algori...

Page 168: ...ture Algorithm sha256WithRSAEncryption 53 69 66 5f 93 f0 2f 8c 54 24 8f a2 f2 f1 29 fa 15 16 90 71 e2 98 e3 5c c6 e3 d4 5f 7a f6 a9 4f a2 7f ca af c4 c8 c7 2c c0 51 0a 45 d4 56 e2 81 30 41 be 9f 67 a1...

Page 169: ...of the device with the CA server 5 Specify the correct source IP address for PKI protocol packets that the CA server can accept 6 Verify the fingerprint information on the CA server Failed to obtain...

Page 170: ...ectly specified The required parameters are not configured for the PKI entity or are mistakenly configured No key pair is specified for the PKI domain for certificate request or the key pair is change...

Page 171: ...orrect in the PKI domain The CA does not issue CRLs The PKI domain is not specified with the source IP address of the PKI protocol packets that the CA server can accept or is specified with an incorre...

Page 172: ...e system time is wrong Solution 1 Obtain or import the CA certificate 2 Use undo crl check enable to disable CRL checking or obtain the proper CRLs 3 Make sure the format of the imported file is prope...

Page 173: ...he device Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set Analysis The specified storage path does not exist The specified storage path is illegal The di...

Page 174: ...e transfer The device can serve as an SFTP server allowing a remote user to log in to the SFTP server for secure file management and transfer The device can also serve as an SFTP client enabling a use...

Page 175: ...hentication request and sends the request to the server After receiving the request the SSH server decrypts the request to get the username and password in plain text examines the validity of the user...

Page 176: ...ed Enabling the SSH server function Required for Stelnet and SCP servers Required Enabling the SFTP server function Required for SFTP server Required Configuring the user interfaces for Stelnet client...

Page 177: ...encrypt the session key before transmitting the session key Because SSH2 uses the DH algorithm to separately generate the session key on the SSH server and the client no session key transmission is re...

Page 178: ...heme authentication mode scheme By default the authentication mode is password For more information about this command see Fundamentals Command Reference Configuring a client s host public key If the...

Page 179: ...public key view public key peer keyname N A 3 Configure a client s host public key Enter the content of the host public key When you enter the contents for a host public key you can use spaces and car...

Page 180: ...ept password authentication the other authentication methods require a client s host public key or digital certificate to be specified If a client directly sends the user s public key information to t...

Page 181: ...users When the number of online SSH users reaches the upper limit the system refuses new SSH connection requests To set the SSH management parameters Step Command Remarks 1 Enter system view system v...

Page 182: ...ageability of Stelnet clients in the authentication service H3C recommends that you specify a loopback interface as the source interface To specify a source IP address or source interface for the Stel...

Page 183: ...hentication by default When the device accesses an Stelnet server for the first time but it is not configured with the host public key of the SSH server it can access the server and locally save the s...

Page 184: ...eyname source interface interface type interface number ip ip address Establish a connection to an IPv6 Stelnet server In non FIPS mode ssh2 ipv6 server port number vpn instance vpn instance name i in...

Page 185: ...specify a loopback interface as the source interface To specify a source IP address or source interface for the SFTP client Step Command Remarks 1 Enter system view system view N A 2 Specify a source...

Page 186: ...erface number ip ip address In FIPS mode sftp server port number vpn instance vpn instance name identity key rsa prefer compress zlib prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 sha1 96 pref...

Page 187: ...ir remote path Available in SFTP client view Working with SFTP files Task Command Remarks Change the name of a file on the SFTP server rename old name new name Available in SFTP client view Download a...

Page 188: ...ection describes how to configure the device as an SCP client and transfer files with an SCP server When an SCP client accesses an SCP server it uses the locally saved host public key of the server to...

Page 189: ...96 publickey keyname source interface interface type interface number ip ip address Connect to the IPv6 SCP server and transfer files with this server In non FIPS mode scp ipv6 server port number vpn...

Page 190: ...eers display public key peer brief name publickey name Stelnet configuration examples This section provides examples of configuring Stelnet Unless otherwise noted devices in the configuration examples...

Page 191: ...ode for the user interfaces to AAA Switch user interface vty 0 15 Switch ui vty0 15 authentication mode scheme Switch ui vty0 15 quit Create a local device management user client001 with the plaintext...

Page 192: ...of the Stelnet server Figure 47 Specifying the host name or IP address c Click Open to connect to the server If the connection is successfully established the system asks you to enter the username an...

Page 193: ...procedure In the server configuration the client s host public key is required Use the client software to generate RSA key pairs on the client before configuring the Stelnet server There are differen...

Page 194: ...the green progress bar shown in Figure 50 Otherwise the progress bar stops moving and the key pair generating progress stops Figure 50 Generating process c After the key pair is generated click Save p...

Page 195: ...erate the RSA key pairs Switch system view Switch public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to...

Page 196: ...ey import sshkey key pub Create an SSH user client002 with the authentication method publickey and assign the public key switchkey to the user Switch ssh user client002 service type stelnet authentica...

Page 197: ...52 Specifying the host name or IP address c Select Connection SSH from the navigation tree The window shown in Figure 53 appears d Select 2 for the Preferred SSH protocol version Figure 53 Specifying...

Page 198: ...lished the system asks you to enter the username After entering the username client002 you can enter the CLI of the server Password authentication enabled Stelnet client configuration example Network...

Page 199: ...t client will use this address as the destination address of the SSH connection SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 1 40 255 255 255 0 SwitchB Vlan interface2...

Page 200: ...next time after entering the correct password If you configure the host public key of the server on the client perform the following configurations In public key view enter the host public key of ser...

Page 201: ...192 168 1 40 s password After you enter the correct password you successfully log in to Switch B Publickey authentication enabled Stelnet client configuration example Network requirements As shown in...

Page 202: ...he key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate a DSA key pair Switc...

Page 203: ...ion to the Stelnet server 192 168 1 40 SwitchA ssh2 192 168 1 40 Username client002 The server is not authenticated Continue Y N y Do you want to save the server public key Y N n You can log in to Rou...

Page 204: ...destination for SSH connection Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 1 45 255 255 255 0 Switch Vlan interface2 quit Create a local device management user named cl...

Page 205: ...d SFTP client configuration example Network requirements As shown in Figure 59 you can log in to Switch B through the SFTP client that runs on Switch A and are assigned the user role network admin to...

Page 206: ...chA public key local export rsa ssh2 pubkey SwitchA quit Transmit the public key file pubkey to the server through FTP or TFTP Details not shown 2 Configure the SFTP server Generate the RSA key pairs...

Page 207: ...client001 authorization attribute user role network admin work directory flash SwitchB luser manage client001 quit 3 Establish a connection to the SFTP server Establish a connection to the SFTP serve...

Page 208: ...pubkey2 from the server and save it as a local file public sftp get pubkey2 public Fetching pubkey2 to public pubkey2 100 225 1 4KB s 00 00 Upload the local file pu to the server save it as puk and ve...

Page 209: ...ange of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair su...

Page 210: ...ype password 2 Configure an IP address for VLAN interface 2 on the SCP client SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 2 255 255 255 0 Switch...

Page 211: ...tegrity SSL uses the message authentication code MAC to verify message integrity It uses a MAC algorithm and a key to transform a message of any length to a fixed length message Any change to the orig...

Page 212: ...nds alert messages to the receiving party An alert message contains the alert severity level and a description FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140 2 requ...

Page 213: ...ode ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha exp_rsa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4...

Page 214: ...e for the SSL client policy In non FIPS mode prefer cipher dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha exp_rsa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha...

Page 215: ...201 Task Command Display SSL server policy information display ssl server policy policy name Display SSL client policy information display ssl client policy policy name...

Page 216: ...n be statically configured or dynamically added NOTE IP source guard is a per interface packet filter The IP source guard function configured on one interface does not affect packet forwarding on anot...

Page 217: ...cation Such binding entries do not filter packets directly but help other modules such as the ARP detection module to provide security services For information about DHCP snooping DHCP relay and DHCP...

Page 218: ...packet s source IP address matches a dynamic binding entry If no match is found the packet is dropped To implement dynamic IPv4 source guard make sure the DHCP snooping or DHCP relay function operate...

Page 219: ...loopback group Enabling IPv6 source guard on an interface You must first enable the IPv6 source guard function on an interface before the interface can use static IPv6 binding entries to filter packet...

Page 220: ...entries display ip source binding static vpn instance vpn instance name dhcp relay dhcp server dhcp snooping ip address ip address mac address mac address vlan vlan id interface interface type interf...

Page 221: ...rnet1 0 2 ip verify source ip address mac address On Ten GigabitEthernet 1 0 2 configure a static IPv4 source guard binding entry to allow only IP packets with the source MAC address of 0001 0203 0405...

Page 222: ...ay static IPv4 source guard binding entries on Switch A The output shows that the static IPv4 source guard binding entries are configured successfully SwitchA display ip source binding static Total en...

Page 223: ...gabitEthernet1 0 2 quit 3 Configure IPv4 source guard on the switch Enable IPv4 source guard on port Ten GigabitEthernet 1 0 1 to filter packets based on both the source IP address and the MAC address...

Page 224: ...to filter packets based on both the source IP address and the MAC address Switch system view Switch interface vlan interface 100 Switch Vlan interface100 ip verify source ip address mac address Switch...

Page 225: ...t1 0 1 ipv6 verify source ip address mac address On port Ten GigabitEthernet 1 0 1 configure a static IPv6 source guard binding entry to allow only IPv6 packets with the source IPv6 address of 2001 1...

Page 226: ...t a glance Flood prevention Configuring unresolvable IP attack protection configured on gateways Configuring ARP source suppression Enabling ARP blackhole routing Configuring ARP packet rate limit con...

Page 227: ...ARP source suppression is disabled 3 Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds arp source suppression limit limit value By default the max...

Page 228: ...n and set the threshold to 100 Device system view Device arp source suppression enable Device arp source suppression limit 100 Enable ARP blackhole routing Device arp resolving route enable Configurin...

Page 229: ...ate limit is 100 pps NOTE If you configure ARP packet rate limit on an aggregate interface log messages are sent when the ARP packet receiving rate on a member interface exceeds the limit Configuring...

Page 230: ...NOTE When an ARP attack entry expires ARP packets sourced from the MAC address in the entry can be processed normally Displaying and maintaining source MAC based ARP attack detection Execute display c...

Page 231: ...ttack entries 4 Exclude the MAC address of the server from this detection Configuration procedure Enable source MAC based ARP attack detection and specify the handling method as filter Device system v...

Page 232: ...e acknowledgement Step Command Remarks 1 Enter system view system view N A 2 Enable the ARP active acknowledgement function arp active ack enable By default ARP active acknowledgement function is disa...

Page 233: ...ggregate interface view interface interface type interface number N A 6 Optional Configure the interface as a trusted interface excluded from ARP detection arp detection trust By default an interface...

Page 234: ...validity check as follows If the packets are ARP requests they are forwarded through the trusted interface If the packets are ARP replies they are forwarded according to their destination MAC address...

Page 235: ...view SwitchA dhcp enable SwitchA dhcp server ip pool 0 SwitchA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 3 Configure Host A DHCP client and Host B Details not shown 4 Configure Switch B Enable...

Page 236: ...a cybercafe With ARP automatic scanning enabled on an interface the device automatically scans neighbors on the interface sends ARP requests to the neighbors obtains their MAC addresses and creates d...

Page 237: ...ed gateway If yes it discards the packet If not it handles the packet normally Configuration guidelines Follow these guidelines when you configure ARP gateway protection You can enable ARP gateway pro...

Page 238: ...tethernet 1 0 2 SwitchB Ten GigabitEthernet1 0 2 arp filter source 10 1 1 1 After the configuration is complete Ten GigabitEthernet 1 0 1 and Ten GigabitEthernet 1 0 2 discard the incoming ARP packets...

Page 239: ...efault ARP filtering is disabled Configuration example Network requirements As shown in Figure 72 the IP and MAC addresses of Host A are 10 1 1 2 and 000f e349 1233 respectively The IP and MAC address...

Page 240: ...binding 10 1 1 3 000f e349 1234 After the configuration is complete Ten GigabitEthernet 1 0 1 permits ARP packets from Host A and discards other ARP packets Ten GigabitEthernet 1 0 2 permits ARP pack...

Page 241: ...ltaneously to block connections or even break down the network uRPF can prevent these source address spoofing attacks It checks whether an interface that receives a packet is the output interface of t...

Page 242: ...dress validity Discards packets with a source broadcast address Discards packets with an all zero source address but a non broadcast destination address A packet with source address 0 0 0 0 and destin...

Page 243: ...ntry If yes proceeds to step 8 If not proceeds to step 9 5 uRPF checks whether the source IP address matches an ARP entry If yes proceeds to step 8 If not proceeds to step 9 6 uRPF checks whether the...

Page 244: ...le the uRPF function on the switch the routing table size might decrease by half If the number of routes exceeds half the routing table size of the switch the uRPF function cannot be enabled to avoid...

Page 245: ...s shown in Figure 76 a client Switch A directly connects to an ISP switch Switch B Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks Figure 76 Network diagra...

Page 246: ...evice through a console port and then create a key pair for the SSH server The password for entering the device in FIPS mode must comply with the password control policies such as password length comp...

Page 247: ...non FIPS devices to create an IRF fabric To enable FIPS mode for an IRF fabric you must reboot the entire IRF fabric Configuring FIPS mode Entering FIPS mode After you enable FIPS mode and reboot the...

Page 248: ...thod 8 Save the configuration file and specify it as the startup configuration file 9 Delete the startup configuration file in binary format an mdb file 10 Reboot the device The system enters FIPS mod...

Page 249: ...trigger a self test If the power up self test fails the device where the self test process exists reboots If the conditional self test fails the system outputs self test failure information NOTE If a...

Page 250: ...oots To trigger a self test Step Command 1 Enter system view system view 2 Trigger a self test fips self test Displaying and maintaining FIPS Execute the display command in any view Task Command Displ...

Page 251: ...started login root Password First login or password reset For security reason you need to change your password Please enter your password old password new password confirm Updating user information P...

Page 252: ...the storage medium and specify it as the startup configuration file Sysname save The current configuration will be written to the device Are you sure Y N y Please input the file name cfg flash startup...

Page 253: ...239 confirm Updating user information Please wait Sysname Display the current FIPS mode state Sysname display fips status FIPS mode is enabled...

Page 254: ...ion Header AH Encapsulating Security Payload ESP Internet Key Exchange IKE and algorithms for authentication and encryption AH and ESP are security protocols that provide security services IKE perform...

Page 255: ...supports the following encapsulation modes Transport mode The security protocols protect the upper layer data of an IP packet Only the transport layer data is used to calculate the security protocol h...

Page 256: ...ESP header An SA can be set up manually or through IKE Manual mode Configure all parameters for the SA through commands This configuration mode is complex and does not support some advanced features...

Page 257: ...rameters used for the protection Apply the IPsec policy to an interface When you apply an IPsec policy to an interface you implement IPsec based on the interface Packets received and sent by the inter...

Page 258: ...ts Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode IPsec tunnel establishment The switch supports establishing only ACL based IPsec tunnel...

Page 259: ...the IPsec policy to an interface Complete the following tasks to configure ACL based IPsec Tasks at a glance Required Configuring an ACL Required Configuring an IPsec transform set Required Configure...

Page 260: ...scope and matching order relative to permit statements. The policy entries in an IPsec policy have different match priorities. ACL rule conflicts between them are prone to cause mistreatment of packets...

Page 261: ...tication algorithm for AH in non-FIPS mode: ah authentication-algorithm { md5 | sha1 }. Specify the authentication algorithm for AH in FIPS mode: ah authentication-algorithm sha1. Configure at least one command...

Page 262: ...mary IPv4 address of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface appli...

Page 263: ...SA: sa spi outbound { ah | esp } spi-number. By default, no SPI is configured for the inbound or outbound IPsec SA. 8. Configure keys for the IPsec SA: Configure an authentication key in hexadecimal format for AH...

Page 264: ...ers. An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no matc...

Page 265: ...the local IKE identity. 8. Specify the remote IP address of the IPsec tunnel: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }. By default, the remote IP address of the IPsec tunnel is not spec...

Page 266: ...ost. By default, no ACL is specified for the IPsec policy template. An IPsec policy template can reference only one ACL. 5. Specify the IPsec transform sets for the IPsec policy template to reference: trans...

Page 267: ...remove the application of the IPsec policy. In addition to VLAN interfaces, you can apply an IPsec policy to tunnel interfaces to protect GRE flows. For each packet to be sent out of an interface applied...

Page 268: ...against replay attacks by using a sliding window mechanism called the anti-replay window. This function checks the sequence number of each received IPsec packet against the current IPsec packet seque...

Page 269: ...a core device is usually connected to an ISP through two links, which operate in backup or load-sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively. When one i...

Page 270: ...eq-number [ isakmp | manual ]. To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number. Use either command. 3. Enable QoS pre-classify: qos pre-classify. By default...

Page 271: ...s: 1. Enter system view: system-view (N/A). 2. Enter interface view: interface interface-type interface-number (N/A). 3. Configure the DF bit of IPsec packets on the interface: ipsec df-bit { clear | copy | set }. By defau...

Page 272: ...ckets. Network requirements: As shown in Figure 80, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches. Configure the tunnel as follows: Specify the encapsul...

Page 273: ...tbound SA keys for ESP.
[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
[SwitchA-ipsec-policy-m...

Page 274: ...gfedcba
[SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-policy-manual-use1-10] quit
# Apply the IPsec policy use1 to interface VLAN-interface 1.
[SwitchB] interfa...
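The manual-mode example on pages 272 to 274 reaches this page only as fragments. What follows is an added, complete configuration for both switches written in the manual's Comware CLI style; it is not the manual's own listing. ACL 3101, the policy names map1 and use1, the transform set tran1 and the string keys abcdefg/gfedcba are reused from the fragments; the addresses 1.1.1.1 and 2.2.2.2, the SPI values, the AES-128/SHA-1 transform and the comment lines are assumptions made for the example.

```text
# ===== Switch A (assumed address 1.1.1.1/24 on VLAN-interface 1) =====
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 1.1.1.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# ACL 3101 selects the flow to protect (A -> B). Switch B needs the mirror image (B -> A).
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchA-acl-adv-3101] quit
# Transform set: tunnel-mode ESP with AES-128 and SHA-1 (assumed; avoid DES and MD5,
# and note that FIPS mode only allows SHA-1 for authentication).
[SwitchA] ipsec transform-set tran1
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchA-ipsec-transform-set-tran1] protocol esp
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Manual policy: SPIs and keys are static. A's outbound SA is B's inbound SA, so the
# outbound SPI and key here must equal the inbound SPI and key on B, and vice versa.
# The SPIs 12345/54321 are placeholders; the keys are the fragments' placeholders, not real keys.
[SwitchA] ipsec policy map1 10 manual
[SwitchA-ipsec-policy-manual-map1-10] security acl 3101
[SwitchA-ipsec-policy-manual-map1-10] transform-set tran1
[SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.2.2
[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
[SwitchA-ipsec-policy-manual-map1-10] quit
# Apply the policy; only traffic matching ACL 3101 on this interface is protected.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
[SwitchA-Vlan-interface1] quit

# ===== Switch B (assumed address 2.2.2.2/24): mirror image of Switch A =====
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
[SwitchB-Vlan-interface1] quit
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[SwitchB-acl-adv-3101] quit
[SwitchB] ipsec transform-set tran1
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchB-ipsec-transform-set-tran1] protocol esp
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
[SwitchB] ipsec policy use1 10 manual
[SwitchB-ipsec-policy-manual-use1-10] security acl 3101
[SwitchB-ipsec-policy-manual-use1-10] transform-set tran1
[SwitchB-ipsec-policy-manual-use1-10] remote-address 1.1.1.1
# Swapped relative to A: B's outbound = A's inbound, B's inbound = A's outbound.
[SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
[SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-policy-manual-use1-10] quit
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
[SwitchB-Vlan-interface1] quit

# ===== Check (either side) =====
# Manual SAs exist as soon as the policy is applied: one inbound and one outbound ESP SA
# with the SPIs above should be listed, and the ESP counters should grow after a ping.
[SwitchA] display ipsec sa
[SwitchA] display ipsec statistics
```

Manual SAs are never rekeyed and their sequence numbers are never renegotiated when they overflow, so this mode is suited to labs and interoperability tests; the IKE-based policy (page 278 lists what it adds) is the production choice.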

Page 275: ...lan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Define an ACL to identify data flows from Switch A to Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit i...

Page 276: ...akmp-map1-10] ike-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy map1 to interface VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec ap...

Page 277: ...policy-isakmp-use1-10] security acl 3101
# Apply the IPsec transform set tran1.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2...

Page 278: ...e shared keys, making sure each SA has a key independent of other keys. Automatically negotiates SAs when the sequence number in the AH or ESP header overflows, making sure IPsec can provide the anti-rep...

Page 279: ...tion mechanisms and supports secure identity authentication, key distribution, and IPsec SA establishment on insecure networks. Identity authentication: The IKE identity authentication mechanism is used t...

Page 280: ...irements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. IKE configuration prerequisites: Determine the following parameters prior to IKE c...

Page 281: ...responder, it uses the IKE negotiation mode of the initiator. 4. Specifies the IKE proposals that the device can use as the initiator. An IKE proposal specified earlier has a higher priority. When the devi...

Page 282: ...I domain used to request a certificate for digital signature authentication. To specify the keychain for pre-shared key authentication: keychain keychain-name. To specify the PKI domain used to request a...

Page 283: ...ou can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority. Two peers mus...

Page 284: ...1 (the 768-bit DH group) is used in non-FIPS mode, and DH group 14 (the 2048-bit DH group) is used in FIPS mode. 7. Set the IKE SA lifetime for the IKE proposal: sa duration seconds. By default, the IKE SA lifetime...

Page 285: ...nterface or IP address. 5. (Optional.) Specify a priority for the IKE keychain: priority number. The default priority is 100. Configuring the global identity information: Follow these guidelines when you confi...

Page 286: ...ve function unless IKE DPD is not supported on the peer. The IKE keepalive function sends keepalives at regular intervals, which consumes network bandwidth and resources. The keepalive timeout time confi...

Page 287: ...aximum of two retries. 4. If the local device receives no response after two retries, the device considers the peer dead and deletes the IKE SA along with the IPsec SAs it negotiated. 5. If the local de...

Page 288: ...ery is disabled. Setting the maximum number of IKE SAs: You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. The supported maximum number of half-open IKE SA...

Page 289: ...erface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 1.1.1.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Configure ACL 3101 to identify traffic from Switch...

Page 290: ...ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IPsec transform set tran1 for the IPsec policy.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify IKE profile profile1 for the IPse...

Page 291: ...1.1.1.1 255.255.255.0
[SwitchB-ike-profile-profile1] quit
# Create an IPsec policy entry and specify the IPsec policy name as use1, the sequence number as 10, and the IPsec SA setup mode as IKE.
[SwitchB] ips...
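The IKE-based examples on pages 275 to 277 and 289 to 291 arrive as fragments too, and the troubleshooting steps on pages 292 to 296 refer to their output. Below is one added, complete configuration for both switches in Comware CLI style, not the manual's listing, followed by the checks those troubleshooting pages call for. ACL 3101, tran1, map1/use1 and profile1 are reused from the fragments; the addresses 1.1.1.1 and 2.2.2.2, the keychain name keychain1, proposal number 1, AES-128/SHA-1, DH group 14, the DPD timers and the placeholder pre-shared key are assumptions made for the example.

```text
# ===== Switch A (assumed 1.1.1.1/24 on VLAN-interface 1, addressed as on page 289) =====
<SwitchA> system-view
# ACL 3101: flow A -> B. The responder's ACL must cover at least the reverse flow (page 296).
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchA-acl-adv-3101] quit
# IPsec transform set (assumed AES-128 / SHA-1, tunnel mode).
[SwitchA] ipsec transform-set tran1
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchA-ipsec-transform-set-tran1] protocol esp
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# IKE proposal 1: the lower the number, the higher the priority; the peer needs a matching one.
# DH group 14 (2048-bit) is the FIPS-mode default on page 284; the non-FIPS default group 1 is too weak.
[SwitchA] ike proposal 1
[SwitchA-ike-proposal-1] encryption-algorithm aes-cbc-128
[SwitchA-ike-proposal-1] authentication-algorithm sha
[SwitchA-ike-proposal-1] authentication-method pre-share
[SwitchA-ike-proposal-1] dh group14
[SwitchA-ike-proposal-1] quit
# Pre-shared key bound to the peer's address. The key string is a placeholder; use a long random value.
[SwitchA] ike keychain keychain1
[SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple ReplaceWithLongRandomPSK
[SwitchA-ike-keychain-keychain1] quit
# IKE profile: keychain, proposal, local identity and the peer identity this tunnel accepts.
# On-demand DPD deletes the IKE SA and its IPsec SAs when the peer stops answering (page 287).
[SwitchA] ike profile profile1
[SwitchA-ike-profile-profile1] keychain keychain1
[SwitchA-ike-profile-profile1] proposal 1
[SwitchA-ike-profile-profile1] local-identity address 1.1.1.1
[SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[SwitchA-ike-profile-profile1] dpd interval 10 retry 5 on-demand
[SwitchA-ike-profile-profile1] quit
# IKE-based (isakmp) IPsec policy: SPIs and keys are negotiated, not typed in.
[SwitchA] ipsec policy map1 10 isakmp
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
[SwitchA-ipsec-policy-isakmp-map1-10] local-address 1.1.1.1
[SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
[SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
[SwitchA-Vlan-interface1] quit

# ===== Switch B (assumed 2.2.2.2/24): same structure with the two addresses swapped =====
<SwitchB> system-view
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[SwitchB-acl-adv-3101] quit
[SwitchB] ipsec transform-set tran1
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchB-ipsec-transform-set-tran1] protocol esp
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
[SwitchB] ike proposal 1
[SwitchB-ike-proposal-1] encryption-algorithm aes-cbc-128
[SwitchB-ike-proposal-1] authentication-algorithm sha
[SwitchB-ike-proposal-1] authentication-method pre-share
[SwitchB-ike-proposal-1] dh group14
[SwitchB-ike-proposal-1] quit
[SwitchB] ike keychain keychain1
[SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple ReplaceWithLongRandomPSK
[SwitchB-ike-keychain-keychain1] quit
[SwitchB] ike profile profile1
[SwitchB-ike-profile-profile1] keychain keychain1
[SwitchB-ike-profile-profile1] proposal 1
[SwitchB-ike-profile-profile1] local-identity address 2.2.2.2
[SwitchB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[SwitchB-ike-profile-profile1] dpd interval 10 retry 5 on-demand
[SwitchB-ike-profile-profile1] quit
[SwitchB] ipsec policy use1 10 isakmp
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
[SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.2.2
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
[SwitchB-Vlan-interface1] quit

# ===== Verification, in the order pages 292 to 296 troubleshoot =====
# 1. Proposals must match on both ends (algorithms, DH group, authentication method).
[SwitchA] display ike proposal
# 2. After traffic matching ACL 3101 is sent, the IKE SA should reach RD state.
[SwitchA] display ike sa
# 3. If the IKE SA is up but no IPsec SA appears, compare the ACLs: the responder's rule
#    must be the mirror image of the initiator's and cover an equal or larger flow range.
[SwitchA] display ipsec sa
[SwitchA] display acl 3101
```

Unlike the manual-mode policy, nothing here has to be kept in lock-step by hand except the pre-shared key, the proposal and the mirror-image ACLs; those three are exactly what the troubleshooting pages tell you to compare first.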

Page 292: ...roposal settings are incorrect. Solution: 1. Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals. 2. Modify the IKE proposal configuration to make sure the two en...

Page 293: ...eeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet. 2. The following IKE debugging message appeared: The attributes are unac...

Page 294: ...e
Transmitting entity: Responder
Local IP: 192.168.222.5
Local ID type: IPV4_ADDR
Local ID: 192.168.222.5
Remote IP: 192.168.222.71
Remote ID type: IPV4_ADDR
Remote ID: 192.168.222.71
Authentication method: P...

Page 295: ...0.0.0.0 255
On the responder:
<Sysname> display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
3. Verify that the IPsec...

Page 296: ...s ACL so the ACL defines a flow range equal to or greater than that of the initiator's ACL. For example:
<Sysname> display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit ip so...

Page 297: ...e 86 port security client macAddressElseUserLoginSecure configuration 99 port security client userLoginWithOUI configuration 96 port security configuration 86 89 95 port security feature configuration...

Page 298: ...units 25 RADIUS username format 25 scheme configuration 18 SSH user local authentication HWTACACS authorization RADIUS accounting 46 troubleshooting HWTACACS 57 troubleshooting LDAP 57 troubleshooting...

Page 299: ...AAA HWTACACS scheme configuration 30 security AAA LDAP administrator attribute configuration 38 security AAA LDAP scheme configuration 36 security AAA LDAP user attribute configuration 38 security AAA...

Page 300: ...104 107 111 security SSH configuration 160 security SSH methods 161 security SSH SCP file transfer with password authentication 194 security SSH server configuration 162 security SSH SFTP client pu...

Page 301: ...802 1X authentication 63 security 802 1X authentication access device initiated 63 security 802 1X authentication client initiated 62 security 802 1X authentication client timeout timer 71 security 80...

Page 302: ...curity IPsec IKE main mode pre shared key authentication 275 security IPsec IKE DPD 273 security IPsec IKE global identity information 271 security IPsec IKE keepalive function 272 security IPsec IKE...

Page 303: ...eme 39 security AAA RADIUS scheme 22 security LDAP server 37 security local key pair 116 CRL security PKI 125 security PKI architecture 126 security PKI CA policy 126 security PKI certificate access...

Page 304: ...rs 109 security password setting 104 security SFTP server function enable 164 security SSH SCP client configuration 174 security SSH server configuration 162 security SSH server function enable 163 se...

Page 305: ...uthentication domain 73 security AAA ISP domain accounting methods configuration 43 security AAA ISP domain authentication methods 41 security AAA ISP domain authorization methods 42 security AAA ISP...

Page 306: ...rity IPsec encryption algorithm AES 243 security IPsec encryption algorithm DES 243 security IPsec IKE based tunnel for IPv4 packets configuration 261 security IPsec tunnel for IPv4 packets configurat...

Page 307: ...171 security SSH SFTP client publickey authentication 191 security SSH SFTP client source IP address interface 171 security SSH SFTP configuration 189 security SSH SFTP directories 173 security SSH S...

Page 308: ...configuration 272 negotiation 264 negotiation failure no proposal or keychain referenced correctly 278 negotiation failure troubleshooting no proposal match 278 PFS 266 profile configuration 267 propo...

Page 309: ...n algorithms 243 FIPS compliance 244 IKE configuration 264 266 IKE configuration main mode pre shared key authentication 275 IKE DPD configuration 273 IKE global identity information configuration 271...

Page 310: ...AAA ISP domain authorization methods 42 security AAA ISP domain creation 40 security AAA ISP domain methods configuration 39 security AAA ISP domain status configuration 40 K keepalive security IPsec...

Page 311: ...See MAC address authentication See MAC authentication security SSL services 197 MAC address MAC local authentication configuration 82 MAC RADIUS based authentication configuration 84 security 802 1X a...

Page 312: ...ecure mode 86 port security macAddressWithRadius authentication 89 port security secure MAC learning control mode 88 security 802 1X EAP relay termination comparison 64 security 802 1X multicast trigg...

Page 313: ...DAP implementation 9 security AAA LDAP scheme configuration 36 security AAA local user configuration 18 security AAA MPLS L3VPN implementation 13 security AAA network access user configuration 18 secu...

Page 314: ...ecurity SSH management parameters 167 security SSH SCP client device configuration 174 security SSH server configuration 162 security SSH server function enable 163 security SSH SFTP client device con...

Page 315: ...SH SCP file transfer with password authentication 194 security SSH SFTP client publickey authentication 191 security SSH SFTP configuration 189 security SSH SFTP server password authentication 189 sec...

Page 316: ...sword control user group parameters 109 security super password control parameters 110 setting security SSH management parameters 167 password security SSH password authentication 161 security SSH pa...

Page 317: ...2003 CA server certificate request configuration 142 policy security AAA RADIUS security policy server IP address configuration 29 security IPsec application to interface 253 security IPsec configurat...

Page 318: ...68 configuring security 802 1X authentication 75 configuring security 802 1X online user handshake function 72 configuring security 802 1X quiet timer 74 configuring security AAA 17 configuring securi...

Page 319: ...et DF bit 256 configuring security IPsec policy IKE based 250 configuring security IPsec policy IKE based direct 250 configuring security IPsec policy IKE based template 251 configuring security IPsec...

Page 320: ...aying security AAA RADIUS 30 displaying security ARP detection 220 displaying security ARP source MAC based attack detection 216 displaying security ARP unresolvable IP attack protection 213 displayin...

Page 321: ...y AAA HWTACACS traffic statistics unit 33 setting security AAA HWTACACS username format 33 setting security AAA LDAP server timeout period 37 setting security AAA RADIUS max request transmission attem...

Page 322: ...rifying PKI certificate verification CRL checking 135 verifying security PKI certificate 135 verifying security PKI certificate verification without CRL checking 136 working with SSH SFTP directories...

Page 323: ...e Authentication attribute 62 security MAC authentication 78 security MAC RADIUS based authentication configuration 84 security policy server IP address configuration 29 server quiet timer 28 server r...

Page 324: ...application 160 secure shell Use SSH Secure Sockets Layer Use SSL security 802 1X access control method 70 802 1X authentication configuration 75 802 1X authentication request max number attempts 71...

Page 325: ...lic key save to file 118 IP 240 See also IPsec IP source guard configuration 202 203 206 IP source guard static binding entry 202 IPsec ACL de encapsulated packet check 254 IPsec ACL based implementa...

Page 326: ...rt from file 119 peer public key entry 119 120 PKI applications 127 PKI architecture 126 PKI CA certificate failure 155 PKI CA certificate import failure 157 PKI CA policy 126 PKI CA storage path sp...

Page 327: ...ng AAA RADIUS packet delivery failure 56 troubleshooting LDAP 57 uRPF configuration 227 230 231 server port security authorization information 94 security 802 1X authentication configuration 75 securi...

Page 328: ...counting server parameters 23 security AAA RADIUS authentication server 23 security AAA RADIUS outgoing packet source IP address 27 security AAA RADIUS scheme VPN 24 security AAA RADIUS shared keys 24...

Page 329: ...ffic statistics units 25 status security AAA ISP domain status configuration 40 Stelnet client device configuration 168 client password authentication 184 client publickey authentication 187 client so...

Page 330: ...ACS 57 security AAA LDAP 57 security AAA RADIUS 56 security AAA RADIUS accounting error 57 security AAA RADIUS authentication failure 56 security AAA RADIUS packet delivery failure 56 security IPsec I...

Page 331: ...rity password history 106 security password max user account idle time 106 security password not displayed 106 security password setting 104 security password updating 105 105 security password user f...

Page 332: ...128 security PKI entity configuration 128 Windows 2003 security PKI CA server certificate request 142 WLAN port security client macAddressElseUserLoginSecure configuration 99 port security client use...