H3C S9500E Series Security Configuration Manual Download

Page: 52 / 207

To do…

Use the command…

Remarks

Specify the primary

HWTACACS accounting server

primary accounting

ip-address

[

port-number

vpn-instance

vpn-instance-name

] *

Required
Configure at least one of the

commands
No accounting server by default

Specify the secondary

HWTACACS accounting server

secondary accounting

ip-

address

[

port-number

vpn-

instance

vpn-instance-name

] *

Enable the switch to buffer stop-
accounting requests getting no

responses

stop-accounting-buffer
enable

Optional
Enabled by default

Set the maximum number of

stop-accounting request
transmission attempts

retry stop-accounting

retry-

times

Optional
100 by default

•

It is recommended to specify only the primary HWTACACS accounting server if backup is not required.

•

If both the primary and secondary accounting servers are specified, the secondary one is used when the
primary one is not reachable.

•

The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the
configuration fails.

•

You can remove an accounting server only when no active TCP connection for sending accounting
packets is using it.

•

Currently, HWTACACS does not support keeping accounts on FTP users.

Setting the shared key for HWTACACS packets

When using an HWTACACS server as an AAA server, you can set a key to secure the
communications between the switch and the HWTACACS server.
The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets

exchanged between them and a shared key to verify the packets. Only when the same key is used

can they properly receive the packets and make responses.
Follow these steps to set the shared key for HWTACACS packets:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter HWTACACS scheme view

hwtacacs scheme

hwtacacs-scheme-

name

—

Set the shared keys for HWTACACS
authentication, authorization, and

accounting packets

key

{

accounting

authentication

authorization

}

string

Required
No shared key exists by

default.

Summary of Contents for S9500E Series

Page 1: ...H3C S9500E Series Routing Switches Security Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com...

Page 2: ...hou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without n...

Page 3: ...th the S9500E series Conventions This section describes the conventions used in this documentation set Command conventions Convention Description Boldface Bold text represents commands and keywords th...

Page 4: ...older Symbols Convention Description Means reader be extremely careful Improper operation may cause bodily injury Means reader be careful Improper operation may cause data loss or damage to equipment...

Page 5: ...ide Guides you through installing SFP SFP XFP transceiver modules Adjustable Slider Rail Installation Guide Guides you through installing adjustable slider rails to a rack H3C High End Network Product...

Page 6: ...6...

Page 7: ...chnical Documents Provides hardware installation software upgrading and software feature configuration and maintenance documentation Products Solutions Provides information about products and technolo...

Page 8: ...isites 28 Creating an ISP domain 28 Configuring ISP domain attributes 29 Configuring AAA authentication method for an ISP domain 30 Configuring AAA authorization methods for an ISP domain 31 Configuri...

Page 9: ...packets 52 Configuring attributes related to the data sent to HWTACACS server 53 Specifying the source IP address for HWTACACS packets to be sent 53 Setting timers regarding HWTACACS servers 54 Displ...

Page 10: ...89 Displaying and maintaining MAC authentication 90 MAC authentication configuration examples 91 Local MAC authentication configuration 91 RADIUS based MAC authentication configuration 92 Portal confi...

Page 11: ...0 Introduction to SSH2 0 120 Operation of SSH 120 Configuring the device as an SSH server 123 Enabling SSH server 123 Configuring the user interfaces for SSH clients 123 Configuring a client public ke...

Page 12: ...source guard binding function configuration example I 157 Dynamic IP source guard binding function configuration example II 159 Troubleshooting IP source guard 160 Failed to configure static binding e...

Page 13: ...gister your product 175 Purchase value added services 175 Troubleshoot online 175 Access software downloads 176 Telephone technical support and repair 176 Contact us 176 Appendix A RADIUS attributes 1...

Page 14: ...n the rights to access other networks or network resources the NAS authenticates you or the corresponding connection The NAS can transparently pass your AAA information to the server RADIUS server or...

Page 15: ...ient server model RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required Based on UDP RADIUS use...

Page 16: ...n a RADIUS client and the RADIUS server is authenticated with a shared key that is never transmitted over the network This enhances information exchange security and prevents user passwords from being...

Page 17: ...sage 4 The RADIUS client permits or denies the user according to the returned authentication result If it permits the user it sends a start accounting request Accounting Request to the RADIUS server 5...

Page 18: ...the authentication succeeds the server sends an Access Accept response 3 Access Reject From the server to the client If any attribute value carried in the Access Request is unacceptable the server re...

Page 19: ...details of the request or response This field is represented in triplets of Type Length and Value Type One byte in the range 1 to 255 It indicates the type of the attribute See Table 2 for commonly u...

Page 20: ...in LAT Port 1 7 unassigned 6 4 Tunnel Type 1 8 Reply Message 6 5 Tunnel Medium Type 1 9 Callback Number 6 6 Tunnel Client Endpoint 2 0 Callback ID 6 7 Tunnel Server Endpoint 2 1 unassigned 6 8 Acct Tu...

Page 21: ...8 2 Tunnel Assignment id 3 6 Login LAT Group 8 3 Tunnel Preference 3 7 Framed AppleTalk Link 8 4 ARAP Challenge Response 3 8 Framed AppleTalk Network 8 5 Acct Interim Interval 3 9 Framed AppleTalk Zo...

Page 22: ...e contents of the sub attribute Figure 5 Segment of a RADIUS packet containing an extended attribute Introduction to HWTACACS HW Terminal Access Controller Access Control System HWTACACS is an enhance...

Page 23: ...Protocol packets are simple and authorization is combined with authentication Supports authorized use of configuration commands The user level and AAA authorization determine which commands you can us...

Page 24: ...er 3 The HWTACACS server sends back an authentication response requesting the username 4 Upon receiving the response the HWTACACS client asks the user for the username 5 The user inputs the username 6...

Page 25: ...accounting response indicating that it has received the start accounting request 17 The user logs off 18 The HWTACACS client sends a stop accounting request to the HWTACACS server 19 The HWTACACS serv...

Page 26: ...authenticated you can deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs Figure 8 shows that with the AAA across VPNs feature the PE device at the left side o...

Page 27: ...onfigure local users and related attributes including usernames and passwords of the users to be authenticated Remote authentication Configure the required RADIUS and or HWTACACS schemes and configure...

Page 28: ...me first For RADIUS scheme configuration see Configuring RADIUS For HWTACACS scheme configuration see Configuring HWTACACS Creating an ISP domain In a networking scenario with multiple ISPs an access...

Page 29: ...P domain view domain Isp name 3 Place the ISP domain to the state of active or blocked state active block Optional When created an ISP domain is in the active state by default and users in the domain...

Page 30: ...centralized authentication for multiple devices You can configure local authentication as the backup in case the remote server is not available You can configure AAA authentication to work alone witho...

Page 31: ...ng AAA authorization methods for an ISP domain In AAA authorization is a separate process at the same level as authentication and accounting Its responsibility is to send authorization requests to the...

Page 32: ...s scheme name local local none radius scheme radius scheme name local Optional local by default 4 Specify the authorization method for command line users authorization command hwtacacs scheme hwtacacs...

Page 33: ...nted on the access device collects statistics on the number of users and controls the number of local user connections It does not provide statistics for user charge Remote accounting scheme The acces...

Page 34: ...heme name local keyword and argument combination configured local accounting is used only when the remote server is not available If the primary accounting method is local or none the system performs...

Page 35: ...maximum number of user connections using the local user account access limit max user number Optional By default there is no limit on the maximum number of user connections using the same local user a...

Page 36: ...not pass authentication In authentication methods that require a username and password local authentication RADIUS authentication and HWTACACS authentication the level of the user determines the comma...

Page 37: ...own AAA user connections forcibly IRF mode cut connection all domain isp name ucibindex ucib index user name user name chassis chassis number slot slot number Required Applies to only LAN access and p...

Page 38: ...slot number Available in any view 6 Display configuration information about a specified user group or all user groups display user group group name Available in any view Configuring RADIUS The RADIUS...

Page 39: ...ame 3 Specify a VPN instance for the RADIUS scheme vpn instance vpn instance name Required Currently the VPN instance specified with the vpn instance command is not effective for IPv6 authentication a...

Page 40: ...and relevant parameters Follow these steps to specify the RADIUS accounting servers and perform related configurations To do Use the command Remarks 1 Enter system view system view 2 Enter RADIUS sch...

Page 41: ...user when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request The IP addresses of the primary and secondar...

Page 42: ...S packets retry retry times Optional 3 by default The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 For...

Page 43: ...s of a user starts the switch keeps sending the user s real time accounting requests and stop accounting requests to the same accounting server If you remove the accounting server real time accounting...

Page 44: ...rap accounting server down authentication server down Optional Disabled by default 3 Enter RADIUS scheme view radius scheme radius scheme name 4 Specify the format of the username to be sent to a RADI...

Page 45: ...e ratio check the configurations on the NAS and the RADIUS server and the communications between them Follow these steps to enable the RADIUS trap function To do Use the command Remarks 1 Enter system...

Page 46: ...S request authentication authorization or accounting request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response tim...

Page 47: ...find an available server When a number of secondary servers are configured the client connections of access modules that have a short client connection timeout period may still be timed out during ini...

Page 48: ...ter system view system view 2 Enable the listening port of the RADIUS client radius client enable Optional Enabled by default Specifying to interpret RADIUS class attribute as CAR parameters According...

Page 49: ...unting requests that get no responses IRF mode display stop accounting buffer radius scheme radius scheme name session id session id time range start time stop time user name user name chassis chassis...

Page 50: ...ifying a server for the scheme the server belongs to the specific VPN instance Follow these steps to specify a VPN instance for an HWTACACS scheme To do Use the command Remarks 1 Enter system view sys...

Page 51: ...ss port number vpn instance vpn instance name Required Configure at least one of the commands No authorization server by default 4 Specify the secondary HWTACACS authorization server secondary authori...

Page 52: ...esses of the primary and secondary accounting servers cannot be the same Otherwise the configuration fails You can remove an accounting server only when no active TCP connection for sending accounting...

Page 53: ...e the switch to remove the domain name before sending the username to the server Specifying the source IP address for HWTACACS packets to be sent You can specify an IP address as the source address fo...

Page 54: ...servers To do Use the command Remarks 1 Enter system view system view 2 Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name 3 Set the HWTACACS server response timeout timer timer response...

Page 55: ...ew 5 Clear HWTACACS statistics standalone mode reset hwtacacs statistics accounting all authentication authorization slot slot number Available in user view 6 Clear HWTACACS statistics IRF mode reset...

Page 56: ...ious interfaces omitted Enable the Telnet server on the switch Switch system view Switch telnet server enable Configure the switch to use AAA for Telnet users Switch user interface vty 0 4 Switch ui v...

Page 57: ...bbb for authentication using domain bbb AAA for telnet users by separate servers Network requirements Configure the switch to provide local authentication HWTACACS authorization and RADIUS accounting...

Page 58: ...ch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the RADIUS scheme Switch radius scheme rd Switch radius rd primary...

Page 59: ...the RADIUS server to provide authentication authorization and accounting services for SSH users The IP address of the RADIUS server is 10 1 1 1 24 Set both the shared keys for authentication and acco...

Page 60: ...H3C as the access device type e Select the access device from the device list or manually add the device with the IP address of 10 1 1 2 f Click OK to finish the operation Figure 13 Add an access dev...

Page 61: ...face 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs...

Page 62: ...rad quit Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login radius scheme rad Switch isp bbb authorization login radius scheme rad Switch isp bbb accountin...

Page 63: ...by other applications Solution Check that 1 The communication links between the NAS and the RADIUS server work well at both physical and link layers 2 The IP address of the RADIUS server is correctly...

Page 64: ...64 Troubleshooting HWTACACS Refer to Troubleshooting RADIUS if you encounter an HWTACACS fault...

Page 65: ...l over LAN EAPOL Device residing at the other end of the LAN segment is the entity that authenticates connected clients Device is usually an 802 1X enabled network device and provides access ports for...

Page 66: ...ays send and receive authentication packets The controlled port is open to allow data traffic to pass only when it is in the authorized state The controlled port and uncontrolled port are two parts of...

Page 67: ...s and switches over LANs Figure 17shows the EAPOL packet format See Figure 17 Figure 17 EAPOL packet format PAE Ethernet type Protocol type It takes the value 0x888E Protocol version Version of the EA...

Page 68: ...of the EAP packet including the Code Identifier Length and Data fields in bytes Data Content of the EAP packet This field is zero or more bytes and its format is determined by the Code field EAP over...

Page 69: ...st MAC address as the destination address Currently the iNode 802 1X client is required for the client to send EAPOL Start packets Unsolicited triggering by the device z The switch can trigger authent...

Page 70: ...hentication process 2 Upon receiving the EAPOL Start packet the switch responds with an EAP Request Identity packet for the username of the client 3 When the client receives the EAP Request Identity p...

Page 71: ...cally sends handshake requests to the client to check whether the client is still online By default if two consecutive handshake attempts end up with failure the switch concludes that the client has l...

Page 72: ...or encrypting the user password information in EAP termination authentication process Consequently the switch sends the challenge together with the username and encrypted password information from the...

Page 73: ...est packet to the authentication server it starts this timer If this timer expires but it receives no response from the server it retransmits the request Handshake timer handshake period After a clien...

Page 74: ...er initiates authentication on the port in a certain period of time 90 seconds by default the port will be added to the guest VLAN and all users accessing the port will be authorized to access the res...

Page 75: ...signs no VLAN the port returns to its initial VLAN After the client logs off the port still stays in its initial VLAN If the user initiates authentication again and passes the authentication the switc...

Page 76: ...bled by default 3 Specify the authentication method dot1x authentication method chap eap pap Optional CHAP by default 4 Specify the port authorization mode for specified or all ports dot1x port contro...

Page 77: ...tions and configurations on a port lies in the applicable scope If both a global setting and a local setting exist for an argument of a port the one configured later takes effect When enabling both po...

Page 78: ...this case you can configure the user name format command but it does not take effect For information about the user name format command see AAA in the Security Command Reference If the username of a...

Page 79: ...steps to configure the multicast trigger function To do Use the command Remarks 1 Enter system view system view 2 Enter Ethernet interface view interface interface type interface number 3 Enable the...

Page 80: ...er Ethernet interface view interface interface type interface number 3 Enable periodic re authentication dot1x re authenticate Required Disabled by default After an 802 1X user passes authentication i...

Page 81: ...ce view interface interface type interface number dot1x guest vlan guest vlan id Different ports can be configured with different guest VLANs but a port can be configured with only one guest VLAN Conf...

Page 82: ...figuration example By default Ethernet interfaces VLAN interfaces and aggregate interfaces are in the state of DOWN To configure such an interface use the undo shutdown command to bring it up first Ne...

Page 83: ...rocedure covers most AAA RADIUS configuration commands for the switch while configuration on the 802 1X client and RADIUS server are omitted For information about AAA RADIUS configuration commands see...

Page 84: ...specify to use local authentication as the secondary scheme Device isp aabbcc net authentication default radius scheme radius1 local Device isp aabbcc net authorization default radius scheme radius1 l...

Page 85: ...re 25 On port GigabitEthernet 3 0 2 enable 802 1X and set VLAN 10 as the guest VLAN of the port If the number of attempts of the switch for sending EAP Request Identity messages from GigabitEthernet 3...

Page 86: ...wing configuration procedure covers most AAA RADIUS configuration commands for the switch while configuration on the 802 1X client and RADIUS server are omitted For information about AAA RADIUS config...

Page 87: ...auto Device GigabitEthernet3 0 2 dot1x port control auto Device GigabitEthernet3 0 2 quit Create VLAN 10 Device vlan 10 Device vlan10 quit Specify port GigabitEthernet 3 0 2 to use VLAN 10 as its gue...

Page 88: ...resses RADIUS based MAC authentication In RADIUS based MAC authentication the switch serves as a RADIUS client and requires a RADIUS server to cooperate with it If the type of username is MAC address...

Page 89: ...AC address which means that any packets from the MAC address will be discarded silently by the switch until the quiet timer expires This prevents the switch from authenticating an illegal user repeate...

Page 90: ...password for MAC authentication mac authentication user name format fixed account name password cipher simple password mac address with hyphen without hyphen lowercase uppercase Optional By default th...

Page 91: ...diagram for local MAC authentication Configuration procedure 1 Configure MAC authentication on the device Add a local user setting the username and password as 00 e0 fc 12 34 56 the MAC address of th...

Page 92: ...s 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current domain is aabbcc net Silent Mac User info MAC ADDR From Port Port Index Gigabitethernet3 0 1 is link up MAC...

Page 93: ...1 2 1813 Device radius 2000 key authentication abc Device radius 2000 key accounting abc Device radius 2000 user name format without domain Device radius 2000 quit Specify the AAA schemes for the ISP...

Page 94: ...aaa Fixed password 123456 Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current...

Page 95: ...ent advertisements and deliver community and personalized services In this way broadband network providers equipment providers and content service providers form an industrial ecological system Introd...

Page 96: ...thenticated to the portal server During authentication interacting with the portal server security policy server and the authentication accounting server for identity authentication security checking...

Page 97: ...ver communicates to perform security checking of the user and the security policy server authorizes the user to access resources depending on the security checking result Since a portal client uses an...

Page 98: ...to the access device Meanwhile the portal server starts a timer to wait for an authentication acknowledgment message 4 The access device and the RADIUS server exchange RADIUS packets to authenticate t...

Page 99: ...on see AAA in the Security Configuration Guide To implement extended portal functions you need install and configure the security policy server CAMS EAD or iMC EAD and ensure that the ACLs configured...

Page 100: ...erface and ports in the VLAN or for the switch ACLs that are related with the network segment to which the VLAN interface belongs Configuring a portal free rule A portal free rule allows specified use...

Page 101: ...cated Configuration of authentication subnets applies to only Layer 3 portal authentication Logging out users Logging out a user terminates the authentication process for the user or removes the user...

Page 102: ...sent to the RADIUS server A NAS ID profile defines the binding relationship between VLANs and NAS IDs A NAS ID VLAN binding is defined by the nas id id value bind vlan vlan id command which is descri...

Page 103: ...al users to log in until the number drops down below the limit Displaying and maintaining a portal To do Use the command Remarks 1 Display the ACLs on a specified interface display portal acl all dyna...

Page 104: ...tistics reset portal tcp cheat statistics Available in user view Portal configuration examples By default Ethernet VLAN and aggregate interfaces are in the state of DOWN To configure such an interface...

Page 105: ...92 168 0 112 SwitchA radius rs1 key authentication radius SwitchA radius rs1 key accounting radius Specify that the ISP domain name should not be included in the username sent to the RADIUS server Swi...

Page 106: ...sed identity authentication but have not passed security checking they can access only subnet 192 168 0 0 24 After passing security checking they can access Internet resources The host accesses Switch...

Page 107: ...med dm1 and enter its view SwitchA domain dm1 Configure the ISP domain to use RADIUS scheme rs1 SwitchA isp dm1 authentication portal radius scheme rs1 SwitchA isp dm1 authorization portal radius sche...

Page 108: ...s a result the portal server does not display the authentication page Solution Use the display portal server command to display the key for the portal server on the access device and view the key for...

Page 109: ...ice The source port is 50100 and the destination port of the ACK_LOGOUT message from the access device is the source port of the REQ_LOGOUT message so that the portal server can receive the ACK_LOGOUT...

Page 110: ...same algorithm also with the help of a key to obtain the original plain text Figure 33 Encryption and decryption There are two types of key algorithms based on whether the keys for encryption and dec...

Page 111: ...digital signature applications for peer identity authentication because they involve complex calculations and are time consuming In digital signature applications only the digests which are relativel...

Page 112: ...sh1 ssh2 filename Select a command according to the type of the key to be exported 3 Display the local DSA host public key on the screen in a specified format or export it to a specified file public k...

Page 113: ...nfigure a public key of the peer Enter the key Required Spaces and carriage returns are allowed between characters 5 Return to public key view public key code end When you exit public key code view th...

Page 114: ...so the public key of Device A should be configured on Device B in advance In this example RSA is used The host public key of Device A is configured manually on Device B Figure 34 Network diagram for m...

Page 115: ...809098C525304CA0F00E877F8D4BE08487EBA636C227C7F58871B5E98CD0B83A0B1F1 829D3 07FDDD537AAE5A9633A06D459F0C22B23DDA988DACFBAB13CFD4DE7C53123A64850203010001 2 Configure Device B Configure the host public...

Page 116: ...2B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3B C3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 Importing the public key of a peer from a public key file Network requirem...

Page 117: ...1 5E1BC 06551672B4344F6CA5EEB7E75749BEF4B5A3C3E399EA77F9B36078946B4FBD51E600FFC5E1E9366B4F1 D80F2 BCC5455FC9891747B62BB3284C0DF13052184D551379C9FC570203010001 Time of Key pair created 13 11 20 2007 10...

Page 118: ...Type set to I ftp put devicea pub 227 Entering Passive Mode 10 1 1 2 5 148 125 BINARY mode data connection already open transfer starting for devicea pub 226 Transfer complete FTP 299 byte s sent in 0...

Page 119: ...119 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3B C3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001...

Page 120: ...36 Stages in session establishment and interaction between an SSH client and the server Stages Description Version negotiation SSH1 and SSH2 0 are supported The two parties negotiate a version to use...

Page 121: ...of any type of algorithm fails the algorithm negotiation fails and the server tears down the connection with the client The server and the client use the DH key exchange algorithm and parameters such...

Page 122: ...authentication times exceed the maximum of authentication attempts and the session is torn down Besides password authentication and publickey authentication SSH2 0 provides another two authentication...

Page 123: ...the user interfaces for SSH clients An SSH client accesses the switch through a VTY user interface Therefore you need to configure the user interfaces for SSH clients to allow SSH login Note that the...

Page 124: ...rmat Import it from the public key file During the import process the system will automatically convert the public key to a string coded using the Public Key Cryptography Standards PKCS Before importi...

Page 125: ...H user and specify the service type and authentication mode Follow these steps to configure an SSH user and specify the service type and authentication mode To do Use the command Remarks 1 Enter syste...

Page 126: ...and on the user interface For users using password authentication You can configure the accounting information either on the switch or on the remote authentication server such as RADIUS authentication...

Page 127: ...s the SSH server Specify a source IPv6 address or interface for the SSH client ssh client ipv6 source ipv6 ipv6 address interface interface type interface number Configuring whether first time authent...

Page 128: ...Configuring a client public key Required The method of configuring server public key on the client is similar to that of configuring client public key on the server 4 Specify the host public key name...

Page 129: ...or session information on an SSH server display ssh server status session Available in any view 4 Display the mappings between SSH servers and their host public keys saved on an SSH client display ssh...

Page 130: ...onnection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 40 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode for the user interfaces to AAA Switch u...

Page 131: ...Figure 38 SSH client configuration interface Click Open If the connection is normal you will be prompted to enter the username and password After entering the correct username client001 and password...

Page 132: ...entication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0...

Page 133: ...t key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar See Figure 41 Otherwise the process bar stops moving and the key pair gener...

Page 134: ...134 Figure 41 Generate a client key pair 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key...

Page 135: ...ase Figure 43 Generate a client key pair 4 After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the se...

Page 136: ...SSH client configuration interface 1 Select Connection SSH Auth from the navigation tree The following window appears Click Browse to bring up the file selection window navigate to the private key fil...

Page 137: ...By default Ethernet interfaces VLAN interfaces and aggregate interfaces are in the state of DOWN To configure such an interface use the undo shutdown command to bring it up first When switch acts as...

Page 138: ...e Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 SwitchB local user client001 SwitchB luser client001 password simp...

Page 139: ...m View with peer public key end SwitchA pkey public key public key code begin Public key code view return to last view with public key code end SwitchA pkey key code 308201B73082012C06072A8648CE380401...

Page 140: ...itchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 Enter password All rights reserved 2004 2006 Without the owner s prior written consent...

Page 141: ...the SSH client below Import the peer public key from the file key pub SwitchB public key peer Switch001 import sshkey key pub Specify the authentication type for user client002 as publickey and assig...

Page 142: ...cted to 10 165 87 136 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n All rights reserved 2004 2006 Without the owner s prior written consent no decompil...

Page 143: ...or all For the configuration procedure see Configuring an SSH user Enabling the SFTP server This configuration task is to enable the SFTP service so that a client can log into the SFTP server through...

Page 144: ...face number Required Use either command By default an SFTP client uses the interface address specified by the route of the switch to access the SFTP server Specify a source IPv6 address or interface f...

Page 145: ...ory Follow these steps to work with the SFTP directories To do Use the command Remarks 1 Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher 3des aes128 des pre...

Page 146: ...5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view 2 Change the n...

Page 147: ...command in user view 2 Display a list of all commands or the help information of an SFTP client command help all command name Required Terminating the connection to the remote SFTP server Follow thes...

Page 148: ...Enable the SFTP server SwitchB sftp server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for SSH connection SwitchB interface vlan interface 1 Switch...

Page 149: ...the configuration on the server done before continuing configuration of the client Establish a connection to the remote SFTP server and enter SFTP client view SwitchA sftp 192 168 0 1 identity key rsa...

Page 150: ...new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39...

Page 151: ...rd authentication with the username being client002 and the password being aabbcc The username and password are saved on the switch Figure 49 Network diagram for SFTP server configuration Configuratio...

Page 152: ...e user authentication type as password and service type as SFTP Switch ssh user client002 service type sftp authentication type password 2 Configure the SFTP client There are many kinds of SFTP client...

Page 153: ...up in the binding entries of the IP source guard See Figure 51 If there is a match the port forwards the packet Otherwise the port discards the packet IP source guard bindings are on a per port basis...

Page 154: ...ou add a port configured with IP source guard to an aggregation group Configuring a static IP source guard binding entry Follow these steps to configure a static IP source guard binding entry To do Us...

Page 155: ...w interface interface type interface number 3 Configure the dynamic IP source guard binding function ip check source ip address ip address mac address mac address Required Not configured by default Th...

Page 156: ...thernet 3 0 1 of Switch A only IP packets from Host A can pass On port GigabitEthernet 3 0 2 of Switch B only IP packets from Host A can pass On port GigabitEthernet 3 0 1 of Switch B only IP packets...

Page 157: ...ss of 192 168 0 2 to pass SwitchB interface gigabitethernet 3 0 1 SwitchB GigabitEthernet3 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static...

Page 158: ...itEthernet3 0 1 quit Enable DHCP snooping SwitchA dhcp snooping Configure the port connecting to the DHCP server as a trusted port SwitchA interface gigabitethernet 3 0 2 SwitchA GigabitEthernet3 0 2...

Page 159: ...by using the generated DHCP Relay entries For detailed configuration of a DHCP relay agent see DHCP in the Layer 3 IP Services Configuration Guide Figure 54 Network diagram for configuring dynamic bin...

Page 160: ...0203 0406 192 168 0 1 100 Vlan interface100 DHCP RLY Troubleshooting IP source guard Failed to configure static binding entries and dynamic binding function Symptom Configuring static binding entries...

Page 161: ...up in the binding entries of the IP source guard See Figure 51 If there is a match the port forwards the packet Otherwise the port discards the packet IP source guard bindings are on a per port basis...

Page 162: ...ou add a port configured with IP source guard to an aggregation group Configuring a static IP source guard binding entry Follow these steps to configure a static IP source guard binding entry To do Us...

Page 163: ...w interface interface type interface number 3 Configure the dynamic IP source guard binding function ip check source ip address ip address mac address mac address Required Not configured by default Th...

Page 164: ...thernet 3 0 1 of Switch A only IP packets from Host A can pass On port GigabitEthernet 3 0 2 of Switch B only IP packets from Host A can pass On port GigabitEthernet 3 0 1 of Switch B only IP packets...

Page 165: ...ss of 192 168 0 2 to pass SwitchB interface gigabitethernet 3 0 1 SwitchB GigabitEthernet3 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static...

Page 166: ...itEthernet3 0 1 quit Enable DHCP snooping SwitchA dhcp snooping Configure the port connecting to the DHCP server as a trusted port SwitchA interface gigabitethernet 3 0 2 SwitchA GigabitEthernet3 0 2...

Page 167: ...by using the generated DHCP Relay entries For detailed configuration of a DHCP relay agent see DHCP in the Layer 3 IP Services Configuration Guide Figure 58 Network diagram for configuring dynamic bin...

Page 168: ...0203 0406 192 168 0 1 100 Vlan interface100 DHCP RLY Troubleshooting IP source guard Failed to configure static binding entries and dynamic binding function Symptom Configuring static binding entries...

Page 169: ...ofing Switch A originates a request to the server Switch B by sending a packet with a forged source IP address of 2 2 2 1 8 and Switch B sends a packet to Switch C at 2 2 2 1 8 in response to the requ...

Page 170: ...ould be disabled Configuring URPF Follow these steps to configure URPF To do Use the command Remarks 1 Enter system view system view 2 Enter VLAN interface view interface interface type interface numb...

Page 171: ...ork diagram for URPF configuration example Configuration procedure 1 Configure Switch B Create VLAN 10 SwitchB system view SwitchB vlan 10 SwitchB vlan10 quit Specify the IP address for VLAN interface...

Page 172: ...ofing Switch A originates a request to the server Switch B by sending a packet with a forged source IP address of 2 2 2 1 8 and Switch B sends a packet to Switch C at 2 2 2 1 8 in response to the requ...

Page 173: ...ould be disabled Configuring URPF Follow these steps to configure URPF To do Use the command Remarks 1 Enter system view system view 2 Enter VLAN interface view interface interface type interface numb...

Page 174: ...ork diagram for URPF configuration example Configuration procedure 1 Configure Switch B Create VLAN 10 SwitchB system view SwitchB vlan 10 SwitchB vlan10 quit Specify the IP address for VLAN interface...

Page 175: ...chase value added services To enhance response times or extend warranty benefits contact 3Com or your authorized reseller Value added services like ExpressSM and GuardianSM can include 24x7 telephone...

Page 176: ...of the warranty and other service benefits available to you When you contact 3Com for assistance please have the following information ready Product model name part number and serial number Proof of p...

Page 177: ...um transmission unit MTU for the data link between the user and NAS For example with 802 1X EAP authentication NAS uses this attribute to notify the server of the MTU for EAP packets so as to avoid ov...

Page 178: ...is 201 79 EAP Message Used for encapsulating EAP packets to allow the NAS to authenticate dial in users via EAP without having to understand the EAP protocol 80 Message Authenticator Used for authent...

Page 179: ...her value Failed 26 Connect_ID Index of the user connection 28 Ftp_Directory Working directory of the FTP user For an FTP user when the RADIUS client acts as the FTP server this attribute is used to s...

Page 180: ...Digital Subscriber Line AF Assured Forwarding AFI Address Family Identifier ALG Application Layer Gateway AM Accounting Management AMB Active Main Board ANSI American National Standard Institute AP A...

Page 181: ...sic Rate Interface BSR Bootstrap Router BT BitTorrent BS BSR State BT Burst Tolerance C Return C BSR Candidate Bootstrap Router C RP Candidate Rendezvous Point CA Call Appearance CA Certificate Author...

Page 182: ...Routing LSP CR LDP Constraint based Routing LDP CSMA CD Carrier Sense Multiple Access Collision Detect CSNP Complete SNP CSPF Constraint Shortest Path First CST Common Spanning Tree CT Call Transfer...

Page 183: ...tiplexing E Return EBGP External Border Gateway Protocol EACL Enhanced ACL EAD Endpoint Admission Defense EAP Extensible Authentication Protocol EAPOL Extensible Authentication Protocol over LAN EBS E...

Page 184: ...ocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High level Data Link Control HEC Header Error Control HMAC Hash based Message Authentication Code HoPE Hierarchy of PE Ho...

Page 185: ...nter Process Communication IPng IP Next Generation IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRDP ICMP Router Discovery Protocol I...

Page 186: ...ng Information Base LIB Label Information Base LLC Link Layer Control LLDP Link Layer Discovery Protocol LLDPDU Link Layer Discovery Protocol Data Units LOC Loss of continuity LOG Call Logging LR Line...

Page 187: ...stener Discovery Protocol MLD Snooping Multicast Listener Discovery Snooping MMC Meet Me Conference MODEM Modulator Demodulator MOS Mean Opinion Scores MP Multilink PPP MP BGP Multiprotocol extensions...

Page 188: ...zer NDC Network Data Collector NDP Neighbor Discovery Protocol NET Network Entity Title NetBIOS Network Basic Input Output System NHLFE Next Hop Label Forwarding Entry NLB Network Load Balancing NLPID...

Page 189: ...Code Modulation PD Powered Device Prefix Delegation or Pure Data PDU Protocol Data Unit PE Provider Edge Provider Edge Device PHP Penultimate Hop Popping PHY Physical layer PIM Protocol Independent Mu...

Page 190: ...02 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority or Router Advertisement RADIUS Remote Authentication Dial in User S...

Page 191: ...rt Protocol S Return SA Source Active or Suppress Advertisement SBM Sub network Bandwidth Management SCFF Single Choke Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SEL Selector S...

Page 192: ...STM 16c SDH Transport Module 16c STM 4c SDH Transport Module 4c STP Spanning Tree Protocol SVC Signaling Virtual Connection SVLAN Service Provider Virtual Local Area Network Switch MDT Switch Multicas...

Page 193: ...e Bit Rate VCI Virtual Channel Identifier VE Virtual Ethernet VF Virtual Forwarder VFS Virtual File System VLAN Virtual Local Area Network VLL Virtual Leased Lines VOD Video On Demand VoIP Voice over...

Page 194: ...ghted Fair Queuing WINS Windows Internet Naming Service WLAN wireless local area network WRED Weighted Random Early Detection WRR Weighted Round Robin WTR Wait to Restore WWW World Wide Web X Return X...

Page 195: ...ion 79 enabling quiet timer 80 enabling re authentication function 80 features working together 73 guest VLAN 74 maintaining 82 mandatory authentication domain for specified port 75 Message Authentica...

Page 196: ...g client portal 96 configuring first time authentication support SSH2 0 127 Layer 3 portal 97 local MAC 88 91 mandatory domain for specified port 802 1X 75 mode 802 1X 65 mode portal 97 process 802 1X...

Page 197: ...hentication portal 104 Layer 3 portal authentication with extended functions 106 local asymmetric pair public key 1 1 1 local user attribute AAA 34 MAC authentication 88 89 91 NAS ID VLAN binding AAA...

Page 198: ...ssage attribute 802 1X 68 EAPOL 802 1X 67 EAPOL packet format 802 1X 67 Message Authenticator attribute 802 1X 69 over RADIUS 802 1X 68 packet format 802 1X 68 enabling device to support first time au...

Page 199: ...s device portal 108 information displaying help SFTP 147 interaction SSH 122 interface configuring user for SSH client SSH2 0 123 specifying client SFTP 144 specifying NAS ID profile portal 102 specif...

Page 200: ...ction configuration IP source guard 157 159 165 167 guest VLAN configuration 85 HWTACACS server configuration for telnet user AAA 55 importing peer public key from public key file 1 16 IP source guard...

Page 201: ...iguration 104 Layer 3 configuration with extended functions 106 logging out user 101 maintaining 103 security policy server 96 server 96 setting max number online users 103 specifying interface NAS ID...

Page 202: ...86 creating HWTACACS scheme AAA 50 creating ISP domain AAA 28 creating ISP domain attribute AAA 29 creating RADIUS scheme AAA 38 destroying local asymmetric pair public key 1 12 disabling first time a...

Page 203: ...pecifying VPN instance for RADIUS scheme AAA 39 terminating remote server connection SFTP 147 working with directory SFTP 145 working with file SFTP 146 process authenticating portal 98 authentication...

Page 204: ...s for packet AAA 45 specifying VPN for scheme AAA 39 timer 802 1X 73 troubleshooting 62 RADIUS based MAC authentication 88 92 remote authentication dial in user service See RADIUS request setting RADI...

Page 205: ...144 147 configuring connection idle timeout period 143 configuring server 143 151 displaying help information 147 enabling server 143 establishing server connection 144 specifying client interface 14...

Page 206: ...121 maintaining 129 operation SSH 120 server configuration 129 session request 122 setting management parameter 126 specifying source IP address interface for SSH client 127 version negotiation 120 s...

Page 207: ...function 802 1X 78 disconnecting AAA 37 logging out portal 101 specifying max number online portal 103 user group configuring attribute AAA 36 version negotiation SSH2 0 120 VLAN assignment 802 1X 73...

Search results

Summary of Contents for S9500E Series

Reviews:

Related manuals for S9500E Series

Brands by name

Popular brands

H3C S9500E Series, Security Configuration Manual

Search results

Summary of Contents for S9500E Series

Reviews:

Related manuals for S9500E Series

Brands by name

Popular brands