manualshive.com logo in svg

HP 10500 series, Security Configuration Manual, Page: 87 / 596

Share
Download
HP 10500 series Security Configuration Manual Download Page 87

 

73 

Packet exchange 
method 

Benefits Limitations 

EAP termination 

Works with any RADIUS server 
that supports PAP or CHAP 
authentication. 

 

Supports only the following EAP 
authentication methods: 

{

 

MD5-Challenge EAP 
authentication. 

{

 

The username and password 
EAP authentication initiated by 
an HPE iNode 802.1X client. 

 

The processing is complex on the 
access device.  

 

EAP relay 

Figure 33

 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that 

EAP-MD5 is used.  

Figure 33 802.1X authentication procedure in EAP relay mode 

 

 

The following steps describe the 802.1X authentication procedure: 

1. 

When a user launches the 802.1X client and enters a registered username and password, the 
802.1X client sends an EAPOL-Start packet to the access device. 

2. 

The access device responds with an Identity EAP-Request packet to ask for the client 
username. 

 

EAPOL

EAPOR

(1) EAPOL-Start

(2) EAP-Request/Identity

(3) EAP-Response/Identity

(6) EAP-Request/MD5 challenge

(10) EAP-Success

(7) EAP-Response/MD5 challenge

(4) RADIUS Access-Request

(EAP-Response/Identity)

(5) RADIUS Access-Challenge
(EAP-Request/MD5 challenge)

(9) RADIUS Access-Accept

(EAP-Success)

(8) RADIUS Access-Request

(EAP-Response/MD5 challenge)

(11) EAP-Request/Identity

(12) EAP-Response/Identity

(13) EAPOL-Logoff

...

Client

Device

Authentication server

Port authorized

Port unauthorized

(14) EAP-Failure

Summary of Contents for 10500 series

Page 1: ...HPE FlexNetwork 10500 Switch Series Security Configuration Guide Part number 5998 7134R Software version 10500 CMW710 R7178 Document version 6W100 20160129 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ...rrent login users 48 Configuring a NAS ID profile 49 Displaying and maintaining AAA 49 AAA configuration examples 49 AAA for SSH users by an HWTACACS server 49 Local authentication HWTACACS authorization and RADIUS accounting for SSH users 51 Authentication and authorization for SSH users by a RADIUS server 53 Authentication for SSH users by an LDAP server 56 AAA for 802 1X users by a RADIUS serve...

Page 4: ...LAN tags 92 Configuring an 802 1X guest VLAN 93 Configuration guidelines 93 Configuration prerequisites 93 Configuration procedure 94 Configuring an 802 1X Auth Fail VLAN 94 Configuration guidelines 94 Configuration prerequisites 94 Configuration procedure 95 Configuring an 802 1X critical VLAN 95 Configuration guidelines 95 Configuration prerequisites 95 Configuration procedure 95 Enabling the 80...

Page 5: ...estrictions and guidelines 126 Configuration procedure 126 Displaying and maintaining MAC authentication 126 MAC authentication configuration examples 127 Local MAC authentication configuration example 127 RADIUS based MAC authentication configuration example 129 ACL assignment configuration example 131 Configuring portal authentication 134 Overview 134 Extended portal functions 134 Portal system ...

Page 6: ...ce 189 Cannot log out portal users on the RADIUS server 190 Users logged out by the access device still exist on the portal authentication server 190 Re DHCP portal authenticated users cannot log in successfully 190 Configuring port security 192 Overview 192 Port security features 192 Port security modes 192 General guidelines and restrictions 195 Configuration task list 195 Enabling port security...

Page 7: ...laying and maintaining public keys 228 Examples of public key management 228 Example for entering a peer host public key 228 Example for importing a public key from a public key file 230 Configuring SSL 233 Overview 233 SSL security services 233 SSL protocol stack 233 FIPS compliance 234 SSL configuration task list 234 Configuring an SSL server policy 234 Configuring an SSL client policy 237 Displ...

Page 8: ...ociation 279 Authentication and encryption 279 IPsec implementation 280 IPsec RRI 281 Protocols and standards 282 FIPS compliance 282 IPsec tunnel establishment 282 Implementing ACL based IPsec 282 Feature restrictions and guidelines 282 ACL based IPsec configuration task list 282 Configuring an ACL 283 Configuring an IPsec transform set 284 Configuring a manual IPsec policy 286 Configuring an IKE...

Page 9: ...alid identity information 332 Configuring IKEv2 336 Overview 336 IKEv2 negotiation process 336 New features in IKEv2 337 Protocols and standards 337 IKEv2 configuration task list 337 Configuring an IKEv2 profile 338 Configuring an IKEv2 policy 341 Configuring an IKEv2 proposal 342 Configuring an IKEv2 keychain 343 Configure global IKEv2 parameters 344 Enabling the cookie challenging feature 344 Co...

Page 10: ...ying MAC algorithms for SSH2 379 Displaying and maintaining SSH 379 Stelnet configuration examples 379 Password authentication enabled Stelnet server configuration example 379 Publickey authentication enabled Stelnet server configuration example 382 Password authentication enabled Stelnet client configuration example 387 Publickey authentication enabled Stelnet client configuration example 390 Ste...

Page 11: ...ample on a DHCP server 435 Configuration example on a DHCP relay agent 436 Configuring ARP detection 437 Configuring user validity check 438 Configuring ARP packet validity check 439 Configuring ARP restricted forwarding 439 Enabling ARP detection logging 440 Displaying and maintaining ARP detection 440 User validity check configuration example 440 User validity check and ARP packet validity check...

Page 12: ...guration task list 472 Configuring an attack defense policy 472 Creating an attack defense policy 472 Configuring a single packet attack defense policy 472 Configuring a scanning attack defense policy 474 Configuring a flood attack defense policy 474 Configuring attack detection exemption 479 Applying an attack defense policy to an interface 479 Applying an attack defense policy to the device 480 ...

Page 13: ...FF 507 MFF configuration examples 507 Auto mode MFF configuration example in a tree network 507 Auto mode MFF configuration example in a ring network 509 Manual mode MFF configuration example in a tree network 511 Manual mode MFF configuration example in a ring network 512 Configuring ND attack defense 514 Overview 514 Configuration restrictions and guidelines 514 Configuring source MAC consistenc...

Page 14: ...ns and icons 527 Conventions 527 Network topology icons 528 Support and other resources 529 Accessing Hewlett Packard Enterprise Support 529 Accessing updates 529 Websites 530 Customer self repair 530 Remote support 530 Documentation feedback 530 Index 532 ...

Page 15: ...agram To access networks or resources beyond the NAS a user sends its identity information to the NAS The NAS transparently passes the user information to AAA servers and waits for the authentication authorization and accounting result Based on the result the NAS determines whether to permit or deny the access request AAA has various implementations including RADIUS HWTACACS and LDAP RADIUS is mos...

Page 16: ...ients 2 Performs user authentication authorization or accounting 3 Returns user access control information for example rejecting or accepting the user access request to the clients The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy services The RADIUS server maintains the following databases Users Stores user information such as the usernames pass...

Page 17: ...ct packet 4 The RADIUS client permits or denies the user according to the authentication result If the result permits the user the RADIUS client sends a start accounting request Accounting Request packet to the RADIUS server 5 The RADIUS server returns an acknowledgment Accounting Response packet and starts accounting 6 The user accesses the network resources 7 The host requests the RADIUS client ...

Page 18: ...Type attribute in the packet indicates whether to start or stop accounting 5 Accounting Respons e From the server to the client The server sends a packet of this type to notify the client that it has received the Accounting Request and has successfully recorded the accounting information The Identifier field 1 byte long is used to match response packets with request packets and to detect duplicate...

Page 19: ...8 Framed IP Address 52 Acct Input Gigawords 9 Framed IP Netmask 53 Acct Output Gigawords 10 Framed Routing 54 unassigned 11 Filter ID 55 Event Timestamp 12 Framed MTU 56 59 unassigned 13 Framed Compression 60 CHAP Challenge 14 Login IP Host 61 NAS Port Type 15 Login Service 62 Port Limit 16 Login TCP Port 63 Login LAT Port 17 unassigned 64 Tunnel Type 18 Reply Message 65 Tunnel Medium Type 19 Call...

Page 20: ...res excellent extensibility The Vendor Specific attribute attribute 26 allows a vendor to define extended attributes The extended attributes can implement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended functions As shown in Figure 5 a subattribute encapsulated in attribute 26 consist...

Page 21: ...een HWTACACS and RADIUS Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP which provides reliable network transmission Uses UDP which provides high transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authent...

Page 22: ...esponse to request the login password 8 Upon receipt of the response the HWTACACS client prompts the user for the login password 9 The user enters the password Host HWTACACS client HWTACACS server 1 The user tries to log in 2 Start authentication packet 3 Authentication response requesting the username 4 Request for username 5 The user enters the username 6 Continue authentication packet with the ...

Page 23: ... often change The protocol is used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating systems The software stores the user information and user group information for user login authentication and authorization LDAP directory service LDAP uses directories to maintain the organization information personnel information and resourc...

Page 24: ...ements the client sends an administrator bind request to the LDAP server This operation obtains the right to search for authorization information about users on the user DN list Basic LDAP packet exchange process The following example illustrates the basic packet exchange process during LDAP authentication and authorization for a Telnet user Figure 7 Basic packet exchange process for LDAP authenti...

Page 25: ...ent exchanges authorization packets with the HWTACACS authorization server instead 10 After successful authorization the LDAP client notifies the user of the successful login AAA implementation on the device This section describes AAA user management and methods User management based on ISP domains and user access types AAA manages users based on the users ISP domains and access types On a NAS eac...

Page 26: ...ndamentals Configuration Guide FTP SFTP and SCP login users also have the root directory of the NAS set as the working directory However the users do not have permission to access the root directory Local authorization The NAS performs authorization according to the user attributes locally configured for users Remote authorization The NAS works with a RADIUS HWTACACS or LDAP server to authorize us...

Page 27: ...ransparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication Authentication packets of private users in different VPNs do not affect each other Figure 9 Network diagram This feature can also help an MCE to implement portal authentication for VPNs For more information about MCE see MPLS Configuration Guide For more information ...

Page 28: ... 1X EAP authentication 14 Login IP Host IP address of the NAS interface that the user accesses 15 Login Service Type of the service that the user uses for login 18 Reply Message Text to be displayed to the user which can be used by the server to communicate information for example the reason of the authentication failure 26 Vendor Specific Vendor specific proprietary attribute A packet can contain...

Page 29: ...ssage Authenticato r Used for authentication and verification of authentication packets to prevent spoofing Access Requests This attribute is present when EAP authentication is used 81 Tunnel Private Group ID Group ID for a tunneled session If this attribute is used to assign VLANs it conveys VLAN IDs 87 NAS Port Id String for describing the port of the NAS that is authenticating the user Propriet...

Page 30: ...er 00 00 00 on Jan 1 1970 UTC 60 Ip_Host_Addr User IP address and MAC address included in authentication and accounting requests in the format A B C D hh hh hh hh hh hh A space is required between the IP address and the MAC address 61 User_Notify Information that must be sent from the server to the client transparently 62 User_HeartBeat Hash value assigned after an 802 1X user passes authenticatio...

Page 31: ...rl redirect xxx 250 WEB URL Web redirect URL for users 255 Product_ID Product name FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode AAA configuration considerations and task list To configure AAA complete the following tasks on the NAS 1 Con...

Page 32: ...on control feature Optional Configuring the RADIUS DAE server feature Optional Setting the maximum number of concurrent login users Optional Configuring a NAS ID profile Configuring AAA schemes This section includes information on configuring local users RADIUS schemes HWTACACS schemes and LDAP schemes Configuring local users To implement local authentication authorization and accounting create lo...

Page 33: ...include the IP address access port MAC address and native VLAN For support and usage information about binding attributes see Configuring local user attributes Authorization attributes Authorization attributes indicate the user s rights after it passes local authentication Authorization attributes include the ACL idle cut feature user role VLAN and FTP SFTP SCP working directory For support inform...

Page 34: ...ach local user In FIPS mode only password protected users can pass authentication 4 Assign services to the local user For a network access user service type advpn ike lan access portal ppp For a device management user In non FIPS mode service type ftp http https pad ssh telnet terminal In FIPS mode service type https pad ssh terminal By default no service is authorized to a local user The advpn ik...

Page 35: ...assword control aging aging time Set the minimum password length password control length length Configure the password composition policy password control composition type number type number type length type length Configure the password complexity checking policy password control complexity same character user name check Configure the maximum login attempts and the action to take if there is a lo...

Page 36: ...Configure password control attributes for the user group Set the password aging time password control aging aging time Set the minimum password length password control length length Configure the password composition policy password control composition type number type number type length type length Configure the password complexity checking policy password control complexity same character user n...

Page 37: ...y policy servers Optional Configuring the Login Service attribute check method for SSH FTP and terminal users Optional Enabling SNMP notifications for RADIUS Optional Displaying and maintaining RADIUS Configuring a test profile for RADIUS server status detection Use a test profile to detect whether a RADIUS authentication server is reachable at a detection interval To detect the RADIUS server stat...

Page 38: ...thorization together because authorization information is piggybacked in authentication responses sent to RADIUS clients You can specify one primary authentication server and up to 16 secondary authentication servers for a RADIUS scheme Secondary servers provide AAA services when the primary server becomes unavailable The device searches for an active server in the order the secondary servers are ...

Page 39: ...US scheme Secondary servers provide AAA services when the primary server becomes unavailable The device searches for an active server in the order the secondary servers are configured If redundancy is not required specify only the primary server A RADIUS accounting server can act as the primary accounting server for one scheme and a secondary accounting server for another scheme at the same time W...

Page 40: ...generate the Authenticator value for packet authentication and user password encryption The client and server must use the same key for each type of communication A key configured in this task is for all servers of the same type accounting or authentication in the scheme The key has a lower priority than a key configured individually for a RADIUS server To specify a shared key for secure RADIUS co...

Page 41: ... name format keep original with domain without domain By default the ISP domain name is included in a username 4 Optional Set the data flow and packet measurement units for traffic statistics data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet By default traffic is counted in bytes and packets Setting the maximum number of RADIUS request t...

Page 42: ...or a server in active state by first checking the primary server and then checking secondary servers in the order they are configured When all servers are in blocked state the device only tries to communicate with the primary server When one or more servers are in active state the device tries to communicate with these active servers only even if the servers are unavailable When a RADIUS server s ...

Page 43: ...e order they are configured The first secondary server in active state is used for communication In this process the workload is always placed on the active server Use the RADIUS server load sharing feature to dynamically distribute the workload over multiple servers regardless of their server roles The device forwards an AAA request to the most appropriate server of all active servers in the sche...

Page 44: ... VPN or the public network Step Command Remarks 1 Enter system view system view N A 2 Specify a source IP address for outgoing RADIUS packets radius nas ip ipv4 address ipv6 ipv6 address vpn instance vpn instance name By default the IP address of the RADIUS packet outbound interface is used as the source IP address To specify a source IP address for a RADIUS scheme Step Command Remarks 1 Enter sys...

Page 45: ... in blocked state until the timer expires A short realtime accounting interval helps improve accounting precision but requires many system resources When there are 1000 or more users set the interval to 15 minutes or longer To set RADIUS timers Step Command Remarks 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Set the RADIUS server response t...

Page 46: ...y up to eight security policy servers for a RADIUS scheme Configuring the Login Service attribute check method for SSH FTP and terminal users The device supports the following check methods for the Login Service attribute RADIUS attribute 15 of SSH FTP and terminal users Strict Matches Login Service attribute values 50 51 and 52 for SSH FTP and terminal services respectively Loose Matches the stan...

Page 47: ...t trap enable radius accounting server down authentication error threshold authentication server down accounting server up authentication server up By default all types of SNMP notifications are enabled for RADIUS Displaying and maintaining RADIUS Execute display commands in any view and reset commands in user view Task Command Display the RADIUS scheme configuration display radius scheme radius s...

Page 48: ...ter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name N A 3 Specify HWTACACS authentication servers Specify the primary HWTACACS authentication server primary authentication host name ipv4 address ipv6 ipv6 address port number key cipher simple string single connection vpn instance vpn instance name Specify a secondary HWTACACS authentication server secondary authentication host name ipv4 ...

Page 49: ...ondary servers in the order they are configured The first secondary server in active state is used for communication If redundancy is not required specify only the primary server An HWTACACS server can act as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time HWTACACS does not support accounting for FTP SFTP and SCP users To specif...

Page 50: ...ual HWTACACS server the VPN specified for the HWTACACS scheme does not take effect on that server To specify a VPN for an HWTACACS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name N A 3 Specify a VPN for the HWTACACS scheme vpn instance vpn instance name By default an HWTACACS scheme belongs to the public network Sett...

Page 51: ...e situations you must change the source IP address For example when VRRP is configured for stateful failover configure the virtual IP of the uplink VRRP group as the source address You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view or in system view The IP address specified in HWTACACS scheme view applies to one HWTACACS scheme The IP address specified in s...

Page 52: ...communicates with the HWTACACS servers based on the following rules When the primary server is in active state the device communicates with the primary server If the primary server fails the device performs the following operations Changes the server status to blocked Starts a quiet timer for the server Tries to communicate with a secondary server in active state that has the highest priority If t...

Page 53: ...d maintaining HWTACACS Execute display commands in any view and reset commands in user view Task Command Display the configuration or server statistics of HWTACACS schemes display hwtacacs scheme hwtacacs server name statistics Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization Configuring LDAP schemes Configuration task list Tasks at a glance Configuri...

Page 54: ...r system view system view N A 2 Enter LDAP server view ldap server server name N A 3 Specify the LDAP version protocol version v2 v3 By default LDAPv3 is used A Microsoft LDAP server supports only LDAPv3 Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server without receiving the server s response within the server timeout period the authentication or...

Page 55: ...search policy determined by the LDAP user attributes of the LDAP client The LDAP user attributes include Search base DN Search scope Username attribute Username format User object class If the LDAP server contains many directory levels a user DN search starting from the root directory can take a long time To improve efficiency you can change the start point by specifying the search base DN To conf...

Page 56: ...ing LDAP Execute display commands in any view Task Command Display the configuration of LDAP schemes display ldap scheme scheme name Configuring AAA methods for ISP domains You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view Each ISP domain has a set of system defined AAA methods which are local authentication local authorization and local accountin...

Page 57: ...le You can specify an authentication domain for 802 1X portal or MAC authentication When you configure an ISP domain follow these restrictions and guidelines An ISP domain cannot be deleted when it is the default ISP domain Before you use the undo domain command change the domain to a non default ISP domain by using the undo domain default enable command You can modify the settings of the system d...

Page 58: ...red With AAA you can configure an authentication method for each access type and service type 2 Determine whether to configure the default authentication method for all access types or service types The default authentication method applies to all access users However the method has a lower priority than the authentication method that is specified for an access type or service type Configuration g...

Page 59: ...s scheme name local none By default the default authentication method is used for portal users The none keyword is not supported in FIPS mode 7 Specify the authentication method for obtaining a temporary user role authentication super hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name By default the default authentication method is used for obtaining a temporary user role Config...

Page 60: ...e none radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name local none By default the default authorization method is used for login users The none keyword is not supported in FIPS mode 7 Specify the authorization method for portal users authorization portal local none none radius scheme radius scheme name local none By default the default authorization method is used for portal u...

Page 61: ... keyword is not supported in FIPS mode 6 Specify the accounting method for login users accounting login hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name local none local none none radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name local none By default the default accounting method is used for login users The none keyword is not supported in FIPS mode 7 Spec...

Page 62: ...oA requests to the DAE server for the following purposes Change the authorization information of specific online users Shut down the access interfaces of users To configure the RADIUS DAE server feature Step Command Remarks 1 Enter system view system view N A 2 Enable the RADIUS DAE server feature and enter RADIUS DAE server view radius dynamic author server By default the RADIUS DAE server featur...

Page 63: ...attribute for the RADIUS server to identify requests from any Company A users You can apply a NAS ID profile to portal or port security enabled interfaces For more information see Configuring portal and Configuring port security A NAS ID can be bound with more than one VLAN but a VLAN can be bound with only one NAS ID To configure a NAS ID profile Step Command Remarks 1 Enter system view system vi...

Page 64: ...ication 10 1 1 1 49 Specify the primary authorization server Switch hwtacacs hwtac primary authorization 10 1 1 1 49 Specify the primary accounting server Switch hwtacacs hwtac primary accounting 10 1 1 1 49 Set the shared keys for secure HWTACACS communication to expert in plain text Switch hwtacacs hwtac key authentication simple expert Switch hwtacacs hwtac key authorization simple expert Switc...

Page 65: ... authentication HWTACACS authorization and RADIUS accounting for SSH users Network requirements As shown in Figure 12 configure the switch to meet the following requirements Perform local authentication for SSH servers Use the HWTACACS server and RADIUS server for SSH user authorization and accounting respectively Exclude domain names from the usernames sent to the servers Assign the default user ...

Page 66: ... hello class manage Assign the SSH service for the local user Switch luser manage hello service type ssh Set a password for the local user to 123456TESTplat in plain text In FIPS mode you must set the password in interactive mode Switch luser manage hello password simple 123456TESTplat Switch luser manage hello quit Create ISP domain bbb and configure the login users to use local authentication HW...

Page 67: ...IMC PLAT 5 0 E0101 and IMC UAM 5 0 E0101 Add the switch to the IMC Platform as an access device Log in to IMC click the Service tab and select User Access Manager Access Device Management Access Device from the navigation tree Then click Add to configure an access device as follows a Set the shared key for secure RADIUS communication to expert b Set the ports for authentication and accounting to 1...

Page 68: ...s User View Device Mgmt User from the navigation tree Then click Add to configure a device management account as follows a Enter the account name hello bbb and specify the password b Select the service type SSH c Specify 10 1 1 0 to 10 1 1 255 as the IP address range of the hosts to be managed d Click OK NOTE The IP address range must contain the IP address of the switch ...

Page 69: ...tes with the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Create local RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Enable the SSH service Switch ssh server enable Enable scheme authentication for user lines VTY 0 through VTY 63 Switch line vty 0 63 Switch line vty0 63 au...

Page 70: ...ng login none Switch isp bbb quit Verifying the configuration Initiate an SSH connection to the switch and enter the username hello bbb and the correct password The user logs in to the switch Details not shown Verify that the user can use the commands permitted by the network operator user role Details not shown Authentication for SSH users by an LDAP server Network requirements As shown in Figure...

Page 71: ... b Double click Active Directory Users and Computers The Active Directory Users and Computers window is displayed c From the navigation tree click Users under the ldap com node d Select Action New User from the menu to display the dialog box for adding a user e Enter the logon name aaa and click Next Figure 17 Adding user aaa f In the dialog box enter the password ldap 123456 select options as nee...

Page 72: ...assword g Click OK Add user aaa to group Users h From the navigation tree click Users under the ldap com node i In the right pane right click the user aaa and select Properties j In the dialog box click the Member Of tab and click Add ...

Page 73: ...select field and click OK User aaa is added to group Users Figure 20 Adding user aaa to group Users Set the administrator password to admin 123456 a In the right pane right click the user Administrator and select Set Password b In the dialog box enter the administrator password Details not shown 2 Configure the switch ...

Page 74: ...ticated SSH users the default user role network operator Switch role default role enable Configure an LDAP server Switch ldap server ldap1 Specify the IP address of the LDAP authentication server Switch ldap server ldap1 ip 10 1 1 1 Specify the administrator DN Switch ldap server ldap1 login dn cn administrator cn users dc ldap dc com Specify the administrator password Switch ldap server ldap1 log...

Page 75: ... the service to the user Set the shared keys for secure RADIUS communication to expert Set the ports for authentication and accounting to 1812 and 1813 respectively Figure 21 Network diagram Configuration procedure 1 Configure interfaces and VLANs so the host promptly obtains a new IP address to access resources in the authorized VLAN after passing authentication Details not shown 2 If you are usi...

Page 76: ...ress specified by the radius nas ip command IP address of the outbound interface the default Figure 22 Adding the switch as an access device Add a service Click the Service tab and select User Access Manager Service Configuration from the navigation tree Then click Add to configure a service as follows a Add a service named Dot1x auth and set the service suffix to bbb the authentication domain for...

Page 77: ...s from the navigation tree to enter the All Access Users page Then click Add to configure a user as follows a Select the user or add a user named hello b Specify the account name as dot1x and configure the password c Select the access service Dot1x auth d Configure other parameters as needed and click OK ...

Page 78: ...n the usernames sent to the RADIUS server Switch radius rad user name format with domain Switch radius rad quit b Configure an authentication domain Create an ISP domain named bbb and enter ISP domain view Switch domain bbb Configure the ISP domain to use RADIUS scheme rad for authentication authorization and accounting of LAN users Switch isp bbb authentication lan access radius scheme rad Switch...

Page 79: ...the server assigns the port connecting the client to VLAN 4 after the user passes authentication Details not shown 3 Display the connection information on the switch Switch display dot1x connection Troubleshooting RADIUS RADIUS authentication failure Symptom User authentication always fails Analysis Possible reasons include A communication failure exists between the NAS and the RADIUS server The u...

Page 80: ...DIUS server s authentication and accounting port numbers are available 2 If the problem persists contact Hewlett Packard Enterprise Support RADIUS accounting error Symptom A user is authenticated and authorized but accounting for the user is not normal Analysis The accounting server configuration on the NAS is not correct Possible reasons include The accounting port number configured on the NAS is...

Page 81: ...d on the server No user search base DN is specified for the LDAP scheme Solution To resolve the problem 1 Check the following items The NAS and the LDAP server can ping each other The IP address and port number of the LDAP server configured on the NAS match those of the server The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS Th...

Page 82: ...n the server returns the authentication results to the access device to make access decisions The authentication server is typically a RADIUS server In a small LAN you can use the access device as the authentication server Figure 25 802 1X architecture Controlled uncontrolled port and port authorization status 802 1X defines two logical ports for the network access port controlled port and uncontr...

Page 83: ... over a LAN Between the access device and the authentication server 802 1X delivers authentication information by using one of the following methods Encapsulates EAP packets in RADIUS by using EAP over RADIUS EAPOR as described in EAP relay Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets as described in EAP termination Packet for...

Page 84: ...tart The client sends an EAPOL Start message to initiate 802 1X authentication to the access device 0x02 EAPOL Logoff The client sends an EAPOL Logoff message to tell the access device that the client is logging off Length Data length in bytes or length of the Packet body If packet type is EAPOL Start or EAPOL Logoff this field is set to 0 and no Packet body field follows Packet body Content of th...

Page 85: ...t and the authentication server does not support the multicast address you must use an 802 1X client that can send broadcast EAPOL Start packets For example you can use the HPE iNode 802 1X client Access device as the initiator The access device initiates authentication if a client cannot send EAPOL Start packets One example is the 802 1X client available with Windows XP The access device supports...

Page 86: ... relay You cannot use EAP relay if the RADIUS server does not support any EAP authentication method or no RADIUS server is available EAP termination mode As shown in Figure 32 the access device performs the following operations in EAP termination mode a Terminates the EAP packets received from the client b Encapsulates the client authentication information in standard RADIUS packets c Uses PAP or ...

Page 87: ...e 802 1X authentication procedure 1 When a user launches the 802 1X client and enters a registered username and password the 802 1X client sends an EAPOL Start packet to the access device 2 The access device responds with an Identity EAP Request packet to ask for the client username EAPOL EAPOR 1 EAPOL Start 2 EAP Request Identity 3 EAP Response Identity 6 EAP Request MD5 challenge 10 EAP Success ...

Page 88: ...e identical the server considers the client valid and sends a RADIUS Access Accept packet to the access device 10 Upon receiving the RADIUS Access Accept packet the access device performs the following operations a Sends an EAP Success packet to the client b Sets the controlled port in authorized state The client can access the network 11 After the client comes online the access device periodicall...

Page 89: ...EAP termination mode the access device rather than the authentication server generates an MD5 challenge for password encryption The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server ...

Page 90: ...zation VLANs for an 802 1X user to control access to authorized network resources When the 802 1X user passes authentication the authentication server assigns the authorization VLANs or VLAN group to the users Supported VLAN types and forms Which VLAN types and forms are supported depends on the authorization type Local VLAN authorization You can specify only one authorization VLAN by its ID in us...

Page 91: ...p of VLANs If the port has other online users the device selects the VLAN by using the following process a The device selects the VLAN that has the fewest number of online users b If two VLANs have the same number of online 802 1X users the device selects the VLAN with the lower ID The device follows the rules in Table 6 to handle VLAN assignment VLAN IDs with suffixes 1 The device selects the lef...

Page 92: ...ss device creates a MAC to VLAN mapping for the user when the following requirements are met The user passes reauthentication The authorization VLAN for the user is changed For more information about VLAN configuration and MAC based VLANs see Layer 2 LAN Switching Configuration Guide Guest VLAN The 802 1X guest VLAN on a port accommodates users who have not performed 802 1X authentication Users in...

Page 93: ...s still in the 802 1X guest VLAN A user in the 802 1X guest VLAN passes 802 1X authentication The device remaps the MAC address of the user to the authorization VLAN If the authentication server does not authorize a VLAN the device remaps the MAC address of the user to the initial PVID on the port For the 802 1X guest VLAN feature to take effect on a port that performs MAC based access control mak...

Page 94: ...uthentication because of any other reason except for unreachable servers The user is still in the Auth Fail VLAN A user in the 802 1X Auth Fail VLAN passes 802 1X authentication The device remaps the MAC address of the user to the authorization VLAN If the authentication server does not authorize a VLAN the device remaps the MAC address of the user to the initial PVID on the port For the 802 1X Au...

Page 95: ...plies The user and all subsequent 802 1X users are assigned to this port VLAN After the user logs off the PVID remains unchanged A user in the 802 1X guest VLAN fails authentication because all the RADIUS servers are unreachable The device assigns the 802 1X critical VLAN to the port as the PVID and all 802 1X users on this port are in this VLAN A user in the 802 1X Auth Fail VLAN fails authentica...

Page 96: ...ions If MAC based access control is used the device removes 802 1X users from the critical VLAN The port sends a unicast Identity EAP Request to these users to trigger authentication If port based access control is used the device removes the port from the critical VLAN The port sends a multicast Identity EAP Request to all 802 1X users on the port to trigger authentication Using 802 1X authentica...

Page 97: ...expires they must reconnect to the network to access the free IP Redirect URL assignment The device supports the URL attribute assigned by a RADIUS server when the 802 1X enabled port performs MAC based access control and the port authorization state is auto During authentication an 802 1X user is redirected to the Web interface specified by the server assigned URL attribute After the user passes ...

Page 98: ...switch ID and password configured on the device Configuration prerequisites Before you configure 802 1X complete the following tasks Configure an ISP domain and AAA scheme local or RADIUS authentication for 802 1X users If RADIUS authentication is used create user accounts on the RADIUS server If local authentication is used create local user accounts on the access device and set the service type ...

Page 99: ...EAP Success packets for 802 1X users assignment to the 802 1X critical VLAN Optional Specifying supported domain name delimiters Optional Enabling 802 1X guest VLAN assignment delay Optional Configuring the EAD assistant feature Optional Configuring 802 1X SmartOn Enabling 802 1X When you enable 802 1X follow these guidelines For 802 1X to work correctly with MACsec configure MACsec on the uplink ...

Page 100: ...ommunicate with the RADIUS server Specify the eap keyword to enable EAP relay Specify the chap or pap keyword to enable CHAP enabled or PAP enabled EAP termination NOTE If EAP relay mode is used the user name format command configured in RADIUS scheme view does not take effect The access device sends the authentication data from the client to the server without any modification Setting the port au...

Page 101: ...m number of concurrent 802 1X users on a port Perform this task to prevent the system resources from being overused To set the maximum number of concurrent 802 1X users on a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Set the maximum number of concurrent 802 1X users on a port dot1x max user u...

Page 102: ...Set the client timeout timer dot1x timer supp timeout supp timeout value The default is 30 seconds 3 Set the server timeout timer dot1x timer server timeout server timeout value The default is 100 seconds Configuring the online user handshake feature The online user handshake feature checks the connectivity status of online 802 1X users The access device sends handshake messages to online users at...

Page 103: ...stem view N A 2 Optional Set the handshake timer dot1x timer handshake period handshake period value The default is 15 seconds 3 Enter Layer 2 Ethernet interface view interface interface type interface number N A 4 Enable the online user handshake feature dot1x handshake By default the feature is enabled 5 Optional Enable the online user handshake security feature dot1x handshake secure By default...

Page 104: ...n authorization and accounting on a port No user can use an account in any other domain to access the network through the port The implementation of a mandatory authentication domain enhances the flexibility of 802 1X access control deployment To specify a mandatory authentication domain for a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view int...

Page 105: ...he device does not take effect The device reauthenticates the online 802 1X users after the session timeout timer expires Support for the server configuration and assignment of session timeout timer and termination action depends on the server model The VLANs assigned to an online user before and after reauthentication can be the same or different You can set the perodic reauthenticaiton timer eit...

Page 106: ...LAN tags After an 802 1X user passes authentication on a port the 802 1X server assigns authorization attributes to the access device If the port is assigned to a VLAN as a tagged member the device sends packets to the client with VLAN tags This feature enables the device to send 802 1X protocol packets without VLAN tags It prevents terminal devices connected to the port from failing 802 1X authen...

Page 107: ...curity features on a port follow the guidelines in Table 7 Table 7 Relationships of the 802 1X guest VLAN and other security features Feature Relationship description Reference Super VLAN You cannot specify a VLAN as both a super VLAN and an 802 1X guest VLAN See Layer 2 LAN Switching Configuration Guide MAC authentication guest VLAN on a port that performs MAC based access control Only the 802 1X...

Page 108: ...ignment makes sure the port can correctly process VLAN tagged incoming traffic You can configure only one 802 1X Auth Fail VLAN on a port The 802 1X Auth Fail VLANs on different ports can be different When you configure multiple security features on a port follow the guidelines in Table 8 Table 8 Relationships of the 802 1X Auth Fail VLAN with other features Feature Relationship description Refere...

Page 109: ...N follow these restrictions and guidelines Assign different IDs to the voice VLAN the PVID and the 802 1X critical VLAN on a port The assignment makes sure the port can correctly process VLAN tagged incoming traffic You can configure only one 802 1X critical VLAN on a port The 802 1X critical VLANs on different ports can be different You cannot specify a VLAN as both a super VLAN and an 802 1X cri...

Page 110: ...al voice VLAN The port sends a unicast EAP Request Identity packet to each 802 1X voice user that was assigned to the critical voice VLAN to trigger authentication If port based access control is used the device removes the port from the critical voice VLAN The port sends a multicast EAP Request Identity packet to all 802 1X voice users on the port to trigger authentication Configuration prerequis...

Page 111: ...X critical VLAN on the port dot1x critical eapol By default the device sends an EAP Failure packet to a client when the 802 1X client user is assigned to the 802 1X critical VLAN on the port Specifying supported domain name delimiters By default the access device supports the at sign as the delimiter You can also configure the access device to accommodate 802 1X users who use other domain name del...

Page 112: ...mand is reached To enable 802 1X guest VLAN assignment delay on a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable 802 1X guest VLAN assignment delay on the port dot1x guest vlan delay eapol new mac By default 802 1X guest VLAN assignment delay is disabled on a port Configuring the EAD assis...

Page 113: ...t to the client After the device has made the maximum retransmission attempts but received no response it stops the 802 1X authentication process for the client If the device receives an EAP Response Notification packet within the timer or before the maximum retransmission attempts have been made it starts the SmartOn authentication If the SmartOn switch ID and the MD5 digest of the SmartOn passwo...

Page 114: ...ar 802 1X statistics reset dot1x statistics interface interface type interface number Remove users from the 802 1X guest VLAN on a port reset dot1x guest vlan interface interface type interface number mac address mac address 802 1X authentication configuration examples Basic 802 1X authentication configuration example Network requirements As shown in Figure 36 the access device performs 802 1X aut...

Page 115: ...alpass Set the service type to lan access Device luser network localuser service type lan access Device luser network localuser quit 5 Configure a RADIUS scheme Create the RADIUS scheme radius1 and enter RADIUS scheme view Device radius scheme radius1 Specify the IP addresses of the primary authentication and accounting RADIUS servers Device radius radius1 primary authentication 10 1 1 1 Device ra...

Page 116: ...rt method macbased Specify ISP domain bbb as the mandatory domain Device GigabitEthernet1 0 1 dot1x mandatory domain bbb Device GigabitEthernet1 0 1 quit Enable 802 1X globally Device dot1x Verifying the configuration Verify the 802 1X configuration on GigabitEthernet 1 0 1 Device display dot1x interface gigabitethernet 1 0 1 Display the user connection information after an 802 1X user passes auth...

Page 117: ...t shown 3 Create VLANs and assign ports to the VLANs on the access device Device system view Device vlan 1 Device vlan1 port gigabitethernet 1 0 2 Device vlan1 quit Device vlan 10 Device vlan10 port gigabitethernet 1 0 1 Device vlan10 quit Device vlan 2 Device vlan2 port gigabitethernet 1 0 4 Device vlan2 quit Device vlan 5 Device vlan5 port gigabitethernet 1 0 3 Device vlan5 quit 4 Configure a RA...

Page 118: ...ation lan access radius scheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device isp bbb quit 6 Configure 802 1X on the access device Enable 802 1X on port GigabitEthernet 1 0 2 Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 dot1x Implement port based access control on the port Device GigabitEthernet1 0 2 dot1x port method portbased Set the port authorization ...

Page 119: ...ample for the users Details not shown 3 Assign an IP address to each interface as shown in Figure 38 Details not shown 4 Configure a RADIUS scheme Create RADIUS scheme 2000 and enter RADIUS scheme view Device system view Device radius scheme 2000 Specify the server at 10 1 1 1 as the primary authentication server and set the authentication port to 1812 Device radius 2000 primary authentication 10 ...

Page 120: ...ber 3000 Device acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 time range ftp Device acl adv 3000 quit 8 Configure 802 1X Enable 802 1X on GigabitEthernet 1 0 1 Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 dot1x Device GigabitEthernet1 0 1 quit Enable 802 1X globally Device dot1x Verifying the configuration Use the user account to pass authentication Details not shown Ver...

Page 121: ... server for 802 1X client downloading Allow authenticated 802 1X users to access the network Figure 39 Network diagram Configuration procedure 1 Make sure the DHCP server the Web server and the authentication servers have been configured correctly Details not shown 2 Configure an IP address for each interface Details not shown 3 Configure DHCP relay Enable DHCP Device system view Device dhcp enabl...

Page 122: ...w Device domain bbb Apply RADIUS scheme 2000 to the ISP domain for authentication authorization and accounting Device isp bbb authentication lan access radius scheme 2000 Device isp bbb authorization lan access radius scheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device isp bbb quit 6 Configure 802 1X Configure the free IP Device dot1x ead assistant free ip 192 168 2 0 24 Con...

Page 123: ...ure 40 The intranet 192 168 1 0 24 is attached to GigabitEthernet 1 0 1 of the access device The hosts use DHCP to obtain IP addresses A Web server is deployed on the 192 168 2 0 24 subnet for users to download client software Deploy an EAD solution for the intranet to meet the following requirements Allow unauthenticated users and users who have failed 802 1X authentication to access 192 168 2 0 ...

Page 124: ...rimary accounting server and set the accounting port to 1813 Device radius 2000 primary accounting 10 1 1 2 1813 Set the shared key to abc in plain text for secure communication between the authentication server and the device Device radius 2000 key authentication simple abc Set the shared key to abc in plain text for secure communication between the accounting server and the device Device radius ...

Page 125: ... Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Ping statistics for 192 168 2 3 Packets Sent 4 Received 4 Lost 0 0 loss Approximate round trip times in milli seconds Minimum 0ms Maximum 0ms Average 0ms The output shows that you can access the free IP subnet before passing 802 1X authentication Verify that you are redirected to the Web server when ...

Page 126: ...abc in plain text for secure communication between the accounting server and the device Device radius 2000 key accounting simple abc Exclude the ISP domain names from the usernames sent to the RADIUS server Device radius 2000 user name format without domain Device radius 2000 quit 2 Configure an ISP domain Create ISP domain bbb and enter ISP domain view Device domain bbb Apply RADIUS scheme 2000 t...

Page 127: ...e string format The operating system of the host regards the string as a website name and tries to resolve the string If the resolution fails the operating system sends an ARP request but the target address is not in the dotted decimal notation The redirection feature does redirect this kind of ARP request The address is within a free IP segment No redirection will take place even if no host is pr...

Page 128: ...sed user account for each user The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users You specify one username and password which are not necessarily a MAC address for all MAC authentication users on the access device This policy is suitable f...

Page 129: ...rs Table 9 VLAN manipulation Port type VLAN manipulation Access port Trunk port Hybrid port with MAC based VLAN disabled The device assigns the first authenticated user s authorization VLAN to the port as the PVID NOTE For these port types you must assign the same authorization VLAN to all MAC authentication users on a port If a different authorization VLAN is assigned to a subsequent user the use...

Page 130: ...een assigned to any VLAN fails MAC authentication because all the RADIUS servers are unreachable The device maps the MAC address of the user to the MAC authentication critical VLAN The user is still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable A user in the MAC authentication critical VLAN fails MAC authentication for...

Page 131: ...erver model When no server is reachable for MAC reauthentication the device keeps the MAC authentication users online or logs off the users depending on the keep online feature configuration on the device For information about the keep online feature see Configuring the keep online feature Configuration prerequisites Before you configure MAC authentication complete the following tasks 1 Configure ...

Page 132: ... Enabling parallel processing of MAC authentication and 802 1X authentication Enabling MAC authentication Step Command Remarks 1 Enter system view system view N A 2 Enable MAC authentication globally mac authentication By default MAC authentication is disabled globally 3 Enter Layer 2 Ethernet interface view interface interface type interface number N A 4 Enable MAC authentication on the port mac ...

Page 133: ...tication user name format fixed account name password cipher simple password By default the device uses the MAC address of a user as the username and password for MAC authentication The MAC address is in the hexadecimal notation without hyphens and letters are in lower case Setting MAC authentication timers MAC authentication uses the following timers Offline detect timer Sets the interval that th...

Page 134: ...Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable MAC authentication offline detection mac authentication offline detect enable By default MAC authentication offline detection is enabled Setting the maximum number of concurrent MAC authentication users on a port Perform this task to prevent the system resources from being overused To set the maximum number of c...

Page 135: ...thentication are enabled on a port you can delay MAC authentication so that 802 1X authentication is preferentially triggered If no 802 1X authentication is triggered or 802 1X authentication fails within the delay period the port continues to process MAC authentication Do not set the port security mode to mac else userlogin secure or mac else userlogin secure ext when you use MAC authentication d...

Page 136: ...of the port intrusion protection feature See Configuring port security 802 1X guest VLAN on a port that performs MAC based access control The MAC authentication guest VLAN does not take effect A user who fails MAC authentication is not assigned to the MAC authentication guest VLAN See Configuring 802 1X Including user IP addresses in the authentication requests If the feature is configured users i...

Page 137: ...ed member on the port When you configure the MAC authentication critical VLAN on a port follow the guidelines in Table 12 Table 12 Relationships of the MAC authentication critical VLAN with other security features Feature Relationship description Reference Quiet feature of MAC authentication The MAC authentication critical VLAN feature has higher priority When a user fails MAC authentication becau...

Page 138: ...er 2 LAN Switching Configuration Guide Enable voice VLAN on the port Configuration procedure To enable the MAC authentication critical voice VLAN feature on a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable the MAC authentication critical voice VLAN feature on a port mac authentication crit...

Page 139: ... addresses It prevents those users from modifying their IP addresses to access the network Users who obtain IP addresses through DHCP are not affected Do not configure this feature together with the MAC authentication guest VLAN on a port If both features are configured users in the MAC authentication guest VLAN cannot perform a new round of authentication To include user IP addresses in MAC authe...

Page 140: ...tication delay on the port This operation will delay MAC authentication after 802 1X authentication is triggered To configure both 802 1X authentication and MAC authentication on the port use one of the following methods Enable the 802 1X and MAC authentication features separately on the port Enable port security on the port The port security mode must be userlogin secure or mac or userlogin secur...

Page 141: ...mac address mac address Remove users from the MAC authentication guest VLAN on a port reset mac authentication guest vlan interface interface type interface number mac address mac address MAC authentication configuration examples Local MAC authentication configuration example Network requirements As shown in Figure 42 the device performs local MAC authentication on GigabitEthernet 1 0 1 to control...

Page 142: ...ntication to use MAC based accounts Each MAC address is in the hexadecimal notation with hyphens and letters are in lower case Device mac authentication user name format mac address with hyphen lowercase Enable MAC authentication globally Device mac authentication Verifying the configuration Display MAC authentication settings and statistics to verify your configuration Device display mac authenti...

Page 143: ... accounting for users To control user access to the Internet by MAC authentication perform the following tasks Enable MAC authentication globally and on GigabitEthernet 1 0 1 Configure the device to detect whether a user has gone offline every 180 seconds Configure the device to deny a user for 180 seconds if the user fails MAC authentication Configure all users to belong to the ISP domain bbb Use...

Page 144: ...GigabitEthernet1 0 1 quit Specify the MAC authentication domain as the ISP domain bbb Device mac authentication domain bbb Set MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users Device mac authentication user name format fixed...

Page 145: ... Figure 44 configure the device to meet the following requirements Use RADIUS servers to perform authentication authorization and accounting for users Perform MAC authentication on GigabitEthernet 1 0 1 to control Internet access Use MAC based user accounts for MAC authentication users Each MAC address is in the hexadecimal notation with hyphens and letters are in lower case Use an ACL to deny aut...

Page 146: ...the hexadecimal notation with hyphens and letters are in lower case Device mac authentication user name format mac address with hyphen lowercase Enable MAC authentication on GigabitEthernet 1 0 1 Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 mac authentication Device GigabitEthernet1 0 1 quit Enable MAC authentication globally Device mac authentication 3 Configure the RADIUS s...

Page 147: ...line detection Enabled Authentication order Default Max online users 4294967295 Authentication attempts successful 1 failed 0 Current online users 1 MAC address Auth state 00e0 fc12 3456 Authenticated Verify that you cannot ping the FTP server from the host C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed out Ping statistics...

Page 148: ...SPs with diversified management choices and extended functions For example the ISPs can place advertisements provide community services and publish information on the authentication page Supports multiple authentication modes For example re DHCP authentication implements a flexible address assignment scheme and saves public IP addresses Cross subnet authentication can authenticate users who reside...

Page 149: ...racts with the access device to authenticate users Portal Web server The portal Web server pushes the Web authentication page to authentication clients and forwards user authentication information username and password to the portal authentication server The access device also redirects HTTP requests from unauthenticated users to the portal Web server The portal Web server can be integrated with t...

Page 150: ... the device when the portal client is on a private network and the portal server is on a public network As a best practice in NAT traversal scenarios use an interface s public IP address as the source address of outgoing portal packets Portal authentication modes Portal authentication has three modes direct authentication re DHCP authentication and cross subnet authentication In direct authenticat...

Page 151: ...hentication can implement digital certificate based user authentication Figure 46 Portal support for EAP working flow diagram As shown in Figure 46 the authentication client and the portal authentication server exchange EAP authentication packets The portal authentication server and the access device exchange portal authentication packets that carry the EAP Message attributes The access device and...

Page 152: ... RADIUS server exchange RADIUS packets 6 The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure 7 The portal authentication server sends an authentication success or failure packet to the client 8 If the authentication is successful the portal authentication server sends an authentication reply acknowledgment packet to...

Page 153: ...ted an IP change of the client IP 11 After receiving the IP change notification packets sent by the client and the access device the portal authentication server notifies the client of login success 12 The portal authentication server sends an IP change acknowledgment packet to the access device Step 13 and step 14 are for extended portal functions 13 The client and the security policy server exch...

Page 154: ...sers Configuration prerequisites The portal feature provides a solution for user identity authentication and security check To complete user identity authentication portal must cooperate with RADIUS The prerequisites for portal authentication configuration are as follows The portal authentication server portal Web server and RADIUS server have been installed and configured correctly To use the re ...

Page 155: ...server is created 3 Specify the IP address of the portal authentication server To specify an IPv4 portal server ip ipv4 address vpn instance vpn instance name key cipher simple key string To specify an IPv6 portal server ipv6 ipv6 address vpn instance vpn instance name key cipher simple key string Specify an IPv4 portal authentication server an IPv6 authentication portal server or both By default ...

Page 156: ...rops the packet After a user logs in to the device the user interacts with the portal authentication server as needed Configuration restrictions and guidelines When you enable portal authentication on an interface follow these restrictions and guidelines Make sure the interface has a valid IP address before you enable re DHCP portal authentication on the interface Cross subnet authentication mode ...

Page 157: ...rtal apply web server server name fail permit To specify an IPv6 portal Web server portal ipv6 apply web server server name fail permit Specify an IPv4 portal Web server an IPv6 portal Web server or both on the interface By default no portal Web servers are specified Controlling portal user access Configuring a portal free rule A portal free rule allows specified users to access specified external...

Page 158: ...uthentication source subnets can trigger portal authentication If an unauthenticated user is not on any authentication source subnet the access device discards all the user s HTTP packets that do not match any portal free rule When you configure a portal authentication source subnet follow these restrictions and guidelines Authentication source subnets apply only to cross subnet portal authenticat...

Page 159: ...hen they accessing the specified subnets excluding the destination IP addresses and subnets specified in portal free rules Users can access other subnets without portal authentication If both authentication source subnets and destination subnets are configured on an interface only the authentication destination subnets take effect You can configure multiple authentication destination subnets If th...

Page 160: ...domain defines a set of authentication authorization and accounting policies Each portal user belongs to an authentication domain and is authenticated authorized and accounted in the domain After you specify a portal authentication domain on an interface the device uses the specified authentication domain for AAA of all portal users on the interface ignoring the domain names carried in the usernam...

Page 161: ...filter enable By default outgoing packets filtering is disabled The interface can send any packets Configuring portal detection features Configuring online detection of portal users Configure online detection to quickly detect abnormal logouts of portal users Configure ARP or ICMP detection for IPv4 portal users Configure ND or ICMPv6 detection for IPv6 portal users If the device receives no packe...

Page 162: ...cation server detection During portal authentication if the communication between the access device and portal authentication server is broken both of the following occur New portal users are not able to log in The online portal users are not able to log out normally To address this problem the access device needs to be able to detect the reachability changes of the portal server quickly and take ...

Page 163: ... With the portal Web server detection feature the access device simulates a Web access process to initiate a TCP connection to the portal Web server If the TCP connection can be established successfully the access device considers the detection successful and the portal Web server is reachable Otherwise it considers the detection to have failed Portal authentication status on interfaces of the acc...

Page 164: ...ained in the packet does not exist on the access device the access device informs the portal authentication server to delete the user The access device starts the synchronization detection timer timeout timeout immediately when a user logs in If the user does not appear in any synchronization packet within a synchronization detection interval the access device considers the user does not exist on ...

Page 165: ... By default portal fail permit is disabled for a portal Web server Configuring BAS IP for portal packets sent to the portal authentication server If the device runs Portal 2 0 the unsolicited packets sent to the portal authentication server must carry the BAS IP attribute If the device runs Portal 3 0 the unsolicited packets sent to the portal authentication server must carry the BAS IP or BAS IPv...

Page 166: ...d different NAS Identifier attribute strings in RADIUS requests from different VLANs The strings can be organization names service names or any user categorization criteria depending on the administrative requirements For example map the NAS ID companyA to all VLANs of company A The device will send companyA in the NAS Identifier attribute for the RADIUS server to identify requests from any Compan...

Page 167: ...age Logon success page Logon failure page Online page System busy page Logoff success page You must customize the authentication pages including the page elements that the authentication pages will use for example back jpg for authentication page Logon htm Follow the authentication page customization rules when you edit the authentication page files File name rules The names of the main authentica...

Page 168: ... name input type text name PtUser style width 160px height 22px maxlength 64 p Password input type password name PtPwd style width 160px height 22px maxlength 32 p input type SUBMIT value Logon name PtButton style width 60px onclick form action form action location search form 3 Authentication pages logonSuccess htm and online htm must contain the logoff Post request The following example shows pa...

Page 169: ...l portal Web server and enter its view portal local web server http https ssl server policy policy name tcp port port number By default no local portal Web servers exist 3 Specify the default authentication page file for the local portal Web server default logon page filename By default no default authentication page file is specified for the local portal Web server 4 Optional Configure the listen...

Page 170: ...mand 1 Enter system view system view 2 Log out IPv4 online portal users portal delete user ipv4 address all interface interface type interface number 3 Log out IPv6 online portal users portal delete user all interface interface type interface number ipv6 ipv6 address Displaying and maintaining portal Execute display commands in any view and the reset command in user view Task Command Display porta...

Page 171: ...onfigure direct portal authentication so the host can access only the portal server before passing the authentication and access other network resources after passing the authentication Figure 49 Network diagram Configuration prerequisites Configure IP addresses for the host switch and servers as shown in Figure 49 and make sure they can reach each other Configure the RADIUS server correctly to pr...

Page 172: ...ddress group configuration page b Click Add to open the page as shown in Figure 51 c Enter the IP group name d Enter the start IP address and end IP address of the IP group Make sure the host IP address is in the IP group e Select a service group This example uses the default group Ungrouped f Select the action Normal g Click OK Figure 51 Adding an IP address group 3 Add a portal device ...

Page 173: ...ist g Select whether to support sever heartbeat and user heartbeat functions In this example select No for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 52 Adding a portal device 4 Associate the portal device with the IP address group a As shown in Figure 53 click the icon in the Port Group Information Management column of device NAS to enter the port group configurati...

Page 174: ...counting simple radius Exclude the ISP domain name from the username sent to the RADIUS server Switch radius rs1 user name format without domain Switch radius rs1 quit Enable RADIUS session control Switch radius session control enable 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view Switch domain dm1 Configure AAA methods for the ISP domain Switch isp dm1 auth...

Page 175: ... VLAN interface 100 to the portal authentication server Switch Vlan interface100 portal bas ip 2 2 2 1 Switch Vlan interface100 quit Verifying the configuration Verify that the portal configuration has taken effect Switch display portal interface vlan interface 100 Portal information of Vlan interface100 Nas id profile Not configured IPv4 Portal status Enabled Authentication type Direct Portal Web...

Page 176: ...N Interface 0015 e9a6 7cfe 2 2 2 2 100 Vlan interface100 Authorization information DHCP IP pool N A ACL N A CAR N A Configuring re DHCP portal authentication Network requirements As shown in Figure 55 the host is directly connected to the switch the access device The host obtains an IP address through the DHCP server A portal server acts as both a portal authentication server and a portal Web serv...

Page 177: ...24 Configuration procedure Perform the following tasks on the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 113 Switch radius rs1 prim...

Page 178: ...ttp 192 168 0 111 8080 portal Switch portal websvr newpt quit Enable re DHCP portal authentication on VLAN interface 100 Switch interface vlan interface 100 Switch Vlan interface100 portal enable method redhcp Specify the portal Web server newpt on VLAN interface 100 Switch Vlan interface100 portal apply web server newpt Configure the BAS IP as 20 20 20 1 for portal packets sent from VLAN interfac...

Page 179: ...ess Internet resources After the user passes authentication use the following command to display information about the portal user Switch display portal user interface vlan interface 100 Total portal users 1 Username abc Portal server newpt State Online VPN instance MAC IP VLAN Interface 0015 e9a6 7cfe 20 20 20 2 100 Vlan interface100 Authorization information DHCP IP pool N A ACL N A CAR N A Conf...

Page 180: ...iew SwitchA radius scheme rs1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers SwitchA radius rs1 primary authentication 192 168 0 112 SwitchA radius rs1 primary accounting 192 168 0 112 SwitchA radius rs1 key authentication simple radius SwitchA radius rs1 key accounting simple radius Exclude the ISP domain name from...

Page 181: ...y the portal Web server newpt on VLAN interface 4 SwitchA Vlan interface4 portal apply web server newpt Configure the BAS IP as 20 20 20 1 for portal packets sent from VLAN interface 4 to the portal authentication server SwitchA Vlan interface4 portal bas ip 20 20 20 1 SwitchA Vlan interface4 quit On Switch B configure a default route to subnet 192 168 0 0 24 specifying the next hop address as 20 ...

Page 182: ...d to display information about the portal user SwitchA display portal user interface vlan interface 4 Total portal users 1 Username abc Portal server newpt State Online VPN instance MAC IP VLAN Interface 0000 0000 0000 8 8 8 2 4 Vlan interface4 Authorization information DHCP IP pool N A ACL N A CAR N A Configuring extended direct portal authentication Network requirements As shown in Figure 57 the...

Page 183: ...ting 192 168 0 112 Switch radius rs1 key accounting simple radius Switch radius rs1 key authentication simple radius Switch radius rs1 user name format without domain Specify the security policy server Switch radius rs1 security policy server 192 168 0 113 Switch radius rs1 quit Enable RADIUS session control Switch radius session control enable 2 Configure an authentication domain Create an ISP do...

Page 184: ...tch portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit Enable direct portal authentication on VLAN interface 100 Switch interface vlan interface 100 Switch Vlan interface100 portal enable method direct Specify the portal Web server newpt on VLAN interface 100 Switch Vlan interface100 portal apply web server newpt Configure the BAS IP as 2 2 2 1 for portal packet...

Page 185: ...er passing only identity authentication The user can access Internet resources permitted by ACL 3001 after passing both identity authentication and security check After the user passes identity authentication and security check use the following command to display information about the portal user Switch display portal user interface vlan interface 100 Total portal users 1 Username abc Portal serv...

Page 186: ...P relay agent The portal enabled interface must be configured with a primary IP address a public IP address and a secondary IP address a private IP address For information about DHCP relay agent configuration see Layer 3 IP Services Configuration Guide Make sure the IP address of the portal device added on the portal server is the public IP address 20 20 20 1 of the switch s interface connecting t...

Page 187: ...0 as the isolation ACL and ACL 3001 as the security ACL Switch acl number 3000 Switch acl adv 3000 rule permit ip destination 192 168 0 0 0 0 0 255 Switch acl adv 3000 rule deny ip Switch acl adv 3000 quit Switch acl number 3001 Switch acl adv 3001 rule permit ip Switch acl adv 3001 quit NOTE Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security polic...

Page 188: ... bas ip 20 20 20 1 Switch Vlan interface100 quit Verifying the configuration Verify that the portal configuration has taken effect Switch display portal interface vlan interface 100 Portal information of Vlan interface100 Nas id profile Not configured IPv4 Portal status Enabled Authentication type Redhcp Portal Web server newpt Authentication domain Not configured BAS IP 20 20 20 1 User Detection ...

Page 189: ...tal server newpt State Online VPN instance MAC IP VLAN Interface 0015 e9a6 7cfe 20 20 20 2 100 Vlan interface100 Authorization information DHCP IP pool N A ACL 3001 CAR N A Configuring extended cross subnet portal authentication Network requirements As shown in Figure 59 Switch A supports portal authentication The host accesses Switch A through Switch B A portal server acts as both a portal authen...

Page 190: ...mple radius SwitchA radius rs1 key authentication simple radius SwitchA radius rs1 user name format without domain Specify the security policy server SwitchA radius rs1 security policy server 192 168 0 113 SwitchA radius rs1 quit Enable RADIUS session control SwitchA radius session control enable 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view SwitchA domain ...

Page 191: ...hA Vlan interface4 portal apply web server newpt Configure the BAS IP as 20 20 20 1 for portal packets sent from VLAN interface 4 to the portal authentication server SwitchA Vlan interface4 portal bas ip 20 20 20 1 SwitchA Vlan interface4 quit On Switch B configure a default route to subnet 192 168 0 0 24 specifying the next hop address as 20 20 20 1 Details not shown Verifying the configuration V...

Page 192: ...s 1 Username abc Portal server newpt State Online VPN instance MAC IP VLAN Interface 0000 0000 0000 8 8 8 2 4 Vlan interface4 Authorization information DHCP IP pool N A ACL 3001 CAR N A Configuring portal server detection and portal user synchronization Network requirements As shown in Figure 60 the host is directly connected to the switch the access device The host is assigned a public IP address...

Page 193: ...can detect the reachability of the portal authentication server by cooperating with the portal server heartbeat function Configure portal user synchronization so that the switch can synchronize portal user information with the portal authentication server by cooperating with the portal user heartbeat function Configuring the portal authentication server on IMC PLAT 5 0 This example assumes that th...

Page 194: ...tal IP address group configuration page b Click Add to open the page as shown in Figure 62 c Enter the IP group name d Enter the start IP address and end IP address of the IP group Make sure the host IP address is in the IP group e Select a service group This example uses the default group Ungrouped f Select the action Normal g Click OK Figure 62 Adding an IP address group 3 Add a portal device ...

Page 195: ...ist g Select whether to support sever heartbeat and user heartbeat functions In this example select Yes for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 63 Adding a portal device 4 Associate the portal device with the IP address group a As shown in Figure 64 click the icon in the Port Group Information Management column of device NAS to enter the port group configurat...

Page 196: ...counting simple radius Exclude the ISP domain name from the username sent to the RADIUS server Switch radius rs1 user name format without domain Switch radius rs1 quit Enable RADIUS session control Switch radius session control enable 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view Switch domain dm1 Configure AAA methods for the ISP domain Switch isp dm1 auth...

Page 197: ...Switch Vlan interface100 portal enable method direct Enable portal fail permit for the portal authentication server newpt Switch Vlan interface100 portal fail permit server newpt Specify the portal Web server newpt on VLAN interface 100 Switch Vlan interface100 portal apply web server newpt Configure the BAS IP as 2 2 2 1 for portal packets sent from VLAN interface 100 to the portal authentication...

Page 198: ...figure the RADIUS server correctly to provide authentication and accounting functions Configuration procedure Perform the following tasks on Switch A 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view SwitchA system view SwitchA radius scheme rs1 For the RADIUS scheme specify the VPN instance that is bound to the interface connected to the portal RADIUS server This exa...

Page 199: ...n server SwitchA portal server newpt SwitchA portal server newpt ip 192 168 0 111 vpn instance vpn3 key simple portal SwitchA portal server newpt port 50100 SwitchA portal server newpt quit Configure a portal Web server SwitchA portal web server newpt SwitchA portal websvr newpt url http 192 168 0 111 8080 portal SwitchA portal websvr newpt vpn instance vpn3 SwitchA portal websvr newpt quit Enable...

Page 200: ...nfiguration prerequisites and guidelines Configure IP addresses for the host switch and server as shown in Figure 67 and make sure they can reach each other Configure the RADIUS server correctly to provide authentication and accounting functions Customize the authentication pages compress them to a file and upload the file to the root directory of the storage medium of the switch Configuration pro...

Page 201: ...itch Switch portal local websvr http default logon page abc zip Set the HTTP service listening port number to 2331 for the local portal Web server Switch portal local webserver http tcp port 2331 Switch portal local websvr http quit Configure the portal Web server name as newpt and URL as the IP address of the portal authentication enabled interface or a loopback interface except 127 0 0 1 Switch ...

Page 202: ...tection Not configured Action for server detection Server type Server name Action Layer3 source network IP address Prefix length Destination authenticate subnet IP address Prefix length A user can perform portal authentication through a Web page Before passing the authentication the user can access only the authentication page http 2 2 2 1 2331 portal and all Web requests will be redirected to the...

Page 203: ...cking the Disconnect button on the portal authentication client Analysis When you execute the portal delete user command on the access device to log out a user the access device sends an unsolicited logout notification message to the portal authentication server The destination port number in the logout notification is the listening port number of the portal authentication server configured on the...

Page 204: ... portal authentication server the portal authentication server discards the logout notification When sending of the logout notifications times out the access device logs out the user However the portal authentication server does not receive the logout notification successfully and therefore it regards the user is still online Solution Configure the BAS IP or BAS IPv6 attribute on the interface ena...

Page 205: ...server considers that the user has failed the authentication Solution Configure the BAS IP or BAS IPv6 attribute on the interface enabled with portal authentication Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server ...

Page 206: ...y for scenarios that require only 802 1X authentication or MAC authentication For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication Port security features NTK The need to know NTK feature prevents traffic interception by checking the destination MAC address in the outbound frames The feature ensures that frames are sent only to the follo...

Page 207: ... is disabled on the port and access to the port is not restricted N A Controlling MAC address learning autoLearn NTK intrusion protection secure Performing 802 1X authentication userLogin N A userLoginSecure NTK intrusion protection userLoginSecureExt userLoginWithOUI Performing MAC authentication macAddressWithRadius NTK intrusion protection Performing a combination of MAC authentication and 802 ...

Page 208: ...t based access control The port can service multiple 802 1X users Once an 802 1X user passes authentication on the port any subsequent 802 1X users can access the network through the port without authentication userLoginSecure A port in this mode performs 802 1X authentication and implements MAC based access control The port services only one user passing 802 1X authentication userLoginSecureExt T...

Page 209: ... Ext keyword implies General guidelines and restrictions Do not configure port security and EVB on the same port For information about EVB see EVB Configuration Guide Configuration task list Tasks at a glance Remarks Required Enabling port security N A Optional Setting port security s limit on the number of secure MAC addresses on a port N A Required Setting the port security mode N A Required Con...

Page 210: ... allows The limit of concurrent users allowed by the authentication mode in use Controlling the number of secure MAC addresses on the port in autoLearn mode The port security s limit on the number of secure MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration For more information about MAC address table configuration see Layer 2 LAN Switchin...

Page 211: ...enable a port security mode Step Command Remarks 1 Enter system view system view N A 2 Optional Set an OUI value for user authentication port security oui index index value mac address oui value By default no OUI value is configured for user authentication This command is required for the userlogin withoui mode You can set multiple OUIs but when the port security mode is userlogin withoui the port...

Page 212: ...mode ntk withbroadcasts ntk withmulticasts ntkonly By default NTK is disabled on a port and all frames are allowed to be sent Configuring intrusion protection Intrusion protection enables a device to take one of the following actions in response to illegal frames blockmac Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames All subsequent frames s...

Page 213: ...icky keyword Not available The static secure MAC addresses never age out unless you perform any of the following tasks Manually remove these MAC addresses Change the port security mode Disable the port security feature Yes Sticky Manually added by using the port security mac address security command with the sticky keyword Converted from dynamic secure MAC addresses Automatically learned when the ...

Page 214: ...t secure MAC addresses do not age out 3 Configure a secure MAC address In system view port security mac address security sticky mac address interface interface type interface number vlan vlan id In Layer 2 Ethernet interface view a interface interface type interface number b port security mac address security sticky mac address vlan vlan id c quit By default no secure MAC address exists In the sam...

Page 215: ...rt the user is not reauthenticated As a best practice enable MAC move for wireless users that roam between ports to access the network To enable MAC move Step Command Remarks 1 Enter system view system view N A 2 Enable MAC move port security mac move permit By default MAC move is disabled Enabling the authorization fail offline feature The authorization fail offline feature logs off port security...

Page 216: ...d profile the device uses the device name as the NAS ID For more information about the NAS ID profile configuration see Configuring AAA To apply a NAS ID profile to port security Step Command Remarks 1 Enter system view system view N A 2 Apply a NAS ID profile to port security In system view port security nas id profile profile name In Layer 2 Ethernet interface view a interface interface type int...

Page 217: ...rity enable Set the secure MAC aging timer to 30 minutes Device port security timer autolearn aging 30 Set port security s limit on the number of secure MAC addresses to 64 on port GigabitEthernet 1 0 1 Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 port security max mac count 64 Set the port security mode to autoLearn Device GigabitEthernet1 0 1 port security port mode autolea...

Page 218: ...vlan 1 port security mac address security sticky 0002 0000 0012 vlan 1 port security mac address security sticky 0002 0000 0011 vlan 1 Device GigabitEthernet1 0 1 quit Verify that the port security mode changes to secure after the number of MAC addresses learned by the port reaches 64 Device display port security interface gigabitethernet 1 0 1 Verify that the port will be disabled for 30 seconds ...

Page 219: ...lowing configuration steps cover some AAA RADIUS configuration commands For more information about the commands see Security Command Reference Make sure the host and the RADIUS server can reach each other 1 Configure AAA Configure a RADIUS scheme named radsun Device system view Device radius scheme radsun Device radius radsun primary authentication 192 168 1 2 Device radius radsun primary accounti...

Page 220: ...port security mode to userLoginWithOUI Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 port security port mode userlogin withoui Device GigabitEthernet1 0 1 quit Verifying the configuration Verify the RADIUS scheme configuration Device display radius scheme radsun RADIUS Scheme Name radsun Index 0 Primary Auth Server Host name Not configured IP 192 168 1 2 Port 1812 State Active...

Page 221: ...bitEthernet1 0 1 is link up Port mode userLoginWithOUI NeedToKnow mode Disabled Intrusion protection mode NoAction Security MAC address attribute Learning mode Sticky Aging type Periodical Max secure MAC addresses 4294967295 Current secure MAC addresses 1 Authorization Permitted Display information about the online 802 1X user to verify 802 1X configuration Device display dot1x Verify that the por...

Page 222: ...y Enable port security Device system view Device port security enable Use MAC based accounts for MAC authentication Each MAC address must be in the hexadecimal notation with hyphens and letters are in upper case Device mac authentication user name format mac address with hyphen uppercase Specify the MAC authentication domain Device mac authentication domain sun Set the 802 1X authentication method...

Page 223: ... to be authenticated Device display mac authentication interface gigabitethernet 1 0 1 Global MAC authentication parameters MAC authentication Enabled Username format MAC address in uppercase XX XX XX XX XX XX Username mac Password Not configured Offline detect period 300 s Quiet period 180 s Server timeout 100 s Authentication domain sun Max MAC auth users 4294967295 per slot Online MAC auth user...

Page 224: ...uth period 3600 s Max auth requests 2 SmartOn supp timeout 30 s SmartOn retry counts 3 EAD assistant function Disabled EAD timeout 30 min Domain delimiter Max 802 1X users 4294967295 per slot Online 802 1X users 1 GigabitEthernet1 0 1 is link up 802 1X authentication Enabled Handshake Enabled Handshake security Disabled Handshake reply Disabled Unicast trigger Disabled Periodic reauth Disabled Por...

Page 225: ...port security mode for a port Analysis For a port operating in a port security mode other than noRestrictions you cannot change the port security mode by using the port security port mode command Solution To resolve the problem 1 Set the port security mode to noRestrictions Device GigabitEthernet1 0 1 undo port security port mode 2 Set a new port security mode for the port for example autoLearn De...

Page 226: ...evice GigabitEthernet1 0 1 port security max mac count 64 Device GigabitEthernet1 0 1 port security port mode autolearn Device GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 2 If the problem persists contact Hewlett Packard Enterprise Support ...

Page 227: ...he password control composition command in Security Command Reference Depending on the system s security requirements you can set the minimum number of character types a password must contain and the minimum number of characters for each type as shown in Table 16 Table 16 Password composition policy Password combination level Minimum number of character types Minimum number of characters for each ...

Page 228: ...e passwords for FTP users Early notice on pending password expiration When a user logs in the system checks whether the password will expire in a time equal to or less than the specified notification period If so the system notifies the user when the password will expire and provides a choice for the user to change the password If the user sets a new password that is complexity compliant the syste...

Page 229: ...e user and user account in any of the following ways Disables the user account until the account is manually removed from the password control blacklist Allows the user to continue using the user account The user s IP address and user account are removed from the password control blacklist when the user uses this account to successfully log in to the device Disables the user account for a period o...

Page 230: ...lication scope have higher priority To configure password control perform the following tasks Tasks at a glance Required Enabling password control Optional Setting global password control parameters Optional Setting user group password control parameters Optional Setting local user password control parameters Optional Setting super password control parameters Enabling password control To successfu...

Page 231: ...assword control blacklist Other password control configurations do not take effect on users that have been logged in or passwords that have been configured To set global password control parameters Step Command Remarks 1 Enter system view system view N A 2 Set the password expiration time password control aging aging time The default setting is 90 days 3 Set the minimum password update interval pa...

Page 232: ...w N A 2 Create a user group and enter user group view user group group name By default no user group exists For information about how to configure a user group see Configuring AAA 3 Configure the password expiration time for the user group password control aging aging time By default the password expiration time of the user group equals the global password expiration time 4 Configure the minimum p...

Page 233: ... composition policy for the local user password control composition type number type number type length type length By default the settings equal those for the user group to which the local user belongs If no password composition policy is configured for the user group the global settings apply to the local user 6 Configure the password complexity checking policy for the local user password contro...

Page 234: ...e Displaying and maintaining password control Execute display commands in any view and reset commands in user view Task Command Display password control configuration display password control super Display information about users in the password control blacklist display password control blacklist user name name ip ipv4 address ipv6 ipv6 address Delete users from the password control blacklist res...

Page 235: ...re Enable the password control feature globally Sysname system view Sysname password control enable Disable a user account permanently if a user fails two consecutive login attempts on the user account Sysname password control login attempt 2 exceed lock Set all passwords to expire after 30 days Sysname password control aging 30 Globally set the minimum password length to 16 characters Sysname pas...

Page 236: ... the password for the local user to expire after 20 days Sysname luser manage test password control aging 20 Configure the password of the local user in interactive mode Sysname luser manage test password Password Confirm Updating user information Please wait Sysname luser manage test quit Verifying the configuration Display the global password control configuration Sysname display password contro...

Page 237: ...r user name test class manage Total 1 local users matched Device management user test State Active Service type Telnet User group system Bind attributes Authorization attributes Work directory flash User role list network operator Password control configurations Password aging Enabled 20 days Password length Enabled 24 characters Password composition Enabled 4 types 5 characters per type ...

Page 238: ... Encryption and decryption Any public key receiver can use the public key to encrypt information but only the private key owner can decrypt the information Digital signature The key owner uses the private key to digitally sign information to be sent The receiver decrypts the information with the sender s public key to verify information authenticity RSA DSA and ECDSA can all perform digital signat...

Page 239: ...One host key pair if you specify a key pair name One server key pair and one host key pair if you do not specify a key pair name Both key pairs use their default names In FIPS mode One host key pair NOTE Only SSH 1 5 uses the RSA server key pair In non FIPS mode 512 to 2048 bits and defaults to 1024 bits To ensure security use a minimum of 768 bits In FIPS mode 2048 bits DSA One host key pair In n...

Page 240: ...a host public key follow these restrictions and guidelines If you specify a file name in the command the command exports the key to the specified file If you do not specify a file name the command exports the key to the monitor screen You must manually save the exported key to a file To export a local host public key Step Command 1 Enter system view system view 2 Export a local host public key Exp...

Page 241: ...re of the peer device you must configure the peer device s public key on the local device You can configure the peer host public key by using the following methods Import the peer host public key form a public key file recommended Manually enter type or copy the peer host public key Importing a peer host public key from a public key file Before you perform this task make sure you have exported the...

Page 242: ...d enter public key view public key peer keyname By default no peer host public keys exist 3 Type or copy the key N A You can use spaces and carriage returns but the system does not save them 4 Return to system view peer public key end When you exit public key view the system automatically saves the public key Displaying and maintaining public keys Execute display commands in any view Task Command ...

Page 243: ...7347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Key name serverkey default Key type RSA Time when key pair created 16 48 31 2011 05 12 Key code 307C300D06092A864886F70D0101010500036B003068...

Page 244: ...modulus 1024 Key code 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Example for importing a public key from a public ...

Page 245: ... serverkey default Key type RSA Time when key pair created 16 48 31 2011 05 12 Key code 307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC 1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953FB22AA30203010001 Export the RSA host public key to the file devicea pub D...

Page 246: ...Import the host public key from the key file devicea pub DeviceB system view DeviceB public key peer devicea import sshkey devicea pub Verifying the configuration Verify that the host public key is the same as it is on Device A DeviceB display public key peer name devicea Key name devicea Key type RSA Key modulus 1024 Key code 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F592373...

Page 247: ... message authentication code MAC to verify message integrity It uses a MAC algorithm and a key to transform a message of any length to a fixed length message Any change to the original message will result in a change to the calculated fixed length message As shown in Figure 74 the message integrity verification process is as follows a The sender uses a MAC algorithm and a key to calculate a MAC va...

Page 248: ...at complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode SSL configuration task list Tasks at a glance Remarks Configuring an SSL server policy Perform this configuration task on the SSL server Configuring an SSL client policy Perform this configuration task on the SSL client Configuring an SSL serve...

Page 249: ...tiation ssl renegotiation disable By default SSL session renegotiation is enabled 4 Create an SSL server policy and enter its view ssl server policy policy name By default no SSL server policies exist on the device 5 Optional Specify a PKI domain for the SSL server policy pki domain domain name By default no PKI domain is specified for an SSL server policy If SSL server authentication is required ...

Page 250: ...dsa_aes_256_gc m_sha384 exp_rsa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256 rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode ciphersuite ecdhe_rsa_aes_128_cbc_ sha256 ecdhe_rsa_aes_256_cbc_s ha384 ecdhe_rsa_aes_128_gcm_s ha256 ecdhe_rsa_aes_256_gcm_s ha384 ecdhe_ecdsa_aes_128_cbc ...

Page 251: ...e client uses to establish a connection to the server An SSL client policy takes effect only after it is associated with an application such as DDNS To configure an SSL client policy Step Command Remarks 1 Enter system view system view N A 2 Optional Disable SSL session renegotiation ssl renegotiation disable By default SSL session renegotiation is enabled 3 Create an SSL client policy and enter i...

Page 252: ...ha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256 rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode prefer cipher ecdhe_rsa_aes_128_cbc _sha256 ecdhe_rsa_aes_256_cbc_ sha384 ecdhe_rsa_aes_128_gcm _sha256 ecdhe_rsa_aes_256_gcm _sha384 ecdhe_ecdsa_aes_128_c bc_sha256 ecdhe_ecdsa_aes_256_c bc_sha384...

Page 253: ... server policy policy name Display SSL client policy information display ssl client policy policy name SSL server policy configuration example Network requirements As shown in Figure 76 users need to access and control the device through the Web interface To protect the device and prevent data from being eavesdropped or tampered with configure the device to be accessible to users through HTTPS onl...

Page 254: ...n Configure a general purpose RSA key pair named abc and set the key modulus length to 1024 bits Device pki domain 1 public key rsa general name abc length 1024 Device pki domain 1 quit Generate RSA key pair abc Device public key local create rsa name abc The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modul...

Page 255: ...e 123 Device luser usera service type https Device luser usera authorization attribute user role network admin 3 Request a certificate for the host a Launch IE on the host and then enter http 10 1 2 2 certsrv in the address bar b Request a client certificate for the host Details not shown Verifying the configuration Perform the following tasks on the host 1 Launch IE and enter https 10 1 1 1 in th...

Page 256: ...t comply with the international standards of ITU T X 509 of which X 509 v3 is the most commonly used This chapter covers the following types of certificates CA certificate Certificate of a CA Multiple CAs in a PKI system form a CA tree with the root CA at the top The root CA generates a self signed certificate and each lower level CA holds a CA certificate issued by the CA immediately above it The...

Page 257: ...e SCEP to communicate with the CA or RA CA Certification authority that grants and manages certificates A CA issues certificates defines the certificate validity periods and revokes certificates by publishing CRLs RA Registration authority which offloads the CA by processing enrollment requests The RA accepts certificate requests verifies user identity and determines whether to ask the CA to issue...

Page 258: ... PKI can address the email requirements for confidentiality integrity authentication and non repudiation A common secure email protocol is Secure Multipurpose Internet Mail Extensions S MIME which is based on PKI and allows for transfer of encrypted mails with signature Web security PKI can be used in the SSL handshake phase to verify the identities of the communicating parties by digital certific...

Page 259: ...ntity must include at least one of following identity categories Distinguished name DN of the entity which further includes the common name county code locality organization unit in the organization and state If you configure the DN for an entity a common name is required FQDN of the entity IP address of the entity Whether the categories are required or optional depends on the CA policy Follow the...

Page 260: ...rface number By default the IP address is not configured Configuring a PKI domain A PKI domain contains enrollment information for a PKI entity It is locally significant and is intended only for reference by other applications like SSL To configure a PKI domain Step Command Remarks 1 Enter system view system view N A 2 Create a PKI domain and enter its view pki domain domain name By default no PKI...

Page 261: ...CA and verifying the fingerprint of the CA certificate If a fingerprint is not entered in the PKI domain and if the CA certificate is imported or obtained through manual certificate request you must verify the fingerprint that is displayed during authentication of the CA certificate If the CA certificate is obtained through automatic certificate request the certificate will be rejected if a finger...

Page 262: ...ertificate request is submitted by using an out of band method such as phone disk or email You can use this mode as required or if you fail to request a certificate in online mode To submit a certificate request in offline mode a Use pki request certificate domain pkcs10 to print the request information on the terminal or use pki request certificate domain pkcs10 filename to save the request infor...

Page 263: ...st a local certificate If no CA certificate exists in the PKI domain the PKI entity automatically obtains a CA certificate before sending a certificate request To configure automatic certificate request Step Command Remarks 1 Enter system view system view N A 2 Enter PKI domain view pki domain domain name N A 3 Set the certificate request mode to auto certificate request mode auto password cipher ...

Page 264: ...ning certificates You can obtain the CA certificate local certificates and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency To do so use either the offline mode or the online mode In offline mode obtain the certificates by an out of band means like FTP disk or email and then import them locally Use this mode when the CRL repository is not speci...

Page 265: ...ew N A 2 Obtain certificates Import certificates in offline mode pki import domain domain name der ca local peer filename filename p12 local filename filename pem ca local peer filename filename Obtain certificates in online mode pki retrieve certificate domain domain name ca local peer entity name The pki retrieve certificate command is not saved in the configuration file Verifying PKI certificat...

Page 266: ...checking Step Command Remarks 1 Enter system view system view N A 2 Enter PKI domain view pki domain domain name N A 3 Optional Specify the URL of the CRL repository crl url url string vpn instance vpn instance name By default the URL of the CRL repository is not specified 4 Enable CRL checking crl check enable By default CRL checking is enabled 5 Return to system view quit N A 6 Obtain the CA cer...

Page 267: ...S12 format the PKI domain must have at least one local certificate Otherwise the certificates in the PKI domain cannot be exported You can export the CA certificate and the local certificates in a PKI domain to certificate files The exported certificate files can then be imported back to the device or other PKI applications When you export a local certificate with the RSA key pair the name of the ...

Page 268: ...ent s certificate A certificate based access control policy is a set of access control rules permit or deny statements each associated with a certificate attribute group A certificate attribute group contains multiple attribute rules each defining a matching criterion for an attribute in the certificate issuer name subject name or alternative subject name field If a certificate matches all attribu...

Page 269: ...playing and maintaining PKI Execute display commands in any view Task Command Display the contents of a certificate display pki certificate domain domain name ca local peer serial serial num Display certificate request status display pki certificate request status domain domain name Display locally stored CRLs in a PKI domain display pki crl domain domain name Display certificate attribute group i...

Page 270: ...ess list for SCEP autovetting Configuring the device 1 Synchronize the system time of the device with the CA server for the device to correctly request certificates or obtain CRLs Details not shown 2 Create an entity named aaa and set the common name to Device Device system view Device pki entity aaa Device pki entity aaa common name Device Device pki entity aaa quit 3 Configure a PKI domain Creat...

Page 271: ...CA s finger print is MD5 fingerprint EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct Y N y Retrieved the certificates successfully Submit a certificate request manually You must specify a password for certificate revocation when an RSA Keon CA server is used Device pki request certificate domain torsa password 1...

Page 272: ... 25 64 a5 99 d1 f6 ec 4f 22 e8 6a 96 58 6c c9 47 46 8c f1 ba 89 b8 af fa 63 c6 c9 77 10 45 0d 8f a6 7f b9 e8 25 90 4a 8e c6 cc b8 1a f8 e0 bc 17 e0 6a 11 ae e7 36 87 c4 b0 49 83 1c 79 ce e2 a3 4b 15 40 dd fe e0 35 52 ed 6d 83 31 2c c2 de 7c e0 a7 92 61 bc 03 ab 40 bd 69 1b f5 To display detailed information about the CA certificate use the display pki certificate domain command Requesting a certif...

Page 273: ...y the path for certificate service in the Local path field e Specify a unique TCP port number for the default website to avoid conflict with existing services This example uses port 8080 Configuring the device 1 Synchronize the device s system time with the CA server for the device to correctly request certificates Details not shown 2 Create an entity named aaa and set the common name to test Devi...

Page 274: ...request the general certificate Request certificate of domain winserver successfully Verifying the configuration Display information about the local certificate in PKI domain winserver Device display pki certificate domain winserver local Certificate Data Version 3 0x2 Serial Number Negative 01 03 99 ff ff ff ff fd 11 Signature Algorithm sha1WithRSAEncryption Issuer CN sec Validity Not Before Dec ...

Page 275: ...c crl Authority Information Access CA Issuers URI http gc CertEnroll gc_sec crt CA Issuers URI file gc CertEnroll gc_sec crt 1 3 6 1 4 1 311 20 2 0 I P S E C I n t e r m e d i a t e O f f l i n e Signature Algorithm sha1WithRSAEncryption 76 f0 6c 2c 4d bc 22 59 a7 39 88 0b 5c 50 2e 7a 5c 9d 6c 28 3c c0 32 07 5a 9c 4c b6 31 32 62 a9 45 51 d5 f5 36 8f 47 3d 47 ae 74 6c 54 92 f2 54 9f 1a 80 8a 3f b2 ...

Page 276: ...vice system view Device pki entity aaa Device pki entity aaa common name rnd Device pki entity aaa country CN Device pki entity aaa organization test Device pki entity aaa organization unit software Device pki entity aaa quit 3 Configure a PKI domain Create a PKI domain named openca and enter its view Device pki domain openca Set the name of the trusted CA to myca Device pki domain openca ca ident...

Page 277: ... to request the general certificate Request certificate of domain openca successfully Verifying the configuration Display information about the local certificate in PKI domain openca Device display pki certificate domain openca local Certificate Data Version 3 0x2 Serial Number 21 1d b8 d2 e4 a9 21 28 e4 de Signature Algorithm sha256WithRSAEncryption Issuer C CN L shangdi ST pukras O OpenCA Labs O...

Page 278: ...22 218 pki pub cacert cacert crt OCSP URI http 192 168 222 218 2560 1 3 6 1 5 5 7 48 12 URI http 192 168 222 218 830 X509v3 CRL Distribution Points Full Name URI http 192 168 222 218 pki pub crl cacrl crl Signature Algorithm sha256WithRSAEncryption 5c 4c ba d0 a1 35 79 e6 e5 98 69 91 f6 66 2a 4f 7f 8b 0e 80 de 79 45 b9 d9 12 5e 13 28 17 36 42 d5 ae fc 4e ba b9 61 f1 0a 76 42 e7 a6 34 43 3e 2d 02 5...

Page 279: ...ce ssl server policy abc pki domain domain1 Device ssl server policy abc client verify enable Device ssl server policy abc quit 4 Configure certificate attribute groups Create a certificate attribute group named mygroup1 and add two attribute rules The first rule defines that the DN in the subject DN contains the string of aabbcc The second rule defines that the IP address of the certificate issue...

Page 280: ...f the certificate issuer is 1 1 1 1 and the FQDN of the alternative subject name is banaba The host s certificate does not match certificate attribute group mygroup1 specified in rule 1 of the certificate based access control policy The certificate continues to match against rule 2 The host s certificate matches certificate attribute group mygroup2 specified in rule 2 Because rule 2 is a permit st...

Page 281: ...kilocal pem signature and pkilocal pem encryption and contain the private key for signature and encryption respectively Display local certificate file pkilocal pem signature DeviceA quit DeviceA more pkicachain pem sign Bag Attributes friendlyName localKeyID 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89 subject C CN O OpenCA Labs OU Users CN subsign 11 issuer C CN L shangdi ST pukras...

Page 282: ... DeviceB pki domain importdomain DeviceB pki domain importdomain undo crl check enable Specify RSA key pair sign for signature and RSA key pair encr for encryption DeviceB pki domain importdomain public key rsa signature name sign encryption name encr DeviceB pki domain importdomain quit Import CA certificate file pkicachain pem in PEM format to the PKI domain DeviceB pki import domain importdomai...

Page 283: ...nsions X509v3 Basic Constraints CA FALSE Netscape Cert Type SSL Client S MIME X509v3 Key Usage Digital Signature Non Repudiation X509v3 Extended Key Usage TLS Web Client Authentication E mail Protection Microsoft Smartcardlogin Netscape Comment User Certificate of OpenCA Labs X509v3 Subject Key Identifier AA 45 54 29 5A 50 2B 89 AB 06 E5 BD 0D 07 8C D9 79 35 B1 F5 X509v3 Authority Key Identifier k...

Page 284: ... d7 bf 1a 86 22 78 87 3e 67 fe 4b ed 37 3d d6 0a 1c 0b Certificate Data Version 3 0x2 Serial Number 08 7c 67 01 5c b3 5a 12 0f 2f Signature Algorithm sha256WithRSAEncryption Issuer C CN L shangdi ST pukras O OpenCA Labs OU docm CN subca1 Validity Not Before May 26 05 58 26 2011 GMT Not After Nov 22 05 58 26 2012 GMT Subject C CN O OpenCA Labs OU Users CN subencr 11 Subject Public Key Info Public K...

Page 285: ... fa 15 16 90 71 e2 98 e3 5c c6 e3 d4 5f 7a f6 a9 4f a2 7f ca af c4 c8 c7 2c c0 51 0a 45 d4 56 e2 81 30 41 be 9f 67 a1 23 a6 09 50 99 a1 40 5f 44 6f be ff 00 67 9d 64 98 fb 72 77 9e fd f2 4c 3a b2 43 d8 50 5c 48 08 e7 77 df fb 25 9f 4a ea de 37 1e fb bc 42 12 0a 98 11 f2 d9 5b 60 bc 59 72 04 48 59 cc 50 39 a5 40 12 ff 9d d0 69 3a 5e 3a 09 5a 79 e0 54 67 a0 32 df bf 72 a0 74 63 f9 05 6f 5e 28 d2 e8 ...

Page 286: ...he CA administrator 6 Verify the fingerprint of the CA certificate on the CA server 7 If the problem persists contact Hewlett Packard Enterprise Support Failed to obtain local certificates Symptom The local certificates can be obtained Analysis The network connection is down The PKI domain does not have a CA certificate before you submit the local certificate request The LDAP server is not configu...

Page 287: ... are incorrectly configured No key pair is specified in the PKI domain for certificate request or the key pair is changed during a certificate request process Exclusive certificate request applications are running in the PKI domain The CA server does not accept the source IP address specified in the PKI domain or no source IP address is specified The system time of the device is not synchronized w...

Page 288: ...not accept the source IP address specified in the PKI domain or no source IP address is specified Solution 1 Fix the network connection problems if any 2 Obtain or import the CA certificate 3 If the URL of the CRL repository cannot be obtained verify that the following conditions exist The URL for certificate request is valid A local certificate has been successfully obtained The local certificate...

Page 289: ...icate is out of the validity period The system time is incorrect Solution 1 Obtain or import the CA certificate 2 Use the undo crl check enable command to disable CRL checking or obtain the correct CRL before you import certificates 3 Make sure the format of the file to be imported is correct 4 Make sure the certificate file contains the private key 5 Make sure the certificate is not revoked 6 Mak...

Page 290: ...lett Packard Enterprise Support Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set Analysis The specified storage path does not exist The specified storage path is illegal The storage space of the device is full Solution 1 Use the mkdir command to create the path 2 Specify a valid storage path for certificates or CRLs 3 Clear up the storage space of the ...

Page 291: ...plicate packets IPsec delivers the following benefits Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol IKE provides automatic key negotiation and automatic IPsec security association SA setup and maintenance Good compatibility You can apply IPsec to all IP based application systems and services without modifying them Encryption on a per packet rather than ...

Page 292: ...The security protocols protect the entire IP packet The entire IP packet is used to calculate the security protocol headers The calculated security protocol headers and the encrypted data only for ESP encapsulation are encapsulated in a new IP packet In this mode the encapsulated packet has two IP headers The inner IP header is the original IP header The outer IP header is added by the network dev...

Page 293: ... up SAs through IKE negotiations in medium and large scale dynamic networks A manually configured SA never ages out An IKE created SA has a lifetime which comes in two types Time based lifetime Defines how long the SA can be valid after it is created Traffic based lifetime Defines the maximum traffic that the SA can process If both lifetime timers are configured for an SA the SA becomes invalid wh...

Page 294: ...negotiation triggered by the packet The IPsec tunnels are actually the IPsec SAs The inbound packets are protected by the inbound SA and the outbound packets are protected by the outbound SA When the remote IPsec peer receives the packet it drops de encapsulates or directly forwards the packet according to the configured IPsec policy Interface based IPsec supports setting up IPsec tunnels based on...

Page 295: ...e center and the branches are protected by IPsec The gateway at the enterprise center is configured with static routes to route traffic to the IPsec protected interfaces It is difficult to add or modify static routes on the gateway at the enterprise center if the IPsec VPN has a large number of branches or if the network structure changes Figure 87 IPsec VPN IPsec Reverse Route Injection RRI enabl...

Page 296: ...pecify an ACL in the policy and apply the policy to an interface see Implementing ACL based IPsec The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network Application based IPsec tunnel Protects the packets of an application This method can be used to protect IPv6 routing protocols It does not require any ACL For information about IPv6 routing protocol protection...

Page 297: ...ding a source interface to an IPsec policy Optional Enabling QoS pre classify Optional Enabling logging of IPsec packets Optional Configuring IPsec RRI Optional Configuring the DF bit of IPsec packets Optional Configuring SNMP notifications for IPsec Configuring an ACL IPsec uses ACLs to identify the traffic to be protected Keywords in ACL rules An ACL is a collection of ACL rules Each ACL rule is...

Page 298: ... match a permit statement at the receiving end they will be dropped by IPsec Mirror image ACLs To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly between two IPsec peers create mirror image ACLs on the IPsec peers If the ACL rules on IPsec peers do not form mirror images of each other SAs can be set up only when both of the following requirements are met T...

Page 299: ...a256 sha384 sha512 Configure at least one command By default no security algorithm is specified You can specify security algorithms for a security protocol only when the security protocol is used by the transform set For example you can specify the ESP specific security algorithms only when you select ESP or AH ESP as the security protocol If you use ESP in FIPS mode you must specify both the ESP ...

Page 300: ...must have IPsec transform sets that use the same security protocols security algorithms and encapsulation mode The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface applied with th...

Page 301: ...r a manual IPsec policy 6 Specify the remote IP address of the IPsec tunnel remote address ipv4 address ipv6 ipv6 address By default the remote IP address of the IPsec tunnel is not specified The local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied The local IPv6 address of the IPsec tunnel is the first IPv6 address of the interfa...

Page 302: ...n an IKE based IPsec policy the parameters are automatically negotiated through IKE To configure an IKE based IPsec policy use one of the following methods Directly configure it by configuring the parameters in IPsec policy view Configure it by using an existing IPsec policy template with the parameters to be negotiated configured A device using an IPsec policy that is configured in this way canno...

Page 303: ...cy security acl ipv6 acl number name acl name aggregation per host By default no ACL is specified for the IPsec policy You can specify only one ACL for an IPsec policy 5 Specify IPsec transform sets for the IPsec policy transform set transform set name 1 6 By default no IPsec transform sets are specified for an IPsec policy 6 Specify an IKE profile for the IPsec policy ike profile profile name By ...

Page 304: ... based SA lifetime is 3600 seconds and the traffic based SA lifetime is 1843200 kilobytes 15 Optional Enable the global IPsec SA idle timeout feature and set the global SA idle timeout ipsec sa idle time seconds By default the global IPsec SA idle timeout feature is disabled Configuring an IKE based IPsec policy by using an IPsec policy template The configurable parameters for an IPsec policy temp...

Page 305: ...bout IKE profiles see Configuring IKE 7 Specify an IKEv2 profile for the IPsec policy template ikev2 profile profile name By default no IKEv2 profile is specified for the IPsec policy template You can specify only one IKEv2 profile for an IPsec policy template For more information about IKEv2 profiles see Configuring IKEv2 8 Optional Specify the local IP address of the IPsec tunnel local address i...

Page 306: ... sent out of an interface applied with an IPsec policy the interface looks through the IPsec policy entries in the IPsec policy in ascending order of sequence numbers If the packet matches the ACL of an IPsec policy entry the interface uses the IPsec policy entry to protect the packet If no match is found the interface sends the packet out without IPsec protection When the interface receives an IP...

Page 307: ...ure is enabled Configuring IPsec anti replay The IPsec anti replay feature protects networks against anti replay attacks by using a sliding window mechanism called anti replay window This feature checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window If the sequence number is not in the current sequence number range the...

Page 308: ...ndancy This feature synchronizes the following information from the active device to the standby device at configurable packet based intervals Lower bound values of the IPsec anti replay window for inbound packets IPsec anti replay sequence numbers for outbound packets This feature used together with IPsec redundancy ensures uninterrupted IPsec traffic forwarding and anti replay protection when th...

Page 309: ... address of the bound source interface to perform IKE negotiation If a local address is specified the IPsec policy uses the local address to perform IKE negotiation To bind a source interface to an IPsec policy Step Command Remarks 1 Enter system view system view N A 2 Bind a source interface to an IPsec policy ipsec ipv6 policy policy policy name local address interface type interface number By d...

Page 310: ...abled Configuring IPsec RRI Configuration guidelines When you enable or disable IPsec RRI for an IPsec policy the device deletes all IPsec SAs created by this IPsec policy and the associated static routes If you change the preference value or tag value for an IPsec policy the device deletes all IPsec SAs created by this IPsec policy and the associated static routes Your change takes effect for fut...

Page 311: ...s the DF bit in the new header set Sets the DF bit in the new header copy Copies the DF bit in the original IP header to the new IP header You can configure the DF bit in system view and interface view The interface view DF bit setting takes precedence over the system view DF bit setting If the interface view DF bit setting is not configured the interface uses the system view DF bit setting Follow...

Page 312: ... 3 IP Routing Configuration Guide Optional Enabling logging of IPsec packets Optional Configuring SNMP notifications for IPsec Configuring a manual IPsec profile A manual IPsec profile is similar to a manual IPsec policy The difference is that an IPsec profile is uniquely identified by a name and it does not support ACL configuration A manual IPsec profile specifies the IPsec transform set used fo...

Page 313: ...IPsec SA Configure an authentication key in hexadecimal format for AH sa hex key authentication inbound outbound ah cipher simple key value Configure an authentication key in character format for AH sa string key inbound outbound ah cipher simple key value Configure a key in character format for ESP sa string key inbound outbound esp cipher simple key value Configure an authentication key in hexad...

Page 314: ...event types are disabled Displaying and maintaining IPsec Execute display commands in any view and reset commands in user view Task Command Display IPsec policy information display ipsec ipv6 policy policy policy name seq number Display IPsec policy template information display ipsec ipv6 policy template policy template template name seq number Display IPsec profile information display ipsec profi...

Page 315: ...e 0 permit ip source 2 2 2 1 0 destination 2 2 3 1 0 SwitchA acl adv 3101 quit Create an IPsec transform set named tran1 SwitchA ipsec transform set tran1 Specify the encapsulation mode as tunnel SwitchA ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchA ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorithms Swi...

Page 316: ...v 3101 quit Create an IPsec transform set named tran1 SwitchB ipsec transform set tran1 Specify the encapsulation mode as tunnel SwitchB ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchB ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorithms SwitchB ipsec transform set tran1 esp encryption algorithm aes cbc 128...

Page 317: ...ipsec sa Interface Vlan interface 1 IPsec policy map1 Sequence number 10 Mode manual Tunnel id 549 Encapsulation mode tunnel Path MTU 1443 Tunnel local address 2 2 2 1 remote address 2 2 3 1 Flow as defined in ACL 3101 Inbound ESP SA SPI 54321 0x0000d431 Transform set ESP ENCRYPT AES CBC 128 ESP AUTH SHA1 No duration limit for this SA Outbound ESP SA SPI 12345 0x00003039 Transform set ESP ENCRYPT ...

Page 318: ...gorithm sha1 SwitchA ipsec transform set tran1 quit Create and configure the IKE keychain named keychain1 SwitchA ike keychain keychain1 Specify the plaintext 123456TESTplat as the pre shared key to be used with the remote peer at 2 2 3 1 SwitchA ike keychain keychain1 pre shared key address 2 2 3 1 255 255 255 0 key simple 123456TESTplat SwitchA ike keychain keychain1 quit Create and configure th...

Page 319: ... set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchB ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorithms SwitchB ipsec transform set tran1 esp encryption algorithm aes cbc 128 SwitchB ipsec transform set tran1 esp authentication algorithm sha1 SwitchB ipsec transform set tran1 quit Create and configure the IKE keychain named ...

Page 320: ...shown in Figure 90 establish an IPsec tunnel between Switch A and Switch B to protect the data flows in between Configure the IPsec tunnel as follows Specify the encapsulation mode as tunnel the security protocol as ESP the encryption algorithm as 128 bit AES and the authentication algorithm as HMAC SHA1 Set up SAs through IKE negotiation Figure 90 Network diagram Configuration procedure 1 Configu...

Page 321: ... remote IPv6 addresses of the IPsec tunnel as 111 1 and 222 1 SwitchA ipsec ipv6 policy isakmp map1 10 local address ipv6 111 1 SwitchA ipsec ipv6 policy isakmp map1 10 remote address ipv6 222 1 Apply the IKE profile profile1 SwitchA ipsec ipv6 policy isakmp map1 10 ike profile profile1 SwitchA ipsec ipv6 policy isakmp map1 10 quit Apply the IPsec policy map1 to interface VLAN interface 1 SwitchA ...

Page 322: ...rm set tran1 Specify the local and remote IPv6 addresses of the IPsec tunnel as 222 1 and 111 1 SwitchB ipsec ipv6 policy isakmp use1 10 local address ipv6 222 1 SwitchB ipsec ipv6 policy isakmp use1 10 remote address ipv6 111 1 Apply the IKE profile profile1 SwitchB ipsec ipv6 policy isakmp use1 10 ike profile profile1 SwitchB ipsec ipv6 policy isakmp use1 10 quit Apply the IPsec policy use1 to i...

Page 323: ...nterface vlan interface 100 SwitchA Vlan interface100 ripng 1 enable SwitchA Vlan interface100 quit Create and configure the IPsec transform set named tran1 SwitchA ipsec transform set tran1 SwitchA ipsec transform set tran1 encapsulation mode transport SwitchA ipsec transform set tran1 protocol esp SwitchA ipsec transform set tran1 esp encryption algorithm aes cbc 128 SwitchA ipsec transform set ...

Page 324: ...form set tran1 SwitchB ipsec profile profile001 sa spi outbound esp 123456 SwitchB ipsec profile profile001 sa spi inbound esp 123456 SwitchB ipsec profile profile001 sa string key outbound esp simple abcdefg SwitchB ipsec profile profile001 sa string key inbound esp simple abcdefg SwitchB ipsec profile profile001 quit Apply the IPsec profile to RIPng process 1 SwitchB ripng 1 SwitchB ripng 1 enab...

Page 325: ...essfully on the switches to protect RIPng packets This example uses Switch A to verify the configuration Use the display ripng command to display the RIPng configuration The output shows that the IPsec profile profile001 has been applied to RIPng process 1 SwitchA display ripng 1 RIPng process 1 Preference 100 Checkzero Enabled Default Cost 0 Maximum number of balanced paths 8 Update time 30 sec s...

Page 326: ...312 No duration limit for this SA ...

Page 327: ...otiates SAs when the sequence number in the AH or ESP header overflows making sure IPsec can provide the anti replay service by using the sequence number As shown in Figure 92 IKE negotiates SAs for IPsec and transfers the SAs to IPsec and IPsec uses the SAs to protect IP packets Figure 92 Relationship between IKE and IPsec IKE negotiation process IKE negotiates keys and SAs for IPsec in two phase...

Page 328: ...ion key distribution and IPsec SA establishment on insecure networks Identity authentication The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers The device supports the following identity authentication methods Pre shared key authentication Two communicating peers use the pre configured shared key for identity authentication RSA signature authe...

Page 329: ...mine the following parameters prior to IKE configuration The algorithms to be used during IKE negotiation including the identity authentication method encryption algorithm authentication algorithm and DH group Different algorithms provide different levels of protection A stronger algorithm provides more resistance to decryption but uses more resources A DH group that uses more bits provides higher...

Page 330: ...tiation For digital signature authentication the device can use any type of ID If the local ID is an IP address that is different from the IP address in the local certificate the device uses the FQDN the device name configured by using the sysname command instead For pre shared key authentication the device can use any type of ID other than the DN 6 Configure the IKE DPD feature to detect dead IKE...

Page 331: ... as required By default no IKE keychain or PKI domain is specified for an IKE profile 5 Specify the IKE negotiation mode for phase 1 In non FIPS mode exchange mode aggressive main In FIPS mode exchange mode main By default the main mode is used during IKE negotiation phase 1 6 Specify IKE proposals for the IKE profile proposal proposal number 1 6 By default no IKE proposals are specified for an IK...

Page 332: ...le to the peer An IKE proposal specified earlier for the IKE profile has a higher priority If the initiator is using an IPsec policy with no IKE profile the initiator sends all its IKE proposals to the peer An IKE proposal with a smaller number has a higher priority The peer searches its own IKE proposals for a match The search starts from the IKE proposal with the highest priority and proceeds in...

Page 333: ...pre shared key for authentication Follow these guidelines when you configure an IKE keychain 1 Two peers must be configured with the same pre shared key to pass pre shared key authentication 2 You can specify the local address configured in IPsec policy or IPsec policy template view using the local address command for the IKE keychain to be applied If no local address is configured specify the IP ...

Page 334: ...bal identity can be used by the device for all IKE SA negotiations and the local identity set by the local identity command can be used only by the device that uses the IKE profile When signature authentication is used you can set any type of the identity information When pre shared key authentication is used you cannot set the DN as the identity To configure the global identity information Step C...

Page 335: ...ive timeout time ike keepalive timeout seconds By default IKE SA keepalive never times out Configuring the IKE NAT keepalive feature If IPsec traffic passes through a NAT device you must configure the NAT traversal feature If no packet travels across an IPsec tunnel in a period of time the NAT sessions are aged and deleted disabling the tunnel from transmitting data to the intended end To prevent ...

Page 336: ...ew N A 2 Enable sending IKE DPD messages ike dpd interval interval seconds retry seconds on demand periodic By default IKE DPD is disabled Enabling invalid SPI recovery An IPsec black hole occurs when one IPsec peer fails for example a peer can fail if a reboot occurs One peer fails and loses its SAs with the other peer When an IPsec peer receives a data packet for which it cannot find an SA an in...

Page 337: ...E module notifies the NMS of important module events The notifications are sent to the device s SNMP module You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications For more information about SNMP notifications see Network Management and Monitoring Configuration Guide To generate and output SNMP notifications for a specifi...

Page 338: ...ommunication in between Configure Switch A and Switch B to use the default IKE proposal for the IKE negotiation to set up the IPsec SAs Configure the two switches to use the pre shared key authentication method for the IKE negotiation phase 1 Figure 94 Network diagram Configuration procedure 1 Configure Switch A Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vla...

Page 339: ...ntity address 2 2 2 2 255 255 255 0 SwitchA ike profile profile1 quit Create an IKE based IPsec policy entry with the name map1 and the sequence number 10 SwitchA ipsec policy map1 10 isakmp Specify the remote IP address 2 2 2 2 for the IPsec tunnel SwitchA ipsec policy isakmp map1 10 remote address 2 2 2 2 Specify ACL 3101 to identify the traffic to be protected SwitchA ipsec policy isakmp map1 1...

Page 340: ...chain keychain1 Configure the local ID with the identity type as IP address and the value as 2 2 2 2 SwitchB ike profile profile1 local identity address 2 2 2 2 Configure a peer ID with the identity type as IP address and the value as 1 1 1 1 24 SwitchB ike profile profile1 match remote identity address 1 1 1 1 255 255 255 0 SwitchB ike profile profile1 quit Create an IKE based IPsec policy entry ...

Page 341: ...dress for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA vlan interface1 ip address 1 1 1 1 255 255 255 0 SwitchA vlan interface1 quit Configure ACL 3101 to identify traffic between Switch A and Switch B SwitchA acl number 3101 SwitchA acl adv 3101 rule 0 permit ip source 1 1 1 1 0 destination 2 2 2 2 0 SwitchA acl adv 3101 quit Create an IPsec transform set named ...

Page 342: ...equest entity entity1 Specify the RSA key pair rsa1 with the general purpose for certificate request SwitchA pki domain domain1 public key rsa general name rsa1 SwitchA pki domain domain1 quit Create an IKE profile named profile1 SwitchA ike profile profile1 Specify PKI domain domain1 for the IKE profile SwitchA ike profile profile1 certificate domain domain1 Specify that IKE negotiation operates ...

Page 343: ...0 permit ip source 2 2 2 2 0 destination 1 1 1 0 0 SwitchB acl adv 3101 quit Create an IPsec transform set named tran1 SwitchB ipsec transform set tran1 Set the packet encapsulation mode to tunnel SwitchB ipsec transform set tran1 encapsulation mode tunnel Use the ESP protocol for the IPsec transform set SwitchB ipsec transform set tran1 protocol esp Specify the encryption and authentication algor...

Page 344: ...cha com SwitchB ike profile profile2 match remote identity fqdn www switcha com SwitchB ike profile profile2 quit Create an IKE proposal named 10 SwitchB ike proposal 10 Specify the authentication algorithm as HMAC MD5 SwitchB ike proposal 10 authentication algorithm md5 Specify the RSA authentication method SwitchB ike proposal 10 authentication method rsa signature SwitchB ike proposal 10 quit C...

Page 345: ...ng message The attributes are unacceptable IKE packet debugging message Construct notification packet NO_PROPOSAL_CHOSEN Analysis Certain IKE proposal settings are incorrect Solution 1 Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals 2 Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals IKE negotiation failed bec...

Page 346: ...s that the IKE SA negotiation succeeded and the IKE SA is in RD state but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet 2 The following IKE debugging message appeared The attributes are unacceptable Or Construct notification packet NO_PROPOSAL_CHOSEN Analysis Certain IPsec policy settings are incorrect Solution 1 Examine the IPsec configuration to see wh...

Page 347: ... entity Responder Local IP 192 168 222 5 Local ID type IPV4_ADDR Local ID 192 168 222 5 Remote IP 192 168 222 71 Remote ID type IPV4_ADDR Remote ID 192 168 222 71 Authentication method PRE SHARED KEY Authentication algorithm MD5 Encryption algorithm 3DES CBC Life duration sec 86400 Remaining key duration sec 85847 Exchange mode Main Diffie Hellman group Group 1 NAT traversal Not detected Verify th...

Page 348: ...22 71 0 destination 192 168 222 5 0 3 Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured If for example the IPsec policy has no remote address configured the IPsec SA negotiation will fail Sysname display ipsec policy IPsec Policy policy1 Interface GigabitEthernet1 0 1 Sequence number 1 Mode...

Page 349: ...ame display acl 3000 Advanced ACL 3000 named none 2 rules ACL s step is 5 rule 0 permit ip source 192 168 222 0 0 0 0 255 destination 192 168 222 0 0 0 0 255 3 Configure the missing settings for example the remote address ...

Page 350: ...changes during the initial exchange process IKE_SA_INIT and IKE_AUTH each with two messages IKE_SA_INIT exchange Negotiates IKE SA parameters and exchanges keys IKE_AUTH exchange Authenticates the identity of the peer and establishes IPsec SAs After the four message initial exchanges IKEv2 sets up one IKE SA and one pair of IPsec SAs For IKEv1 to set up one IKE SA and one pair of IPsec SAs it must...

Page 351: ...ders the initiator valid and proceeds with the negotiation If the carried cookie is incorrect the responder terminates the negotiation The cookie challenging mechanism automatically stops working when the number of half open IKE SAs drops below the threshold IKEv2 SA rekeying For security purposes both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the lifetime expires An IKEv1 SA ...

Page 352: ...dress pools The cookie challenging feature takes effect only on IKEv2 responders Configuring an IKEv2 profile An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation To configure an IKEv2 profile perform the following tasks 1 Specify the local and remote identity authentication methods The local and remote identity authentication methods must both be specified and they ca...

Page 353: ...tes them If you specify an inside VPN instance the device looks for a route in the specified VPN instance to forward the packets If you do not specify an inside VPN instance the internal and external networks are in the same VPN instance The device looks for a route in this VPN instance to forward the packets 11 Configure the NAT keepalive interval Configure this task when the device is behind a N...

Page 354: ...email email string key id key id string By default no peer ID is configured You must configure a minimum of one peer ID on each of the two peers 8 Optional Specify the local interface or IP address to which the IKEv2 profile can be applied match local address interface type interface number ipv4 address ipv6 ipv6 address By default an IKEv2 profile can be applied to any local interface or IP addre...

Page 355: ...examines the existence of the match local address command An IKEv2 policy with the match local address command configured has a higher priority 2 If a tie exists the device compares the priority numbers An IKEv2 policy with a smaller priority number has a higher priority 3 If a tie still exists the device prefers an IKEv2 policy configured earlier To configure an IKEv2 policy Step Command Remarks ...

Page 356: ... ikev2 proposal proposal name By default an IKEv2 proposal named default exists In non FIPS mode the default proposal uses the following settings Encryption algorithms AES CBC 128 and 3DES Integrity protection algorithms HMAC SHA1 and HMAC MD5 PRF algorithms HMAC SHA1 and HMAC MD5 DH groups 2 and 5 In FIPS mode the default proposal uses the following settings Encryption algorithms AES CBC 128 and ...

Page 357: ...ny DH groups Configuring an IKEv2 keychain An IKEv2 keychain specifies the pre shared keys used for IKEv2 negotiation An IKEv2 keychain can have multiple IKEv2 peers Each peer has a symmetric pre shared key or an asymmetric pre shared key pair and information for identifying the peer such as the peer s host name IP address or address range or ID An IKEv2 negotiation initiator uses the peer host na...

Page 358: ...a large number of source IP addresses to forge IKE_SA_INIT requests To enable cookie challenging Step Command Remarks 1 Enter system view system view N A 2 Enable cookie challenging ikev2 cookie challenge number By default IKEv2 cookie challenging is disabled Configuring the IKEv2 DPD feature IKEv2 DPD detects dead IKEv2 peers in periodic or on demand mode Periodic IKEv2 DPD Verifies the liveness ...

Page 359: ...onds Configuring IKEv2 address pools To perform centralized management on remote users an IPsec gateway can use an address pool to assign private IP addresses to remote users You must use an IKEv2 address pool together with AAA authorization by specifying the IKEv2 address pool as an AAA authorization attribute For more information about AAA authorization see Configuring AAA To configure IKEv2 add...

Page 360: ... and Switch B to use the default IKEv2 proposal and the default IKEv2 policy in IKEv2 negotiation to set up IPsec SAs Configure the two switches to use the pre shared key authentication method in IKEv2 negotiation Figure 97 Network diagram Configuration procedures 1 Configure Switch A Assign an IP address to VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA vlan inter...

Page 361: ...file1 authentication method remote pre share Specify the IKEv2 keychain keychain1 SwitchA ikev2 profile profile1 keychain keychain1 Specify the peer ID that the IKEv2 profile matches The peer ID is the IP address 2 2 2 2 24 SwitchA ikev2 profile profile1 match remote identity address 2 2 2 2 255 255 255 0 SwitchA ikev2 profile profile1 quit Create an IKE based IPsec policy entry with the name map1...

Page 362: ...ecify the peer ID which is the IP address 1 1 1 1 SwitchB ikev2 keychain keychain1 peer peer1 identity address 1 1 1 1 Specify the plaintext abcde as the pre shared key to be used with the peer SwitchB ikev2 keychain keychain1 peer peer1 pre shared key plaintext abcde SwitchB ikev2 keychain keychain1 peer peer1 quit SwitchB ikev2 keychain keychain1 quit Create an IKEv2 profile named profile1 Switc...

Page 363: ...otiated by IKEv2 traffic between the switches is IPsec protected IKEv2 with RSA signature authentication configuration example Network requirements As shown in Figure 98 configure an IKE based IPsec tunnel between Switch A and Switch B to secure the communication between them Configure Switch A and Switch B to use IKEv2 negotiation and RSA signature authentication Figure 98 Network diagram Configu...

Page 364: ...uest through the SCEP protocol This example uses the URL of http 192 168 222 1 446 eadbf9af4f2c4641e685f7a6021e7b298373feb7 SwitchA pki domain domain1 certificate request url http 192 168 222 1 446 eadbf9af4f2c4641e685f7a6021e7b298373feb7 Specify the CA to accept certificate requests SwitchA pki domain domain1 certificate request from ca Specify the PKI entity for certificate request as entity1 Sw...

Page 365: ...witchA ipsec policy isakmp map1 10 transform set tran1 Specify ACL 3101 to identify the traffic to be protected SwitchA ipsec policy isakmp map1 10 security acl 3101 Specify the IKEv2 profile profile1 for the IPsec policy SwitchA ipsec policy isakmp map1 10 ikev2 profile profile1 SwitchA ipsec policy isakmp map1 10 quit Apply the IPsec policy map1 to VLAN interface 1 SwitchA interface vlan interfa...

Page 366: ...or certificate request through the SCEP protocol This example uses the URL of http 192 168 222 1 446 eadbf9af4f2c4641e685f7a6021e7b298373feb7 SwitchB pki domain domain2 certificate request url http 192 168 222 1 446 eadbf9af4f2c4641e685f7a6021e7b298373feb7 Specify the CA to accept certificate requests SwitchB pki domain domain2 certificate request from ca Specify the PKI entity for certificate req...

Page 367: ...ected SwitchB ipsec policy template template1 1 security acl 3101 Specify the IPsec transform set tran1 for the IPsec policy template SwitchB ipsec policy template template1 1 transform set tran1 Specify the IKEv2 profile profile2 for the IPsec policy template SwitchB ipsec policy template template1 1 ikev2 profile profile2 SwitchB ipsec policy template template1 1 quit Create an IKE based IPsec p...

Page 368: ...rm sets were found Symptom The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA is in EST status The display ipsec sa command shows that the expected IPsec SAs have not been negotiated yet Analysis Certain IPsec policy settings are incorrect Solution 1 Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets 2 Modify the ...

Page 369: ...n the other end by using the reset ikev2 sa command and trigger new negotiation If an IKEv2 SA exists on both ends go to the next step 2 Use the display ipsec sa command to examine whether IPsec SAs exist on both ends If the IPsec SAs on one end are lost delete the IPsec SAs on the other end by using the reset ipsec sa command and trigger new negotiation ...

Page 370: ...server allowing a user to log in to the device for file upload and download The device can also act as an SCP client enabling a user to log in from the device to a remote device for secure file transfer NETCONF over SSH Based on SSH2 it enables users to securely log in to the device through SSH and perform NETCONF operations on the device through the NETCONF over SSH connections The device can act...

Page 371: ...ext pasted at one time must be no more than 2000 bytes As a best practice to ensure correct command execution paste commands that are in the same view To execute commands of more than 2000 bytes save the commands in a configuration file upload the file to the server through SFTP and use it to restart the server SSH authentication methods This section describes authentication methods that are suppo...

Page 372: ...vice supports using the public key algorithms RSA DSA and ECDSA to generate digital signatures For more information about public key configuration see Managing public keys Password publickey authentication The server requires SSH2 clients to pass both password authentication and publickey authentication However an SSH1 client only needs to pass either authentication Any authentication The server r...

Page 373: ...he following conditions exist The authentication method is publickey The client sends its public keys to the server through a digital certificate for validity check The PKI domain must have the CA certificate to verify the client s digital certificate Required optional Configuring an SSH user Required if the authentication method is publickey password publickey or any Optional if the authenticatio...

Page 374: ... the DSA algorithm The public key local create ecdsa command generates only an ECDSA host key pair SSH1 does not support the ECDSA algorithm Configuration procedure To generate local key pairs on the SSH server Step Command Remarks 1 Enter system view system view N A 2 Generate local key pairs public key local create dsa ecdsa secp192r1 secp256r1 secp384r1 secp521r1 rsa By default no local key pai...

Page 375: ...t connection requests initiated by SSH1 clients To enable NETCONF over SSH Step Command Remark 1 Enter system view system view N A 2 Enable NETCONF over SSH netconf ssh server enable By default NETCONF over SSH is disabled For more information about NETCONF over SSH commands see Network Management and Monitoring Command Reference Configuring the user lines for SSH login Depending on the SSH applic...

Page 376: ...g the digital signature You can enter the content of a client s host public key or import the client s host public key from the public key file As a best practice import the client s host public key Entering a client s host public key Before you enter the client s host public key you must use the display public key local public command on the client to obtain the client s host public key To enter ...

Page 377: ... server In either case the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user For information about configuring local users and remote authentication see Configuring AAA Configuration restrictions and guidelines When you configure an SSH user follow these restrictions and guidelines An SSH server supports up to 1024 SSH users For a...

Page 378: ... user username service type all netconf scp sftp stelnet authentication type password password publickey assign pki domain domain name publickey keyname Configuring the SSH management parameters Step Command Remarks 1 Enter system view system view N A 2 Enable the SSH server to support SSH1 clients ssh server compatible ssh1x enable By default the SSH server supports SSH1 clients This command is n...

Page 379: ...fy the maximum number of concurrent online SSH users aaa session limit ssh max sessions The default setting is 32 When the number of online SSH users reaches the upper limit the system denies new SSH connection requests Changing the upper limit does not affect online SSH users Specifying a PKI domain for the SSH server The PKI domain specified for the SSH server has the following functions The SSH...

Page 380: ...rface interface type interface number ipv6 ipv6 address By default the source IP address for SSH packets is not configured The IPv4 SSH packets use the primary IP address of the output interface specified in the routing entry as their source address The IPv6 SSH packets automatically select an IPv6 address as their source address in compliance with RFC 3484 Establishing a connection to an Stelnet ...

Page 381: ...2 256 sha2 512 dscp dscp value escape character public key keyname server pki domain domain name source interface interface type interface number ip ip address In FIPS mode Establish a connection to an IPv4 Stelnet server ssh2 server port number vpn instance vpn instance name identity key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 pki domain domain name prefer compress zlib pr...

Page 382: ...d5 96 sha1 sha1 96 sha2 256 sha2 512 dscp dscp value escape character public key keyname server pki domain domain name source interface interface type interface number ipv6 ipv6 address In FIPS mode Establish a connection to an IPv6 Stelnet server ssh2 ipv6 server port number vpn instance vpn instance name i interface type interface number identity key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 e...

Page 383: ...terface interface type interface number ipv6 ipv6 address Available in user view The client cannot establish connections to both IPv4 and IPv6 Stelnet servers Configuring the device as an SFTP client SFTP client configuration task list Tasks at a glance Optional Specifying the source IP address for SFTP packets Required Establishing a connection to an SFTP server Optional Establishing a connection...

Page 384: ...t an IPv6 address as their source address in compliance with RFC 3484 Establishing a connection to an SFTP server When you try to access an SFTP server the device must use the server s host public key to authenticate the server If the server s host public key is not configured on the device the device will notify you to confirm whether to continue with the access If you choose to continue the devi...

Page 385: ... sha1 sha1 96 sha2 256 sha2 512 dscp dscp value public key keyname server pki domain domain name source interface interface type interface number ip ip addres In FIPS mode Establish a connection to an IPv4 SFTP server sftp server port number vpn instance vpn instance name identity key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 pki domain domain name prefer compress zlib prefer...

Page 386: ...ce interface interface type interface number ipv6 ipv6 addres In FIPS mode Establish a connection to an IPv6 SFTP server sftp ipv6 server port number vpn instance vpn instance name i interface type interface number identity key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 pki domain domain name prefer compress zlib prefer ctos cipher aes128 cbc aes256 cbc aes128 ctr aes192 ctr a...

Page 387: ...rking directory on the SFTP server cd remote path Available in SFTP client view Return to the upper level directory cdup Available in SFTP client view Display the current working directory on the SFTP server pwd Available in SFTP client view Display files under a directory dir a l remote path ls a l remote path Available in SFTP client view The dir command has the same function as the ls command C...

Page 388: ...vailable in SFTP client view These three commands have the same function Configuring the device as an SCP client This section describes how to configure the device as an SCP client to establish a connection with an SCP server and transfer files with the server Establishing a connection to an SCP server When you try to access an SCP server the device must use the server s host public key to authent...

Page 389: ... stoc hmac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 public key keyname server pki domain domain name source interface interface type interface number ip ip address In FIPS mode Connect to an IPv4 SCP server and transfer files with this server scp server port number vpn instance vpn instance name put get source file name destination file name identity key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v...

Page 390: ...aes256 gcm prefer stoc hmac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 public key keyname server pki domain domain name source interface interface type interface number ipv6 ipv6 address In FIPS mode Connect to an IPv6 SCP server and transfer files with this server scp ipv6 server port number vpn instance vpn instance name i interface type interface number put get source file name destination file ...

Page 391: ...source interface interface type interface number ipv6 ipv6 address Available in user view The client cannot establish connections to both IPv4 and IPv6 SCP servers Specifying algorithms for SSH2 Perform this task to specify the following types of algorithms that the SSH2 client and server use for algorithm negotiation during the Stelnet SFTP or SCP session establishment Key exchange algorithms Pub...

Page 392: ...sa sha2 nistp384 x509v3 ecdsa sha2 nistp256 In FIPS mode ssh2 algorithm public key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 By default SSH2 uses the public key algorithms x509v3 ecdsa sha2 nistp256 x509v3 ecdsa sha2 nistp384 ecdsa rsa and dsa in descending order of priority for algorithm negotiation Specifying encryption algorithms for SSH2 Step Command Remarks 1 Enter syste...

Page 393: ...er information on the SSH server display ssh user information username Display the public keys of the local key pairs display public key local dsa ecdsa rsa public name publickey name Display information about peer public keys display public key peer brief name publickey name Stelnet configuration examples Unless otherwise noted devices in the configuration examples operate in non FIPS mode When y...

Page 394: ...ublic key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair Switch public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the Stelnet server Switch ssh server enable Assign an IP address to ...

Page 395: ...ork admin Switch luser manage client001 quit Create an SSH user client001 Specify the service type as stelnet and the authentication method as password for the user Switch ssh user client001 service type stelnet authentication type password 2 Establish a connection to the Stelnet server There are different types of Stelnet client software including PuTTY and OpenSSH This example uses an Stelnet cl...

Page 396: ...een the host and the switch so you can log in to the switch to manage configurations Figure 101 Network diagram Configuration procedure In the server configuration the client s host public key is required Use the client software to generate RSA key pairs on the client before configuring the Stelnet server There are different types of Stelnet client software including PuTTY and OpenSSH This example...

Page 397: ...air on the client b Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 103 Otherwise the progress bar stops moving and the key pair generating progress stops Figure 103 Generating process ...

Page 398: ...saving window appears g Enter a file name private ppk in this example and click Save h Transmit the public key file to the server through FTP or TFTP Details not shown 2 Configure the Stelnet server Generate RSA key pairs Switch system view Switch public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to a...

Page 399: ...ort the client s public key from file key pub and name it switchkey Switch public key peer switchkey import sshkey key pub Create an SSH user client002 Specify the authentication method as publickey for the user Assign the public key switchkey to the user Switch ssh user client002 service type stelnet authentication type publickey assign publickey switchkey Create a local device management user cl...

Page 400: ...ifying the host name or IP address c Select Connection SSH from the navigation tree The window shown in Figure 106 appears d Specify the Preferred SSH protocol version as 2 Figure 106 Specifying the preferred SSH version ...

Page 401: ...s successfully established the system notifies you to enter the username After entering the username client002 you can enter the CLI of the server Password authentication enabled Stelnet client configuration example Network requirements As shown in Figure 108 Switch B acts as the Stelnet server and uses password authentication The username and password of the client are saved on Switch B Establish...

Page 402: ...B public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the Stelnet server SwitchB ssh server enable Assign an IP address to VLAN interface 2 The Stelnet client uses this address as the destination address of the SSH connection SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 1 40 255 255 255 0 SwitchB Vlan interface2 quit Set ...

Page 403: ...ic key of the server to the client SwitchA public key peer key1 Enter public key view Return to system view with peer public key end command SwitchA pkey public key key1 308201B73082012C06072A8648CE3804013082011F028181 0 0D757262C4584C44C211F18BD96E5F0 SwitchA pkey public key key1 61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CEC E 65BE6C265854889DC1EDBD13EC8B274 SwitchA pkey public key key1 DA9F75...

Page 404: ... to save the server public key Y N y client001 192 168 1 40 s password After you enter the correct password you can access Switch B successfully At the next connection attempt the client authenticates the server by using the saved server s host public key on the client Publickey authentication enabled Stelnet client configuration example Network requirements As shown in Figure 109 Switch B acts as...

Page 405: ... The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate a DSA key pair SwitchB public key local create dsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to ...

Page 406: ...attribute user role network admin SwitchB luser manage client002 quit 3 Establish an SSH connection to the Stelnet server 192 168 1 40 SwitchA ssh2 192 168 1 40 Username client002 The server is not authenticated Continue Y N y Do you want to save the server public key Y N n Select Yes to access the server and download the server s host public key At the next connection attempt the client authentic...

Page 407: ...itchA system view SwitchA pki domain server256 Disable CRL checking SwitchA pki domain server256 undo crl check enable SwitchA pki domain server256 quit Import the local certificate file ssh server ecdsa256 p12 to the PKI domain server256 SwitchA pki import domain server256 p12 local filename ssh server ecdsa256 p12 The system is going to save the key pair You must specify a key pair name which is...

Page 408: ...eate a PKI domain named client256 for the client s certificate and enter its view SwitchA pki domain client256 Disable CRL checking SwitchA pki domain client256 undo crl check enable SwitchA pki domain client256 quit Import the local certificate file ssh client ecdsa256 p12 to the PKI domain client256 SwitchA pki import domain client256 p12 local filename ssh client ecdsa256 p12 The system is goin...

Page 409: ...c3 be 37 4e 49 19 cf c6 Assign an IP address to VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 1 56 255 255 255 0 SwitchA Vlan interface2 quit 3 Configure the Stelnet server Upload the server s certificate file ssh server ecdsa256 p12 and the client s certificate file ssh client ecdsa256 p12 to the Stelnet server through FTP or TF...

Page 410: ...lient s certificate Switch ssh user client001 service type stelnet authentication type publickey assign pki domain client256 4 Establish an SSH connection to the Stelnet server 192 168 1 40 based on the 128 bit Suite B algorithms SwitchA ssh2 192 168 1 40 suite b 128 bit pki domain client256 server pki domain server256 Username client001 Press CTRL C to abort Connecting to 192 168 1 40 port 22 Ent...

Page 411: ...s Switch system view Switch public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate a DSA key pair Switch public key local create dsa The range of public key size is 512 2048 If the key modulus is greate...

Page 412: ...ory flash to the local user client002 Switch luser manage client002 authorization attribute user role network admin work directory flash Switch luser manage client002 quit Create an SSH user client002 Specify the authentication method as password and service type as sftp for the user Switch ssh user client002 service type sftp authentication type password 2 Establish a connection between the SFTP ...

Page 413: ...h B to manage and transfer files Figure 113 Network diagram Configuration procedure In the server configuration the client s host public key is required Generate RSA key pairs on the client before configuring the SFTP server 1 Configure the SFTP client Assign an IP address to VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 2 255 ...

Page 414: ...few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate a DSA key pair SwitchB public key local create dsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Gen...

Page 415: ...chA sftp 192 168 0 1 identity key rsa Username client001 Press CTRL C to abort Connecting to 192 168 0 1 port 22 The server is not authenticated Continue Y N y Do you want to save the server public key Y N n sftp Display files under the current directory of the server delete the file z and verify the result sftp dir l rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup...

Page 416: ...1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk sftp Exit SFTP client view sftp quit SwitchA SFTP configuration example based on 19...

Page 417: ...hA pki domain server384 Disable CRL checking SwitchA pki domain server384 undo crl check enable SwitchA pki domain server384 quit Import the local certificate file ssh server ecdsa384 p12 to the PKI domain server384 SwitchA pki import domain server384 p12 local filename ssh server ecdsa384 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive str...

Page 418: ...37 f8 52 52 26 99 28 97 ac 6e f9 c7 01 Create a PKI domain named client384 for the client s certificate and enter its view SwitchA pki domain client384 Disable CRL checking SwitchA pki domain client384 undo crl check enable SwitchA pki domain client384 quit Import the local certificate file ssh client ecdsa384 p12 to the PKI domain client384 SwitchA pki import domain client384 p12 local filename s...

Page 419: ... 12 3f 88 ea fe 19 05 ef 56 ca 33 71 75 5e 11 c9 a6 51 4b 3e 7c eb 2a 4d 87 2b 71 7c 30 64 fe 14 ce 06 d5 0a e2 cf 9a 69 19 ff Assign an IP address to VLAN interface 2 SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 2 255 255 255 0 SwitchA Vlan interface2 quit SwitchA quit 3 Configure the SFTP server Upload the server s certificate file ssh server ecdsa384 p12 and t...

Page 420: ...ient001 service type sftp authentication type publickey assign pki domain client384 4 Establish an SFTP connection to the SFTP server 192 168 0 1 based on the 192 bit Suite B algorithms SwitchA sftp 192 168 0 1 suite b 192 bit pki domain client384 server pki domain server384 Username client001 Press CTRL C to abort Connecting to 192 168 0 1 port 22 sftp SCP configuration examples Unless otherwise ...

Page 421: ...inutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair SwitchB public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the SCP server SwitchB scp server enable Configure an IP address for VLAN interface 2 The client uses this address as the destination for SCP connection ...

Page 422: ...rt 22 The server is not authenticated Continue Y N y Do you want to save the server public key Y N n client001 192 168 0 1 s password remote bin 100 2875 2 8KB s 00 00 SCP configuration example based on Suite B algorithms Network requirements As shown in Figure 116 Switch A acts as an SCP client SSH2 Switch B acts as the SCP server SSH2 and it uses publickey authentication Switch B uses the follow...

Page 423: ...omain server256 SwitchA pki import domain server256 p12 local filename ssh server ecdsa256 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A to Z 0 to 9 and hyphens Please enter the key pair name default name server256 Display information about local certificates in the PKI domain...

Page 424: ... p12 to the PKI domain client256 SwitchA pki import domain client256 p12 local filename ssh client ecdsa256 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A to Z 0 to 9 and hyphens Please enter the key pair name default name client256 Display information about local certificates ...

Page 425: ...rl check enable SwitchA pki domain server384 quit Import the local certificate file ssh server ecdsa384 p12 to the PKI domain server384 SwitchA pki import domain server384 p12 local filename ssh server ecdsa384 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A to Z 0 to 9 and hyph...

Page 426: ...Create a PKI domain named client384 for the client s certificate ecdsa384 and enter its view SwitchA pki domain client384 Disable CRL checking SwitchA pki domain client384 undo crl check enable SwitchA pki domain client384 quit Import the local certificate file ssh client ecdsa384 p12 to the PKI domain client384 SwitchA pki import domain client384 p12 local filename ssh client ecdsa384 p12 The sys...

Page 427: ... cf 9a 69 19 ff Assign an IP address to VLAN interface 2 SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 2 255 255 255 0 SwitchA Vlan interface2 quit 3 Configure the SCP server Upload the server s certificate files ssh server ecdsa256 p12 and ssh server ecdsa384 p12 and the client s certificate files ssh client ecdsa256 p12 and ssh client ecdsa384 p12 to the SCP ser...

Page 428: ...zation attribute user role network admin SwitchB luser manage client002 quit 4 Establish an SCP connection to the SCP server 192 168 0 1 Based on the 128 bit Suite B algorithms Specify server256 as the PKI domain of the server s certificate SwitchB ssh server pki domain server256 Create an SSH user client001 Specify the authentication method publickey for the user and specify client256 as the PKI ...

Page 429: ...ir must be 2048 bits When the device acts as the NETCONF over SSH server it supports only RSA and ECDSA key pairs If both RSA and ECDSA key pairs exist on the server the server uses the ECDSA key pair Network requirements As shown in Figure 117 The switch uses local password authentication The client s username and password are saved on the switch Establish a NETCONF over SSH connection between th...

Page 430: ... 168 1 40 255 255 255 0 Switch Vlan interface2 quit Set the authentication mode to AAA for the user lines Switch line vty 0 15 Switch line vty0 15 authentication mode scheme Switch line vty0 15 quit Create a local device management user client001 Switch local user client001 class manage Set the password to aabbcc in plain text for the local user client001 Switch luser manage client001 password sim...

Page 431: ...417 Verifying the configuration Verify that you can perform NETCONF operations after logging in to the switch Details not shown ...

Page 432: ...PSG bindings As shown in Figure 118 IPSG forwards only the packets that match one of the IPSG bindings Figure 118 Diagram for the IPSG feature Static IPSG bindings Static IPSG bindings are configured manually They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured For example you can configure a static IPSG binding on an interface that connects...

Page 433: ...h modules such as the ARP detection module to provide security services Layer 3 Ethernet interface VLAN interface DHCP relay agent Packet filtering DHCP server For cooperation with modules such as the ARP detection module to provide security services For more information about 802 1X see Configuring 802 1X For information about DHCP snooping DHCP relay and DHCP server see Layer 3 IP Services Confi...

Page 434: ...ypes are supported Layer 2 Ethernet port Layer 3 Ethernet interface VLAN interface and Layer 3 aggregate interface 3 Enable the IPv4SG feature ip verify source ip address ip address mac address mac address By default this IPv4SG feature is disabled on an interface If you configure this command on an interface multiple times the most recent configuration takes effect Configuring a static IPv4SG bin...

Page 435: ...ou enable IPv6SG on an interface the static and dynamic IPv6SG are both enabled Static IPv6SG uses static bindings configured by using the ipv6 source binding command Dynamic IPv6SG generates dynamic bindings from related source modules IPv6SG uses the bindings to filter incoming IPv6 packets based on the matching criteria specified in the ipv6 verify source command To implement dynamic IPv6SG mak...

Page 436: ...lan vlan id option must be specified and ND detection must be enabled for the specified VLAN You can configure the same static IPv6SG binding on different interfaces Displaying and maintaining IPSG Execute display commands in any view and reset commands in user view Task Command Display IPv4SG bindings in standalone mode display ip source binding static vpn instance vpn instance name dhcp relay dh...

Page 437: ...net 1 0 2 DeviceA GigabitEthernet1 0 2 ip verify source ip address mac address On GigabitEthernet 1 0 2 configure a static IPv4SG binding for Host C DeviceA GigabitEthernet1 0 2 ip source binding ip address 192 168 0 3 mac address 0001 0203 0405 DeviceA GigabitEthernet1 0 2 quit Enable IPv4SG on GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 ip verify so...

Page 438: ...erface VLAN Type 192 168 0 1 0001 0203 0405 GE1 0 2 N A Static 192 168 0 3 0001 0203 0406 GE1 0 1 N A Static Verify that the static IPv4SG bindings are configured successfully on Device B DeviceB display ip source binding static Total entries found 2 IP Address MAC Address Interface VLAN Type 192 168 0 1 0001 0203 0406 N A N A Static N A 0001 0203 0407 GE1 0 1 N A Static Dynamic IPv4SG using DHCP ...

Page 439: ...ries on GigabitEthernet 1 0 1 Device GigabitEthernet1 0 1 dhcp snooping binding record Device GigabitEthernet1 0 1 quit Verifying the configuration Verify that a dynamic IPv4SG binding is generated based on a DHCP snooping entry Device display ip source binding dhcp snooping Total entries found 1 IP Address MAC Address Interface VLAN Type 192 168 0 1 0001 0203 0406 GE1 0 1 1 DHCP snooping Dynamic ...

Page 440: ...ip source binding dhcp relay Total entries found 1 IP Address MAC Address Interface VLAN Type 192 168 0 1 0001 0203 0406 Vlan100 100 DHCP relay Static IPv6SG configuration example Network requirements As shown in Figure 122 configure a static IPv6SG binding on GigabitEthernet 1 0 1 of the device to allow only IPv6 packets from the host to pass Figure 122 Network diagram Configuration procedure Ena...

Page 441: ...ration procedure 1 Configure DHCPv6 snooping Enable DHCPv6 snooping globally Device system view Device ipv6 dhcp snooping enable Configure GigabitEthernet 1 0 2 as a trusted interface Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 ipv6 dhcp snooping trust Device GigabitEthernet1 0 2 quit 2 Enable IPv6SG Enable IPv6SG on GigabitEthernet 1 0 1 and verify the source IP address and...

Page 442: ...igured on access devices Configuring source MAC based ARP attack detection configured on gateways User and gateway spoofing prevention Configuring ARP packet source MAC consistency check configured on gateways Configuring ARP active acknowledgement configured on gateways Configuring authorized ARP configured on gateways Configuring ARP detection configured on access devices Configuring ARP scannin...

Page 443: ...ARP source suppression Step Command Remarks 1 Enter system view system view N A 2 Enable ARP source suppression arp source suppression enable By default ARP source suppression is disabled 3 Set the maximum number of unresolvable packets that the device can process per source IP address within 5 seconds arp source suppression limit limit value By default the maximum number is 10 Configuring ARP bla...

Page 444: ...re the ARP source suppression feature as follows 1 Enable ARP source suppression 2 Set the threshold to 100 If the number of unresolvable IP packets received from an IP address within 5 seconds exceeds 100 the device stops resolving packets from the host until the 5 seconds elapse If the attack packets have different source addresses enable the ARP blackhole routing feature on the gateway Configur...

Page 445: ...gging for ARP packet rate limit is enabled the device sends the highest threshold crossed ARP packet rate within the sending interval in a log message to the information center You can configure the information center module to set the log output rules For more information about information center see Network Management and Monitoring Configuration Guide To configure ARP packet rate limit Step Com...

Page 446: ...eature does not inspect ARP packets from those devices even if they are attackers Configuration procedure To configure source MAC based ARP attack detection Step Command Remarks 1 Enter system view system view N A 2 Enable source MAC based ARP attack detection and specify the handling method arp source mac filter monitor By default this feature is disabled 3 Configure the threshold arp source mac ...

Page 447: ...cannot process requests from the clients To solve this problem configure source MAC based ARP attack detection on the gateway Figure 125 Network diagram Configuration considerations An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address To prevent such attacks configure the gateway in the following steps 1 Enable source MAC based AR...

Page 448: ...d check enable By default ARP packet source MAC address consistency check is disabled Configuring ARP active acknowledgement Configure this feature on gateways to prevent user spoofing ARP active acknowledgement prevents a gateway from generating incorrect ARP entries In strict mode a gateway performs more strict validity checks before creating an ARP entry Upon receiving an ARP request destined f...

Page 449: ...face view interface interface type interface number N A 3 Enable authorized ARP on the interface arp authorized enable By default authorized ARP is disabled Configuration example on a DHCP server Network requirements As shown in Figure 126 configure authorized ARP on GigabitEthernet 1 0 1 of Device A a DHCP server to ensure user validity Figure 126 Network diagram Configuration procedure 1 Configu...

Page 450: ...ess and MAC address in the authorized ARP entry to communicate with Device A Otherwise the communication fails Thus user validity is ensured Configuration example on a DHCP relay agent Network requirements As shown in Figure 127 configure authorized ARP on GigabitEthernet 1 0 2 of Device B a DHCP relay agent to ensure user validity Figure 127 Network diagram Configuration procedure 1 Configure Dev...

Page 451: ...ntries on the relay agent DeviceB dhcp relay client information record 3 Configure Device C DeviceC system view DeviceC ip route static 10 1 1 0 24 10 10 1 1 DeviceC interface gigabitethernet 1 0 2 DeviceC GigabitEthernet1 0 2 ip address dhcp alloc DeviceC GigabitEthernet1 0 2 quit Verifying the configuration Display authorized ARP information on Device B DeviceB display arp all Type S Static D Dy...

Page 452: ...DHCP snooping For more information see Layer 3 IP Services Configuration Guide 802 1X security entries are generated by 802 1X After a client passes 802 1X authentication and uploads its IP address to an ARP detection enabled device the device automatically generates an 802 1X security entry The 802 1X client must be enabled to upload its IP address to the device For more information see Configuri...

Page 453: ...m view N A 2 Enter VLAN view vlan vlan id N A 3 Enable ARP detection arp detection enable By default ARP detection is disabled 4 Return to system view quit N A 5 Enable ARP packet validity check and specify the objects to be checked arp detection validate dst mac ip src mac By default ARP packet validity check is disabled 6 Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view ...

Page 454: ...e ARP detection logging Step Command Remarks 1 Enter system view system view N A 2 Enable ARP detection logging arp detection log enable By default ARP detection logging is disabled Displaying and maintaining ARP detection Execute display commands in any view and reset commands in user view Task Command Display the VLANs enabled with ARP detection display arp detection Display the ARP detection st...

Page 455: ...itchB system view SwitchB dot1x SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dot1x SwitchB GigabitEthernet1 0 1 quit SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dot1x SwitchB GigabitEthernet1 0 2 quit Add a local user test SwitchB local user test SwitchB luser test service type lan access SwitchB luser test password simple test SwitchB luser test qu...

Page 456: ...n Switch B to VLAN 10 and specify the IP address of VLAN interface 10 on Switch A Details not shown 2 Configure the DHCP server on Switch A and configure DHCP address pool 0 SwitchA system view SwitchA dhcp enable SwitchA dhcp server ip pool 0 SwitchA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 3 Configure Host A DHCP client and Host B Details not shown 4 Configure Switch B Enable DHCP snoopin...

Page 457: ...feature in small scale networks ARP scanning automatically creates ARP entries for devices in an address range The device performs ARP scanning in the following steps 1 Sends ARP requests for each IP address in the address range 2 Obtains their MAC addresses through received ARP replies 3 Creates dynamic ARP entries Fixed ARP converts existing dynamic ARP entries including those generated through ...

Page 458: ...ected gateway If yes it discards the packet If not it handles the packet correctly Configuration guidelines Follow these guidelines when you configure ARP gateway protection You can enable ARP gateway protection for a maximum of eight gateways on an interface Do not configure both the arp filter source and arp filter binding commands on an interface If ARP gateway protection works with ARP detecti...

Page 459: ...filter source 10 1 1 1 Verifying the configuration Verify that GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway Configuring ARP filtering The ARP filtering feature can prevent gateway spoofing and user spoofing attacks An interface enabled with this feature checks the sender IP and MAC addresses in a received ...

Page 460: ...k requirements As shown in Figure 131 the IP and MAC addresses of Host A are 10 1 1 2 and 000f e349 1233 respectively The IP and MAC addresses of Host B are 10 1 1 3 and 000f e349 1234 respectively Configure ARP filtering on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of Switch B to permit ARP packets from only Host A and Host B Figure 131 Network diagram Configuration procedure Configure ARP ...

Page 461: ... you can configure this feature in the sub VLANs to check the ARP packets in the sub VLANs For information about super VLANs and sub VLANs see Layer 2 LAN Switching Configuration Guide If Layer 3 communication is configured between the specified secondary VLANs associated with a primary VLAN configure the sender IP address range in the primary VLAN If Layer 3 communication is not configured betwee...

Page 462: ...considers it a spoofing attack and discards the packet uRPF check modes uRPF supports strict and loose modes Strict uRPF check To pass strict uRPF check the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry In some scenarios for example asymmetrical routing strict uRPF might discard valid packets Strict uRPF is often deplo...

Page 463: ...ork flow 1 uRPF checks address validity uRPF permits a packet with a multicast destination address For a packet with an all zero source address uRPF permits the packet if it has a broadcast destination address A packet with source address 0 0 0 0 and destination address ...

Page 464: ...k the packet If no uRPF discards the packet If no uRPF proceeds to step 4 4 uRPF checks whether the matching route is a default route If yes uRPF checks whether the allow default route keyword is configured to allow using the default route If yes uRPF proceeds to step 5 If no uRPF discards the packet If no uRPF proceeds to step 5 5 uRPF checks whether the receiving interface matches the output int...

Page 465: ...re the allow default route keyword for loose uRPF check Otherwise uRPF might fail to work To enable uRPF globally Step Command Remarks 1 Enter system view system view N A 2 Enable uRPF globally ip urpf loose allow default route strict allow default route By default uRPF is disabled Displaying and maintaining uRPF Execute display commands in any view Task Command Display uRPF configuration in stand...

Page 466: ...452 SwitchB system view SwitchB ip urpf strict 2 Configure strict uRPF check on Switch A and allow using the default route for uRPF check SwitchA system view SwitchA ip urpf strict allow default route ...

Page 467: ...t uRPF considers it a spoofing attack and discards the packet IPv6 uRPF check modes IPv6 uRPF supports strict and loose check modes Strict IPv6 uRPF check To pass strict IPv6 uRPF check the source address of a packet and the receiving interface must match the destination address and output interface of an IPv6 FIB entry In some scenarios for example asymmetrical routing strict IPv6 uRPF might disc...

Page 468: ...uRPF work flow 1 IPv6 uRPF checks whether the received packet carries a multicast destination address If yes IPv6 uRPF permits the packet If no IPv6 uRPF proceeds to step 2 2 IPv6 uRPF checks whether the source address matches a unicast route If yes IPv6 uRPF proceeds to step 3 ...

Page 469: ...e receiving interface matches the output interface of the matching FIB entry If yes IPv6 uRPF proceeds to step 5 If no IPv6 uRPF checks whether the check mode is loose If yes IPv6 uRPF proceeds to step 5 If no IPv6 uRPF discards the packet 5 IPv6 uRPF checks whether the matching route is a default route If yes IPv6 uRPF checks whether the allow default route keyword is configured to allow using th...

Page 470: ...ll label For more information about the implicit null label see MPLS Configuration Guide Do not configure the allow default route keyword for loose IPv6 uRPF check Otherwise IPv6 uRPF might fail to work To enable IPv6 uRPF globally Step Command Remarks 1 Enter system view system view N A 2 Enable IPv6 uRPF globally ipv6 urpf loose strict allow default route By default IPv6 uRPF is disabled Display...

Page 471: ... strict IPv6 uRPF check on Switch B SwitchB system view SwitchB ipv6 urpf strict 2 Configure strict uRPF check on Switch A and allow using the default route for IPv6 uRPF check SwitchA system view SwitchA ipv6 urpf strict allow default route ...

Page 472: ...y with the password control policies such as password length complexity and aging policy When the aging timer for a password expires the system prompts you to change the password If you adjust the system time after the device enters FIPS mode the login password might expire before the next login because the original system time is typically much earlier than the actual time If you choose the autom...

Page 473: ...ystem provides two methods to enter FIPS mode automatic reboot and manual reboot Automatic reboot To use automatic reboot to enter FIPS mode 1 Enable FIPS mode 2 Select the automatic reboot method The system automatically performs the following tasks a Create a default FIPS configuration file named fips startup cfg b Specify the default file as the startup configuration file c Prompt you to config...

Page 474: ...he Telnet server and client are disabled The HTTP server is disabled SNMPv1 and SNMPv2c are disabled Only SNMPv3 is available The SSL server supports TLS1 0 TLS1 1 and TLS1 2 The SSH server does not support SSHv1 clients and DSA key pairs The generated RSA and DSA key pairs must have a modulus length of 2048 bits When the device acts as a server to authenticate a client through the public key the ...

Page 475: ...ng default authentication modes are available for different ports or lines you can modify the default mode as needed The default authentication mode is password for VTY lines If the device supports a console port the default authentication mode is none for the console port After you disable FIPS mode follow these restrictions and guidelines before you manually reboot the device If you are logged i...

Page 476: ...authenticate the signed data If the authentication is successful the test succeeds Encryption and decryption test The test is run when an RSA asymmetrical key pair is generated It uses the public key to encrypt a plain text and then uses the private key to decrypt the encrypted text If the decryption is successful the test succeeds The power up self test examines the cryptographic algorithms liste...

Page 477: ...cess exists reboots To trigger a self test Step Command 1 Enter system view system view 2 Trigger a self test fips self test Displaying and maintaining FIPS Execute display commands in any view Task Command Display the FIPS mode state display fips status FIPS configuration examples Entering FIPS mode through automatic reboot Network requirements Use the automatic reboot method to enter FIPS mode a...

Page 478: ...get started login root Password First login or password reset For security reason you need to change your password Please enter your password old password new password confirm Updating user information Please wait Sysname Display the current FIPS mode state Sysname display fips status FIPS mode is enabled Display the default configuration file Sysname more fips startup cfg password control enable ...

Page 479: ...root directory of the storage medium and specify it as the startup configuration file Sysname save The current configuration will be written to the device Are you sure Y N y Please input the file name cfg flash startup cfg To leave the existing filename unchanged press the enter key flash startup cfg exists overwrite Y N y Validating file Please wait Saved the current configuration to mainboard de...

Page 480: ...PS mode state Sysname display fips status FIPS mode is disabled Exiting FIPS mode through manual reboot Network requirements A user has logged in to the device in FIPS mode through SSH with a username of test and a password of 12345zxcvb ZXCVB Use the manual reboot method to exit FIPS mode Configuration procedure Disable FIPS mode Sysname undo fips mode enable FIPS mode change requires a device re...

Page 481: ...e successfully Sysname quit Delete the startup configuration file in binary format Sysname delete flash startup mdb Delete flash startup mdb Y N y Deleting file flash startup mdb Done Reboot the device Sysname reboot Verifying the configuration After the device reboots enter a username of test and a password of 12345zxcvb ZXCVB to enter non FIPS mode Press ENTER to get started login test Password ...

Page 482: ...packet attack Description ICMP redirect An attacker sends ICMP redirect messages to modify the victim s routing table The victim cannot forward packets correctly ICMP destination unreachable An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations ICMP type A receiver responds to an ICMP packet according to its type An attacker send...

Page 483: ...ke An attacker sends Out Of Band OOB data to the TCP port 139 NetBIOS on the victim that runs Windows system The malicious packets contain an illegal Urgent Pointer which causes the victim s operating system to crash UDP bomb An attacker sends a malformed UDP packet The length value in the IP header is larger than the IP header length plus the length value in the UDP header When the target system ...

Page 484: ...YN ACK flood attack Upon receiving a SYN ACK packet the server must search for the matching SYN packet it has sent A SYN ACK flood attacker sends a large number of SYN ACK packets to the server This causes the server to be busy searching for SYN packets and the server is unable to process packets for normal services FIN flood attack FIN packets are used to shut down TCP connections A FIN flood att...

Page 485: ...the subsequent fragments can all pass through After the receiving host reassembles the fragments a TCP fragment attack occurs To prevent TCP fragment attacks enable TCP fragment attack prevention to drop attack TCP fragments Login DoS attack In a login DoS attack a malicious user can attempt to interfere with the normal operations of a device by flooding it with login requests These requests consu...

Page 486: ...iguring the IP blacklist feature Optional Configuring login attack prevention Optional Enabling the login delay Configuring an attack defense policy Creating an attack defense policy An attack defense policy can contain a set of attack detection and prevention configuration against multiple attacks To create an attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Create...

Page 487: ...oblem redirect source quench time exceeded timestamp reply timestamp request action drop logging none signature detect icmpv6 type icmpv6 type value destination unreachable echo reply echo request group query group reduction group report packet too big parameter problem time exceeded action drop logging none signature detect ip option option code internet timestamp loose source routing record rout...

Page 488: ...globally or on the interface where the defense policy is applied For more information about the blacklist see Configuring the IP blacklist feature To configure a scanning attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Enter attack defense policy view attack defense policy policy name N A 3 Configure scanning attack detection scan detect level high low medium actio...

Page 489: ...ection is not configured Configuring an ACK flood attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Enter attack defense policy view attack defense policy policy name N A 3 Enable global ACK flood attack detection ack flood detect non specific By default global ACK flood attack detection is disabled 4 Set the global trigger threshold for ACK flood attack prevention a...

Page 490: ...e global trigger threshold for FIN flood attack prevention fin flood threshold threshold value The default setting is 1000 5 Specify global actions against FIN flood attacks fin flood action drop logging By default no global action is specified for FIN flood attacks 6 Configure IP address specific FIN flood attack detection fin flood detect ip ipv4 address ipv6 ipv6 address vpn instance vpn instan...

Page 491: ...lood detect ip ip address vpn instance vpn instance name threshold threshold value action drop logging By default IP address specific ICMP flood attack detection is not configured Configuring an ICMPv6 flood attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Enter attack defense policy view attack defense policy policy name N A 3 Enable global ICMPv6 flood attack dete...

Page 492: ...able global DNS flood attack detection dns flood detect non specific By default global DNS flood attack detection is disabled 4 Set the global trigger threshold for DNS flood attack prevention dns flood threshold threshold value The default setting is 1000 5 Optional Specify the global ports to be protected against DNS flood attacks dns flood port port list By default DNS flood attack prevention p...

Page 493: ...can configure the ACL to identify packets from trusted servers The exemption feature reduces the false alarm rate and improves packet processing efficiency For example the attack defense policy identifies multicast packets with the same source addresses and different destination addresses as scanning attack packets for example OSPF or PIM packets You can configure an ACL to exempt such packets fro...

Page 494: ...destined for the switch The software does not provide any attack defense features so you can apply an attack defense policy to the switch to prevent attacks aimed at the switch Applying an attack defense policy to a device can improve the efficiency of processing attack packets destined for the device If a device and its interfaces have attack defense policies applied a packet destined for the dev...

Page 495: ...gment enable By default TCP fragment attack prevention is enabled TCP fragment attack prevention is typically used alone Configuring the IP blacklist feature The IP blacklist feature filters packets sourced from IP addresses in blacklist entries IP blacklist entries can be manually added or dynamically learned You can manually add an IP blacklist entry by using the blacklist ip or blacklist ipv6 c...

Page 496: ...n attempts from the user is blocked for the block period For login attack prevention to take effect you must enable the global blacklist feature This feature can effectively prevent login DoS attacks To configure login attack prevention Step Command Remarks 1 Enter system view system view N A 2 Enable login attack prevention attack defense login enable By default login attack prevention is disable...

Page 497: ...guration display attack defense policy policy name Display information about IPv4 scanning attackers display attack defense scan attacker ip interface interface type interface number count Display information about IPv6 scanning attackers display attack defense scan attacker ipv6 interface interface type interface number count Display information about IPv4 scanning attack victims display attack d...

Page 498: ... information about IPv6 addresses protected by flood attack detection and prevention in standalone mode display attack defense policy policy name ack flood dns flood fin flood flood http flood icmpv6 flood rst flood syn ack flood syn flood udp flood ipv6 ipv6 address vpn vpn instance name slot slot number count Display information about IPv6 addresses protected by flood attack detection and preven...

Page 499: ...k defense policy and apply the policy to GigabitEthernet 1 0 2 to meet the following requirements Provide low level scanning attack detection for internal hosts and servers If a scanning attack is detected log the attack and keep the attacker on the blacklist for 10 minutes Protect internal hosts and servers against smurf attacks If a smurf attack is detected log the attack Protect the internal se...

Page 500: ...tEthernet 1 0 2 Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 attack defense apply policy a1 Device GigabitEthernet1 0 2 quit Verifying the configuration Verify that the attack defense policy a1 is successfully configured Device display attack defense policy a1 Attack defense Policy Information Policy name a1 Applied list GE1 0 2 Exempt IPv4 ACL Not configured Exempt IPv6 ACL ...

Page 501: ... request Disabled info L ICMP timestamp reply Disabled info L ICMP information request Disabled info L ICMP information reply Disabled info L ICMP address mask request Disabled info L ICMP address mask reply Disabled info L ICMPv6 echo request Disabled info L ICMPv6 echo reply Disabled info L ICMPv6 group membership query Disabled info L ICMPv6 group membership report Disabled info L ICMPv6 group ...

Page 502: ... 2 0 IP sweep 3 0 Distribute port scan 1 0 Flood attack defense statistics AttackType AttackTimes Dropped SYN flood 1 5000 Signature attack defense statistics AttackType AttackTimes Dropped Smurf 1 0 Verify that the IPv4 blacklist feature collaborates with the scanning attack detection Device display blacklist ip IP address VPN instance Type TTL sec Dropped 5 5 5 5 Dynamic 600 353452 IP blacklist ...

Page 503: ...hat the IPv4 blacklist entries are successfully added Device display blacklist ip IP address VPN instance Type TTL sec Dropped 5 5 5 5 Manual Never 0 192 168 1 4 Manual 2989 0 Verify that the device drops packets from Host D Details not shown Execute the undo blacklist ip 5 5 5 5 command and verify that the device forwards packets from Host D Details not shown Verify that the device drops packets ...

Page 504: ...s a cipher suite and keys for integrity check A secure channel can contain more than one SA Each SA uses a unique secure association key SAK The SAK is generated from the CAK and MACsec uses the SAK to encrypt data transmitted along the secure channel MACsec Key Agreement MKA limits the number of packets that can be encrypted by an SAK When the limit is exceeded the SAK will be refreshed For examp...

Page 505: ...ent oriented mode NOTE In client oriented mode an MKA enabled port on the access device must perform port based 802 1X access control The authentication method must be EAP relay Device oriented mode Secures data transmission between devices In this mode the devices do not perform identity authentication and the same preshared key must be configured on the MACsec ports that connect the devices The ...

Page 506: ...server The key server generates an SAK from the CAK for packet encryption and it distributes the SAK to the client 3 The client and the access device use the SAK to encrypt packets and they send and receive the encrypted packets in secure channels 4 When the access device receives a logoff request from the client it immediately removes the associated secure session from the port The remove operati...

Page 507: ...nd hardware compatibility MACsec is supported only on the following ports Ports that are numbered from 1 to 8 on the following modules LSUM2GP44TSSE0 JH191A JH199A LSUM2GT48SE0 JH192A JH200A Ports that are numbered from 1 to 4 on the LSUM1TGS48SG0 JH197A JH205A module General restrictions and guidelines When you configure MACsec follow these restrictions and guidelines In device oriented mode the ...

Page 508: ...ACsec secure channels on a port It also negotiates keys used by MACsec You cannot enable MKA on a MACsec incapable port To enable MKA Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable MKA mka enable By default MKA is disabled on the port Enabling MACsec desire The MACsec desire feature expects MACsec protection fo...

Page 509: ...ey server selection The lower the priority value the higher the priority In device oriented mode the port that has higher priority becomes the key server If a port and its peers have the same priority MACsec compares the SCI values on the ports The port with the lowest SCI value a combination of MAC address and port ID becomes the key server A port with priority 255 cannot become the key server Fo...

Page 510: ...the entire frame needs to be encrypted The offset value can be 0 30 or 50 Configuring MACsec replay protection The MACsec replay protection feature allows a MACsec port to accept a number of out of order or repeated inbound frames The configured replay protection window size is effective only when MACsec replay protection is enabled To configure MACsec replay protection Step Command Remarks 1 Ente...

Page 511: ...an MKA policy and enter MKA policy view mka policy policy name By default an MKA policy named default policy exists The settings for parameters in the default policy are the same as the default settings for the parameters on a port You cannot delete or modify the default MKA policy You can create multiple MKA policies 3 Optional Configure the MACsec confidentiality offset macsec confidentiality of...

Page 512: ...ks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Apply an MKA policy mka apply policy policy name By default no MKA policy is applied to the port Displaying and maintaining MACsec Execute display commands in any view and reset commands in user view Task Command Display MACsec information on ports display macsec interface interface type i...

Page 513: ...n plain text DeviceA GigabitEthernet1 0 1 mka psk ckn E9AC cak simple 09DB3EF1 Set the MACsec confidentiality offset to 30 bytes DeviceA GigabitEthernet1 0 1 macsec confidentiality offset 30 Enable MACsec replay protection DeviceA GigabitEthernet1 0 1 macsec replay protection enable Set the MACsec replay protection window size to 100 DeviceA GigabitEthernet1 0 1 macsec replay protection window siz...

Page 514: ...et 1 0 1 of Device A DeviceA display macsec interface gigabitethernet 1 0 1 verbose Interface GigabitEthernet1 0 1 Protect frames Yes Replay protection Enabled Replay window size 100 frames Confidentiality offset 30 bytes Validation mode Strict Included SCI No SCI conflict No Cipher suite GCM AES 128 Transmit secure channel SCI 00E00100000A0006 Elapsed time 00h 05m 00s Current SA AN 0 PN 1 Receive...

Page 515: ...Included SCI No SCI conflict No Cipher suite GCM AES 128 Transmit secure channel SCI 00E0020000000106 Elapsed time 00h 05m 36s Current SA AN 0 PN 1 Receive secure channels SCI 00E00100000A0006 Elapsed time 00h 03m 21s Current SA AN 0 LPN 1 Previous SA AN N A LPN N A Display MKA session information on GigabitEthernet 1 0 1 of Device B DeviceB display mka session interface gigabitethernet 1 0 1 verb...

Page 516: ...t the link are not enabled with MKA A port at the link is not configured with a preshared key or configured with a preshared key different from the peer Solution To resolve the problem 1 Enter interface view 2 Use the display this command to check the MACsec configuration If MKA is not enabled on the port execute the mka enable command If a preshared key is not configured or the preshared key is d...

Page 517: ... for further forwarding The hosts are isolated at Layer 2 but they can communicate at Layer 3 An MFF enabled device and a host cannot ping each other Figure 147 Network diagram for MFF MFF works with any of the following features to implement traffic filtering and Layer 2 isolation on the EANs DHCP snooping see Layer 3 IP Services Configuration Guide ARP snooping see Layer 3 IP Services Configurat...

Page 518: ... the MFF devices in a cascaded network a network with multiple MFF devices connected to one another Ports between devices in a ring network Link aggregation is supported by network ports in an MFF enabled VLAN but it is not supported by user ports in the VLAN You can add the network ports to link aggregation groups but cannot add the user ports to link aggregation groups For more information about...

Page 519: ... replies with the MAC address of a gateway This mechanism helps reduce the number of broadcast messages The MFF device processes ARP packets as follows After receiving an ARP request from a host the MFF device sends the MAC address of the corresponding gateway to the host In this way hosts in the network have to communicate at Layer 3 through a gateway After receiving an ARP request from a gateway...

Page 520: ...MFF device to detect gateways periodically for the change of MAC addresses by sending forged ARP packets The ARP packets use 0 0 0 0 as the sender IP address and bridge MAC address as the source MAC address The interval for sending gateway probes is 30 seconds This feature is supported by MFF manual mode and MFF automatic mode To enable periodic gateway probe Step Command Remarks 1 Enter system vi...

Page 521: ...es to send ARP packets include all these IP addresses in the server IP address list To specify the IP addresses of servers Step Command Remarks 1 Enter system view system view N A 2 Enter VLAN view vlan vlan id N A 3 Specify the IP addresses of servers mac forced forwarding server server ip 1 10 By default no server IP address is specified Displaying and maintaining MFF Execute display commands in...

Page 522: ... Configure the IP address of GigabitEthernet 1 0 2 Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 ip address 10 1 1 50 24 3 Configure Switch A Enable DHCP snooping SwitchA system view SwitchA dhcp snooping enable Enable MFF in automatic mode on VLAN 100 SwitchA vlan 100 SwitchA vlan100 mac forced forwarding auto SwitchA vlan100 quit Configure IP address 10 1 1 50 for the DHCP s...

Page 523: ...trust Auto mode MFF configuration example in a ring network Network requirements As shown in Figure 149 all the devices are in VLAN 100 and the switches form a ring Hosts A B and C obtain IP addresses from the DHCP server Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through Gateway at Layer 3 Figure 149 Network diagram Configuration procedure 1 Config...

Page 524: ...ping trusted port SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit Configure GigabitEthernet 1 0 3 as a network port SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 mac forced forwarding network port Configure GigabitEthernet 1 0 3 as a DHCP snooping trusted port SwitchA GigabitEthernet1 0 3 dhcp snooping trust 4 Configure Switch B Enable DHCP...

Page 525: ...onfigure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through Gateway at Layer 3 Figure 150 Network diagram Configuration procedure 1 Configure IP addresses of the hosts as shown in Figure 150 2 Configure the IP address of GigabitEthernet 1 0 1 on Gateway Gateway system view Gateway interface gigabitethernet 1 0 1 Gateway GigabitEthernet1 0 1 ip address 10 1 1 ...

Page 526: ...ced forwarding network port Manual mode MFF configuration example in a ring network Network requirements As shown in Figure 151 all the devices are in VLAN 100 and the switches form a ring Hosts A B and C are assigned IP addresses manually Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through Gateway at Layer 3 Figure 151 Network diagram Configuration ...

Page 527: ...Switch B Enable STP globally to make sure STP is enabled on interfaces SwitchB stp global enable Configure manual mode MFF on VLAN 100 SwitchB vlan 100 SwitchB vlan100 mac forced forwarding default gateway 10 1 1 100 Specify the IP address of the server SwitchB vlan100 mac forced forwarding server 10 1 1 200 Enable ARP snooping on VLAN 100 SwitchB vlan100 arp snooping enable SwitchB vlan100 quit C...

Page 528: ...ich the Ethernet frame header and the source link layer address option of the ND message contain different source MAC addresses ND attack detection Access devices ND messages in which the mapping between the source IPv6 address and the source MAC address is invalid RA guard Layer 2 access devices RA messages incompliant with the RA guard policy or identified to be sent from hosts Configuration res...

Page 529: ...aces It does not perform user validity check ND untrusted interface The device discards RA and redirect messages received by ND untrusted interfaces For other types of ND messages received by the ND untrusted interfaces the device checks the user validity ND attack detection compares the source IPv6 address and the source MAC address in an incoming ND message against security entries from other mo...

Page 530: ...tection statistics interface interface type interface number Clear ND attack detection statistics reset ipv6 nd detection statistics interface interface type interface number Configuring RA guard About RA guard RA guard allows Layer 2 access devices to analyze and block unwanted and forged RA messages Upon receiving an RA message the device makes the forwarding or dropping decision based on the ro...

Page 531: ...drops all received RA messages 3 Optional Specify an ACL match criterion if match acl ipv6 acl number name ipv6 acl name By default no ACL match criterion exists 4 Optional Specify a prefix match criterion if match prefix acl ipv6 acl number name ipv6 acl name By default no prefix match criterion exists 5 Optional Specify a router preference match criterion if match router preference maximum high ...

Page 532: ...s in user view Task Command Display the RA guard policy configuration display ipv6 nd raguard policy policy name Display RA guard statistics display ipv6 nd raguard statistics interface interface type interface number Clear RA guard statistics reset ipv6 nd raguard statistics interface interface type interface number RA guard configuration example Network requirements As shown in Figure 152 Gigabi...

Page 533: ...inimum advertised hop limit to 100 for the RA guard policy Switch raguard policy policy1 if match hop limit minimum 100 Switch raguard policy policy1 quit Assign GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to VLAN 10 Switch interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 port link type access Switch GigabitEthernet1 0 1 port access vlan 10 Switch GigabitEthernet1 0 1 quit Switch in...

Page 534: ...GigabitEthernet 1 0 3 Switch interface gigabitethernet 1 0 3 Switch GigabitEthernet1 0 3 ipv6 nd raguard role router Switch GigabitEthernet1 0 3 quit Verifying the configuration Verify that the device drops RA messages received on GigabitEthernet 1 0 1 Details not shown Verify that the device forwards RA messages received on GigabitEthernet 1 0 3 to other ports in VLAN 10 Details not shown Verify ...

Page 535: ...eys used by the local device and the peer device must have the same authentication algorithm and key string To configure a keychain Step Command Remarks 1 Enter system view system view N A 2 Create a keychain and enter keychain view keychain keychain name mode absolute By default no keychains exist 3 Optional Set a tolerance time for accept keys in the keychain accept tolerance value infinite By d...

Page 536: ...area 0 SwitchA ospf 1 area 0 0 0 0 network 192 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 quit Create a keychain named abc and specify the absolute time mode for it SwitchA keychain abc mode absolute Create key 1 for keychain abc specify an authentication algorithm and configure a key string and the sending and receiving lifetimes for the key SwitchA keychain abc key 1 SwitchA...

Page 537: ...tion algorithm and configure a key string and the sending and receiving lifetimes for the key SwitchB keychain abc key 1 SwitchB keychain abc key 1 authentication algorithm hmac sha 256 SwitchB keychain abc key 1 key string plain 123456 SwitchB keychain abc key 1 send lifetime utc 10 00 00 2015 02 06 to 11 00 00 2015 02 06 SwitchB keychain abc key 1 accept lifetime utc 10 00 00 2015 02 06 to 11 00...

Page 538: ... 00 00 2015 02 06 to 11 00 00 2015 02 06 Accept status Active Key ID 2 Key string c 3 7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw Algorithm hmac sha 256 Send lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Send status Inactive Accept lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Accept status Inactive Display keychain information on Switch B The output shows that key 1 is the valid key SwitchB di...

Page 539: ... c 3 dYTC8QeOKJkwFwP2k rWL 1p6uMTw3MqNg Algorithm hmac sha 256 Send lifetime 10 00 00 2015 02 06 to 11 00 00 2015 02 06 Send status Inactive Accept lifetime 10 00 00 2015 02 06 to 11 00 00 2015 02 06 Accept status Inactive Key ID 2 Key string c 3 7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw Algorithm hmac sha 256 Send lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Send status Active Accept lifetime 11 ...

Page 540: ...0 2015 02 06 Accept status Inactive Key ID 2 Key string c 3 t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw Algorithm hmac sha 256 Send lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Send status Active Accept lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Accept status Active ...

Page 541: ...ast one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field nam...

Page 542: ... Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gatewa...

Page 543: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 544: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 545: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 546: ...n enable 86 EAP Message attribute 70 EAPOL packet format 70 EAP Success packet sending 97 enable 85 feature cooperation 82 guest VLAN 78 guest VLAN assignment configuration 102 guest VLAN assignment delay 98 guest VLAN configuration 93 MAC authentication delay 121 MAC based access control 76 maintain 100 mandatory port authentication domain 90 manual online user reauthentication 92 online user han...

Page 547: ...US implementation 2 RADIUS maintain 33 RADIUS request transmission attempts max 27 RADIUS scheme 23 RADIUS scheme creation 24 RADIUS scheme VPN 26 RADIUS security policy server IP address 32 RADIUS server 802 1X user 61 RADIUS server SSH user authentication authorization 53 RADIUS server status 28 RADIUS session control 47 RADIUS shared keys 26 RADIUS SNMP notification 32 RADIUS timer set 30 RADIU...

Page 548: ...anti replay IPsec anti replay redundancy 294 IPsec configuration 293 any authentication SSH 357 application IPsec application based implementation 281 IPsec application based tunnel establishment 282 IPv6 uRPF network 455 uRPF network 450 applying attack D P policy application device 480 480 attack D P policy application interface 479 IPsec policy to interface 292 MACsec MKA policy 498 port securi...

Page 549: ...nse policy creation 472 detection exemption configuration 479 device preventable attacks 468 display 483 flood attack 470 IP blacklist configuration 481 488 log non aggregation enable 480 login attack prevention configuration 482 login delay 482 login dictionary attack 471 login DoS attack 471 maintain 483 policy application device 480 policy application interface 479 scanning attack 469 single pa...

Page 550: ...US based 129 MAC authentication VLAN assignment 115 password control configuration 213 216 220 periodic MAC reauthentication 117 port security authentication modes 192 port security client macAddressElseUserLoginSecure 207 port security client userLoginWithOUI 204 port security configuration 192 195 203 port security MAC address autoLearn 203 portal authentication client 135 portal authentication ...

Page 551: ...ist configuration 481 C CA PKI architecture 243 PKI CA policy 243 PKI certificate 242 PKI certificate export 253 PKI certificate obtain 250 PKI certificate removal 254 PKI certificate request 248 PKI certificate request automatic 249 PKI certificate request manual 249 PKI certificate request abort 250 PKI certificate verification 251 PKI CRL 242 PKI domain configuration 246 PKI entity configuratio...

Page 552: ...6 802 1X EAD assistant DHCP server 109 802 1X guest VLAN 78 93 802 1X guest VLAN assignment 102 802 1X manual online user reauthentication 92 802 1X online user handshake 88 802 1X protocol packet sending rule 92 802 1X quiet timer 90 802 1X SmartOn 99 111 802 1X ACL assignment 105 AAA 1 17 49 AAA HWTACACS schemes 33 AAA HWTACACS server SSH user 49 AAA ISP domain accounting method 46 AAA ISP domai...

Page 553: ... signature authentication 327 IPsec IKE main mode pre shared key authentication 324 IPsec IKE DPD 321 IPsec IKE global identity information 320 IPsec IKE keepalive 321 IPsec IKE keychain 319 IPsec IKE NAT keepalive 321 IPsec IKE profile 316 IPsec IKE proposal 318 IPsec IKE SNMP notification 323 IPsec IKEv2 336 337 346 IPsec IKEv2 address pool 345 IPsec IKEv2 DPD 344 IPsec IKEv2 global parameters 3...

Page 554: ...134 139 157 portal authentication configuration cross subnet for MPLS L3VPN 184 portal authentication cross subnet configuration 165 portal authentication destination subnet 145 portal authentication detection features 147 portal authentication direct configuration 157 portal authentication extended cross subnet configuration 175 portal authentication extended direct configuration 168 portal authe...

Page 555: ...n 95 802 1X EAP Success packet sending 97 MAC authentication 116 MAC authentication configuration 123 critical voice VLAN 802 1X enable 96 MAC authentication enable 124 CRL PKI 242 PKI architecture 243 PKI CA policy 243 PKI certificate export 253 PKI certificate removal 254 PKI certificate based access control policy 254 troubleshooting PKI CRL obtain failure 274 cross subnet portal authentication...

Page 556: ...tant 98 802 1X EAD assistant configuration DHCP relay agent 106 802 1X EAD assistant configuration DHCP server 109 802 1X guest VLAN assignment configuration 102 802 1X SmartOn 99 802 1X SmartOn feature configuration 111 802 1X ACL assignment configuration 105 attack D P configuration 468 472 485 attack D P configuration interface based 485 attack D P defense policy 472 attack D P device preventab...

Page 557: ...hooting portal authentication users cannot log in re DHCP 190 DHCPv6 IPv6 source guard IPv6SG dynamic binding DHCPv6 snooping configuration 427 dictionary attack D P login delay 482 attack D P login dictionary attack 471 digital certificate PKI CA certificate 242 PKI CA policy 243 PKI CA storage path 253 PKI certificate export 253 PKI certificate import export 266 PKI certificate obtain 250 PKI ce...

Page 558: ...eck ARP 439 dynamic IP source guard IPSG dynamic binding 419 IPv4 source guard IPv4SG dynamic binding configuration 424 IPv4 source guard IPv4SG dynamic binding DHCP relay configuration 425 IPv6 source guard IPv6SG dynamic binding DHCPv6 snooping configuration 427 E EAD 802 1X EAD assistant 82 98 802 1X EAD assistant configuration DHCP relay agent 106 802 1X EAD assistant configuration DHCP server...

Page 559: ...ec tunnel mode 278 encrypting IPsec 279 IPsec configuration 277 301 IPsec crypto engine 280 IPsec encryption algorithm 3DES 279 IPsec encryption algorithm AES 279 IPsec encryption algorithm DES 279 IPsec RIPng configuration 308 IPsec RRI configuration 296 IPsec tunnel for IPv4 packets IKE based 303 IPsec tunnel for IPv4 packets manual 301 IPsec tunnel for IPv6 packets IKE based 306 MACsec data enc...

Page 560: ...lood 477 attack D P defense policy ICMPv6 flood 477 attack D P defense policy RST flood 476 attack D P defense policy SYN flood 475 attack D P defense policy SYN ACK flood 475 attack D P defense policy UDP flood 477 attack D P device preventable attacks 470 forcing portal authentication forced type 134 format 802 1X EAP packet format 69 802 1X EAPOL packet format 70 802 1X packet 69 AAA HWTACACS u...

Page 561: ...figuration 121 H handshake protocol SSL 233 handshaking 802 1X online user handshake 88 hardware compatibility MACsec 493 history password history 214 HTTP attack D P defense policy HTTP flood 478 SSL configuration 233 234 HW Terminal Access Controller Access Control System Use HWTACACS HWTACACS AAA configuration 1 17 49 AAA for SSH user 49 AAA implementation 7 AAA local user configuration 18 AAA ...

Page 562: ...guration 341 pre shared key authentication 346 profile configuration 338 proposal configuration 342 protocols and standards 337 RSA signature authentication 349 SA rekeying 337 troubleshoot 354 troubleshoot negotiation failure no proposal match 354 IMC AAA RADIUS session control 47 implementing 802 1X MAC based access control 76 802 1X port based access control 76 AAA for MPLS L3VPNs 13 AAA HWTACA...

Page 563: ... ACL based IPsec 280 anti replay redundancy 294 application based IPsec 281 authentication 279 authentication algorithms 279 configuration 277 301 crypto engine 280 display 300 encapsulation modes 277 encryption 279 encryption algorithms 279 FIPS compliance 282 IKE configuration 313 315 324 IKE configuration aggressive mode RSA signature authentication 327 IKE configuration main mode pre shared ke...

Page 564: ...ablishment based on Suite B 369 SSH SFTP server connection establishment 370 SSH SFTP server connection establishment based on Suite B 372 IPv4 source guard IPv4SG configuration 418 419 420 423 display 422 dynamic binding configuration 424 dynamic binding DHCP relay configuration 425 enable on interface 420 maintain 422 static binding configuration 420 423 IPv6 IPsec See IPv6 IPsec IPsec tunnel fo...

Page 565: ... in tree network 511 Layer 3 IPsec configuration 277 301 IPsec RIPng configuration 308 IPsec RRI configuration 296 IPsec tunnel for IPv4 packets IKE based 303 IPsec tunnel for IPv4 packets manual 301 IPsec tunnel for IPv6 packets IKE based 306 PKI MPLS L3VPN support 244 LDAP AAA configuration 1 17 49 AAA implementation 9 AAA local user configuration 18 AAA scheme 18 administrator attribute 40 auth...

Page 566: ...cy check 434 IP source guard IPSG configuration 418 419 423 IPv4 source guard IPv4SG dynamic binding configuration 424 IPv4 source guard IPv4SG dynamic binding DHCP relay configuration 425 IPv4 source guard IPv4SG static binding configuration 423 IPv6 source guard IPv6SG dynamic binding DHCPv6 snooping configuration 427 IPv6 source guard IPv6SG static binding configuration 426 MAC authentication 1...

Page 567: ...rating mechanism client oriented 491 operating mechanism device oriented 491 preshared key configuration 495 protection parameter configuration interface view 495 protection parameter configuration MKA policy 497 protocols and standards 493 replay protection configuration 496 services 490 troubleshooting 502 troubleshooting device cannot establish MKA session 502 validation mode configuration 496 ...

Page 568: ...rol 193 port security MAC learning control 192 port security MAC learning control autoLearn 192 port security MAC learning control secure 192 port security macAddressWithRadius authentication 194 port security secure MAC learning control 193 portal authentication 136 portal authentication cross subnet 137 portal authentication direct 136 portal authentication re DHCP 136 uRPF loose check 448 uRPF ...

Page 569: ...ration 111 802 1X VLAN manipulation 76 802 1X ACL assignment configuration 105 AAA device implementation 11 AAA HWTACACS implementation 7 AAA HWTACACS scheme 33 AAA HWTACACS server SSH user 49 AAA ISP domain accounting method 46 AAA ISP domain attribute 43 AAA ISP domain authentication method 44 AAA ISP domain authorization method 45 AAA ISP domain creation 43 AAA ISP domain method 42 AAA LDAP imp...

Page 570: ...ent 282 IPsec tunnel for IPv4 packets IKE based 303 IPsec tunnel for IPv4 packets manual 301 IPsec tunnel for IPv6 packets IKE based 306 IPv4 source guard IPv4SG configuration 420 IPv4 source guard IPv4SG dynamic binding configuration 424 IPv4 source guard IPv4SG dynamic binding DHCP relay configuration 425 IPv4 source guard IPv4SG enable on interface 420 IPv4 source guard IPv4SG static binding co...

Page 571: ...urity NTK 198 port security secure MAC address 199 port security secure MAC address port limit 196 portal authentication AAA server 135 portal authentication client 135 portal authentication cross subnet configuration 165 portal authentication domain 146 portal authentication interface NAS ID profile 152 portal authentication re DHCP configuration 162 portal authentication system components 134 RA...

Page 572: ...tion 514 password control configuration 213 216 220 PKI configuration 242 245 255 port security configuration 192 195 203 portal authentication 139 portal authentication configuration 134 134 public key import from file 230 public key management 224 228 RA guard 518 SSH configuration 356 SSL configuration 233 234 SSL services 233 uRPF configuration 448 451 no AAA no accounting method 12 AAA no aut...

Page 573: ...rce guard IPv6SG static binding configuration 426 ND attack defense configuration 514 RA guard 518 pairwise CAK MACsec 490 parameter AAA RADIUS accounting server parameters 25 configuring SSH management parameters 364 MACsec protection parameter interface view 495 MACsec protection parameter MKA policy 497 password control parameters global 217 password control parameters local user 219 password c...

Page 574: ...CA server certificate request configuration 258 policy AAA RADIUS security policy server IP address 32 attack D P defense policy 472 attack D P defense policy flood 474 attack D P defense policy scanning 474 attack D P defense policy single packet 472 IPsec application to interface 292 IPsec configuration manual 286 IPsec IKEv2 configuration 341 IPsec policy IKE based direct 289 IPsec policy IKE b...

Page 575: ... modes 192 authorization fail offline 201 client macAddressElseUserLoginSecure 207 client userLoginWithOUI 204 configuration 192 195 203 display 202 enable 195 feature configuration 198 features 192 intrusion protection 198 intrusion protection feature 192 MAC address autoLearn 203 MAC address learning control 193 MAC authentication 194 MAC move enable 201 MAC 802 1X authentication 194 mode set 19...

Page 576: ...802 1X EAP relay 73 authenticating with 802 1X EAP termination 74 binding IPsec source interface to policy 295 configuring AAA user group attributes 21 configuring portal authentication cross subnet for MPLS L3VPN 184 configuring 802 1X 84 configuring 802 1X authentication trigger 89 configuring 802 1X Auth Fail VLAN 94 configuring 802 1X authorization VLAN assignment 102 configuring 802 1X basics...

Page 577: ...ing attack D P defense policy FIN flood 476 configuring attack D P defense policy flood 474 configuring attack D P defense policy HTTP flood 478 configuring attack D P defense policy ICMP flood 477 configuring attack D P defense policy ICMPv6 flood 477 configuring attack D P defense policy RST flood 476 configuring attack D P defense policy scanning 474 configuring attack D P defense policy single...

Page 578: ...ng MAC authentication RADIUS based 129 configuring MAC authentication ACL assignment 131 configuring MAC authentication critical VLAN 123 configuring MAC authentication delay 121 configuring MAC authentication guest VLAN 121 configuring MAC authentication keep online 124 configuring MAC authentication multi VLAN mode 120 configuring MAC authentication user account format 119 configuring MACsec 494...

Page 579: ...guard logging 518 configuring RA guard policy 517 configuring Secure Telnet client user line 361 configuring security local portal Web server feature 153 configuring security password control 220 configuring security portal authentication direct local portal Web server 186 configuring security portal authentication local portal Web server 155 configuring source MAC consistency check 514 configurin...

Page 580: ...acket logging 296 enabling IPsec QoS pre classify 295 enabling IPv4 source guard IPv4SG on interface 420 enabling IPv6 source guard IPv6SG on interface 421 enabling MAC authentication 118 enabling MAC authentication critical voice VLAN 124 enabling MAC authentication offline detection 120 enabling MACsec desire 494 enabling MACsec MKA 494 enabling MFF 505 enabling MFF periodic gateway probe 506 en...

Page 581: ...ing MAC authentication concurrent port users max 120 setting MAC authentication timer 119 setting password control parameters global 217 setting password control parameters local user 219 setting password control parameters super 219 setting password control parameters user group 218 setting port security mode 196 setting portal authentication users max 146 specifying 802 1X access control method ...

Page 582: ...ubleshooting portal authentication users cannot log in re DHCP 190 troubleshooting portal authentication users logged out still exist on server 190 verifying PKI certificate 251 verifying PKI certificate verification CRL checking 251 verifying PKI certificate verification w o CRL checking 252 working with SSH SFTP directories 373 working with SSH SFTP files 373 processing parallel processing with ...

Page 583: ...mation exchange security 2 Login Service attribute check method 32 MAC authentication 114 MAC authentication RADIUS based 129 MAC authentication authorization VLAN 115 maintain 33 outgoing packet source IP address 29 packet exchange process 3 packet format 3 port security macAddressWithRadius 194 port security NAS ID profile 202 portal authentication interface NAS ID profile 152 protocols and stan...

Page 584: ... 1X authentication configuration 100 802 1X basic configuration 100 802 1X configuration 76 84 802 1X EAD assistant configuration DHCP relay agent 106 802 1X EAD assistant configuration DHCP server 109 802 1X guest VLAN assignment configuration 102 802 1X ACL assignment configuration 105 IPsec IPv6 routing protocol profile manual 298 IPsec IPv6 routing protocols configuration 298 MFF auto mode in ...

Page 585: ... 1X Auth Fail VLAN 79 94 802 1X authorization VLAN 76 802 1X authorization VLAN assignment configuration 102 802 1X basic configuration 100 802 1X critical VLAN 80 95 802 1X critical voice VLAN 96 802 1X display 100 802 1X EAD assistant 98 802 1X EAD assistant configuration DHCP relay agent 106 802 1X EAD assistant configuration DHCP server 109 802 1X EAP relay enable 86 802 1X EAP termination ena...

Page 586: ...interface based 485 attack D P defense policy 472 attack D P detection exemption 479 attack D P device preventable attacks 468 attack D P display 483 attack D P IP blacklist configuration 488 attack D P log non aggregation 480 attack D P maintain 483 attack D P policy application device 480 attack D P policy application interface 479 authorized ARP DHCP relay agent 436 authorized ARP DHCP server 4...

Page 587: ...port users max 120 MAC authentication configuration 114 MAC authentication critical VLAN 123 MAC authentication critical voice VLAN 124 MAC authentication delay 121 121 MAC authentication display 126 MAC authentication domain 118 MAC authentication enable 118 MAC authentication guest VLAN 121 MAC authentication keep online 124 MAC authentication maintain 126 MAC authentication methods 114 MAC auth...

Page 588: ... 262 PKI operation 243 PKI RSA Keon CA server certificate request 256 PKI terminology 242 PKI Windows 2003 CA server certificate request 258 port See port security port security display 202 portal authentication 139 portal authentication BAS IP 151 portal authentication configuration 134 157 portal authentication cross subnet configuration 165 portal authentication detection features 147 portal au...

Page 589: ...ver connection termination 374 SSH SFTP server enable 360 SSH SFTP server password authentication 397 SSH Stelnet server enable 360 SSH user configuration 363 SSH user configuration restrictions 363 SSH2 algorithms 377 SSH2 algorithms encryption 378 SSH2 algorithms key exchange 377 SSH2 algorithms MAC 379 SSH2 algorithms public key 378 SSL client policy configuration 237 SSL configuration 233 234 ...

Page 590: ...SSH ECDSA key pair 359 SSH RSA key pair 359 setting 802 1X authentication request attempts max 87 802 1X authentication timeout timers 88 802 1X port authorization state 86 802 1X port users max 87 AAA concurrent login user max 48 AAA HWTACACS timer 38 AAA HWTACACS traffic statistics unit 36 AAA HWTACACS username format 36 AAA LDAP server timeout period 40 AAA RADIUS request transmission attempts ...

Page 591: ...22 spoofing IPv6 uRPF configuration 453 456 456 uRPF configuration 448 451 451 SSH AAA HWTACACS server SSH user 49 AAA LDAP server SSH user authentication 56 AAA RADIUS Login Service attribute check method 32 AAA RADIUS server SSH user authentication authorization 53 AAA SSH user local authentication HWTACACS authorization RADIUS accounting 51 authentication methods 357 client host public key conf...

Page 592: ...n configuration cross subnet for MPLS L3VPN 184 portal authentication cross subnet configuration 165 portal authentication destination subnet 145 portal authentication extended cross subnet configuration 175 portal authentication source subnet 144 super password control parameters 219 suppressing ARP attack protection source suppression unresolvable IP attack 429 switch portal authentication cross...

Page 593: ...method 32 terminating SSH SFTP server connection 374 testing AAA RADIUS server status detection test profile 23 FIPS conditional self test 461 FIPS power up self test 461 FIPS triggered self test 461 TFTP local host public key distribution 226 time IPsec IKE negotiation time based lifetime 279 timeout 802 1X authentication timeout 88 MAC authentication server timeout 119 timer 802 1X authenticatio...

Page 594: ...on 189 portal authentication cannot log out users access device 189 portal authentication cannot log out users RADIUS server 190 portal authentication no page pushed for users 189 portal authentication users cannot log in re DHCP 190 portal authentication users logged out still exist on server 190 tunneling IPsec configuration 277 301 IPsec encapsulation tunnel mode 278 IPsec RIPng configuration 3...

Page 595: ...5 password setting 213 password updating 214 214 password user first login 215 password user login attempt limit 215 password user login control 215 userLoginWithOUI 204 username AAA HWTACACS format 36 AAA RADIUS format 27 V validating MACsec validation mode 496 validity check ARP packet 439 ARP user 438 440 ARP user packet 442 vendor AAA proprietary RADIUS subattributes vendor ID 25506 15 verifyi...

Page 596: ...figuration 157 portal authentication extended cross subnet configuration 175 portal authentication extended direct configuration 168 portal authentication extended functions 134 portal authentication extended re DHCP configuration 171 portal authentication re DHCP configuration 162 portal authentication server detection user synchronization configuration 178 portal authentication system components...

Reviews:

No comments