HP 5120 EI Series Configuration Manual Download Page 214

Page: 214 / 304

204

10242FDD D3947F5E 2DA70BD9 1FAF07E5

1D167CE1 FC20394F 476F5C08 C5067DF9

CB4D05E6 55DC11B6 9F4C014D EA600306

81D403CF 2D93BC5A 8AF3224D 1125E439

78ECEFE1 7FA9AE7B 877B50B8 3280509F

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1

X509v3 Authority Key Identifier:

keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE

X509v3 CRL Distribution Points:

URI:http://l00192b/CertEnroll/CA%20server.crl

URI:file://\\l00192b\CertEnroll\CA server.crl

Authority Information Access:

CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt

CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt

1.3.6.1.4.1.311.20.2:

.0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e

Signature Algorithm: sha1WithRSAEncryption

81029589 7BFA1CBD 20023136 B068840B

(Omitted)

You can also use some other

display

commands—such as,

display pki certificate ca

domain

command—

to view more information about the CA certificate. For more information about the command, see the

Security Command Reference.

Configuring a certificate attribute-based access control policy

Network requirements



The client accesses the remote HTTP Secure (HTTPS) server through the HTTPS protocol.



Configure SSL to ensure that only legal clients log in to the HTTPS server.



Create a certificate attribute-based access control policy to control access to the HTTPS server.

Figure 57

Configure a certificate attribute-based access control policy

CA server

IP network

Host

Switch

HTTPS client

HTTPS server

Summary of Contents for 5120 EI Series

Page 1: ... procedures These configuration guides also provide configuration examples to help you apply software features to different network scenarios This documentation is intended for network planners field technical support and servicing engineers and network administrators working with the HP A Series products Part number 5998 1800 Software version Release 2208 Document version 5W100 20110530 ...

Page 2: ... MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompa...

Page 3: ...ns configuration task list 42 Configuring a RADIUS user 42 Specifying a RADIUS client 43 Displaying and maintaining AAA 44 AAA configuration examples 44 AAA for Telnet users by an HWTACACS server 44 AAA for Telnet users by separate servers 45 Authentication Authorization for SSH Telnet users by a RADIUS server 47 AAA for 802 1X users by a RADIUS server 50 Level switching authentication for Telnet ...

Page 4: ...on configuration example 84 802 1X with guest VLAN and VLAN assignment configuration example 86 802 1X with ACL assignment configuration example 89 EAD fast deployment configuration 91 EAD fast deployment overview 91 EAD fast deployment implementation 91 Configuring EAD fast deployment 91 Configuration prerequisites 91 Configuration procedure 91 Displaying and maintaining EAD fast deployment 92 EA...

Page 5: ... 121 Specifying the Auth Fail VLAN for portal authentication 122 Specifying the auto redirection URL for authenticated portal users 122 Configuring portal detection functions 123 Logging off portal users 123 Displaying and maintaining portal 123 Portal configuration examples 124 Configuring Layer 2 portal authentication 124 Troubleshooting portal 128 Inconsistent keys on the access device and the ...

Page 6: ...tion task list 161 Creating a user profile 161 Configuration prerequisites 161 Creating a user profile 161 Configuring a user profile 162 Enabling a user profile 162 Displaying and maintaining user profile 163 Password control configuration 164 Password control overview 164 Password control configuration task list 166 Configuring password control 167 Enabling password control 167 Setting global pa...

Page 7: ...eleting a certificate 196 Configuring an access control policy 197 Displaying and maintaining PKI 197 PKI configuration examples 198 Requesting a certificate from a CA running RSA Keon 198 Requesting a certificate from a CA running Windows 2003 Server 201 Configuring a certificate attribute based access control policy 204 Troubleshooting PKI 206 Failed to retrieve a CA certificate 206 Failed to re...

Page 8: ...L configuration 241 SSL overview 241 SSL security mechanism 241 SSL protocol stack 242 SSL configuration task list 242 Configuring an SSL server policy 242 Configuration prerequisites 242 Configuration procedure 243 SSL server policy configuration example 243 Configuring an SSL client policy 245 Configuration prerequisites 245 Configuration procedure 245 Displaying and maintaining SSL 246 Troubles...

Page 9: ...ed ARP attack detection 268 Introduction 268 Configuration procedure 268 Displaying and maintaining source MAC address based ARP attack detection 269 Configuring ARP packet source MAC address consistency check 269 Introduction 269 Configuration procedure 269 Configuring ARP active acknowledgement 270 Introduction 270 Configuration procedure 270 Configuring ARP detection 270 Introduction 270 Enabli...

Page 10: ...ion 284 Configuring ND detection 285 Displaying and maintaining ND detection 285 ND detection configuration example 286 Support and other resources 288 Contacting HP 288 Subscription service 288 Related information 288 Documents 288 Websites 288 Conventions 289 Index 291 ...

Page 11: ...s shown in Figure 1 Figure 1 Network diagram for AAA Remote user NAS RADIUS server HWTACACS server Internet Network When a user tries to log in to the NAS use network resources or access other networks the NAS authenticates the user The NAS can transparently pass the user s authentication authorization and accounting information to the servers The RADIUS and HWTACACS protocols define how a NAS and...

Page 12: ... to connection requests authenticates users and returns user access control information for example rejecting or accepting the user access request to the clients In general the RADIUS server maintains the following databases Users Clients and Dictionary Figure 2 RADIUS server components RADIUS servers Users Clients Dictionary Users Stores user information such as usernames passwords applied protoc...

Page 13: ...ization information If the authentication fails it returns an Access Reject message 4 The RADIUS client permits or denies the user according to the returned authentication result If it permits the user it sends a start accounting request Accounting Request to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response and starts accounting 6 The user accesses the ...

Page 14: ...A packet of this type carries user information for the server to start or stop accounting for the user The Acct Status Type attribute in the packet indicates whether to start or stop accounting 5 Accounting Response From the server to the client The server sends a packet of this type to notify the client that it has received the Accounting Request and has correctly recorded the accounting informat...

Page 15: ... depend on the Type and Length fields Table 2 RADIUS attributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Terminate Cause 6 Service Type 50 Acct Multi Session Id 7 Framed Protocol 51 Acct Link Count 8 Framed IP Address 52 Acct Input Gigawords 9 Framed ...

Page 16: ...ssion Id 91 Tunnel Server Auth id Extended RADIUS attributes The RADIUS protocol features excellent extensibility Attribute 26 Vender Specific defined by RFC 2865 allows a vender to define extended attributes to implement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple type length value TLV sub attributes in RADIUS packets for extension in application...

Page 17: ... using a client server model using shared keys for user information security and providing flexibility and extensibility Table 3 lists their differences Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP providing higher transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only th...

Page 18: ...nse indicating the start of accounting 17 The user logs off 18 Stop accounting request 19 Stop accounting response 10 Authentication continuance packet with the login password Here is the process 1 A Telnet user sends an access request to the HWTACACS client 2 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS server 3 The HWTACACS server sends back ...

Page 19: ...ed Domain based user management A NAS manages users based on Internet service provider ISP domains On a NAS each user belongs to one ISP domain A NAS determines the ISP domain a user belongs to by the username entered by the user at login as shown in Figure 7 Figure 7 Determine the ISP domain of a user by the username Username carries domain name A user enters the username in the form of userid do...

Page 20: ...RADIUS server runs on a computer or workstation and the RADIUS client runs on a NAS device A network device that supports the RADIUS server feature can also serve as the RADIUS server working with RADIUS clients to implement user authentication authorization and accounting As shown in Figure 8 the RADIUS server and client can reside on the same device or different devices Using a network device as...

Page 21: ...s are related to AAA RADIUS and HWTACACS RFC 2865 Remote Authentication Dial In User Service RADIUS RFC 2866 RADIUS Accounting RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS Extensions RFC 1492 An Access Control Protocol Sometimes Called TACACS RADIUS attributes Commonly used standard RADIUS attributes No ...

Page 22: ...ver With the LAN access service provided by an HP device this attribute carries the MAC address of the user in the format HHHH HHHH HHHH 32 NAS Identifier Identification that the NAS uses for indicating itself 40 Acct Status Type Type of the Accounting Request packet Possible values are as follows 1 Start 2 Stop 3 Interium Update 4 Reset Charge 7 Accounting On Defined in 3GPP the 3rd Generation Pa...

Page 23: ..._Identifier Identification for retransmitted packets For retransmitted packets of the same session this attribute must take the same value for retransmitted packets of different sessions this attribute may take the same value The client response of a retransmitted packet must also carry this attribute and the value of the attribute must be the same For Accounting Request packets of the start stop ...

Page 24: ...ut Interval Packets Packets output within an accounting interval in the unit set on the device 205 Input Interval Gigawords Result of bytes input within an accounting interval divided by 4G bytes 206 Output Interval Gigawords Result of bytes output within an accounting interval divided by 4G bytes 207 Backup NAS IP Backup source IP address for sending RADIUS packets 255 Product_ID Product name AAA...

Page 25: ...S schemes Configuring HWTACACS schemes Configuring AAA methods for ISP domains Creating an ISP domain Required Configuring ISP domain attributes Optional Configuring AAA authentication methods for an ISP domain Required Complete at least one task Configuring AAA authorization methods for an ISP domain Configuring AAA accounting methods for an ISP domain Tearing down user connections forcibly Optio...

Page 26: ...about local user group see Configuring user group attributes Password control attributes Password control attributes help you improve the security of local users passwords Password control attributes include password aging time minimum password length and password composition policy You can configure a password control attribute in system view user group view or local user view making the attribut...

Page 27: ...nd Add a local user and enter local user view local user user name Required No local user exists by default Configure a password for the local user password cipher simple password Optional Place the local user to the state of active or blocked state active block Optional When created a local user is in the active state by default and the user can request network services Set the maximum number of ...

Page 28: ...r other types of local users Configure the authorization attributes for the local user authorization attribute acl acl number callback number callback number idle cut minute level level user profile profile name user role security audit vlan vlan id work directory directory name Optional By default no authorization attribute is configured for a local user For LAN and portal users only acl idle cut...

Page 29: ...nfiguration Guide Be cautious when deciding which binding attributes should be configured for a local user Binding attributes are checked upon local authentication of a user If the checking fails the user fails the authentication Every configurable authorization attribute has its definite application environments and purposes When configuring authorization attributes for a local user consider what...

Page 30: ... A RADIUS scheme specifies the RADIUS servers that the device can cooperate with and defines a set of parameters that the device uses to exchange information with the RADIUS servers There may be authentication authorization servers and accounting servers or primary servers and secondary servers The parameters mainly include the IP addresses of the servers the shared keys and the RADIUS server type...

Page 31: ...eme name Required No RADIUS scheme by default NOTE A RADIUS scheme can be referenced by multiple ISP domains at the same time Specifying the RADIUS authentication authorization servers Follow these steps to specify the RADIUS authentication authorization servers To do Use the command Remarks Enter system view system view Enter RADIUS scheme view radius scheme radius scheme name Specify the primary...

Page 32: ...sers for whom no accounting response is received before the number of accounting attempts reaches the limit When the device receives a connection teardown request from a host or a connection teardown notification from an administrator it sends a stop accounting request to the accounting server You can enable buffering of non responded stop accounting requests to allow the device to buffer and rese...

Page 33: ...s To do Use the command Remarks Enter system view system view Enter RADIUS scheme view radius scheme radius scheme name Set the shared key for RADIUS authentication authorization or accounting packets key accounting authentication string Required No shared key by default NOTE A shared key configured on the device must be the same as that configured on the RADIUS server Setting the maximum number o...

Page 34: ...ers to blocked or active you can control which servers the device will communicate with for authentication authorization and accounting or turn to when the current servers are not available anymore In practice you can specify one primary RADIUS server and multiple secondary RADIUS servers with the secondary ones as the backup of the primary one Generally the device chooses servers based on these r...

Page 35: ...IUS scheme view radius scheme radius scheme name Set the status of the primary RADIUS authentication authorization server state primary authentication active block Optional active for every server specified in the RADIUS scheme by default Set the status of the primary RADIUS accounting server state primary accounting active block Set the status of the secondary RADIUS authentication authorization ...

Page 36: ...ing RADIUS packets The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server A RADIUS server identifies a NAS by its IP address Upon receiving a RADIUS packet a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS If yes the server processes the packet If not the server drops the pa...

Page 37: ...ed state If a server is not reachable the device changes the server s status to blocked starts this timer for the server and tries to communicate with another server in the active state After this timer expires the device changes the status of the server back to active Real time accounting timer realtime accounting Defines the interval at which the device sends real time accounting packets to the ...

Page 38: ...y result in frequent authentication or accounting failures because the device has to repeatedly attempt to communicate with a server that is in the active state but is unreachable For more information about the maximum number of RADIUS packet retransmission attempts see Setting the maximum number of RADIUS request transmission attempts Configuring RADIUS accounting on The accounting on feature ena...

Page 39: ...rpret the attribute to implement user based traffic monitoring and controlling To support such applications configure the access devices to interpret the class attribute as the CAR parameters Follow these steps to configure the RADIUS client to interpret the class attribute as the CAR parameters To do Use the command Remarks Enter system view system view Enter RADIUS scheme view radius scheme radi...

Page 40: ...f RADIUS schemes display radius scheme radius scheme name slot slot number begin exclude include regular expression Available in any view Display statistics about RADIUS packets display radius statistics slot slot number begin exclude include regular expression Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer rad...

Page 41: ...s follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view To do Use the command Remarks Enter system view system view Create an HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default NOTE Up to 16 HWTACACS schemes can be configured A scheme can be deleted only when it is not referenced Specifying the HWTACACS authe...

Page 42: ...pecify the secondary HWTACACS authorization server secondary authorization ip address port number NOTE If both the primary and secondary authorization servers are specified the secondary one is used when the primary one is not reachable If redundancy is not required specify only the primary HWTACACS authorization server The IP addresses of the primary and secondary authorization servers cannot be ...

Page 43: ...e steps to set the shared keys for HWTACACS packets To do Use the command Remarks Enter system view system view Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Set the shared keys for HWTACACS authentication authorization and accounting packets key accounting authentication authorization string Required No shared key by default Setting the username format and traffic statistics uni...

Page 44: ...ACS server An HWTACACS server identifies a NAS by IP address Upon receiving an HWTACACS packet an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS If yes the server processes the packet If not the server drops the packet Usually the source address of outgoing HWTACACS packets can be the IP address of the NAS s any interface that can communicat...

Page 45: ...transmit the accounting information of online users to the HWTACACS accounting server periodically If the device does not receive any response to the information it does not forcibly disconnect the online users The real time accounting interval must be a multiple of 3 The setting of the real time accounting interval somewhat depends on the performance of the NAS and the HWTACACS server A shorter i...

Page 46: ...cause users of different ISPs may have different user attributes for example different username and password structure service type and rights you must configure ISP domains to distinguish the users and configure different AAA methods for the ISP domains On a NAS each user belongs to an ISP domain A NAS can accommodate up to 16 ISP domains including the factory default ISP domain which is named sy...

Page 47: ... the self service function a user can manage and control his or her accounting information or card number A server with self service software is a self service server Configuring AAA authentication methods for an ISP domain In AAA authentication authorization and accounting are separate processes Authentication refers to the interactive authentication process of username password user information ...

Page 48: ...thods for an ISP domain To do Use the command Remarks Enter system view system view Enter ISP domain view domain isp name Specify the default authentication method for all types of users authentication default hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Optional local by default Specify the authentication method for LAN users authentication lan acce...

Page 49: ...required Configuring AAA authorization methods for an ISP domain In AAA authorization is a separate process at the same level as authentication and accounting Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization Authorization method configuration is optional in AAA configuration AAA...

Page 50: ...n that for a specific access mode RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme In addition if a RADIUS authorization fails the error message returned to the NAS says that the server is not responding With the radius scheme radius scheme name local or hwtacacs scheme hwtacacs scheme name local none ...

Page 51: ...r access 3 Determine whether to configure an accounting method for all access modes or service types Follow these steps to configure AAA accounting methods for an ISP domain To do Use the command Remarks Enter system view system view Enter ISP domain view domain isp name Enable the accounting optional feature accounting optional Optional Disabled by default Specify the default accounting method fo...

Page 52: ...e has no backup accounting method and performs only local accounting or does not perform any accounting Accounting is not supported for FTP services Tearing down user connections forcibly Follow these steps to tear down user connections forcibly To do Use the command Remarks Enter system view system view Tear down AAA user connections forcibly cut connection access type dot1x mac authentication po...

Page 53: ...the NAS after the RADIUS user passes authentication The NAS then uses the assigned ACL and VLAN to control user access If the assigned ACL does not exist on the NAS ACL assignment will fail and the NAS will log the RADIUS user out forcibly If the assigned VLAN does not exist on the NAS the NAS will create the VLAN and add the RADIUS user or the access port to the VLAN Specifying a RADIUS client Th...

Page 54: ...re the switch to use the HWTACACS server to provide authentication authorization and accounting services for Telnet users Set the shared keys for authentication authorization and accounting packets exchanged with the HWTACACS server to expert Specify that the switch remove the domain names in usernames before sending usernames to the HWTACACS server Figure 10 Configure AAA for Telnet users by an H...

Page 55: ... hwtacacs scheme hwtac Switch isp bbb authorization login hwtacacs scheme hwtac Switch isp bbb accounting login hwtacacs scheme hwtac Switch isp bbb quit Or Switch domain bbb Switch isp bbb authentication default hwtacacs scheme hwtac Switch isp bbb authorization default hwtacacs scheme hwtac Switch isp bbb accounting default hwtacacs scheme hwtac When telnetting to the switch a user enters userna...

Page 56: ...hwtac key authorization expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the RADIUS scheme Switch radius scheme rd Switch radius rd primary accounting 10 1 1 1 1813 Switch radius rd key accounting expert Switch radius rd server type extended Switch radius rd user name format without domain Switch radius rd quit Create a local user named hello Switch...

Page 57: ...de the domain names in usernames to be sent to the RADIUS server Add an account on the RADIUS server with the username hello bbb The SSH user uses the username and the configured password to log in to the switch and is authorized with the privilege level of 3 after login Figure 12 Configure authentication authorization for SSH users by a RADIUS server Internet Switch SSH user RADIUS server 10 1 1 ...

Page 58: ...IP address specified with the nas ip or radius nas ip command on the device Figure 13 Add an access device Add a user for device management Log in to the iMC management platform select the User tab and select Device Management User from the navigation tree to enter the Device Management User page Then click Add to enter the Add Device Management User window and perform the following configurations...

Page 59: ...gh which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure the switch to use AAA for SSH users Switch user interface vty 0 4 Switch ui vty0 ...

Page 60: ...of level 0 through level 3 Use the display connection command to view the connection information on the switch Switch display connection Index 1 Username hello bbb IP 192 168 1 58 IPv6 N A Total 1 connection s matched AAA for 802 1X users by a RADIUS server Network requirements As shown in Figure 15 configure the switch to use the RADIUS server to perform authentication authorization and accountin...

Page 61: ...evice from the navigation tree to enter the Access Device List page Then click Add to enter the Add Access Device page and perform the following configurations Set the shared key for authentication and accounting to expert Specify the ports for authentication and accounting as 1812 and 1813 respectively Select LAN Access Service as the service type Select HP A Series as the access device type Sele...

Page 62: ... the following configurations Add a plan named UserAcct Select Flat rate as the charging template In the Basic Plan Settings field configure to charge the fixed fee of 120 dollars per month In the Service Usage Limit field set the Usage Threshold to 120 hours allowing the user to access the Internet for up to 120 hours per month Adopt the default settings for other parameters and click OK to finis...

Page 63: ...to carry the domain name Specify UserAcct as the Charging Plan Select Deploy VLAN and set the ID of the VLAN to be assigned to 4 Configure other parameters according to the actual situation Click OK to finish the operation Figure 18 Add a service Add a user Select the User tab and select All Access Users from the navigation tree to enter the All Access Users page Then click Add to enter the Add Ac...

Page 64: ...d primary authentication 10 1 1 1 Switch radius rad primary accounting 10 1 1 1 Switch radius rad key authentication expert Switch radius rad key accounting expert Configure the scheme to include the domain names in usernames to be sent to the RADIUS server Switch radius rad user name format with domain Switch radius rad quit Configure an authentication domain Create an ISP domain named bbb and en...

Page 65: ... EAP type as MD5 Challenge If the iNode client is used no advanced authentication options need to be enabled When using the iNode client the user can pass authentication after entering username dot1x bbb and the correct password in the client property page When using the Windows XP 802 1X client the user can pass authentication after entering the correct username and password in the pop up authent...

Page 66: ...cularly local authentication for Telnet users Create ISP domain bbb and configure it to use local authentication for Telnet users Create a local user account configure the password and assign the privilege level for the user to enjoy after login 2 On the switch configure the authentication method for user privilege level switching Specify to use HWTACACS authentication and if HWTACACS authenticati...

Page 67: ...1 1 and the port for authentication as 49 Switch hwtacacs hwtac primary authentication 10 1 1 1 49 Set the shared key for authentication packets to expert Switch hwtacacs hwtac key authentication expert Configure the scheme to remove the domain names in usernames before sending usernames to the HWTACACS server Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Create ...

Page 68: ...urations the user needs to use the password enabpass when switching to level 1 level 2 or level 3 Select Use separate password and specify the password as enabpass Figure 21 Configure advanced attributes for the Telnet user 3 Verify the configuration After you complete the configuration the Telnet user should be able to telnet to the switch and use username test bbb and password aabbcc to enter th...

Page 69: ...se commands can be used whose level is equal or less than this Privilege note 0 VISIT 1 MONITOR 2 SYSTEM 3 MANAGE If the HWTACACS server is not available the Telnet user needs to enter password 654321 as prompted for local authentication Switch super 3 Password Enter the password for HWTACACS privilege level switch authentication Error Invalid configuration or no response from the authentication s...

Page 70: ...me rad Specify the IP address for the primary authentication server as 10 1 1 2 the port for authentication as 1645 and the shared key for authentication packets as abc SwitchA radius rad primary authentication 10 1 1 2 1645 key abc Configure the scheme to remove the domain names in usernames before sending usernames to the RADIUS server SwitchA radius rad user name format without domain Specify t...

Page 71: ...command to view the connection information on Switch A SwitchA display connection Index 1 Username aaa bbb IP 192 168 1 2 IPv6 N A Total 1 connection s matched Troubleshooting AAA Troubleshooting RADIUS Symptom 1 User authentication authorization always fails Analysis 1 A communication failure exists between the NAS and the RADIUS server 2 The username is not in the format of userid isp name or no...

Page 72: ...orization accounting configured on the NAS are the same as those configured on the RADIUS server 4 The port numbers of the RADIUS server for authentication authorization and accounting are available Symptom 3 A user is authenticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization serve...

Page 73: ...ver is the entity that provides authentication services for the network access device It authenticates 802 1X clients by using the data sent from the network access device and returns the authentication results for the network access device to make access decisions The authentication server is typically a Remote Authentication Dial in User Service RADIUS server In a small LAN you can also use the ...

Page 74: ...ient the network access device and the authentication server EAP is an authentication framework that uses the client server model It supports a variety of authentication methods including MD5 Challenge EAP Transport Layer Security EAP TLS and Protected EAP PEAP 802 1X defines EAP over LAN EAPOL for passing EAP packets between the client and the network access device over a wired or wireless LAN Be...

Page 75: ... Packet body Type Protocol version Length 7 2 4 6 N PAE Ethernet type Protocol type It takes the value 0x888E for EAPOL Protocol version The EAPOL protocol version used by the EAPOL packet sender Type Type of the EAPOL packet Table 5 lists the types of EAPOL packets that the HP implementation of 802 1X supports Table 5 Types of EAPOL packets Value Type Description 0x00 EAP Packet The client and th...

Page 76: ...different than the Message Authenticator attribute value The Message Authenticator prevents EAP authentication packets from being tampered with during EAP authentication Figure 28 Message Authenticator attribute format 0 2 Type String 1 Length 18 bytes Initiating 802 1X authentication Both the 802 1X client and the access device can initiate 802 1X authentication 802 1X client as the initiator The...

Page 77: ...entication information to the RADIUS server as shown in Figure 29 Figure 29 EAP relay RADIUS server Client Device EAP packets over LAN EAP packets over RADIUS EAP authentication In EAP termination mode the network access device terminates the EAP packets received from the client encapsulates the client authentication information in standard RADIUS packets and uses Password Authentication Protocol ...

Page 78: ...quest Identity 3 EAP Response Identity 6 EAP Request MD5 challenge 10 EAP Success 7 EAP Response MD5 challenge 4 RADIUS Access Request EAP Response Identity 5 RADIUS Access Challenge EAP Request MD5 challenge 9 RADIUS Access Accept EAP Success 8 RADIUS Access Request EAP Response MD5 challenge 11 EAP Request Identity 12 EAP Response Identity 13 EAPOL Logoff Client Device Authentication server Port...

Page 79: ...acket to the network access device 10 Upon receiving the RADIUS Access Accept packet the network access device sends an EAP Success packet to the client and sets the controlled port in the authorized state so the client can access the network 11 After the client comes online the network access device periodically sends handshake requests to check whether the client is still online By default if tw...

Page 80: ...lient Device Authentication server Port authorized Port unauthorized 6 RADIUS Access Request CHAP Response MD5 challenge 7 RADIUS Access Accept CHAP Success 14 EAP Failure In EAP termination mode it is the network access device rather than the authentication server generates an MD5 challenge for password encryption see Step 4 The network access device then sends the MD5 challenge together with the...

Page 81: ...t user can access the network through the port without authentication When the authenticated user logs off all other users are logged off With MAC based access control each user is separately authenticated on a port When a user logs off no other online users are affected For more information about the fundamentals of 802 1X see the chapter 802 1X fundamentals Using 802 1X authentication with other...

Page 82: ...authentication it is removed from the guest VLAN and can access authorized network resources The way that the network access device handles VLANs on the port differs by 802 1X access control mode 1 On a port that performs port based access control Authentication status VLAN manipulation No 802 1X user has performed authentication or passed authentication within 90 seconds after 802 1X is enabled A...

Page 83: ...hat have failed 802 1X authentication because of the failure to comply with the organization security strategy such as using a wrong password Users in the Auth Fail VLAN can access a limited set of network resources such as a software server to download anti virus software and system patches The Auth Fail VLAN does not accommodate 802 1X users that have failed authentication for authentication tim...

Page 84: ...tion about VLAN configuration and MAC based VLAN see the Layer 2 LAN Switching Configuration Guide ACL assignment You can specify an ACL for an 802 1X user to control its access to network resources After the user passes 802 1X authentication the authentication server either the local access device or a RADIUS server assigns the ACL to the port to filter the traffic from this user In either case y...

Page 85: ...the port For more information about voice VLANs see the Layer 2 LAN Switching Configuration Guide 802 1X is mutually exclusive with link aggregation group configuration on a port Follow these steps to enable 802 1X on a port To do Use the command Remarks Enter system view system view Enable 802 1X globally dot1x Required Disabled by default Enable 802 1X on a port In system view dot1x interface in...

Page 86: ...nformation about the user name format command see the Security Command Reference Setting the port authorization state The port authorization state determines whether the client is granted access to the network You can control the authorization state of a port by using the dot1x port control command and the following keywords authorized force Places the port in the authorized state enabling users o...

Page 87: ...ed access control applies In Layer 2 Ethernet interface view interface interface type interface number dot1x port method macbased portbased NOTE To use both 802 1X and portal authentication on a port you must specify MAC based access control For more information about portal authentication see the chapter Portal configuration Setting the maximum number of concurrent 802 1X users on a port You can ...

Page 88: ...lient Server timeout timer Starts when the access device sends a RADIUS Access Request packet to the authentication server If no response is received when this timer expires the access device retransmits the request to the server You can set the client timeout timer to a high value in a low performance network and adjust the server timeout timer to adapt to the performance of different authenticat...

Page 89: ...The default is 15 seconds Enter Layer 2 Ethernet interface view interface interface type interface number Enable the online handshake function dot1x handshake Optional Enabled by default Enable the online handshake security function dot1x handshake secure Optional Disabled by default NOTE When 802 1X clients do not support exchanging handshake packets with the device disable the online user handsh...

Page 90: ... Remarks Enter system view system view Set the username request timeout timer dot1x timer tx period tx period value Optional The default is 30 seconds Enter Layer 2 Ethernet interface view interface interface type interface number Enable an authentication trigger function dot1x multicast trigger unicast trigger Required if you want to enable the unicast trigger By default the multicast trigger is ...

Page 91: ...iew system view Set the periodic re authentication timer dot1x timer reauth period reauth period value Optional The default is 3600 seconds Enter Layer 2 Ethernet interface view interface interface type interface number Enable periodic online user re authentication dot1x re authenticate Required Disabled by default The periodic online user re authentication timer can also be set by the authenticat...

Page 92: ...s control The 802 1X Auth Fail VLAN has a higher priority The chapter 802 1X configuration Port intrusion protection on a port that performs MAC based access control The 802 1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature The chapter Port security configuration Configuration prerequisite...

Page 93: ... port that performs MAC based access control The 802 1X Auth Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature The chapter Port Security configuration Configuration prerequisites Create the VLAN to be specified as the 802 1X Auth Fail VLAN If the 802 1X enabled port performs port based access ...

Page 94: ...for the 802 1X users If RADIUS authentication fails perform local authentication on the access device If RADIUS accounting fails the access device logs the user off Configure the host at 10 1 1 1 as the primary authentication and accounting servers and the host at 10 1 1 2 as the secondary authentication and accounting servers Assign all users to the ISP domain aabbcc net which accommodates up to ...

Page 95: ... 10 1 1 1 Configure the IP addresses of the secondary authentication and accounting RADIUS servers Device radius radius1 secondary authentication 10 1 1 2 Device radius radius1 secondary accounting 10 1 1 2 Specify the shared key between the access device and the authentication server Device radius radius1 key authentication name Specify the shared key between the access device and the accounting ...

Page 96: ...ou can use the display connection command to view the user connection information If the user fails RADIUS authentication local authentication is performed 802 1X with guest VLAN and VLAN assignment configuration example Network requirements As shown in Figure 34 A host is connected to port GigabitEthernet 1 0 2 of the device and must pass 802 1X authentication to access the Internet GigabitEthern...

Page 97: ... 802 1X client and RADIUS server are not shown For more information about AAA RADIUS configuration commands see the Security Command Reference 1 Configure the 802 1X client Make sure the client is able to update its IP address after the access port is assigned to the guest VLAN or a server assigned VLAN Details not shown 2 Configure the RADIUS server to provide authentication authorization and acc...

Page 98: ...eme 2000 Device isp bbb accounting lan access radius scheme 2000 Device isp system quit 6 Configure 802 1X Enable 802 1X globally Device dot1x Enable 802 1X for port GigabitEthernet 1 0 2 Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 dot1x Implement port based access control on the port Device GigabitEthernet1 0 2 dot1x port method portbased Set the port authorization mode to ...

Page 99: ...he 802 1X client and RADIUS server are beyond the scope of this configuration example For information about AAA and RADIUS configuration commands see the Security Command Reference Configuration procedure 1 Configure 802 1X client Make sure the client is able to update its IP address after the access port is assigned to the 802 1X guest VLAN or a server assigned VLAN Details not shown 2 Configure ...

Page 100: ... deny ip destination 10 0 0 1 0 Enable 802 1X globally Device dot1x Enable 802 1X on port GigabitEthernet 1 0 1 Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 dot1x Verification Use the user account to pass authentication Then ping the FTP server C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed out Ping s...

Page 101: ...ment which has a limited set of network resources such as software and DHCP servers An unauthenticated user can access only this segment to download EAD client obtain a dynamic IP address from a DHCP server or perform some other tasks to be compliant with the network security strategy URL redirection If an unauthenticated 802 1X user is using a web browser to access the network the EAD fast deploy...

Page 102: ...ach redirected user seeking to access the network The EAD rule timer sets the lifetime of each ACL rule When the timer expires or the user passes authentication the rule is removed If users fail to download EAD client or fail to pass authentication before the timer expires they must reconnect to the network to access the free IP To prevent ACL rule resources from being used up you can shorten the ...

Page 103: ...cess any external network except 192 168 2 0 24 The web page allows users to download the 802 1X client program Allow authenticated 802 1X users to access the network Figure 36 Network diagram for EAD fast deployment GE1 0 2 10 1 1 10 24 GE1 0 1 Free IP Web server 192 168 2 3 24 Internet 192 168 1 0 24 Vlan int 2 192 168 1 1 24 192 168 2 0 24 GE1 0 3 192 168 2 1 24 DHCP server 192 168 2 2 24 Authe...

Page 104: ...on Use the display dot1x command to display the 802 1X configuration After the host obtains an IP address from a DHCP server use the ping command from the host to ping an IP address on the network segment specified by free IP C ping 192 168 2 3 Pinging 192 168 2 3 with 32 bytes of data Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 ...

Page 105: ...em of the host regards the string as a website name and tries to resolve it If the resolution fails the operating system sends an ARP request but the target address is not in the dotted decimal notation The redirection function does redirect this kind of ARP request The address is within a free IP segment No redirection will take place even if no host is present with the address The redirect URL i...

Page 106: ...evice uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users You specify one username and password which are not necessarily a MAC address for all MAC authentication users on the access device This policy is suitable for a secure environment Authentication appr...

Page 107: ...rver assigns the VLAN to the port as the default VLAN After the user logs off the initial default VLAN or the default VLAN configured before any VLAN is assigned by the authentication server restores If the authentication server assigns no VLAN the initial default VLAN applies NOTE A hybrid port is always assigned to a server assigned VLAN as an untagged member After the assignment do not re confi...

Page 108: ...uthentication domain for MAC authentication users Optional Configuring a MAC authentication guest VLAN Optional Basic configuration for MAC authentication Configuration prerequisites Create and configure an authentication domain also called an ISP domain For local authentication create local user accounts and specify the lan access service for the accounts For RADIUS authentication check that the ...

Page 109: ... on a port To do Use the command Remarks Enter system view system view Enable MAC authentication for specified ports In system view mac authentication interface interface list Required Use either approach Disabled by default In Layer 2 Ethernet interface view interface interface type interface number mac authentication Set the maximum number of concurrent MAC authentication users allowed on a port...

Page 110: ...e number mac authentication domain domain name Configuring a MAC authentication guest VLAN Configuration prerequisites Before you configure a MAC authentication guest VLAN on a port complete the following tasks Enable MAC authentication Enable MAC based VLAN on the port Create the VLAN to be specified as the MAC authentication guest VLAN Configuration procedure Follow these steps to configure a MA...

Page 111: ...MAC authentication related information display mac authentication interface interface list begin exclude include regular expression Available in any view Clear the MAC authentication statistics reset mac authentication statistics interface interface list Available in user view MAC authentication configuration examples Local MAC authentication configuration example Network requirements In the netwo...

Page 112: ...thentication Device mac authentication domain aabbcc net Set the MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Configure MAC authentication to use MAC based accounts The MAC address usernames and passwords are hyphenated and in lowercase Device mac authentication user name format mac address with hyphen lowercase 2 Verify the...

Page 113: ...n port GigabitEthernet 1 0 1 to control Internet access Ensure that The device detects whether a user has gone offline every 180 seconds If a user fails authentication the device does not authenticate the user within 180 seconds All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 123456 Figure 38 Network diagram for RADIUS based MAC authentication IP...

Page 114: ...000 Set the MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Specify username aaa and password 123456 for the account shared by MAC authentication users Device mac authentication user name format fixed account aaa password simple 123456 2 Verify the configuration Display MAC authentication settings and statistics Device display ...

Page 115: ...nticated user can access the Internet but the FTP server at 10 0 0 1 Use MAC based user accounts for MAC authentication users The MAC addresses are hyphen separated and in lower case Figure 39 Network diagram for ACL assignment Internet Switch Host 192 168 1 10 GE1 0 1 FTP server 10 0 0 1 RADIUS servers Auth 10 1 1 1 Acct 10 1 1 2 Configuration procedure NOTE Check that the RADIUS server and the a...

Page 116: ... separated and in lowercase Sysname mac authentication user name format mac address with hyphen lowercase Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication 3 Configure the RADIUS servers Add a user account with 00 e0 fc 12 34 56 as both the username and password on the RADIUS server and specify ACL 3000 ...

Page 117: ...107 Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss ...

Page 118: ... website can for example present advertisements and deliver community and personalized services In this way broadband network providers equipment vendors and content service providers form an industrial ecological system Extended portal functions By forcing users to implement patching and anti virus policies extended portal functions help users to defend against viruses The main extended functions...

Page 119: ...er and authentication accounting server for identity authentication security check and accounting Allowing users who have passed identity authentication and security check to access granted Internet resources Portal server A portal server listens to authentication requests from authentication clients and exchanges client authentication information with the access device It provides free portal ser...

Page 120: ...rtal system To implement security check the client must be the iNode client Portal system using the local portal server System components In addition to use a separate device as the portal server a portal system can also use the local portal server function of the access device to authenticate web users directly In this case the portal system consists of only three components authentication client...

Page 121: ... local portal server to perform web authentication on clients In addition Layer 2 authentication allows the authentication server to assign different VLANs according to user authentication results so that access devices can control user access to resources After a client passes authentication the authentication server can assign an authorized VLAN to allow the user to access the resources in the V...

Page 122: ...uth Fail VLAN Then the user can access the non HTTP resources in the Auth Fail VLAN and all HTTP requests of the user will be redirected to the authentication page If the user passes authentication the access device adds the user to the assigned VLAN or return the user to the initial VLAN of the port depending on whether the authentication server assigns a VLAN If the user fails the authentication...

Page 123: ...d the RADIUS server have been installed and configured properly Local portal authentication requires no independent portal server be installed The portal client access device and servers are routable to each other With RADIUS authentication usernames and passwords of the users are configured on the RADIUS server and the RADIUS client configurations are performed on the access device For informatio...

Page 124: ...ng the local portal server Configuring a local portal server is required only for local portal authentication During local portal authentication the local portal server pushes authentication pages to users You can define the authentication pages for users otherwise the default authentication pages will be used during the authentication process Customizing authentication pages Customized authentica...

Page 125: ...g off the system Rules on Post request attributes 1 Observe the following requirements when editing a form of an authentication page An authentication page can have multiple forms but there must be one and only one form whose action is logon cgi Otherwise user information cannot be sent to the local portal server The username attribute is fixed as PtUser and the password attribute is fixed as PtPw...

Page 126: ...nd contents For the system to push customized authentication pages smoothly you need comply with the following size and content requirements on authentication pages The size of the zip file of each set of authentication pages including the main authentication pages and the page elements must be no more than 500 KB The size of a single page including the main authentication page and its page elemen...

Page 127: ...ion clients Ensure that the browser of an authentication client permits pop ups or permits pop ups from the access device Otherwise the user cannot log off by closing the logon success or online page and can only click Cancel to return back to the logon success or online page If a user refreshes the logon success or online page or jumps to another web site from either of the pages the device also ...

Page 128: ...rtal server does not support any protocol Configure the welcome banner of the default authentication pages of the local portal server portal server banner banner string Optional No welcome banner by default Enabling Layer 2 portal authentication Only after you enable portal authentication on an access interface can the access interface perform portal authentication on connected clients Before enab...

Page 129: ...l free rule rule number destination any ip ip address mask mask length netmask any Required NOTE You cannot configure two or more portal free rules with the same filtering criteria Otherwise the system prompts that the rule already exists No matter whether portal authentication is enabled or not you can only add or remove a portal free rule You cannot modify it Setting the maximum number of online...

Page 130: ...ormation about the default authentication domain see the chapter AAA configuration Adding a web proxy server port number NOTE Only Layer 2 portal authentication supports this feature By default only HTTP requests from unauthenticated users to port 80 trigger portal authentication If an unauthenticated user uses a web proxy server and the port number of the proxy server is not 80 the user s HTTP re...

Page 131: ...e when the original port is still up The reason is that the original port is still maintaining the authentication information of the user and the device does not permit such a user to get online from another port by default To solve the problem enable support for portal user moving on the device Then when a user moves from a port of the device to another the device provides services in either of t...

Page 132: ...ide You can specify different Auth Fail VLANs for portal authentication on different ports A port can be specified with only one Auth Fail VLAN for portal authentication The MAC VLAN entries generated due to portal authentication failures will not overwrite the MAC VLAN entries already generated in other authentication modes Specifying the auto redirection URL for authenticated portal users After ...

Page 133: ...number Set the Layer 2 portal user detection interval portal offline detect interval offline detect interval Required 300 seconds by default Logging off portal users Logging off a user terminates the authentication process for the user or removes the user from the authenticated users list Follow these steps to log off users To do Use the command Remarks Enter system view system view Log off users ...

Page 134: ...ected to port GigabitEthernet 1 0 1 More specifically Use the remote RADIUS server for authentication authorization and accounting Use the remote DHCP server to assign IP addresses to users The listening IP address of the local portal server is 4 4 4 4 The local portal server pushes the user defined authentication pages to users and uses HTTPS to transmit authentication data Add users passing auth...

Page 135: ... 2 2 2 to any host specify the leases of the assigned IP addresses set a short lease duration for each address to shorten the IP address update time in case of an authentication state change and make sure there is a route to the host As the DHCP server and the DHCP client are not in the same subnet you need to configure a DHCP relay agent on the subnet of the client For more information about DHCP...

Page 136: ...ew Switch system view Switch radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server set the server type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 1 1 1 2 Switch radius rs1 primary accountin...

Page 137: ...e 3 Switch Vlan interface3 dhcp relay server select 1 Switch Vlan interface3 quit Verification Before user userpt accesses a web page the user is in VLAN 8 the initial VLAN and is assigned with an IP address on subnet 192 168 1 0 24 When the user access a web page on the external network the web request will be redirected to authentication page https 4 4 4 4 portal logon htm After entering the cor...

Page 138: ...ice on the portal server Use the portal server command to modify the key on the access device or modify the key for the access device on the portal server to ensure that the keys are consistent Incorrect server port number on the access device Symptom After a user passes the portal authentication you cannot force the user to log off by executing the portal delete user command on the access device ...

Page 139: ... the access device The user can log off the portal server Solution Use the display portal server command to display the listening port of the portal server configured on the access device and use the portal server command in the system view to modify it to ensure that it is the actual listening port of the portal server ...

Page 140: ...sfy the requirements It is implemented by enabling portal authentication MAC authentication and 802 1X authentication on a Layer 2 access port A terminal connected to that port can access the network after passing a type of authentication NOTE For more information about portal authentication MAC authentication and 802 1X authentication see the chapters Portal configuration MAC authentication confi...

Page 141: ...a VLAN to the access port for the access terminal The terminal can then access the network resources in the server assigned VLAN Auth Fail VLAN or MAC authentication guest VLAN After a terminal fails authentication the access port Adds the terminal to an Auth Fail VLAN if it uses 802 1X or portal authentication service Adds the terminal to a MAC authentication guest VLAN if it uses MAC authenticat...

Page 142: ...al passing one of the three authentication methods 802 1X authentication portal authentication and MAC authentication can access the IP network More specifically Configure static IP addresses in network 192 168 1 0 24 for the terminals Use the remote RADIUS server to perform authentication authorization and accounting and configure the switch to send usernames carrying no ISP domain names to the R...

Page 143: ...h LoopBack12 quit Specify the listening IP address of the local portal server for Layer 2 portal authentication as 4 4 4 4 Switch portal local server ip 4 4 4 4 Enable Layer 2 portal authentication on GigabitEthernet 1 0 1 Switch interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 portal local server enable Switch GigabitEthernet1 0 1 quit 2 Configure 802 1X authentication Enable 802 1X au...

Page 144: ...f a username input by a user includes no ISP domain name the authentication scheme of the default domain is used Switch domain default enable triple Verification User userdot uses the 802 1X client to initiate authentication After inputting the correct username and password the user can pass 802 1X authentication Web user userpt uses a web browser to access an external network The web request is r...

Page 145: ...0 24 After passing authentication the printer obtains the IP address 3 3 3 1 1 1 24 that is bound with its MAC address through DHCP Use the remote RADIUS server to perform authentication authorization and accounting and configure the switch to send usernames carrying no ISP domain names to the RADIUS server The local portal authentication server on the switch uses listening IP address 4 4 4 4 The ...

Page 146: ...address pool 1 including the address range lease and gateway address A short lease is recommended to shorten the time terminals use to re acquire IP addresses after the terminals passing or failing authentication Switch dhcp server ip pool 1 Switch dhcp pool 1 network 192 168 1 0 mask 255 255 255 0 Switch dhcp pool 1 expired day 0 hour 0 minute 1 Switch dhcp pool 1 gateway list 192 168 1 1 Switch ...

Page 147: ...12 Switch LoopBack12 ip address 4 4 4 4 32 Switch LoopBack12 quit Specify the listening IP address of the local portal server as 4 4 4 4 Switch portal local server ip 4 4 4 4 Enable Layer 2 portal authentication on GigabitEthernet 1 0 1 and specify VLAN 2 as the Auth Fail VLAN to which terminals failing authentication are added Switch interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 por...

Page 148: ...gure the default AAA methods for all types of users in the domain Switch isp triple authentication default radius scheme rs1 Switch isp triple authorization default radius scheme rs1 Switch isp triple accounting default radius scheme rs1 Switch isp triple quit Configure domain triple as the default domain If a username input by a user includes no ISP domain name the authentication scheme of the de...

Page 149: ...2 0002 0001 ffff ffff ffff 3 0 D 0015 88f8 0dd7 ffff ffff ffff 3 0 D Total MAC VLAN address count 3 Use the display dhcp server ip in use command to view the IP addresses assigned to online users Switch display dhcp server ip in use all Pool utilization 0 59 IP address Client identifier Lease expiration Type Hardware address 3 3 3 111 0015 88f8 0dd7 Feb 15 2011 17 40 52 Auto COMMITTED 3 3 3 2 0002...

Page 150: ...y apply to scenarios that require both 802 1X authentication and MAC authentication For scenarios that require only 802 1X authentication or MAC authentication HP recommends you configure 802 1X authentication or MAC authentication rather than port security For information about 802 1X and MAC authentication see the chapters 802 1X configuration and MAC authentication configuration Port security f...

Page 151: ...ion protection secure Perform 802 1X authentication userLogin userLoginSecure NTK intrusion protection userLoginSecureExt userLoginWithOUI Perform MAC authentication macAddressWithRadius NTK intrusion protection Perform a combination of MAC authentication and 802 1X authentication Or macAddressOrUserLoginSecure NTK intrusion protection macAddressOrUserLoginSecureExt Else macAddressElseUserLoginSec...

Page 152: ...tion all the other 802 1X users of the port can access the network without authentication 2 userLoginSecure A port in this mode performs 802 1X authentication and implements MAC based access control The port services only one user passing 802 1X authentication 3 userLoginSecureExt This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802 1X users 4 userLog...

Page 153: ...s the VLAN that a user is in after failing authentication Support for the guest VLAN and Auth Fail VLAN features varies with security modes You can use the 802 1X guest VLAN and 802 1X Auth Fail VLAN features together with port security modes that support 802 1X authentication For more information about the 802 1X guest VLAN and Auth Fail VLAN on a port that performs MAC based access control see t...

Page 154: ...tion disabled 2 Disabling port security resets the following configurations on a port to the bracketed defaults Port security mode noRestrictions 802 1X disabled port access control method macbased and port authorization mode auto MAC authentication disabled 3 Port security cannot be disabled when a user is present on a port NOTE For more information about 802 1X configuration see the chapter 802 ...

Page 155: ...sable 802 1X and MAC authentication Set the port to perform MAC based access control and set the port authorization mode to auto Check the port does not belong to any aggregation group The requirements above must be all met Otherwise an error message appears when you set a security mode on the port On the other hand after setting a port security mode on a port you cannot change any of the configur...

Page 156: ... change the port security mode of a port only when the port is operating in noRestrictions mode the default mode To change the port security mode for a port in any other mode use the undo port security port mode command to restore the default port security mode first Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make s...

Page 157: ...rt security timer disableport command Follow these steps to configure the intrusion protection feature To do Use the command Remarks Enter system view system view Enter Layer 2 Ethernet interface view interface interface type interface number Configure the intrusion protection feature port security intrusion mode blockmac disableport disableport temporarily Required By default intrusion protection...

Page 158: ... secure MAC addresses manually configured at the command line interface or in the MIB and dynamic secure MAC addresses learned by a port in autoLearn mode These MAC addresses are sticky because unlike normal dynamic MAC addresses they can survive link down up events and once saved can survive a device reboot By default sticky MAC addresses do not age out You can use the port security timer autolea...

Page 159: ...m the server The authorization information is delivered by the RADIUS server to the device after an 802 1X user or MAC authenticated user passes RADIUS authentication You can configure a port to ignore the authorization information from the RADIUS server Follow these steps to configure a port to ignore the authorization information from the RADIUS server To do Use the command Remarks Enter system ...

Page 160: ... sticky MAC address and set the sticky MAC aging timer to 30 minutes After the number of secure MAC addresses reaches 64 the port stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port is disabled and stays silent for 30 seconds Figure 47 Network diagram for configuring the autoLearn mode Internet Switch Host GE1 0 1 192 168 1 1...

Page 161: ...intrusion protection is enabled and the intrusion protection action is to disable the port DisablePortTemporarily for 30 seconds You can also use the command above repeatedly to track the number of MAC addresses learned by the port or use the display this command in interface view to display the secure MAC addresses learned Switch system view Switch interface gigabitethernet 1 0 1 Switch GigabitEt...

Page 162: ...o the switch through port GigabitEthernet 1 0 1 The switch authenticates the client with a RADIUS server If the authentication succeeds the client is authorized to access the Internet The RADIUS server at 192 168 1 2 functions as the primary authentication server and the secondary accounting server and the RADIUS server at 192 168 1 3 functions as the secondary authentication server and the primar...

Page 163: ... 168 1 2 Switch radius radsun key authentication name Switch radius radsun key accounting money Switch radius radsun timer response timeout 5 Switch radius radsun retry 5 Switch radius radsun timer realtime accounting 15 Switch radius radsun user name format without domain Switch radius radsun quit Configure ISP domain sun to use RADIUS scheme radsun for authentication authorization and accounting...

Page 164: ... 1 Type standard Primary Auth Server IP 192 168 1 2 Port 1812 State active Encryption Key N A Primary Acct Server IP 192 168 1 3 Port 1813 State active Encryption Key N A Second Auth Server IP 192 168 1 3 Port 1812 State active Encryption Key N A Second Acct Server IP 192 168 1 2 Port 1813 State active Encryption Key N A Auth Server Encryption Key name Acct Server Encryption Key money Accounting O...

Page 165: ...dToKnow mode is disabled Intrusion Protection mode is NoAction Max MAC address number is not configured Stored MAC address number is 0 Authorization is permitted After an 802 1X user gets online you can see that the number of secure MAC addresses stored is 1 You can also use the following command to view information about 802 1X Switch display dot1x interface gigabitethernet 1 0 1 Equipment 802 1X...

Page 166: ...cified OUIs to access the port You can use the following command to view the related information Switch display mac address interface gigabitethernet 1 0 1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 1234 0300 0011 1 Learned GigabitEthernet1 0 1 AGING 1 mac address es found Configuring the macAddressElseUserLoginSecure mode Network requirements As shown in Figure 48 a client is connected to the...

Page 167: ...tication method chap Set the maximum number of secure MAC addresses allowed on the port to 64 Switch interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 port security max mac count 64 Set the port security mode to macAddressElseUserLoginSecure Switch GigabitEthernet1 0 1 port security port mode mac else userlogin secure Set the NTK mode of the port to ntkonly Switch GigabitEthernet1 0 1 po...

Page 168: ... number is 3 MAC ADDR Authenticate state Auth Index 1234 0300 0011 MAC_AUTHENTICATOR_SUCCESS 13 1234 0300 0012 MAC_AUTHENTICATOR_SUCCESS 14 1234 0300 0013 MAC_AUTHENTICATOR_SUCCESS 15 Use the following command to view 802 1X authentication information Switch display dot1x interface gigabitethernet 1 0 1 Equipment 802 1X protocol is enabled CHAP authentication is enabled EAD quick deploy is disable...

Page 169: ...d user MAC address 0002 0000 0011 Controlled User s amount to 1 In addition as NTK is enabled frames with unknown destination MAC addresses multicast addresses and broadcast addresses should be discarded Troubleshooting port security Cannot set the port security mode Symptom Cannot set the port security mode Switch GigabitEthernet1 0 1 port security port mode autolearn Error When we change port mo...

Page 170: ...ort security mac address security 1 1 2 vlan 1 Cannot change port security mode when a user is online Symptom Port security mode cannot be changed when an 802 1X authenticated or MAC authenticated user is online Switch GigabitEthernet1 0 1 undo port security port mode Error Cannot configure port security for there is 802 1X user s on line on port GigabitEthernet1 0 1 Analysis Changing port securit...

Page 171: ... to any user that accesses the interface or VLAN or device If a user moves between ports to access a device to restrict the user behavior you must remove the policy from the previous port and then configure the same policy on the port that the user currently uses The configuration task is tedious and error prone User profiles provide flexible user based service applications because a user profile ...

Page 172: ...y to outgoing traffic of the switch traffic sent to online users NOTE If a user profile is enabled but not used by any online user you can edit only the content of the ACL that is referenced by the QoS policy in the profile If the user profile is being used by online users you cannot edit any configuration in the QoS policy The QoS policies that can be applied to user profiles support only the rem...

Page 173: ...Disabling a user profile logs out the users that are using the user profile Displaying and maintaining user profile To do Use the command Remarks Display information about all the created user profiles display user profile begin exclude include regular expression Available in any view ...

Page 174: ...t user levels see the Fundamentals Configuration Guide This function is not effective for a user who is prompted to change the password at the first login or a user whose password has just been aged out 3 Password aging Password aging imposes a lifecycle on a user password After the password aging time expires the user needs to change the password If a user enters an expired password when logging ...

Page 175: ...removing the user from the blacklist when the user logs in to the system successfully or the blacklist entry times out the blacklist entry aging time is one minute Prohibiting the user from logging in within a configurable period of time and allowing the user to log in again after the period of time elapses or the user is removed from the blacklist NOTE A blacklist can contain up to 1024 entries A...

Page 176: ...ccount idle time You can set the maximum account idle time to make accounts staying idle for this period of time become invalid and unable to log in again For example if you set the maximum account idle time to 60 days and user using the account test has never logged in successfully within 60 days after the last successful login the account becomes invalid 13 Logging The system logs all successful...

Page 177: ...d length Password history Password composition checking You must enable a function for its relevant configurations to take effect Follow these steps to enable password control To do Use the command Remarks Enter system view system view Enable the password control feature password control enable Required Disabled by default Enable a password control function individually password control aging comp...

Page 178: ...e time unlock Optional By default the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for one minute before trying again Set the number of days during which the user is warned of the pending password expiration password control alert before expire alert time Optional 7 days by default Set the maximum number of days and maximum num...

Page 179: ...user To do Use the command Remarks Enter system view system view Create a local user and enter local user view local user user name Configure the password aging time for the local user password control aging aging time Optional By default the setting for the user group to which the local user belongs is used if no aging time is configured for the user group the setting in system view is used Confi...

Page 180: ...rd control super length length Optional 10 characters by default Configure the password composition policy for super passwords password control super composition type number type number type length type length Optional By default the minimum number of password composition types is 1 and the minimum number of characters of a password composition type is 1 too Setting a local user password in intera...

Page 181: ...rohibited from logging in A user can log in five times within 60 days after the password expires The password aging time is 30 days The minimum password update interval is 36 hours The maximum account idle time is 30 days A password cannot contain the username or the reverse of the username No character occurs consecutively three or more times in a password Implementing the following super passwor...

Page 182: ...FTweuix Create a local user named test Sysname local user test Set the service type of the user to Telnet Sysname luser test service type telnet Set the minimum password length to 12 for the local user Sysname luser test password control length 12 Set the minimum number of password composition types to 2 and the minimum number of characters of each password composition type to 5 for the local user...

Page 183: ...l super Super password control configurations Password aging Enabled 30 days Password length Enabled 10 characters Password composition Enabled 3 types 5 characters per type Display the password control configuration information for the local user test Sysname display local user user name test The contents of local user test State Active ServiceType telnet Access limit Disable Current AccessNum 0 ...

Page 184: ...witch C Authenticator Supplicant Switch A Supplicant Supplicant Switch D Switch E Authentication server 802 1X enabled HABP is a link layer protocol that works above the MAC layer It is built on the client server model Generally the HABP server is enabled on the authentication device which is configured with 802 1X or MAC authentication such as Switch A in Figure 49 and the attached switches funct...

Page 185: ...s to configure an HABP server To do Use the command Remarks Enter system view system view Enable HABP habp enable Optional Enabled by default Configure HABP to work in server mode and specify the VLAN for HABP packets habp server vlan vlan id Required HABP works in client mode by default Set the interval to send HABP requests habp timer interval Optional 20 seconds by default NOTE The VLAN specifi...

Page 186: ...isplay HABP MAC address table entries display habp table begin exclude include regular expression Available in any view Display HABP packet statistics display habp traffic begin exclude include regular expression Available in any view HABP configuration example Network requirements As shown in Figure 50 access devices Switch B and Switch C are connected to Switch A 802 1X authentication is configu...

Page 187: ...itchA habp enable Configure HABP to work in server mode and specify VLAN 1 for HABP packets SwitchA habp server vlan 1 Set the interval at which the switch sends HABP request packets to 50 seconds SwitchA habp timer 50 2 Configure Switch B Enable HABP Because HABP is enabled by default this configuration is optional SwitchA system view SwitchB habp enable Configure HABP to work in client mode Beca...

Page 188: ...guration information SwitchA display habp Global HABP information HABP Mode Server Sending HABP request packets every 50 seconds Bypass VLAN 1 Display HABP MAC address table entries SwitchA display habp table MAC Holdtime Receive Port 001f 3c00 0030 53 GigabitEthernet1 0 2 001f 3c00 0031 53 GigabitEthernet1 0 1 ...

Page 189: ...e available based on whether the keys for encryption and decryption are the same Symmetric key algorithm The keys for encryption and decryption are the same Commonly used symmetric key algorithms include Advanced Encryption Standard AES and Data Encryption Standard DES Asymmetric key algorithm The keys for encryption and decryption are different one is the public key and the other is the private k...

Page 190: ... key pair Follow these steps to create an asymmetric key pair To do Use the command Remarks Enter system view system view Create a local DSA key pair or RSA key pairs public key local create dsa rsa Required By default no key pair is created The public key local create rsa command generates two key pairs one server key pair and one host key pair Each key pair comprises a public key and a private k...

Page 191: ...Remarks Enter system view system view Destroy an asymmetric key pair public key local destroy dsa rsa Required Configuring a peer public key To enable your local host to authenticate a peer configure the peer RSA or DSA public key on the local host The following methods are available Import it from a public key file Obtain a copy of the peer public key file through FTP or TFTP in binary mode first...

Page 192: ...peer public key end NOTE Do not configure an RSA server public key of the peer for identity authentication in SSH applications Authentication in SSH applications uses the RSA host public key For more information about SSH see the chapter SSH2 0 configuration Displaying and maintaining public keys To do Use the command Remarks Display the public keys of the local key pairs display public key local ...

Page 193: ...airs DeviceA display public key local rsa public Time of Key pair created 09 50 06 2011 01 07 Key name HOST_KEY Key type RSA Encryption Key Key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854 C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784A D597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC...

Page 194: ...t public key of Device A saved on Device B DeviceB display public key peer name devicea Key Name devicea Key Type RSA Key Module 1024 Key Code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854 C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784A D597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2B...

Page 195: ...9C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80A AB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 Time of Key pair created 09 50 07 2011 01 07 Key name SERVER_KEY Key type RSA Encryption Key Key code 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E3 5000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E...

Page 196: ...icea pub 226 Transfer complete FTP 299 byte s sent in 0 189 second s 1 00Kbyte s sec 4 Import the host public key of Device A to Device B Import the host public key of Device A from the key file devicea pub to Device B DeviceB public key peer devicea import sshkey devicea pub Display the host public key of Device A saved on Device B DeviceB display public key peer name devicea Key Name devicea Key...

Page 197: ...ate must comply with the international standard of ITU T X 509 The most common standard is X 509 v3 This document discusses two types of certificates local certificate and CA certificate A local certificate is a digital certificate signed by a CA for an entity A CA certificate is the certificate of a CA If multiple CAs are trusted by different users in a PKI system the CAs will form a CA tree with...

Page 198: ...tes as needed by publishing CRLs RA A registration authority RA is an extended part of a CA or an independent authority An RA can implement functions including identity authentication CRL management key pair generation and key pair backup The PKI standard recommends that an independent RA be used for registration management to achieve higher security PKI repository A PKI repository can be a Lightw...

Page 199: ...w it works 1 An entity submits a certificate request to the RA 2 The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA 3 The CA verifies the digital signature approves the application and issues a certificate 4 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation ser...

Page 200: ...he entity Locality where the entity resides Organization to which the entity belongs Unit of the entity in the organization State where the entity resides NOTE The configuration of an entity DN must comply with the CA certificate issue policy You must determine for example which entity DN parameters are mandatory and which are optional Otherwise certificate requests might be rejected Follow these ...

Page 201: ...istration request from an entity checks its qualification and determines whether to ask the CA to sign a digital certificate The RA only checks the application qualification of an entity it does not issue any certificate Sometimes the registration management function is provided by the CA in which case no independent RA is required It is a good practice to deploy an independent RA URL of the regis...

Page 202: ...nal The polling is executed for up to 50 times at the interval of 20 minutes by default Specify the LDAP server ldap server ip ip address port port number version version number Optional No LDP server is specified by default Configure the fingerprint for root certificate verification root certificate fingerprint md5 sha1 string Required when the certificate request mode is auto and optional when t...

Page 203: ... In auto mode an entity does not automatically re request a certificate to replace a certificate that is expiring or has expired After the certificate expires the service using the certificate might be interrupted Submitting a certificate request in manual mode In manual mode you manually submit a certificate request for an entity Before submitting a certificate request you must ensure that an RSA...

Page 204: ...cally When it is impossible to request a certificate from the CA through SCEP save the request information by using the pki request certificate domain command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of the certificate will be abnormal The pki request ce...

Page 205: ...cate verification If you enable CRL checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verification To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Specify the URL of the CRL distribution point crl url u...

Page 206: ... resolution Destroying a local RSA key pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate is about to expire destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Use the command Remarks Enter system view system view Destroy a local RSA key pair public key ...

Page 207: ...olicy and enter its view pki certificate access control policy policy name Required No access control policy exists by default Configure a certificate attribute based access control rule rule id deny permit group name Required No access control rule exists by default CAUTION A certificate attribute group must exist to be associated with a rule Displaying and maintaining PKI To do Use the command R...

Page 208: ...e a CA server named myca In this example configure these basic attributes on the CA server at first Nickname Name of the trusted CA Subject DN DN information of the CA including the Common Name CN Organization Unit OU Organization O and Country C The other attributes might be left using the default values Configure extended attributes After configuring the basic attributes perform configuration on...

Page 209: ...ration authority to CA Switch pki domain torsa certificate request from ca Specify the entity for certificate request as aaa Switch pki domain torsa certificate request entity aaa Configure the URL for the CRL distribution point Switch pki domain torsa crl url http 4 4 4 133 447 myca crl Switch pki domain torsa quit Generate a local key pair using RSA Switch public key local create rsa The range o...

Page 210: ...ation Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 9A96A48F 9A509FD7 05FFF4DF 104AD094 Signature Algorithm sha1WithRSAEncryption Issuer C cn O org OU test CN myca Validity Not Before Jan 8 09 26 53 2011 GMT Not After Jan 8 09 26 53 2011 GMT Subject CN switch Subject ...

Page 211: ...indows 2003 Server NOTE The CA server runs the Windows 2003 server in this configuration example Network requirements Configure PKI entity Switch to request a local certificate from the CA server Figure 56 Request a certificate from a CA running Windows 2003 server CA server Internet Host Switch PKI entity Configuration procedure 1 Configure the CA server Install the certificate service suites Fro...

Page 212: ...the switch is synchronous to that of the CA server ensuring that the switch can request a certificate normally 2 Configure the switch Configure the entity DN Configure the entity name as aaa and the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch pki entity aaa quit Configure the PKI domain Create PKI domain torsa and enter its view Sw...

Page 213: ... is being requested please wait Switch Enrolling the local certificate please wait a while Certificate request Successfully Saving the local certificate to device Done 3 Verify your configuration Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 48FA0FD9 00000000 000C Sig...

Page 214: ...r crt 1 3 6 1 4 1 311 20 2 0 I P S E C I n t e r m e d i a t e O f f l i n e Signature Algorithm sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B Omitted You can also use some other display commands such as display pki certificate ca domain command to view more information about the CA certificate For more information about the command see the Security Command Reference Configuring a cert...

Page 215: ...t attribute group mygroup1 quit Create certificate attribute group mygroup2 and add two attribute rules The first rule defines that the FQDN of the alternative subject name does not include the string of apple and the second rule defines that the DN of the certificate issuer name includes the string aabbcc Switch pki certificate attribute group mygroup2 Switch pki cert attribute group mygroup2 att...

Page 216: ... to check that the RA server is reachable Specify the authority for certificate request Synchronize the system clock of the device with that of the CA Failed to request a local certificate Symptom Failed to request a local certificate Analysis Possible reasons include The network connection is not proper For example the network cable might be damaged or loose No CA certificate has been retrieved T...

Page 217: ...tion is not proper For example the network cable might be damaged or loose No CA certificate has been retrieved before you try to retrieve CRLs The IP address of LDAP server is not configured The CRL distribution URL is not configured The LDAP server version is wrong Solution Make sure that the network connection is physically proper Retrieve a CA certificate Specify the IP address of the LDAP ser...

Page 218: ...ble 11 Stages in session establishment and interaction between an SSH client and the server Stages Description Version negotiation SSH1 and SSH2 0 are supported The two parties negotiate a version to use Key and algorithm negotiation SSH supports multiple algorithms The two parties negotiate algorithms for communication Authentication The SSH server authenticates the client in response to the clie...

Page 219: ... session key and session ID and the client authenticates the identity of the server Through the steps the server and the client get the same session key and session ID The session key will be used to encrypt and decrypt data exchanged between the server and client later The session ID will be used to identify the session established between the server and client and will be used in the authenticat...

Page 220: ...r publickey authentication Session request After passing authentication the client sends a session request to the server and the server listens to and processes the request from the client After successfully processing the request the server sends an SSH_SMSG_SUCCESS packet to the client and goes on to the interaction stage with the client Otherwise the server sends an SSH_SMSG_FAILURE packet to t...

Page 221: ...te both DSA and RSA key pairs on the SSH server The public key local create rsa command generates a server key pair and a host key pair Each of the key pairs consists of a public key and a private key The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key As SSH2 0 uses the DH algorithm to generate the session key on th...

Page 222: ... see the Fundamentals Command Reference If you configure a user interface to support SSH be sure to configure the corresponding authentication mode with the authentication mode scheme command For a user interface configured to support SSH you cannot change the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a client public key NOTE This co...

Page 223: ... to system view peer public key end Importing a client public key from a public key file Follow these steps to import a public key from a public key file To do Use the command Remarks Enter system view system view Import the public key from a public key file public key peer keyname import sshkey filename Required NOTE For more information about client side public key configuration and the relevant...

Page 224: ...older depends on the authentication method For a user using only password authentication the working folder is the AAA authorized one For a user using only publickey authentication or using both the publickey and password authentication methods the working folder is the one set by using the ssh user command You can change the authentication method and public key of an SSH user when the user is com...

Page 225: ...ds that specified in the ssh server authentication retries command Configuring the device as an SSH client SSH client configuration task list Complete the following tasks to configure an SSH client Task Remarks Specifying a source IP address interface for the SSH client Optional Configuring whether first time authentication is supported Optional Establishing a connection between the SSH client and...

Page 226: ...fy the public key name for authentication on the client in advance Enable the device to support first time authentication Follow these steps to enable the device to support first time authentication To do Use the command Remarks Enter system view system view Enable the device to support first time authentication ssh client first time enable Optional By default first time authentication is supporte...

Page 227: ...Use the command Remarks Display the source IP address or interface currently set for the SFTP client display sftp client source begin exclude include regular expression Available in any view Display the source IP address or interface currently set for the SSH client display ssh client source begin exclude include regular expression Available in any view Display SSH server status information or ses...

Page 228: ... for password authentication SSH client SSH server Host Switch 192 168 0 2 24 Vlan int1 192 168 0 1 24 Configuration procedure 1 Configure the SSH server Generate the RSA key pairs Switch system view Switch public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus ...

Page 229: ...tch local user client001 Switch luser client001 password simple aabbcc Switch luser client001 service type ssh Switch luser client001 authorization attribute level 3 Switch luser client001 quit Specify the service type for user client001 as stelnet and the authentication method as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Establish...

Page 230: ...ntication Network requirements As shown in Figure 60 an SSH connection is required between the host and the switch for secure data exchange Use publickey authentication and the RSA public key algorithm Figure 60 Switch acts as server for publickey authentication SSH client SSH server Host Switch 192 168 1 56 24 Vlan int1 192 168 1 40 24 Configuration procedure NOTE During SSH server configuration ...

Page 231: ...nd click Generate Figure 61 Generate a key pair on the client 1 While the key pair is being generated you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 62 Otherwise the progress bar stops moving and the key pair generating process will be stopped ...

Page 232: ...Figure 62 Generate a key pair on the client 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key Figure 63 Generate a key pair on the client 3 ...

Page 233: ...n 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Generate a DSA key pair Switch public key local create dsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server Switch ssh ...

Page 234: ...public key Switch001 to the user Switch ssh user client002 service type stelnet authentication type publickey assign publickey Switch001 3 Establish a connection between the SSH client and the SSH server Specify the private key file and establish a connection to the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the serv...

Page 235: ...word authentication Network requirements As shown in Figure 67 Switch A the SSH client must pass password authentication to log in to Switch B the SSH server through the SSH protocol Configure the username client001 and the password aabbcc for the SSH client on Switch B Figure 67 Switch acts as client for password authentication SSH server SSH client Switch B Switch A Vlan int1 10 165 87 136 24 Vl...

Page 236: ...erface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 SwitchB local user client001 Swi...

Page 237: ...key peer key1 SwitchA pkey public key public key code begin SwitchA pkey key code 308201B73082012C06072A8648CE3804013082011F0281810 0D757262C4584C44C211F18BD96E5F0 SwitchA pkey key code 61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE 65BE6C265854889DC1EDBD13EC8B274 SwitchA pkey key code DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B0 6FD60FE01941DDD77FE6B12893DA76E SwitchA pkey key code EBC1D1...

Page 238: ...H client must pass publickey authentication to log in to Switch B the SSH server through the SSH protocol Use the DSA public key algorithm Figure 68 Switch acts as client for publickey authentication SSH server SSH client Switch B Switch A Vlan int1 10 165 87 136 24 Vlan int1 10 165 87 137 24 Configuration procedure NOTE During SSH server configuration the client public key is required Use the cli...

Page 239: ...ys Generate a DSA key pair SwitchB public key local create dsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client will use as the destination f...

Page 240: ...to the user SwitchB ssh user client002 service type stelnet authentication type publickey assign publickey Switch001 3 Establish a connection between the SSH client and the SSH server Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 Username client002 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Continue Y N...

Page 241: ...ut the configuration procedures see the chapter SSH configuration Enabling the SFTP server This configuration task will enable the SFTP service so that a client can log in to the SFTP server through SFTP Follow these steps to enable the SFTP server To do Use the command Remarks Enter system view system view Enable the SFTP server sftp server enable Required Disabled by default NOTE When the device...

Page 242: ...e either command By default an SFTP client uses the IP address of the interface specified by the route of the device to access the SFTP server Specify a source IPv6 address or interface for the SFTP client sftp client ipv6 source ipv6 ipv6 address interface interface type interface number Establishing a connection to the SFTP server This configuration task will enable the SFTP client to establish ...

Page 243: ...TP directories To do Use the command Remarks Enter SFTP client view For more information see Establishing a connection to the SFTP server Required Execute the command in user view Change the working directory of the remote SFTP server cd remote path Optional Return to the upper level directory cdup Optional Display the current working directory of the remote SFTP server pwd Optional Display files ...

Page 244: ... remove command remove remote file 1 10 Displaying help information This configuration task will display a list of all commands or the help information of an SFTP client command such as the command format and parameters Follow these steps to display a list of all commands or the help information of an SFTP client command To do Use the command Remarks Enter SFTP client view For more information see...

Page 245: ...cedure NOTE During SFTP server configuration the client public key is required Use the client software to generate RSA key pairs on the client before configuring the SFTP server 1 Configure the SFTP client Create VLAN interface 1 and assign an IP address to it SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 192 168 0 2 255 255 255 0 SwitchA Vlan interface1...

Page 246: ...L C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server SwitchB ssh server enable Enable the SFTP server SwitchB sftp server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 192 168 0 1 255 255 255 0 SwitchB Vlan interface1 q...

Page 247: ... rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub rwxrwxrwx 1 noone nogroup 0 Sep 01 08 00 z sftp client delete z The following File will be deleted z Are you sure to delete it Y N y This operation might take a long time Please wait File successfully Remo...

Page 248: ...ile has been uploaded successfully sftp client put pu puk Local file pu Remote file puk Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 n...

Page 249: ...cal create dsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server Switch ssh server enable Enable the SFTP server Switch sftp server enable Configure an IP address for VLAN interface 1 which the client will use as the destination for S...

Page 250: ...tch ssh user client002 service type sftp authentication type password 2 Establish a connection between the SFTP client and the SFTP server NOTE The device support many types of SFTP client software The following uses PSFTP of PuTTy Version 0 58 as an example PSFTP supports only password authentication Establish a connection to the remote SFTP server Run the psftp exe to launch the client interface...

Page 251: ...ssage authentication code MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message With the key the sender uses the MAC algorithm to compute the MAC value of a message Then the sender suffixes the MAC value to the message and sends the result to the receiver The receiver uses the same key and MAC algorithm to compute the MAC value of the received...

Page 252: ...ion is established between a client and the server A session consists of a set of parameters including the session ID peer certificate cipher suite and master secret SSL change cipher spec protocol Used for notification between the client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key SSL alert protocol Enables the ...

Page 253: ...ached sessions 3600 seconds for the caching timeout time Enable certificate based SSL client authentication client verify enable Optional Not enabled by default NOTE If you enable client authentication here you must request a local certificate for the client SSL mainly comes in these versions SSL 2 0 SSL 3 0 and TLS 1 0 where TLS 1 0 corresponds to SSL 3 1 When the device acts as an SSL server it ...

Page 254: ... the common name as http server1 and the FQDN as ssl security com Device system view Device pki entity en Device pki entity en common name http server1 Device pki entity en fqdn ssl security com Device pki entity en quit Create PKI domain 1 specify the trusted CA as ca server the URL of the registration server as http 10 1 2 2 certsrv mscep mscep dll the authority for certificate request as RA and...

Page 255: ...certificate issued by the CA server The web interface of the device should appear After entering username usera and password 123 you should be able to log in to the web interface to access and manage the device NOTE For more information about PKI configuration commands and the public key local create rsa command see the Security Command Reference For more information about HTTPS see the Fundamenta...

Page 256: ...f you enable client authentication on the server you must request a local certificate for the client Displaying and maintaining SSL To do Use the command Remarks Display SSL server policy information display ssl server policy policy name all begin exclude include regular expression Available in any view Display SSL client policy information display ssl client policy policy name all begin exclude i...

Page 257: ...ued the local certificate to the SSL server on the SSL client or let the server request a certificate from the CA that the SSL client trusts If the SSL server is configured to authenticate the client but the SSL client has no certificate or the certificate cannot be trusted request and install a certificate for the client 2 Use the display ssl server policy command to view the cipher suites that t...

Page 258: ...t a large number of incomplete TCP connections are established resulting in heavy resource consumption and making the server unable to handle services normally The SYN Cookie feature can prevent SYN Flood attacks After receiving a TCP connection request the server directly returns a SYN ACK message instead of establishing an incomplete TCP connection Only after receiving an ACK message from the cl...

Page 259: ...s a match the port forwards the packet otherwise the port discards the packet as shown in Figure 75 IP source guard binding entries are on a per port basis After a binding entry is configured on a port it is effective only on the port Figure 75 Diagram for the IP source guard function IP network Illegal host Legal host Enable the IP source guard function on the port for user access IP source guard...

Page 260: ...rying to access a port NOTE Global static IP source guard binding entries take effect on all ports However port based static IP source guard binding entries and dynamic IP source guard binding entries take precedence over global static IP source guard binding entries If a port is configured with a static binding entry or dynamic binding the global static binding entries do not take effect on the p...

Page 261: ...through DHCP Once DHCP allocates an IP address to a client IP source guard automatically adds the client entry to allow the client to access the network A user using an IP address not obtained through DHCP cannot access the network Dynamic IPv6 source guard entries can also be obtained from client entries on the ND snooping device Dynamic IPv4 source guard binding generates IPv4 source guard bindi...

Page 262: ...rface number Configure a static IPv4 source guard binding entry for the port user bind ip address ip address ip address ip address mac address mac address mac address mac address vlan vlan id Required No static IPv4 source guard binding entry exists on a port by default The switch does not support the vlan vlan id option NOTE You cannot configure the same static binding entry on one port for multi...

Page 263: ...dress mac address Required Not configured by default NOTE To implement dynamic IPv4 source guard binding in IP source guard make sure that DHCP snooping or DHCP relay is configured and works normally For DHCP configuration information see the Layer 3 IP Services Configuration Guide If you configure dynamic IPv4 source guard binding on a port for multiple times the last configuration will overwrite...

Page 264: ...v6 source guard binding entry the MAC address cannot be all 0s all Fs a broadcast MAC address or a multicast address and the IPv6 address must be a unicast address and cannot be all 0s all Fs or a loopback address Configuring the dynamic IPv6 source guard binding function With the dynamic IPv6 source guard binding function enabled on a Layer 2 port IP source guard dynamically generates IP source g...

Page 265: ...port Displaying and maintaining IP source guard For IPv4 To do Use the command Remarks Display static IP source guard binding entries display user bind interface interface type interface number ip address ip address mac address mac address slot slot number begin exclude include regular expression Available in any view Display dynamic IP source guard binding entries display ip check source interfac...

Page 266: ...figuring static IPv4 source guard binding entries IP 192 168 0 3 24 MAC 0001 0203 0405 IP 192 168 0 1 24 MAC 0001 0203 0406 Host A IP 192 168 0 2 24 MAC 0001 0203 0407 Host B Host C GE1 0 2 GE1 0 1 GE1 0 2 GE1 0 1 Device A Device B Configuration procedure 1 Configure Device A Configure the IP addresses of the interfaces omitted Configure port GigabitEthernet 1 0 2 of Device A to allow only IP pack...

Page 267: ...A GE1 0 2 Static 0001 0203 0406 192 168 0 1 N A GE1 0 1 Static On Device B display information about static IPv4 source guard binding entries The output shows that the static IPv4 source guard binding entries are configured successfully DeviceB display user bind Total entries found 2 MAC Address IP Address VLAN Interface Type 0001 0203 0406 192 168 0 1 N A GE1 0 2 Static 0001 0203 0407 192 168 0 2...

Page 268: ... quit Specify port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 10 and VLAN 20 to pass DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan 10 20 DeviceB GigabitEthernet1 0 1 quit Configure global static bindings to filter IP packets from any host spoofs Host A or ...

Page 269: ...s from a client that obtains an IP address through the DHCP server to pass NOTE For detailed configuration of a DHCP server see the Layer 3 IP Services Configuration Guide Figure 79 Network diagram for configuring dynamic IPv4 source guard binding by DHCP snooping Host MAC 0001 0203 0406 Device DHCP server GE1 0 2 GE1 0 1 Configuration procedure 1 Configure DHCP snooping Configure IP addresses for...

Page 270: ...ding by DHCP relay configuration example Network requirements As shown in Figure 80 the switch connects the host and the DHCP server through interfaces VLAN interface 100 and VLAN interface 200 respectively DHCP relay is enabled on the switch The host with the MAC address 0001 0203 0406 obtains an IP address from the DHCP server through the DHCP relay agent Enable the dynamic IPv4 source guard bin...

Page 271: ...nd 1 MAC Address IP Address VLAN Interface Type 0001 0203 0406 192 168 0 1 100 Vlan100 DHCP RLY Static IPv6 source guard binding entry configuration example Network requirements As shown in Figure 81 the host is connected to port GigabitEthernet 1 0 1 of the device Configure a static IPv6 source guard binding entry for GigabitEthernet 1 0 1 of the device to allow only packets from the host to pass...

Page 272: ... on port GigabitEthernet 1 0 1 of the device to filter packets based on DHCPv6 snooping entries allowing only packets from a client that obtains an IP address through the DHCP server to pass Figure 82 Network diagram for configuring dynamic IPv6 source guard binding by DHCPv6 snooping Host GE1 0 1 GE1 0 2 DHCPv6 snooping DHCPv6 server Device VLAN 2 Configuration procedure 1 Configure DHCPv6 snoopi...

Page 273: ...dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1 0 1 based on the DHCPv6 snooping entry Dynamic IPv6 source guard binding by ND snooping configuration example Network requirements The client is connected to the device through port GigabitEthernet 1 0 1 Enable ND snooping on the device establishing ND snooping entries by listening to DAD NS messages Enable the dynamic IP...

Page 274: ...1 1 2 GE1 0 1 ND SNP Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1 0 1 Device display ipv6 nd snooping IPv6 Address MAC Address VID Interface Aging Status 2001 1 040a 0000 0001 2 GE1 0 1 25 Bound Total entries 1 The output shows that a dynamic IPv6 source guard entry has generated on port GigabitEther...

Page 275: ... can provide multiple features to detect and prevent such attacks This chapter mainly introduces these features ARP attack protection configuration task list Complete the following tasks to configure ARP attack protection Task Remarks Flood prevention Configuring ARP defense against IP packet attacks Configuring ARP source suppression Optional Configure this function on gateways recommended Enabli...

Page 276: ...source suppression function or ARP black hole routing function If the packets have the same source address you can enable the ARP source suppression function With the function enabled whenever the number of ARP requests triggered by the packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold the switch suppresses the packets of the sending h...

Page 277: ...ion enabled switch the CPU of the switch may become overloaded because all of the ARP packets are redirected to the CPU for checking As a result the switch fails to deliver other functions properly or even crashes To prevent this configure ARP packet rate limit Enable this feature after the ARP detection is configured or use this feature to prevent ARP flood attacks Configuring ARP packet rate lim...

Page 278: ...ate limit command see the Network Management and Monitoring Command Reference Configuring source MAC address based ARP attack detection Introduction This feature allows the switch to check the source MAC address of ARP packets delivered to the CPU If the number of ARP packets from a MAC address exceeds a specified threshold within five seconds the switch considers this an attack and adds the MAC a...

Page 279: ...from the MAC address in the entry can be processed normally Displaying and maintaining source MAC address based ARP attack detection To do Use the command Remarks Display attacking MAC addresses detected by source MAC address based ARP attack detection display arp anti attack source mac slot slot number interface interface type interface number begin exclude include regular expression Available in...

Page 280: ...arks Enter system view system view Enable the ARP active acknowledgement function arp anti attack active ack enable Required Disabled by default Configuring ARP detection Introduction The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded and prevent user spoofing and gateway spoofing ARP detection includes ARP detecti...

Page 281: ...he sender MAC address of the received ARP packet is an OUI MAC address and voice VLAN is enabled the packet is considered valid 3 If no match is found the ARP packet is considered invalid and is discarded 4 Upon receiving an ARP packet from an ARP trusted port the switch does not check the ARP packet NOTE Static IP source guard binding entries are created by using the user bind command For more in...

Page 282: ...tical to the source MAC address in the Ethernet header If they are identical the packet is forwarded otherwise the packet is discarded dst mac Checks the target MAC address of ARP replies If the target MAC address is all zero all one or inconsistent with the destination MAC address in the Ethernet header the packet is considered invalid and discarded ip Checks the sender and target IP addresses in...

Page 283: ...orwarding arp restricted forwarding enable Required Disabled by default Displaying and maintaining ARP detection To do Use the command Remarks Display the VLANs enabled with ARP detection display arp detection begin exclude include regular expression Available in any view Display the ARP detection statistics display arp detection statistics interface interface type interface number begin exclude i...

Page 284: ...spectively details not shown 4 Configure Switch B Enable DHCP snooping SwitchB system view SwitchB dhcp snooping SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Enable ARP detection for VLAN 10 SwitchB vlan 10 SwitchB vlan10 arp detection enable Configure the upstream port as a trusted port and the downstream ports as untru...

Page 285: ... to allow only packets from valid clients to pass Configure Host A and Host B as local 802 1X access users Figure 85 Network diagram for ARP detection configuration Switch A Switch B Host A Host B Vlan int10 10 1 1 1 24 DHCP server GE1 0 1 GE1 0 3 GE1 0 2 VLAN10 Configuration procedure 1 Add all the ports on Switch B into VLAN 10 and configure the IP address of VLAN interface 10 on Switch A detail...

Page 286: ...itchB gigabitethernet1 0 3 arp detection trust SwitchB gigabitethernet1 0 3 quit After the preceding configurations are complete when ARP packets arrive at interfaces GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 they are checked against 802 1X security entries ARP restricted forwarding configuration example Network requirements As shown in Figure 86 Switch A acts as a DHCP server Host A acts as...

Page 287: ...Configure the DHCP client on Hosts A and B details not shown 4 Configure Switch B Enable DHCP snooping and configure GigabitEthernet 1 0 3 as a DHCP trusted port SwitchB system view SwitchB dhcp snooping SwitchB interface GigabitEthernet 1 0 3 SwitchB GigabitEthernet1 0 3 dhcp snooping trust SwitchB GigabitEthernet1 0 3 quit Enable ARP detection SwitchB vlan 10 SwitchB vlan10 arp detection enable ...

Page 288: ...le SwitchB vlan10 quit Switch B forwards ARP broadcast requests from Host A to Switch A through the trusted port GigabitEthernet 1 0 3 and thus Host B cannot receive such packets Port isolation works normally Configuring ARP automatic scanning and fixed ARP Introduction ARP automatic scanning is usually used together with the fixed ARP feature With ARP automatic scanning enabled on an interface th...

Page 289: ...tries that the switch supports As a result the switch may fail to change all dynamic ARP entries into static ARP entries To delete a specific static ARP entry changed from a dynamic one use the undo arp ip address command To delete all such static ARP entries use the reset arp all or reset arp static command Configuring ARP gateway protection Introduction The ARP gateway protection feature if conf...

Page 290: ... Network diagram for ARP gateway protection configuration Switch A Switch B Host A Host B Gateway GE1 0 1 GE1 0 3 GE1 0 2 10 1 1 1 24 Configuration procedure Configure ARP gateway protection on Switch B SwitchB system view SwitchB interface GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 arp filter source 10 1 1 1 SwitchB GigabitEthernet1 0 1 quit SwitchB interface GigabitEthernet 1 0 2 SwitchB...

Page 291: ... You can configure up to eight ARP filtering entries on a port Commands arp filter source and arp filter binding cannot be both configured on a port If ARP filtering works with ARP detection ARP filtering applies first ARP filtering configuration example Network requirements As shown in Figure 88 the IP and MAC addresses of Host A are 10 1 1 2 and 000f e349 1233 respectively The IP and MAC address...

Page 292: ... 2 SwitchB GigabitEthernet1 0 2 arp filter binding 10 1 1 3 000f e349 1234 After the configuration is complete GigabitEthernet 1 0 1 will permit incoming ARP packets with sender IP and MAC addresses as 10 1 1 2 and 000f e349 1233 and discard other ARP packets GigabitEthernet 1 0 2 will permit incoming ARP packets with sender IP and MAC addresses as 10 1 1 3 and 000f e349 1234 and discard other ARP...

Page 293: ...ttacker can attack a network by sending forged ICMPv6 messages as shown in Figure 89 Sends forged NS NA RS packets with the IPv6 address of a victim host The gateway and other hosts update the ND entry for the victim host with incorrect address information As a result all packets intended for the victim host are sent to the attacking host rather than the victim host Sends forged RA packets with th...

Page 294: ...es on a per VLAN basis In an ND detection enabled VLAN a port is either ND trusted or ND untrusted An ND trusted port does not check ND packets for address spoofing An ND untrusted port checks all ND packets but RA and RR messages in the VLAN for source spoofing RA and RR messages are considered illegal and are discarded directly The ND detection function checks an ND packet by looking up the IPv6...

Page 295: ...t Optional A port does not trust sources of ND packets by default NOTE ND detection performs source check by using the binding tables of IP source guard DHCPv6 snooping and ND snooping To prevent an ND untrusted port from discarding legal ND packets in an ND detection enabled VLAN ensure that at least one of the three functions is available When creating an IPv6 static binding with IP source guard...

Page 296: ...witch B Host A Host B GE1 0 3 Vlan int10 10 1 Gateway GE1 0 1 GE1 0 3 GE1 0 2 VLAN 10 ND snooping 10 6 0001 0203 0607 Internet Configuration procedure 1 Configuring Switch A Enable IPv6 forwarding SwitchA system view SwitchA ipv6 Create VLAN 10 SwitchA vlan 10 SwitchA vlan10 quit Assign port GigabitEthernet 1 0 3 to VLAN 10 SwitchA interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 port ...

Page 297: ... quit SwitchB interface GigabitEthernet 1 0 3 SwitchB GigabitEthernet1 0 3 port link type trunk SwitchB GigabitEthernet1 0 3 port trunk permit vlan 10 SwitchB GigabitEthernet1 0 3 quit Enable ND snooping in VLAN 10 SwitchB vlan 10 SwitchB vlan 10 ipv6 nd snooping enable Enable ND detection in VLAN 10 SwitchB vlan 10 ipv6 nd detection enable SwitchB vlan 10 quit Configure the uplink port GigabitEth...

Page 298: ... wwalerts After registering you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking categ...

Page 299: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Page 300: ...ting capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device ...

Page 301: ...ration prerequisites 91 Configuration prerequisites 148 Configuration prerequisites 145 Configuration prerequisites 144 Configuration prerequisites 36 Configuration prerequisites 161 Configuration procedure 270 Configuration procedure 91 Configuration procedure 148 Configuration procedure 245 Configuration procedure 281 Configuration procedure 279 Configuration procedure 278 Configuration procedur...

Page 302: ...intaining ND detection 285 Displaying and maintaining source MAC address based ARP attack detection 269 Displaying help information 234 Displaying or exporting the local RSA or DSA host public key 180 Domain based user management 9 Dynamic IPv4 source guard binding by DHCP relay configuration example 260 Dynamic IPv4 source guard binding by DHCP snooping configuration example 259 Dynamic IPv6 sour...

Page 303: ...rk device 59 RADIUS server feature of the device 10 RADIUS server functions configuration task list 42 RADIUS based MAC authentication configuration example 103 Requesting a certificate from a CA running RSA Keon 198 Requesting a certificate from a CA running Windows 2003 Server 201 S Setting a local user password in interactive mode 170 Setting global password control parameters 167 Setting local...

Page 304: ...e 132 Triple authentication mechanism 130 Triple authentication supporting VLAN assignment and Auth Fail VLAN configuration example 135 Troubleshooting HWTACACS 62 Troubleshooting RADIUS 61 U User account policies 96 Using 802 1X authentication with other features 71 Using triple authentication with other features 131 V VLAN assignment 97 W Web browser users cannot be correctly redirected 95 When ...

Search results

Summary of Contents for 5120 EI Series

Reviews:

Related manuals for 5120 EI Series

Brands by name

Popular brands

HP 5120 EI Series, Configuration Manual

Search results

Summary of Contents for 5120 EI Series

Reviews:

Related manuals for 5120 EI Series

Brands by name

Popular brands