manualshive.com logo in svg

HP 5500 HI Series, Configuration Manual, Page: 265 / 444

Share
Download
HP 5500 HI Series Configuration Manual Download Page 265

 

252 

An online certificate request can be submitted in manual mode or auto mode. 

Submitting a certificate request in auto mode 

 

 

IMPORTANT: 

In auto mode, an entity does not automatically re-request a certificate to replace a certificate that is 
expiring or has expired. After the certificate expires, the service using the certificate might be interrupted.

 

In auto mode, an entity automatically requests a certificate from the CA server through SCEP if it has no 

local certificate for an application working with PKI, and then retrieves the certificate and saves the 

certificate locally. Before requesting a certificate, if the PKI domain does not have the CA certificate yet, 
the entity automatically retrieves the CA certificate.  
To configure an entity to submit a certificate request in auto mode: 

 

Step Command 

Remarks 

1.

 

Enter system view. 

system-view 

N/A 

2.

 

Enter PKI domain view. 

pki domain 

domain-name

 N/A 

3.

 

Set the certificate request 
mode to auto. 

certificate request mode auto 

[

 key-length 

key

-

length

 

|

 password 

{

 cipher 

|

 simple 

}

 

password

 

] * 

Manual by default 

 

Submitting a certificate request in manual mode 

In manual mode, you must submit a local certificate request for an entity. Before the request, you must 

retrieve a CA certificate or generate a key pair for the PKI domain if the domain do not have the CA 

certificate or the key pair. 
The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.  
Generating a key pair is an important step in certificate request. The key pair includes a public key and 

a private key. The private key is kept by the user. The public key is transferred to the CA along with some 

other information. For more information about RSA key pair configuration, see "

Managing public keys

." 

Configuration guidelines 

 

If a PKI domain already has a local certificate, creating an RSA key pair might result in 

inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the 

local certificate and then execute the 

public-key local create 

command (see 

Security Command 

Reference

). 

 

A newly created key pair will overwrite the existing one. If you perform the 

public-key local create

 

command in the presence of a local RSA key pair, the system will ask you whether you want to 

overwrite the existing one. 

 

If a PKI domain already has a local certificate, you cannot request another certificate for it. This 
helps avoid inconsistency between the certificate and the registration information resulting from 

configuration changes. Before requesting a new certificate, use the 

pki delete-certificate

 command 

to delete the existing local certificate and the CA certificate stored locally. 

 

When it is impossible to request a certificate from the CA through SCEP, you can print the request 
information or save the request information to a local file, and then send the printed information or 

saved file to the CA by an out-of-band means. To print the request information, use the 

pki 

Summary of Contents for 5500 HI Series

Page 1: ...HP 5500 HI Switch Series Security Configuration Guide Part number 5998 2383 Software version Release 5203 and Release 5206 Document version 6W102 20140228 ...

Page 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Page 3: ...S ID VLAN binding 47 Specifying the device ID used in stateful failover mode 48 Configuring a switch as a RADIUS server 48 RADIUS server functions configuration task list 48 Configuring a RADIUS user 48 Specifying a RADIUS client 49 Displaying and maintaining AAA 50 AAA configuration examples 50 AAA for Telnet users by an HWTACACS server 50 AAA for Telnet users by separate servers 51 Authenticatio...

Page 4: ...cedure 84 Specifying a mandatory authentication domain on a port 84 Configuring the quiet timer 84 Enabling the periodic online user re authentication function 85 Configuration guidelines 85 Configuration procedure 85 Configuring a port to send EAPOL frames untagged 86 Setting the maximum number of 802 1X authentication attempts for MAC authentication users 86 Configuring a VLAN group 86 Configuri...

Page 5: ...s 105 VLAN assignment 105 ACL assignment 105 Guest VLAN 105 Critical VLAN 106 Configuration task list 106 Basic configuration for MAC authentication 106 Configuring MAC authentication globally 107 Configuring MAC authentication on a port 107 Specifying a MAC authentication domain 108 Configuring a MAC authentication guest VLAN 108 Configuring a MAC authentication critical VLAN 109 Configuring MAC ...

Page 6: ...3 Specifying an auto redirection URL for authenticated portal users 145 Configuring portal detection functions 146 Configuring online Layer 2 portal user detection 146 Configuring the portal server detection function 146 Configuring portal user information synchronization 148 Logging off portal users 148 Displaying and maintaining portal 149 Portal configuration examples 150 Configuring direct por...

Page 7: ...Configuring the userLoginWithOUI mode 207 Configuring the macAddressElseUserLoginSecure mode 212 Troubleshooting port security 214 Cannot set the port security mode 214 Cannot configure secure MAC addresses 215 Cannot change port security mode when a user is online 215 Configuring a user profile 217 Overview 217 User profile configuration task list 217 Creating a user profile 217 Applying a QoS po...

Page 8: ...onfiguration procedure 251 Submitting a PKI certificate request 251 Submitting a certificate request in auto mode 252 Submitting a certificate request in manual mode 252 Retrieving a certificate manually 253 Configuration guidelines 253 Configuration procedure 254 Configuring PKI certificate verification 254 Configuration guidelines 254 Configuring CRL checking enabled PKI certificate verification...

Page 9: ... 288 Overview 288 IKE security mechanism 288 IKE operation 289 IKE functions 289 Relationship between IKE and IPsec 290 Protocols and standards 290 IKE configuration task list 290 Configuring a name for the local security gateway 291 Configuring an IKE proposal 291 Configuring an IKE peer 292 Setting keepalive timers 294 Setting the NAT keepalive timer 294 Configuring a DPD detector 295 Disabling ...

Page 10: ... server 326 Enabling the SFTP server 326 Configuring the SFTP connection idle timeout period 327 Configuring the switch as an SFTP client 327 Specifying a source IP address or interface for the SFTP client 327 Establishing a connection to the SFTP server 327 Working with SFTP directories 328 Working with SFTP files 329 Displaying help information 330 Terminating the connection to the remote SFTP s...

Page 11: ...ration example 364 Dynamic IPv6 source guard using ND snooping configuration example 365 Global static IP source guard configuration example 366 Troubleshooting IP source guard 368 Configuring ARP attack protection 369 Overview 369 ARP attack protection configuration task list 369 Configuring ARP defense against IP packet attacks 370 Configuring ARP source suppression 370 Enabling ARP black hole r...

Page 12: ...ion procedure 391 Displaying and maintaining ND detection 391 ND detection configuration example 392 Network requirements 392 Configuration procedure 392 Configuring URPF 394 Overview 394 URPF check modes 394 How URPF works 394 Network application 397 Configuring URPF 397 URPF configuration example 397 Configuring MFF 399 Overview 399 Basic concepts 400 Operation modes 400 Working mechanism 401 Pr...

Page 13: ...re 416 Configuring blacklist 418 Overview 418 Configuring the blacklist feature 418 Displaying and maintaining the blacklist 418 Blacklist configuration example 419 Network requirements 419 Configuration procedure 419 Verifying the configuration 419 Configuring FIPS 421 Overview 421 FIPS self tests 421 Power up self test 421 Conditional self tests 421 Triggering a self test 421 Configuration proce...

Page 14: ... AAA network a NAS is a server for users but a client for the AAA servers See Figure 1 Figure 1 Network diagram When a user tries to log in to the NAS use network resources or access other networks the NAS authenticates the user The NAS can transparently pass the user s authentication authorization and accounting information to the servers The RADIUS and HWTACACS protocols define how a NAS and a r...

Page 15: ...tication and network service access It listens to connection requests authenticates users and returns user access control information for example rejecting or accepting the user access request to the clients In general the RADIUS server maintains the following databases Users Clients and Dictionary Figure 2 RADIUS server components Users Stores user information such as usernames passwords applied ...

Page 16: ...lient permits or denies the user according to the returned authentication result If it permits the user it sends a start accounting request Accounting Request to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response and starts accounting 6 The user accesses the network resources 7 The host requests the RADIUS client to tear down the connection and the RADIUS...

Page 17: ...ket of this type carries user information for the server to start or stop accounting for the user The Acct Status Type attribute in the packet indicates whether to start or stop accounting 5 Accounting Response From the server to the client The server sends a packet of this type to notify the client that it has received the Accounting Request and has successfully recorded the accounting informatio...

Page 18: ...d RADIUS attributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Terminate Cause 6 Service Type 50 Acct Multi Session Id 7 Framed Protocol 51 Acct Link Count 8 Framed IP Address 52 Acct Input Gigawords 9 Framed IP Netmask 53 Acct Output Gigawords 10 Frame...

Page 19: ...on Id 91 Tunnel Server Auth id Extended RADIUS attributes The RADIUS protocol features excellent extensibility Attribute 26 Vendor Specific an attribute defined by RFC 2865 allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple sub attributes in the type length value TLV format in RADIUS packets for ...

Page 20: ...xibility and extensibility Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP providing higher transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authent...

Page 21: ...sting the login password 8 Upon receipt of the response the HWTACACS client asks the user for the login password Host HWTACACS client HWTACACS server 1 The user logs in 2 Start authentication packet 3 Authentication response requesting the username 4 Request for username 5 The user inputs the username 6 Authentication continuance packet with the username 7 Authentication response requesting the lo...

Page 22: ...ting request has been received Domain based user management A NAS manages users based on Internet service provider ISP domains On a NAS each user belongs to one ISP domain A NAS determines the ISP domain a user belongs to by the username entered by the user at login as shown in Figure 7 Figure 7 Determining the ISP domain of a user by the username The authentication authorization and accounting of...

Page 23: ...on and accounting methods for different types of users in a domain See Configuring AAA methods for ISP domains RADIUS server feature of the switch Generally the RADIUS server runs on a computer or workstation and the RADIUS client runs on a NAS A network device that supports the RADIUS server feature can also serve as the RADIUS server working with RADIUS clients to implement user authentication a...

Page 24: ... the standard RADIUS protocol listens on UDP port 1812 for authentication requests but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server AAA for MPLS L3VPNs In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated yo...

Page 25: ...ncapsulation protocol for framed access 8 Framed IP Address IP address assigned to the user 11 Filter ID Name of the filter list 12 Framed MTU Maximum transmission unit MTU for the data link between the user and NAS For example with 802 1X EAP authentication NAS uses this attribute to notify the server of the MTU for EAP packets so as to avoid oversized EAP packets 14 Login IP Host IP address of t...

Page 26: ...emented on it the value of this attribute is 201 79 EAP Message Used for encapsulating EAP packets to allow the NAS to authenticate dial in users via EAP without having to understand the EAP protocol 80 Message Authentic ator Used for authentication and checking of authentication packets to prevent spoofing Access Requests This attribute is used when RADIUS supports EAP authentication 87 NAS Port ...

Page 27: ...ch is represented by the time elapsed after 00 00 00 on Jan 1 1970 UTC 60 Ip_Host_Addr User IP address and MAC address carried in authentication and accounting requests in the format A B C D hh hh hh hh hh hh A space is required between the IP address and the MAC address 61 User_Notify Information to be sent from the server to the client transparently 62 User_HeartBeat Hash value assigned after an...

Page 28: ...passwords of the users to be authenticated Remote authentication Configure the required RADIUS and HWTACACS schemes You must configure user attributes on the servers accordingly 2 Configure AAA methods for the users ISP domains Authentication method No authentication none local authentication local or remote authentication scheme Authorization method No authorization none local authorization local...

Page 29: ...formation about the configuration command see Fundamentals Command Reference Configuring AAA schemes Configuring local users To implement local user authentication authorization and accounting you must create local users and configure user attributes on the switch The local users and attributes are stored in the local user database on the switch A local user is uniquely identified by a username Co...

Page 30: ... a user If the attributes of a user do not match the binding attributes configured for the local user account the user cannot pass authentication Binding attributes include the ISDN calling number IP address access port MAC address and native VLAN For more information about binding attributes see Configuring local user attributes Be cautious when deciding which binding attributes to configure for ...

Page 31: ... only security log manager in the system nor can you change or delete the security log manager role of the user To do so you must specify a new security log manager first To configure local user attributes Step Command Remarks 1 Enter system view system view N A 2 Add a local user and enter local user view local user user name No local user exists by default 3 Configure a password for the local us...

Page 32: ...ng attributes for the local user bind attribute ip ip address location port slot number subslot number port number mac mac address vlan vlan id Optional By default no binding attribute is configured for a local user 9 Configure the authorization attributes for the local user authorization attribute acl acl number idle cut minute level level user profile profile name user role guest guest manager s...

Page 33: ...ontrol length length Configure the password composition policy password control composition type number type number type length type length Optional By default the user group uses global password control attribute settings For more information about password control attributes configuration commands see Security Command Reference 4 Configure the authorization attributes for the user group authoriz...

Page 34: ...DIUS communication Optional Specifying the VPN to which the servers belong Optional Setting the username format and traffic statistics units Optional Setting the supported RADIUS server type Optional Setting the maximum number of RADIUS request transmission attempts Optional Setting the status of RADIUS servers Optional Specifying the source IP address for outgoing RADIUS packets Optional Specifyi...

Page 35: ...us of the server to active If not the switch sets the status of the server to block This feature can promptly notify authentication modules of latest server status information For example server status detection can work with the 802 1X critical VLAN feature so that the switch can trigger 802 1X authentication for users in the critical VLAN immediately on detection of a reachable RADIUS authentica...

Page 36: ...wn request from a host or a connection teardown notification from an administrator it sends a stop accounting request to the accounting server You can enable buffering of non responded stop accounting requests to allow the switch to buffer and resend a stop accounting request until it receives a response or the number of stop accounting attempts reaches the configured limit In the latter case the ...

Page 37: ...orithm to authenticate packets exchanged between them and use shared keys for packet authentication and user passwords encryption They must use the same key for the same type of communication A shared key configured in this task is for all servers of the same type accounting or authentication in the scheme and has a lower priority than a shared key configured individually for a RADIUS server To sp...

Page 38: ...t the ISP domain name do not apply the RADIUS scheme to more than one ISP domain Otherwise users using the same username but in different ISP domains are considered the same user For level switching authentication the user name format keep original and user name format without domain commands produce the same results They make sure usernames sent to the RADIUS server carry no ISP domain name To se...

Page 39: ...imeout command expires it retransmits the request If the number of transmission attempts exceeds the specified limit but it still receives no response it tries to communicate with other RADIUS servers in active state If no other servers are in active state at the time it considers the authentication or accounting attempt a failure For more information about RADIUS server states see Setting the sta...

Page 40: ...e no longer delivered to the server If you remove an authentication or accounting server in use the communication of the switch with the server soon times out and the switch looks for a server in active state from scratch by checking any primary server first and then secondary servers in the order they are configured When the primary server and secondary servers are all in blocked state the switch...

Page 41: ...ver checks whether the source IP address of the packet is the IP address of any managed NAS If yes the server processes the packet If not the server drops the packet Usually the source address of outgoing RADIUS packets can be the IP address of the NAS s any interface that can communicate with the RADIUS server In some special scenarios however you must change the source IP address If the NAS is c...

Page 42: ...h configuration the active switch sends the source IP address for outgoing RADIUS packets that is configured on the standby switch to the RADIUS server so that the RADIUS server can send unsolicited RADIUS packets to the standby switch You can specify a backup IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme or in system view for all RADIUS schemes whose se...

Page 43: ...ckets to the accounting server for online users To set timers for controlling communication with RADIUS servers Step Command Remarks 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Set the RADIUS server response timeout timer timer response timeout seconds Optional The default RADIUS server response timeout timer is 3 seconds 4 Set the quiet ti...

Page 44: ...ting on packet to the RADIUS server but receives no response it resends the packet to the server at a particular interval for a specified number of times To configure the accounting on feature for a RADIUS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Enable accounting on and configure parameters accounting on enab...

Page 45: ...f RADIUS class attribute as CAR parameters is supported depends on two factors Whether the switch supports CAR parameters assignment Whether the RADIUS server supports assigning CAR parameters through the class attribute Enabling the trap function for RADIUS With the trap function a NAS sends a trap message when either of the following events occurs The status of a RADIUS server changes If a NAS r...

Page 46: ...adius dscp dscp value Optional The default DSCP value is 0 3 Set the DSCP value for IPv6 RADIUS packets radius ipv6 dscp dscp value Optional The default DSCP value is 0 Displaying and maintaining RADIUS Task Command Remarks Display the configuration information of RADIUS schemes display radius scheme radius scheme name slot slot number begin exclude include regular expression Available in any view...

Page 47: ...rs Optional Specifying the shared keys for secure HWTACACS communication Required Specifying the VPN to which the servers belong Optional Setting the username format and traffic statistics units Optional Specifying a source IP address for outgoing HWTACACS packets Optional Setting timers for controlling communication with HWTACACS servers Optional Displaying and maintaining HWTACACS Optional Creat...

Page 48: ...s for an HWTACACS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name N A 3 Specify HWTACACS authentication servers Specify the primary HWTACACS authentication server primary authentication ip address port number key cipher simple key vpn instance vpn instance name Specify the secondary HWTACACS authentication server sec...

Page 49: ...counting server for an HWTACACS scheme When the primary server is not available the secondary server is used For Release 5206 and later versions you can specify one primary accounting server and up to 16 secondary accounting servers for an HWTACACS scheme When the primary server is not available the device tries to communicate with the secondary servers in the order they are configured Once a seco...

Page 50: ...hich no responses are received stop accounting buffer enable Optional Enabled by default 5 Set the maximum number of stop accounting attempts retry stop accounting retry times Optional The default setting is 100 Specifying the shared keys for secure HWTACACS communication The HWTACACS client and HWTACACS server use the MD5 algorithm to authenticate packets exchanged between them and use shared key...

Page 51: ...stics of online users For normal and accurate traffic statistics make sure the unit for data flows and that for packets on the switch are consistent with those configured on the HWTACACS servers Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme If an HWTACACS server does not support a username that carries the domain name configure the...

Page 52: ...e IP address specified in system view for the VPN IP address of the outbound interface specified by the route To specify a source IP address for all HWTACACS schemes Step Command Remarks 1 Enter system view system view N A 2 Specify a source IP address for outgoing HWTACACS packets hwtacacs nas ip ip address vpn instance vpn instance name By default the IP address of the outbound interface is used...

Page 53: ...et the real time accounting interval timer realtime accounting minutes Optional The default real time accounting interval is 12 minutes NOTE Consider the performance of the NAS and the HWTACACS server when you set the real time accounting interval A shorter interval requires higher performance A shorter interval requires higher performance Displaying and maintaining HWTACACS Task Command Remarks D...

Page 54: ...ifferent user attributes such as different username and password structures different service types and different rights To distinguish the users of different ISPs configure ISP domains and configure different AAA methods and domain attributes for the ISP domains The switch can accommodate up to 16 ISP domains including the system defined ISP domain system You can specify one of the ISP domains as...

Page 55: ...in username userid domain name Policy based routing routes IP packets to different destinations based on the DSCP value This attribute applies only to ISP domains that use the same scheme for Layer 3 portal authentication For more information about policy based routing see Layer 3 IP Routing Configuration Guide For more information about Layer 3 portal authentication see Configuring portal authent...

Page 56: ... not require a scheme 2 Determine the access type or service type to be configured With AAA you can configure an authentication method for each access type and service type limiting the authentication protocols that can be used for access 3 Determine whether to configure an authentication method for all access types or service types Follow these guidelines when you configure AAA authentication met...

Page 57: ...uper hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name Optional The default authentication method is used by default Configuring AAA authorization methods for an ISP domain In AAA authorization is a separate process at the same level as authentication and accounting Its responsibility is to send authorization requests to the specified authorization servers and to send authoriza...

Page 58: ...local none option when you configure an authorization method local authorization or no authorization is the backup method and is used only when the remote server is not available If you specify only the local or none keyword in an authorization method configuration command the switch has no backup authorization method and performs only local authorization or does not perform any authorization To c...

Page 59: ...d none accounting methods do not require a scheme 2 Determine the access type or service type to be configured With AAA you can configure an accounting method for each access type and service type limiting the accounting protocols that can be used for access 3 Determine whether to configure an accounting method for all access types or service types Follow these guidelines when you configure AAA ac...

Page 60: ...e hwtacacs scheme name local local none radius scheme radius scheme name local Optional The default accounting method is used by default 8 Specify the accounting method for portal users accounting portal local none radius scheme radius scheme name local Optional The default accounting method is used by default Tearing down user connections Step Command Remarks 1 Enter system view system view N A 2...

Page 61: ... or changing the device ID of a switch logs out all online users of the switch HP recommends to save the configuration and reboot the switch after configuring or changing the device ID The device ID is the symbol for stateful failover mode Do not configure any device ID for a switch working in stand alone mode To specify the device ID used in stateful failover mode Step Command Remarks 1 Enter sys...

Page 62: ...default no password is specified 4 Configure the authorization attribute for the RADIUS user authorization attribute acl acl number vlan vlan id Optional Not configured by default 5 Set the expiration time for the RADIUS user expiration date time Optional By default no expiration time is set and the system does not check users expiration time 6 Configure a description for the RADIUS user descripti...

Page 63: ...guration examples Unless otherwise noted devices in the configuration examples are operating in non FIPS mode AAA for Telnet users by an HWTACACS server Network requirements As shown in Figure 1 1 configure the switch to use the HWTACACS server to provide authentication authorization and accounting services for Telnet users Set the shared keys for secure communication with the HWTACACS server to e...

Page 64: ...he username to the HWTACACS server Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login hwtacacs scheme hwtac Switch isp bbb authorization login hwtacacs scheme hwtac Switch isp bbb accounting login hwtacacs scheme hwtac Switch isp bbb quit 2 Verify the configuration Telnet to...

Page 65: ... Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the RADIUS scheme Switch radius scheme rd Switch radius rd primary accounting 10 1 1 1 1813 Switch radius rd key accounting expert Switch radius rd server type extended Switch radius rd user name format without domain Switch radius rd quit Create a local user named hello Switch local user hello Switch luser...

Page 66: ... an account with the username hello bbb on the RADIUS server and configure the RADIUS server to assign the privilege level of 3 to the user after the user passes authentication Set the shared keys for secure RADIUS communication to expert Figure 13 Network diagram Configuring the RADIUS server This example assumes that the RADIUS server runs on IMC PLAT 5 0 E0101 and IMC UAM 5 0 E0101 1 Add the sw...

Page 67: ...dding the switch to IMC as an access device 2 Add a user for device management a Click the User tab and select Device Management User from the navigation tree b Click Add c Configure the following parameters Enter hello bbb as the username and set the password Select SSH as the service type Set the EXEC privilege level to 3 This value identifies the privilege level of the SSH user after login and ...

Page 68: ...erface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure the switch to use AAA for SSH users Switch user interface vty 0 4 S...

Page 69: ...me rad Switch isp bbb authorization login radius scheme rad Switch isp bbb quit Verifying the configuration After you complete the configuration the SSH user should be able to use the configured account to access the user interface of the switch and can access the demands of level 0 through level 3 Use the display connection command to view the connection information on the switch Switch display c...

Page 70: ...se the HWTACACS scheme hwtac for user privilege level switching authentication Configure the password for local privilege level switching authentication 3 On the HWTACACS server add the username and password for user privilege level switching authentication Configuration procedure 1 Configure the switch Configure the IP address of VLAN interface 2 through which the Telnet user accesses the switch ...

Page 71: ...witch isp bbb authentication login local Configure to use HWTACACS scheme hwtac for privilege level switching authentication Switch isp bbb authentication super hwtacacs scheme hwtac Switch isp bbb quit Create a local Telnet user named test Switch local user test Switch luser test service type telnet Switch luser test password simple aabbcc Configure the user level of the Telnet user to 0 after us...

Page 72: ...evel 0 commands Switch telnet 192 168 1 70 Trying 192 168 1 70 Press CTRL K to abort Connected to 192 168 1 70 Copyright c 2010 2014 Hewlett Packard Development Company L P Without the owner s prior written consent no decompiling or reverse engineering shall be allowed Login authentication Username test bbb Password Switch User view commands display Display current system information ping Ping fun...

Page 73: ...ly those commands can be used whose level is equal or less than this Privilege note 0 VISIT 1 MONITOR 2 SYSTEM 3 MANAGE RADIUS authentication and authorization for Telnet users by a switch Network requirements As shown in Figure 18 configure Switch B to act as a RADIUS server to provide authentication and authorization for the Telnet user on port 1645 Configure Switch A to use the RADIUS server fo...

Page 74: ...r Telnet users as none SwitchA isp bbb accounting login none Configure the RADIUS server type as standard When a switch is configured to serve as a RADIUS server the server type must be set to standard SwitchA isp bbb server type standard SwitchA isp bbb quit Configure bbb as the default ISP domain Then if a user enters a username without any ISP domain at login the authentication and accounting m...

Page 75: ...configured on the NAS 3 The user is configured on the RADIUS server 4 The correct password is entered 5 The same shared key is configured on both the RADIUS server and the NAS Symptom 2 RADIUS packets cannot reach the RADIUS server Analysis 1 The NAS and the RADIUS server cannot communicate with each other 2 The NAS is not configured with the IP address of the RADIUS server 3 The UDP ports for aut...

Page 76: ...on server and the accounting server are not correct on the NAS For example one server is configured on the NAS to provide all the services of authentication authorization and accounting but in fact the services are provided by different servers Solution Check that 1 The accounting port number is correctly set 2 The authentication authorization server and the accounting server are correctly configu...

Page 77: ... Provides authentication services for the network access device It authenticates 802 1X clients by using the data sent from the network access device and returns the authentication results for the network access device to make access decisions The authentication server is typically a Remote Authentication Dial in User Service RADIUS server In a small LAN you can also use the network access device ...

Page 78: ...ntication methods including MD5 Challenge EAP Transport Layer Security EAP TLS and Protected EAP PEAP 802 1X defines EAP over LAN EAPOL for passing EAP packets between the client and the network access device over a wired or wireless LAN Between the network access device and the authentication server 802 1X delivers authentication information in one of the following methods Encapsulates EAP packet...

Page 79: ...format PAE Ethernet type Protocol type It takes the value 0x888E for EAPOL Protocol version The EAPOL protocol version used by the EAPOL packet sender Type Type of the EAPOL packet Table 5 lists the types of EAPOL packets supported by HP implementation of 802 1X Table 5 EAPOL packet types Value Type Description 0x00 EAP Packet The client and the network access device uses EAP Packets to transport ...

Page 80: ...henticator attribute value The Message Authenticator prevents EAP authentication packets from being tampered with during EAP authentication Figure 24 Message Authenticator attribute format Initiating 802 1X authentication Both the 802 1X client and the access device can initiate 802 1X authentication 802 1X client as the initiator The client sends an EAPOL Start packet to the access device to init...

Page 81: ...formation to the RADIUS server as shown in Figure 25 In EAP relay mode the client must use the same authentication method as the RADIUS server On the network access device you only need to execute the dot1x authentication method eap command to enable EAP relay Figure 25 EAP relay EAP termination mode In EAP termination mode the network access device terminates the EAP packets received from the cli...

Page 82: ...X authentication procedure in EAP relay mode assuming that EAP MD5 is used Figure 27 802 1X authentication procedure in EAP relay mode 1 When a user launches the 802 1X client software and enters a registered username and password the 802 1X client software sends an EAPOL Start packet to the network access device 2 The network access device responds with an Identity EAP Request packet to ask for t...

Page 83: ...nd sends a RADIUS Access Accept packet to the network access device 10 Upon receiving the RADIUS Access Accept packet the network access device sends an EAP Success packet to the client and sets the controlled port in the authorized state so the client can access the network 11 After the client comes online the network access device periodically sends handshake requests to check whether the client...

Page 84: ...mode it is the network access device rather than the authentication server generates an MD5 challenge for password encryption see Step 4 The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server ...

Page 85: ...hentication with other features VLAN assignment The device can work with a RADIUS server to assign VLANs to 802 1X users The device accepts untagged VLANs that are assigned through the RFC 3580 compliant Tunnel attributes and tagged VLANs that are assigned through the RFC 4675 compliant Egress VLANID or Egress VLAN Name attribute NOTE Access ports do not support RFC 4675 compliant assignment of VL...

Page 86: ...butes or the Egress VLANID attribute On a periodic online user re authentication enabled port if a user has been online before you enable the MAC based VLAN function the device does not create a MAC to VLAN mapping for the user unless the user passes re authentication and the VLAN for the user has changed For more information about VLAN configuration and MAC based VLAN see Layer 2 LAN Switching Co...

Page 87: ...ll subsequent 802 1X users are assigned to the user configured port VLAN After the user logs off the PVID remains unchanged 2 On a port that performs MAC based access control To use the 802 1X guest VLAN function on a port that performs MAC based access control make sure that the port is a hybrid port and enable MAC based VLAN on the port Authentication status VLAN manipulation A user has not pass...

Page 88: ...r the user to the port as the PVID and removes the port from the Auth Fail VLAN After the user logs off the user configured PVID restores If the authentication server assigns no VLAN the initial PVID applies The user and all subsequent 802 1X users are assigned to the user configured PVID After the user logs off the PVID remains unchanged 2 On a port that performs MAC based access control To perfo...

Page 89: ... the PVID of the port and all 802 1X users on this port are in this VLAN A user in the 802 1X critical VLAN fails authentication for any other reason than server unreachable If an Auth Fail VLAN has been configured the PVID of the port changes to Auth Fail VLAN ID and all 802 1X users on this port are moved to the Auth Fail VLAN A user in the critical VLAN passes 802 1X authentication Assigns the ...

Page 90: ...ollowing RADIUS authentication server changes in the ISP domain for 802 1X users on a port can cause the users to be removed from the critical VLAN An authentication server is added to the ISP domain and the server is reachable A response from a RADIUS authentication server is received The RADIUS server probing function detects that a RADIUS authentication server is reachable You can use the dot1x...

Page 91: ...ion domain on a port Optional Configuring the quiet timer Optional Enabling the periodic online user re authentication function Optional Configuring a port to send EAPOL frames untagged Optional Setting the maximum number of 802 1X authentication attempts for MAC authentication users Optional Configuring a VLAN group Optional Configuring an 802 1X guest VLAN Optional Configuring an 802 1X Auth Fai...

Page 92: ... 1X client you can use both EAP termination and EAP relay To use EAP TL PEAP or any other EAP authentication methods you must use EAP relay When you make your decision see A comparison of EAP relay and EAP termination for help For more information about EAP relay and EAP termination see 802 1X authentication procedures To configure EAP relay or EAP termination Step Command Remarks 1 Enter system v...

Page 93: ...is set for a port in system view and Ethernet interface view the one set later takes effect To set the authorization state of a port Step Command Remarks 1 Enter system view system view N A 2 Set the port authorization state In system view dot1x port control authorized force auto unauthorized force interface interface list In Ethernet interface view a interface interface type interface number b do...

Page 94: ...m number of concurrent 802 1X users on a port In system view dot1x max user user number interface interface list In Ethernet interface view a interface interface type interface number b dot1x max user user number interface interface list Optional Use either method The default maximum number of concurrent 802 1X users on a port is 2048 Setting the maximum number of authentication request attempts T...

Page 95: ... seconds 3 Set the server timeout timer dot1x timer server timeout server timeout value Optional The default is 100 seconds Configuring the online user handshake function The online user handshake function checks the connectivity status of online 802 1X users The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake period command If ...

Page 96: ...Periodically multicasts Identity EAP Request packets out of a port to detect 802 1X clients and trigger authentication Unicast trigger Enables the network device to initiate 802 1X authentication when it receives a data frame from an unknown source MAC address The device sends a unicast Identity EAP Request packet to the unknown source MAC address and retransmits the packet if it has received no r...

Page 97: ... port No user can use an account in any other domain to access the network through the port The implementation of a mandatory authentication domain enhances the flexibility of 802 1X access control deployment To specify a mandatory authentication domain for a port Step Command Remarks 1 Enter system view system view N A 2 Enter Ethernet interface view interface interface type interface number N A ...

Page 98: ...n the server vary with servers The VLAN assignment status must be consistent before and after re authentication If the authentication server has assigned a VLAN before re authentication it must also assign a VLAN at re authentication If the authentication server has assigned no VLAN before re authentication it must not assign one at re authentication Violation of either rule can cause the user to ...

Page 99: ...ntication and 802 1X authentication are enabled on a port the device allows an authenticated MAC authentication user to initiate an 802 1X authentication If the user passes 802 1X authentication the user goes online as an 802 1X user If the user fails 802 1X authentication the user can retry authentication until the maximum number of authentication attempts is reached To set the maximum number of ...

Page 100: ...sources immediately after an 802 1X authentication is complete As a solution remind the 802 1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802 1X authentication is complete The HP iNode client does not have this problem Use Table 8 when configuring multiple security features on a port Table 8 Relationships of the 802 1X guest VLAN and other...

Page 101: ...Auth Fail VLAN Configuration guidelines Follow these guidelines when configuring an 802 1X Auth Fail VLAN Assign different IDs to the voice VLAN the port VLAN and the 802 1X Auth Fail VLAN on a port so the port can correctly process VLAN tagged incoming traffic You can configure only one 802 1X Auth Fail VLAN on a port The 802 1X Auth Fail VLANs on different ports can be different If 802 1X client...

Page 102: ...ction see Layer 2 LAN Switching Configuration Guide Configuration procedure To configure an Auth Fail VLAN Step Command Remarks 1 Enter system view system view N A 2 Enter Ethernet interface view interface interface type interface number N A 3 Configure the Auth Fail VLAN on the port dot1x auth fail vlan authfail vlan id By default no Auth Fail VLAN is configured Configuring an 802 1X critical VLA...

Page 103: ... the port to trigger 802 1X authentication on detection of a reachable authentication server for users in the critical VLAN dot1x critical recovery action reinitialize Optional By default when a reachable RADIUS server is detected the system removes the port or 802 1X users from the critical VLAN without triggering authentication Specifying supported domain name delimiters By default the access de...

Page 104: ...ist Available in user view 802 1X authentication configuration example Network requirements As shown in Figure 29 the access device performs 802 1X authentication for users that connect to port GigabitEthernet 1 0 1 Implement MAC based access control on the port so the logoff of one user does not affect other online 802 1X users Use RADIUS servers to perform authentication authorization and accoun...

Page 105: ...localuser password simple localpass Configure the idle cut function to log off any online user that has been idled for 20 minutes Device luser localuser authorization attribute idle cut 20 Device luser localuser quit 5 Configure a RADIUS scheme Create the RADIUS scheme radius1 and enter its view Device radius scheme radius1 Specify the IP addresses of the primary authentication and accounting RADI...

Page 106: ...le cut function to log off any online domain user that has been idle for 20 minutes Device isp aabbcc net idle cut enable 20 Device isp aabbcc net quit Specify aabbcc net as the default ISP domain If a user does not provide any ISP domain name it is assigned to the default ISP domain Device domain default enable aabbcc net 7 Configure 802 1X Enable 802 1X globally Device dot1x Enable 802 1X on por...

Page 107: ...e authentication server runs RADIUS and is in VLAN 2 The update server in VLAN 10 is for client software download and upgrade If no user performs 802 1X authentication on GigabitEthernet 1 0 2 within a period of time the device adds GigabitEthernet 1 0 2 to its guest VLAN VLAN 10 The host and the update server are both in VLAN 10 and the host can access the update server and download the 802 1X cl...

Page 108: ...et 1 0 4 Device vlan2 quit Device vlan 5 Device vlan5 port gigabitethernet 1 0 3 Device vlan5 quit 4 Configure a RADIUS scheme Configure RADIUS scheme 2000 and enter its view Device system view Device radius scheme 2000 Specify primary and secondary authentication and accounting servers Set the shared key to abc for authentication and accounting packets Device radius 2000 primary authentication 10...

Page 109: ...ific period of time use the display vlan 10 command to verify whether GigabitEthernet 1 0 2 is assigned to VLAN 10 After a user passes authentication you can use the display interface gigabitethernet 1 0 2 command to verity that port GigabitEthernet 1 0 2 has been added to VLAN 5 802 1X with ACL assignment configuration example Network requirements As shown in Figure 31 the host at 192 168 1 10 co...

Page 110: ... radius 2000 key authentication abc Device radius 2000 key accounting abc Device radius 2000 user name format without domain Device radius 2000 quit Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain Device domain 2000 Device isp 2000 authentication default radius scheme 2000 Device isp 2000 authorization default radius scheme 2000 Device isp 2000 acc...

Page 111: ...Request timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss The output shows that ACL 3000 has taken effect on the user and the user cannot access the FTP server ...

Page 112: ... client obtain a dynamic IP address from a DHCP server or perform some other tasks to be compliant with the network security strategy URL redirection If an unauthenticated 802 1X user is using a web browser to access the network the EAD fast deployment function redirects the user to a specific URL for example the EAD client software download page The server that provides the URL must be on the fre...

Page 113: ... timer EAD fast deployment automatically creates an ACL rule or an EAD rule to open access to the redirect URL for each redirected user seeking to access the network The EAD rule timer sets the lifetime of each ACL rule When the timer expires or the user passes authentication the rule is removed If users fail to download EAD client or fail to pass authentication before the timer expires they must ...

Page 114: ...ers to install and update 802 1X client program from a web server configure the following Allow unauthenticated users to access the segment of 192 168 2 0 24 and to obtain IP address on the segment of 192 168 1 0 24 through DHCP Redirect unauthenticated users to a preconfigured web page when the users use a web browser to access any external network except 192 168 2 0 24 The web page allows users ...

Page 115: ... configuration procedure see 802 1X authentication configuration example 4 Configure 802 1X Configure the free IP Device dot1x free ip 192 168 2 0 24 Configure the redirect URL for client software download Device dot1x url http 192 168 2 3 Enable 802 1X globally Device dot1x Enable 802 1X on the port Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 dot1x Verifying the configurati...

Page 116: ...fied redirect URL after they enter external website addresses in their web browsers Analysis Redirection will not happen for one of the following reasons The address is in the string format The operating system of the host regards the string as a website name and tries to resolve it If the resolution fails the operating system sends an ARP request but the target address is not in the dotted decima...

Page 117: ...e uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users You specify one username and password which are not necessarily a MAC address for all MAC authentication users on the access device This policy is suitable for a secure environment Authentication approach...

Page 118: ...s the VLAN to the port as the default VLAN After the user logs off the initial default VLAN or the default VLAN configured before any VLAN is assigned by the authentication server restores If the authentication server assigns no VLAN the initial default VLAN applies A hybrid port is always assigned to a server assigned VLAN as an untagged member After the assignment do not re configure the port as...

Page 119: ...thentication users on a port can cause users to be removed from the critical VLAN An authentication server is added to the ISP domain and the server is reachable A response from a RADIUS authentication server is received The RADIUS server probing function detects that a RADIUS authentication server is reachable Configuration task list Task Remarks Basic configuration for MAC authentication Configu...

Page 120: ...word for a MAC authentication user account must be a MAC address in lower case without hyphens NOTE When global MAC authentication is enabled the EAD fast deployment function cannot take effect Configuring MAC authentication on a port Step Command Remarks 1 Enter system view system view N A 2 Enable MAC authentication In system view mac authentication interface interface list In interface view a i...

Page 121: ...erface type interface number b mac authentication domain domain name Use either method By default the system default authentication domain is used for MAC authentication users Configuring a MAC authentication guest VLAN Follow the guidelines in Table 10 when configuring a MAC authentication guest VLAN on a port Table 10 Relationships of the MAC authentication guest VLAN with other security feature...

Page 122: ...n guest VLAN on a port Configuring a MAC authentication critical VLAN Follow the guidelines in Table 1 1 when you configure a MAC authentication critical VLAN on a port Table 11 Relationships of the MAC authentication critical VLAN with other security features Feature Relationship description Reference Quiet function of MAC authentication The MAC authentication critical VLAN function has higher pr...

Page 123: ...rentially triggered To configure MAC authentication delay Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable MAC authentication delay and set the delay time mac authentication timer auth delay time By default MAC authentication is not delayed Enabling MAC authentication multi VLAN mode By default a...

Page 124: ...tion enabled port forwards packets for an authenticated user only in the VLAN where the user s MAC address was authenticated This command is available only in Release 5206 and later Displaying and maintaining MAC authentication Task Command Remarks Display MAC authentication information display mac authentication interface interface list begin exclude include regular expression Available in any vi...

Page 125: ...hentication interface gigabitethernet 1 0 1 Specify the ISP domain for MAC authentication Device mac authentication domain aabbcc net Set the MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Configure MAC authentication to use MAC based accounts The MAC address usernames and passwords are hyphenated and in lowercase Device mac a...

Page 126: ...e 34 a host connects to port GigabitEthernet 1 0 1 on the access device The device uses RADIUS servers for authentication authorization and accounting Perform MAC authentication on port GigabitEthernet 1 0 1 to control Internet access Make sure that The device detects whether a user has gone offline every 180 seconds If a user fails authentication the device does not authenticate the user within 1...

Page 127: ...rface gigabitethernet 1 0 1 Specify the ISP domain for MAC authentication Device mac authentication domain 2000 Set the MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Specify username aaa and plaintext password 123456 for the account shared by MAC authentication users Device mac authentication user name format fixed account aa...

Page 128: ...t GigabitEthernet 1 0 1 and the device uses RADIUS servers to perform authentication authorization and accounting Perform MAC authentication on port GigabitEthernet 1 0 1 to control Internet access Make sure that an authenticated user can access the Internet but the FTP server at 10 0 0 1 Use MAC based user accounts for MAC authentication users The MAC addresses are hyphen separated and in lower c...

Page 129: ...o use MAC based user accounts and the MAC addresses are hyphen separated and in lowercase Sysname mac authentication user name format mac address with hyphen lowercase Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication 4 Configure the RADIUS servers Add a user account with 00 e0 fc 12 34 56 as both the us...

Page 130: ...117 Request timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss ...

Page 131: ...ite can for example present advertisements and deliver community and personalized services In this way broadband network providers equipment vendors and content service providers form an industrial ecological system Extended portal functions By forcing patching and anti virus policies extended portal functions help users to defend against viruses Portal authentication supports the following extend...

Page 132: ...tication security check and accounting Allowing users who have passed identity authentication and security check to access granted Internet resources Portal server A portal server listens to authentication requests from authentication clients and exchanges client authentication information with the access device It provides free portal services and pushes Web authentication pages to users NOTE A p...

Page 133: ...uthorizes the user to access the Internet resources NOTE To implement security check the client must be the HP iNode client Portal authentication supports NAT traversal whether it is initiated by a Web client or an HP iNode client When the portal authentication client is on a private network but the portal server is on a public network and the access device is enabled with NAT network address tran...

Page 134: ...upports Layer 2 portal authentication Layer 2 portal authentication allows the authentication server to assign different VLANs according to user authentication results so that access devices can thereby control user access to resources After a client passes authentication the authentication server can assign an authorized VLAN to allow the user to access the resources in the VLAN If a client fails...

Page 135: ... using the username and password is less secure Digital certificate authentication is usually used to ensure higher security The Extensible Authentication Protocol EAP supports several digital certificate based authentication methods for example EAP TLS Working together with EAP portal authentication can implement digital certificate based user authentication Figure 38 Portal support for EAP worki...

Page 136: ...N entry If the authorized VLAN does not exist the access device first creates the VLAN By deploying the authorized VLAN assignment function you can control which authenticated users can access which network resources Auth Fail VLAN The Auth Fail VLAN feature allows users failing authentication to access a VLAN that accommodates network resources such as the patches server virus definitions server ...

Page 137: ...ice Layer 3 portal authentication process Direct authentication and cross subnet authentication share the same authentication process while re DHCP authentication has a different process because of the presence of two address allocation procedures Direct authentication cross subnet authentication process with CHAP PAP authentication Figure 40 Direct authentication cross subnet authentication proce...

Page 138: ...client meets the security requirements 9 Based on the security check result the security policy server authorizes the user to access certain resources and sends the authorization information to the access device The access device then controls access of the user based on the authorization information Re DHCP authentication process with CHAP PAP authentication Figure 41 Re DHCP authentication proce...

Page 139: ...authentication request to the access device and starts a timer to wait for the portal authentication reply The portal authentication request contains several EAP Message attributes which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client 3 After the access device receives the portal authentication request it constructs a R...

Page 140: ...ribute 9 The portal server notifies the authentication client of the authentication success 10 The portal server sends an authentication reply acknowledgment to the access device The remaining steps are for extended portal authentication For more information about the steps see the portal authentication process with CHAP PAP authentication Portal stateful failover Overview The stateful failover fe...

Page 141: ...thentication for new portal users Basic concepts 1 Device states Independence A stable running status of a device when it does not establish the failover link with the other device Synchronization A stable running status of a device when it establishes the failover link with the other device successfully and is ready for data backup 2 User modes Stand alone Indicates that the user data is stored o...

Page 142: ...s portal authentication packets in a VPN transparently through the MPLS backbone to the servers in another VPN This feature implements centralized client authentication across different VPNs while ensuring the separation of packets of the different VPNs Figure 44 Network diagram for portal authentication across VPNs For information about AAA implementation across VPNs see Configuring AAA Portal co...

Page 143: ...ional Configuring portal stateful failover Optional Specifying an auto redirection URL for authenticated portal users Optional Configuring portal detection functions Configuring the portal server detection function Optional Configuring portal user information synchronization Logging off portal users Optional Configuration prerequisites The portal feature provides a solution for user identity authe...

Page 144: ...entication to work normally make sure that the system name of the access device is no more than 16 characters Specifying the portal server Specifying the local portal server for Layer 2 portal authentication Layer 2 portal authentication uses the local portal server Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the ...

Page 145: ...s required only for local portal authentication During local portal authentication the local portal server pushes authentication pages to users You can define the authentication pages for users otherwise the default authentication pages will be used during the authentication process Customizing authentication pages Customized authentication pages exist in the form of HTML files You can compress th...

Page 146: ...on Post request attributes 1 Observe the following requirements when editing a form of an authentication page An authentication page can have multiple forms but there must be one and only one form whose action is logon cgi Otherwise user information cannot be sent to the local portal server The username attribute is fixed as PtUser and the password attribute is fixed as PtPwd Attribute PtButton is...

Page 147: ...ation pages smoothly you need comply with the following size and content requirements on authentication pages The size of the zip file of each set of authentication pages including the main authentication pages and the page elements must be no more than 500 KB The size of a single page including the main authentication page and its page elements must be no more than 50 KB before being compressed P...

Page 148: ...ogon success or online page If a user refreshes the logon success or online page or jumps to another website from either of the pages the device also logs off the user Only Microsoft IE Mozilla Firefox and Apple Safari browsers support the device to log off the user when the user closes the logon success or online page Google Chrome Opera and other browsers do not support this function Configuring...

Page 149: ...e perform portal authentication for connected clients Enabling Layer 2 portal authentication Before enabling Layer 2 portal authentication make sure that The listening IP address of the local portal server is specified Layer 3 portal authentication is not enabled on any interface Follow these guidelines when you enable Layer 2 portal authentication To ensure normal operation of portal authenticati...

Page 150: ...port the re DHCP portal authentication mode You can enable both an IPv4 portal server and an IPv6 portal server for Layer 3 portal authentication on an interface but you cannot enable two IPv4 or two IPv6 portal servers on the interface To enable Layer 3 portal authentication Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N...

Page 151: ...Command Remarks 1 Enter system view system view N A 2 Configure a portal free rule To configure an IPv4 portal free rule portal free rule rule number destination any ip ip address mask mask length netmask any tcp tcp port number udp udp port number source any interface interface type interface number ip ip address mask mask length mask any tcp tcp port number udp udp port number mac mac address vl...

Page 152: ...he maximum number of online portal users You can use this feature to control the total number of online portal users in the system If the maximum number of online portal users to be set is less than that of the current online portal users the limit can be set successfully and does not impact the online portal users but the system does not allow new portal users to log on until the number drops dow...

Page 153: ...portal free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication You must add the port numbers of the Web proxy servers on the switch and users must make sure their browsers that use a Web proxy server do not use the proxy server for the listening IP address of the local portal server Thus HTTP packets that the portal user sends to the local por...

Page 154: ...information to the new port If the operation fails the switch deletes the user s information from the original port and re authenticates the user on the new port Specifying an Auth Fail VLAN for portal authentication Only Layer 2 portal authentication supports this feature This task sets the Auth Fail VLAN to be assigned to users failing portal authentication You can specify different Auth Fail VL...

Page 155: ...cording to the practical access environment To specify the NAS Port Type value for an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Specify the NAS Port Type value for the interface portal nas port type ethernet wireless Not configured by default Specifying a NAS ID profile for an interface In some networks...

Page 156: ... server and the destination IP address of packets that the portal server sends to the access device To specify a source IP address for outgoing portal packets to be sent Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Specify a source IP address for outgoing portal packets portal nas ip ipv4 address ipv6 ipv6 address O...

Page 157: ...ndependence to synchronization and the portal group takes effect the two devices start to back up the data of online portal users for each other The AAA and portal configuration must be consistent on the two devices that back up each other For example you must configure the same portal server on the two devices To configure stateful failover Step Command Remarks 1 Enter system view system view N A...

Page 158: ...er the configuration save the configuration and restart the device Do not delete the configured backup source IP addresses Otherwise online users on the backup device may not be able to receive packets from the server Specifying an auto redirection URL for authenticated portal users After a user passes portal authentication if the access device is configured with an auto redirection URL it redirec...

Page 159: ... Configuring the portal server detection function Only Layer 3 portal authentication supports this feature During portal authentication if the communication between the access device and portal server is broken new portal users are not able to log on and the online portal users are not able to log off normally To address this problem the access device must be able to detect the reachability change...

Page 160: ...hat use the portal server allows all portal users on the interfaces to access network resources When the device receives from the portal server portal heartbeat packets or authentication packets such as logon requests and logout requests it re enables the portal authentication function You can configure any combination of the configuration items described as needed with respect to the following If...

Page 161: ... it considers that the user does not exist on the portal server and logs the user off To configure the portal user information synchronization function Step Command Remarks 1 Enter system view system view N A 2 Configure the portal user information synchronization function portal server server name user sync interval interval retry retries Not configured by default The portal server specified in t...

Page 162: ...clude regular expression Available in any view Display configuration information about the local portal server display portal local server begin exclude include regular expression Available in any view Display information about a specific portal server or all portal servers display portal server server name begin exclude include regular expression Available in any view Display portal server statis...

Page 163: ...server serves as the authentication authorization and accounting server Figure 45 Network diagram Configuration prerequisites Configure IP addresses for the host switch and servers as shown in Figure 45 and make sure they can reach each other Configure the RADIUS server properly to provide authentication and accounting functions for users Configuring the portal server IMC PLAT 5 0 This example ass...

Page 164: ...l IP address group configuration page Then click Add to enter the page shown in Figure 47 Enter the IP group name Enter the start IP address and end IP address of the IP group Make sure that the host IP address is in the IP group Select a service group By default the group Ungrouped is used Select the IP group type Normal Figure 47 Adding an IP address group Add a portal device ...

Page 165: ...o support sever heartbeat and user heartbeat functions In this example select No for both Support Server Heartbeat and Support User Heartbeat Figure 48 Adding a portal device Associate the portal device with the IP address group As shown in Figure 49 click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page Figure 49 Device list On the ...

Page 166: ...e keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 112 Switch radius rs1 primary accounting 192 168 0 112 Switch radius rs1 key authentication simple radius Switch radius rs1 key accounting simple radius Specify that the ISP domain name should not be included in the username sent to the RADIUS server Switch radius rs1 user name format without domain Switch...

Page 167: ...uthentication Network requirements As shown in Figure 51 The host is directly connected to the switch and the switch is configured for re DHCP authentication The host is assigned with an IP address through the DHCP server Before passing portal authentication the host uses an assigned private IP address After passing portal authentication the host can get a public IP address and access Internet res...

Page 168: ...er type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 113 Switch radius rs1 primary accounting 192 168 0 113 Switch radius rs1 key authentication simple radius Switch radius rs1 key accounting simple radius Specify...

Page 169: ... interface connecting the host Switch Vlan interface100 portal server newpt method redhcp Switch Vlan interface100 quit Configuring cross subnet portal authentication Network requirements As shown in Figure 52 Switch A is configured for cross subnet portal authentication Before passing portal authentication the host can access only the portal server After passing portal authentication the host can...

Page 170: ...e should not be included in the username sent to the RADIUS server SwitchA radius rs1 user name format without domain SwitchA radius rs1 quit 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view SwitchA domain dm1 Configure AAA methods for the ISP domain SwitchA isp dm1 authentication portal radius scheme rs1 SwitchA isp dm1 authorization portal radius scheme rs1 ...

Page 171: ...cation accounting server Figure 53 Network diagram Configuration procedure Configure IP addresses for the host switch and servers as shown in Figure 53 and make sure they can reach each other Configure the RADIUS server properly to provide authentication and accounting functions for users Configure the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch sy...

Page 172: ... user Switch domain default enable dm1 3 Configure the ACL ACL 3000 for resources on subnet 192 168 0 0 24 and the ACL ACL 3001 for Internet resources Switch acl number 3000 Switch acl adv 3000 rule permit ip destination 192 168 0 0 0 0 0 255 Switch acl adv 3000 rule deny ip Switch acl adv 3000 quit Switch acl number 3001 Switch acl adv 3001 rule permit ip Switch acl adv 3001 quit On the security ...

Page 173: ...entication the switch must be configured as a DHCP relay agent and the portal enabled interface must be configured with a primary IP address a public IP address and a secondary IP address a private IP address For information about DHCP relay agent configuration see Layer 3 IP Services Configuration Guide Make sure the IP address of the portal device added on the portal server is the public IP addr...

Page 174: ...2 Configure an authentication domain Create an ISP domain named dm1 and enter its view Switch domain dm1 Configure AAA methods for the ISP domain Switch isp dm1 authentication portal radius scheme rs1 Switch isp dm1 authorization portal radius scheme rs1 Switch isp dm1 accounting portal radius scheme rs1 Switch isp dm1 quit Configure domain dm1 as the default ISP domain for all users Then if a use...

Page 175: ... Switch Vlan interface100 dhcp relay server select 0 Switch Vlan interface100 dhcp relay address check enable Enable re DHCP portal authentication on the interface connecting the host Switch Vlan interface100 portal server newpt method redhcp Switch Vlan interface100 quit Configuring cross subnet portal authentication with extended functions Network requirements As shown in Figure 55 Switch A is c...

Page 176: ... primary accounting 192 168 0 112 SwitchA radius rs1 key accounting simple radius SwitchA radius rs1 key authentication simple radius SwitchA radius rs1 user name format without domain Configure the IP address of the security policy server SwitchA radius rs1 security policy server 192 168 0 113 SwitchA radius rs1 quit 2 Configure an authentication domain Create an ISP domain named dm1 and enter it...

Page 177: ...ateful failover Network requirements As shown in Figure 56 a failover link is present between Switch A and Switch B Both Switch A and Switch B support portal authentication Configure stateful failover between Switch A and Switch B to support portal service backup and use VRRP to implement traffic switchover between the switches More specifically When Switch A works normally Host accesses Switch A ...

Page 178: ...e High Availability Configuration Guide For information about stateful failover configuration see High Availability Configuration Guide Configuring the portal server IMC PLAT 5 0 This example assumes that the portal server runs on IMC PLAT 5 0 E0101 and IMC UAM 5 0 E0101 Configure the portal server Log in to IMC and select the Service tab Then select User Access Manager Portal Service Management S...

Page 179: ...ter the IP group name Enter the start IP address and end IP address of the IP group Make sure that the host IP address is in the IP group Select a service group By default the group Ungrouped is used Select the IP group type Normal Figure 58 Adding an IP address group Add a portal device Select User Access Manager Portal Service Management Device from the navigation tree to enter the portal device...

Page 180: ...r both Support Server Heartbeat and Support User Heartbeat Figure 59 Adding a portal device Associate the portal device with the IP address group As shown in Figure 49 click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page Figure 60 Device list On the port group configuration page click Add to enter the page shown in Figure 50 Perfor...

Page 181: ...te of VLAN interface 20 becomes Down or Removed SwitchA Vlan interface10 vrrp vrid 1 track interface vlan interface20 reduced 150 SwitchA Vlan interface10 quit Create VRRP group 2 and configure the virtual IP address of the VRRP group 2 as 192 168 0 1 SwitchA interface vlan interface 20 SwitchA Vlan interface20 vrrp vrid 2 virtual ip 192 168 0 1 Set the priority of VLAN interface 20 in VRRP group ...

Page 182: ...all users Then if a user enters a username without any ISP domain at logon the authentication and accounting methods of the default domain are used for the user SwitchA domain default enable dm1 4 Enable portal authentication on the interface connecting the host Configure a portal server on the switch making sure the IP address port number and URL match those of the actual portal server SwitchA po...

Page 183: ...t 2 Configure a RADIUS scheme Create RADIUS scheme rs1 and enter its view SwitchB radius scheme rs1 Configure the server type for the RADIUS scheme When using the IMC server configure the RADIUS server type as extended SwitchB radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers SwitchB rad...

Page 184: ...l group 1 SwitchB Vlan interface10 portal backup group 1 SwitchB Vlan interface10 quit Set the ID of the device in the stateful failover mode to 2 SwitchB nas device id 2 Specify the source IP address of outgoing RADIUS packets as 192 168 0 1 the virtual IP address of VRRP group 2 SwitchB radius nas backup ip 192 168 0 1 Make sure you have added the access device with IP address 192 168 0 1 on the...

Page 185: ...ting server Detailed requirements are as follows The host is assigned with a public network IP address either manually or through DHCP Before passing portal authentication the host can access only the portal server After passing portal authentication the host can access the Internet The access device Switch can detect whether the portal server is reachable and send trap messages upon state changes...

Page 186: ...the RADIUS server properly to provide authentication and accounting functions for users Configuring the portal server IMC PLAT 5 0 This example assumes that the portal server runs IMC PLAT 5 0 E0101 and IMC UAM 5 0 E0101 Configure the portal server Log in to IMC and select the Service tab Then select User Access Manager Portal Service Management Server from the navigation tree to enter the portal ...

Page 187: ...e configuration page Then click Add to enter the page shown in Figure 48 Enter the device name NAS Enter the IP address of the switch s interface connected to the user Enter the key which must be the same as that configured on the switch Set whether to enable IP address reallocation This example uses direct portal authentication and therefore select No from the Reallocate IP list Set whether to su...

Page 188: ...s group The IP address used by the user to access the network must be within this IP address group Use the default settings for other parameters Figure 67 Adding a port group Select User Access Manager Service Parameters Validate System Configuration from the navigation tree to validate the configurations Configure the switch 1 Configure a RADIUS scheme Create RADIUS scheme rs1 and enter its view ...

Page 189: ...e actual portal server Switch portal server newpt ip 192 168 0 111 key simple portal port 50100 url http 192 168 0 111 8080 portal Enable portal authentication on the interface connecting the host Switch interface vlan interface 100 Switch Vlan interface100 portal server newpt method direct Switch Vlan interface100 quit 4 Configure the portal server detection function Configure the access device t...

Page 190: ...o provide cross subnet portal authentication for hosts in VPN 1 through communication with the RADIUS server and portal server in VPN 3 Figure 68 Network diagram Configuration procedure Before enabling portal authentication be sure to configure the MPLS L3VPN capabilities properly and specify VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other This example gives...

Page 191: ... the server to avoid authentication failures 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view SwitchA domain dm1 Configure AAA methods for the ISP domain SwitchA isp dm1 authentication portal radius scheme rs1 SwitchA isp dm1 authorization portal radius scheme rs1 SwitchA isp dm1 accounting portal radius scheme rs1 SwitchA isp dm1 quit Configure domain dm1 as ...

Page 192: ...d to port GigabitEthernet 1 0 1 More specifically Use the remote RADIUS server for authentication authorization and accounting Use the remote DHCP server to assign IP addresses to users The listening IP address of the local portal server is 4 4 4 4 The local portal server pushes the user defined authentication pages to users and uses HTTPS to transmit authentication data Add users passing authenti...

Page 193: ...ess Because the DHCP server and the DHCP client are not in the same subnet you need to configure a DHCP relay agent on the subnet of the client For more information about DHCP relay agent see Layer 3 IP Services Configuration Guide Perform the following configuration on the switch to implement Layer 2 portal authentication 1 Configure portal authentication Add Ethernet ports to related VLANs and c...

Page 194: ...ch radius scheme rs1 Set the server type for the RADIUS scheme When using the IMC server set the server type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 1 1 1 2 Switch radius rs1 primary accounting 1 1 1 2 Switch radius rs...

Page 195: ...s a Web page the user is in VLAN 8 the initial VLAN and is assigned with an IP address on subnet 192 168 1 0 24 When the user accesses a Web page on the external network the Web request will be redirected to authentication page https 4 4 4 4 portal logon htm After entering the correct username and password the user can pass the authentication Then the device will move the user from VLAN 8 to VLAN ...

Page 196: ...ect server port number on the access device Symptom After a user passes the portal authentication you cannot force the user to log off by executing the portal delete user command on the access device but the user can log off by using the disconnect attribute on the authentication client Analysis When you execute the portal delete user command on the access device to force the user to log off the a...

Page 197: ...l server command to display the listening port of the portal server configured on the access device and use the portal server command in the system view to modify it to make sure that it is the actual listening port of the portal server ...

Page 198: ...ication are triggered by different packets The access port performs MAC authentication for a terminal when it receives an ARP or DHCP broadcast packet from the terminal for the first time If the terminal passes MAC authentication the terminal can access the network If the MAC authentication fails the access port performs 802 1X or portal authentication The access port performs 802 1X authenticatio...

Page 199: ...tion If it fails to pass all types of authentication the access port adds the terminal to the 802 1X Auth Fail VLAN ACL assignment You can specify an authorization ACL for an authenticated user to control its access to network resources After the user passes MAC authentication the authentication server either the local access device or a RADIUS server assigns the ACL onto the access port to filter...

Page 200: ...zation and accounting and configure the switch to send usernames carrying no ISP domain names to the RADIUS server The local portal authentication server on the switch uses listening IP address 4 4 4 4 The switch sends a default authentication page to the web user and forwards authentication data using HTTP Figure 71 Network diagram Configuration procedure Make sure that the terminals the server a...

Page 201: ...1 dot1x port method macbased Switch GigabitEthernet1 0 1 dot1x Switch GigabitEthernet1 0 1 quit 4 Configure MAC authentication Enable MAC authentication globally Switch mac authentication Enable MAC authentication on GigabitEthernet 1 0 1 Switch interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 mac authentication Switch GigabitEthernet1 0 1 quit 5 Configure a RADIUS scheme Create a RADIU...

Page 202: ...n pass portal authentication The printer can pass MAC authentication after being connected to the network Use the display connection command to view online users Switch display connection Slot 1 Index 30 Username userpt triple IP 192 168 1 2 IPv6 N A MAC 0015 e9a6 7cfe Index 31 Username userdot triple IP 192 168 1 3 IPv6 N A MAC 0002 0002 0001 Index 32 Username 001588f80dd7 triple IP 192 168 1 4 I...

Page 203: ...the Auth Fail VLAN on the access device Users failing authentication are added to this VLAN and are allowed to access only the Update server Figure 72 Network diagram Configuration procedure Make sure that the terminals the servers and the switch can reach each other When using an external DHCP server make sure that the terminals can get IP addresses from the server before and after authentication...

Page 204: ... lease is recommended to shorten the time terminals use to re acquire IP addresses after the terminals pass authentication Switch dhcp server ip pool 2 Switch dhcp pool 2 network 2 2 2 0 mask 255 255 255 0 Switch dhcp pool 2 expired day 0 hour 0 minute 1 Switch dhcp pool 2 gateway list 2 2 2 1 Switch dhcp pool 2 quit Configure IP address pool 3 including the address range lease and gateway address...

Page 205: ...2 as the Auth Fail VLAN Switch interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 dot1x port method macbased Switch GigabitEthernet1 0 1 dot1x Switch GigabitEthernet1 0 1 dot1x auth fail vlan 2 Switch GigabitEthernet1 0 1 quit 7 Configure MAC authentication Enable MAC authentication globally Switch mac authentication Enable MAC authentication on GigabitEthernet 1 0 1 and specify VLAN 2 as...

Page 206: ...ion Web user userpt uses a web browser to access an external network The web request is redirected to the authentication page http 4 4 4 4 portal logon htm After inputting the correct username and password the web user can pass portal authentication The printer can pass MAC authentication after being connected to the network Use the display connection command to view connection information about o...

Page 207: ...ip in use all Pool utilization 0 59 IP address Client identifier Lease expiration Type Hardware address 3 3 3 111 0015 88f8 0dd7 Dec 15 2009 17 40 52 Auto COMMITTED 3 3 3 2 0002 0002 0001 Dec 15 2009 17 41 02 Auto COMMITTED 3 3 3 3 0015 e9a6 7cfe Unlimited Manual total 3 entry When a terminal fails authentication it is added to VLAN 2 You can also use the display commands to view the MAC VLAN entr...

Page 208: ...ation or MAC authentication HP recommends you configure 802 1X authentication or MAC authentication rather than port security For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication Port security features NTK The need to know NTK feature prevents traffic interception by checking the destination MAC address in the outbound frames The featur...

Page 209: ...be triggered Turning off the port security feature noRestrictions the default mode In this mode port security is disabled on the port and access to the port is not restricted N A Controlling MAC address learning autoLearn NTK intrusion protection secure Performing 802 1X authentication userLogin N A userLoginSecure NTK intrusion protection userLoginSecureExt userLoginWithOUI Performing MAC authent...

Page 210: ...cation and implements port based access control The port can service multiple 802 1X users If one 802 1X user passes authentication all the other 802 1X users of the port can access the network without authentication userLoginSecure A port in this mode performs 802 1X authentication and implements MAC based access control The port services only one user passing 802 1X authentication userLoginSecur...

Page 211: ...est VLAN is the VLAN that a user is in after failing authentication Support for the guest VLAN and Auth Fail VLAN features varies with security modes You can use the 802 1X guest VLAN and 802 1X Auth Fail VLAN features together with port security modes that support 802 1X authentication For more information about the 802 1X guest VLAN and Auth Fail VLAN on a port that performs MAC based access con...

Page 212: ...C authentication configuration see Configuring MAC authentication Setting port security s limit on the number of MAC addresses on a port You can set the maximum number of MAC addresses that port security allows on a port for the following purposes Controlling the number of concurrent users on the port The maximum number of concurrent users on the port equals this limit or the limit of the authenti...

Page 213: ...tion group or service loopback group If you are configuring the autoLearn mode set port security s limit on the number of MAC addresses You cannot change the setting when the port is operating in autoLearn mode Configuration procedure To enable a port security mode Step Command Remarks 1 Enter system view system view N A 2 Set an OUI value for user authentication port security oui oui value index ...

Page 214: ...security ntk mode ntk withbroadcasts ntk withmulticasts ntkonly By default NTK is disabled on a port and all frames are allowed to be sent Configuring intrusion protection Intrusion protection enables a device to take one of the following actions in response to illegal frames blockmac Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards the frames All subs...

Page 215: ...AC authentication user logon and MAC authentication user logoff intrusion Detection of illegal frames To enable port security traps Step Command Remarks 1 Enter system view system view N A 2 Enable port security traps port security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon By default port security traps are disabled Configuring secure ...

Page 216: ...activity aging function are configured the aging timer restarts once traffic data is detected from the sticky MAC address Yes The secure MAC aging timer restarts at a reboot Dynamic Converted from sticky MAC addresses or automatically learned after the dynamic secure MAC function is enabled Same as sticky MAC addresses No All dynamic secure MAC addresses are lost at reboot Configuration prerequisi...

Page 217: ...e saved to the configuration file and once saved can survive a device reboot NOTE You can display dynamic secure MAC addresses only by using the display port security mac address security command Ignoring authorization information The authorization information is delivered by the RADIUS server or the local device to an 802 1X user or MAC authenticated user who passes RADIUS or local authentication...

Page 218: ...configuration examples Configuring the autoLearn mode Network requirements See Figure 73 Configure port GigabitEthernet 1 0 1 on the Device as follows Accept up to 64 users on the port without authentication Permit the port to learn and add MAC addresses as sticky MAC addresses and set the sticky MAC aging timer to 30 minutes After the number of secure MAC addresses reaches 64 the port stops learn...

Page 219: ...ess number is 0 Authorization is permitted Security MAC address learning mode is sticky Security MAC address aging type is absolute The output shows that the port security s limit on the number of secure MAC addresses on the port is 64 the port security mode is autoLearn intrusion protection traps are enabled and the intrusion protection action is disabling the port DisablePortTemporarily for 30 s...

Page 220: ...itEthernet1 0 1 Interface Delete several secure MAC addresses and you can see that the port security mode of the port changes to autoLearn and the port can learn MAC addresses again Configuring the userLoginWithOUI mode Network requirements As shown in Figure 74 a client is connected to the Device through port GigabitEthernet 1 0 1 The Device authenticates the client with a RADIUS server If the au...

Page 221: ...evice radius radsun key authentication name Device radius radsun key accounting money Device radius radsun timer response timeout 5 Device radius radsun retry 5 Device radius radsun timer realtime accounting 15 Device radius radsun user name format without domain Device radius radsun quit Configure ISP domain sun to use RADIUS scheme radsun for authentication authorization and accounting of all ty...

Page 222: ...Port 1812 State active Encryption Key N A VPN instance N A Probe username N A Probe interval N A Primary Acct Server IP 192 168 1 3 Port 1813 State active Encryption Key N A VPN instance N A Second Auth Server IP 192 168 1 3 Port 1812 State active Encryption Key N A VPN instance N A Probe username N A Probe interval N A Second Acct Server IP 192 168 1 2 Port 1813 State active Encryption Key N A VP...

Page 223: ...s 123404 Index is 5 OUI value is 123405 GigabitEthernet1 0 1 is link up Port mode is userLoginWithOUI NeedToKnow mode is disabled Intrusion Protection mode is NoAction Max MAC address number is not configured Stored MAC address number is 0 Authorization is permitted Security MAC address learning mode is sticky Security MAC address aging type is absolute After an 802 1X user gets online you can see...

Page 224: ... action NOT configured Max number of on line users is 2048 EAPOL Packet Tx 16331 Rx 102 Sent EAP Request Identity Packets 16316 EAP Request Challenge Packets 6 EAP Success Packets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0011 Controlled User s a...

Page 225: ...e as in Configuring the userLoginWithOUI mode 2 Configure port security Enable port security Device system view Device port security enable Configure the device to use hyphenated lowercased MAC addresses of users as the usernames and passwords for MAC authentication Device mac authentication user name format mac address with hyphen lowercase Device interface gigabitethernet 1 0 1 Specify ISP domai...

Page 226: ...iod is 60s Quiet period is 5s Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 3 Current domain is mac Silent MAC User info MAC Addr From Port Port Index GigabitEthernet1 0 1 is link up MAC address authentication is enabled Authenticate success 3 failed 7 Max number of on line users is 2048 Current online user number is 3 MAC ADDR Au...

Page 227: ...NOT configured Auth Fail VLAN NOT configured Critical VLAN NOT configured Critical recovery action NOT configured Max number of on line users is 2048 EAPOL Packet Tx 16331 Rx 102 Sent EAP Request Identity Packets 16316 EAP Request Challenge Packets 6 EAP Success Packets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Pa...

Page 228: ...n Solution Set the port security mode to autoLearn Device GigabitEthernet1 0 1 undo port security port mode Device GigabitEthernet1 0 1 port security max mac count 64 Device GigabitEthernet1 0 1 port security port mode autolearn Device GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Cannot change port security mode when a user is online Symptom Port security mode cannot be cha...

Page 229: ...216 Device GigabitEthernet1 0 1 undo port security port mode ...

Page 230: ...cts authenticated users behaviors as follows 1 After the authentication server verifies a user the server sends the device the name of the user profile associated with the user If the profile is enabled the device applies the configurations in the user profile and allows user access based on all valid configurations If the user profile is disabled the device denies the user access 2 After the user...

Page 231: ...e applied QoS policy including the ACL that is referenced by the QoS policy or remove it For information about QoS policy configurations see ACL and QoS Configuration Guide To apply a QoS policy Step Command Remarks 1 Enter system view system view N A 2 Enter user profile view user profile profile name N A 3 Apply a QoS policy qos apply policy policy name inbound outbound The inbound keyword appli...

Page 232: ...rofile user profile profile name enable A user profile is disabled by default Displaying and maintaining user profiles Task Command Remarks Display information about all the created user profiles display user profile begin exclude include regular expression Available in any view ...

Page 233: ... see Fundamentals Configuration Guide This function is not effective on a user who is prompted to change the password at the first login or a user whose password has just been aged out Password aging Password aging imposes a lifecycle on a user password After the password aging time expires the user needs to change the password If a user enters an expired password when logging in the system displa...

Page 234: ...ber of consecutive attempts the system takes action as configured Prohibiting the user from logging in until the user is removed from the password control blacklist manually Allowing the user to try continuously and removing the user from the password control blacklist when the user logs in to the system successfully or the blacklist entry times out the blacklist entry aging time is one minute Pro...

Page 235: ... You can impose the following password complexity requirements A password cannot contain the username or the reverse of the username For example if the username is abc a password such as abc982 or 2cba is weak No character of the password is repeated three or more times consecutively For example password a1 1 1 is weak Password display in the form of a string of asterisks For the sake of security ...

Page 236: ...e those configured in system view Complete the following tasks to configure password control Task Remarks Enabling password control Required Setting global password control parameters Optional Setting user group password control parameters Optional Setting local user password control parameters Optional Setting super password control parameters Optional Setting a local user password in interactive...

Page 237: ...rol and FIPS mode are enabled but the minimum password length restriction function is disabled the minimum password length is eight characters and the password must have at least four different characters When global password control and the minimum password length restriction function are both enabled the minimum password length is that configured by the password control length length command How...

Page 238: ...n times exceed lock unlock lock time time Optional By default the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for one minute before trying again 9 Set the number of days during which the user is warned of the pending password expiration password control alert before expire alert time Optional 7 days by default 10 Set the maxim...

Page 239: ...p Command Remarks 1 Enter system view system view N A 2 Create a local user and enter local user view local user user name N A 3 Configure the password aging time for the local user password control aging aging time Optional By default the setting equals that for the user group to which the local user belongs If no aging time is configured for the user group the global setting applies to the local...

Page 240: ...ength for super passwords password control super length length Optional By default the minimum super password length is the same as the global minimum password length 4 Configure the password composition policy for super passwords password control super composition type number type number type length type length Optional By default the super password composition policy is the same as the global pa...

Page 241: ...successive login attempts is permanently prohibited from logging in A user can log in five times within 60 days after the password expires The password aging time is 30 days The minimum password update interval is 36 hours The maximum account idle time is 30 days A password cannot contain the username or the reverse of the username No character occurs consecutively three or more times in a passwor...

Page 242: ...ix Create a local user named test Sysname local user test Set the service type of the user to Telnet Sysname luser test service type telnet Set the minimum password length to 12 for the local user Sysname luser test password control length 12 Specify that the password of the local user must contain at least two types of characters and each type must contain at least five characters Sysname luser t...

Page 243: ...ntrol super Super password control configurations Password aging Enabled 30 days Password length Enabled 10 characters Password composition Enabled 3 types 5 characters per type Display the password control configuration information for local user test Sysname display local user user name test The contents of local user test State Active ServiceType telnet Access limit Disable Current AccessNum 0 ...

Page 244: ...er It is built on the client server model Generally the HABP server is enabled on the authentication device which is configured with 802 1X or MAC authentication such as Switch A in the above example and the attached switches function as the HABP clients such as Switch B through Switch E in the example No device can function as both an HABP server and a client at the same time Typically the HABP s...

Page 245: ... to work in server mode and specify the VLAN for HABP packets habp server vlan vlan id HABP works in client mode by default The VLAN specified on the HABP server for transmitting HABP packets must be the same as that to which the HABP clients belong 4 Set the interval to send HABP requests habp timer interval Optional 20 seconds by default Configuring an HABP client An HABP client is usually confi...

Page 246: ...e begin exclude include regular expression Available in any view Display HABP packet statistics display habp traffic begin exclude include regular expression Available in any view HABP configuration example Network requirements As shown in Figure 76 Switch A is attached with access devices Switch B and Switch C 802 1X authentication is configured on Switch A for central authentication and manageme...

Page 247: ... packets to 50 seconds SwitchA habp timer 50 2 Configure Switch B Enable HABP HABP is enabled by default This configuration is optional SwitchA system view SwitchB habp enable Configure HABP to work in client mode HABP works in client mode by default This configuration is optional SwitchB undo habp server Specify the VLAN to which the HABP client belongs as VLAN 1 An HABP client belongs to VLAN 1 ...

Page 248: ...n HABP Mode Server Sending HABP request packets every 50 seconds Bypass VLAN 1 Display HABP MAC address table entries SwitchA display habp table MAC Holdtime Receive Port 001f 3c00 0030 53 GigabitEthernet1 0 2 001f 3c00 0031 53 GigabitEthernet1 0 1 ...

Page 249: ...igital Signature Algorithm DSA Asymmetric key algorithms can be used in two scenarios for two purposes To encrypt and decrypt data The sender uses the public key of the intended receiver to encrypt the information to be sent Only the intended receiver the holder of the paired private key can decrypt the information This mechanism guarantees confidentiality Only RSA can be used for data encryption ...

Page 250: ... with a target application After you enter the command specify a proper modulus length for the key pair The following table compares the three types of key pairs Type Number of key pairs Modulus length Remarks RSA in non FIPS mode Two key pairs one server key pair and one host key par Each key pair comprises a public key and a private key 512 to 2048 bits 1024 by default To achieve high security s...

Page 251: ...ude include regular expression Available in any view Use at least one command Display the local host public key display public key local dsa public begin exclude include regular expression The display public key local rsa public command displays both the RSA server and host public keys Recording the RSA host public key is enough After displaying the host public key record the key information for m...

Page 252: ...ay need to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred the storage media of the device is replaced the asymmetric key has been used for a long time or the local certificate expires For more information about the local certificate see Configuring PKI To destroy a local asymmetric key pair Step Command 1 Enter system view system view 2 Destroy a l...

Page 253: ...he manual configuration of a format incompliant public key will fail Always use the first method if you are not sure about the format of the recorded public key To import the host public key from a public key file to the local device Step Command 1 Enter system view system view 2 Import the host public key from the public key file public key peer keyname import sshkey filename To manually configur...

Page 254: ...authenticates Device A the peer device through a digital signature Before configuring authentication parameters on Device B configure the public key of Device A on Device B Configure Device B to use the asymmetric key algorithm of RSA Manually specify the host public key of Device A s public key pair on Device B Figure 78 Network diagram Configuration procedure 1 Configure Device A Create local RS...

Page 255: ...e A by using the display public key local dsa public command DeviceB system view DeviceB public key peer devicea Public key view return to System View with peer public key end DeviceB pkey public key public key code begin Public key code view return to last view with public key code end DeviceB pkey key code 30819F300D06092A864886F70D010101050003818D0030818902818100 D90003FA95F5A44A2A2CD3F814F9854...

Page 256: ...ost public key Create local RSA key pairs on Device A setting the modulus length to the default 1024 bits DeviceA system view DeviceA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the local RSA key...

Page 257: ... ftp service type ftp DeviceA luser ftp authorization attribute level 3 DeviceA luser ftp quit 3 On Device B use FTP to log in to Device A and get the public key file devicea pub with the file transfer mode of binary DeviceB ftp 10 1 1 1 Trying 10 1 1 1 Press CTRL K to abort Connected to 10 1 1 1 220 FTP service ready User 10 1 1 1 none ftp 331 Password required for ftp Password 230 User logged in...

Page 258: ...21B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A ...

Page 259: ...l standard of ITU T X 509 The most common standard is X 509 v3 This document discusses two types of certificates local certificate and CA certificate A local certificate is a digital certificate signed by a CA for an entity A CA certificate is the certificate of a CA If multiple CAs are trusted by different users in a PKI system the CAs will form a CA tree with the root CA at the top level The roo...

Page 260: ... independent authority An RA can implement functions including identity authentication CRL management key pair generation and key pair backup The PKI standard recommends that an independent RA be used for registration management to achieve higher security PKI repository A PKI repository can be a Lightweight Directory Access Protocol LDAP server or a common database It stores and manages informatio...

Page 261: ...rivate data communication network built on the public communication infrastructure A VPN can leverage network layer security protocols for instance IPsec in conjunction with PKI based encryption and digital signature technologies for confidentiality Secure email Emails require confidentiality integrity authentication and non repudiation PKI can address these needs The secure email protocol that is...

Page 262: ...a domain name IP address of the entity Locality where the entity resides Organization to which the entity belongs Unit of the entity in the organization State where the entity resides The configuration of an entity DN must comply with the CA certificate issue policy You must determine for example which entity DN parameters are mandatory and which are optional Otherwise certificate requests might b...

Page 263: ...equest from an entity examines its qualification and determines whether to ask the CA to sign a digital certificate The RA only examines the application qualification of an entity it does not issue any certificate Sometimes the registration management function is provided by the CA in which case no independent RA is required It is a good practice to deploy an independent RA URL of the registration...

Page 264: ... the polling interval and attempt limit for querying the certificate request status certificate request polling count count interval minutes Optional The polling is executed for up to 50 times at the interval of 20 minutes by default 8 Specify the LDAP server ldap server ip ip address port port number version version number Optional No LDP server is specified by default 9 Configure the fingerprint...

Page 265: ...o verify the authenticity and validity of a local certificate Generating a key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user The public key is transferred to the CA along with some other information For more information about RSA key pair configuration see Managing public keys Configuration guidelines If a ...

Page 266: ...request manually pki request certificate domain domain name password pkcs10 filename filename N A Retrieving a certificate manually You can download CA certificates local certificates or peer entity certificates from the CA server and save them locally To do so use either the offline mode or the online mode In offline mode you must retrieve a certificate by an out of band means like FTP disk or em...

Page 267: ... or been revoked You can specify whether to perform CRL checking during certificate verification If you enable CRL checking CRLs will be used in verification of a certificate and you must retrieve the CA certificate and CRLs to the local switch before the certificate verification If you disable CRL checking you only need to retrieve the CA certificate Configuration guidelines The CRL update period...

Page 268: ...abled PKI certificate verification Step Command Remarks 1 Enter system view system view N A 2 Enter PKI domain view pki domain domain name N A 3 Disable CRL checking crl check disable Enabled by default 4 Return to system view quit N A 5 Retrieve the CA certificate See Retrieving a certificate manually N A 6 Verify the validity of the certificate pki validate certificate ca local domain domain nam...

Page 269: ...ew N A 2 Create a certificate attribute group and enter its view pki certificate attribute group group name No certificate attribute group exists by default 3 Configure an attribute rule for the certificate issuer name certificate subject name or alternative subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional No restrict...

Page 270: ...onfiguration examples are operating in non FIPS mode When the CA uses Windows Server the SCEP add on is required and you must use the certificate request from ra command to specify that the entity request a certificate from an RA When the CA uses RSA Keon the SCEP add on is not required and you must use the certificate request from ca command to specify that the entity request a certificate from a...

Page 271: ...ce Device pki entity aaa quit 2 Configure the PKI domain Create PKI domain torsa and enter its view Device pki domain torsa Configure the name of the trusted CA as myca Device pki domain torsa ca identifier myca Configure the URL of the registration server in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server Device...

Page 272: ...e CRL retrieval success Request a local certificate manually Device pki request certificate domain torsa challenge word Certificate is being requested please wait Device Enrolling the local certificate please wait a while Certificate request Successfully Saving the local certificate to device Done Verifying the configuration Display information about the retrieved local certificate Device display ...

Page 273: ... 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use display pki certificate ca domain and display pki crl domain to display detailed information about the CA certificate and CRLs For more information about the commands see Security Command Reference Certificate request from a Windows 2003 CA server Network requirements Configure PKI entity Device to request a local certificate from the ...

Page 274: ...rt number as the TCP port number of the default website After completing the configuration make sure the system clock of the switch is synchronous to that of the CA server so that that the switch can request a certificate normally Configuring the switch 1 Configure the entity name as aaa and the common name as device Device system view Device pki entity aaa Device pki entity aaa common name device...

Page 275: ...l success Request a local certificate manually Device pki request certificate domain torsa challenge word Certificate is being requested please wait Device Enrolling the local certificate please wait a while Certificate request Successfully Saving the local certificate to device Done Verifying the configuration Display information about the retrieved local certificate Device display pki certificat...

Page 276: ...formation Access CA Issuers URI http l00192b CertEnroll l00192b_CA 20server crt CA Issuers URI file l00192b CertEnroll l00192b_CA server crt 1 3 6 1 4 1 311 20 2 0 I P S E C I n t e r m e d i a t e O f f l i n e Signature Algorithm sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B Omitted You can also use some other display commands to display more information about the CA certificate For ...

Page 277: ...efines that the IP address of the certificate issuer is 10 0 0 1 Device pki certificate attribute group mygroup1 Device pki cert attribute group mygroup1 attribute 1 subject name dn ctn aabbcc Device pki cert attribute group mygroup1 attribute 2 issuer name ip equ 10 0 0 1 Device pki cert attribute group mygroup1 quit Create certificate attribute group mygroup2 and add two attribute rules The firs...

Page 278: ... authority is specified for certificate request The system clock of the switch is not synchronized with that of the CA Solution Make sure the network connection is physically proper Check that the required commands are configured properly Use the ping command to verify that the RA server is reachable Specify the authority for certificate request Synchronize the system clock of the switch with that...

Page 279: ...mple the network cable might be damaged or loose No CA certificate has been retrieved before you try to retrieve CRLs The IP address of LDAP server is not configured The CRL distribution URL is not configured The LDAP server version is wrong The domain name of the CRL distribution point failed to be resolved Solution Make sure the network connection is physically proper Retrieve a CA certificate S...

Page 280: ...and automatic IPsec security association SA setup and maintenance Good compatibility You can apply IPsec to all IP based application systems and services without modifying them Encryption on a per packet rather than per flow basis Per packet encryption allows for flexibility and greatly enhances IP security IPsec comprises a set of protocols including Authentication Header AH Encapsulating Securit...

Page 281: ...he AH ESP header A manually configured SA requires an SPI to be specified manually for it an IKE created SA will have an SPI generated at random A manually configured SA never ages out An IKE created SA has a specified period of lifetime which comes in two types Time based lifetime which defines how long the SA can be valid after it is created Traffic based lifetime which defines the maximum traff...

Page 282: ... the device Data Encryption Standard DES which encrypts a 64 bit plain text block with a 56 bit key DES is the least secure but the fastest algorithm It is sufficient for general security requirements Triple DES 3DES which encrypts plain text data with three 56 bit DES keys The key length totals up to 168 bits It provides moderate security strength and is slower than DES Advanced Encryption Standa...

Page 283: ...vice supports the FIPS mode that complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode Configuring IPsec IPsec can be implemented based on ACLs or applications ACL based IPsec uses ACLs to identify the data flows to be protected To implement ACL based IPsec configure IPsec policies reference ACLs in ...

Page 284: ...y Applying an IPsec policy group to an interface Configuring the IPsec session idle timeout Optional Enabling ACL checking of de encapsulated IPsec packets Optional Configuring the IPsec anti replay function Optional Configuring packet information pre extraction Optional CAUTION Typically IKE uses UDP port 500 for communication and AH and ESP use the protocol numbers 51 and 50 respectively Make su...

Page 285: ...e conflicts between them are prone to cause mistreatment of packets For example when configuring a permit statement for an IPsec policy to protect an outbound traffic flow you must avoid the situation that the traffic flow matches a deny statement in a higher priority IPsec policy Otherwise the packets will be sent out as normal packets if they match a permit statement at the receiving end they wi...

Page 286: ... IPsec proposal exists 3 Specify the security protocol for the proposal transform ah ah esp esp Optional ESP by default 4 Specify the security algorithms Specify the encryption algorithm for ESP In non FIPS mode esp encryption algorithm 3des aes key length des In FIPS mode esp encryption algorithm aes key length Specify the authentication algorithm for ESP In non FIPS mode esp authentication algor...

Page 287: ...sec proposals that use the same security protocols security algorithms and encapsulation mode The remote IP address configured on the local end must be the same as the IP address of the remote end At each end configure parameters for both the inbound SA and the outbound SA and make sure that different SAs use different SPIs SPIs for the SAs in the same direction must be different The local inbound...

Page 288: ...IPsec policy only the last specified ACL takes effect 4 Assign an IPsec proposal to the IPsec policy proposal proposal name By default an IPsec policy references no IPsec proposal A manual IPsec policy can reference only one IPsec proposal To change an IPsec proposal for an IPsec policy you must remove the current reference first 5 Configure the two ends of the IPsec tunnel Configure the local add...

Page 289: ...from manual to through IKE or vice versa To create an IPsec policy that uses IKE delete the manual IPsec policy and then use IKE to configure an IPsec policy Configuring an IPsec policy that uses IKE available only in FIPS mode To configure an IPsec policy that uses IKE directly configure it by configuring the parameters in IPsec policy view Before you configure an IPsec policy that uses IKE confi...

Page 290: ...s effect 5 Assign IPsec proposals to the IPsec policy proposal proposal name 1 6 By default an IPsec policy references no IPsec proposal 6 Specify an IKE peer for the IPsec policy ike peer peer name An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile and vice versa 7 Enable and configure the perfect forward secrecy feature for the IPsec policy pfs dh group2...

Page 291: ...cation of the IPsec policy group For each packet to be sent out an IPsec protected interface the system looks through the IPsec policies in the IPsec policy group in ascending order of sequence numbers If an IPsec policy matches the packet the system uses the IPsec policy to protect the packet If no match is found the system sends the packet out without IPsec protection To apply an IPsec policy gr...

Page 292: ...packets ipsec decrypt check Optional Enabled by default Configuring the IPsec anti replay function This feature is supported only in FIPS mode The IPsec anti replay function protects networks against anti replay attacks by using a sliding window mechanism called anti replay window This function checks the sequence number of each received IPsec packet against the current IPsec packet sequence numbe...

Page 293: ...ure is supported only in FIPS mode If you apply both an IPsec policy and QoS policy to an interface by default the interface first uses IPsec and then QoS to process IP packets and QoS classifies packets by the headers of IPsec encapsulated packets If you want QoS to classify packets by the headers of the original IP packets enable the packet information pre extraction feature For more information...

Page 294: ...supported only in FIPS mode Display IPsec packet statistics display ipsec statistics tunnel id integer begin exclude include regular expression Available in any view Display IPsec tunnel information display ipsec tunnel begin exclude include regular expression Available in any view Clear SAs reset ipsec sa parameters dest address protocol spi policy policy name seq number remote ip address Availab...

Page 295: ...tunnel Specify the security protocol as ESP SwitchA ipsec proposal tran1 transform esp Specify the algorithms for the proposal SwitchA ipsec proposal tran1 esp encryption algorithm aes 128 SwitchA ipsec proposal tran1 esp authentication algorithm sha1 SwitchA ipsec proposal tran1 quit Configure the IKE peer SwitchA ike peer peer SwitchA ike peer peer pre shared key Ab12 SwitchA ike peer peer remot...

Page 296: ...algorithm aes 128 SwitchB ipsec proposal tran1 esp authentication algorithm sha1 SwitchB ipsec proposal tran1 quit Configure the IKE peer SwitchB ike peer peer SwitchB ike peer peer pre shared key Ab12 SwitchB ike peer peer remote address 2 2 2 1 SwitchB ike peer peer quit Create an IPsec policy that uses IKE for IPsec SA negotiation SwitchB ipsec policy use1 10 isakmp Apply the ACL SwitchB ipsec ...

Page 297: ... to an interface to protect RIPng packets traveling through the interface Configuration procedure 1 Configure Switch A Assign an IPv6 address to each interface Details not shown Create a RIPng process and enable it on VLAN interface 100 SwitchA system view SwitchA ripng 1 SwitchA ripng 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ripng 1 enable SwitchA Vlan interface100 qu...

Page 298: ...ed tran1 and set the encapsulation mode to transport mode the security protocol to ESP the encryption algorithm to DES and authentication algorithm to SHA1 HMAC 96 SwitchB ipsec proposal tran1 SwitchB ipsec proposal tran1 encapsulation mode transport SwitchB ipsec proposal tran1 transform esp SwitchB ipsec proposal tran1 esp encryption algorithm des SwitchB ipsec proposal tran1 esp authentication ...

Page 299: ...olicy001 10 proposal tran1 SwitchC ipsec policy manual policy001 10 sa spi outbound esp 123456 SwitchC ipsec policy manual policy001 10 sa spi inbound esp 123456 SwitchC ipsec policy manual policy001 10 sa string key outbound esp abcdefg SwitchC ipsec policy manual policy001 10 sa string key inbound esp abcdefg SwitchC ipsec policy manual policy001 10 quit Apply IPsec policy policy001 to the RIPng...

Page 300: ...e policy001 sequence number 10 mode manual connection id 1 encapsulation mode transport perfect forward secrecy tunnel flow inbound ESP SAs spi 123456 0x3039 proposal ESP ENCRYPT DES ESP AUTH SHA1 No duration limit for this sa outbound ESP SAs spi 123456 0x3039 proposal ESP ENCRYPT DES ESP AUTH SHA1 No duration limit for this sa Similarly you can view the information on Switch B and Switch C Detai...

Page 301: ...nism IKE has a series of self protection mechanisms and supports secure identity authentication key distribution and IPsec SA establishment on insecure networks Data authentication Data authentication involves two concepts Identity authentication Mutual identity authentication between peers Two authentication methods are available pre shared key authentication and PKI based digital signature authe...

Page 302: ...ated in this stage ID and authentication data exchange used for identity authentication and authentication of data exchanged in phase 1 IKE functions IKE provides the following functions for IPsec Automatically negotiates IPsec parameters such as the keys Performs DH exchange when establishing an SA making sure that each SA has a key independent of other keys Automatically negotiates SAs when the ...

Page 303: ... Protocol IKE configuration task list Prior to IKE configuration you must determine the following parameters The strength of the algorithms for IKE negotiation the security protection level including the identity authentication method encryption algorithm authentication algorithm and DH group Different algorithms provide different levels of protection A stronger algorithm means more resistant to d...

Page 304: ...ay create multiple IKE proposals with different preferences The preference of an IKE proposal is represented by its sequence number and the lower the sequence number the higher the preference Two peers must have at least one matching IKE proposal for successful IKE negotiation During IKE negotiation the initiator sends its IKE proposals to the peer and the peer searches its own IKE proposals for a...

Page 305: ...egotiation responder the local end uses the IKE negotiation mode of the remote end Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator When acting as the responder the local end uses the IKE proposals configured in system view for negotiation Configure a pre shared key for pre shared key authentication or a PKI domain for digital signature authentication...

Page 306: ...s Specify a name for the local security gateway local name name Configure the name of the remote security gateway remote name name Optional By default no name is configured for the local security gateway in IKE peer view and the security gateway name configured by using the ike local name command is used The remote gateway name configured with remote name command on the local gateway must be ident...

Page 307: ...ew N A 2 Set the ISAKMP SA keepalive interval ike sa keepalive timer interval seconds No keepalive packet is sent by default 3 Set the ISAKMP SA keepalive timeout ike sa keepalive timer timeout seconds No keepalive packet is sent by default NOTE The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end Since it seldom occurs that more...

Page 308: ... of its peer only when necessary It generates less traffic than the keepalive mechanism which exchanges messages periodically To configure a DPD detector Step Command Remarks 1 Enter system view system view N A 2 Create a DPD detector and enter its view ike dpd dpd name N A 3 Set the DPD interval interval time interval time Optional 10 seconds by default 4 Set the DPD packet retransmission interva...

Page 309: ...hat uses IKE negotiation between gateways Switch A and Switch B to secure the communication between the two switches For Switch A configure an IKE proposal that uses the sequence number 10 and the authentication algorithm SHA1 Configure Switch B to use the default IKE proposal Configure the two routers to use the pre shared key authentication method Figure 89 Network diagram Configuration procedur...

Page 310: ...tion 5000 SwitchA ike proposal 10 quit Create IKE peer peer SwitchA ike peer peer Configure the IKE peer to reference IKE proposal 10 SwitchA ike peer peer proposal 10 Set the pre shared key SwitchA ike peer peer pre shared key Ab12 Specify the IP address of the peer security gateway SwitchA ike peer peer remote address 2 2 2 2 SwitchA ike peer peer quit Create an IPsec policy that uses IKE negoti...

Page 311: ...chB ipsec proposal tran1 quit Create an IKE proposal numbered 10 SwitchB ike proposal 10 Set the authentication algorithm to SHA1 SwitchB ike proposal 10 authentication algorithm sha Configure the authentication method as pre shared key SwitchB ike proposal 10 authentication method pre share Set the ISAKMP SA lifetime to 5000 seconds SwitchB ike proposal 10 sa duration 5000 SwitchB ike proposal 10...

Page 312: ...ch debugging ike error Invalid user ID Symptom Invalid user ID Analysis In IPsec user IDs are used to identify data flows and to set up different IPsec tunnels for different data flows Now the IP address and username are used as the user ID The following is the debugging information got NOTIFY of type INVALID_ID_INFORMATION Or drop message from A B C D due to notification type INVALID_ID_INFORMATI...

Page 313: ...y on the interface has established IPsec SA If the two commands show that one party has an SA but the other does not use the reset ipsec sa command to clear the IPsec SA that has no corresponding SA use the reset ike sa command to clear the IKE SA that has no corresponding IKE SA and trigger SA re negotiation ACL configuration error Symptom ACL configuration error results in data flow blockage Ana...

Page 314: ...d interaction between an SSH client and the server Stages Description Version negotiation SSH1 and SSH2 0 are supported The two parties negotiate a version to use Key and algorithm negotiation SSH supports multiple algorithms The two parties negotiate algorithms for communication and use the DH key exchange algorithm to generate the same session key and session ID Authentication The SSH server aut...

Page 315: ...hange algorithm and parameters such as the host key pair to generate the session key and session ID and the client authenticates the identity of the server Through the steps the server and the client get the same session key and session ID The session key will be used to encrypt and decrypt data exchanged between the server and client later The session ID will be used to identify the session estab...

Page 316: ... server Session request After passing authentication the client sends a session request to the server and the server listens to and processes the request from the client If the server successfully processes the request the server sends an SSH_SMSG_SUCCESS packet to the client and goes on to the interaction stage with the client Otherwise the server sends an SSH_SMSG_FAILURE packet to the client to...

Page 317: ...Optional Enabling the SSH server function Required Configuring the user interfaces for SSH clients Required Configuring a client public key Required for publickey authentication users and optional for password authentication users Configuring an SSH user Optional Setting the SSH management parameters Optional Setting the DSCP value for packets sent by the SSH server Optional Generating DSA or RSA ...

Page 318: ...marks 1 Enter system view system view N A 2 Generate DSA or RSA key pairs public key local create dsa rsa By default neither DSA nor RSA key pairs exist Enabling the SSH server function Step Command Remarks 1 Enter system view system view N A 2 Enable the SSH server function ssh server enable Disabled by default NOTE When the device acts as an SCP server only one SCP user is allowed to access to t...

Page 319: ...onfigure it manually You can type or copy the public key to the SSH server The public key must have not been converted and be in the Distinguished Encoding Rules DER encoding format Import it from the public key file During the import process the server will automatically convert the public key in the public key file to a string in Public Key Cryptography Standards PKCS format and save it locally ...

Page 320: ...ring SFTP For more information about SCP see Configuring SCP You can enable one of the following authentication modes for the SSH user Password The user must pass password authentication Publickey authentication The user must pass publickey authentication Password publickey authentication As an SSH2 0 user the user must pass both password and publickey authentication As an SSH1 user the user must ...

Page 321: ...ory name In FIPS mode ssh user username service type all scp sftp authentication type password password publickey assign publickey keyname work directory directory name Use one of the commands Setting the SSH management parameters SSH management includes Enabling the SSH server to be compatible with SSH1 client Setting the RSA server key pair update interval applicable to users using SSH1 client S...

Page 322: ...s called Traffic class According to RFC 2474 the ToS field is redefined as the differentiated services DS field where a DSCP value is represented by the first six bits 0 to 5 and is in the range 0 to 63 The remaining two bits 6 and 7 are reserved When a packet is being transmitted the network devices can identify its DSCP value and determines the transmission priority of the packet according to th...

Page 323: ... switch acts as an SSH client and connects to the SSH server you can configure whether the switch supports first time authentication With first time authentication when an SSH client not configured with the server host public key accesses the server for the first time the user can continue accessing the server and save the host public key on the client When accessing the server again the client wi...

Page 324: ...umber vpn instance vpn instance name identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 In FIPS mode ssh2 server port number vpn instance vpn instance name identity key rsa prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 ...

Page 325: ...in IPv4 packets sent by the SSH client and is 0 in IPv6 packets sent by the SSH client Displaying and maintaining SSH Task Command Remarks Display the source IP address or interface set for the SFTP client display sftp client source begin exclude include regular expression Available in any view Display the source IP address or interface information on an SSH client display ssh client source begin ...

Page 326: ...assword authentication Configure a username and password for the user on the switch Figure 91 Network diagram Configuration procedure 1 Configure the SSH server Generate the RSA key pairs Switch system view Switch public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the m...

Page 327: ...er client001 Switch luser client001 password simple aabbcc Switch luser client001 service type ssh Switch luser client001 authorization attribute level 3 Switch luser client001 quit Specify the service type for user client001 as stelnet and the authentication method as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Establish a connectio...

Page 328: ...er for publickey authentication Network requirements As shown in Figure 93 a host the SSH client and a switch the SSH server are directly connected Configure an SSH user on the switch so that the host can securely log in to the switch after passing publickey authentication Use the RSA public key algorithm Figure 93 Network diagram Configuration procedure During SSH server configuration the client ...

Page 329: ... Generate Figure 94 Generating the key pair on the client When the generator is generating the key pair you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 95 Otherwise the progress bar stops moving and the key pair generating process will be stopped ...

Page 330: ...317 Figure 95 Generating process b After the key pair is generated click Save public key and specify the file name as key pub to save the public key Figure 96 Saving the key pair on the client ...

Page 331: ...s 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server Switch ssh server enable Configure an IP address for VLAN interface 1 This address will serve as the destination of the SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 4...

Page 332: ... and establish a connection to the SSH server a Launch PuTTY exe to enter the interface as shown in Figure 97 b In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 97 Specifying the host name or IP address c Select Connection SSH Auth from the navigation tree The window as shown in Figure 98 appears d Click Browse to bring up the file selection window nav...

Page 333: ...ples Unless otherwise noted devices in the configuration examples are operating in non FIPS mode When switch acts as client for password authentication Network requirements As shown in Figure 99 Switch A the SSH client must pass password authentication to log in to Switch B the SSH server through the SSH protocol Configure the username client001 and the password aabbcc for the SSH client on Switch...

Page 334: ...or SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 15 SwitchB ui vty0 15 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 15 protocol inbound ssh SwitchB ui vty0 15 quit Create local...

Page 335: ...ic key by using the display public key local dsa public command on the server SwitchA public key peer key1 SwitchA pkey public key public key code begin SwitchA pkey key code 308201B73082012C06072A8648CE3804013082011F0281810 0D757262C4584C44C211F18BD96E5F0 SwitchA pkey key code 61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE 65BE6C265854889DC1EDBD13EC8B274 SwitchA pkey key code DA9F75BA26CCB9877...

Page 336: ...n Network requirements As shown in Figure 100 Switch A the SSH client must pass publickey authentication to log in to Switch B the SSH server through the SSH protocol Use the DSA public key algorithm Figure 100 Network diagram Configuration procedure During SSH server configuration the client public key is required Use the client software to generate a DSA key pair on the client before configuring...

Page 337: ...It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client will use as the destination for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set ...

Page 338: ...n type publickey assign publickey Switch001 3 Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 Username client002 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Later you will find that you have logged in to Switch B successfully ...

Page 339: ...ommand to set the service type of SSH users to sftp or all For more information about the configuration procedures see Configuring SSH2 0 Enabling the SFTP server This configuration task will enable the SFTP service so that a client can log in to the SFTP server through SFTP When the switch acts as the SFTP server the following restrictions are imposed on the SFTP client Only one client can access...

Page 340: ...ified source IP address or interface to access the SFTP server enhancing the service manageability To specify a source IP address or interface for the SFTP client Step Command Remarks 1 Enter system view system view N A 2 Specify a source IP address or interface for the SFTP client Specify a source IPv4 address or interface for the SFTP client sftp client source ip ip address interface interface t...

Page 341: ...identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 In FIPS mode sftp ipv6 server port number vpn instance vpn instance name identity key rsa prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 sha1 96 prefer kex dh group14 pr...

Page 342: ...ding a file Displaying a list of the files Deleting a file To work with SFTP files Step Command Remarks 1 Enter SFTP client view For more information see Establishing a connection to the SFTP server Execute the command in user view 2 Change the name of a file on the SFTP server rename old name new name Optional 3 Download a file from the remote server and save it locally get remote file local file...

Page 343: ...kets sent by the SFTP client A field in an IPv4 or IPv6 header contains 8 bits and is used to identify the service type of an IP packet In an IPv4 packet this field is called Type of Service ToS In an IPv6 packet this field is called Traffic class According to RFC 2474 the ToS field is redefined as the differentiated services DS field where a DSCP value is represented by the first six bits 0 to 5 ...

Page 344: ...N interface 1 and assign an IP address to it SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 192 168 0 2 255 255 255 0 SwitchA Vlan interface1 quit Generate the RSA key pairs SwitchA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bi...

Page 345: ...entication mode on the user interfaces to AAA SwitchB user interface vty 0 15 SwitchB ui vty0 15 authentication mode scheme Set the protocol that a remote user uses to log in as SSH SwitchB ui vty0 15 protocol inbound ssh SwitchB ui vty0 15 quit Import the peer public key from the file pubkey SwitchB public key peer Switch001 import sshkey pubkey For user client001 set the service type as SFTP aut...

Page 346: ...key drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Add a directory named new1 and check if it has been created successfully sftp client mkdir new1 New directory created sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 ...

Page 347: ...lient Terminate the connection to the remote SFTP server sftp client quit Bye Connection closed SwitchA SFTP server configuration example Unless otherwise noted devices in the configuration example are operating in non FIPS mode Network requirements As shown in Figure 102 an SSH connection is required between the host and the switch The host an SFTP client needs to log in to the switch for file ma...

Page 348: ...he user interfaces to AAA Switch user interface vty 0 15 Switch ui vty0 15 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 15 protocol inbound ssh Switch ui vty0 15 quit Configure a local user named client002 with the password being aabbcc and the service type being SSH Switch local user client002 Switch luser client002 password simple aabbcc Switch luser client...

Page 349: ... to launch the client interface as shown in Figure 103 and enter the following command open 192 168 1 45 b Enter username client002 and password aabbcc as prompted to log in to the SFTP server Figure 103 SFTP client interface ...

Page 350: ...pe to all or scp and specify the authentication method ssh user username service type all scp authentication type password any password publickey publickey assign publickey keyname work directory directory name N A 4 Create a user account and assign a working directory for the SSH user on the switch or a remote server if password authentication is used On the remote server Details not shown On the...

Page 351: ... prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 sha1 96 prefer kex dh group14 prefer stoc cipher aes128 aes256 prefer stoc hmac sha1 sha1 96 Upload a file to the IPv6 SCP server In non FIPS mode scp ipv6 server port number put source file path destination file path identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange ...

Page 352: ...destination file path identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 In FIPS mode scp ipv6 server port number get source file path destination file path identity key rsa prefer ctos cipher aes128 aes256 prefer ctos hmac sha1...

Page 353: ...tes transfered in 0 001 seconds SCP server configuration example Unless otherwise noted devices in the configuration example are operating in non FIPS mode Network requirements As shown in Figure 105 the switch acts as the SCP server and the host acts as the SCP client The host establishes an SSH connection to the switch The user uses the username test and the password aabbcc The username and pass...

Page 354: ...e 1 Switch Vlan interface1 ip address 192 168 1 45 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode of the user interfaces to AAA Switch user interface vty 0 15 Switch ui vty0 15 authentication mode scheme Enable the user interfaces to support all protocols including SSH Switch ui vty0 15 protocol inbound all Switch ui vty0 15 quit Create a local user named test Switch local u...

Page 355: ...n code MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message With the key the sender uses the MAC algorithm to compute the MAC value of a message Then the sender suffixes the MAC value to the message and sends the result to the receiver The receiver uses the same key and MAC algorithm to compute the MAC value of the received message and compar...

Page 356: ...tocol Enables the SSL client and server to send alert messages to each other An alert message contains the alert severity level and a description FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode Configuration task list Task Remarks Configuri...

Page 357: ...r policy to support In non FIPS mode ciphersuite rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha Optional By default an SSL server policy supports all cipher suites 5 Set the handshake timeout time for the SSL server handshake...

Page 358: ...ansfer Protocol Secure which uses SSL to log in to the web interface of the device Figure 108 Network diagram Configuration considerations To achieve the goal perform the following configurations Configure Device to work as the HTTPS server and request a certificate for Device Request a certificate for Host so that Device can authenticate the identity of Host Configure a CA server to issue certifi...

Page 359: ...r policy myssl pki domain 1 Enable client authentication Device ssl server policy myssl client verify enable Device ssl server policy myssl quit Configure HTTPS service to use SSL server policy myssl Device ip https ssl server policy myssl Enable HTTPS service Device ip https enable Create a local user named usera and set the password to 123 and service type to web Device local user usera Device l...

Page 360: ...ate based authentication for SSL clients you must use this command to specify a PKI domain for the client For more information about PKI domain configuration see Configuring PKI 4 Specify the preferred cipher suite for the SSL client policy In non FIPS mode prefer cipher rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode prefer...

Page 361: ...e server and the client have no matching cipher suite Solution 1 Issue the debugging ssl command and view the debugging information to locate the problem If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate request one for it If the server s certificate cannot be trusted install the root certificate of the CA that issued the local certificate to the ...

Page 362: ...e server unable to handle services normally The SYN Cookie feature can prevent SYN Flood attacks After receiving a TCP connection request the server directly returns a SYN ACK message instead of establishing an incomplete TCP connection Only after receiving an ACK message from the client can the server establish a connection and then enter ESTABLISHED state In this way incomplete TCP connections c...

Page 363: ...350 Task Command Remarks Display current TCP connection state display tcp status begin exclude include regular expression Available in any view ...

Page 364: ...the IP source guard function A binding entry can be statically configured or dynamically added Static IP source guard entries A static IP source guard entry is configured manually It is suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured For example you can configure a static binding entry on a port that connects a server allowing the port to receiv...

Page 365: ...IP source guard entries are generated according to DHCP snooping entries or DHCP relay entries They are suitable for scenarios where many hosts reside on a LAN and obtain IP addresses through DHCP Once DHCP allocates an IP address to a client IP source guard automatically adds the entry to allow the client to access the network A user using an IP address not obtained through DHCP cannot access the...

Page 366: ...ic IPv4 source guard entry On a Layer 2 Ethernet port IP source guard can cooperates with DHCP snooping and 802 1X to generate IP source guard entries On a VLAN interface IP source guard can cooperate with only DHCP relay to generate IP source guard entries Dynamic IPv4 source guard entries can contain such information as the MAC address IP address VLAN tag ingress port information and entry type ...

Page 367: ... Configure IPv4 source guard on the port ip verify source ip address ip address mac address mac address Not configured by default NOTE Although dynamic IPv4 source guard entries are generated based on DHCP entries the number of dynamic IPv4 source guard entries is not necessarily the same as that of the DHCP entries Configuring a static IPv4 source guard entry Static IPv4 binding entries take effe...

Page 368: ...ic IPv4 binding entry on a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 interface view interface interface type interface number N A 3 Configure a static IPv4 source guard entry on the port ip source binding ip address ip address ip address ip address mac address mac address mac address mac address vlan vlan id By default no static IPv4 binding entry is configured ...

Page 369: ...Cooperating with ND snooping IP source guard dynamically generates IP source guard entries based on dynamic ND snooping entries Dynamic IPv6 source guard entries can contain such information as the MAC address IPv6 address VLAN tag ingress port information and entry type DHCPv6 snooping or ND snooping where the MAC address IPv6 address and or VLAN tag information might not be included depending on...

Page 370: ...ecedence over global static IPv6 source guard entries A port matches a packet against global static binding entries only when the packet does not match any port based static binding entry or dynamic binding entry on the port Configuring global static IPv6 binding entries A global static IPv6 binding entry defines the IPv6 address and MAC address of the packets that can be forwarded by ports It tak...

Page 371: ...ximum number of IPv6 source guard entries The maximum number of IPv6 source guard entries is used to limit the total number of static and dynamic IPv6 source guard entries on a port When the number of IPv6 binding entries on a port reaches the maximum the port does not allow new IPv6 binding entries any more If the maximum number of IPv6 binding entries to be configured is smaller than the number ...

Page 372: ...e number ipv6 address ipv6 address mac address mac address slot slot number begin exclude include regular expression Available in any view IP source guard configuration examples Static IPv4 source guard configuration example Network requirements As shown in Figure 1 10 Host A and Host B are connected to ports GigabitEthernet 1 0 2 and GigabitEthernet 1 0 1 of Device B respectively Host C is connec...

Page 373: ... DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 ip verify source ip address mac address Configure GigabitEthernet 1 0 1 to allow only IP packets with the source MAC address of 0001 0203 0406 and the source IP address of 192 168 0 1 to pass DeviceA GigabitEthernet1 0 1 ip source binding ip address 192 168 0 1 mac address 0001 0203 0406 DeviceA GigabitEthernet1 0 1 quit 2 Confi...

Page 374: ...rce guard entries The output shows that the static IPv4 source guard entries are configured successfully DeviceB display ip source binding static Total entries found 2 MAC Address IP Address VLAN Interface Type 0001 0203 0406 192 168 0 1 N A GE1 0 2 Static N A 192 168 0 2 N A GE1 0 1 Static Dynamic IPv4 source guard using DHCP snooping configuration example Network requirements As shown in Figure ...

Page 375: ...whether they are consistent with the dynamic entries generated on GigabitEthernet 1 0 1 Device display dhcp snooping DHCP snooping is enabled The client binding table for all untrusted ports Type D Dynamic S Static R Recovering Type IP Address MAC Address Lease VLAN SVLAN Interface D 192 168 0 1 0001 0203 0406 86335 1 N A GigabitEthernet1 0 1 1 dhcp snooping item s found The output shows that a dy...

Page 376: ...relay server group 1 ip 10 1 1 1 Configure VLAN interface 100 to operate in DHCP relay mode Switch interface vlan interface 100 Switch Vlan interface100 dhcp select relay Correlate VLAN interface 100 with DHCP server group 1 Switch Vlan interface100 dhcp relay server select 1 Switch Vlan interface100 quit Verifying the configuration Display the generated IPv4 source guard entries Switch display ip...

Page 377: ...the binding entry is configured successfully Device display ipv6 source binding static Total entries found 1 MAC Address IP Address VLAN Interface Type 0001 0202 0202 2001 1 N A GE1 0 1 Static IPv6 Dynamic IPv6 source guard using DHCPv6 snooping configuration example Network requirements As shown in Figure 1 14 the host DHCPv6 client and the DHCPv6 server are connected to the device through ports ...

Page 378: ...1 Device display ipv6 source binding Total entries found 1 MAC Address IP Address VLAN Interface Type 040a 0000 0001 2001 1 2 GE1 0 1 DHCPv6 SNP Display all DHCPv6 snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1 0 1 Device display ipv6 dhcp snooping user binding dynamic IP Address MAC Address Lease VLAN Interface 2001 1 04...

Page 379: ...VLAN Interface Type 040a 0000 0001 2001 1 2 GE1 0 1 ND SNP Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1 0 1 Device display ipv6 nd snooping IPv6 Address MAC Address VID Interface Aging Status 2001 1 040a 0000 0001 2 GE1 0 1 25 Bound Total entries 1 The output shows that a dynamic IPv6 source guard en...

Page 380: ...nk DeviceB GigabitEthernet1 0 1 port trunk permit vlan 10 20 DeviceB GigabitEthernet1 0 1 quit Configure IPv4 source guard on GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to filter packets based on both the source IP address and MAC address DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitEthernet1 0 2 ip verify source ip address mac address DeviceB GigabitEthernet1 0 2 quit DeviceB inter...

Page 381: ...ace Type 0001 0203 0406 192 168 0 2 N A N A Static 0001 0203 0407 192 168 1 2 N A N A Static After the configurations Host A and Host B can ping each other successfully Troubleshooting IP source guard Symptom Failed to configure static or dynamic IP source guard on a port Analysis IP source guard is not supported on a port in an aggregation group or a service loopback group Solution Remove the por...

Page 382: ... receiving device For more information about ARP attack features and types see ARP Attack Protection Technology White Paper ARP attacks and viruses are threatening LAN security This chapter introduces multiple features to detect and prevent such attacks ARP attack protection configuration task list Task Remarks Flood prevention Configuring ARP defense against IP packet attacks Configuring ARP sour...

Page 383: ...rce address you can enable the ARP source suppression function With the function enabled you can set a threshold for the number of ARP requests that a sending host can trigger in 5 seconds with packets with unresolvable destination IP addresses When the number of ARP requests exceeds that threshold the device suppresses the host from triggering any ARP requests in the following 5 seconds If the pa...

Page 384: ... expression Available in any view Configuration example Network requirements As shown in Figure 1 17 a LAN contains two areas an R D area in VLAN 10 and an office area in VLAN 20 The two areas connect to the gateway Device through an access switch A large number of ARP requests are detected in the office area and are considered as the consequence of an IP flood attack To prevent such attacks confi...

Page 385: ... a large number of ARP packets to an ARP detection enabled device the CPU of the device will be overloaded because all of the ARP packets are redirected to the CPU for checking As a result the device fails to deliver other functions properly or even crashes To solve this problem you can configure ARP packet rate limit Enable this feature after the ARP detection or ARP snooping feature is configure...

Page 386: ...te limit arp rate limit disable rate pps drop By default ARP packet rate limit is disabled Configuring source MAC address based ARP attack detection With this feature enabled the device checks the source MAC address of ARP packets delivered to the CPU It detects an attack when one MAC address sends more ARP packets in 5 seconds than the specified threshold The device adds the MAC address to the at...

Page 387: ...xpires ARP packets sourced from the MAC address in the entry can be processed normally Displaying and maintaining source MAC address based ARP attack detection Task Command Remarks Display attacking MAC addresses detected by source MAC address based ARP attack detection display arp anti attack source mac slot slot number interface interface type interface number begin exclude include regular expre...

Page 388: ...of the server as a protected MAC address so that it can send ARP packets Configuration procedure Enable source MAC address based ARP attack detection and specify the filter mode Device system view Device arp anti attack source mac filter Set the threshold to 30 Device arp anti attack source mac threshold 30 Set the age timer for detection entries to 60 seconds Device arp anti attack source mac agi...

Page 389: ...packet source MAC address consistency check arp anti attack valid check enable Disabled by default Configuring ARP active acknowledgement Introduction The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating any incorrect ARP entry For more informa...

Page 390: ...d the ARP packet is considered invalid and is discarded If no entry with a matching IP address is found the device compares the ARP packet s sender IP and MAC addresses against the DHCP snooping entries 802 1X security entries and OUI MAC addresses 3 If a match is found from those entries the ARP packet is considered valid and is forwarded For a packet to pass user validity check based on OUI MAC ...

Page 391: ...UI MAC addresses is disabled by default 5 Return to system view quit N A 6 Enter Layer 2 Ethernet interface Layer 2 aggregate interface view interface interface type interface number N A 7 Configure the port as a trusted port on which ARP detection does not apply arp detection trust Optional The port is an untrusted port by default Configuring ARP packet validity check Perform this task to enable ...

Page 392: ...h the trusted ports If the packets are ARP responses they are forwarded according to their destination MAC address If no match is found in the MAC address table they are forwarded through the trusted ports Before performing the following configuration make sure you have configured the arp detection enable command To enable ARP restricted forwarding Step Command Remarks 1 Enter system view system v...

Page 393: ...any view Display the ARP detection statistics display arp detection statistics interface interface type interface number begin exclude include regular expression Available in any view Clear the ARP detection statistics reset arp detection statistics interface interface type interface number Available in user view User validity check configuration example Network requirements As shown in Figure 1 1...

Page 394: ...r test service type lan access SwitchB luser test password simple test SwitchB luser test quit Enable ARP detection for VLAN 10 SwitchB vlan 10 SwitchB vlan10 arp detection enable Configure the upstream port as a trusted port and the downstream ports as untrusted ports a port is an untrusted port by default SwitchB vlan10 interface gigabitethernet 1 0 3 SwitchB GigabitEthernet1 0 3 arp detection t...

Page 395: ...chB dhcp snooping SwitchB interface gigabitethernet 1 0 3 SwitchB GigabitEthernet1 0 3 dhcp snooping trust SwitchB GigabitEthernet1 0 3 quit Enable ARP detection for VLAN 10 SwitchB vlan 10 SwitchB vlan10 arp detection enable Configure the upstream port as a trusted port a port is an untrusted port by default SwitchB vlan10 interface gigabitethernet 1 0 3 SwitchB GigabitEthernet1 0 3 arp detection...

Page 396: ...at port isolation configured on Switch B can take effect for broadcast ARP requests Figure 121 Network diagram Configuration procedure 1 Configure VLAN 10 add ports to VLAN 10 and configure the IP address of the VLAN interface as shown in Figure 117 Details not shown 2 Configure DHCP address pool 0 on Switch A as a DHCP server SwitchA system view SwitchA dhcp enable SwitchA dhcp server ip pool 0 S...

Page 397: ...es checked first and then are checked against the static IP source guard binding entries and finally DHCP snooping entries However ARP broadcast requests sent from Host A can pass the check on Switch B and reach Host B Port isolation fails Configure ARP restricted forwarding SwitchB vlan 10 SwitchB vlan10 arp restricted forwarding enable SwitchB vlan10 quit After the configuration Switch B forward...

Page 398: ...ARP entry changed from a dynamic one use the undo arp ip address vpn instance name command To delete all such static ARP entries use the reset arp all or reset arp static command Configuration procedure To configure ARP automatic scanning and fixed ARP Step Command 1 Enter system view system view 2 Enter interface view interface interface type interface number 3 Enable ARP automatic scanning arp s...

Page 399: ...rce ip address Disabled by default Configuration example Network requirements As shown in Figure 122 Host B launches gateway spoofing attacks to Switch B As a result traffic that Switch B intends to send to Switch A is sent to Host B Configure Switch B to block such attacks Figure 122 Network diagram Configuration procedure Configure ARP gateway protection on Switch B SwitchB system view SwitchB i...

Page 400: ...ds arp filter source and arp filter binding cannot be both configured on a port If ARP filtering works with ARP detection and ARP snooping ARP filtering applies first Configuration procedure To configure ARP filtering Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view Layer 2 aggregate interface view interface interface type interface number N A 3 Conf...

Page 401: ...net 1 0 2 SwitchB GigabitEthernet1 0 2 arp filter binding 10 1 1 3 000f e349 1234 After the configuration is complete GigabitEthernet 1 0 1 will permit incoming ARP packets with sender IP and MAC addresses as 10 1 1 2 and 000f e349 1233 and discard other ARP packets GigabitEthernet 1 0 2 will permit incoming ARP packets with sender IP and MAC addresses as 10 1 1 9 and 000f e349 1233 and discard ot...

Page 402: ...er Advertisement RA Redirect RR As shown in Figure 124 an attacker can attack a network by sending forged ICMPv6 messages Sends forged NS NA RS packets with the IPv6 address of a victim host The gateway and other hosts update the ND entry for the victim host with incorrect address information As a result all packets intended for the victim host are sent to the attacking host rather than the victim...

Page 403: ...rom a spoofing host or gateway it is discarded The ND detection function operates on a per VLAN basis In an ND detection enabled VLAN a port is either ND trusted or ND untrusted An ND trusted port does not check ND packets for address spoofing An ND untrusted port checks all ND packets but RA and RR messages in the VLAN for source spoofing RA and RR messages are considered illegal and are discarde...

Page 404: ...g If not no ND packets in the VLAN can match the binding Configuration procedure To configure ND detection Step Command Remarks 1 Enter system view system view N A 2 Enter VLAN view vlan vlan id N A 3 Enable ND Detection ipv6 nd detection enable Disabled by default 4 Quit system view quit N A 5 Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view interface interface type inter...

Page 405: ...e 1 Configuring Switch A Enable IPv6 forwarding SwitchA system view SwitchA ipv6 Create VLAN 10 SwitchA vlan 10 SwitchA vlan10 quit Assign port GigabitEthernet 1 0 3 to VLAN 10 SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 port link type trunk SwitchA GigabitEthernet1 0 3 port trunk permit vlan 10 SwitchA GigabitEthernet1 0 3 quit Assign an IPv6 address to VLAN interface 10 ...

Page 406: ...k SwitchB GigabitEthernet1 0 3 port trunk permit vlan 10 SwitchB GigabitEthernet1 0 3 quit Enable ND snooping for global unicast and link local addresses in VLAN 10 SwitchB ipv6 nd snooping enable link local SwitchB ipv6 nd snooping enable global SwitchB vlan 10 SwitchB vlan 10 ipv6 nd snooping enable Enable ND detection in VLAN 10 SwitchB vlan 10 ipv6 nd detection enable SwitchB vlan 10 quit Conf...

Page 407: ...s the server Router B requests with a forged source IP address 2 2 2 1 and Router B sends response packets to IP address 2 2 2 1 Router C Consequently both Router B and Router C are attacked URPF can prevent such attacks URPF check modes URPF supports two check modes Strict URPF To pass strict URPF check the source address and receiving interface of a packet must match the destination address and ...

Page 408: ...the source address of the received packet A broadcast source address An all zone source address Does the FIB entry match the source address A broadcast destination addres Is there a default route Loose URPF Check passed Discard Yes Yes Yes Yes No Yes Yes No Does the output interface of the default route match the receiving interface No No No No Loose URPF Yes No No Yes Yes Does the receiving inter...

Page 409: ...e of the matching FIB entry If yes proceeds to step 8 If not proceeds to step 9 5 URPF checks whether the source IP address matches an ARP entry If yes proceeds to step 8 If not proceeds to step 9 6 URPF checks whether the FIB table has a default route If yes proceeds to step 7 If not proceeds to step 9 7 URPF checks whether the check mode is loose If yes proceeds to step 8 If not URPF checks whet...

Page 410: ...trict Disabled by default NOTE The routing table size decreases by half when URPF is enabled on the HP 5500 HI switches To prevent loss of routes and packets URPF cannot be enabled if the number of route entries the switch maintains exceeds half the routing table size URPF configuration example Network requirements As shown in Figure 129 a client Switch A directly connects to the ISP switch Switch...

Page 411: ...re 129 Network diagram Configuration procedure 1 Enable strict URPF check on Switch A SwitchA system view SwitchA ip urpf strict 2 Enable strict URPF check on Switch B SwitchB system view SwitchB ip urpf strict ...

Page 412: ... 130 Network diagram for MFF As shown in Figure 130 hosts are connected to Switch C aggregation node through Switch A and Switch B Ethernet access nodes or EANs The MFF enabled EANs forward packets from the hosts to the gateway for further forwarding Thus the hosts isolated at Layer 2 can communicate at Layer 3 without knowing the MAC address of each other MFF is often used in cooperation with the...

Page 413: ...addresses are learned a user port discards all received unicast packets Network port An MFF network port is connected to a networking device such as an access switch a distribution switch or a gateway A network port processes the following packets differently Allows multicast packets and DHCP packets to pass Delivers ARP packets to the CPU Denies broadcast packets You need to configure the followi...

Page 414: ...from a gateway is different from that of the gateway the MFF device uses the new MAC to replace the old one Working mechanism Hosts connecting to an MFF device use the ARP fast reply mechanism for Layer 3 communication This mechanism helps reduce the number of broadcast messages The MFF device processes ARP packets in the following steps After receiving an ARP request from a host the MFF device se...

Page 415: ...gateway s MAC address MFF in automatic mode uses the IP and MAC addresses of the first DHCP snooping entry corresponding to the gateway as the sender IP and MAC addresses of an ARP request and sends the ARP request to the gateway In manual mode MFF uses the IP and MAC addresses of the ARP snooping entry corresponding to the gateway After that MFF will always use this entry to detect the gateway s ...

Page 416: ...ew vlan vlan id N A 3 Specify the IP addresses of servers mac forced forwarding server server ip 1 10 No server IP address is specified by default Displaying and maintaining MFF Task Command Remarks Display MFF port configuration information display mac forced forwarding interface begin exclude include regular expression Available in any view Display the MFF configuration information of a specifie...

Page 417: ...vice dhcp pool 1 gateway list 10 1 1 100 Device dhcp pool 1 quit Configure the IP address of VLAN interface 1 Device interface Vlan interface 1 Device Vlan interface1 ip address 10 1 1 50 24 3 Configure Switch A Enable DHCP snooping SwitchA system view SwitchA dhcp snooping Enable MFF in automatic mode SwitchA vlan 100 SwitchA vlan 100 mac forced forwarding auto SwitchA vlan 100 quit Configure Gig...

Page 418: ...equirements As shown in Figure 132 all the devices are in VLAN 100 and the switches form a ring Host A Host B and Host C obtain IP addresses from the DHCP server They are isolated at Layer 2 and can communicate with each other through the gateway MFF automatic mode is enabled on Switch A and Switch B Figure 132 Network diagram Configuration procedure 1 Configure the IP address of VLAN interface 1 ...

Page 419: ...chA GigabitEthernet1 0 2 quit Configure GigabitEthernet 1 0 3 as a network port SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 mac forced forwarding network port Configure GigabitEthernet 1 0 3 as a DHCP snooping trusted port SwitchA GigabitEthernet1 0 3 dhcp snooping trust no user binding 4 Configure Switch B Enable DHCP snooping SwitchB system view SwitchB dhcp snooping Ena...

Page 420: ... hosts and the server the IP address of the server is specified on the MFF devices manually Figure 133 Network diagram Configuration procedure 1 Configure IP addresses of the hosts as shown in Figure 133 2 Configure the IP address of VLAN interface 1 on the gateway Gateway system view Gateway interface Vlan interface 1 Gateway Vlan interface1 ip address 10 1 1 100 24 3 Configure Switch A Configure...

Page 421: ...iguration example in a ring network Network requirements As shown in Figure 134 all the devices are in VLAN 100 and the switches form a ring Host A Host B and Host C are configured with IP addresses manually They are isolated at Layer 2 and can communicate with each other through the gateway To ensure communication between hosts and the server the IP address of the server is specified on the MFF d...

Page 422: ...ernet1 0 3 mac forced forwarding network port 4 Configure Switch B Enable STP SwitchB stp enable Configure manual mode MFF SwitchB vlan 100 SwitchB vlan 100 mac forced forwarding default gateway 10 1 1 100 Specify the IP address of the server SwitchB vlan 100 mac forced forwarding server 10 1 1 200 Enable ARP snooping SwitchB vlan 100 arp snooping enable SwitchB vlan 100 quit Configure GigabitEthe...

Page 423: ...DHCPv6 and SLAAC The following section describes SAVI configurations in these address assignment scenarios After a port is down the switch can wait for a period of delay time before deleting the DHCPv6 snooping entries and ND snooping entries for that port The deletion delay time is configurable This delay ensures a valid IPv6 user to access the port for the event that a port goes down and resumes...

Page 424: ...ch B connects to the DHCPv6 server through interface GigabitEthernet 1 0 1 and connects to two DHCPv6 clients through interfaces GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 The three interfaces of Switch B belong to VLAN 2 The client can obtain IP address only through DHCPv6 Configure SAVI on Switch B to automatically bind the IP addresses assigned through DHCPv6 and permit only packets from b...

Page 425: ...ooping entries and DHCPv6 snooping entries applied on the interfaces connected to the clients and against static binding entries The items to be examined include MAC address IPv6 address VLAN information and ingress port Configuration procedure Enable SAVI SwitchB system view SwitchB ipv6 savi strict Enable IPv6 SwitchB ipv6 Globally enable DHCPv6 snooping SwitchB ipv6 dhcp snooping enable Assign ...

Page 426: ...hosts can obtain IPv6 addresses only through SLAAC Configure SAVI on Switch B to bind the addresses assigned through SLAAC and permit only packets from the bound addresses Configuration considerations Configure Switch B as follows 1 Enable SAVI 2 Enable global unicast address ND snooping and link local address ND snooping For more information about ND snooping see Layer 3 IP Services Configuration...

Page 427: ...and against static binding entries The items to be examined include MAC address IPv6 address VLAN information and ingress port Configuration procedure Enable SAVI SwitchB system view SwitchB ipv6 savi strict Enable IPv6 SwitchB ipv6 Assign GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to VLAN 10 SwitchB vlan 10 SwitchB vlan10 port gigabitethernet 1 0 1 gigabitethernet 1 0 2...

Page 428: ...through DHCPv6 or SLAAC Configure SAVI on Switch B to permit only packets from addresses assigned through DHCPv6 and the bound addresses assigned through SLAAC Configuration considerations Configure Switch B as follows 1 Enable SAVI 2 Enable DHCPv6 snooping For more information about DHCPv6 snooping see Layer 3 IP Services Configuration Guide 3 Enable global unicast address ND snooping and link lo...

Page 429: ...witchB system view SwitchB ipv6 savi strict Enable IPv6 SwitchB ipv6 Enable DHCPv6 snooping SwitchB ipv6 dhcp snooping enable Assign interfaces GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 to VLAN 2 SwitchB vlan 2 SwitchB vlan2 port gigabitethernet 1 0 1 gigabitethernet 1 0 2 gigabitethernet 1 0 3 gigabitethernet 1 0 4 gigabitethernet 1 0 5 Enable DHCPv6 snooping in VLAN 2 SwitchB vlan2 ipv...

Page 430: ... 3 SwitchB GigabitEthernet1 0 3 ipv6 verify source ipv6 address mac address SwitchB GigabitEthernet1 0 3 quit SwitchB interface gigabitethernet 1 0 4 SwitchB GigabitEthernet1 0 4 ipv6 verify source ipv6 address mac address SwitchB GigabitEthernet1 0 4 quit SwitchB interface gigabitethernet 1 0 5 SwitchB GigabitEthernet1 0 5 ipv6 verify source ipv6 address mac address ...

Page 431: ...nfigurable User login failure reasons include wrong username wrong password and wrong verification code for web users The device also supports adding and removing blacklist entries manually Manually configured blacklist entries fall into two categories permanent and non permanent A permanent blacklist entry is always present unless being removed manually whereas a non permanent blacklist entry has...

Page 432: ...st Do not specify any aging time to make the entry never age out Device blacklist ip 5 5 5 5 Verifying the configuration If Host C tries to log in to Device through web for six times but fails to log in the device blacklists Host C Use the display blacklist all command to view all added blacklist entries Device display blacklist all Blacklist information Blacklist enabled Blacklist items 2 IP Type...

Page 433: ...t C will stay on the list for 10 minutes and will then be able to try to log in again The entry for Host D will never age out When you do not consider Host D an attacker anymore you can use the undo blacklist ip 5 5 5 5 command to remove the entry ...

Page 434: ...f FIPS allowed cryptographic algorithms A cryptographic algorithm is run on data for which the correct output is already known The calculated output is compared with the known answer If they are not identical the known answer test fails Conditional self tests A conditional self test runs when an asymmetrical cryptographic module or a random number generator module is invoked Conditional self tests...

Page 435: ... FIPS mode for an IRF fabric you must reboot all IRF member devices After you change the switch to operate in FIPS mode local Telnet users in previous non FIPS cannot log into the switch Do not disable the password control function when the switch operates in FIPS mode Otherwise users might be unable to log in To enable the FIPS mode Step Command Remarks 1 Enter system view system view N A 2 Enabl...

Page 436: ... port Configure Switch to operate in FIPS mode and create a local user for PC so that PC can log in to the switch Figure 139 Network diagram Configuration procedure Enable the FIPS mode Sysname system view Sysname fips mode enable FIPS mode change requires a device reboot Continue Y N y Change the configuration to meet FIPS mode requirements save the configuration to the next startup configuration...

Page 437: ...you cannot log in to the switch after the switch reboots In this case reboot the switch without the configuration file by ignoring or removing the configuration file so that the switch operates in non FIPS mode and then make correct configurations Verifying the configuration After the switch reboots enter the username test and password AAbbcc1234 The system prompts that your first login is success...

Page 438: ...425 Sysname display fips status FIPS mode is enabled ...

Page 439: ...ing you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking category For a complete list ...

Page 440: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Page 441: ... 2 features Represents an access controller a unified wired WLAN module or the switching engine on a unified wired WLAN switch Represents an access point Represents a security product such as a firewall a UTM or a load balancing or security card that is installed in a device Represents a security card such as a firewall card a load balancing card or a NetStream card Port numbering in examples The ...

Page 442: ...an entity DN 249 Configuring an IKE peer 292 Configuring an IKE proposal 291 Configuring an SSL client policy 347 Configuring an SSL server policy 343 Configuring ARP active acknowledgement 376 Configuring ARP automatic scanning and fixed ARP 384 Configuring ARP defense against IP packet attacks 370 Configuring ARP detection 377 Configuring ARP filtering 387 Configuring ARP gateway protection 385 ...

Page 443: ... and maintaining public keys 240 Displaying and maintaining SSH 312 Displaying and maintaining SSL 347 Displaying and maintaining TCP attack protection 349 Displaying and maintaining the blacklist 418 Displaying and maintaining user profiles 219 Displaying or exporting the local host public key 238 E EAD fast deployment configuration example 101 Enabling 802 1X 78 Enabling a user profile 218 Enabl...

Page 444: ...est attempts 81 Setting the maximum number of concurrent 802 1X users on a port 81 Setting the NAT keepalive timer 294 Setting the port authorization state 80 Setting the port security mode 200 SFTP client configuration example 331 SFTP server configuration example 334 Specifying a MAC authentication domain 108 Specifying a mandatory authentication domain on a port 84 Specifying a source IP addres...

Reviews:

No comments