2. After receiving the request, the LDAP client establishes a TCP connection with the LDAP server.

3. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.

4. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.

5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.

6. After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found.

7. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server. The server will check whether the user password is correct.

8. The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client notifies the user of the login failure and denies the user's access request.

9. The LDAP client and server perform authorization exchanges. If another scheme (for example, an HWTACACS scheme) is expected for authorization, the LDAP client exchanges authorization packets with the HWTACACS authorization server instead.

10. After successful authorization, the LDAP client notifies the user of the successful login.
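The following Python program is an added example, not code from the guide or from the switch software. It simulates steps 3 through 8 of the flow above against an in-memory stand-in for an LDAP server: the client binds with the administrator DN to gain search rights, searches below the base DN with the configured scope and username attribute, and then tries a user bind with each returned DN until one succeeds or all fail. The directory contents, DNs, passwords and the `MockLdapServer` class are all constructed for the example; how a real server answers a bind or search is not reproduced beyond what the steps describe.

```python
"""Simulation of the NAS-side LDAP authentication flow (steps 3-8).

Everything here is constructed for illustration: the directory, the DNs,
the passwords and the MockLdapServer stand-in. No network is used.
"""
from dataclasses import dataclass

# Constructed sample directory. Two entries share the login name "alice" in
# different OUs, so a subtree search returns more than one DN (step 6).
DIRECTORY = {
    "cn=admin,dc=example,dc=com": {"cn": "admin", "userPassword": "admin-secret"},
    "uid=alice,ou=staff,dc=example,dc=com": {"uid": "alice", "userPassword": "old-pw"},
    "uid=alice,ou=contractors,dc=example,dc=com": {"uid": "alice", "userPassword": "alice-pw"},
    "uid=bob,ou=staff,dc=example,dc=com": {"uid": "bob", "userPassword": "bob-pw"},
}

ADMIN_DN = "cn=admin,dc=example,dc=com"
ADMIN_PASSWORD = "admin-secret"


class MockLdapServer:
    """Minimal stand-in for an LDAP server: simple bind plus a filtered search."""

    def __init__(self, directory):
        self.directory = directory
        self.bound_as = None  # identity of the current bind, None = anonymous

    def bind(self, dn, password):
        """Simple bind: succeeds only if the DN exists and the password matches.
        A failed bind leaves the connection anonymous."""
        entry = self.directory.get(dn)
        ok = entry is not None and entry.get("userPassword") == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base_dn, scope, attr, value):
        """Return the DNs below base_dn whose attribute `attr` equals `value`.
        scope is "sub" (whole subtree) or "one" (direct children only).
        Searching requires a non-anonymous bind, which is why the client
        performs the administrator bind first (step 3)."""
        if self.bound_as is None:
            raise PermissionError("search requires an authenticated bind")
        suffix = "," + base_dn
        hits = []
        for dn, entry in self.directory.items():
            if not dn.endswith(suffix):
                continue
            relative = dn[: -len(suffix)]
            if scope == "one" and "," in relative:
                continue  # deeper than one level below the base
            if entry.get(attr) == value:
                hits.append(dn)
        return hits


@dataclass
class LdapClientConfig:
    """LDAP server settings the NAS holds for one scheme (names constructed)."""
    server: MockLdapServer
    admin_dn: str
    admin_password: str
    base_dn: str
    scope: str = "sub"
    username_attr: str = "uid"


def make_client(base_dn="dc=example,dc=com", scope="sub", admin_password=ADMIN_PASSWORD):
    """Build a client configuration over a fresh mock server."""
    return LdapClientConfig(MockLdapServer(DIRECTORY), ADMIN_DN, admin_password, base_dn, scope)


def ldap_login(cfg, username, password):
    """Run steps 3-8 for one login attempt.

    Returns (accepted, bound_dn, trace), where trace lists each step taken.
    """
    trace = []
    # Steps 3-4: administrator bind to obtain the right to search.
    if not cfg.server.bind(cfg.admin_dn, cfg.admin_password):
        trace.append("admin bind failed")
        return False, None, trace
    trace.append("admin bind ok")
    # Steps 5-6: user DN search by base DN, scope and username filter.
    dns = cfg.server.search(cfg.base_dn, cfg.scope, cfg.username_attr, username)
    trace.append(f"search returned {len(dns)} DN(s)")
    if not dns:
        # No matching DN: nothing to bind with, so the login cannot succeed.
        return False, None, trace
    # Steps 7-8: bind with each DN in turn until one succeeds or all fail.
    for dn in dns:
        if cfg.server.bind(dn, password):
            trace.append(f"user bind ok: {dn}")
            return True, dn, trace
        trace.append(f"user bind failed: {dn}")
    return False, None, trace


if __name__ == "__main__":
    accepted, dn, trace = ldap_login(make_client(), "alice", "alice-pw")
    print(accepted, dn)
    print("\n".join(trace))
```

Running it shows the step 8 fallback: the first DN returned for `alice` rejects the password, the second accepts it, and the login is granted as that DN. Narrowing the base DN to `ou=staff,dc=example,dc=com` with scope `one` returns only the staff entry, so the same password is then refused, which is the effect the guide attributes to the search base DN and scope settings.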

AAA implementation on the device 

This section describes AAA user management and methods. 

User management based on ISP domains and user access types 

AAA manages users based on the users' ISP domains and access types.

On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a user belongs based on the username entered by the user at login.

Figure 8 Determining the ISP domain for a user by username

AAA manages users in the same ISP domain based on the users' access types. The device supports the following user access types:

 

Summary of Contents for FlexFabric 5700 series

Page 1: ...HP FlexFabric 5700 Switch Series Security Configuration Guide Part number 5998 6696 Software version Release 2416 Document version 6W100 20150130 ...

Page 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Page 3: ... the maximum number of concurrent login users 47 Configuring a NAS ID profile 47 Displaying and maintaining AAA 48 AAA configuration examples 48 AAA for SSH users by an HWTACACS server 48 Local authentication HWTACACS authorization and RADIUS accounting for SSH users 49 Authentication and authorization for SSH users by a RADIUS server 51 Authentication for SSH users by an LDAP server 54 Troublesho...

Page 4: ... Configuration guidelines 84 Configuration procedure 84 Specifying a mandatory authentication domain on a port 84 Configuring the quiet timer 85 Enabling the periodic online user reauthentication feature 85 Configuring an 802 1X guest VLAN 86 Configuration guidelines 86 Configuration prerequisites 86 Configuration procedure 87 Configuring an 802 1X Auth Fail VLAN 87 Configuration guidelines 87 Con...

Page 5: ...cation 118 Overview 118 Extended portal functions 118 Portal system components 118 Interaction between portal system components 120 Portal authentication modes 120 Portal authentication process 121 Portal configuration task list 123 Configuration prerequisites 123 Configuring a portal authentication server 124 Configuring a portal Web server 125 Enabling portal authentication on an interface 125 C...

Page 6: ...173 Configuration task list 176 Enabling port security 177 Setting port security s limit on the number of secure MAC addresses on a port 177 Setting the port security mode 178 Configuring port security features 179 Configuring NTK 179 Configuring intrusion protection 179 Configuring secure MAC addresses 180 Configuration prerequisites 181 Configuration procedure 181 Ignoring authorization informat...

Page 7: ...ing public keys 211 Examples of public key management 211 Example for entering a peer host public key 211 Example for importing a public key from a public key file 213 Configuring PKI 216 Overview 216 PKI terminology 216 PKI architecture 217 PKI operation 218 PKI applications 218 FIPS compliance 218 PKI configuration task list 218 Configuring a PKI entity 219 Configuring a PKI domain 220 Requestin...

Page 8: ...estrictions and guidelines 255 ACL based IPsec configuration task list 255 Configuring an ACL 256 Configuring an IPsec transform set 257 Configuring a manual IPsec policy 258 Configuring an IKE based IPsec policy 260 Applying an IPsec policy to an interface 264 Enabling ACL checking for de encapsulated packets 264 Configuring the IPsec anti replay function 265 Configuring IPsec anti replay redunda...

Page 9: ...ntication methods 301 FIPS compliance 302 Configuring the device as an SSH server 303 SSH server configuration task list 303 Generating local key pairs 303 Enabling the Stelnet server 304 Enabling the SFTP server 304 Enabling the SCP server 305 Configuring NETCONF over SSH 305 Configuring user lines for SSH login 305 Configuring a client s host public key 306 Configuring an SSH user 307 Configurin...

Page 10: ... task list 348 Configuring the IPv4SG feature 348 Enabling IPv4SG on an interface 348 Configuring a static IPv4SG binding 349 Configuring the IPv6SG feature 349 Enabling IPv6SG on an interface 349 Configuring a static IPv6SG binding 350 Displaying and maintaining IPSG 350 IPSG configuration examples 351 Static IPv4SG configuration example 351 Dynamic IPv4SG using DHCP snooping configuration exampl...

Page 11: ...elines 373 Configuration procedure 373 Configuration example 373 Configuring MFF 375 Overview 375 Basic concepts 376 MFF operation modes 376 MFF working mechanism 377 Protocols and standards 377 Configuring MFF 377 Enabling MFF 377 Configuring a network port 377 Enabling periodic gateway probe 378 Specifying the IP addresses of servers 378 Displaying and maintaining MFF 379 MFF configuration examp...

Page 12: ...guring QoS parameters for traffic management 396 Displaying and maintaining user profiles 396 User profile configuration examples 396 Local 802 1X authentication authorization with QoS policy configuration example 396 Configuring attack detection and prevention 401 Overview 401 Configuring TCP fragment attack prevention 401 Configuring ND attack defense 402 Overview 402 Configuring source MAC cons...

Page 13: ...gure 1 AAA network diagram To access networks or resources beyond the NAS a user sends its identity information to the NAS The NAS transparently passes the user information to AAA servers and waits for the authentication authorization and accounting result Based on the result the NAS determines whether to permit or deny the access request AAA has various implementations including RADIUS HWTACACS a...

Page 14: ...cation authorization and accounting requests from RADIUS clients 2 Performs user authentication authorization or accounting 3 Returns user access control information for example rejecting or accepting the user access request to the clients The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy services The RADIUS server maintains the following databas...

Page 15: ...MD5 algorithm and shared key 3 The RADIUS server authenticates the username and password If the authentication succeeds the server sends back an Access Accept packet that contains the user s authorization information If the authentication fails the server returns an Access Reject packet 4 The RADIUS client permits or denies the user according to the authentication result If the result permits the ...

Page 16: ...er Password and NAS Port 2 Access Accept From the server to the client If all attribute values included in the Access Request are acceptable the authentication succeeds and the server sends an Access Accept response 3 Access Reject From the server to the client If any attribute value included in the Access Request is unacceptable the authentication fails and the server sends an Access Reject respo...

Page 17: ... the Type subfield Commonly used RADIUS attributes are defined in RFC 2865 RFC 2866 RFC 2867 and RFC 2868 For more information see Commonly used standard RADIUS attributes Table 2 Commonly used RADIUS attributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acc...

Page 18: ...t Input Octets 89 unassigned 43 Acct Output Octets 90 Tunnel Client Auth id 44 Acct Session Id 91 Tunnel Server Auth id Extended RADIUS attributes The RADIUS protocol features excellent extensibility The Vendor Specific attribute attribute 26 allows a vendor to define extended attributes The extended attributes implement functions that the standard RADIUS protocol does not provide A vendor can enc...

Page 19: ...y differences between HWTACACS and RADIUS Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP which provides reliable network transmission Uses UDP which provides high transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only the user password field in an authentication packet Protocol packets are complicated and authorization is inde...

Page 20: ...thentication response to request the login password 8 Upon receipt of the response the HWTACACS client prompts the user for the login password Host HWTACACS client HWTACACS server 1 The user tries to log in 2 Start authentication packet 3 Authentication response requesting the username 4 Request for username 5 The user enters the username 6 Continue authentication packet with the username 7 Authen...

Page 21: ... X 500 protocol It improves the following functions of X 500 Read write interactive access Browse Search LDAP is suitable for storing data that does not often change The protocol is used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating systems The software stores the user information and user group information for user login ...

Page 22: ...legal In LDAP authorization the client performs the same tasks as in LDAP authentication When the client constructs search conditions it obtains both authorization information and the user DN list If the authorization information meets the authorization requirements the authorization process ends If the authorization information does not meet the authorization requirements the client sends an admi...

Page 23: ...nd operation result If the bind operation fails the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server This process continues until a DN is bound successfully or all DNs fail to be bound If all user DNs fail to be bound the LDAP client notifies the user of the login failure and denies the user s access request 9 The LDAP client and server p...

Page 24: ...d and low cost but the amount of information that can be stored is limited by the size of the storage space Remote authentication The NAS works with a RADIUS HWTACACS or LDAP server to authenticate users The server manages user information in a centralized manner Remote authentication provides high capacity reliable and centralized authentication services for multiple NASs You can configure backup...

Page 25: ...n command authorization is enabled command accounting enables the accounting server to record all authorized commands For more information about command accounting see Fundamentals Configuration Guide User role authentication Authenticates each user who wants to obtain another user role without logging out or getting disconnected For more information about user role authentication see Fundamentals...

Page 26: ...n of the authentication failure 26 Vendor Specific Vendor specific proprietary attribute A packet can contain one or more proprietary attributes each of which can contain one or more sub attributes 27 Session Timeout Maximum service duration for the user before termination of the session 28 Idle Timeout Maximum idle time permitted for the user before termination of the session 31 Calling Station I...

Page 27: ...rection from the user to the NAS in bps 4 Output Peak Rate Peak rate in the direction from the NAS to the user in bps 5 Output Average Rate Average rate in the direction from the NAS to the user in bps 6 Output Basic Rate Basic rate in the direction from the NAS to the user in bps 15 Remanent_Volume Total remaining available traffic for the connection in different units for different server types ...

Page 28: ...after the SSL VPN user passes authentication A user can belong to multiple user groups that are separated by semicolons This attribute is used to work with the SSL VPN device 141 Security_Level Security level assigned after the SSL VPN user passes security authentication 201 Input Interval Octets Number of bytes input within a real time accounting interval 202 Output Interval Octets Number of byte...

Page 29: ...domains 1 Required Creating an ISP domain 2 Optional Configuring ISP domain attributes 3 Required Perform at least one of the following tasks to configure AAA authentication authorization and accounting methods for the ISP domain Configuring authentication methods for an ISP domain Configuring authorization methods for an ISP domain Configuring accounting methods for an ISP domain Optional Enablin...

Page 30: ...to a local user group and has all attributes of the group The attributes include the password control attributes and authorization attributes For more information about local user group see Configuring user group attributes Binding attributes Binding attributes control the scope of users and are checked during local authentication of a user If the attributes of a user do not match the binding attr...

Page 31: ...tal users only the following authorization attributes are effective acl user profile and vlan For Telnet and terminal users only the authorization attribute idle cut and user role is effective For HTTP and HTTPS users only the authorization attribute user role is effective For SSH users only the authorization attributes idle cut user role and work directory are effective For FTP users only the fol...

Page 32: ... mode service type ftp http https ssh telnet terminal In FIPS mode service type https ssh terminal By default no service is authorized to a local user 5 Optional Place the local user to the active or blocked state state active block By default a created local user is in active state and can request network services 6 Optional Set the upper limit of concurrent logins using the local user name acces...

Page 33: ...figure the maximum login attempts and the action to take if there is a login failure password control login attempt login times exceed lock lock time time unlock Optional By default the local user uses password control attributes of the user group to which the local user belongs Only device management users support the password control feature 10 Optional Assign the local user to a user group grou...

Page 34: ...e character user name check Configure the maximum login attempts and the action to take for login failures password control login attempt login times exceed lock lock time time unlock Optional By default the user group uses the global password control settings For more information see Configuring password control Displaying and maintaining local users and local user groups Execute display commands...

Page 35: ...P notifications for RADIUS Optional Displaying and maintaining RADIUS Creating a RADIUS scheme Create a RADIUS scheme before performing any other RADIUS configurations You can configure a maximum of 16 RADIUS schemes A RADIUS scheme can be used by multiple ISP domains To create a RADIUS scheme Step Command Remarks 1 Enter system view system view N A 2 Create a RADIUS scheme and enter RADIUS scheme...

Page 36: ...ion servers in a scheme primary or secondary cannot have the same combination of hostname IP address and port number Specifying the RADIUS accounting servers and the relevant parameters You can specify one primary accounting server and a maximum of 16 secondary accounting servers for a RADIUS scheme When the primary server is not available the device searches for the secondary servers in the order...

Page 37: ...y for a RADIUS server To specify a shared key for secure RADIUS communication Step Command Remarks 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Specify a shared key for secure RADIUS communication key accounting authentication cipher simple string By default no shared key is specified The shared key configured on the device must be the same ...

Page 38: ...ransmission attempts RADIUS uses UDP packets to transfer data Because UDP communication is not reliable RADIUS uses a retransmission mechanism to improve reliability A RADIUS request is retransmitted if the NAS does not receive a server response for the request within the response timeout timer For more information about the RADIUS server response timeout timer see Setting RADIUS timers You can se...

Page 39: ... the server to the active state the status of the server changes back to active The device does not check the server again during the authentication or accounting process When you remove a server in use communication with the server times out The device looks for a server in active state by first checking the primary server and then checking secondary servers in the order they are configured When ...

Page 40: ...US server identifies a NAS by its IP address Upon receiving a RADIUS packet a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS If the source IP address of the packet is the IP address of a managed NAS the server processes the packet If the source IP address of the packet is not the IP address of a managed NAS the server drops the packet The source...

Page 41: ...timer realtime accounting Defines the interval at which the device sends real time accounting packets to the RADIUS accounting server for online users When you set RADIUS timers follow these guidelines When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer consider the number of secondary servers If the retransmission process takes...

Page 42: ...ich the device waits to resend the accounting on packet and the maximum number of retries To configure the accounting on feature for a RADIUS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Enable accounting on accounting on enable interval seconds send send times By default the accounting on feature is disabled Conf...

Page 43: ...er system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Configure the Login Service attribute check method for SSH FTP and terminal users attribute 15 check mode loose strict The default check method is strict Enabling SNMP notifications for RADIUS When SNMP notifications are enabled for RADIUS the SNMP agent supports the following notifications generated b...

Page 44: ... scheme Required Specifying the HWTACACS authentication servers Optional Specifying the HWTACACS authorization servers Optional Specifying the HWTACACS accounting servers Required Specifying the shared keys for secure HWTACACS communication Optional Setting the username format and traffic statistics units Optional Specifying the source IP address for outgoing HWTACACS packets Optional Setting HWTA...

Page 45: ...imple string single connection Specify a secondary HWTACACS authentication server secondary authentication host name ipv4 address ipv6 ipv6 address port number key cipher simple string single connection By default no authentication server is specified Two HWTACACS authentication servers in a scheme primary or secondary cannot have the same combination of hostname IP address and port number Specify...

Page 46: ...first secondary server in active state is used for communication If redundancy is not required specify only the primary server An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time HWTACACS does not support accounting for FTP SFTP and SCP users To specify HWTACACS accounting servers for an HWTACACS s...

Page 47: ...e isp name argument represents the user s ISP domain name By default the ISP domain name is included in a username If HWTACACS servers do not recognize usernames that contain ISP domain names you can configure the device to send usernames without domain names to the servers If two or more ISP domains use the same HWTACACS scheme configure the HWTACACS scheme to keep the ISP domain name in username...

Page 48: ...fied in system view applies to all HWTACACS schemes Before sending an HWTACACS packet the NAS selects a source IP address in the following order 1 The source IP address specified for the HWTACACS scheme 2 The source IP address specified in system view 3 The IP address of the outbound interface specified by the route To specify a source IP address for all HWTACACS schemes Step Command Remarks 1 Ent...

Page 49: ...ver Tries to communicate with a secondary server in active state that has the highest priority If the secondary server is unreachable the device performs the following tasks Changes the server status to blocked Starts a quiet timer for the server Tries to communicate with the next secondary server in active state that has the highest priority The search process continues until the device finds an ...

Page 50: ... the reset command in user view Task Command Display the configuration or server statistics of HWTACACS schemes display hwtacacs scheme hwtacacs server name statistics Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization Configuring LDAP schemes Configuration task list Tasks at a glance Configuring an LDAP server Required Creating an LDAP server Required ...

Page 51: ...stem view N A 2 Enter LDAP server view ldap server server name N A 3 Specify the LDAP version protocol version v2 v3 By default LDAPv3 is used A Microsoft LDAP server supports only LDAPv3 Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server without receiving the server s response within the server timeout period the authentication or authorization r...

Page 52: ...earch policy determined by the LDAP user attributes of the LDAP client The LDAP user attributes include Search base DN Search scope Username attribute Username format User object class If the LDAP server contains many directory levels a user DN search starting from the root directory can take a long time To improve efficiency you can change the start point by specifying the search base DN To confi...

Page 53: ...DAP authentication server Step Command Remarks 1 Enter system view system view N A 2 Enter LDAP scheme view ldap scheme ldap scheme name N A 3 Specify the LDAP authentication server authentication server server name By default no LDAP authentication server is specified Displaying and maintaining LDAP Execute the display command in any view Task Command Display the configuration of LDAP schemes dis...

Page 54: ...ser does not provide an ISP domain name at login the device considers the user belongs to the default ISP domain An ISP domain cannot be deleted when it is the default ISP domain Before you use the undo domain command change the domain to a non default ISP domain by using the undo domain default enable command To create an ISP domain Step Command Remarks 1 Enter system view system view N A 2 Creat...

Page 55: ...ation methods follow these guidelines If a RADIUS scheme is used for authentication but not for authorization AAA accepts only the authentication result from the RADIUS server The Access Accept message from the RADIUS server also includes the authorization information but the device ignores the information To specify a scheme for user role authentication make sure the user role is in the format of...

Page 56: ...acacs scheme name radius scheme radius scheme name By default the default authentication method is used for obtaining a temporary user role Configuring authorization methods for an ISP domain Configuration prerequisites Before configuring authorization methods complete the following tasks 1 Determine the access type or service type to be configured With AAA you can configure an authorization schem...

Page 57: ...cs scheme name local none By default the default authorization method is used for login users The none keyword is not supported in FIPS mode 7 Specify the authorization method for portal users authorization portal local none none radius scheme radius scheme name local none By default the default authorization method is used for portal users The none keyword is not supported in FIPS mode Configurin...

Page 58: ... keyword is not supported in FIPS mode 6 Specify the accounting method for login users accounting login hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name local none local none none radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name local none By default the default accounting method is used for login users The none keyword is not supported in FIPS mode 7 Spec...

Page 59: ...equests A NAS ID profile enables you to send different NAS Identifier attribute strings in RADIUS requests from different VLANs The strings can be organization names service names or any user categorization criteria depending on the administrative requirements For example map the NAS ID companyA to all VLANs of company A The device will send companyA in the NAS Identifier attribute for the RADIUS ...

Page 60: ...ation Exclude domain names from the usernames sent to the HWTACACS server Use expert as the shared keys for secure HWTACACS communication Figure 10 Network diagram Configuration procedure 1 Configure the HWTACACS server Set the shared keys for secure communication with the switch to expert Details not shown Add user account hello for the SSH user and specify the password Details not shown 2 Config...

Page 61: ...DSA key pairs Switch public key local create rsa Switch public key local create dsa Enable the SSH service Switch ssh server enable Enable scheme authentication for user lines VTY 0 through VTY 63 Switch line vty 0 63 Switch line vty0 63 authentication mode scheme Switch line vty0 63 quit Enable the default user role feature to assign authenticated SSH users the default user role network operator ...

Page 62: ...cal create dsa Enable the SSH service Switch ssh server enable Enable scheme authentication for user lines VTY 0 through VTY 63 Switch line vty 0 63 Switch line vty0 63 authentication mode scheme Switch line vty0 63 quit Configure an HWTACACS scheme Switch hwtacacs scheme hwtac Switch hwtacacs hwtac primary authorization 10 1 1 2 49 Switch hwtacacs hwtac key authorization simple expert Switch hwta...

Page 63: ...ration Initiate an SSH connection to the switch and enter the username hello bbb and the correct password The user logs in to the switch Details not shown Verify that the user can use the commands permitted by the network operator user role Details not shown Authentication and authorization for SSH users by a RADIUS server Network requirements As shown in Figure 12 configure the switch to meet the...

Page 64: ...or manually add the access device with the IP address 10 1 1 2 f Leave the default settings for other parameters and click OK The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch The source IP address is chosen in the following order on the switch IP address specified by the nas ip command IP address specified by th...

Page 65: ... ip address 192 168 1 70 255 255 255 0 Switch Vlan interface2 quit Configure the IP address of VLAN interface 3 through which the switch communicates with the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Create local RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Enable the...

Page 66: ...witch domain bbb Switch isp bbb authentication login radius scheme rad Switch isp bbb authorization login radius scheme rad Switch isp bbb accounting login none Switch isp bbb quit Verifying the configuration Initiate an SSH connection to the switch and enter the username hello bbb and the correct password The user logs in to the switch Details not shown Verify that the user can use the commands p...

Page 67: ...ect Start Control Panel Administrative Tools b Double click Active Directory Users and Computers The Active Directory Users and Computers window is displayed c From the navigation tree click Users under the ldap com node d Select Action New User from the menu to display the dialog box for adding a user e Enter the logon name aaa and click Next Figure 16 Adding user aaa f In the dialog box enter th...

Page 68: ...ssword g Click OK Add user aaa to group Users h From the navigation tree click Users under the ldap com node i In the right pane right click the user aaa and select Properties j In the dialog box click the Member Of tab and click Add ...

Page 69: ...select field and click OK User aaa is added to group Users Figure 19 Adding user aaa to group Users Set the administrator password to admin 123456 a In the right pane right click the user Administrator and select Set Password b In the dialog box enter the administrator password Details not shown 2 Configure the switch ...

Page 70: ...ticated SSH users the default user role network operator Switch role default role enable Configure an LDAP server Switch ldap server ldap1 Specify the IP address of the LDAP authentication server Switch ldap server ldap1 ip 10 1 1 1 Specify the administrator DN Switch ldap server ldap1 login dn cn administrator cn users dc ldap dc com Specify the administrator password Switch ldap server ldap1 log...

Page 71: ...gured on the RADIUS server The password entered by the user is incorrect The RADIUS server and the NAS are configured with different shared keys Solution To resolve the problem 1 Check that the following items The NAS and the RADIUS server can ping each other The username is in the userid isp name format and the ISP domain is correctly configured on the NAS The user is configured on the RADIUS ser...

Page 72: ...ng error Symptom A user is authenticated and authorized but accounting for the user is not normal Analysis The accounting server configuration on the NAS is not correct Possible reasons include The accounting port number configured on the NAS is incorrect The accounting server IP address configured on the NAS is incorrect For example the NAS is configured to use a single server to provide authenti...

Page 73: ...No user search base DN is specified for the LDAP scheme. Solution: To resolve the problem: 1. Check the following items: The NAS and the LDAP server can ping each other. The IP address and port number of the LDAP server configured on the NAS match those of the server. The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS. The user is confi...

Page 74: ...s 802.1X clients by using the data sent from the access device. Then the server returns the authentication results to the access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use the access device as the authentication server. Figure 20 802.1X architecture. Controlled/uncontrolled port and port authorization status. 802.1X defines two log...

Page 75: ...hods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP). 802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the access device over a wired or wireless LAN. Between the access device and the authentication server, 802.1X delivers authentication information by using one of the following methods: Encapsulates EAP packets in RADIUS by using EA...

Page 76: ...e 4 lists the types of EAPOL packets supported by the HP implementation of 802.1X. Table 4 Types of EAPOL packets (Value, Type, Description): 0x00, EAP-Packet: The client and the access device use EAP-Packets to transport authentication information. 0x01, EAPOL-Start: The client sends an EAPOL-Start message to initiate 802.1X authentication to the access device. 0x02, EAPOL-Logoff: The client sends an EAPOL-Logoff ...

Page 77: ...ends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The destination MAC address of the packet is the IEEE 802.1X specified multicast address 01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start p...

Page 78: ...EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 26. Figure 26 EAP relay. In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the access device, you only need to use the dot1x authentication-method eap command to enable EAP relay. EAP termination mod...

Page 79: ...tributes and the EAP authentication method used by the client. EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. Supports only the following EAP authentication methods: MD5-Challenge EAP authentication; the username and password EAP authentication initiated by an HP iNode 802.1X client. The processing is complex on the access device. EAP relay: Figure 28 shows the bas...

Page 80: ...ed challenge (EAP-Request/MD5-Challenge) to encrypt the password in the entry. Then the server sends the challenge in a RADIUS Access-Challenge packet to the access device. 6. The access device transmits the EAP-Request/MD5-Challenge packet to the client. 7. The client uses the received challenge to encrypt the password and sends the encrypted password in an EAP-Response/MD5-Challenge packet to the acces...

Page 81: ...o consecutive handshake attempts fail, the device logs off the client. 12. Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a number of consecutive handshake attempts (two by default), the access device logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X users who have abnormally gone o...

Page 82: ...EAP termination mode, the access device, rather than the authentication server, generates an MD5 challenge for password encryption. The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server. ...

Page 83: ...r online users are affected. 802.1X VLAN manipulation. Authorization VLAN. You can specify authorization VLANs for an 802.1X user to control access to authorized network resources. When the 802.1X user passes authentication, the authentication server assigns the authorization VLANs or VLAN group to the user. Supported VLAN types and forms. Support for VLAN types and forms depends on the authorization typ...

Page 84: ...pending on whether the port has other online users: If the port does not have other online users, the device selects the VLAN with the lowest ID from the group of VLANs. If the port has other online users, the device selects the VLAN by using the following process: a. The device selects the VLAN that has the fewest number of online users. b. If two VLANs have the same number of online 802.1X users, the dev...

Page 85: ...t, do not reconfigure the port as a tagged member in the VLAN. On a port enabled with periodic online user reauthentication, the MAC-based VLAN feature does not take effect on a user who has been online before this feature was enabled. The access device creates a MAC-to-VLAN mapping for the user when the following requirements are met: The user passes reauthentication. The authorization VLAN for the use...

Page 86: ...t VLAN. The user can access only resources in the guest VLAN. A user in the 802.1X guest VLAN fails 802.1X authentication: If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN. A user in the 802.1X guest VL...

Page 87: ...t authorize a VLAN, the initial PVID of the port applies. The user and all subsequent 802.1X users are assigned to the initial PVID. After the user logs off, the PVID remains unchanged. On a port that performs MAC-based access control (Authentication status, VLAN manipulation): A user fails 802.1X authentication: The device maps the MAC address of the user to the 802.1X Auth-Fail VLAN. The user can access on...

Page 88: ...e servers: If an 802.1X Auth-Fail VLAN is configured, the PVID of the port changes to the Auth-Fail VLAN ID. All 802.1X users on this port are moved to the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the initial PVID of the port is restored. A user in the 802.1X critical VLAN passes 802.1X authentication: The device assigns the authorization VLAN of the user to the port as the PVID, and it ...

Page 89: ...e remaps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN. A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable: The user remains in the 802.1X Auth-Fail VLAN. For the 802.1X critical VLAN feature to take effect on a port that performs MAC-based access control, make sure the followi...

Page 90: ...network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication. EAD assistant enables the access device to redirect a user who is seeking to access the network to download and install an EAD client. This feature eliminat...

Page 91: ...l. Setting the maximum number of authentication request attempts: Optional. Setting the 802.1X authentication timeout timers: Optional. Configuring the online user handshake feature: Optional. Configuring the authentication trigger feature: Optional. Specifying a mandatory authentication domain on a port: Optional. Configuring the quiet timer: Optional. Enabling the periodic online user reauthentication featur...

Page 92: ...on initiated by an HP iNode 802.1X client. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP termination" for help. For more information about EAP relay and EAP termination, see "802.1X authentication procedures." To configure EAP relay or EAP termination (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. ...

Page 93: ...the authorization state of a port (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Enter Layer 2 Ethernet interface view: interface interface-type interface-number. N/A. 3. Set the port authorization state: dot1x port-control { authorized-force | auto | unauthorized-force }. By default, the auto state applies. Specifying an access control method (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2...

Page 94: ...cation timeout timers. The network device uses the following 802.1X authentication timeout timers: Client timeout timer: Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client. Server timeout timer: Starts when the access device sends a RADIUS Access-Request packet to ...

Page 95: ...restrictions and guidelines. To use the online user handshake security feature, make sure the online user handshake feature is enabled. The online user handshake security feature takes effect only on the network where the iNode client and IMC server are used. If the network has 802.1X clients that cannot exchange handshake packets with the access device, disable the online user handshake feature. This o...

Page 96: ...e. The default is 30 seconds. 3. Enter Layer 2 Ethernet interface view: interface interface-type interface-number. N/A. 4. Enable an authentication trigger: dot1x { multicast-trigger | unicast-trigger }. By default, the multicast trigger is enabled and the unicast trigger is disabled. Specifying a mandatory authentication domain on a port. You can place all 802.1X users in a mandatory authentication domain for auth...

Page 97: ...rmination-Action (attribute 29) attributes can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference). If the termination action is logging off users, periodic reauthentication takes effect only when the periodic reauthentication timer is shorter th...

Page 98: ...2.1X guest VLAN on a port. The assignment makes sure the port can correctly process incoming VLAN-tagged traffic. When you configure multiple security features on a port, follow the guidelines in Table 7. Table 7 Relationships of the 802.1X guest VLAN and other security features (Feature, Relationship description, Reference): 802.1X Auth-Fail VLAN on a port that performs MAC-based access control: The 802.1X...

Page 99: ...orrectly process VLAN-tagged incoming traffic. You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different. When you configure multiple security features on a port, follow the guidelines in Table 8. Table 8 Relationships of the 802.1X Auth-Fail VLAN with other features (Feature, Relationship description, Reference): MAC authentication guest VLAN...

Page 100: ...s. When you configure an 802.1X critical VLAN, follow these restrictions and guidelines: Assign different IDs to the voice VLAN, the PVID, and the 802.1X critical VLAN on a port. The assignment makes sure the port can correctly process VLAN-tagged incoming traffic. You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on different ports can be different. Configuration prerequ...

Page 101: ...121 123 22. If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain. To specify a set of domain name delimiters (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Specify a set of domain name delimiters for 802.1X users: dot1x domain-delimiter string. By default, only the at sign (@) delimiter is supported. NOTE: If you con...

Page 102: ...out ead-timeout-value. The default setting is 30 minutes. Displaying and maintaining 802.1X. Execute the display commands in any view and reset commands in user view (Task, Command): Display 802.1X session information, statistics, or configuration information of specified or all ports: display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]. Display online 802.1X user information: display ...

Page 103: ...address for each interface on the access device. (Details not shown.) 4. Configure user accounts for the 802.1X users on the access device: # Add a local network access user with the username localuser and password localpass in plaintext. Make sure the username and password are the same as those configured on the RADIUS servers. <Device> system-view. [Device] local-user localuser class network. [Device-luser-netw...

Page 104: ...entication as the secondary authentication method. [Device-isp-bbb] authentication lan-access radius-scheme radius1 local. [Device-isp-bbb] authorization lan-access radius-scheme radius1 local. [Device-isp-bbb] accounting lan-access radius-scheme radius1 local. [Device-isp-bbb] quit. 7. Configure 802.1X: # Enable 802.1X on Ten-GigabitEthernet 1/0/1. [Device] interface ten-gigabitethernet 1/0/1. [Device-Ten-GigabitEther...

Page 105: ...e Internet. Figure 31 Network diagram. Configuration procedure: 1. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.) 2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this exam...

Page 106: ...e-radius-2000] key authentication simple abc. # Set the shared key to abc in plain text for secure communication between the accounting server and the device. [Device-radius-2000] key accounting simple abc. # Exclude the ISP domain name from the usernames sent to the RADIUS server. [Device-radius-2000] user-name-format without-domain. [Device-radius-2000] quit. 5. Configure an ISP domain: # Create ISP domain bbb and e...

Page 107: ...th ACL assignment configuration example. Network requirements: As shown in Figure 32, the host that connects to Ten-GigabitEthernet 1/0/1 must pass 802.1X authentication to access the Internet. Perform 802.1X authentication on Ten-GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Configure A...

Page 108: ...IUS server. [Device-radius-2000] user-name-format without-domain. [Device-radius-2000] quit. 5. Configure an ISP domain: # Create ISP domain bbb and enter ISP domain view. [Device] domain bbb. # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting. [Device-isp-bbb] authentication lan-access radius-scheme 2000. [Device-isp-bbb] authorization lan-access radius-scheme 2000. [Device-isp-b...

Page 109: ...tranet 192.168.1.0/24 is attached to Ten-GigabitEthernet 1/0/1 of the access device. The hosts use DHCP to obtain IP addresses. A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software. Deploy an EAD solution for the intranet to meet the following requirements: Allow unauthenticated users and users who have failed 802.1X aut...

Page 110: ...e VLAN-interface 2. [Device-Vlan-interface2] dhcp relay server-address 192.168.2.2. [Device-Vlan-interface2] quit. 4. Configure a RADIUS scheme: # Create RADIUS scheme 2000 and enter RADIUS scheme view. [Device] radius scheme 2000. # Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812. [Device-radius-2000] primary authentication 10.11.1.1 1812. # Specify the serve...

Page 111: ...ree-ip 192.168.2.0 24. # Configure the redirect URL for client software download. [Device] dot1x ead-assistant url http://192.168.2.3. # Enable the EAD assistant feature. [Device] dot1x ead-assistant enable. # Enable 802.1X globally. [Device] dot1x. # Enable 802.1X on Ten-GigabitEthernet 1/0/1. [Device] interface ten-gigabitethernet 1/0/1. [Device-Ten-GigabitEthernet1/0/1] dot1x. [Device-Ten-GigabitEthernet1/0/1] quit. Verifying ...

Page 112: ...ng system of the host regards the string as a website name and tries to resolve the string. If the resolution fails, the operating system sends an ARP request, but the target address is not in the dotted decimal notation. The redirection feature does redirect this kind of ARP request. The address is within a free IP segment. No redirection will take place, even if no host is present with the address. The ...

Page 113: ...pports the following user account policies: One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment. One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication...

Page 114: ...Table 9 describes the way the network access device handles authorization VLANs for MAC-authenticated users. Table 9 VLAN manipulation (Port type, VLAN manipulation): Access port, trunk port, hybrid port with MAC-based VLAN disabled: The device assigns the first authenticated user's authorization VLAN to the port as the PVID. NOTE: For these port types, you must assign the same authorization VLAN to all MAC ...

Page 115: ...RADIUS authentication, the user is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA." Table 11 shows the way that the network access device handles critical VLANs for MAC authentication users. Table 11 VLAN manipulation (Authentication status, VLAN manipulation): A user that has not been assigned to any VLAN fails MAC authentication because all ...

Page 116: ...ice. To change the user's access permissions, you can use one of the following methods: Modify the user profile configuration on the access device. Specify another user profile for the user on the authentication server. For more information about user profiles, see "Configuring user profiles." Periodic MAC reauthentication. Periodic MAC reauthentication tracks the connection status of online users and updat...

Page 117: ...format: Optional. Setting MAC authentication timers: Optional. Setting the maximum number of concurrent MAC authentication users on a port: Optional. Enabling MAC authentication multi-VLAN mode on a port: Optional. Configuring MAC authentication delay: Optional. Configuring a MAC authentication guest VLAN: Optional. Configuring a MAC authentication critical VLAN: Optional. Configuring the keep-online feature: En...

Page 118: ...pecify an authentication domain for MAC authentication users (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Specify an authentication domain for MAC authentication users: In system view: mac-authentication domain domain-name. In Layer 2 Ethernet interface view: a. interface interface-type interface-number; b. mac-authentication domain domain-name. By default, the system default authentication d...

Page 119: ...rver unavailable. If the timer expires during MAC authentication, the user cannot access the network. To set MAC authentication timers (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Set MAC authentication timers: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }. By default, the offline detect timer is 300 seconds, the quiet tim...

Page 120: ...ac-authentication host-mode multi-vlan. By default, this feature is disabled on a port. When the port receives a packet sourced from an authenticated user in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user. Configuring MAC authentication delay. When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication...

Page 121: ...protection. The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature. See "Configuring port security." To configure the MAC authentication guest VLAN on a port (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Enter Layer 2 Ethernet interface view: interface interface-type interface-number. N/A. ...

Page 122: ...cation critical VLAN on the port: mac-authentication critical vlan critical-vlan-id. By default, no MAC authentication critical VLAN is configured. You can configure only one MAC authentication critical VLAN on a port. Configuring the keep-online feature. By default, the device logs off online MAC authentication users if no server is reachable for MAC reauthentication. The keep-online feature keeps authen...

Page 123: ...nterface-number ] [ mac-address mac-address ]. Remove users from the MAC authentication guest VLAN on a port: reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]. MAC authentication configuration examples. Local MAC authentication configuration example. Network requirements: As shown in Figure 34, the device performs local MAC authentication on Ten-GigabitEther...

Page 124: ...in as the ISP domain bbb. [Device] mac-authentication domain bbb. # Configure MAC authentication timers. [Device] mac-authentication timer offline-detect 180. [Device] mac-authentication timer quiet 180. # Configure MAC authentication to use MAC-based accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. [Device] mac-authentication user-name-format mac-address with-hyp...

Page 125: ...ts. As shown in Figure 35, the device uses RADIUS servers to perform authentication, authorization, and accounting for users. To control user access to the Internet by MAC authentication, perform the following tasks: Enable MAC authentication globally and on port Ten-GigabitEthernet 1/0/1. Configure the device to detect whether a user has gone offline every 180 seconds. Configure the device to deny a user ...

Page 126: ...ort Ten-GigabitEthernet 1/0/1. [Device] interface ten-gigabitethernet 1/0/1. [Device-Ten-GigabitEthernet1/0/1] mac-authentication. [Device-Ten-GigabitEthernet1/0/1] quit. # Specify the MAC authentication domain as the ISP domain bbb. [Device] mac-authentication domain bbb. # Set MAC authentication timers. [Device] mac-authentication timer offline-detect 180. [Device] mac-authentication timer quiet 180. # Specify username aa...

Page 127: ...figure the device to meet the following requirements: Use RADIUS servers to perform authentication, authorization, and accounting for users. Perform MAC authentication on port Ten-GigabitEthernet 1/0/1 to control Internet access. Use MAC-based user accounts for MAC authentication users. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. Use an ACL to deny authenti...

Page 128: ...ccounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. [Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase. # Enable MAC authentication on port Ten-GigabitEthernet 1/0/1. [Sysname] interface ten-gigabitethernet 1/0/1. [Sysname-Ten-GigabitEthernet1/0/1] mac-authentication. [Sysname-Ten-GigabitEthernet1/0/1] quit. # Enable MAC authentication glo...

Page 129: ...e users: 4294967295. Authentication attempts: successful 1, failed 0. Current online users: 1. MAC address / Auth state: 00e0-fc12-3456 / Authenticated. # Verify that you cannot ping the FTP server from the host. C:\> ping 10.0.0.1. Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss). The o...

Page 130: ...SPs with diversified management choices and extended functions. For example, the ISPs can place advertisements, provide community services, and publish information on the authentication page. Supports multiple authentication modes. For example, re-DHCP authentication implements a flexible address assignment scheme and saves public IP addresses. Cross-subnet authentication can authenticate users who reside...

Page 131: ...ion requests from authentication clients and interacts with the access device to authenticate users. Portal Web server: The portal Web server pushes the Web authentication page to authentication clients and forwards user authentication information (username and password) to the portal authentication server. The access device also redirects HTTP requests from unauthenticated users to the portal Web serv...

Page 132: ...y a Web client or an HP iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network. Portal authentication modes. Portal authentication has three modes: direct authentication, re-DHCP authentication, and cross-subnet authentication. In direct authentication and re-DHCP authentication, no Layer 3 forwarding devices exist between...

Page 133: ...n process. The direct/cross-subnet authentication process is as follows: 1. A portal user accesses the Internet through HTTP, and the HTTP packet arrives at the access device. If the packet matches a portal-free rule, the access device allows the packet to pass. If the packet does not match any portal-free rule, the access device redirects the packet to the portal Web server. The portal Web server pushes the...

Page 134: ...ion files, unauthorized software, and operating system patches. 10. The security policy server authorizes the user to access certain network resources based on the check result. The access device saves the authorization information and uses it to control access of the user. Re-DHCP authentication process (with CHAP/PAP authentication). Figure 39 Re-DHCP authentication process. The re-DHCP authentication pro...

Page 135: ...Required. Enabling portal authentication on an interface: Required. Referencing a portal Web server for an interface: Optional. Controlling portal user access (Configuring a portal-free rule; Configuring an authentication source subnet; Configuring an authentication destination subnet; Setting the maximum number of portal users; Specifying a portal authentication domain): Optional. Configuring portal detection...

Page 136: ...server parameters: IP address of the portal authentication server. Shared encryption key used between the device and the portal authentication server. Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server. The device supports multiple portal authentication servers. Do not delete a portal authentication server in use. Otherwise, users authent...

Page 137: ...d portal authentication server, the interface regards the packet as valid and sends an authentication response packet to the portal authentication server. Otherwise, the interface drops the packet. After a user logs in to the device, the user interacts with the portal authentication server as needed. Configuration restrictions and guidelines. When you enable portal authentication on an interface, follow thes...

Page 138: ...eb server for an interface (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Enter interface view: interface interface-type interface-number. The interface must be a Layer 3 interface. 3. Reference a portal Web server for the interface: To reference an IPv4 portal Web server: portal apply web-server server-name [ fail-permit ]. To reference an IPv6 portal Web server: portal ipv6 apply web-server serv...

Page 139: ...ny | tcp tcp-port-number | udp udp-port-number } source { ipv6 ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ]. By default, no IPv6-based portal-free rule exists. To configure a source-based portal-free rule (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Configure a source-based portal-free rule: portal free-rule rule-number source { interface interface-type interface-number | m...

Page 140: ...4 portal authentication source subnet (Step, Command, Remarks): 1. Enter system view: system-view. N/A. 2. Enter interface view: interface interface-type interface-number. N/A. 3. Configure an IPv4 portal authentication source subnet: portal layer3 source ipv4-network-address { mask-length | mask }. By default, no IPv4 portal authentication source subnet is configured, and users from any subnets must pass portal authenti...

Page 141: ...ion destination subnet is configured, and users accessing any subnets must pass portal authentication. Setting the maximum number of portal users. Perform this task to control the total number of login IPv4 and IPv6 portal users in the system. If the maximum number of portal users you set is less than that of the current login portal users, the limit can be set successfully and does not impact the logi...

Page 142: ...domain: portal ipv6 domain domain-name. By default, no ISP domain is specified for IPv6 portal users on the interface. Configuring portal detection features. Configuring online detection of portal users. Configure online detection to detect abnormal logouts of portal users in a timely manner. Configure ARP or ICMP detection for IPv4 portal users. Configure ND or ICMPv6 detection for IPv6 portal users. If the device re...

Page 143: ...idle-time. By default, this feature is disabled on the interface. Configuring portal authentication server detection. During portal authentication, if the communication between the access device and the portal authentication server is broken, both of the following occur: New portal users are not able to log in. The online portal users are not able to log out normally. To address this problem, the access device...

Page 144: ...To address this problem, you can enable portal Web server detection on the access device. With the portal Web server detection feature, the access device simulates a Web access process to initiate a TCP connection to the portal Web server. If the TCP connection can be established successfully, the access device considers the detection successful, and the portal Web server is reachable. Otherwise, it consi...

Page 145: ...t on the access device, the access device informs the portal authentication server to delete the user. The access device starts the synchronization detection timer (timeout timeout) immediately when a user logs in. If the user does not appear in any synchronization packet within a synchronization detection interval, the access device considers that the user does not exist on the portal authentication server...

Page 146: ...r server-name fail-permit. By default, portal fail-permit is disabled for a portal Web server. Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server. If the device runs Portal 2.0, the unsolicited packets sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, the unsolicited packets sent to the portal authentication se...

Page 147: ...ferent VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements. For example, map the NAS-ID companyA to all VLANs of company A. The device will send companyA in the NAS-Identifier attribute for the RADIUS server to identify requests from any Company A users. You can apply a NAS-ID profile to a portal-enabled interface. I...

Page 148: ...aming: portal roaming enable. By default, portal roaming is disabled. You cannot enable portal roaming when login users exist on the device. Logging out portal users. Logging out a user terminates the authentication process for the user or removes the user from the authenticated users list. To log out users (Step, Command): 1. Enter system view: system-view. 2. Log out IPv4 portal users: portal delete-user ipv4-a...

Page 149: ...Figure 40, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server. Configure direct portal authentication, so the host can access only the portal server before passing the...

Page 150: ...n. 2. Configure the IP address group: a. Select Access Service > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in Figure 42. c. Enter the IP group name. d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address 2.2.2.2 is in the IP group. e. Select a service group. This...

Page 151: ...llocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list. g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select No for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 43 Adding a portal device. 4. Associate the portal device with the IP address group: a. As shown in Figure 4...

Page 152: ...alidate the configurations. Configuring the portal authentication server on IMC PLAT 5.0: In this example, the portal server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101). 1. Configure the portal authentication server: a. Log in to IMC and click the Service tab. b. Select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown ...

Page 153: ...al IP address group configuration page. b. Click Add to enter the page shown in Figure 47. c. Enter the IP group name. d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group. e. Select a service group. This example uses the default group Ungrouped. f. Select Normal from the Action list. g. Click OK. Figure 47 Adding an IP address group ...

Page 154: ...from the Reallocate IP list. g. Select whether to support server heartbeat and user heartbeat functions. In this example, select No for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 48 Adding a portal device. 4. Associate the portal device with the IP address group: a. As shown in Figure 49, click the icon in the Port Group Information Management column of device NAS to enter th...

Page 155: ...configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] key accounting simple radius
Exclude the ISP domain name from the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] qu...

Page 156: ... 192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method direct
Reference the portal Web server newpt on VLAN-interface 100.
[Switch-Vlan-interface100] portal apply web-server newpt
Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100...

Page 157: ...ccess Internet resources. After the user passes authentication, use the following command to display information about the portal user.
[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  Authorization ACL:
  VPN instance  MAC             IP       VLAN  Interface
                0015-e9a6-7cfe  2.2.2.2  100   Vlan-interface100
Configuring re-DHCP portal authentication. Netw...

Page 158: ...ace connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24, where the host resides. The public IP address range for the IP address group is the public subnet 20.20.20.0/24. Configuration procedure: Perform the following tasks on the switch. 1. Configure a RADIUS scheme: Create a RADIUS scheme named rs1 and enter its vi...

Page 159: ...
[Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
[Switch-Vlan-interface100] dhcp select relay
[Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112
Enable authorized ARP.
[Switch-Vlan-interface100] arp authorized enable
[Switch-Vlan-interface100] quit
4. Configure portal authentication. Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192...

Page 160: ...red
  Authentication domain: Not configured
  Bas-ipv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type  Server name  Action
  Layer3 source network:
    IP address  Prefix length
  Destination authenticate subnet:
    IP address  Prefix length
A user can perform portal authentication by using the HP iNode client or through Web page. Before passing the authentication, the user can acces...

Page 161: ...for the switch and servers as shown in Figure 52, and make sure the host, switch, and servers can reach each other. Configure the RADIUS server properly to provide authentication and accounting functions. Make sure the IP address of the portal device added on the portal authentication server is the IP address (20.20.20.1) of the switch's interface connecting the host. The IP address group associated with ...

Page 162: ...
[SwitchA] portal server newpt
[SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
[SwitchA-portal-server-newpt] port 50100
[SwitchA-portal-server-newpt] quit
Configure a portal Web server.
[SwitchA] portal web-server newpt
[SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[SwitchA-portal-websvr-newpt] quit
Enable cross-subnet portal authentication on VLAN-interface 4.
[SwitchA] interface...

Page 163: ...network:
    IP address  Prefix length
  Destination authenticate subnet:
    IP address  Prefix length
A user can perform portal authentication by using the HP iNode client or through Web page. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page. After passing the authentication, the ...

Page 164: ... addresses for the host, switch, and servers as shown in Figure 53, and make sure they can reach each other. Configure the RADIUS server properly to provide authentication and accounting functions. Configuration procedure: Perform the following tasks on the switch. 1. Configure a RADIUS scheme: Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
Specify the prima...

Page 165: ...quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit ip
[Switch-acl-adv-3001] quit
NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.
4. Configure portal authentication. Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] p...

Page 166: ...detection: Not configured
  Action for server detection:
    Server type  Server name  Action
  Layer3 source network:
    IP address  Prefix length
  Destination authenticate subnet:
    IP address  Prefix length
Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected t...

Page 167: ... check. If the host fails the security check, it can access only subnet 192.168.0.0/24. After passing the security check, the host can access Internet resources. Figure 54 Network diagram. Configuration prerequisites and guidelines: Configure IP addresses for the switch and servers as shown in Figure 54, and make sure the host, switch, and servers can reach each other. Configure the RADIUS server properly to...

Page 168: ...ple radius
[Switch-radius-rs1] user-name-format without-domain
Specify the security policy server.
[Switch-radius-rs1] security-policy-server 192.168.0.114
[Switch-radius-rs1] quit
Enable RADIUS session control.
[Switch] radius session-control enable
2. Configure an authentication domain. Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
Configure AAA methods for the ISP domain.
[Switch-isp-dm...

Page 169: ...newpt] port 50100
[Switch-portal-server-newpt] quit
Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method redhcp
Reference the portal Web server newpt on VLAN-i...

Page 170: ...using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page. If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000. After passing both the authentication and the security check, the user can access Int...

Page 171: ... switch and servers as shown in Figure 55, and make sure the host, switch, and servers can reach each other. Configure the RADIUS server properly to provide authentication and accounting functions. Make sure the IP address of the portal device added on the portal server is the IP address (20.20.20.1) of the switch's interface connecting the host. The IP address group associated with the portal device is t...

Page 172: ...y ACL.
[SwitchA] acl number 3000
[SwitchA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[SwitchA-acl-adv-3000] rule deny ip
[SwitchA-acl-adv-3000] quit
[SwitchA] acl number 3001
[SwitchA-acl-adv-3001] rule permit ip
[SwitchA-acl-adv-3001] quit
NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.
4. Configure portal authentication ...

Page 173: ...ion: Not configured
  Action for server detection:
    Server type  Server name  Action
  Layer3 source network:
    IP address  Mask
  Destination authenticate subnet:
    IP address  Mask
IPv6:
  Portal status: Disabled
  Authentication type: Disabled
  Portal Web server: Not configured
  Authentication domain: Not configured
  Bas-ipv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type  Server name  Act...

Page 174: ...ss, either manually or through DHCP. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server. Configure direct portal authentication on the switch, so the host can access only the portal server before passing the authentication and access Internet resources after passing the authentication. Configure the switch to ...

Page 175: ...ion server on IMC PLAT 3.20: In this example, the portal server runs on IMC PLAT 3.20-R2602P13 and IMC UAM 3.60-E6301. 1. Configure the portal authentication server: a. Log in to IMC and click the Service tab. b. Select Access Service > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure 57. c. Configure the portal server heartbeat interva...

Page 176: ...must be the same as that configured on the switch. f. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list. g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 59 Adding a por...

Page 177: ...figuration from the navigation tree to validate the configurations. Configuring the portal authentication server on IMC PLAT 5.0: In this example, the portal server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101). 1. Configure the portal authentication server: a. Log in to IMC and click the Service tab. b. Select User Access Manager > Portal Service Management > Server from the navigation tree to enter the po...

Page 178: ...the portal IP address group configuration page. b. Click Add to enter the page shown in Figure 63. c. Enter the IP group name. d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group. e. Select a service group. This example uses the default group Ungrouped. f. Select Normal from the Action list. g. Click OK. Figure 63 Adding an IP address group ...

Page 179: ...from the Reallocate IP list. g. Select whether to support server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 64 Adding a portal device. 4. Associate the portal device with the IP address group: a. As shown in Figure 65, click the icon in the Port Group Information Management column of device NAS to enter t...

Page 180: ...configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] key accounting simple radius
Exclude the ISP domain name from the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] qu...

Page 181: ...ronization with the portal authentication server, and configure the synchronization detection interval as 600 seconds.
[Switch-portal-server-newpt] user-sync timeout 600
[Switch-portal-server-newpt] quit
NOTE: The value of timeout must be greater than or equal to the portal user heartbeat interval.
Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.1...

Page 182: ...rtal authentication server refuses to push the authentication page. Solution: Use the display portal server command on the access device to check whether a key is configured for the portal authentication server. If no key is configured, configure the right key. If a key is configured, use the ip or ipv6 command in the portal authentication server view to correct the key, or correct the key configured for...

Page 183: ...efault. Therefore, the access device cannot receive the portal user logout requests from the RADIUS server. Solution: On the access device, execute the radius session-control enable command in system view to enable the RADIUS session control function. Users logged out by the access device still exist on the portal authentication server. Symptom: After you log out a portal user on the access device, the use...

Page 184: ...ication server notifies of the authentication success only after it receives the IP change notification from both the access device and the client. If the BAS-IP or BAS-IPv6 address carried in the portal notification packet is different from the portal device IP address specified on the portal authentication server, the portal authentication server discards the portal notification packet. As a result...

Page 185: ...es network security and reduces human intervention. NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and "Configuring MAC authentication." Port security features: NTK. The need to know (NTK) f...

Page 186: ...hat port security allows. The maximum number of concurrent users the authentication mode in use allows. For example, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses on the port in userLoginSecureExt mode, port security's limit takes effect. Table 14 describes the port security modes and the security features. Table 14 Port security modes: Purpose / Security ...

Page 187: ...urced from the following MAC addresses to pass: Secure MAC addresses. MAC addresses configured by using the mac-address dynamic and mac-address static commands. When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode. Secure MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address d...

Page 188: ...cureExt: This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users. macAddressElseUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority, as the Else keyword implies. The mode allows one 802.1X authentication user and multiple MAC a...

Page 189: ...ity. Because the command logs off the online users, make sure no online users are present. Enabling or disabling port security resets the following security settings to the default: 802.1X access control mode is MAC-based. 802.1X port authorization state is auto. For more information about 802.1X authentication and MAC authentication configuration, see "Configuring 802.1X" and "Configuring MAC authenticatio...

Page 190: ...configuring the autoLearn mode, set port security's limit on the number of secure MAC addresses. You cannot change the setting when the port is operating in autoLearn mode. When you set the port security mode, follow these guidelines: You can specify a port security mode when port security is disabled, but your configuration cannot take effect. Changing the port security mode of a port logs off the onlin...

Page 191: ...icated destination MAC addresses. ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses. ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses. The NTK feature drops any unicast frame with an unknown destination MAC address. Not all port security modes support trigge...

Page 192: ...mains disabled: port-security timer disableport time-value. By default, the port silence timeout is 20 seconds. NOTE: On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication fail for the same frame. Configuring secure MAC addresses: Secure MAC addresses are conf...

Page 193: ... MAC addresses. If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address. If both the aging timer and the inactivity aging feature are configured, the aging timer restarts once traffic data is detected from the sticky MAC address. Yes: The secure MAC aging timer restarts at a reboot. Dynamic: Converted from sticky MAC add...

Page 194: ...ddress dynamic. By default, the dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to the configuration file. Once saved, they can survive a device reboot. Ignoring authorization information from the server: You can configure a port to ignore the authorization information received from the server (local or remote) after an 802.1X or MAC authentication user passes authentication. To co...

Page 195: ...D companyA to all VLANs of company A. The device will send companyA in the NAS-Identifier attribute for the RADIUS server to identify requests from any Company A users. You can apply a NAS-ID profile to port security globally or on a port. On a port, the device selects a NAS-ID profile in the following order: 1. The port-specific NAS-ID profile. 2. The NAS-ID profile applied globally. If no NAS-ID profile ...

Page 196: ...ommands in any view. Task / Command: Display the port security configuration, operation information, and statistics: display port-security [ interface interface-type interface-number ]. Display information about secure MAC addresses: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]. Display information about blocked MAC addresses: display port-security mac-a...

Page 197: ... is triggered.
[Device-Ten-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-Ten-GigabitEthernet1/0/1] quit
[Device] port-security timer disableport 30
Verifying the configuration: Verify the port security configuration.
[Device] display port-security interface ten-gigabitethernet 1/0/1
Port security parameters:
  Port security: Enabled
  AutoLearn aging time: 30 min
  Disableport tim...

Page 198: ...er the number of MAC addresses learned by the port reaches 64.
[Device] display port-security interface ten-gigabitethernet 1/0/1
Verify that the port will be disabled for 30 seconds after it receives a frame with an unknown MAC address. (Details not shown.) After the port is re-enabled, delete several secure MAC addresses.
[Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1
[Device] ...

Page 199: ...radius scheme radsun
[Device-radius-radsun] primary authentication 192.168.1.2
[Device-radius-radsun] primary accounting 192.168.1.3
[Device-radius-radsun] secondary authentication 192.168.1.3
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication simple name
[Device-radius-radsun] key accounting simple money
[Device-radius-radsun] timer response-timeout 5
[Device-radiu...

Page 200: ... RADIUS Scheme Name: radsun
  Index: 0
  Primary Auth Server:
    IP: 192.168.1.2  Port: 1812  State: Active
    VPN: Not configured
  Primary Acct Server:
    IP: 192.168.1.3  Port: 1813  State: Active
    VPN: Not configured
  Second Auth Server:
    IP: 192.168.1.3  Port: 1812  State: Active
    VPN: Not configured
  Second Acct Server:
    IP: 192.168.1.2  Port: 1813  State: Active
    VPN: Not configured
  Accounting-On function: Disabled
    retransmission times: 50
    ret...

Page 201: ...Is to pass authentication.
[Device] display mac-address interface ten-gigabitethernet 1/0/1
MAC Address     VLAN ID  State    Port                      Aging
1234-0300-0011  1        Learned  Ten-GigabitEthernet1/0/1  Y
macAddressElseUserLoginSecure configuration example. Network requirements: As shown in Figure 69, a client is connected to the device through Ten-GigabitEthernet 1/0/1. The device authenticates the client by a RADIUS server. If...

Page 202: ...uthentication domain sun. Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64
Set the port security mode to macAddressElseUserLogin...

Page 203: ...gabitethernet 1/0/1
Global MAC authentication parameters:
  MAC authentication: Enabled
  User name format: MAC address in uppercase (XX-XX-XX-XX-XX-XX)
  Username: mac
  Password: Not configured
  Offline detect period: 60 s
  Quiet period: 5 s
  Server timeout: 100 s
  Authentication domain: sun
  Max MAC-auth users: 4294967295 per slot
  Online MAC-auth users: 3
Silent MAC users:
  MAC address  VLAN ID  From port  Port index
Ten-Gig...

Page 204: ...s: 1
Ten-GigabitEthernet1/0/1 is link-up
  802.1X authentication: Enabled
  Handshake: Enabled
  Handshake security: Disabled
  Unicast trigger: Disabled
  Periodic reauth: Disabled
  Port role: Authenticator
  Authorization mode: Auto
  Port access control: MAC-based
  Multicast trigger: Enabled
  Mandatory auth domain: Not configured
  Guest VLAN: Not configured
  Auth-Fail VLAN: Not configured
  Critical VLAN: Not configured
  Re-auth ...

Page 205: ...Set a new port security mode for the port, for example, autoLearn.
[Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn
3. If the problem persists, contact HP Support. Cannot configure secure MAC addresses. Symptom: Cannot configure secure MAC addresses. Analysis: No secure MAC address can be configured on a port operating in a port security mode other than autoLearn. Solution: To resolve the pro...

Page 206: ...aracters from the following types: Uppercase letters A to Z. Lowercase letters a to z. Digits 0 to 9. Special characters. For information about special characters, see the password-control composition command in Security Command Reference. Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each...

Page 207: ... Password expiration: Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password. If a user enters an expired password when logging in, the system displays an error message. The user is prompted to provide a new password and to confirm it by entering it again. The new password must be valid, and the user must enter exactly the same passwor...

Page 208: ...minimum change interval. Login attempt limit: Limiting the number of consecutive failed login attempts can effectively prevent password guessing. Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types of users: Nonexistent users (users not configured on the device). Users logging in to the device through console ports. If a user fails to use a user account to ...

Page 209: ...tings configured in different views or for different objects have the following application ranges: Settings for super passwords apply only to super passwords. Settings in local user view apply only to the password of the local user. Settings in user group view apply to the passwords of the local users in the user group, if you do not configure password policies for these users in local user view. Glob...

Page 210: ...e is enabled by default and cannot be disabled. 3. (Optional.) Enable a specific password control feature: password-control { aging | composition | history | length } enable. By default, all four password control features are enabled. Setting global password control parameters: The password expiration time, minimum password length, and password composition policy can be configured in system view, user group view, or loca...

Page 211: ...n-attempt login-times [ exceed { lock | lock-time time | unlock } ]. By default, the maximum number of login attempts is 3, and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again. 9. Set the number of days during which a user is notified of the pending password expiration: password-control alert-before-expire alert-time. The default setting is 7 days. 10. Set the...

Page 212: ...pt login-times [ exceed { lock | lock-time time | unlock } ]. By default, the login attempt policy of the user group equals the global login attempt policy. Setting local user password control parameters: Step / Command / Remarks. 1. Enter system view: system-view. N/A. 2. Create a device management user and enter local user view: local-user user-name class manage. By default, no local user exists. Local user password control ...

Page 213: ...r group to which the local user belongs. If no login attempt policy is configured for the user group, the global settings apply to the local user. Setting super password control parameters: The super password allows you to obtain a temporary user role without reconnecting to the device. For more information about passwords for user roles, see Fundamentals Configuration Guide. To set super password contro...

Page 214: ...st contain at least four character types and at least four characters for each type. An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in. A user can log in five times within 60 days after the password expires. A password expires after 30 days. The minimum password update interval is 36 hours. The maximum account idle time...

Page 215: ...ol complexity same-character check
Globally specify that all passwords must each contain at least four character types and at least four characters for each type.
[Sysname] password-control composition type-number 4 type-length 4
Set the minimum super password length to 24 characters.
[Sysname] password-control super length 24
Specify that a super password must contain at least four character types and ...

Page 216: ...attempts: 2
  Action for exceeding login attempts: Lock
  Minimum interval between two updates: 36 hours
  User account idle time: 30 days
  Logins with aged password: 5 times in 60 days
  Password complexity: Enabled (username checking)
                       Enabled (repeated characters checking)
Display the password control configuration for super passwords.
[Sysname] display password-control super
Super password control configurations:
  Pas...

Page 217: ...205
  Password length: Enabled (24 characters)
  Password composition: Enabled (4 types, 5 characters per type) ...

Page 218: ...applications use the asymmetric key algorithms for the following purposes: Encryption and decryption: Any public key receiver can use the public key to encrypt information, but only the private key owner can decrypt the information. Digital signature: The key owner uses the private key to sign information to be sent. The receiver decrypts the information with the sender's public key to verify informatio...

Page 219: ...verwrite the existing key pair. The key pairs are automatically saved and can survive system reboots. Table 17 A comparison of different types of asymmetric key pairs: Type / Number of key pairs / Modulus length. RSA: In non-FIPS mode: One host key pair, if you specify a key pair name. One server key pair and one host key pair, if you do not specify a key pair name. Both key pairs use their default names. In FIP...

Page 220: ...isplay the key. Export a host public key: Export a host public key to a file. Export a host public key to the monitor screen and then save it to a file. After the key is exported to a file, transfer the file to the peer device. On the peer device, import the key from the file. Display a host public key: After the key is displayed, record the key, for example, copy it to an unformatted file. On the peer device, you ...

Page 221: ...ic-key local rsa public [ name key-name ]. Display local DSA public keys: display public-key local dsa public [ name key-name ]. Display local ECDSA public keys: display public-key local ecdsa public [ name key-name ]. NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair: To avoid key compromise, destroy a local key pair and generate a new pair after any of ...

Page 222: ...tering a peer host public key: Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device. The format of the public key displayed in any other way might be incorrect. If the key i...

Page 223: ...e the public key of Device A on Device B. Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A. Manually specify the host public key of Device A on Device B. Figure 71 Network diagram. Configuration procedure: 1. Configure Device A. Create local RSA key pairs with default names on Device A, and use the default modulus length (1024 bits).
<DeviceA> system-view
[DeviceA] public-ke...

Page 224: ...er the host public key of Device A in public key view. The key must be literally the same as displayed on Device A.
<DeviceB> system-view
[DeviceB] public-key peer devicea
Enter public key view. Return to system view with "peer-public-key end" command.
[DeviceB-pkey-public-key-devicea] 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
[DeviceB-pkey-public-key-devicea] 8D41B58F81435128...

Page 225: ...ost public key of Device A from the public key file to Device B. Figure 72 Network diagram. Configuration procedure: 1. Configure Device A. Create local RSA key pairs with default names on Device A, and use the default modulus length (1024 bits).
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minu...

Page 226: ...
[DeviceA] local-user ftp
[DeviceA-luser-manage-ftp] password simple 123
[DeviceA-luser-manage-ftp] service-type ftp
[DeviceA-luser-manage-ftp] authorization-attribute user-role network-admin
[DeviceA-luser-manage-ftp] quit
2. Configure Device B. Use FTP in binary mode to get the public key file devicea.pub from Device A.
<DeviceB> ftp 10.1.1.1
Connected to 10.1.1.1 (10.1.1.1).
220 FTP service ready.
User (10.1.1.1:(non...

Page 227: ... type: RSA
Key modulus: 1024
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001 ...

Page 228: ...t issued the certificate Subject name name of the individual or group to which the certificate is issued Identity information of the subject Subject s public key Signature of the CA Period of validity A digital certificate must comply with the international standards of ITU T X 509 of which X 509 v3 is the most commonly used This chapter covers the following types of certificates CA certificate Ce...

Page 229: ...uch as phone disk and email Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies PKI architecture A PKI system consists of PKI entities CAs RAs and a certificate CRL repository as shown in Figure 73 Figure 73 PKI architecture PKI entity An end user using PKI certificates The PKI entity can be an operator an...

Page 230: ...certificate repository PKI applications The PKI technology can meet security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A VPN is a private data communication network built on the public communication infrastructure A VPN can use network layer security protocols for example IPsec in conjunction with PKI based ...

Page 231: ...ngs For example if the CA policy requires the entity DN but you configure only the IP address the CA rejects the certificate request from the entity The SCEP add on on the Windows 2000 CA server has restrictions on the data length of a certificate request If a request from a PKI entity exceeds the data length limit the CA server does not respond to the certificate request In this case you can use ...

Page 232: ... trusted CA ca identifier name By default no trusted CA is specified To obtain a CA certificate the trusted CA name must be provided The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server The CA server s URL is specified by using the certificate request url command 4 Specify the PKI entity name certificate request entity entity name By default no enti...

Page 233: ...A certificate If the CA certificate is obtained through automatic certificate request the certificate will be rejected if a fingerprint has not been entered By default no fingerprint is specified 10 Specify the key pair for certificate request Specify an RSA key pair public key rsa encryption name encryption key name length key length signature name signature key name length key length general nam...

Page 234: ...t certificate domain pkcs10 filename to save the request information to a local file b Send the printed information or the saved file to the CA by using an out of band method to submit the request Online mode A certificate request can be automatically or manually submitted This section describes the online request mode Configuration guidelines The following guidelines apply to certificate request ...

Page 235: ...e PKI domain the PKI entity automatically obtains a CA certificate before sending a certificate request To configure automatic certificate request Step Command Remarks 1 Enter system view system view N A 2 Enter PKI domain view pki domain domain name N A 3 Set the certificate request mode to auto certificate request mode auto password cipher simple password By default the manual request mode appli...

Page 236: ...the associated certificate request To abort a certificate request Step Command Remarks 1 Enter system view system view N A 2 Abort a certificate request pki abort certificate request domain domain name This command is not saved in the configuration file Obtaining certificates You can obtain the CA certificate local certificates and peer certificates related to a PKI domain from a CA and save them ...

Page 237: ... local certificates one for signature and the other for encryption If CRL checking is enabled obtaining a certificate triggers CRL checking If the certificate to be obtained has been revoked the certificate cannot be obtained The device compares the validity period of a certificate with the local system time to determine whether the certificate is valid Make sure the system time of the device is s...

Page 238: ... Step Command Remarks 1 Enter system view system view N A 2 Enter PKI domain view pki domain domain name N A 3 Optional Specify the URL of the CRL repository crl url url string By default the URL of the CRL repository is not specified 4 Enable CRL checking crl check enable By default CRL checking is enabled 5 Return to system view quit N A 6 Obtain the CA certificate See Obtaining certificates N A...

Page 239: ...ed to the new path To specify the storage path for the certificates and CRLs Task Command Remarks Specify the storage path for certificates and CRLs pki storage certificates crls dir path By default the device stores certificates and CRLs in the PKI directory on the storage media of the device Exporting certificates IMPORTANT To export all certificates in the PKCS12 format the PKI domain must have...

Page 240: ...es and CRLs in the domain You can remove a local certificate and request a new one when the local certificate is about to expire or the certificate s private key is compromised To remove a local certificate and request a new certificate perform the following tasks 1 Remove the local certificate 2 Use the public key local destroy command to destroy the existing local key pair 3 Use the public key l...

Page 241: ...attribute rules the certificate matches the statement If the certificate based access control policy referenced by a security application for example HTTPS does not exist all certificates in the application pass the verification To configure a certificate based access control policy Step Command Remarks 1 Enter system view system view N A 2 Create a certificate attribute group and enter its view p...

Page 242: ...ase when you configure a PKI domain you must use the certificate request from ra command to specify the RA to accept certificate requests If you use RSA Keon the SCEP add on is not required When you configure a PKI domain you must use the certificate request from ca command to specify the CA to accept certificate requests Requesting a certificate from an RSA Keon CA server Network requirements Con...

Page 243: ...ted on the CA server Device pki domain torsa certificate request url http 1 1 2 22 446 80f6214aa8865301d07929ae481c7ceed99f95bd Specify the CA for accepting certificate requests Device pki domain torsa certificate request from ca Specify the PKI entity name as aaa Device pki domain torsa certificate request entity aaa Specify the URL of the CRL repository Device pki domain torsa crl url ldap 1 1 2...

Page 244: ...n Issuer CN myca Validity Not Before Jan 6 03 10 58 2013 GMT Not After Jan 6 03 10 58 2014 GMT Subject CN Device Subject Public Key Info Public Key Algorithm rsaEncryption Public Key 1024 bit Modulus 00 ab 45 64 a8 6c 10 70 3b b9 46 34 8d eb 1a a1 b3 64 b2 37 27 37 9d 15 bd 1a 69 1d 22 0f 3a 5a 64 0c 8f 93 e5 f0 70 67 dc cd c1 6f 7a 0c b1 57 48 55 81 35 d7 36 d5 3c 37 1f ce 16 7e f8 18 30 f6 6b 00...

Page 245: ...ame to myca 2 Install the SCEP add on By default Windows Server 2003 does not support SCEP You must install the SCEP add on on the server for a PKI entity to register and obtain a certificate from the server After the SCEP add on installation is complete you will see a URL Specify this URL as the certificate request URL on the device 3 Modify the certificate service attributes a Select Control Pan...

Page 246: ...P address and port number of the CA server Device pki domain winserver certificate request url http 4 4 4 1 8080 certsrv mscep mscep dll Specify the RA to accept certificate requests Device pki domain winserver certificate request from ra Specify the PKI entity name as aaa Device pki domain winserver certificate request entity aaa Specify the RSA key pair with the purpose general the name abc and ...

Page 247: ... bit Modulus 00 c3 b5 23 a0 2d 46 0b 68 2f 71 d2 14 e1 5a 55 6e c5 5e 26 86 c1 5a d6 24 68 02 bf 29 ac dc 31 41 3f 5d 5b 36 9e 53 dc 3a bc 0d 11 fb d6 7d 4f 94 3c c1 90 4a 50 ce db 54 e0 b3 27 a9 6a 8e 97 fb 20 c7 44 70 8f f0 b9 ca 5b 94 f0 56 a5 2b 87 ac 80 c5 cc 04 07 65 02 39 fc db 61 f7 07 c6 65 4c e4 5c 57 30 35 b4 2e ed 9c ca 0b c1 5e 8d 2e 91 89 2f 11 e3 1e 12 8a f8 dd f8 a7 2a 94 58 d9 c7 ...

Page 248: ...f b2 14 47 fa dc 1e 4d 03 d5 d3 f5 9d ad 9b 8d 03 7f be 1e 29 28 87 f7 ad 88 1c 8f 98 41 9a db 59 ba 0a eb 33 ec cf aa 9b fc 0f 69 3a 70 f2 fa 73 ab c1 3e 4d 12 fb 99 31 51 ab c2 84 c0 2f e5 f6 a7 c3 20 3c 9a b0 ce 5a bc 0f d9 34 56 bc 1e 6f ee 11 3f 7c b2 52 f9 45 77 52 fb 46 8a ca b7 9d 02 0d 4e c3 19 8f 81 46 4e 03 1f 58 03 bf 53 c6 c4 85 95 fb 32 70 e6 1b f3 e4 10 ed 7f 93 27 90 6b 30 e7 81 36...

Page 249: ... 3 Configure a PKI domain Create a PKI domain named openca and enter its view Device pki domain openca Specify the name of the trusted CA as myca Device pki domain openca ca identifier myca Configure the certificate request URL The URL is in the format http host cgi bin pki scep where host is the host IP address of the OpenCA server Device pki domain openca certificate request url http 192 168 222...

Page 250: ...enca Device display pki certificate domain openca local Certificate Data Version 3 0x2 Serial Number 21 1d b8 d2 e4 a9 21 28 e4 de Signature Algorithm sha256WithRSAEncryption Issuer C CN L shangdi ST pukras O OpenCA Labs OU mysubUnit CN sub ca DC pki subdomain DC mydomain sub DC com Validity Not Before Jun 30 09 09 09 2011 GMT Not After May 1 09 09 09 2012 GMT Subject CN rnd O test OU software C C...

Page 251: ...Distribution Points Full Name URI http 192 168 222 218 pki pub crl cacrl crl Signature Algorithm sha256WithRSAEncryption 5c 4c ba d0 a1 35 79 e6 e5 98 69 91 f6 66 2a 4f 7f 8b 0e 80 de 79 45 b9 d9 12 5e 13 28 17 36 42 d5 ae fc 4e ba b9 61 f1 0a 76 42 e7 a6 34 43 3e 2d 02 5e c7 32 f7 6b 64 bb 2d f5 10 6c 68 4d e7 69 f7 47 25 f5 dc 97 af ae 33 40 44 f3 ab e4 5a a0 06 8f af 22 a9 05 74 43 b6 e4 96 a5 ...

Page 252: ...ort domain exportdomain pem ca filename pkicachain pem Export the local certificate to a file named pkilocal pem in PEM format and use 3DES_CBC to encrypt the private key with the password 111111 DeviceA pki export domain exportdomain pem local 3des cbc 111111 filename pkilocal pem After the previous operations the system generates three certificate files in PEM format a CA certificate file and tw...

Page 253: ... END ENCRYPTED PRIVATE KEY 2 Download the certificate files pkicachain pem pkilocal pem sign and pkilocal pem encr from Device A to the host through FTP Details not shown 3 Upload the certificate files pkicachain pem pkilocal pem sign and pkilocal pem encr from the host to Device B through FTP Details not shown 4 Import the certificate files to Device B Disable CRL checking You can configure CRL c...

Page 254: ...CN O OpenCA Labs OU Users CN subsign 11 Subject Public Key Info Public Key Algorithm rsaEncryption Public Key 1024 bit Modulus 00 9f 6e 2f f6 cb 3d 08 19 9a 4a ac b4 ac 63 ce 8d 6a 4c 3a 30 19 3c 14 ff a9 50 04 f5 00 ee a3 aa 03 cb b3 49 c4 f8 ae 55 ee 43 93 69 6c bf 0d 8c f4 4e ca 69 e5 3f 37 5c 83 ea 83 ad 16 b8 99 37 cb 86 10 6b a0 4d 03 95 06 42 ef ef 0d 4e 53 08 0a c9 29 dd 94 28 02 6e e2 9b ...

Page 255: ... 50 7c 9f 30 4a 83 de 98 8b 6a c9 3e 9d 54 ee 61 a4 26 f3 9a 40 8f a6 6b 2b 06 53 df b6 5f 67 5e 34 c8 c3 b5 9b 30 ee 01 b5 a9 51 f9 b1 29 37 02 1a 05 02 e7 cc 1c fe 73 d3 3e fa 7e 91 63 da 1d f1 db 28 6b 6c 94 84 ad fc 63 1b ba 53 af b3 5d eb 08 b3 5b d7 22 3a 86 c3 97 ef ac 25 eb 4a 60 f8 2b a3 3b da 5d 6f a5 cf cb 5a 0b c5 2b 45 b7 3e 6e 39 e9 d9 66 6d ef d3 a0 f6 2a 2d 86 a3 01 c4 94 09 c0 99 ...

Page 256: ... 62 11 0A CC A5 DB 0E 7E 74 DE DD X509v3 Subject Alternative Name email subencr docm com X509v3 Issuer Alternative Name DNS subca1 docm com DNS IP Address 1 1 2 2 IP Address 2 2 1 1 Authority Information Access CA Issuers URI http titan pki pub cacert cacert crt OCSP URI http titan 2560 1 3 6 1 5 5 7 48 12 URI http titan 830 X509v3 CRL Distribution Points Full Name URI http 192 168 40 130 pki pub ...

Page 257: ...The certificate request URL is incorrect or not specified The system time of the device is not synchronized with the CA server The source IP address of the PKI protocol packets is not specified or not correct The fingerprint of the root CA certificate is illegal Solution 1 Check for and fix any network connection problems 2 Verify that the required configurations are correct 3 Use ping to verify t...

Page 258: ... from the CRL repository 7 Specify the correct source IP address that the CA server can accept For the correct settings contact the CA administrator 8 Synchronize the system time of the device with the CA server 9 If the problem persists contact HP Support Failed to request local certificates Symptom Local certificate requests cannot be submitted Analysis The network connection is down for example...

Page 259: ...twork cable is damaged or the connectors have bad contact No CA certificate has been obtained before you try to obtain CRLs The URL of the CRL repository is not configured and cannot be obtained from the CA certificate or local certificates in the PKI domain The specified URL of the CRL repository is incorrect The device tries to obtain CRLs through SCEP but experiences the following problems The ...

Page 260: ...t of the imported file is correct 3 If the problem persists contact HP Support Failed to import a local certificate Symptom A local certificate cannot be imported Analysis The PKI domain does not have a locally stored CA certificate and the certificate file to be imported does not contain the CA certificate chain CRL checking is enabled but the device does not have a locally stored CRL and cannot ...

Page 261: ...he PKI domain The storage space of the device is full Solution 1 Obtain or request local certificates 2 Use mkdir to create the required path 3 Specify a correct export path 4 Configure the correct key pair in the PKI domain 5 Clear up the storage space of the device 6 If the problem persists contact HP Support Failed to set the storage path Symptom The storage path for certificates or CRLs cannot...

Page 262: ...de security services IKE performs automatic key exchange For more information about IKE see Configuring IKE IPsec provides the following security services for data packets in the IP layer Confidentiality The sender encrypts packets before transmitting them over the Internet protecting the packets from being eavesdropped en route Data integrity The receiver verifies the packets received from the se...

Page 263: ...ort mode The security protocols protect the upper layer data of an IP packet Only the transport layer data is used to calculate the security protocol headers The calculated security protocol headers and the encrypted data only for ESP encapsulation are placed after the original IP header You can use the transport mode when end to end security protection is required the secured transmission start a...

Page 264: ...he AH ESP header An SA can be set up manually or through IKE Manual mode Configure all parameters for the SA through commands This configuration mode is complex and does not support some advanced features such as periodic key update but it can implement IPsec without IKE This mode is mainly used in small and static networks or when the number of IPsec peers in the network is small IKE negotiation ...

Page 265: ...the IPsec policy to an interface or an application When you apply an IPsec policy to an interface you implement IPsec based on the interface Packets received and sent by the interface are protected according to the IPsec policy When you apply an IPsec policy to an application you implement IPsec based on the application Packets of the application are protected according to the IPsec policy regardl...

Page 266: ...hod The supported IPv6 routing protocols include RIPng In one to many communication scenarios you must configure the IPsec SAs for an IPv6 routing protocol in manual mode because of the following reasons The automatic key exchange mechanism is used only to protect communications between two points In one to many communication scenarios automatic key exchange cannot be implemented One to many commu...

Page 267: ... ACL based IPsec configuration task list Use the following procedure to implement ACL based IPsec 1 Configure an ACL for identifying data flows to be protected 2 Configure IPsec transform sets to specify the security protocols authentication and encryption algorithms and the encapsulation mode 3 Configure an IPsec policy to associate data flows with the IPsec transform sets specify the SA negotiat...

Page 268: ...king for de encapsulated packets is disabled the de encapsulated packets are not compared against the ACL rules and are directly processed by other modules When defining ACL rules for IPsec follow these guidelines Permit only data flows that need to be protected and use the any keyword with caution With the any keyword specified in a permit statement all outbound traffic matching the permit statem...

Page 269: ... esp encryption algorithm 3des cbc aes cbc 128 aes cbc 192 aes cbc 256 des cbc null In FIPS mode Specify the encryption algorithm for ESP esp encryption algorithm aes cbc 128 aes cbc 192 aes cbc 256 In non FIPS mode Specify the authentication algorithm for ESP esp authentication algorithm md5 sha1 In FIPS mode Specify the authentication algorithm for ESP esp authentication algorithm sha1 In non FI...

Page 270: ...n restrictions and guidelines Make sure the IPsec configuration at the two ends of an IPsec tunnel meets the following requirements The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols security algorithms and encapsulation mode The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied ...

Page 271: ...cy references no IPsec transform set A manual IPsec policy can reference only one IPsec transform set 6 Specify the remote IP address of the IPsec tunnel remote address ipv4 address ipv6 ipv6 address By default the remote IP address of the IPsec tunnel is not specified The local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied The l...

Page 272: ...IKE based IPsec policy the parameters are automatically negotiated through IKE To configure an IKE based IPsec policy use one of the following methods Directly configure it by configuring the parameters in IPsec policy view Configure it by referencing an existing IPsec policy template with the parameters to be negotiated configured A device referencing an IPsec policy that is configured in this wa...

Page 273: ...s 3 Optional Configure a description for the IPsec policy description text By default no description is configured 4 Specify an ACL for the IPsec policy security acl ipv6 acl number name acl name aggregation per host By default no ACL is specified for the IPsec policy An IPsec policy can reference only one ACL 5 Specify IPsec transform sets for the IPsec policy transform set transform set name 1 6...

Page 274: ...200 kilobytes 13 Optional Enable the global IPsec SA idle timeout function and set the global SA idle timeout ipsec sa idle time seconds By default the global IPsec SA idle timeout function is disabled Configuring an IKE based IPsec policy by referencing an IPsec policy template The configurable parameters for an IPsec policy template are the same as those when you directly configure an IKE based ...

Page 275: ...emplate or IPsec policy For more information about IKE profiles see Configuring IKE 7 Optional Specify the local IP address of the IPsec tunnel local address ipv4 address ipv6 ipv6 address By default the local IPv4 address of IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the...

Page 276: ... an IPsec packet whose destination address is the IP address of the local device it searches for the inbound IPsec SA according to the SPI carried in the IPsec packet header for de encapsulation If the de encapsulated packet matches the permit rule of the ACL the device processes the packet Otherwise it drops the packet An interface can reference only one IPsec policy An IKE based IPsec policy can...

Page 277: ...le IPsec anti replay checking or adjust the size of the anti replay window as required IPsec anti replay does not affect manually created IPsec SAs According to the IPsec protocol only IKE based IPsec SAs support anti replay checking IMPORTANT IPsec anti replay is enabled by default Failure to detect anti replay attacks might result in denial of services Use caution when you disable IPsec anti rep...

Page 278: ... interval for outbound packets redundancy replay interval inbound inbound interval outbound outbound interval By default the master device synchronizes the anti replay window every time it receives 1000 packets and the sequence number every time it sends 100000 packets Binding a source interface to an IPsec policy For high availability a core device is usually connected to an ISP through two links...

Page 279: ...ght classify the packets of one IPsec SA to different queues causing packets to be sent out of order When IPsec anti replay is enabled IPsec will drop the incoming packets that are out of the anti replay window resulting in packet loss If you apply both an IPsec policy and a QoS policy to an interface QoS classifies packets by using the new headers added by IPsec If you want QoS to classify packet...

Page 280: ...in the new header copy Copies the DF bit in the original IP header to the new IP header You can configure the DF bit in system view and interface view The interface view DF bit setting takes precedence over the system view DF bit setting If the interface view DF bit setting is not configured the interface uses the system view DF bit setting Follow these guidelines when you configure the DF bit The...

Page 281: ...protecting data flows and specifies SPIs and the keys used by the SAs The IPsec profile configurations at the two tunnel ends must meet the following requirements The IPsec transform set referenced by the IPsec profile at the two tunnel ends must have the same security protocol encryption and authentication algorithms and packet encapsulation mode The local inbound and outbound IPsec SAs must have...

Page 282: ...mple key value Configure an encryption key in hexadecimal format for ESP sa hex key encryption inbound outbound esp cipher simple key value By default no keys are configured for the IPsec SA Configure a key for the security protocol AH ESP or both you have specified If you configure a key in character format for ESP the device automatically generates an authentication key and an encryption key for...

Page 283: ...display ipsec ipv6 policy policy policy name seq number Display IPsec policy template information display ipsec ipv6 policy template policy template template name seq number Display IPsec profile information display ipsec profile profile name Display IPsec transform set information display ipsec transform set transform set name Display IPsec SA information display ipsec sa brief count interface in...

Page 284: ...lows between Switch A and Switch B SwitchA acl number 3101 SwitchA acl adv 3101 rule 0 permit ip source 2 2 2 1 0 destination 2 2 3 1 0 SwitchA acl adv 3101 quit Create an IPsec transform set named tran1 SwitchA ipsec transform set tran1 Specify the encapsulation mode as tunnel SwitchA ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchA ipsec transform ...

Page 285: ...01 rule 0 permit ip source 2 2 3 1 0 destination 2 2 2 1 0 SwitchB acl adv 3101 quit Create an IPsec transform set named tran1 SwitchB ipsec transform set tran1 Specify the encapsulation mode as tunnel SwitchB ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchB ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorith...

Page 286: ...nterface Vlan interface 1 IPsec policy map1 Sequence number 10 Mode manual Tunnel id 549 Encapsulation mode tunnel Path MTU 1443 Tunnel local address 2 2 2 1 remote address 2 2 3 1 Flow as defined in ACL 3101 Inbound ESP SA SPI 54321 0x0000d431 Transform set ESP ENCRYPT AES CBC 192 ESP AUTH SHA1 No duration limit for this SA Outbound ESP SA SPI 12345 0x00003039 Transform set ESP ENCRYPT AES CBC 19...

Page 287: ... SwitchA ipsec transform set tran1 esp encryption algorithm aes cbc 192 SwitchA ipsec transform set tran1 esp authentication algorithm sha1 SwitchA ipsec transform set tran1 quit Create the IKE keychain named keychain1 SwitchA ike keychain keychain1 Configure the pre shared key used with the peer 2 2 3 1 as plaintext string of 12345zxcvb ZXCVB SwitchA ike keychain keychain1 pre shared key address ...

Page 288: ... set named tran1 SwitchB ipsec transform set tran1 Specify the encapsulation mode as tunnel SwitchB ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchB ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorithms SwitchB ipsec transform set tran1 esp encryption algorithm aes cbc 192 SwitchB ipsec transform set tran1 es...

Page 289: ...ed Configuring IPsec for RIPng Network requirements As shown in Figure 83 Switch A Switch B and Switch C learn IPv6 routes through RIPng Establish an IPsec tunnel between the switches to protect the RIPng packets transmitted in between Specify the security protocol as ESP the encryption algorithm as 128 bit AES and the authentication algorithm as HMAC SHA1 for the IPsec tunnel Figure 83 Network di...

Page 290: ...001 sa spi outbound esp 123456 SwitchA ipsec profile profile1001 sa spi inbound esp 123456 SwitchA ipsec profile profile1001 sa string key outbound esp simple abcdefg SwitchA ipsec profile profile1001 sa string key inbound esp simple abcdefg SwitchA ipsec profile profile1001 quit Apply the IPsec profile to RIPng process 1 SwitchA ripng 1 SwitchA ripng 1 enable ipsec profile profile001 SwitchA ripn...

Page 291: ...sform set named tran1 SwitchC ipsec transform set tran1 SwitchC ipsec transform set tran1 encapsulation mode transport SwitchC ipsec transform set tran1 protocol esp SwitchC ipsec transform set tran1 esp encryption algorithm aes cbc 128 SwitchC ipsec transform set tran1 esp authentication algorithm sha1 SwitchC ipsec transform set tran1 quit Create and configure the IPsec profile named profile001 ...

Page 292: ...sec s Garbage Collect time 120 sec s Number of periodic updates sent 186 Number of trigger updates sent 1 IPsec profile name profile001 Use the display ipsec sa command to display the established IPsec SAs SwitchA display ipsec sa Global IPsec SA IPsec profile profile001 Mode manual Encapsulation mode transport Inbound ESP SA SPI 123456 0x3039 Transform set ESP ENCRYPT AES CBC 128 ESP AUTH SHA1 No...

Page 293: ...that is independent of other keys Automatically negotiates SAs when the sequence number in the AH or ESP header overflows making sure IPsec can provide the anti replay service by using the sequence number As shown in Figure 84 IKE negotiates SAs for IPsec and transfers the SAs to IPsec and IPsec uses the SAs to protect IP packets Figure 84 Relationship between IKE and IPsec IKE negotiation process...

Page 294: ...tection mechanisms and supports secure identity authentication key distribution and IPsec SA establishment on insecure networks Identity authentication The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers The device supports the following identity authentication methods Pre shared key authentication Two communicating peers use the pre configured...

Page 295: ...ith NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode IKE configuration prerequisites Determine the following parameters prior to IKE configuration The algorithms to be used during IKE negotiation including the identity authentication method encryption algorithm authentication algorithm and DH group Different ...

Page 296: ...initiator When the device acts as the responder it uses the IKE negotiation mode of the initiator 4 Specifies the IKE proposals that the device can use as the initiator An IKE proposal specified earlier has a higher priority When the device acts as the responder it uses the IKE proposals configured in system view to match the IKE proposals received from the initiator If a match is not found the ne...

Page 297: ...red key authentication or the PKI domain used to request a certificate for digital signature authentication To specify the keychain for pre shared key authentication keychain keychain name To specify the PKI domain used to request a certificate for digital signature authentication certificate domain domain name Configure at least one command as required By default no IKE keychain or PKI domain is ...

Page 298: ...l for successful IKE negotiation During IKE negotiation The initiator sends its IKE proposals to the peer If the initiator is using an IPsec policy with an IKE profile the initiator sends all IKE proposals referenced by the IKE profile to the peer An IKE proposal specified earlier for the IKE profile has a higher priority If the initiator is using an IPsec policy with no IKE profile the initiator ...

Page 299: ...oup14 By default In non FIPS mode DH group1 the 768 bit DH group is used In FIPS mode DH group14 the 2048 bit DH group is used 7 Set the IKE SA lifetime for the IKE proposal sa duration seconds By default the IKE SA lifetime is 86400 seconds Configuring an IKE keychain Perform this task when you configure the IKE to use the pre shared key for authentication Follow these guidelines when you configu...

Page 300: ...efault an IKE keychain can be applied to any local interface or IP address 5 Optional Specify a priority for the IKE keychain priority number The default priority is 100 Configuring the global identity information Follow these guidelines when you configure the global identity information for the local IKE The global identity can be used by the device for all IKE SA negotiations and the local ident...

Page 301: ...ive function unless IKE DPD is not supported on the peer The IKE keepalive function sends keepalives at regular intervals which consumes network bandwidth and resources The keepalive timeout time configured on the local device must be longer than the keepalive interval configured at the peer Since it seldom occurs that more than three consecutive packets are lost on a network you can set the keepa...

Page 302: ...ll no response is received within the retry interval the local end sends the DPD message again The system allows a maximum of two retries 4 If the local device receives no response after two retries the device considers the peer to be dead and deletes the IKE SA along with the IPsec SAs it negotiated 5 If the local device receives a response from the peer during the detection process the peer is c...

Page 303: ...m view system view N A 2 Enable invalid SPI recovery ike invalid spi recovery enable By default the invalid SPI recovery is disabled Setting the maximum number of IKE SAs You can set the maximum number of half open IKE SAs and the maximum number of established IKE SAs The supported maximum number of half open IKE SAs depends on the device s processing capability Adjust the maximum number of half o...

Page 304: ...re invalid cert auth invalid cookie invalid id invalid proposal invalid protocol invalid sign no sa failure proposal add proposal delete tunnel start tunnel stop unsupport exch type By default SNMP notifications for all failure and event types are enabled Displaying and maintaining IKE Execute display commands in any view and reset commands in user view Task Command Display configuration informati...

Page 305: ...n mode tunnel Use the ESP protocol for the IPsec transform set SwitchA ipsec transform set tran1 protocol esp Specify the encryption and authentication algorithms SwitchA ipsec transform set tran1 esp encryption algorithm aes cbc 192 SwitchA ipsec transform set tran1 esp authentication algorithm sha1 SwitchA ipsec transform set tran1 quit Create IKE keychain keychain1 SwitchA ike keychain keychain...

Page 306: ...0 destination 1 1 1 0 0 SwitchB acl adv 3101 quit Create IPsec transform set tran1 SwitchB ipsec transform set tran1 Set the packet encapsulation mode to tunnel SwitchB ipsec transform set tran1 encapsulation mode tunnel Use the ESP protocol for the IPsec transform set SwitchB ipsec transform set tran1 protocol esp Specify the encryption and authentication algorithms SwitchB ipsec transform set tr...

Page 307: ...e 1 SwitchB Vlan interface1 ipsec apply policy use1 Verifying the configuration Initiate a connection from Switch A to Switch B to trigger IKE negotiation After IPsec SAs are successfully negotiated by IKE traffic between the two switches is IPsec protected Troubleshooting IKE IKE negotiation failed because no matching IKE proposals were found Symptom 1 The IKE SA is in Unknown state Sysname displ...

Page 308: ...sal 1 in profile profile1 If the following debugging information appeared the matched IKE profile is not referencing the matched IKE keychain Failed to find keychain keychain1 in profile profile1 Solution Verify that the matched IKE proposal IKE proposal 1 in this debugging message example is referenced by the IKE profile IKE profile 1 in the example Verify that the matched IKE keychain IKE keycha...

Page 309: ...A Construct notification packet INVALID_ID_INFORMATION Analysis Certain IPsec policy settings of the responder are incorrect Verify the settings as follows 1 Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1 If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile the IPsec SA negotiation fails Verify ...

Page 310: ...the initiator s ACL defines a flow from one network segment to another but the responder s ACL defines a flow from one host to another host IPsec proposal matching will fail On the initiator Sysname display acl 3000 Advanced ACL 3000 named none 2 rules ACL s step is 5 rule 0 permit ip source 192 168 222 0 0 0 0 255 destination 192 168 222 0 0 0 0 255 On the responder Sysname display acl 3000 Advan...

Page 311: ... policy is referencing an IKE profile remove the reference 2 If the flow range defined by the responder s ACL is smaller than that defined by the initiator s ACL modify the responder s ACL so the ACL defines a flow range equal to or greater than that of the initiator s ACL For example Sysname display acl 3000 Advanced ACL 3000 named none 2 rules ACL s step is 5 rule 0 permit ip source 192 168 222 ...

Page 312: ...ugh Stelnet a user can securely log in to a remote server Stelnet can protect devices against attacks such as IP spoofing and plain text password interception The device can act as an Stelnet server or an Stelnet client SFTP Based on SSH2 it uses SSH connections to provide secure file transfer The device can act as an SFTP server allowing a remote user to log in to the SFTP server for secure file ...

Page 313: ...he authentication the client sends a session request to the server to request the establishment of a session or request the Stelnet SFTP SCP or NETCONF service Interaction After the server grants the request the client and the server start to communicate with each other in the session In this stage you can paste commands in text format and execute them at the CLI The text pasted at one time must b...

Page 314: ...s the public key information of the client 2 The server verifies the client s public key If the public key is invalid the server informs the client of the authentication failure If the public key is valid the server requests the digital signature of the client After receiving the signature the server uses the public key to verify the signature and informs the client of the authentication result Wh...

Page 315: ... an SSH user Required if the authentication method is publickey password publickey or any Optional if the authentication method is password Optional Configuring the SSH management parameters N A Generating local key pairs The DSA RSA or ECDSA key pairs are required for generating the session keys and session ID in the key exchange stage They can also be used by a client to authenticate the server ...

Page 316: ...SH server The public key local create ecdsa secp256r1 command generates only an ECDSA host key pair Configuration procedure To generate local key pairs on the SSH server Step Command Remarks 1 Enter system view system view N A 2 Generate local key pairs public key local create dsa ecdsa secp256r1 rsa By default no local key pairs exist Enabling the Stelnet server After you enable the Stelnet serve...

Page 317: ...CONF over SSH commands see Network Management and Monitoring Command Reference To configure NETCONF over SSH Step Command Remark 1 Enter system view system view N A 2 Enable NETCONF over SSH netconf ssh server enable By default NETCONF over SSH is disabled 3 Specify a port to listen for NETCONF over SSH connections netconf ssh server port port number By default port 830 listens for NETCONF over SS...

Page 318: ...on the client to generate the digital signature If the device acts as an SSH client specify the public key algorithm on the client The algorithm determines the associated host private key for generating the digital signature You can enter the content of a client s host public key or import the client s host public key from the public key file HP recommends that you import the client s host public ...

Page 319: ...h user command However if you want to display all SSH users including the password only SSH users for centralized management you can use this command to create them If such an SSH user has been created make sure you have specified the correct service type and authentication method If the authentication method is password publickey or any you must create an SSH user and perform one of the following...

Page 320: ...have the correct CA certificate For more information about configuring a PKI domain see Configuring PKI When the device operates in FIPS mode as an SSH server the device does not support the authentication method of any or publickey For information about configuring local users and remote authentication see Configuring AAA Configuration procedure To configure an SSH user and specify the service ty...

Page 321: ...ol IPv6 SSH user connections ssh server ipv6 acl ipv6 acl number By default no ACLs are specified and all SSH users can initiate connections to the server 7 Set the DSCP value in the packets that the SSH server sends to the SSH clients Set the DSCP value in IPv4 packets ssh server dscp dscp value Set the DSCP value in IPv6 packets ssh server ipv6 dscp dscp value The default setting is 48 The DSCP ...

Page 322: ...e source IPv6 address for SSH packets ssh client ipv6 source interface interface type interface number ipv6 ipv6 address By default the source IP address for SSH packets is not configured The IPv4 SSH packets use the primary IPv4 address of the output interface specified in the routing entry as their source address The IPv6 SSH packets automatically select an IPv6 address as their source address i...

Page 323: ...r publickey keyname source interface interface type interface number ip ip address In non FIPS mode establish a connection to an IPv6 Stelnet server ssh2 ipv6 server port number i interface type interface number identity key dsa ecdsa rsa prefer compress zlib prefer ctos cipher 3des aes128 aes256 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer ...

Page 324: ... for SFTP packets Specify the source IPv4 address for SFTP packets sftp client source ip ip address interface interface type interface number Specify the source IPv6 address for SFTP packets sftp client ipv6 source ipv6 ipv6 address interface interface type interface number By default the source IP address for SFTP packets is not configured The IPv4 SFTP packets use the primary IPv4 address of the...

Page 325: ...ipher aes128 aes256 prefer ctos hmac sha1 sha1 96 prefer kex dh group14 prefer stoc cipher aes128 aes256 prefer stoc hmac sha1 sha1 96 publickey keyname source interface interface type interface number ip ip address In non FIPS mode establish a connection to an IPv6 SFTP server sftp ipv6 server port number i interface type interface number identity key dsa ecdsa rsa prefer compress zlib prefer cto...

Page 326: ...e SFTP server rmdir remote path Available in SFTP client view Working with SFTP files Task Command Remarks Change the name of a file on the SFTP server rename old name new name Available in SFTP client view Download a file from the remote server and save it locally get remote file local file Available in SFTP client view Upload a local file to the SFTP server put local file remote file Available i...

Page 327: ...nd transfer files with the server When you try to access an SCP server the device must use the server s host public key to authenticate the server If the server s host public key is not configured on the device the device will notify you to confirm whether to continue with the access If you choose to continue the device accesses the server and downloads the server s host public key If you choose t...

Page 328: ... sha1 96 publickey keyname source interface interface type interface number ip ip address In non FIPS mode connect to the IPv6 SCP server and transfer files with this server scp ipv6 server port number i interface type interface number put get source file name destination file name identity key dsa ecdsa rsa prefer compress zlib prefer ctos cipher 3des aes128 aes256 des prefer ctos hmac md5 md5 96...

Page 329: ...amples Unless otherwise noted devices in the configuration examples are in non FIPS mode When you configure Stelnet on a device that operates in FIPS mode follow these restrictions and guidelines The modulus length of the key pair must be 2048 bits When the device acts as an Stelnet server only RSA and ECDSA key pairs are supported Password authentication enabled Stelnet server configuration examp...

Page 330: ...ey pair successfully Generate an ECDSA key pair Switch public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the Stelnet server Switch ssh server enable Assign an IP address to VLAN interface 2 The Stelnet client uses this IP address as the destination for SSH connection Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 1 40 255 2...

Page 331: ... are different types of Stelnet client software such as PuTTY and OpenSSH This example uses an Stelnet client that runs PuTTY version 0 58 To establish a connection to the Stelnet server a Launch PuTTY exe to enter the interface shown in Figure 88 b In the Host Name or IP address field enter the IP address 192 168 1 40 of the Stelnet server Figure 88 Specifying the host name or IP address c Click ...

Page 332: ...89 Network diagram Configuration procedure In the server configuration the client s host public key is required Use the client software to generate RSA key pairs on the client before configuring the Stelnet server There are different types of Stelnet client software such as PuTTY and OpenSSH This example uses an Stelnet client that runs PuTTY version 0 58 The configuration procedure is as follows ...

Page 333: ...air on the client a Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 91 Otherwise the progress bar stops moving and the key pair generating progress stops Figure 91 Generating process ...

Page 334: ...ox appears f Click Yes A file saving window appears g Enter a file name private ppk in this example and click Save h Transmit the public key file to the server through FTP or TFTP Details not shown 2 Configure the Stelnet server Generate RSA key pairs Switch system view Switch public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a...

Page 335: ...ion mode scheme Switch line vty0 63 quit Import the client s public key from file key pub and name it switchkey Switch public key peer switchkey import sshkey key pub Create an SSH user client002 Specify the authentication method as publickey for the user Assign the public key switchkey to the user Switch ssh user client002 service type stelnet authentication type publickey assign publickey switch...

Page 336: ...t name or IP address c Select Connection SSH from the navigation tree The window shown in Figure 94 appears d Specify the Preferred SSH protocol version as 2 in the Protocol options area Figure 94 Specifying the preferred SSH version ...

Page 337: ... established the system notifies you to enter the username After entering the username client002 you can enter the CLI of the server Password authentication enabled Stelnet client configuration example Network requirements As shown in Figure 96 You can log in to Switch B through the Stelnet client that runs on Switch A After login you are assigned the user role network admin for configuration mana...

Page 338: ...8 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair SwitchB public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the Stelnet server SwitchB ssh server enable Assign an IP address to VLAN interface 2 The St...

Page 339: ...a connection to the server you can configure the server s host public key on the client to authenticate the server To configure the server s host public key on the client perform the following tasks Use the display public key local dsa public command on the server to display the server s host public key Details not shown Enter public key view of the client and copy the host public key of the serve...

Page 340: ...y1 Username client001 Press CTRL C to abort Connecting to 192 168 1 40 port 22 client001 192 168 1 40 s password Enter a character and a dot to abort Copyright c 2010 2014 Hewlett Packard Development Company L P Without the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB After you enter the correct password you log in to Switch B successfully If the cli...

Page 341: ...lickey authentication and the DSA public key algorithm Figure 97 Network diagram Configuration procedure In the server configuration the client public key is required Use the client software to generate a DSA key pair on the client before configuring the Stelnet server 1 Configure the Stelnet client Assign an IP address to VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 Swi...

Page 342: ... take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair SwitchB public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable Stelnet server SwitchB ssh server enable Assign an IP address to VLAN interface 2 The Stelnet client uses the address as the destination add...

Page 343: ...want to save the server public key Y N n client002 192 168 1 40 s password Enter a character and a dot to abort Copyright c 2010 2014 Hewlett Packard Development Company L P Without the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB Select Yes to access the server and download the server s host public key At the next connection attempt the client authe...

Page 344: ... take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate a DSA key pair Switch public key local create dsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfu...

Page 345: ...ory flash Switch luser manage client002 quit Create an SSH user client002 Specify the authentication method as password and the service type as sftp for the user Switch ssh user client002 service type sftp authentication type password 2 Establish a connection between the SFTP client and the SFTP server The device supports different types of SFTP client software This example uses an SFTP client tha...

Page 346: ...g the SFTP server 1 Configure the SFTP client Assign an IP address to VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 2 255 255 255 0 SwitchA Vlan interface2 quit Generate RSA key pairs SwitchA public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Pr...

Page 347: ... The SFTP client uses the address as the destination for SSH connection SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 0 1 255 255 255 0 SwitchB Vlan interface2 quit Import the peer public key from the file pubkey and name it switchkey SwitchB public key peer switchkey import sshkey pubkey Create an SSH user client001 Specify the service type as sftp and the authenti...

Page 348: ...rwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Add a directory new1 and verify the result sftp mkdir new1 sftp dir l rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug...

Page 349: ...authentication Unless otherwise noted devices in the configuration example are in non FIPS mode When you configure SCP on a device that operates in FIPS mode follow these restrictions and guidelines The modulus length of the key pair must be 2048 bits When the device acts as an SCP server only RSA and ECDSA key pairs are supported Network requirements As shown in Figure 101 You can log in to Switc...

Page 350: ...for VLAN interface 2 The SCP client uses this address as the destination for SCP connection SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 0 1 255 255 255 0 SwitchB Vlan interface2 quit Create a local device management user client001 SwitchB local user client001 class manage Specify the plaintext password as aabbcc and the service type as ssh for the user SwitchB lus...

Page 351: ...uration example with password authentication Unless otherwise noted the switch in the configuration example is in non FIPS mode When you configure NETCONF over SSH on a device that operates in FIPS mode follow these restrictions and guidelines The modulus length of the key pair must be 2048 bits When the device acts as a NETCONF over SSH server only RSA and ECDSA key pairs are supported Network re...

Page 352: ... over SSH Switch netconf ssh server enable Configure an IP address for VLAN interface 2 The client uses this address as the destination for NETCONF over SSH connection Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 1 40 255 255 255 0 Switch Vlan interface2 quit Set the authentication mode to AAA for the user lines Switch line vty 0 63 Switch line vty0 63 authentication...

Page 353: ...s NETCONF and the authentication method as password for the user Switch ssh user client001 service type netconf authentication type password Verifying the configuration Verify that you can perform NETCONF operations after logging in to the switch Details not shown ...

Page 354: ...ficates see Configuring PKI Integrity SSL uses the message authentication code MAC to verify message integrity It uses a MAC algorithm and a key to transform a message of any length to a fixed length message Any change to the original message will result in a change to the calculated fixed length message As shown in Figure 103 the message integrity verification process is as follows a The sender u...

Page 355: ...rt message contains the alert severity level and a description FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode SSL configuration task list Tasks at a glance Remarks Configuring an SSL server policy Perform this configuration task on the SSL...

Page 356: ...sa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode ciphersuite rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha By default an SSL server policy supports all cipher suites 5 Set the maximum number of sessions that the SSL server can cache session cachesize size By default an SSL server can c...

Page 357: ...p_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode prefer cipher rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha In non FIPS mode The default preferred cipher suite is rsa_rc4_128_md5 In FIPS mode The default preferred cipher suite is sa_aes_128_cbc_sha 5 Specify the SSL version for the SSL client policy I...

Page 358: ...nually and dynamic bindings that are generated based on information from other modules NOTE Global IPSG supports only static IP MAC bindings For more information about global static IPSG bindings see Static IPSG bindings As shown in Figure 105 IPSG on the interface forwards only the packets that match one of the IPSG bindings Figure 105 Diagram for the IPSG feature NOTE IPSG is a per interface pac...

Page 359: ...ct only on the interface to check the validity of users who are attempting to access the interface Dynamic IPSG bindings IPSG automatically obtains user information from other modules to generate dynamic bindings The source modules include DHCP relay DHCP snooping DHCPv6 snooping and DHCP server DHCP based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP addresses through DH...

Page 360: ... dynamic bindings from related source modules IPv4SG uses the bindings to filter incoming IPv4 packets based on the matching criteria specified in the ip verify source command To implement dynamic IPv4SG make sure the DHCP snooping or DHCP relay feature operates correctly on the network To enable the IPv4SG feature on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter in...

Page 361: ...re a static IPv4SG binding ip source binding ip address ip address ip address ip address mac address mac address mac address mac address vlan vlan id By default no static IPv4SG binding is configured on an interface The vlan vlan id option is supported only in Layer 2 Ethernet interface view To configure a static IPv4SG binding for the ARP detection function the vlan vlan id option must be specifi...

Page 362: ...face uses the global bindings Configuring a global static IPv6SG binding Step Command Remarks 1 Enter system view system view N A 2 Configure a global static IPv6SG binding ipv6 source binding ip address ipv6 address mac address mac address No global static IPv6SG binding exists Configuring a static IPv6SG binding on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter int...

Page 363: ...ing requirements Ten GigabitEthernet 1 0 2 of Switch A allows only IP packets from Host C to pass Ten GigabitEthernet 1 0 1 of Switch A allows only IP packets from Host A to pass All interfaces of Switch B allow IP packets from Host A to pass Ten GigabitEthernet 1 0 1 of Switch B allows IP packets from Host B to pass Figure 106 Network diagram Configuration procedure 1 Configure Switch A Configure...

Page 364: ...tEthernet1 0 1 ip verify source ip address mac address On Ten GigabitEthernet 1 0 1 configure a static IPv4SG binding for Host B SwitchB Ten GigabitEthernet1 0 1 ip source binding mac address 0001 0203 0407 SwitchB Ten GigabitEthernet1 0 1 quit Verifying the configuration Verify that the static IPv4SG bindings are configured successfully on Switch A SwitchA display ip source binding static Total e...

Page 365: ... the source IP address and MAC address for dynamic IPSG Switch interface ten gigabitethernet 1 0 1 Switch Ten GigabitEthernet1 0 1 ip verify source ip address mac address Enable recording of client information in DHCP snooping entries on Ten GigabitEthernet 1 0 1 Switch Ten GigabitEthernet1 0 1 dhcp snooping binding record Switch Ten GigabitEthernet1 0 1 quit Verifying the configuration Verify tha...

Page 366: ...n record Configure VLAN interface 100 to operate in DHCP relay mode Switch interface vlan interface 100 Switch Vlan interface100 dhcp select relay Specify the IP address of the DHCP server Switch Vlan interface100 dhcp relay server address 10 1 1 1 Switch Vlan interface100 quit Verifying the configuration Verify that a dynamic IPv4SG binding is generated based on a DHCP relay entry Switch display ...

Page 367: ...ully on the switch Switch display ipv6 source binding static Total entries found 1 IPv6 Address MAC Address Interface VLAN Type 2001 1 0001 0202 0202 XGE1 0 1 N A Static Dynamic IPv6SG using DHCPv6 snooping configuration example Network requirements As shown in Figure 1 10 Enable DHCPv6 snooping on the device to record the IPv6 address and the MAC address of the host in a DHCPv6 snooping entry Ena...

Page 368: ... interface ten gigabitethernet 1 0 1 Switch Ten GigabitEthernet1 0 1 ipv6 verify source ip address mac address Enable recording of client information in DHCPv6 snooping entries on Ten GigabitEthernet 1 0 1 Switch Ten GigabitEthernet1 0 1 ipv6 dhcp snooping binding record Switch Ten GigabitEthernet1 0 1 quit Verifying the configuration Verify that a dynamic IPv6SG binding is generated based on a DH...

Page 369: ... a glance Flood prevention Configuring unresolvable IP attack protection configured on gateways Configuring ARP source suppression Configuring ARP blackhole routing Configuring ARP packet rate limit configured on access devices Configuring source MAC based ARP attack detection configured on gateways User and gateway spoofing prevention Configuring ARP packet source MAC consistency check configured...

Page 370: ... device finishes all probes the device deletes the blackhole route and does not perform the remaining probes This feature is applicable regardless of whether the attack packets have the same source addresses Configuring ARP source suppression Step Command Remarks 1 Enter system view system view N A 2 Enable ARP source suppression arp source suppression enable By default ARP source suppression is d...

Page 371: ...ence of an unresolvable IP attack To prevent the attack configure ARP source suppression or ARP blackhole routing Figure 111 Network diagram Configuration procedure If the attack packets have the same source address configure ARP source suppression Enable ARP source suppression Device system view Device arp source suppression enable Allow the device to receive a maximum of 100 unresolvable packets...

Page 372: ...on about notifications see Network Management and Monitoring Command Reference If logging for ARP packet rate limit is enabled the device sends the highest threshold crossed ARP packet rate within the sending interval in a log message to the information center You can configure the information center module to set the log output rules For more information about information center see Network Manag...

Page 373: ...feature does not inspect ARP packets from those devices even if they are attackers Configuration procedure To configure source MAC based ARP attack detection Step Command Remarks 1 Enter system view system view N A 2 Enable source MAC based ARP attack detection and specify the handling method arp source mac filter monitor By default this feature is disabled 3 Configure the threshold arp source mac...

Page 374: ...eway Figure 112 Network diagram Configuration considerations An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address To prevent such attacks configure the gateway in the following steps 1 Enable source MAC based ARP attack detection and specify the handling method as filter 2 Set the threshold 3 Set the lifetime for ARP attack entrie...

Page 375: ...By default ARP packet source MAC address consistency check is disabled Configuring ARP active acknowledgement Configure this feature on gateways to prevent user spoofing ARP active acknowledgement prevents a gateway from generating incorrect ARP entries In strict mode a gateway performs more strict validity checks before creating an ARP entry Upon receiving an ARP request destined for the gateway ...

Page 376: ...er spoofing and gateway spoofing attacks ARP detection does not check ARP packets received from ARP trusted ports ARP detection provides the user validity check ARP packet validity check and ARP restricted forwarding functions If both ARP packet validity check and user validity check are enabled the former one applies first and then the latter applies Configuring user validity check The device che...

Page 377: ...nterface type interface number N A 7 Optional Configure the interface as a trusted interface excluded from ARP detection arp detection trust By default an interface is untrusted Configuring ARP packet validity check Enable validity check for ARP packets received on untrusted ports and specify the following objects to be checked src mac Checks whether the sender MAC address in the message body is i...

Page 378: ...rding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows If the packets are ARP requests they are forwarded through the trusted interface If the packets are ARP replies they are forwarded according to their destination MAC address If no match is found in the MAC address table they are forwarded through the trusted interface Configure user validi...

Page 379: ...tch B to VLAN 10 and specify the IP address of VLAN interface 10 on Switch A Details not shown 2 Configure the DHCP server on Switch A and configure DHCP address pool 0 SwitchA system view SwitchA dhcp enable SwitchA dhcp server ip pool 0 SwitchA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 3 Configure Host A DHCP client and Host B Details not shown 4 Configure Switch B Enable DHCP snooping Swi...

Page 380: ...rface ten gigabitethernet 1 0 2 SwitchB Ten GigabitEthernet1 0 2 ip source binding ip address 10 1 1 6 mac address 0001 0203 0607 vlan 10 SwitchB Ten GigabitEthernet1 0 2 quit Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets SwitchB arp detection validate dst mac ip src mac After the configurations are completed Switch B first checks the validity of AR...

Page 381: ... system view SwitchB dhcp snooping enable SwitchB interface ten gigabitethernet 1 0 3 SwitchB Ten GigabitEthernet1 0 3 dhcp snooping trust SwitchB Ten GigabitEthernet1 0 3 quit Enable ARP detection for user validity check SwitchB vlan 10 SwitchB vlan10 arp detection enable Configure Ten GigabitEthernet 1 0 3 as an ARP trusted port SwitchB vlan10 interface ten gigabitethernet 1 0 3 SwitchB Ten Giga...

Page 382: ...uests from Host A to Switch A through the trusted interface Ten GigabitEthernet 1 0 3 Host B cannot receive such packets Port isolation works correctly Configuring ARP scanning and fixed ARP ARP scanning is typically used together with the fixed ARP feature in small scale networks ARP scanning automatically creates ARP entries for devices in an address range The device performs ARP scanning in the...

Page 383: ...interfaces not connected to a gateway to prevent gateway spoofing attacks. When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet correctly. Configuration guidelines: Follow these guidelines when you configure ARP gateway protection: You can enable AR...

Page 384: ...Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-Ten-GigabitEthernet1/0/1] quit
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] arp filter source 10.1.1.1
Verifying the configuration: Verify that Ten-GigabitEthernet 1/0/1...

Page 385: ...plies first. Configuration procedure: To configure ARP filtering:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A
3. Enable ARP filtering and configure a permitted entry. | arp filter binding ip-address mac-address | By default, ARP filtering is disabled.
Configuration example: Network...

Page 386: ...0.1.1.2 000f-e349-1233
[SwitchB-Ten-GigabitEthernet1/0/1] quit
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
Verifying the configuration: Verify that Ten-GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets. Verify that Ten-GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other A...

Page 387: ...ateway for further forwarding. The hosts are isolated at Layer 2, but they can communicate at Layer 3. An MFF-enabled device and a host cannot ping each other. Figure 117 Network diagram for MFF. MFF works with any of the following features to implement traffic filtering and Layer 2 isolation on the EANs: ARP snooping (see Layer 3 IP Services Configuration Guide); IP source guard (see "Configuring IP source...

Page 388: ...ts. Upstream ports connected to a gateway. Ports connected to the MFF devices in a cascaded network (a network with multiple MFF devices connected to one another). Ports between devices in a ring network. Link aggregation is supported by network ports in an MFF-enabled VLAN, but it is not supported by user ports in the VLAN. You can add the network ports to link aggregation groups, but cannot add the user...

Page 389: ...sends the requested host's MAC address to the gateway if the corresponding entry is available. If the entry is not available, the MFF device forwards the ARP request. The MFF device forwards ARP replies between hosts and gateways. If the source MAC addresses of ARP requests from gateways are different from those recorded, the MFF device updates and broadcasts the IP and MAC addresses of the gateways. Pr...

Page 390: ...periodic gateway probe: mac-forced-forwarding gateway probe. By default, this feature is disabled. Specifying the IP addresses of servers: You must specify the servers on the MFF device to ensure communication between the servers and clients. When the MFF device receives an ARP request from a server, the MFF device searches the IP-to-MAC address entries it has stored. Then the device replies with the request...

Page 391: ...erface. Display the MFF configuration information for a VLAN: display mac-forced-forwarding vlan vlan-id. MFF configuration examples: Manual-mode MFF configuration example in a tree network. Network requirements: As shown in Figure 118, all the devices are in VLAN 100. Hosts A, B, and C are assigned IP addresses manually. Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each...

Page 392: ...00
[SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
[SwitchB-vlan100] arp snooping enable
[SwitchB-vlan100] quit
# Configure Ten-GigabitEthernet 1/0/6 as a network port.
[SwitchB] interface ten-gigabitethernet 1/0/6
[SwitchB-Ten-GigabitEthernet1/0/6] mac-forced-forwardi...

Page 393: ...hernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] mac-forced-forwarding network-port
[SwitchA-Ten-GigabitEthernet1/0/2] quit
[SwitchA] interface ten-gigabitethernet 1/0/3
[SwitchA-Ten-GigabitEthernet1/0/3] mac-forced-forwarding network-port
3. Configure Switch B:
# Enable STP globally to make sure STP is enabled on interfaces.
[SwitchB] stp global enable
# Configure manual-mode MFF on VLAN 100.
[SwitchB] vlan 100
[Switc...

Page 394: ...tchB-Ten-GigabitEthernet1/0/4] mac-forced-forwarding network-port
[SwitchB-Ten-GigabitEthernet1/0/4] quit
[SwitchB] interface ten-gigabitethernet 1/0/6
[SwitchB-Ten-GigabitEthernet1/0/6] mac-forced-forwarding network-port
4. Enable STP on Switch C globally to make sure STP is enabled on interfaces.
<SwitchC> system-view
[SwitchC] stp global enable ...

Page 395: ...cannot enable or disable software crypto engines. The switch only supports software crypto engines in the current software version. Crypto engines provide encryption/decryption services for service modules, for example, the IPsec module. When a service module requires data encryption/decryption, it sends the desired data to a crypto engine. After the crypto engine completes data encryption/decryption, it...

Page 396: ...through a console port, and then create a key pair for the SSH server. The password for entering the device in FIPS mode must comply with the password control policies, such as password length, complexity, and aging policy. When the aging timer for a password expires, the system prompts you to change the password. If you adjust the system time after the device enters FIPS mode, the login password might ex...

Page 397: ...c, you must reboot the entire IRF fabric. Configuring FIPS mode: Entering FIPS mode: After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device has strict security requirements and performs self-tests on cryptography modules to verify that they are operating correctly. A FIPS device meets the requirements defined in the Network Device Protection Profile (NDPP) of Common...

Page 398: ...ocal user service types: Telnet, HTTP, and FTP. 6. Enable FIPS mode. 7. Select the manual reboot method. 8. Save the configuration file and specify it as the startup configuration file. 9. Delete the startup configuration file in binary format (an .mdb file). 10. Reboot the device. The system enters FIPS mode. You can use the configured username and password to log in to the device in FIPS mode. To enable FIPS mode...

Page 399: ...and specifies the file as the startup configuration file. The system reboots the device by using the default non-FIPS configuration file. After the reboot, you are directly logged into the device. Manual reboot: This method requires that you manually complete the configurations for entering non-FIPS mode and then reboot the device. To log in to the device after the reboot, you must enter user informatio...

Page 400: ...ut is already known. The calculated output is compared with the known answer. If they are not identical, the KAT test fails. Pairwise conditional test (PWCT): Signature and authentication test. The test is run when a DSA, RSA, or ECDSA asymmetrical key pair is generated. It uses the private key to sign the specific data, and it then uses the public key to authenticate the signed data. If the authentication is...

Page 401: ...entication is successful, the test succeeds. Continuous random number generator test: This test is run when a random number is generated. If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test can also be run when a DSA/RSA asymmetrical key pair is generated. Triggering self-tests: To examine whether the cryptography modules operate correctly, you can trigger...

Page 402: ...haracters): root
Enter password (15-63 characters):
Confirm password:
Waiting for reboot... After reboot, the device will enter FIPS mode.
Verifying the configuration: After the device reboots, enter the username root and the password 12345zxcvb ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the p...

Page 403: ...f test, a password of 12345zxcvb ZXCVB, a user role of network-admin, and a service type of terminal.
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password simple 12345zxcvb ZXCVB
[Sysname-luser-manage-test] authorization-attribute user-role network-admin
[Sysname-luser-manage-test] service-type terminal
[Sysname-luser-manage-test] quit
# Enable FIPS mode and choose the manual reboot method...

Page 404: ...al characters. For more information about the requirements for the password, see the system output.
Press ENTER to get started.
login: test
Password:
First login or password reset. For security reason, you need to change your password. Please enter your password.
old password:
new password:
confirm:
Updating user information. Please wait...
<Sysname>
# Display the current FIPS mode state.
<Sysname> display fips status
F...

Page 405: ...e, and then reboot to enter non-FIPS mode.
# Set the authentication mode for VTY lines to scheme.
[Sysname] line vty 0 63
[Sysname-line-vty0-63] authentication-mode scheme
# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file nam...

Page 406: ...394
login: test
Password:
Last successfully login time:
<Sysname>
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is disabled. ...

Page 407: ...onfiguration task list: Tasks at a glance: (Required.) Creating a user profile. (Required.) Configuring parameters for a user profile. Configuration restrictions and guidelines: Before creating a user profile, perform the following tasks: 1. Plan the authentication method for your network. The user profile supports working with 802.1X and MAC authentication. In remote authentication, specify a user profile for eac...

Page 408: ...y must already exist. For information about QoS policy configuration, see ACL and QoS Configuration Guide. For information about the commands, see ACL and QoS Command Reference. Displaying and maintaining user profiles: Execute display commands in any view. Task | Command: Display configuration and online user information for the specified user profile or all user profiles. | display user-profile [ name profile...

Page 409: ...h ACL 2000.
[Switch] traffic classifier for_usera
[Switch-classifier-for_usera] if-match acl 2000
[Switch-classifier-for_usera] quit
# Create traffic behavior for_usera and configure a traffic filtering action as deny.
[Switch] traffic behavior for_usera
[Switch-behavior-for_usera] filter deny
[Switch-behavior-for_usera] quit
# Create QoS policy for_usera and associate traffic class for_usera with traffic behavior...

Page 410: ...on User C.
# Create traffic behavior for_userc and configure a CAR action in traffic behavior database. Set the CIR to 4000 kbps.
[Switch] traffic behavior for_userc
[Switch-behavior-for_userc] car cir 4000
[Switch-behavior-for_userc] quit
# Create QoS policy for_userc and associate traffic class class with traffic behavior for_userc.
[Switch] qos policy for_userc
[Switch-qospolicy-for_userc] classifier class beha...

Page 411: ...c
[Switch-luser-network-userc] quit
8. Configure the authentication, authorization, and accounting method for local users.
# Configure ISP domain user to use local authentication and authorization without accounting for local users.
[Switch] domain user
[Switch-isp-user] authentication lan-access local
[Switch-isp-user] authorization lan-access local
[Switch-isp-user] accounting login none
[Switch-isp-user] quit
9. C...

Page 412: ...rvice VLAN: 1
User Profile: userb
Inbound Policy: for_userb, slot 1
User Authentication type: 802.1X
Network attributes:
Interface: Ten-GigabitEthernet1/0/1
MAC address: 80c1-6ee0-2664
Service VLAN: 1
User Profile: userc
Outbound Policy: for_userc, slot 1
User Authentication type: 802.1X
Network attributes:
Interface: Ten-GigabitEthernet1/0/1
MAC address: 6805-ca05-3efa
Service VLAN: 1 ...

Page 413: ...ion feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that a traditional packet filter cannot detect. As defined in RFC 1858, attack TCP fragments refer to the following TCP fragments: First fragments in which the TCP header is smaller than 20 bytes. Non-first fragments with a fragment offset of 8 bytes (FO=1). To configure TCP fragment attack prevention: Step | Command | R...

Page 414: ...k feature is typically configured on gateways to prevent ND attacks. This feature checks the source MAC address and the source link-layer address for consistency for each arriving ND packet. If the source MAC address and the source link-layer address are not the same, the device drops the packet. If the addresses are the same, the device continues learning ND entries. The ND logging feature logs source MAC...

Page 415: ...ing, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources. Related information: Documents: To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals. For related documentation, navigate to the Networking section, and select a networking category. For a complete list...

Page 416: ...eparated by vertical bars, from which you select one choice, multiple choices, or none. &<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times. #: A line that starts with a pound (#) sign is comments. GUI conventions: Convention | Description: Boldface | Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; cl...

Page 417: ...r a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch. Represents an access point. Represents a mesh access point. Represents omnidirectional signals. Represents directional signals. Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device. Represents a security card, such as a firewall, load balancing, NetStream, SSL VPN, IPS...

Page 418: ...93 MAC authentication delay 108 MAC based access control 71 maintain 90 mandatory port authentication domain 84 online user handshake 83 overview 62 packet format 63 periodic online user reauthentication 85 port authorization state 81 port authorization status 62 port security authentication control mode 173 port security client macAddressElseUserLoginSecure 189 port security client userLoginWithO...

Page 419: ...policy server IP address 30 RADIUS server SSH user authentication authorization 51 RADIUS server status 26 RADIUS session control 46 RADIUS shared keys 25 RADIUS SNMP notification 31 RADIUS timers 29 RADIUS traffic statistics units 25 RADIUS username format 25 scheme configuration 18 SSH user local authentication HWTACACS authorization RADIUS accounting 49 troubleshoot HWTACACS 60 troubleshoot LDA...

Page 420: ... in ring network 380 MFF manual mode in tree network 379 scanning configuration restrictions 370 ARP attack protection active acknowledgement 363 ARP detection display 366 ARP detection maintain 366 authorized ARP configuration 364 configuration 357 detection configuration 364 filtering configuration 372 373 fixed ARP configuration 370 gateway protection 371 372 packet rate limit configuration 360...

Page 421: ...S authorization RADIUS accounting 49 IPsec 253 IPsec authentication algorithms 253 IPsec Authentication Header Use AH IPsec configuration 250 272 IPsec Encapsulating Security Payload Use ESP IPsec IKE configuration main mode pre shared key authentication 292 IPsec IKE DSA signature authentication 282 IPsec IKE pre shared key authentication 282 IPsec IKE RSA signature authentication 282 IPsec RIPng...

Page 422: ...thentication BAS IP 134 binding IP source guard IPSG dynamic binding 347 IP source guard IPSG static binding 347 IPsec source interface to policy 266 IPv4 source guard IPv4SG dynamic binding configuration 352 IPv4 source guard IPv4SG dynamic binding DHCP relay configuration 353 IPv4 source guard IPv4SG static binding configuration 349 351 IPv6 source guard IPv6SG dynamic binding DHCPv6 snooping co...

Page 423: ...02 1X authentication 90 802 1X authentication trigger 83 802 1X Auth Fail VLAN 74 87 802 1X authorization VLAN assignment 93 802 1X basics 90 802 1X critical VLAN 76 88 802 1X EAD assistant 89 97 802 1X guest VLAN 73 86 802 1X guest VLAN assignment 93 802 1X online user handshake 83 802 1X quiet timer 85 AAA 1 16 48 AAA HWTACACS schemes 32 AAA HWTACACS server SSH user 48 AAA ISP domain accounting ...

Page 424: ...Pv4SG 348 IPv4 source guard IPv4SG dynamic binding 352 IPv4 source guard IPv4SG dynamic binding DHCP relay 353 IPv4 source guard IPv4SG static binding 349 351 IPv6 source guard IPv6SG 349 IPv6 source guard IPv6SG dynamic binding DHCPv6 snooping 355 IPv6 source guard IPv6SG static binding 350 354 MAC authentication 101 105 1 1 1 MAC authentication local 1 1 1 MAC authentication RADIUS based 1 13 MA...

Page 425: ...3 security portal authentication Web server 125 security portal authentication Web server detection 132 security user profile 395 source MAC consistency check 402 SSH 300 SSH client host public key 306 SSH device as Secure Telnet client 310 SSH device as server 303 SSH device as SFTP client 312 SSH management parameters 308 SSH SCP client device 315 SSH Secure Telnet 317 SSH Secure Telnet client p...

Page 426: ...ing user profile 395 crypto engine configuration 383 IPv4 source guard IPv4SG dynamic binding DHCP relay configuration 353 MFF server IP address 378 security password control 197 202 security password control configuration 194 security password control global parameters 198 security password control local user parameters 200 security password control user group parameters 199 security password set...

Page 427: ... 230 PKI verification CRL checking 226 PKI verification w o CRL checking 226 PKI Windows 2003 CA server certificate request 233 Digital Signature Algorithm Use DSA direct portal authentication mode 120 121 directory AAA LDAP directory service 9 SSH SFTP 314 displaying 802 1X 90 AAA 48 AAA HWTACACS 38 AAA LDAP 41 AAA local users user groups 22 AAA RADIUS 32 ARP attack detection source MAC based 361...

Page 428: ...termination 80 802 1X periodic online user reauthentication 85 AAA RADIUS session control 46 AAA RADIUS SNMP notification 31 IPsec ACL de encapsulated packet check 264 IPsec IKE invalid SPI recovery 291 IPsec packet logging 268 IPsec QoS pre classify 267 IPv4 source guard IPv4SG on interface 348 IPv6 source guard IPv6SG on interface 349 MAC authentication 105 MAC authentication multi VLAN mode 108...

Page 429: ...m file 210 public key import from file 213 SSH SFTP 314 filtering ARP packets 372 373 FIPS configuration 384 390 configuration restrictions 384 display 389 mode configuration 385 mode entry 385 mode entry automatic reboot 390 mode entry manual reboot 391 mode exit 387 mode exit automatic reboot 392 mode exit manual reboot 393 mode system changes 386 self test 388 FIPS compliance AAA 16 IPsec 254 I...

Page 430: ...ication 73 802 1X configuration 86 MAC authentication 102 MAC authentication configuration 109 H handshake protocol SSL 342 handshaking 802 1X online user handshake 83 hardware crypto engine configuration 383 history security password history 196 HP AAA RADIUS HP proprietary attributes 15 HTTP SSL configuration 342 343 HW Terminal Access Controller Access Control System Use HWTACACS AAA configurat...

Page 431: ...sed IPsec 253 255 security application based IPsec 254 importing peer host public key from file 210 PKI certificate import export 240 public key from file 213 troubleshooting PKI CA certificate import failure 248 troubleshooting PKI local certificate import failure 248 initiating 802 1X authentication 65 66 interface security portal authentication Web server reference 126 Internet SSL configuratio...

Page 432: ...rror image ACLs 256 non mirror image ACLs 256 packet DF bit 268 packet logging enable 268 PKI configuration 216 218 230 policy application to interface 264 policy configuration IKE based 260 policy configuration IKE based direct 261 policy configuration IKE based template 262 policy configuration manual 258 policy configuration restrictions 258 policy configuration restrictions IKE based 260 proto...

Page 433: ...AAA ISP domain creation 42 AAA ISP domain method 41 K keepalive IPsec IKE function 289 IPsec IKE NAT function 289 keep online feature MAC authentication 1 10 key IPsec IKE pre shared key authentication 282 PKI configuration 216 218 230 key pair SSH DSA host key pair 303 SSH ECDSA host key pair 303 SSH RSA host key pair 303 SSH RSA server key pair 303 keychain IPsec IKE keychain 287 keyword IPsec A...

Page 434: ...47 logging out security portal authentication users 136 login security password expired login 195 security password user first login 196 security password user login attempt limit 196 security password user login control 196 Login Service attribute RADIUS 31 M MAC 802 1X MAC based access control 71 address See ARP attack detection source MAC based 361 authentication See SSL services 342 MAC addres...

Page 435: ...olicies 101 user profile assignment 104 VLAN assignment 102 MAC learning port security autoLearn MAC learning control 175 port security MAC learning control modes 173 port security secure MAC learning control 175 MAC forced forwarding Use maintaining 802 1X 90 AAA HWTACACS 38 AAA RADIUS 32 ARP detection 366 crypto engine 383 IP source guard IPSG 350 IPsec 271 IPsec IKE 292 IPv4 source guard IPv4SG...

Page 436: ...ation 175 userLoginWithOUI 802 1X authentication 175 multicast 802 1X multicast trigger mode 65 83 N NAS AAA configuration 16 AAA device implementation 1 1 AAA HWTACACS implementation 7 AAA LDAP implementation 9 AAA NAS ID profile configuration 47 AAA RADIUS implementation 2 AAA RADIUS security policy server IP address 30 applying interface NAS ID profile RADIUS 135 NAT IPsec IKE keepalive functio...

Page 437: ...P source guard IPSG static binding 347 IPsec ACL 256 IPsec ACL de encapsulated packet check 264 IPsec ACL based implementation 253 255 IPsec anti replay 265 IPsec anti replay redundancy 266 IPsec application based implementation 254 IPsec IKE configuration main mode pre shared key authentication 292 IPsec IKE SNMP notification 291 IPsec implementation 253 IPsec IPv6 routing protocol profile manual...

Page 438: ...lient macAddressElseUserLoginSecure 189 port security client userLoginWithOUI 186 port security features 173 179 port security intrusion protection 179 port security MAC address autoLearn 184 port security MAC address learning control 175 port security mode 173 178 port security NAS ID profile 183 port security NTK 179 port security secure MAC address 180 port security secure MAC address port limi...

Page 439: ...m file 213 public key management 206 21 1 security password control 197 202 security password control configuration 194 security portal authentication 123 security portal authentication configuration 1 18 1 18 security user profile configuration 395 SSH configuration 300 SSL configuration 342 343 SSL services 342 no AAA no accounting method 12 AAA no authentication 12 AAA no authorization 12 notif...

Page 440: ...sword control global parameters 198 security password control local user parameters 200 security password control user group parameters 199 security super password control parameters 201 password SSH password authentication 301 SSH password publickey authentication 301 SSH Secure Telnet client password authentication 325 SSH Secure Telnet server password authentication 317 SSH SFTP server password...

Page 441: ... AAA RADIUS security policy server IP address 30 IPsec manual 258 IPsec application to interface 264 IPsec policy IKE based 260 IPsec policy IKE based direct 261 IPsec policy IKE based template 262 IPsec QoS pre classify enable 267 IPsec source interface policy bind 266 IPsec transform set 257 MAC authentication user account policies 101 PKI CA policy 217 PKI certificate based access control polic...

Page 442: ...cannot be set 193 troubleshooting secure MAC addresses 193 portal security user profile configuration 395 portal authentication AAA server 1 19 access device 1 19 authentication destination subnet 128 authentication modes 120 authentication process 121 authentication server 1 19 authentication source subnet 127 BAS IP 134 client 1 19 configuration 1 18 123 137 configuration restrictions 125 cross ...

Page 443: ...od 41 configuring AAA LDAP administrator attributes 39 configuring AAA LDAP scheme 38 configuring AAA LDAP server IP address 39 configuring AAA LDAP server SSH user authentication 54 configuring AAA LDAP user attributes 40 configuring AAA local user 18 configuring AAA local user attributes 19 configuring AAA NAS ID profile 47 configuring AAA RADIUS accounting on 30 configuring AAA RADIUS Login Ser...

Page 444: ...Pv4 source guard IPv4SG dynamic binding 352 configuring IPv4 source guard IPv4SG dynamic binding DHCP relay 353 configuring IPv4 source guard IPv4SG static binding 349 351 configuring IPv6 source guard IPv6SG 349 configuring IPv6 source guard IPv6SG dynamic binding DHCPv6 snooping 355 configuring IPv6 source guard IPv6SG static binding 350 354 configuring MAC authentication 105 configuring MAC aut...

Page 445: ...al authentication Web server 125 configuring security portal authentication Web server detection 132 configuring security user profile 395 configuring source MAC consistency check 402 configuring SSH client host public key 306 configuring SSH device as Secure Telnet client 310 configuring SSH device as server 303 configuring SSH device as SFTP client 312 configuring SSH management parameters 308 c...

Page 446: ...line 184 enabling port security MAC move 182 enabling security password control 198 enabling security portal authentication 125 enabling security portal authentication roaming 136 enabling SSH SCP server 305 enabling SSH SFTP server 304 enabling Stelnet server 304 entering FIPS mode automatic reboot 385 entering FIPS mode manual reboot 385 entering peer host public key 210 entering peer public key...

Page 447: ...oing packet source IP address 36 specifying AAA HWTACACS shared keys 35 specifying AAA LDAP authentication server 41 specifying AAA LDAP version 39 specifying AAA RADIUS accounting server parameters 24 specifying AAA RADIUS authentication server 23 specifying AAA RADIUS outgoing packet source IP address 28 specifying AAA RADIUS shared keys 25 specifying MAC authentication domain 106 specifying MFF...

Page 448: ... 63 AAA 13 AAA HWTACACS 7 13 AAA LDAP 9 13 AAA RADIUS 2 13 IPsec 254 IPsec IKE 283 IPsec IPv6 routing protocols configuration 269 IPsec security protocol 50 ESP 251 IPsec security protocol 51 AH 251 MFF 377 SSL configuration 342 343 SSL protocol stack 342 public key display 21 1 file import 213 FIPS compliance 206 host public key display 209 host public key export 208 local host public key distrib...

Page 449: ...ion HWTACACS authorization RADIUS accounting 49 traffic statistics units 25 troubleshooting 59 troubleshooting accounting error 60 troubleshooting authentication failure 59 troubleshooting packet delivery failure 59 troubleshooting security portal authentication cannot log out users RADIUS server 171 user authentication methods 3 username format 25 rate ARP packet rate limit 360 real time AAA HWTA...

Page 450: ... authentication 334 rule IPsec ACL rule keywords 256 security portal authentication portal free rule 126 S S MIME PKI secure email 218 SA IPsec transform set 257 security IKE SA max number set 291 troubleshooting IPsec SA negotiation failure invalid identity info 297 troubleshooting IPsec SA negotiation failure no transform set match 296 scheme AAA 18 AAA HWTACACS 32 AAA LDAP 38 AAA LDAP scheme cr...

Page 451: ...ion RADIUS accounting 49 ARP active acknowledgement 363 ARP attack detection source MAC based 361 362 ARP attack protection unresolvable IP attack 357 359 ARP attack protection blackhole routing unresolvable IP attack 358 ARP attack protection configuration 357 ARP attack protection source suppression unresolvable IP attack 358 ARP detection configuration 364 ARP detection display 366 ARP detectio...

Page 452: ...tion local 1 1 1 MAC authentication RADIUS based 1 13 MAC authentication ACL assignment 104 1 15 MAC authentication concurrent port users max 107 MAC authentication configuration 101 MAC authentication critical VLAN 109 MAC authentication delay 108 108 MAC authentication display 1 1 1 MAC authentication domain 106 MAC authentication enable 105 MAC authentication guest VLAN 109 MAC authentication k...

Page 453: ...30 portal authentication direct 137 portal authentication domain 129 portal authentication extended cross subnet 159 portal authentication extended direct 152 portal authentication extended re DHCP 155 portal authentication fail permit 134 portal authentication logout 136 portal authentication max number users 129 portal authentication policy server 1 19 portal authentication re DHCP 145 portal au...

Page 454: ...failure 248 troubleshooting PKI certificate export failure 249 troubleshooting PKI configuration 245 troubleshooting PKI CRL obtain failure 247 troubleshooting PKI local certificate failure 245 troubleshooting PKI local certificate import failure 248 troubleshooting PKI local certificate request failure 246 troubleshooting PKI storage path set failure 249 server 802 1X authentication 90 802 1X aut...

Page 455: ...ameters 308 shared key AAA HWTACACS 35 AAA RADIUS 25 signature authentication IKE 282 SNMP AAA RADIUS notifications 31 IPsec IKE SNMP notification 291 IPsec SNMP notification 270 software crypto engine configuration 383 source ARP attack detection source MAC based 361 362 ARP src mac validity check 365 security portal authentication portal free rule 126 security portal authentication subnet 127 so...

Page 456: ...es 314 SFTP help information display 314 SFTP server connection establishment 312 SFTP server connection termination 315 SFTP server enable 304 SFTP server password authentication 331 Stelnet server enable 304 user configuration 307 versions 300 SSL client policy configuration 344 configuration 342 343 display 345 FIPS compliance 343 PKI configuration 216 218 230 PKI Web application 218 protocol s...

Page 457: ...ure Telnet server connection establishment 310 SSH Secure Telnet server password configuration 317 SSH Secure Telnet server publickey authentication 320 terminal AAA RADIUS Login Service attribute check method 31 terminating SSH SFTP server connection 315 testing FIPS conditional self test 388 FIPS power up self test 388 FIPS triggered self test 388 TFTP local host public key distribution 208 time...

Page 458: ...rver 171 security portal authentication no page pushed for users 170 security portal authentication users cannot log in re DHCP 172 security portal authentication users logged out still exist on server 171 tunneling IPsec configuration 250 272 IPsec encapsulation tunnel mode 251 IPsec RIPng configuration 277 IPsec tunnel establishment 254 IPsec tunnel for IPv4 packets IKE based 274 IPsec tunnel fo...

Page 459: ...ns 1 1 AAA management by user access types 1 1 AAA user role authentication 12 user profile 802 1X user profile assignment 78 configuration 395 configuration restrictions 395 creating 395 displaying 396 MAC authentication user profile assignment 104 user profile parameters configuring 396 userLoginWithOUI 186 username AAA HWTACACS format 35 AAA RADIUS format 25 V validity check ARP packet 365 ARP ...

Page 460: ...2 security portal authentication extended functions 1 18 security portal authentication extended re DHCP 155 security portal authentication re DHCP 145 security portal authentication server detection user synchronization 162 security portal authentication system components 1 18 security portal authentication Web server 1 19 125 security portal authentication Web server detection 132 security porta...
