HPE 704654-B21 Security Configuration Manual Download Page 527

Page: 527 / 540

514

802.1X protocol packet sending rule,

protocols

client and local portal server interaction,

125

protocols and standards

802.1X overview,

802.1X related protocols,

AAA,

AAA HWTACACS,

AAA LDAP,

AAA RADIUS,

IPsec,

262

IPsec IKE,

290

IPsec IKEv2,

307

IPsec IPv6 routing protocols
configuration,

276

IPsec security protocol 50 (ESP),

258

IPsec security protocol 51 (AH),

MFF,

SSL configuration,

SSL protocol stack,

public key

display,

220

file import,

222

FIPS compliance,

216

host public key display,

218

host public key export,

218

local host public key distribution,

218

local key pair creation,

216

local key pair destruction,

management,

peer configuration,

peer host public key import from file,

219

peer public key entry,

219

220

SSH client host public key configuration,

331

SSH password-publickey authentication,

326

SSH publickey authentication,

326

SSH Secure Telnet client publickey
authentication,

358

SSH Secure Telnet server publickey
authentication,

349

SSH SFTP client publickey
authentication,

366

SSH user configuration,

332

Public Key Infrastructure.

Use

PKI

QoS

IPsec QoS pre-classify enable,

274

user profile configuration,

447

QoS or CAR parameters

configuring,

447

quiet

MAC authentication quiet timer,

108

quiet timer

802.1X,

PKI architecture,

226

PKI certificate,

225

RADIUS

802.1X EAP over RADIUS,

802.1X EAP relay enable,

802.1X EAP termination enable,

802.1X RADIUS EAP-Message attribute,

802.1X RADIUS Message-Authentication
attribute,

AAA configuration,

AAA implementation,

AAA local user configuration,

AAA MPLS L3VPN implementation,

AAA NAS-ID profile configuration,

AAA scheme,

accounting server parameters,

accounting-on configuration,

applying interface NAS-ID profile,

141

attributes,

authentication server,

client/server model,

common standard attributes,

DAE server,

display,

extended attributes,

HPE proprietary attributes,

HWTACACS/RADIUS differences,

information exchange security,

MAC authentication,

103

MAC authentication (RADIUS-based),

117

MAC authentication authorization VLAN,

104

maintain,

outgoing packet source IP address,

packet exchange process,

packet format,

port security macAddressWithRadius,

187

port security NAS-ID profile,

194

protocols and standards,

request transmission attempts max,

scheme configuration,

scheme creation,

scheme VPN instance specification,

security policy server IP address,

Summary of Contents for 704654-B21

Page 1: ...HPE Moonshot 45Gc 45XGc 180XGc Switch Module Security Configuration Guide Part number 859335 002 Software version Release 242x Document version 6W100 20160201...

Page 2: ...d 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to thi...

Page 3: ...f concurrent login users 48 Configuring a NAS ID profile 49 Displaying and maintaining AAA 49 AAA configuration examples 50 AAA for SSH users by an HWTACACS server 50 Local authentication HWTACACS aut...

Page 4: ...es 86 Configuration prerequisites 87 Configuration procedure 87 Enabling 802 1X guest VLAN assignment delay 87 Configuring an 802 1X Auth Fail VLAN 88 Configuration guidelines 88 Configuration prerequ...

Page 5: ...em components 123 Portal system using the local portal Web server 125 Interaction between portal system components 125 Portal authentication modes 126 Portal authentication process 126 Portal configur...

Page 6: ...AC addresses on a port 189 Setting the port security mode 189 Configuring port security features 190 Configuring NTK 190 Configuring intrusion protection 191 Configuring secure MAC addresses 191 Confi...

Page 7: ...c certificate request 232 Manually requesting a certificate 232 Aborting a certificate request 233 Obtaining certificates 233 Configuration prerequisites 233 Configuration guidelines 233 Configuration...

Page 8: ...ion examples 279 Configuring a manual mode IPsec tunnel for IPv4 packets 279 Configuring an IKE based IPsec tunnel for IPv4 packets 281 Configuring IPsec for RIPng 284 Configuring IKE 288 Overview 288...

Page 9: ...server configuration task list 328 Generating local key pairs 328 Enabling the Stelnet server 329 Enabling the SFTP server 329 Enabling the SCP server 330 Configuring NETCONF over SSH 330 Configuring...

Page 10: ...SSL security services 385 SSL protocol stack 385 FIPS compliance 386 SSL configuration task list 386 Configuring an SSL server policy 386 Configuring an SSL client policy 388 Displaying and maintaini...

Page 11: ...rotection 418 Configuration guidelines 418 Configuration procedure 419 Configuration example 419 Configuring ARP filtering 420 Configuration guidelines 420 Configuration procedure 420 Configuration ex...

Page 12: ...an prevent 452 Single packet attacks 452 Scanning attacks 453 Flood attacks 454 TCP fragment attack 455 Login dictionary attack 455 Attack detection and prevention configuration task list 455 Configur...

Page 13: ...and icons 476 Conventions 476 Network topology icons 477 Support and other resources 478 Accessing Hewlett Packard Enterprise Support 478 Accessing updates 478 Websites 479 Customer self repair 479 R...

Page 14: ...ure 1 AAA network diagram To access networks or resources beyond the NAS a user sends its identity information to the NAS The NAS transparently passes the user information to AAA servers and waits for...

Page 15: ...ents 2 Performs user authentication authorization or accounting 3 Returns user access control information for example rejecting or accepting the user access request to the clients The RADIUS server ca...

Page 16: ...packet 4 The RADIUS client permits or denies the user according to the authentication result If the result permits the user the RADIUS client sends a start accounting request Accounting Request packe...

Page 17: ...in the packet indicates whether to start or stop accounting 5 Accounting Respo nse From the server to the client The server sends a packet of this type to notify the client that it has received the A...

Page 18: ...ut Gigawords 9 Framed IP Netmask 53 Acct Output Gigawords 10 Framed Routing 54 unassigned 11 Filter ID 55 Event Timestamp 12 Framed MTU 56 59 unassigned 13 Framed Compression 60 CHAP Challenge 14 Logi...

Page 19: ...plement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended functions As shown in Figure...

Page 20: ...le network transmission Uses UDP which provides high transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only the user password field in an authentication packet Pr...

Page 21: ...ponse to request the login password 8 Upon receipt of the response the HWTACACS client prompts the user for the login password 9 The user enters the password Host HWTACACS client HWTACACS server 1 The...

Page 22: ...often change The protocol is used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating systems The software stores the user informa...

Page 23: ...ments the client sends an administrator bind request to the LDAP server This operation obtains the right to search for authorization information about users on the user DN list Basic LDAP packet excha...

Page 24: ...with the HWTACACS authorization server instead 10 After successful authorization the LDAP client notifies the user of the successful login AAA implementation on the device This section describes AAA...

Page 25: ...or more information about the default user role feature see Fundamentals Configuration Guide FTP SFTP and SCP login users also have the root directory of the NAS set as the working directory However t...

Page 26: ...oss the VPNs The PE at the left side of the MPLS backbone acts as a NAS The NAS transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized a...

Page 27: ...versized EAP packets 14 Login IP Host IP address of the NAS interface that the user accesses 15 Login Service Type of the service that the user uses for login 18 Reply Message Text to be displayed to...

Page 28: ...1 Input Peak Rate Peak rate in the direction from the user to the NAS in bps 2 Input Average Rate Average rate in the direction from the user to the NAS in bps 3 Input Basic Rate Basic rate in the dir...

Page 29: ...ackets from the 802 1X user This attribute only exists in Access Accept and Accounting Request packets 140 User_Group User groups assigned after the SSL VPN user passes authentication A user can belon...

Page 30: ...hemes Required Configure AAA methods for ISP domains 1 Required Creating an ISP domain 2 Optional Configuring ISP domain attributes 3 Required Perform at least one of the following tasks to configure...

Page 31: ...cal user group and has all attributes of the group The attributes include the password control attributes and authorization attributes For more information about local user group see Configuring user...

Page 32: ...portal users specify the portal enabled interfaces through which the users access the device Specify the Layer 2 Ethernet interfaces if portal is enabled on VLAN interfaces and the portal roaming ena...

Page 33: ...cut minute ip pool pool name ipv6 pool ipv6 pool name user profile profile name user role role name vlan vlan id work directory directory name The following default settings apply FTP SFTP and SCP use...

Page 34: ...iew user group group name By default there is a system defined user group named system which is the default user group 3 Configure authorization attributes for the user group authorization attribute a...

Page 35: ...for secure RADIUS communication Optional Specifying an MPLS L3VPN instance for the scheme Optional Setting the username format and traffic statistics units Optional Setting the maximum number of RADIU...

Page 36: ...no test profiles exist You can configure multiple test profiles in the system Creating a RADIUS scheme Create a RADIUS scheme before performing any other RADIUS configurations You can configure a max...

Page 37: ...ipv6 address port number key cipher simple string test profile profile name vpn instance vpn instance name weight weight value Specify a secondary RADIUS authentication server secondary authenticatio...

Page 38: ...rs Specify the primary RADIUS accounting server primary accounting host name ipv4 address ipv6 ipv6 address port number key cipher simple string vpn instance vpn instance name weight weight value Spec...

Page 39: ...domain name By default the ISP domain name is included in a username However older RADIUS servers might not recognize usernames that contain the ISP domain names In this case you can configure the dev...

Page 40: ...system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Set the maximum number of RADIUS request transmission attempts retry retry times The default setting is 3 Setting the...

Page 41: ...ver load sharing is enabled the device distributes the workload over all servers without considering the primary and secondary server roles The device checks the weight value and number of currently s...

Page 42: ...e the device sends a start accounting request to a server for a user it forwards all subsequent accounting requests of the user to the same server If the accounting server is unreachable the device re...

Page 43: ...of the RADIUS packet outbound interface is used as the source IP address To specify a source IP address for a RADIUS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter RADIUS sch...

Page 44: ...s 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Set the RADIUS server response timeout timer timer response timeout seconds The default setting...

Page 45: ...device Use the loose check method only when the server does not issue Login Service attribute values 50 51 and 52 for SSH FTP and terminal users To configure the Login Service attribute check method...

Page 46: ...Tasks at a glance Required Creating an HWTACACS scheme Required Specifying the HWTACACS authentication servers Optional Specifying the HWTACACS authorization servers Optional Specifying the HWTACACS a...

Page 47: ...nter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name N A 3 Specify HWTACACS authentication servers Specify the primary HWTACACS authentication server primary authentication host name ipv4 ad...

Page 48: ...mbination of hostname IP address port number and VPN instance Specifying the HWTACACS accounting servers You can specify one primary accounting server and a maximum of 16 secondary accounting servers...

Page 49: ...rs in an HWTACACS scheme The keys take effect on all servers for which a shared key is not individually configured To specify a shared key for secure HWTACACS communication Step Command Remarks 1 Ente...

Page 50: ...packet giga packet kilo packet mega packet one packet By default traffic is counted in bytes and packets Specifying the source IP address for outgoing HWTACACS packets The source IP address of HWTACA...

Page 51: ...ter an HWTACACS authentication authorization or accounting request is sent If the device does not receive a response from the server within the timer it sets the server to blocked Then the device send...

Page 52: ...y even if they are unavailable When an HWTACACS server s status changes automatically the device changes this server s status accordingly in all HWTACACS schemes in which this server is specified To s...

Page 53: ...dress of the LDAP server Step Command Remarks 1 Enter system view system view N A 2 Enter LDAP server view ldap server server name N A 3 Configure the IP address of the LDAP server ip ip address ipv6...

Page 54: ...rver name N A 3 Specify the administrator DN login dn dn string By default no administrator DN is specified The administrator DN specified on the device must be the same as configured on the LDAP serv...

Page 55: ...ss user parameters user object class object class name By default no user object is specified and the default user object class on the LDAP server is used The default user object class for this comman...

Page 56: ...utes such as different username and password structures different service types and different rights To manage users of different ISPs configure ISP domains and configure AAA methods and domain attrib...

Page 57: ...for authenticated users in the ISP domain authorization attribute ip pool pool name ipv6 pool ipv6 pool name user profile profile name By default no authorization attributes are specified Configuring...

Page 58: ...fault authentication method is used for login users The none keyword is not supported in FIPS mode 6 Specify the authentication method for portal users authentication portal ldap scheme ldap scheme na...

Page 59: ...ne radius scheme radius scheme name local none By default the default authorization method is used for LAN users The none keyword is not supported in FIPS mode 6 Specify the authorization method for l...

Page 60: ...the default accounting method is used for command accounting 5 Specify the accounting method for LAN users accounting lan access local none none radius scheme radius scheme name local none By default...

Page 61: ...DAE server to log off specific online users Change of Authorization Messages CoA Messages The DAE client sends CoA requests to the DAE server to change the authorization information of specific onlin...

Page 62: ...xample map the NAS ID companyA to all VLANs of company A The device will send companyA in the NAS Identifier attribute for the RADIUS server to identify requests from any Company A users You can apply...

Page 63: ...H user and specify the password Details not shown 2 Configure the switch Configure IP addresses for interfaces Details not shown Create an HWTACACS scheme Switch system view Switch hwtacacs scheme hwt...

Page 64: ...work operator Switch role default role enable Verifying the configuration Initiate an SSH connection to the switch and enter the username hello bbb and the password The user logs in to the switch Deta...

Page 65: ...hwtacacs scheme hwtac Switch hwtacacs hwtac primary authorization 10 1 1 2 49 Switch hwtacacs hwtac key authorization simple expert Switch hwtacacs hwtac user name format without domain Switch hwtacac...

Page 66: ...the network operator user role Details not shown Authentication and authorization for SSH users by a RADIUS server Network requirements As shown in Figure 13 configure the switch to meet the following...

Page 67: ...OK The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch The source IP address is chosen in the following order on th...

Page 68: ...es with the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Create local RSA and DSA key pairs Switch public key local cre...

Page 69: ...ng login none Switch isp bbb quit Verifying the configuration Initiate an SSH connection to the switch and enter the username hello bbb and the correct password The user logs in to the switch Details...

Page 70: ...ools b Double click Active Directory Users and Computers The Active Directory Users and Computers window is displayed c From the navigation tree click Users under the ldap com node d Select Action New...

Page 71: ...sword g Click OK Add user aaa to group Users h From the navigation tree click Users under the ldap com node i In the right pane right click the user aaa and select Properties j In the dialog box click...

Page 72: ...elect field and click OK User aaa is added to group Users Figure 20 Adding user aaa to group Users Set the administrator password to admin 123456 a In the right pane right click the user Administrator...

Page 73: ...icated SSH users the default user role network operator Switch role default role enable Configure an LDAP server Switch ldap server ldap1 Specify the IP address of the LDAP authentication server Switc...

Page 74: ...are configured with different shared keys Solution To resolve the problem 1 Check that the following items The NAS and the RADIUS server can ping each other The username is in the userid isp name form...

Page 75: ...address configured on the NAS is incorrect For example the NAS is configured to use a single server to provide authentication authorization and accounting services but in fact the services are provide...

Page 76: ...LDAP server configured on the NAS match those of the server The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS The user is configur...

Page 77: ...the server returns the authentication results to the access device to make access decisions The authentication server is typically a RADIUS server In a small LAN you can use the access device as the...

Page 78: ...red or wireless LAN Between the access device and the authentication server 802 1X delivers authentication information by using one of the following methods Encapsulates EAP packets in RADIUS by using...

Page 79: ...art The client sends an EAPOL Start message to initiate 802 1X authentication to the access device 0x02 EAPOL Logoff The client sends an EAPOL Logoff message to tell the access device that the client...

Page 80: ...thentication server does not support the multicast address you must use an 802 1X client that can send broadcast EAPOL Start packets For example you can use the HPE iNode 802 1X client Access device a...

Page 81: ...performs the following operations in EAP termination mode a Terminates the EAP packets received from the client b Encapsulates the client authentication information in standard RADIUS packets c Uses P...

Page 82: ...the username in an EAP Response Identity packet to the access device 4 The access device relays the EAP Response Identity packet in a RADIUS Access Request packet to the authentication server 5 The au...

Page 83: ...an EAP Success packet to the client b Sets the controlled port in authorized state The client can access the network 11 After the client comes online the access device periodically sends handshake req...

Page 84: ...AP termination mode the access device rather than the authentication server generates an MD5 challenge for password encryption The access device then sends the MD5 challenge together with the username...

Page 85: ...zed network resources The authorization VLAN of an 802 1X user can be specified on the local device or be assigned by a remote server Supported VLAN types and forms Support for VLAN types and forms de...

Page 86: ...port does not have other online users the device selects the VLAN with the lowest ID from the group of VLANs If the port has other online users the device selects the VLAN by using the following proce...

Page 87: ...r to its own authorization VLAN IMPORTANT An 802 1X enabled access port can be assigned to an authorization VLAN only as an untagged VLAN member A hybrid port is always assigned to a VLAN as an untagg...

Page 88: ...the 802 1X guest VLAN The user can access only resources in the guest VLAN A user in the 802 1X guest VLAN fails 802 1X authentication If an 802 1X Auth Fail VLAN is available the device remaps the M...

Page 89: ...2 1X Auth Fail VLAN The user can access only resources in the Auth Fail VLAN A user in the 802 1X Auth Fail VLAN fails 802 1X authentication because of any other reason except for unreachable servers...

Page 90: ...authorize a VLAN the initial PVID of the port applies The user and all subsequent 802 1X users are assigned to this port VLAN After the user logs off the PVID remains unchanged A user in the 802 1X g...

Page 91: ...based VLANs see Layer 2 LAN Switching Configuration Guide When a reachable RADIUS server is detected the device performs the following operations If MAC based access control is used the device removes...

Page 92: ...t feature is implemented by the following functionalities Free IP A free IP is a freely accessible network segment which has a limited set of network resources such as software and DHCP servers To ens...

Page 93: ...1X guest VLAN assignment delay Optional Configuring an 802 1X Auth Fail VLAN Optional Configuring an 802 1X critical VLAN Optional Enabling 802 1X critical voice VLAN Optional Sending 802 1X protocol...

Page 94: ...er Specify the eap keyword to enable EAP relay Specify the chap or pap keyword to enable CHAP enabled or PAP enabled EAP termination NOTE If EAP relay mode is used the user name format command configu...

Page 95: ...ter Layer 2 Ethernet interface view interface interface type interface number N A 3 Set the maximum number of concurrent 802 1X users on a port dot1x max user user number The default setting is 429496...

Page 96: ...online 802 1X users The access device sends handshake requests EAP Request Identity to online users at the interval specified by the dot1x timer handshake period command If the device does not receiv...

Page 97: ...he 802 1X online user handshake reply feature dot1x handshake reply enable By default the device does not reply to 802 1X clients EAP Response Identity packets during the online handshake process Conf...

Page 98: ...omain for a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Specify a mandatory 802 1X authenticat...

Page 99: ...e session timeout timer expires Support for the server configuration and assignment of session timeout timer and termination action depends on the server model If no server is reachable for 802 1X rea...

Page 100: ...feature See Configuring port security Configuration prerequisites Before you configure an 802 1X guest VLAN complete the following tasks Create the VLAN to be specified as the 802 1X guest VLAN If th...

Page 101: ...guidelines When you configure an 802 1X Auth Fail VLAN follow these restrictions and guidelines Assign different IDs to the voice VLAN the port VLAN and the 802 1X Auth Fail VLAN on a port The assign...

Page 102: ...uilt in 802 1X clients this mechanism causes reauthentication failure After receiving an EAP Failure packet such a client does not respond to the EAP Request Identity packet from the device when a rea...

Page 103: ...s the access port of a voice user to the 802 1X critical voice VLAN if the voice user fails authentication because all the RADIUS servers are unreachable The feature does not take effect if the voice...

Page 104: ...emarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable the device to send 802 1X protocol packets out of the port wit...

Page 105: ...uto When global MAC authentication or port security is enabled the free IP does not take effect If you use free IP guest VLAN and Auth Fail VLAN features together make sure the free IP segments are in...

Page 106: ...examples Basic 802 1X authentication configuration example Network requirements As shown in Figure 31 the access device performs 802 1X authentication for users that connect to port FortyGigE 1 1 1 Im...

Page 107: ...ng RADIUS servers Device radius radius1 primary authentication 10 1 1 1 Device radius radius1 primary accounting 10 1 1 1 Configure the IP addresses of the secondary authentication and accounting RADI...

Page 108: ...tion after an 802 1X user passes authentication Device display dot1x connection 802 1X guest VLAN and authorization VLAN configuration example Network requirements As shown in Figure 32 use RADIUS ser...

Page 109: ...tygige 1 1 1 Device vlan10 quit Device vlan 2 Device vlan2 port fortygige 1 1 4 Device vlan2 quit Device vlan 5 Device vlan5 port fortygige 1 1 3 Device vlan5 quit 4 Configure a RADIUS scheme on the a...

Page 110: ...ce isp bbb authentication lan access radius scheme 2000 Device isp bbb authorization lan access radius scheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device isp bbb quit 6 Configu...

Page 111: ...he users Details not shown 3 Assign an IP address to each interface as shown in Figure 33 Details not shown 4 Configure a RADIUS scheme Create RADIUS scheme 2000 and enter RADIUS scheme view Device sy...

Page 112: ...adv 3000 rule 0 deny ip destination 10 0 0 1 0 time range ftp Device acl adv 3000 quit 8 Configure 802 1X Enable 802 1X globally Device dot1x Enable 802 1X on FortyGigE 1 1 1 Device interface fortygi...

Page 113: ...e 34 Network diagram Configuration procedure 1 Make sure the DHCP server the Web server and the authentication servers have been configured correctly Details not shown 2 Configure an IP address for ea...

Page 114: ...on and accounting Device isp bbb authentication lan access radius scheme 2000 Device isp bbb authorization lan access radius scheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device...

Page 115: ...ollowing reasons The address is in the string format The operating system of the host regards the string as a website name and tries to resolve the string If the resolution fails the operating system...

Page 116: ...uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users You sp...

Page 117: ...enticated user s authorization VLAN The authorization VLAN becomes the PVID You must assign the same untagged authorization VLAN to all MAC authentication users on the port If a different untagged aut...

Page 118: ...s still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable A user in the MAC authentication critical VLAN fails MAC authentic...

Page 119: ...ay the server assigned Session Timeout and Termination Action attributes use the display mac authentication connection command Support for the server configuration and assignment of Session Tmeout and...

Page 120: ...ou cannot enable MAC authentication on a port already in a link aggregation group or a service loopback group You cannot add a MAC authentication enabled port to a link aggregation group or a service...

Page 121: ...ice uses the MAC address of a user as the username and password for MAC authentication The MAC address is in the hexadecimal notation without hyphens and letters are in lower case Setting MAC authenti...

Page 122: ...is feature disables the device from inspecting the online user status To enable MAC authentication offline detection Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet i...

Page 123: ...authentication host mode multi vlan By default this feature is disabled on a port When the port receives a packet sourced from an authenticated user in a VLAN not matching the existing MAC VLAN mappin...

Page 124: ...based access control for 802 1X authentication The port is enabled with the 802 1X unicast trigger For the port to perform MAC authentication before it is assigned to the 802 1X guest VLAN delay assig...

Page 125: ...ayer 2 LAN Switching Configuration Guide Port intrusion protection The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port int...

Page 126: ...e shutdown port action of the port intrusion protection feature See Configuring port security To configure the MAC authentication critical VLAN on a port Step Command Remarks 1 Enter system view syste...

Page 127: ...r Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable the keep online feature for authenticated MAC authentication users on the port mac authentication re authentica...

Page 128: ...r slot slot number user mac mac addr user name user name Clear MAC authentication statistics reset mac authentication statistics interface interface type interface number Remove users from the MAC aut...

Page 129: ...ccess local Device isp bbb quit Enable MAC authentication on port FortyGigE 1 1 1 Device interface fortygige 1 1 1 Device FortyGigE1 1 1 mac authentication Device FortyGigE1 1 1 quit Specify the MAC a...

Page 130: ...1 failed 0 Current online users 1 MAC address Auth state 00e0 fc12 3456 Authenticated The output shows that Host A has passed MAC authentication and has come online Host B failed MAC authentication a...

Page 131: ...e radius 2000 quit Apply the RADIUS scheme to ISP domain bbb for authentication authorization and accounting Device domain bbb Device isp bbb authentication default radius scheme 2000 Device isp bbb a...

Page 132: ...Not configured Guest VLAN auth period 30 s Critical VLAN Not configured Critical voice VLAN Disabled Host mode Single VLAN Offline detection Enabled Authentication order Default Max online users 4294...

Page 133: ...without domain Device radius 2000 quit Apply RADIUS scheme 2000 to ISP domain 2000 for authentication authorization and accounting Device domain 2000 Device isp 2000 authentication default radius sch...

Page 134: ...ers 4294967295 per slot Online MAC auth users 1 Silent MAC users MAC address VLAN ID From port Port index FortyGigE1 1 1 is link up MAC authentication Enabled Carry User IP Disabled Authentication dom...

Page 135: ...122 Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss The output shows that ACL 3000 has been assigned to port FortyGigE 1 1 1 to deny access to the FTP server...

Page 136: ...s It has the following advantages Allows users to perform authentication through Web pages without installing client software Provides ISPs with diversified management choices and extended functions F...

Page 137: ...on requests from authentication clients and interacts with the access device to authenticate users Portal Web server The portal Web server pushes the Web authentication page to authentication clients...

Page 138: ...by SSL Portal page customization To perform local portal authentication you must customize a set of authentication pages that the device will push to users You can customize multiple sets of authentic...

Page 139: ...ources The process of direct authentication is simpler than that of re DHCP authentication Re DHCP authentication Before a user passes authentication DHCP allocates an IP address a private IP address...

Page 140: ...RADIUS server exchange RADIUS packets 6 The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure 7 The portal authenticati...

Page 141: ...ed an IP change of the client IP 11 After receiving the IP change notification packets sent by the client and the access device the portal authentication server notifies the client of login success 12...

Page 142: ...sites The portal feature provides a solution for user identity authentication and security check To complete user identity authentication portal must cooperate with RADIUS The prerequisites for portal...

Page 143: ...l authentication server To specify an IPv4 portal server ip ipv4 address vpn instance vpn instance name key cipher simple key string To specify an IPv6 portal server ipv6 ipv6 address vpn instance vpn...

Page 144: ...restrictions and guidelines Make sure the interface has a valid IP address before you enable re DHCP portal authentication on the interface Do not add the interface enabled with portal authentication...

Page 145: ...ipv6 apply web server server name fail permit Reference an IPv4 portal Web server an IPv6 portal Web server or both for the interface By default the interface does not reference any portal Web server...

Page 146: ...specify both a VLAN and an interface the interface must belong to the VLAN Otherwise the portal free rule does not take effect Configuring an authentication source subnet By configuring authenticatio...

Page 147: ...ource subnet portal ipv6 layer3 source ipv6 network address prefix length By default no IPv6 portal authentication source subnet is configured and IPv6 users from any subnets must pass portal authenti...

Page 148: ...er of portal users portal max user max number By default no limit is set on the number of portal users Specifying a portal authentication domain An authentication domain defines a set of authenticatio...

Page 149: ...ortal users Packets that match portal free rules Other outgoing packets on the interface are dropped To enable outgoing packets filtering on a portal enabled interface Step Command Remarks 1 Enter sys...

Page 150: ...tion of IPv4 portal users portal user detect type arp icmp retry retries interval interval idle time By default this feature is disabled on the interface To configure online detection of IPv6 portal u...

Page 151: ...erver detection server detect timeout timeout log trap By default portal authentication server detection is disabled This feature takes effect regardless of whether portal authentication is enabled on...

Page 152: ...erver 2 Upon receiving the synchronization packet the access device compares the users carried in the packet with its own user list If a user contained in the packet does not exist on the access devic...

Page 153: ...server name fail permit By default portal fail permit is disabled for a portal Web server Configuring BAS IP for unsolicited portal packets sent to the portal authentication server If the device runs...

Page 154: ...erent VLANs The strings can be organization names service names or any user categorization criteria depending on the administrative requirements For example map the NAS ID companyA to all VLANs of com...

Page 155: ...or the user or removes the user from the authenticated users list To log out users Step Command 1 Enter system view system view 2 Log out IPv4 portal users portal delete user ipv4 address all interfac...

Page 156: ...nline htm System busy page Pushed when the system is busy or the user is in the logon process busy htm Logoff success page logoffSuccess htm Page request rules The local portal Web server supports onl...

Page 157: ...le can contain only letters numbers and underscores The authentication pages must be placed in the root directory of the zip file Zip files can be transferred to the device through FTP or TFTP and mus...

Page 158: ...tional Configure the listening TCP port for the local portal Web server tcp port port number By default the HTTP service listening port number is 80 and the HTTPS service listening port number is 443...

Page 159: ...authentication Figure 42 Network diagram Configuration prerequisites Configure IP addresses for the host switch and servers as shown in Figure 42 and make sure they can reach each other Configure the...

Page 160: ...oup This example uses the default group Ungrouped f Select Normal from the Action list g Click OK Figure 44 Adding an IP address group 3 Add a portal device a Select Access Service Portal Service Mana...

Page 161: ...ing a portal device 4 Associate the portal device with the IP address group a As shown in Figure 46 click the icon in the Port Group Information Management column of device NAS to enter the port group...

Page 162: ...nt Server from the navigation tree to enter the portal server configuration page as shown in Figure 48 c Configure the portal server parameters as needed This example uses the default settings d Click...

Page 163: ...me as that configured on the switch f Set whether to enable IP address reallocation This example uses direct portal authentication Therefore select No from the Reallocate IP list g Select whether to s...

Page 164: ...e configurations Configuring the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Specify the primary authentication s...

Page 165: ...port 50100 Switch portal server newpt quit Configure a portal Web server Switch portal web server newpt Switch portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit E...

Page 166: ...e authentication the user can access Internet resources After the user passes authentication use the following command to display information about the portal user Switch display portal user interface...

Page 167: ...private IP address range for the IP address group associated with the portal device is the private subnet 10 0 0 0 24 where the host resides The public IP address range for the IP address group is the...

Page 168: ...an interface100 dhcp relay server address 192 168 0 112 Enable authorized ARP Switch Vlan interface100 arp authorized enable Switch Vlan interface100 quit 4 Configure portal authentication Configure a...

Page 169: ...Server name Action Layer3 source network IP address Prefix length Destination authenticate subnet IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a...

Page 170: ...sure the IP address of the portal device added on the portal authentication server is the IP address 20 20 20 1 of the switch s interface connecting the host The IP address group associated with the...

Page 171: ...0 111 8080 portal SwitchA portal websvr newpt quit Enable cross subnet portal authentication on VLAN interface 4 SwitchA interface vlan interface 4 SwitchA Vlan interface4 portal enable method layer3...

Page 172: ...resources After the user passes authentication use the following command to display information about the portal user SwitchA display portal user interface vlan interface 4 Total portal users 1 Usern...

Page 173: ...ing 192 168 0 112 Switch radius rs1 key accounting simple radius Switch radius rs1 key authentication simple radius Switch radius rs1 user name format without domain Specify the security policy server...

Page 174: ...h portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit Enable direct portal authentication on VLAN interface 100 Switch interface vlan interface 100 Switch Vlan inter...

Page 175: ...that match ACL 3001 After the user passes authentication use the following command to display information about the portal user Switch display portal user interface vlan interface 100 Total portal use...

Page 176: ...the IP address of the portal device added on the portal server is the public IP address 20 20 20 1 of the switch s interface connecting the host The private IP address range for the IP address group a...

Page 177: ...nation 192 168 0 0 0 0 0 255 Switch acl adv 3000 rule deny ip Switch acl adv 3000 quit Switch acl number 3001 Switch acl adv 3001 rule permit ip Switch acl adv 3001 quit NOTE Make sure you specify ACL...

Page 178: ...fy that the portal configuration has taken effect Switch display portal interface vlan interface 100 Portal information of Vlan interface100 Nas id profile Not configured IPv4 Portal status Enabled Au...

Page 179: ...interface100 Configuring extended cross subnet portal authentication Network requirements As shown in Figure 57 Switch A supports portal authentication The host accesses Switch A through Switch B A po...

Page 180: ...able RADIUS session control SwitchA radius session control enable 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view SwitchA domain dm1 Configure AAA methods for th...

Page 181: ...ortal bas ip 20 20 20 1 SwitchA Vlan interface4 quit On Switch B configure a default route to subnet 192 168 0 0 24 specifying the next hop address as 20 20 20 1 Details not shown Verifying the config...

Page 182: ...r newpt State Online Authorization ACL 3001 VPN instance MAC IP VLAN Interface 0015 e9a6 7cfe 8 8 8 2 4 Vlan interface4 Configuring portal server detection and portal user synchronization Network requ...

Page 183: ...n detect the reachability of the portal authentication server by cooperating with the portal server heartbeat function Configure portal user synchronization so that the switch can synchronize portal u...

Page 184: ...oup This example uses the default group Ungrouped f Select Normal from the Action list g Click OK Figure 60 Adding an IP address group 3 Add a portal device a Select Access Service Portal Service Mana...

Page 185: ...ding a portal device 4 Associate the portal device with the IP address group a As shown in Figure 62 click the icon in the Port Group Information Management column of device NAS to enter the port grou...

Page 186: ...ment Server from the navigation tree to enter the portal server configuration page as shown in Figure 64 c Configure the portal server heartbeat interval and user heartbeat interval d Use the default...

Page 187: ...switch s interface connected to the host e Enter the key which must be the same as that configured on the switch f Set whether to enable IP address reallocation This example uses direct portal authent...

Page 188: ...User Access Manager Service Parameters Validate System Configuration from the navigation tree to validate the configurations Configuring the switch 1 Configure a RADIUS scheme Create a RADIUS scheme...

Page 189: ...nterval as 40 seconds and send log messages upon reachability status changes Switch portal server newpt server detect timeout 40 log NOTE The value of timeout must be greater than or equal to the port...

Page 190: ...thentication Configuring cross subnet portal authentication for MPLS L3VPNs Network requirements As shown in Figure 69 the PE device Switch A provides portal authentication for the host in VPN 1 A por...

Page 191: ...tion domain Create an ISP domain named dm1 and enter its view SwitchA domain dm1 Configure AAA methods for the ISP domain SwitchA isp dm1 authentication portal radius scheme rs1 SwitchA isp dm1 author...

Page 192: ...the switch the access device The host is assigned a public IP address either manually or through DHCP The switch acts as both a portal authentication server and a portal Web server A RADIUS server ac...

Page 193: ...he authentication and accounting methods of the default domain are used for the user Switch domain default enable dm1 3 Configure portal authentication Create a local portal Web server Use HTTP to exc...

Page 194: ...configured Authentication domain Not configured BAS IPv6 Not configured User detection Not configured Action for server detection Server type Server name Action Layer3 source network IP address Prefi...

Page 195: ...er can log out by clicking the Disconnect button on the portal authentication client Analysis When you execute the portal delete user command on the access device to log out a user the access device s...

Page 196: ...e portal authentication server the portal authentication server discards the logout notification When sending of the logout notifications times out the access device logs out the user However the port...

Page 197: ...erver considers that the user has failed the authentication Solution Configure the BAS IP or BAS IPv6 attribute on the interface enabled with portal authentication Make sure the attribute value is the...

Page 198: ...security for scenarios that require only 802 1X authentication or MAC authentication For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication...

Page 199: ...is disabled on the port and access to the port is not restricted N A Controlling MAC address learning autoLearn NTK intrusion protection secure Performing 802 1X authentication userLogin N A userLogin...

Page 200: ...rt based access control The port can service multiple 802 1X users Once an 802 1X user passes authentication on the port any subsequent 802 1X users can access the network through the port without aut...

Page 201: ...xt keyword implies Configuration task list Tasks at a glance Remarks Required Enabling port security N A Optional Setting port security s limit on the number of secure MAC addresses on a port N A Requ...

Page 202: ...pendent of the MAC learning limit described in MAC address table configuration For more information about MAC address table configuration see Layer 2 LAN Switching Configuration Guide To set the maxim...

Page 203: ...erating in noRestrictions the default mode To change the port security mode for a port in any other mode first use the undo port security port mode command to restore the default port security mode Co...

Page 204: ...port security intrusion mode blockmac disableport disableport temporarily By default intrusion protection is disabled 4 Return to system view quit N A 5 Optional Set the silence timeout period during...

Page 205: ...er counts up regardless of whether traffic data has been sent from the sticky MAC address If both the aging timer and the inactivity aging feature are configured the aging timer restarts once traffic...

Page 206: ...authorization information from the server You can configure a port to ignore the authorization information received from the server local or remote after an 802 1X or MAC authentication user passes a...

Page 207: ...y If no NAS ID profile is applied or no matching binding is found in the selected profile the device uses the device name as the NAS ID For more information about the NAS ID profile configuration see...

Page 208: ...d count Display information about blocked MAC addresses display port security mac address block interface interface type interface number vlan vlan id count Port security configuration examples autoLe...

Page 209: ...min Disableport timeout 30 s MAC move Denied Authorization fail Online NAS ID profile is not configured OUI value list FortyGigE1 1 1 is link up Port mode autoLearn NeedToKnow mode Disabled Intrusion...

Page 210: ...can learn MAC addresses again Details not shown userLoginWithOUI configuration example Network requirements As shown in Figure 72 a client is connected to the device through port FortyGigE 1 1 1 The d...

Page 211: ...ation lan access radius scheme radsun Device isp sun authorization lan access radius scheme radsun Device isp sun accounting lan access radius scheme radsun Device isp sun quit 2 Set the 802 1X authen...

Page 212: ...15 NAS IP Address Not configured VPN Not configured User Name Format without domain Data flow unit Byte Packet unit one Attribute 15 check mode strict After users pass authentication display port secu...

Page 213: ...uthentication succeeds the client is authorized to access the Internet Configure port FortyGigE 1 1 1 of the device to meet the following requirements Allow more than one MAC authenticated user to log...

Page 214: ...gE1 1 1 port security ntk mode ntkonly Device FortyGigE1 1 1 quit Verifying the configuration Verify the port security configuration Device display port security interface fortygige 1 1 1 Port securit...

Page 215: ...tection Enabled Authentication order Default Max online users 4294967295 Authentication attempts successful 3 failed 7 Current online users 3 MAC address Auth state 1234 0300 0011 authenticated 1234 0...

Page 216: ...Without Tag Disabled Add Guest VLAN delay Disabled EAPOL packets Tx 16331 Rx 102 Sent EAP Request Identity packets 16316 EAP Request Challenge packets 6 EAP Success packets 4 EAP Failure packets 5 Re...

Page 217: ...MAC addresses Symptom Cannot configure secure MAC addresses Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn Solution To resolve the p...

Page 218: ...he password control composition command in Security Command Reference Depending on the system s security requirements you can set the minimum number of character types a password must contain and the...

Page 219: ...asswords for FTP users Early notice on pending password expiration When a user logs in the system checks whether the password will expire in a time equal to or less than the specified notification per...

Page 220: ...t limits the user and user account in any of the following ways Disables the user account until the account is manually removed from the password control blacklist Allows the user to continue using th...

Page 221: ...erform the following tasks Tasks at a glance Required Enabling password control Optional Setting global password control parameters Optional Setting user group password control parameters Optional Set...

Page 222: ...the password expiration time password control aging aging time The default setting is 90 days 3 Set the minimum password update interval password control update interval interval The default setting i...

Page 223: ...time for the user group password control aging aging time By default the password expiration time of the user group equals the global password expiration time 4 Configure the minimum password length f...

Page 224: ...type number type length type length By default the settings equal those for the user group to which the local user belongs If no password composition policy is configured for the user group the global...

Page 225: ...w Task Command Display password control configuration display password control super Display information about users in the password control blacklist display password control blacklist user name name...

Page 226: ...ser account Sysname password control login attempt 2 exceed lock Set all passwords to expire after 30 days Sysname password control aging 30 Globally set the minimum password length to 16 characters S...

Page 227: ...gure the password of the local user in interactive mode Sysname luser manage test password Password Confirm Updating user information Please wait Sysname luser manage test quit Verifying the configura...

Page 228: ...matched Device management user test State Active Service type Telnet User group system Bind attributes Authorization attributes Work directory flash User role list network operator Password control c...

Page 229: ...pt information but only the private key owner can decrypt the information Digital signature The key owner uses the private key to sign information to be sent The receiver decrypts the information with...

Page 230: ...ost key pair if you do not specify a key pair name Both key pairs use their default names In FIPS mode One host key pair NOTE Only SSH 1 5 uses the RSA server key pair In non FIPS mode 512 to 2048 bit...

Page 231: ...d record the key for example copy it to an unformatted file On the peer device you must literally enter the key Exporting a host public key Step Command 1 Enter system view system view 2 Export a loca...

Page 232: ...ods Import the peer host public key form a public key file recommended Manually enter type or copy the peer host public key Importing a peer host public key from a public key file Before you perform t...

Page 233: ...but the system does not save them 4 Return to system view peer public key end When you exit public key view the system automatically saves the public key Displaying and maintaining public keys Execute...

Page 234: ...31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Key name serverkey default Key type RSA Time when key pair created 16 48 31 2011 05 12 Key code 307C300D06092A864886F70...

Page 235: ...0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Example for importing a public key from a public key file Network requirements As shown in Figure 76 Device B authenticate...

Page 236: ...634EEB9FA060478DD0A1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953FB22AA30203010001 Export the RSA host public key to the file devicea pub DeviceA publ...

Page 237: ...ic key peer devicea import sshkey devicea pub Verifying the configuration Verify that the host public key is the same as it is on Device A DeviceB display public key peer name devicea Key name devicea...

Page 238: ...y with the international standards of ITU T X 509 of which X 509 v3 is the most commonly used This chapter covers the following types of certificates CA certificate Certificate of a CA Multiple CAs in...

Page 239: ...SCEP to communicate with the CA or RA CA Certification authority that grants and manages certificates A CA issues certificates defines the certificate validity periods and revokes certificates by pub...

Page 240: ...e emails PKI can address the email requirements for confidentiality integrity authentication and non repudiation A common secure email protocol is Secure Multipurpose Internet Mail Extensions S MIME w...

Page 241: ...ity categories Distinguished name DN of the entity which further includes the common name county code locality organization unit in the organization and state If you configure the DN for an entity a c...

Page 242: ...in contains enrollment information for a PKI entity It is locally significant and is intended only for reference by other applications like IKE and SSL To configure a PKI domain Step Command Remarks 1...

Page 243: ...certificate request you must verify the fingerprint that is displayed during authentication of the CA certificate If the CA certificate is obtained through automatic certificate request the certificat...

Page 244: ...sing an out of band method to submit the request Online mode A certificate request can be automatically or manually submitted This section describes the online request mode Configuration guidelines Th...

Page 245: ...password cipher simple password By default the manual request mode applies In auto request mode set a password for certificate revocation as required by the CA policy Manually requesting a certificate...

Page 246: ...ertificates by an out of band means like FTP disk or email and then import them locally Use this mode when the CRL repository is not specified the CA server does not support SCEP or the CA server gene...

Page 247: ...rtificates in online mode pki retrieve certificate domain domain name ca local peer entity name The pki retrieve certificate command is not saved in the configuration file Verifying PKI certificates A...

Page 248: ...ertificates pki validate certificate domain domain name ca local N A Verifying certificates without CRL checking Step Command Remarks 1 Enter system view system view N A 2 Enter PKI domain view pki do...

Page 249: ...t certificates Step Command Remarks 1 Enter system view system view N A 2 Export certificates Export certificates in DER format pki export domain domain name der all ca local filename filename Export...

Page 250: ...ction defined in the access control rule The following conditions describe how a certificate based access control policy verifies the validity of a certificate If a certificate matches a permit statem...

Page 251: ...oup information display pki certificate attribute group group name Display certificate based access control policy information display pki certificate access control policy policy name PKI configurati...

Page 252: ...e pki entity aaa quit 3 Configure a PKI domain Create a PKI domain named torsa and enter its view Device pki domain torsa Specify the name of the trusted CA as myca Device pki domain torsa ca identifi...

Page 253: ...ation about the local certificate in PKI domain torsa Device display pki certificate domain torsa local Certificate Data Version 3 0x2 Serial Number 15 79 75 ec d2 33 af 5e 46 35 83 bc bd 6e e3 b8 Sig...

Page 254: ...Add or Remove Programs from the start menu b Select Add Remove Windows Components Certificate Services c Click Next to begin the installation d Set the CA name In this example set the CA name to myca...

Page 255: ...rtificate request URL The URL format is http host port certsrv mscep mscep dll where host port is the host IP address and port number of the CA server Device pki domain winserver certificate request u...

Page 256: ...hm rsaEncryption Public Key 2048 bit Modulus 00 c3 b5 23 a0 2d 46 0b 68 2f 71 d2 14 e1 5a 55 6e c5 5e 26 86 c1 5a d6 24 68 02 bf 29 ac dc 31 41 3f 5d 5b 36 9e 53 dc 3a bc 0d 11 fb d6 7d 4f 94 3c c1 90...

Page 257: ...dc 1e 4d 03 d5 d3 f5 9d ad 9b 8d 03 7f be 1e 29 28 87 f7 ad 88 1c 8f 98 41 9a db 59 ba 0a eb 33 ec cf aa 9b fc 0f 69 3a 70 f2 fa 73 ab c1 3e 4d 12 fb 99 31 51 ab c2 84 c0 2f e5 f6 a7 c3 20 3c 9a b0 ce...

Page 258: ...A as myca Device pki domain openca ca identifier myca Configure the certificate request URL The URL is in the format http host cgi bin pki scep where host is the host IP address of the OpenCA server D...

Page 259: ...subdomain DC mydomain sub DC com Validity Not Before Jun 30 09 09 09 2011 GMT Not After May 1 09 09 09 2012 GMT Subject CN rnd O test OU software C CN Subject Public Key Info Public Key Algorithm rsaE...

Page 260: ...a 24 b1 f5 51 1d 0f 5a 07 e6 15 7a 02 31 05 8c 03 72 52 7c ff 28 37 1e 7e 14 97 80 0b 4e b9 51 2d 50 98 f2 e4 5a 60 be 25 06 f6 ea 7c aa df 7b 8d 59 79 57 8f d4 3e 4f 51 c1 34 e6 c1 1e 71 b5 0d 85 86...

Page 261: ...amed pkilocal pem signature and pkilocal pem encryption and contain the private key for signature and encryption respectively Display the local certificate file pkilocal pem signature DeviceA quit Dev...

Page 262: ...ystem view DeviceB pki domain importdomain DeviceB pki domain importdomain undo crl check enable Specify the RSA key pair for signature as sign and the RSA key pair for encryption as encr for certific...

Page 263: ...onent 65537 0x10001 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Cert Type SSL Client S MIME X509v3 Key Usage Digital Signature Non Repudiation X509v3 Extended Key Usage TLS Web Client...

Page 264: ...9 1d 46 d7 bf 1a 86 22 78 87 3e 67 fe 4b ed 37 3d d6 0a 1c 0b Certificate Data Version 3 0x2 Serial Number 08 7c 67 01 5c b3 5a 12 0f 2f Signature Algorithm sha256WithRSAEncryption Issuer C CN L shang...

Page 265: ...f1 29 fa 15 16 90 71 e2 98 e3 5c c6 e3 d4 5f 7a f6 a9 4f a2 7f ca af c4 c8 c7 2c c0 51 0a 45 d4 56 e2 81 30 41 be 9f 67 a1 23 a6 09 50 99 a1 40 5f 44 6f be ff 00 67 9d 64 98 fb 72 77 9e fd f2 4c 3a b2...

Page 266: ...f the problem persists contact Hewlett Packard Enterprise Support Failed to obtain local certificates Symptom No local certificates can be obtained Analysis The network connection is down No CA certif...

Page 267: ...ed during a certificate request process Exclusive certificate request applications are running in the PKI domain The PKI domain is not specified with the source IP address of the PKI protocol packets...

Page 268: ...nd fix any network connection problems 2 Obtain or import the CA certificate 3 If the URL of the CRL repository cannot be obtained verify that the following conditions exist The URL for certificate re...

Page 269: ...rmat of the file to be imported is correct 4 Make sure the certificate file contains the private key 5 Make sure the certificate is not revoked 6 Make sure the certificate is within the validity perio...

Page 270: ...s cannot be set Analysis The specified storage path does not exist The specified storage path is illegal The storage space of the device is full Solution 1 Use mkdir to create the path 2 Specify a val...

Page 271: ...KE IPsec provides the following security services for data packets in the IP layer Confidentiality The sender encrypts packets before transmitting them over the Internet protecting the packets from be...

Page 272: ...lation are placed after the original IP header You can use the transport mode when end to end security protection is required the secured transmission start and end points are the actual start and end...

Page 273: ...port some advanced features such as periodic key update but it can implement IPsec without IKE This mode is mainly used in small and static networks or when the number of IPsec peers in the network is...

Page 274: ...When an IPsec peer identifies the packets to be protected according to the IPsec policy it sets up an IPsec tunnel and sends the packet to the remote peer through the tunnel The IPsec tunnel can be m...

Page 275: ...and standards RFC 2401 Security Architecture for the Internet Protocol RFC 2402 IP Authentication Header RFC 2406 IP Encapsulating Security Payload RFC 4552 Authentication Confidentiality for OSPFv3 F...

Page 276: ...ls authentication and encryption algorithms and the encapsulation mode 3 Configure an IPsec policy to associate data flows with the IPsec transform sets specify the SA negotiation mode the peer IP add...

Page 277: ...matching the permit statement will be protected by IPsec All inbound IPsec packets matching the permit statement will be received and processed but all inbound non IPsec packets will be dropped This w...

Page 278: ...ecify the authentication algorithm for AH ah authentication algorithm sha1 sha256 sha384 sha512 Configure at least one command By default no security algorithm is specified You can specify security al...

Page 279: ...configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end The remote IPv6 address configured on the local end must be th...

Page 280: ...A sa spi outbound ah esp spi number By default no SPI is configured for the inbound or outbound IPsec SA 8 Configure keys for the IPsec SA Configure an authentication key in hexadecimal format for AH...

Page 281: ...tion IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel If no match is found no SA can be set up and the packets expecting to be protected will be dropped The rem...

Page 282: ...ied and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied The local IP address specified by this command must be the same as th...

Page 283: ...al Configure a description for the IPsec policy template description text By default no description is configured 4 Optional Specify an ACL for the IPsec policy template security acl ipv6 acl number n...

Page 284: ...y by referencing the IPsec policy template ipsec ipv6 policy policy policy name seq number isakmp template template name By default no IPsec policy exists Applying an IPsec policy to an interface You...

Page 285: ...replay The IPsec anti replay feature protects networks against anti replay attacks by using a sliding window mechanism called anti replay window This feature checks the sequence number of each receive...

Page 286: ...ti replay window width The default size is 64 Configuring IPsec anti replay redundancy This feature synchronizes the following information from the master device to all subordinate devices in an IRF f...

Page 287: ...a source interface the IPsec policy uses the IP address of the bound source interface to perform IKE negotiation If a local address is specified the IPsec policy uses the local address to perform IKE...

Page 288: ...ng of IPsec packets ipsec logging packet enable By default the logging of IPsec packets is disabled Configuring the DF bit of IPsec packets Perform this task to configure the Don t Fragment DF bit in...

Page 289: ...nal Enabling logging of IPsec packets Optional Configuring SNMP notifications for IPsec Configuring a manual IPsec profile An IPsec profile is similar to an IPsec policy The difference is that an IPse...

Page 290: ...ipher simple key value Configure an authentication key in character format for AH sa string key inbound outbound ah cipher simple key value Configure a key in character format for ESP sa string key in...

Page 291: ...display commands in any view and reset commands in user view Task Command Display IPsec policy information display ipsec ipv6 policy policy policy name seq number Display IPsec policy template inform...

Page 292: ...itchA acl adv 3101 rule 0 permit ip source 2 2 2 1 0 destination 2 2 3 1 0 SwitchA acl adv 3101 quit Create an IPsec transform set named tran1 SwitchA ipsec transform set tran1 Specify the encapsulati...

Page 293: ...tchB ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchB ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorithms Sw...

Page 294: ...remote address 2 2 3 1 Flow as defined in ACL 3101 Inbound ESP SA SPI 54321 0x0000d431 Transform set ESP ENCRYPT AES CBC 192 ESP AUTH SHA1 No duration limit for this SA Outbound ESP SA SPI 12345 0x000...

Page 295: ...keychain1 SwitchA ike keychain keychain1 Configure the pre shared key used with the peer 2 2 3 1 as plaintext string of 12345zxcvb ZXCVB SwitchA ike keychain keychain1 pre shared key address 2 2 3 1...

Page 296: ...orithm sha1 SwitchB ipsec transform set tran1 quit Create the IKE keychain named keychain1 SwitchB ike keychain keychain1 Configure the pre shared key used with the peer 2 2 2 1 as plaintext string of...

Page 297: ...equirements perform the following tasks 1 Configure basic RIPng For more information about RIPng configurations see Layer 3 IP Routing Configuration Guide 2 Configure an IPsec profile The IPsec profil...

Page 298: ...itchB interface vlan interface 200 SwitchB Vlan interface200 ripng 1 enable SwitchB Vlan interface200 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 ripng 1 enable SwitchB Vlan in...

Page 299: ...hC ipsec profile profile001 sa string key outbound esp simple abcdefg SwitchC ipsec profile profile001 sa string key inbound esp simple abcdefg SwitchC ipsec profile profile001 quit Apply the IPsec pr...

Page 300: ...ode manual Encapsulation mode transport Inbound ESP SA SPI 123456 0x3039 Transform set ESP ENCRYPT AES CBC 128 ESP AUTH SHA1 No duration limit for this SA Outbound ESP SA SPI 123456 0x3039 Transform s...

Page 301: ...ameters Performs DH exchanges to calculate shared keys making sure each SA has a key that is independent of other keys Automatically negotiates SAs when the sequence number in the AH or ESP header ove...

Page 302: ...on key distribution and IPsec SA establishment on insecure networks Identity authentication The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers Th...

Page 303: ...wing parameters prior to IKE configuration The algorithms to be used during IKE negotiation including the identity authentication method encryption algorithm authentication algorithm and DH group Diff...

Page 304: ...h is not found the negotiation fails 5 Configure the local ID the ID that the device uses to identify itself to the peer during IKE negotiation For digital signature authentication the device can use...

Page 305: ...ange mode main By default the main mode is used during IKE negotiation phase 1 6 Specify the IKE proposals for the IKE profile to reference proposal proposal number 1 6 By default an IKE profile refer...

Page 306: ...ller number has a higher priority The peer searches its own IKE proposals for a match The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority unt...

Page 307: ...icy template view using the local address command for the IKE keychain to be applied If no local address is configured specify the IP address of the interface that references the IPsec policy 3 You ca...

Page 308: ...em view N A 2 Configure the global identity to be used by the local end ike identity address ipv4 address ipv6 ipv6 address dn fqdn fqdn name user fqdn user fqdn name By default the IP address of the...

Page 309: ...IKE gateway behind the NAT device to send NAT keepalive packets to its peer periodically to keep the NAT session alive To configure the IKE NAT keepalive feature Step Command Remarks 1 Enter system vi...

Page 310: ...ies to send an SPI invalid notification to the data originator This notification is sent by using the IKE SA Because no IKE SA is available the notification is not sent The originating peer continues...

Page 311: ...ration Guide To generate and output SNMP notifications for a specific IKE failure or event type perform the following tasks 1 Enable SNMP notifications for IKE globally 2 Enable SNMP notifications for...

Page 312: ...er 1 Configure Switch A Assign an IP address to VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA vlan interface1 ip address 1 1 1 1 255 255 0 0 SwitchA vlan interface1 q...

Page 313: ...orm set tran1 Specify IKE profile profile1 for the IPsec policy SwitchA ipsec policy isakmp map1 10 ike profile profile1 SwitchA ipsec policy isakmp map1 10 quit Apply IPsec policy map1 to VLAN interf...

Page 314: ...y isakmp use1 10 remote address 1 1 1 1 Reference ACL 3101 to identify the traffic to be protected SwitchB ipsec policy isakmp use1 10 security acl 3101 Reference IPsec transform set tran1 for the IPs...

Page 315: ...ags RD READY RL REPLACED FD FADING 2 The following IKE event debugging or packet debugging message appeared IKE event debugging message Notification PAYLOAD_MALFORMED is received IKE packet debugging...

Page 316: ...ows that the IKE SA negotiation succeeded and the IKE SA is in RD state but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet 2 The following IKE debugging mess...

Page 317: ...2 168 222 71 Transform set transform1 IKE profile profile1 SA duration time based SA duration traffic based SA idle time 2 Verify that the ACL referenced by the IPsec policy is correctly configured If...

Page 318: ...l address 192 168 222 5 Remote address Transform set transform1 IKE profile profile1 SA duration time based SA duration traffic based SA idle time Solution 1 If no matching IKE profiles were found and...

Page 319: ...hanges during the initial exchange process IKE_SA_INIT and IKE_AUTH each with two messages IKE_SA_INIT exchange Negotiates IKE SA parameters and exchanges keys IKE_AUTH exchange Authenticates the iden...

Page 320: ...ers the initiator valid and proceeds with the negotiation If the carried cookie is incorrect the responder terminates the negotiation The cookie challenging mechanism automatically stops working when...

Page 321: ...e challenging feature takes effect only on IKEv2 responders Configuring an IKEv2 profile An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation To configure an IKEv2 profile...

Page 322: ...ets after it de encapsulates them If you specify an inside VPN instance the device looks for a route in the specified VPN instance to forward the packets If you do not specify an inside VPN instance t...

Page 323: ...address interface type interface number ipv4 address ipv6 ipv6 address By default an IKEv2 profile can be applied to any local interface or IP address 9 Optional Specify a priority for the IKEv2 profi...

Page 324: ...ew N A 2 Create an IKEv2 policy and enter IKEv2 policy view ikev2 policy policy name By default an IKEv2 policy named default exists 3 Specify the local interface or address used for IKEv2 policy matc...

Page 325: ...d HMAC SHA256 PRF algorithms HMAC SHA1 and HMAC SHA256 DH groups 14 and 19 3 Specify the encryption algorithms In non FIPS mode encryption 3des cbc aes cbc 128 aes cbc 192 aes cbc 256 aes ctr 128 aes...

Page 326: ...e an IKEv2 keychain Step Command Remarks 1 Enter system view system view N A 2 Create an IKEv2 keychain and enter IKEv2 keychain view ikev2 keychain keychain name By default no IKEv2 keychains exist 3...

Page 327: ...terval exceeds the DPD interval it sends a DPD message to the peer to detect its liveliness If the device has no data to send it never sends DPD messages If you configure IKEv2 DPD in both IKEv2 profi...

Page 328: ...s reset ikev2 sa local remote ipv4 address ipv6 ipv6 address vpn instance vpn instance name tunnel tunnel id fast IKEv2 configuration examples IKEv2 with pre shared key authentication configuration ex...

Page 329: ...pre shared key to be used with the peer at 2 2 2 2 SwitchA ikev2 keychain keychain1 peer peer1 pre shared key plaintext abcde SwitchA ikev2 keychain keychain1 peer peer1 quit SwitchA ikev2 keychain k...

Page 330: ...encryption algorithm des cbc SwitchB ipsec transform set tran1 esp authentication algorithm sha1 SwitchB ipsec transform set tran1 quit Create an IKEv2 keychain named keychain1 SwitchB ikev2 keychain...

Page 331: ...y IPsec policy use1 to VLAN interface 1 SwitchB interface vlan interface 1 SwitchB Vlan interface1 ipsec apply policy use1 SwitchB Vlan interface1 quit Verifying the configuration Initiate a connectio...

Page 332: ...password simple 123 Set an MD5 fingerprint for verifying the validity of the CA root certificate SwitchA pki domain domain1 root certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e Specify th...

Page 333: ...uit Create an IKE based IPsec policy entry with name map1 and sequence number 10 SwitchA ipsec policy map1 10 isakmp Specify remote IP address 2 2 2 2 for the IPsec tunnel SwitchA ipsec policy isakmp...

Page 334: ...ede6c56b102e Specify the trusted CA 8088 SwitchB pki domain domain2 ca identifier 8088 Specify the URL of the registration server for certificate request through the SCEP protocol This example uses a...

Page 335: ...1 1 1 for the IPsec tunnel SwitchB ipsec policy template template1 1 remote address 1 1 1 1 Specify ACL 3101 to identify the traffic to be protected SwitchB ipsec policy template template1 1 security...

Page 336: ...m sets were found Symptom The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA is in EST status The display ipsec sa command shows that the expected IPsec SAs ha...

Page 337: ...the other end by using the reset ikev2 sa command and trigger new negotiation If an IKEv2 SA exists on both ends go to the next step 2 Use the display ipsec sa command to examine whether IPsec SAs ex...

Page 338: ...ofing and plain text password interception The device can act as an Stelnet server or an Stelnet client SFTP Based on SSH2 it uses SSH connections to provide secure file transfer The device can act as...

Page 339: ...sted at one time must be no more than 2000 bytes As a best practice to ensure successful execution of commands paste commands that are in the same view To execute commands of more than 2000 bytes save...

Page 340: ...n SSH client the device supports using the public key algorithms RSA DSA and ECDSA to generate digital signatures For more information about public key configuration see Managing public keys Password...

Page 341: ...uthentication method is publickey password publickey or any Configuring the PKI domain for verifying the client certificate See Configuring PKI Required if the following conditions exist The authentic...

Page 342: ...or secure transmission of the session key Because SSH2 uses the DH algorithm to generate each session key on the SSH server and the client no session key transmission is required The server key pair i...

Page 343: ...NETCONF over SSH connection When the device acts as a server in the NETCONF over SSH connection connection requests initiated by SSH1 clients are not supported For more information about NETCONF over...

Page 344: ...erver 2 Specify the associated host private key on the client to generate the digital signature If the device acts as an SSH client specify the public key algorithm on the client The algorithm determi...

Page 345: ...mmand to create them If such an SSH user has been created make sure you have specified the correct service type and authentication method If the authentication method is password publickey or any you...

Page 346: ...ter system view system view 2 Create an SSH user and specify the service type and authentication method In non FIPS mode ssh user username service type all netconf scp sftp stelnet authentication type...

Page 347: ...timeout time out value The default setting is 10 minutes When the idle timeout timer expires the system automatically terminates the connection 9 Specify the maximum number of concurrent online SSH u...

Page 348: ...interface interface type interface number ipv6 ipv6 address By default the source IP address for SSH packets is not configured The IPv4 SSH packets use the primary IPv4 address of the output interface...

Page 349: ...prefer compress zlib prefer ctos cipher aes128 cbc aes256 cbc aes128 ctr aes192 ctr aes256 ctr aes128 gcm aes256 gcm prefer ctos hmac sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group14 sha1 ecdh sh...

Page 350: ...512 escape character public key keyname server pki domain domain name source interface interface type interface number ipv6 ipv6 address Establishing a connection to an Stelnet server based on Suite...

Page 351: ...Specify the source IPv4 address for SFTP packets sftp client source ip ip address interface interface type interface number Specify the source IPv6 address for SFTP packets sftp client ipv6 source ip...

Page 352: ...FIPS mode establish a connection to an IPv4 SFTP server sftp server port number vpn instance vpn instance name identity key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 pki domain...

Page 353: ...2 public key keyname server pki domain domain name source interface interface type interface number ipv6 ipv6 addres Establishing a connection to an SFTP server based on Suite B After the connection i...

Page 354: ...SFTP server rmdir remote path Available in SFTP client view Working with SFTP files Task Command Remarks Change the name of a file on the SFTP server rename old name new name Available in SFTP client...

Page 355: ...with an SCP server Task Command Remarks Connect to the SCP server and transfer files with the server In non FIPS mode connect to the IPv4 SCP server and transfer files with this server scp server port...

Page 356: ...aes128 gcm aes256 gcm prefer ctos hmac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group exchange sha1 dh group1 sha1 dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc ciph...

Page 357: ...92 bit pki domain domain name server pki domain domain name prefer compress zlib source interface interface type interface number ipv6 ipv6 address Available in user view The client cannot establish c...

Page 358: ...thm public key dsa ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 In FIPS mode ssh2 algorithm public key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 By default SSH...

Page 359: ...on the SSH server display ssh user information username Display the public keys of the local key pairs display public key local dsa ecdsa rsa public name publickey name Display the public keys of the...

Page 360: ...The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key p...

Page 361: ...t001 quit Create an SSH user client001 Specify the service type as stelnet and the authentication method as password for the user By default password authentication is used if no SSH user is created S...

Page 362: ...figuration management The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm Figure 97 Network diagram Configuration procedure In the server configura...

Page 363: ...ir on the client a Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 99 Otherwise the progress bar stops moving and the key pair generating progress st...

Page 364: ...saving window appears g Enter a file name private ppk in this example and click Save h Transmit the public key file to the server through FTP or TFTP Details not shown 2 Configure the Stelnet server G...

Page 365: ...0 63 quit Import the client s public key from file key pub and name it switchkey Switch public key peer switchkey import sshkey key pub Create an SSH user client002 Specify the authentication method a...

Page 366: ...name or IP address c Select Connection SSH from the navigation tree The window shown in Figure 102 appears d Specify the Preferred SSH protocol version as 2 in the Protocol options area Figure 102 Sp...

Page 367: ...he system notifies you to enter the username After entering the username client002 you can enter the CLI of the server Password authentication enabled Stelnet client configuration example Network requ...

Page 368: ...ECDSA key pair SwitchB public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the Stelnet server SwitchB ssh server enable Assign an IP address to VLAN interf...

Page 369: ...ils not shown Enter public key view of the client and copy the host public key of the server to the client SwitchA public key peer key1 Enter public key view Return to system view with peer public key...

Page 370: ...witchB After you enter the correct password you log in to Switch B successfully If the client does not have the server s host public key the system notifies you to confirm whether to continue with the...

Page 371: ...VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 1 56 255 255 255 0 SwitchA Vlan interface2 quit Generate a DSA key pair SwitchA publi...

Page 372: ...255 255 255 0 SwitchB Vlan interface2 quit Set the authentication mode to AAA for the user lines SwitchB line vty 0 63 SwitchB line vty0 63 authentication mode scheme SwitchB line vty0 63 quit Import...

Page 373: ...an Stelnet client SSH2 Switch B acts as the Stelnet server SSH2 and it uses publickey authentication Switch B uses the following algorithms for the algorithm negotiation with the Stelnet client Key ex...

Page 374: ...ir name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A to Z 0 to 9 and hyphens Please enter the key pair name default name server256 Display information abo...

Page 375: ...l filename ssh client ecdsa256 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A...

Page 376: ...for verifying the client s certificate and import the file of the client s certificate to this domain Details not shown Create a PKI domain named server256 for the server s certificate and import the...

Page 377: ...ithout the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB SFTP configuration examples Unless otherwise noted devices in the configuration examples are in...

Page 378: ...to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair Switch public key local create ecdsa secp256r1 Generating Keys Create the ke...

Page 379: ...a connection between the SFTP client and the SFTP server The device supports different types of SFTP client software This example uses an SFTP client that runs PSFTP of PuTTy version 0 58 NOTE PSFTP...

Page 380: ...SwitchA Vlan interface2 quit Generate RSA key pairs SwitchA public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press...

Page 381: ...itchkey import sshkey pubkey Create an SSH user client001 Specify the service type as sftp and the authentication method as publickey for the user Assign the public key switchkey to the user SwitchB s...

Page 382: ...pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Rename directory new1 to new2 and verify the result...

Page 383: ...e and the server s certificate Details not shown You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties In...

Page 384: ...24 7b 32 6a ed b6 36 e1 4d cc 8c 05 22 f4 3a 7c 5d b7 be d1 e6 9e f0 ce 95 39 ca fd a0 86 cd 54 ab 49 60 10 be 67 9f 90 3a 18 e2 7d d9 5f 72 27 09 e7 bf 7e 64 0a 59 bb b3 7d ae 88 14 94 45 b9 34 d2 f3...

Page 385: ...ot After Aug 19 10 10 59 2016 GMT Subject C CN ST aaa O ccc OU Software CN ssh client Subject Public Key Info Public Key Algorithm id ecPublicKey Public Key 384 bit pub 04 85 7c 8b f4 7a 36 bf 74 f6 7...

Page 386: ...rver pki domain server384 Enable the SFTP server SwitchB sftp server enable Assign an IP address to VLAN interface 2 SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 0 1 2...

Page 387: ...n you are assigned the user role network admin and can securely transfer files with Switch B Switch B uses the password authentication method The client s username and password are saved on Switch B F...

Page 388: ...age client001 authorization attribute user role network admin SwitchB luser manage client001 quit Configure an SSH user client001 Specify the service type as scp and the authentication method as passw...

Page 389: ...re ssh server ecdsa256 p12 and ssh server ecdsa384 p12 The client s certificate files are ssh client ecdsa256 p12 and ssh client ecdsa384 p12 2 Configure the SCP client NOTE You can modify the pkix ve...

Page 390: ...ALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier 08 C1 F1 AA 97 45 19 6A DA 4A F2 87 A1 1A E8 30 BD 31 30 D7 X509v3 Authority Key Identifier keyid 5A BE 85 49 16 E5 EB...

Page 391: ...9a 4c 70 61 35 db e4 39 b8 38 c4 60 4a 65 28 49 14 32 3c cc 6d cd 34 29 83 84 74 a7 2d 0e 75 1c c2 52 58 1e 22 16 12 d0 b4 8a 92 ASN1 OID prime256v1 NIST CURVE P 256 X509v3 extensions X509v3 Basic Co...

Page 392: ...ver Subject Public Key Info Public Key Algorithm id ecPublicKey Public Key 384 bit pub 04 4a 33 e5 99 8d 49 45 a7 a3 24 7b 32 6a ed b6 36 e1 4d cc 8c 05 22 f4 3a 7c 5d b7 be d1 e6 9e f0 ce 95 39 ca fd...

Page 393: ...2 Signature Algorithm ecdsa with SHA384 Issuer C CN ST aaa L bbb O ccc OU Software CN SuiteB CA Validity Not Before Aug 20 10 10 59 2015 GMT Not After Aug 19 10 10 59 2016 GMT Subject C CN ST aaa O cc...

Page 394: ...he file of this certificate to this domain Details not shown Specify Suite B algorithms for algorithm negotiation SwitchB system view SwitchB ssh2 algorithm key exchange ecdh sha2 nistp256 ecdh sha2 n...

Page 395: ...erver pki domain server384 Create an SSH user client002 Specify the authentication method publickey for the user and specify client384 as the PKI domain for verifying the client s certificate Switch s...

Page 396: ...of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair succes...

Page 397: ...y the plaintext password as aabbcc and the service type as ssh for the user Switch luser manage client001 password simple aabbcc Switch luser manage client001 service type ssh Assign the user role net...

Page 398: ...message authentication code MAC to verify message integrity It uses a MAC algorithm and a key to transform a message of any length to a fixed length message Any change to the original message will re...

Page 399: ...at complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode SSL configuration task list Tasks at a glanc...

Page 400: ...er policy If SSL server authentication is required you must specify a PKI domain and request a local certificate for the SSL server in the domain For information about how to create and configure a PK...

Page 401: ...is a set of SSL parameters that the client uses to establish a connection to the server An SSL client policy takes effect only after it is associated with an application such as DDNS To configure an S...

Page 402: ..._256_cbc_sha rsa_aes_256_cbc_sha256 rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode prefer cipher ecdhe_ecdsa_aes_128_ cbc_sha256 ecdhe_ecdsa_aes_128_g cm_sha256 ecdhe_ecdsa_aes_256_c bc_...

Page 403: ...certificates server verify enable By default SSL server authentication is enabled Displaying and maintaining SSL Execute display commands in any view Task Command Display cryptographic library versio...

Page 404: ...SG bindings As shown in Figure 116 IPSG on the interface forwards only the packets that match one of the IPSG bindings Figure 116 Diagram for the IPSG feature NOTE IPSG is a per interface packet filte...

Page 405: ...LAN obtain IP addresses through DHCP IPSG is configured on the DHCP snooping device or the DHCP relay agent It generates dynamic IPSG bindings based on the DHCP snooping entries or DHCP relay entries...

Page 406: ...rrectly on the network To enable the IPv4SG feature on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The follow...

Page 407: ...or the ARP detection function the vlan vlan id option must be specified and ARP detection must be enabled for the specified VLAN You can configure the same static IPv4SG binding on different interface...

Page 408: ...the global bindings Configuring a global static IPv6SG binding Step Command Remarks 1 Enter system view system view N A 2 Configure a global static IPv6SG binding ipv6 source binding ip address ipv6...

Page 409: ...c IPv4SG configuration example Network requirements As shown in Figure 117 all hosts use static IP addresses Configure static IPv4SG bindings on Switch A and Switch B to meet the following requirement...

Page 410: ...yGigE 1 1 1 SwitchB interface fortygige 1 1 1 SwitchB FortyGigE1 1 1 ip verify source ip address mac address On FortyGigE 1 1 1 configure a static IPv4SG binding for Host B SwitchB FortyGigE1 1 1 ip s...

Page 411: ...Switch FortyGigE1 1 2 dhcp snooping trust Switch FortyGigE1 1 2 quit Enable IPv4SG on FortyGigE 1 1 1 and verify the source IP address and MAC address for dynamic IPSG Switch interface fortygige 1 1 1...

Page 412: ...onfigure VLAN interface 100 to operate in DHCP relay mode Switch interface vlan interface 100 Switch Vlan interface100 dhcp select relay Specify the IP address of the DHCP server Switch Vlan interface...

Page 413: ...from the DHCPv6 server Perform the following tasks Enable DHCPv6 snooping on the switch to make sure the DHCPv6 client obtains an IPv6 address from the authorized DHCPv6 server To generate a DHCPv6 s...

Page 414: ...ch FortyGigE1 1 1 ipv6 dhcp snooping binding record Switch FortyGigE1 1 1 quit Verifying the configuration Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 snooping entry Switch dis...

Page 415: ...cket rate limit configured on access devices Configuring source MAC based ARP attack detection configured on gateways User and gateway spoofing prevention Configuring ARP packet source MAC consistency...

Page 416: ...dresses Configuring ARP source suppression Step Command Remarks 1 Enter system view system view N A 2 Enable ARP source suppression arp source suppression enable By default ARP source suppression is d...

Page 417: ...ce suppression Enable ARP source suppression Device system view Device arp source suppression enable Configure the device to receive a maximum of 100 unresolvable packets from a host in 5 seconds Devi...

Page 418: ...center see Network Management and Monitoring Configuration Guide To configure ARP packet rate limit Step Command Remarks 1 Enter system view system view N A 2 Optional Enable notification sending for...

Page 419: ...igure the aging timer for ARP attack entries arp source mac aging time time By default the lifetime is 300 seconds 5 Optional Exclude specific MAC addresses from this detection arp source mac exclude...

Page 420: ...method as filter Device system view Device arp source mac filter Set the threshold to 30 Device arp source mac threshold 30 Set the lifetime for ARP attack entries to 60 seconds Device arp source mac...

Page 421: ...the gateway discards the packet To configure ARP active acknowledgement Step Command Remarks 1 Enter system view system view N A 2 Enable the ARP active acknowledgement feature arp active ack strict...

Page 422: ...e SwitchA FortyGigE1 1 1 ip address 10 1 1 1 24 SwitchA FortyGigE1 1 1 quit Configure DHCP SwitchA dhcp enable SwitchA dhcp server ip pool 1 SwitchA dhcp pool 1 network 10 1 1 0 mask 255 255 255 0 Swi...

Page 423: ...figuration procedure 1 Configure Switch A Specify the IP address for FortyGigE 1 1 1 SwitchA system view SwitchA interface fortygige 1 1 1 SwitchA FortyGigE1 1 1 port link mode route SwitchA FortyGigE...

Page 424: ...the configuration Display authorized ARP information on Switch B SwitchB display arp all Type S Static D Dynamic O Openflow M Multiport I Invalid IP Address MAC Address VLAN Interface Aging Type 10 10...

Page 425: ...uide Configuration guidelines You must specify a VLAN for an IP source guard binding Otherwise no ARP packets can match the IP source guard binding Configuration procedure To configure user validity c...

Page 426: ...t ARP packet validity check is disabled 6 Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number N A 7 Optional Configure the interface as...

Page 427: ...ining ARP detection Execute display commands in any view and reset commands in user view Task Command Display the VLANs enabled with ARP detection display arp detection Display the ARP detection stati...

Page 428: ...tchB interface fortygige 1 1 3 SwitchB FortyGigE1 1 3 dhcp snooping trust SwitchB FortyGigE1 1 3 quit Enable recording of client information in DHCP snooping entries on FortyGigE 1 1 1 SwitchB interfa...

Page 429: ...ents As shown in Figure 127 configure ARP restricted forwarding on Switch B where ARP detection is configured Port isolation configured on Switch B can take effect for broadcast ARP requests Figure 12...

Page 430: ...1 1 2 If the ARP packets are confirmed as valid the switch performs user validity check by using the static IP source guard bindings and DHCP snooping entries However ARP broadcast requests sent from...

Page 431: ...mmand 1 Enter system view system view 2 Enter Layer 3 Ethernet interface Layer 3 Ethernet subinterface VLAN interface Layer 3 aggregate interface Layer 3 aggregate subinterface view interface interfac...

Page 432: ...launches gateway spoofing attacks to Switch B As a result traffic that Switch B intends to send to Switch A is sent to Host B Configure Switch B to block such attacks Figure 128 Network diagram Config...

Page 433: ...ith ARP detection MFF ARP fast reply and ARP snooping ARP filtering applies first Configuration procedure To configure ARP filtering Step Command Remarks 1 Enter system view system view N A 2 Enter La...

Page 434: ...der IP address is within the allowed IP address range the gateway continues ARP learning If the sender IP address is out of the range the gateway determines the ARP packet as an attack packet and disc...

Page 435: ...422 Step Command Remarks for ARP sender IP address checking start ip address end ip address specified for ARP sender IP address checking...

Page 436: ...ts from hosts to the gateway for further forwarding The hosts are isolated at Layer 2 but they can communicate at Layer 3 An MFF enabled device and a host cannot ping each other Figure 130 Network dia...

Page 437: ...n a cascaded network a network with multiple MFF devices connected to one another Ports between devices in a ring network Link aggregation is supported by network ports in an MFF enabled VLAN but it i...

Page 438: ...d gateways If the source MAC addresses of ARP requests from gateways are different from those recorded the MFF device updates and broadcasts the IP and MAC addresses of the gateways Protocols and stan...

Page 439: ...Interfaces on a router in a VRRP group When the MFF device receives an ARP request from a server the MFF device searches IP to MAC address entries it has stored Then the device replies with the reques...

Page 440: ...other through Gateway at Layer 3 Figure 131 Network diagram Configuration procedure 1 Configure the IP addresses of the hosts and Gateway as shown in Figure 131 2 Configure Switch A Configure manual m...

Page 441: ...example in a ring network Network requirements As shown in Figure 132 all the devices are in VLAN 100 and the switches form a ring Hosts A B and C are assigned IP addresses manually Configure MFF to i...

Page 442: ...anual mode MFF on VLAN 100 SwitchB vlan 100 SwitchB vlan100 mac forced forwarding default gateway 10 1 1 100 Specify the IP address of the server SwitchB vlan100 mac forced forwarding server 10 1 1 20...

Page 443: ...t forged source addresses or attack multiple servers simultaneously to block connections or even break down the network uRPF can prevent these source address spoofing attacks It checks whether an inte...

Page 444: ...packets 2 uRPF checks whether the source address matches a FIB entry Checks the received packet Broadcast source address All zero source address Matching FIB entry found Broadcast destination address...

Page 445: ...o step 9 5 uRPF checks whether the source IP address matches an ARP entry If yes uRPF proceeds to step 8 If no uRPF proceeds to step 9 6 uRPF checks whether the FIB table has a default route If yes uR...

Page 446: ...hecks only incoming packets on an interface After you enable the uRPF function on the switch the routing table size might decrease by half If the number of routes exceeds half the routing table size o...

Page 447: ...itch A directly connects to an ISP switch Switch B Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks Figure 136 Network diagram Configuration procedure 1 Ena...

Page 448: ...cannot enable or disable software crypto engines The switch only supports software crypto engines in the current software version Crypto engines provide encryption decryption services for service modu...

Page 449: ...password control policies such as password length complexity and aging policy When the aging timer for a password expires the system prompts you to change the password If you adjust the system time af...

Page 450: ...omatic reboot and manual reboot Automatic reboot To use automatic reboot to enter FIPS mode 1 Enable FIPS mode 2 Select the automatic reboot method The system automatically performs the following task...

Page 451: ...is available The SSL server only supports TLS1 0 TLS1 1 and TLS1 2 The SSH server does not support SSHv1 clients and DSA key pairs The generated RSA and DSA key pairs must have a modulus length of 20...

Page 452: ...fault authentication mode is none for a console port After you disable FIPS mode follow these restrictions and guidelines before you manually reboot the device If you are logged into the device throug...

Page 453: ...en uses the private key to decrypt the encrypted text If the decryption is successful the test succeeds Table 21 lists the cryptographic algorithms examined by the power up self test Table 21 Power up...

Page 454: ...ode state display fips status FIPS configuration examples Entering FIPS mode through automatic reboot Network requirements Use the automatic reboot method to enter FIPS mode and use a console port to...

Page 455: ...password confirm Updating user information Please wait Sysname Display the current FIPS mode state Sysname display fips status FIPS mode is enabled Display the default configuration file Sysname more...

Page 456: ...ation will be written to the device Are you sure Y N y Please input the file name cfg flash startup cfg To leave the existing filename unchanged press the enter key flash startup cfg exists overwrite...

Page 457: ...s A user has logged in to the device in FIPS mode through SSH with a username of test and a password of 12345zxcvb ZXCVB Use the manual reboot method to exit FIPS mode Configuration procedure Disable...

Page 458: ...tartup mdb Delete flash startup mdb Y N y Deleting file flash startup mdb Done Reboot the device Sysname reboot Verifying the configuration After the device reboots enter a username of test and a pass...

Page 459: ...equired Configuring parameters for a user profile Configuration restrictions and guidelines Before creating a user profile perform the following tasks 1 Plan the authentication method for your network...

Page 460: ...Displaying and maintaining user profiles Execute display commands in any view Task Command Display configuration and online user information for the specified user profile or all user profiles displa...

Page 461: ...traffic filtering action as deny Switch traffic behavior for_usera Switch behavior for_usera filter deny Switch behavior for_usera quit Create QoS policy for_usera and associate traffic class for_use...

Page 462: ...vior for_userc Switch behavior for_userc car cir 4000 Switch behavior for_userc quit Create QoS policy for_userc and associate traffic class class with traffic behavior for_userc Switch qos policy for...

Page 463: ...od for local users Configure ISP domain user to use local authentication and authorization without accounting for local users Switch domain user Switch isp user authentication lan access local Switch...

Page 464: ...licy for_userb slot 1 User Authentication type 802 1X Network attributes Interface Ten GigabitEthernet1 0 1 MAC address 80c1 6ee0 2664 Service VLAN 1 User Profile userc Outbound Policy for_userc slot...

Page 465: ...cription ICMP redirect An attacker sends ICMP redirect messages to modify the victim s routing table The victim cannot forward packets correctly ICMP destination unreachable An attacker sends ICMP des...

Page 466: ...indows system The malicious packets contain an illegal Urgent Pointer which causes the victim s operating system to crash UDP bomb An attacker sends a malformed UDP packet The length value in the IP h...

Page 467: ...is causes the server to be busy searching for SYN packets and the server is unable to process packets for normal services FIN flood attack FIN packets are used to shut down TCP connections A FIN flood...

Page 468: ...receiving host reassembles the fragments a TCP fragment attack occurs To prevent TCP fragment attacks enable TCP fragment attack prevention to drop attack TCP fragments Login dictionary attack The log...

Page 469: ...view attack defense policy policy name N A 3 Configure signature detection for single packet attacks signature detect fraggle fragment impossible ip option abnormal land large icmp large icmpv6 ping...

Page 470: ...logging and drop for single packet attacks of the medium and high levels 6 Optional Enable signature detection for single packet attacks of a specific level signature level high info low medium detec...

Page 471: ...is disabled 4 Set the global trigger threshold for SYN flood attack prevention syn flood threshold threshold value The default setting is 1000 5 Specify global actions against SYN flood attacks syn f...

Page 472: ...ic SYN ACK flood attack detection is not configured Configuring a FIN flood attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Enter attack defense policy view attack def...

Page 473: ...od threshold threshold value The default setting is 1000 5 Specify global actions against ICMP flood attacks icmp flood action drop logging By default no global action is specified for ICMP flood atta...

Page 474: ...DP flood attack detection is not configured Configuring a DNS flood attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Enter attack defense policy view attack defense pol...

Page 475: ...detection is not configured Configuring attack detection exemption The attack defense policy uses the ACL to identify exempted packets The policy does not check the packets permitted by the ACL You ca...

Page 476: ...Disable log aggregation for single packet attack events attack defense signature log non aggregate By default log aggregation is enabled for single packet attack events Configuring TCP fragment attack...

Page 477: ...ctim ipv6 count Display flood attack detection and prevention statistics for an IPv4 address display attack defense ack flood dns flood fin flood flood http flood icmp flood rst flood syn ack flood sy...

Page 478: ...face of the switch enable global SYN flood attack detection When the device receives 2000 or more SYN packets that are destined to the switch but not to the protected IP address per second it outputs...

Page 479: ...apply policy a1 Verifying the configuration Verify that the attack defense policy a1 is correctly configured Switch display attack defense policy a1 Attack defense Policy Information Policy name a1 A...

Page 480: ...led info L ICMP information reply Disabled info L ICMP address mask request Disabled info L ICMP address mask reply Disabled info L ICMPv6 echo request Disabled info L ICMPv6 echo reply Disabled info...

Page 481: ...ice outputs logs and drops the attack packets If the device receives TCP SYN flood attack packets that are destined for the device but not to the protected IP address the device outputs logs Display t...

Page 482: ...ed on gateways to prevent ND attacks This feature checks the source MAC address and the source link layer address for consistency for each arriving ND packet If source MAC address and the source link...

Page 483: ...evice and the peer device must have the same authentication algorithm and key string To configure a keychain Step Command Remarks 1 Enter system view system view N A 2 Create a keychain and enter keyc...

Page 484: ...1 1 SwitchA ospfv3 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ospfv3 1 area 0 SwitchA Vlan interface100 quit Create a keychain named abc and specify the absolute time mode...

Page 485: ...keychain abc specify an authentication algorithm and configure a key string and the sending and receiving lifetimes for the key SwitchB keychain abc key 1 SwitchB keychain abc key 1 authentication alg...

Page 486: ...00 00 2015 02 06 to 11 00 00 2015 02 06 Accept status Active Key ID 2 Key string c 3 7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw Algorithm hmac sha 256 Send lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06...

Page 487: ...g c 3 dYTC8QeOKJkwFwP2k rWL 1p6uMTw3MqNg Algorithm hmac sha 256 Send lifetime 10 00 00 2015 02 06 to 11 00 00 2015 02 06 Send status Inactive Accept lifetime 10 00 00 2015 02 06 to 11 00 00 2015 02 06...

Page 488: ...2015 02 06 Accept status Inactive Key ID 2 Key string c 3 t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw Algorithm hmac sha 256 Send lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Send status Active Accept...

Page 489: ...st one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument...

Page 490: ...Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a...

Page 491: ...provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to...

Page 492: ...self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualif...

Page 493: ...umber edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal no...

Page 494: ...ontrol 72 maintain 93 mandatory port authentication domain 85 online user handshake 83 overview 64 packet format 65 periodic online user reauthentication 86 port authorization state 81 port authorizat...

Page 495: ...ername format 26 scheme configuration 18 SSH user local authentication HWTACACS authorization RADIUS accounting 51 troubleshoot HWTACACS 62 troubleshoot LDAP user authentication fails 62 troubleshoot...

Page 496: ...ation DHCP server 409 configuration 402 detection configuration 411 filtering configuration 420 420 fixed ARP configuration 417 gateway protection 418 419 packet rate limit configuration 404 packet so...

Page 497: ...68 802 1X EAP termination 70 802 1X EAP termination enable 81 802 1X initiation 67 802 1X mandatory port authentication domain 85 802 1X overview 64 802 1X periodic online user reauthentication 86 802...

Page 498: ...rization method 45 AAA LDAP authorization 9 AAA RADIUS server SSH user authentication authorization 53 AAA RADIUS session control 47 AAA SSH user local authentication HWTACACS authorization RADIUS acc...

Page 499: ...ecurity portal authentication system components 123 SSL client policy configuration 388 command AAA command accounting method 12 AAA command authorization method 12 communication peer public key entry...

Page 500: ...TCP fragment attack prevention 463 authorized ARP 408 authorized ARP DHCP relay agent 410 authorized ARP DHCP server 409 crypto engine 435 FIPS 436 441 FIPS mode 437 fixed ARP 417 IP source guard IPSG...

Page 501: ...n 455 security local portal Web server feature 142 security password control 205 208 212 security portal authentication 123 128 146 security portal authentication cross subnet for MPLS L3VPN 177 secur...

Page 502: ...tion 89 MAC authentication 105 MAC authentication configuration 112 critical voice VLAN 802 1X enable 90 MAC authentication enable 113 CRL PKI 225 PKI architecture 226 PKI CA policy 226 PKI certificat...

Page 503: ...orized ARP DHCP server 409 configuring keychain on switch 471 creating user profile 446 crypto engine configuration 435 IPv4 source guard IPv4SG dynamic binding DHCP relay configuration 398 MFF server...

Page 504: ...t 244 PKI peer certificate 225 PKI RA certificate 225 PKI RSA Keon CA server certificate request 238 PKI verification CRL checking 234 PKI verification w o CRL checking 235 PKI Windows 2003 CA server...

Page 505: ...cal VLAN 90 802 1X EAP relay 81 802 1X EAP termination 81 802 1X guest VLAN assignment delay 87 802 1X periodic online user reauthentication 86 AAA RADIUS server load sharing 29 AAA RADIUS session con...

Page 506: ...rtal authentication extended cross subnet 166 security portal authentication extended direct 159 security portal authentication extended re DHCP 162 F fail permit feature portal 140 Federal Informatio...

Page 507: ...SH SFTP configuration 364 SSH SFTP configuration 192 bit Suite B 370 SSH SFTP directories 341 SSH SFTP files 341 SSH SFTP packet source IP address 338 SSH SFTP server connection establishment 338 SSH...

Page 508: ...SA 260 IPsec tunnel establishment 262 IPsec tunnel for IPv4 packets IKE based 281 keepalive 295 keychain configuration 294 maintain 298 NAT keepalive 296 negotiation 288 PFS 290 profile configuration...

Page 509: ...ction configuration 402 ARP filtering configuration 420 ARP gateway protection 419 ARP restricted forwarding 416 ARP user packet validity check 414 authorized ARP DHCP relay agent 410 authorized ARP D...

Page 510: ...ty info 303 troubleshoot SA negotiation failure no transform set match 303 323 troubleshoot SA negotiation failure tunnel failure 323 tunnel establishment 262 tunnel for IPv4 packets IKE based 281 tun...

Page 511: ...hain 294 IPsec IKEv2 keychain 313 maintain 471 keyword IPsec ACL rule keywords 264 L LAN 802 1X overview 64 Layer 2 MFF configuration 423 425 427 MFF manual mode in ring network 428 MFF manual mode in...

Page 512: ...d access control 72 address See MAC addressing ARP attack detection source MAC based 405 authentication See MAC authentication SSL services 385 MAC address 802 1X authentication access device initiate...

Page 513: ...n 471 MAC authentication 115 security attack detection and prevention 464 security password control 212 security portal authentication 145 managing public keys 216 220 manual FIPS mode manual reboot 4...

Page 514: ...fense configuration 469 configuring source MAC consistency check 469 IPv6 See IPv6 ND attack defense need to know Use NTK negotiating IPsec IKE negotiation 288 IPsec IKE negotiation mode 260 IPsec IKE...

Page 515: ...c IKEv2 pre shared key authentication 315 IPsec IKEv2 RSA signature authentication 318 IPsec implementation 261 IPsec IPv6 routing protocol profile manual 276 IPsec IPv6 routing protocols 276 IPsec pa...

Page 516: ...9 Secure Telnet client user line 330 security ARP detection logging enable 414 security password control global parameters 209 security password control local user parameters 211 security password con...

Page 517: ...D attack defense configuration 469 PKI configuration 225 228 238 port security configuration 185 188 195 public key import from file 222 public key management 216 220 security password control 208 212...

Page 518: ...configuring SSH management parameters 333 security password control global parameters 209 security password control local user parameters 211 security password control user group parameters 210 securi...

Page 519: ...tack D P defense policy single packet 456 attack D P defense policy creation 456 attack D P policy application device 462 attack defense policy configuration 456 IPsec manual 266 IPsec application to...

Page 520: ...C addresses 204 portal security user profile configuration 446 portal authentication AAA server 124 access device 124 authentication destination subnet 134 authentication modes 126 authentication page...

Page 521: ...method 43 configuring AAA LDAP administrator attributes 41 configuring AAA LDAP scheme 40 configuring AAA LDAP server IP address 40 configuring AAA LDAP server SSH user authentication 56 configuring...

Page 522: ...nfiguring IPsec IKEv2 307 configuring IPsec IKEv2 DPD 314 configuring IPsec IKEv2 global parameters 314 configuring IPsec IKEv2 keychain 313 configuring IPsec IKEv2 NAT keepalive 314 configuring IPsec...

Page 523: ...curity password control 208 212 configuring security portal authentication 128 146 configuring security portal authentication destination subnet 134 configuring security portal authentication detectio...

Page 524: ...chain 471 displaying MAC authentication 115 displaying MFF 427 displaying port security 195 displaying public key 220 displaying security attack detection and prevention 464 displaying security passwo...

Page 525: ...ining IPsec IKEv2 315 maintaining IPv4 source guard IPv4SG 396 maintaining IPv6 source guard IPv6SG 396 maintaining keychain 471 maintaining MAC authentication 115 maintaining security attack detectio...

Page 526: ...fo 303 troubleshooting IPsec SA negotiation failure no transform set match 303 323 troubleshooting IPsec SA negotiation failure tunnel failure 323 troubleshooting PKI CA certificate import failure 255...

Page 527: ...user profile configuration 447 QoS or CAR parameters configuring 447 quiet MAC authentication quiet timer 108 quiet timer 802 1X 85 R RA PKI architecture 226 PKI certificate 225 RADIUS 802 1X EAP over...

Page 528: ...In User Service Use RADIUS removing PKI certificate 236 request PKI certificate request abort 233 requesting PKI certificate request 231 resource access restriction portal authentication 123 restricti...

Page 529: ...1X access control method 82 802 1X ACL assignment 98 802 1X authentication 93 802 1X authentication request attempts max number 82 802 1X Auth Fail VLAN 75 802 1X authorization VLAN 72 802 1X authoriz...

Page 530: ...ion restrictions 418 HWTACACS protocols and standards 13 keychain configuration 470 470 keychain configuration on switch 471 keychain display 471 keychain maintain 471 LDAP protocols and standards 13...

Page 531: ...5 802 1X online user handshake 83 802 1X periodic online user reauthentication 86 AAA configuration 17 AAA LDAP implementation 9 AAA local user 18 AAA RADIUS attributes 14 AAA RADIUS scheme 22 AAA RAD...

Page 532: ...1 PKI certificate request automatic 232 232 PKI certificate request manual 232 PKI certificate request abort 233 PKI certificate verification 234 PKI certificate verification CRL checking 234 PKI cert...

Page 533: ...ng IPsec IKEv2 323 troubleshooting PKI CA certificate failure 253 troubleshooting PKI CA certificate import failure 255 troubleshooting PKI certificate export failure 256 troubleshooting PKI configura...

Page 534: ...address 338 SSH application 325 SSH management parameters 333 shared key AAA HWTACACS 36 AAA RADIUS 25 signature authentication IKE 289 single packet attack attack D P defense policy 456 attack D P d...

Page 535: ...uration 128 bit Suite B 360 Secure Telnet server connection establishment 335 Secure Telnet server connection establishment based on Suite B 337 Secure Telnet server password authentication 346 Secure...

Page 536: ...ot 444 FIPS mode system changes 438 IPsec authentication 260 IPsec configuration 258 IPsec encryption 260 IPsec IKE configuration 288 290 299 IPsec IKE global identity information 295 IPsec IKE invali...

Page 537: ...A RADIUS accounting error 62 AAA RADIUS authentication failure 61 AAA RADIUS packet delivery failure 61 IPsec IKE 301 IPsec IKE negotiation failure no proposal match 301 IPsec IKE negotiation failure...

Page 538: ...ng configuration 397 IPv4 source guard IPv4SG dynamic binding DHCP relay configuration 398 IPv4 source guard IPv4SG static binding configuration 396 IPv6 source guard IPv6SG dynamic binding DHCPv6 sno...

Page 539: ...258 279 IPsec RIPng configuration 284 IPsec tunnel for IPv4 packets IKE based 281 IPsec tunnel for IPv4 packets manual 279 PKI application 227 security portal authentication cross subnet for MPLS L3VP...

Page 540: ...527 SSH SFTP files 341 X X 500 AAA LDAP implementation 9...

Search results

Summary of Contents for 704654-B21

Reviews:

Related manuals for 704654-B21

Brands by name

Popular brands

HPE 704654-B21, Security Configuration Manual

Search results

Summary of Contents for 704654-B21

Reviews:

Related manuals for 704654-B21

Brands by name

Popular brands