manualshive.com logo in svg

HPE FlexFabric 5940 SERIES, Security Configuration Manual

The HPE FlexFabric 5940 SERIES delivers high-performance, Ethernet switching for modern data centers. Simplify network management with the comprehensive Command Reference Manual, available for free download at our website. Unlock the full potential of this product by accessing the manual today from manualshive.com.

Share
Download
background image

 

134 

[Device-Ten-GigabitEthernet1/0/1] quit 

# Enable MAC authentication globally.  

[Device] mac-authentication 

3. 

Configure the RADIUS servers: 

# Add a user account with 

00-e0-fc-12-34-56

 as both the username and password on each 

RADIUS server. (Details not shown.) 

# Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.) 

Verifying the configuration 

# Verify the MAC authentication configuration. 

[Device] display mac-authentication 

Global MAC authentication parameters: 

   MAC authentication     : Enabled 

   Username format        : MAC address in lowercase(xx-xx-xx-xx-xx-xx) 

           Username       : mac 

           Password       : Not configured 

   Offline detect period  : 300 s 

   Quiet period           : 60 s 

   Server timeout         : 100 s 

   Reauth period          : 3600 s 

   Authentication domain  : bbb 

 Online MAC-auth users    : 1 

 

 Silent MAC users: 

          MAC address       VLAN ID  From port               Port index 

 

 Ten-GigabitEthernet1/0/1  is link-up 

   MAC authentication         : Enabled 

   Carry User-IP              : Disabled 

   Authentication domain      : Not configured 

   Auth-delay timer           : Disabled 

   Periodic reauth            : Disabled 

   Re-auth server-unreachable : Logoff 

   Guest VLAN                 : Not configured 

   Guest VLAN auth-period     : 30 s 

   Critical VLAN              : Not configured 

   Critical voice VLAN        : Disabled 

   Host mode                  : Single VLAN 

   Offline detection          : Enabled 

   Authentication order       : Default 

 

   Max online users           : 4294967295 

   Authentication attempts    : successful 1, failed 0 

   Current online users       : 1 

          MAC address       Auth state 

          00e0-fc12-3456    Authenticated 

# Verify that you cannot ping the FTP server from the host. 

C:\>ping 10.0.0.1 

Summary of Contents for FlexFabric 5940 SERIES

Page 1: ...HPE FlexFabric 5940 Switch Series Security Configuration Guide Part number 5200 1030a Software version Release 2508 and later verison Document version 6W101 20161101 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ...DIUS attribute translation feature 54 Setting the maximum number of concurrent login users 56 Configuring a NAS ID profile 56 Configuring the device ID 57 Displaying and maintaining AAA 57 AAA configuration examples 57 AAA for SSH users by an HWTACACS server 57 Local authentication HWTACACS authorization and RADIUS accounting for SSH users 59 Authentication and authorization for SSH users by a RAD...

Page 4: ...X reauthentication 93 Overview 93 Configuration restrictions and guidelines 94 Configuring 802 1X periodic reauthentication 94 Configuring 802 1X manual reauthentication 94 Enabling the keep online feature 95 Configuring an 802 1X guest VLAN 95 Configuration guidelines 95 Configuration prerequisites 96 Configuration procedure 96 Enabling 802 1X guest VLAN assignment delay 96 Configuring an 802 1X ...

Page 5: ...C authentication guest VLAN 124 Configuring a MAC authentication critical VLAN 125 Enabling the MAC authentication critical voice VLAN 125 Configuration prerequisites 125 Configuration procedure 126 Configuring periodic MAC reauthentication 126 Overview 126 Configuration restrictions and guidelines 126 Configuration procedure 127 Enabling MAC authentication offline detection 127 Displaying and mai...

Page 6: ...sed quick portal authentication 165 Configuring a MAC binding server 165 Specifying a MAC binding server on an interface 166 Enabling logging for user logins and logouts 167 Displaying and maintaining portal 167 Portal configuration examples 168 Configuring direct portal authentication 168 Configuring re DHCP portal authentication 176 Configuring cross subnet portal authentication 179 Configuring ...

Page 7: ...xample 234 Network requirements 234 Configuration procedure 234 Verifying the configuration 237 Configuring password control 239 Overview 239 Password setting 239 Password updating and expiration 240 User login control 241 Password not displayed in any form 242 Logging 242 FIPS compliance 242 Password control configuration task list 242 Enabling password control 243 Setting global password control...

Page 8: ...erifying certificates with CRL checking 274 Verifying certificates without CRL checking 275 Specifying the storage path for the certificates and CRLs 275 Exporting certificates 276 Removing a certificate 276 Configuring a certificate based access control policy 277 Displaying and maintaining PKI 278 PKI configuration examples 278 Requesting a certificate from an RSA Keon CA server 278 Requesting a...

Page 9: ...dards 328 FIPS compliance 328 IKE configuration prerequisites 328 IKE configuration task list 328 Configuring an IKE profile 329 Configuring an IKE proposal 331 Configuring an IKE keychain 332 Configuring the global identity information 333 Configuring the IKE keepalive feature 333 Configuring the IKE NAT keepalive feature 334 Configuring IKE DPD 334 Enabling invalid SPI recovery 335 Setting the m...

Page 10: ...tablishing a connection to an Stelnet server 368 Establishing a connection to an Stelnet server based on Suite B 370 Configuring the device as an SFTP client 371 SFTP client configuration task list 371 Generating local key pairs 371 Specifying the source IP address for SFTP packets 372 Establishing a connection to an SFTP server 372 Establishing a connection to an SFTP server based on Suite B 374 ...

Page 11: ...ation task list 428 Configuring an attack defense policy 429 Creating an attack defense policy 429 Configuring a single packet attack defense policy 429 Configuring a scanning attack defense policy 430 Configuring a flood attack defense policy 431 Configuring attack detection exemption 435 Applying an attack defense policy to the device 435 Enabling log non aggregation for single packet attack eve...

Page 12: ...3 Configuring ARP attack detection 464 Configuring user validity check 465 Configuring ARP packet validity check 466 Configuring ARP restricted forwarding 466 Enabling ARP attack detection logging 467 Displaying and maintaining ARP attack detection 467 User validity check configuration example 467 User validity check and ARP packet validity check configuration example 469 ARP restricted forwarding...

Page 13: ... Configuring FIPS mode 493 Entering FIPS mode 493 Configuration changes in FIPS mode 494 Exiting FIPS mode 495 FIPS self tests 495 Power up self tests 496 Conditional self tests 496 Triggering self tests 497 Displaying and maintaining FIPS 497 FIPS configuration examples 497 Entering FIPS mode through automatic reboot 497 Entering FIPS mode through manual reboot 498 Exiting FIPS mode through autom...

Page 14: ...gure 1 AAA network diagram To access networks or resources beyond the NAS a user sends its identity information to the NAS The NAS transparently passes the user information to AAA servers and waits for the authentication authorization and accounting result Based on the result the NAS determines whether to permit or deny the access request AAA has various implementations including RADIUS HWTACACS a...

Page 15: ...ients 2 Performs user authentication authorization or accounting 3 Returns user access control information for example rejecting or accepting the user access request to the clients The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy services The RADIUS server maintains the following databases Users Stores user information such as the usernames pass...

Page 16: ...ct packet 4 The RADIUS client permits or denies the user according to the authentication result If the result permits the user the RADIUS client sends a start accounting request Accounting Request packet to the RADIUS server 5 The RADIUS server returns an acknowledgment Accounting Response packet and starts accounting 6 The user accesses the network resources 7 The host requests the RADIUS client ...

Page 17: ...e From the server to the client The server sends a packet of this type to notify the client that it has received the Accounting Request and has successfully recorded the accounting information The Identifier field 1 byte long is used to match response packets with request packets and to detect duplicate request packets The request and response packets of the same exchange process for the same purp...

Page 18: ...ramed MTU 56 59 unassigned 13 Framed Compression 60 CHAP Challenge 14 Login IP Host 61 NAS Port Type 15 Login Service 62 Port Limit 16 Login TCP Port 63 Login LAT Port 17 unassigned 64 Tunnel Type 18 Reply Message 65 Tunnel Medium Type 19 Callback Number 66 Tunnel Client Endpoint 20 Callback ID 67 Tunnel Server Endpoint 21 unassigned 68 Acct Tunnel Connection 22 Framed Route 69 Tunnel Password 23 ...

Page 19: ...nctions As shown in Figure 5 a subattribute encapsulated in attribute 26 consists of the following parts Vendor ID ID of the vendor The most significant byte is 0 The other three bytes contains a code compliant to RFC 1700 Vendor Type Type of the subattribute Vendor Length Length of the subattribute Vendor Data Contents of the subattribute The device supports RADIUS subattributes with a vendor ID ...

Page 20: ...ncrypts only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authentication Authentication and authorization can be deployed on different HWTACACS servers Protocol packets are simple and the authorization process is combined with the authentication process Supports authorization of configuration commands Access to commands de...

Page 21: ...esponse to request the login password 8 Upon receipt of the response the HWTACACS client prompts the user for the login password 9 The user enters the password Host HWTACACS client HWTACACS server 1 The user tries to log in 2 Start authentication packet 3 Authentication response requesting the username 4 Request for username 5 The user enters the username 6 Continue authentication packet with the ...

Page 22: ...not often change The protocol is used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating systems The software stores the user information and user group information for user login authentication and authorization LDAP directory service LDAP uses directories to maintain the organization information personnel information and reso...

Page 23: ...e basic LDAP authentication process 1 A Telnet user initiates a connection request and sends the username and password to the LDAP client 2 After receiving the request the LDAP client establishes a TCP connection with the LDAP server 3 To obtain the right to search the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server 4 The LDAP server proc...

Page 24: ...e 8 Basic LDAP authorization process for a Telnet user The following shows the basic LDAP authorization process 1 A Telnet user initiates a connection request and sends the username and password to the device The device will act as the LDAP client during authorization 2 After receiving the request the device exchanges authentication packets with the authentication server for the user If LDAP authe...

Page 25: ...or a user by username AAA manages users in the same ISP domain based on the users access types The device supports the following user access types LAN LAN users must pass 802 1X or MAC authentication to come online Login Login users include SSH Telnet FTP and terminal users who log in to the device Terminal users can access through a console port Portal Portal users must pass portal authentication...

Page 26: ...uthorization can work only after RADIUS authentication is successful and the authorization information is included in the Access Accept packet HWTACACS authorization is separate from HWTACACS authentication and the authorization information is included in the authorization response after successful authentication You can configure backup methods to be used when the remote server is not available T...

Page 27: ...e For more information about portal authentication see Configuring portal authentication Protocols and standards RFC 2865 Remote Authentication Dial In User Service RADIUS RFC 2866 RADIUS Accounting RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS Extensions RFC 5176 Dynamic Authorization Extensions to Remot...

Page 28: ...d by the server to communicate information for example the reason of the authentication failure 26 Vendor Specific Vendor specific proprietary attribute A packet can contain one or more proprietary attributes each of which can contain one or more subattributes 27 Session Timeout Maximum service duration for the user before termination of the session 28 Idle Timeout Maximum idle time permitted for ...

Page 29: ...ibute 87 NAS Port Id String for describing the port of the NAS that is authenticating the user Proprietary RADIUS subattributes vendor ID 25506 Table 4 lists all RADIUS subattributes with a vendor ID of 25506 Support for these subattributes depends on the device model Table 4 RADIUS subattributes vendor ID 25506 No Subattribute Description 1 Input Peak Rate Peak rate in the direction from the user...

Page 30: ...ter an 802 1X user passes authentication which is a 32 byte string This attribute is stored in the user list on the NAS and verifies the handshake packets from the 802 1X user This attribute only exists in Access Accept and Accounting Request packets 98 Multicast_Receive_Group IP address of the multicast group that the user s host joins as a receiver This subattribute can appear multiple times in ...

Page 31: ... to shut down a port in the format of subscriber command disable host port 215 Accounting Level ITA traffic level in the range of 1 to 8 216 Ita Policy ITA policy name 230 Nas Port Interface through which the user is connected to the NAS 246 Auth_Detail_Result Accounting details The server sends Access Accept packets with subattribute 250 and this subattribute in the following situations 1 The sub...

Page 32: ...ticated Remote authentication Configure the required RADIUS HWTACACS and LDAP schemes 2 Configure AAA methods for the users ISP domains Remote AAA methods need to use the configured RADIUS HWTACACS and LDAP schemes Figure 11 AAA configuration procedure To configure AAA perform the following tasks Tasks at a glance Required Perform a minimum one of the following tasks to configure local users or AA...

Page 33: ...user database on the device A local user is uniquely identified by the combination of a username and a user type Local users are classified into the following types Device management user User who logs in to the device for device management Network access user User who accesses network resources through the device The following shows the configurable local user attributes Description Descriptive i...

Page 34: ...e a password control attribute in system view user group view or local user view A password control attribute with a smaller effective range has a higher priority For more information about password management and global password configuration see Configuring password control Validity period Time period in which a network access user is considered valid for authentication Local user configuration ...

Page 35: ...ed state state active block By default a local user is in active state and can request network services 7 Optional Set the upper limit of concurrent logins using the local user name access limit max user number By default the number of concurrent logins is not limited for the local user This command takes effect only when local accounting is configured for the local user It does not apply to FTP S...

Page 36: ...configure validity periods only for network access users Configuring user group attributes User groups simplify local user configuration and management A user group contains a group of local users and has a set of local user attributes You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group Local user attributes ...

Page 37: ... at fixed time periods of 10 minutes and automatically delete expired local users To configure the auto delete feature of local users Step Command Remarks 1 Enter system view system view N A 2 Enable the local user auto delete feature local user auto delete enable By default the feature is disabled Displaying and maintaining local users and local user groups Execute display commands in any view Ta...

Page 38: ...nal Enabling SNMP notifications for RADIUS Configuring a test profile for RADIUS server status detection Use a test profile to detect whether a RADIUS authentication server is reachable at a detection interval To detect the RADIUS server status you must configure the RADIUS server to use this test profile in a RADIUS scheme With the test profile specified the device sends a detection packet to the...

Page 39: ...quired specify only the primary server A RADIUS authentication server can function as the primary authentication server for one scheme and a secondary authentication server for another scheme at the same time When RADIUS server load sharing is enabled the device distributes the workload over all servers without considering the primary and secondary server roles The device checks the weight value a...

Page 40: ...r connection teardown commands from an administrator However the device might fail to receive a response for a stop accounting request in a single transmission Enable the device to buffer RADIUS stop accounting requests that have not received responses from the accounting server The device will resend the requests until responses are received To limit the transmission times set a maximum number of...

Page 41: ...N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Specify a shared key for secure RADIUS communication key accounting authentication cipher simple string By default no shared key is specified for secure RADIUS communication The shared key configured on the device must be the same as the shared key configured on the RADIUS server Specifying an MPLS L3VPN instance for the scheme ...

Page 42: ...ission mechanism to improve reliability A RADIUS request is retransmitted if the NAS does not receive a server response for the request within the response timeout timer For more information about the RADIUS server response timeout timer see Setting RADIUS timers You can set the maximum number for the NAS to retransmit a RADIUS request to the same server When the maximum number is reached the NAS ...

Page 43: ...s disabled for the server regardless of whether a test profile has been specified for the server When the RADIUS server is set to active state server detection is enabled for the server on which an existing test profile is specified By default the device sets the status of all RADIUS servers to active However in some situations you must change the status of a server For example if a server fails y...

Page 44: ...ing once the device sends a start accounting request to a server for a user it forwards all subsequent accounting requests of the user to the same server If the accounting server is unreachable the device returns an accounting failure message rather than searching for another active accounting server To enable the RADIUS server load sharing feature Step Command Remarks 1 Enter system view system v...

Page 45: ...y IP address of the outbound interface is used Setting RADIUS timers The device uses the following types of timers to control communication with a RADIUS server Server response timeout timer response timeout Defines the RADIUS request retransmission interval The timer starts immediately after a RADIUS request is sent If the device does not receive a response from the RADIUS server before the timer...

Page 46: ...device automatically sends an accounting on packet to the RADIUS server after the entire device reboots Upon receiving the accounting on packet the RADIUS server logs out all online users so they can log in again through the device Without this feature users cannot log in again after the reboot because the RADIUS server considers them to come online You can configure the interval for which the dev...

Page 47: ...ue 0 for SSH FTP and terminal services An Access Accept packet received for a user must contain the matching attribute value Otherwise the user cannot log in to the device Use the loose check method only when the server does not issue Login Service attribute values 50 51 and 52 for SSH FTP and terminal users To configure the Login Service attribute check method for SSH FTP and terminal users Step ...

Page 48: ...MP agent supports the following notifications generated by RADIUS RADIUS server unreachable notification The RADIUS server cannot be reached RADIUS generates this notification if it does not receive a response to an accounting or authentication request within the specified number of RADIUS request transmission attempts RADIUS server reachable notification The RADIUS server can be reached RADIUS ge...

Page 49: ... HWTACACS accounting servers Required Specifying the shared keys for secure HWTACACS communication Optional Specifying an MPLS L3VPN instance for the scheme Optional Setting the username format and traffic statistics units Optional Specifying the source IP address for outgoing HWTACACS packets Optional Setting HWTACACS timers Creating an HWTACACS scheme Create an HWTACACS scheme before performing ...

Page 50: ...ecify one primary authorization server and a maximum of 16 secondary authorization servers for an HWTACACS scheme When the primary server is not available the device searches for the secondary servers in the order they are configured The first secondary server in active state is used for communication If redundancy is not required specify only the primary server An HWTACACS server can function as ...

Page 51: ...ber of attempts that can be made for transmitting individual HWTACACS stop accounting requests When the maximum attempts are made for a request the device discards the buffered request HWTACACS does not support accounting for FTP SFTP and SCP users To specify HWTACACS accounting servers for an HWTACACS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter HWTACACS scheme view hwt...

Page 52: ... instance specified for an HWTACACS scheme applies to all servers in that scheme If a VPN instance is also configured for an individual HWTACACS server the VPN instance specified for the HWTACACS scheme does not take effect on that server To specify a VPN instance for an HWTACACS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter HWTACACS scheme view hwtacacs scheme hwtacacs s...

Page 53: ...ACS packets is typically the IP address of an egress interface on the NAS However in some situations you must change the source IP address For example when VRRP is configured for stateful failover configure the virtual IP of the uplink VRRP group as the source address You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view or in system view The IP address specif...

Page 54: ...of HWTACACS servers If the scheme includes one primary HWTACACS server and multiple secondary HWTACACS servers the device communicates with the HWTACACS servers based on the following rules When the primary server is in active state the device communicates with the primary server If the primary server fails the device performs the following operations Changes the server status to blocked Starts a ...

Page 55: ...utes Displaying and maintaining HWTACACS Execute display commands in any view and reset commands in user view Task Command Display the configuration or server statistics of HWTACACS schemes display hwtacacs scheme hwtacacs scheme name statistics Display information about buffered HWTACACS stop accounting requests to which no responses have been received display stop accounting buffer hwtacacs sche...

Page 56: ... address or an IPv6 address for an LDAP server The most recent configuration takes effect Specifying the LDAP version Specify the LDAP version on the NAS The device supports LDAPv2 and LDAPv3 The LDAP version specified on the device must be consistent with the version specified on the LDAP server To specify the LDAP version Step Command Remarks 1 Enter system view system view N A 2 Enter LDAP serv...

Page 57: ...user attributes To authenticate a user an LDAP client must complete the following operations 1 Establish a connection to the LDAP server 2 Obtain the user DN from the LDAP server 3 Use the user DN and the user s password to bind with the LDAP server LDAP provides a DN search mechanism for obtaining the user DN According to the mechanism an LDAP client sends search requests to the server based on t...

Page 58: ...ttributes obtained from an LDAP authorization server to device recognizable AAA attributes based on the mapping entries Because the device ignores unrecognized LDAP attributes configure the mapping entries to include important LDAP attributes that should not be ignored An LDAP attribute can be mapped only to one AAA attribute Different LDAP attributes can be mapped to the same AAA attribute To con...

Page 59: ...map in an LDAP scheme To specify an LDAP attribute map for LDAP authorization Step Command Remarks 1 Enter system view system view N A 2 Enter LDAP scheme view ldap scheme ldap scheme name N A 3 Specify an LDAP attribute map attribute map map name By default no LDAP attribute map is specified Displaying and maintaining LDAP Execute display commands in any view Task Command Display the configuratio...

Page 60: ... order 1 The authentication domain specified for the access module 2 The ISP domain in the username 3 The default ISP domain of the device If the chosen domain does not exist on the device the device searches for the ISP domain that accommodates users who are assigned to nonexistent domains If no such ISP domain is configured user authentication fails NOTE Support for the authentication domain con...

Page 61: ... domain whose total traffic in the idle timeout period at the specified direction is less than the specified minimum traffic IPv4 address pool The device assigns IPv4 addresses from the pool to authenticated users in the domain Default authorization user profile When a user passes authentication it typically obtains an authorization user profile from the local or remote server If the user does not...

Page 62: ...period or portal user online detection period Configuring authentication methods for an ISP domain Configuration prerequisites Before configuring authentication methods complete the following tasks 1 Determine the access type or service type to be configured With AAA you can configure an authentication method for each access type and service type 2 Determine whether to configure the default authen...

Page 63: ... ldap scheme ldap scheme name local none local none none radius scheme radius scheme name local none By default the default authentication method is used for portal users The none keyword is not supported in FIPS mode 7 Specify the authentication method for obtaining a temporary user role authentication super hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name By default the defa...

Page 64: ...r login users authorization login hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name local none local none none radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name local none By default the default authorization method is used for login users The none keyword is not supported in FIPS mode 7 Specify the authorization method for portal users authorization portal ...

Page 65: ...ecify the accounting method for login users accounting login hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name local none local none none radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name local none By default the default accounting method is used for login users The none keyword is not supported in FIPS mode 7 Specify the accounting method for portal users ...

Page 66: ...n control client configuration takes effect only when the session control feature is enabled To configure the RADIUS session control feature Step Command Remarks 1 Enter system view system view N A 2 Enable the RADIUS session control feature radius session control enable By default the RADIUS session control feature is disabled 3 Specify a RADIUS session control client radius session control clien...

Page 67: ...oS field determines the transmission priority of RADIUS packets A larger value represents a higher priority To change the DSCP priority for RADIUS packets Step Command Remarks 1 Enter system view system view N A 2 Change the DSCP priority for RADIUS packets radius ipv6 dscp dscp value By default the DSCP priority is 0 for RADIUS packets Configuring the RADIUS attribute translation feature The RADI...

Page 68: ...d sent By default no RADIUS attribute conversion rules exist Repeat this command to add multiple RADIUS attribute conversion rules 6 Configure a RADIUS attribute rejection rule attribute reject attr name access accept access request accounting received sent By default no RADIUS attribute rejection rules exist Repeat this command to add multiple RADIUS attribute rejection rules To configure the RAD...

Page 69: ...ts device name in the NAS Identifier attribute of all RADIUS requests A NAS ID profile enables you to send different NAS Identifier attribute strings in RADIUS requests from different VLANs The strings can be organization names service names or any user categorization criteria depending on the administrative requirements For example map the NAS ID companyA to all VLANs of company A The device will...

Page 70: ... configuration of ISP domains display domain isp name AAA configuration examples AAA for SSH users by an HWTACACS server Network requirements As shown in Figure 12 configure the switch to meet the following requirements Use the HWTACACS server for SSH user authentication authorization and accounting Assign the default user role network operator to SSH users after they pass authentication Exclude d...

Page 71: ...ain Switch hwtacacs hwtac quit Create an ISP domain named bbb and configure the domain to use the HWTACACS scheme for authentication authorization and accounting of login users Switch isp bbb authentication login hwtacacs scheme hwtac Switch isp bbb authorization login hwtacacs scheme hwtac Switch isp bbb accounting login hwtacacs scheme hwtac Switch isp bbb quit Create local RSA and DSA key pairs...

Page 72: ...and RADIUS server Figure 13 Network diagram Configuration procedure 1 Configure the HWTACACS server Details not shown 2 Configure the RADIUS server Details not shown 3 Configure the switch Configure IP addresses for interfaces Details not shown Create local RSA and DSA key pairs Switch system view Switch public key local create rsa Switch public key local create dsa Enable the SSH service Switch s...

Page 73: ... Switch isp bbb quit Enable the default user role feature to assign authenticated SSH users the default user role network operator Switch role default role enable Verifying the configuration Initiate an SSH connection to the switch and enter the username hello bbb and the correct password The user logs in to the switch Details not shown Verify that the user can use the commands permitted by the ne...

Page 74: ... b Set the ports for authentication and accounting to 1812 and 1813 respectively c Select the service type Device Management Service d Select the access device type HP e Select the access device from the device list or manually add the access device with the IP address 10 1 1 2 f Leave the default settings for other parameters and click OK The IP address of the access device specified here must be...

Page 75: ...User from the navigation tree Then click Add to configure a device management account as follows a Enter the account name hello bbb and specify the password b Select the service type SSH c Specify 10 1 1 0 to 10 1 1 255 as the IP address range of the hosts to be managed d Click OK NOTE The IP address range must contain the IP address of the switch ...

Page 76: ...3 authentication mode scheme Switch line vty0 63 quit Enable the default user role feature to assign authenticated SSH users the default user role network operator Switch role default role enable Create a RADIUS scheme Switch radius scheme rad Specify the primary authentication server Switch radius rad primary authentication 10 1 1 1 1812 Set the shared key to expert in plaintext form for secure c...

Page 77: ...7 an LDAP server is located at 10 1 1 1 24 and uses the domain name ldap com Configure the switch to meet the following requirements Use the LDAP server to authenticate SSH users Assign the default user role network operator to SSH users after they pass authentication On the LDAP server set the administrator password to admin 123456 add a user named aaa and set the user s password to ldap 123456 F...

Page 78: ...xt Figure 18 Adding user aaa f In the dialog box enter the password ldap 123456 select options as needed and click Next Figure 19 Setting the user s password a Click OK Add user aaa to group Users a From the navigation tree click Users under the ldap com node b In the right pane right click the user aaa and select Properties ...

Page 79: ...he Enter the object names to select field and click OK User aaa is added to group Users Figure 21 Adding user aaa to group Users Set the administrator password to admin 123456 a In the right pane right click the user Administrator and select Set Password b In the dialog box enter the administrator password Details not shown 2 Configure the switch ...

Page 80: ...rs dc ldap dc com Specify the administrator password Switch ldap server ldap1 login password simple admin 123456 Configure the base DN for user search Switch ldap server ldap1 search base dn dc ldap dc com Switch ldap server ldap1 quit Create an LDAP scheme Switch ldap scheme ldap shm1 Specify the LDAP authentication server Switch ldap ldap shm1 authentication server ldap1 Switch ldap ldap shm1 qu...

Page 81: ...S The user is configured on the RADIUS server The correct password is entered The same shared key is configured on both the RADIUS server and the NAS 2 If the problem persists contact Hewlett Packard Enterprise Support RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server Analysis Possible reasons include A communication failure exists between the NAS and the RADIUS ...

Page 82: ...roblem 1 Verify the following items The accounting port number is correctly configured The accounting server IP address is correctly configured on the NAS 2 If the problem persists contact Hewlett Packard Enterprise Support Troubleshooting HWTACACS Similar to RADIUS troubleshooting See Troubleshooting RADIUS Troubleshooting LDAP LDAP authentication failure Symptom User authentication fails Analysi...

Page 83: ...or the user authentication is correctly configured on the NAS The user is configured on the LDAP server The correct password is entered The administrator DN and the administrator password are correctly configured The user attributes for example the username attribute configured on the NAS are consistent with those configured on the LDAP server The user search base DN for authentication is specifie...

Page 84: ...n the server returns the authentication results to the access device to make access decisions The authentication server is typically a RADIUS server In a small LAN you can use the access device as the authentication server Figure 22 802 1X architecture Controlled uncontrolled port and port authorization status 802 1X defines two logical ports for the network access port controlled port and uncontr...

Page 85: ... over a LAN Between the access device and the authentication server 802 1X delivers authentication information by using one of the following methods Encapsulates EAP packets in RADIUS by using EAP over RADIUS EAPOR as described in EAP relay Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets as described in EAP termination Packet for...

Page 86: ...tart The client sends an EAPOL Start message to initiate 802 1X authentication to the access device 0x02 EAPOL Logoff The client sends an EAPOL Logoff message to tell the access device that the client is logging off Length Data length in bytes or length of the Packet body If packet type is EAPOL Start or EAPOL Logoff this field is set to 0 and no Packet body field follows Packet body Content of th...

Page 87: ...t and the authentication server does not support the multicast address you must use an 802 1X client that can send broadcast EAPOL Start packets For example you can use the HPE iNode 802 1X client Access device as the initiator The access device initiates authentication if a client cannot send EAPOL Start packets One example is the 802 1X client available with Windows XP The access device supports...

Page 88: ... performs the following operations in EAP termination mode a Terminates the EAP packets received from the client b Encapsulates the client authentication information in standard RADIUS packets c Uses PAP or CHAP to authenticate to the RADIUS server Figure 29 EAP termination Comparing EAP relay and EAP termination Packet exchange method Benefits Limitations EAP relay Supports various EAP authentica...

Page 89: ... the username in an EAP Response Identity packet to the access device 4 The access device relays the EAP Response Identity packet in a RADIUS Access Request packet to the authentication server 5 The authentication server uses the identity information in the RADIUS Access Request to search its user database If a matching entry is found the server uses a randomly generated EAPOL EAPOR 1 EAPOL Start ...

Page 90: ... an EAP Success packet to the client b Sets the controlled port in authorized state The client can access the network 11 After the client comes online the access device periodically sends handshake requests to check whether the client is still online By default if two consecutive handshake attempts fail the device logs off the client 12 Upon receiving a handshake request the client returns a respo...

Page 91: ...EAP termination mode the access device rather than the authentication server generates an MD5 challenge for password encryption The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server ...

Page 92: ... an 802 1X user to authorized network resources Supported VLAN types and forms Which VLAN types and forms are supported depends on the authorization type Local VLAN authorization The authorization VLAN of an 802 1X user is specified in user view or user group view in the form of VLAN ID on the device The port through which the user accesses the device is assigned to the VLAN as an untagged member ...

Page 93: ...does not have other online users the device selects the VLAN with the lowest ID from the group of VLANs If the port has other online users the device selects the VLAN by using the following process a The device selects the VLAN that has the fewest number of online users b If two VLANs have the same number of online 802 1X users the device selects the VLAN with the lower ID The device follows the r...

Page 94: ... its own authorization VLAN IMPORTANT An 802 1X enabled access port can be assigned to an authorization VLAN only as an untagged member As a best practice always assign a hybrid port to a VLAN as an untagged member After the assignment do not reconfigure the port as a tagged member in the VLAN On a port with periodic online user reauthentication enabled the MAC based VLAN feature does not take eff...

Page 95: ...cation The device creates a mapping between the MAC address of the user and the 802 1X guest VLAN The user can access only resources in the guest VLAN A user in the 802 1X guest VLAN fails 802 1X authentication If an 802 1X Auth Fail VLAN is available the device remaps the MAC address of the user to the Auth Fail VLAN The user can access only resources in the Auth Fail VLAN If no 802 1X Auth Fail ...

Page 96: ...e device maps the MAC address of the user to the 802 1X Auth Fail VLAN The user can access only resources in the Auth Fail VLAN A user in the 802 1X Auth Fail VLAN fails 802 1X authentication because of any other reason except for unreachable servers The user is still in the Auth Fail VLAN A user in the 802 1X Auth Fail VLAN passes 802 1X authentication The device remaps the MAC address of the use...

Page 97: ... the authentication server either the local access device or a RADIUS server does not authorize a VLAN the initial PVID of the port applies The user and all subsequent 802 1X users are assigned to this port VLAN After the user logs off the PVID remains unchanged A user in the 802 1X guest VLAN fails authentication because all the RADIUS servers are unreachable The device assigns the 802 1X critica...

Page 98: ...device performs the following operations If MAC based access control is used the device removes 802 1X users from the critical VLAN The port sends a unicast EAP Request Identity to these users to trigger authentication If port based access control is used the device removes the port from the critical VLAN The port sends a multicast EAP Request Identity to all 802 1X users on the port to trigger au...

Page 99: ...he following methods Modify the user profile configuration on the access device Specify another user profile for the user on the authentication server For more information about user profiles see Configuring user profiles EAD assistant Endpoint Admission Defense EAD is an integrated endpoint access control solution of Hewlett Packard Enterprise to improve the threat defensive capability of a netwo...

Page 100: ...h the EAD assistant feature Configuration prerequisites Before you configure 802 1X complete the following tasks Configure an ISP domain and AAA scheme local or RADIUS authentication for 802 1X users If RADIUS authentication is used create user accounts on the RADIUS server If local authentication is used create local user accounts on the access device and set the service type to lan access 802 1X...

Page 101: ... a port dot1x By default 802 1X is disabled on a port Enabling EAP relay or EAP termination When configuring EAP relay or EAP termination consider the following factors Support of the RADIUS server for EAP packets Authentication methods supported by the 802 1X client and the RADIUS server You can use both EAP termination and EAP relay in any of the following situations The client is using only MD5...

Page 102: ...orce Places the port in the authorized state enabling users on the port to access the network without authentication unauthorized force Places the port in the unauthorized state denying any access requests from users on the port auto Places the port initially in unauthorized state to allow only EAPOL packets to pass After a user passes authentication sets the port in the authorized state to allow ...

Page 103: ...eives no response To set the maximum number of authentication request attempts Step Command Remarks 1 Enter system view system view N A 2 Set the maximum number of attempts for sending an authentication request dot1x retry retries The default setting is 2 Setting the 802 1X authentication timeout timers The network device uses the following 802 1X authentication timeout timers Client timeout timer...

Page 104: ...tion in the handshake packets from clients This feature can prevent 802 1X users that use illegal client software from bypassing iNode security check such as dual network interface cards NICs detection If a user fails the handshake security checking the device sets the user to the offline state Configuration guidelines When you configure online user handshake follow these restrictions and guidelin...

Page 105: ...e clients attached to the port cannot send EAPOL Start packets to initiate 802 1X authentication Enable the unicast trigger on a port if only a few 802 1X clients are attached to the port and these clients cannot initiate authentication To avoid duplicate authentication packets do not enable both triggers on a port Configuration procedure To configure the authentication trigger feature on a port S...

Page 106: ...quick authentication response set the quiet timer to a low value To set the quiet timer Step Command Remarks 1 Enter system view system view N A 2 Enable the quiet timer dot1x quiet period By default the timer is disabled 3 Optional Set the quiet timer dot1x timer quiet period quiet period value The default is 60 seconds Configuring 802 1X reauthentication Overview 802 1X reauthentication tracks t...

Page 107: ...by using the dot1x timer reauth period command A change to the periodic reauthentication timer applies to online users only after the old timer expires The device selects a periodic reauthentication timer for 802 1X reauthentication in the following order a Server assigned reauthentication timer b Port specific reauthentication timer c Global reauthentication timer d Default reauthentication timer...

Page 108: ...network you can use the keep online feature to prevent 802 1X users from coming online and going offline frequently Configuring an 802 1X guest VLAN Configuration guidelines When you configure an 802 1X guest VLAN follow these guidelines You can configure only one 802 1X guest VLAN on a port The 802 1X guest VLANs on different ports can be different Assign different IDs to the voice VLAN the port ...

Page 109: ... view N A 2 Enter Ethernet interface view interface interface type interface number N A 3 Configure the 802 1X guest VLAN on the port dot1x guest vlan guest vlan id By default no 802 1X guest VLAN exists Enabling 802 1X guest VLAN assignment delay This feature delays assigning an 802 1X enabled port to the 802 1X guest VLAN when 802 1X authentication is triggered on the port This feature applies o...

Page 110: ...ionship description Reference Super VLAN You cannot specify a VLAN as both a super VLAN and an 802 1X Auth Fail VLAN See Layer 2 LAN Switching Configuration Guide MAC authentication guest VLAN on a port that performs MAC based access control The 802 1X Auth Fail VLAN has a high priority See Configuring MAC authentication Port intrusion protection actions on a port that performs MAC based access co...

Page 111: ...mes online and it can respond to the EAP Request Identity packet from the device for reauthentication Configuration guidelines When you configure an 802 1X critical VLAN follow these restrictions and guidelines Assign different IDs to the voice VLAN the PVID and the 802 1X critical VLAN on a port The assignment makes sure the port can correctly process VLAN tagged incoming traffic You can configur...

Page 112: ...obally and on the port The device uses LLDP to identify voice users For information about LLDP see Layer 2 LAN Switching Configuration Guide Enable voice VLAN on the port For information about voice VLANs see Layer 2 LAN Switching Configuration Guide Configuration procedure To enable the 802 1X critical voice VLAN feature on a port Step Command Remarks 1 Enter system view system view N A 2 Enter E...

Page 113: ...to the access device The device uses information such as user MAC addresses and IP addresses obtained through 802 1X to generate IPSG bindings to filter out IPv4 packets from unauthenticated 802 1X users For information about IP source guard see Configuring IP source guard This feature prevents any authenticated 802 1X users on a port from changing their IP addresses After you enable this feature ...

Page 114: ...n a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Set the maximum number of 802 1X authentication attempts for MAC authenticated users on the port dot1x after mac auth max attempt max attempts By default the number of 802 1X authentication attempts for MAC authenticated users is not limited on a...

Page 115: ... number user mac mac address user name name string Clear 802 1X statistics reset dot1x statistics interface interface type interface number Remove users from the 802 1X guest VLAN on a port reset dot1x guest vlan interface interface type interface number mac address mac address 802 1X authentication configuration examples Basic 802 1X authentication configuration example Network requirements As sh...

Page 116: ...ss Set the service type to lan access Device luser network localuser service type lan access Device luser network localuser quit 5 Configure a RADIUS scheme Create a RADIUS scheme named radius1 and enter RADIUS scheme view Device radius scheme radius1 Specify the IP addresses of the primary authentication and accounting RADIUS servers Device radius radius1 primary authentication 10 1 1 1 Device ra...

Page 117: ...hod macbased Specify ISP domain bbb as the mandatory domain Device Ten GigabitEthernet1 0 1 dot1x mandatory domain bbb Device Ten GigabitEthernet1 0 1 quit Enable 802 1X globally Device dot1x Verifying the configuration Verify the 802 1X configuration on Ten GigabitEthernet 1 0 1 Device display dot1x interface ten gigabitethernet 1 0 1 Display the user connection information after an 802 1X user p...

Page 118: ...3 Create VLANs and assign ports to the VLANs on the access device Device system view Device vlan 1 Device vlan1 port ten gigabitethernet 1 0 2 Device vlan1 quit Device vlan 10 Device vlan10 port ten gigabitethernet 1 0 1 Device vlan10 quit Device vlan 2 Device vlan2 port ten gigabitethernet 1 0 4 Device vlan2 quit Device vlan 5 Device vlan5 port ten gigabitethernet 1 0 3 Device vlan5 quit 4 Config...

Page 119: ...cheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device isp bbb quit 6 Configure 802 1X on the access device Enable 802 1X on Ten GigabitEthernet 1 0 2 Device interface ten gigabitethernet 1 0 2 Device Ten GigabitEthernet1 0 2 dot1x Implement port based access control on the port Device Ten GigabitEthernet1 0 2 dot1x port method portbased Set the port authorization mode to auto B...

Page 120: ...is example for the users Details not shown 3 Assign an IP address to each interface as shown in Figure 34 Details not shown 4 Configure a RADIUS scheme Create RADIUS scheme 2000 and enter RADIUS scheme view Device system view Device radius scheme 2000 Specify the server at 10 1 1 1 as the primary authentication server and set the authentication port to 1812 Device radius 2000 primary authenticatio...

Page 121: ...ice acl ipv4 adv 3000 rule 0 deny ip destination 10 0 0 1 0 time range ftp Device acl ipv4 adv 3000 quit 8 Configure 802 1X Enable 802 1X on Ten GigabitEthernet 1 0 1 Device interface ten gigabitethernet 1 0 1 Device Ten GigabitEthernet1 0 1 dot1x Device Ten GigabitEthernet1 0 1 quit Enable 802 1X globally Device dot1x Verifying the configuration Use the user account to pass authentication Details...

Page 122: ...eb server for 802 1X client downloading Allow authenticated 802 1X users to access the network Figure 35 Network diagram Configuration procedure 1 Make sure the DHCP server the Web server and the authentication servers have been configured correctly Details not shown 2 Configure an IP address for each interface Details not shown 3 Configure DHCP relay Enable DHCP Device system view Device dhcp ena...

Page 123: ... domain bbb Apply RADIUS scheme 2000 to the ISP domain for authentication authorization and accounting Device isp bbb authentication lan access radius scheme 2000 Device isp bbb authorization lan access radius scheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device isp bbb quit 6 Configure 802 1X Configure the free IP Device dot1x ead assistant free ip 192 168 2 0 24 Configure t...

Page 124: ... 36 The intranet 192 168 1 0 24 is attached to Ten GigabitEthernet 1 0 1 of the access device The hosts use DHCP to obtain IP addresses A Web server is deployed on the 192 168 2 0 24 subnet for users to download client software Deploy an EAD solution for the intranet to meet the following requirements Allow unauthenticated users and users that have failed 802 1X authentication to access 192 168 2 ...

Page 125: ...rimary accounting server and set the accounting port to 1813 Device radius 2000 primary accounting 10 1 1 2 1813 Set the shared key to abc in plain text for secure communication between the authentication server and the device Device radius 2000 key authentication simple abc Set the shared key to abc in plain text for secure communication between the accounting server and the device Device radius ...

Page 126: ...i seconds Minimum 0ms Maximum 0ms Average 0ms The output shows that you can access the free IP subnet before passing 802 1X authentication Verify that you are redirected to the Web server when you enter in your Web browser an IP address not on the free IP Details not shown Troubleshooting 802 1X EAD assistant URL redirection failure Symptom Unauthenticated users are not redirected to the specified...

Page 127: ...s not provide Web services Solution To resolve the problem 1 Enter a dotted decimal IP address that is not in any free IP segments 2 Verify that the access device and the server are configured correctly 3 If the problem persists contact Hewlett Packard Enterprise Support ...

Page 128: ...sed user account for each user The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users You specify one username and password which are not necessarily a MAC address for all MAC authentication users on the access device This policy is suitable f...

Page 129: ...thenticated user s authorization VLAN The authorization VLAN becomes the PVID All MAC authentication users on the port must be assigned the same authorization VLAN If a different authorization VLAN is assigned to a subsequent user the user cannot pass MAC authentication If the port is assigned to the authorization VLAN as a tagged member the PVID of the port does not change The device maps the MAC...

Page 130: ... 12 VLAN manipulation Authentication status VLAN manipulation A user fails MAC authentication because all the RADIUS servers are unreachable The device maps the MAC address of the user to the MAC authentication critical VLAN The user is still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable If no MAC authentication critic...

Page 131: ... the authentication server the device remaps the MAC address of the voice user to the PVID of the access port ACL assignment You can specify an authorization ACL in the user account for a MAC authentication user to control the user s access to network resources After the user passes MAC authentication the authentication server local or remote assigns the authorization ACL to the access port of the...

Page 132: ...nts on the RADIUS server If you are using MAC based accounts make sure the username and password for each account are the same as the MAC address of each MAC authentication user 2 Make sure the port security feature is disabled For more information about port security see Configuring port security Configuration task list Tasks at a glance Required Enabling MAC authentication Optional Specifying a ...

Page 133: ...rs Specify a global authentication domain in system view This domain setting applies to all ports enabled with MAC authentication Specify an authentication domain for an individual port in interface view MAC authentication chooses an authentication domain for users on a port in this order the port specific domain the global domain and the default domain For more information about authentication do...

Page 134: ... wait before the device can perform MAC authentication for a user that has failed MAC authentication All packets from the MAC address are dropped during the quiet time This quiet mechanism prevents repeated authentication from affecting system performance Server timeout timer Sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server una...

Page 135: ...marks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable MAC authentication multi VLAN mode mac authentication host mode multi vlan By default this feature is disabled on a port When the port receives a packet sourced from an authenticated user in a VLAN not matching the existing MAC VLAN mapping the device logs off and reauthenticates...

Page 136: ... a port follow these restrictions and guidelines Make sure the port meets the following requirements The port is configured with both 802 1X authentication and MAC authentication and performs MAC based access control for 802 1X authentication The port is enabled with the 802 1X unicast trigger For the port to perform MAC authentication before it is assigned to the 802 1X guest VLAN enable new MAC ...

Page 137: ...n guest VLAN feature has higher priority When a user fails MAC authentication the user can access the resources in the guest VLAN The user s MAC address is not marked as a silent MAC address See Configuring MAC authentication timers Super VLAN You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN See Layer 2 LAN Switching Configuration Guide Port intrusion protection T...

Page 138: ...LAN The user s MAC address is not marked as a silent MAC address See Configuring MAC authentication timers Super VLAN You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN See Layer 2 LAN Switching Configuration Guide Port intrusion protection The critical VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of ...

Page 139: ...ble for MAC reauthentication Configuration restrictions and guidelines When you configure periodic MAC reauthentication follow these restrictions and guidelines The server assigned RADIUS Session Timeout attribute 27 and Termination Action attribute 29 attributes together can affect the periodic MAC reauthentication feature To display the server assigned Session Timeout and Termination Action attr...

Page 140: ...e By default periodic MAC reauthentication is disabled on a port 5 Optional Set the periodic reauthentication timer on the port mac authentication timer reauth period reauth period value By default no periodic reauthentication timer is set on a port The port uses the global periodic MAC reauthentication timer 6 Optional Enable the keep online feature for authenticated MAC authentication users on t...

Page 141: ... type interface number mac address mac address Remove users from the MAC authentication critical voice VLAN on a port reset mac authentication critical voice vlan interface interface type interface number mac address mac address Remove users from the MAC authentication guest VLAN on a port reset mac authentication guest vlan interface interface type interface number mac address mac address MAC aut...

Page 142: ...e Ten GigabitEthernet1 0 1 mac authentication Device Ten GigabitEthernet1 0 1 quit Specify ISP domain bbb as the MAC authentication domain Device mac authentication domain bbb Configure MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Configure MAC authentication to use MAC based accounts Each MAC address is in the hexadecimal n...

Page 143: ...sers 1 MAC address Auth state 00e0 fc12 3456 Authenticated The output shows that Host A has passed MAC authentication and has come online Host B failed MAC authentication and its MAC address is marked as a silent MAC address RADIUS based MAC authentication configuration example Network requirements As shown in Figure 38 the device uses RADIUS servers to perform authentication authorization and acc...

Page 144: ...it Apply the RADIUS scheme to ISP domain bbb for authentication authorization and accounting Device domain bbb Device isp bbb authentication default radius scheme 2000 Device isp bbb authorization default radius scheme 2000 Device isp bbb accounting default radius scheme 2000 Device isp bbb quit Enable MAC authentication on Ten GigabitEthernet 1 0 1 Device interface ten gigabitethernet 1 0 1 Devic...

Page 145: ...n domain Not configured Auth delay timer Disabled Periodic reauth Disabled Re auth server unreachable Logoff Guest VLAN Not configured Guest VLAN auth period 30 s Critical VLAN Not configured Critical voice VLAN Disabled Host mode Single VLAN Offline detection Enabled Authentication order Default Max online users 4294967295 Authentication attempts successful 1 failed 0 Current online users 1 MAC a...

Page 146: ... accounting 10 1 1 2 1813 Device radius 2000 key authentication simple abc Device radius 2000 key accounting simple abc Device radius 2000 user name format without domain Device radius 2000 quit Apply the RADIUS scheme to an ISP domain for authentication authorization and accounting Device domain bbb Device isp bbb authentication default radius scheme 2000 Device isp bbb authorization default radi...

Page 147: ...detect period 300 s Quiet period 60 s Server timeout 100 s Reauth period 3600 s Authentication domain bbb Online MAC auth users 1 Silent MAC users MAC address VLAN ID From port Port index Ten GigabitEthernet1 0 1 is link up MAC authentication Enabled Carry User IP Disabled Authentication domain Not configured Auth delay timer Disabled Periodic reauth Disabled Re auth server unreachable Logoff Gues...

Page 148: ...est timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss The output shows that ACL 3000 has been assigned to Ten GigabitEthernet 1 0 1 to deny access to the FTP server ...

Page 149: ...ides ISPs with diversified management choices and extended functions For example the ISPs can place advertisements provide community services and publish information on the authentication page Supports multiple authentication modes For example re DHCP authentication implements a flexible address assignment scheme and saves public IP addresses Cross subnet authentication can authenticate users who ...

Page 150: ...racts with the access device to authenticate users Portal Web server The portal Web server pushes the Web authentication page to authentication clients and forwards user authentication information username and password to the portal authentication server The access device also redirects HTTP requests from unauthenticated users to the portal Web server The portal Web server can be integrated with t...

Page 151: ...L Portal page customization To perform local portal authentication you must customize a set of authentication pages that the device will push to users You can customize multiple sets of authentication pages compress each set of the pages to a zip file and upload the compressed files to the storage medium of the device On the device you must specify one of the files as the default authentication pa...

Page 152: ...an that of re DHCP authentication Re DHCP authentication Before a user passes authentication DHCP allocates an IP address a private IP address to the user The user can access only the portal Web server and predefined authentication free websites After the user passes authentication DHCP reallocates an IP address a public IP address to the user The user then can access other network resources No pu...

Page 153: ...n to support EAP authentication NOTE To use portal authentication that supports EAP the portal authentication server and client must be the HPE IMC portal server and the HPE iNode portal client Local portal authentication does not support EAP authentication Portal authentication process Direct authentication and cross subnet authentication share the same authentication process Re DHCP authenticati...

Page 154: ...o the portal authentication server to notify authentication success or failure 7 The portal authentication server sends an authentication success or failure packet to the client 8 If the authentication is successful the portal authentication server sends an authentication reply acknowledgment packet to the access device If the client is an iNode client the authentication process includes step 9 an...

Page 155: ... following categories of portal packet filtering rules First category The rule permits user packets that are destined for the portal Web server and packets that match the portal free rules to pass through Second category For an authenticated user with no ACL authorized the rule allows the user to access any destination network resources For an authenticated user with an ACL authorized the rule all...

Page 156: ...hentication the access device removes the MAC trigger entry for the user NOTE For information about MAC binding server configuration see the user manual of the server Portal configuration task list Tasks at a glance Optional Configuring a portal authentication server Required Configuring a portal Web server Required Enabling portal authentication Required Specifying a portal Web server Optional Co...

Page 157: ...rtal client access device and servers can reach each other To use the remote RADIUS server configure usernames and passwords on the RADIUS server and configure the RADIUS client on the access device For information about RADIUS client configuration see Configuring AAA To implement extended portal functions install and configure IMC EAD Make sure the ACLs configured on the access device correspond ...

Page 158: ...supports multiple portal Web servers Perform this task to configure the following parameters for a portal Web server VPN instance of the portal Web server URL of the portal Web server Parameters carried in the URL when the device redirects the URL to users Portal Web server type which must be the same as the server type the device actually uses The captive pass feature With this feature enabled th...

Page 159: ...ule for URL redirection if match original url url string redirect url url string url param encryption aes des key cipher simple string user agent string redirect url url string By default no URL redirection match rules exist Enabling portal authentication You must first enable portal authentication on an access interface before it can perform portal authentication for connected clients With portal...

Page 160: ...on Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The interface must be a Layer 3 interface 3 Enable portal authentication To enable IPv4 portal authentication portal enable method direct layer3 redhcp To enable IPv6 portal authentication portal ipv6 enable method direct layer3 Enable IPv4 portal authentication IPv6 portal ...

Page 161: ...mask length mask any tcp tcp port number udp udp port number source ip ip address mask length mask any tcp tcp port number udp udp port number interface interface type interface number By default no IPv4 based portal free rule exists 3 Configure an IPv6 based portal free rule portal free rule rule number destination ipv6 ipv6 address prefix length any tcp tcp port number udp udp port number source...

Page 162: ...subnet as any source IP address In re DHCP mode the access device regards the authentication source subnet on an interface as the subnet to which the private IP address of the interface belongs If both authentication source subnets and destination subnets are configured on an interface only the authentication destination subnets take effect You can configure multiple authentication source subnets ...

Page 163: ...cation destination subnet Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure an IPv6 portal authentication destination subnet portal ipv6 free all except destination ipv6 network address prefix length By default no IPv6 portal authentication destination subnet is configured and users accessing any subnets must p...

Page 164: ...f portal users This allows for flexible portal access control The device selects the authentication domain for a portal user in this order 1 ISP domain specified for the interface 2 ISP domain carried in the username 3 System default ISP domain For information about the default ISP domain see Configuring AAA You can specify an IPv4 portal authentication domain an IPv6 portal authentication domain ...

Page 165: ...oes not exist the device might operate incorrectly You must delete a preauthentication domain by using the undo portal ipv6 pre auth domain command and reconfigure it in the following situations You create the ISP domain after specifying it as the preauthentication domain You delete the specified ISP domain and then re create it To specify a preauthentication domain Step Command Remarks 1 Enter sy...

Page 166: ...nnot obtain the IP address and cannot perform portal authentication To specify an IP address pool before portal authentication Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Specify a preauthentication IP address pool for portal users portal ipv6 pre auth ip pool pool name By default no preauthentication IP address po...

Page 167: ...nly By default both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online Enabling outgoing packets filtering on a portal enabled interface When you enable this feature on a portal enabled interface the device permits the interface to send the following packets Packets whose destination IP addresses are IP addresses of authenticated ...

Page 168: ...ection applies to all portal authentication modes To configure online detection of IPv4 portal users Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure online detection of IPv4 portal users portal user detect type arp icmp retry retries interval interval idle time By default this feature is disabled on the inter...

Page 169: ...rface to have network access When the server recovers it resumes portal authentication on the interface For more information see Configuring the portal fail permit feature To configure portal authentication server detection Step Command Remarks 1 Enter system view system view N A 2 Enter portal authentication server view portal server server name N A 3 Configure portal authentication server detect...

Page 170: ...eature This feature is implemented by sending and detecting portal synchronization packets as follows 1 The portal authentication server sends the online user information to the access device in a synchronization packet at the user heartbeat interval The user heartbeat interval is set on the portal authentication server 2 Upon receiving the synchronization packet the access device compares the use...

Page 171: ...iew N A 2 Enter interface view interface interface type interface number N A 3 Enable portal fail permit for a portal authentication server portal ipv6 fail permit server server name By default portal fail permit is disabled for a portal authentication server 4 Enable portal fail permit for a portal Web server portal ipv6 apply web server server name fail permit By default portal fail permit is di...

Page 172: ...ortal authentication server portal bas ipv6 ipv6 address By default The BAS IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet The BAS IPv6 attribute of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the packet s output interface Enabling portal roaming Portal roaming ta...

Page 173: ...server Make sure the configured device ID is different than any other access devices communicating with the same portal authentication server To specify the device ID Step Command Remarks 1 Enter system view system view N A 2 Specify the device ID portal device id device id By default a device is not configured with a device ID Logging out online portal users This feature deletes users that have p...

Page 174: ...ce name in the NAS Identifier attribute of all RADIUS requests A NAS ID profile enables you to send different NAS Identifier attribute strings in RADIUS requests from different VLANs The strings can be organization names service names or any user categorization criteria depending on the administrative requirements For example map the NAS ID companyA to all VLANs of company A The device will send c...

Page 175: ...ication page file as the default authentication page file for local portal authentication Customizing authentication pages Authentication pages are HTML files Local portal authentication requires the following authentication pages Logon page Logon success page Logon failure page Online page System busy page Logoff success page You must customize the authentication pages including the page elements...

Page 176: ...ontain PtUser PtPwd and PtButton attributes A logoff Post request must contain the PtButton attribute 2 Authentication pages logon htm and logonFail htm must contain the logon Post request The following example shows part of the script in page logon htm form action logon cgi method post p User name input type text name PtUser style width 160px height 22px maxlength 64 p Password input type passwor...

Page 177: ...Configure a PKI policy obtain the CA certificate and request a local certificate For more information see Configuring PKI Configure an SSL server policy and specify the PKI domain configured in the PKI policy For more information see Configuring SSL To configure a local portal Web server Step Command Remarks 1 Enter system view system view N A 2 Create a local portal Web server and enter its view ...

Page 178: ...only on portal users who pass authentication after the feature is enabled or disabled To configure ARP or ND entry conversion for portal clients Step Command Remarks 1 Enter system view system view N A 2 Enable ARP or ND entry conversion for portal clients portal refresh arp nd enable By default ARP or ND entry conversion is enabled for portal clients 3 Disable ARP or ND entry conversion for porta...

Page 179: ...number of query attempts is 3 and the query interval is 1 second 8 Optional Specify the type of the MAC binding server server type imc By default the type of a MAC binding server is IMC 9 Optional Specify the version of the portal protocol version version number By default the version of the portal protocol is 1 10 Optional Specify the timeout the device waits for portal authentication to complete...

Page 180: ...rvers display portal mac trigger server all name server name Display portal rules display portal rule all dynamic static interface interface type interface number slot slot number Display portal configuration and portal running state information display portal interface interface type interface number Display portal authentication server information display portal server server name Display portal...

Page 181: ...ng the authentication Figure 45 Network diagram Configuration prerequisites Configure IP addresses for the host switch and servers as shown in Figure 45 and make sure they can reach each other Configure the RADIUS server correctly to provide authentication and accounting functions Configuring the portal authentication server on IMC PLAT 3 20 In this example the portal server runs on IMC PLAT 3 20 ...

Page 182: ...ice group This example uses the default group Ungrouped f Select the action Normal g Click OK Figure 47 Adding an IP address group 3 Add a portal device a Select Access Service Portal Service Management Device from the navigation tree to open the portal device configuration page b Click Add to open the page as shown in Figure 48 c Enter the device name NAS d Enter the IP address of the switch s in...

Page 183: ...dding a portal device 4 Associate the portal device with the IP address group a As shown in Figure 49 click the icon in the Port Group Information Management column of device NAS to open the port group configuration page Figure 49 Device list b Click Add to open the page as shown in Figure 50 Figure 50 Port group configuration c Enter the port group name d Select the configured IP address group ...

Page 184: ...ment Server from the navigation tree to open the portal server configuration page as shown in Figure 51 c Configure the portal server parameters as needed This example uses the default settings d Click OK Figure 51 Portal server configuration 2 Configure the IP address group a Select User Access Manager Portal Service Management IP Group from the navigation tree to open the portal IP address group...

Page 185: ...e as that configured on the switch f Set whether to enable IP address reallocation This example uses direct portal authentication and therefore select No from the Reallocate IP list g Select whether to support sever heartbeat and user heartbeat functions In this example select No for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 53 Adding a portal device 4 Associate th...

Page 186: ...he configurations Configuring the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 112 Switch radius rs1 primary accounting 192 168 0 112...

Page 187: ...erver newpt quit Configure a portal Web server Switch portal web server newpt Switch portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit Enable direct portal authentication on VLAN interface 100 Switch interface vlan interface 100 Switch Vlan interface100 portal enable method direct Reference the portal Web server newpt on VLAN interface 100 Switch Vlan interface...

Page 188: ...tion Layer3 source network IP address Prefix length Destination authenticate subnet IP address Prefix length A user can perform portal authentication by using the HPE iNode client or through a Web browser Before passing the authentication the user can access only the authentication page http 192 168 0 111 8080 portal All Web requests from the user will be redirected to the authentication page Afte...

Page 189: ... configure a public address pool 20 20 20 0 24 and a private address pool 10 0 0 0 24 on the DHCP server Details not shown For re DHCP portal authentication The switch must be configured as a DHCP relay agent The portal enabled interface must be configured with a primary IP address a public IP address and a secondary IP address a private IP address For information about DHCP relay agent configurat...

Page 190: ...cheme rs1 Switch isp dm1 quit Configure domain dm1 as the default ISP domain If a user enters the username without the ISP domain name at login the authentication and accounting methods of the default domain are used for the user Switch domain default enable dm1 3 Configure DHCP relay and authorized ARP Configure DHCP relay Switch dhcp enable Switch dhcp relay client information record Switch inte...

Page 191: ...e Not configured Authorization Strict checking ACL Disabled User profile Disabled IPv4 Portal status Enabled Portal authentication method Redhcp Portal web server newpt Authentication domain Not configured Pre auth domain Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not configured Bas ip 20 20 20 1 User detection Not configured Action for server detection...

Page 192: ...e 100 Total portal users 1 Username abc Portal server newpt State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 20 20 20 2 100 Vlan interface100 Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL N A CAR N A Configuring cross subnet portal authentication Network requirements As shown in Figure 57 Switch A supports portal authentication The host...

Page 193: ...iew SwitchA radius scheme rs1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers SwitchA radius rs1 primary authentication 192 168 0 112 SwitchA radius rs1 primary accounting 192 168 0 112 SwitchA radius rs1 key authentication simple radius SwitchA radius rs1 key accounting simple radius Exclude the ISP domain name from...

Page 194: ...AN interface 4 SwitchA Vlan interface4 portal apply web server newpt Configure the BAS IP as 20 20 20 1 for portal packets sent from VLAN interface 4 to the portal authentication server SwitchA Vlan interface4 portal bas ip 20 20 20 1 SwitchA Vlan interface4 quit On Switch B configure a default route to subnet 192 168 0 0 24 specifying the next hop address as 20 20 20 1 Details not shown Verifying...

Page 195: ... portal authentication by using the HPE iNode client or through a Web browser Before passing the authentication the user can access only the authentication page http 192 168 0 111 8080 portal All Web requests from the user will be redirected to the authentication page After passing the authentication the user can access other network resources After the user passes authentication use the following...

Page 196: ...r correctly to provide authentication and accounting functions Configuration procedure Perform the following tasks on the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1...

Page 197: ...u specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server 4 Configure portal authentication Configure a portal authentication server Switch portal server newpt Switch portal server newpt ip 192 168 0 111 key simple portal Switch portal server newpt port 50100 Switch portal server newpt quit Configure a portal Web server Switch portal web server newpt Sw...

Page 198: ...figured Authentication domain Not configured Pre auth domain Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not configured Bas ipv6 Not configured User detection Not configured Action for server detection Server type Server name Action Layer3 source network IP address Prefix length Destination authenticate subnet IP address Prefix length Before passing port...

Page 199: ... the DHCP server A portal server acts as both a portal authentication server and a portal Web server A RADIUS server acts as the authentication accounting server Configure extended re DHCP portal authentication Before passing portal authentication the host is assigned a private IP address After passing portal identity authentication the host obtains a public IP address and accepts security check I...

Page 200: ...ary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 113 Switch radius rs1 primary accounting 192 168 0 113 Switch radius rs1 key accounting simple radius Switch radius rs1 key authentication simple radius Switch radius rs1 user name format without domain Specify the security policy server Switch radius rs1 security poli...

Page 201: ...tch portal server newpt ip 192 168 0 111 key simple portal Switch portal server newpt port 50100 Switch portal server newpt quit Configure a portal Web server Switch portal web server newpt Switch portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit Enable re DHCP portal authentication on VLAN interface 100 Switch interface vlan interface 100 Switch Vlan interface...

Page 202: ...ed Bas ipv6 Not configured User detection Not configured Action for server detection Server type Server name Action Layer3 source network IP address Prefix length Destination authenticate subnet IP address Prefix length Before passing portal authentication a user that uses the HPE iNode client can access only the authentication page http 192 168 0 111 8080 portal All Web requests from the user wil...

Page 203: ...r passing portal identity authentication the host accepts security check If the host fails the security check it can access only the subnet 192 168 0 0 24 After passing the security check the host can access other network resources Figure 60 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the switch and servers as shown in Figure 60 and make sure the host swit...

Page 204: ... portal radius scheme rs1 SwitchA isp dm1 quit Configure domain dm1 as the default ISP domain If a user enters the username without the ISP domain name at login the authentication and accounting methods of the default domain are used for the user SwitchA domain default enable dm1 3 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL SwitchA acl advanced 3000 SwitchA acl ipv4 a...

Page 205: ...s taken effect SwitchA display portal interface vlan interface 4 Portal information of Vlan interface4 NAS ID profile Not configured Authorization Strict checking ACL Disabled User profile Disabled IPv4 Portal status Enabled Portal authentication method Layer3 Portal web server newpt Authentication domain Not configured Pre auth domain Not configured User dhcp only Disabled Pre auth IP pool Not co...

Page 206: ... 4 Total portal users 1 Username abc Portal server newpt State Online VPN instance N A MAC IP VLAN Interface 0015 e9a6 7cfe 8 8 8 2 4 Vlan interface4 Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL 3001 CAR N A Configuring portal server detection and portal user synchronization Network requirements As shown in Figure 61 the host is directly connected to th...

Page 207: ...l authentication server detection so that the switch can detect the reachability of the portal authentication server by cooperating with the portal server heartbeat function Configure portal user synchronization so that the switch can synchronize portal user information with the portal authentication server by cooperating with the portal user heartbeat function Configuring the portal authenticatio...

Page 208: ...e group This example uses the default group Ungrouped f Select the action Normal g Click OK Figure 63 Adding an IP address group 3 Add a portal device a Select Access Service Portal Service Management Device from the navigation tree to open the portal device configuration page b Click Add to open the page as shown in Figure 64 c Enter the device name NAS d Enter the IP address of the switch s inte...

Page 209: ...dding a portal device 4 Associate the portal device with the IP address group a As shown in Figure 65 click the icon in the Port Group Information Management column of device NAS to open the port group configuration page Figure 65 Device list b Click Add to open the page as shown in Figure 66 Figure 66 Port group configuration c Enter the port group name d Select the configured IP address group ...

Page 210: ... Server from the navigation tree to open the portal server configuration page as shown in Figure 67 c Configure the portal server heartbeat interval and user heartbeat interval d Use the default settings for other parameters e Click OK Figure 67 Portal authentication server configuration 2 Configure the IP address group a Select User Access Manager Portal Service Management IP Group from the navig...

Page 211: ... as that configured on the switch f Set whether to enable IP address reallocation This example uses direct portal authentication and therefore select No from the Reallocate IP list g Select whether to support sever heartbeat and user heartbeat functions In this example select Yes for both Support Server Heartbeat and Support User Heartbeat h Click OK Figure 69 Adding a portal device 4 Associate th...

Page 212: ...he configurations Configuring the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 112 Switch radius rs1 primary accounting 192 168 0 112...

Page 213: ...es Switch portal server newpt server detect timeout 40 log NOTE The value of timeout must be greater than or equal to the portal server heartbeat interval Configure portal user synchronization with the portal authentication server and set the synchronization detection interval to 600 seconds Switch portal server newpt user sync timeout 600 Switch portal server newpt quit NOTE The value of timeout ...

Page 214: ...ion with a preauthentication domain Network requirements As shown in Figure 72 the host is directly connected to the switch the access device The host is assigned a public IP address through DHCP A portal server acts as both a portal authentication server and a portal Web server A RADIUS server acts as the authentication accounting server Configure direct portal authentication so the host can acce...

Page 215: ...t 3 Configure portal authentication Configure a portal authentication server Switch portal server newpt Switch portal server newpt ip 192 168 0 111 key simple portal Switch portal server newpt port 50100 Switch portal server newpt quit Configure a portal Web server Switch portal web server newpt Switch portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit Enable di...

Page 216: ...ntication the host is assigned a private IP address and can access only the subnet 192 168 0 0 24 After passing the authentication the host gets a public IP address and can access other network resources Figure 73 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the switch and servers as shown in Figure 73 and make sure the host switch and servers can reach eac...

Page 217: ... in the domain Switch isp abc authorization attribute acl 3010 Switch isp abc quit Configure a rule to permit access to the subnet 192 168 0 0 24 Switch acl advanced 3010 Switch acl ipv4 adv 3010 rule 1 permit ip destination 192 168 0 0 24 Switch acl ipv4 adv 3010 quit Configure preauthentication domain abc on VLAN interface 100 Switch interface vlan interface 100 Switch Vlan interface100 portal p...

Page 218: ...witch display portal user pre authenticate interface vlan interface 100 MAC IP VLAN Interface 0015 e9a6 7cfe 10 10 10 4 100 Vlan interface100 State Online VPN instance Authorization information DHCP IP pool N A User profile N A Session group profile N A ACL number 3010 Inbound CAR N A Outbound CAR N A Configuring direct portal authentication using local portal Web server Network requirements As sh...

Page 219: ...gure an authentication domain Create an ISP domain named dm1 and enter its view Switch domain dm1 Configure AAA methods for the ISP domain Switch isp dm1 authentication portal radius scheme rs1 Switch isp dm1 authorization portal radius scheme rs1 Switch isp dm1 accounting portal radius scheme rs1 Switch isp dm1 quit Configure domain dm1 as the default ISP domain If a user enters the username with...

Page 220: ...isabled IPv4 Portal status Enabled Portal authentication method Direct Portal web server newpt Authentication domain Not configured Pre auth domain Not configured User dhcp only Disabled Pre auth IP pool Not configured Max Portal users Not configured Bas ip Not configured User detection Not configured Action for server detection Server type Server name Action Layer3 source network IP address Mask ...

Page 221: ...mation IP pool N A User profile N A Session group profile N A ACL N A CAR N A Troubleshooting portal No portal authentication page is pushed for users Symptom When a user is redirected to the IMC portal authentication server no portal authentication page or error message is prompted for the user The login page is blank Analysis The key configured on the portal access device and that configured on ...

Page 222: ...er command to display the listening port of the portal authentication server configured on the access device 2 Use the portal server command in system view to change the listening port number to the actual listening port of the portal authentication server Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity aut...

Page 223: ... private and public IP addresses However the authentication result for the user is failure Analysis When the access device detects that the client IP address is changed it sends an unsolicited portal packet to notify of the IP change to the portal authentication server The portal authentication server notifies of the authentication success only after it receives the IP change notification from bot...

Page 224: ...y for scenarios that require only 802 1X authentication or MAC authentication For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication Port security features NTK The need to know NTK feature prevents traffic interception by checking the destination MAC address in the outbound frames The feature ensures that frames are sent only to the follo...

Page 225: ...y is disabled on the port and access to the port is not restricted N A Controlling MAC address learning autoLearn NTK intrusion protection secure Performing 802 1X authentication userLogin N A userLoginSecure NTK intrusion protection userLoginSecureExt userLoginWithOUI Performing MAC authentication macAddressWithRadius NTK intrusion protection Performing a combination of MAC authentication and 802...

Page 226: ...t based access control The port can service multiple 802 1X users Once an 802 1X user passes authentication on the port any subsequent 802 1X users can access the network through the port without authentication userLoginSecure A port in this mode performs 802 1X authentication and implements MAC based access control The port services only one user passing 802 1X authentication userLoginSecureExt T...

Page 227: ...ion user and multiple MAC authentication users to log in In this mode the port performs MAC authentication upon receiving non 802 1X frames Upon receiving 802 1X frames the port performs MAC authentication and then if the authentication fails 802 1X authentication macAddressElseUserLoginSecureExt This mode is similar to the macAddressElseUserLoginSecure mode except that this mode supports multiple...

Page 228: ...ng the number of concurrent users on the port For a port operating in a security mode except for autoLearn and secure the upper limit equals the smaller of the following values The limit of the secure MAC addresses that port security allows The limit of concurrent users allowed by the authentication mode in use Controlling the number of secure MAC addresses on the port in autoLearn mode The port s...

Page 229: ...n cannot take effect Changing the port security mode of a port logs off the online users of the port Do not enable 802 1X authentication or MAC authentication on a port where port security is configured The device supports the URL attribute assigned by a RADIUS server in the following port security modes mac authentication mac else userlogin secure mac else userlogin secure ext userlogin secure us...

Page 230: ...de command to restore the default port security mode Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices The NTK feature supports the following modes ntkonly Forwards only unicast frames with authenticated destination MAC addresses ntk withbroadcasts Forwards only ...

Page 231: ...rn to system view quit N A 5 Optional Set the silence timeout period during which a port remains disabled port security timer disableport time value By default the port silence timeout is 20 seconds NOTE On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode intrusion protection is triggered only after both MAC authentication and 802 1X authentica...

Page 232: ...resses are lost at reboot When the maximum number of secure MAC address entries is reached the port changes to secure mode In secure mode the port cannot add or learn any more secure MAC addresses The port allows only frames sourced from secure MAC addresses or MAC addresses configured by using the mac address dynamic or mac address static command to pass through Configuration prerequisites Before...

Page 233: ...e a port to ignore authorization information from the server Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Ignore the authorization information received from the authentication server port security authorization ignore By default a port uses the authorization information received from the authentication server Enabli...

Page 234: ...me in the NAS Identifier attribute of all RADIUS requests A NAS ID profile enables you to send different NAS Identifier attribute strings in RADIUS requests from different VLANs The strings can be organization names service names or any user categorization criteria depending on the administrative requirements For example map the NAS ID companyA to all VLANs of company A The device will send compan...

Page 235: ... enable port security address learned dot1x failure dot1x logoff dot1x logon intrusion mac auth failure mac auth logoff mac auth logon By default SNMP notifications are disabled for port security Displaying and maintaining port security Execute display commands in any view Task Command Display the port security configuration operation information and statistics display port security interface inte...

Page 236: ...t1 0 1 port security max mac count 64 Set the port security mode to autoLearn Device Ten GigabitEthernet1 0 1 port security port mode autolearn Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered Device Ten GigabitEthernet1 0 1 port security intrusion mode disableport temporarily Device Ten GigabitEthernet1 0 1 quit Device port security timer disablep...

Page 237: ... address security sticky 0002 0000 0015 vlan 1 port security mac address security sticky 0002 0000 0014 vlan 1 port security mac address security sticky 0002 0000 0013 vlan 1 port security mac address security sticky 0002 0000 0012 vlan 1 port security mac address security sticky 0002 0000 0011 vlan 1 Device Ten GigabitEthernet1 0 1 quit Verify that the port security mode changes to secure after t...

Page 238: ...and sends usernames without domain names to the RADIUS server Configure Ten GigabitEthernet 1 0 1 to allow only one 802 1X user and a user that uses one of the specified OUI values to be authenticated Figure 76 Network diagram Configuration procedure The following configuration steps cover some AAA RADIUS configuration commands For more information about the commands see Security Command Reference...

Page 239: ...ess 1234 0100 1111 Device port security oui index 2 mac address 1234 0200 1111 Device port security oui index 3 mac address 1234 0300 1111 Device port security oui index 4 mac address 1234 0400 1111 Device port security oui index 5 mac address 1234 0500 1111 Set the port security mode to userLoginWithOUI Device interface ten gigabitethernet 1 0 1 Device Ten GigabitEthernet1 0 1 port security port ...

Page 240: ... Learned XGE1 0 1 Y macAddressElseUserLoginSecure configuration example Network requirements As shown in Figure 77 a client is connected to the device through Ten GigabitEthernet 1 0 1 The device authenticates the client by a RADIUS server in ISP domain sun If the authentication succeeds the client is authorized to access the Internet Configure Ten GigabitEthernet 1 0 1 of the device to meet the f...

Page 241: ...evice dot1x authentication method chap Set port security s limit on the number of MAC addresses to 64 on the port Device interface ten gigabitethernet 1 0 1 Device Ten GigabitEthernet1 0 1 port security max mac count 64 Set the port security mode to macAddressElseUserLoginSecure Device Ten GigabitEthernet1 0 1 port security port mode mac else userlogin secure Specify ISP domain sun as the mandator...

Page 242: ... authentication display MAC authentication information Verify that Ten GigabitEthernet 1 0 1 allows multiple MAC authentication users to be authenticated Device display mac authentication interface ten gigabitethernet 1 0 1 Global MAC authentication parameters MAC authentication Enabled User name format MAC address in uppercase XX XX XX XX XX XX Username mac Password Not configured Offline detect ...

Page 243: ...al 802 1X parameters 802 1X authentication Enabled CHAP authentication Enabled Max tx period 30 s Handshake period 15 s Quiet timer Disabled Quiet period 60 s Supp timeout 30 s Server timeout 100 s Reauth period 3600 s Max auth requests 2 EAD assistant function Disabled EAD timeout 30 min Domain delimiter Online 802 1X wired users 1 Ten GigabitEthernet1 0 1 is link up 802 1X authentication Enabled...

Page 244: ...ination MAC address multicast address or broadcast address are discarded Details not shown Troubleshooting port security Cannot set the port security mode Symptom Cannot set the port security mode for a port Analysis For a port operating in a port security mode other than noRestrictions you cannot change the port security mode by using the port security port mode command Solution To resolve the pr...

Page 245: ... security mode to autoLearn Device Ten GigabitEthernet1 0 1 undo port security port mode Device Ten GigabitEthernet1 0 1 port security max mac count 64 Device Ten GigabitEthernet1 0 1 port security port mode autolearn Device Ten GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 2 If the problem persists contact Hewlett Packard Enterprise Support ...

Page 246: ...d Configuring a user profile Configuration restrictions and guidelines When you configure user profiles follow these restrictions and guidelines Configure authentication parameters before you create a user profile The user profile supports working with the 802 1X and MAC authentication methods Specify a user profile for each user account In remote authentication specify a user profile on the authe...

Page 247: ...y day even if User A passes 802 1X authentication User B has an upload speed of 2 Mbps after passing 802 1X authentication User C has a download speed of 4 Mbps after passing 802 1X authentication Figure 78 Network diagram Configuration procedure 1 Configure a QoS policy for User A Create a periodic time range from 8 30 to 12 00 every day Device system view Device time range for_usera 8 30 to 12 0...

Page 248: ...0 kbps Device traffic behavior for_userb Device behavior for_userb car cir 2000 Device behavior for_userb quit Create a QoS policy named for_userb and associate traffic class class and traffic behavior for_userb in the QoS policy Device qos policy for_userb Device qospolicy for_userb classifier class behavior for_userb Device qospolicy for_userb quit 4 Create a user profile for User B and apply th...

Page 249: ...b to use the LAN access service Device luser network userb service type lan access Specify user profile userb as the authorization user profile for user userb Device luser network userb authorization attribute user profile userb Device luser network userb quit Create a local user named userc Device local user userc class network New local user added Set the password to c12345 for user userc Device...

Page 250: ... user profile information Device display user profile User Profile usera Inbound Policy for_usera slot 1 User Authentication type 802 1X Network attributes Interface Ten GigabitEthernet1 0 1 MAC address 6805 ca06 557b Service VLAN 1 User Profile userb Inbound Policy for_userb slot 1 User Authentication type 802 1X Network attributes Interface Ten GigabitEthernet1 0 1 MAC address 80c1 6ee0 2664 Ser...

Page 251: ...238 ...

Page 252: ...ser passwords If a user enters a password that is shorter than the minimum length the system rejects the password Password composition policy A password can be a combination of characters from the following types Uppercase letters A to Z Lowercase letters a to z Digits 0 to 9 Special characters in Table 19 Table 19 Special Characters Character name Symbol Character name Symbol Ampersand sign Apost...

Page 253: ...e password is complexity incompliant the configuration will fail You can apply the following password complexity requirements A password cannot contain the username or the reverse of the username For example if the username is abc a password such as abc982 or 2cba is not complex enough A character or number cannot be included three or more times consecutively For example password a111 is not compl...

Page 254: ... The four characters must be different from one another Otherwise the system will display an error message and the password will not be changed You can set the maximum number of history password records for the system to maintain for each user When the number of history password records exceeds your setting the most recent record overwrites the earliest one Current login passwords of device manage...

Page 255: ...ds and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode Password control configuration task list The password control features can be configured in several different views and different views support different features The settings configured in different views or for different objects have the following application ranges Settings for super passwords apply only to super...

Page 256: ...boot The inconsistency will cause the password expiration feature to malfunction For information about NTP see Network Management and Monitoring Configuration Guide To enable password control Step Command Remarks 1 Enter system view system view N A 2 Enable the global password control feature password control enable In non FIPS mode the global password control feature is disabled by default In FIP...

Page 257: ...d complexity checking 7 Set the maximum number of history password records for each user password control history max record number The default setting is 4 8 Configure the login attempt limit password control login attempt login times exceed lock lock time time unlock By default the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait...

Page 258: ...the user group equals the global login attempt policy Setting local user password control parameters Step Command Remarks 1 Enter system view system view N A 2 Create a device management user and enter its view local user user name class manage By default no local users exist Local user password control applies to device management users instead of network access users For information about how to...

Page 259: ... to the device For more information see Fundamentals Configuration Guide To set super password control parameters Step Command Remarks 1 Enter system view system view N A 2 Set the password expiration time for super passwords password control super aging aging time The default setting is 90 days 3 Configure the minimum length for super passwords password control super length length In non FIPS mod...

Page 260: ...provide the correct password in two successive login attempts is permanently prohibited from logging in A user can log in five times within 60 days after the password expires A password expires after 30 days The minimum password update interval is 36 hours The maximum account idle time is 30 days A password cannot contain the username or the reverse of the username No character appears consecutive...

Page 261: ...ition type number 4 type length 4 Set the minimum super password length to 24 characters Sysname password control super length 24 Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type Sysname password control super composition type number 4 type length 5 Configure a super password used for switching to user role network operator...

Page 262: ...omplexity Enabled username checking Enabled repeated characters checking Display the password control configuration for super passwords Sysname display password control super Super password control configurations Password aging Enabled 90 days Password length Enabled 24 characters Password composition Enabled 4 types 5 characters per type Display the password control configuration for local user t...

Page 263: ... to authenticate packets to a peer set non overlapping sending lifetimes for the keys in the keychain The keys used by the local device and the peer device must have the same authentication algorithm and key string To configure a keychain Step Command Remarks 1 Enter system view system view N A 2 Create a keychain and enter keychain view keychain keychain name mode absolute By default no keychains...

Page 264: ...he receiving lifetime in UTC mode for the key accept lifetime utc start time start date duration duration value infinite to end time end date By default the receiving lifetime is not configured for a key 11 Optional Specify the key as the default send key default send key By default no key in a keychain is specified as the default send key Displaying and maintaining keychain Execute display comman...

Page 265: ... SwitchA keychain abc key 2 key string plain pwd123 SwitchA keychain abc key 2 send lifetime utc 11 00 00 2015 02 06 to 12 00 00 2015 02 06 SwitchA keychain abc key 2 accept lifetime utc 11 00 00 2015 02 06 to 12 00 00 2015 02 06 SwitchA keychain abc key 2 quit SwitchA keychain abc quit Configure VLAN interface 100 to use keychain abc for authentication SwitchA interface vlan interface 100 SwitchA...

Page 266: ...vlan interface 100 SwitchB Vlan interface100 ospf authentication mode keychain abc SwitchB Vlan interface100 quit Verifying the configuration 1 When the system time is within the lifetime from 10 00 00 to 11 00 00 on the day 2015 02 06 verify the status of the keys in keychain abc Display keychain information on Switch A The output shows that key 1 is the valid key SwitchA display keychain Keychai...

Page 267: ...ept lifetime 10 00 00 2015 02 06 to 11 00 00 2015 02 06 Accept status Active Key ID 2 Key string c 3 t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw Algorithm hmac md5 Send lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Send status Inactive Accept lifetime 11 00 00 2015 02 06 to 12 00 00 2015 02 06 Accept status Inactive 2 When the system time is within the lifetime from 11 00 00 to 12 00 00 on the day 20...

Page 268: ...e output shows that key 2 becomes the valid key SwitchB display keychain Keychain name abc Mode absolute Accept tolerance 0 TCP kind value 254 TCP algorithm value HMAC MD5 5 MD5 3 Default send key ID None Active send key ID 1 Active accept key IDs 1 Key ID 1 Key string c 3 G Shnh6heXWprlSQy XDmftHa2JZJBSgg Algorithm md5 Send lifetime 10 00 00 2015 02 06 to 11 00 00 2015 02 06 Send status Inactive ...

Page 269: ... Encryption and decryption Any public key receiver can use the public key to encrypt information but only the private key owner can decrypt the information Digital signature The key owner uses the private key to digitally sign information to be sent The receiver decrypts the information with the sender s public key to verify information authenticity RSA DSA and ECDSA can all perform digital signat...

Page 270: ...tically saved and can survive system reboots Table 21 A comparison of different types of asymmetric key algorithms Type Generated key pairs Modulus key length RSA In non FIPS mode One host key pair if you specify a key pair name One server key pair and one host key pair if you do not specify a key pair name Both key pairs use their default names In FIPS mode One host key pair NOTE Only SSH 1 5 use...

Page 271: ...When you export a host public key follow these restrictions and guidelines If you specify a file name in the command the command exports the key to the specified file If you do not specify a file name the command exports the key to the monitor screen You must manually save the exported key to a file To export a local host public key Step Command 1 Enter system view system view 2 Export a local hos...

Page 272: ...re of the peer device you must configure the peer device s public key on the local device You can configure the peer host public key by using the following methods Import the peer host public key from a public key file recommended Manually enter type or copy the peer host public key Importing a peer host public key from a public key file Before you perform this task make sure you have exported the...

Page 273: ...ter public key view public key peer keyname By default no peer host public keys exist 3 Type or copy the key N A You can use spaces and carriage returns but the system does not save them 4 Return to system view peer public key end When you exit public key view the system automatically saves the peer host public key Displaying and maintaining public keys Execute display commands in any view Task Co...

Page 274: ...7347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Key name serverkey default Key type RSA Time when key pair created 16 48 31 2011 05 12 Key code 307C300D06092A864886F70D0101010500036B003068...

Page 275: ...A DeviceB display public key peer name devicea Key name devicea Key type RSA Key modulus 1024 Key code 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD47...

Page 276: ...5D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Key name serverkey default Key type RSA Time when key pair created 16 48 31 2011 05 12 Key code 307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC 1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953F...

Page 277: ...rt the host public key from the key file devicea pub DeviceB system view DeviceB public key peer devicea import sshkey devicea pub Verifying the configuration Verify that the peer host public key configured on Device B is the same as the key displayed on Device A DeviceB display public key peer name devicea Key name devicea Key type RSA Key modulus 1024 Key code 30819F300D06092A864886F70D010101050...

Page 278: ...ith the international standards of ITU T X 509 of which X 509 v3 is the most commonly used This chapter covers the following types of certificates CA certificate Certificate of a CA Multiple CAs in a PKI system form a CA tree with the root CA at the top The root CA generates a self signed certificate and each lower level CA holds a CA certificate issued by the CA immediately above it The chain of ...

Page 279: ...e with the CA or RA CA Certification authority that grants and manages certificates A CA issues certificates defines the certificate validity periods and revokes certificates by publishing CRLs RA Registration authority which offloads the CA by processing certificate enrollment requests The RA accepts certificate requests verifies user identity and determines whether to ask the CA to issue certifi...

Page 280: ...can address the email requirements for confidentiality integrity authentication and non repudiation A common secure email protocol is Secure Multipurpose Internet Mail Extensions S MIME which is based on PKI and allows for transfer of encrypted mails with signature Web security PKI can be used in the SSL handshake phase to verify the identities of the communicating parties by digital certificates ...

Page 281: ...entity and enter its view pki entity entity name By default no PKI entities exist To create multiple PKI entities repeat this step 3 Set a common name for the entity common name common name sting By default the common name is not set 4 Set the country code of the entity country country code string By default the country code is not set 5 Set the locality of the entity locality locality name By def...

Page 282: ...y entity name By default no entity is specified 5 Specify the type of certificate request reception authority certificate request from ca ra By default no authority type is specified 6 Specify the certificate request URL certificate request url url string vpn instance vpn instance name By default the certificate request URL is not specified 7 Optional Set the SCEP polling interval and maximum numb...

Page 283: ... packets source ip ip address interface interface type interface number Specify the source IPv6 address for the PKI protocol packets source ipv6 ipv6 address interface interface type interface number This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet By default the source IP address of PKI protocol packets is the IP a...

Page 284: ...r RSA If DSA or ECDSA is used a PKI domain can have only one local certificate If RSA is used a PKI domain can have one local certificate for signature and one local certificate for encryption Configuring automatic certificate request IMPORTANT The device does not support automatic certificate rollover To avoid service interruptions you must manually submit a certificate renewal request before the...

Page 285: ...in domain name password password pkcs10 filename filename This command is not saved in the configuration file This command triggers the PKI entity to automatically generate a key pair if the key pair specified in the PKI domain does not exist The name algorithm and length of the key pair are configured in the PKI domain Aborting a certificate request Before the CA issues a certificate you can abor...

Page 286: ...u must provide the challenge password Contact the CA administrator to obtain the password If a CA certificate already exists locally you cannot obtain it again in online mode If you want to obtain a new one use the pki delete certificate command to remove the existing CA certificate and local certificates first If local or peer certificates already exist you can obtain new local or peer certificat...

Page 287: ...til the root CA certificate is reached 5 Verifies that each CA certificate in the certificate chain is issued by the named parent CA starting from the root CA Verifying certificates with CRL checking CRL checking checks whether a certificate is in the CRL If it is the certificate has been revoked and its home entity is not trusted To use CRL checking a CRL must be obtained from a CRL repository Th...

Page 288: ...is command is not saved in the configuration file Specifying the storage path for the certificates and CRLs CAUTION If you change the storage path save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs The device has a default storage path for certificates and CRLs You can change the storage path and specify different paths for the certificat...

Page 289: ...on the terminal When you export a local certificate with RSA key pairs to a file the certificate file name might be different from the file name specified in the command The actual certificate file name depends on the purpose of the key pair contained in the certificate For more information see Security Command Reference Removing a certificate You can remove the CA certificate local certificate or...

Page 290: ...r does not match any statements in the policy the certificate is regarded invalid If a statement is associated with a non existing attribute group or the attribute group does not have attribute rules the certificate matches the statement If the certificate based access control policy referenced by a security application for example HTTPS does not exist all certificates in the application pass the ...

Page 291: ...as the CA server If you use Windows server or OpenCA you must install the SCEP add on for Windows server or enable SCEP for OpenCA In either case when you configure a PKI domain you must use the certificate request from ra command to specify the RA to accept certificate requests If you use RSA Keon the SCEP add on is not required When you configure a PKI domain you must use the certificate request...

Page 292: ...le uses myca Device pki domain torsa ca identifier myca Configure the URL of the CA server The URL format is http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server Device pki domain torsa certificate request url http 1 1 2 22 446 80f6214aa8865301d07929ae481c7ceed99f95bd Configure the device to send certificate requests to ca Device p...

Page 293: ...domain torsa local Certificate Data Version 3 0x2 Serial Number 15 79 75 ec d2 33 af 5e 46 35 83 bc bd 6e e3 b8 Signature Algorithm sha1WithRSAEncryption Issuer CN myca Validity Not Before Jan 6 03 10 58 2013 GMT Not After Jan 6 03 10 58 2014 GMT Subject CN Device Subject Public Key Info Public Key Algorithm rsaEncryption Public Key 1024 bit Modulus 00 ab 45 64 a8 6c 10 70 3b b9 46 34 8d eb 1a a1 ...

Page 294: ...example set the CA name to myca 2 Install the SCEP add on By default Windows Server 2003 does not support SCEP You must install the SCEP add on on the server for a PKI entity to register and obtain a certificate from the server After the SCEP add on installation is complete you will see a URL Specify this URL as the certificate request URL on the device 3 Modify the certificate service attributes ...

Page 295: ...st url http 4 4 4 1 8080 certsrv mscep mscep dll Configure the device to send certificate requests to ra Device pki domain winserver certificate request from ra Set the PKI entity name to aaa Device pki domain winserver certificate request entity aaa Configure a general purpose RSA key pair named abc with a length of 1024 bits Device pki domain winserver public key rsa general name abc length 1024...

Page 296: ...3f 5d 5b 36 9e 53 dc 3a bc 0d 11 fb d6 7d 4f 94 3c c1 90 4a 50 ce db 54 e0 b3 27 a9 6a 8e 97 fb 20 c7 44 70 8f f0 b9 ca 5b 94 f0 56 a5 2b 87 ac 80 c5 cc 04 07 65 02 39 fc db 61 f7 07 c6 65 4c e4 5c 57 30 35 b4 2e ed 9c ca 0b c1 5e 8d 2e 91 89 2f 11 e3 1e 12 8a f8 dd f8 a7 2a 94 58 d9 c7 f8 1a 78 bd f5 42 51 3b 31 5d ac 3e c3 af fa 33 2c fc c2 ed b9 ee 60 83 b3 d3 e5 8e e5 02 cf b0 c8 f0 3a a4 b7 a...

Page 297: ...a 70 f2 fa 73 ab c1 3e 4d 12 fb 99 31 51 ab c2 84 c0 2f e5 f6 a7 c3 20 3c 9a b0 ce 5a bc 0f d9 34 56 bc 1e 6f ee 11 3f 7c b2 52 f9 45 77 52 fb 46 8a ca b7 9d 02 0d 4e c3 19 8f 81 46 4e 03 1f 58 03 bf 53 c6 c4 85 95 fb 32 70 e6 1b f3 e4 10 ed 7f 93 27 90 6b 30 e7 81 36 bb e2 ec f2 dd 2b bb b9 03 1c 54 0a 00 3f 14 88 de b8 92 63 1e f5 b3 c2 cf 0a d5 f4 80 47 6f fa 7e 2d e3 a7 38 46 f6 9e c7 57 9d 7f...

Page 298: ...nCA server Device pki domain openca certificate request url http 192 168 222 218 cgi bin pki scep Configure the device to send certificate requests to the RA Device pki domain openca certificate request from ra Specify PKI entity aaa for certificate request Device pki domain openca certificate request entity aaa Configure a general purpose RSA key pair named abc with a length of 1024 bits Device p...

Page 299: ...ublic Key Info Public Key Algorithm rsaEncryption Public Key 1024 bit Modulus 00 b8 7a 9a b8 59 eb fc 70 3e bf 19 54 0c 7e c3 90 a5 d3 fd ee ff c6 28 c6 32 fb 04 6e 9c d6 5a 4f aa bb 50 c4 10 5c eb 97 1d a7 9e 7d 53 d5 31 ff 99 ab b6 41 f7 6d 71 61 58 97 84 37 98 c7 7c 79 02 ac a6 85 f3 21 4d 3c 8e 63 8d f8 71 7d 28 a1 15 23 99 ed f9 a1 c3 be 74 0d f7 64 cf 0a dd 39 49 d7 3f 25 35 18 f4 1c 59 46 2...

Page 300: ... 40 44 f3 ab e4 5a a0 06 8f af 22 a9 05 74 43 b6 e4 96 a5 d4 52 32 c2 a8 53 37 58 c7 2f 75 cf 3e 8e ed 46 c9 5a 24 b1 f5 51 1d 0f 5a 07 e6 15 7a 02 31 05 8c 03 72 52 7c ff 28 37 1e 7e 14 97 80 0b 4e b9 51 2d 50 98 f2 e4 5a 60 be 25 06 f6 ea 7c aa df 7b 8d 59 79 57 8f d4 3e 4f 51 c1 34 e6 c1 1e 71 b5 0d 85 86 a5 ed 63 1e 08 7f d2 50 ac a0 a3 9e 88 48 10 0b 4a 7d ed c1 03 9f 87 97 a3 5e 7d 75 1d ac ...

Page 301: ...ttribute group mygroup1 Device pki cert attribute group mygroup1 attribute 1 subject name dn ctn aabbcc Device pki cert attribute group mygroup1 attribute 2 issuer name ip equ 10 0 0 1 Device pki cert attribute group mygroup1 quit Create a certificate attribute group named mygroup2 and add two attribute rules The first rule defines that the FQDN in the alternative subject name does not contain the...

Page 302: ...rtificate import and export configuration example Network requirements As shown in Figure 88 Device B will replace Device A in the network PKI domain exportdomain on Device A has two local certificates containing the private key and one CA certificate To make sure the certificates are still valid after Device B replaces Device A copy the certificates on Device A to Device B as follows 1 Export the...

Page 303: ...4 70 F5 17 17 20 2B 9E AC 20 F3 99 89 Key Attributes No Attributes BEGIN ENCRYPTED PRIVATE KEY MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZtjSjfslJCoCAggA END ENCRYPTED PRIVATE KEY Display the local certificate file pkilocal pem encryption DeviceA more pkicachain pem encr Bag Attributes friendlyName localKeyID D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject C CN O OpenCA L...

Page 304: ...ocal pem signature Please input the password Import the local certificate file pkilocal pem encryption in PEM format to the PKI domain The certificate file contains a key pair DeviceB pki import domain importdomain pem local filename pkilocal pem encryption Please input the password Display the imported local certificate information on Device B DeviceB display pki certificate domain importdomain l...

Page 305: ...titan 2560 1 3 6 1 5 5 7 48 12 URI http titan 830 X509v3 CRL Distribution Points Full Name URI http 192 168 40 130 pki pub crl cacrl crl Signature Algorithm sha256WithRSAEncryption 18 e7 39 9a ad 84 64 7b a3 85 62 49 e5 c9 12 56 a6 d2 46 91 53 8e 84 ba 4a 0a 6f 28 b9 43 bc e7 b0 ca 9e d4 1f d2 6f 48 c4 b9 ba c5 69 4d 90 f3 15 c4 4e 4b 1e ef 2b 1b 2d cb 47 1e 60 a9 0f 81 dc f2 65 6b 5f 7a e2 36 29 ...

Page 306: ...f3 10 e9 ec 81 00 28 60 a9 02 bb 35 8b bf 85 75 6f 24 ab 26 de 47 6c ba 1d ee 0d 35 75 58 10 e5 e8 55 d1 43 ae 85 f8 ff 75 81 03 8c 2e 00 d1 e9 a4 5b 18 39 Exponent 65537 0x10001 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Cert Type SSL Server X509v3 Key Usage Key Encipherment Data Encipherment Netscape Comment VPN Server of OpenCA Labs X509v3 Subject Key Identifier CC 96 03 2F FC...

Page 307: ...72 57 72 5e 78 d6 97 ef b8 d8 6d 0c 05 28 ea 81 3a 06 a0 2e c3 79 05 cd c3 To display detailed information about the CA certificate use the display pki certificate domain command Troubleshooting PKI configuration This section provides troubleshooting information for common problems with PKI Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained Analysis The network conne...

Page 308: ...evice is not synchronized with the CA server Solution 1 Check for and fix any network connection problems 2 Obtain or import the CA certificate 3 Configure the correct LDAP server 4 Specify the key pair used for certificate request in the PKI domain or remove the existing key pair and submit a certificate request again 5 Check the registration policy on the CR or RA and make sure the attributes of...

Page 309: ...ress that the CA server can accept For the correct settings contact the CA administrator 9 Synchronize the system time of the device with the CA server 10 If the problem persists contact Hewlett Packard Enterprise Support Failed to obtain CRLs Symptom CRLs cannot be obtained Analysis The network connection is down for example because the network cable is damaged or the connectors have bad contact ...

Page 310: ...tain one The specified format does not match the actual format of the file to be imported Solution 1 Use undo crl check enable to disable CRL checking 2 Make sure the format of the imported file is correct 3 If the problem persists contact Hewlett Packard Enterprise Support Failed to import a local certificate Symptom A local certificate cannot be imported Analysis The PKI domain has no CA certifi...

Page 311: ...e PKI domain The storage space of the device is full Solution 1 If the PKI domain does not have local certificates obtain or request local certificates first 2 Use mkdir to create the required path 3 Specify a correct export path 4 Configure the correct key pair in the PKI domain 5 Clear up the storage space of the device 6 If the problem persists contact Hewlett Packard Enterprise Support Failed ...

Page 312: ...plicate packets IPsec delivers the following benefits Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol IKE provides automatic key negotiation and automatic IPsec security association SA setup and maintenance Good compatibility You can apply IPsec to all IP based application systems and services without modifying them Encryption on a per packet rather than ...

Page 313: ...The security protocols protect the entire IP packet The entire IP packet is used to calculate the security protocol headers The calculated security protocol headers and the encrypted data only for ESP encapsulation are encapsulated in a new IP packet In this mode the encapsulated packet has two IP headers The inner IP header is the original IP header The outer IP header is added by the network dev...

Page 314: ...ough IKE negotiations in medium and large scale dynamic networks A manually configured SA never ages out An IKE created SA has a lifetime which comes in two types Time based lifetime Defines how long the SA can be valid after it is created Traffic based lifetime Defines the maximum traffic that the SA can process If both lifetime timers are configured for an SA the SA becomes invalid when either o...

Page 315: ...e an ACL to define the data flows to be protected specify the ACL in an IPsec policy and then apply the IPsec policy to an interface When packets sent by the interface match a permit rule of the ACL the packets are protected by the outbound IPsec SA and encapsulated with IPsec When the interface receives an IPsec packet destined for the local device it searches for the inbound IPsec SA according t...

Page 316: ...y Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec configured IPsec tunnels can be established in different methods Choose a correct method to establish IPsec tunnels according to your network conditions ACL based IPsec tunnel Protects packets identified by an ACL To establish an ACL based IPsec tunnel configure an IPsec policy specify an ACL in the policy and...

Page 317: ...Optional Enabling ACL checking for de encapsulated packets Optional Configuring IPsec anti replay Optional Configuring IPsec anti replay redundancy Optional Binding a source interface to an IPsec policy Optional Enabling QoS pre classify Optional Enabling logging of IPsec packets Optional Configuring the DF bit of IPsec packets Optional Configuring SNMP notifications for IPsec Optional Configuring...

Page 318: ...ts will be sent out as normal packets If they match a permit statement at the receiving end they will be dropped by IPsec Mirror image ACLs To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly between two IPsec peers create mirror image ACLs on the IPsec peers ACL for MPLS L3VPN IPsec protection To use IPsec to protect the data of an MPLS L3VPN you must spec...

Page 319: ...ier has a higher priority The aes ctr 128 aes ctr 192 aes ctr 256 camellia cbc 128 camellia cbc 192 camellia cbc 256 gmac 128 gmac 192 gmac 256 gcm 128 gcm 192 and gcm 256 encryption algorithms and the aes xcbc mac authentication algorithm are available only for IKEv2 5 Specify the mode in which the security protocol encapsulates IP packets encapsulation mode transport tunnel By default the securi...

Page 320: ...tbound SA The same is true of the local outbound SA and remote inbound SA The keys for the local and remote inbound and outbound SAs must be in the same format For example if the local inbound SA uses a key in characters the local outbound SA and remote inbound and outbound SAs must use keys in characters Configuration procedure To configure a manual IPsec policy Step Command Remarks 1 Enter syste...

Page 321: ...the IPsec SA Configure keys correctly for the security protocol AH ESP or both you have specified in the IPsec transform set used by the IPsec policy If you configure a key in both the character and the hexadecimal formats only the most recent configuration takes effect If you configure a key in character format for ESP the device automatically generates an authentication key and an encryption key...

Page 322: ...no IPsec policies exist 3 Optional Configure a description for the IPsec policy description text By default no description is configured 4 Specify an ACL for the IPsec policy security acl ipv6 acl number name acl name aggregation per host By default no ACL is specified for an IPsec policy You can specify only one ACL for an IPsec policy 5 Specify IPsec transform sets for the IPsec policy transform...

Page 323: ...olicy template Except the IPsec transform sets and the IKE profile all other parameters are optional A device using an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation but it can respond to a negotiation request The parameters not defined in the template are determined by the initiator For example in an IPsec policy template the ACL is optional If...

Page 324: ...ified by this command must be the same as the IP address used as the local IKE identity 9 Optional Specify the remote IP address of the IPsec tunnel remote address ipv6 host name ipv4 address ipv6 ipv6 address By default the remote IP address of the IPsec tunnel is not specified 10 Optional Configure the IPsec SA lifetime sa duration time based seconds traffic based kilobytes By default the global...

Page 325: ...iew interface interface type interface number N A 3 Apply an IPsec policy to the interface ipsec apply policy ipv6 policy policy name By default no IPsec policy is applied to an interface On an interface you can apply a maximum of two IPsec policies one IPv4 IPsec policy and one IPv6 IPsec policy An IKE based IPsec policy can be applied to multiple interfaces As a best practice apply an IKE based ...

Page 326: ...c anti replay make sure you understand the impact of the operation on network security Set the anti replay window size as small as possible to reduce the impact on system performance IPsec anti replay requires that packets on the same interface be processed on the same slot To perform IPsec anti replay on a multichassis IRF fabric for a global interface use the service command in interface view to...

Page 327: ...ke some time to renegotiate SAs resulting in service interruption To solve these problems bind a source interface to an IPsec policy and apply the policy to both interfaces This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs As long as the source interface is up the negotiated IPsec SAs will not be removed and will keep working regardless of link failov...

Page 328: ... A 2 Enter IPsec policy view or IPsec policy template view To enter IPsec policy view ipsec policy ipv6 policy policy name seq number isakmp manual To enter IPsec policy template view ipsec policy template ipv6 policy template template name seq number N A 3 Enable QoS pre classify qos pre classify By default QoS pre classify is disabled Enabling logging of IPsec packets Perform this task to enable...

Page 329: ...Psec packet size To configure the DF bit of IPsec packets on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure the DF bit of IPsec packets on the interface ipsec df bit clear copy set By default the interface uses the global DF bit setting To configure the DF bit of IPsec packets globally Step Comm...

Page 330: ...le Step Command Remarks 1 Enter system view system view N A 2 Create a manual IPsec profile and enter its view ipsec profile profile name manual By default no IPsec profile exists The manual keyword is not needed if you enter the view of an existing IPsec profile 3 Optional Configure a description for the IPsec profile description text By default no description is configured 4 Specify an IPsec tra...

Page 331: ... globally snmp agent trap enable ipsec global By default SNMP notifications for IPsec are disabled 3 Enable SNMP notifications for the specified failure or event types snmp agent trap enable ipsec auth failure decrypt failure encrypt failure invalid sa failure no sa failure policy add policy attach policy delete policy detach tunnel start tunnel stop By default SNMP notifications for all failure a...

Page 332: ... Execute display commands in any view and reset commands in user view Task Command Display IPsec policy information display ipsec ipv6 policy policy policy name seq number Display IPsec policy template information display ipsec ipv6 policy template policy template template name seq number Display IPsec profile information display ipsec profile profile name Display IPsec transform set information d...

Page 333: ...chA acl ipv4 adv 3101 rule 0 permit ip source 2 2 2 1 0 destination 2 2 3 1 0 SwitchA acl ipv4 adv 3101 quit Create an IPsec transform set named tran1 SwitchA ipsec transform set tran1 Specify the encapsulation mode as tunnel SwitchA ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP RouterA ipsec transform set tran1 protocol esp Specify the ESP encryption and...

Page 334: ...tion mode as tunnel SwitchB ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchB ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorithms SwitchB ipsec transform set tran1 esp encryption algorithm aes cbc 192 SwitchB ipsec transform set tran1 esp authentication algorithm sha1 SwitchB ipsec transform set tran1 quit C...

Page 335: ...Path MTU 1443 Tunnel local address 2 2 2 1 remote address 2 2 3 1 Flow as defined in ACL 3101 Inbound ESP SA SPI 54321 0x0000d431 Transform set ESP ENCRYPT AES CBC 192 ESP AUTH SHA1 No duration limit for this SA Outbound ESP SA SPI 12345 0x00003039 Transform set ESP ENCRYPT AES CBC 192 ESP AUTH SHA1 No duration limit for this SA Configuring IPsec for RIPng Network requirements As shown in Figure 9...

Page 336: ...00 quit Create and configure the IPsec transform set named tran1 SwitchA ipsec transform set tran1 SwitchA ipsec transform set tran1 encapsulation mode transport SwitchA ipsec transform set tran1 protocol esp SwitchA ipsec transform set tran1 esp encryption algorithm aes cbc 128 SwitchA ipsec transform set tran1 esp authentication algorithm sha1 SwitchA ipsec transform set tran1 quit Create and co...

Page 337: ...chB ipsec profile profile001 quit Apply the IPsec profile to RIPng process 1 SwitchB ripng 1 SwitchB ripng 1 enable ipsec profile profile001 SwitchB ripng 1 quit 3 Configure Switch C Configure IPv6 addresses for interfaces Details not shown Configure basic RIPng SwitchC system view SwitchC ripng 1 SwitchC ripng 1 quit SwitchC interface vlan interface 200 SwitchC Vlan interface200 ripng 1 enable Sw...

Page 338: ...IPng process 1 SwitchA display ripng 1 RIPng process 1 Preference 100 Checkzero Enabled Default Cost 0 Maximum number of balanced paths 8 Update time 30 sec s Timeout time 180 sec s Suppress time 120 sec s Garbage Collect time 120 sec s Number of periodic updates sent 186 Number of trigger updates sent 1 IPsec profile name profile001 Use the display ipsec sa command to display the established IPse...

Page 339: ...otiates SAs when the sequence number in the AH or ESP header overflows making sure IPsec can provide the anti replay service by using the sequence number As shown in Figure 94 IKE negotiates SAs for IPsec and transfers the SAs to IPsec and IPsec uses the SAs to protect IP packets Figure 94 Relationship between IKE and IPsec IKE negotiation process IKE negotiates keys and SAs for IPsec in two phase...

Page 340: ...ion key distribution and IPsec SA establishment on insecure networks Identity authentication The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers The device supports the following identity authentication methods Pre shared key authentication Two communicating peers use the pre configured shared key for identity authentication RSA signature authe...

Page 341: ... FIPS and non FIPS mode IKE configuration prerequisites Determine the following parameters prior to IKE configuration The algorithms to be used during IKE negotiation including the identity authentication method encryption algorithm authentication algorithm and DH group Different algorithms provide different levels of protection A stronger algorithm provides more resistance to decryption but uses ...

Page 342: ...gure the local ID the ID that the device uses to identify itself to the peer during IKE negotiation For digital signature authentication the device can use an ID of any type If the local ID is an IP address that is different from the IP address in the local certificate the device uses the FQDN the device name configured by using the sysname command instead For pre shared key authentication the dev...

Page 343: ...ture authentication certificate domain domain name Configure at least one command as required By default no IKE keychain or PKI domain is specified for an IKE profile 5 Specify the IKE negotiation mode for phase 1 In non FIPS mode exchange mode aggressive main In FIPS mode exchange mode main By default the main mode is used during IKE negotiation phase 1 6 Specify IKE proposals for the IKE profile...

Page 344: ...ls specified in the IKE profile to the peer An IKE proposal specified earlier for the IKE profile has a higher priority If the initiator is using an IPsec policy with no IKE profile the initiator sends all its IKE proposals to the peer An IKE proposal with a smaller number has a higher priority The peer searches its own IKE proposals for a match The search starts from the IKE proposal with the hig...

Page 345: ...on Follow these guidelines when you configure an IKE keychain 1 Two peers must be configured with the same pre shared key to pass pre shared key authentication 2 You can specify the local address configured in IPsec policy or IPsec policy template view using the local address command for the IKE keychain to be applied If no local address is configured specify the IP address of the interface that u...

Page 346: ...tication is used you cannot set the DN as the identity To configure the global identity information Step Command Remarks 1 Enter system view system view N A 2 Configure the global identity to be used by the local end ike identity address ipv4 address ipv6 ipv6 address dn fqdn fqdn name user fqdn user fqdn name By default the IP address of the interface to which the IPsec policy or IPsec policy tem...

Page 347: ...tting data to the intended end To prevent NAT sessions from being aged configure the NAT keepalive feature on the IKE gateway behind the NAT device to send NAT keepalive packets to its peer periodically to keep the NAT session alive To configure the IKE NAT keepalive feature Step Command Remarks 1 Enter system view system view N A 2 Set the IKE NAT keepalive interval ike nat keepalive seconds The ...

Page 348: ... find an SA an invalid SPI is encountered The peer drops the data packet and tries to send an SPI invalid notification to the data originator This notification is sent by using the IKE SA Because no IKE SA is available the notification is not sent The originating peer continues sending the data by using the IPsec SA that has the invalid SPI and the receiving peer keeps dropping the traffic The inv...

Page 349: ...generate and output SNMP notifications for a specific IKE failure or event type perform the following tasks 1 Enable SNMP notifications for IKE globally 2 Enable SNMP notifications for the failure or event type To configure SNMP notifications for IKE Step Command Remarks 1 Enter system view system view N A 2 Enable SNMP notifications for IKE globally snmp agent trap enable ike global By default SN...

Page 350: ...gure Switch A Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 2 2 2 1 255 255 255 0 SwitchA Vlan interface1 quit Configure an IPv4 advanced ACL to identify the data flows between Switch A and Switch B SwitchA acl advanced 3101 SwitchA acl ipv4 adv 3101 rule 0 permit ip source 2 2 2 1 0 destination 2 2 3 1 0 Swit...

Page 351: ...1 SwitchA ipsec policy isakmp map1 10 remote address 2 2 3 1 Specify IKE profile profile1 SwitchA ipsec policy isakmp map1 10 ike profile profile1 SwitchA ipsec policy isakmp map1 10 quit Apply IPsec policy map1 to VLAN interface 1 SwitchA interface vlan interface 1 SwitchA Vlan interface1 ipsec apply policy map1 2 Configure Switch B Configure an IP address for VLAN interface 1 SwitchB system view...

Page 352: ...m set tran1 Specify the local and remote IP addresses of the IPsec tunnel as 2 2 3 1 and 2 2 2 1 SwitchB ipsec policy isakmp use1 10 local address 2 2 3 1 SwitchB ipsec policy isakmp use1 10 remote address 2 2 2 1 Specify IKE profile profile1 SwitchB ipsec policy isakmp use1 10 ike profile profile1 SwitchB ipsec policy isakmp use1 10 quit Apply IPsec policy use1 to VLAN interface 1 SwitchB interfa...

Page 353: ...witchA ipsec transform set tran1 esp encryption algorithm aes cbc 192 SwitchA ipsec transform set tran1 esp authentication algorithm sha1 SwitchA ipsec transform set tran1 quit Create an IKE keychain named keychain1 SwitchA ike keychain keychain1 Specify 12345zxcvb ZXCVB in plain text as the pre shared key to be used with the remote peer at 2 2 2 2 SwitchA ike keychain keychain1 pre shared key add...

Page 354: ... the packet encapsulation mode to tunnel SwitchB ipsec transform set tran1 encapsulation mode tunnel Use the ESP protocol for the IPsec transform set SwitchB ipsec transform set tran1 protocol esp Specify the encryption and authentication algorithms SwitchB ipsec transform set tran1 esp encryption algorithm aes cbc 192 SwitchB ipsec transform set tran1 esp authentication algorithm sha1 SwitchB ips...

Page 355: ...tch A and Switch B to trigger IKE negotiation After IPsec SAs are successfully negotiated by IKE the traffic between the two switches is IPsec protected Troubleshooting IKE IKE negotiation failed because no matching IKE proposals were found Symptom 1 The IKE SA is in Unknown state Sysname display ike sa Connection ID Remote Flag DOI 1 192 168 222 5 Unknown IPSEC Flags RD READY RL REPLACED FD FADIN...

Page 356: ...the matched IKE profile is not using the matched IKE keychain Failed to find keychain keychain1 in profile profile1 Solution Verify that the matched IKE proposal IKE proposal 1 in this debugging message example is specified for the IKE profile IKE profile 1 in the example Verify that the matched IKE keychain IKE keychain 1 in this debugging message example is specified for the IKE profile IKE prof...

Page 357: ...ATION Analysis Certain IPsec policy settings of the responder are incorrect Verify the settings as follows 1 Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1 If no matching IKE profiles were found and the IPsec policy is using an IKE profile the IPsec SA negotiation fails Verify that matching IKE profiles were found in IKE negotiatio...

Page 358: ...es a flow from one network segment to another but the responder s ACL defines a flow from one host to another host IPsec proposal matching will fail On the initiator Sysname display acl 3000 Advanced IPv4 ACL 3000 1 rule ACL s step is 5 rule 0 permit ip source 192 168 222 0 0 0 0 255 destination 192 168 222 0 0 0 0 255 On the responder Sysname display acl 3000 Advanced IPv4 ACL 3000 1 rule ACL s s...

Page 359: ...move the specified IKE profile from the IPsec policy Modify the specified IKE profile to match the IKE profile of the initiator 2 If the flow range defined by the responder s ACL is smaller than that defined by the initiator s ACL modify the responder s ACL so the ACL defines a flow range equal to or greater than that of the initiator s ACL For example Sysname display acl 3000 Advanced IPv4 ACL 30...

Page 360: ...changes during the initial exchange process IKE_SA_INIT and IKE_AUTH each with two messages IKE_SA_INIT exchange Negotiates IKE SA parameters and exchanges keys IKE_AUTH exchange Authenticates the identity of the peer and establishes IPsec SAs After the four message initial exchanges IKEv2 sets up one IKE SA and one pair of IPsec SAs For IKEv1 to set up one IKE SA and one pair of IPsec SAs it must...

Page 361: ...ders the initiator valid and proceeds with the negotiation If the carried cookie is incorrect the responder terminates the negotiation The cookie challenging mechanism automatically stops working when the number of half open IKE SAs drops below the threshold IKEv2 SA rekeying For security purposes both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the lifetime expires An IKEv1 SA ...

Page 362: ...ie challenging feature takes effect only on IKEv2 responders Configuring an IKEv2 profile An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation To configure an IKEv2 profile perform the following tasks 1 Specify the local and remote identity authentication methods The local and remote identity authentication methods must both be specified and they can be different You c...

Page 363: ...kets after it de encapsulates them If you specify an inside VPN instance the device looks for a route in the specified VPN instance to forward the packets If you do not specify an inside VPN instance the internal and external networks are in the same VPN instance The device looks for a route in this VPN instance to forward the packets 11 Configure the NAT keepalive interval Configure this task whe...

Page 364: ... address interface type interface number ipv4 address ipv6 ipv6 address By default an IKEv2 profile can be applied to any local interface or IP address 9 Optional Specify a priority for the IKEv2 profile priority priority By default the priority of an IKEv2 profile is 100 10 Optional Specify a VPN instance for the IKEv2 profile match vrf name vrf name any By default an IKEv2 profile belongs to the...

Page 365: ...view ikev2 policy policy name By default an IKEv2 policy named default exists 3 Specify the local interface or address used for IKEv2 policy matching match local address interface type interface number ipv4 address ipv6 ipv6 address By default no local interface or address is used for IKEv2 policy matching and the policy matches any local interface or address 4 Specify a VPN instance for IKEv2 pol...

Page 366: ...n FIPS mode encryption 3des cbc aes cbc 128 aes cbc 192 aes cbc 256 aes ctr 128 aes ctr 192 aes ctr 256 camellia cbc 128 camellia cbc 192 camellia cbc 256 des cbc In FIPS mode encryption aes cbc 128 aes cbc 192 aes cbc 256 aes ctr 128 aes ctr 192 aes ctr 256 By default an IKEv2 proposal does not have any encryption algorithms 4 Specify the integrity protection algorithms In non FIPS mode integrity...

Page 367: ...tem view N A 2 Create an IKEv2 keychain and enter IKEv2 keychain view ikev2 keychain keychain name By default no IKEv2 keychains exist 3 Create an IKEv2 peer and enter IKEv2 peer view peer name By default no IKEv2 peers exist 4 Configure the information for identifying the IKEv2 peer To configure a host name for the peer hostname host name To configure a host IP address or address range for the pe...

Page 368: ...nterval exceeds the DPD interval it sends a DPD message to the peer to detect its liveliness If the device has no data to send it never sends DPD messages If you configure IKEv2 DPD in both IKEv2 profile view and system view the IKEv2 DPD settings in IKEv2 profile view apply If you do not configure IKEv2 DPD in IKEv2 profile view the IKEv2 DPD settings in system view apply To configure global IKEv...

Page 369: ... tunnel id Display IKEv2 statistics display ikev2 statistics Delete IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs reset ikev2 sa local remote ipv4 address ipv6 ipv6 address vpn instance vpn instance name tunnel tunnel id fast Clear IKEv2 statistics reset ikev2 statistics Troubleshooting IKEv2 IKEv2 negotiation failed because no matching IKEv2 proposals were found Symptom The IKEv2 S...

Page 370: ...nd IKEv2 proposals are correctly configured on both ends The two ends cannot establish an IPsec tunnel or cannot communicate through the established IPsec tunnel Analysis The IKEv2 SA or IPsec SAs on either end are lost The reason might be that the network is unstable and the device reboots Solution 1 Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends If the IKEv2 ...

Page 371: ... allowing a user to log in to the device for file upload and download The device can also act as an SCP client enabling a user to log in from the device to a remote device for secure file transfer NETCONF over SSH Based on SSH2 it enables users to securely log in to the device through SSH and perform NETCONF operations on the device through the NETCONF over SSH connections The device can act only ...

Page 372: ...cute commands of more than 2000 bytes save the commands in a configuration file upload the file to the server through SFTP and use it to restart the server SSH authentication methods This section describes authentication methods that are supported by the device when it acts as an SSH server Password authentication The SSH server authenticates a client through the AAA mechanism The password authent...

Page 373: ...t public key configuration see Managing public keys Password publickey authentication The server requires SSH2 clients to pass both password authentication and publickey authentication However an SSH1 client only needs to pass either authentication Any authentication The server requires clients to pass password authentication or publickey authentication SSH support for Suite B Suite B contains a s...

Page 374: ...ny Optional if the authentication method is password Optional Configuring the SSH management parameters N A Optional Specifying a PKI domain for the SSH server N A Generating local key pairs The DSA ECDSA or RSA key pairs on the SSH server are required for generating the session keys and session ID in the key exchange stage They can also be used by a client to authenticate the server When a client...

Page 375: ... create ecdsa secp384r1 command generates only one ECDSA host key pair Configuration procedure To generate local key pairs on the SSH server Step Command Remarks 1 Enter system view system view N A 2 Generate local key pairs public key local create dsa ecdsa secp256r1 secp384r1 rsa By default no local key pairs exist on the server Enabling the Stelnet server After you enable the Stelnet server on ...

Page 376: ...Enter system view system view N A 2 Enable NETCONF over SSH netconf ssh server enable By default NETCONF over SSH is disabled For more information about NETCONF over SSH commands see Network Management and Monitoring Command Reference Configuring the user lines for SSH login Depending on the SSH application an SSH client can be an Stelnet client SFTP client SCP client or NETCONF over SSH client On...

Page 377: ... best practice Entering a client s host public key Before you enter the client s host public key you must use the display public key local public command on the client to obtain the client s host public key To enter a client s host public key Step Command Remarks 1 Enter system view system view N A 2 Enter public key view public key peer keyname N A 3 Configure a client s host public key Enter the...

Page 378: ...directory depends on the authentication method If the authentication method is password the working directory is authorized by AAA If the authentication method is publickey or password publickey the working folder is specified by the authorization attribute command in the associated local user view For an SSH user the user role also depends on the authentication method If the authentication method...

Page 379: ...al for updating the RSA server key pair ssh server rekey interval interval By default the RSA server key pair is not updated This command takes effect only on SSH1 users This command is not available in FIPS mode 4 Set the SSH user authentication timeout timer ssh server authentication timeout time out value The default setting is 60 seconds If a user does not finish the authentication when the ti...

Page 380: ...t affect online SSH users Specifying a PKI domain for the SSH server The PKI domain specified for the SSH server has the following functions The SSH server uses the PKI domain to send its certificate to the client in the key exchange stage The SSH server uses the PKI domain to authenticate the client s certificate if no PKI domain is specified for the client authentication by using the ssh user co...

Page 381: ...rposes Ensuring the communication between the Stelnet client and the Stelnet server Improving the manageability of Stelnet clients in authentication service To specify the source IP address for SSH packets Step Command Remarks 1 Enter system view system view N A 2 Specify the source address for SSH packets Specify the source IPv4 address for SSH packets ssh client source interface interface type i...

Page 382: ...3des cbc aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm des cbc prefer stoc hmac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 dscp dscp value escape character public key keyname server pki domain domain name source interface interface type interface number ip ip address In FIPS mode ssh2 server port number vpn instance vpn instance name identity key ecdsa sha2 nistp256 e...

Page 383: ...istp384 rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 pki domain domain name prefer compress zlib prefer ctos cipher aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm prefer ctos hmac sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc cipher aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ...

Page 384: ...P directories N A Optional Working with SFTP files N A Optional Displaying help information N A Optional Terminating the connection with the SFTP server N A Generating local key pairs Generate local key pairs on the SFTP client when the SFTP server uses the authentication method publickey password publickey or any Configuration restrictions and guidelines When you generate local key pairs on an SF...

Page 385: ...ishing a connection to an SFTP server When you try to access an SFTP server the device must use the server s host public key to authenticate the server If the server s host public key is not configured on the device the device will notify you to confirm whether to continue with the access If you choose to continue the device accesses the server and downloads the server s host public key If you cho...

Page 386: ...6 sha2 256 sha2 512 public key keyname server pki domain domain name source interface interface type interface number ip ip address To establish a connection to an IPv6 SFTP server Task Command Remarks Establish a connection to an IPv6 SFTP server In non FIPS mode sftp ipv6 server port number vpn instance vpn instance name i interface type interface number identity key dsa ecdsa sha2 nistp256 ecds...

Page 387: ...To establish a connection to an SFTP server based on Suite B Task Command Remarks Establish a connection to an SFTP server based on Suite B Establish a connection to an IPv4 SFTP server based on Suite B sftp server port number vpn instance vpn instance name suite b 128 bit 192 bit pki domain domain name server pki domain domain name prefer compress zlib dscp dscp value source interface interface t...

Page 388: ...Download a file from the SFTP server and save it locally get remote file local file Available in SFTP client view Upload a local file to the SFTP server put local file remote file Available in SFTP client view Display files under a directory dir a l remote path ls a l remote path Available in SFTP client view The dir command has the same function as the ls command Delete one or more directories fr...

Page 389: ... pairs The key modulus length must be less than 2048 bits when you generate a DSA key pair Configuration procedure To generate local key pairs on the SCP client Step Command Remarks 1 Enter system view system view N A 2 Generate local key pairs public key local create dsa ecdsa secp256r1 secp384r1 rsa By default no local key pairs exist on an SCP client Establishing a connection to an SCP server W...

Page 390: ... get source file name destination file name identity key ecdsa sha2 nistp256 ecdsa sha2 nistp384 rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 pki domain domain name prefer compress zlib prefer ctos cipher aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm prefer ctos hmac sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 n...

Page 391: ...mac sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc cipher aes128 cbc aes128 ctr aes128 gcm aes192 ctr aes256 cbc aes256 ctr aes256 gcm prefer stoc hmac sha1 sha1 96 sha2 256 sha2 512 public key keyname server pki domain domain name source interface interface type interface number ipv6 ipv6 address Establishing a connection to an SCP serv...

Page 392: ...ct SSH1 sessions Specifying key exchange algorithms for SSH2 Step Command Remarks 1 Enter system view system view N A 2 Specify key exchange algorithms for SSH2 In non FIPS mode ssh2 algorithm key exchange dh group exchange sha1 dh group1 sha1 dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 In FIPS mode ssh2 algorithm key exchange dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 By defa...

Page 393: ... encryption algorithms aes128 ctr aes192 ctr aes256 ctr aes128 gcm aes256 gcm aes128 cbc 3des cbc aes256 cbc and des cbc in descending order of priority for algorithm negotiation Specifying MAC algorithms for SSH2 Step Command Remarks 1 Enter system view system view N A 2 Specify MAC algorithms for SSH2 In non FIPS mode ssh2 algorithm mac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 In FIPS mode ssh2...

Page 394: ... RSA key pairs are supported Do not generate a DSA key pair on the Stelnet server Password authentication enabled Stelnet server configuration example Network requirements As shown in Figure 99 The switch acts as the Stelnet server and uses password authentication The username and password of the client are saved on the switch Establish an Stelnet connection between the host and the switch so you ...

Page 395: ...tion mode scheme Switch line vty0 63 quit Create a local device management user named client001 Switch local user client001 class manage Set the password to aabbcc in plain text for local user client001 Switch luser manage client001 password simple aabbcc Authorize local user client001 to use the SSH service Switch luser manage client001 service type ssh Assign the network admin user role to local...

Page 396: ...ample and password aabbcc in this example you can enter the CLI of the server Publickey authentication enabled Stelnet server configuration example Network requirements As shown in Figure 101 the switch acts as the Stelnet server and it uses publickey authentication and the RSA public key algorithm Establish an Stelnet connection between the host and the switch so you can log in to the switch to c...

Page 397: ...example uses an Stelnet client that runs PuTTY version 0 58 The configuration procedure is as follows 1 Generate RSA key pairs on the Stelnet client a Run PuTTYGen exe on the client select SSH 2 RSA and click Generate Figure 102 Generating a key pair on the client a Continue moving the mouse during the key generating process but do not place the mouse over the green progress bar shown in Figure 10...

Page 398: ...ting process a After the key pair is generated click Save public key to save the public key A file saving window appears Figure 104 Saving a key pair on the client d Enter a file name key pub in this example and click Save ...

Page 399: ...enerate a DSA key pair Switch public key local create dsa The range of public key modulus is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair Switch public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully ...

Page 400: ... user client002 to use the SSH service Switch luser manage client002 service type ssh Assign the network admin user role to local user client002 Switch luser manage client002 authorization attribute user role network admin Switch luser manage client002 quit 3 Specify the private key file and establish a connection to the Stelnet server a Launch PuTTY exe on the Stelnet client to enter the interfac...

Page 401: ...lect Connection SSH Auth from the navigation tree The window shown in Figure 107 appears f Click Browse to bring up the file selection window navigate to the private key file private ppk in this example and click OK Figure 107 Specifying the private key file ...

Page 402: ...you can log in to Switch B to configure and manage Switch B Figure 108 Network diagram Configuration procedure 1 Configure the Stelnet server Generate RSA key pairs SwitchB system view SwitchB public key local create rsa The range of public key modulus is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generatin...

Page 403: ...SSH user named client001 Specify the service type as stelnet and the authentication method as password for the user SwitchB ssh user client001 service type stelnet authentication type password 2 Establish a connection to the Stelnet server Assign an IP address to VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 1 56 255 255 255 0 Sw...

Page 404: ...866991113B2D SwitchA pkey public key key1 485348 SwitchA pkey public key key1 peer public key end SwitchA quit Establish an SSH connection to the server and specify the host public key of the server SwitchA ssh2 192 168 1 40 public key key1 Username client001 Press CTRL C to abort Connecting to 192 168 1 40 port 22 client001 192 168 1 40 s password Enter a character and a dot to abort Copyright c ...

Page 405: ...can log in to Switch B to configure and manage Switch B Figure 109 Network diagram Configuration procedure In the server configuration the client s host public key is required Generate a DSA key pair on the client before configuring the Stelnet server 1 Configure the Stelnet client Assign an IP address to VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interfac...

Page 406: ... Create the key pair successfully Generate an ECDSA key pair SwitchB public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the Stelnet server SwitchB ssh server enable Assign an IP address to VLAN interface 2 The Stelnet client uses this address as the destination address for SSH connection SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip addr...

Page 407: ...nd a dot to abort Copyright c 2010 2016 Hewlett Packard Enterprise Development LP Without the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB Select Yes to access the server and download the server s host public key At the next connection attempt the client authenticates the server by using the saved server s host public key on the client Stelnet config...

Page 408: ...r ecdsa256 p12 to PKI domain server256 SwitchA pki import domain server256 p12 local filename ssh server ecdsa256 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A to Z 0 to 9 and hyphens Please enter the key pair name default name server256 Display information about local certifi...

Page 409: ...a256 p12 to PKI domain client256 SwitchA pki import domain client256 p12 local filename ssh client ecdsa256 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A to Z 0 to 9 and hyphens Please enter the key pair name default name client256 Display information about local certificates ...

Page 410: ... the client s certificate file ssh client ecdsa256 p12 to the Stelnet server through FTP or TFTP Details not shown Create a PKI domain named client256 for verifying the client s certificate and import the file of the client s certificate to this domain Details not shown Create a PKI domain named server256 for the server s certificate and import the file of the server s certificate to this domain D...

Page 411: ...2 192 168 1 40 suite b 128 bit pki domain client256 server pki domain server256 Username client001 Press CTRL C to abort Connecting to 192 168 1 40 port 22 Enter a character and a dot to abort Copyright c 2010 2016 Hewlett Packard Enterprise Development LP Without the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB SFTP configuration examples Unless oth...

Page 412: ...er than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair Switch public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the SFTP server Switch sftp server enable Assign an IP address to VLAN interface 2 The client uses this address as the des...

Page 413: ...assword and service type as sftp for the user Switch ssh user client002 service type sftp authentication type password 2 Establish a connection between the SFTP client and the SFTP server The device supports different types of SFTP client software This example uses an SFTP client that runs PSFTP of PuTTy version 0 58 NOTE PSFTP supports only password authentication To establish a connection to the...

Page 414: ...face vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 2 255 255 255 0 SwitchA Vlan interface2 quit Generate RSA key pairs SwitchA public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Export the ho...

Page 415: ... peer public key from the public key file pubkey and name it switchkey SwitchB public key peer switchkey import sshkey pubkey Create an SSH user named client001 Specify the service type as sftp and the authentication method as publickey for the user Assign the public key switchkey to the user SwitchB ssh user client001 service type sftp authentication type publickey assign publickey switchkey Crea...

Page 416: ... verify the result sftp mkdir new1 sftp dir l rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Change the name of directory new1 to new2 and verify the r...

Page 417: ...erver s certificate Details not shown You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties In this example the server s certificate file is ssh server ecdsa384 p12 and the client s certificate file is ssh client ecdsa384 p12 2 Configure the SFTP client NOTE You can modify the pkix version of the client ...

Page 418: ...4 3a 7c 5d b7 be d1 e6 9e f0 ce 95 39 ca fd a0 86 cd 54 ab 49 60 10 be 67 9f 90 3a 18 e2 7d d9 5f 72 27 09 e7 bf 7e 64 0a 59 bb b3 7d ae 88 14 94 45 b9 34 d2 f3 93 e1 ba b4 50 15 eb e5 45 24 31 10 c7 07 01 f9 dc a5 6f 81 ASN1 OID secp384r1 NIST CURVE P 384 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier 10 16 64 2C DA...

Page 419: ...ter Aug 19 10 10 59 2016 GMT Subject C CN ST BBB O AAA OU Software CN ssh client Subject Public Key Info Public Key Algorithm id ecPublicKey Public Key 384 bit pub 04 85 7c 8b f4 7a 36 bf 74 f6 7c 72 f9 08 69 d0 b9 ac 89 98 17 c9 fc 89 94 43 da 9a a6 89 41 d3 72 24 9b 9a 29 a8 d1 ba b4 e5 77 ba fc df ae c6 dd 46 72 ab bc d1 7f 18 7d 54 88 f6 b4 06 54 7e e7 4d 49 b4 07 dc 30 54 4b b6 5b 01 10 51 6b...

Page 420: ... an IP address to VLAN interface 2 SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 0 1 255 255 255 0 SwitchB Vlan interface2 quit Set the authentication mode to AAA for user lines SwitchB line vty 0 15 SwitchB line vty0 15 authentication mode scheme SwitchB line vty0 15 quit Create a local device management user named client001 Authorize the user to use the SSH servic...

Page 421: ...tablish an SCP connection between Switch A and Switch B so you can log in to Switch B to transfer files Figure 115 Network diagram Configuration procedure 1 Configure the SCP server Generate RSA key pairs SwitchB system view SwitchB public key local create rsa The range of public key modulus is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input t...

Page 422: ...er role network admin SwitchB luser manage client001 quit Create an SSH user named client001 Specify the service type as scp and the authentication method as password for the user SwitchB ssh user client001 service type scp authentication type password 2 Configure an IP address for VLAN interface 2 on the SCP client SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip ...

Page 423: ...ient ecdsa256 p12 and ssh client ecdsa384 p12 to the SCP client through FTP or TFTP Details not shown Create a PKI domain named server256 for verifying the server s certificate ecdsa256 and enter its view SwitchA system view SwitchA pki domain server256 Disable CRL checking SwitchA pki domain server256 undo crl check enable SwitchA pki domain server256 quit Import local certificate file ssh server...

Page 424: ...04 1c 61 78 f6 6b 7e f9 f9 42 8d 7c a7 bb 47 7c 2a 85 67 0d 81 12 0b 02 98 bc 06 1f c1 3c 9b c2 1b 4c 44 38 5a 14 b2 48 63 02 2b Create a PKI domain named client256 for the client s certificate ecdsa256 and enter its view SwitchA pki domain client256 Disable CRL checking SwitchA pki domain client256 undo crl check enable SwitchA pki domain client256 quit Import local certificate file ssh client ec...

Page 425: ...d 5a 2e dc 1d b3 8a bf ce ee 71 4e 8f d9 93 7f a3 48 a1 5c 17 cb 22 fa 8f b3 e5 76 89 06 9f 96 47 dc 34 87 02 31 00 e3 af 2a 8f d6 8d 1f 3a 2b ae 2f 97 b3 52 63 b6 18 67 70 2c 93 2a 41 c0 e7 fa 93 20 09 4d f4 bf d0 11 66 0f 48 56 01 1e c3 be 37 4e 49 19 cf c6 Create a PKI domain named server384 for verifying the server s certificate ecdsa384 and enter its view SwitchA pki domain server384 Disable ...

Page 426: ...enSSL Generated Certificate X509v3 Subject Key Identifier 10 16 64 2C DA C1 D1 29 CD C0 74 40 A9 70 BD 62 8A BB F4 D5 X509v3 Authority Key Identifier keyid 5A BE 85 49 16 E5 EB 33 80 25 EB D8 91 50 B4 E6 3E 4F B8 22 Signature Algorithm ecdsa with SHA384 30 65 02 31 00 80 50 7a 4f c5 cd 6a c3 57 13 7f e9 da c1 72 7f 45 30 17 c2 a7 d3 ec 73 3d 5f 4d e3 96 f6 a3 33 fb e4 b9 ff 47 f1 af 9d e3 03 d2 24...

Page 427: ...a6 89 41 d3 72 24 9b 9a 29 a8 d1 ba b4 e5 77 ba fc df ae c6 dd 46 72 ab bc d1 7f 18 7d 54 88 f6 b4 06 54 7e e7 4d 49 b4 07 dc 30 54 4b b6 5b 01 10 51 6b 0c 6d a3 b1 4b c9 d9 6c d6 be 13 91 70 31 2a 92 00 76 ASN1 OID secp384r1 NIST CURVE P 384 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier BD 5F 8E 4F 7B FE 74 03 5A D...

Page 428: ...ce 2 SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 0 1 255 255 255 0 SwitchB Vlan interface2 quit Set the authentication mode to AAA for user lines SwitchB line vty 0 15 SwitchB line vty0 15 authentication mode scheme SwitchB line vty0 15 quit Create a local device management user named client001 Authorize the user to use the SSH service and assign the network admin...

Page 429: ...ablish an SCP connection to the SCP server at 192 168 0 1 based on the 192 bit Suite B algorithms SwitchA scp 192 168 0 1 get src cfg suite b 192 bit pki domain client384 server pki domain server384 Username client002 Press CTRL C to abort Connecting to 192 168 0 1 port 22 src cfg 100 4814 4 7KB s 00 00 SwitchA NETCONF over SSH configuration example with password authentication Unless otherwise no...

Page 430: ...l take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair Switch public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable NETCONF over SSH Switch netconf ssh server enable Configure an IP address for VLAN interface 2 The client uses this address as the destinati...

Page 431: ...ce type ssh Assign the network admin user role to local user client001 Switch luser manage client001 authorization attribute user role network admin Switch luser manage client001 quit Create an SSH user named client001 Specify the service type as NETCONF and the authentication method as password for the user Switch ssh user client001 service type netconf authentication type password Verifying the ...

Page 432: ...message authentication code MAC to verify message integrity It uses a MAC algorithm and a key to transform a message of any length to a fixed length message Any change to the original message will result in a change to the calculated fixed length message As shown in Figure 118 the message integrity verification process is as follows a The sender uses a MAC algorithm and a key to calculate a MAC va...

Page 433: ... FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode SSL configuration task list Tasks at a glance Remarks Configuring an SSL server policy Perform this configuration task on the SSL server Configuring an SSL client policy Perform this configuration task on the SSL client Configuring an SSL server policy An SSL serve...

Page 434: ...no PKI domain is specified for an SSL server policy If SSL server authentication is required you must specify a PKI domain and request a local certificate for the SSL server in the domain For information about configuring a PKI domain see Configuring PKI 6 Specify the cipher suites that the SSL server policy supports In non FIPS mode ciphersuite dhe_rsa_aes_128_cbc_sh a dhe_rsa_aes_128_cbc_sha 256...

Page 435: ...lient verify enable optional By default SSL client authentication is disabled The SSL server does not perform digital certificate based authentication on SSL clients When authenticating a client by using the digital certificate the SSL server verifies the certificate chain presented by the client It also verifies that the certificates in the certificate chain except the root CA certificate are not...

Page 436: ...a256 dhe_rsa_aes_256_cbc_sh a dhe_rsa_aes_256_cbc_sh a256 ecdhe_ecdsa_aes_128_c bc_sha256 ecdhe_ecdsa_aes_128_g cm_sha256 ecdhe_ecdsa_aes_256_c bc_sha384 ecdhe_ecdsa_aes_256_g cm_sha384 ecdhe_rsa_aes_128_cbc_ sha256 ecdhe_rsa_aes_128_gcm _sha256 ecdhe_rsa_aes_256_cbc_ sha384 ecdhe_rsa_aes_256_gcm _sha384 exp_rsa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha r...

Page 437: ... default an SSL client policy uses TLS 1 0 To ensure security do not specify SSL 3 0 for an SSL client policy 7 Enable the SSL client to authenticate servers through digital certificates server verify enable By default SSL server authentication is enabled Displaying and maintaining SSL Execute display commands in any view Task Command Display cryptographic library version information display crypt...

Page 438: ...attack Description ICMP redirect An attacker sends ICMP redirect messages to modify the victim s routing table The victim cannot forward packets correctly ICMP destination unreachable An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations ICMP type A receiver responds to an ICMP packet according to its type An attacker sends forge...

Page 439: ...ns Windows system The malicious packets contain an illegal Urgent Pointer which causes the victim s operating system to crash UDP bomb An attacker sends a malformed UDP packet The length value in the IP header is larger than the IP header length plus the length value in the UDP header When the target system processes the packet a buffer overflow can occur which causes a system crash UDP Snork An a...

Page 440: ...his causes the server to be busy searching for SYN packets and the server is unable to process packets for normal services FIN flood attack FIN packets are used to shut down TCP connections A FIN flood attacker sends a large number of forged FIN packets to a server The victim might shut down correct connections or be unable to provide services because it is busy searching for matching connections ...

Page 441: ...eceiving host reassembles the fragments a TCP fragment attack occurs To prevent TCP fragment attacks enable TCP fragment attack prevention to drop attack TCP fragments Login dictionary attack The login dictionary attack is an automated process to attempt to log in by trying all possible passwords from a pre arranged list of values the dictionary Multiple login attempts can occur in a short period ...

Page 442: ... a single packet attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Enter attack defense policy view attack defense policy policy name N A 3 Configure signature detection for single packet attacks signature detect fraggle fragment impossible land large icmp large icmpv6 smurf snork tcp all flags tcp fin only tcp invalid flags tcp null flag tcp syn fin tiny fragment tr...

Page 443: ...ow medium action drop logging none The default action is logging for single packet attacks of the informational and low levels The default actions are logging and drop for single packet attacks of the medium and high levels 6 Optional Enable signature detection for single packet attacks of a specific level signature level high info low medium detect By default signature detection is disabled for a...

Page 444: ... The default setting is 1000 5 Specify global actions against SYN flood attacks syn flood action drop logging By default no global action is specified for SYN flood attacks 6 Configure IP address specific SYN flood attack detection syn flood detect ip ipv4 address ipv6 ipv6 address vpn instance vpn instance name threshold threshold value action drop logging none By default IP address specific SYN ...

Page 445: ...onfigured Configuring a FIN flood attack defense policy Step Command Remarks 1 Enter system view system view N A 2 Enter attack defense policy view attack defense policy policy name N A 3 Enable global FIN flood attack detection fin flood detect non specific By default global FIN flood attack detection is disabled 4 Set the global trigger threshold for FIN flood attack prevention fin flood thresho...

Page 446: ...fy global actions against ICMP flood attacks icmp flood action drop logging By default no global action is specified for ICMP flood attacks 6 Configure IP address specific ICMP flood attack detection icmp flood detect ip ip address vpn instance vpn instance name threshold threshold value action drop logging none By default IP address specific ICMP flood attack detection is not configured Configuri...

Page 447: ...ttack defense policy policy name N A 3 Enable global DNS flood attack detection dns flood detect non specific By default global DNS flood attack detection is disabled 4 Set the global trigger threshold for DNS flood attack prevention dns flood threshold threshold value The default setting is 1000 5 Optional Specify the global ports to be protected against DNS flood attacks dns flood port port list...

Page 448: ...dentify packets from trusted servers The exemption feature reduces the false alarm rate and improves packet processing efficiency For example the attack defense policy identifies multicast packets with the same source addresses and different destination addresses as scanning attack packets for example OSPF or PIM packets You can configure an ACL to exempt such packets from attack detection If an A...

Page 449: ...o which the victim IP address belongs As a best practice do not disable log aggregation A large number of logs will consume the display resources of the console To enable log non aggregation for single packet attack events Step Command Remarks 1 Enter system view system view N A 2 Enable log non aggregation for single packet attack events attack defense signature log non aggregate By default log n...

Page 450: ...ing attackers display attack defense scan attacker ipv6 local slot slot number count Display information about IPv4 scanning attack victims display attack defense scan victim ip local slot slot number count Display information about IPv6 scanning attack victims display attack defense scan victim ipv6 local slot slot number count Display flood attack detection and prevention statistics for an IPv4 ...

Page 451: ...ion Configure the device to output logs if it detects such attacks To prevent the SYN flood attacks that aim at the external interface of the switch enable IP address specific SYN flood attack detection for 192 168 2 1 24 When the device receives 5000 or more SYN packets sent to the protected IP address per second it outputs logs and drops the packets To prevent the SYN flood attacks that aim at t...

Page 452: ...evention action Switch attack defense policy a1 syn flood detect non specific Switch attack defense policy a1 syn flood threshold 2000 Switch attack defense policy a1 syn flood action logging Switch attack defense policy a1 quit Apply the attack defense policy to the device Switch attack defense local apply policy a1 Verifying the configuration Verify that attack defense policy a1 is correctly con...

Page 453: ...d Disabled info L ICMP parameter problem Disabled info L ICMP timestamp request Disabled info L ICMP timestamp reply Disabled info L ICMP information request Disabled info L ICMP information reply Disabled info L ICMP address mask request Disabled info L ICMP address mask reply Disabled info L ICMPv6 echo request Disabled info L ICMPv6 echo reply Disabled info L ICMPv6 group membership query Disab...

Page 454: ...lood attack packets that are destined for the protected IP address the device outputs logs and drops the attack packets If the device receives TCP SYN flood attack packets that are destined for the device but not to the protected IP address the device outputs logs Display the attack detection and prevention statistics Switch display attack defense statistics local Attack policy name a1 Slot 1 Scan...

Page 455: ... If the number of TCP connections in a state exceeds the limit the device will accelerate the aging of the TCP connections in that state to mitigate the Naptha attack To configure Naptha attack prevention Step Command Remarks 1 Enter system view system view N A 2 Enable Naptha attack prevention tcp anti naptha enable By default Naptha attack prevention is disabled 3 Optional Set the maximum number...

Page 456: ... Generated based on information from other modules For more information about dynamic bindings see Dynamic IPSG bindings As shown in Figure 121 IPSG forwards only the packets that match an IPSG binding Figure 121 IPSG application Static IPSG bindings Static IPSG bindings are configured manually They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually confi...

Page 457: ... IPSG allows only packets from the DHCP clients to pass through Dynamic IPv4SG Dynamic bindings generated based on different source modules are for different usages Interface types Source modules Binding usage Layer 2 Ethernet port DHCP snooping 802 1X ARP snooping Packet filtering Layer 3 Ethernet interface VLAN interface DHCP relay agent Packet filtering DHCP server For cooperation with modules ...

Page 458: ...nooping 802 1X DHCP snooping DHCP relay agent or DHCP server operates correctly on the network To enable the IPv4SG feature on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The following interface types are supported Layer 2 Ethernet port Layer 3 Ethernet interface Layer 3 Ethernet subinterface Layer 3 aggrega...

Page 459: ...tack detection feature the vlan vlan id option must be specified and ARP attack detection must be enabled for the specified VLAN You can configure the same static IPv4SG binding on different interfaces Configuring the IPv6SG feature You cannot configure the IPv6SG feature on a service loopback interface If IPv6SG is enabled on an interface you cannot assign the interface to a service loopback grou...

Page 460: ...a global static IPv6SG binding Step Command Remarks 1 Enter system view system view N A 2 Configure a global static IPv6SG binding ipv6 source binding ip address ipv6 address mac address mac address No global static IPv6SG bindings exist Configuring a static IPv6SG binding on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type inter...

Page 461: ...ly IP packets from Host C to pass Ten GigabitEthernet 1 0 1 of Device A allows only IP packets from Host A to pass All interfaces of Device B allow IP packets from Host A to pass Ten GigabitEthernet 1 0 1 of Device B allows IP packets from Host B to pass Figure 122 Network diagram Configuration procedure 1 Configure Device A Configure IP addresses for the interfaces Details not shown Enable IPv4SG...

Page 462: ...g for Host B DeviceB interface ten gigabitethernet 1 0 1 DeviceB Ten GigabitEthernet1 0 1 ip source binding mac address 0001 0203 0407 DeviceB Ten GigabitEthernet1 0 1 quit Verifying the configuration Verify that the static IPv4SG bindings are configured successfully on Device A DeviceA display ip source binding static Total entries found 2 IP Address MAC Address Interface VLAN Type 192 168 0 1 00...

Page 463: ...P address and MAC address for dynamic IPSG Device interface ten gigabitethernet 1 0 1 Device Ten GigabitEthernet1 0 1 ip verify source ip address mac address Enable recording of client information in DHCP snooping entries on Ten GigabitEthernet 1 0 1 Device Ten GigabitEthernet1 0 1 dhcp snooping binding record Device Ten GigabitEthernet1 0 1 quit Verifying the configuration Verify that a dynamic I...

Page 464: ...e VLAN interface 100 to operate in DHCP relay mode Switch interface vlan interface 100 Switch Vlan interface100 dhcp select relay Specify the IP address of the DHCP server Switch Vlan interface100 dhcp relay server address 10 1 1 1 Switch Vlan interface100 quit Verifying the configuration Verify that a dynamic IPv4SG binding is generated based on a DHCP relay entry Switch display ip source binding...

Page 465: ...ins an IP address from the DHCPv6 server Perform the following tasks Enable DHCPv6 snooping on the device to make sure the DHCPv6 client obtains an IPv6 address from the authorized DHCPv6 server To generate a DHCPv6 snooping entry for the DHCPv6 client enable recording of client information in DHCPv6 snooping entries Enable dynamic IPv6SG on Ten GigabitEthernet 1 0 1 to filter incoming packets by ...

Page 466: ...e 127 DHCPv6 relay agent is enabled on the switch The clients obtain IPv6 addresses from the DHCPv6 server through the DHCPv6 relay agent Enable dynamic IPv6SG on VLAN interface 3 to filter incoming packets by using the IPv6SG bindings generated based on DHCPv6 relay entries Figure 127 Network diagram Configuration procedure 1 Configure the DHCPv6 relay agent Create VLAN 2 and VLAN 3 assign interf...

Page 467: ...ce 3 Switch Vlan interface3 ipv6 verify source ip address mac address Switch Vlan interface3 quit Verifying the configuration Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 relay entry Switch display ipv6 source binding dhcpv6 relay Total entries found 1 IP Address MAC Address Interface VLAN Type 1 2 0001 0203 0406 Vlan3 3 DHCPv6 relay ...

Page 468: ...istency check configured on gateways Configuring ARP active acknowledgement configured on gateways Configuring authorized ARP configured on gateways Configuring ARP attack detection configured on access devices Configuring ARP scanning and fixed ARP configured on gateways Configuring ARP gateway protection configured on access devices Configuring ARP filtering configured on access devices Configur...

Page 469: ...in 5 seconds arp source suppression limit limit value By default the maximum number is 10 Configuring ARP blackhole routing Step Command Remarks 1 Enter system view system view N A 2 Enable ARP blackhole routing arp resolving route enable By default ARP blackhole routing is enabled 3 Optional Set the number of ARP blackhole route probes for each unresolved IP address arp resolving route probe coun...

Page 470: ... Device arp source suppression enable Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds Device arp source suppression limit 100 If the attack packets have different source addresses configure ARP blackhole routing Enable ARP blackhole routing Device arp resolving route enable Configuring ARP packet rate limit The ARP packet rate limit feat...

Page 471: ...center see Network Management and Monitoring Configuration Guide To configure ARP packet rate limit Step Command Remarks 1 Enter system view system view N A 2 Optional Enable notification sending for ARP packet rate limit snmp agent trap enable arp rate limit By default notification sending for ARP packet rate limit is disabled 3 Optional Enable logging for ARP packet rate limit arp rate limit log...

Page 472: ...rp source mac filter monitor By default this feature is disabled When you change the handling method from monitor to filter the configuration takes effect immediately When you change the handling method from filter to monitor the device continues filtering packets that match existing attack entries 3 Set the threshold arp source mac threshold threshold value The default threshold is 30 4 Set the a...

Page 473: ...re the gateway in the following steps 1 Enable source MAC based ARP attack detection and specify the handling method as filter 2 Set the threshold 3 Set the lifetime for ARP attack entries 4 Exclude the MAC address of the server from this detection Configuration procedure Enable source MAC based ARP attack detection and specify the handling method as filter Device system view Device arp source mac...

Page 474: ...y sends an ARP reply but does not create an ARP entry Upon receiving an ARP reply the gateway determines whether it has resolved the sender IP address If yes the gateway performs active acknowledgement When the ARP reply is verified as valid the gateway creates an ARP entry If no the gateway discards the packet For ARP active acknowledgement to take effect in strict mode make sure ARP blackhole ro...

Page 475: ...rized ARP on Ten GigabitEthernet 1 0 1 of Device A a DHCP server to ensure user validity Figure 130 Network diagram Configuration procedure 1 Configure Device A Specify the IP address for Ten GigabitEthernet 1 0 1 DeviceA system view DeviceA interface ten gigabitethernet 1 0 1 DeviceA Ten GigabitEthernet1 0 1 ip address 10 1 1 1 24 DeviceA Ten GigabitEthernet1 0 1 quit Configure DHCP DeviceA dhcp ...

Page 476: ...e communication fails Thus user validity is ensured Configuration example on a DHCP relay agent Network requirements As shown in Figure 131 configure authorized ARP on Ten GigabitEthernet 1 0 2 of Device B a DHCP relay agent to ensure user validity Figure 131 Network diagram Configuration procedure 1 Configure Device A Specify the IP address for Ten GigabitEthernet 1 0 1 DeviceA system view Device...

Page 477: ...C Ten GigabitEthernet1 0 2 ip address dhcp alloc DeviceC Ten GigabitEthernet1 0 2 quit Verifying the configuration Display authorized ARP information on Device B DeviceB display arp all Type S Static D Dynamic O Openflow R Rule M Multiport I Invalid IP Address MAC Address VID Interface Link ID Aging Type 10 10 1 2 0012 3f86 e94c N A XGE1 0 2 16 D The output shows that Device A assigned the IP addr...

Page 478: ...curity entry The 802 1X client must be enabled to upload its IP address to the device For more information see Configuring 802 1X Configuration guidelines When you configure user validity check follow these guidelines Make sure one or more of the following items are configured for user validity check User validity check rules Static IP source guard bindings DHCP snooping 802 1X If none of the item...

Page 479: ...marks 1 Enter system view system view N A 2 Enter VLAN view vlan vlan id N A 3 Enable ARP attack detection arp detection enable By default ARP attack detection is disabled 4 Return to system view quit N A 5 Enable ARP packet validity check and specify the objects to be checked arp detection validate dst mac ip src mac By default ARP packet validity check is disabled 6 Enter Layer 2 Ethernet interf...

Page 480: ...dropped ARP packets To enable ARP attack detection logging Step Command Remarks 1 Enter system view system view N A 2 Enable ARP attack detection logging arp detection log enable By default ARP attack detection logging is disabled Displaying and maintaining ARP attack detection Execute display commands in any view and reset commands in user view Task Command Display the VLANs enabled with ARP atta...

Page 481: ... DeviceB Ten GigabitEthernet1 0 1 dot1x DeviceB Ten GigabitEthernet1 0 1 quit DeviceB interface ten gigabitethernet 1 0 2 DeviceB Ten GigabitEthernet1 0 2 dot1x DeviceB Ten GigabitEthernet1 0 2 quit Add a local user test DeviceB local user test DeviceB luser test service type lan access DeviceB luser test password simple test DeviceB luser test quit Enable ARP attack detection for VLAN 10 to check...

Page 482: ... to VLAN 10 and specify the IP address of VLAN interface 10 on Device A Details not shown 2 Configure the DHCP server on Device A and configure DHCP address pool 0 DeviceA system view DeviceA dhcp enable DeviceA dhcp server ip pool 0 DeviceA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 3 Configure Host A DHCP client and Host B Details not shown 4 Configure Device B Enable DHCP snooping DeviceB ...

Page 483: ...address 0001 0203 0607 vlan 10 DeviceB Ten GigabitEthernet1 0 2 quit Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets DeviceB arp detection validate dst mac ip src mac After the configurations are completed Device B first checks the validity of ARP packets received on Ten GigabitEthernet 1 0 1 and Ten GigabitEthernet 1 0 2 If the ARP packets are confir...

Page 484: ...ard entry on interface Ten GigabitEthernet 1 0 2 DeviceB interface ten gigabitethernet 1 0 2 DeviceB Ten GigabitEthernet1 0 2 ip source binding ip address 10 1 1 6 mac address 0001 0203 0607 vlan 10 DeviceB Ten GigabitEthernet1 0 2 quit Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets DeviceB arp detection validate dst mac ip src mac Configure port iso...

Page 485: ... you configure ARP scanning and fixed ARP IP addresses in existing ARP entries are not scanned ARP scanning will take some time To stop an ongoing scan press Ctrl C Dynamic ARP entries are created based on ARP replies received before the scan is terminated The arp fixup command is a one time operation You can use this command again to convert the dynamic ARP entries learned later to static Due to ...

Page 486: ...th ARP attack detection ARP snooping and ARP fast reply ARP gateway protection applies first Configuration procedure To configure ARP gateway protection Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface and Layer 2 aggregate interface view interface interface type interface number N A 3 Enable ARP gateway protection for the specified gateway arp filter sou...

Page 487: ...lines Follow these guidelines when you configure ARP filtering You can configure a maximum of eight permitted entries on an interface Do not configure both the arp filter source and arp filter binding commands on an interface If ARP filtering works with ARP attack detection ARP snooping and ARP fast reply ARP filtering applies first Configuration procedure To configure ARP filtering Step Command R...

Page 488: ...ket in a VLAN before ARP learning If the sender IP address is within the allowed IP address range the gateway continues ARP learning If the sender IP address is out of the range the gateway determines the ARP packet as an attack packet and discards it When you configure the ARP sender IP address checking feature in a VLAN follow these restrictions and guidelines If the VLAN is a sub VLAN and is as...

Page 489: ...er VLAN view vlan vlan id N A 3 Enable the ARP sender IP address checking feature and specify the IP address range arp sender ip range start ip address end ip address By default the ARP sender IP address checking feature is disabled ...

Page 490: ...rce MAC consistency check ND messages in which the Ethernet frame header and the source link layer address option of the ND message contain different source MAC addresses ND attack detection ND messages in which the mapping between the source IPv6 address and the source MAC address is invalid RA guard RA messages incompliant with the RA guard policy or identified to be sent from hosts ND attack de...

Page 491: ... devices ND attack detection defines the following types of interfaces ND trusted interface The device directly forwards ND messages or data packets received by ND trusted interfaces It does not perform user validity check ND untrusted interface The device discards RA and redirect messages received by ND untrusted interfaces For other types of ND messages received by the ND untrusted interfaces th...

Page 492: ...bled 4 Return to system view quit N A 5 Enter Layer 2 Ethernet or aggregate interface view interface interface type interface number N A 6 Optional Configure the interface as ND trusted interface ipv6 nd detection trust By default all interfaces are ND untrusted interfaces Displaying and maintaining ND attack detection Execute display commands in any view and reset commands in user view Task Comma...

Page 493: ...abitEthernet1 0 3 quit Assign IPv6 address 10 1 64 to VLAN interface 10 DeviceA interface vlan interface 10 DeviceA Vlan interface10 ipv6 address 10 1 64 DeviceA Vlan interface10 quit 2 Configure Device B Create VLAN 10 DeviceB system view DeviceB vlan 10 DeviceB vlan10 quit Configure Ten GigabitEthernet 1 0 1 Ten GigabitEthernet 1 0 2 and Ten GigabitEthernet 1 0 3 to trunk VLAN 10 DeviceB interfa...

Page 494: ...Ten GigabitEthernet 1 0 2 based on the ND snooping entries Configuring RA guard About RA guard RA guard allows Layer 2 access devices to analyze and block unwanted and forged RA messages Upon receiving an RA message the device makes the forwarding or dropping decision based on the role of the attached device or the RA guard policy 1 If the role of the device attached to the port is router the devi...

Page 495: ...ult no router preference match criterion exists 6 Optional Specify an M flag match criterion if match autoconfig managed address flag off on By default no M flag match criterion exists 7 Optional Specify an O flag match criterion if match autoconfig other flag off on By default no O flag match criterion exists 8 Optional Specify a maximum or minimum hop limit match criterion if match hop limit max...

Page 496: ...d statistics interface interface type interface number Clear RA guard statistics reset ipv6 nd raguard statistics interface interface type interface number RA guard configuration example Network requirements As shown in Figure 138 Ten GigabitEthernet 1 0 1 Ten GigabitEthernet 1 0 2 and Ten GigabitEthernet 1 0 3 of Device B are in VLAN 10 Configure RA guard on Device B to filter forged and unwanted...

Page 497: ...1 port access vlan 10 DeviceB Ten GigabitEthernet1 0 1 quit DeviceB interface ten gigabitethernet 1 0 2 DeviceB Ten GigabitEthernet1 0 2 port link type access DeviceB Ten GigabitEthernet1 0 2 port access vlan 10 DeviceB Ten GigabitEthernet1 0 2 quit Configure Ten GigabitEthernet 1 0 3 to trunk VLAN 10 DeviceB interface ten gigabitethernet 1 0 3 DeviceB Ten GigabitEthernet1 0 3 port link type trunk...

Page 498: ...hat the device drops RA messages received on Ten GigabitEthernet 1 0 1 Details not shown Verify that the device forwards RA messages received on Ten GigabitEthernet 1 0 3 to other ports in VLAN 10 Details not shown ...

Page 499: ...esses or attack multiple servers simultaneously to block connections or even break down the network uRPF can prevent these source address spoofing attacks It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet If not uRPF considers it a spoofing attack and discards the packet uRPF check modes uRPF supports strict...

Page 500: ...r packets 2 uRPF checks whether the source address matches a FIB entry Checks the received packet Broadcast source address All zero source address Matching FIB entry found Broadcast destination address Default route found Loose uRPF Allows the packet to pass Discards the packet Yes Yes Yes Yes No Yes Yes No No Receiving interface matches the output interface of the default route No No No No Loose ...

Page 501: ... If no uRPF proceeds to step 9 5 uRPF checks whether the source IP address matches an ARP entry If yes uRPF proceeds to step 8 If no uRPF proceeds to step 9 6 uRPF checks whether the FIB table has a default route If yes uRPF proceeds to step 7 If no uRPF proceeds to step 9 7 uRPF checks whether the check mode is loose If yes uRPF proceeds to step 8 If no uRPF checks whether the output interface of...

Page 502: ...fter you enable the uRPF feature on the switch the routing table size might decrease by half If the number of routes exceeds half the routing table size of the switch the uRPF feature cannot be enabled to avoid loss of routes and packets To enable uRPF globally Step Command Remarks 1 Enter system view system view N A 2 Enable uRPF globally ip urpf loose strict By default uRPF is disabled Displayin...

Page 503: ...cts to an ISP switch Switch B To prevent source address spoofing attacks perform the following tasks Enable strict uRPF check on Switch A Enable strict uRPF check on Switch B Figure 142 Network diagram Configuration procedure 1 Enable strict uRPF check on Switch A SwitchA system view SwitchA ip urpf strict 2 Enable strict uRPF check on Switch B SwitchB system view SwitchB ip urpf strict ...

Page 504: ...ules They are always enabled You cannot enable or disable software crypto engines The switch only supports a software crypto engine in the current software version Crypto engines provide encryption decryption services for service modules for example the IPsec module When a service module requires data encryption decryption it sends the desired data to a crypto engine After the crypto engine comple...

Page 505: ...y with the password control policies such as password length complexity and aging policy When the aging timer for a password expires the system prompts you to change the password If you adjust the system time after the device enters FIPS mode the login password might expire before the next login because the original system time is typically much earlier than the actual time If you choose the autom...

Page 506: ... automatic reboot and manual reboot Automatic reboot To use automatic reboot to enter FIPS mode 1 Enable FIPS mode 2 Select the automatic reboot method The system automatically performs the following tasks a Create a default FIPS configuration file named fips startup cfg b Specify the default file as the startup configuration file c Prompt you to configure the username and password for next login ...

Page 507: ...rver and client are disabled The HTTP server is disabled SNMPv1 and SNMPv2c are disabled Only SNMPv3 is available The SSL server supports TLS1 0 TLS1 1 and TLS1 2 The SSH server does not support SSHv1 clients and DSA key pairs The generated RSA and DSA key pairs must have a modulus length of 2048 bits When the device acts as a server to authenticate a client through the public key the key pair for...

Page 508: ...u can modify the default mode as needed The default authentication mode is password for VTY lines The default authentication mode is none for console ports After you disable FIPS mode follow these restrictions and guidelines before you manually reboot the device If you are logged in to the device through Telnet perform the following tasks without exiting the current user line Set the authenticatio...

Page 509: ... string and then uses the private key to decrypt the encrypted text If the decryption result is the same as the original plain text string the test succeeds The power up self test examines the cryptographic algorithms listed in Table 26 Table 26 Power up self test list Type Operations KAT Tests the following algorithms SHA1 SHA224 SHA256 SHA384 and SHA512 HMAC SHA1 HMAC SHA224 HMAC SHA256 HMAC SHA...

Page 510: ...splay the FIPS mode state display fips status FIPS configuration examples Entering FIPS mode through automatic reboot Network requirements Use the automatic reboot method to enter FIPS mode and use a console port to log in to the device in FIPS mode Configuration procedure If you want to save the current configuration execute the save command before you enable FIPS mode Enable FIPS mode and choose...

Page 511: ...d new password confirm Updating user information Please wait Sysname Display the FIPS mode state Sysname display fips status FIPS mode is enabled Display the default configuration file Sysname more fips startup cfg password control enable local user root class manage service type terminal authorization attribute user role network admin fips mode enable return Sysname Entering FIPS mode through man...

Page 512: ...n will be written to the device Are you sure Y N y Please input the file name cfg flash startup cfg To leave the existing filename unchanged press the enter key flash startup cfg exists overwrite Y N y Validating file Please wait Saved the current configuration to mainboard device successfully Sysname quit Delete the startup configuration file in binary format Sysname delete flash startup mdb Dele...

Page 513: ...r has logged in to the device in FIPS mode through SSH with a username of test and a password of 12345zxcvb ZXCVB Use the manual reboot method to exit FIPS mode Configuration procedure Disable FIPS mode Sysname undo fips mode enable FIPS mode change requires a device reboot Continue Y N y The system will create a new startup configuration file for non FIPS mode and then reboot automatically Contin...

Page 514: ...te flash startup mdb Delete flash startup mdb Y N y Deleting file flash startup mdb Done Reboot the device Sysname reboot Verifying the configuration After the device reboots enter a username of test and a password of 12345zxcvb ZXCVB to enter non FIPS mode Press ENTER to get started login test Password Last successfully login time Sysname Display the FIPS mode state Sysname display fips status FI...

Page 515: ...ast one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field nam...

Page 516: ... Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gatewa...

Page 517: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 518: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 519: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 520: ...EAP relay termination authentication 75 EAP termination enable 88 EAP termination mode authentication 77 EAP Message attribute 73 EAPOL packet format 73 enable 88 feature cooperation 86 guest VLAN 81 guest VLAN assignment delay 96 guest VLAN configuration 95 104 keep online 95 MAC authentication delay 122 MAC based access control 79 maintain 102 mandatory port authentication domain 92 manual reaut...

Page 521: ...attribute translation 54 RADIUS attributes 14 RADIUS authentication server 26 RADIUS DAE server 53 RADIUS display 35 RADIUS implementation 2 RADIUS maintain 35 RADIUS packet DSCP priority 54 RADIUS request transmission attempts max 29 RADIUS scheme 24 RADIUS scheme creation 26 RADIUS scheme VPN instance 28 RADIUS server SSH user authentication authorization 60 RADIUS server status 29 RADIUS sessio...

Page 522: ...ol 51 299 alert protocol SSL 419 algorithm IPsec authentication 301 IPsec encryption 3DES 301 IPsec encryption AES 301 IPsec encryption DES 301 IPsec IKE DH algorithm 328 keychain configuration 250 251 SSH negotiation 359 SSH2 379 SSH2 encryption 380 SSH2 key exchange 379 SSH2 MAC 380 SSH2 public key 379 anti replay IPsec anti replay redundancy 313 IPsec configuration 313 any authentication SSH 35...

Page 523: ... configuration RST flood attack 432 defense policy configuration scanning attack 430 defense policy configuration single packet attack 429 defense policy configuration SYN flood attack 431 defense policy configuration SYN ACK flood attack 432 defense policy configuration UDP flood attack 434 defense policy creation 429 detection exemption configuration 435 device preventable attacks 425 display 43...

Page 524: ...n 327 IPsec IKE RSA signature authentication 327 IPsec RIPng configuration 322 IPsec tunnel for IPv4 packets IKE based 337 IPsec tunnel for IPv4 packets manual 320 keychain configuration 250 251 MAC authentication 115 119 128 MAC authentication local 128 MAC authentication RADIUS based 130 MAC authentication VLAN assignment 116 MAC local authentication method 115 MAC RADIUS authentication method 1...

Page 525: ...hole ARP attack protection blackhole routing unresolvable IP attack 456 C CA PKI architecture 266 PKI CA policy 266 PKI certificate 265 PKI certificate export 276 PKI certificate obtain 272 PKI certificate removal 276 PKI certificate request 270 PKI certificate request automatic 271 PKI certificate request manual 272 PKI certificate request abort 272 PKI certificate verification 274 PKI CRL 265 PK...

Page 526: ...2 1X periodic reauthentication 94 802 1X protocol packet sending rule 100 802 1X reauthentication 93 802 1X ACL assignment 107 802 1X EAD assistant DHCP relay agent 108 802 1X EAD assistant DHCP server 111 AAA 1 19 57 AAA device ID 57 AAA HWTACACS schemes 36 AAA HWTACACS server SSH user 57 AAA ISP domain accounting method 51 AAA ISP domain attribute 48 AAA ISP domain authentication method 49 AAA I...

Page 527: ...crypto engine 491 direct portal authentication 168 direct portal authentication local portal Web server on router 205 direct portal authentication preauthentication domain 201 dynamic IPv4 source guard IPv4SG DHCP relay agent 450 dynamic IPv4 source guard IPv4SG DHCP snooping 449 dynamic IPv6 source guard IPv6SG DHCPv6 relay agent 453 dynamic IPv6 source guard IPv6SG DHCPv6 snooping 452 extended c...

Page 528: ...ort security secure MAC addresses 218 portal authentication 136 143 168 portal authentication destination subnet 150 portal authentication detection features 154 portal authentication fail permit 158 portal authentication local portal Web server 162 164 portal authentication MAC binding server 165 portal authentication portal free rule 148 portal authentication server 144 portal authentication ser...

Page 529: ...ture 266 PKI CA policy 266 PKI certificate export 276 PKI certificate removal 276 PKI certificate based access control policy 277 PKI storage path 275 troubleshooting PKI CRL obtain failure 296 cross subnet extended cross subnet portal authentication configuration 190 portal authentication configuration 179 portal authentication mode 139 crypto engine configuration 491 display 491 maintain 491 cry...

Page 530: ...server 36 AAA HWTACACS authorization server 37 AAA HWTACACS implementation 6 AAA HWTACACS scheme 36 AAA HWTACACS scheme VPN instance 39 AAA HWTACACS server SSH user 57 AAA HWTACACS shared keys 39 AAA implementation 12 AAA LDAP attribute map for authorization 46 AAA LDAP authentication server 46 AAA LDAP authorization server 46 AAA LDAP implementation 9 AAA LDAP scheme 42 AAA LDAP server SSH user a...

Page 531: ... Telnet server connection establishment 368 SSH Secure Telnet server connection establishment based on Suite B 370 SSH Secure Telnet server enable 362 SSH server configuration 361 SSH SFTP client 371 SSH SFTP client configuration publickey authentication enabled 401 SSH SFTP configuration 398 SSH SFTP configuration 192 bit Suite B 404 SSH SFTP server configuration password authentication enabled 3...

Page 532: ...solvable IP attack 456 attack D P 437 crypto engine 491 FIPS 497 host public key 258 IP source guard IPSG 447 IPsec 319 IPsec IKE 336 IPsec IKEv2 356 IPv4 source guard IPv4SG 447 IPv6 source guard IPv6SG 447 keychain 251 MAC authentication 128 ND attack detection 479 password control 246 PKI 278 port security 222 portal authentication 167 public key 260 RA guard policy 483 SSH 380 SSH SFTP help in...

Page 533: ...X keep online 95 802 1X user IP freezing 100 AAA RADIUS server load sharing 31 AAA RADIUS SNMP notification 35 ARP attack detection logging 467 attack D P log non aggregation 436 attack D P login delay 437 IPsec ACL de encapsulated packet check 312 IPsec IKE invalid SPI recovery 335 IPsec IKEv2 cookie challenge 355 IPsec packet logging 315 IPsec QoS pre classify 315 IPv4 source guard IPv4SG on int...

Page 534: ...ot 495 500 exporting host public key 258 PKI certificate 276 PKI certificate import export configuration 289 troubleshooting PKI certificate export failure 298 extending extended cross subnet portal authentication configuration 190 extended direct portal authentication configuration 183 extended re DHCP portal authentication configuration 186 F fail portal fail permit feature 158 Federal Informati...

Page 535: ...uration 477 ND attack detection 479 RA guard 483 static IPv4 source guard IPv4SG configuration 448 static IPv6 source guard IPv6SG configuration 451 fragment attack D P TCP fragment attack prevention 436 IPsec packet DF bit 315 fragmenting IPsec packet fragmentation 318 frame port security configuration 211 214 FTP AAA RADIUS Login Service attribute check method 34 local host public key distributi...

Page 536: ...ormat 39 Hypertext Transfer Protocol Use HTTP I ICMP attack D P defense policy ICMP flood attack 433 attack D P defense policy ICMPv6 flood attack 433 ID AAA device ID configuration 57 identity IPsec IKE global identity information 333 ignoring port security server authorization information 220 IKE 326 See also ISAKMP configuration 326 328 337 configuration main mode pre shared key authentication ...

Page 537: ...port temporarily mode 218 port security feature 211 IP global uRPF configuration 490 portal authentication portal free rule 148 security Use IPsec uRPF enable 489 IP address 802 1X user IP freezing enable 100 IP addressing AAA HWTACACS outgoing packet source IP address 40 AAA LDAP server IP address 43 AAA RADIUS outgoing packet source IP address 31 ARP attack detection configuration user packet va...

Page 538: ... configuration restrictions 307 policy configuration restrictions IKE based 308 protocols and standards 303 QoS pre classify enable 315 RIPng configuration 322 SA 301 security protocols 299 SNMP notification configuration 318 source interface policy bind 314 transform set configuration 305 troubleshoot IKE 342 troubleshoot IKE negotiation failure no proposal match 342 troubleshoot IKE negotiation ...

Page 539: ...plementation 12 AAA ISP domain accounting method 51 AAA ISP domain attribute 48 AAA ISP domain authentication method 49 AAA ISP domain authorization method 50 AAA ISP domain creation 47 AAA ISP domain method 46 K keepalive IPsec IKE configuration 333 IPsec IKE NAT configuration 334 IPsec IKEv2 NAT 355 key IPsec IKE pre shared key authentication 327 PKI configuration 265 267 278 key pair Secure Tel...

Page 540: ...out 167 logging in AAA concurrent login user max 56 attack D P login delay 437 attack D P login dictionary attack 428 password expired login 241 password user first login 241 password user login attempt limit 241 password user login control 241 RADIUS Login Service attribute 34 logging off portal authentication online user logout 160 M MAC 802 1X MAC based access control 79 address See MAC address...

Page 541: ...rning port security autoLearn MAC learning control 212 port security MAC learning control modes 211 port security secure MAC learning control 212 maintaining 802 1X 102 AAA HWTACACS 42 AAA RADIUS 35 ARP attack detection 467 attack D P 437 crypto engine 491 IP source guard IPSG 447 IPsec 319 IPsec IKE 336 IPsec IKEv2 356 IPv4 source guard IPv4SG 447 IPv6 source guard IPv6SG 447 MAC authentication 1...

Page 542: ...t 160 NAT IPsec IKE keepalive 334 IPsec IKEv2 keepalive 355 ND portal authentication client ND entry conversion 165 ND attack defense configuration 477 configuring ND attack detection 478 configuring RA guard 481 configuring RA guard logging 482 configuring RA guard policy 482 configuring source MAC consistency check 477 IPv6 See IPv6 ND attack defense specifying the attached device role 481 ND at...

Page 543: ...ble 467 ARP attack detection packet validity check 466 ARP attack detection restricted forwarding 466 ARP attack detection restricted forwarding configuration 470 ARP attack detection user validity check 465 467 ARP attack protection unresolvable IP attack 455 457 ARP attack protection blackhole routing unresolvable IP attack 456 ARP attack protection source suppression unresolvable IP attack 456 ...

Page 544: ...tection enable 127 MAC authentication redirect URL assignment 119 MAC authentication timer 121 MAC authentication user account format 120 MAC authentication user profile assignment 118 MAC authentication VLAN assignment 116 MAC based quick portal authentication 142 ND attack detection 478 NETCONF over SSH client user line 363 NETCONF over SSH enable 363 NETCONF over SSH password authentication con...

Page 545: ... line 363 source MAC consistency check 477 SSH client host public key configuration 364 SSH management parameters 366 SSH SCP client device 376 SSH SCP configuration 408 SSH SCP configuration Suite B 409 SSH SCP file transfer password authentication 408 SSH SCP server connection establishment 376 SSH SCP server connection establishment based on Suite B 378 SSH SCP server enable 363 SSH Secure Teln...

Page 546: ...34 no AAA no accounting method 12 AAA no authentication 12 AAA no authorization 12 notifying AAA RADIUS SNMP notification 35 IPsec IKE SNMP notification 336 IPsec SNMP notification 318 port security SNMP notification 222 NTK ntkonly mode 217 ntk withbroadcasts mode 217 ntk withmulticasts mode 217 port security feature 211 numbering IPsec IKE SA max 335 IPsec tunnel max 319 O obtaining PKI certific...

Page 547: ...les 163 parameter AAA RADIUS accounting server parameters 27 AAA RADIUS class attribute as CAR parameter 34 configuring SSH management parameters 366 password control parameters global 243 password control parameters local user 245 password control parameters super 246 password control parameters user group 244 password SSH password authentication 359 SSH password publickey authentication 359 SSH ...

Page 548: ...olicy scanning attack 430 attack D P defense policy single packet attack 429 attack D P defense policy creation 429 IPsec application to interface 312 IPsec configuration manual 307 IPsec IKEv2 configuration 352 IPsec policy IKE based direct 309 IPsec policy IKE based template 310 IPsec policy configuration IKE based 308 IPsec QoS pre classify enable 315 IPsec source interface policy bind 314 IPse...

Page 549: ...information ignore 220 SNMP notification enable 222 troubleshoot 231 troubleshoot mode cannot be set 231 troubleshoot secure MAC addresses 231 portal authentication AAA server 137 access device 137 authenticated user redirection 164 authentication destination subnet 150 authentication server 137 authentication source subnet 149 BAS IP 158 client 137 client ARP entry conversion enable 165 165 confi...

Page 550: ...ating with 802 1X EAP relay 76 authenticating with 802 1X EAP termination mode 77 binding IPsec source interface to policy 314 changing AAA RADIUS packet DSCP priority 54 configuring 802 1X 87 configuring 802 1X authentication trigger 92 configuring 802 1X Auth Fail VLAN 97 configuring 802 1X authorization VLAN 104 configuring 802 1X basics 102 configuring 802 1X critical VLAN 98 configuring 802 1...

Page 551: ...efense policy 429 configuring attack D P defense policy ACK flood attack 431 configuring attack D P defense policy DNS flood attack 434 configuring attack D P defense policy FIN flood attack 432 configuring attack D P defense policy flood attack 431 configuring attack D P defense policy HTTP flood attack 434 configuring attack D P defense policy ICMP flood attack 433 configuring attack D P defense...

Page 552: ... configuring keychain 250 251 configuring local user auto delete 24 configuring MAC authentication 119 configuring MAC authentication local 128 configuring MAC authentication RADIUS based 130 configuring MAC authentication ACL assignment 132 configuring MAC authentication critical VLAN 125 configuring MAC authentication delay 122 configuring MAC authentication guest VLAN 124 configuring MAC authen...

Page 553: ...onfiguring SSH device as server 361 configuring SSH device as SFTP client 371 configuring SSH management parameters 366 configuring SSH SCP client device 376 configuring SSH SCP file password authentication 408 configuring SSH Secure Telnet client password authentication enabled 389 configuring SSH Secure Telnet client publickey authentication enabled 392 configuring SSH Secure Telnet server publi...

Page 554: ...hentication offline detection 127 enabling NETCONF over SSH 363 enabling parallel processing with 802 1X authentication 123 enabling password control 243 enabling port security 214 enabling port security authorization fail offline 221 enabling port security MAC move 220 enabling port security SNMP notification 222 enabling portal authentication 146 enabling portal authentication client ARP entry c...

Page 555: ...ission attempts max 29 setting AAA RADIUS server status 29 setting AAA RADIUS timer 32 setting AAA RADIUS traffic statistics unit 28 setting AAA RADIUS username format 28 setting IPsec tunnel max 319 setting MAC authentication concurrent port users max 121 setting password control parameters global 243 setting password control parameters local user 245 setting password control parameters super 246...

Page 556: ...rage path set failure 298 troubleshooting port security mode cannot be set 231 troubleshooting port security secure MAC addresses 231 troubleshooting portal authentication cannot log out users access device 209 troubleshooting portal authentication no page pushed for users 208 troubleshooting portal authentication users cannot log in re DHCP 210 troubleshooting portal authentication users logged o...

Page 557: ... the attached device role 481 RA guard policy displaying 483 maintaining 483 RADIUS 802 1X EAP over RADIUS 73 802 1X EAP relay enable 88 802 1X EAP termination enable 88 802 1X RADIUS EAP Message attribute 73 802 1X RADIUS Message Authentication attribute 74 AAA configuration 1 19 57 AAA implementation 2 AAA local user configuration 20 AAA MPLS L3VPN implementation 14 AAA scheme 20 accounting serv...

Page 558: ...HCP relay agent 463 dynamic IPv4 source guard IPv4SG DHCP relay agent configuration 450 dynamic IPv6 source guard IPv6SG DHCPv6 relay agent configuration 453 remote 802 1X authorization VLAN 79 AAA remote accounting method 12 AAA remote authentication 12 AAA remote authentication configuration 19 AAA remote authorization method 12 Remote Authentication Dial In User Service Use RADIUS removing PKI ...

Page 559: ... 357 troubleshooting IPsec SA negotiation failure tunnel failure 357 scanning attack attack D P defense policy 430 attack D P device preventable attacks 426 scheme AAA 20 AAA HWTACACS 36 AAA HWTACACS scheme VPN instance 39 AAA LDAP 42 AAA LDAP scheme creation 45 AAA RADIUS configuration 24 AAA RADIUS scheme VPN instance 28 SCP client device configuration 376 client local key pair generation 376 cl...

Page 560: ... AAA LDAP scheme 42 AAA LDAP server SSH user authentication 64 AAA local user 20 AAA MPLS L3VPN implementation 14 AAA protocols and standards 14 AAA RADIUS attribute translation 54 AAA RADIUS attributes 14 AAA RADIUS DAE server 53 AAA RADIUS implementation 2 AAA RADIUS information exchange security mechanism 2 AAA RADIUS packet DSCP priority 54 AAA RADIUS protocols and standards 14 AAA RADIUS sche...

Page 561: ...tomatic reboot 497 FIPS mode entry manual reboot 498 FIPS mode exit 495 FIPS mode exit automatic reboot 500 FIPS mode exit manual reboot 500 FIPS mode system changes 494 FIPS self test 495 fixed ARP configuration 472 fixed ARP configuration restrictions 472 global uRPF configuration 490 host public key export 258 IP 299 See also IPsec IP source guard IPSG configuration 443 444 448 IP source guard ...

Page 562: ...y 246 password control enable 243 password control maintain 246 password control parameters global 243 password control parameters local user 245 password control parameters super 246 password control parameters user group 244 password event logging 242 password expiration 240 240 password history 241 password not displayed 242 password setting 239 password updating 240 240 password user first log...

Page 563: ...in 152 portal user preauthentication IP address pool 152 public key display 260 public key import from file 262 public key management 256 260 RA guard 483 re DHCP portal authentication configuration 176 re DHCP portal authentication preauthentication domain configuration 203 Secure Telnet client local key pair generation 368 Secure Telnet client user line 363 SSH authentication methods 359 SSH cli...

Page 564: ...leshooting PKI local certificate failure 295 troubleshooting PKI local certificate import failure 297 troubleshooting PKI local certificate request failure 295 troubleshooting PKI storage path set failure 298 uRPF configuration 486 uRPF display 489 uRPF enable 489 user profile configuration 233 233 234 user profile configuration restrictions 233 user profile display 234 server 802 1X authenticatio...

Page 565: ...uration password authentication enabled 398 server connection establishment 372 server connection establishment based on Suite B 374 server connection termination 375 server enable 362 SSH application 358 SSH management parameters 366 shared key AAA HWTACACS 39 AAA RADIUS 28 signature authentication IKE 327 single packet attack attack D P defense policy 429 attack D P device preventable attacks 42...

Page 566: ...60 SCP 358 SCP client device 376 SCP client local key pair generation 376 SCP configuration 408 SCP configuration Suite B 409 SCP file transfer password authentication 408 SCP server connection establishment 376 SCP server connection establishment based on Suite B 378 SCP server enable 363 Secure Copy Use SCP Secure FTP Use SFTP Secure Telnet 358 Secure Telnet client configuration password authent...

Page 567: ...al authentication cross subnet mode 139 portal authentication destination subnet 150 portal authentication direct cross subnet authentication process CHAP PAP authentication 140 portal authentication source subnet 149 super password control parameters 246 suppressing ARP attack protection source suppression unresolvable IP attack 456 switch cross subnet portal authentication configuration 179 dire...

Page 568: ...uration 128 bit Suite B 394 SSH Secure Telnet packet source IP address 368 SSH Secure Telnet server configuration password authentication enabled 381 SSH Secure Telnet server configuration publickey authentication enabled 383 SSH Secure Telnet server connection establishment 368 SSH Secure Telnet server connection establishment based on Suite B 370 terminal AAA RADIUS Login Service attribute check...

Page 569: ...access device 209 portal authentication cannot log out users RADIUS server 209 portal authentication no page pushed for users 208 portal authentication users cannot log in re DHCP 210 portal authentication users logged out still exist on server 209 tunnel IPsec tunnel max 319 tunneling IPsec configuration 299 320 IPsec encapsulation tunnel mode 300 IPsec RIPng configuration 322 IPsec tunnel establ...

Page 570: ... 120 MAC authentication user account policies 115 user authentication password control configuration 239 242 247 password control parameters global 243 password control parameters local user 245 password control parameters super 246 password control parameters user group 244 password event logging 242 password expiration 240 240 password expired login 241 password history 241 password max user acc...

Page 571: ...ication configuration local portal Web server on router 205 direct portal authentication preauthentication domain configuration 201 extended cross subnet portal authentication configuration 190 extended direct portal authentication configuration 183 extended re DHCP portal authentication configuration 186 PKI 267 portal authentication configuration 136 143 168 portal authentication extended functi...

Reviews:

No comments

Related manuals for FlexFabric 5940 SERIES

WAGO 852-111 Mounting, Installation And Handling preview
852-111
Brand: WAGO Pages: 39
Lucent Technologies LambdaUnite MSS Installation Manual preview
LambdaUnite MSS
Brand: Lucent Technologies Pages: 388
REV Ritter RF102R Assembly And Operating Instructions Manual preview
RF102R
Brand: REV Ritter Pages: 15
N-Tron 100-POE4-MDR User Manual & Installation Manual preview
100-POE4-MDR
Brand: N-Tron Pages: 17
Cumberland PowerTrak Installation preview
PowerTrak
Brand: Cumberland Pages: 2
Eaton Cutler-Hammer RTHMFDA20100WSU Instructions Manual preview
Cutler-Hammer RTHMFDA20100WSU
Brand: Eaton Pages: 28
PCB Piezotronics 685B0001A13 Installation And Operating Manual preview
685B0001A13
Brand: PCB Piezotronics Pages: 31
Manhattan SUPERHUB QUATTRO Instructions preview
SUPERHUB QUATTRO
Brand: Manhattan Pages: 2
Kramer VS-28 User Manual preview
VS-28
Brand: Kramer Pages: 10
GenerLink MA23-N Operating Manual preview
MA23-N
Brand: GenerLink Pages: 16
Teltronics SEB NET-PATH Installation And Operation Manual preview
SEB NET-PATH
Brand: Teltronics Pages: 82
J-Tech Digital ProAV Series JTD-MINI0102/4k User Manual preview
ProAV Series JTD-MINI0102/4k
Brand: J-Tech Digital Pages: 21
ATEN KL1108V User Manual preview
KL1108V
Brand: ATEN Pages: 303
Black & Decker Lights Out 90539953 Instruction Manual preview
Lights Out 90539953
Brand: Black & Decker Pages: 5
Kramer VS-3232DVI User Manual preview
VS-3232DVI
Brand: Kramer Pages: 43
Kenwood KVA-S300 Instruction Manual preview
KVA-S300
Brand: Kenwood Pages: 32
Kenwood 3560-X Hardware Installation Manual preview
3560-X
Brand: Kenwood Pages: 110
Siemens SCALANCE XC-100 Operating Instructions Manual preview
SCALANCE XC-100
Brand: Siemens Pages: 60

Brands by name

Popular brands

Load more brands