H3C S9500E Series Скачать руководство пользователя страница 67

Страница: 67 / 207

•

auto

: Places the port in the unauthorized state initially to allow only EAPOL packets to pass,

and turns the port into the authorized state to allow access to the network after the users pass

authentication. This is the most common choice.

Control direction

In the unauthorized state, the controlled port can be set to deny traffic to and from the client or just

the traffic from the client.

Currently, your switch can only be set to deny traffic from the client.

EAP over LAN

EAPOL packet format

EAPOL, defined in 802.1X, is intended to carry EAP protocol packets between clients and switches

over LANs. Figure 17shows the EAPOL packet format. See Figure 17.

Figure 17

EAPOL packet format

•

PAE Ethernet type: Protocol type. It takes the value 0x888E.

•

Protocol version: Version of the EAPOL protocol supported by the EAPOL packet sender.

•

Type: Type of the EAPOL packet. Table 4 lists the types that the switch currently supports.

Table 4

Types of EAPOL packets

Value Type Description

0x00 EAP-Packet

Packet for carrying authentication information. A packet
of this type is repackaged and transferred by RADIUS

on the switch to get through complex networks to reach

the authentication server.

0x01

EAPOL-Start

Packet for initiating authentication, present between a
client and a switch.

0x02

EAPOL-Logoff

Packet for logoff request, present between a client and
a switch.

Содержание S9500E Series

Страница 1: ...H3C S9500E Series Routing Switches Security Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com...

Страница 2: ...hou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without n...

Страница 3: ...th the S9500E series Conventions This section describes the conventions used in this documentation set Command conventions Convention Description Boldface Bold text represents commands and keywords th...

Страница 4: ...older Symbols Convention Description Means reader be extremely careful Improper operation may cause bodily injury Means reader be careful Improper operation may cause data loss or damage to equipment...

Страница 5: ...ide Guides you through installing SFP SFP XFP transceiver modules Adjustable Slider Rail Installation Guide Guides you through installing adjustable slider rails to a rack H3C High End Network Product...

Страница 6: ...6...

Страница 7: ...chnical Documents Provides hardware installation software upgrading and software feature configuration and maintenance documentation Products Solutions Provides information about products and technolo...

Страница 8: ...isites 28 Creating an ISP domain 28 Configuring ISP domain attributes 29 Configuring AAA authentication method for an ISP domain 30 Configuring AAA authorization methods for an ISP domain 31 Configuri...

Страница 9: ...packets 52 Configuring attributes related to the data sent to HWTACACS server 53 Specifying the source IP address for HWTACACS packets to be sent 53 Setting timers regarding HWTACACS servers 54 Displ...

Страница 10: ...89 Displaying and maintaining MAC authentication 90 MAC authentication configuration examples 91 Local MAC authentication configuration 91 RADIUS based MAC authentication configuration 92 Portal confi...

Страница 11: ...0 Introduction to SSH2 0 120 Operation of SSH 120 Configuring the device as an SSH server 123 Enabling SSH server 123 Configuring the user interfaces for SSH clients 123 Configuring a client public ke...

Страница 12: ...source guard binding function configuration example I 157 Dynamic IP source guard binding function configuration example II 159 Troubleshooting IP source guard 160 Failed to configure static binding e...

Страница 13: ...gister your product 175 Purchase value added services 175 Troubleshoot online 175 Access software downloads 176 Telephone technical support and repair 176 Contact us 176 Appendix A RADIUS attributes 1...

Страница 14: ...n the rights to access other networks or network resources the NAS authenticates you or the corresponding connection The NAS can transparently pass your AAA information to the server RADIUS server or...

Страница 15: ...ient server model RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required Based on UDP RADIUS use...

Страница 16: ...n a RADIUS client and the RADIUS server is authenticated with a shared key that is never transmitted over the network This enhances information exchange security and prevents user passwords from being...

Страница 17: ...sage 4 The RADIUS client permits or denies the user according to the returned authentication result If it permits the user it sends a start accounting request Accounting Request to the RADIUS server 5...

Страница 18: ...the authentication succeeds the server sends an Access Accept response 3 Access Reject From the server to the client If any attribute value carried in the Access Request is unacceptable the server re...

Страница 19: ...details of the request or response This field is represented in triplets of Type Length and Value Type One byte in the range 1 to 255 It indicates the type of the attribute See Table 2 for commonly u...

Страница 20: ...in LAT Port 1 7 unassigned 6 4 Tunnel Type 1 8 Reply Message 6 5 Tunnel Medium Type 1 9 Callback Number 6 6 Tunnel Client Endpoint 2 0 Callback ID 6 7 Tunnel Server Endpoint 2 1 unassigned 6 8 Acct Tu...

Страница 21: ...8 2 Tunnel Assignment id 3 6 Login LAT Group 8 3 Tunnel Preference 3 7 Framed AppleTalk Link 8 4 ARAP Challenge Response 3 8 Framed AppleTalk Network 8 5 Acct Interim Interval 3 9 Framed AppleTalk Zo...

Страница 22: ...e contents of the sub attribute Figure 5 Segment of a RADIUS packet containing an extended attribute Introduction to HWTACACS HW Terminal Access Controller Access Control System HWTACACS is an enhance...

Страница 23: ...Protocol packets are simple and authorization is combined with authentication Supports authorized use of configuration commands The user level and AAA authorization determine which commands you can us...

Страница 24: ...er 3 The HWTACACS server sends back an authentication response requesting the username 4 Upon receiving the response the HWTACACS client asks the user for the username 5 The user inputs the username 6...

Страница 25: ...accounting response indicating that it has received the start accounting request 17 The user logs off 18 The HWTACACS client sends a stop accounting request to the HWTACACS server 19 The HWTACACS serv...

Страница 26: ...authenticated you can deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs Figure 8 shows that with the AAA across VPNs feature the PE device at the left side o...

Страница 27: ...onfigure local users and related attributes including usernames and passwords of the users to be authenticated Remote authentication Configure the required RADIUS and or HWTACACS schemes and configure...

Страница 28: ...me first For RADIUS scheme configuration see Configuring RADIUS For HWTACACS scheme configuration see Configuring HWTACACS Creating an ISP domain In a networking scenario with multiple ISPs an access...

Страница 29: ...P domain view domain Isp name 3 Place the ISP domain to the state of active or blocked state active block Optional When created an ISP domain is in the active state by default and users in the domain...

Страница 30: ...centralized authentication for multiple devices You can configure local authentication as the backup in case the remote server is not available You can configure AAA authentication to work alone witho...

Страница 31: ...ng AAA authorization methods for an ISP domain In AAA authorization is a separate process at the same level as authentication and accounting Its responsibility is to send authorization requests to the...

Страница 32: ...s scheme name local local none radius scheme radius scheme name local Optional local by default 4 Specify the authorization method for command line users authorization command hwtacacs scheme hwtacacs...

Страница 33: ...nted on the access device collects statistics on the number of users and controls the number of local user connections It does not provide statistics for user charge Remote accounting scheme The acces...

Страница 34: ...heme name local keyword and argument combination configured local accounting is used only when the remote server is not available If the primary accounting method is local or none the system performs...

Страница 35: ...maximum number of user connections using the local user account access limit max user number Optional By default there is no limit on the maximum number of user connections using the same local user a...

Страница 36: ...not pass authentication In authentication methods that require a username and password local authentication RADIUS authentication and HWTACACS authentication the level of the user determines the comma...

Страница 37: ...own AAA user connections forcibly IRF mode cut connection all domain isp name ucibindex ucib index user name user name chassis chassis number slot slot number Required Applies to only LAN access and p...

Страница 38: ...slot number Available in any view 6 Display configuration information about a specified user group or all user groups display user group group name Available in any view Configuring RADIUS The RADIUS...

Страница 39: ...ame 3 Specify a VPN instance for the RADIUS scheme vpn instance vpn instance name Required Currently the VPN instance specified with the vpn instance command is not effective for IPv6 authentication a...

Страница 40: ...and relevant parameters Follow these steps to specify the RADIUS accounting servers and perform related configurations To do Use the command Remarks 1 Enter system view system view 2 Enter RADIUS sch...

Страница 41: ...user when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request The IP addresses of the primary and secondar...

Страница 42: ...S packets retry retry times Optional 3 by default The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 For...

Страница 43: ...s of a user starts the switch keeps sending the user s real time accounting requests and stop accounting requests to the same accounting server If you remove the accounting server real time accounting...

Страница 44: ...rap accounting server down authentication server down Optional Disabled by default 3 Enter RADIUS scheme view radius scheme radius scheme name 4 Specify the format of the username to be sent to a RADI...

Страница 45: ...e ratio check the configurations on the NAS and the RADIUS server and the communications between them Follow these steps to enable the RADIUS trap function To do Use the command Remarks 1 Enter system...

Страница 46: ...S request authentication authorization or accounting request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response tim...

Страница 47: ...find an available server When a number of secondary servers are configured the client connections of access modules that have a short client connection timeout period may still be timed out during ini...

Страница 48: ...ter system view system view 2 Enable the listening port of the RADIUS client radius client enable Optional Enabled by default Specifying to interpret RADIUS class attribute as CAR parameters According...

Страница 49: ...unting requests that get no responses IRF mode display stop accounting buffer radius scheme radius scheme name session id session id time range start time stop time user name user name chassis chassis...

Страница 50: ...ifying a server for the scheme the server belongs to the specific VPN instance Follow these steps to specify a VPN instance for an HWTACACS scheme To do Use the command Remarks 1 Enter system view sys...

Страница 51: ...ss port number vpn instance vpn instance name Required Configure at least one of the commands No authorization server by default 4 Specify the secondary HWTACACS authorization server secondary authori...

Страница 52: ...esses of the primary and secondary accounting servers cannot be the same Otherwise the configuration fails You can remove an accounting server only when no active TCP connection for sending accounting...

Страница 53: ...e the switch to remove the domain name before sending the username to the server Specifying the source IP address for HWTACACS packets to be sent You can specify an IP address as the source address fo...

Страница 54: ...servers To do Use the command Remarks 1 Enter system view system view 2 Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name 3 Set the HWTACACS server response timeout timer timer response...

Страница 55: ...ew 5 Clear HWTACACS statistics standalone mode reset hwtacacs statistics accounting all authentication authorization slot slot number Available in user view 6 Clear HWTACACS statistics IRF mode reset...

Страница 56: ...ious interfaces omitted Enable the Telnet server on the switch Switch system view Switch telnet server enable Configure the switch to use AAA for Telnet users Switch user interface vty 0 4 Switch ui v...

Страница 57: ...bbb for authentication using domain bbb AAA for telnet users by separate servers Network requirements Configure the switch to provide local authentication HWTACACS authorization and RADIUS accounting...

Страница 58: ...ch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the RADIUS scheme Switch radius scheme rd Switch radius rd primary...

Страница 59: ...the RADIUS server to provide authentication authorization and accounting services for SSH users The IP address of the RADIUS server is 10 1 1 1 24 Set both the shared keys for authentication and acco...

Страница 60: ...H3C as the access device type e Select the access device from the device list or manually add the device with the IP address of 10 1 1 2 f Click OK to finish the operation Figure 13 Add an access dev...

Страница 61: ...face 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs...

Страница 62: ...rad quit Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login radius scheme rad Switch isp bbb authorization login radius scheme rad Switch isp bbb accountin...

Страница 63: ...by other applications Solution Check that 1 The communication links between the NAS and the RADIUS server work well at both physical and link layers 2 The IP address of the RADIUS server is correctly...

Страница 64: ...64 Troubleshooting HWTACACS Refer to Troubleshooting RADIUS if you encounter an HWTACACS fault...

Страница 65: ...l over LAN EAPOL Device residing at the other end of the LAN segment is the entity that authenticates connected clients Device is usually an 802 1X enabled network device and provides access ports for...

Страница 66: ...ays send and receive authentication packets The controlled port is open to allow data traffic to pass only when it is in the authorized state The controlled port and uncontrolled port are two parts of...

Страница 67: ...s and switches over LANs Figure 17shows the EAPOL packet format See Figure 17 Figure 17 EAPOL packet format PAE Ethernet type Protocol type It takes the value 0x888E Protocol version Version of the EA...

Страница 68: ...of the EAP packet including the Code Identifier Length and Data fields in bytes Data Content of the EAP packet This field is zero or more bytes and its format is determined by the Code field EAP over...

Страница 69: ...st MAC address as the destination address Currently the iNode 802 1X client is required for the client to send EAPOL Start packets Unsolicited triggering by the device z The switch can trigger authent...

Страница 70: ...hentication process 2 Upon receiving the EAPOL Start packet the switch responds with an EAP Request Identity packet for the username of the client 3 When the client receives the EAP Request Identity p...

Страница 71: ...cally sends handshake requests to the client to check whether the client is still online By default if two consecutive handshake attempts end up with failure the switch concludes that the client has l...

Страница 72: ...or encrypting the user password information in EAP termination authentication process Consequently the switch sends the challenge together with the username and encrypted password information from the...

Страница 73: ...est packet to the authentication server it starts this timer If this timer expires but it receives no response from the server it retransmits the request Handshake timer handshake period After a clien...

Страница 74: ...er initiates authentication on the port in a certain period of time 90 seconds by default the port will be added to the guest VLAN and all users accessing the port will be authorized to access the res...

Страница 75: ...signs no VLAN the port returns to its initial VLAN After the client logs off the port still stays in its initial VLAN If the user initiates authentication again and passes the authentication the switc...

Страница 76: ...bled by default 3 Specify the authentication method dot1x authentication method chap eap pap Optional CHAP by default 4 Specify the port authorization mode for specified or all ports dot1x port contro...

Страница 77: ...tions and configurations on a port lies in the applicable scope If both a global setting and a local setting exist for an argument of a port the one configured later takes effect When enabling both po...

Страница 78: ...this case you can configure the user name format command but it does not take effect For information about the user name format command see AAA in the Security Command Reference If the username of a...

Страница 79: ...steps to configure the multicast trigger function To do Use the command Remarks 1 Enter system view system view 2 Enter Ethernet interface view interface interface type interface number 3 Enable the...

Страница 80: ...er Ethernet interface view interface interface type interface number 3 Enable periodic re authentication dot1x re authenticate Required Disabled by default After an 802 1X user passes authentication i...

Страница 81: ...ce view interface interface type interface number dot1x guest vlan guest vlan id Different ports can be configured with different guest VLANs but a port can be configured with only one guest VLAN Conf...

Страница 82: ...figuration example By default Ethernet interfaces VLAN interfaces and aggregate interfaces are in the state of DOWN To configure such an interface use the undo shutdown command to bring it up first Ne...

Страница 83: ...rocedure covers most AAA RADIUS configuration commands for the switch while configuration on the 802 1X client and RADIUS server are omitted For information about AAA RADIUS configuration commands see...

Страница 84: ...specify to use local authentication as the secondary scheme Device isp aabbcc net authentication default radius scheme radius1 local Device isp aabbcc net authorization default radius scheme radius1 l...

Страница 85: ...re 25 On port GigabitEthernet 3 0 2 enable 802 1X and set VLAN 10 as the guest VLAN of the port If the number of attempts of the switch for sending EAP Request Identity messages from GigabitEthernet 3...

Страница 86: ...wing configuration procedure covers most AAA RADIUS configuration commands for the switch while configuration on the 802 1X client and RADIUS server are omitted For information about AAA RADIUS config...

Страница 87: ...auto Device GigabitEthernet3 0 2 dot1x port control auto Device GigabitEthernet3 0 2 quit Create VLAN 10 Device vlan 10 Device vlan10 quit Specify port GigabitEthernet 3 0 2 to use VLAN 10 as its gue...

Страница 88: ...resses RADIUS based MAC authentication In RADIUS based MAC authentication the switch serves as a RADIUS client and requires a RADIUS server to cooperate with it If the type of username is MAC address...

Страница 89: ...AC address which means that any packets from the MAC address will be discarded silently by the switch until the quiet timer expires This prevents the switch from authenticating an illegal user repeate...

Страница 90: ...password for MAC authentication mac authentication user name format fixed account name password cipher simple password mac address with hyphen without hyphen lowercase uppercase Optional By default th...

Страница 91: ...diagram for local MAC authentication Configuration procedure 1 Configure MAC authentication on the device Add a local user setting the username and password as 00 e0 fc 12 34 56 the MAC address of th...

Страница 92: ...s 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current domain is aabbcc net Silent Mac User info MAC ADDR From Port Port Index Gigabitethernet3 0 1 is link up MAC...

Страница 93: ...1 2 1813 Device radius 2000 key authentication abc Device radius 2000 key accounting abc Device radius 2000 user name format without domain Device radius 2000 quit Specify the AAA schemes for the ISP...

Страница 94: ...aaa Fixed password 123456 Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current...

Страница 95: ...ent advertisements and deliver community and personalized services In this way broadband network providers equipment providers and content service providers form an industrial ecological system Introd...

Страница 96: ...thenticated to the portal server During authentication interacting with the portal server security policy server and the authentication accounting server for identity authentication security checking...

Страница 97: ...ver communicates to perform security checking of the user and the security policy server authorizes the user to access resources depending on the security checking result Since a portal client uses an...

Страница 98: ...to the access device Meanwhile the portal server starts a timer to wait for an authentication acknowledgment message 4 The access device and the RADIUS server exchange RADIUS packets to authenticate t...

Страница 99: ...on see AAA in the Security Configuration Guide To implement extended portal functions you need install and configure the security policy server CAMS EAD or iMC EAD and ensure that the ACLs configured...

Страница 100: ...erface and ports in the VLAN or for the switch ACLs that are related with the network segment to which the VLAN interface belongs Configuring a portal free rule A portal free rule allows specified use...

Страница 101: ...cated Configuration of authentication subnets applies to only Layer 3 portal authentication Logging out users Logging out a user terminates the authentication process for the user or removes the user...

Страница 102: ...sent to the RADIUS server A NAS ID profile defines the binding relationship between VLANs and NAS IDs A NAS ID VLAN binding is defined by the nas id id value bind vlan vlan id command which is descri...

Страница 103: ...al users to log in until the number drops down below the limit Displaying and maintaining a portal To do Use the command Remarks 1 Display the ACLs on a specified interface display portal acl all dyna...

Страница 104: ...tistics reset portal tcp cheat statistics Available in user view Portal configuration examples By default Ethernet VLAN and aggregate interfaces are in the state of DOWN To configure such an interface...

Страница 105: ...92 168 0 112 SwitchA radius rs1 key authentication radius SwitchA radius rs1 key accounting radius Specify that the ISP domain name should not be included in the username sent to the RADIUS server Swi...

Страница 106: ...sed identity authentication but have not passed security checking they can access only subnet 192 168 0 0 24 After passing security checking they can access Internet resources The host accesses Switch...

Страница 107: ...med dm1 and enter its view SwitchA domain dm1 Configure the ISP domain to use RADIUS scheme rs1 SwitchA isp dm1 authentication portal radius scheme rs1 SwitchA isp dm1 authorization portal radius sche...

Страница 108: ...s a result the portal server does not display the authentication page Solution Use the display portal server command to display the key for the portal server on the access device and view the key for...

Страница 109: ...ice The source port is 50100 and the destination port of the ACK_LOGOUT message from the access device is the source port of the REQ_LOGOUT message so that the portal server can receive the ACK_LOGOUT...

Страница 110: ...same algorithm also with the help of a key to obtain the original plain text Figure 33 Encryption and decryption There are two types of key algorithms based on whether the keys for encryption and dec...

Страница 111: ...digital signature applications for peer identity authentication because they involve complex calculations and are time consuming In digital signature applications only the digests which are relativel...

Страница 112: ...sh1 ssh2 filename Select a command according to the type of the key to be exported 3 Display the local DSA host public key on the screen in a specified format or export it to a specified file public k...

Страница 113: ...nfigure a public key of the peer Enter the key Required Spaces and carriage returns are allowed between characters 5 Return to public key view public key code end When you exit public key code view th...

Страница 114: ...so the public key of Device A should be configured on Device B in advance In this example RSA is used The host public key of Device A is configured manually on Device B Figure 34 Network diagram for m...

Страница 115: ...809098C525304CA0F00E877F8D4BE08487EBA636C227C7F58871B5E98CD0B83A0B1F1 829D3 07FDDD537AAE5A9633A06D459F0C22B23DDA988DACFBAB13CFD4DE7C53123A64850203010001 2 Configure Device B Configure the host public...

Страница 116: ...2B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3B C3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 Importing the public key of a peer from a public key file Network requirem...

Страница 117: ...1 5E1BC 06551672B4344F6CA5EEB7E75749BEF4B5A3C3E399EA77F9B36078946B4FBD51E600FFC5E1E9366B4F1 D80F2 BCC5455FC9891747B62BB3284C0DF13052184D551379C9FC570203010001 Time of Key pair created 13 11 20 2007 10...

Страница 118: ...Type set to I ftp put devicea pub 227 Entering Passive Mode 10 1 1 2 5 148 125 BINARY mode data connection already open transfer starting for devicea pub 226 Transfer complete FTP 299 byte s sent in 0...

Страница 119: ...119 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3B C3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001...

Страница 120: ...36 Stages in session establishment and interaction between an SSH client and the server Stages Description Version negotiation SSH1 and SSH2 0 are supported The two parties negotiate a version to use...

Страница 121: ...of any type of algorithm fails the algorithm negotiation fails and the server tears down the connection with the client The server and the client use the DH key exchange algorithm and parameters such...

Страница 122: ...authentication times exceed the maximum of authentication attempts and the session is torn down Besides password authentication and publickey authentication SSH2 0 provides another two authentication...

Страница 123: ...the user interfaces for SSH clients An SSH client accesses the switch through a VTY user interface Therefore you need to configure the user interfaces for SSH clients to allow SSH login Note that the...

Страница 124: ...rmat Import it from the public key file During the import process the system will automatically convert the public key to a string coded using the Public Key Cryptography Standards PKCS Before importi...

Страница 125: ...H user and specify the service type and authentication mode Follow these steps to configure an SSH user and specify the service type and authentication mode To do Use the command Remarks 1 Enter syste...

Страница 126: ...and on the user interface For users using password authentication You can configure the accounting information either on the switch or on the remote authentication server such as RADIUS authentication...

Страница 127: ...s the SSH server Specify a source IPv6 address or interface for the SSH client ssh client ipv6 source ipv6 ipv6 address interface interface type interface number Configuring whether first time authent...

Страница 128: ...Configuring a client public key Required The method of configuring server public key on the client is similar to that of configuring client public key on the server 4 Specify the host public key name...

Страница 129: ...or session information on an SSH server display ssh server status session Available in any view 4 Display the mappings between SSH servers and their host public keys saved on an SSH client display ssh...

Страница 130: ...onnection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 40 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode for the user interfaces to AAA Switch u...

Страница 131: ...Figure 38 SSH client configuration interface Click Open If the connection is normal you will be prompted to enter the username and password After entering the correct username client001 and password...

Страница 132: ...entication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0...

Страница 133: ...t key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar See Figure 41 Otherwise the process bar stops moving and the key pair gener...

Страница 134: ...134 Figure 41 Generate a client key pair 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key...

Страница 135: ...ase Figure 43 Generate a client key pair 4 After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the se...

Страница 136: ...SSH client configuration interface 1 Select Connection SSH Auth from the navigation tree The following window appears Click Browse to bring up the file selection window navigate to the private key fil...

Страница 137: ...By default Ethernet interfaces VLAN interfaces and aggregate interfaces are in the state of DOWN To configure such an interface use the undo shutdown command to bring it up first When switch acts as...

Страница 138: ...e Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 SwitchB local user client001 SwitchB luser client001 password simp...

Страница 139: ...m View with peer public key end SwitchA pkey public key public key code begin Public key code view return to last view with public key code end SwitchA pkey key code 308201B73082012C06072A8648CE380401...

Страница 140: ...itchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 Enter password All rights reserved 2004 2006 Without the owner s prior written consent...

Страница 141: ...the SSH client below Import the peer public key from the file key pub SwitchB public key peer Switch001 import sshkey key pub Specify the authentication type for user client002 as publickey and assig...

Страница 142: ...cted to 10 165 87 136 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n All rights reserved 2004 2006 Without the owner s prior written consent no decompil...

Страница 143: ...or all For the configuration procedure see Configuring an SSH user Enabling the SFTP server This configuration task is to enable the SFTP service so that a client can log into the SFTP server through...

Страница 144: ...face number Required Use either command By default an SFTP client uses the interface address specified by the route of the switch to access the SFTP server Specify a source IPv6 address or interface f...

Страница 145: ...ory Follow these steps to work with the SFTP directories To do Use the command Remarks 1 Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher 3des aes128 des pre...

Страница 146: ...5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view 2 Change the n...

Страница 147: ...command in user view 2 Display a list of all commands or the help information of an SFTP client command help all command name Required Terminating the connection to the remote SFTP server Follow thes...

Страница 148: ...Enable the SFTP server SwitchB sftp server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for SSH connection SwitchB interface vlan interface 1 Switch...

Страница 149: ...the configuration on the server done before continuing configuration of the client Establish a connection to the remote SFTP server and enter SFTP client view SwitchA sftp 192 168 0 1 identity key rsa...

Страница 150: ...new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39...

Страница 151: ...rd authentication with the username being client002 and the password being aabbcc The username and password are saved on the switch Figure 49 Network diagram for SFTP server configuration Configuratio...

Страница 152: ...e user authentication type as password and service type as SFTP Switch ssh user client002 service type sftp authentication type password 2 Configure the SFTP client There are many kinds of SFTP client...

Страница 153: ...up in the binding entries of the IP source guard See Figure 51 If there is a match the port forwards the packet Otherwise the port discards the packet IP source guard bindings are on a per port basis...

Страница 154: ...ou add a port configured with IP source guard to an aggregation group Configuring a static IP source guard binding entry Follow these steps to configure a static IP source guard binding entry To do Us...

Страница 155: ...w interface interface type interface number 3 Configure the dynamic IP source guard binding function ip check source ip address ip address mac address mac address Required Not configured by default Th...

Страница 156: ...thernet 3 0 1 of Switch A only IP packets from Host A can pass On port GigabitEthernet 3 0 2 of Switch B only IP packets from Host A can pass On port GigabitEthernet 3 0 1 of Switch B only IP packets...

Страница 157: ...ss of 192 168 0 2 to pass SwitchB interface gigabitethernet 3 0 1 SwitchB GigabitEthernet3 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static...

Страница 158: ...itEthernet3 0 1 quit Enable DHCP snooping SwitchA dhcp snooping Configure the port connecting to the DHCP server as a trusted port SwitchA interface gigabitethernet 3 0 2 SwitchA GigabitEthernet3 0 2...

Страница 159: ...by using the generated DHCP Relay entries For detailed configuration of a DHCP relay agent see DHCP in the Layer 3 IP Services Configuration Guide Figure 54 Network diagram for configuring dynamic bin...

Страница 160: ...0203 0406 192 168 0 1 100 Vlan interface100 DHCP RLY Troubleshooting IP source guard Failed to configure static binding entries and dynamic binding function Symptom Configuring static binding entries...

Страница 161: ...up in the binding entries of the IP source guard See Figure 51 If there is a match the port forwards the packet Otherwise the port discards the packet IP source guard bindings are on a per port basis...

Страница 162: ...ou add a port configured with IP source guard to an aggregation group Configuring a static IP source guard binding entry Follow these steps to configure a static IP source guard binding entry To do Us...

Страница 163: ...w interface interface type interface number 3 Configure the dynamic IP source guard binding function ip check source ip address ip address mac address mac address Required Not configured by default Th...

Страница 164: ...thernet 3 0 1 of Switch A only IP packets from Host A can pass On port GigabitEthernet 3 0 2 of Switch B only IP packets from Host A can pass On port GigabitEthernet 3 0 1 of Switch B only IP packets...

Страница 165: ...ss of 192 168 0 2 to pass SwitchB interface gigabitethernet 3 0 1 SwitchB GigabitEthernet3 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static...

Страница 166: ...itEthernet3 0 1 quit Enable DHCP snooping SwitchA dhcp snooping Configure the port connecting to the DHCP server as a trusted port SwitchA interface gigabitethernet 3 0 2 SwitchA GigabitEthernet3 0 2...

Страница 167: ...by using the generated DHCP Relay entries For detailed configuration of a DHCP relay agent see DHCP in the Layer 3 IP Services Configuration Guide Figure 58 Network diagram for configuring dynamic bin...

Страница 168: ...0203 0406 192 168 0 1 100 Vlan interface100 DHCP RLY Troubleshooting IP source guard Failed to configure static binding entries and dynamic binding function Symptom Configuring static binding entries...

Страница 169: ...ofing Switch A originates a request to the server Switch B by sending a packet with a forged source IP address of 2 2 2 1 8 and Switch B sends a packet to Switch C at 2 2 2 1 8 in response to the requ...

Страница 170: ...ould be disabled Configuring URPF Follow these steps to configure URPF To do Use the command Remarks 1 Enter system view system view 2 Enter VLAN interface view interface interface type interface numb...

Страница 171: ...ork diagram for URPF configuration example Configuration procedure 1 Configure Switch B Create VLAN 10 SwitchB system view SwitchB vlan 10 SwitchB vlan10 quit Specify the IP address for VLAN interface...

Страница 172: ...ofing Switch A originates a request to the server Switch B by sending a packet with a forged source IP address of 2 2 2 1 8 and Switch B sends a packet to Switch C at 2 2 2 1 8 in response to the requ...

Страница 173: ...ould be disabled Configuring URPF Follow these steps to configure URPF To do Use the command Remarks 1 Enter system view system view 2 Enter VLAN interface view interface interface type interface numb...

Страница 174: ...ork diagram for URPF configuration example Configuration procedure 1 Configure Switch B Create VLAN 10 SwitchB system view SwitchB vlan 10 SwitchB vlan10 quit Specify the IP address for VLAN interface...

Страница 175: ...chase value added services To enhance response times or extend warranty benefits contact 3Com or your authorized reseller Value added services like ExpressSM and GuardianSM can include 24x7 telephone...

Страница 176: ...of the warranty and other service benefits available to you When you contact 3Com for assistance please have the following information ready Product model name part number and serial number Proof of p...

Страница 177: ...um transmission unit MTU for the data link between the user and NAS For example with 802 1X EAP authentication NAS uses this attribute to notify the server of the MTU for EAP packets so as to avoid ov...

Страница 178: ...is 201 79 EAP Message Used for encapsulating EAP packets to allow the NAS to authenticate dial in users via EAP without having to understand the EAP protocol 80 Message Authenticator Used for authent...

Страница 179: ...her value Failed 26 Connect_ID Index of the user connection 28 Ftp_Directory Working directory of the FTP user For an FTP user when the RADIUS client acts as the FTP server this attribute is used to s...

Страница 180: ...Digital Subscriber Line AF Assured Forwarding AFI Address Family Identifier ALG Application Layer Gateway AM Accounting Management AMB Active Main Board ANSI American National Standard Institute AP A...

Страница 181: ...sic Rate Interface BSR Bootstrap Router BT BitTorrent BS BSR State BT Burst Tolerance C Return C BSR Candidate Bootstrap Router C RP Candidate Rendezvous Point CA Call Appearance CA Certificate Author...

Страница 182: ...Routing LSP CR LDP Constraint based Routing LDP CSMA CD Carrier Sense Multiple Access Collision Detect CSNP Complete SNP CSPF Constraint Shortest Path First CST Common Spanning Tree CT Call Transfer...

Страница 183: ...tiplexing E Return EBGP External Border Gateway Protocol EACL Enhanced ACL EAD Endpoint Admission Defense EAP Extensible Authentication Protocol EAPOL Extensible Authentication Protocol over LAN EBS E...

Страница 184: ...ocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High level Data Link Control HEC Header Error Control HMAC Hash based Message Authentication Code HoPE Hierarchy of PE Ho...

Страница 185: ...nter Process Communication IPng IP Next Generation IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRDP ICMP Router Discovery Protocol I...

Страница 186: ...ng Information Base LIB Label Information Base LLC Link Layer Control LLDP Link Layer Discovery Protocol LLDPDU Link Layer Discovery Protocol Data Units LOC Loss of continuity LOG Call Logging LR Line...

Страница 187: ...stener Discovery Protocol MLD Snooping Multicast Listener Discovery Snooping MMC Meet Me Conference MODEM Modulator Demodulator MOS Mean Opinion Scores MP Multilink PPP MP BGP Multiprotocol extensions...

Страница 188: ...zer NDC Network Data Collector NDP Neighbor Discovery Protocol NET Network Entity Title NetBIOS Network Basic Input Output System NHLFE Next Hop Label Forwarding Entry NLB Network Load Balancing NLPID...

Страница 189: ...Code Modulation PD Powered Device Prefix Delegation or Pure Data PDU Protocol Data Unit PE Provider Edge Provider Edge Device PHP Penultimate Hop Popping PHY Physical layer PIM Protocol Independent Mu...

Страница 190: ...02 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority or Router Advertisement RADIUS Remote Authentication Dial in User S...

Страница 191: ...rt Protocol S Return SA Source Active or Suppress Advertisement SBM Sub network Bandwidth Management SCFF Single Choke Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SEL Selector S...

Страница 192: ...STM 16c SDH Transport Module 16c STM 4c SDH Transport Module 4c STP Spanning Tree Protocol SVC Signaling Virtual Connection SVLAN Service Provider Virtual Local Area Network Switch MDT Switch Multicas...

Страница 193: ...e Bit Rate VCI Virtual Channel Identifier VE Virtual Ethernet VF Virtual Forwarder VFS Virtual File System VLAN Virtual Local Area Network VLL Virtual Leased Lines VOD Video On Demand VoIP Voice over...

Страница 194: ...ghted Fair Queuing WINS Windows Internet Naming Service WLAN wireless local area network WRED Weighted Random Early Detection WRR Weighted Round Robin WTR Wait to Restore WWW World Wide Web X Return X...

Страница 195: ...ion 79 enabling quiet timer 80 enabling re authentication function 80 features working together 73 guest VLAN 74 maintaining 82 mandatory authentication domain for specified port 75 Message Authentica...

Страница 196: ...g client portal 96 configuring first time authentication support SSH2 0 127 Layer 3 portal 97 local MAC 88 91 mandatory domain for specified port 802 1X 75 mode 802 1X 65 mode portal 97 process 802 1X...

Страница 197: ...hentication portal 104 Layer 3 portal authentication with extended functions 106 local asymmetric pair public key 1 1 1 local user attribute AAA 34 MAC authentication 88 89 91 NAS ID VLAN binding AAA...

Страница 198: ...ssage attribute 802 1X 68 EAPOL 802 1X 67 EAPOL packet format 802 1X 67 Message Authenticator attribute 802 1X 69 over RADIUS 802 1X 68 packet format 802 1X 68 enabling device to support first time au...

Страница 199: ...s device portal 108 information displaying help SFTP 147 interaction SSH 122 interface configuring user for SSH client SSH2 0 123 specifying client SFTP 144 specifying NAS ID profile portal 102 specif...

Страница 200: ...ction configuration IP source guard 157 159 165 167 guest VLAN configuration 85 HWTACACS server configuration for telnet user AAA 55 importing peer public key from public key file 1 16 IP source guard...

Страница 201: ...iguration 104 Layer 3 configuration with extended functions 106 logging out user 101 maintaining 103 security policy server 96 server 96 setting max number online users 103 specifying interface NAS ID...

Страница 202: ...86 creating HWTACACS scheme AAA 50 creating ISP domain AAA 28 creating ISP domain attribute AAA 29 creating RADIUS scheme AAA 38 destroying local asymmetric pair public key 1 12 disabling first time a...

Страница 203: ...pecifying VPN instance for RADIUS scheme AAA 39 terminating remote server connection SFTP 147 working with directory SFTP 145 working with file SFTP 146 process authenticating portal 98 authentication...

Страница 204: ...s for packet AAA 45 specifying VPN for scheme AAA 39 timer 802 1X 73 troubleshooting 62 RADIUS based MAC authentication 88 92 remote authentication dial in user service See RADIUS request setting RADI...

Страница 205: ...144 147 configuring connection idle timeout period 143 configuring server 143 151 displaying help information 147 enabling server 143 establishing server connection 144 specifying client interface 14...

Страница 206: ...121 maintaining 129 operation SSH 120 server configuration 129 session request 122 setting management parameter 126 specifying source IP address interface for SSH client 127 version negotiation 120 s...

Страница 207: ...function 802 1X 78 disconnecting AAA 37 logging out portal 101 specifying max number online portal 103 user group configuring attribute AAA 36 version negotiation SSH2 0 120 VLAN assignment 802 1X 73...

Результаты поиска

Содержание S9500E Series

Отзывы:

Бренды по названию

Популярные бренды

H3C S9500E Series, Руководство по настройке безопасности

Результаты поиска

Содержание S9500E Series

Отзывы:

Бренды по названию

Популярные бренды