
HPE Moonshot 45Gc/45XGc/180XGc Switch Module
Security Configuration Guide

Part number: 859335-002
Software version: Release 242x
Document version: 6W100-20160201

Contents 704654-B21

Страница 1: ...HPE Moonshot 45Gc 45XGc 180XGc Switch Module Security Configuration Guide Part number 859335 002 Software version Release 242x Document version 6W100 20160201...

Страница 2: ...d 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to thi...

Страница 3: ...f concurrent login users 48 Configuring a NAS ID profile 49 Displaying and maintaining AAA 49 AAA configuration examples 50 AAA for SSH users by an HWTACACS server 50 Local authentication HWTACACS aut...

Страница 4: ...es 86 Configuration prerequisites 87 Configuration procedure 87 Enabling 802 1X guest VLAN assignment delay 87 Configuring an 802 1X Auth Fail VLAN 88 Configuration guidelines 88 Configuration prerequ...

Страница 5: ...em components 123 Portal system using the local portal Web server 125 Interaction between portal system components 125 Portal authentication modes 126 Portal authentication process 126 Portal configur...

Страница 6: ...AC addresses on a port 189 Setting the port security mode 189 Configuring port security features 190 Configuring NTK 190 Configuring intrusion protection 191 Configuring secure MAC addresses 191 Confi...

Страница 7: ...c certificate request 232 Manually requesting a certificate 232 Aborting a certificate request 233 Obtaining certificates 233 Configuration prerequisites 233 Configuration guidelines 233 Configuration...

Страница 8: ...ion examples 279 Configuring a manual mode IPsec tunnel for IPv4 packets 279 Configuring an IKE based IPsec tunnel for IPv4 packets 281 Configuring IPsec for RIPng 284 Configuring IKE 288 Overview 288...

Страница 9: ...server configuration task list 328 Generating local key pairs 328 Enabling the Stelnet server 329 Enabling the SFTP server 329 Enabling the SCP server 330 Configuring NETCONF over SSH 330 Configuring...

Страница 10: ...SSL security services 385 SSL protocol stack 385 FIPS compliance 386 SSL configuration task list 386 Configuring an SSL server policy 386 Configuring an SSL client policy 388 Displaying and maintaini...

Страница 11: ...rotection 418 Configuration guidelines 418 Configuration procedure 419 Configuration example 419 Configuring ARP filtering 420 Configuration guidelines 420 Configuration procedure 420 Configuration ex...

Страница 12: ...an prevent 452 Single packet attacks 452 Scanning attacks 453 Flood attacks 454 TCP fragment attack 455 Login dictionary attack 455 Attack detection and prevention configuration task list 455 Configur...

Страница 13: ...and icons 476 Conventions 476 Network topology icons 477 Support and other resources 478 Accessing Hewlett Packard Enterprise Support 478 Accessing updates 478 Websites 479 Customer self repair 479 R...

Страница 14: ...ure 1 AAA network diagram To access networks or resources beyond the NAS a user sends its identity information to the NAS The NAS transparently passes the user information to AAA servers and waits for...

Страница 15: ...ents 2 Performs user authentication authorization or accounting 3 Returns user access control information for example rejecting or accepting the user access request to the clients The RADIUS server ca...

Страница 16: ...packet 4 The RADIUS client permits or denies the user according to the authentication result If the result permits the user the RADIUS client sends a start accounting request Accounting Request packe...

Страница 17: ...in the packet indicates whether to start or stop accounting 5 Accounting Respo nse From the server to the client The server sends a packet of this type to notify the client that it has received the A...

Страница 18: ...ut Gigawords 9 Framed IP Netmask 53 Acct Output Gigawords 10 Framed Routing 54 unassigned 11 Filter ID 55 Event Timestamp 12 Framed MTU 56 59 unassigned 13 Framed Compression 60 CHAP Challenge 14 Logi...

Страница 19: ...plement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended functions As shown in Figure...

Страница 20: ...le network transmission Uses UDP which provides high transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only the user password field in an authentication packet Pr...

Страница 21: ...ponse to request the login password 8 Upon receipt of the response the HWTACACS client prompts the user for the login password 9 The user enters the password Host HWTACACS client HWTACACS server 1 The...

Страница 22: ...often change The protocol is used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating systems The software stores the user informa...

Страница 23: ...ments the client sends an administrator bind request to the LDAP server This operation obtains the right to search for authorization information about users on the user DN list Basic LDAP packet excha...

Страница 24: ...with the HWTACACS authorization server instead 10 After successful authorization the LDAP client notifies the user of the successful login AAA implementation on the device This section describes AAA...

Страница 25: ...or more information about the default user role feature see Fundamentals Configuration Guide FTP SFTP and SCP login users also have the root directory of the NAS set as the working directory However t...

Страница 26: ...oss the VPNs The PE at the left side of the MPLS backbone acts as a NAS The NAS transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized a...

Страница 27: ...versized EAP packets 14 Login IP Host IP address of the NAS interface that the user accesses 15 Login Service Type of the service that the user uses for login 18 Reply Message Text to be displayed to...

Страница 28: ...1 Input Peak Rate Peak rate in the direction from the user to the NAS in bps 2 Input Average Rate Average rate in the direction from the user to the NAS in bps 3 Input Basic Rate Basic rate in the dir...

Страница 29: ...ackets from the 802 1X user This attribute only exists in Access Accept and Accounting Request packets 140 User_Group User groups assigned after the SSL VPN user passes authentication A user can belon...

Страница 30: ...hemes Required Configure AAA methods for ISP domains 1 Required Creating an ISP domain 2 Optional Configuring ISP domain attributes 3 Required Perform at least one of the following tasks to configure...

Страница 31: ...cal user group and has all attributes of the group The attributes include the password control attributes and authorization attributes For more information about local user group see Configuring user...

Страница 32: ...portal users specify the portal enabled interfaces through which the users access the device Specify the Layer 2 Ethernet interfaces if portal is enabled on VLAN interfaces and the portal roaming ena...

Страница 33: ...cut minute ip pool pool name ipv6 pool ipv6 pool name user profile profile name user role role name vlan vlan id work directory directory name The following default settings apply FTP SFTP and SCP use...

Страница 34: ...iew user group group name By default there is a system defined user group named system which is the default user group 3 Configure authorization attributes for the user group authorization attribute a...

Страница 35: ...for secure RADIUS communication Optional Specifying an MPLS L3VPN instance for the scheme Optional Setting the username format and traffic statistics units Optional Setting the maximum number of RADIU...

Страница 36: ...no test profiles exist You can configure multiple test profiles in the system Creating a RADIUS scheme Create a RADIUS scheme before performing any other RADIUS configurations You can configure a max...

Страница 37: ...ipv6 address port number key cipher simple string test profile profile name vpn instance vpn instance name weight weight value Specify a secondary RADIUS authentication server secondary authenticatio...

Страница 38: ...rs Specify the primary RADIUS accounting server primary accounting host name ipv4 address ipv6 ipv6 address port number key cipher simple string vpn instance vpn instance name weight weight value Spec...

Страница 39: ...domain name By default the ISP domain name is included in a username However older RADIUS servers might not recognize usernames that contain the ISP domain names In this case you can configure the dev...

Страница 40: ...system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Set the maximum number of RADIUS request transmission attempts retry retry times The default setting is 3 Setting the...

Страница 41: ...ver load sharing is enabled the device distributes the workload over all servers without considering the primary and secondary server roles The device checks the weight value and number of currently s...

Страница 42: ...e the device sends a start accounting request to a server for a user it forwards all subsequent accounting requests of the user to the same server If the accounting server is unreachable the device re...

Страница 43: ...of the RADIUS packet outbound interface is used as the source IP address To specify a source IP address for a RADIUS scheme Step Command Remarks 1 Enter system view system view N A 2 Enter RADIUS sch...

Страница 44: ...s 1 Enter system view system view N A 2 Enter RADIUS scheme view radius scheme radius scheme name N A 3 Set the RADIUS server response timeout timer timer response timeout seconds The default setting...

Страница 45: ...device Use the loose check method only when the server does not issue Login Service attribute values 50 51 and 52 for SSH FTP and terminal users To configure the Login Service attribute check method...

Страница 46: ...Tasks at a glance Required Creating an HWTACACS scheme Required Specifying the HWTACACS authentication servers Optional Specifying the HWTACACS authorization servers Optional Specifying the HWTACACS a...

Страница 47: ...nter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name N A 3 Specify HWTACACS authentication servers Specify the primary HWTACACS authentication server primary authentication host name ipv4 ad...

Страница 48: ...mbination of hostname IP address port number and VPN instance Specifying the HWTACACS accounting servers You can specify one primary accounting server and a maximum of 16 secondary accounting servers...

Страница 49: ...rs in an HWTACACS scheme The keys take effect on all servers for which a shared key is not individually configured To specify a shared key for secure HWTACACS communication Step Command Remarks 1 Ente...

Страница 50: ...packet giga packet kilo packet mega packet one packet By default traffic is counted in bytes and packets Specifying the source IP address for outgoing HWTACACS packets The source IP address of HWTACA...

Страница 51: ...ter an HWTACACS authentication authorization or accounting request is sent If the device does not receive a response from the server within the timer it sets the server to blocked Then the device send...

Страница 52: ...y even if they are unavailable When an HWTACACS server s status changes automatically the device changes this server s status accordingly in all HWTACACS schemes in which this server is specified To s...

Страница 53: ...dress of the LDAP server Step Command Remarks 1 Enter system view system view N A 2 Enter LDAP server view ldap server server name N A 3 Configure the IP address of the LDAP server ip ip address ipv6...

Страница 54: ...rver name N A 3 Specify the administrator DN login dn dn string By default no administrator DN is specified The administrator DN specified on the device must be the same as configured on the LDAP serv...

Страница 55: ...ss user parameters user object class object class name By default no user object is specified and the default user object class on the LDAP server is used The default user object class for this comman...

Страница 56: ...utes such as different username and password structures different service types and different rights To manage users of different ISPs configure ISP domains and configure AAA methods and domain attrib...

Страница 57: ...for authenticated users in the ISP domain authorization attribute ip pool pool name ipv6 pool ipv6 pool name user profile profile name By default no authorization attributes are specified Configuring...

Страница 58: ...fault authentication method is used for login users The none keyword is not supported in FIPS mode 6 Specify the authentication method for portal users authentication portal ldap scheme ldap scheme na...

Страница 59: ...ne radius scheme radius scheme name local none By default the default authorization method is used for LAN users The none keyword is not supported in FIPS mode 6 Specify the authorization method for l...

Страница 60: ...the default accounting method is used for command accounting 5 Specify the accounting method for LAN users accounting lan access local none none radius scheme radius scheme name local none By default...

Страница 61: ...DAE server to log off specific online users Change of Authorization Messages CoA Messages The DAE client sends CoA requests to the DAE server to change the authorization information of specific onlin...

Страница 62: ...xample map the NAS ID companyA to all VLANs of company A The device will send companyA in the NAS Identifier attribute for the RADIUS server to identify requests from any Company A users You can apply...

Страница 63: ...H user and specify the password Details not shown 2 Configure the switch Configure IP addresses for interfaces Details not shown Create an HWTACACS scheme Switch system view Switch hwtacacs scheme hwt...

Страница 64: ...work operator Switch role default role enable Verifying the configuration Initiate an SSH connection to the switch and enter the username hello bbb and the password The user logs in to the switch Deta...

Страница 65: ...hwtacacs scheme hwtac Switch hwtacacs hwtac primary authorization 10 1 1 2 49 Switch hwtacacs hwtac key authorization simple expert Switch hwtacacs hwtac user name format without domain Switch hwtacac...

Страница 66: ...the network operator user role Details not shown Authentication and authorization for SSH users by a RADIUS server Network requirements As shown in Figure 13 configure the switch to meet the following...

Страница 67: ...OK The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch The source IP address is chosen in the following order on th...

Страница 68: ...es with the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Create local RSA and DSA key pairs Switch public key local cre...

Страница 69: ...ng login none Switch isp bbb quit Verifying the configuration Initiate an SSH connection to the switch and enter the username hello bbb and the correct password The user logs in to the switch Details...

Страница 70: ...ools b Double click Active Directory Users and Computers The Active Directory Users and Computers window is displayed c From the navigation tree click Users under the ldap com node d Select Action New...

Страница 71: ...sword g Click OK Add user aaa to group Users h From the navigation tree click Users under the ldap com node i In the right pane right click the user aaa and select Properties j In the dialog box click...

Страница 72: ...elect field and click OK User aaa is added to group Users Figure 20 Adding user aaa to group Users Set the administrator password to admin 123456 a In the right pane right click the user Administrator...

Страница 73: ...icated SSH users the default user role network operator Switch role default role enable Configure an LDAP server Switch ldap server ldap1 Specify the IP address of the LDAP authentication server Switc...

Страница 74: ...are configured with different shared keys Solution To resolve the problem 1 Check that the following items The NAS and the RADIUS server can ping each other The username is in the userid isp name form...

Страница 75: ...address configured on the NAS is incorrect For example the NAS is configured to use a single server to provide authentication authorization and accounting services but in fact the services are provide...

Страница 76: ...LDAP server configured on the NAS match those of the server The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS The user is configur...

Страница 77: ...the server returns the authentication results to the access device to make access decisions The authentication server is typically a RADIUS server In a small LAN you can use the access device as the...

Страница 78: ...red or wireless LAN Between the access device and the authentication server 802 1X delivers authentication information by using one of the following methods Encapsulates EAP packets in RADIUS by using...

Страница 79: ...art The client sends an EAPOL Start message to initiate 802 1X authentication to the access device 0x02 EAPOL Logoff The client sends an EAPOL Logoff message to tell the access device that the client...

Страница 80: ...thentication server does not support the multicast address you must use an 802 1X client that can send broadcast EAPOL Start packets For example you can use the HPE iNode 802 1X client Access device a...

Страница 81: ...performs the following operations in EAP termination mode a Terminates the EAP packets received from the client b Encapsulates the client authentication information in standard RADIUS packets c Uses P...

Страница 82: ...the username in an EAP Response Identity packet to the access device 4 The access device relays the EAP Response Identity packet in a RADIUS Access Request packet to the authentication server 5 The au...

Страница 83: ...an EAP Success packet to the client b Sets the controlled port in authorized state The client can access the network 11 After the client comes online the access device periodically sends handshake req...

Страница 84: ...AP termination mode the access device rather than the authentication server generates an MD5 challenge for password encryption The access device then sends the MD5 challenge together with the username...

Страница 85: ...zed network resources The authorization VLAN of an 802 1X user can be specified on the local device or be assigned by a remote server Supported VLAN types and forms Support for VLAN types and forms de...

Страница 86: ...port does not have other online users the device selects the VLAN with the lowest ID from the group of VLANs If the port has other online users the device selects the VLAN by using the following proce...

Страница 87: ...r to its own authorization VLAN IMPORTANT An 802 1X enabled access port can be assigned to an authorization VLAN only as an untagged VLAN member A hybrid port is always assigned to a VLAN as an untagg...

Страница 88: ...the 802 1X guest VLAN The user can access only resources in the guest VLAN A user in the 802 1X guest VLAN fails 802 1X authentication If an 802 1X Auth Fail VLAN is available the device remaps the M...

Страница 89: ...2 1X Auth Fail VLAN The user can access only resources in the Auth Fail VLAN A user in the 802 1X Auth Fail VLAN fails 802 1X authentication because of any other reason except for unreachable servers...

Страница 90: ...authorize a VLAN the initial PVID of the port applies The user and all subsequent 802 1X users are assigned to this port VLAN After the user logs off the PVID remains unchanged A user in the 802 1X g...

Страница 91: ...based VLANs see Layer 2 LAN Switching Configuration Guide When a reachable RADIUS server is detected the device performs the following operations If MAC based access control is used the device removes...

Страница 92: ...t feature is implemented by the following functionalities Free IP A free IP is a freely accessible network segment which has a limited set of network resources such as software and DHCP servers To ens...

Страница 93: ...1X guest VLAN assignment delay Optional Configuring an 802 1X Auth Fail VLAN Optional Configuring an 802 1X critical VLAN Optional Enabling 802 1X critical voice VLAN Optional Sending 802 1X protocol...

Страница 94: ...er Specify the eap keyword to enable EAP relay Specify the chap or pap keyword to enable CHAP enabled or PAP enabled EAP termination NOTE If EAP relay mode is used the user name format command configu...

Страница 95: ...ter Layer 2 Ethernet interface view interface interface type interface number N A 3 Set the maximum number of concurrent 802 1X users on a port dot1x max user user number The default setting is 429496...

Страница 96: ...online 802 1X users The access device sends handshake requests EAP Request Identity to online users at the interval specified by the dot1x timer handshake period command If the device does not receiv...

Страница 97: ...he 802 1X online user handshake reply feature dot1x handshake reply enable By default the device does not reply to 802 1X clients EAP Response Identity packets during the online handshake process Conf...

Страница 98: ...omain for a port Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Specify a mandatory 802 1X authenticat...

Страница 99: ...e session timeout timer expires Support for the server configuration and assignment of session timeout timer and termination action depends on the server model If no server is reachable for 802 1X rea...

Страница 100: ...feature See Configuring port security Configuration prerequisites Before you configure an 802 1X guest VLAN complete the following tasks Create the VLAN to be specified as the 802 1X guest VLAN If th...

Страница 101: ...guidelines When you configure an 802 1X Auth Fail VLAN follow these restrictions and guidelines Assign different IDs to the voice VLAN the port VLAN and the 802 1X Auth Fail VLAN on a port The assign...

Страница 102: ...uilt in 802 1X clients this mechanism causes reauthentication failure After receiving an EAP Failure packet such a client does not respond to the EAP Request Identity packet from the device when a rea...

Страница 103: ...s the access port of a voice user to the 802 1X critical voice VLAN if the voice user fails authentication because all the RADIUS servers are unreachable The feature does not take effect if the voice...

Страница 104: ...emarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable the device to send 802 1X protocol packets out of the port wit...

Страница 105: ...uto When global MAC authentication or port security is enabled the free IP does not take effect If you use free IP guest VLAN and Auth Fail VLAN features together make sure the free IP segments are in...

Страница 106: ...examples Basic 802 1X authentication configuration example Network requirements As shown in Figure 31 the access device performs 802 1X authentication for users that connect to port FortyGigE 1 1 1 Im...

Страница 107: ...ng RADIUS servers Device radius radius1 primary authentication 10 1 1 1 Device radius radius1 primary accounting 10 1 1 1 Configure the IP addresses of the secondary authentication and accounting RADI...

Страница 108: ...tion after an 802 1X user passes authentication Device display dot1x connection 802 1X guest VLAN and authorization VLAN configuration example Network requirements As shown in Figure 32 use RADIUS ser...

Страница 109: ...tygige 1 1 1 Device vlan10 quit Device vlan 2 Device vlan2 port fortygige 1 1 4 Device vlan2 quit Device vlan 5 Device vlan5 port fortygige 1 1 3 Device vlan5 quit 4 Configure a RADIUS scheme on the a...

Страница 110: ...ce isp bbb authentication lan access radius scheme 2000 Device isp bbb authorization lan access radius scheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device isp bbb quit 6 Configu...

Страница 111: ...he users Details not shown 3 Assign an IP address to each interface as shown in Figure 33 Details not shown 4 Configure a RADIUS scheme Create RADIUS scheme 2000 and enter RADIUS scheme view Device sy...

Страница 112: ...adv 3000 rule 0 deny ip destination 10 0 0 1 0 time range ftp Device acl adv 3000 quit 8 Configure 802 1X Enable 802 1X globally Device dot1x Enable 802 1X on FortyGigE 1 1 1 Device interface fortygi...

Страница 113: ...e 34 Network diagram Configuration procedure 1 Make sure the DHCP server the Web server and the authentication servers have been configured correctly Details not shown 2 Configure an IP address for ea...

Страница 114: ...on and accounting Device isp bbb authentication lan access radius scheme 2000 Device isp bbb authorization lan access radius scheme 2000 Device isp bbb accounting lan access radius scheme 2000 Device...

Страница 115: ...ollowing reasons The address is in the string format The operating system of the host regards the string as a website name and tries to resolve the string If the resolution fails the operating system...

Страница 116: ...uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users You sp...

Страница 117: ...enticated user s authorization VLAN The authorization VLAN becomes the PVID You must assign the same untagged authorization VLAN to all MAC authentication users on the port If a different untagged aut...

Страница 118: ...s still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable A user in the MAC authentication critical VLAN fails MAC authentic...

Страница 119: ...ay the server assigned Session Timeout and Termination Action attributes use the display mac authentication connection command Support for the server configuration and assignment of Session Tmeout and...

Страница 120: ...ou cannot enable MAC authentication on a port already in a link aggregation group or a service loopback group You cannot add a MAC authentication enabled port to a link aggregation group or a service...

Страница 121: ...ice uses the MAC address of a user as the username and password for MAC authentication The MAC address is in the hexadecimal notation without hyphens and letters are in lower case Setting MAC authenti...

Страница 122: ...is feature disables the device from inspecting the online user status To enable MAC authentication offline detection Step Command Remarks 1 Enter system view system view N A 2 Enter Layer 2 Ethernet i...

Страница 123: ...authentication host mode multi vlan By default this feature is disabled on a port When the port receives a packet sourced from an authenticated user in a VLAN not matching the existing MAC VLAN mappin...

Страница 124: ...based access control for 802 1X authentication The port is enabled with the 802 1X unicast trigger For the port to perform MAC authentication before it is assigned to the 802 1X guest VLAN delay assig...

Страница 125: ...ayer 2 LAN Switching Configuration Guide Port intrusion protection The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port int...

Страница 126: ...e shutdown port action of the port intrusion protection feature See Configuring port security To configure the MAC authentication critical VLAN on a port Step Command Remarks 1 Enter system view syste...

Страница 127: ...r Layer 2 Ethernet interface view interface interface type interface number N A 3 Enable the keep online feature for authenticated MAC authentication users on the port mac authentication re authentica...

Страница 128: ...r slot slot number user mac mac addr user name user name Clear MAC authentication statistics reset mac authentication statistics interface interface type interface number Remove users from the MAC aut...

Страница 129: ...ccess local Device isp bbb quit Enable MAC authentication on port FortyGigE 1 1 1 Device interface fortygige 1 1 1 Device FortyGigE1 1 1 mac authentication Device FortyGigE1 1 1 quit Specify the MAC a...

Страница 130: ...1 failed 0 Current online users 1 MAC address Auth state 00e0 fc12 3456 Authenticated The output shows that Host A has passed MAC authentication and has come online Host B failed MAC authentication a...

Страница 131: ...e radius 2000 quit Apply the RADIUS scheme to ISP domain bbb for authentication authorization and accounting Device domain bbb Device isp bbb authentication default radius scheme 2000 Device isp bbb a...

Страница 132: ...Not configured Guest VLAN auth period 30 s Critical VLAN Not configured Critical voice VLAN Disabled Host mode Single VLAN Offline detection Enabled Authentication order Default Max online users 4294...

Страница 133: ...without domain Device radius 2000 quit Apply RADIUS scheme 2000 to ISP domain 2000 for authentication authorization and accounting Device domain 2000 Device isp 2000 authentication default radius sch...

Страница 134: ...ers 4294967295 per slot Online MAC auth users 1 Silent MAC users MAC address VLAN ID From port Port index FortyGigE1 1 1 is link up MAC authentication Enabled Carry User IP Disabled Authentication dom...

Страница 135: ...122 Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss The output shows that ACL 3000 has been assigned to port FortyGigE 1 1 1 to deny access to the FTP server...

Page 136: ...s It has the following advantages Allows users to perform authentication through Web pages without installing client software Provides ISPs with diversified management choices and extended functions F...

Page 137: ...on requests from authentication clients and interacts with the access device to authenticate users Portal Web server The portal Web server pushes the Web authentication page to authentication clients...

Page 138: ...by SSL Portal page customization To perform local portal authentication you must customize a set of authentication pages that the device will push to users You can customize multiple sets of authentic...

Page 139: ...ources The process of direct authentication is simpler than that of re DHCP authentication Re DHCP authentication Before a user passes authentication DHCP allocates an IP address a private IP address...

Page 140: ...RADIUS server exchange RADIUS packets 6 The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure 7 The portal authenticati...

Page 141: ...ed an IP change of the client IP 11 After receiving the IP change notification packets sent by the client and the access device the portal authentication server notifies the client of login success 12...

Page 142: ...sites The portal feature provides a solution for user identity authentication and security check To complete user identity authentication portal must cooperate with RADIUS The prerequisites for portal...

Page 143: ...l authentication server To specify an IPv4 portal server ip ipv4 address vpn instance vpn instance name key cipher simple key string To specify an IPv6 portal server ipv6 ipv6 address vpn instance vpn...

Page 144: ...restrictions and guidelines Make sure the interface has a valid IP address before you enable re DHCP portal authentication on the interface Do not add the interface enabled with portal authentication...

Page 145: ...ipv6 apply web server server name fail permit Reference an IPv4 portal Web server an IPv6 portal Web server or both for the interface By default the interface does not reference any portal Web server...

Page 146: ...specify both a VLAN and an interface the interface must belong to the VLAN Otherwise the portal free rule does not take effect Configuring an authentication source subnet By configuring authenticatio...

Page 147: ...ource subnet portal ipv6 layer3 source ipv6 network address prefix length By default no IPv6 portal authentication source subnet is configured and IPv6 users from any subnets must pass portal authenti...

Page 148: ...er of portal users portal max user max number By default no limit is set on the number of portal users Specifying a portal authentication domain An authentication domain defines a set of authenticatio...

Page 149: ...ortal users Packets that match portal free rules Other outgoing packets on the interface are dropped To enable outgoing packets filtering on a portal enabled interface Step Command Remarks 1 Enter sys...
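The entries for pages 146 through 149 describe four controls that decide what a portal-enabled interface does with a packet: portal-free rules (which only take effect when the named interface belongs to the named VLAN), authentication source subnets, the portal user limit, and outgoing-packet filtering (only traffic of online users or traffic matching a portal-free rule is permitted). The following model puts those rules in one place so their interaction can be exercised. It is an added example, not code from the guide or the switch; the verdict strings, the "users outside the source subnets are dropped" behaviour, and the mirroring of a free rule for the reply direction are modelling assumptions.

```python
"""Model of packet handling on a portal-enabled interface (added example, not device code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class FreeRule:
    """One `portal free-rule`: any field left as None matches anything."""
    source: Optional[str] = None        # CIDR of the user side
    destination: Optional[str] = None   # CIDR of the resource reachable without authentication
    vlan: Optional[int] = None
    interface: Optional[str] = None


@dataclass
class PortalInterface:
    name: str
    vlan: int
    free_rules: List[FreeRule] = field(default_factory=list)
    source_subnets: List[str] = field(default_factory=list)  # empty = users from any subnet
    max_users: Optional[int] = None                           # None = no limit (guide default)
    outbound_filter: bool = False                             # outgoing-packet filtering off by default
    online: Set[str] = field(default_factory=set)             # IPs of authenticated users

    def _rule_applies(self, r: FreeRule, src: str, dst: str) -> bool:
        # A rule naming a VLAN and an interface only takes effect if the interface is in that
        # VLAN; for a single interface that reduces to both values having to match this one.
        if r.vlan is not None and r.vlan != self.vlan:
            return False
        if r.interface is not None and r.interface != self.name:
            return False
        if r.source and ip_address(src) not in ip_network(r.source):
            return False
        if r.destination and ip_address(dst) not in ip_network(r.destination):
            return False
        return True

    def portal_free(self, src: str, dst: str) -> bool:
        return any(self._rule_applies(r, src, dst) for r in self.free_rules)

    def inbound(self, src: str, dst: str) -> str:
        """Verdict for a packet arriving from the user side."""
        if src in self.online or self.portal_free(src, dst):
            return "forward"
        if self.source_subnets and not any(ip_address(src) in ip_network(s) for s in self.source_subnets):
            return "drop:outside-authentication-source-subnets"   # assumption
        if self.max_users is not None and len(self.online) >= self.max_users:
            return "drop:user-limit"                               # assumption
        return "redirect-to-portal"

    def outbound(self, src: str, dst: str) -> str:
        """Verdict for a packet leaving towards the user side (dst is the user)."""
        if not self.outbound_filter:
            return "forward"
        # Free rules are written from the user's point of view, so match them mirrored (assumption).
        if dst in self.online or self.portal_free(dst, src):
            return "forward"
        return "drop"

    def login(self, user_ip: str) -> bool:
        """Admit a user that passed authentication, honouring `portal max-user`."""
        if self.max_users is not None and len(self.online) >= self.max_users:
            return False
        self.online.add(user_ip)
        return True
```

The constructed scenario below mirrors the guide's examples: the RADIUS server and portal Web server are reachable before authentication, a rule bound to the wrong VLAN is ignored, and the user limit is enforced both at login and on the unauthenticated path.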

Page 150: ...tion of IPv4 portal users portal user detect type arp icmp retry retries interval interval idle time By default this feature is disabled on the interface To configure online detection of IPv6 portal u...

Page 151: ...erver detection server detect timeout timeout log trap By default portal authentication server detection is disabled This feature takes effect regardless of whether portal authentication is enabled on...

Page 152: ...erver 2 Upon receiving the synchronization packet the access device compares the users carried in the packet with its own user list If a user contained in the packet does not exist on the access devic...

Page 153: ...server name fail permit By default portal fail permit is disabled for a portal Web server Configuring BAS IP for unsolicited portal packets sent to the portal authentication server If the device runs...

Page 154: ...erent VLANs The strings can be organization names service names or any user categorization criteria depending on the administrative requirements For example map the NAS ID companyA to all VLANs of com...

Page 155: ...or the user or removes the user from the authenticated users list To log out users Step Command 1 Enter system view system view 2 Log out IPv4 portal users portal delete user ipv4 address all interfac...

Page 156: ...nline htm System busy page Pushed when the system is busy or the user is in the logon process busy htm Logoff success page logoffSuccess htm Page request rules The local portal Web server supports onl...

Page 157: ...le can contain only letters numbers and underscores The authentication pages must be placed in the root directory of the zip file Zip files can be transferred to the device through FTP or TFTP and mus...

Page 158: ...tional Configure the listening TCP port for the local portal Web server tcp port port number By default the HTTP service listening port number is 80 and the HTTPS service listening port number is 443...

Page 159: ...authentication Figure 42 Network diagram Configuration prerequisites Configure IP addresses for the host switch and servers as shown in Figure 42 and make sure they can reach each other Configure the...

Page 160: ...oup This example uses the default group Ungrouped f Select Normal from the Action list g Click OK Figure 44 Adding an IP address group 3 Add a portal device a Select Access Service Portal Service Mana...

Page 161: ...ing a portal device 4 Associate the portal device with the IP address group a As shown in Figure 46 click the icon in the Port Group Information Management column of device NAS to enter the port group...

Page 162: ...nt Server from the navigation tree to enter the portal server configuration page as shown in Figure 48 c Configure the portal server parameters as needed This example uses the default settings d Click...

Page 163: ...me as that configured on the switch f Set whether to enable IP address reallocation This example uses direct portal authentication Therefore select No from the Reallocate IP list g Select whether to s...

Page 164: ...e configurations Configuring the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Specify the primary authentication s...

Page 165: ...port 50100 Switch portal server newpt quit Configure a portal Web server Switch portal web server newpt Switch portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit E...

Page 166: ...e authentication the user can access Internet resources After the user passes authentication use the following command to display information about the portal user Switch display portal user interface...

Page 167: ...private IP address range for the IP address group associated with the portal device is the private subnet 10 0 0 0 24 where the host resides The public IP address range for the IP address group is the...

Page 168: ...an interface100 dhcp relay server address 192 168 0 112 Enable authorized ARP Switch Vlan interface100 arp authorized enable Switch Vlan interface100 quit 4 Configure portal authentication Configure a...

Page 169: ...Server name Action Layer3 source network IP address Prefix length Destination authenticate subnet IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a...

Page 170: ...sure the IP address of the portal device added on the portal authentication server is the IP address 20 20 20 1 of the switch s interface connecting the host The IP address group associated with the...

Page 171: ...0 111 8080 portal SwitchA portal websvr newpt quit Enable cross subnet portal authentication on VLAN interface 4 SwitchA interface vlan interface 4 SwitchA Vlan interface4 portal enable method layer3...

Page 172: ...resources After the user passes authentication use the following command to display information about the portal user SwitchA display portal user interface vlan interface 4 Total portal users 1 Usern...

Page 173: ...ing 192 168 0 112 Switch radius rs1 key accounting simple radius Switch radius rs1 key authentication simple radius Switch radius rs1 user name format without domain Specify the security policy server...

Page 174: ...h portal websvr newpt url http 192 168 0 111 8080 portal Switch portal websvr newpt quit Enable direct portal authentication on VLAN interface 100 Switch interface vlan interface 100 Switch Vlan inter...

Page 175: ...that match ACL 3001 After the user passes authentication use the following command to display information about the portal user Switch display portal user interface vlan interface 100 Total portal use...

Page 176: ...the IP address of the portal device added on the portal server is the public IP address 20 20 20 1 of the switch s interface connecting the host The private IP address range for the IP address group a...

Page 177: ...nation 192 168 0 0 0 0 0 255 Switch acl adv 3000 rule deny ip Switch acl adv 3000 quit Switch acl number 3001 Switch acl adv 3001 rule permit ip Switch acl adv 3001 quit NOTE Make sure you specify ACL...

Page 178: ...fy that the portal configuration has taken effect Switch display portal interface vlan interface 100 Portal information of Vlan interface100 Nas id profile Not configured IPv4 Portal status Enabled Au...

Page 179: ...interface100 Configuring extended cross subnet portal authentication Network requirements As shown in Figure 57 Switch A supports portal authentication The host accesses Switch A through Switch B A po...

Page 180: ...able RADIUS session control SwitchA radius session control enable 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view SwitchA domain dm1 Configure AAA methods for th...

Page 181: ...ortal bas ip 20 20 20 1 SwitchA Vlan interface4 quit On Switch B configure a default route to subnet 192 168 0 0 24 specifying the next hop address as 20 20 20 1 Details not shown Verifying the config...

Page 182: ...r newpt State Online Authorization ACL 3001 VPN instance MAC IP VLAN Interface 0015 e9a6 7cfe 8 8 8 2 4 Vlan interface4 Configuring portal server detection and portal user synchronization Network requ...

Page 183: ...n detect the reachability of the portal authentication server by cooperating with the portal server heartbeat function Configure portal user synchronization so that the switch can synchronize portal u...

Page 184: ...oup This example uses the default group Ungrouped f Select Normal from the Action list g Click OK Figure 60 Adding an IP address group 3 Add a portal device a Select Access Service Portal Service Mana...

Page 185: ...ding a portal device 4 Associate the portal device with the IP address group a As shown in Figure 62 click the icon in the Port Group Information Management column of device NAS to enter the port grou...

Page 186: ...ment Server from the navigation tree to enter the portal server configuration page as shown in Figure 64 c Configure the portal server heartbeat interval and user heartbeat interval d Use the default...

Page 187: ...switch s interface connected to the host e Enter the key which must be the same as that configured on the switch f Set whether to enable IP address reallocation This example uses direct portal authent...

Page 188: ...User Access Manager Service Parameters Validate System Configuration from the navigation tree to validate the configurations Configuring the switch 1 Configure a RADIUS scheme Create a RADIUS scheme...

Page 189: ...nterval as 40 seconds and send log messages upon reachability status changes Switch portal server newpt server detect timeout 40 log NOTE The value of timeout must be greater than or equal to the port...

Page 190: ...thentication Configuring cross subnet portal authentication for MPLS L3VPNs Network requirements As shown in Figure 69 the PE device Switch A provides portal authentication for the host in VPN 1 A por...

Page 191: ...tion domain Create an ISP domain named dm1 and enter its view SwitchA domain dm1 Configure AAA methods for the ISP domain SwitchA isp dm1 authentication portal radius scheme rs1 SwitchA isp dm1 author...

Page 192: ...the switch the access device The host is assigned a public IP address either manually or through DHCP The switch acts as both a portal authentication server and a portal Web server A RADIUS server ac...

Page 193: ...he authentication and accounting methods of the default domain are used for the user Switch domain default enable dm1 3 Configure portal authentication Create a local portal Web server Use HTTP to exc...

Page 194: ...configured Authentication domain Not configured BAS IPv6 Not configured User detection Not configured Action for server detection Server type Server name Action Layer3 source network IP address Prefi...

Page 195: ...er can log out by clicking the Disconnect button on the portal authentication client Analysis When you execute the portal delete user command on the access device to log out a user the access device s...

Page 196: ...e portal authentication server the portal authentication server discards the logout notification When sending of the logout notifications times out the access device logs out the user However the port...

Page 197: ...erver considers that the user has failed the authentication Solution Configure the BAS IP or BAS IPv6 attribute on the interface enabled with portal authentication Make sure the attribute value is the...

Page 198: ...security for scenarios that require only 802 1X authentication or MAC authentication For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication...

Page 199: ...is disabled on the port and access to the port is not restricted N A Controlling MAC address learning autoLearn NTK intrusion protection secure Performing 802 1X authentication userLogin N A userLogin...

Page 200: ...rt based access control The port can service multiple 802 1X users Once an 802 1X user passes authentication on the port any subsequent 802 1X users can access the network through the port without aut...

Page 201: ...xt keyword implies Configuration task list Tasks at a glance Remarks Required Enabling port security N A Optional Setting port security s limit on the number of secure MAC addresses on a port N A Requ...

Page 202: ...pendent of the MAC learning limit described in MAC address table configuration For more information about MAC address table configuration see Layer 2 LAN Switching Configuration Guide To set the maxim...

Page 203: ...erating in noRestrictions the default mode To change the port security mode for a port in any other mode first use the undo port security port mode command to restore the default port security mode Co...

Page 204: ...port security intrusion mode blockmac disableport disableport temporarily By default intrusion protection is disabled 4 Return to system view quit N A 5 Optional Set the silence timeout period during...

Page 205: ...er counts up regardless of whether traffic data has been sent from the sticky MAC address If both the aging timer and the inactivity aging feature are configured the aging timer restarts once traffic...
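The entries for pages 199 through 205 describe the autoLearn mode (the port learns MAC addresses as sticky secure MACs up to a configured limit), the three intrusion-protection actions (blockmac, disableport, disableport-temporarily) and the silence timeout that governs the last of them. The model below lets you trace what a port does frame by frame under those settings. It is an added example, not code from the guide or the switch; the transition to secure mode once the limit is reached, the timer defaults and the verdict strings are assumptions.

```python
"""Model of a port-security port in autoLearn mode with intrusion protection (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SecurePort:
    max_secure: int                          # port-security max-mac-count
    intrusion_mode: str                      # blockmac | disableport | disableport-temporarily | off
    silence_timeout: float = 30.0            # seconds the port stays down for disableport-temporarily (assumed)
    block_timeout: float = 180.0             # seconds a MAC stays blocked for blockmac (assumed)
    mode: str = "autoLearn"
    secure_macs: Set[str] = field(default_factory=set)
    blocked_until: Dict[str, float] = field(default_factory=dict)
    disabled_until: Optional[float] = None   # None = up; inf = down until an administrator re-enables it

    def _port_up(self, now: float) -> bool:
        if self.disabled_until is None:
            return True
        if now >= self.disabled_until:       # silence period elapsed: port comes back by itself
            self.disabled_until = None
            return True
        return False

    def receive(self, src_mac: str, now: float) -> str:
        """Return what happens to a frame from src_mac arriving at time `now` (seconds)."""
        src_mac = src_mac.lower()
        if not self._port_up(now):
            return "drop:port-disabled"
        until = self.blocked_until.get(src_mac)
        if until is not None:
            if now < until:
                return "drop:blocked-mac"
            del self.blocked_until[src_mac]   # block timer expired
        if src_mac in self.secure_macs:
            return "forward"
        if self.mode == "autoLearn" and len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(src_mac)     # learned as a sticky secure MAC
            if len(self.secure_macs) >= self.max_secure:
                self.mode = "secure"          # limit reached: learning stops (assumed transition)
            return "learn"
        return self._intrusion(src_mac, now)  # unknown MAC on a port that no longer learns

    def _intrusion(self, src_mac: str, now: float) -> str:
        if self.intrusion_mode == "blockmac":
            self.blocked_until[src_mac] = now + self.block_timeout
            return "intrusion:blockmac"
        if self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
            return "intrusion:disableport"
        if self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.silence_timeout
            return "intrusion:disableport-temporarily"
        return "drop:unknown-mac"             # intrusion protection disabled: frame is just dropped
```

Note how the two actions differ for a legitimate host behind the port: with blockmac only the offending MAC loses access, while disableport-temporarily also cuts off the already-learned hosts for the whole silence period.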

Page 206: ...authorization information from the server You can configure a port to ignore the authorization information received from the server local or remote after an 802 1X or MAC authentication user passes a...

Page 207: ...y If no NAS ID profile is applied or no matching binding is found in the selected profile the device uses the device name as the NAS ID For more information about the NAS ID profile configuration see...

Page 208: ...d count Display information about blocked MAC addresses display port security mac address block interface interface type interface number vlan vlan id count Port security configuration examples autoLe...

Page 209: ...min Disableport timeout 30 s MAC move Denied Authorization fail Online NAS ID profile is not configured OUI value list FortyGigE1 1 1 is link up Port mode autoLearn NeedToKnow mode Disabled Intrusion...

Page 210: ...can learn MAC addresses again Details not shown userLoginWithOUI configuration example Network requirements As shown in Figure 72 a client is connected to the device through port FortyGigE 1 1 1 The d...

Page 211: ...ation lan access radius scheme radsun Device isp sun authorization lan access radius scheme radsun Device isp sun accounting lan access radius scheme radsun Device isp sun quit 2 Set the 802 1X authen...

Page 212: ...15 NAS IP Address Not configured VPN Not configured User Name Format without domain Data flow unit Byte Packet unit one Attribute 15 check mode strict After users pass authentication display port secu...

Page 213: ...uthentication succeeds the client is authorized to access the Internet Configure port FortyGigE 1 1 1 of the device to meet the following requirements Allow more than one MAC authenticated user to log...

Page 214: ...gE1 1 1 port security ntk mode ntkonly Device FortyGigE1 1 1 quit Verifying the configuration Verify the port security configuration Device display port security interface fortygige 1 1 1 Port securit...

Page 215: ...tection Enabled Authentication order Default Max online users 4294967295 Authentication attempts successful 3 failed 7 Current online users 3 MAC address Auth state 1234 0300 0011 authenticated 1234 0...

Page 216: ...Without Tag Disabled Add Guest VLAN delay Disabled EAPOL packets Tx 16331 Rx 102 Sent EAP Request Identity packets 16316 EAP Request Challenge packets 6 EAP Success packets 4 EAP Failure packets 5 Re...

Page 217: ...MAC addresses Symptom Cannot configure secure MAC addresses Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn Solution To resolve the p...

Page 218: ...he password control composition command in Security Command Reference Depending on the system s security requirements you can set the minimum number of character types a password must contain and the...

Page 219: ...asswords for FTP users Early notice on pending password expiration When a user logs in the system checks whether the password will expire in a time equal to or less than the specified notification per...

Page 220: ...t limits the user and user account in any of the following ways Disables the user account until the account is manually removed from the password control blacklist Allows the user to continue using th...

Page 221: ...erform the following tasks Tasks at a glance Required Enabling password control Optional Setting global password control parameters Optional Setting user group password control parameters Optional Set...

Page 222: ...the password expiration time password control aging aging time The default setting is 90 days 3 Set the minimum password update interval password control update interval interval The default setting i...

Page 223: ...time for the user group password control aging aging time By default the password expiration time of the user group equals the global password expiration time 4 Configure the minimum password length f...

Page 224: ...type number type length type length By default the settings equal those for the user group to which the local user belongs If no password composition policy is configured for the user group the global...
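The entries for pages 218 through 224 cover three password-control mechanisms: the composition policy (minimum length, minimum number of character types, minimum characters per type), password aging with an early expiration notice, and the login-attempt limit whose exceed action either disables the account until an administrator clears the blacklist, locks it for a period, or lets the user continue. The code below implements those checks as a reference, using the values of the configuration example on page 226 (two attempts then lock, 30-day aging, 16-character minimum) in the test. It is an added example, not device code; the 7-day notice period, the username and repeated-character complexity checks, and the one-minute lock time are assumptions rather than values quoted from the guide.

```python
"""Reference implementation of password-control checks (added example, not device code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 10              # password-control length
    min_types: int = 2                # password-control composition type-number
    min_per_type: int = 1             # ... type-length
    aging_days: int = 90              # password-control aging (90-day default per the guide)
    alert_days: int = 7               # early expiration notice (assumed value)
    login_attempts: int = 3           # password-control login-attempt
    exceed_action: str = "lock-time"  # lock | lock-time | unlock
    lock_minutes: int = 1             # lock duration for lock-time (assumed value)


_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_composition(policy: PasswordPolicy, password: str, username: str = "") -> List[str]:
    """Return the list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    present = [n for n, rx in _CLASSES.items() if len(rx.findall(password)) >= policy.min_per_type]
    if len(present) < policy.min_types:
        problems.append(f"{len(present)} character type(s) present, {policy.min_types} required")
    # Complexity checks (assumed): no username forward or reversed, no character repeated 3+ times in a row.
    low = password.lower()
    if username and (username.lower() in low or username.lower()[::-1] in low):
        problems.append("contains the username")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three or more times consecutively")
    return problems


def aging_status(policy: PasswordPolicy, age_days: int) -> str:
    """What the login-time check reports for a password set `age_days` ago."""
    remaining = policy.aging_days - age_days
    if remaining <= 0:
        return "expired"
    if remaining <= policy.alert_days:
        return f"expires in {remaining} day(s)"
    return "valid"


class LoginGuard:
    """Counts consecutive login failures per account and applies the exceed action."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, Optional[float]] = {}   # None = until an administrator removes it

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        if user in self.locked_until:
            until = self.locked_until[user]
            if until is None or now < until:
                return "locked"
            del self.locked_until[user]       # lock-time elapsed: account usable again
            self.failures[user] = 0
        if credential_ok:
            self.failures[user] = 0
            return "accept"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n < self.policy.login_attempts:
            return "reject"
        action = self.policy.exceed_action
        if action == "lock":
            self.locked_until[user] = None
        elif action == "lock-time":
            self.locked_until[user] = now + 60 * self.policy.lock_minutes
        else:                                 # unlock: user may keep trying, counter restarts
            self.failures[user] = 0
        return "reject:" + action
```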

Page 225: ...w Task Command Display password control configuration display password control super Display information about users in the password control blacklist display password control blacklist user name name...

Page 226: ...ser account Sysname password control login attempt 2 exceed lock Set all passwords to expire after 30 days Sysname password control aging 30 Globally set the minimum password length to 16 characters S...

Page 227: ...gure the password of the local user in interactive mode Sysname luser manage test password Password Confirm Updating user information Please wait Sysname luser manage test quit Verifying the configura...

Page 228: ...matched Device management user test State Active Service type Telnet User group system Bind attributes Authorization attributes Work directory flash User role list network operator Password control c...

Page 229: ...pt information but only the private key owner can decrypt the information Digital signature The key owner uses the private key to sign information to be sent The receiver decrypts the information with...

Page 230: ...ost key pair if you do not specify a key pair name Both key pairs use their default names In FIPS mode One host key pair NOTE Only SSH 1 5 uses the RSA server key pair In non FIPS mode 512 to 2048 bit...

Page 231: ...d record the key for example copy it to an unformatted file On the peer device you must literally enter the key Exporting a host public key Step Command 1 Enter system view system view 2 Export a loca...

Page 232: ...ods Import the peer host public key from a public key file recommended Manually enter type or copy the peer host public key Importing a peer host public key from a public key file Before you perform t...

Page 233: ...but the system does not save them 4 Return to system view peer public key end When you exit public key view the system automatically saves the public key Displaying and maintaining public keys Execute...

Page 234: ...31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Key name serverkey default Key type RSA Time when key pair created 16 48 31 2011 05 12 Key code 307C300D06092A864886F70...

Page 235: ...0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Example for importing a public key from a public key file Network requirements As shown in Figure 76 Device B authenticate...

Page 236: ...634EEB9FA060478DD0A1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953FB22AA30203010001 Export the RSA host public key to the file devicea pub DeviceA publ...

Page 237: ...ic key peer devicea import sshkey devicea pub Verifying the configuration Verify that the host public key is the same as it is on Device A DeviceB display public key peer name devicea Key name devicea...
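The entries for pages 231 through 237 tell the administrator to record the displayed key, enter it literally on the peer (or import it from a file), and then verify that the peer holds the same key. The "Key code" shown on pages 234 through 236 (`307C300D06092A864886F70D010101...0203010001`) is the hex of a DER-encoded SubjectPublicKeyInfo for an RSA key. The code below encodes and decodes that structure with only the standard library, so a key pasted from one console (line breaks and all) can be compared field by field with the copy on the other device and given a fingerprint to read back over the phone. This is an added example, not code from the guide; the 64-bit modulus in the test is a constructed toy value, not a usable key.

```python
"""Decode and compare RSA host public keys as shown by `display public-key` (added example)."""
import hashlib
import re
from typing import Tuple

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                # keep the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def encode_rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier(rsaEncryption, NULL), BIT STRING { RSAPublicKey } }."""
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))   # leading 0x00 = no unused bits


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: next (length & 0x7F) bytes hold the length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length


def _clean(key_code: str) -> bytes:
    return bytes.fromhex(re.sub(r"\s+", "", key_code))   # tolerate console line breaks/spaces


def decode_rsa_spki(key_code: str) -> Tuple[int, int]:
    """Return (modulus, exponent) from the hex 'Key code' string; raise ValueError if malformed."""
    der = _clean(key_code)
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("bad BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fingerprint(key_code: str) -> str:
    """SHA-256 over the DER bytes; short enough to compare out of band."""
    return hashlib.sha256(_clean(key_code)).hexdigest()


def same_key(local_code: str, peer_code: str) -> bool:
    """True if both key codes decode to the same RSA public key."""
    return decode_rsa_spki(local_code) == decode_rsa_spki(peer_code)
```

Comparing the decoded (modulus, exponent) pair rather than the raw hex means a copy that was re-wrapped or lower-cased on the way still verifies, while a single changed nibble in the modulus does not.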

Page 238: ...y with the international standards of ITU T X 509 of which X 509 v3 is the most commonly used This chapter covers the following types of certificates CA certificate Certificate of a CA Multiple CAs in...

Page 239: ...SCEP to communicate with the CA or RA CA Certification authority that grants and manages certificates A CA issues certificates defines the certificate validity periods and revokes certificates by pub...

Page 240: ...e emails PKI can address the email requirements for confidentiality integrity authentication and non repudiation A common secure email protocol is Secure Multipurpose Internet Mail Extensions S MIME w...

Page 241: ...ity categories Distinguished name DN of the entity which further includes the common name country code locality organization unit in the organization and state If you configure the DN for an entity a c...

Page 242: ...in contains enrollment information for a PKI entity It is locally significant and is intended only for reference by other applications like IKE and SSL To configure a PKI domain Step Command Remarks 1...

Page 243: ...certificate request you must verify the fingerprint that is displayed during authentication of the CA certificate If the CA certificate is obtained through automatic certificate request the certificat...

Page 244: ...sing an out of band method to submit the request Online mode A certificate request can be automatically or manually submitted This section describes the online request mode Configuration guidelines Th...

Page 245: ...password cipher simple password By default the manual request mode applies In auto request mode set a password for certificate revocation as required by the CA policy Manually requesting a certificate...

Page 246: ...ertificates by an out of band means like FTP disk or email and then import them locally Use this mode when the CRL repository is not specified the CA server does not support SCEP or the CA server gene...

Page 247: ...rtificates in online mode pki retrieve certificate domain domain name ca local peer entity name The pki retrieve certificate command is not saved in the configuration file Verifying PKI certificates A...

Page 248: ...ertificates pki validate certificate domain domain name ca local N A Verifying certificates without CRL checking Step Command Remarks 1 Enter system view system view N A 2 Enter PKI domain view pki do...

Page 249: ...t certificates Step Command Remarks 1 Enter system view system view N A 2 Export certificates Export certificates in DER format pki export domain domain name der all ca local filename filename Export...

Page 250: ...ction defined in the access control rule The following conditions describe how a certificate based access control policy verifies the validity of a certificate If a certificate matches a permit statem...
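The entry for page 250 describes how a certificate-based access control policy is evaluated: the policy is an ordered list of permit and deny statements, each referencing an attribute group, and a certificate that matches a permit statement passes while one that matches a deny statement fails. The following evaluator implements that logic so a policy can be dry-run against certificate fields before it is applied. It is an added example, not device code. Two points the truncated entry does not state are modelled as assumptions: a certificate matches a group only if it matches every attribute rule in it, and a certificate matching no statement fails; the `ctn`/`nctn`/`equ`/`nequ` operators and the `subject-name`/`issuer-name`/`alt-subject-name` fields follow the attribute-rule syntax of this command family.

```python
"""Evaluate a certificate-based access control policy (added example, not device code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Cert = Dict[str, Dict[str, List[str]]]   # field -> kind -> values, e.g. {"subject-name": {"dn": ["CN=rnd,O=test"]}}


@dataclass
class AttrRule:
    field: str   # subject-name | issuer-name | alt-subject-name
    kind: str    # dn | fqdn | ip
    op: str      # ctn (contains) | nctn (not contains) | equ | nequ
    value: str


def rule_matches(rule: AttrRule, cert: Cert) -> bool:
    """One attribute rule against one certificate; DN comparison is case-insensitive."""
    values = [v.lower() for v in cert.get(rule.field, {}).get(rule.kind, [])]
    want = rule.value.lower()
    if rule.op == "ctn":
        return any(want in v for v in values)
    if rule.op == "nctn":
        return all(want not in v for v in values)
    if rule.op == "equ":
        return any(want == v for v in values)
    if rule.op == "nequ":
        return all(want != v for v in values)
    raise ValueError(f"unknown operator {rule.op}")


def group_matches(rules: List[AttrRule], cert: Cert) -> bool:
    """Assumption: a certificate matches an attribute group only if it matches all of its rules."""
    return all(rule_matches(r, cert) for r in rules)


def evaluate(policy: List[Tuple[str, str]], groups: Dict[str, List[AttrRule]], cert: Cert) -> str:
    """Walk the statements in order; return 'permit', 'deny', or 'no-match' (treated as failure)."""
    for action, group_name in policy:
        if group_matches(groups.get(group_name, []), cert):
            return action
    return "no-match"


def certificate_passes(policy, groups, cert: Cert) -> bool:
    return evaluate(policy, groups, cert) == "permit"
```

Because statements are evaluated in order, a deny for a narrow group must precede a broad permit; the test below shows the same certificate flipping from pass to fail when only the order changes.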

Page 251: ...oup information display pki certificate attribute group group name Display certificate based access control policy information display pki certificate access control policy policy name PKI configurati...

Page 252: ...e pki entity aaa quit 3 Configure a PKI domain Create a PKI domain named torsa and enter its view Device pki domain torsa Specify the name of the trusted CA as myca Device pki domain torsa ca identifi...

Page 253: ...ation about the local certificate in PKI domain torsa Device display pki certificate domain torsa local Certificate Data Version 3 0x2 Serial Number 15 79 75 ec d2 33 af 5e 46 35 83 bc bd 6e e3 b8 Sig...

Page 254: ...Add or Remove Programs from the start menu b Select Add Remove Windows Components Certificate Services c Click Next to begin the installation d Set the CA name In this example set the CA name to myca...

Page 255: ...rtificate request URL The URL format is http host port certsrv mscep mscep dll where host port is the host IP address and port number of the CA server Device pki domain winserver certificate request u...

Page 256: ...hm rsaEncryption Public Key 2048 bit Modulus 00 c3 b5 23 a0 2d 46 0b 68 2f 71 d2 14 e1 5a 55 6e c5 5e 26 86 c1 5a d6 24 68 02 bf 29 ac dc 31 41 3f 5d 5b 36 9e 53 dc 3a bc 0d 11 fb d6 7d 4f 94 3c c1 90...

Page 257: ...dc 1e 4d 03 d5 d3 f5 9d ad 9b 8d 03 7f be 1e 29 28 87 f7 ad 88 1c 8f 98 41 9a db 59 ba 0a eb 33 ec cf aa 9b fc 0f 69 3a 70 f2 fa 73 ab c1 3e 4d 12 fb 99 31 51 ab c2 84 c0 2f e5 f6 a7 c3 20 3c 9a b0 ce...

Page 258: ...A as myca Device pki domain openca ca identifier myca Configure the certificate request URL The URL is in the format http host cgi bin pki scep where host is the host IP address of the OpenCA server D...

Page 259: ...subdomain DC mydomain sub DC com Validity Not Before Jun 30 09 09 09 2011 GMT Not After May 1 09 09 09 2012 GMT Subject CN rnd O test OU software C CN Subject Public Key Info Public Key Algorithm rsaE...

Page 260: ...a 24 b1 f5 51 1d 0f 5a 07 e6 15 7a 02 31 05 8c 03 72 52 7c ff 28 37 1e 7e 14 97 80 0b 4e b9 51 2d 50 98 f2 e4 5a 60 be 25 06 f6 ea 7c aa df 7b 8d 59 79 57 8f d4 3e 4f 51 c1 34 e6 c1 1e 71 b5 0d 85 86...

Page 261: ...amed pkilocal pem signature and pkilocal pem encryption and contain the private key for signature and encryption respectively Display the local certificate file pkilocal pem signature DeviceA quit Dev...

Page 262: ...ystem view DeviceB pki domain importdomain DeviceB pki domain importdomain undo crl check enable Specify the RSA key pair for signature as sign and the RSA key pair for encryption as encr for certific...

Page 263: ...onent 65537 0x10001 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Cert Type SSL Client S MIME X509v3 Key Usage Digital Signature Non Repudiation X509v3 Extended Key Usage TLS Web Client...

Page 264: ...9 1d 46 d7 bf 1a 86 22 78 87 3e 67 fe 4b ed 37 3d d6 0a 1c 0b Certificate Data Version 3 0x2 Serial Number 08 7c 67 01 5c b3 5a 12 0f 2f Signature Algorithm sha256WithRSAEncryption Issuer C CN L shang...

Page 265: ...f1 29 fa 15 16 90 71 e2 98 e3 5c c6 e3 d4 5f 7a f6 a9 4f a2 7f ca af c4 c8 c7 2c c0 51 0a 45 d4 56 e2 81 30 41 be 9f 67 a1 23 a6 09 50 99 a1 40 5f 44 6f be ff 00 67 9d 64 98 fb 72 77 9e fd f2 4c 3a b2...

Page 266: ...f the problem persists contact Hewlett Packard Enterprise Support Failed to obtain local certificates Symptom No local certificates can be obtained Analysis The network connection is down No CA certif...

Page 267: ...ed during a certificate request process Exclusive certificate request applications are running in the PKI domain The PKI domain is not specified with the source IP address of the PKI protocol packets...

Page 268: ...nd fix any network connection problems 2 Obtain or import the CA certificate 3 If the URL of the CRL repository cannot be obtained verify that the following conditions exist The URL for certificate re...

Page 269: ...rmat of the file to be imported is correct 4 Make sure the certificate file contains the private key 5 Make sure the certificate is not revoked 6 Make sure the certificate is within the validity perio...

Page 270: ...s cannot be set Analysis The specified storage path does not exist The specified storage path is illegal The storage space of the device is full Solution 1 Use mkdir to create the path 2 Specify a val...

Page 271: ...KE IPsec provides the following security services for data packets in the IP layer Confidentiality The sender encrypts packets before transmitting them over the Internet protecting the packets from be...

Page 272: ...lation are placed after the original IP header You can use the transport mode when end to end security protection is required the secured transmission start and end points are the actual start and end...

Page 273: ...port some advanced features such as periodic key update but it can implement IPsec without IKE This mode is mainly used in small and static networks or when the number of IPsec peers in the network is...

Page 274: ...When an IPsec peer identifies the packets to be protected according to the IPsec policy it sets up an IPsec tunnel and sends the packet to the remote peer through the tunnel The IPsec tunnel can be m...

Page 275: ...and standards RFC 2401 Security Architecture for the Internet Protocol RFC 2402 IP Authentication Header RFC 2406 IP Encapsulating Security Payload RFC 4552 Authentication Confidentiality for OSPFv3 F...

Page 276: ...ls authentication and encryption algorithms and the encapsulation mode 3 Configure an IPsec policy to associate data flows with the IPsec transform sets specify the SA negotiation mode the peer IP add...

Page 277: ...matching the permit statement will be protected by IPsec All inbound IPsec packets matching the permit statement will be received and processed but all inbound non IPsec packets will be dropped This w...

Page 278: ...ecify the authentication algorithm for AH ah authentication algorithm sha1 sha256 sha384 sha512 Configure at least one command By default no security algorithm is specified You can specify security al...

Page 279: ...configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end The remote IPv6 address configured on the local end must be th...

Page 280: ...A sa spi outbound ah esp spi number By default no SPI is configured for the inbound or outbound IPsec SA 8 Configure keys for the IPsec SA Configure an authentication key in hexadecimal format for AH...

Page 281: ...tion IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel If no match is found no SA can be set up and the packets expecting to be protected will be dropped The rem...

Page 282: ...ied and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied The local IP address specified by this command must be the same as th...

Page 283: ...al Configure a description for the IPsec policy template description text By default no description is configured 4 Optional Specify an ACL for the IPsec policy template security acl ipv6 acl number n...

Page 284: ...y by referencing the IPsec policy template ipsec ipv6 policy policy policy name seq number isakmp template template name By default no IPsec policy exists Applying an IPsec policy to an interface You...

Page 285: ...replay The IPsec anti replay feature protects networks against replay attacks by using a sliding window mechanism called anti replay window This feature checks the sequence number of each receive...

Page 286: ...ti replay window width The default size is 64 Configuring IPsec anti replay redundancy This feature synchronizes the following information from the master device to all subordinate devices in an IRF f...

Страница 287: ...a source interface the IPsec policy uses the IP address of the bound source interface to perform IKE negotiation If a local address is specified the IPsec policy uses the local address to perform IKE...

Страница 288: ...ng of IPsec packets ipsec logging packet enable By default the logging of IPsec packets is disabled Configuring the DF bit of IPsec packets Perform this task to configure the Don t Fragment DF bit in...

Страница 289: ...nal Enabling logging of IPsec packets Optional Configuring SNMP notifications for IPsec Configuring a manual IPsec profile An IPsec profile is similar to an IPsec policy The difference is that an IPse...

Страница 290: ...ipher simple key value Configure an authentication key in character format for AH sa string key inbound outbound ah cipher simple key value Configure a key in character format for ESP sa string key in...

Страница 291: ...display commands in any view and reset commands in user view Task Command Display IPsec policy information display ipsec ipv6 policy policy policy name seq number Display IPsec policy template inform...

Страница 292: ...itchA acl adv 3101 rule 0 permit ip source 2 2 2 1 0 destination 2 2 3 1 0 SwitchA acl adv 3101 quit Create an IPsec transform set named tran1 SwitchA ipsec transform set tran1 Specify the encapsulati...

Страница 293: ...tchB ipsec transform set tran1 encapsulation mode tunnel Specify the security protocol as ESP SwitchB ipsec transform set tran1 protocol esp Specify the ESP encryption and authentication algorithms Sw...

Страница 294: ...remote address 2 2 3 1 Flow as defined in ACL 3101 Inbound ESP SA SPI 54321 0x0000d431 Transform set ESP ENCRYPT AES CBC 192 ESP AUTH SHA1 No duration limit for this SA Outbound ESP SA SPI 12345 0x000...

Страница 295: ...keychain1 SwitchA ike keychain keychain1 Configure the pre shared key used with the peer 2 2 3 1 as plaintext string of 12345zxcvb ZXCVB SwitchA ike keychain keychain1 pre shared key address 2 2 3 1...

Страница 296: ...orithm sha1 SwitchB ipsec transform set tran1 quit Create the IKE keychain named keychain1 SwitchB ike keychain keychain1 Configure the pre shared key used with the peer 2 2 2 1 as plaintext string of...

Страница 297: ...equirements perform the following tasks 1 Configure basic RIPng For more information about RIPng configurations see Layer 3 IP Routing Configuration Guide 2 Configure an IPsec profile The IPsec profil...

Страница 298: ...itchB interface vlan interface 200 SwitchB Vlan interface200 ripng 1 enable SwitchB Vlan interface200 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 ripng 1 enable SwitchB Vlan in...

Страница 299: ...hC ipsec profile profile001 sa string key outbound esp simple abcdefg SwitchC ipsec profile profile001 sa string key inbound esp simple abcdefg SwitchC ipsec profile profile001 quit Apply the IPsec pr...

Page 300: ...ode manual Encapsulation mode transport Inbound ESP SA SPI 123456 0x3039 Transform set ESP ENCRYPT AES CBC 128 ESP AUTH SHA1 No duration limit for this SA Outbound ESP SA SPI 123456 0x3039 Transform s...

Page 301: ...ameters Performs DH exchanges to calculate shared keys making sure each SA has a key that is independent of other keys Automatically negotiates SAs when the sequence number in the AH or ESP header ove...

Page 302: ...on key distribution and IPsec SA establishment on insecure networks Identity authentication The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers Th...

Page 303: ...wing parameters prior to IKE configuration The algorithms to be used during IKE negotiation including the identity authentication method encryption algorithm authentication algorithm and DH group Diff...

Page 304: ...h is not found the negotiation fails 5 Configure the local ID the ID that the device uses to identify itself to the peer during IKE negotiation For digital signature authentication the device can use...

Page 305: ...ange mode main By default the main mode is used during IKE negotiation phase 1 6 Specify the IKE proposals for the IKE profile to reference proposal proposal number 1 6 By default an IKE profile refer...

Page 306: ...ller number has a higher priority The peer searches its own IKE proposals for a match The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority unt...

Page 307: ...icy template view using the local address command for the IKE keychain to be applied If no local address is configured specify the IP address of the interface that references the IPsec policy 3 You ca...

Page 308: ...em view N A 2 Configure the global identity to be used by the local end ike identity address ipv4 address ipv6 ipv6 address dn fqdn fqdn name user fqdn user fqdn name By default the IP address of the...

Page 309: ...IKE gateway behind the NAT device to send NAT keepalive packets to its peer periodically to keep the NAT session alive To configure the IKE NAT keepalive feature Step Command Remarks 1 Enter system vi...

Page 310: ...ies to send an SPI invalid notification to the data originator This notification is sent by using the IKE SA Because no IKE SA is available the notification is not sent The originating peer continues...

Page 311: ...ration Guide To generate and output SNMP notifications for a specific IKE failure or event type perform the following tasks 1 Enable SNMP notifications for IKE globally 2 Enable SNMP notifications for...

Page 312: ...er 1 Configure Switch A Assign an IP address to VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA vlan interface1 ip address 1 1 1 1 255 255 0 0 SwitchA vlan interface1 q...

Page 313: ...orm set tran1 Specify IKE profile profile1 for the IPsec policy SwitchA ipsec policy isakmp map1 10 ike profile profile1 SwitchA ipsec policy isakmp map1 10 quit Apply IPsec policy map1 to VLAN interf...

Page 314: ...y isakmp use1 10 remote address 1 1 1 1 Reference ACL 3101 to identify the traffic to be protected SwitchB ipsec policy isakmp use1 10 security acl 3101 Reference IPsec transform set tran1 for the IPs...

Page 315: ...ags RD READY RL REPLACED FD FADING 2 The following IKE event debugging or packet debugging message appeared IKE event debugging message Notification PAYLOAD_MALFORMED is received IKE packet debugging...

Page 316: ...ows that the IKE SA negotiation succeeded and the IKE SA is in RD state but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet 2 The following IKE debugging mess...

Page 317: ...2 168 222 71 Transform set transform1 IKE profile profile1 SA duration time based SA duration traffic based SA idle time 2 Verify that the ACL referenced by the IPsec policy is correctly configured If...

Page 318: ...l address 192 168 222 5 Remote address Transform set transform1 IKE profile profile1 SA duration time based SA duration traffic based SA idle time Solution 1 If no matching IKE profiles were found and...

Page 319: ...hanges during the initial exchange process IKE_SA_INIT and IKE_AUTH each with two messages IKE_SA_INIT exchange Negotiates IKE SA parameters and exchanges keys IKE_AUTH exchange Authenticates the iden...

Page 320: ...ers the initiator valid and proceeds with the negotiation If the carried cookie is incorrect the responder terminates the negotiation The cookie challenging mechanism automatically stops working when...

Page 321: ...e challenging feature takes effect only on IKEv2 responders Configuring an IKEv2 profile An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation To configure an IKEv2 profile...

Page 322: ...ets after it de encapsulates them If you specify an inside VPN instance the device looks for a route in the specified VPN instance to forward the packets If you do not specify an inside VPN instance t...

Page 323: ...address interface type interface number ipv4 address ipv6 ipv6 address By default an IKEv2 profile can be applied to any local interface or IP address 9 Optional Specify a priority for the IKEv2 profi...

Page 324: ...ew N A 2 Create an IKEv2 policy and enter IKEv2 policy view ikev2 policy policy name By default an IKEv2 policy named default exists 3 Specify the local interface or address used for IKEv2 policy matc...

Page 325: ...d HMAC SHA256 PRF algorithms HMAC SHA1 and HMAC SHA256 DH groups 14 and 19 3 Specify the encryption algorithms In non FIPS mode encryption 3des cbc aes cbc 128 aes cbc 192 aes cbc 256 aes ctr 128 aes...

Page 326: ...e an IKEv2 keychain Step Command Remarks 1 Enter system view system view N A 2 Create an IKEv2 keychain and enter IKEv2 keychain view ikev2 keychain keychain name By default no IKEv2 keychains exist 3...

Page 327: ...terval exceeds the DPD interval it sends a DPD message to the peer to detect its liveliness If the device has no data to send it never sends DPD messages If you configure IKEv2 DPD in both IKEv2 profi...

Page 328: ...s reset ikev2 sa local remote ipv4 address ipv6 ipv6 address vpn instance vpn instance name tunnel tunnel id fast IKEv2 configuration examples IKEv2 with pre shared key authentication configuration ex...

Page 329: ...pre shared key to be used with the peer at 2 2 2 2 SwitchA ikev2 keychain keychain1 peer peer1 pre shared key plaintext abcde SwitchA ikev2 keychain keychain1 peer peer1 quit SwitchA ikev2 keychain k...

Page 330: ...encryption algorithm des cbc SwitchB ipsec transform set tran1 esp authentication algorithm sha1 SwitchB ipsec transform set tran1 quit Create an IKEv2 keychain named keychain1 SwitchB ikev2 keychain...

Page 331: ...y IPsec policy use1 to VLAN interface 1 SwitchB interface vlan interface 1 SwitchB Vlan interface1 ipsec apply policy use1 SwitchB Vlan interface1 quit Verifying the configuration Initiate a connectio...

Page 332: ...password simple 123 Set an MD5 fingerprint for verifying the validity of the CA root certificate SwitchA pki domain domain1 root certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e Specify th...

Page 333: ...uit Create an IKE based IPsec policy entry with name map1 and sequence number 10 SwitchA ipsec policy map1 10 isakmp Specify remote IP address 2 2 2 2 for the IPsec tunnel SwitchA ipsec policy isakmp...

Page 334: ...ede6c56b102e Specify the trusted CA 8088 SwitchB pki domain domain2 ca identifier 8088 Specify the URL of the registration server for certificate request through the SCEP protocol This example uses a...

Page 335: ...1 1 1 for the IPsec tunnel SwitchB ipsec policy template template1 1 remote address 1 1 1 1 Specify ACL 3101 to identify the traffic to be protected SwitchB ipsec policy template template1 1 security...

Page 336: ...m sets were found Symptom The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA is in EST status The display ipsec sa command shows that the expected IPsec SAs ha...

Page 337: ...the other end by using the reset ikev2 sa command and trigger new negotiation If an IKEv2 SA exists on both ends go to the next step 2 Use the display ipsec sa command to examine whether IPsec SAs ex...

Page 338: ...ofing and plain text password interception The device can act as an Stelnet server or an Stelnet client SFTP Based on SSH2 it uses SSH connections to provide secure file transfer The device can act as...

Page 339: ...sted at one time must be no more than 2000 bytes As a best practice to ensure successful execution of commands paste commands that are in the same view To execute commands of more than 2000 bytes save...

Page 340: ...n SSH client the device supports using the public key algorithms RSA DSA and ECDSA to generate digital signatures For more information about public key configuration see Managing public keys Password...

Page 341: ...uthentication method is publickey password publickey or any Configuring the PKI domain for verifying the client certificate See Configuring PKI Required if the following conditions exist The authentic...

Page 342: ...or secure transmission of the session key Because SSH2 uses the DH algorithm to generate each session key on the SSH server and the client no session key transmission is required The server key pair i...

Page 343: ...NETCONF over SSH connection When the device acts as a server in the NETCONF over SSH connection connection requests initiated by SSH1 clients are not supported For more information about NETCONF over...

Page 344: ...erver 2 Specify the associated host private key on the client to generate the digital signature If the device acts as an SSH client specify the public key algorithm on the client The algorithm determi...

Page 345: ...mmand to create them If such an SSH user has been created make sure you have specified the correct service type and authentication method If the authentication method is password publickey or any you...

Page 346: ...ter system view system view 2 Create an SSH user and specify the service type and authentication method In non FIPS mode ssh user username service type all netconf scp sftp stelnet authentication type...

Page 347: ...timeout time out value The default setting is 10 minutes When the idle timeout timer expires the system automatically terminates the connection 9 Specify the maximum number of concurrent online SSH u...

Page 348: ...interface interface type interface number ipv6 ipv6 address By default the source IP address for SSH packets is not configured The IPv4 SSH packets use the primary IPv4 address of the output interface...

Page 349: ...prefer compress zlib prefer ctos cipher aes128 cbc aes256 cbc aes128 ctr aes192 ctr aes256 ctr aes128 gcm aes256 gcm prefer ctos hmac sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group14 sha1 ecdh sh...

Page 350: ...512 escape character public key keyname server pki domain domain name source interface interface type interface number ipv6 ipv6 address Establishing a connection to an Stelnet server based on Suite...

Page 351: ...Specify the source IPv4 address for SFTP packets sftp client source ip ip address interface interface type interface number Specify the source IPv6 address for SFTP packets sftp client ipv6 source ip...

Page 352: ...FIPS mode establish a connection to an IPv4 SFTP server sftp server port number vpn instance vpn instance name identity key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 pki domain...

Page 353: ...2 public key keyname server pki domain domain name source interface interface type interface number ipv6 ipv6 addres Establishing a connection to an SFTP server based on Suite B After the connection i...

Page 354: ...SFTP server rmdir remote path Available in SFTP client view Working with SFTP files Task Command Remarks Change the name of a file on the SFTP server rename old name new name Available in SFTP client...

Page 355: ...with an SCP server Task Command Remarks Connect to the SCP server and transfer files with the server In non FIPS mode connect to the IPv4 SCP server and transfer files with this server scp server port...

Page 356: ...aes128 gcm aes256 gcm prefer ctos hmac md5 md5 96 sha1 sha1 96 sha2 256 sha2 512 prefer kex dh group exchange sha1 dh group1 sha1 dh group14 sha1 ecdh sha2 nistp256 ecdh sha2 nistp384 prefer stoc ciph...

Page 357: ...92 bit pki domain domain name server pki domain domain name prefer compress zlib source interface interface type interface number ipv6 ipv6 address Available in user view The client cannot establish c...

Page 358: ...thm public key dsa ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 In FIPS mode ssh2 algorithm public key ecdsa rsa x509v3 ecdsa sha2 nistp384 x509v3 ecdsa sha2 nistp256 By default SSH...

Page 359: ...on the SSH server display ssh user information username Display the public keys of the local key pairs display public key local dsa ecdsa rsa public name publickey name Display the public keys of the...

Page 360: ...The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key p...

Page 361: ...t001 quit Create an SSH user client001 Specify the service type as stelnet and the authentication method as password for the user By default password authentication is used if no SSH user is created S...

Page 362: ...figuration management The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm Figure 97 Network diagram Configuration procedure In the server configura...

Page 363: ...ir on the client a Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 99 Otherwise the progress bar stops moving and the key pair generating progress st...

Page 364: ...saving window appears g Enter a file name private ppk in this example and click Save h Transmit the public key file to the server through FTP or TFTP Details not shown 2 Configure the Stelnet server G...

Page 365: ...0 63 quit Import the client s public key from file key pub and name it switchkey Switch public key peer switchkey import sshkey key pub Create an SSH user client002 Specify the authentication method a...

Page 366: ...name or IP address c Select Connection SSH from the navigation tree The window shown in Figure 102 appears d Specify the Preferred SSH protocol version as 2 in the Protocol options area Figure 102 Sp...

Page 367: ...he system notifies you to enter the username After entering the username client002 you can enter the CLI of the server Password authentication enabled Stelnet client configuration example Network requ...

Page 368: ...ECDSA key pair SwitchB public key local create ecdsa secp256r1 Generating Keys Create the key pair successfully Enable the Stelnet server SwitchB ssh server enable Assign an IP address to VLAN interf...

Page 369: ...ils not shown Enter public key view of the client and copy the host public key of the server to the client SwitchA public key peer key1 Enter public key view Return to system view with peer public key...

Page 370: ...witchB After you enter the correct password you log in to Switch B successfully If the client does not have the server s host public key the system notifies you to confirm whether to continue with the...

Page 371: ...VLAN interface 2 SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 1 56 255 255 255 0 SwitchA Vlan interface2 quit Generate a DSA key pair SwitchA publi...

Page 372: ...255 255 255 0 SwitchB Vlan interface2 quit Set the authentication mode to AAA for the user lines SwitchB line vty 0 63 SwitchB line vty0 63 authentication mode scheme SwitchB line vty0 63 quit Import...

Page 373: ...an Stelnet client SSH2 Switch B acts as the Stelnet server SSH2 and it uses publickey authentication Switch B uses the following algorithms for the algorithm negotiation with the Stelnet client Key ex...

Page 374: ...ir name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A to Z 0 to 9 and hyphens Please enter the key pair name default name server256 Display information abo...

Page 375: ...l filename ssh client ecdsa256 p12 The system is going to save the key pair You must specify a key pair name which is a case insensitive string of 1 to 64 characters Valid characters include a to z A...

Page 376: ...for verifying the client s certificate and import the file of the client s certificate to this domain Details not shown Create a PKI domain named server256 for the server s certificate and import the...

Page 377: ...ithout the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB SFTP configuration examples Unless otherwise noted devices in the configuration examples are in...

Page 378: ...to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate an ECDSA key pair Switch public key local create ecdsa secp256r1 Generating Keys Create the ke...

Page 379: ...a connection between the SFTP client and the SFTP server The device supports different types of SFTP client software This example uses an SFTP client that runs PSFTP of PuTTy version 0 58 NOTE PSFTP...

Page 380: ...SwitchA Vlan interface2 quit Generate RSA key pairs SwitchA public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press...

Page 381: ...itchkey import sshkey pubkey Create an SSH user client001 Specify the service type as sftp and the authentication method as publickey for the user Assign the public key switchkey to the user SwitchB s...

Page 382: ...pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Rename directory new1 to new2 and verify the result...

Page 383: ...e and the server s certificate Details not shown You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties In...

Page 384: ...24 7b 32 6a ed b6 36 e1 4d cc 8c 05 22 f4 3a 7c 5d b7 be d1 e6 9e f0 ce 95 39 ca fd a0 86 cd 54 ab 49 60 10 be 67 9f 90 3a 18 e2 7d d9 5f 72 27 09 e7 bf 7e 64 0a 59 bb b3 7d ae 88 14 94 45 b9 34 d2 f3...

Page 385: ...ot After Aug 19 10 10 59 2016 GMT Subject C CN ST aaa O ccc OU Software CN ssh client Subject Public Key Info Public Key Algorithm id ecPublicKey Public Key 384 bit pub 04 85 7c 8b f4 7a 36 bf 74 f6 7...

Page 386: ...rver pki domain server384 Enable the SFTP server SwitchB sftp server enable Assign an IP address to VLAN interface 2 SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 0 1 2...

Page 387: ...n you are assigned the user role network admin and can securely transfer files with Switch B Switch B uses the password authentication method The client s username and password are saved on Switch B F...

Page 388: ...age client001 authorization attribute user role network admin SwitchB luser manage client001 quit Configure an SSH user client001 Specify the service type as scp and the authentication method as passw...

Page 389: ...re ssh server ecdsa256 p12 and ssh server ecdsa384 p12 The client s certificate files are ssh client ecdsa256 p12 and ssh client ecdsa384 p12 2 Configure the SCP client NOTE You can modify the pkix ve...

Page 390: ...ALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier 08 C1 F1 AA 97 45 19 6A DA 4A F2 87 A1 1A E8 30 BD 31 30 D7 X509v3 Authority Key Identifier keyid 5A BE 85 49 16 E5 EB...

Page 391: ...9a 4c 70 61 35 db e4 39 b8 38 c4 60 4a 65 28 49 14 32 3c cc 6d cd 34 29 83 84 74 a7 2d 0e 75 1c c2 52 58 1e 22 16 12 d0 b4 8a 92 ASN1 OID prime256v1 NIST CURVE P 256 X509v3 extensions X509v3 Basic Co...

Page 392: ...ver Subject Public Key Info Public Key Algorithm id ecPublicKey Public Key 384 bit pub 04 4a 33 e5 99 8d 49 45 a7 a3 24 7b 32 6a ed b6 36 e1 4d cc 8c 05 22 f4 3a 7c 5d b7 be d1 e6 9e f0 ce 95 39 ca fd...

Page 393: ...2 Signature Algorithm ecdsa with SHA384 Issuer C CN ST aaa L bbb O ccc OU Software CN SuiteB CA Validity Not Before Aug 20 10 10 59 2015 GMT Not After Aug 19 10 10 59 2016 GMT Subject C CN ST aaa O cc...

Page 394: ...he file of this certificate to this domain Details not shown Specify Suite B algorithms for algorithm negotiation SwitchB system view SwitchB ssh2 algorithm key exchange ecdh sha2 nistp256 ecdh sha2 n...

Page 395: ...erver pki domain server384 Create an SSH user client002 Specify the authentication method publickey for the user and specify client384 as the PKI domain for verifying the client s certificate Switch s...

Page 396: ...of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair succes...

Page 397: ...y the plaintext password as aabbcc and the service type as ssh for the user Switch luser manage client001 password simple aabbcc Switch luser manage client001 service type ssh Assign the user role net...

Page 398: ...message authentication code MAC to verify message integrity It uses a MAC algorithm and a key to transform a message of any length to a fixed length message Any change to the original message will re...

Page 399: ...at complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode SSL configuration task list Tasks at a glanc...

Page 400: ...er policy If SSL server authentication is required you must specify a PKI domain and request a local certificate for the SSL server in the domain For information about how to create and configure a PK...

Page 401: ...is a set of SSL parameters that the client uses to establish a connection to the server An SSL client policy takes effect only after it is associated with an application such as DDNS To configure an S...

Page 402: ..._256_cbc_sha rsa_aes_256_cbc_sha256 rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha In FIPS mode prefer cipher ecdhe_ecdsa_aes_128_ cbc_sha256 ecdhe_ecdsa_aes_128_g cm_sha256 ecdhe_ecdsa_aes_256_c bc_...

Page 403: ...certificates server verify enable By default SSL server authentication is enabled Displaying and maintaining SSL Execute display commands in any view Task Command Display cryptographic library versio...

Page 404: ...SG bindings As shown in Figure 116 IPSG on the interface forwards only the packets that match one of the IPSG bindings Figure 116 Diagram for the IPSG feature NOTE IPSG is a per interface packet filte...

Page 405: ...LAN obtain IP addresses through DHCP IPSG is configured on the DHCP snooping device or the DHCP relay agent It generates dynamic IPSG bindings based on the DHCP snooping entries or DHCP relay entries...

Page 406: ...rrectly on the network To enable the IPv4SG feature on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The follow...

Page 407: ...or the ARP detection function the vlan vlan id option must be specified and ARP detection must be enabled for the specified VLAN You can configure the same static IPv4SG binding on different interface...

Page 408: ...the global bindings Configuring a global static IPv6SG binding Step Command Remarks 1 Enter system view system view N A 2 Configure a global static IPv6SG binding ipv6 source binding ip address ipv6...

Page 409: ...c IPv4SG configuration example Network requirements As shown in Figure 117 all hosts use static IP addresses Configure static IPv4SG bindings on Switch A and Switch B to meet the following requirement...

Page 410: ...yGigE 1 1 1 SwitchB interface fortygige 1 1 1 SwitchB FortyGigE1 1 1 ip verify source ip address mac address On FortyGigE 1 1 1 configure a static IPv4SG binding for Host B SwitchB FortyGigE1 1 1 ip s...

Page 411: ...Switch FortyGigE1 1 2 dhcp snooping trust Switch FortyGigE1 1 2 quit Enable IPv4SG on FortyGigE 1 1 1 and verify the source IP address and MAC address for dynamic IPSG Switch interface fortygige 1 1 1...

Page 412: ...onfigure VLAN interface 100 to operate in DHCP relay mode Switch interface vlan interface 100 Switch Vlan interface100 dhcp select relay Specify the IP address of the DHCP server Switch Vlan interface...

Page 413: ...from the DHCPv6 server Perform the following tasks Enable DHCPv6 snooping on the switch to make sure the DHCPv6 client obtains an IPv6 address from the authorized DHCPv6 server To generate a DHCPv6 s...

Page 414: ...ch FortyGigE1 1 1 ipv6 dhcp snooping binding record Switch FortyGigE1 1 1 quit Verifying the configuration Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 snooping entry Switch dis...

Page 415: ...cket rate limit configured on access devices Configuring source MAC based ARP attack detection configured on gateways User and gateway spoofing prevention Configuring ARP packet source MAC consistency...

Page 416: ...dresses Configuring ARP source suppression Step Command Remarks 1 Enter system view system view N A 2 Enable ARP source suppression arp source suppression enable By default ARP source suppression is d...

Page 417: ...ce suppression Enable ARP source suppression Device system view Device arp source suppression enable Configure the device to receive a maximum of 100 unresolvable packets from a host in 5 seconds Devi...

Page 418: ...center see Network Management and Monitoring Configuration Guide To configure ARP packet rate limit Step Command Remarks 1 Enter system view system view N A 2 Optional Enable notification sending for...

Page 419: ...igure the aging timer for ARP attack entries arp source mac aging time time By default the lifetime is 300 seconds 5 Optional Exclude specific MAC addresses from this detection arp source mac exclude...

Page 420: ...method as filter Device system view Device arp source mac filter Set the threshold to 30 Device arp source mac threshold 30 Set the lifetime for ARP attack entries to 60 seconds Device arp source mac...

Page 421: ...the gateway discards the packet To configure ARP active acknowledgement Step Command Remarks 1 Enter system view system view N A 2 Enable the ARP active acknowledgement feature arp active ack strict...

Page 422: ...e SwitchA FortyGigE1 1 1 ip address 10 1 1 1 24 SwitchA FortyGigE1 1 1 quit Configure DHCP SwitchA dhcp enable SwitchA dhcp server ip pool 1 SwitchA dhcp pool 1 network 10 1 1 0 mask 255 255 255 0 Swi...

Страница 423: ...figuration procedure 1 Configure Switch A Specify the IP address for FortyGigE 1 1 1 SwitchA system view SwitchA interface fortygige 1 1 1 SwitchA FortyGigE1 1 1 port link mode route SwitchA FortyGigE...

Страница 424: ...the configuration Display authorized ARP information on Switch B SwitchB display arp all Type S Static D Dynamic O Openflow M Multiport I Invalid IP Address MAC Address VLAN Interface Aging Type 10 10...

Страница 425: ...uide Configuration guidelines You must specify a VLAN for an IP source guard binding Otherwise no ARP packets can match the IP source guard binding Configuration procedure To configure user validity c...

Страница 426: ...t ARP packet validity check is disabled 6 Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number N A 7 Optional Configure the interface as...

Страница 427: ...ining ARP detection Execute display commands in any view and reset commands in user view Task Command Display the VLANs enabled with ARP detection display arp detection Display the ARP detection stati...

Страница 428: ...tchB interface fortygige 1 1 3 SwitchB FortyGigE1 1 3 dhcp snooping trust SwitchB FortyGigE1 1 3 quit Enable recording of client information in DHCP snooping entries on FortyGigE 1 1 1 SwitchB interfa...

Страница 429: ...ents As shown in Figure 127 configure ARP restricted forwarding on Switch B where ARP detection is configured Port isolation configured on Switch B can take effect for broadcast ARP requests Figure 12...

Страница 430: ...1 1 2 If the ARP packets are confirmed as valid the switch performs user validity check by using the static IP source guard bindings and DHCP snooping entries However ARP broadcast requests sent from...

Страница 431: ...mmand 1 Enter system view system view 2 Enter Layer 3 Ethernet interface Layer 3 Ethernet subinterface VLAN interface Layer 3 aggregate interface Layer 3 aggregate subinterface view interface interfac...

Страница 432: ...launches gateway spoofing attacks to Switch B As a result traffic that Switch B intends to send to Switch A is sent to Host B Configure Switch B to block such attacks Figure 128 Network diagram Config...

Страница 433: ...ith ARP detection MFF ARP fast reply and ARP snooping ARP filtering applies first Configuration procedure To configure ARP filtering Step Command Remarks 1 Enter system view system view N A 2 Enter La...

Страница 434: ...der IP address is within the allowed IP address range the gateway continues ARP learning If the sender IP address is out of the range the gateway determines the ARP packet as an attack packet and disc...

Страница 435: ...422 Step Command Remarks for ARP sender IP address checking start ip address end ip address specified for ARP sender IP address checking...

Page 436: ...ts from hosts to the gateway for further forwarding. The hosts are isolated at Layer 2, but they can communicate at Layer 3. An MFF-enabled device and a host cannot ping each other. Figure 130 Network dia...

Page 437: ...n a cascaded network (a network with multiple MFF devices connected to one another). Ports between devices in a ring network. Link aggregation is supported by network ports in an MFF-enabled VLAN, but it i...

Page 438: ...d gateways. If the source MAC addresses of ARP requests from gateways are different from those recorded, the MFF device updates and broadcasts the IP and MAC addresses of the gateways. Protocols and stan...

Page 439: ...Interfaces on a router in a VRRP group. When the MFF device receives an ARP request from a server, the MFF device searches the IP-to-MAC address entries it has stored. Then the device replies with the reques...

Page 440: ...other through Gateway at Layer 3. Figure 131 Network diagram. Configuration procedure: 1. Configure the IP addresses of the hosts and Gateway as shown in Figure 131. 2. Configure Switch A: Configure manual-m...

Page 441: ...example in a ring network. Network requirements: As shown in Figure 132, all the devices are in VLAN 100 and the switches form a ring. Hosts A, B, and C are assigned IP addresses manually. Configure MFF to i...

Page 442: ...anual-mode MFF on VLAN 100: [SwitchB] vlan 100; [SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100. Specify the IP address of the server: [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.20...

Page 443: ...t forged source addresses, or attack multiple servers simultaneously to block connections or even break down the network. uRPF can prevent these source address spoofing attacks. It checks whether an inte...

Page 444: ...packets. 2. uRPF checks whether the source address matches a FIB entry. (Figure residue; flowchart decision labels: Checks the received packet; Broadcast source address; All-zero source address; Matching FIB entry found; Broadcast destination address...)

Page 445: ...o step 9. 5. uRPF checks whether the source IP address matches an ARP entry. If yes, uRPF proceeds to step 8. If no, uRPF proceeds to step 9. 6. uRPF checks whether the FIB table has a default route. If yes, uR...

Page 446: ...hecks only incoming packets on an interface. After you enable the uRPF function on the switch, the routing table size might decrease by half. If the number of routes exceeds half the routing table size, o...

Page 447: ...itch A directly connects to an ISP switch, Switch B. Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks. Figure 136 Network diagram. Configuration procedure: 1. Ena...
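
The strict-versus-loose reverse path decision and the special cases the flowchart labels above name (broadcast source, all-zero source, FIB match, FIB that holds only a default route), as an added Python model. It is example code, not the switch's implementation or text from the guide. The FIB, interface names and packets are constructed; because only part of the guide's numbered step sequence is visible here, the ordering of the checks and the omission of the ARP-entry step are assumptions.

```python
"""uRPF check model (added example; not the switch's implementation)."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

BROADCAST = IPv4Address("255.255.255.255")
ZERO = IPv4Address("0.0.0.0")

# Constructed FIB of "Switch A": (prefix, outgoing interface). Hypothetical interface names.
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "Vlan-interface10"),
    ("10.1.2.0/24", "Vlan-interface12"),
    ("0.0.0.0/0", "FortyGigE1/1/1"),   # default route towards the ISP switch
]


def fib_lookup(fib: List[Tuple[str, str]], addr: str) -> Optional[Tuple[IPv4Network, str]]:
    """Longest-prefix match; returns (network, outgoing interface) or None."""
    a = IPv4Address(addr)
    best = None
    for prefix, iface in fib:
        net = IPv4Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: List[Tuple[str, str]], src: str, dst: str, in_iface: str,
               strict: bool = True, allow_default_route: bool = False) -> str:
    """Return 'forward' or 'drop:<reason>' for a packet that arrived on in_iface."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if s == BROADCAST:
        return "drop:broadcast-source"
    if s == ZERO:
        # An all-zero source is legitimate only for broadcast requests (e.g. DHCP DISCOVER).
        return "forward" if d == BROADCAST else "drop:zero-source"
    match = fib_lookup(fib, src)
    if match is None:
        return "drop:no-fib-entry"
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        # Only the default route covers the source: reject unless explicitly allowed.
        return "drop:default-route-only"
    if not strict:
        return "forward"          # loose mode: any reachable source passes
    # strict mode: the route back to the source must leave via the ingress interface
    return "forward" if out_iface == in_iface else "drop:reverse-path-mismatch"


def run_demo() -> Dict[str, str]:
    """Strict uRPF on the ISP-facing switch of the scenario above, over constructed packets."""
    cases = {
        "internal host on its own VLAN": ("10.1.2.7", "198.51.100.1", "Vlan-interface12", True, False),
        "internal address spoofed from the ISP link": ("10.1.2.7", "10.1.2.8", "FortyGigE1/1/1", True, False),
        "same spoof under loose uRPF": ("10.1.2.7", "10.1.2.8", "FortyGigE1/1/1", False, False),
        "ISP traffic, default route not allowed": ("203.0.113.9", "10.1.2.8", "FortyGigE1/1/1", True, False),
        "ISP traffic, default route allowed": ("203.0.113.9", "10.1.2.8", "FortyGigE1/1/1", True, True),
        "DHCP discover": ("0.0.0.0", "255.255.255.255", "Vlan-interface12", True, False),
        "broadcast source": ("255.255.255.255", "10.1.2.8", "Vlan-interface12", True, False),
    }
    return {name: urpf_check(FIB, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:45s} {verdict}")
```

The "default route allowed" case is the one to think about on an edge switch: with a default route pointing at the ISP link, allowing it in strict mode lets any Internet source in on that link (which is what you want there), while leaving it disallowed would drop all external traffic.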

Page 448: ...cannot enable or disable software crypto engines. The switch only supports software crypto engines in the current software version. Crypto engines provide encryption/decryption services for service modu...

Page 449: ...password control policies, such as password length, complexity, and aging policy. When the aging timer for a password expires, the system prompts you to change the password. If you adjust the system time af...

Page 450: ...omatic reboot and manual reboot. Automatic reboot: To use automatic reboot to enter FIPS mode: 1. Enable FIPS mode. 2. Select the automatic reboot method. The system automatically performs the following task...

Page 451: ...is available. The SSL server only supports TLS 1.0, TLS 1.1, and TLS 1.2. The SSH server does not support SSHv1 clients and DSA key pairs. The generated RSA and DSA key pairs must have a modulus length of 20...

Page 452: ...fault authentication mode is none for a console port. After you disable FIPS mode, follow these restrictions and guidelines before you manually reboot the device: If you are logged into the device throug...

Page 453: ...en uses the private key to decrypt the encrypted text. If the decryption is successful, the test succeeds. Table 21 lists the cryptographic algorithms examined by the power-up self-test. Table 21 Power-up...

Page 454: ...ode state: display fips status. FIPS configuration examples. Entering FIPS mode through automatic reboot. Network requirements: Use the automatic reboot method to enter FIPS mode, and use a console port to...

Page 455: ...password confirm. Updating user information. Please wait... <Sysname>. Display the current FIPS mode state: <Sysname> display fips status / FIPS mode is enabled. Display the default configuration file: <Sysname> more...

Page 456: ...ation will be written to the device. Are you sure? [Y/N]: y. Please input the file name (*.cfg) [flash:/startup.cfg] (To leave the existing filename unchanged, press the enter key): flash:/startup.cfg exists, overwrite...

Page 457: ...s. A user has logged in to the device in FIPS mode through SSH with a username of test and a password of 12345zxcvb ZXCVB (special characters lost in extraction). Use the manual reboot method to exit FIPS mode. Configuration procedure: Disable...

Page 458: ...tartup.mdb. Delete flash:/startup.mdb? [Y/N]: y. Deleting file flash:/startup.mdb... Done. Reboot the device: <Sysname> reboot. Verifying the configuration: After the device reboots, enter a username of test and a pass...

Page 459: ...equired. Configuring parameters for a user profile. Configuration restrictions and guidelines: Before creating a user profile, perform the following tasks: 1. Plan the authentication method for your network...

Page 460: ...Displaying and maintaining user profiles. Execute display commands in any view. Task / Command: Display configuration and online user information for the specified user profile or all user profiles: displa...

Page 461: ...traffic filtering action as deny: [Switch] traffic behavior for_usera; [Switch-behavior-for_usera] filter deny; [Switch-behavior-for_usera] quit. Create QoS policy for_usera and associate traffic class for_use...

Page 462: ...vior for_userc; [Switch-behavior-for_userc] car cir 4000; [Switch-behavior-for_userc] quit. Create QoS policy for_userc and associate traffic class class with traffic behavior for_userc: [Switch] qos policy for...

Page 463: ...od for local users. Configure ISP domain user to use local authentication and authorization without accounting for local users: [Switch] domain user; [Switch-isp-user] authentication lan-access local; [Switch...

Page 464: ...licy for_userb slot 1. User: Authentication type: 802.1X. Network attributes: Interface: Ten-GigabitEthernet1/0/1; MAC address: 80c1-6ee0-2664; Service VLAN: 1. User Profile: userc; Outbound Policy: for_userc slot...

Page 465: ...cription. ICMP redirect: An attacker sends ICMP redirect messages to modify the victim's routing table. The victim cannot forward packets correctly. ICMP destination unreachable: An attacker sends ICMP des...

Page 466: ...indows system. The malicious packets contain an illegal Urgent Pointer, which causes the victim's operating system to crash. UDP bomb: An attacker sends a malformed UDP packet. The length value in the IP h...

Page 467: ...is causes the server to be busy searching for SYN packets, and the server is unable to process packets for normal services. FIN flood attack: FIN packets are used to shut down TCP connections. A FIN flood...

Page 468: ...receiving host reassembles the fragments, a TCP fragment attack occurs. To prevent TCP fragment attacks, enable TCP fragment attack prevention to drop attack TCP fragments. Login dictionary attack: The log...

Page 469: ...view: attack-defense policy policy-name. N/A. 3. Configure signature detection for single-packet attacks: signature detect { fraggle | fragment | impossible | ip-option-abnormal | land | large-icmp | large-icmpv6 | ping...

Page 470: ...logging and drop for single-packet attacks of the medium and high levels. 6. (Optional) Enable signature detection for single-packet attacks of a specific level: signature level { high | info | low | medium } detec...

Page 471: ...is disabled. 4. Set the global trigger threshold for SYN flood attack prevention: syn-flood threshold threshold-value. The default setting is 1000. 5. Specify global actions against SYN flood attacks: syn-f...

Page 472: ...ic SYN-ACK flood attack detection is not configured. Configuring a FIN flood attack defense policy: 1. Enter system view: system-view. N/A. 2. Enter attack defense policy view: attack-def...

Page 473: ...od threshold threshold-value. The default setting is 1000. 5. Specify global actions against ICMP flood attacks: icmp-flood action { drop | logging } *. By default, no global action is specified for ICMP flood atta...

Page 474: ...DP flood attack detection is not configured. Configuring a DNS flood attack defense policy: 1. Enter system view: system-view. N/A. 2. Enter attack defense policy view: attack-defense pol...

Page 475: ...detection is not configured. Configuring attack detection exemption: The attack defense policy uses the ACL to identify exempted packets. The policy does not check the packets permitted by the ACL. You ca...

Page 476: ...Disable log aggregation for single-packet attack events: attack-defense signature log non-aggregate. By default, log aggregation is enabled for single-packet attack events. Configuring TCP fragment attack...

Page 477: ...ctim ipv6 [ count ]. Display flood attack detection and prevention statistics for an IPv4 address: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | sy...

Page 478: ...face of the switch, enable global SYN flood attack detection. When the device receives 2000 or more SYN packets per second that are destined to the switch but not to the protected IP address, it outputs...

Page 479: ...apply policy a1. Verifying the configuration: Verify that the attack defense policy a1 is correctly configured: <Switch> display attack-defense policy a1 / Attack-defense Policy Information / Policy name: a1 / A...

Page 480: ...led, info, L; ICMP information reply: Disabled, info, L; ICMP address mask request: Disabled, info, L; ICMP address mask reply: Disabled, info, L; ICMPv6 echo request: Disabled, info, L; ICMPv6 echo reply: Disabled, info...

Page 481: ...ice outputs logs and drops the attack packets. If the device receives TCP SYN flood attack packets that are destined for the device but not to the protected IP address, the device outputs logs. Display t...
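
The two kinds of check the attack defense policy pages above configure, run over constructed traffic as an added Python model (example code, not the switch's implementation or text from the guide): single-packet signature detection (land and large-ICMP here) and SYN flood detection with a per-second trigger threshold, a separate threshold and action set for a protected IP, drop/logging actions, and an exemption list standing in for the exemption ACL. The policy name, addresses and packets are constructed, the large-ICMP length limit is an assumed value, and the thresholds are scaled down from the guide's 1000/2000 packets per second so the demo stays small.

```python
"""Attack defense policy model (added example; not the switch's implementation)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str          # "tcp" / "icmp" / ...
    flags: str = ""     # TCP flags; "S" is a SYN
    length: int = 64    # IP packet length in bytes


@dataclass
class AttackDefensePolicy:
    name: str
    signatures: Set[str] = field(default_factory=set)      # enabled single-packet signatures
    large_icmp_max: int = 4000                              # assumed large-icmp length limit
    syn_flood_threshold: int = 1000                         # global trigger threshold, packets/s
    syn_flood_actions: FrozenSet[str] = frozenset({"logging"})
    # protected IP -> (threshold, actions); overrides the global setting for that address
    protected: Dict[str, Tuple[int, FrozenSet[str]]] = field(default_factory=dict)
    exempt_sources: Set[str] = field(default_factory=set)   # stands in for the exemption ACL


class AttackDefense:
    def __init__(self, policy: AttackDefensePolicy):
        self.policy = policy
        self.syn_counts: Dict[Tuple[str, int], int] = defaultdict(int)  # (dst, second) -> SYNs seen
        self.log: List[str] = []

    def signature_match(self, p: Packet) -> str:
        """Name of the matching single-packet signature, or '' if none."""
        sig = self.policy.signatures
        if "land" in sig and p.src == p.dst:
            return "land"
        if "large-icmp" in sig and p.proto == "icmp" and p.length > self.policy.large_icmp_max:
            return "large-icmp"
        return ""

    def process(self, p: Packet) -> str:
        """Return 'forward' or 'drop' for one packet, recording log lines as the policy dictates."""
        if p.src in self.policy.exempt_sources:
            return "forward"                      # packets permitted by the exemption ACL are not checked
        sig = self.signature_match(p)
        if sig:
            # default for medium/high-level signatures per the guide: logging and drop
            self.log.append(f"{self.policy.name}: {sig} attack {p.src} -> {p.dst}, dropped")
            return "drop"
        if p.proto == "tcp" and p.flags == "S":
            return self.syn_flood(p)
        return "forward"

    def syn_flood(self, p: Packet) -> str:
        """Per-destination SYN rate check against the protected or global threshold."""
        key = (p.dst, int(p.ts))
        self.syn_counts[key] += 1
        threshold, actions = self.policy.protected.get(
            p.dst, (self.policy.syn_flood_threshold, self.policy.syn_flood_actions))
        if self.syn_counts[key] < threshold:
            return "forward"
        if self.syn_counts[key] == threshold and "logging" in actions:
            self.log.append(f"{self.policy.name}: SYN flood to {p.dst} reached {threshold} pps")
        return "drop" if "drop" in actions else "forward"


def run_demo() -> Dict[str, object]:
    """Policy a1: protected server 10.1.1.2 drops at 5 SYN/s; switch address 10.1.1.1 only logs at 8 SYN/s."""
    policy = AttackDefensePolicy(
        name="a1", signatures={"land", "large-icmp"},
        syn_flood_threshold=8, syn_flood_actions=frozenset({"logging"}),
        protected={"10.1.1.2": (5, frozenset({"logging", "drop"}))},
        exempt_sources={"10.1.1.9"})
    ad = AttackDefense(policy)
    traffic: List[Packet] = []
    traffic += [Packet(100.0 + i * 0.01, "192.0.2.1", "10.1.1.2", "tcp", "S") for i in range(10)]  # flood at server
    traffic += [Packet(100.0 + i * 0.01, "192.0.2.2", "10.1.1.1", "tcp", "S") for i in range(10)]  # flood at switch
    traffic += [Packet(101.0, "10.1.1.1", "10.1.1.1", "tcp", "S")]                                # land
    traffic += [Packet(101.1, "192.0.2.3", "10.1.1.2", "icmp", length=5000)]                       # large ICMP
    traffic += [Packet(102.0 + i * 0.01, "10.1.1.9", "10.1.1.2", "tcp", "S") for i in range(20)]  # exempt source
    verdicts = [ad.process(p) for p in traffic]
    return {"forwarded": verdicts.count("forward"), "dropped": verdicts.count("drop"), "log_lines": ad.log}


if __name__ == "__main__":
    result = run_demo()
    print(result["forwarded"], "forwarded,", result["dropped"], "dropped")
    print("\n".join(result["log_lines"]))
```

Note the asymmetry the guide's example relies on: the protected address gets drop plus logging, so the SYNs beyond its threshold are discarded, while the global action is logging only, so the flood at the switch's own address is reported but still forwarded. The exempt source is never counted, which is why an exemption ACL must be kept narrow.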

Page 482: ...ed on gateways to prevent ND attacks. This feature checks the source MAC address and the source link-layer address for consistency for each arriving ND packet. If the source MAC address and the source link...

Page 483: ...evice and the peer device must have the same authentication algorithm and key string. To configure a keychain: 1. Enter system view: system-view. N/A. 2. Create a keychain and enter keyc...

Page 484: ...1.1; [SwitchA-ospfv3-1] quit; [SwitchA] interface vlan-interface 100; [SwitchA-Vlan-interface100] ospfv3 1 area 0; [SwitchA-Vlan-interface100] quit. Create a keychain named abc and specify the absolute time mode...

Page 485: ...keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key: [SwitchB-keychain-abc] key 1; [SwitchB-keychain-abc-key-1] authentication-alg...

Page 486: ...00:00 2015/02/06 to 11:00:00 2015/02/06. Accept status: Active. Key ID: 2. Key string: $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw. Algorithm: hmac-sha-256. Send lifetime: 11:00:00 2015/02/06 to 12:00:00 2015/02/06...

Page 487: ...g: $c$3$dYTC8QeOKJkwFwP2k rWL 1p6uMTw3MqNg (characters lost in extraction). Algorithm: hmac-sha-256. Send lifetime: 10:00:00 2015/02/06 to 11:00:00 2015/02/06. Send status: Inactive. Accept lifetime: 10:00:00 2015/02/06 to 11:00:00 2015/02/06...

Page 488: ...2015/02/06. Accept status: Inactive. Key ID: 2. Key string: $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw. Algorithm: hmac-sha-256. Send lifetime: 11:00:00 2015/02/06 to 12:00:00 2015/02/06. Send status: Active. Accept...
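
The keychain behaviour the display output above documents (key 1 active from 10:00 to 11:00 and key 2 from 11:00 to 12:00 on 2015/02/06, hmac-sha-256, send and accept lifetimes tracked separately, and the requirement that both peers share the algorithm and key string), as an added Python model. It is example code, not the switch's implementation or text from the guide. The key strings are constructed plaintext (the switch stores them encrypted as $c$3$...), the payload is a made-up OSPFv3 packet, and the choice of the lowest active key ID for sending is an assumption.

```python
"""Keychain model (added example; not the switch's implementation)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ALGORITHMS = {"hmac-sha-256": hashlib.sha256, "hmac-sha-1": hashlib.sha1}


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    algorithm: str
    send_lifetime: Tuple[datetime, datetime]     # [start, end)
    accept_lifetime: Tuple[datetime, datetime]   # [start, end)

    def send_active(self, now: datetime) -> bool:
        return self.send_lifetime[0] <= now < self.send_lifetime[1]

    def accept_active(self, now: datetime) -> bool:
        return self.accept_lifetime[0] <= now < self.accept_lifetime[1]


class Keychain:
    def __init__(self, name: str, keys: List[Key]):
        self.name = name
        self.keys = {k.key_id: k for k in keys}

    def active_send_key(self, now: datetime) -> Optional[Key]:
        # assumption: the lowest key ID whose send lifetime is active is used for sending
        for k in sorted(self.keys.values(), key=lambda k: k.key_id):
            if k.send_active(now):
                return k
        return None

    def sign(self, payload: bytes, now: datetime) -> Optional[Tuple[int, bytes]]:
        """Return (key ID, MAC) for an outgoing protocol packet, or None if no send key is active."""
        k = self.active_send_key(now)
        if k is None:
            return None
        return k.key_id, hmac.new(k.key_string, payload, ALGORITHMS[k.algorithm]).digest()

    def verify(self, payload: bytes, key_id: int, tag: bytes, now: datetime) -> bool:
        """Accept only if the carried key ID exists, is in its accept lifetime, and the MAC matches."""
        k = self.keys.get(key_id)
        if k is None or not k.accept_active(now):
            return False
        expected = hmac.new(k.key_string, payload, ALGORITHMS[k.algorithm]).digest()
        return hmac.compare_digest(expected, tag)


def build_keychain(name: str, key1: bytes, key2: bytes) -> Keychain:
    """Keychain abc as displayed above: key 1 for 10:00-11:00, key 2 for 11:00-12:00 on 2015/02/06."""
    t10, t11, t12 = (datetime(2015, 2, 6, h) for h in (10, 11, 12))
    return Keychain(name, [
        Key(1, key1, "hmac-sha-256", (t10, t11), (t10, t11)),
        Key(2, key2, "hmac-sha-256", (t11, t12), (t11, t12)),
    ])


def run_demo() -> Dict[str, object]:
    """Switch A signs, Switch B verifies, at three times of day; plus two failure cases."""
    payload = b"OSPFv3 hello (constructed payload)"
    switch_a = build_keychain("abc", b"key-one-secret", b"key-two-secret")
    switch_b = build_keychain("abc", b"key-one-secret", b"key-two-secret")
    wrong_b = build_keychain("abc", b"key-one-secret", b"DIFFERENT-secret")  # peer whose key 2 differs
    out: Dict[str, object] = {}
    for hour in (10, 11, 12):
        now = datetime(2015, 2, 6, hour, 30)
        signed = switch_a.sign(payload, now)
        out[f"{hour}:30 key id"] = signed[0] if signed else None
        out[f"{hour}:30 verified"] = bool(signed and switch_b.verify(payload, *signed, now))
    at_1130 = datetime(2015, 2, 6, 11, 30)
    kid, tag = switch_a.sign(payload, at_1130)
    out["11:30 mismatched key string"] = wrong_b.verify(payload, kid, tag, at_1130)
    # a packet signed with key 1 is rejected at 11:30 even though its MAC is correct
    kid1, tag1 = switch_a.sign(payload, datetime(2015, 2, 6, 10, 30))
    out["11:30 stale key 1"] = switch_b.verify(payload, kid1, tag1, at_1130)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:30s} {value}")
```

The 12:30 case is the operational caveat behind absolute-time keychains: once the last key's send lifetime ends and no successor is configured, the sender has no active key and adjacency authentication fails, so lifetimes on the two switches (and their clocks) have to stay aligned.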

Page 489: ...st one. [ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none. &<1-n>: The argument or keyword-and-argument...

Page 490: ...Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch. Represents an access point. Represents a wireless terminator unit. Represents a...

Page 491: ...provide a mechanism for accessing software updates through the product interface. Review your product documentation to identify the recommended software update method. To download product updates, go to...

Page 492: ...self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualif...

Page 493: ...umber, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal no...

Page 494: ...ontrol 72; maintain 93; mandatory port authentication domain 85; online user handshake 83; overview 64; packet format 65; periodic online user reauthentication 86; port authorization state 81; port authorizat...

Page 495: ...ername format 26; scheme configuration 18; SSH user local authentication, HWTACACS authorization, RADIUS accounting 51; troubleshoot HWTACACS 62; troubleshoot LDAP user authentication fails 62; troubleshoot...

Page 496: ...ation DHCP server 409; configuration 402; detection configuration 411; filtering configuration 420, 420; fixed ARP configuration 417; gateway protection 418, 419; packet rate limit configuration 404; packet so...

Page 497: ...68; 802.1X EAP termination 70; 802.1X EAP termination enable 81; 802.1X initiation 67; 802.1X mandatory port authentication domain 85; 802.1X overview 64; 802.1X periodic online user reauthentication 86; 802...

Page 498: ...rization method 45; AAA LDAP authorization 9; AAA RADIUS server SSH user authentication/authorization 53; AAA RADIUS session control 47; AAA SSH user local authentication, HWTACACS authorization, RADIUS acc...

Page 499: ...ecurity portal authentication system components 123; SSL client policy configuration 388; command: AAA command accounting method 12; AAA command authorization method 12; communication peer public key entry...

Page 500: ...TCP fragment attack prevention 463; authorized ARP 408; authorized ARP DHCP relay agent 410; authorized ARP DHCP server 409; crypto engine 435; FIPS 436, 441; FIPS mode 437; fixed ARP 417; IP source guard (IPSG)...

Page 501: ...n 455; security local portal Web server feature 142; security password control 205, 208, 212; security portal authentication 123, 128, 146; security portal authentication cross-subnet for MPLS L3VPN 177; secur...

Page 502: ...tion 89; MAC authentication 105; MAC authentication configuration 112; critical voice VLAN: 802.1X enable 90; MAC authentication enable 113; CRL: PKI 225; PKI architecture 226; PKI CA policy 226; PKI certificat...

Page 503: ...orized ARP DHCP server 409; configuring keychain on switch 471; creating user profile 446; crypto engine configuration 435; IPv4 source guard (IPv4SG) dynamic binding DHCP relay configuration 398; MFF server...

Page 504: ...t 244; PKI peer certificate 225; PKI RA certificate 225; PKI RSA Keon CA server certificate request 238; PKI verification, CRL checking 234; PKI verification w/o CRL checking 235; PKI Windows 2003 CA server...

Page 505: ...cal VLAN 90; 802.1X EAP relay 81; 802.1X EAP termination 81; 802.1X guest VLAN assignment delay 87; 802.1X periodic online user reauthentication 86; AAA RADIUS server load sharing 29; AAA RADIUS session con...

Page 506: ...rtal authentication extended cross-subnet 166; security portal authentication extended direct 159; security portal authentication extended re-DHCP 162; F: fail-permit feature (portal) 140; Federal Informatio...

Page 507: ...SH SFTP configuration 364; SSH SFTP configuration, 192-bit Suite B 370; SSH SFTP directories 341; SSH SFTP files 341; SSH SFTP packet source IP address 338; SSH SFTP server connection establishment 338; SSH...

Page 508: ...SA 260; IPsec tunnel establishment 262; IPsec tunnel for IPv4 packets, IKE-based 281; keepalive 295; keychain configuration 294; maintain 298; NAT keepalive 296; negotiation 288; PFS 290; profile configuration...

Page 509: ...ction configuration 402; ARP filtering configuration 420; ARP gateway protection 419; ARP restricted forwarding 416; ARP user packet validity check 414; authorized ARP DHCP relay agent 410; authorized ARP D...

Page 510: ...ty info 303; troubleshoot SA negotiation failure, no transform set match 303, 323; troubleshoot SA negotiation failure, tunnel failure 323; tunnel establishment 262; tunnel for IPv4 packets, IKE-based 281; tun...

Page 511: ...hain 294; IPsec IKEv2 keychain 313; maintain 471; keyword: IPsec ACL rule keywords 264; L: LAN, 802.1X overview 64; Layer 2 MFF configuration 423, 425, 427; MFF manual mode in ring network 428; MFF manual mode in...

Page 512: ...d access control 72; address, see MAC addressing; ARP attack detection, source MAC-based 405; authentication, see MAC authentication; SSL services 385; MAC address: 802.1X authentication, access device initiate...

Page 513: ...n 471; MAC authentication 115; security attack detection and prevention 464; security password control 212; security portal authentication 145; managing public keys 216, 220; manual: FIPS mode manual reboot 4...

Page 514: ...fense configuration 469; configuring source MAC consistency check 469; IPv6, see IPv6 ND attack defense; need to know, use NTK; negotiating: IPsec IKE negotiation 288; IPsec IKE negotiation mode 260; IPsec IKE...

Page 515: ...c IKEv2 pre-shared key authentication 315; IPsec IKEv2 RSA signature authentication 318; IPsec implementation 261; IPsec IPv6 routing protocol profile, manual 276; IPsec IPv6 routing protocols 276; IPsec pa...

Page 516: ...9; Secure Telnet client user line 330; security ARP detection logging enable 414; security password control global parameters 209; security password control local user parameters 211; security password con...

Page 517: ...D attack defense configuration 469; PKI configuration 225, 228, 238; port security configuration 185, 188, 195; public key import from file 222; public key management 216, 220; security password control 208, 212...

Page 518: ...configuring SSH management parameters 333; security password control global parameters 209; security password control local user parameters 211; security password control user group parameters 210; securi...

Page 519: ...tack D&P defense policy, single-packet 456; attack D&P defense policy creation 456; attack D&P policy application, device 462; attack defense policy configuration 456; IPsec manual 266; IPsec application to...

Page 520: ...C addresses 204; portal: security user profile configuration 446; portal authentication: AAA server 124; access device 124; authentication destination subnet 134; authentication modes 126; authentication page...

Page 521: ...method 43; configuring AAA LDAP administrator attributes 41; configuring AAA LDAP scheme 40; configuring AAA LDAP server IP address 40; configuring AAA LDAP server SSH user authentication 56; configuring...

Page 522: ...nfiguring IPsec IKEv2 307; configuring IPsec IKEv2 DPD 314; configuring IPsec IKEv2 global parameters 314; configuring IPsec IKEv2 keychain 313; configuring IPsec IKEv2 NAT keepalive 314; configuring IPsec...

Page 523: ...curity password control 208, 212; configuring security portal authentication 128, 146; configuring security portal authentication destination subnet 134; configuring security portal authentication detectio...

Page 524: ...chain 471; displaying MAC authentication 115; displaying MFF 427; displaying port security 195; displaying public key 220; displaying security attack detection and prevention 464; displaying security passwo...

Page 525: ...ining IPsec IKEv2 315; maintaining IPv4 source guard (IPv4SG) 396; maintaining IPv6 source guard (IPv6SG) 396; maintaining keychain 471; maintaining MAC authentication 115; maintaining security attack detectio...

Page 526: ...fo 303; troubleshooting IPsec SA negotiation failure, no transform set match 303, 323; troubleshooting IPsec SA negotiation failure, tunnel failure 323; troubleshooting PKI CA certificate import failure 255...

Page 527: ...user profile configuration 447; QoS or CAR parameters, configuring 447; quiet: MAC authentication quiet timer 108; quiet timer, 802.1X 85; R: RA: PKI architecture 226; PKI certificate 225; RADIUS: 802.1X EAP over...

Page 528: ...In User Service, use RADIUS; removing PKI certificate 236; request: PKI certificate request abort 233; requesting PKI certificate request 231; resource access restriction, portal authentication 123; restricti...

Page 529: ...1X access control method 82; 802.1X ACL assignment 98; 802.1X authentication 93; 802.1X authentication request attempts max number 82; 802.1X Auth-Fail VLAN 75; 802.1X authorization VLAN 72; 802.1X authoriz...

Page 530: ...ion restrictions 418; HWTACACS protocols and standards 13; keychain configuration 470, 470; keychain configuration on switch 471; keychain display 471; keychain maintain 471; LDAP protocols and standards 13...

Page 531: ...5; 802.1X online user handshake 83; 802.1X periodic online user reauthentication 86; AAA configuration 17; AAA LDAP implementation 9; AAA local user 18; AAA RADIUS attributes 14; AAA RADIUS scheme 22; AAA RAD...

Page 532: ...1; PKI certificate request, automatic 232, 232; PKI certificate request, manual 232; PKI certificate request abort 233; PKI certificate verification 234; PKI certificate verification, CRL checking 234; PKI cert...

Page 533: ...ng IPsec IKEv2 323; troubleshooting PKI CA certificate failure 253; troubleshooting PKI CA certificate import failure 255; troubleshooting PKI certificate export failure 256; troubleshooting PKI configura...

Page 534: ...address 338; SSH application 325; SSH management parameters 333; shared key: AAA HWTACACS 36; AAA RADIUS 25; signature authentication, IKE 289; single-packet attack: attack D&P defense policy 456; attack D&P d...

Page 535: ...uration, 128-bit Suite B 360; Secure Telnet server connection establishment 335; Secure Telnet server connection establishment based on Suite B 337; Secure Telnet server password authentication 346; Secure...

Page 536: ...ot 444; FIPS mode system changes 438; IPsec authentication 260; IPsec configuration 258; IPsec encryption 260; IPsec IKE configuration 288, 290, 299; IPsec IKE global identity information 295; IPsec IKE invali...

Page 537: ...A RADIUS accounting error 62; AAA RADIUS authentication failure 61; AAA RADIUS packet delivery failure 61; IPsec IKE 301; IPsec IKE negotiation failure, no proposal match 301; IPsec IKE negotiation failure...

Page 538: ...ng configuration 397; IPv4 source guard (IPv4SG) dynamic binding DHCP relay configuration 398; IPv4 source guard (IPv4SG) static binding configuration 396; IPv6 source guard (IPv6SG) dynamic binding DHCPv6 sno...

Page 539: ...258, 279; IPsec RIPng configuration 284; IPsec tunnel for IPv4 packets, IKE-based 281; IPsec tunnel for IPv4 packets, manual 279; PKI application 227; security portal authentication cross-subnet for MPLS L3VP...

Page 540: ...527; SSH SFTP files 341; X: X.500, AAA LDAP implementation 9...