HP 5920 & 5900 Switch Series Security Configuration Guide
Part number: 5998-5310a
Software version: Release 23xx
Document version: 6W101-20150320...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Configuration restrictions and guidelines ... 96
Configuration procedure ... 96
Referencing a portal Web server for an interface ... 96
Controlling portal user access ... 97
Configuring a portal-free rule ... 97
Configuring an authentication source subnet ... 98
...
macAddressElseUserLoginSecure configuration example ... 159
Troubleshooting port security ... 162
Cannot set the port security mode ... 162
Cannot configure secure MAC addresses ... 163
Configuring password control ... 164
Overview ... 164
Password setting ... 164
...
Configuring a manual IPsec profile ... 238
Configuring SNMP notifications for IPsec ... 240
Displaying and maintaining IPsec ... 240
IPsec configuration examples ... 241
Configuring a manual mode IPsec tunnel for IPv4 packets ... 241
Configuring an IKE-based IPsec tunnel for IPv4 packets ...
Configuring the device as an SFTP client ... 281
SFTP client configuration task list ... 281
Specifying the source IP address for SFTP packets ... 281
Establishing a connection to an SFTP server ... 281
Working with SFTP directories ... 283
...
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. AAA specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights and controls their access to resources and...
The device performs dynamic password authentication.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses the following workflow:
The host sends a connection request that includes the user's username and password to the RADIUS client.
RADIUS packet format
RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field (variable in length) includes specific authentication, authorization, and accounting information.
• Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contain a code compliant to RFC 1700.
• Vendor-Type—Type of the sub-attribute.
• Vendor-Length—Length of the sub-attribute.
• Vendor-Data—Contents of the sub-attribute.
For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
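The packet layout above (20-byte header with the 16-byte Authenticator, TLV attributes, and attribute 26 carrying Vendor-ID plus Vendor-Type/Vendor-Length/Vendor-Data sub-attributes) as an added, stand-alone Python example; it is not code from the guide or from HP. It parses a reply, decodes the vendor sub-attributes, and checks the response authenticator (MD5 over Code, ID, Length, the request authenticator, the attributes and the shared key, per RFC 2865) so that a reply built with the wrong key or altered in transit is rejected. The shared key, request authenticator, vendor ID 9999 and sub-attribute contents are constructed sample values, not HP's.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that carries vendor sub-attributes


def parse_attributes(data: bytes):
    """Walk the attribute list: Type (1 byte), Length (1 byte, includes the
    2-byte header), Value. Rejects lengths that run past the buffer."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value: bytes):
    """Decode the value of attribute 26: a 4-byte Vendor-ID whose most
    significant byte must be 0, followed by sub-attributes laid out as
    Vendor-Type (1), Vendor-Length (1), Vendor-Data."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the Vendor-ID")
    if value[0] != 0:
        raise ValueError("Vendor-ID most significant byte is not 0")
    vendor_id = struct.unpack("!I", value[:4])[0]
    # Sub-attributes use the same TLV walk as top-level attributes.
    return vendor_id, parse_attributes(value[4:])


def parse_packet(pkt: bytes):
    """Split a RADIUS packet into Code, Identifier, Authenticator, attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field does not match the packet")
    return code, ident, pkt[4:20], parse_attributes(pkt[20:length])


def response_authenticator(code, ident, length, request_auth, attrs_raw, secret):
    """Response Authenticator per RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs_raw + secret).digest()


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was built over our request authenticator with the
    shared key; a mismatch means a wrong key or a forged/altered reply."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        return False
    expected = response_authenticator(code, ident, length, request_auth, pkt[20:length], secret)
    return hmac.compare_digest(expected, pkt[4:20])


def build_access_accept(ident, request_auth, secret, vendor_id, subattrs):
    """Assemble a reply carrying one attribute 26 with the given sub-attributes
    (used here to produce constructed sample input for the parser)."""
    subs = b"".join(bytes([t, 2 + len(d)]) + d for t, d in subattrs)
    vsa = struct.pack("!I", vendor_id) + subs
    attrs = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    length = 20 + len(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attrs


def decode_reply(pkt: bytes, request_auth: bytes, secret: bytes):
    """Verify a reply, then return (code, identifier, [(vendor_id, subattrs), ...])."""
    if not verify_response(pkt, request_auth, secret):
        raise ValueError("response authenticator mismatch: drop the packet")
    code, ident, _auth, attrs = parse_packet(pkt)
    vsas = [parse_vsa(v) for t, v in attrs if t == VENDOR_SPECIFIC]
    return code, ident, vsas


# Constructed sample values (not from the guide): shared key, the request
# authenticator from the NAS's Access-Request, a placeholder vendor ID and
# two sub-attributes (a string and a 4-byte integer).
SECRET = b"expert"
REQUEST_AUTH = bytes(range(16))
SAMPLE_VENDOR_ID = 9999
SAMPLE_SUBATTRS = [(1, b"ftp-user"), (2, b"\x00\x00\x27\x10")]
SAMPLE_REPLY = build_access_accept(7, REQUEST_AUTH, SECRET, SAMPLE_VENDOR_ID, SAMPLE_SUBATTRS)

if __name__ == "__main__":
    print(decode_reply(SAMPLE_REPLY, REQUEST_AUTH, SECRET))
```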
Figure 5 Format of attribute 26

HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
(Participants: Host, HWTACACS client, HWTACACS server)
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password...
The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
• The search operation constructs search conditions and obtains the directory resource information of the LDAP server.
In LDAP authentication, the client completes the following operations:
Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.
• Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal users can access through console ports.
• Portal—Portal users must pass portal authentication to access the network.
• Web—Web users log in to the Web interface of the device through HTTP or HTTPS.
...
• No accounting—The NAS does not perform accounting for the users.
• Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.
Protocols and standards
The following protocols and standards are related to AAA, RADIUS, HWTACACS, and LDAP:
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
...
Maximum idle time permitted for the user before termination of the session.
Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
Sub-attribute: Description
Output-Peak-Rate: Peak rate in the direction from the NAS to the user, in bps.
Output-Average-Rate: Average rate in the direction from the NAS to the user, in bps.
Output-Basic-Rate: Basic rate in the direction from the NAS to the user, in bps.
Remanent_Volume: Total remaining available traffic for the connection, in different units for different server types.
Sub-attribute: Description
Input-Interval-Packets: Number of packets input within an accounting interval in the unit set on the NAS.
Output-Interval-Packets: Number of packets output within an accounting interval in the unit set on the NAS.
Input-Interval-Gigawords: Amount of bytes input within an accounting interval, in units of 4G bytes.
Output-Interval-Gigawords: Amount of bytes output within an accounting interval, in units of 4G bytes.
To configure AAA, perform the following tasks:
Tasks at a glance
(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
• Configuring local users
• Configuring RADIUS schemes
• Configuring HWTACACS schemes
• Configuring LDAP schemes
(Required.) Configure AAA methods for ISP domains:
(Required.)
• User group—Each local user belongs to a local user group and has all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
• Binding attributes—Binding attributes control the scope of users, and are checked during local...
For other types of local users, no authorization attributes are effective.
To configure local user attributes:
Step: Enter system view.
  Command: system-view
Step: Add a local user and enter local user view.
  Command: local-user user-name [ class { manage | network } ]
  Remarks: By default, no local user exists. Network access user passwords are encrypted with the encryption...
Step: (Optional.) Configure binding attributes for the local user.
  Command: bind-attribute { ip ip-address | location interface interface-type interface-number | mac
  Remarks: By default, no binding attribute is configured for a local user. Binding attribute ip applies only to LAN users using 802.1X.
To configure user group attributes:
Step: Enter system view.
  Command: system-view
Step: Create a user group and enter its view.
  Command: user-group group-name
  Remarks: By default, there is a system-defined user group named system, which is the default user group.
Step: Configure authorization
  Command: authorization-attribute { acl acl-number | vlan vlan-id |...
  Remarks: By default, no authorization...
Configuration task list
Tasks at a glance
(Required.) Creating a RADIUS scheme
(Required.) Specifying the RADIUS authentication servers
(Optional.) Specifying the RADIUS accounting servers and the relevant parameters
(Optional.) Specifying the shared keys for secure RADIUS communication
(Optional.) Specifying a VPN for the scheme
(Optional.) Setting the username format and traffic statistics units
(Optional.)
You can specify one primary authentication server and up to 16 secondary authentication servers for a RADIUS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state.
• Configure hostname-to-IP address mappings for the VPN by using the ip host or ipv6 host command.
• Configure a DNS server for the VPN by using the dns server or ipv6 dns server command.
For more information about these commands, see Layer 3—IP Services Command Reference.
To specify RADIUS accounting servers and the relevant parameters for a RADIUS scheme:
Step Command...
Specifying a VPN for the scheme The VPN specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme. If a VPN is also configured for an individual RADIUS server, the VPN specified for the RADIUS scheme does not take effect on that server.
Step: (Optional.) Set the data flow and packet measurement units for traffic statistics.
  Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
  Remarks: By default, traffic is counted in bytes and packets.

Setting the maximum number of RADIUS request transmission attempts
RADIUS uses UDP packets to transfer data.
• When you remove a server in use, communication with the server times out.
• The device looks for a server in active state by first checking the primary server, and then checking secondary servers in the order they are configured.
•...
You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in a VPN or the public network. Before sending a RADIUS packet, the NAS selects a source IP address in the following order: The source IP address specified for the RADIUS scheme.
• When a number of secondary servers are configured, the client connections of access modules that have a short client connection timeout period might still be timed out during initial authentication or accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values.
The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS. To configure the IP address of a security policy server for a scheme:...
You can configure SNMP parameters to control the output of these SNMP notifications. For more information, see Network Management and Monitoring Configuration Guide.
To enable SNMP notifications for RADIUS:
Step: Enter system view.
  Command: system-view
Step: Enable SNMP notifications for...
  Command: snmp-agent trap enable radius [ accounting-server-down |...
  Remarks: By default, all types of SNMP...
To create an HWTACACS scheme:
Step: Enter system view.
  Command: system-view
Step: Create an HWTACACS scheme and enter its view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: By default, no HWTACACS scheme is defined.

Specifying the HWTACACS authentication servers
You can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme.
function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
To specify an HWTACACS server by hostname in an MPLS VPN network, first complete one of the following tasks on the device:
• Configure hostname-to-IP address mappings for the VPN by using the ip host or ipv6 host...
Step: Enter system view.
  Command: system-view
Step: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
Step: Specify the primary HWTACACS accounting server:
  Command: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection |...
  Remarks: By default, no accounting server is specified. The host-name argument is available in Release 2310 and...
Step: Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
Step: Specify a VPN for the HWTACACS scheme.
  Command: vpn-instance vpn-instance-name
  Remarks: By default, an HWTACACS scheme belongs to the public network.

Setting the username format and traffic statistics units
A username is typically in the userid@isp-name format, where isp-name represents the user's ISP domain name.
The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
The IP address of the outbound interface specified by the route.
To specify a source IP address for all HWTACACS schemes of a VPN or the public network:
Step Command Remarks...
If the secondary server is unreachable, the device does the following:
• Changes the server's status to blocked.
• Starts a quiet timer for the server.
• Tries to communicate with the next secondary server in active state that has the highest priority.
•...
Configuring LDAP schemes
Configuration task list
Tasks at a glance
Configuring an LDAP server:
• (Required.) Creating an LDAP server
• (Required.) Configuring the IP address of the LDAP server
• (Optional.) Specifying the LDAP version
• (Optional.) Setting the LDAP server timeout period
•...
Step: Specify the LDAP version.
  Command: protocol-version { v2 | v3 }
  Remarks: By default, LDAPv3 is used. A Microsoft LDAP server supports only LDAPv3.

Setting the LDAP server timeout period
If the device sends a bind or search request to an LDAP server but does not receive a response from the server within the LDAP server timeout period, the device considers that the authentication or authorization request has timed out and tries the backup authentication or authorization method.
• User object class
If the LDAP server contains many directory levels, a user DN search starting from the root directory can take a long time. To improve efficiency, you can change the start point by specifying the search base DN.
To configure LDAP user attributes:
Step Command...
Task: Display the configuration of LDAP schemes.
  Command: display ldap scheme [ scheme-name ]

Configuring AAA methods for ISP domains
You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting.
Configuring ISP domain attributes In an ISP domain, you can configure the domain status. By placing the ISP domain in active or blocked state, you allow or deny network service requests from users in the domain. To configure ISP domain attributes: Step Command Remarks...
Step: Specify the default authentication method for all types of users.
  Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme...
  Remarks: By default, the default authentication method is local. The none keyword is not...
Configuration procedure
To configure authorization methods for an ISP domain:
Step: Enter system view.
  Command: system-view
Step: Enter ISP domain view.
  Command: domain isp-name
Step: Specify the default authorization method for...
  Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme...
  Remarks: By default, the authorization method is local.
• Local accounting does not provide statistics for charging. It only counts and controls the number of concurrent users who use the same local user account. The threshold is configured by using the access-limit command.
Configuration procedure
To configure accounting methods for an ISP domain:
Step Command Remarks...
Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users who can log on to the device through a specific protocol, regardless of their authentication methods: no authentication, local authentication, or remote authentication.
Figure 11 Network diagram
Configuration procedure
Configure the HWTACACS server:
# Set the shared keys for secure communication with the switch to expert. (Details not shown.)
# Add an account named hello for the SSH user, and specify the password. (Details not shown.)
Configure the switch:
# Assign IP addresses to the interfaces.
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
[Switch] role default-role enable
Verifying the configuration
# Initiate an SSH connection to the switch, and enter the username hello@bbb and the password.
# Create local RSA and DSA key pairs.
system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable the SSH service.
[Switch] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
...
Set the ports for authentication and accounting to 1812 and 1813, respectively.
Select the service type Device Management Service.
Select the access device type HP.
Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch. The source IP address is chosen in the following order on the switch:
IP address specified by the nas-ip command.
IP address specified by the radius nas-ip command.
Figure 15 Adding an account for device management
Configure the switch:
# Assign an IP address to VLAN-interface 2, the SSH user access interface.
system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
# Create a RADIUS scheme.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure communication with the server to expert in plain text.
[Switch-radius-rad] key authentication simple expert
# Include the domain names in usernames sent to the RADIUS server.
Configuration procedure
Configure the LDAP server:
NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.
# Add a user named aaa and set the password to ldap!123456.
On the LDAP server, select Start > Control Panel > Administrative Tools.
Double-click Active Directory Users and Computers.
Figure 18 Setting the user's password
Click OK.
# Add user aaa to group Users.
From the navigation tree, click Users under the ldap.com node.
On the right pane, right-click aaa and select Properties.
In the dialog box, click the Member Of tab and click Add.
Figure 19 Modifying user properties
In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users.
Figure 20 Adding user aaa to group Users
# Set the administrator password to admin!123456.
# Assign an IP address to VLAN-interface 2, the SSH user access interface.
system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 24
[Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
Verifying the configuration
# Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.)
# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)

Troubleshooting RADIUS
RADIUS authentication failure...
Solution
Check that:
• The link between the NAS and the RADIUS server works well at both the physical and data link layers.
• The IP address of the RADIUS server is correctly configured on the NAS.
• The authentication and accounting UDP port numbers configured on the NAS are the same as those...
• The administrator DN or password is not configured.
• Some user attributes (for example, the username attribute) configured on the NAS are not consistent with those configured on the server.
• No user search base DN is specified for the LDAP scheme.
•...
802.1X overview
802.1X is a port-based network access control protocol initially proposed for securing WLANs. It has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model.
− Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control.
Figure 22 Authorization state of a controlled port
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server.
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
• Type—Type of the EAPOL packet. Table 4 lists the types of EAPOL packets supported by the HP implementation of 802.1X.
Table 4 Types of EAPOL packets
Value Type...
01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.
Access device as the initiator
The access device initiates authentication if a client cannot send EAPOL-Start packets.
period of time. This process continues until the maximum number of request attempts set by using the dot1x retry command is reached. The username request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.
802.1X authentication procedures
802.1X authentication has two methods: EAP relay and EAP termination.
EAP termination
  Works with any RADIUS server that supports PAP or CHAP authentication.
  Limitations:
  • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client.
  • The processing is complex on the network access device.
In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device. The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.
Figure 30 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
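The EAP termination leg described above, as an added Python example that is not code from the guide or from HP: the access device generates the MD5 challenge, the client answers with the MD5-Challenge digest MD5(identifier || password || challenge) as in CHAP (RFC 1994), the access device packs username, digest and challenge into standard RADIUS CHAP-Password and CHAP-Challenge attributes (types 3 and 60, RFC 2865), and the server recomputes the digest from the password it stores. The EAPOL framing between client and access device, the user database and the sample account are omitted or constructed here; the point shown is why this mode needs a server that can do CHAP-style checks and why the access device never sees the cleartext password.

```python
import hashlib
import hmac
import os

USER_NAME = 1        # RFC 2865 attribute types used in the terminated exchange
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def md5_challenge_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side of MD5-Challenge EAP (the CHAP computation of RFC 1994):
    MD5(Identifier || password || challenge). Only the 16-byte digest leaves the client."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_build_chap_attributes(username: bytes, chap_id: int, challenge: bytes, response: bytes) -> bytes:
    """What the access device places in the Access-Request in EAP termination mode:
    User-Name, CHAP-Password (CHAP ident + digest) and CHAP-Challenge (the challenge
    the access device itself generated)."""
    def attr(atype: int, value: bytes) -> bytes:
        return bytes([atype, 2 + len(value)]) + value
    return (attr(USER_NAME, username)
            + attr(CHAP_PASSWORD, bytes([chap_id]) + response)
            + attr(CHAP_CHALLENGE, challenge))


def server_verify(attrs: bytes, user_db: dict) -> bool:
    """Server side: recompute the digest from the stored cleartext password and
    compare in constant time. The server must hold the password in recoverable
    form, which is why this mode needs a server that supports PAP/CHAP checks."""
    fields = {}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return False                      # malformed attribute list
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    username = fields.get(USER_NAME)
    chap = fields.get(CHAP_PASSWORD)
    challenge = fields.get(CHAP_CHALLENGE)
    if username is None or chap is None or challenge is None or len(chap) != 17:
        return False
    password = user_db.get(username)
    if password is None:
        return False
    expected = md5_challenge_response(chap[0], password, challenge)
    return hmac.compare_digest(expected, chap[1:])


def run_exchange(username: bytes, client_password: bytes, user_db: dict,
                 challenge: bytes = None, chap_id: int = 1) -> bool:
    """Drive one terminated exchange end to end and return the server's verdict."""
    challenge = challenge or os.urandom(16)            # access device generates the challenge
    response = md5_challenge_response(chap_id, client_password, challenge)   # client answers
    attrs = nas_build_chap_attributes(username, chap_id, challenge, response)
    return server_verify(attrs, user_db)


# Constructed sample account (not from the guide).
USER_DB = {b"user1": b"pass1"}

if __name__ == "__main__":
    print(run_exchange(b"user1", b"pass1", USER_DB))
```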
Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. It is described in "Configuring port...
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP...
NOTE:
If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification.

Setting the port authorization state
The port authorization state determines whether the client is granted access to the network.
Step: Enter system view.
  Command: system-view
Step: Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Set the maximum number of concurrent 802.1X users on a port.
  Command: dot1x max-user user-number
  Remarks: By default, the maximum number of concurrent 802.1X users on a port is 2048.

Setting the maximum number of authentication request attempts
The network access device retransmits an authentication request if it receives no response to the request...
Step: Set the server timeout timer.
  Command: dot1x timer server-timeout server-timeout-value
  Remarks: The default is 100 seconds.

Configuring the online user handshake feature
The online user handshake feature checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command.
Step: Enter system view.
  Command: system-view
Step: (Optional.) Set the username request timeout timer.
  Command: dot1x timer tx-period tx-period-value
  Remarks: The default is 30 seconds.
Step: Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Enable an authentication trigger.
  Command: dot1x { multicast-trigger |...
  Remarks: By default, the multicast trigger is enabled, and the unicast trigger is...
Enabling the periodic online user reauthentication feature Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The reauthentication interval is user configurable. The periodic online user reauthentication timer can also be set by the authentication server in the session-timeout attribute.
Configuration procedure
Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
# Specify the shared key between the access device and the authentication server.
[Device-radius-radius1] key authentication simple name
# Specify the shared key between the access device and the accounting server.
[Device-radius-radius1] key accounting simple money
# Exclude the ISP domain name from the usernames sent to the RADIUS servers.
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
NOTE:...
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."

Configuration prerequisites

Before you configure MAC authentication, complete the following tasks:
• Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA." For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users.
Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number

Step: Enable MAC authentication on the port.
Command: mac-authentication
Remarks: By default, MAC authentication is disabled on a port.

Specifying a MAC authentication domain

By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:
• Specify a global authentication domain in system view.
Step: Configure the MAC authentication user
Command:
• Use one MAC-based user account for each user:
  mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]
Remarks: Use either method. By default, the device uses the MAC address of a user as the username and password for...
Step: Enter system view.
Command: system-view

Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number

Step: Set the maximum number of concurrent MAC authentication users on the port.
Command: mac-authentication max-user user-number
Remarks: By default, the maximum number of concurrent MAC authentication users on a port is 2048.
MAC authentication configuration examples

Local MAC authentication configuration example

Network requirements

As shown in Figure 32, configure local MAC authentication on Ten-GigabitEthernet 1/0/1 to control Internet access of users on the hosts, as follows:
• Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails ...
[Device] mac-authentication timer quiet 180
# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication globally.
[Device] mac-authentication

Verifying the configuration

# Display MAC authentication settings and statistics.
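The following Python model is an added example, not text or code from this guide or from HP software. It ties together what the preceding sections describe: the MAC-based account format selected with mac-authentication user-name-format, the quiet timer set above (180 seconds), and the 180-second offline detection period. The account table is constructed; the six-octet hyphenated username layout and the rule that a MAC in its quiet period gets no new authentication attempt are assumptions made for the model.

```python
import re
from dataclasses import dataclass, field

# Timer values taken from the guide's local MAC authentication example.
QUIET_PERIOD = 180      # mac-authentication timer quiet 180 (seconds)
OFFLINE_DETECT = 180    # offline detection period (seconds)

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the 12 lowercase hex digits of a MAC given in Comware (0015-e9a6-7cfe),
    colon, hyphen or bare notation; raises ValueError for anything else."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def mac_username(mac, with_hyphen=True, uppercase=False):
    """Account name produced by `mac-authentication user-name-format mac-address
    [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]`.
    Assumption: with-hyphen means six hyphen-separated octets (00-15-e9-a6-7c-fe)."""
    digits = normalize_mac(mac)
    text = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return text.upper() if uppercase else text


@dataclass
class MacAuthPort:
    """Simplified model of a MAC authentication enabled port (added example, not device code)."""
    accounts: dict                       # username -> password known to the AAA side (constructed)
    with_hyphen: bool = True
    uppercase: bool = False
    online: dict = field(default_factory=dict)       # normalized MAC -> time of last frame
    quiet_until: dict = field(default_factory=dict)  # normalized MAC -> end of its quiet period

    def frame_received(self, src_mac, now):
        """Handle one frame; returns 'forward', 'authenticated', 'denied' or 'quiet'."""
        mac = normalize_mac(src_mac)
        if mac in self.online:
            self.online[mac] = now          # traffic from an online user resets offline detection
            return "forward"
        if self.quiet_until.get(mac, 0) > now:
            return "quiet"                  # assumption: no new attempt while the quiet period runs
        name = mac_username(mac, self.with_hyphen, self.uppercase)
        # MAC-based accounts use the MAC string as both username and password.
        if self.accounts.get(name) == name:
            self.online[mac] = now
            return "authenticated"
        self.quiet_until[mac] = now + QUIET_PERIOD
        return "denied"

    def offline_detect(self, now):
        """Log out users with no traffic for OFFLINE_DETECT seconds; returns their MACs."""
        gone = [m for m, last in self.online.items() if now - last >= OFFLINE_DETECT]
        for m in gone:
            del self.online[m]
        return gone
```

Because the username is derived from the frame's source address, the account names created on the RADIUS or local side must match the exact with-hyphen/case variant configured on the device, which is what mac_username lets you generate in bulk.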
• Configure all users to belong to the ISP domain bbb.
• Use a shared user account for all users, with the username aaa and password 123456.

Figure 33 Network diagram

Configuration procedure

1. Make sure the RADIUS server and the access device can reach each other.
2. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
# Enable MAC authentication globally.
[Device] mac-authentication

Verifying the configuration

# Display MAC authentication settings and statistics.
[Device] display mac-authentication
MAC authentication is enabled
User name format is fixed account
  Fixed username: aaa
  Fixed password: ******
Offline detect period is 180s
Quiet period is 180s
Server response timeout value is 100s
Max number of users is 2048 per slot
...
• Resource access restriction—Allows an authenticated user to access certain network resources such as the virus server and the patch server. Users can access more Internet resources after passing security check. Security check must cooperate with the HP IMC security policy server and the iNode client.
Portal system components

A typical portal system consists of these basic components: authentication client, access device, portal authentication server, portal Web server, AAA server, and security policy server.

Figure 34 Portal system components (diagram labels: portal authentication server, authentication client, portal Web server, access device, AAA server...)
Web server. The user can also visit the authentication website to log in. The user must log in through the HP iNode client for extended portal functions. The user enters the authentication information on the authentication page/dialog box and submits the information.
Re-DHCP authentication saves public IP addresses. For example, an ISP can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Only the HP iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode.

Cross-subnet authentication

Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
The portal authentication server and the access device exchange CHAP messages. This step is skipped for PAP authentication. The portal authentication server decides the method (CHAP or PAP) to use. The portal authentication server adds the username and password into an authentication request packet and sends it to the access device.
After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address. The portal authentication server notifies the access device that the client has obtained a public IP address.
Configuration prerequisites

The portal feature provides a solution for user identity authentication and security check. To complete user identity authentication, portal must cooperate with RADIUS. The prerequisites for portal authentication configuration are as follows:
• The portal authentication server, portal Web server, and RADIUS server have been installed and ...
Step: Specify the IP address of
Command:
• To specify an IPv4 portal server:
  ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } key-string ]
Remarks: Specify an IPv4 portal authentication server, an IPv6 portal authentication server, or both.
• With re-DHCP portal authentication, HP recommends that you also configure authorized ARP on the interface to make sure only valid users can access the network. With authorized ARP configured on the interface, the interface learns ARP entries only from the users who have obtained a public address from DHCP.
An interface can reference both an IPv4 portal Web server and an IPv6 portal Web server.

To reference a portal Web server for an interface:

Step: Enter system view.
Command: system-view

Step: Enter interface view.
Command: interface interface-type interface-number
Remarks: The interface must be a Layer 3 interface.
Step: Enter system view.
Command: system-view

Step: Enter interface view.
Command: interface interface-type interface-number

Step: Configure an IPv4 portal authentication source subnet.
Command: portal layer3 source ipv4-network-address { mask-length | mask }
Remarks: By default, no IPv4 portal authentication source subnet is configured, and users from any subnets must pass portal authentication.
Step: Enter system view.
Command: system-view

Step: Enter interface view.
Command: interface interface-type interface-number

Step: Configure an IPv6 portal authentication destination subnet.
Command: portal ipv6 free-all except destination ipv6-network-address prefix-length
Remarks: By default, no IPv6 portal authentication destination subnet is configured, and users accessing any subnets must pass portal authentication.
Step: Specify an IPv4 portal authentication domain.
Command: portal domain domain-name
Remarks: By default, no ISP domain is specified for IPv4 portal users on the interface.

To specify an IPv6 portal authentication domain:

Step: Enter system view.
Command: system-view

Step: Enter interface view.
Step: Enter system view.
Command: system-view

Step: Enter interface view.
Command: interface interface-type interface-number

Step: Configure online detection of IPv6
Command: portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ]
Remarks: By default, this function is disabled on the interface.
Configuring portal Web server detection

A portal authentication process cannot complete if the communication between the access device and the portal Web server is broken. To address this problem, you can enable portal Web server detection on the access device. With the portal Web server detection function, the access device simulates a Web access process to initiate a TCP connection to the portal Web server.
Upon receiving the synchronization packet, the access device compares the users carried in the packet with its own user list. If a user contained in the packet does not exist on the access device, the access device informs the portal authentication server to delete the user. The access device starts the synchronization detection timer (timeout timeout) immediately when a user logs in.
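The reconciliation the paragraph above describes, as an added Python model that is not part of this guide or of HP software. The 600-second timeout is the value shown later in this chapter's display portal server output; that a synchronization packet carrying a user restarts that user's detection timer, and that an expired timer logs the user out, are assumptions of the model (the guide only states when the timer starts).

```python
from dataclasses import dataclass, field

# 600 seconds matches "User synchronization : Timeout 600s" in the guide's display output.
SYNC_TIMEOUT = 600


@dataclass
class PortalUserSync:
    """Access-device side of portal user synchronization (added model, not device code)."""
    online: dict = field(default_factory=dict)   # username -> deadline of its sync detection timer

    def user_login(self, user, now):
        # The guide: the synchronization detection timer starts as soon as the user logs in.
        self.online[user] = now + SYNC_TIMEOUT

    def sync_packet(self, server_users, now):
        """Process one synchronization packet listing the server's view of online users.

        Returns the users the device asks the server to delete: those carried in the
        packet but unknown here. Users present on both sides get their timer restarted
        (assumption: each packet that carries a user refreshes that user's timer)."""
        server = set(server_users)
        known = set(self.online)
        for user in server & known:
            self.online[user] = now + SYNC_TIMEOUT
        return sorted(server - known)

    def expire(self, now):
        """Log out users whose timer ran out with no packet confirming them
        (assumption about the timer's effect; the guide only states when it starts)."""
        expired = sorted(u for u, deadline in self.online.items() if now >= deadline)
        for u in expired:
            del self.online[u]
        return expired
```

Running sync_packet on a constructed packet that names a user the device never saw yields that user as a deletion request, while a device-side user that the server stops reporting is eventually removed by expire.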
Step: Enable portal fail-permit for a portal authentication server.
Command: portal [ ipv6 ] fail-permit server server-name
Remarks: By default, portal fail-permit is disabled for a portal authentication server.

Step: Enable portal fail-permit for a portal Web server.
Command: portal [ ipv6 ] apply web-server server-name fail-permit
Remarks: By default, portal fail-permit is disabled for a portal Web server.
Enabling portal roaming

Portal roaming takes effect only on portal users logging in from VLAN interfaces. If portal roaming is enabled on a VLAN interface, an online portal user can access resources from any Layer 2 port in the VLAN without re-authentication. If portal roaming is disabled, to access external network resources from a Layer 2 port different from the current access port in the VLAN, the user must do the following:
1. First log out from the current port.
Task: Display portal Web server information.
Command: display portal web-server [ server-name ]

Task: Display packet statistics for portal authentication servers.
Command: display portal packet statistics [ server server-name ]

Task: Display portal user information.
Command: display portal user { all | interface interface-type interface-number }

Task: Clear packet statistics for portal authentication
Command: reset portal packet statistics [ server server-name ]
...
1. Select Access Service > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure
2. Configure the portal server parameters as needed. This example uses the default values.
3. Click OK.

Figure 38 Portal authentication server configuration

Configure the IP address group:
1. Select Access Service >...
1. Click Add to enter the page shown in Figure
2. Enter the device name NAS.
3. Enter the IP address of the switch's interface connected to the host.
4. Enter the key, which must be the same as that configured on the switch.
5. Set whether to enable IP address reallocation.
Figure 42 Port group configuration

1. Enter the port group name.
2. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
3. Click OK.

Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Figure 43 Portal server configuration

Configure the IP address group:
1. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.
2. Click Add to enter the page shown in Figure
3. Enter the IP group name.
Add a portal device:
1. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
2. Click Add to enter the page shown in Figure
3. Enter the device name NAS.
4. Enter the IP address of the switch's interface connected to the host.
5. Enter the key, which must be the same as that configured on the switch.
Figure 46 Device list

Figure 47 Adding a port group

Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.

Configuring the switch

Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
...
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
Server name   Action   Layer3 source network: IP address   Prefix length   Destination authenticate subnet: IP address   Prefix length

A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
Figure 48 Network diagram (diagram labels in extraction order: Portal Server 192.168.0.111/24; Vlan-int100 20.20.20.1/24; Vlan-int2 10.0.0.1/24; sub 192.168.0.100/24; DHCP server; Host; Switch; 192.168.0.112/24; automatically obtains an IP address; RADIUS server 192.168.0.113/24)

Configuration prerequisites and guidelines

• Configure IP addresses for the switch and servers as shown in Figure 48 and make sure the host, ...
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable

Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
...
Server name   Action   Layer3 source network: IP address   Prefix length   Destination authenticate subnet: IP address   Prefix length

A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
  VPN instance: --
  VLAN  Interface
0015-e9a6-7cfe  20.20.20.2  Vlan-interface100

Configuring cross-subnet portal authentication

Network requirements

As shown in Figure 49, Switch A supports portal authentication. The host accesses Switch A through Switch B. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server.
# Exclude the ISP domain name from the username sent to the RADIUS server.
[SwitchA-radius-rs1] user-name-format without-domain
[SwitchA-radius-rs1] quit
# Enable RADIUS session control.
[SwitchA] radius session-control enable

Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[SwitchA] domain dm1
# Configure AAA methods for the ISP domain.
Server name   Action   Layer3 source network: IP address   Prefix length   Destination authenticate subnet: IP address   Prefix length

A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
Configuring extended direct portal authentication

Network requirements

As shown in Figure 50, the host is directly connected to the switch (the access device). The host is assigned with a public IP address either manually or through DHCP. A portal server serves as both a portal authentication server and a portal Web server.
# Enable RADIUS session control.
[Switch] radius session-control enable

Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
...
IP address   Prefix length

Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page. If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.
  VPN instance: --
  VLAN  Interface
0015-e9a6-7cfe  2.2.2.2  Vlan-interface100

Configuring extended re-DHCP portal authentication

Network requirements

As shown in Figure 51, the host is directly connected to the switch (the access device). The host obtains an IP address through the DHCP server. A portal server serves as both a portal authentication server and a portal Web server.
address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides. The public IP address range for the IP address group is the public subnet 20.20.20.0/24.

Configuration procedure

Perform the following tasks on the switch.

Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
IP address   Prefix length

Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page. If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.
Figure 52 Network diagram

Configuration prerequisites and guidelines

• Configure IP addresses for the switch and servers as shown in Figure 52 and make sure the host, switch, and servers can reach each other.
• Configure the RADIUS server properly to provide authentication and accounting functions.
...
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
IP address   Prefix length

Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page. If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.
Configuring portal server detection and portal user synchronization

Network requirements

As shown in Figure 53, the host is directly connected to the switch (the access device). The host is assigned with a public IP address either manually or through DHCP. A portal server serves as both a portal authentication server and a portal Web server.
Configuring the portal authentication server on IMC PLAT 3.20

This example assumes that the portal server runs on IMC PLAT 3.20-R2602P13 and IMC UAM 3.60-E6301.

Configure the portal authentication server:
1. Log in to IMC and click the Service tab.
2. Select Access Service > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure
3. Configure the portal server heartbeat interval and user heartbeat interval.
Figure 55 Adding an IP address group

Add a portal device:
1. Select Access Service > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
2. Click Add to enter the page shown in Figure
3. Enter the device name NAS.
Figure 57 Device list

Click Add to enter the page shown in Figure

Figure 58 Port group configuration

1. Enter the port group name.
2. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
3. Use default values for other parameters.
Figure 59 Portal authentication server configuration

Configure the IP address group:
1. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.
2. Click Add to enter the page shown in Figure
3. Enter the IP group name.
Add a portal device:
1. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
2. Click Add to enter the page shown in Figure
3. Enter the device name NAS.
4. Enter the IP address of the switch's interface connected to the host.
5. Enter the key, which must be the same as that configured on the switch.
Figure 62 Device list

Figure 63 Adding a port group

Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.

Configuring the switch

Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
...
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
Portal server: newpt : 192.168.0.111
  VPN instance : Not configured
  Port : 50100
  Server Detection : Timeout 40s  Action: log
  User synchronization : Timeout 600s
  Status : Up
The Up status of the portal authentication server indicates that the portal authentication server is reachable.
[SwitchA-radius-rs1] vpn-instance vpn3
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.111
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key accounting simple radius
[SwitchA-radius-rs1] key authentication simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[SwitchA-Vlan-interface3] portal bas-ip 3.3.0.3
[SwitchA-Vlan-interface3] quit

Verifying the configuration

Verify the portal configuration by executing the display portal interface command. After the user passes authentication, execute the display portal user command to display the portal user information.
[SwitchA] display portal user all
Total portal users: 1
Username: abc
  Portal server: newpt
...
Cannot log out portal users on the RADIUS server

Symptom

The access device uses the HP IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
Solution

Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication. Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server.

Re-DHCP portal authenticated users cannot log in successfully

Symptom

The device performs re-DHCP portal authentication for users.
This automatic mechanism enhances network security, and reduces human intervention. NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
• Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode.
TIP:
• userLogin specifies 802.1X authentication and port-based access control.
• userLogin with Secure specifies 802.1X authentication and MAC-based access control.
• Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI. The port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.
Tasks at a glance:
• (Optional.) Ignoring authorization information from the server
• (Optional.) Enabling MAC move

Enabling port security

Before you enable port security, disable 802.1X and MAC authentication globally. When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state.
Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number

Step: Set the maximum number of secure MAC addresses allowed on a port.
Command: port-security max-mac-count count-value
Remarks: By default, port security does not limit the number of secure MAC addresses on a port.

Setting the port security mode

Before you set a port security mode for a port, complete the following tasks:
• Disable 802.1X and MAC authentication.
Step: Set the port security mode.
Command: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin |
Remarks: By default, a port operates in noRestrictions mode. After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the
A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a specific period of time. The period can be ...
(Table header residue: Type; Address sources; Aging mechanism; Can be saved and survive a device reboot?)

NOTE:
When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and it cannot add or learn any more secure MAC addresses. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.
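To make the autoLearn-to-secure transition and the intrusion protection actions concrete, here is an added Python model; it is not part of this guide or of HP software. It follows the guide's statements that reaching max-mac-count moves the port to secure mode, that blockmac blocks a MAC for a fixed 3 minutes, that disableport keeps the port down until an operator brings it up, and that disableport-temporarily disables it for the configured timeout (30 seconds here, as in the autoLearn example). The static MAC set, the timeout default and the sample MAC addresses are constructed.

```python
from dataclasses import dataclass, field

BLOCKMAC_SECONDS = 180   # blockmac restores a MAC after 3 minutes; the guide says this is fixed


@dataclass
class AutoLearnPort:
    """Model of a port in autoLearn mode with intrusion protection (added example)."""
    max_mac_count: int                                  # port-security max-mac-count
    intrusion_action: str = "disableport-temporarily"   # blockmac | disableport | disableport-temporarily
    disableport_timeout: int = 30                       # seconds; the guide's example uses 30
    static_macs: set = field(default_factory=set)       # MACs from mac-address static/dynamic (constructed)
    secure_macs: set = field(default_factory=set)       # sticky MACs learned in autoLearn
    blocked_until: dict = field(default_factory=dict)   # MAC -> end of its blockmac period
    port_down_until: float = 0.0                        # 0: port up; inf: down until brought up manually

    def mode(self):
        # The guide: reaching max-mac-count switches the port from autoLearn to secure.
        return "secure" if len(self.secure_macs) >= self.max_mac_count else "autoLearn"

    def bring_up(self):
        """Operator brings the port up (the only way back after the disableport action)."""
        self.port_down_until = 0.0

    def frame(self, src_mac, now):
        """Handle a frame with source src_mac at time now; returns what happened to it."""
        if now < self.port_down_until:
            return "dropped:port-down"
        self.port_down_until = 0.0          # a temporary disable has expired
        if src_mac in self.secure_macs or src_mac in self.static_macs:
            return "forward"
        if self.blocked_until.get(src_mac, 0) > now:
            return "dropped:blocked"
        if self.mode() == "autoLearn":
            self.secure_macs.add(src_mac)   # learned as a sticky secure MAC
            return "learned"
        return self._intrusion(src_mac, now)

    def _intrusion(self, mac, now):
        """Apply the configured intrusion protection action to an unknown MAC in secure mode."""
        action = self.intrusion_action
        if action == "blockmac":
            self.blocked_until[mac] = now + BLOCKMAC_SECONDS
        elif action == "disableport":
            self.port_down_until = float("inf")
        elif action == "disableport-temporarily":
            self.port_down_until = now + self.disableport_timeout
        else:
            return "dropped"
        return "dropped:" + action
```

Note the operational difference the model makes visible: blockmac punishes only the offending MAC, while both disableport variants take every secure MAC on the port offline as well, so the choice of action decides how much collateral outage one unknown source address can cause.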
If MAC move is disabled and an 802.1X authenticated user moves to another port, it is not reauthenticated. HP recommends you enable MAC move for wireless users that roam between ports to access the network. To enable MAC move:...
Port security configuration examples

autoLearn configuration example

Network requirements

Figure 65.

Configure port Ten-GigabitEthernet 1/0/1 on the device, as follows:
• Accept up to 64 users on the port without authentication.
• Permit the port to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC ...
Ten-GigabitEthernet1/0/1 is link-up
  Port mode: autoLearn
  NeedToKnow mode: Disabled
  Intrusion protection mode: DisablePortTemporarily
  Max number of secure MAC addresses: 64
  Current number of secure MAC addresses: 5
  Authorization is permitted
The output shows that the port security's limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, and the intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds.
• The RADIUS server response timeout time is 5 seconds and the maximum number of RADIUS packet retransmission attempts is five.
• The Device sends real-time accounting packets to the RADIUS server at 15-minute intervals, and sends usernames without domain names to the RADIUS server.
Configure port Ten-GigabitEthernet 1/0/1 of the device to allow only one 802.1X user and a user that uses one of the specified OUI values to be authenticated.
# Enable port security.
[Device] port-security enable
# Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.)
[Device] port-security oui index 1 mac-address 1234-0100-1111
[Device] port-security oui index 2 mac-address 1234-0200-1111
[Device] port-security oui index 3 mac-address 1234-0300-1111
[Device] port-security oui index 4 mac-address 1234-0400-1111
...
  Access-limit: Disabled
  Access-Count: 0
  lan-access Authentication Scheme: radius: radsun
  lan-access Authorization Scheme: radius: radsun
  lan-access Accounting Scheme: radius: radsun
  default Authentication Scheme: local
  default Authorization Scheme: local
  default Accounting Scheme: local
# Display the port security configuration.
[Device] display port-security interface ten-gigabitethernet 1/0/1
Port security is enabled globally
  AutoLearn aging time is 0 minutes
  Disableport Timeout: 20s
...
• Use the MAC address of each user as the username and password for authentication, and require that the MAC addresses are hyphenated and in upper case.
• Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
...
  Disableport Timeout: 20s
  OUI value:
Ten-GigabitEthernet1/0/1 is link-up
  Port mode: macAddressElseUserLoginSecure
  NeedToKnow mode: NeedToKnowOnly
  Intrusion protection mode: NoAction
  Max number of secure MAC addresses: 64
  Current number of secure MAC addresses: 0
  Authorization is permitted
After users pass authentication, you can use the following commands to display the user authentication information on the port:
# Display MAC authentication information.
Max number of 802.1X users is 2048 per slot
Current number of online 802.1X users is 1
Ten-GigabitEthernet1/0/1 is link-up
  802.1X protocol is enabled
  Handshake is enabled
  802.1X unicast-trigger is disabled
  Periodic reauthentication is disabled
  The port is an authenticator
  Authentication mode is Auto
  Port access control type is MAC-based
  802.1X multicast-trigger is enabled
...
Cannot configure secure MAC addresses

Symptom

Cannot configure secure MAC addresses.

Analysis

No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.

Solution

Set the port security mode to autoLearn.
[Device-Ten-GigabitEthernet1/0/1] undo port-security port-mode
[Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64
[Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn
[Device-Ten-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
...
Configuring password control

Overview

Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
Password complexity checking policy

A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.
Password history

With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters.
Logging

The system logs all successful password changing events and user adding events to the password control blacklist.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
To enable password control:
Step: Enter system view.
  Command: system-view
Step: Enable the global password control feature.
  Command: password-control enable
  Remarks:
  • In non-FIPS mode, the global password control feature is disabled by default.
  • In FIPS mode, the global password control feature is enabled by default, and cannot be disabled.
Step: Configure the password complexity checking policy.
  Command: password-control complexity { same-character | user-name } check
  Remarks: By default, the system does not perform password complexity checking.
Step: Set the maximum number of history password records for each user.
  Command: password-control history max-record-num
  Remarks: The default setting is 4.
Step: Specify the maximum number of login attempts and the action to be taken when a user in the user group fails to log in.
  Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
  Remarks: By default, the login-attempt policy of the user group equals the global login-attempt policy.
Step: Specify the maximum number of login attempts and the action to be taken for the local user when the user fails to log in.
  Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
  Remarks: By default, the settings equal those for the user group to which the local user belongs. If no login-attempt policy is configured...
NOTE: The reset password-control history-record command can delete the history password records of one or all users even when the password history feature is disabled.
Password control configuration example
Network requirements
Configure a global password control policy to meet the following requirements:
•...
[Sysname] password-control update-interval 36
# Specify that a user can log in 5 times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Sysname] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
Global password control configurations:
Password control: Enabled
Password aging: Enabled (30 days)
Password length: Enabled (16 characters)
Password composition: Enabled (4 types, 4 characters per type)
Password history: Enabled (max history record:4)
Early notice on password expiration: 7 days
Maximum login attempts:
Action for exceeding login attempts: Lock
Minimum interval between two updates: 36 hours...
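The complexity and history rules described under "Password complexity checking policy" and "Password history", applied with the settings shown in this example's display output, as an added example that is not code from the HP guide. It assumes that the same-character check rejects a character repeated three or more times in a row and that "differ by at least four characters" is measured as edit distance; the PasswordPolicy, check_password and record_password names are the example's own.

```python
"""Password-control policy checker modelled on the rules described in this chapter.

Added example; it is not code from the HP guide. Assumptions (labelled):
- "same-character" rejects a character repeated three or more times consecutively;
- "different ... by at least four characters" is measured as Levenshtein edit distance;
- the default settings mirror the configuration example: 16 characters, 4 character
  types with 4 characters per type, 4 history records, username and reversed-username check.
"""
import string
from dataclasses import dataclass
from typing import List, Sequence


def levenshtein(a: str, b: str) -> int:
    """Edit distance; counts the characters that differ between two passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class PasswordPolicy:
    min_length: int = 16                # Password length: 16 characters
    composition_types: int = 4          # Password composition: 4 types ...
    chars_per_type: int = 4             # ... 4 characters per type
    check_user_name: bool = True        # password-control complexity user-name check
    check_same_character: bool = True   # password-control complexity same-character check
    history_max_records: int = 4        # password-control history 4
    min_history_difference: int = 4     # differ from history by at least four characters


def composition_counts(pw: str) -> List[int]:
    """Number of uppercase letters, lowercase letters, digits and special characters."""
    counts = [sum(c in cls for c in pw)
              for cls in (string.ascii_uppercase, string.ascii_lowercase, string.digits)]
    counts.append(sum(not c.isalnum() for c in pw))
    return counts


def has_repeated_run(pw: str, run: int = 3) -> bool:
    """True if any character occurs `run` or more times in a row (assumed same-character rule)."""
    return any(pw[i:i + run] == pw[i] * run for i in range(len(pw) - run + 1))


def check_password(policy: PasswordPolicy, username: str, new_pw: str,
                   current_pw: str, history: Sequence[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(n >= policy.chars_per_type for n in composition_counts(new_pw)) < policy.composition_types:
        problems.append(f"needs {policy.composition_types} character types with at least "
                        f"{policy.chars_per_type} characters each")
    if policy.check_user_name and username:
        low, user = new_pw.lower(), username.lower()
        if user in low or user[::-1] in low:
            problems.append("contains the username or the reverse of the username")
    if policy.check_same_character and has_repeated_run(new_pw):
        problems.append("contains the same character three or more times in a row")
    # The new password is compared with the current one and every stored history record.
    for old in [current_pw, *history]:
        if old and levenshtein(new_pw, old) < policy.min_history_difference:
            problems.append(f"differs from the current or a recent password by fewer than "
                            f"{policy.min_history_difference} characters")
            break
    return problems


def record_password(history: Sequence[str], replaced_pw: str, policy: PasswordPolicy) -> List[str]:
    """Push the replaced password onto the history, keeping only max-record-num entries."""
    return [replaced_pw, *history][:policy.history_max_records]


if __name__ == "__main__":
    # Constructed sample inputs, not from the guide.
    policy = PasswordPolicy()
    for candidate in ["ABCDefgh1234!@#$", "NIMDAefgh1234!@#$", "ABCDefgh1114!@#$", "Ab1!"]:
        print(candidate, check_password(policy, "admin", candidate, "", []) or ["accepted"])
```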
Managing public keys
Overview
This chapter describes public key management for the asymmetric key algorithms including the following:
• Rivest-Shamir-Adleman Algorithm (RSA).
• Digital Signature Algorithm (DSA).
• Elliptic Curve Digital Signature Algorithm (ECDSA).
Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 68.
• In FIPS mode: 2048 bits.
HP recommendation: a minimum of 768 bits.
...pair, and both key pairs use their default names.
• In FIPS mode: If you do not specify a key pair name, the system creates a host key pair with the default name.
Configuration procedure
To create a local key pair:
Step: Enter system view.
  Command: system-view
Step: Create a local key pair.
  Command:
  • In Release 2307 and Release 2310: public-key local create { dsa | ecdsa | rsa } [ name key-name ]
  • In Release 2311P04 and later versions: In non-FIPS mode: ...
Step: Export a local host public key.
  Command:
  • Export an RSA host public key:
    In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } filename
    In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 } ...
  Remarks: The public-key local export ecdsa command is available in Release...
IMPORTANT:
Manually enter (type or copy) the peer host public key.
If the peer device is an HP device, use the display public-key local public command...
...key displayed by the display public-key local public command, the system saves the key.
For information about displaying or exporting host public keys, see "Distributing a local host public key."
Importing a peer host public key from a public key file
Step: Enter system view.
  Command: system-view
Step: Import a peer host public key from a public key file.
  Command: public-key peer keyname import sshkey
  Remarks: By default, no peer host...
Figure 69 Network diagram (Device A, Device B)
Configuration procedure
Configure Device A:
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
Enter public key view. Return to system view with "peer-public-key end" command.
[DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B
[DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E
[DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257
[DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788
[DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001
# Save the public key and return to system view.
[DeviceB-pkey-public-key-devicea] peer-public-key end
Verifying the configuration
# Verify that the key is the same as on Device A.
[DeviceB] display public-key peer name devicea
=============================================
Key name: devicea...
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
# Use FTP in binary mode to get the public key file devicea.pub from Device A.
ftp 10.1.1.1
Connected to 10.1.1.1 (10.1.1.1).
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec and SSL.
PKI terminology
Digital certificate
A digital certificate is a document signed by a certificate authority (CA).
A certificate must be revoked when, for example, the username changes, the private key is compromised, or the user is no longer certified by the CA. The CA periodically publishes a CRL that contains the serial numbers of all revoked certificates. CRLs provide an effective way of verifying the validity of certificates.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other certificate repositories to provide directory navigation services.
Figure 72 PKI support for MPLS L3VPN
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
PKI configuration task list
Tasks at a glance
(Required.) Configuring a PKI entity...
• FQDN of the entity.
• IP address of the entity.
Whether the categories are required or optional depends on the CA policy. Follow the CA policy to configure the entity settings. For example, if the CA policy requires the entity DN, but you configure only the IP address, the CA rejects the certificate request from the entity.
Step: Specify the trusted CA.
  Command: ca identifier name
  Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server.
Step Command Remarks
  Remarks: Before a PKI entity can enroll with a CA, it must authenticate the CA by obtaining the self-signed certificate of the CA and verifying the fingerprint of the CA certificate. If a fingerprint is not entered in the PKI domain, and if the CA certificate is imported or obtained...
  Command: In non-FIPS mode: ...
Requesting a certificate
To request a certificate, a PKI entity must provide its identity information and public key to a CA. A certificate request can be submitted to a CA in offline or online mode.
• Offline mode—A certificate request is submitted by an out-of-band means, such as phone, disk, or...
entity automatically submits a certificate request and saves the certificate locally after obtaining it from the CA. A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
To configure automatic certificate request:
Step Command...
Aborting a certificate request
Before the CA issues a certificate, you can abort a certificate request to change some parameters, such as the common name, country code, and FQDN, in the certificate request. You can use display pki certificate request-status to display the certificate request status. Alternatively, you can remove a PKI domain to abort the certificate request.
• If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be obtained has been revoked, the certificate cannot be obtained.
• The device compares the validity period of a certificate with the local system time to determine...
Step: Enter PKI domain view.
  Command: pki domain domain-name
Step: (Optional.) Specify the URL of the CRL repository.
  Command: crl url url-string [ vpn-instance vpn-instance-name ]
  Remarks: By default, the URL of the CRL repository is not specified.
Step: Enable CRL checking.
  Command: crl check enable
  Remarks: By default, CRL checking is enabled.
After you change the storage path for the certificates or CRLs, the certificate files (with the .cer or .p12 extension) and CRL files (with the .crl extension) in the original path are moved to the new path.
To specify the storage path for the certificates and CRLs:
Task Command Remarks...
You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you remove the CA certificate, the system automatically removes the local certificates, peer certificates, and CRLs in the domain. You can remove a local certificate and request a new one when the local certificate is about to expire or the certificate's private key is compromised.
Step: Enter system view.
  Command: system-view
Step: Create a certificate attribute group and enter its view.
  Command: pki certificate attribute-group group-name
  Remarks: By default, no certificate attribute group exists.
Step: (Optional.) Configure an attribute rule for issuer name, ...
  Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } }...
  Remarks: By default, no attribute rule is...
Requesting a certificate from an RSA Keon CA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server.
Figure 73 Network diagram
Configuring the RSA Keon CA server
Create a CA server named myca:
In this example, you must configure these basic attributes on the CA server:
Nickname—Name of the trusted CA.
[Device-pki-domain-torsa] certificate request from ca
# Specify the PKI entity name as aaa.
[Device-pki-domain-torsa] certificate request entity aaa
# Specify the URL of the CRL repository.
[Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[Device-pki-domain-torsa] public-key rsa general name abc length 1024
[Device-pki-domain-torsa] quit
Generate a local RSA key pair.
Select Control Panel > Add or Remove Programs from the start menu.
Select Add/Remove Windows Components > Certificate Services.
Click Next to begin the installation.
Set the CA name. In this example, set the CA name to myca.
Install the SCEP add-on:
By default, Windows Server 2003 does not support SCEP.
[Device-pki-domain-winserver] certificate request from ra
# Specify the PKI entity name as aaa.
[Device-pki-domain-winserver] certificate request entity aaa
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[Device-pki-domain-winserver] public-key rsa general name abc length 1024
[Device-pki-domain-winserver] quit
Generate an RSA local key pair:
[Device] public-key local create rsa name abc...
To display detailed information about the CA certificate, use the display pki certificate domain command.
Requesting a certificate from an OpenCA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server.
Figure 75 Network diagram
Configuring the OpenCA server
Configure the OpenCA server as instructed in related manuals.
# Configure the certificate request URL. The URL is in the format http://host/cgi-bin/pki/scep, where host is the host IP address of the OpenCA server.
[Device-pki-domain-openca] certificate request url http://192.168.222.218/cgi-bin/pki/scep
# Configure the device to send certificate requests to the RA.
[Device-pki-domain-openca] certificate request from ra
# Specify PKI entity aaa for certificate request.
To display detailed information about the CA certificate, use the display pki certificate domain command.
Certificate import and export configuration example
Network requirements
As shown in Figure 76, Device B will replace Device A in the network.
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
[DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename pkilocal.pem
Now, Device A has three certificate files in PEM format:
A CA certificate file named pkicachain.pem.
…
-----END ENCRYPTED PRIVATE KEY-----
Download the certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from Device A to the host through FTP. (Details not shown.)
Upload the certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from the host to Device B through FTP. (Details not shown.)
Import the certificate files to Device B:
# Disable CRL checking.
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: CA:FALSE
            Netscape Cert Type: SSL Client, S/MIME
            X509v3 Key Usage: Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
            Netscape Comment: User Certificate of OpenCA Labs
            X509v3 Subject Key Identifier:...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
        Validity
            Not Before: May 26 05:58:26 2011 GMT
            Not After : Nov 22 05:58:26 2012 GMT
        Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption...
• The fingerprint information is illegal.
Solution
Make sure the network connection is physically proper.
Verify that the required configurations are correct.
Use ping to verify that the registration server is reachable.
Synchronize the system time of the device with the CA server.
Specify the correct source IP address for PKI protocol packets that the CA server can accept.
Failed to request local certificates
Symptom
Local certificate requests cannot be submitted.
Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No CA certificate has been obtained before you submit the certificate request.
•...
• The URL of the CRL repository is not configured, and the proper URL cannot be obtained from the CA certificate or local certificates in the PKI domain.
• The specified URL of the CRL repository is incorrect.
• The device tries to obtain CRLs through SCEP, but the PKI domain does not have local certificates,...
• CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained.
• The specified format does not match the actual format of the imported file.
• The device and the certificate do not have the local key pair.
•...
• The specified storage path is illegal.
• The disk space is full.
Solution
Use mkdir to create the path.
Specify the correct storage path for certificates or CRLs.
Clear up the disk space of the device.
Configuring IPsec
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
CAUTION:
• If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match...
• Good compatibility. You can apply IPsec to all IP-based application systems and services without modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility and greatly enhances IP security.
Security protocols and encapsulation modes
Security protocols
IPsec comes with two security protocols, AH and ESP.
• IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This configuration mode is simple and scales well. In medium- and large-scale dynamic networks, HP recommends setting up SAs through IKE negotiations.
A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types:
•...
• Traffic-based lifetime—Defines the maximum traffic that the SA can process.
If both lifetime timers are configured for an SA, the SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after its creation.
Authentication and encryption
Authentication algorithms
IPsec uses hash algorithms to perform authentication.
ACL-based IPsec To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent by the interface match the permit rule of the ACL, the packets are protected by the outbound IPsec SA and encapsulated with IPsec.
interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network.
• Application-based IPsec tunnel—Protects the packets of an application. This method can be used to protect IPv6 routing protocols. It does not require any ACL. To establish application-based IPsec tunnels, configure manual IPsec profiles and bind the profiles to an IPv6 routing protocol.
Tasks at a glance
(Optional.) Binding a source interface to an IPsec policy
(Optional.) Enabling QoS pre-classify
(Optional.) Enabling logging of IPsec packets
(Optional.) Configuring the DF bit of IPsec packets
(Optional.) Configuring SNMP notifications for IPsec
Configuring an ACL
IPsec uses ACLs to identify the traffic to be protected.
Configuring an IPsec transform set An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms. Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.
Step: Specify the mode in which the security protocol encapsulates IP packets.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: By default, the security protocol encapsulates IP packets in tunnel mode. The transport mode applies only when the source and destination IP addresses of data flows match...
Step: Enter system view.
  Command: system-view
Step: Create a manual IPsec policy entry and enter its view.
  Command: ipsec { ipv6-policy | policy } policy-name seq-number manual
  Remarks: By default, no IPsec policy exists.
Step: (Optional.) Configure a description for the IPsec policy.
  Command: description text
  Remarks: By default, no description is configured.
Step: Configure an authentication key for AH.
  Command:
  • Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
  • Configure an authentication key in character format for AH: ...
  Remarks: By default, no keys are configured for the IPsec SA.
• The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
For an IPsec SA established through IKE negotiation: The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
Step: Specify the local IP address of the IPsec tunnel.
  Command: local-address { ipv4-address | ipv6 ...
  Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy...
Step: Create an IPsec policy template and enter its view.
  Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number
  Remarks: By default, no IPsec policy template exists.
Step: (Optional.) Configure a description for the IPsec policy template.
  Command: description text
  Remarks: By default, no description is configured.
Step: (Optional.) Enable the global IPsec SA idle timeout function, and set the global SA idle timeout.
  Command: ipsec sa idle-time seconds
  Remarks: By default, the global IPsec SA idle timeout function is disabled.
Step: Create an IPsec policy by referencing the IPsec policy template...
  Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp...
  Remarks: By default, no IPsec policy exists.
Step: Enter system view.
  Command: system-view
Step: Enable ACL checking for de-encapsulated packets.
  Command: ipsec decrypt-check enable
  Remarks: By default, this feature is enabled.
Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window.
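To make the sliding-window mechanism concrete, the following is an added example (not code from the HP guide) that implements an anti-replay window in the style of RFC 4303 Appendix A and runs it over a constructed list of ESP sequence numbers. The AntiReplayWindow and run_sequence names, the verdict labels, the window-size constraint and the treatment of sequence number 0 as invalid are this example's own assumptions.

```python
"""Sliding-window anti-replay check for IPsec (ESP/AH) sequence numbers.

Added example modelled on RFC 4303 Appendix A; it is not code from the HP guide.
Assumptions: a 32-bit (non-extended) sequence number, window sizes that are
multiples of 32, and sequence number 0 treated as invalid because a sender
starts numbering at 1.
"""
from typing import Dict, List, Tuple


class AntiReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of the last `size` numbers."""

    def __init__(self, size: int = 64):
        if size < 32 or size % 32:
            raise ValueError("window size must be a multiple of 32 (assumption of this example)")
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0       # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0    # bit k set => sequence number (top - k) has already been received
        self.counters: Dict[str, int] = {"accepted": 0, "replayed": 0, "too_old": 0, "invalid": 0}

    def _record(self, verdict: str) -> str:
        self.counters[verdict] += 1
        return verdict

    def check(self, seq: int) -> str:
        """Return 'accepted', 'replayed', 'too_old' or 'invalid' for one received sequence number."""
        if not 1 <= seq <= 0xFFFFFFFF:
            return self._record("invalid")
        if seq > self.top:
            # Newer than anything seen: slide the window right and mark this number received.
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return self._record("accepted")
        offset = self.top - seq
        if offset >= self.size:
            # Left of the window: the receiver cannot tell whether it was seen, so it is dropped.
            return self._record("too_old")
        if (self.bitmap >> offset) & 1:
            # Inside the window but already received: a replayed packet.
            return self._record("replayed")
        self.bitmap |= 1 << offset
        return self._record("accepted")


def run_sequence(seqs: List[int], size: int = 64) -> Tuple[List[str], Dict[str, int]]:
    """Feed sequence numbers through one window; return per-packet verdicts and totals."""
    window = AntiReplayWindow(size)
    verdicts = [window.check(s) for s in seqs]
    return verdicts, dict(window.counters)


# Constructed sample: in-order traffic, one reordered packet, one replay, one stale packet.
SAMPLE_SEQUENCE = [1, 2, 3, 5, 4, 3, 100, 37, 36, 99]

if __name__ == "__main__":
    results, totals = run_sequence(SAMPLE_SEQUENCE)
    for s, v in zip(SAMPLE_SEQUENCE, results):
        print(f"seq {s:>4}: {v}")
    print(totals)
```

With a 64-entry window and top=100, sequence number 37 (offset 63) is still inside the window, while 36 (offset 64) falls off its left edge and is dropped as too old.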
Binding a source interface to an IPsec policy For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Configure the DF bit of IPsec packets on the interface.
  Command: ipsec df-bit { clear | copy | set }
  Remarks: By default, the interface uses the global DF bit setting.
consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
• The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For...
Configuring SNMP notifications for IPsec After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
Task: Clear IPsec statistics.
  Command: reset ipsec statistics [ tunnel-id tunnel-id ]
IPsec configuration examples
Configuring a manual mode IPsec tunnel for IPv4 packets
Network requirements
As shown in Figure 80, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches.
# Apply ACL 3101.
[SwitchA-ipsec-policy-manual-map1-10] security acl 3101
# Apply the IPsec transform set tran1.
[SwitchA-ipsec-policy-manual-map1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.3.1.
[SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
# Configure inbound and outbound SPIs for ESP.
[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
# Configure the inbound and outbound SA keys for ESP.
[SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
# Configure the inbound and outbound SA keys for ESP.
[SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
[SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-policy-manual-use1-10] quit
# Apply the IPsec policy use1 to interface VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
Verifying the configuration...
• Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as AES-CBC-192, and the authentication algorithm as HMAC-SHA1.
• Set up SAs through IKE negotiation.
Figure 81 Network diagram
Configuration procedure
Configure Switch A:
# Configure an IP address for VLAN-interface 1.
# Apply ACL 3101.
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
# Apply the IPsec transform set tran1.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.
[SwitchA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1
[SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
# Apply the IKE profile profile1.
[SwitchB-ike-profile-profile1] quit
# Create an IKE mode IPsec policy entry, with the policy name use1, and sequence number 10.
[SwitchB] ipsec policy use1 10 isakmp
# Apply ACL 3101.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec transform set tran1.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.
Apply the IPsec profile to a RIPng process or to an interface.
Configuration procedure
Configure Switch A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
system-view
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ripng 1 enable
[SwitchA-Vlan-interface100] quit
# Create and configure the IPsec transform set named tran1.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[SwitchB] ipsec profile profile001 manual
[SwitchB-ipsec-profile-profile001] transform-set tran1
[SwitchB-ipsec-profile-profile001] sa spi outbound esp 123456
[SwitchB-ipsec-profile-profile001] sa spi inbound esp 123456
[SwitchB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
[SwitchB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-profile-profile001] quit
# Apply the IPsec profile to RIPng process 1.
Verifying the configuration After the previous configurations, Switch A, Switch B, and Switch C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the switches to protect RIPng packets. The following example uses Switch A to illustrate how to view the IPsec-related information. # Use the display ripng command to display the RIPng configuration.
Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
Figure 84 IKE exchange process in main mode
As shown in Figure 84, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange—Used for negotiating the IKE security policy.
• Key exchange—Used for exchanging the DH public value and other values, such as the random...
the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node.
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared secret from the exchanged values is computationally infeasible, a third party cannot obtain the keys even after intercepting all the keying material.
Tasks at a glance (with remarks)
(Optional.) Configuring an IKE proposal. Remarks: Required when the IKE profile needs to reference IKE proposals.
(Optional.) Configuring an IKE keychain. Remarks: Required when pre-shared key authentication is used in IKE negotiation phase 1.
(Optional.) Configuring the global identity information
(Optional.) Configuring the IKE keepalive function
(Optional.)
Specify a priority number for the IKE profile. To determine the priority of an IKE profile: First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority. If a tie exists, the device compares the priority numbers.
Step: (Optional.) Configure IKE DPD.
  Command: dpd interval interval-seconds [ retry ...
  Remarks: By default, the IKE DPD function is not configured for an IKE profile and an IKE profile uses the DPD settings configured in system view. If the IKE DPD...
Step: Enter system view.
  Command: system-view
Step: Create an IKE proposal and enter its view.
  Command: ike proposal proposal-number
  Remarks: By default, there is an IKE proposal that is used as the default IKE proposal.
Step: ...
  Command: In non-FIPS mode: encryption-algorithm { 3des-cbc | ...
  Remarks: By default: In non-FIPS mode, an IKE proposal uses the 56-bit DES...
You can specify a priority number for the IKE keychain. To determine the priority of an IKE keychain:
1. The device examines whether the match local address command is configured. An IKE keychain with the match local address command configured has a higher priority.
2. If a tie exists, the device compares the priority numbers. A smaller priority number represents a higher priority.
When pre-shared key authentication is used, you cannot set the DN as the identity.

To configure the global identity information:
Step | Command | Remarks
Enter system view. | system-view |
Configure the global identity information. | ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn ... | By default, the IP address of the interface to which the IPsec policy or ...
Configuring the IKE NAT keepalive function

If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel for a period of time, the NAT sessions are aged and deleted, and the tunnel can no longer deliver data to the intended end. NAT keepalive packets, sent at an interval shorter than the NAT session lifetime, keep the NAT mapping alive.
Step | Command | Remarks
Enable sending IKE DPD messages. | ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic } | By default, IKE DPD is disabled.

Enabling invalid SPI recovery

An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. The surviving peer still holds its SAs and keeps sending IPsec packets, which the recovered peer silently drops because it has no SA for the SPI in those packets. Invalid SPI recovery lets the recovered peer use IKE to tell the sender that the SPI is invalid, so that the sender deletes the stale SA and the peers renegotiate.
Configuring SNMP notifications for IKE

After you enable SNMP notifications for IKE, the IKE module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module sends notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
IKE configuration examples

Main mode IKE with pre-shared key authentication configuration example

Network requirements

As shown in Figure 85, configure an IPsec tunnel that uses IKE negotiation between Switch A and Switch B to secure the communication. Configure Switch A and Switch B to use the default IKE proposal for the IKE negotiation to set up the IPsec SA.
[SwitchA-ike-keychain-keychain1] quit
# Create IKE profile profile1.
[SwitchA] ike profile profile1
# Specify IKE keychain keychain1.
[SwitchA-ike-profile-profile1] keychain keychain1
# Configure a peer ID with the identity type of IP address and the value of 2.2.2.2.
[SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[SwitchA-ike-profile-profile1] quit
# Create an IPsec policy entry, and specify the IPsec policy name as map1, the sequence number as 10, and the IPsec SA setup mode as IKE.
# Specify the plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 1.1.1.1. The key must be identical to the one configured on Switch A.
[SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
[SwitchB-ike-keychain-keychain1] quit
# Create IKE profile profile1.
[SwitchB] ike profile profile1
# Specify IKE keychain keychain1.
[SwitchB-ike-profile-profile1] keychain keychain1
# Configure a peer ID with the identity type of IP address and the value of 1.1.1.1.
When IKE event debugging and packet debugging are enabled, the following messages appear:
IKE event debugging message: The attributes are unacceptable.
IKE packet debugging message: Construct notification packet: NO_PROPOSAL_CHOSEN.

Analysis

Certain IKE proposal settings are incorrect.

Solution

Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals. Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals.
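The two failure modes above (no common proposal, mismatched pre-shared key) and the DH exchange described in the overview can be seen together in the following added example. It is not code from the HP guide: it simulates IKEv1 phase-1 proposal selection on the responder, the Diffie-Hellman exchange of messages 3 and 4, and the pre-shared-key SKEYID derivation of RFC 2409, then checks the HASH_I of messages 5 and 6 with a simplified hash input. The proposal fields mirror the guide's IKE proposal commands; the assumption that a smaller priority number wins, the TOY_GROUP modulus (a known prime, not an IKE DH group) and the sample proposals are constructed for the example.

```python
"""Added example, not code from the HP guide: IKEv1 phase-1 proposal
matching (the step that fails with NO_PROPOSAL_CHOSEN), the DH exchange
and the pre-shared-key SKEYID derivation of RFC 2409. TOY_GROUP uses a
known prime only so the arithmetic runs; it is not an IKE DH group."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    priority: int       # assumption: a smaller number means a higher priority
    encryption: str     # "3des-cbc", "aes-cbc-128", ...
    auth_alg: str       # "sha" or "md5" (selects the PRF)
    auth_method: str    # "pre-share" or "rsa-signature"
    dh_group: int

    def suite(self):
        return (self.encryption, self.auth_alg, self.auth_method, self.dh_group)


def choose_proposal(initiator, responder):
    """Responder picks its highest-priority proposal that the initiator also
    offered. None means the peers have no proposal in common."""
    offered = {p.suite() for p in initiator}
    for p in sorted(responder, key=lambda x: x.priority):
        if p.suite() in offered:
            return p
    return None


TOY_GROUP = {"p": 2 ** 521 - 1, "g": 3}   # constructed: a prime, not an IKE group


def derive_keys(psk, nonce_i, nonce_r, shared_secret, cky_i, cky_r, prf):
    """Pre-shared-key mode: SKEYID = prf(psk, Ni | Nr) and
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    skeyid = hmac.new(psk, nonce_i + nonce_r, prf).digest()
    gxy = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    skeyid_d = hmac.new(skeyid, gxy + cky_i + cky_r + b"\x00", prf).digest()
    return skeyid, skeyid_d


def run_main_mode(initiator_props, responder_props, psk_i, psk_r, group=TOY_GROUP):
    """Returns the outcome named as the device's debug messages would name it,
    plus each side's SKEYID_d so the reader can see that both sides agree."""
    chosen = choose_proposal(initiator_props, responder_props)
    if chosen is None:
        return {"status": "NO_PROPOSAL_CHOSEN"}
    p, g = group["p"], group["g"]
    prf = hashlib.sha1 if chosen.auth_alg == "sha" else hashlib.md5
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Messages 3/4: each side sends g^x and a nonce; x itself never leaves the host.
    x_i, x_r = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    gx_i, gx_r = pow(g, x_i, p), pow(g, x_r, p)
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    secret_i = pow(gx_r, x_i, p)      # initiator computes (g^xr)^xi
    secret_r = pow(gx_i, x_r, p)      # responder computes (g^xi)^xr
    skeyid_i, skeyid_d_i = derive_keys(psk_i, n_i, n_r, secret_i, cky_i, cky_r, prf)
    skeyid_r, skeyid_d_r = derive_keys(psk_r, n_i, n_r, secret_r, cky_i, cky_r, prf)
    # Messages 5/6 carry HASH_I / HASH_R keyed with SKEYID (input simplified here);
    # a wrong pre-shared key gives a different SKEYID, so the hashes disagree.
    gx_i_bytes = gx_i.to_bytes(66, "big")          # 521-bit modulus fits in 66 bytes
    hash_i_sent = hmac.new(skeyid_i, gx_i_bytes + cky_i, prf).digest()
    hash_i_expected = hmac.new(skeyid_r, gx_i_bytes + cky_i, prf).digest()
    if not hmac.compare_digest(hash_i_sent, hash_i_expected):
        return {"status": "AUTHENTICATION_FAILED", "proposal": chosen}
    return {"status": "OK", "proposal": chosen,
            "skeyid_d_initiator": skeyid_d_i, "skeyid_d_responder": skeyid_d_r}


if __name__ == "__main__":
    # Constructed proposals: Switch A offers one suite, Switch B offers two.
    switch_a = [IkeProposal(10, "aes-cbc-128", "sha", "pre-share", 14)]
    switch_b = [IkeProposal(5, "3des-cbc", "md5", "pre-share", 2),
                IkeProposal(20, "aes-cbc-128", "sha", "pre-share", 14)]
    print(run_main_mode(switch_a, switch_b, b"12345zxcvb", b"12345zxcvb")["status"])
    print(run_main_mode(switch_a, switch_b[:1], b"12345zxcvb", b"12345zxcvb")["status"])
```

The responder's loop is why the guide asks you to compare proposals on both ends: the first common suite in priority order wins, and when the loop exhausts the list the device constructs the NO_PROPOSAL_CHOSEN notification. The DH step itself never fails for a mismatched key; the mismatch only surfaces when the authentication hashes are compared.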
IPsec SA negotiation failed because no matching IPsec transform sets were found

Symptom

The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
Local IP: 192.168.222.5
Local ID type: IPV4_ADDR
Local ID: 192.168.222.5
Remote IP: 192.168.222.71
Remote ID type: IPV4_ADDR
Remote ID: 192.168.222.71
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 85847
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Verify that the IPsec policy is referencing an IKE profile.
# On the responder:
[Sysname] display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
 rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured.
Configuring SSH

Overview

Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.

SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH1 is obsolete and has known protocol-level weaknesses; use SSH2 wherever the client supports it.
... CLI. The text pasted at one time must be no more than 2000 bytes.

Interaction

HP recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.
Informs the client of the authentication result. If the remote AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. After the user enters the correct password and passes the validity check by the remote AAA server, the SSH server returns an authentication success message to the client.
Configuring the device as an SSH server

SSH server configuration task list

Tasks at a glance | Remarks
(Optional.) Generating local key pairs |
(Required.) Enabling the SSH server function | Required for Stelnet and SCP servers.
(Required.) Enabling the SFTP server function | Required for SFTP servers.
• The public-key local create rsa command generates a server key pair and a host key pair for RSA. SSH1 uses the public key in the server key pair of the SSH server to encrypt the session key before transmitting the session key. Because SSH2 uses the DH algorithm to separately generate the session key on the SSH server and the client, no session key transmission is required and thus the server key pair is not used in SSH2.
Enabling the SFTP server function

The SFTP server function enables clients to log in to the device through SFTP.

To enable the SFTP server function:
Step | Command | Remarks
Enter system view. | system-view |
Enable the SFTP server function. | sftp server enable | By default, the SFTP server function is disabled.
... PKCS format.

HP recommends that you configure no more than 20 SSH client host public keys on an SSH server.

To manually configure a client's host public key: ...
Step | Command | Remarks
Return to system view. | peer-public-key end |

To import a client's host public key from a public key file:
Step | Command
Enter system view. | system-view
Import a client's public key from a public key file. | public-key peer keyname import sshkey filename

Configuring an SSH user

To configure an SSH user that uses publickey authentication, perform the procedure in this section.
If a client directly sends the user's public key information to the server, you must specify the client's public key on the server and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."...
Step | Command | Remarks
Set the SSH user authentication timeout period. | ssh server authentication-timeout time-out-value | The default setting is 60 seconds. If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.
Set the maximum number of ... | ssh server authentication-retries ... | The default setting is 3. If the authentication method is any, ...
Specifying the source IP address for SSH packets

HP recommends that you specify a loopback interface as the source interface for SSH packets for the following purposes:
• Ensuring the communication between the Stelnet client and the Stelnet server.
• Improving the manageability of Stelnet clients in authentication service.
Terminating the connection with the SFTP server

Specifying the source IP address for SFTP packets

HP recommends that you specify a loopback interface as the source interface for SFTP packets for the following purposes:
• Ensuring the communication between the SFTP client and the SFTP server.
In an insecure network, HP recommends that you configure the server's host public key on the device. After the connection is established, you can directly enter SFTP client view on the server to perform operations, such as working with directories or files.
Working with SFTP directories

Task | Command | Remarks
Change the working directory on the SFTP server. | cd [ remote-path ] | Available in SFTP client view.
Return to the upper-level directory. | cdup | Available in SFTP client view.
Display the current working directory on the SFTP server. | | Available in SFTP client view.
• If you choose to continue, the device accesses the server and downloads the server's host public key.
• If you choose to not continue, the connection cannot be established.
• In an insecure network, HP recommends that you configure the server's host public key on the device.

To transfer files with an SCP server: ...
Task | Command | Remarks
Connect to the IPv4 SCP server, and transfer files with this server. | In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex ... |
Displaying and maintaining SSH

Execute display commands in any view.

Task | Command
Display the source IP address configured for the SFTP client. | display sftp client source
Display the source IP address configured for the Stelnet client. | display ssh client source
Display SSH server status or sessions. | ...
system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
To establish a connection to the Stelnet server:
1. Launch PuTTY.exe to enter the interface shown in Figure ...
2. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
Figure 87 Specifying the host name (or IP address)
3. Click Open to connect to the server.
Publickey authentication enabled Stelnet server configuration example Network requirements As shown in Figure 88, you can log in to the switch through the Stelnet client (SSH2) that runs on the host and are assigned the user role network-admin for configuration management. The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm.
Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 90. Otherwise, the progress bar stops moving and the key pair generation stops.
Figure 90 Generating process
After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save.
Figure 91 Saving a key pair on the client
Click Save private key to save the private key. A confirmation dialog box appears. Click Yes, enter a file name (private.ppk in this example), and click Save.
Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
Configure the Stelnet server:
# Generate RSA key pairs.
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+
...+....+..+...+
Create the key pair successfully.
# Enable the SSH server function.
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this IP address as the destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
Figure 92 Specifying the host name (or IP address)
Select Connection > SSH from the navigation tree. The window shown in Figure 93 appears. Specify the Preferred SSH protocol version as 2 in the Protocol options area.
Figure 93 Specifying the preferred SSH version
Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 94 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK. Figure 94 Specifying the private key file Click Open to connect to the server.
Configuration procedure

Configure the Stelnet server:
# Generate RSA key pairs.
system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Establish a connection to the Stelnet server 192.168.1.40:
# Assign an IP address to VLAN-interface 2.
system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
Before establishing a connection to the server, you can configure the server's host public key on the client to authenticate the server.
[SwitchA-pkey-public-key-key1] peer-public-key end
[SwitchA] quit
# Establish an SSH connection to the server, and specify the host public key of the server.
<SwitchA> ssh2 192.168.1.40 publickey key1
Username: client001
[email protected]'s password:
After you enter the correct password, you log in to Switch B successfully.
If you do not configure the server's host public key on the client, when you access the server, the system will ask you whether to continue with the access.
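What the pre-configured host public key buys you is a comparison the client can perform before any password is typed; the prompt you get without it is the trust-on-first-use fallback. The following added example, not code from the HP guide, parses an OpenSSH-format public key line, computes the OpenSSH-style SHA256 fingerprint of the raw key blob and checks it against a pinned value for the server address. The key is constructed from tiny numbers so the example runs (it is not a usable RSA key), and the host names and fingerprint table are assumptions.

```python
"""Added example, not code from the HP guide: host public key pinning as an
SSH client does it. Parses an OpenSSH public key line, fingerprints the
blob and compares it with a pinned fingerprint. The sample key below is
constructed from tiny integers for the example only."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': two's complement big-endian; a leading zero byte is added
    when the top bit of the first byte would otherwise be set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_key_line(e: int, n: int, comment: str = "constructed") -> str:
    """Builds 'ssh-rsa <base64 blob> <comment>' (the format a client reads)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_key_line(line: str):
    """Returns (key_type, [integer fields], raw_blob) and rejects a line whose
    declared type does not match the type encoded inside the blob."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if fields[0] != key_type.encode():
        raise ValueError("key type in blob does not match declared type")
    return key_type, [int.from_bytes(f, "big") for f in fields[1:]], blob


def fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw blob, base64 without '='."""
    _, _, blob = parse_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(host: str, presented_line: str, pinned: dict) -> str:
    """pinned maps host -> expected fingerprint. 'unknown' is the case where a
    client with no pinned key has to ask the user (trust on first use)."""
    expected = pinned.get(host)
    if expected is None:
        return "unknown"
    return "match" if fingerprint(presented_line) == expected else "MISMATCH"


if __name__ == "__main__":
    # Constructed: the key Switch B would present, and the client's pinned table.
    server_key = build_rsa_key_line(65537, 0xC0FFEE1234567, "switchb-host-key")
    pinned = {"192.168.1.40": fingerprint(server_key)}
    print(verify_host_key("192.168.1.40", server_key, pinned))
    print(verify_host_key("192.168.1.40", build_rsa_key_line(65537, 0xBADC0DE), pinned))
```

A "MISMATCH" on a host that previously matched is the signal to stop and investigate rather than to re-pin: either the server's key was legitimately regenerated (for example with public-key local create rsa) or something is impersonating it.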
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+
...+....+..+...+
Create the key pair successfully.
# Export the DSA host public key to file key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP.
[SwitchB-line-vty0-63] quit
# Import the peer public key from the file key.pub, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey key.pub
# Create an SSH user client002 with the authentication method publickey, and assign the public key switchkey to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
# Create a local device management user client002 with the service type ssh and the user role ...
Configuration procedure

Configure the SFTP server:
# Generate RSA key pairs.
system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
NOTE: PSFTP supports only password authentication.

To establish a connection to the SFTP server:
1. Run psftp.exe to launch the client interface shown in Figure 98, and enter the following command:
open 192.168.1.45
2. Enter username client002 and password aabbcc as prompted to log in to the SFTP server.
Figure 98 SFTP client interface

Publickey authentication enabled SFTP client configuration example
Configure the SFTP client:
# Assign an IP address to VLAN-interface 2.
system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
# Generate RSA key pairs.
[SwitchA] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
# Enable the SFTP server function.
[SwitchB] sftp server enable
# Assign an IP address to VLAN-interface 2. The SFTP client uses the address as the destination for SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Import the peer public key from the file pubkey, and name it switchkey.
SCP file transfer with password authentication

Network requirements

As shown in Figure 100, you can log in to Switch B through the SCP client that runs on Switch A. After login, you are assigned the user role network-admin and can securely transfer files with Switch B. Switch B uses the password authentication method, and the client's username and password are saved on Switch B.
# Create a local device management user named client001 with the plaintext password aabbcc, the service type ssh, and the user role network-admin.
[SwitchB] local-user client001 class manage
[SwitchB-luser-manage-client001] password simple aabbcc
[SwitchB-luser-manage-client001] service-type ssh
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Configure an SSH user client001 with service type scp and authentication method password.
Figure 101 Network diagram

Configuration procedure
# Generate RSA key pairs.
system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
[Switch] local-user client001 class manage
# Set the password to aabbcc in plain text for the local user client001.
[Switch-luser-manage-client001] password simple aabbcc
# Authorize the local user client001 to use the SSH service.
[Switch-luser-manage-client001] service-type ssh
# Assign the user role network-admin to the local user client001.
[Switch-luser-manage-client001] authorization-attribute user-role network-admin
[Switch-luser-manage-client001] quit
# Configure an SSH user client001.
Configuring SSL

Overview

Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet.

SSL security services

SSL provides the following security services:
• Privacy—SSL uses a symmetric encryption algorithm to encrypt data and uses an asymmetric key ...
Figure 103 SSL protocol stack

The following describes the major functions of SSL protocols:
• SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data.
• SSL handshake protocol—Negotiates the cipher suite used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), authenticates the server and client, and securely exchanges the key between the server and client.
Step | Command | Remarks
Enter system view. | system-view |
(Optional.) Disable SSL 3.0. | ssl version ssl3.0 disable | By default, the device supports SSL 3.0. This command is available in Release 2311P05 and later versions.
Create an SSL server policy and enter its view. | ssl server-policy policy-name | By default, no SSL server ...
• If SSL 3.0 is specified, the client uses SSL 3.0 to connect to the SSL server, whether you disable SSL 3.0 or not.

To enhance system security, HP recommends disabling SSL 3.0 on the device and specifying TLS 1.0 for an SSL client policy. TLS 1.0 has itself since been deprecated (RFC 8996); where the software supports a newer TLS version, prefer it.

To configure an SSL client policy: ...
Configuring IP source guard

Overview

IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops all packets that do not match the table. The IP source guard binding table can include the following binding entries:
• Global binding entries
• ...
Static IP source guard binding entries Static IP source guard binding entries are configured manually. They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a static IP source guard binding entry on an interface that connects to a server.
Dynamic IPv6 source guard

IPv6 source guard on an interface obtains information from DHCPv6 snooping entries to generate IPv6 source guard binding entries for packet filtering. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.

IP source guard configuration task list

To configure IPv4 source guard, perform the following tasks:
Tasks at a glance
(Required.) ...
Step | Command | Remarks
Enter interface view. | interface interface-type interface-number | The following interface types are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, VLAN interface, Layer 3 aggregate interface.
Enable the IPv4 source guard function. | ... | By default, the function is disabled on an interface.
Step | Command | Remarks
Configure a static IPv4 source guard binding entry. | ip source binding { ip-address ip-address | ip-address ip-address mac-address ... | By default, no static IPv4 source guard binding entry is configured on an interface. The vlan vlan-id option is supported only in Layer 2 Ethernet interface view. To configure a static binding entry for the ...
Step | Command | Remarks
Enable the IPv6 source guard function. | ipv6 verify source { ip-address | ip-address mac-address | mac-address } | By default, the function is disabled on an interface. If you configure this command on an interface multiple times, the most recent configuration takes effect.
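The binding table and the three per-interface matching modes (ip-address, ip-address mac-address, mac-address) described in this chapter behave as in the following added example, which is not code from the HP guide. It models the table as a set of bindings from static configuration and DHCP snooping, applies the mode configured on the receiving interface, and honours the rule that re-running the enable command replaces the earlier mode. Interface names, addresses and packets are constructed; the handling of a static entry with no MAC under the ip-address mac-address mode (no match) is an assumption of the model.

```python
"""Added example, not code from the HP guide: a software model of the IP
source guard binding table and per-interface filtering modes. All bindings,
interface names and packets are constructed for the example."""
from collections import namedtuple

Binding = namedtuple("Binding", "ip mac vlan iface source")  # source: "static" / "dhcp-snooping"
Packet = namedtuple("Packet", "iface vlan src_ip src_mac")

MODES = ("ip-address", "ip-address mac-address", "mac-address")


class IpSourceGuard:
    def __init__(self):
        self.bindings = set()
        self.mode = {}            # iface -> mode; an interface absent here is not guarded

    def enable(self, iface, mode):
        """ip verify source <mode>: the most recent configuration takes effect."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode[iface] = mode

    def add_static(self, iface, ip, mac=None, vlan=None):
        """ip source binding ... on an interface (MAC and VLAN are optional)."""
        self.bindings.add(Binding(ip, mac, vlan, iface, "static"))

    def learn_from_dhcp_snooping(self, iface, ip, mac, vlan):
        """DHCP snooping entries always carry IP, MAC, VLAN and receiving port."""
        self.bindings.add(Binding(ip, mac, vlan, iface, "dhcp-snooping"))

    def release(self, iface, ip):
        """Lease expiry or DHCP release removes only the dynamic entry."""
        self.bindings = {b for b in self.bindings
                         if not (b.iface == iface and b.ip == ip
                                 and b.source == "dhcp-snooping")}

    @staticmethod
    def _matches(b, pkt, mode):
        if b.iface != pkt.iface:
            return False
        if b.vlan is not None and b.vlan != pkt.vlan:
            return False
        if "ip-address" in mode and b.ip != pkt.src_ip:
            return False
        if "mac-address" in mode and b.mac != pkt.src_mac:   # assumption: mac=None never matches
            return False
        return True

    def permit(self, pkt):
        """True if the packet passes the guard on its receiving interface."""
        mode = self.mode.get(pkt.iface)
        if mode is None:
            return True           # feature not enabled on this port: no filtering
        return any(self._matches(b, pkt, mode) for b in self.bindings)


if __name__ == "__main__":
    # Constructed scenario: host learned via DHCP snooping on XGE1/0/1 in VLAN 100.
    guard = IpSourceGuard()
    guard.enable("XGE1/0/1", "ip-address mac-address")
    guard.learn_from_dhcp_snooping("XGE1/0/1", "192.168.0.1", "0001-0203-0406", 100)
    legit = Packet("XGE1/0/1", 100, "192.168.0.1", "0001-0203-0406")
    spoof = legit._replace(src_ip="192.168.0.99")
    print(guard.permit(legit), guard.permit(spoof))
```

The last two checks in the usage section are the ones the verification output in the examples below is meant to confirm: once the dynamic entry exists, a packet that changes either the IP or the MAC is dropped, and an interface without the feature enabled lets everything through.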
Dynamic IPv4 source guard using DHCP snooping configuration example

Network requirements

As shown in Figure 106, the host (the DHCP client) obtains an IP address from the DHCP server. Enable DHCP snooping on the device to record the IPv4 address and the MAC address of the host in a DHCP snooping entry.
The output shows that a dynamic IPv4 source guard binding entry is generated based on a DHCP snooping entry. Dynamic IPv4 source guard using DHCP relay configuration example Network requirements As shown in Figure 107, DHCP relay is enabled on the switch. The host obtains an IP address from the DHCP server through the DHCP relay agent.
192.168.0.1     0001-0203-0406   Vlan100   DHCP relay
The output shows that a dynamic IPv4 source guard binding entry is generated based on a DHCP relay entry.

Static IPv6 source guard configuration example

Network requirements

As shown in Figure 108, configure a static IPv6 source guard binding entry for Ten-GigabitEthernet 1/0/1 of the device to allow only IPv6 packets from the host to pass.
Figure 109 Network diagram

Configuration procedure

Configure DHCPv6 snooping:
# Enable DHCPv6 snooping globally.
system-view
[Switch] ipv6 dhcp snooping enable
# Configure the interface connecting to the DHCP server as a trusted interface.
[Switch] interface ten-gigabitethernet 1/0/2
[Switch-Ten-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Switch-Ten-GigabitEthernet1/0/2] quit
Enable IPv6 source guard:
# Enable IPv6 source guard on Ten-GigabitEthernet 1/0/1 and verify the source IP address and ...
Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
• ARP source suppression—Stops resolving packets from a host if the upper limit on unresolvable IP packets from the host is reached within an interval of 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.
Displaying and maintaining unresolvable IP attack protection

Execute display commands in any view.

Task | Command
Display ARP source suppression configuration information. | display arp source-suppression

Configuration example

Network requirements

As shown in Figure 110, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20.
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100
# Enable ARP blackhole routing.
[Device] arp resolving-route enable

Configuring ARP packet rate limit

The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP detection enabled device will send all received ARP packets to the CPU for inspection.
Exclude the MAC address of the server from this detection.

Configuration procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
system-view
[Device] arp source-mac filter
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
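Both ARP source suppression (unresolvable IP packets counted per source IP over 5 seconds) and source MAC-based ARP attack detection (ARP packets counted per source MAC over 5 seconds, with a filter or monitor handling method, protected MACs and aging attack entries) are rate checks over a trailing window. The following added example, not code from the HP guide, implements that window once and builds both features on it, using the threshold 30, lifetime 60 and a protected server MAC as in the procedure above. Timestamps are passed in explicitly so the behaviour can be traced deterministically; the traffic and MAC addresses are constructed, and the choice to stop counting a source once it has an attack entry is an assumption of the model.

```python
"""Added example, not code from the HP guide: sliding-window counters that
model ARP source suppression and source MAC-based ARP attack detection.
The 5-second window is the one stated in the guide; thresholds, lifetimes
and sample traffic are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0


class WindowCounter:
    """Counts events per key inside a trailing time window."""
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Records one event and returns how many fall inside the window."""
        q = self.events[key]
        q.append(now)
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)


class ArpSourceSuppression:
    """Stop resolving for a source IP once it sends more than `limit`
    unresolvable IP packets within the window; resolution resumes once the
    window has elapsed."""
    def __init__(self, limit):
        self.limit = limit
        self.counter = WindowCounter()

    def should_resolve(self, src_ip, now):
        return self.counter.hit(src_ip, now) <= self.limit


class ArpSourceMacDetection:
    """Create an attack entry for a source MAC that exceeds `threshold` ARP
    packets in the window. 'filter' drops its ARP packets until the entry
    ages out after `lifetime` seconds; 'monitor' only records the entry.
    Protected MACs (the server in the guide's example) are never flagged."""
    def __init__(self, threshold, handling="monitor", lifetime=300, protected=()):
        if handling not in ("filter", "monitor"):
            raise ValueError(handling)
        self.threshold, self.handling, self.lifetime = threshold, handling, lifetime
        self.protected = set(protected)
        self.counter = WindowCounter()
        self.attack_entries = {}        # mac -> time the entry was created

    def _age_out(self, now):
        for mac, created in list(self.attack_entries.items()):
            if now - created >= self.lifetime:
                del self.attack_entries[mac]

    def handle(self, src_mac, now):
        """Returns 'forward' or 'drop' for one received ARP packet."""
        self._age_out(now)
        if src_mac in self.protected:
            return "forward"
        if src_mac not in self.attack_entries:
            if self.counter.hit(src_mac, now) <= self.threshold:
                return "forward"
            self.attack_entries[src_mac] = now       # assumption: counting stops here
        return "drop" if self.handling == "filter" else "forward"


if __name__ == "__main__":
    # Constructed burst: 31 ARP packets from one MAC within 3 seconds.
    det = ArpSourceMacDetection(threshold=30, handling="filter", lifetime=60,
                                protected={"0001-0203-0405"})
    results = [det.handle("000f-e349-1233", i * 0.1) for i in range(31)]
    print(results.count("forward"), results.count("drop"))   # 30 1
```

With handling set to monitor the entry is still created (and visible, as the display command would show it) but nothing is dropped; filter is the setting that actually protects the CPU, which is why the guide pairs it with excluding the server's MAC.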
Step | Command | Remarks
Enter system view. | system-view |
Enable the ARP active acknowledgement function. | arp active-ack [ strict ] enable | By default, the ARP active acknowledgement function is disabled.

Configuring authorized ARP

Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent.
# Enable recording of relay entries on the relay agent.
[SwitchB] dhcp relay client-information record
Configure Switch C:
system-view
[SwitchC] ip route-static 10.1.1.0 24 10.10.1.1
[SwitchC] interface ten-gigabitethernet 1/0/2
[SwitchC-Ten-GigabitEthernet1/0/2] port link-mode route
[SwitchC-Ten-GigabitEthernet1/0/2] ip address dhcp-alloc
[SwitchC-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration
# Display authorized ARP information on Switch B.
• Make sure at least one of static IP source guard binding and DHCP snooping is configured for user validity check. Otherwise, ARP packets received from ARP untrusted ports are discarded.
• You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can ...
Step | Command | Remarks
Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number |
(Optional.) Configure the interface as a trusted interface excluded from ARP detection. | arp detection trust | By default, an interface is untrusted.

Configuring ARP restricted forwarding

NOTE: ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses.
User validity check and ARP packet validity check configuration example

Network requirements

As shown in Figure 114, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts.
Figure 114 Network diagram
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.
[SwitchB-vlan10] interface ten-gigabitethernet 1/0/3
[SwitchB-Ten-GigabitEthernet1/0/3] arp detection trust
[SwitchB-Ten-GigabitEthernet1/0/3] quit
# Configure a static IP source guard binding entry on interface Ten-GigabitEthernet 1/0/2 for user validity check.
• To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command.
• Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.

Configuration procedure

To configure ARP scanning and fixed ARP:
Step ...
Step | Command | Remarks
Enable ARP gateway protection for the specified gateway. | arp filter source ip-address | By default, ARP gateway protection is disabled.

Configuration example

Network requirements

As shown in Figure 115, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded. Configuration guidelines Follow these guidelines when you configure ARP filtering: You can configure a maximum of eight permitted entries on an interface.
Figure 116 Network diagram

Configuration procedure
# Configure ARP filtering on Switch B.
system-view
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-Ten-GigabitEthernet1/0/1] quit
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234

Verifying the configuration
# Verify that Ten-GigabitEthernet 1/0/1 permits ARP packets from Host A, and discards other ARP packets.
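The per-port ARP checks described in this chapter (trusted-port bypass, ARP packet validity check, user validity check against IP source guard and DHCP snooping bindings, ARP gateway protection with arp filter source, and ARP filtering with arp filter binding and its limit of eight entries) are combined in the following added example, which is not code from the HP guide. The order in which the checks run, the treatment of multicast and all-zero/all-one addresses as invalid, and the requirement that validity checks only apply when detection is enabled in the VLAN are assumptions of the model; the packets and bindings are constructed from the addresses used in the examples above.

```python
"""Added example, not code from the HP guide: an ARP policy for one Layer 2
port combining the checks the guide describes. Check order and the exact
set of invalid addresses are assumptions; packets are constructed."""
from dataclasses import dataclass, field, replace

BROADCAST = "ffff-ffff-ffff"
ZERO_MAC = "0000-0000-0000"


@dataclass(frozen=True)
class ArpPacket:
    iface: str
    vlan: int
    eth_src: str          # Ethernet header source MAC
    eth_dst: str          # Ethernet header destination MAC
    op: str               # "request" or "reply"
    sender_mac: str       # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def variant(p, **changes):
    """Copy a packet with some fields changed (used for the spoofed variants)."""
    return replace(p, **changes)


@dataclass
class PortArpPolicy:
    detection: bool = False                                   # arp detection enable (VLAN)
    trusted: bool = False                                     # arp detection trust
    bindings: set = field(default_factory=set)                # {(ip, mac, vlan)} static IPSG / DHCP snooping
    protected_gateways: set = field(default_factory=set)      # arp filter source ip
    permitted: set = field(default_factory=set)               # arp filter binding ip mac

    def add_permitted(self, ip, mac):
        if len(self.permitted) >= 8 and (ip, mac) not in self.permitted:
            raise ValueError("at most eight permitted entries per interface")
        self.permitted.add((ip, mac))

    @staticmethod
    def _bad_ip(ip):
        first = int(ip.split(".")[0])
        return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first <= 239

    def packet_validity(self, p):
        """ARP packet validity check; returns a reason or None if the packet is sane."""
        if p.sender_mac in (BROADCAST, ZERO_MAC) or p.sender_mac != p.eth_src:
            return "invalid sender MAC"
        if p.op == "reply" and (p.target_mac in (BROADCAST, ZERO_MAC)
                                or p.target_mac != p.eth_dst):
            return "invalid target MAC"
        if self._bad_ip(p.sender_ip) or (p.op == "reply" and self._bad_ip(p.target_ip)):
            return "invalid IP"
        return None

    def check(self, p):
        """Returns 'forward' or 'drop: <reason>' for one ARP packet on this port."""
        if self.detection and self.trusted:
            return "forward"                      # trusted ports skip ARP detection
        if self.detection:
            reason = self.packet_validity(p)
            if reason:
                return "drop: " + reason
        if p.sender_ip in self.protected_gateways:
            return "drop: gateway spoofing"       # nobody on this port may claim the gateway IP
        if self.permitted and (p.sender_ip, p.sender_mac) not in self.permitted:
            return "drop: not a permitted entry"
        if self.detection and (p.sender_ip, p.sender_mac, p.vlan) not in self.bindings:
            return "drop: no matching binding"    # user validity check
        return "forward"


if __name__ == "__main__":
    # Constructed: Host A (10.1.1.2) on an untrusted port in VLAN 10 behind Switch B.
    port =PortArpPolicy(detection=True,
                        bindings={("10.1.1.2", "000f-e349-1233", 10)},
                        protected_gateways={"10.1.1.1"})
    req = ArpPacket("XGE1/0/1", 10, "000f-e349-1233", BROADCAST, "request",
                    "000f-e349-1233", "10.1.1.2", ZERO_MAC, "10.1.1.1")
    print(port.check(req))
    print(port.check(variant(req, sender_ip="10.1.1.1")))   # Host B style gateway spoof
```

The guideline in the chapter that "at least one of static IP source guard binding and DHCP snooping" must exist follows directly from the last check: with an empty binding set every ARP packet from an untrusted port fails user validity.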
Configuring MFF Overview Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. When a large number of hosts need to be isolated at Layer 2, you have to assign a network segment for each VLAN and an IP address for each VLAN interface for Layer 3 communication.
• VLAN mapping (see Layer 2—LAN Switching Configuration Guide).

NOTE: When MFF works with static IP source guard entries, you must configure VLAN IDs in the static entries. Otherwise, IP packets allowed by IP source guard are permitted even if their destination MAC addresses are not the MAC address of the gateway.
MFF operation modes The manual mode applies to networks where IP addresses are statically assigned to the hosts, and the hosts cannot obtain the gateway information through DHCP. A VLAN maintains only the MAC address of the default gateway. In manual mode, after receiving an ARP request for a host's MAC address from the gateway, the MFF device directly replies the host's MAC address to the gateway according to the ARP snooping entries.
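The manual-mode behaviour just described can be followed in the added example below, which is not code from the HP guide. It models one VLAN on an MFF device: ARP requests from hosts are answered with the gateway's MAC so that every host-to-host flow goes through the gateway, the gateway's ARP requests for hosts are answered from the ARP snooping entries, and an IP packet from a host is only accepted if it is addressed to the gateway MAC (the point the NOTE about VLAN IDs in static IP source guard entries is protecting). Server handling is left out, and the names of the actions and the behaviour before the gateway MAC is learned are assumptions; all addresses are constructed.

```python
"""Added example, not code from the HP guide: a manual-mode MFF device for
one VLAN. Server IP handling is omitted; action names and addresses are
constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class MffVlan:
    gateway_ip: str                    # mac-forced-forwarding default-gateway
    gateway_mac: str = ""              # learned from the gateway's ARP traffic ("" = unknown)
    snooping: dict = field(default_factory=dict)   # ip -> (mac, port) from ARP snooping

    def snoop(self, ip, mac, port):
        """ARP snooping: learn the sender of every ARP packet seen in the VLAN."""
        if ip == self.gateway_ip:
            self.gateway_mac = mac
        else:
            self.snooping[ip] = (mac, port)

    def on_arp_reply(self, sender_ip, sender_mac, from_network_port):
        self.snoop(sender_ip, sender_mac, "network" if from_network_port else "user")

    def on_arp_request(self, sender_ip, sender_mac, target_ip, from_network_port):
        """Returns ('reply', mac) when the device answers on behalf of the
        target, or ('forward', where) when it passes the request on."""
        self.snoop(sender_ip, sender_mac, "network" if from_network_port else "user")
        if from_network_port:
            if sender_ip == self.gateway_ip and target_ip in self.snooping:
                # Manual mode: answer the gateway from the ARP snooping entry.
                return ("reply", self.snooping[target_ip][0])
            return ("forward", "user-ports")
        # A host asked, whether for the gateway or for another host: always hand
        # back the gateway MAC so that the host's traffic is forced via the gateway.
        if self.gateway_mac:
            return ("reply", self.gateway_mac)
        # Assumption: before the gateway MAC is known the request is forwarded
        # upstream so the gateway's reply can be snooped.
        return ("forward", "network-ports")

    def permit_ip_from_host(self, dst_mac):
        """Host-originated IP packets must be addressed to the gateway."""
        return bool(self.gateway_mac) and dst_mac == self.gateway_mac


if __name__ == "__main__":
    # Constructed VLAN 100 with gateway 10.1.1.100 and two hosts.
    vlan = MffVlan(gateway_ip="10.1.1.100")
    print(vlan.on_arp_request("10.1.1.1", "000f-e349-0001", "10.1.1.2", False))
    vlan.on_arp_reply("10.1.1.100", "000f-e349-00aa", True)
    print(vlan.on_arp_request("10.1.1.1", "000f-e349-0001", "10.1.1.2", False))
    print(vlan.on_arp_request("10.1.1.100", "000f-e349-00aa", "10.1.1.1", True))
```

Host A never learns Host B's real MAC address: both the ARP answer and the Layer 2 forwarding decision point at the gateway, which is what gives MFF its isolation without a VLAN per host.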
To specify the IP addresses of servers:
Step | Command | Remarks
Enter system view. | system-view |
Enter VLAN view. | vlan vlan-id |
Specify the IP addresses of servers. | mac-forced-forwarding server ... | By default, no server IP address is specified. If the server's interface connecting to the MFF device uses secondary IP ...
Figure 118 Network diagram

Configuration procedure

Assign IP addresses to the hosts and the gateway. (Details not shown.)
Configure Switch A:
# Configure manual-mode MFF on VLAN 100.
[SwitchA] vlan 100
[SwitchA-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchA-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
Manual-mode MFF configuration example in a ring network

Network requirements

As shown in Figure 119, all the devices are in VLAN 100, and the switches form a ring. Hosts A, B, and C are assigned IP addresses manually. Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through the gateway at Layer 3.
# Configure manual-mode MFF on VLAN 100.
[SwitchB] vlan 100
[SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
[SwitchB-vlan100] arp snooping enable
[SwitchB-vlan100] quit
# Configure Ten-GigabitEthernet 1/0/4 and Ten-GigabitEthernet 1/0/6 as network ports.
[SwitchB] interface ten-gigabitethernet 1/0/4
[SwitchB-Ten-GigabitEthernet1/0/4] mac-forced-forwarding network-port
[SwitchB-Ten-GigabitEthernet1/0/4] quit
...
Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 121 uRPF work flow (flow chart; decision points: broadcast source address, all-zero source address, broadcast destination address, matching FIB entry found, loose uRPF, matching route is a direct route, receiving interface matches the output interface of the matching route, default route found, receiving interface matches the output interface of the default route; a failed check discards the packet)
2. uRPF checks whether the source address matches a FIB entry: If yes, proceeds to step 3. If no, proceeds to step 6.
3. uRPF checks whether the check mode is loose: If yes, proceeds to step 8. If no, proceeds to step 4.
4. uRPF checks whether the matching route is a direct route: If yes, proceeds to step 5.
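The decision procedure above, as an added Python model that is not the switch's own implementation: it walks the checks named in the flow chart (broadcast and all-zero source, FIB match, loose versus strict interface comparison, default-route fallback) over a constructed FIB. FibEntry, urpf_check and the interface names are assumptions, as is the reading that an all-zero source is accepted only toward a broadcast destination.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class FibEntry(NamedTuple):
    prefix: str      # e.g. "10.1.1.0/24"; "0.0.0.0/0" is the default route
    out_iface: str   # output interface of the route
    direct: bool     # True for a directly connected route

FORWARD, DISCARD = "forward", "discard"
BROADCAST = ipaddress.ip_address("255.255.255.255")

def lookup(addr, fib: List[FibEntry]) -> Optional[FibEntry]:
    """Longest-prefix match of addr against the non-default FIB entries."""
    best, best_len = None, -1
    for e in fib:
        net = ipaddress.ip_network(e.prefix)
        if net.prefixlen and addr in net and net.prefixlen > best_len:
            best, best_len = e, net.prefixlen
    return best

def default_route(fib: List[FibEntry]) -> Optional[FibEntry]:
    return next((e for e in fib if ipaddress.ip_network(e.prefix).prefixlen == 0), None)

def urpf_check(src: str, dst: str, in_iface: str, fib: List[FibEntry], loose: bool) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source src that arrived on in_iface."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == BROADCAST:
        return DISCARD, "broadcast source address"
    if int(src_ip) == 0:
        # Assumption: all-zero source accepted only toward a broadcast destination (e.g. DHCP discover)
        if dst_ip == BROADCAST:
            return FORWARD, "all-zero source to broadcast destination"
        return DISCARD, "all-zero source address"
    route = lookup(src_ip, fib)
    if route is not None:
        if loose:
            return FORWARD, "loose: source matches FIB entry %s" % route.prefix
        kind = "direct route" if route.direct else "route"
        if route.out_iface == in_iface:
            return FORWARD, "strict: receiving interface matches %s %s" % (kind, route.prefix)
        return DISCARD, "strict: %s %s points to %s, packet arrived on %s" % (kind, route.prefix, route.out_iface, in_iface)
    default = default_route(fib)
    if default is None:
        return DISCARD, "no matching FIB entry and no default route"
    if loose:
        return FORWARD, "loose: default route present"
    if default.out_iface == in_iface:
        return FORWARD, "strict: receiving interface matches the default route"
    return DISCARD, "strict: default route points to %s, packet arrived on %s" % (default.out_iface, in_iface)

# Constructed FIB: customer subnet on XGE1/0/1 (direct), a static route via XGE1/0/1, ISP uplink as default route
SAMPLE_FIB = [
    FibEntry("10.1.1.0/24", "XGE1/0/1", True),
    FibEntry("192.168.5.0/24", "XGE1/0/1", False),
    FibEntry("0.0.0.0/0", "XGE1/0/2", False),
]
```

Running urpf_check("10.1.1.5", "8.8.8.8", "XGE1/0/2", SAMPLE_FIB, loose=False) discards the packet because the source belongs to the customer subnet but arrived on the uplink, which is the spoofing case strict mode is meant to catch.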
Network application
Figure 122 Network diagram (ISP A, ISP B, and ISP C with uRPF (loose) between the ISPs and uRPF (strict) toward the user)
Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs.
Configuring uRPF
When you configure uRPF, follow these restrictions and guidelines: Global uRPF configuration takes effect on both IPv4 and IPv6 routes.
Displaying and maintaining uRPF
Execute display commands in any view.
Task: Display uRPF configuration. Command: display ip urpf [ slot slot-number ]
uRPF configuration example
Network requirements
As shown in Figure 123, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.
Configuring crypto engines
Overview
Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types:
• Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
Configuring FIPS
Overview
Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high. The device supports Level 2.
save.
• Other commands used for configuration preparation to enter FIPS mode.
Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks:
• Delete the local user and configure a new local user.
The system automatically uses the startup configuration file to reboot the device and enter FIPS mode. You can only use the configured username and password to log in to the FIPS device. After login, you are assigned a user role of crypto officer.
Manual reboot
To use manual reboot to enter FIPS mode:
1. Enable the password control function globally.
When the device acts as a server to authenticate a client through public keys, the key pairs for the client must also have a modulus length of 2048 bits.
SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, and MD5.
•...
You can also trigger a self-test. If the power-up self-test fails, the device where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information.
NOTE: If a self-test fails, contact HP Support.
Power-up self-tests
Power-up self-tests include the following types:
• Known-answer test (KAT)
•...
Table 11 Power-up self-test list
Type: Cryptographic algorithm self-test
Operations: Tests the following algorithms:
• DSA (signature and authentication).
• RSA (signature and authentication).
• RSA (encryption and decryption).
• AES.
• 3DES.
• SHA1.
• HMAC-SHA1.
• Random number generator algorithms.
Table 12 Power-up self-test list
Type Operations...
Triggering self-tests
To examine whether the cryptography modules operate correctly, you can trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device where the self-test process exists reboots.
To trigger a self-test:
Step Command...
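As an added illustration of what the self-tests in Table 11 and the conditional self-test above do (this is not the device's own self-test code), the following Python runs known-answer tests for SHA1 and HMAC-SHA1 against published vectors and applies a continuous test to RNG output; the function names, the choice of vectors and the 16-byte block size are assumptions of this example.

```python
import hashlib
import hmac
import os

# Known answers from published vectors: FIPS 180 "abc" for SHA-1, RFC 2202 test case 1 for HMAC-SHA-1.
KAT_VECTORS = {
    "SHA1": {"key": None, "input": b"abc",
             "expected": "a9993e364706816aba3e25717850c26c9cd0d89d"},
    "HMAC-SHA1": {"key": b"\x0b" * 20, "input": b"Hi There",
                  "expected": "b617318655057264e28bc0b6fb378c8ef146be00"},
}

def run_kat(name: str) -> bool:
    """Compute the algorithm over the stored input and compare with the stored known answer."""
    v = KAT_VECTORS[name]
    if name == "SHA1":
        got = hashlib.sha1(v["input"]).hexdigest()
    elif name == "HMAC-SHA1":
        got = hmac.new(v["key"], v["input"], hashlib.sha1).hexdigest()
    else:
        raise ValueError("no KAT defined for %s" % name)
    return hmac.compare_digest(got, v["expected"])

def power_up_self_test():
    """Run every KAT; returns (passed, failed_algorithms). On the device a failure here causes a reboot."""
    failed = [name for name in KAT_VECTORS if not run_kat(name)]
    return (not failed, failed)

def continuous_rng_test(previous, current: bytes) -> bool:
    """Conditional self-test on the RNG: a block identical to the previous one indicates a stuck generator."""
    return previous is None or current != previous

def draw_random_blocks(count: int, block_len: int = 16, source=os.urandom):
    """Draw blocks from source under the continuous test; returns the blocks or raises on failure."""
    blocks, previous = [], None
    for _ in range(count):
        block = source(block_len)
        if not continuous_rng_test(previous, block):
            # On the device a conditional self-test failure is reported, not rebooted on
            raise RuntimeError("conditional self-test failed: repeated RNG output")
        blocks.append(block)
        previous = block
    return blocks
```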
Verifying the configuration
After the device reboots, enter the username root and the password 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters.
[Sysname] password-control composition type-number 4 type-length 1
# Set the minimum length of user passwords to 15 characters.
[Sysname] password-control length 15
# Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB
[Sysname-luser-manage-test] authorization-attribute user-role network-admin...
Updating user information. Please wait...
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled.
Exiting FIPS mode through automatic reboot
Network requirements
A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file.
Configuring attack detection and prevention
Overview
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions, such as packet dropping, to protect a private network. The device supports only TCP fragment attack prevention.
Configuring TCP fragment attack prevention
The TCP fragment attack prevention feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that a traditional packet filter cannot detect.