User account policies ··· 114
Authentication methods ··· 114
VLAN assignment ··· 115
ACL assignment ··· 116
Redirect URL assignment ··· 117
Periodic MAC reauthentication ··· 117
Configuration prerequisites ··· 117
General guidelines and restrictions ··· 117
Configuration task list ··· 118
Enabling MAC authentication ··· ...
Configuring portal Web server detection ··· 149
Configuring portal user synchronization ··· 150
Configuring the portal fail-permit feature ··· 151
Configuring BAS-IP for portal packets sent to the portal authentication server ··· 151
Applying a NAS-ID profile to an interface ··· 152
Configuring the local portal Web server feature ··· ...
Logging ··· 215
FIPS compliance ··· 216
Password control configuration task list ··· 216
Enabling password control ··· 216
Setting global password control parameters ··· 217
Setting user group password control parameters ··· 218
Setting local user password control parameters ··· 219
Setting super password control parameters ··· ...
Verifying certificates with CRL checking ··· 251
Verifying certificates without CRL checking ··· 252
Specifying the storage path for the certificates and CRLs ··· 253
Exporting certificates ··· 253
Removing a certificate ··· 254
Configuring a certificate-based access control policy ··· 254
Displaying and maintaining PKI ··· ...
IKE negotiation process ··· 313
IKE security mechanism ··· 314
Protocols and standards ··· 315
FIPS compliance ··· 315
IKE configuration prerequisites ··· 315
IKE configuration task list ··· 315
Configuring an IKE profile ··· 316
Configuring an IKE proposal ··· 318
Configuring an IKE keychain ··· ...
Enabling the SCP server ··· 361
Enabling NETCONF over SSH ··· 361
Configuring the user lines for SSH login ··· 361
Configuring a client's host public key ··· 362
Configuring an SSH user ··· 363
Configuring the SSH management parameters ··· 364
Specifying a PKI domain for the SSH server ··· ...
Dynamic IPv4SG using DHCP snooping configuration example ··· 424
Dynamic IPv4SG using DHCP relay configuration example ··· 425
Static IPv6SG configuration example ··· 426
Dynamic IPv6SG using DHCPv6 snooping configuration example ··· 427
Configuring ARP attack protection ··· 428
ARP attack protection configuration task list ··· 428
Configuring unresolvable IP attack protection ··· ...
Configuration procedure ··· 456
Displaying and maintaining IPv6 uRPF ··· 456
IPv6 uRPF configuration example ··· 456
Configuring FIPS ··· 458
Overview ··· 458
Configuration restrictions and guidelines ··· 458
Configuring FIPS mode ··· 459
Entering FIPS mode ··· 459
Configuration changes in FIPS mode ··· ...
Enabling MACsec desire ··· 494
Configuring a preshared key ··· 495
Configuring the MKA key server priority ··· 495
Configuring MACsec protection parameters in interface view ··· 495
Configuring the MACsec confidentiality offset ··· 496
Configuring MACsec replay protection ··· 496
Configuring the MACsec validation mode ··· ...
Verifying the configuration ··· 524
Document conventions and icons ··· 527
Conventions ··· 527
Network topology icons ··· 528
Support and other resources ··· 529
Accessing Hewlett Packard Enterprise Support ··· 529
Accessing updates ··· 529
Websites ··· 530
Customer self repair ··· 530
Remote support ··· ...
Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to resources and services.
• Accounting—Records the network usage of users, such as the service type, start time, and traffic volume.
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS operates in the following workflow:
1. The host sends a connection request that includes the user's username and password to the RADIUS client.
Figure 4 RADIUS packet format

Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.

Table 1 Main values of the Code field
Packet type  Description
...          From the client to the server. ...
• Type—Type of the attribute.
• Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
• Value—Value of the attribute. Its format and content depend on the Type subfield.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for VPDN and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS.
Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
...
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. ...
Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server, which checks whether the user password is correct.
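The search step above is where the login username is spliced into an LDAP filter, so the NAS must escape it (RFC 4515) or a crafted username can widen the search to other DNs. The following added example is not code from the HPE guide: it builds the user-DN search filter the NAS would send, parses and evaluates it against a small constructed directory (the names aaa, Users and ldap.com are borrowed from the guide's configuration example; the base DN, name attribute and object class are assumptions), and shows that an unescaped wildcard username matches every entry while the escaped form matches none.

```python
"""LDAP user-DN search with RFC 4515 filter escaping.

Added example, not code from the HPE guide. The directory, base DN, name
attribute and object class are constructed assumptions."""

# Characters RFC 4515 reserves inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Constructed stand-in for the server's subtree: DN -> attributes.
DIRECTORY = {
    "cn=aaa,cn=Users,dc=ldap,dc=com": {"objectclass": ["person"], "cn": ["aaa"]},
    "cn=admin,cn=Users,dc=ldap,dc=com": {"objectclass": ["person"], "cn": ["admin"]},
}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)


def unescape_filter_value(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        return ("!", node), i + 1
    j = s.index(")", i)  # a raw ')' cannot occur inside a properly escaped value
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def _match_value(pattern: str, value: str) -> bool:
    """Case-insensitive equality; an unescaped '*' in the pattern is a wildcard."""
    parts = [unescape_filter_value(p).lower() for p in pattern.split("*")]
    v = value.lower()
    if len(parts) == 1:
        return v == parts[0]
    if not (v.startswith(parts[0]) and v.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = v.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(v) - len(parts[-1])


def matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


def search_user_dns(username: str, escape: bool = True, name_attr: str = "cn") -> list:
    """Build the filter the NAS would send for this username; return matching DNs."""
    name = escape_filter_value(username) if escape else username
    flt = "(&(objectClass=person)(%s=%s))" % (name_attr, name)
    node, _ = parse_filter(flt)
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry)]
```

With the username `*` the unescaped filter returns both DNs, which is exactly the "one or more user DNs found" case above turning into a problem: the subsequent user-DN bind is then attempted against entries the user never named. With escaping the same input returns no DN and authentication fails closed.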
AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.

command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
• User role authentication—Authenticates each user who wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.
RADIUS attributes

Commonly used standard RADIUS attributes

Attribute       Description
User-Name       Name of the user to be authenticated.
User-Password   User password for PAP authentication, only present in Access-Request packets when PAP authentication is used.
CHAP-Password   Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.
...
Acct-Authentic  Authentication method used by the user. Possible values include: 1—RADIUS, 2—Local, 3—Remote.
CHAP-Challenge  CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
NAS-Port-Type   Type of the physical port of the NAS that is authenticating the user. Possible values include: ...
Subattribute              Description
Command                   Operation for the session, used for session control. Possible values include: 1—Trigger-Request, 2—Terminate-Request, 3—SetPolicy, 4—Result, 5—PortalClear.
...                       Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value.
...
Output-Interval-Gigaword  Amount of bytes output within an accounting interval, in units of 4G bytes.
Backup-NAS-IP             Backup source IP address for sending RADIUS packets.
...                       User-defined attribute pair. Available attribute pairs include: dynamically assigned WEP key in the format of leap:session-key=xxx; ...
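The packet format, attribute TLV layout and User-Password handling described in the RADIUS sections above come together in the following added example, which is not code from the HPE guide. It builds an Access-Request with User-Name, User-Password (hidden with the RFC 2865 MD5/XOR scheme seeded by the random Request Authenticator) and NAS-IP-Address, lets a minimal server recover the password and answer Access-Accept or Access-Reject, and has the client verify the Response Authenticator before trusting the reply. The shared key `expert` and the NAS address 10.1.1.2 are borrowed from the guide's examples; the user database and credentials are constructed.

```python
"""RADIUS Access-Request/Access-Accept over the RFC 2865 wire format.

Added example, not code from the HPE guide. Shared key, user database,
NAS address and credentials are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1) + Length (1, counts Type, Length and Value) + Value (<= 253)."""
    if len(value) > 253:
        raise ValueError("attribute Value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()


def build_access_request(ident, username, password, nas_ip, secret):
    request_auth = os.urandom(16)  # must be unpredictable for every request
    attrs = (encode_attr(USER_NAME, username)
             + encode_attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return header(ACCESS_REQUEST, ident, attrs) + request_auth + attrs, request_auth


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server: recover the password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], given)
    out_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    out_attrs = encode_attr(REPLY_MESSAGE, b"welcome" if ok else b"denied")
    return (header(out_code, ident, out_attrs)
            + response_authenticator(out_code, ident, out_attrs, request_auth, secret)
            + out_attrs)


def client_verify_response(response, request_auth, secret, expect_ident) -> bool:
    """The NAS checks Identifier and Response Authenticator before trusting a reply."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != expect_ident or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    secret, users = b"expert", {b"user1": b"Pa55-word"}  # constructed sample data
    req, request_auth = build_access_request(7, b"user1", b"Pa55-word", "10.1.1.2", secret)
    good = server_handle(req, secret, users)        # server holds the matching key
    bad = server_handle(req, b"wrong-key", users)   # key mismatch on the server
    return {
        "accepted": good[0] == ACCESS_ACCEPT and client_verify_response(good, request_auth, secret, 7),
        "rejected_on_key_mismatch": bad[0] == ACCESS_REJECT,
        "bad_reply_detected": not client_verify_response(bad, request_auth, secret, 7),
    }
```

Two practitioner points fall out of the code: a key mismatch between NAS and server does not produce an error, it produces an Access-Reject with a garbled password (the usual symptom when "the shared key is wrong"), and the Response Authenticator is the only thing that ties a reply to the request, so it must be checked with a constant-time comparison before the NAS acts on an Accept.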
Figure 10 AAA configuration procedure (flowchart; recoverable text: create an ISP domain and enter ISP domain view; select the authentication method: none (no AAA), local (the default), or scheme; for local AAA, configure local users and related attributes; configure AAA methods for different types of users and/or the default methods for all types of users)
the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types:
• Device management user—User who logs in to the device for device management.
• Network access user—User who accesses network resources through the device.
• When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed.
• You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
Step  Command  Remarks
...  authorization-attribute { acl ...  The following default settings apply:
• FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.
• ...
By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view.
To configure user group attributes:
Step  Command  Remarks
...
Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server IP addresses, UDP port numbers, shared keys, and server types.

Configuration task list
Tasks at a glance
(Optional.) ...
• The RADIUS server is manually set to the blocked state.
• The RADIUS scheme is deleted.
To configure a test profile for RADIUS server status detection:
Step  Command  Remarks
1. Enter system view.  system-view
2. Configure a test profile for detecting the status of RADIUS servers.  radius-server test-profile profile-name username name ...  By default, no test profiles exist.
Step  Command  Remarks
• Specify the primary RADIUS authentication server.  primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | ...  By default, no authentication server is specified. To support server status detection, specify an existing test profile for the authentication server.
Step  Command  Remarks
• Specify the primary RADIUS accounting server.  primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ...  By default, no accounting server is specified. Two accounting servers in a scheme, primary or secondary, cannot have the same ...
Step  Command  Remarks
Specify a VPN for the RADIUS scheme.  vpn-instance vpn-instance-name  By default, a RADIUS scheme belongs to the public network.

Setting the username format and traffic statistics units

A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
Setting the status of RADIUS servers

To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers act as the backup of the primary server.
Step  Command  Remarks
1. Enter system view.  system-view
2. Enter RADIUS scheme view.  radius scheme radius-scheme-name
3. Set the status of RADIUS servers:
   • Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
   • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
   • ...
   By default, every server specified in a RADIUS ...
Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
• If it is the IP address of a managed NAS, the server processes the packet.
• ...
• Realtime accounting timer (realtime-accounting)—Defines the interval at which the device sends realtime accounting packets to the RADIUS accounting server for online users.
When you set RADIUS timers, follow these guidelines:
• When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the number of secondary servers: the device walks through every active server, retransmitting to each, before it gives up, so the total wait grows with the number of servers.
Step  Command  Remarks
Enable accounting-on.  accounting-on enable [ interval seconds | send send-times ] *  By default, the accounting-on feature is disabled.

Configuring the IP addresses of the security policy servers

The NAS verifies the validity of received control packets and accepts only control packets from known servers.
• RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it does not receive a response to an accounting or authentication request within the specified number of RADIUS request transmission attempts. • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
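The server status handling described in the last few sections (primary and secondary servers, the retransmission count and response timeout, the blocked state, and the quiet timer after which a blocked server is treated as reachable again) is modelled in the following added example. It is not code from the HPE guide; the timer values, the attempt count and the `transport` callback that stands in for the network are constructed assumptions. Its `worst_case_delay` method is the arithmetic behind the guideline to consider the number of secondary servers: if that figure exceeds the access client's own timeout, users time out before the device has finished failing over.

```python
"""RADIUS scheme failover: retransmission, response timeout, blocked state
and quiet timer. Added example, not code from the HPE guide; timer values
and the transport callback are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    state: str = "active"          # "active" or "blocked"
    blocked_until: float = 0.0     # absolute time (s) at which the quiet timer expires


@dataclass
class RadiusScheme:
    servers: list                  # primary first, then secondaries in order
    response_timeout: float = 3.0  # seconds per attempt (assumed sample value)
    attempts: int = 3              # transmissions per server (assumed sample value)
    quiet_timer: float = 300.0     # seconds a server stays blocked (assumed sample value)
    events: list = field(default_factory=list)

    def _usable(self, srv: RadiusServer, now: float) -> bool:
        """A blocked server returns to active once its quiet timer expires
        (the 'reachable notification' case)."""
        if srv.state == "blocked" and now >= srv.blocked_until:
            srv.state = "active"
            self.events.append("%s: reachable notification (quiet timer expired)" % srv.name)
        return srv.state == "active"

    def worst_case_delay(self) -> float:
        """Seconds before the device gives up when every server stays silent."""
        return len(self.servers) * self.attempts * self.response_timeout

    def fits_client_timeout(self, client_timeout: float) -> bool:
        return self.worst_case_delay() <= client_timeout

    def authenticate(self, now: float, transport) -> tuple:
        """transport(server_name) -> True if that server answered.
        Returns (name of the server that answered or None, seconds spent waiting)."""
        elapsed = 0.0
        for srv in self.servers:
            if not self._usable(srv, now + elapsed):
                continue
            for _ in range(self.attempts):
                if transport(srv.name):
                    return srv.name, elapsed
                elapsed += self.response_timeout
            # No reply after all attempts: block the server and try the next one.
            srv.state = "blocked"
            srv.blocked_until = now + elapsed + self.quiet_timer
            self.events.append("%s: unreachable notification, blocked for %.0fs"
                               % (srv.name, self.quiet_timer))
        return None, elapsed
```

The first request after an outage pays the full retransmission cost for the primary before the secondary is tried; later requests skip the blocked primary at no cost until the quiet timer expires, at which point the primary is tried again and, if still down, blocked again.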
Creating an HWTACACS scheme

Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure up to 16 HWTACACS schemes. An HWTACACS scheme can be referenced by multiple ISP domains.
To create an HWTACACS scheme:
Step  Command  Remarks
1. Enter system view.  system-view
Step  Command  Remarks
1. Enter system view.  system-view
2. Enter HWTACACS scheme view.  hwtacacs scheme hwtacacs-scheme-name
3. • Specify the primary HWTACACS authorization server: primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | ...  By default, no authorization server is specified.
Specifying the shared keys for secure HWTACACS communication

The HWTACACS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication. Perform this task to configure shared keys for servers in an HWTACACS scheme.
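To make concrete what the shared key buys, the following added example implements the body obfuscation of TACACS+ (RFC 8907 section 4.5), the protocol family HWTACACS belongs to: an MD5 pseudo-pad derived from the session ID, the key, the version and the sequence number is XORed over the packet body. It is not code from the HPE guide and is not a statement of the exact HWTACACS wire format; treat the correspondence as an assumption. The key `expert`, the user aaa and the addresses are sample values, and the session ID is constructed. Besides the round trip it shows two checks a NAS should make: refuse a body flagged as unencrypted, and remember that the pad is a keystream, so anyone holding the key (or two bodies sent under the same session ID and sequence number) can recover plaintext.

```python
"""TACACS+-style body obfuscation (RFC 8907 4.5) for an authentication
START packet. Added example; not code from the HPE guide and not the
HWTACACS format itself. Key, session ID and addresses are constructed."""
import hashlib
import struct

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
TYPE_AUTHEN, FLAG_UNENCRYPTED, VERSION = 1, 0x01, 0xC0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id + key + version + seq_no);
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
    four length octets, then the variable-length strings."""
    return (struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int, encrypt: bool = True) -> bytes:
    flags = 0 if encrypt else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, VERSION, seq_no) if encrypt else body
    return HDR.pack(VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("length field does not match packet")
    if flags & FLAG_UNENCRYPTED:
        raise ValueError("refusing a body sent without obfuscation")
    return obfuscate(packet[12:], session_id, key, version, seq_no)


def roundtrip(key_sender: bytes, key_receiver: bytes) -> bool:
    """True only when both sides hold the same key."""
    body = authen_start_body(b"aaa", b"vty0", b"192.168.1.1")
    return parse_packet(build_packet(body, 0x12345678, key_sender, 1), key_receiver) == body


def refuses_cleartext() -> bool:
    body = authen_start_body(b"aaa", b"vty0", b"192.168.1.1")
    try:
        parse_packet(build_packet(body, 0x12345678, b"expert", 1, encrypt=False), b"expert")
    except ValueError:
        return True
    return False


def keystream_reuse(body_a: bytes, body_b: bytes, session_id: int, key: bytes, seq_no: int) -> bool:
    """Two bodies under the same (session_id, seq_no) share the pad, so the XOR
    of the ciphertexts equals the XOR of the plaintexts: no key needed."""
    ca = obfuscate(body_a, session_id, key, VERSION, seq_no)
    cb = obfuscate(body_b, session_id, key, VERSION, seq_no)
    n = min(len(ca), len(cb))
    return (bytes(x ^ y for x, y in zip(ca, cb))
            == bytes(x ^ y for x, y in zip(body_a[:n], body_b[:n])))
```

The practical consequence is the same as for RADIUS: a key mismatch surfaces as garbled fields rather than an explicit error, and the obfuscation is confidentiality against casual sniffing only, so the path between NAS and server still belongs on a trusted management network.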
Step  Command  Remarks
1. Enter HWTACACS scheme view.  hwtacacs scheme hwtacacs-scheme-name
2. Set the format of usernames sent to the HWTACACS servers.  user-name-format { keep-original | with-domain | without-domain }  By default, the ISP domain name is included in a username.
3. (Optional.) Set the data flow and packet statistics units.  data-flow-format { data { byte | giga-byte | kilo-byte | ...  By default, traffic is counted in ...
Step  Command  Remarks
Specify the source IP address of outgoing HWTACACS packets.  nas-ip { ipv4-address | ipv6 ipv6-address }  By default, the source IP address specified by the hwtacacs nas-ip command in system view is used. If the source IP address is not ...
To set HWTACACS timers:
Step  Command  Remarks
1. Enter system view.  system-view
2. Enter HWTACACS scheme view.  hwtacacs scheme hwtacacs-scheme-name
3. Set the HWTACACS server response timeout timer.  timer response-timeout seconds  By default, the HWTACACS server response timeout timer is 5 seconds.
4. ...  By default, the realtime accounting interval is 12 minutes.
Step  Command  Remarks
Create an LDAP server and enter LDAP server view.  ldap server server-name  By default, no LDAP server exists.

Configuring the IP address of the LDAP server

Step  Command  Remarks
1. Enter system view.  system-view
2. Enter LDAP server view.  ldap server server-name
3. ...  By default, an LDAP server has no IP address.
Step  Command  Remarks
1. Enter system view.  system-view
2. Enter LDAP server view.  ldap server server-name
3. Specify the administrator DN.  login-dn dn-string  By default, no administrator DN is specified. The administrator DN specified on the device must be the same as configured on the LDAP server.
4. Configure the administrator password.  login-password { cipher | ...  By default, no administrator ...
Step  Command  Remarks
(Optional.) Specify the user object class.  user-parameters user-object-class object-class-name  By default, no user object class is specified, and the default user object class on the LDAP server is used.

Creating an LDAP scheme

You can configure up to 16 LDAP schemes. An LDAP scheme can be referenced by multiple ISP domains.
"Configuring RADIUS schemes," "Configuring HWTACACS schemes," and "Configuring LDAP schemes." Creating an ISP domain In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users can have different user attributes, such as different username and password structures, different service types, and different rights.
whose total traffic in the idle timeout period is less than the specified minimum traffic. If no idle cut attribute is available in the ISP domain, the idle cut feature of the server takes effect. An ISP domain attribute applies to all users in the domain. To configure ISP domain attributes: Step Command...
Step  Command  Remarks
1. Enter system view.  system-view
2. Enter ISP domain view.  domain isp-name
3. Specify the default authorization method for all types of users.  authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | ...  By default, the authorization method is local. The none keyword is not ...
Configuration procedure

To configure accounting methods for an ISP domain:
Step  Command  Remarks
1. Enter system view.  system-view
2. Enter ISP domain view.  domain isp-name
3. Specify the default accounting method for all types of users.  accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name ...  By default, the accounting method is local.
Configuring the RADIUS DAE server feature

Dynamic Authorization Extensions (DAE) to RADIUS, defined in RFC 5176, can log off online users, change their authorization information, or shut down their access interfaces. DAE uses the client/server model. In a RADIUS network, the RADIUS server typically acts as the DAE client and the NAS acts as the DAE server.
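Because a DAE request can knock a user offline, the NAS side of the feature is worth seeing in code. The following added example (not code from the HPE guide) handles a Disconnect-Request as RFC 5176 requires: the packet is silently dropped unless it comes from a configured DAE client address and its Request Authenticator, which for DAE is MD5 over the packet with a zeroed authenticator plus the shared key rather than a random value, verifies; a known Acct-Session-Id is then cleared with a Disconnect-ACK, and an unknown one is answered with a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found). The client address 10.1.1.1 and key `expert` are sample values from the guide's examples; the session IDs are constructed.

```python
"""DAE (RFC 5176) Disconnect-Request handling on the NAS. Added example,
not code from the HPE guide; client addresses, key and session IDs are
constructed sample values."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ACCT_SESSION_ID, ERROR_CAUSE = 44, 101
SESSION_CONTEXT_NOT_FOUND = 503


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def request_authenticator(code, ident, attrs, secret) -> bytes:
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    Deterministic, unlike Access-Request, so the receiver can verify it."""
    return hashlib.md5(header(code, ident, attrs) + b"\x00" * 16 + attrs + secret).digest()


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()


def build_disconnect_request(ident: int, session_id: bytes, secret: bytes) -> bytes:
    attrs = attr(ACCT_SESSION_ID, session_id)
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return header(DISCONNECT_REQUEST, ident, attrs) + auth + attrs


def dae_server_handle(packet: bytes, src_ip: str, dae_clients: dict, sessions: set):
    """Returns (response or None, reason). dae_clients maps a permitted DAE
    client address to its key; sessions holds the Acct-Session-Ids online."""
    if src_ip not in dae_clients:
        return None, "dropped: source is not a configured DAE client"
    secret = dae_clients[src_ip]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length < 20 or length > len(packet):
        return None, "dropped: malformed or unsupported packet"
    attrs = packet[20:length]
    if not hmac.compare_digest(request_authenticator(code, ident, attrs, secret), packet[4:20]):
        return None, "dropped: Request Authenticator does not verify"
    wanted = parse_attrs(attrs).get(ACCT_SESSION_ID)
    if wanted in sessions:
        sessions.discard(wanted)  # log the user off
        resp_code, resp_attrs = DISCONNECT_ACK, b""
    else:
        resp_code = DISCONNECT_NAK
        resp_attrs = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    resp_auth = response_authenticator(resp_code, ident, resp_attrs, packet[4:20], secret)
    return header(resp_code, ident, resp_attrs) + resp_auth + resp_attrs, "answered"


def demo() -> dict:
    clients = {"10.1.1.1": b"expert"}  # the RADIUS server acting as DAE client
    sessions = {b"0001", b"0002"}
    ack, _ = dae_server_handle(build_disconnect_request(5, b"0001", b"expert"), "10.1.1.1", clients, sessions)
    forged, _ = dae_server_handle(build_disconnect_request(6, b"0002", b"guessed"), "10.1.1.1", clients, sessions)
    spoofed, _ = dae_server_handle(build_disconnect_request(7, b"0002", b"expert"), "10.1.1.9", clients, sessions)
    nak, _ = dae_server_handle(build_disconnect_request(8, b"9999", b"expert"), "10.1.1.1", clients, sessions)
    return {
        "ack": ack is not None and ack[0] == DISCONNECT_ACK,
        "session_cleared": b"0001" not in sessions,
        "forged_dropped": forged is None,
        "spoofed_dropped": spoofed is None,
        "survivor_online": b"0002" in sessions,
        "nak_unknown_session": nak is not None and nak[0] == DISCONNECT_NAK,
    }
```

Dropping rather than NAKing an unverifiable request is deliberate: answering would tell a sender on the management network which addresses are accepted DAE clients and whether a session ID exists.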
Step  Command  Remarks
Set the maximum number of concurrent login users.
• In non-FIPS mode: aaa session-limit { ftp | http | https | ssh | telnet } max-sessions
• ...
By default, the maximum number of concurrent login users is 32 for ...
• Use the HWTACACS server for SSH user authentication, authorization, and accounting.
• Assign the default user role network-operator to SSH users after they pass authentication.
• Exclude domain names from the usernames sent to the HWTACACS server.
• Use expert as the shared keys for secure HWTACACS communication.
Figure 11 Network diagram
Configuration procedure
Configure the HWTACACS server: ...
[Switch] public-key local create dsa
# Enable the SSH service.
[Switch] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
# Create local RSA and DSA key pairs.
system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable the SSH service.
[Switch] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
Set the ports for authentication and accounting to 1812 and 1813, respectively.
c. Select the service type Device Management Service.
d. Select the access device type HP(Comware).
e. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
IP address of the outbound interface (the default).
Figure 14 Adding the switch as an access device
# Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree.
Figure 15 Adding an account for device management
Configure the switch:
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
# Create a RADIUS scheme.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure communication with the server to expert in plain text.
[Switch-radius-rad] key authentication simple expert
# Include domain names in the usernames sent to the RADIUS server.
NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.
# Add a user named aaa and set the password to ldap!123456.
a. On the LDAP server, select Start > Control Panel > Administrative Tools.
b. Double-click Active Directory Users and Computers. The Active Directory Users and Computers window is displayed.
Figure 18 Setting the user's password
g. Click OK.
# Add user aaa to group Users.
h. From the navigation tree, click Users under the ldap.com node.
i. In the right pane, right-click the user aaa and select Properties.
j. In the dialog box, click the Member Of tab and click Add.
Figure 19 Modifying user properties
d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users.
Figure 20 Adding user aaa to group Users
# Set the administrator password to admin!123456.
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 24
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
Verifying the configuration # Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.) # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.) AAA for 802.1X users by a RADIUS server Network requirements...
Select HP(Comware) as the access device type.
e. Select the access device from the device list or manually add the device with the IP address 10.1.1.2.
f. Leave the default settings for other parameters and click OK.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch.
Figure 23 Adding a service
# Add a user.
Click the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to configure a user as follows:
a.
Figure 24 Adding an access user account
Configure the switch:
a. Configure a RADIUS scheme:
# Create a RADIUS scheme named rad and enter RADIUS scheme view.
system-view
[Switch] radius scheme rad
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
# Configure the access control method. By default, an 802.1X-enabled port uses MAC-based access control.
[Switch] dot1x port-method macbased interface gigabitethernet 1/0/1
Verifying the configuration
On the host, use the user dot1x@bbb to pass 802.1X authentication:
# If the user host runs the Windows XP 802.1X client, configure the network connection properties as follows:
a.
RADIUS packet delivery failure
Symptom
RADIUS packets cannot reach the RADIUS server.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
• The NAS is not configured with the IP address of the RADIUS server.
•...
Troubleshooting LDAP
Symptom
User authentication fails.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the LDAP server.
• The LDAP server IP address or port number configured on the NAS is not correct.
• The username is not in the userid@isp-name format, or the ISP domain is not correctly configured on the NAS.
802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs. The protocol has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
Figure 26 Authorization state of a controlled port
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples of the type field.
EAPOL packet format
Figure 28 shows the EAPOL packet format.
Figure 29 EAP-Message attribute format
Message-Authenticator
As shown in Figure 30, RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication.
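As an added illustration (not part of the guide or the device's code), the following Python builds a RADIUS Access-Request that carries an EAP-Message and a Message-Authenticator, then performs the receiver-side check described above: the HMAC-MD5 keyed with the shared secret is recomputed over the packet with the attribute value zeroed and compared, and a mismatch means the packet is dropped. The shared key, Request Authenticator, username and EAP payload are constructed sample values.

```python
"""Receiver-side Message-Authenticator check for RADIUS packets that carry
EAP-Message (RFC 3579). Added example; every value below is constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = struct.unpack_from("!BB", packet, pos)
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def build_access_request(identifier: int, authenticator: bytes, secret: bytes,
                         username: bytes, eap_message: bytes, sign: bool = True) -> bytes:
    """Build an Access-Request with User-Name and EAP-Message. With sign=True a
    Message-Authenticator is appended: HMAC-MD5 keyed with the shared secret
    over the whole packet, computed with the attribute value set to 16 zeros."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_EAP_MESSAGE, eap_message)
    if not sign:
        header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
        return header + authenticator + attrs
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         20 + len(attrs) + len(placeholder)) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Return True if the packet may be accepted: a packet carrying EAP-Message
    must have exactly one 16-byte Message-Authenticator whose HMAC-MD5 matches.
    Any other outcome means the receiver drops the packet."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        return False
    has_eap, ma_offset, ma_value = False, None, None
    try:
        for off, atype, value in parse_attributes(packet):
            if atype == ATTR_EAP_MESSAGE:
                has_eap = True
            elif atype == ATTR_MESSAGE_AUTHENTICATOR:
                if ma_offset is not None or len(value) != 16:
                    return False
                ma_offset, ma_value = off, value
    except ValueError:
        return False
    if ma_offset is None:
        return not has_eap  # EAP-Message without Message-Authenticator: drop
    zeroed = packet[:ma_offset + 2] + bytes(16) + packet[ma_offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, ma_value)


def tamper_eap_message(packet: bytes) -> bytes:
    """Flip one bit inside the EAP-Message value to model in-transit tampering."""
    for off, atype, _value in parse_attributes(packet):
        if atype == ATTR_EAP_MESSAGE:
            out = bytearray(packet)
            out[off + 2] ^= 0x01
            return bytes(out)
    raise ValueError("no EAP-Message attribute")


# Constructed sample values (not taken from a real exchange).
SAMPLE_SECRET = b"expert"
SAMPLE_AUTHENTICATOR = bytes(range(16))
# EAP-Response/Identity: code 2, id 1, length 10, type 1, identity "dot1x".
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"dot1x"


def sample_packet(sign: bool = True) -> bytes:
    """Access-Request for user dot1x@bbb carrying the sample EAP-Response."""
    return build_access_request(7, SAMPLE_AUTHENTICATOR, SAMPLE_SECRET,
                                b"dot1x@bbb", SAMPLE_EAP, sign)


if __name__ == "__main__":
    pkt = sample_packet()
    print("genuine packet accepted:", message_authenticator_ok(pkt, SAMPLE_SECRET))
    print("tampered packet accepted:", message_authenticator_ok(tamper_eap_message(pkt), SAMPLE_SECRET))
    print("wrong shared key accepted:", message_authenticator_ok(pkt, b"wrong"))
    print("unsigned EAP packet accepted:", message_authenticator_ok(sample_packet(sign=False), SAMPLE_SECRET))
```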
802.1X authentication procedures
802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode depending on whether the RADIUS server supports EAP packets and which EAP authentication methods it supports.
• EAP relay mode. EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 31.
Figure 31 EAP relay...
Packet exchange method: EAP termination
Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
Limitations:
• Supports only the following EAP authentication methods:
  MD5-Challenge EAP authentication.
  The username and password EAP authentication initiated by an HPE iNode 802.1X client.
•...
In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the access device. The access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.
Figure 34 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the access device rather than the authentication server generates an MD5 challenge for password encryption. The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
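The three hops of EAP termination described above, as an added example that is not code from the guide or the device: the access device generates the MD5 challenge and sends an EAP-Request/MD5-Challenge, the client answers with MD5(Identifier || password || challenge), and the device terminates EAP by repackaging username, challenge and response as the standard RADIUS CHAP-Password and CHAP-Challenge attributes that the RADIUS server verifies. The username, password and challenge bytes are constructed values.

```python
"""EAP termination for 802.1X: the access device itself generates the MD5
challenge, the client answers with EAP-MD5, and the device forwards username,
challenge and response to RADIUS as CHAP attributes. Added example with
constructed values; not code from the guide or the device."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def device_md5_challenge_request(eap_id: int, challenge: bytes) -> bytes:
    """Access device -> client: EAP-Request/MD5-Challenge (RFC 3748 section 5.4):
    Type 4, Value-Size, Value (the challenge generated by the device)."""
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(challenge)) + challenge
    return struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(body)) + body


def client_md5_response(eap_request: bytes, password: bytes) -> bytes:
    """Client -> access device: EAP-Response/MD5-Challenge whose value is
    MD5(Identifier || password || challenge). The password itself never leaves
    the host; only this digest is sent."""
    code, eap_id, length = struct.unpack_from("!BBH", eap_request, 0)
    if code != EAP_REQUEST or length != len(eap_request):
        raise ValueError("not a well-formed EAP-Request")
    if eap_request[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge request")
    value_size = eap_request[5]
    challenge = eap_request[6:6 + value_size]
    digest = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, 16) + digest
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def terminate_eap_to_chap(username: bytes, challenge: bytes, eap_response: bytes) -> dict:
    """Access device -> RADIUS server: EAP is terminated here and re-expressed as
    RFC 2865 CHAP attributes. CHAP-Password is Ident (the EAP Identifier)
    followed by the 16-byte response; CHAP-Challenge is the device's challenge."""
    code, eap_id, length = struct.unpack_from("!BBH", eap_response, 0)
    if (code != EAP_RESPONSE or length != len(eap_response)
            or eap_response[4] != EAP_TYPE_MD5_CHALLENGE or eap_response[5] != 16):
        raise ValueError("not an EAP-Response/MD5-Challenge")
    return {
        "User-Name": username,
        "CHAP-Password": bytes([eap_id]) + eap_response[6:22],
        "CHAP-Challenge": challenge,
    }


def radius_server_verify(attrs: dict, stored_password: bytes) -> bool:
    """RADIUS server side: recompute MD5(Ident || password || CHAP-Challenge)
    from the clear-text password on file and compare in constant time."""
    chap_password = attrs["CHAP-Password"]
    if len(chap_password) != 17 or not attrs["CHAP-Challenge"]:
        return False
    ident, received = chap_password[0], chap_password[1:]
    expected = hashlib.md5(bytes([ident]) + stored_password
                           + attrs["CHAP-Challenge"]).digest()
    return hmac.compare_digest(expected, received)


def run_exchange(username: bytes, client_password: bytes, stored_password: bytes,
                 challenge: bytes, eap_id: int = 3) -> bool:
    """Walk the three hops once and return the server's accept/reject decision."""
    request = device_md5_challenge_request(eap_id, challenge)
    response = client_md5_response(request, client_password)
    attrs = terminate_eap_to_chap(username, challenge, response)
    return radius_server_verify(attrs, stored_password)


if __name__ == "__main__":
    # Constructed challenge; a device draws a fresh random one per attempt.
    chal = bytes.fromhex("00112233445566778899aabbccddeeff")
    print("correct password:", run_exchange(b"dot1x@bbb", b"123456", b"123456", chal))
    print("wrong password:", run_exchange(b"dot1x@bbb", b"guess", b"123456", chal))
```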
Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.
NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
Unsupported VLAN types
Do not specify the following types of VLANs for VLAN authorization. The access device does not assign these VLANs to 802.1X users.
•...
Table 6 VLAN manipulation
Port access control: Port-based
VLAN manipulation method: The device assigns the first authenticated user's authorization VLAN to the port as the port VLAN (PVID). All subsequent 802.1X users can access the VLAN without authentication. When the first authenticated user logs off, the previous PVID is restored, and all other online users are logged off.
Authentication status / VLAN manipulation
• The device assigns the authorization VLAN of the user to the port as the PVID, and it removes the port from the 802.1X guest VLAN. After the user logs off, the initial PVID of the port is restored.
•...
Authentication status: A user fails 802.1X authentication.
VLAN manipulation: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
Authentication status: A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication because of...
VLAN manipulation: The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users...
• On a port that performs port-based access control:
Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The device assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the 802.1X critical VLAN.
Authentication status: A user in the 802.1X critical VLAN passes 802.1X authentication.
VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN. If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port.
The EAD assistant feature enables the access device to redirect a user who is seeking to access the network to download and install an EAD client. This feature eliminates the administrative task to deploy EAD clients. EAD assistant is implemented by the following functionality: •...
Figure 35 802.1X authentication process with the SmartOn feature
If the user attempts to use another 802.1X client for authentication, it will fail SmartOn authentication. The access device stops 802.1X authentication for the user.
NOTE: After you install the SmartOn client software, add two values QX_ID and QX_PASSWORD to the Windows registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Soliton Systems K.K.\SmartOn Client\Clients\1XGate].
Tasks at a glance
(Optional.) Setting the maximum number of concurrent 802.1X users on a port
(Optional.) Setting the maximum number of authentication request attempts
(Optional.) Setting the 802.1X authentication timeout timers
(Optional.) Configuring the online user handshake feature
(Optional.) Configuring the authentication trigger feature
(Optional.) Specifying a mandatory authentication domain on a port...
Enabling EAP relay or EAP termination
When configuring EAP relay or EAP termination, consider the following factors:
• Support of the RADIUS server for EAP packets.
• Authentication methods supported by the 802.1X client and the RADIUS server.
You can use both EAP termination and EAP relay in any of the following situations:
•...
Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number
Step: Set the port authorization state.
Command: dot1x port-control { authorized-force | auto | unauthorized-force }
Remarks: By default, the auto state applies.
Specifying an access control method
Step: Enter system view.
To set the maximum number of authentication request attempts:
Step: Enter system view.
Command: system-view
Step: Set the maximum number of attempts for sending an authentication request.
Command: dot1x retry max-retry-value
Remarks: The default setting is ...
Setting the 802.1X authentication timeout timers
The network device uses the following 802.1X authentication timeout timers:
•...
Configuration guidelines
When you configure the online user handshake feature, follow these restrictions and guidelines:
• The SmartOn feature and the online user handshake feature are mutually exclusive. Before you enable the online user handshake feature, make sure the SmartOn feature is disabled.
•...
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.
Configuration procedure
To configure the authentication trigger feature on a port:
Step Command...
Step: Enter system view.
Command: system-view
Step: Enable the quiet timer.
Command: dot1x quiet-period
Remarks: By default, the timer is disabled.
Step: (Optional.) Set the quiet timer.
Command: dot1x timer quiet-period quiet-period-value
Remarks: The default is 60 seconds.
Enabling the periodic online user reauthentication feature
Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server.
Manually reauthenticating all online 802.1X users on a port This feature reauthenticates all online 802.1X users on a port after the dot1x re-authenticate manual command is executed. The feature is independent of the server-assigned reauthentication attribute and the periodic reauthentication feature. When no server is reachable for the reauthentication, the device keeps the users online or logs off the users, depending on the keep-online feature configuration on the port.
Configuring an 802.1X guest VLAN
Configuration guidelines
When you configure an 802.1X guest VLAN, follow these guidelines:
• The following matrix shows the location restrictions for the interface configured with 802.1X guest VLAN and the interface connected to the external network on an eIRF system:
Location of the interface configured with 802.1X guest VLAN / Location restrictions of the interface...
• If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port:
  Configure the port as a hybrid port.
  Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
  Assign the port to the 802.1X guest VLAN as an untagged member.
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port:
  Configure the port as a hybrid port.
  Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
Step: Enter system view.
Command: system-view
Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number
Step: Configure the 802.1X critical VLAN on the port.
Command: dot1x critical vlan vlan-id
Remarks: By default, no 802.1X critical VLAN is configured.
Enabling the 802.1X critical voice VLAN
This feature assigns the access port of a voice user to the 802.1X critical voice VLAN if the voice user fails authentication because all the RADIUS servers are unreachable.
Sending EAP-Success packets for 802.1X users assigned to the 802.1X critical VLAN
By default, the device sends an EAP-Failure packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on the port. After receiving the EAP-Failure packet, the client does not respond to the EAP-Request/Identity packet from the device when an authentication server becomes reachable again.
NOTE: If you configure the access device to send usernames with domain names to the RADIUS server, make sure the domain delimiter can be recognized by the RADIUS server. For username format configuration, see the user-name-format command in Security Command Reference.
Enabling 802.1X guest VLAN assignment delay
This feature delays assigning an 802.1X-enabled port to the 802.1X guest VLAN when 802.1X authentication is triggered on the port.
Step: Enter system view.
Command: system-view
Step: Enable EAD assistant.
Command: dot1x ead-assistant enable
Remarks: By default, this feature is disabled.
Step: Configure a free IP.
Command: dot1x ead-assistant free-ip ip-address { mask-length | mask-address }
Remarks: By default, no free IP is configured.
Remarks: By default, no redirect URL is configured.
Step: (Optional.) Configure the maximum attempts for retransmitting an EAP-Request/Notification packet to a client.
Command: dot1x smarton retry retries
Remarks: By default, the device allows a maximum of 3 attempts for retransmitting an EAP-Request/Notification packet to a client.
Displaying and maintaining 802.1X
Execute the display commands in any view and reset commands in user view.
Figure 36 Network diagram
Configuration procedure
Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.
Configure the ISP domain:
# Create the ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
Figure 37 Network diagram
Configuration procedure
Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.)
Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.
[Device-radius-2000] primary accounting 10.11.1.1 1813
# Set the shared key to abc in plain text for secure communication between the authentication server and the device.
802.1X with ACL assignment configuration example
Network requirements
As shown in Figure 38, the host that connects to GigabitEthernet 1/0/1 must pass 802.1X authentication to access the Internet. Perform 802.1X authentication on GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
Configure an ISP domain:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit...
• The intranet 192.168.1.0/24 is attached to GigabitEthernet 1/0/1 of the access device.
• The hosts use DHCP to obtain IP addresses.
• A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software.
Deploy an EAD solution for the intranet to meet the following requirements:
•...
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
The output shows that you can access the free IP subnet before passing 802.1X authentication.
Configure an IP address for each interface. (Details not shown.)
Configure the DHCP server:
# Enable DHCP.
system-view
[Device] dhcp enable
# Enable the DHCP server on VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select server
[Device-Vlan-interface2] quit
# Create DHCP address pool 0.
[Device] dot1x ead-assistant url http://192.168.2.3
# Enable the EAD assistant feature.
[Device] dot1x ead-assistant enable
# Enable 802.1X on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Verify the 802.1X configuration.
[Device] display dot1x
# Verify that you can ping an IP address on the free IP subnet from a host.
Figure 41 Network diagram
Configuration procedure
Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
system-view
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
[Device-GigabitEthernet1/0/1] quit
# Set the SmartOn password to 1234 in plain text and the switch ID to XYZ.
[Device] dot1x smarton password simple 1234
[Device] dot1x smarton switchid XYZ
# Set the SmartOn client timeout timer to 40 seconds.
[Device] smarton timer supp-timeout 40
# Enable 802.1X globally.
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
VLAN assignment
MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN.
Authorization VLAN
You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources.
• On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN name.
Table 10 VLAN manipulation
Authentication status: A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable.
VLAN manipulation: The user is still in the MAC authentication guest VLAN.
VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server.
• Specify another authorization ACL on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.
Redirect URL assignment
The device supports the URL attribute assigned by a RADIUS server. During MAC authentication, a user is redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the Web user and uses a DM (Disconnect Message) to log off the Web user.
Configuration task list
Tasks at a glance
(Required.) Enabling MAC authentication
(Optional.) Specifying a MAC authentication domain
(Optional.) Configuring the user account format
(Optional.) Setting MAC authentication timers
(Optional.) Enabling MAC authentication offline detection
(Optional.) Setting the maximum number of concurrent MAC authentication users on a port
(Optional.) Enabling MAC authentication multi-VLAN mode on a port
(Optional.)
MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA."
To specify an authentication domain for MAC authentication users:
Step Command Remarks...
Step: Enter system view.
Command: system-view
Step: Set MAC authentication timers.
Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports. This feature improves transmission of data that is vulnerable to delay and interference.
• Create the VLAN to be specified as the MAC authentication guest VLAN.
• Configure the VLAN as an untagged member on the port.
Configuration restrictions and guidelines
When you configure the MAC authentication guest VLAN on a port, follow these restrictions and guidelines:
•...
Step: Enter system view.
Command: system-view
Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number
Step: Specify the MAC authentication guest VLAN on the port.
Command: mac-authentication guest-vlan guest-vlan-id
Remarks: By default, no MAC authentication guest VLAN is configured. You can configure only one MAC authentication guest VLAN on a port.
Step: Specify the MAC authentication critical VLAN on the port.
Command: mac-authentication critical vlan critical-vlan-id
Remarks: By default, no MAC authentication critical VLAN is configured. You can configure only one MAC authentication critical VLAN on a port.
Enabling the MAC authentication critical voice VLAN
The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users who have failed authentication because none of the RADIUS servers in their ISP domain are...
Step: Enter system view.
Command: system-view
Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number
Step: Enable the keep-online feature for authenticated MAC authentication users on the port.
Command: mac-authentication re-authenticate server-unreachable
Remarks: By default, the keep-online feature is disabled. This command takes effect only when the authentication server...
• If 802.1X authentication fails, the MAC authentication result takes effect.
• If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.
Configuration restrictions and guidelines
When you enable parallel processing of MAC authentication and 802.1X authentication on a port, follow these restrictions and guidelines:
•...
[Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
# Specify the LAN access service for the user.
[Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-network-00-e0-fc-12-34-56] quit
# Configure ISP domain bbb to perform local authentication for LAN users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit
# Enable MAC authentication on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-authentication
[Device-GigabitEthernet1/0/1] quit...
MAC address VLAN ID From port Port index
GigabitEthernet1/0/1 is link-up
  MAC authentication : Enabled
  Carry User-IP : Disabled
  Authentication domain : Not configured
  Auth-delay timer : Disabled
  Re-auth server-unreachable : Logoff
  Guest VLAN : Not configured
  Guest VLAN auth-period : 30 s
  Critical VLAN : Not configured...
Configuring portal authentication
Overview
Portal authentication controls user access to the Internet. Portal authenticates a user by the username and password the user enters on a portal authentication page. Therefore, portal authentication is also known as Web authentication. When portal authentication is deployed on a network, an access device redirects unauthenticated users to the website provided by a portal Web server.
Figure 45 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server)
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
Interaction between portal system components
The components of a portal system interact as follows:
An unauthenticated user initiates authentication by accessing an Internet website through a Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP address uniquely identifies the user. After a user passes authentication, the access device generates an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 47 Direct authentication/cross-subnet authentication process (participants: authentication client, access device, portal authentication server, portal Web server, AAA server, security policy server; steps shown: 1) Initiate a connection, 2) User information, 3) CHAP authentication, 4) Authentication request, 5) RADIUS authentication, Timer...)
Re-DHCP authentication process (with CHAP/PAP authentication)
Figure 48 Re-DHCP authentication process
The re-DHCP authentication process is as follows:
Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication process.
After receiving the authentication success packet, the client obtains a public IP address through DHCP.
Tasks at a glance
(Required.) Configuring a portal Web server
(Required.) Enabling portal authentication on an interface
(Required.) Specifying a portal Web server on an interface
(Optional.) Controlling portal user access
  • Configuring a portal-free rule
  • Configuring an authentication source subnet
  •...
Configuring a portal authentication server
Configure this feature when user authentication uses an external portal authentication server.
Perform this task to configure the following portal authentication server parameters:
• IP address of the portal authentication server
• VPN instance of the portal authentication server
•...
Step: Create a portal Web server and enter its view.
Command: portal web-server server-name
Remarks: By default, no portal Web server is created.
Step: Specify the VPN instance to which the portal Web server belongs.
Command: vpn-instance vpn-instance-name
Remarks: By default, the portal Web server belongs to the public network.
Step: Enable portal authentication on the interface.
Command:
• To enable IPv4 portal authentication: portal enable method { direct | layer3 | redhcp }
• To enable IPv6 portal...
Remarks: Enable IPv4 portal authentication, IPv6 portal authentication, or both on the interface.
Step: Enter system view.
Command: system-view
Step: Enter VLAN interface view.
Command: interface interface-type interface-number
Step: Configure an IPv4 portal authentication source subnet.
Command: portal layer3 source ipv4-network-address { mask-length | mask }
Remarks: By default, no IPv4 portal authentication source subnet is configured, and users from any subnets must pass portal authentication.
Step: Configure an IPv6 portal authentication destination subnet.
Command: portal ipv6 free-all except destination ipv6-network-address prefix-length
Remarks: By default, no IPv6 portal authentication destination subnet is configured, and users accessing any subnets must pass portal authentication.
Setting the maximum number of portal users
Perform this task to control the total number of IPv4 and IPv6 portal users in the system.
Step: Enter system view.
Command: system-view
Step: Enter VLAN interface view.
Command: interface interface-type interface-number
Step: Specify an IPv6 portal authentication domain.
Command: portal ipv6 domain domain-name
Remarks: By default, no ISP domain is specified for IPv6 portal users on the interface.
Enabling outgoing packets filtering on a portal-enabled interface
When you enable this feature on a portal-enabled interface, the device permits the interface to send the following packets:...
If the ARP or ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP or ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires.
• Sending a trap message to the NMS. The trap message contains the name and current state of the portal authentication server.
• Sending a log message, which contains the name, the current state, and the original state of the portal authentication server.
Step: Enter system view.
Command: system-view
Step: Enter portal Web server view.
Command: portal web-server server-name
Step: Configure portal Web server detection.
Command: server-detect [ interval interval ] [ retry retries ] { log | trap } *
Remarks: By default, portal Web server detection is disabled. This feature takes effect regardless...
Configuring the portal fail-permit feature
Perform this task to configure the portal fail-permit feature on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication.
If you enable fail-permit for both a portal authentication server and a portal Web server on an interface, the interface does the following:
•...
Step: Enter VLAN interface view.
Command: interface interface-type interface-number
Step: Configure BAS-IP for IPv4 portal packets sent to the portal authentication server.
Command: portal bas-ip ipv4-address
Remarks: By default, the BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet. The BAS-IP attribute of an IPv4 portal...
Configuring the local portal Web server feature
To perform local portal authentication for users, perform the following tasks:
• Configure a local portal Web server.
• Configure a name for the portal Web server and specify a local IP address of the device as the server's URL.
• Get requests—Used to get the static files in the authentication pages and allow no recursion. For example, if file Logon.htm includes contents that perform Get action on file ca.htm, file ca.htm cannot include any reference to file Logon.htm.
• Post requests—Used when users submit username and password pairs, log in, and log out.
• First log out from the current port.
• Then re-authenticate on the new Layer 2 port.
To enable portal roaming:
Step 1. Enter system view.
  Command: system-view
Step 2. Enable portal roaming.
  Command: portal roaming enable
  Remarks: By default, portal roaming is disabled. You cannot enable portal roaming
Task: Display packet statistics for portal authentication servers.
  Command: display portal packet statistics [ server server-name ]
Task: Display portal user information.
  Command: display portal user { all | interface interface-type interface-number }
Task: Clear packet statistics for portal authentication servers.
  Command: reset portal packet statistics [ server
Figure 50 Portal server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to open the page as shown in Figure c. Enter the device name NAS. d. Enter the IP address of the switch's interface connected to the host. e.
Figure 54 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. ...
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method direct
# Specify the portal Web server newpt on VLAN-interface 100.
Layer3 source network:
  IP address   Prefix length
Destination authenticate subnet:
  IP address   Prefix length
A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 55 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
Destination authenticate subnet:
  IP address   Mask
IPv6:
  Portal status: Disabled
  Authentication type: Disabled
  Portal Web server: Not configured
  Authentication domain: Not configured
  BAS-IPv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type   Server name   Action
  Layer3 source network:
    IP address   Prefix length
  Destination authenticate subnet:
Figure 56 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 56 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user. [SwitchA] domain default enable dm1 Configure portal authentication: # Configure a portal authentication server.
  Portal Web server: Not configured
  Authentication domain: Not configured
  BAS-IPv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type   Server name   Action
  Layer3 source network:
    IP address   Prefix length
  Destination authenticate subnet:
    IP address   Prefix length
A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, user
Figure 57 Network diagram Configuration prerequisites • Configure IP addresses for the host, switch, and servers as shown in Figure 57 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on the switch.
[Switch] domain default enable dm1
Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-adv-3000] rule deny ip
[Switch-acl-adv-3000] quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit ip
[Switch-acl-adv-3001] quit
NOTE:
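To confirm what the isolation ACL actually lets an unhealthy host reach before the ACLs are pushed from the security policy server, the rule text above can be evaluated offline against candidate destinations. The evaluator below is an added example, not Comware code; it applies wildcard-mask semantics (a 1 bit in the wildcard means "do not care"), evaluates rules in the order they are listed, and treats a packet that matches no rule as denied (an assumption; ACL 3000 ends with an explicit deny so it does not rely on that). It also goes beyond the page's contiguous /24 case by handling a non-contiguous wildcard.

```python
"""Offline evaluator for the isolation and security ACLs of this example.
Added example, not Comware code.  Assumptions: rules are matched in listed
order, wildcard bits set to 1 are 'do not care', and a destination that
matches no rule is denied.  The ACL text is copied from the configuration."""
import ipaddress

ISOLATION_ACL = """acl number 3000
rule permit ip destination 192.168.0.0 0.0.0.255
rule deny ip"""

SECURITY_ACL = """acl number 3001
rule permit ip"""

# Constructed extra ACL with a non-contiguous wildcard: third octet is 'do not care'.
NONCONTIGUOUS_ACL = """acl number 3002
rule permit ip destination 10.0.0.1 0.0.255.0"""


def parse_rules(acl_text: str) -> list:
    """Parse 'rule permit|deny ip [destination ADDR WILDCARD]' lines.

    Returns (action, dst_int, wildcard_int) tuples; dst_int is None for
    rules without a destination clause (match any)."""
    rules = []
    for line in acl_text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "rule":
            continue                      # skip 'acl number N' and blank lines
        action = parts[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        dst = wild = None
        if "destination" in parts:
            i = parts.index("destination")
            dst = int(ipaddress.IPv4Address(parts[i + 1]))
            wild = int(ipaddress.IPv4Address(parts[i + 2]))
        rules.append((action, dst, wild))
    return rules


def evaluate(rules: list, dst_ip: str) -> str:
    """Return 'permit' or 'deny' from the first rule matching dst_ip."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    for action, dst, wild in rules:
        if dst is None:
            return action                 # 'rule permit ip' / 'rule deny ip'
        care = ~wild & 0xFFFFFFFF         # bits the rule actually compares
        if (ip & care) == (dst & care):
            return action
    return "deny"                         # assumption: implicit deny


def decisions(acl_text: str, destinations: list) -> dict:
    """Map each destination to the ACL's decision."""
    rules = parse_rules(acl_text)
    return {d: evaluate(rules, d) for d in destinations}


if __name__ == "__main__":
    probe = ["192.168.0.111", "192.168.0.114", "10.1.1.1"]
    print("isolation ACL 3000:", decisions(ISOLATION_ACL, probe))
    print("security ACL 3001:", decisions(SECURITY_ACL, probe))
```

With ACL 3000 a host that fails the security check still reaches the portal, RADIUS and security policy servers on 192.168.0.0/24 (needed to remediate and re-check) and nothing else; ACL 3001 opens everything once the check passes.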
Layer3 source network:
  IP address   Mask
Destination authenticate subnet:
  IP address   Mask
IPv6:
  Portal status: Disabled
  Authentication type: Disabled
  Portal Web server: Not configured
  Authentication domain: Not configured
  BAS-IPv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type   Server name   Action
  Layer3 source network:
Configure extended re-DHCP portal authentication. Before passing portal authentication, the host is assigned a private IP address. After passing portal identity authentication, the host obtains a public IP address and undergoes a security check. If the host fails the security check, it can access only subnet 192.168.0.0/24.
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] user-name-format without-domain
# Specify the security policy server.
[Switch-radius-rs1] security-policy-server 192.168.0.114
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method redhcp
# Specify the portal Web server newpt on VLAN-interface 100.
[Switch-Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
    IP address   Prefix length
Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
• The user can access the resources permitted by ACL 3000 after passing only identity authentication.
Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 59 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
NOTE:
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.
Configure portal authentication:
# Configure a portal authentication server.
[SwitchA] portal server newpt
[SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
[SwitchA-portal-server-newpt] port 50100
[SwitchA-portal-server-newpt] quit
# Configure a portal Web server.
  BAS-IPv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type   Server name   Action
  Layer3 source network:
    IP address   Prefix length
  Destination authenticate subnet:
    IP address   Prefix length
Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal.
Figure 60 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 60 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
Figure 61 Portal authentication server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to open the page as shown in Figure c. Enter the device name NAS. d. Enter the IP address of the switch's interface connected to the host. e.
Figure 65 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. ...
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
# Configure reachability detection of the portal authentication server: set the server detection interval to 40 seconds, and send log messages upon reachability status changes.
[Switch-portal-server-newpt] server-detect timeout 40 log
NOTE:
The value of timeout must be greater than or equal to the portal server heartbeat interval.
Configuring cross-subnet portal authentication for MPLS L3VPNs Network requirements As shown in Figure 66, the PE device Switch A provides portal authentication for the host in VPN 1. A portal server in VPN 3 acts as the portal authentication server, portal Web server, and RADIUS server.
# Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as that of the portal device specified on the portal authentication server to avoid authentication failures.
[SwitchA-radius-rs1] nas-ip 3.3.0.3
[SwitchA-radius-rs1] quit
# Enable RADIUS session control.
  State: Online
  VPN instance: vpn3
  VLAN   Interface
  0000-0000-0000   3.3.0.1   Vlan-interface3
Authorization information:
  DHCP IP pool: N/A
  ACL: N/A
  CAR: N/A
Configuring direct portal authentication using the local portal Web server
Network requirements
As shown in Figure 67, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP.
# Enable RADIUS session control.
[Switch] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
  Authentication domain: Not configured
  Pre-auth domain: Not configured
  User-dhcp-only: Disabled
  Pre-auth IP pool: Not configured
  Max Portal users: Not configured
  Bas-ip: Not configured
  User Detection: Not configured
  Action for server detection:
    Server type   Server name   Action
  Layer3 source network:
    IP address   Mask
  Destination authenticate subnet:
    IP address
  IP pool: N/A
  ACL: N/A
  CAR: N/A
Troubleshooting portal
No portal authentication page is pushed for users
Symptom
When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is prompted for the user. The login page is blank.
Analysis
The key configured on the portal access device and that configured on the portal authentication server are inconsistent.
Cannot log out portal users on the RADIUS server
Symptom
The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
Analysis
The HPE IMC server uses session control packets to send disconnection requests to the access device.
discards the portal notification packet. As a result, the portal authentication server considers that the user has failed the authentication.
Solution
Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication. Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server.
Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks that require different authentication methods for different users on a port. Port security provides the following functions: •...
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action.
A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.
• macAddressOrUserLoginSecureExt. This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users.
• macAddressElseUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
Step 1. Enter system view.
  Command: system-view
Step 2. Enable port security.
  Command: port-security enable
  Remarks: By default, this feature is disabled. You can use the undo port-security enable command to disable port security. Because the command logs off the online users, make sure no online users are present. Enabling or disabling port security resets the following security settings to the default:
  •...
• You can specify a port security mode when port security is disabled, but your configuration cannot take effect.
• Changing the port security mode of a port logs off the online users of the port.
• Do not enable 802.1X authentication or MAC authentication on a port where port security is configured.
Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
•...
Step: (Optional.) Set the silence timeout period during which a port remains disabled.
  Command: port-security timer disableport time-value
  Remarks: By default, the port silence timeout is 20 seconds.
NOTE:
On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication fail for the same frame.
When the maximum number of secure MAC address entries is reached, the port changes to secure mode. In secure mode, the port cannot add or learn any more secure MAC addresses. The port allows only frames sourced from secure MAC addresses or MAC addresses configured by using the mac-address dynamic or mac-address static command to pass through.
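The autoLearn-to-secure transition, the intrusion protection action and the ntkonly check described in the preceding passages, combined in one simulation. This is an added example, not Comware code: the MAC addresses are constructed, the clock is a simulated integer in seconds, and only the ntkonly NTK mode and the disableport-temporarily intrusion action are modelled. Secure MACs are learned until the maximum is reached, static entries (mac-address static) are always allowed, and a silenced port drops everything until its timer expires.

```python
"""Simulation of a port-security port: autoLearn until the secure MAC limit,
then secure mode with intrusion protection and NTK.  Added example, not
Comware code; MAC addresses, the timer value and the simulated clock are
constructed.  Only ntkonly and disableport-temporarily are modelled."""


def is_unicast(mac: str) -> bool:
    """Comware 'xxxx-xxxx-xxxx' notation; the I/G bit is the LSB of octet 1."""
    first_octet = int(mac.split("-")[0][:2], 16)
    return first_octet & 1 == 0


class SecurePort:
    def __init__(self, max_secure: int, ntk_mode: str = "ntkonly",
                 intrusion_action: str = "disableport-temporarily",
                 disableport_timeout: int = 20):
        self.max_secure = max_secure
        self.ntk_mode = ntk_mode                  # 'ntkonly' or 'disabled'
        self.intrusion_action = intrusion_action
        self.disableport_timeout = disableport_timeout
        self.secure_macs = set()                  # learned/configured secure MACs
        self.static_macs = set()                  # mac-address static entries
        self.mode = "autoLearn"
        self.disabled_until = 0                   # simulated clock, seconds
        self.log = []

    def add_static(self, mac: str) -> None:
        self.static_macs.add(mac.lower())

    def _authenticated(self, mac: str) -> bool:
        return mac in self.secure_macs or mac in self.static_macs

    def receive(self, src: str, now: int) -> str:
        """Inbound frame: returns 'forward', 'learned' or 'drop'."""
        src = src.lower()
        if now < self.disabled_until:
            return "drop"                         # port silenced by intrusion protection
        if self._authenticated(src):
            return "forward"
        if self.mode == "autoLearn":
            self.secure_macs.add(src)
            if len(self.secure_macs) >= self.max_secure:
                self.mode = "secure"              # table full: stop learning
                self.log.append(f"{now}: max secure MACs reached, port now secure")
            return "learned"
        # Secure mode and unknown source: illegal frame, apply intrusion protection.
        self.log.append(f"{now}: intrusion from {src}, action {self.intrusion_action}")
        if self.intrusion_action == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timeout
        return "drop"

    def transmit(self, dst: str) -> str:
        """Outbound frame: NTK check on the destination MAC."""
        dst = dst.lower()
        if self.ntk_mode == "ntkonly":
            # ntkonly forwards only unicast frames to authenticated destinations.
            if not (is_unicast(dst) and self._authenticated(dst)):
                return "drop"
        return "forward"


if __name__ == "__main__":
    port = SecurePort(max_secure=2)
    for t, mac in enumerate(["1234-0100-1111", "1234-0200-1111", "1234-0300-1111"]):
        print(t, mac, port.receive(mac, t), port.mode)
    print("\n".join(port.log))
```

Note that in secure mode the first unknown source silences the port for the whole disableport timeout, so an attacker who can inject one frame can knock legitimate hosts off the port for that period; this is why the timer and the choice of intrusion action matter as much as the MAC limit.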
To configure a port to ignore authorization information from the server:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
Step 3. Ignore the authorization information received from the authentication server.
  Command: port-security authorization ignore
  Remarks: By default, a port uses the authorization information received from the authentication server.
Applying a NAS-ID profile to port security By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests. A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.
Port security configuration examples
autoLearn configuration example
Network requirements
As shown in Figure 68, configure port GigabitEthernet 1/0/1 on the device to meet the following requirements:
• Accept up to 64 users without authentication.
• Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes.
  MAC move : Denied
  Authorization fail : Online
  OUI value list
GigabitEthernet1/0/1 is link-up
  Port mode : autoLearn
  NeedToKnow mode : Disabled
  Intrusion protection mode : DisablePortTemporarily
  Security MAC address attribute
    Learning mode : Sticky
    Aging type : Periodical
  Max secure MAC addresses : 64
  Current secure MAC addresses
  Authorization
• The RADIUS server at 192.168.1.2 functions as the primary authentication server and the secondary accounting server. The RADIUS server at 192.168.1.3 functions as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and the shared key for accounting is money.
•...
Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
Configure port security:
# Enable port security.
[Device] port-security enable
# Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.)
[Device] port-security oui index 1 mac-address 1234-0100-1111
[Device] port-security oui index 2 mac-address 1234-0200-1111
  Retransmission Times for Accounting Update : 5
  Server Quiet Period(minutes)
  Realtime Accounting Interval(minutes) : 15
  NAS IP Address : Not configured
                 : Not configured
  User Name Format : without-domain
  Data flow unit : Million Byte
  Packet unit : one
  Attribute 15 check-mode : Strict
# After users pass authentication, display port security configuration.
Configure port GigabitEthernet 1/0/1 of the device to meet the following requirements:
• Allow more than one MAC authenticated user to log on.
• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
•...
Port security parameters:
  Port security : Enabled
  AutoLearn aging time : 0 min
  Disableport timeout : 30 s
  MAC move : Denied
  Authorization fail : Online
  OUI value list
GigabitEthernet1/0/1 is link-up
  Port mode : macAddressElseUserLoginSecure
  NeedToKnow mode : NeedToKnowOnly
  Intrusion protection mode : NoAction
  Security MAC address attribute
  Max online users : 4294967295
  Authentication attempts : successful 3, failed 7
  Current online users
    MAC address       Auth state
    1234-0300-0011    Authenticated
    1234-0300-0012    Authenticated
    1234-0300-0013    Authenticated
# Display 802.1X authentication information. Verify that GigabitEthernet 1/0/1 allows only one 802.1X user to be authenticated.
[Device] display dot1x interface gigabitethernet 1/0/1
Global 802.1X parameters:
  802.1X authentication
Configuring password control
Overview
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login With the global password control feature enabled, users must change the password at first login before they can access the system.
FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
Step: Enable the global password control feature.
  Command: password-control enable
  Remarks:
  • In non-FIPS mode, the global password control feature is disabled by default.
  • In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
Step: (Optional.) Enable a specific password control feature.
  Command: password-control { aging |
  Remarks: By default, all four password
Step: Set the maximum number of history password records for each user.
  Command: password-control history max-record-num
  Remarks: The default setting is 4.
Step: Configure the login attempt limit.
  Command: password-control login-attempt login-times [ exceed { lock |
  Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified limit
Setting local user password control parameters
Step 1. Enter system view.
  Command: system-view
Step 2. Create a device management user and enter its view.
  Command: local-user user-name class manage
  Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users.
Step 1. Enter system view.
  Command: system-view
Step 2. Set the password expiration time for super passwords.
  Command: password-control super aging aging-time
  Remarks: The default setting is 90 days.
Step 3. Configure the minimum length for super passwords.
  Command: password-control super length
  Remarks:
  • In non-FIPS mode, the default setting is 10 characters.
  •
• An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
• A user can log in five times within 60 days after the password expires.
• A password expires after 30 days.
•...
[Sysname] password-control super length 24
# Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type.
[Sysname] password-control super composition type-number 4 type-length 5
# Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
  Password length: Enabled (24 characters)
  Password composition: Enabled (4 types, 5 characters per type)
# Display the password control configuration for local user test.
display local-user user-name test class manage
Total 1 local users matched.
Device management user test:
  State: Active
  Service type:
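The complexity checks described in the password control overview (no username or reversed username in the password) and the length and composition limits used in the super password example above (length 24, four character types, five characters per type), implemented as one checker so a password can be screened before it is typed into the device. This is an added example, not Comware code: the username comparison is treated as case-insensitive, the four character types are assumed to be upper case, lower case, digits and printable punctuation, and the usernames are constructed; the compliant sample password is the one from the configuration example.

```python
"""Password-control style checker: username/reverse-username rule, minimum
length, and composition (type-number character classes with at least
type-length characters each).  Added example, not Comware code.  Assumptions:
the username match is case-insensitive and the four classes are upper case,
lower case, digits and printable punctuation."""
import string

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),   # assumption: what counts as 'special'
}


def composition(password: str) -> dict:
    """Count characters per class; each character is counted once."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                counts[name] += 1
                break
    return counts


def check_password(password: str, username: str, min_length: int = 10,
                   type_number: int = 2, type_length: int = 1) -> list:
    """Return the list of violated rules; an empty list means compliant.

    Defaults are illustrative: the non-FIPS default super password length is
    10 per the table above; the composition defaults here are assumptions."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    pw, user = password.lower(), username.lower()
    if user and (user in pw or user[::-1] in pw):
        problems.append("contains the username or its reverse")
    present = [n for n, c in composition(password).items() if c >= type_length]
    if len(present) < type_number:
        problems.append(
            f"needs {type_number} character types with at least {type_length} "
            f"characters each, found {len(present)}")
    return problems


# Constructed usernames; the first password is the super password from the example.
SAMPLES = [
    ("123456789ABGFTweuix@#$%!", "admin", 24, 4, 5),
    ("abc982", "abc", 10, 2, 1),
    ("2cba", "abc", 10, 2, 1),
    ("Tr0ub4dor&3longer!", "alice", 10, 4, 1),
]

if __name__ == "__main__":
    for pw, user, length, types, per_type in SAMPLES:
        print(repr(pw), "->", check_password(pw, user, length, types, per_type) or "ok")
```

The two abc examples reproduce the overview's own case: abc982 fails because it contains the username, 2cba because it contains the username reversed, and both also fall short of the 10-character minimum.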
Managing public keys
Overview
This chapter describes public key management for the following asymmetric key algorithms:
• Rivest-Shamir-Adleman Algorithm (RSA).
• Digital Signature Algorithm (DSA).
• Elliptic Curve Digital Signature Algorithm (ECDSA).
Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 71.
• Enter an appropriate key modulus length at the prompt (see Table 17). The longer the key modulus length, the higher the security, but the longer the key generation time.
• If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
Distributing a local host public key
You must distribute a local host public key to a peer device so the peer device can perform the following operations:
• Use the public key to encrypt information sent to the local device.
•...
Task: Display local DSA public keys.
  Command: display public-key local dsa public [ name key-name ]
NOTE:
Do not distribute the RSA server public key serverkey (default) to a peer device.
Destroying a local key pair
To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:
•...
Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
Figure 72 Network diagram
Device A   Device B
Configuration procedure
Configure Device A:
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
[DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081
[DeviceB-pkey-public-key-devicea]2818100DA3B90F59237347B
[DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700
[DeviceB-pkey-public-key-devicea]C8F04A827B30C2CAF79242E
[DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744
[DeviceB-pkey-public-key-devicea]88EC54A5D31EFAE4F681257
[DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F
[DeviceB-pkey-public-key-devicea]B1F2D561BF66EA27DFD4788
[DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001
# Save the public key and return to system view.
[DeviceB-pkey-public-key-devicea] peer-public-key end
Verifying the configuration
# Verify that the key is the same as on Device A.
[DeviceB] display public-key peer name devicea
=============================================
Key name: devicea
Key type: RSA
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 TYPE is now 8-bit binary
ftp> get devicea.pub
227 Entering Passive Mode (10,1,1,1,118,252)
150 Accepted data connection
226 File successfully transferred
301 bytes received in 0.003 seconds (98.0 kbyte/s)
Configuring SSL
Overview
Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet.
SSL security services
SSL provides the following security services:
•...
Figure 75 SSL protocol stack
The following describes the major functions of SSL protocols:
• SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data.
• SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
Step: (Optional.) Disable specific SSL protocol versions on the device.
  Command:
  • In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
  • In FIPS mode:
  Remarks: By default:
  • In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and
  •
Step: Set the maximum number of sessions that the SSL server can cache.
  Command: session cachesize size
  Remarks: By default, an SSL server can cache a maximum of 500 sessions.
Step: Enable the SSL server to authenticate clients.
  Command: client-verify enable
  Remarks: By default, SSL client authentication is disabled. When authenticating a client by using the digital certificate, the SSL server verifies the
Step: Specify the SSL protocol version for the SSL client policy.
  Command:
  • In non-FIPS mode: version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
  •
  Remarks: By default, an SSL client policy uses TLS 1.0. As a best practice to ensure
Configuration procedure Make sure the device, the host, and the CA server can reach each other. (Details not shown.) Configure the device: # Create a PKI entity named en. Specify http-server1 as the common name and ssl.security.com as the FQDN. ...
# Enable client authentication.
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure the HTTPS service to use SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user named usera. Set the password to 123, service type to https, and user role to network-admin.
Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
• The private key is compromised.
• The association between the subject and CA is changed. For example, when an employee terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
Step 1. Create a PKI entity and enter its view.
  Command: pki entity entity-name
  Remarks: By default, no PKI entities exist. To create multiple PKI entities, repeat this step.
Step 2. Set a common name for the entity.
  Command: common-name
  Remarks: By default, the common name is not
Step: (Optional.) Set the SCEP polling interval and maximum number of polling attempts.
  Command: certificate request polling { count count | interval minutes }
  Remarks: By default, the device polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts
Step 11. (Optional.) Specify the intended use for the certificate.
  Command: usage { ike | ssl-client | ssl-server } *
  Remarks: By default, the certificate can be used by both SSL clients and SSL servers. The extension options contained in an issued certificate depend on the CA policy, and they might be
• After a new certificate is obtained, do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the local certificate. Otherwise, the existing local certificate becomes unavailable. •...
Step | Command | Remarks
Obtain a CA certificate. | See "Obtaining certificates." |
Submit a certificate request or generate a certificate request in ... | pki request-certificate domain domain-name [ password password ] | This command is not saved in the configuration file. This command triggers the PKI entity to automatically generate a key pair if the key pair specified in the PKI domain...
Configuration guidelines
• To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password.
• If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained. When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain of the domain.
Specifying the storage path for the certificates and CRLs
CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs.
The device has a default storage path for certificates and CRLs. You can change the storage path and specify different paths for the certificates and CRLs.
Removing a certificate You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you remove the CA certificate, the system automatically removes the local certificates, peer certificates, and CRLs in the domain. You can remove a local certificate and request a new one when the local certificate is about to expire or the certificate's private key is compromised.
Step | Command | Remarks
Enter system view. | system-view |
Create a certificate attribute group and enter its view. | pki certificate attribute-group group-name | By default, no certificate attribute groups exist.
(Optional.) Configure an attribute rule for issuer ... | attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } ... | By default, no attribute rules are ...
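The following Python model shows how attribute rules, attribute groups and the deny/permit statements of a certificate-based access control policy combine to decide whether a peer certificate is accepted. It is an added example, not code from this guide or from the device. The operators ctn and nctn and the mygroup2 rules come from the configuration example later on this page; the equ/nequ operators, the "all rules in a group must match" and "no matching statement means deny" semantics, the contents of mygroup1, and all test certificates are assumptions made for the illustration.

```python
"""Certificate attribute groups and a certificate-based access control
policy, modelled in Python. Added example; not code from the guide."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Cert:
    """The certificate fields the attribute rules can inspect."""
    subject_dn: str
    issuer_dn: str
    alt_fqdns: list = field(default_factory=list)
    alt_ips: list = field(default_factory=list)


def _same_ip(a, b):
    try:
        return ip_address(a) == ip_address(b)
    except ValueError:          # candidate is not an IP literal
        return False


@dataclass
class AttributeRule:
    """One 'attribute id ...' rule. ctn/nctn (contains / does not contain)
    appear on the page; equ/nequ (equals / not equals) are assumed here."""
    attr: str    # "subject-name", "issuer-name" or "alt-subject-name"
    kind: str    # "dn", "fqdn" or "ip"
    op: str      # "ctn", "nctn", "equ" or "nequ"
    value: str

    def _candidates(self, cert):
        if self.attr == "alt-subject-name":
            return cert.alt_fqdns if self.kind == "fqdn" else cert.alt_ips
        dn = cert.subject_dn if self.attr == "subject-name" else cert.issuer_dn
        if self.kind == "dn":
            return [dn]
        # Assumption: the fqdn/ip forms of a DN rule look at its CN component.
        return [p.split("=", 1)[1].strip() for p in dn.split(",")
                if p.strip().upper().startswith("CN=")]

    def matches(self, cert):
        vals = [v.lower() for v in self._candidates(cert)]
        want = self.value.lower()
        if self.kind == "ip":
            hit = any(_same_ip(v, want) for v in vals)
        elif self.op in ("ctn", "nctn"):
            hit = any(want in v for v in vals)
        else:
            hit = any(v == want for v in vals)
        return hit if self.op in ("ctn", "equ") else not hit


def group_matches(rules, cert):
    """A certificate matches a group only if every rule in it matches
    (assumed semantics; an empty group matches nothing)."""
    return bool(rules) and all(r.matches(cert) for r in rules)


def evaluate(policy, groups, cert):
    """policy: ordered (action, group_name) statements. The first statement
    whose group matches decides; no match means deny (assumed default)."""
    for action, name in policy:
        if group_matches(groups[name], cert):
            return action
    return "deny"


# mygroup2 as configured on the page: alt-subject-name FQDN must not contain
# "apple", issuer DN must contain "aabbcc". mygroup1 is constructed.
GROUPS = {
    "mygroup1": [AttributeRule("subject-name", "dn", "ctn", "contractor")],
    "mygroup2": [AttributeRule("alt-subject-name", "fqdn", "nctn", "apple"),
                 AttributeRule("issuer-name", "dn", "ctn", "aabbcc")],
}
# Policy myacp: deny mygroup1, then permit mygroup2 (second statement assumed).
MYACP = [("deny", "mygroup1"), ("permit", "mygroup2")]

# Constructed test certificates.
CERT_OK = Cert("CN=host1,O=example", "CN=aabbcc-ca,O=example", ["host1.example.net"])
CERT_APPLE = Cert("CN=host2,O=example", "CN=aabbcc-ca,O=example", ["apple.example.net"])
CERT_CONTRACTOR = Cert("CN=contractor-7,O=example", "CN=aabbcc-ca,O=example", ["c7.example.net"])
CERT_OTHER_CA = Cert("CN=host3,O=example", "CN=other-ca,O=example", ["host3.example.net"])


def decisions():
    """Policy verdict for each constructed certificate."""
    return {name: evaluate(MYACP, GROUPS, c) for name, c in
            [("ok", CERT_OK), ("apple", CERT_APPLE),
             ("contractor", CERT_CONTRACTOR), ("other_ca", CERT_OTHER_CA)]}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name}: {verdict}")
```

The point to take from the model is that a group is only as restrictive as the conjunction of its rules, and that a certificate which satisfies no statement at all is rejected; when writing a policy, put the deny statements first and verify the behaviour with a certificate that matches none of the groups.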
Requesting a certificate from an RSA Keon CA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server.
Figure 79 Network diagram
Configuring the RSA Keon CA server
Create a CA server named myca:
In this example, you must configure these basic attributes on the CA server:
Nickname—Name of the trusted CA.
[Device-pki-domain-torsa] certificate request entity aaa
# Specify the URL of the CRL repository.
[Device-pki-domain-torsa] crl url ldap://1.1.2.22:389/CN=myca
# Specify a 1024-bit general-purpose RSA key pair named abc for certificate request. (1024-bit RSA is used only to keep the example short; for production keys use 2048 bits, the largest size the device accepts.)
[Device-pki-domain-torsa] public-key rsa general name abc length 1024
[Device-pki-domain-torsa] quit
Generate a local RSA key pair.
Modulus:
    00:ab:45:64:a8:6c:10:70:3b:b9:46:34:8d:eb:1a:
    a1:b3:64:b2:37:27:37:9d:15:bd:1a:69:1d:22:0f:
    3a:5a:64:0c:8f:93:e5:f0:70:67:dc:cd:c1:6f:7a:
    0c:b1:57:48:55:81:35:d7:36:d5:3c:37:1f:ce:16:
    7e:f8:18:30:f6:6b:00:d6:50:48:23:5c:8c:05:30:
    6f:35:04:37:1a:95:56:96:21:95:85:53:6f:f2:5a:
    dc:f8:ec:42:4a:6d:5c:c8:43:08:bb:f1:f7:46:d5:
    f1:9c:22:be:f3:1b:37:73:44:f5:2d:2c:5e:8f:40:
    3e:36:36:0d:c8:33:90:f3:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 CRL Distribution Points:
        Full Name:
          DirName: CN = myca
Signature Algorithm: sha1WithRSAEncryption
    b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa:
    73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af:
    25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c:
    f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8:
    25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36:
    87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52:
    ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69:
    1b:f5
Note that this example CA signs with SHA-1 (sha1WithRSAEncryption); current validators reject SHA-1 signatures, so a production CA should sign with a SHA-2 algorithm.
To display detailed information about the CA certificate, use the display pki certificate domain command.
d. Set the CA name. In this example, set the CA name to myca.
Install the SCEP add-on:
By default, Windows Server 2003 does not support SCEP. You must install the SCEP add-on on the server for a PKI entity to register and obtain a certificate from the server. After the SCEP add-on installation is complete, you will see a URL.
[Device] public-key local create rsa name abc
The range of public key size is (512 ~ 2048). If the key modulus is greater than 512,it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
    f8:dd:f8:a7:2a:94:58:d9:c7:f8:1a:78:bd:f5:42:
    51:3b:31:5d:ac:3e:c3:af:fa:33:2c:fc:c2:ed:b9:
    ee:60:83:b3:d3:e5:8e:e5:02:cf:b0:c8:f0:3a:a4:
    b7:ac:a0:2c:4d:47:5f:39:4b:2c:87:f2:ee:ea:d0:
    c3:d0:8e:2c:80:83:6f:39:86:92:98:1f:d2:56:3b:
    d7:94:d2:22:f4:df:e3:f8:d1:b8:92:27:9c:50:57:
    f3:a1:18:8b:1c:41:ba:db:69:07:52:c1:9a:3d:b1:
    2d:78:ab:e3:97:47:e2:70:14:30:88:af:f8:8e:cb:
    68:f9:6f:07:6e:34:b6:38:6a:a2:a8:29:47:91:0e:
    25:39
Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier:
        C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34
    X509v3 Authority Key Identifier:
        keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9
    X509v3 CRL Distribution Points:
        Full Name:
          URI:file://\\g07904c\CertEnroll\sec.crl
    Authority Information Access:...
To display detailed information about the CA certificate, use the display pki certificate domain command.
Requesting a certificate from an OpenCA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server.
Figure 81 Network diagram
Configuring the OpenCA server
The configuration is not shown.
Generate RSA key pair abc.
[Device] public-key local create rsa name abc
The range of public key size is (512 ~ 2048). If the key modulus is greater than 512,it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
    0d:f7:64:cf:0a:dd:39:49:d7:3f:25:35:18:f4:1c:
    59:46:2b:ec:0d:21:1d:00:05:8a:bf:ee:ac:61:03:
    6c:1f:35:b5:b4:cd:86:9f:45
Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Client, S/MIME
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
    Netscape Comment:
        User Certificate of OpenCA Labs
    X509v3 Subject Key Identifier:
        24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B...
    81:99:31:89
To display detailed information about the CA certificate, use the display pki certificate domain command.
Certificate-based access control policy configuration example
Network requirements
As shown in Figure 82, the host accesses the device through HTTPS. Configure a certificate-based access control policy on the device to authenticate the host and verify the validity of the host's certificate.
[Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup2] quit
Configure a certificate-based access control policy:
# Create a certificate-based access control policy named myacp.
[Device] pki certificate access-control-policy myacp
# Define a statement to deny the certificates that match the attribute rules in certificate attribute group mygroup1.
Figure 83 Network diagram
Configuration procedure
Export the certificate on Device A:
# Export the CA certificate to a .pem file.
system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with password 111111.
Failed to obtain the CA certificate
Symptom
The CA certificate cannot be obtained.
Analysis
• The network connection is down, for example, because the network cable is damaged or the connectors have bad contact.
• No trusted CA is specified.
•...
Specify the key pair for certificate request, or remove the existing key pair, specify a new key pair, and submit a local certificate request again. Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements.
Failed to obtain CRLs
Symptom
CRLs cannot be obtained.
Analysis
• The network connection is down, for example, because the network cable is damaged or the connectors have bad contact.
• The PKI domain does not have a CA certificate before you try to obtain CRLs.
•...
Solution
Use the undo crl check enable command to disable CRL checking in the PKI domain. With CRL checking disabled, revoked certificates are accepted, so treat this as a temporary workaround and re-enable CRL checking once the CRL repository is reachable again.
Make sure the format of the imported file is correct.
If the problem persists, contact Hewlett Packard Enterprise Support.
Failed to import the local certificate
Symptom
The local certificate cannot be imported.
Solution
Obtain or request local certificates first.
Use the mkdir command to create the required path.
Specify a correct export path.
Configure the correct key pair in the PKI domain.
Clear up the storage space of the device.
If the problem persists, contact Hewlett Packard Enterprise Support.
Failed to set the storage path
Symptom
The storage path for certificates or CRLs cannot be set.
Configuring IPsec
Overview
IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. Of these, DES and HMAC-MD5 are weak by current standards and 3DES is deprecated; prefer AES with an HMAC-SHA algorithm wherever the peer supports them. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger, because AH also authenticates the immutable fields of the outer IP header, which ESP does not cover. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
Security association
A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA comprises the following parameters for data protection:
• Security protocols (AH, ESP, or both).
• Encapsulation mode (transport mode or tunnel mode).
•...
• AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength of the three algorithms and, contrary to what its larger key size might suggest, is faster than 3DES in software and much faster on hardware with AES acceleration, so it is the preferred choice.
Crypto engine
The IPsec feature is resource intensive for its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use crypto engine to offload IPsec tasks. The crypto engine processes all IPsec protected packets and hands the processed packets back to the device for forwarding.
Application-based IPsec Application-based IPsec does not require any ACL. You can implement application-based IPsec by binding an IPsec profile to an application protocol. All packets of the application protocol are encapsulated with IPsec. This method can be used to protect IPv6 routing protocols. The supported IPv6 routing protocols include OSPFv3, IPv6 BGP, and RIPng.
IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a headquarters gateway).
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol (obsoleted by RFC 4301)
• RFC 2402, IP Authentication Header (obsoleted by RFC 4302)
• RFC 2406, IP Encapsulating Security Payload (obsoleted by RFC 4303)
•...
Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode. Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime.
permit statement are processed. Other packets are dropped. If ACL checking for de-encapsulated IPsec packets is disabled, the de-encapsulated packets are not compared against the ACL rules and are directly processed by other modules. When defining ACL rules for IPsec, follow these guidelines: •...
Step | Command | Remarks
(In non-FIPS mode.) Specify the encryption algorithm for ESP. | esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | ... | Configure at least one command. By default, no security algorithm is specified. 3des-cbc is a legacy option kept for interoperability; choose one of the AES options for new tunnels.
Step | Command | Remarks
(Optional.) Enable the PFS feature ... | In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | ... | By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the ... dh-group1 (768-bit MODP) and dh-group2 (1024-bit MODP) no longer provide an adequate security margin; use dh-group14 or larger, or an elliptic-curve group such as dh-group19.
Step | Command | Remarks
(Optional.) Configure a description for the IPsec policy. | description text | By default, no description is configured.
Specify an ACL for the IPsec policy. | security acl [ ipv6 ] { acl-number ... | By default, no ACL is specified for an IPsec policy.
Step | Command | Remarks
• Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for ...
Remarks: By default, no keys are configured for the IPsec SA.
• The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
•...
Step | Command | Remarks
Specify the local IP address of the IPsec tunnel. | local-address { ipv4-address | ... | By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which...
Step | Command | Remarks
Create an IPsec policy template and enter its view. | ipsec { ipv6-policy-template | policy-template } template-name seq-number | By default, no IPsec policy template exists.
(Optional.) Configure a description for the IPsec policy template. | description text | By default, no description is configured.
Step | Command | Remarks
12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature. | tfc enable | By default, the TFC padding feature is disabled.
13. Return to system view. | quit |
14. Configure the global SA lifetime. | ipsec sa global-duration { time-based seconds | ... | By default, time-based SA lifetime is 3600 seconds, and ...
Step | Command | Remarks
Specify a service module or an Ethernet interface module ... | In standalone mode: service slot slot-number ... | By default, no service module or Ethernet interface module is specified. It is required when the following conditions are met: •...
IMPORTANT:
• IPsec anti-replay is enabled by default. Failure to detect anti-replay attacks might result in denial of services. Use caution when you disable IPsec anti-replay.
• Specify an anti-replay window size that is as small as possible to reduce the impact on system performance, but large enough to cover the packet reordering on the path: a legitimate packet that arrives more than one window behind the newest accepted packet is dropped as if it were a replay.
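The sliding-window check behind the anti-replay feature is easiest to understand by running it. The following Python class is an added example in the style of RFC 4303 Appendix A, not the device's implementation; the trace of sequence numbers is constructed to show the three outcomes (new packet, replay, packet too old for the window) and why the window size matters on paths that reorder packets.

```python
"""Sliding-window anti-replay check for ESP/AH sequence numbers, in the
style of RFC 4303 Appendix A. Added example; not the device's code."""


class AntiReplayWindow:
    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window must be at least 32 (RFC 4303 minimum)")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit d set => sequence number (top - d) already seen

    def classify(self, seq):
        """Decide without side effects: accept, replay, stale or invalid."""
        if seq == 0:
            return "invalid"         # 0 is never a valid ESP/AH sequence number
        if seq > self.top:
            return "accept"          # ahead of the window: a new packet
        d = self.top - seq
        if d >= self.size:
            return "stale"           # behind the window: cannot be checked, drop
        return "replay" if (self.bitmap >> d) & 1 else "accept"

    def mark(self, seq):
        """Record seq; called only after the ICV verified, as RFC 4303 requires."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok=True):
        verdict = self.classify(seq)
        if verdict != "accept":
            return verdict
        if not icv_ok:
            return "bad-icv"         # forged packet: window state is untouched
        self.mark(seq)
        return "accept"


def process(trace, size=64):
    """Run a trace of sequence numbers (int, or (int, icv_ok) tuples) through
    one window and return the per-packet verdicts."""
    window = AntiReplayWindow(size)
    verdicts = []
    for item in trace:
        seq, ok = item if isinstance(item, tuple) else (item, True)
        verdicts.append(window.receive(seq, ok))
    return verdicts


# Constructed trace: reordering inside the window is tolerated (4 after 5),
# a repeated number is a replay (3), and packets that arrive `size` or more
# behind the newest one are dropped even though they were never seen (6 and
# 136 with the default 64-packet window).
TRACE = [1, 2, 3, 5, 4, 3, 70, 6, 2, 200, 137, 136]

if __name__ == "__main__":
    for seq, verdict in zip(TRACE, process(TRACE)):
        print(f"seq {seq:>4}: {verdict}")
    print("with a 1024-packet window:", process(TRACE, size=1024))
```

With the 64-packet window, sequence numbers 6 and 136 are reported stale although they are legitimate; with a 1024-packet window they are accepted and only the true replays (3 and 2) are dropped. That is the trade-off the note above describes: the window should be the smallest value that still covers the reordering the path actually produces. Note also that a 32-bit sequence counter must never wrap; without extended sequence numbers the SA has to be rekeyed before that happens.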
Binding a source interface to an IPsec policy For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.
Step | Command | Remarks
Enter interface view. | interface interface-type interface-number |
Configure the DF bit of IPsec packets on the interface. | ipsec df-bit { clear | copy | set } | By default, the interface uses the global DF bit setting.
To configure the DF bit of IPsec packets globally:
Step | Command | Remarks...
the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
• The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the key at one end is entered as a string of characters, the key on the other end must also be entered as a string of characters.
displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
To generate and output SNMP notifications for a specific IPsec failure or event type, perform the following tasks:
Enable SNMP notifications for IPsec globally.
Enable SNMP notifications for the failure or event type.
To configure SNMP notifications for IPsec:
Step | Command
IPsec configuration examples
Configuring a manual mode IPsec tunnel for IPv4 packets
Network requirements
As shown in Figure 88, establish an IPsec tunnel between Switch A and Switch B to protect the data flows in between. Manual-mode SAs are never rekeyed, so the SPIs and keys configured here stay in use until someone changes them; use long random keys, and prefer IKE-negotiated SAs wherever the peer supports them. Configure the tunnel as follows:
•...
[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
# Configure the inbound and outbound SA keys for ESP.
[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
[SwitchA-ipsec-policy-manual-map1-10] quit
# Apply the IPsec policy map1 to interface VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
# Specify a service module or an Ethernet interface module for forwarding the traffic on the
[SwitchB-ipsec-policy-manual-use1-10] quit
# Apply the IPsec policy use1 to interface VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
# Specify a service module or an Ethernet interface module for forwarding the traffic on the interface.
[SwitchB-Vlan-interface1] service slot 3
[SwitchB-Vlan-interface1] quit
Verifying the configuration
After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established,
Figure 89 Network diagram
Configuration procedure
Configure Switch A:
# Configure an IP address for VLAN-interface 1.
system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Configure an ACL to identify data flows between Switch A and Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-adv-3101] quit...
# Apply the IKE profile profile1.
[SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy map1 to interface VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
# Specify a service module or an Ethernet interface module for forwarding the traffic on the interface.
[SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
# Apply the IKE profile profile1.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy use1 to interface VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
# Specify a service module or an Ethernet interface module for forwarding the traffic on the interface.
# Specify the ESP encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
[SwitchA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!
[SwitchA-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
# Specify the security protocol as ESP.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[SwitchB] ike keychain keychain1
[SwitchB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!
[SwitchB-ike-keychain-keychain1] quit...
Figure 91 Network diagram
Requirements analysis
To meet the network requirements, perform the following tasks:
Configure basic RIPng. For more information about RIPng configurations, see Layer 3—IP Routing Configuration Guide.
Configure an IPsec profile. The IPsec profiles on all the switches must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode.
Configure Switch B:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
system-view
[SwitchB] ripng 1
[SwitchB-ripng-1] quit
[SwitchB] interface vlan-interface 200
[SwitchB-Vlan-interface200] ripng 1 enable
[SwitchB-Vlan-interface200] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Create and configure the IPsec transform set named tran1.
# Create and configure the IPsec profile named profile001.
[SwitchC] ipsec profile profile001 manual
[SwitchC-ipsec-profile-profile001] transform-set tran1
[SwitchC-ipsec-profile-profile001] sa spi outbound esp 123456
[SwitchC-ipsec-profile-profile001] sa spi inbound esp 123456
[SwitchC-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
[SwitchC-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
[SwitchC-ipsec-profile-profile001] quit
# Apply the IPsec profile to RIPng process 1.
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1.
Overview
Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establish­ment services for IPsec. IKE provides the following benefits for IPsec:
•...
Figure 93 IKE exchange process in main mode
As shown in Figure 93, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange—Used for negotiating the IKE security policy.
• Key exchange—Used for exchanging the DH public value and other values, such as the random number.
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because recovering the shared key from the exchanged public values requires solving the discrete logarithm problem, a third party cannot compute the keys even after intercepting all the keying material. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
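The key exchange and the key derivation that follow it in main mode with pre-shared-key authentication are shown below in Python, as an added example that is not the device's implementation. The DH group is dh-group14 (RFC 3526, 2048-bit MODP); its modulus is transcribed from the RFC, and the example checks that it is a safe prime so that a transcription error is caught rather than silently weakening the exchange. The SKEYID formulas are those of RFC 2409 section 5 for pre-shared-key authentication; the cookies, nonces and the pre-shared key value (taken from the configuration examples on this page) are constructed inputs, and SHA-1 is used as the prf only because that is the hash the examples negotiate.

```python
"""Diffie-Hellman exchange and the IKEv1 (RFC 2409) pre-shared-key SKEYID
derivation that main mode runs on top of it. Added example, not the
device's implementation; the modulus is transcribed from RFC 3526."""
import hashlib
import hmac
import secrets

# dh-group14: 2048-bit MODP group from RFC 3526 section 3 (transcribed).
P_GROUP14 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def is_probable_prime(n, rounds=5):
    """Miller-Rabin test, used to sanity-check the transcribed modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=P_GROUP14, g=G):
    """Fresh private exponent x and public value g^x mod p for one exchange."""
    x = secrets.randbits(320) | (1 << 319)   # well above group 14's ~112-bit strength
    return x, pow(g, x, p)


def dh_shared(x, peer_pub, p=P_GROUP14):
    """g^xy mod p; rejects out-of-range and small-subgroup public values."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    if pow(peer_pub, (p - 1) // 2, p) != 1:   # p is a safe prime, g generates order q
        raise ValueError("peer public value not in the prime-order subgroup")
    return pow(peer_pub, x, p)


def accepts_public_value(value):
    """True if dh_shared would accept value as a peer public value."""
    try:
        dh_shared(3, value)
        return True
    except ValueError:
        return False


def skeyid_psk(psk, ni, nr, gxy, cky_i, cky_r, prf=hashlib.sha1, p=P_GROUP14):
    """RFC 2409 section 5, pre-shared key authentication:
       SKEYID   = prf(psk, Ni_b | Nr_b)
       SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
       SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
       SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)"""
    gxy_b = gxy.to_bytes((p.bit_length() + 7) // 8, "big")
    skeyid = hmac.new(psk, ni + nr, prf).digest()
    d = hmac.new(skeyid, gxy_b + cky_i + cky_r + b"\x00", prf).digest()
    a = hmac.new(skeyid, d + gxy_b + cky_i + cky_r + b"\x01", prf).digest()
    e = hmac.new(skeyid, a + gxy_b + cky_i + cky_r + b"\x02", prf).digest()
    return {"SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def main_mode_phase1(psk=b"123456TESTplat&!"):
    """Both sides of main-mode messages 1-4: cookies from the SA exchange,
    then the KE + nonce exchange; each side derives the keys on its own."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # constructed
    keys_i = skeyid_psk(psk, ni, nr, dh_shared(xi, gr), cky_i, cky_r)
    keys_r = skeyid_psk(psk, ni, nr, dh_shared(xr, gi), cky_i, cky_r)
    return keys_i, keys_r


if __name__ == "__main__":
    initiator, responder = main_mode_phase1()
    print("peers agree:", initiator == responder)
    print("SKEYID_e:", initiator["SKEYID_e"].hex())
```

Two properties of the exchange are visible in the code. First, the pre-shared key only authenticates: SKEYID_d, from which the IPsec keys are later derived, also depends on g^xy, so an attacker who records the traffic and later learns the pre-shared key still cannot recover the session keys. Second, each call to main_mode_phase1 draws fresh exponents and produces different keys, which is exactly what the PFS option buys for phase 2 when it is enabled: a new DH exchange per IPsec SA instead of reusing the phase 1 secret. The subgroup check in dh_shared is cheap with a safe prime and is what stops a peer from forcing g^xy into a tiny set of values.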
Tasks at a glance | Remarks
(Optional.) Configuring the IKE keepalive feature
(Optional.) Configuring the IKE NAT keepalive feature
(Optional.) Configuring IKE DPD
(Optional.) Enabling invalid SPI recovery
(Optional.) Setting the maximum number of IKE SAs
(Optional.) Configuring SNMP notifications for IKE
Configuring an IKE profile
An IKE profile is intended to provide a set of parameters for IKE negotiation.
c. If a tie still exists, the device prefers an IKE profile configured earlier.
To configure an IKE profile:
Step | Command | Remarks
Enter system view. | system-view |
Create an IKE profile and enter its view. | ike profile profile-name | By default, no IKE profile is configured.
Step | Command | Remarks
(Optional.) Specify the local interface or IP address to which the IKE profile can ... | match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance ... | By default, an IKE profile can be applied to any local interface or IP address.
Step | Command | Remarks
Specify an authentication method for the IKE proposal. | authentication-method { dsa-signature | pre-share | rsa-signature } | By default, an IKE proposal uses the pre-shared key authentication method.
Specify an authentication algorithm ... | In non-FIPS mode: authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 } | By default, an IKE proposal ... For new deployments avoid md5 and prefer sha256 or stronger; sha (SHA-1) is acceptable only for interoperability with peers that support nothing better.
Configuring the IKE keepalive feature IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
The local device sends a DPD message to the peer, and waits for a response from the peer. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message. If still no response is received within the retry interval, the local end sends the DPD message again.
Setting the maximum number of IKE SAs You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. • The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
Displaying and maintaining IKE
Execute display commands in any view and reset commands in user view.
Task | Command
Display configuration information about all IKE proposals. | display ike proposal
Display information about the current IKE SAs. | display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ]
Delete IKE SAs. |
# Use the ESP protocol for the IPsec transform set.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
# Specify plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 2.2.2.2.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0
[SwitchB-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
Verifying the configuration
# Initiate a connection from Switch A to Switch B to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two switches is IPsec protected.
Aggressive mode with RSA signature authentication configuration example
This configuration example is not available when the device is operating in FIPS mode.
# Set the common name as switcha for the PKI entity.
[SwitchA-pki-entity-entity1] common-name switcha
[SwitchA-pki-entity-entity1] quit
# Create a PKI domain named domain1.
[SwitchA] pki domain domain1
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[SwitchA-pki-domain-domain1] certificate request mode auto password simple 123
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
# Specify IPsec transform set tran1 for the IPsec policy.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify ACL 3101 to identify the traffic to be protected.
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
# Specify IKE profile profile1 for the IPsec policy.
[SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy map1 to VLAN-interface 1.
[SwitchB-pki-domain-domain2] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses the URL of http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.
[SwitchB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[SwitchB-pki-domain-domain2] certificate request from ca
# Specify the PKI entity for certificate request as entity2.
Verifying the configuration
# Initiate a connection from Switch A to Switch B to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two switches is IPsec protected.
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
Symptom
The IKE SA is in Unknown state.
IKE packet debugging message:
Construct notification packet: PAYLOAD_MALFORMED.
Analysis
• If the following debugging information appeared, the matched IKE profile is not using the matched IKE proposal:
Failed to find proposal 1 in profile profile1.
• If the following debugging information appeared, the matched IKE profile is not using the matched IKE keychain:
Failed to find keychain keychain1 in profile profile1.
Analysis
Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows:
Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy has an IKE profile specified, the IPsec SA negotiation fails.
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
Verify that the ACL used by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
For example:
[Sysname] display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
Configure the missing settings (for example, the remote address).
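The ACL check in the troubleshooting step above can be automated: take the rule text as shown by display acl on both peers and verify that the responder's rule is the mirror of the initiator's and is not narrower. The Python below is an added example, not device code or output. It handles the address/wildcard and any forms that appear in this chapter's examples; the rule pairs are taken from the manual-mode example on this page (Switch A and Switch B), plus a constructed mismatch in which the initiator protects a /24 but the responder's mirror rule names a single host.

```python
"""Check that a responder's IPsec ACL rule mirrors and covers the
initiator's. Added example; parses Comware-style 'rule ...' text."""
import re
from ipaddress import IPv4Address, IPv4Network

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>any|\S+\s+\S+))?"
    r"(?:\s+destination\s+(?P<dst>any|\S+\s+\S+))?"
)


def is_contiguous_wildcard(wildcard):
    """True if the wildcard mask ('0' or dotted) is a contiguous run of
    low-order one bits, i.e. it corresponds to a prefix length."""
    w = 0 if wildcard == "0" else int(IPv4Address(wildcard))
    return w & (w + 1) == 0


def _network(addr, wildcard):
    """Address + wildcard mask to an IPv4Network; '0' means a single host."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} does not map to a prefix")
    w = 0 if wildcard == "0" else int(IPv4Address(wildcard))
    return IPv4Network((addr, 32 - w.bit_length()), strict=False)


def parse_rule(text):
    """Parse one advanced-ACL rule line into id, action, protocol and the
    source/destination networks (missing or 'any' means 0.0.0.0/0)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")

    def net(field):
        if field is None or field == "any":
            return IPv4Network("0.0.0.0/0")
        addr, wildcard = field.split()
        return _network(addr, wildcard)

    return {"id": int(m["id"]), "action": m["action"], "proto": m["proto"],
            "src": net(m["src"]), "dst": net(m["dst"])}


def responder_covers(initiator_rule, responder_rule):
    """True when the responder's rule is the mirror image of the initiator's
    and its flow range is at least as wide; only permit rules select traffic."""
    i, r = parse_rule(initiator_rule), parse_rule(responder_rule)
    if i["action"] != "permit" or r["action"] != "permit":
        return False
    if i["proto"] != r["proto"]:
        return False
    return r["src"].supernet_of(i["dst"]) and r["dst"].supernet_of(i["src"])


# Host-to-host rules from the manual-mode example on this page.
SWITCH_A = "rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0"
SWITCH_B = "rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0"
# Constructed mismatch: the responder's mirror rule names host 1.1.1.0
# where the initiator protects the whole 1.1.1.0/24, so the responder's
# flow range is smaller and phase 2 fails; RESPONDER_FIXED widens it.
INITIATOR = "rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.2 0"
RESPONDER = "rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0"
RESPONDER_FIXED = "rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0.0.0.255"

if __name__ == "__main__":
    for label, pair in [("switches", (SWITCH_A, SWITCH_B)),
                        ("mismatch", (INITIATOR, RESPONDER)),
                        ("fixed", (INITIATOR, RESPONDER_FIXED))]:
        print(f"{label}: responder covers initiator = {responder_covers(*pair)}")
```

The containment test is deliberately asymmetric: the responder may protect a wider range than the initiator asks for, but never a narrower one, which is the condition the troubleshooting text describes. Non-contiguous wildcard masks are rejected rather than guessed at, since they cannot be expressed as a prefix and IPsec flow matching on such rules is a configuration smell worth surfacing.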
Configuring IKEv2
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange capability, and it needs fewer message exchanges than IKEv1.
New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
• The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
Step | Command | Remarks
Configure the local and remote identity authentication methods. | authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature } | By default, no local or remote identity authentication method is configured.
... | ... | By default, no keychain is specified for an IKEv2 profile.
Step | Command | Remarks
14. (Optional.) Set the IKEv2 NAT keepalive interval. | nat-keepalive seconds | By default, the global IKEv2 NAT keepalive setting is used.
15. (Optional.) Enable the configuration exchange ... | config-exchange { request | set { accept | send } } | By default, all configuration exchange options are disabled.
Configuring an IKEv2 proposal
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority. A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
Step: Specify the integrity protection algorithms.
Command:
• In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 }
• In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } *
Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms.
In non-FIPS mode:...
Step: Configure the information...
Command:
• To configure a host name for the peer: hostname host-name
• To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ...
Remarks: By default, no hostname, host IP address, address range, or identity information is configured.
Step: Enter system view.
Command: system-view
Step: Configure global IKEv2 DPD.
Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
Remarks: By default, global DPD is disabled.
Configuring the IKEv2 NAT keepalive feature
Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
Task: Display the IKEv2 policy configuration.
Command: display ikev2 policy [ policy-name | default ]
Task: Display the IKEv2 profile configuration.
Command: display ikev2 profile [ profile-name ]
Task: Display the IKEv2 SA information.
Command: display ikev2 sa [ { count | local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance ...
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create an IKEv2 keychain named keychain1.
[SwitchA] ikev2 keychain keychain1
# Create an IKEv2 peer named peer1.
[SwitchA-ikev2-keychain-keychain1] peer peer1
# Specify the peer IP address 2.2.2.2/24.
[SwitchA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 24
# Specify the peer ID, which is the IP address 2.2.2.2.
system-view
[SwitchB] interface Vlan-interface1
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify the traffic between Switch B and Switch A.
[SwitchB] acl advanced 3101
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0
[SwitchB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
# Specify the IPsec transform set tran1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify the IKEv2 profile profile1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy use1 to VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
# Specify an Ethernet interface module or a service module for forwarding the traffic on the interface.
# Set the packet encapsulation mode to tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity1.
[SwitchA-ikev2-profile-profile1] quit
# Create an IKEv2 proposal named 10.
[SwitchA] ikev2 proposal 10
# Specify the integrity protection algorithm as HMAC-MD5.
[SwitchA-ikev2-proposal-10] integrity md5
# Specify the encryption algorithm as 3DES-CBC.
[SwitchA-ikev2-proposal-10] encryption 3des-cbc
# Specify the DH group as Group 1.
[SwitchA-ikev2-proposal-10] dh group1
# Specify the PRF algorithm as HMAC-MD5.
# Set the packet encapsulation mode to tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity2.
[SwitchB] ikev2 proposal 10
# Specify the integrity protection algorithm as HMAC-MD5.
[SwitchB-ikev2-proposal-10] integrity md5
# Specify the encryption algorithm as 3DES-CBC.
[SwitchB-ikev2-proposal-10] encryption 3des-cbc
# Specify the DH group as Group 1.
[SwitchB-ikev2-proposal-10] dh group1
# Specify the PRF algorithm as HMAC-MD5.
[SwitchB-ikev2-proposal-10] prf md5
[SwitchB-ikev2-proposal-10] quit
# Create an IKEv2 policy named 1.
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2 proposals were found
Symptom
The IKEv2 SA is in IN-NEGO status.
display ikev2 sa
Tunnel ID   Local                    Remote                   Status
---------------------------------------------------------------------------
            123.234.234.124/500      123.234.234.123/500      IN-NEGO
Status:
IN-NEGO: Negotiating, EST: Establish, DEL: Deleting
Analysis
Certain IKEv2 proposal settings are incorrect.
Solution
Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends. If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the next step.
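As an added illustration (not the guide's own code or the device's implementation), the following Python model walks through the rules stated in "Configuring an IKEv2 proposal" and the "no matching IKEv2 proposals" failure above: it selects one algorithm per transform type in configured priority order, applies the DH guess described under "New features in IKEv2", and reports which transform type left the SA in IN-NEGO. The algorithm keywords aes-cbc-128, group2 and group14 and all peer proposals are constructed sample values.

```python
"""IKEv2 proposal selection and DH-group guessing, modelled on the rules in
this guide (hypothetical example, not device code).

Rules reproduced from the text:
  * a complete proposal has at least one encryption, integrity, PRF and DH entry;
  * within a proposal, an algorithm listed earlier has higher priority;
  * the initiator guesses the responder's DH group in IKE_SA_INIT;
  * with no common algorithm for some transform type the SA stays IN-NEGO.
"""
from dataclasses import dataclass

TRANSFORM_TYPES = ("encryption", "integrity", "prf", "dh")


@dataclass
class Proposal:
    """Ordered algorithm lists, as they would be entered in proposal view."""
    encryption: tuple
    integrity: tuple
    prf: tuple
    dh: tuple

    def is_complete(self):
        return all(getattr(self, t) for t in TRANSFORM_TYPES)


def select_transforms(initiator, responder):
    """Pick, per transform type, the first initiator algorithm the responder
    also lists (initiator order = priority).  Returns (chosen, missing)."""
    chosen, missing = {}, []
    for ttype in TRANSFORM_TYPES:
        accepted = set(getattr(responder, ttype))
        match = next((a for a in getattr(initiator, ttype) if a in accepted), None)
        if match is None:
            missing.append(ttype)
        else:
            chosen[ttype] = match
    return chosen, missing


def ike_sa_init(initiator, responder):
    """Simulate the IKE_SA_INIT exchange.  Returns the resulting SA status
    (EST or IN-NEGO), the number of messages on the wire and, on failure,
    the diagnosis a troubleshooter would want."""
    if not initiator.is_complete() or not responder.is_complete():
        return {"status": "IN-NEGO", "messages": 0,
                "reason": "incomplete proposal (one algorithm of each type required)"}
    chosen, missing = select_transforms(initiator, responder)
    if missing:
        # Responder answers NO_PROPOSAL_CHOSEN; the SA never leaves IN-NEGO.
        return {"status": "IN-NEGO", "messages": 2,
                "reason": "no common algorithm for: " + ", ".join(missing)}
    messages = 2
    guess = initiator.dh[0]          # KE payload carries the highest-priority group
    if guess != chosen["dh"]:
        # Responder rejects the guess (INVALID_KE_PAYLOAD, RFC 7296 section 1.2)
        # and names the group it selected; the initiator repeats IKE_SA_INIT.
        messages += 2
    return {"status": "EST", "messages": messages, "chosen": chosen,
            "dh_guess_correct": guess == chosen["dh"]}


# Proposal 10 from the configuration example in this chapter.
SWITCH_A = Proposal(("3des-cbc",), ("md5",), ("md5",), ("group1",))

# Constructed peer proposals (sample values, not from the guide).
PEER_SAME = Proposal(("aes-cbc-128", "3des-cbc"), ("sha1", "md5"),
                     ("sha1", "md5"), ("group14", "group1"))
PEER_NO_DH = Proposal(("3des-cbc",), ("md5",), ("md5",), ("group14",))
INITIATOR_TWO_GROUPS = Proposal(("aes-cbc-128",), ("sha256",), ("sha256",),
                                ("group2", "group14"))
PEER_GUESS_WRONG = Proposal(("aes-cbc-128", "3des-cbc"), ("sha256",),
                            ("sha256",), ("group14",))

if __name__ == "__main__":
    print("matching peer:     ", ike_sa_init(SWITCH_A, PEER_SAME))
    print("no common DH group:", ike_sa_init(SWITCH_A, PEER_NO_DH))
    print("wrong DH guess:    ", ike_sa_init(INITIATOR_TWO_GROUPS, PEER_GUESS_WRONG))
```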
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
Stage: Version negotiation
Description: The two parties determine a version to use after negotiation.
Stage: Algorithm negotiation
Description: SSH supports multiple algorithms. Based on the local algorithms, the two parties determine to use the following algorithms:
• Key exchange algorithm for generating session keys.
•...
NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS."
Configuring the device as an SSH server
SSH server configuration task list
Tasks at a glance    Remarks...
• SSH supports locally generated DSA, RSA, and ECDSA key pairs only with default names. • To support SSH clients that use different types of key pairs, generate DSA, RSA, and ECDSA key pairs on the SSH server. • The SSH server operating in FIPS mode supports only RSA and ECDSA key pairs. If both RSA and ECDSA key pairs exist on the server, the server uses the ECDSA key pair.
Enabling the SCP server
After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients.
To enable the SCP server:
Step    Command...
Step: Set the login authentication mode to scheme.
Command: authentication-mode scheme
Remarks: By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference.
Configuring a client's host public key
In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key.
Step: Enter system view.
Command: system-view
Step: Import a client's public key from the public key file.
Command: public-key peer keyname import sshkey filename
Configuring an SSH user
Configure an SSH user and a local user depending on the authentication method.
• If the authentication method is publickey, you must create an SSH user and a local user on the SSH server.
For a client that sends the user's public key information to the server through a digital certificate, specify a PKI domain on the server to verify the client's digital certificate. For successful verification, the specified PKI domain must have the correct CA certificate. To specify the PKI domain, use the ssh user or ssh server pki-domain command.
Step: Specify an ACL to control SSH user connections.
Command:
• Control IPv4 SSH user connections: ssh server acl acl-number
• Control IPv6 SSH user connections: ssh server ipv6 acl [ ipv6 ] acl-number...
Remarks: By default, all SSH users are allowed to initiate connections with the SSH server.
Tasks at a glance
(Optional.) Establishing a connection to an Stelnet server based on Suite B
Specifying the source IP address for SSH packets
As a best practice, specify the IP address of the loopback interface as the source address of SSH packets for the following purposes:
•...
Establishing a connection to an Stelnet server based on Suite B
• Establish a connection to an IPv4 Stelnet server based on Suite B: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value |...
Step: Enter system view.
Command: system-view
Step: Specify the source IP address for SFTP packets.
Command:
• Specify the source IPv4 address for SFTP packets: sftp client source { ip ip-address | interface interface-type ...
Remarks: By default, the source IP address for SFTP packets is not configured. The IPv4 SFTP packets use the primary IP address of the output...
• Establish a connection to an IPv4 SFTP server based on Suite B: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type ...
Remarks: Available in user view.
Task: Display files under a directory.
Command:
• dir [ -a | -l ] [ remote-path ]
• ls [ -a | -l ] [ remote-path ]
Remarks: The dir command has the same function as the ls command. Available in SFTP client view.
• (In non-FIPS mode.) Connect to an IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |...
• (In non-FIPS mode.) Connect to an IPv6 SCP server, and transfer files with this server: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain...
Establishing a connection to an SCP server based on Suite B
• Establish a connection to an IPv4 SCP server based on Suite B: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain...
Specifying MAC algorithms for SSH2
Step: Enter system view.
Command: system-view
Step: Specify MAC algorithms for SSH2.
Command:
• In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
•...
Remarks: By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and...
Establish an Stelnet connection between the host and the switch, so you can log in to the switch to manage configurations.
Figure 99 Network diagram (Stelnet client: Host, 192.168.1.56/24; Stelnet server: Switch, Vlan-int2 192.168.1.40/24)
Configuration procedure
Configure the Stelnet server:
# Generate RSA key pairs.
[Switch-line-vty0-15] authentication-mode scheme
[Switch-line-vty0-15] quit
# Create a local device management user client001.
[Switch] local-user client001 class manage
# Set the password to aabbcc in plain text for the local user client001.
[Switch-luser-manage-client001] password simple aabbcc
# Authorize the local user client001 to use the SSH service.
[Switch-luser-manage-client001] service-type ssh
# Assign the user role network-admin to the local user client001.
If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
Publickey authentication enabled Stelnet server configuration example
Network requirements
As shown in...
Figure 102 Generating a key pair on the client
b. Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 103. Otherwise, the progress bar stops moving and the key pair generating progress stops.
c. After the key pair is generated, click Save public key to save the public key. A file saving window appears.
Figure 104 Saving a key pair on the client
d. Enter a file name (key.pub in this example), and click Save.
e.
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+
...+....+..+...+
Create the key pair successfully.
Figure 105 Specifying the host name (or IP address)
c. Select Connection > SSH from the navigation tree. The window shown in Figure 106 appears.
d. Specify the Preferred SSH protocol version as 2.
Figure 106 Specifying the preferred SSH version...
e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 107 appears.
f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
Figure 107 Specifying the private key file
a.
Configuration procedure
Configure the Stelnet server:
# Generate RSA key pairs.
system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
# Assign the user role network-admin to the local user client001.
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Create an SSH user client001. Specify the service type as stelnet and the authentication method as password for the user.
[SwitchB] ssh user client001 service-type stelnet authentication-type password
Establish a connection to the Stelnet server:
# Assign an IP address to VLAN-interface 2.
01F7C62621216D5A572C379A32AC290
[SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465
8716261214A5A3B493E866991113B2D
[SwitchA-pkey-public-key-key1]485348
[SwitchA-pkey-public-key-key1] peer-public-key end
[SwitchA] quit
# Establish an SSH connection to the server, and specify the host public key of the server.
ssh2 192.168.1.40 publickey key1
Username: client001
client001@192.168.1.40's password:
After you enter the correct password, you successfully log in to Switch B. If the client does not have the server's host public key, the system asks you to confirm whether to continue the access when you connect to the server.
# Generate a DSA key pair.
[SwitchA] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for the user lines.
[SwitchB] line vty 0 15
[SwitchB-line-vty0-15] authentication-mode scheme
[SwitchB-line-vty0-15] quit
# Import the peer public key from the file key.pub, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey key.pub
# Create an SSH user client002.
Figure 110 Network diagram
Configuration procedure
Generate the client's certificate and the server's certificate. (Details not shown.)
You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties. In this example, the server's certificate file is ssh-server-ecdsa256.p12 and the client's certificate file is ssh-client-ecdsa256.p12.
# Create a PKI domain named client256 for the client's certificate and enter its view.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 15
[SwitchB-line-vty0-15] authentication-mode scheme
[SwitchB-line-vty0-15] quit
# Create a local device management user client001.
Password authentication enabled SFTP server configuration example
Network requirements
As shown in Figure 111:
• The switch acts as the SFTP server and uses password authentication.
• The username and password of the client are saved on the switch.
Establish an SFTP connection between the host and the switch, so you can log in to the switch to manage and transfer files.
# Enable the SFTP server.
[Switch] sftp server enable
# Assign an IP address to VLAN-interface 2. The client uses this address as the destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0
[Switch-Vlan-interface2] quit
# Create a local device management user client002.
[Switch] local-user client002 class manage
# Set the password to aabbcc in plain text for the local user client002.
Figure 112 SFTP client interface
Publickey authentication enabled SFTP client configuration example
Network requirements
As shown in Figure 113, Switch B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm. Establish an SFTP connection between Switch A and Switch B, so you can log in to Switch B to manage and transfer files.
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
......++++++
....++++++
..++++++++
....++++++++
Create the key pair successfully.
# Export the host public key to the file pubkey.
[SwitchA] public-key local export rsa ssh2 pubkey
[SwitchA] quit
# Transmit the public key file pubkey to the server through FTP or TFTP.
[SwitchB-Vlan-interface2] quit
# Import the peer public key from the file pubkey, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey pubkey
# Create an SSH user client001. Specify the service type as sftp and the authentication method as publickey for the user. Assign the public key switchkey to the user.
[SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey switchkey
# Create a local device management user client001.
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
# Rename directory new1 to new2 and verify the result.
sftp> rename new1 new2
sftp> dir -l
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup...
Figure 114 Network diagram
Configuration procedure
Generate the client's certificate and the server's certificate. (Details not shown.)
You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties. In this example, the server's certificate file is ssh-server-ecdsa384.p12 and the client's certificate file is ssh-client-ecdsa384.p12.
# Create a PKI domain named client384 for the client's certificate and enter its view.
# Enable the SFTP server.
[SwitchB] sftp server enable
# Assign an IP address to VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 15
[SwitchB-line-vty0-15] authentication-mode scheme
[SwitchB-line-vty0-15] quit
# Create a local device management user client001.
Figure 115 Network diagram
Configuration procedure
Configure the SCP server:
# Generate RSA key pairs.
system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
# Authorize the local user client001 to use the SSH service.
[SwitchB-luser-manage-client001] service-type ssh
# Assign the user role network-admin to the local user client001.
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Configure the SSH user client001. Specify the service type as scp and the authentication method as password for the user.
In this example, the server's certificate files are ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12. The client's certificate files are ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12.
Configure the SCP client:
NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client.
# Create a PKI domain named client256 for the client's certificate ecdsa256 and enter its view.
[SwitchA] pki domain client256
# Disable CRL checking.
# Create a PKI domain named server384 for verifying the server's certificate ecdsa384 and enter its view.
# Create a PKI domain named client384 for the client's certificate ecdsa384 and enter its view.
[SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384
# Enable the SCP server.
[SwitchB] scp server enable
# Assign an IP address to VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 15
[SwitchB-line-vty0-15] authentication-mode scheme
[SwitchB-line-vty0-15] quit...
# Establish an SCP connection to the SCP server 192.168.0.1 based on the 192-bit Suite B algorithms.
scp 192.168.0.1 get src.cfg suite-b 192-bit pki-domain client384 server-pki-domain server384
Username: client002
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
src.cfg    100%   4814   4.7KB/s...
......++++++
....++++++
..++++++++
....++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Configuring IP source guard
Overview
IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops all packets that do not match the table.
IPSG is a per-interface packet filter. The feature configured on one interface does not affect packet forwarding on another interface.
The IPSG binding table can include the following bindings:
•...
Dynamic IPSG bindings
IPSG automatically obtains user information from other modules to generate dynamic bindings. The source modules include 802.1X, DHCP relay, DHCP snooping, DHCPv6 snooping, and DHCP server. DHCP-based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP.
Configuring the IPv4SG feature
You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group.
Enabling IPv4SG on an interface
When you enable IPSG on an interface, the static and dynamic IPSG are both enabled.
•...
Step: Enter interface view.
Command: interface interface-type interface-number
Remarks: The following interface types are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface.
By default, no static IPv4SG binding is configured on an interface. The vlan vlan-id option is supported only in Layer 2 Ethernet interface view.
Interface-specific static bindings take priority over global static bindings. An interface first uses the static bindings on the interface to match packets. If no match is found, the interface uses the global bindings.
Configuring a global static IPv6SG binding
Step: Enter system view.
IPSG configuration examples
Static IPv4SG configuration example
Network requirements
As shown in Figure 119, all hosts use static IP addresses. Configure static IPv4SG bindings on Device A and Device B to meet the following requirements:
• GigabitEthernet 1/0/2 of Device A allows only IP packets from Host C to pass.
•...
Configuration procedure
Configure the DHCP server. For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Configure the device:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP snooping.
system-view
[Device] dhcp snooping enable
# Configure GigabitEthernet 1/0/2 as a trusted interface.
Total entries found: 1
IPv6 Address    MAC Address     Interface   VLAN   Type
2001::1         0001-0202-0202  GE1/0/1            Static
Dynamic IPv6SG using DHCPv6 snooping configuration example
Network requirements
As shown in Figure 123, the host (the DHCPv6 client) obtains an IP address from the DHCPv6 server. Perform the following tasks:
•...
Configuring ARP attack protection
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks.
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
• ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
Configuration example
Network requirements
As shown in Figure 124, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets.
Configuring ARP packet rate limit
The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP detection-enabled device sends all received ARP packets to the CPU for inspection. Processing excessive ARP packets can make the device malfunction or even crash.
Configuring source MAC-based ARP attack detection
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry.
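The following Python model is an added example, not the device's implementation, of the detection just described: it counts ARP packets per source MAC over the 5-second window, creates an attack entry when the count exceeds the threshold, ages the entry out, and skips excluded MAC addresses. The threshold of 30, aging time of 60 seconds and excluded MAC 0012-3f86-e94c are the values used in this section's configuration; the monitor (log-only) mode and the replayed packet trace are assumptions.

```python
"""Source MAC-based ARP attack detection, modelled on this section's
description (hypothetical example, not device code).

Per source MAC, the ARP packets delivered to the CPU are counted over a fixed
5-second window.  When the count exceeds the threshold an ARP attack entry is
created that lives for the configured aging time.  In filter mode, later ARP
packets from that MAC are dropped while the entry exists; monitor mode (assumed
here) only logs.  Excluded MAC addresses are never counted.
"""
from collections import defaultdict, deque

CHECK_WINDOW = 5.0  # seconds, fixed by the feature


class ArpSourceMacDetector:
    def __init__(self, threshold=30, aging_time=60, exclude_macs=(), mode="filter"):
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude = set(exclude_macs)
        self.mode = mode
        self.windows = defaultdict(deque)   # src MAC -> arrival times in the window
        self.attack_entries = {}            # src MAC -> time the entry ages out
        self.log = []                       # (time, event, mac) tuples

    def _age_out(self, now):
        for mac, expiry in list(self.attack_entries.items()):
            if now >= expiry:
                del self.attack_entries[mac]
                self.log.append((now, "entry aged out", mac))

    def receive(self, now, src_mac):
        """Handle one ARP packet that reached the CPU; return 'forward' or 'drop'."""
        self._age_out(now)
        if src_mac in self.exclude:
            return "forward"
        if src_mac in self.attack_entries:
            return "drop" if self.mode == "filter" else "forward"
        window = self.windows[src_mac]
        window.append(now)
        while window and now - window[0] >= CHECK_WINDOW:
            window.popleft()                # discard arrivals older than the window
        if len(window) > self.threshold:
            self.attack_entries[src_mac] = now + self.aging_time
            self.log.append((now, "attack entry created", src_mac))
            window.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def run_sample():
    """Replay a constructed packet trace through the configuration used in this
    section: filter mode, threshold 30, aging time 60 s, one excluded MAC."""
    det = ArpSourceMacDetector(threshold=30, aging_time=60,
                               exclude_macs={"0012-3f86-e94c"}, mode="filter")
    NOISY = "000a-0b0c-0d01"        # constructed: 40 ARP packets in two seconds
    EXCLUDED = "0012-3f86-e94c"     # the MAC excluded in this section's configuration
    QUIET = "0001-0202-0202"        # constructed: a normal host, three packets

    trace = [(i * 0.05, NOISY) for i in range(40)]
    trace += [(i * 0.05 + 0.01, EXCLUDED) for i in range(40)]
    trace += [(t, QUIET) for t in (0.3, 1.7, 3.9)]
    trace.sort()

    verdicts = defaultdict(lambda: {"forward": 0, "drop": 0})
    for t, mac in trace:
        verdicts[mac][det.receive(t, mac)] += 1

    # The entry created at 1.5 s ages out at 61.5 s, so a packet at 70 s is forwarded again.
    late = det.receive(70.0, NOISY)
    return {
        "noisy": dict(verdicts[NOISY]),
        "excluded": dict(verdicts[EXCLUDED]),
        "quiet": dict(verdicts[QUIET]),
        "entries_created": sum(1 for _, ev, _ in det.log if ev == "attack entry created"),
        "after_aging": late,
    }


if __name__ == "__main__":
    print(run_sample())
```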
[Device] arp source-mac filter
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet...
Configuring authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide. With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries.
• ARP packet validity check. • ARP restricted forwarding. • ARP detection logging. If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies. Configuring user validity check The device checks user validity upon receiving an ARP packet from an ARP untrusted interface as follows: Uses the user validity check rules to match the sender IP and MAC addresses of the ARP packet.
(Optional.) Configure the interface as a trusted interface excluded from ARP detection.
    Command: arp detection trust
    Remarks: By default, an interface is untrusted.
Configuring ARP packet validity check
Enable validity check for ARP packets received on untrusted interfaces and specify the following objects to be checked:
•...
To enable ARP restricted forwarding:
Enter system view.
    Command: system-view
Enter VLAN view.
    Command: vlan vlan-id
Enable ARP restricted forwarding.
    Command: arp restricted-forwarding enable
    Remarks: By default, ARP restricted forwarding is disabled.
Enabling ARP detection logging
The ARP detection logging feature enables a device to generate ARP detection log messages when illegal ARP packets are detected.
Figure 128 Network diagram Configuration procedure Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure the DHCP server on Switch A, and configure DHCP address pool 0. ...
[SwitchB-GigabitEthernet1/0/3] quit After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are checked against 802.1X entries. User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 129, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts.
[SwitchB-GigabitEthernet1/0/1] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.
[SwitchB-vlan10] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] arp detection trust
[SwitchB-GigabitEthernet1/0/3] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.
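As an added example (not Comware code), the following Python models the checks an ARP packet from an untrusted port goes through in the configuration above: the packet validity check (the src-mac, ip and dst-mac objects) runs first, then the user validity check matches the sender IP and MAC against DHCP snooping and static IP source guard bindings, and trusted ports are exempt. It also models the source MAC-based ARP attack detection described earlier in this chapter (packets per source MAC in a 5-second window, a threshold, an aging time for attack entries, excluded MACs, filter mode). The frame layout is RFC 826 ARP over Ethernet; the binding-table shape, the deque-based window and the order in which the rate check runs relative to the validity checks are assumptions of this model, and all frames are constructed for the test.

```python
"""ARP detection on an access switch: packet validity, user validity and
source MAC-based rate checks (added example, not Comware code)."""
import struct
from collections import defaultdict, deque

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2
BAD_IPS = {b"\x00\x00\x00\x00", b"\xff\xff\xff\xff"}


def parse_arp(frame):
    """Return the Ethernet and ARP fields of an ARP frame, or None for non-ARP."""
    dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype != 0x0806:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    return {"eth_dst": dst, "eth_src": src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a constructed test frame (6-byte MACs and 4-byte IPs as raw bytes)."""
    return ETH_HDR.pack(eth_dst, eth_src, 0x0806) + ARP_BODY.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def packet_validity_errors(p):
    """ARP packet validity check: the src-mac, ip and dst-mac objects."""
    errs = []
    if p["eth_src"] != p["sha"]:
        errs.append("src-mac: Ethernet source MAC differs from ARP sender MAC")
    ips = [p["spa"]] + ([p["tpa"]] if p["op"] == ARP_REPLY else [])
    if any(ip in BAD_IPS or 224 <= ip[0] <= 239 for ip in ips):
        errs.append("ip: all-zero, all-one or multicast sender/target IP")
    if p["op"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        errs.append("dst-mac: Ethernet destination MAC differs from ARP target MAC")
    return errs


class ArpDetector:
    def __init__(self, bindings, trusted_ports, mac_threshold=30, mac_aging=60, exclude_macs=()):
        self.bindings = bindings        # {(port, vlan): {(ip, mac), ...}}: DHCP snooping + static IPSG entries
        self.trusted = set(trusted_ports)
        self.threshold, self.aging = mac_threshold, mac_aging
        self.exclude = set(exclude_macs)
        self.seen = defaultdict(deque)  # source MAC -> arrival times within the last 5 s
        self.attack_entries = {}        # source MAC -> time the ARP attack entry expires

    def _source_mac_ok(self, mac, now):
        """Filter mode: more than `threshold` packets in 5 s creates an attack entry for `aging` seconds."""
        if mac in self.exclude:
            return True
        if mac in self.attack_entries:
            if now < self.attack_entries[mac]:
                return False
            del self.attack_entries[mac]
        q = self.seen[mac]
        q.append(now)
        while now - q[0] > 5:
            q.popleft()
        if len(q) > self.threshold:
            self.attack_entries[mac] = now + self.aging
            return False
        return True

    def inspect(self, frame, port, vlan, now):
        """Return (forward, reason) for one frame received on port/vlan at time now."""
        p = parse_arp(frame)
        if p is None:
            return True, "not ARP"
        if not self._source_mac_ok(p["eth_src"], now):
            return False, "source MAC-based ARP attack entry"
        if port in self.trusted:
            return True, "trusted port: not checked"
        errs = packet_validity_errors(p)            # packet validity check applies first
        if errs:
            return False, errs[0]
        if (p["spa"], p["sha"]) not in self.bindings.get((port, vlan), ()):
            return False, "user validity: no binding for sender IP/MAC on this port"
        return True, "ok"
```

Note that a frame whose Ethernet source differs from the ARP sender MAC is rejected before the binding lookup; a forged reply therefore cannot pass by borrowing a legitimately bound sender pair in the ARP body while being sent from another NIC.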
Configuration procedure
To configure ARP scanning and fixed ARP:
Enter system view.
    Command: system-view
Enter Layer 3 Ethernet interface, VLAN interface, or Layer 3 aggregate interface view.
    Command: interface interface-type interface-number
Trigger an ARP scanning.
    Command: arp scan [ start-ip-address to end-ip-address ]
Return to system view.
Configuration example Network requirements As shown in Figure 130, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 130 Network diagram Configuration procedure # Configure ARP gateway protection on Switch B.
• If ARP filtering works with ARP detection, MFF, ARP snooping, and ARP fast-reply, ARP filtering applies first.
Configuration procedure
To configure ARP filtering:
Enter system view.
    Command: system-view
Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.
    Command: interface interface-type interface-number
Verifying the configuration # Verify that GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets. # Verify that GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP packets. Configuring the checking of sender IP addresses for ARP packets This feature allows a gateway to check the sender IP address of an ARP packet before ARP learning.
Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
uRPF operation Figure 133 shows how uRPF works. Figure 133 uRPF work flow uRPF checks address validity: uRPF permits a packet with a multicast destination address. For a packet with an all-zero source address, uRPF permits the packet if it has a broadcast destination address.
255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) The packet is discarded if it has a non-broadcast destination address. uRPF proceeds to step 2 for other packets. uRPF checks whether the source address matches a unicast route: If yes, uRPF proceeds to step 3.
Configuration procedure A device supports uRPF configuration globally. Global uRPF configuration takes effect on all interfaces. Follow these guidelines when you configure uRPF: • uRPF is not supported on the LSUM1TGS48SG0(JH197A, JH205A) module. • uRPF checks only incoming packets on an interface. •...
Configure strict uRPF check on Switch B.
system-view
[SwitchB] ip urpf strict
Configure strict uRPF check on Switch A and allow using the default route for uRPF check.
system-view
[SwitchA] ip urpf strict allow-default-route
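The uRPF work flow described above, written out as a function over a small constructed FIB, is an added example and not Comware code. It implements the steps in this chapter (address validity, source route lookup, then the strict-mode interface comparison) and the allow-default-route option as configured on Switch A above; the FIB contents, the interface names and the `urpf_check` signature are assumptions for illustration.

```python
"""Strict and loose uRPF check modelled on the work flow above (added example)."""
import ipaddress

# Constructed FIB: (prefix, output interface). The last entry is the default route.
FIB = [
    (ipaddress.ip_network("10.1.1.0/24"), "GE1/0/1"),
    (ipaddress.ip_network("10.1.2.0/24"), "GE1/0/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "GE1/0/3"),
]

ZERO = ipaddress.ip_address("0.0.0.0")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def lookup(fib, addr):
    """Longest-prefix match; returns (network, output interface) or None."""
    best = None
    for net, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, dst, in_iface, mode="strict", allow_default_route=False):
    """Return (permit, reason) for a packet with src/dst received on in_iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: address validity.
    if dst.is_multicast:
        return True, "multicast destination: permitted"
    if src == ZERO:
        if dst == LIMITED_BROADCAST:
            return True, "all-zero source to broadcast (DHCP/BOOTP): permitted"
        return False, "all-zero source to non-broadcast destination: discarded"
    # Step 2: does the source address match a unicast route?
    route = lookup(fib, src)
    if route is None:
        return False, "no route to source: discarded"
    net, out_iface = route
    if net.prefixlen == 0 and not allow_default_route:
        return False, "source matches only the default route: discarded"
    # Step 3: strict mode also requires the route's output interface to be the receiving interface.
    if mode == "strict" and out_iface != in_iface:
        return False, f"strict: route points to {out_iface}, packet arrived on {in_iface}"
    return True, f"{mode}: source route found"
```

Loose mode only requires that some route back to the source exists, so it stops unroutable (bogon) sources but not spoofing of any prefix the device can reach; strict mode also rejects asymmetric paths, which is why the Switch A configuration above has to opt in to the default route explicitly rather than getting it for free.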
Configuring IPv6 uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
IPv6 uRPF operation Figure 137 shows how IPv6 uRPF works. Figure 137 IPv6 uRPF work flow IPv6 uRPF checks whether the received packet carries a multicast destination address: If yes, IPv6 uRPF permits the packet. If no, IPv6 uRPF proceeds to step 2. IPv6 uRPF checks whether the source address matches a unicast route: If yes, IPv6 uRPF proceeds to step 3.
If no, IPv6 uRPF discards the packet. A non-unicast source address matches a non-unicast route. IPv6 uRPF checks whether the matching route is to the host itself: If yes, the output interface of the matching route is an InLoop interface. IPv6 uRPF checks whether the receiving interface of the packet is an InLoop interface.
Configuration procedure A device supports IPv6 uRPF configuration globally. Global IPv6 uRPF configuration takes effect on all interfaces. Follow these guidelines when you configure IPv6 uRPF: • IPv6 uRPF is not supported on the LSUM1TGS48SG0(JH197A, JH205A) module. • IPv6 uRPF does not check packets received on the SA interface modules if the source IPv6 addresses of the packets have a prefix length longer than 64.
Configuration procedure
Configure strict IPv6 uRPF check on Switch B.
system-view
[SwitchB] ipv6 urpf strict
Configure strict IPv6 uRPF check on Switch A and allow using the default route for IPv6 uRPF check.
system-view
[SwitchA] ipv6 urpf strict allow-default-route
Configuring FIPS Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type. f. Save the current configuration file. g. Specify the current configuration file as the startup configuration file. h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
A username.
A password that complies with the password control policies as described in step 2 and step 3.
A user role of network-admin or mdc-admin.
A service type of terminal.
Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
Enable FIPS mode.
The password for a device management local user and password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters.
self-test fails, the card where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information. NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support. Power-up self-tests Power-up self-tests include the following types: • Known-answer test (KAT) This test examines the availability of FIPS-allowed cryptographic algorithms.
• Signature and authentication PWCT test—This pairwise consistency test runs when a DSA/RSA asymmetric key pair is generated. It uses the private key to sign specific data and then uses the public key to verify the signature. If verification succeeds, the test succeeds.
•...
Enter password(15-63 characters): Confirm password: Waiting for reboot... After reboot, the device will enter FIPS mode. Verifying the configuration After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode.
# Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
[Sysname] password-control composition type-number 4 type-length 1
# Set the minimum length of user passwords to 15 characters.
[Sysname] password-control length 15
# Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
Updating user information. Please wait...
# Display the current FIPS mode state.
display fips status
FIPS mode is enabled.
Exiting FIPS mode through automatic reboot
Network requirements
A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
[Sysname] quit
# Delete the startup configuration file in binary format.
Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, and blacklisting. Attacks that the device can prevent This section describes the attacks that the device can detect and prevent.
Single-packet attack: IP options attack
    Description: An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets.
Single-packet attack: IP fragment
    Description: An attacker sends the victim an IP datagram with a fragment offset smaller than 5, which causes the victim to malfunction or crash.
The device can detect and prevent the IP sweep and port scan attacks. If an attacker performs port scanning from multiple hosts to the target host, distributed port scan attacks occur. Flood attacks An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time.
An ICMP flood attacker sends ICMP request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services. • ICMPv6 flood attack. An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate.
Attack detection and prevention configuration task list
Tasks at a glance
(Required.) Configuring an attack defense policy:
  • (Required.) Creating an attack defense policy
  • (Required.) Perform at least one of the following tasks to configure attack detection:
      Configuring a single-packet attack defense policy
      Configuring a scanning attack defense policy
      Configuring a flood attack defense policy
  •...
To configure a single-packet attack defense policy:
Enter system view.
    Command: system-view
Enter attack defense policy view.
    Command: attack-defense policy policy-name
• signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment |...
(Optional.) Specify the actions against single-packet attacks of a level.
    Command: signature level { high | info | low | medium } action { { drop | logging } * | none }
    Remarks: The default action is logging for single-packet attacks of the informational and low levels. The default actions are...
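The following added example (not Comware code) classifies raw IPv4 packets against several of the signatures named in the signature detect command above, returning the signature names so that a policy action (drop, logging) can be applied per name. The fragment rule is the offset-smaller-than-5 condition from the attack table above; the smurf and fraggle rules follow the classic definitions of those attacks; the land, tcp-invalid-flags, tiny-fragment and large-icmp rules are this example's interpretation of those signature names, and the 4000-byte ICMP limit is an assumed value. The packet builders at the end produce constructed test packets only.

```python
"""Single-packet attack signatures over raw IPv4 packets (added example, not Comware code)."""
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")
TCP_HDR = struct.Struct("!HHIIBBHHH")
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LARGE_ICMP_MAX = 4000          # assumed length limit for the large-icmp signature
BROADCAST = b"\xff\xff\xff\xff"


def parse_ipv4(pkt):
    vihl, _, total_len, _, frag, _, proto, _, src, dst = IP_HDR.unpack_from(pkt)
    ihl = (vihl & 0x0F) * 4
    return {"total_len": total_len, "mf": bool(frag & 0x2000), "offset": frag & 0x1FFF,
            "proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:total_len]}


def signatures(pkt, directed_broadcast=BROADCAST):
    """Return the set of signature names (as used by `signature detect`) that match one packet."""
    ip = parse_ipv4(pkt)
    pl, hits = ip["payload"], set()
    bcast = ip["dst"] in (BROADCAST, directed_broadcast)
    if ip["src"] == ip["dst"]:
        hits.add("land")                      # assumption: same source and destination address
    if 0 < ip["offset"] < 5:
        hits.add("fragment")                  # fragment offset smaller than 5 (attack table above)
    if ip["mf"] and ip["offset"] == 0 and ip["proto"] == 6 and len(pl) < TCP_HDR.size:
        hits.add("tiny-fragment")             # first fragment too small to hold a TCP header
    if ip["proto"] == 1 and pl:
        if pl[0] == 8 and bcast:
            hits.add("smurf")                 # ICMP echo request to a broadcast address
        if ip["total_len"] > LARGE_ICMP_MAX:
            hits.add("large-icmp")
    if ip["proto"] == 17 and len(pl) >= 4 and bcast:
        if struct.unpack_from("!H", pl, 2)[0] in (7, 19):
            hits.add("fraggle")               # UDP echo/chargen to a broadcast address
    if ip["proto"] == 6 and ip["offset"] == 0 and len(pl) >= TCP_HDR.size:
        flags = TCP_HDR.unpack_from(pl)[5] & 0x3F
        if flags == 0:
            hits.add("tcp-null-flag")
        if flags == 0x3F:
            hits.add("tcp-all-flags")
        if flags & SYN and flags & FIN:
            hits.add("tcp-syn-fin")
        if flags == FIN:
            hits.add("tcp-fin-only")
        if flags & SYN and flags & RST:
            hits.add("tcp-invalid-flags")     # assumption: SYN together with RST is never legitimate
    return hits


# Builders for constructed test packets (checksums left at zero).
def build_ipv4(src, dst, proto, payload, mf=False, offset=0, total_len=None):
    frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    total = IP_HDR.size + len(payload) if total_len is None else total_len
    return IP_HDR.pack(0x45, 0, total, 1, frag, 64, proto, 0, src, dst) + payload


def tcp(sport, dport, flags):
    return TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)
```

The TCP flag rules are deliberately skipped for non-first fragments (offset other than 0), because the TCP header is only present in the first fragment; a detector that reads flags from a later fragment is trivially evaded.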
You can configure flood attack detection and prevention for a specific IP address. For non-specific IP addresses, the device uses the global attack prevention settings.
Configuring a SYN flood attack defense policy
Enter system view.
    Command: system-view
Enter attack defense policy view.
    Command: attack-defense policy policy-name
Set the global trigger threshold for SYN-ACK flood attack prevention.
    Command: syn-ack-flood threshold threshold-value
    Remarks: The default setting is 1000.
Specify global actions against SYN-ACK flood attacks.
    Command: syn-ack-flood action { drop | logging } *
    Remarks: By default, no global action is specified for SYN-ACK flood attacks.
Configure IP address-specific RST flood attack detection.
    Command: rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]
    Remarks: By default, IP address-specific RST flood attack detection is not configured.
Configuring an ICMP flood attack defense policy
Step...
Enter attack defense policy view.
    Command: attack-defense policy policy-name
Enable global UDP flood attack detection.
    Command: udp-flood detect non-specific
    Remarks: By default, global UDP flood attack detection is disabled.
Set the global trigger threshold for UDP flood attack prevention.
    Command: udp-flood threshold threshold-value
    Remarks: The default setting is 1000.
Set the global trigger threshold for HTTP flood attack prevention.
    Command: http-flood threshold threshold-value
    Remarks: The default setting is 1000.
(Optional.) Specify the global ports to be protected against HTTP flood attacks.
    Command: http-flood port port-list
    Remarks: By default, HTTP flood attack prevention protects port 80.
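An added example (not Comware code) of the threshold model behind the flood tables above: a per-destination packet rate for one flood type (SYN, SYN-ACK, RST, UDP, HTTP) is compared with the global threshold (default 1000 packets per second), or with the address-specific threshold when one is configured for that destination, and the configured actions (drop, logging) apply while the rate exceeds the threshold. The one-second sliding window, the rule that an attack ends as soon as the rate is back under the threshold, the `non_specific` switch standing in for the `detect non-specific` command, and the traffic generator are simplifications of this model.

```python
"""Rate-based flood detection with global and IP-specific thresholds (added example, not Comware code)."""
from collections import defaultdict, deque


class FloodDetector:
    """Tracks one flood type (for example SYN) per destination over a sliding 1-second window."""

    def __init__(self, global_threshold=1000, global_actions=(), non_specific=True, ip_rules=None):
        self.global_threshold = global_threshold   # packets per second; the tables above default to 1000
        self.global_actions = set(global_actions)  # subset of {"drop", "logging"}
        self.non_specific = non_specific           # global detection enabled for unlisted destinations
        self.ip_rules = ip_rules or {}             # dst -> (threshold, actions) for protected addresses
        self.window = defaultdict(deque)           # dst -> arrival timestamps within the last second
        self.under_attack = set()
        self.log = []

    def rule_for(self, dst):
        """Address-specific settings win; otherwise the global settings apply if enabled."""
        if dst in self.ip_rules:
            return self.ip_rules[dst]
        if self.non_specific:
            return self.global_threshold, self.global_actions
        return None

    def observe(self, ts, dst):
        """Account one packet of the flood type sent to dst at time ts; return 'forward' or 'drop'."""
        rule = self.rule_for(dst)
        if rule is None:
            return "forward"                       # no detection configured for this destination
        threshold, actions = rule
        q = self.window[dst]
        q.append(ts)
        while ts - q[0] > 1.0:
            q.popleft()
        rate = len(q)
        if rate > threshold:
            if dst not in self.under_attack:       # log once per attack, not once per packet
                self.under_attack.add(dst)
                if "logging" in actions:
                    self.log.append(f"{ts:.3f} {dst}: flood detected, {rate} pps exceeds {threshold}")
            return "drop" if "drop" in actions else "forward"
        self.under_attack.discard(dst)             # simplification: attack ends once the rate is back under threshold
        return "forward"


def simulate(detector, events):
    """Run (ts, dst) events through the detector; return {dst: (forwarded, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for ts, dst in sorted(events):
        idx = 1 if detector.observe(ts, dst) == "drop" else 0
        counts[dst][idx] += 1
    return {dst: tuple(c) for dst, c in counts.items()}


def constructed_burst(dst, packets, start=0.0, duration=0.5):
    """Constructed traffic: `packets` SYNs to dst spread evenly over `duration` seconds."""
    return [(start + i * duration / packets, dst) for i in range(packets)]
```

With the global action set to logging only (the default for several flood types above is no action at all), a burst is recorded but still forwarded; the address-specific entry for 10.1.1.2 in the verification output later in this chapter is the kind of rule that lets a busy server carry a higher threshold than the rest of the network.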
If you apply an attack defense policy to a global interface, specify a service card to process traffic for the interface. If you do not specify a service card, the policy cannot correctly detect and prevent scanning and flood attacks. To apply an attack defense policy to an interface: Step Command...
As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.
To enable log non-aggregation for single-packet attack events:
Enter system view.
    Command: system-view
Enable log non-aggregation for single-packet attack events.
    Command: attack-defense signature log ...
    Remarks: By default, log non-aggregation is disabled for single-packet attack...
Enable the login delay feature.
    Command: attack-defense login reauthentication-delay seconds
    Remarks: By default, the login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.
Displaying and maintaining attack detection and prevention
Use the display commands in any view and the reset commands in user view.
# Create the attack defense policy a1.
[Device] attack-defense policy a1
# Configure signature detection for smurf attacks, and specify logging as the prevention action.
[Device-attack-defense-policy-a1] signature detect smurf action logging
# Configure low-level scanning attack detection, specify logging and block-source as the prevention actions, and set the blacklist entry aging time to 10 minutes.
TCP FIN only flag                 Disabled   medium
TCP Land                          Disabled   medium
Winnuke                           Disabled   medium
UDP Bomb                          Disabled   medium
UDP Snork                         Disabled   medium
UDP Fraggle                       Disabled   medium
IP option record route            Disabled   info
IP option internet timestamp      Disabled   info
IP option security                Disabled   info
IP option loose source routing...
UDP flood       1000(default)   Disabled
ICMP flood      1000(default)   Disabled
ICMPv6 flood    1000(default)   Disabled
DNS flood       1000(default)   Disabled
HTTP flood      1000(default)   Disabled
Flood attack defense for protected IP addresses:
Address      VPN instance   Flood type   Thres(pps)   Actions   Ports
10.1.1.2                    SYN-FLOOD    5000
# Verify that the attack detection and prevention takes effect on GigabitEthernet 1/0/2.
[Device] display attack-defense statistics interface gigabitethernet 1/0/2
Attack policy name: a1
Scan attack defense statistics:...
system-view
[Device] blacklist global enable
# Add an IPv4 blacklist entry for Host D.
[Device] blacklist ip 5.5.5.5
# Add an IPv4 blacklist entry for Host C and set the blacklist entry aging time to 50 minutes.
[Device] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
# Verify that the IPv4 blacklist entries are successfully added.
Configuring MACsec Overview Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer. Basic concepts Secure connectivity association (CA) is a group of CA participants that use the same key and key algorithm.
out-of-order packets within the replay protection window size and drop other out-of-order packets. MACsec applications MACsec supports the following application modes: • Client-oriented mode—Operates with 802.1X authentication and secures data transmission between the client and the access device. In this mode, the authentication server generates and distributes the CAK to the client and the access device.
Figure 144 MACsec interactive process in client-oriented mode The following shows the MACsec process: After the client passes 802.1X authentication, the RADIUS server distributes the generated CAK to the client and the access device. After receiving the CAK, the client and the access device exchange EAPOL-MKA packets. The client and the access device exchange the MACsec capability and required parameters for session establishment.
Operating mechanism for device-oriented mode As shown in Figure 145, the devices use the configured preshared keys to start the session negotiation. In this mode, the session negotiation, secure communication, and session termination processes are the same as the processes in client-oriented mode. However, MACsec performs a key server selection in this mode.
MACsec configuration task list
Tasks at a glance
(Required.) Enabling MKA
(Optional.) Enabling MACsec desire
(Required.) Configuring a preshared key
(Optional.) Configuring the MKA key server priority
(Optional.) Use one of the following methods to configure MACsec protection parameters:
  • Configuring MACsec protection parameters in interface view:
      Configuring the MACsec confidentiality offset...
Enter interface view.
    Command: interface interface-type interface-number
Enable MACsec desire.
    Command: macsec desire
    Remarks: By default, the port does not expect MACsec protection for outbound frames.
Configuring a preshared key
In device-oriented mode, configure a preshared key as the CAK to be used during MKA negotiation. To successfully establish an MKA session between two devices, make sure the connected MACsec ports are configured with the same preshared key.
also removes the MKA policy application from the port. However, other parameter settings of the MKA policy are effective on the port. If the parameter value in interface view is the same as the value in the MKA policy, your configuration does not take effect.
To avoid data loss, use the default validation mode check on the MACsec devices in case of MKA negotiation failure. After you use the display macsec command to verify that MKA negotiation has succeeded, change the validation mode to strict. To configure the MACsec validation mode: Step Command...
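As an added example (not Comware code), the receive-side logic behind the replay protection and validation mode settings described above, for one receive secure association: when replay protection is on, a packet number (PN) older than the next expected PN minus the window size is dropped, and a frame that fails the ICV check is counted but forwarded in check mode and dropped in strict mode. The AES-GCM ICV computation itself is outside the scope of the example, so the caller supplies the result of that check; the class, counter names and the lowest-acceptable-PN formula follow the IEEE 802.1AE receive model and are assumptions of this example, not a description of the switch implementation.

```python
"""Receive-side MACsec replay protection and validation mode (added example, not Comware code)."""


class MacsecRxSa:
    """State for one receive secure association: next expected packet number (PN) and counters."""

    def __init__(self, validation="check", replay_protection=False, window_size=0):
        if validation not in ("check", "strict"):
            raise ValueError("validation mode must be check or strict")
        self.validation = validation
        self.replay_protection = replay_protection
        self.window_size = window_size
        self.next_pn = 1                         # PN 0 is never used on the wire
        self.counters = {"ok": 0, "late": 0, "invalid": 0}

    def lowest_acceptable_pn(self):
        """Out-of-order frames are accepted back to this PN (window_size 0 means strictly in order)."""
        return max(1, self.next_pn - self.window_size)

    def receive(self, pn, icv_valid):
        """pn: PN from the SecTAG; icv_valid: result of the AES-GCM ICV check. Returns (accept, reason)."""
        if self.replay_protection and pn < self.lowest_acceptable_pn():
            self.counters["late"] += 1
            return False, f"PN {pn} below replay window (lowest acceptable {self.lowest_acceptable_pn()})"
        if not icv_valid:
            self.counters["invalid"] += 1
            if self.validation == "strict":
                return False, "ICV check failed: dropped (strict)"
            return True, "ICV check failed: counted and forwarded (check)"
        self.counters["ok"] += 1
        if pn >= self.next_pn:                   # only validated frames advance the window
            self.next_pn = pn + 1
        return True, "ok"
```

Two consequences worth keeping in mind when choosing the window size of 100 used in the example later in this chapter: a frame that was already accepted can be replayed again as long as its PN is still inside the window, so the window is a trade-off between tolerance for reordering and replay exposure; and because only validated frames advance `next_pn`, check mode never lets an attacker push the window forward with forged frames, it only lets their payload through.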
Applying an MKA policy MKA policy provides a centralized method to configure MACsec confidentiality offset, replay protection, and validation mode. An MKA policy can be applied to a port or multiple ports. When you apply an MKA policy to a port, follow these restrictions and guidelines: •...
To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively: • Set the MACsec confidentiality offset to 30 bytes. • Enable MACsec replay protection, and set the replay protection window size to 100. •...
[DeviceB-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceB-GigabitEthernet1/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceB-GigabitEthernet1/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceB-GigabitEthernet1/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
Confidentiality offset : 30 bytes
Current SAK status     : Rx & Tx
Current SAK AN         :
Current SAK KI (KN)    : 85E004AF49934720AC5131D300000003 (3)
Previous SAK status    : N/A
Previous SAK AN        : N/A
Previous SAK KI (KN)   : N/A
Live peer list:
Priority   Capability   Rx-SCI...
Previous SAK AN        : N/A
Previous SAK KI (KN)   : N/A
Live peer list:
Priority   Capability   Rx-SCI
85E004AF49934720AC5131D3 1216 00E00100000A0006
Troubleshooting MACsec
Symptom
The devices cannot establish MKA sessions when the following conditions exist:
• The link connecting the devices is up.
•...
Configuring MFF Overview MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
Basic concepts An MFF-enabled device has two types of ports: user port and network port. User port An MFF user port is directly connected to a host and processes the following packets differently: • Allows DHCP packets and multicast packets to pass. •...
Automatic mode The automatic mode applies to networks that allocate IP addresses to hosts through DHCP. In automatic mode, the device configured with DHCP snooping resolves Option 3 (Router IP option) in the received DHCP ACK message to obtain a gateway for the DHCP snooping entry. If the DHCP ACK message contains multiple gateway addresses, only the first one is recorded for the entry.
When the MFF device receives an ARP request from a server, the device searches IP-to-MAC address entries it has stored. Then the device replies with the requested MAC address to the server. As a result, packets from a host to a server are forwarded by the gateway. However, packets from a server to a host are not forwarded by the gateway.
Figure 148 Network diagram
Configuration procedure
Configure the IP address of GigabitEthernet 1/0/1 on Gateway.
system-view
[Gateway] interface gigabitethernet 1/0/1
[Gateway-GigabitEthernet1/0/1] ip address 10.1.1.100 24
Configure the DHCP server:
# Enable DHCP and configure DHCP address pool 1.
system-view
[Device] dhcp enable
[Device] dhcp server ip-pool 1
[Device-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
# Configure GigabitEthernet 1/0/6 as a network port.
[SwitchB] interface gigabitethernet 1/0/6
[SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port
# Configure GigabitEthernet 1/0/6 as a DHCP snooping trusted port.
[SwitchB-GigabitEthernet1/0/6] dhcp snooping trust
Enable STP on Switch C globally to make sure STP is enabled on interfaces. ...
Configuring ND attack defense Overview Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks: •...
The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Configuration procedure
To configure ND attack detection:
Enter system view.
    Command: system-view
Enter VLAN view.
    Command: vlan vlan-id
Enable ND attack detection.
    Command: ipv6 nd detection enable
    Remarks: By default, ND attack detection is disabled.
Return to system view.
    Command: quit
Enter Layer 2 Ethernet or aggregate interface view.
    Command: interface interface-type...
Specifying the role of the attached device
Enter system view.
    Command: system-view
Enter Layer 2 Ethernet or aggregate interface view.
    Command: interface interface-type interface-number
Specify the role of the device attached to the port.
    Command: ipv6 nd raguard role { host | router }
    Remarks: By default, the role of the device attached to the port is not specified.
Enabling the RA guard logging feature This feature allows a device to generate logs when it detects forged RA messages. Each log records the following information: • Name of the interface that received the forged RA message. • Source IP address of the forged RA message. •...
Figure 152 Network diagram
Configuration procedure
# Create an RA guard policy named policy1.
system-view
[Switch] ipv6 nd raguard policy policy1
# Set the maximum router preference to high for the RA guard policy.
[Switch-raguard-policy-policy1] if-match router-preference maximum high
# Specify on as the M flag match criterion for the RA guard policy.
[Switch-vlan10] quit
# Specify host as the role of the device attached to GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] ipv6 nd raguard role host
[Switch-GigabitEthernet1/0/1] quit
# Specify router as the role of the device attached to GigabitEthernet 1/0/3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] ipv6 nd raguard role router
[Switch-GigabitEthernet1/0/3] quit
Configuring keychains Overview A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
Displaying and maintaining keychain
Execute display commands in any view.
Display keychain information.
    Command: display keychain [ name keychain-name [ key key-id ] ]
Keychain configuration example
Network requirements
As shown in Figure 153, establish an OSPF neighbor relationship between Switch A and Switch B, and use a keychain to authenticate packets between the switches.
Verifying the configuration When the system time is within the lifetime from 10:00:00 to 11:00:00 on the day 2015/02/06, verify the status of the keys in keychain abc. # Display keychain information on Switch A. The output shows that key 1 is the valid key. [SwitchA] display keychain Keychain name : abc...
Key string      : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm       : hmac-sha-256
Send lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status     : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status   : Inactive
When the system time is within the lifetime from 11:00:00 to 12:00:00 on the day 2015/02/06, verify the status of the keys in keychain abc.
Send status     : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status   : Inactive
Key ID          :
Key string      : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm       : hmac-sha-256
Send lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status     : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status   : Active
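The lifetimes of keychain abc above, reproduced as an added example (not Comware code) in Python: the send lifetime selects the key used to sign an outgoing packet, the accept lifetime bounds which keys are accepted on receipt, and the key string feeds an HMAC-SHA-256 over the packet bytes. The key strings are constructed placeholders (the device displays only the encrypted $c$3$ form), the lowest-key-ID tie-break among active send keys and the use of a generic HMAC (rather than the OSPF-specific RFC 5709 construction) are assumptions of this example.

```python
"""Keychain send/accept lifetimes and HMAC-SHA-256 packet authentication (added example)."""
import hashlib
import hmac
from datetime import datetime


class Key:
    def __init__(self, key_id, key_string, algorithm, send_lifetime, accept_lifetime):
        self.key_id = key_id
        self.key_string = key_string            # plaintext here; the device stores it encrypted
        self.algorithm = algorithm              # "hmac-sha-256" as in the example above
        self.send_lifetime = send_lifetime      # (start, end) datetimes, end exclusive
        self.accept_lifetime = accept_lifetime

    def send_active(self, now):
        return self.send_lifetime[0] <= now < self.send_lifetime[1]

    def accept_active(self, now):
        return self.accept_lifetime[0] <= now < self.accept_lifetime[1]


def digest_for(key, data):
    """Generic HMAC over the packet bytes (not the RFC 5709 OSPF construction)."""
    algo = {"hmac-sha-256": hashlib.sha256, "hmac-sha-1": hashlib.sha1}[key.algorithm]
    return hmac.new(key.key_string.encode(), data, algo).digest()


class Keychain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def active_send_key(self, now):
        """Assumption: the lowest key ID whose send lifetime covers `now` signs outgoing packets."""
        return next((k for k in self.keys if k.send_active(now)), None)

    def sign(self, data, now):
        """Return (key_id, digest) for an outgoing packet, or None when no send key is active."""
        key = self.active_send_key(now)
        if key is None:
            return None
        return key.key_id, digest_for(key, data)

    def verify(self, data, key_id, digest, now):
        """Accept only if the named key exists, its accept lifetime covers `now` and the HMAC matches."""
        key = next((k for k in self.keys if k.key_id == key_id), None)
        if key is None or not key.accept_active(now):
            return False
        return hmac.compare_digest(digest_for(key, data), digest)


def t(s):
    return datetime.strptime(s, "%H:%M:%S %Y/%m/%d")


# Keychain abc with the lifetimes shown above; the key strings are constructed placeholders.
ABC = Keychain("abc", [
    Key(1, "key1-secret", "hmac-sha-256",
        (t("10:00:00 2015/02/06"), t("11:00:00 2015/02/06")),
        (t("10:00:00 2015/02/06"), t("11:00:00 2015/02/06"))),
    Key(2, "key2-secret", "hmac-sha-256",
        (t("11:00:00 2015/02/06"), t("12:00:00 2015/02/06")),
        (t("11:00:00 2015/02/06"), t("12:00:00 2015/02/06"))),
])
```

The two keys abut exactly at 11:00:00, as in the example above, so a packet signed with key 1 at 10:59:59 and received at 11:00:01 fails verification. In production, give each key an accept lifetime that starts before and ends after its send lifetime, so that clock skew between the two switches and packets in flight at the rollover do not break the OSPF adjacency.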
Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
Websites Website Link Networking websites Hewlett Packard Enterprise Information Library for www.hpe.com/networking/resourcefinder Networking Hewlett Packard Enterprise Networking website www.hpe.com/info/networking Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty General websites Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs Hewlett Packard Enterprise Support Center...
part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Page 574
public key peer configuration, troubleshooting configuration, Perfect Forward Secrecy. See PFS Windows 2003 CA server certificate request configuration, periodic gateway probe (MFF), policy periodic MAC reauthentication, AAA RADIUS security policy server IP PFS (IKE), address, attack D&P defense policy, applications, attack D&P defense policy (flood), architecture, attack D&P defense policy (scanning),...
Page 575
MFF user port, features, portal authentication, intrusion protection, portal authentication configuration, 134, intrusion protection feature, portal authentication cross-subnet MAC address autoLearn, configuration, MAC address learning control, portal authentication direct configuration, MAC authentication, portal authentication extended cross-subnet MAC move enable, configuration, MAC+802.1X authentication, portal authentication extended direct mode set,...
Page 576
fail-permit configuration, applying portal authentication interface NAS-ID profile, interface NAS-ID profile, authenticating with 802.1X EAP relay, local portal Web server configuration, authenticating with 802.1X EAP termination, local portal Web server feature, binding IPsec source interface to policy, maintaining, configuring AAA user group attributes, outgoing packets filtering, configuring portal authentication (cross-subnet portal-free rule,...
Page 578
configuring IPsec IKEv2, configuring MAC authentication critical VLAN, configuring IPsec IKEv2 address pool, configuring MAC authentication delay, configuring IPsec IKEv2 DPD, configuring MAC authentication guest VLAN, configuring IPsec IKEv2 global parameters, configuring MAC authentication keep-online, configuring IPsec IKEv2 keychain, configuring MAC authentication multi-VLAN mode, configuring IPsec IKEv2 NAT keepalive, configuring MAC authentication user account...
Page 579
configuring port security client configuring security local portal Web server macAddressElseUserLoginSecure, feature, configuring port security client configuring security password control, userLoginWithOUI, configuring security portal authentication direct configuring port security features, local portal Web server, configuring port security intrusion configuring security portal authentication local protection, portal Web server, configuring port security MAC address...
Page 580
displaying ARP attack detection (source enabling IPv4 source guard (IPv4SG) on MAC-based), interface, displaying ARP attack protection enabling IPv6 source guard (IPv6SG) on (unresolvable IP attack), interface, displaying ARP detection, enabling MAC authentication, displaying attack D&P, enabling MAC authentication critical voice VLAN, displaying FIPS, enabling MAC authentication offline...
Page 581
implementing security ACL-based IPsec, setting password control parameters (global), importing peer host public key from file, setting password control parameters (local user), importing public key from file, setting password control parameters (super), including IP address in MAC authentication request, setting password control parameters (user group), limiting port security secure MAC addresses,...
Page 582
troubleshooting AAA RADIUS authentication working with SSH SFTP files, failure, processing troubleshooting AAA RADIUS packet delivery parallel processing with 802.1X failure, authentication, troubleshooting IPsec IKE negotiation failure profile (no proposal match), AAA NAS-ID profile configuration, troubleshooting IPsec IKE negotiation failure AAA RADIUS server status detection test (no proposal or keychain specified profile,...
Page 583
SSH client host public key configuration, HWTACACS/RADIUS differences, SSH password-publickey authentication, information exchange security, SSH publickey authentication, Login-Service attribute check method, SSH Secure Telnet server publickey MAC authentication, authentication, MAC authentication (RADIUS-based), SSH SFTP client publickey MAC authentication authorization VLAN, authentication, maintain, SSH user configuration,...
Page 587
IPsec IKEv2 profile configuration, MAC authentication critical voice VLAN, IPsec IKEv2 protocols and standards, MAC authentication delay, 121, IPsec IPv6 routing protocols, MAC authentication display, IPsec maintain, MAC authentication domain, IPsec packet DF bit, MAC authentication enable, IPsec packet logging enable, MAC authentication guest VLAN, IPsec policy configuration restrictions, MAC authentication keep-online,...
Page 588
NETCONF-over-SSH+password PKI OpenCA server certificate request, authentication configuration, PKI operation, outgoing packets filtering on portal PKI RSA Keon CA server certificate request, interface, PKI terminology, parallel processing with 802.1X PKI Windows 2003 CA server certificate authentication, request, password control configuration, 213, 216, port.
Page 589
SSH client host public key configuration, SSH SFTP server password authentication, SSH configuration, SSH Stelnet server enable, SSH display, SSH user configuration, SSH local DSA key pair generation, SSH user configuration restrictions, SSH local ECDSA key pair generation, SSH2 algorithms, SSH local RSA key pair generation, SSH2 algorithms (encryption ), SSH management parameters,...
Page 593
FIPS mode system changes, testing IPsec authentication, AAA RADIUS server status detection test profile, IPsec configuration, FIPS conditional self-test, IPsec encryption, FIPS power-up self-test, IPsec IKE configuration, 313, 315, FIPS triggered self-test, IPsec IKE global identity information, TFTP IPsec IKE invalid SPI recovery, local host public key distribution, IPsec IKE keychain, time...
Page 594
trapping portal authentication users cannot log in (re-DHCP), AAA RADIUS SNMP notification, portal authentication users logged out still exist on IPsec IKE SNMP notification, server, IPsec SNMP notification, tunneling triggering IPsec configuration, 277, 802.1X authentication trigger, IPsec encapsulation tunnel mode, FIPS self-test, IPsec RIPng configuration, troubleshooting...
Page 595
portal authentication roaming, AAA RADIUS format, portal authentication user access, portal authentication user online validating detection, MACsec validation mode, portal authentication user setting max, validity check portal authentication user ARP packet, synchronization, ARP user, 438, SSH user configuration, ARP user+packet, userLogin 802.1X authentication mode, vendor userLoginSecure 802.1X authentication...
Page 596
MAC authentication VLAN assignment, security portal authentication direct local portal Web server, MFF auto-mode in ring network, security portal authentication local portal Web MFF auto-mode in tree network, server, MFF configuration, 503, 505, security portal authentication Web server MFF manual-mode in ring network, specifying, MFF manual-mode in tree network, troubleshooting 802.1X EAD assistant browser...