HP FlexNetwork 10500 Series Security Configuration Manual


HPE FlexNetwork 10500 Switch Series
Security Configuration Guide
Part number: 5998-7134R
Software version: 10500-CMW710-R7178
Document version: 6W100-20160129

Summary of Contents for HP FlexNetwork 10500 Series

  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents

    Configuring AAA (p. 1)
      Overview (p. 1)
        RADIUS (p. 2)
        HWTACACS (p. 7)
        LDAP (p. 9)
        AAA implementation on the device (p. 11)
        AAA for MPLS L3VPNs (p. 13)
        Protocols and standards (p. 13)
        RADIUS attributes (p. 14)
      FIPS compliance (p. 17)
      AAA configuration considerations and task list ...
  • Page 4
    802.1X VLAN manipulation (p. 76)
      Authorization VLAN (p. 76)
      Guest VLAN (p. 78)
      Auth-Fail VLAN (p. 79)
      Critical VLAN (p. 80)
    Using 802.1X authentication with other features (p. 82)
      ACL assignment (p. 82)
      EAD assistant (p. 82)
      Redirect URL assignment (p. 83)
      SmartOn ...
  • Page 5
    User account policies (p. 114)
      Authentication methods (p. 114)
      VLAN assignment (p. 115)
      ACL assignment (p. 116)
      Redirect URL assignment (p. 117)
      Periodic MAC reauthentication (p. 117)
    Configuration prerequisites (p. 117)
    General guidelines and restrictions (p. 117)
    Configuration task list (p. 118)
    Enabling MAC authentication ...
  • Page 6
    Configuring portal Web server detection (p. 149)
    Configuring portal user synchronization (p. 150)
    Configuring the portal fail-permit feature (p. 151)
    Configuring BAS-IP for portal packets sent to the portal authentication server (p. 151)
    Applying a NAS-ID profile to an interface (p. 152)
    Configuring the local portal Web server feature ...
  • Page 7
    Logging (p. 215)
    FIPS compliance (p. 216)
    Password control configuration task list (p. 216)
    Enabling password control (p. 216)
    Setting global password control parameters (p. 217)
    Setting user group password control parameters (p. 218)
    Setting local user password control parameters (p. 219)
    Setting super password control parameters ...
  • Page 8
    Verifying certificates with CRL checking (p. 251)
    Verifying certificates without CRL checking (p. 252)
    Specifying the storage path for the certificates and CRLs (p. 253)
    Exporting certificates (p. 253)
    Removing a certificate (p. 254)
    Configuring a certificate-based access control policy (p. 254)
    Displaying and maintaining PKI ...
  • Page 9
    IKE negotiation process (p. 313)
    IKE security mechanism (p. 314)
    Protocols and standards (p. 315)
    FIPS compliance (p. 315)
    IKE configuration prerequisites (p. 315)
    IKE configuration task list (p. 315)
    Configuring an IKE profile (p. 316)
    Configuring an IKE proposal (p. 318)
    Configuring an IKE keychain ...
  • Page 10
    Enabling the SCP server (p. 361)
    Enabling NETCONF over SSH (p. 361)
    Configuring the user lines for SSH login (p. 361)
    Configuring a client's host public key (p. 362)
    Configuring an SSH user (p. 363)
    Configuring the SSH management parameters (p. 364)
    Specifying a PKI domain for the SSH server ...
  • Page 11
    Dynamic IPv4SG using DHCP snooping configuration example (p. 424)
    Dynamic IPv4SG using DHCP relay configuration example (p. 425)
    Static IPv6SG configuration example (p. 426)
    Dynamic IPv6SG using DHCPv6 snooping configuration example (p. 427)
    Configuring ARP attack protection (p. 428)
      ARP attack protection configuration task list (p. 428)
      Configuring unresolvable IP attack protection ...
  • Page 12
    Configuration procedure (p. 456)
    Displaying and maintaining IPv6 uRPF (p. 456)
    IPv6 uRPF configuration example (p. 456)
    Configuring FIPS (p. 458)
      Overview (p. 458)
      Configuration restrictions and guidelines (p. 458)
      Configuring FIPS mode (p. 459)
        Entering FIPS mode (p. 459)
        Configuration changes in FIPS mode ...
  • Page 13
    Enabling MACsec desire (p. 494)
    Configuring a preshared key (p. 495)
    Configuring the MKA key server priority (p. 495)
    Configuring MACsec protection parameters in interface view (p. 495)
      Configuring the MACsec confidentiality offset (p. 496)
      Configuring MACsec replay protection (p. 496)
      Configuring the MACsec validation mode ...
  • Page 14
    Verifying the configuration (p. 524)
    Document conventions and icons (p. 527)
      Conventions (p. 527)
      Network topology icons (p. 528)
    Support and other resources (p. 529)
      Accessing Hewlett Packard Enterprise Support (p. 529)
      Accessing updates (p. 529)
        Websites (p. 530)
        Customer self repair (p. 530)
        Remote support ...
  • Page 15: Configuring Aaa

    Configuring AAA

    Overview

    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
    • Authentication—Identifies users and verifies their validity.
    • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 16: Radius

    RADIUS

    Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 17 Basic RADIUS packet exchange process

    Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

    Figure 3 Basic RADIUS packet exchange process

    RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 18 Figure 4 RADIUS packet format

    Descriptions of the fields are as follows:
    • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.

    Table 1 Main values of the Code field (columns: Packet type, Description)
    Description of the first row: From the client to the server.
  • Page 19 Type—Type of the attribute. Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. Value—Value of the attribute. Its format and content depend on the Type subfield. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 20 Commonly used RADIUS attributes (continued; attribute numbers per RFC 2865/2866/2868/2869)

    32 NAS-Identifier               79 EAP-Message
    33 Proxy-State                  80 Message-Authenticator
    34 Login-LAT-Service            81 Tunnel-Private-Group-id
    35 Login-LAT-Node               82 Tunnel-Assignment-id
    36 Login-LAT-Group              83 Tunnel-Preference
    37 Framed-AppleTalk-Link        84 ARAP-Challenge-Response
    38 Framed-AppleTalk-Network     85 Acct-Interim-Interval
    39 Framed-AppleTalk-Zone        86 Acct-Tunnel-Packets-Lost
    40 Acct-Status-Type             87 NAS-Port-Id
    41 Acct-Delay-Time              88 Framed-Pool
    42 Acct-Input-Octets            89 (unassigned in this guide; RFC 4372 later assigned it to Chargeable-User-Identity)
    43 Acct-Output-Octets           90 Tunnel-Client-Auth-id
    44 Acct-Session-Id              91 Tunnel-Server-Auth-id

    Extended RADIUS attributes

    The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes.
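    As an added example (not code from the HPE guide), the packet layout, attribute Type/Length/Value encoding and Response Authenticator described on these pages, together with the RFC 2865 User-Password hiding that carries a PAP password, worked through in Python. The shared secret, user name, password and NAS identifier are constructed sample values, and the server is a toy that checks a single dictionary of users.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from RFC 2865 (Access-Request, Access-Accept, Access-Reject).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types used here (RFC 2865): User-Name, User-Password, NAS-Identifier.
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def pack_attrs(attrs):
    """Encode (type, value) pairs as Type/Length/Value; Length counts all three subfields."""
    out = b""
    for typ, val in attrs:
        if not 1 <= len(val) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def unpack_attrs(data):
    """Walk the TLV list; reject a Length below 2 or one that runs past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(cipher, secret, authenticator):
    """Inverse of hide_password; trailing NULs are padding, so a password ending in NUL is not representable."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes; Length covers the whole packet."""
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    return code, ident, pkt[4:20], unpack_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply came from a holder of the secret."""
    body = pack_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def access_request(secret, username, password, ident):
    """Client (NAS) side: fresh random Request Authenticator, PAP password hidden under it."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IDENTIFIER, b"sw-core-1")]  # constructed NAS name
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(pkt, secret, users):
    """Toy server: recover the PAP password, look it up, return a signed Accept or Reject."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST
          and users.get(a.get(USER_NAME)) == reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, req_auth, [], secret), [])


def client_verify(reply, req_auth, secret, ident):
    """Client side: drop any reply whose Identifier or Response Authenticator does not check out."""
    code, rid, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, rid, req_auth, attrs, secret)
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        return None
    return code
```

    Two checks matter on the NAS side: the Identifier must match an outstanding request, and the Response Authenticator must verify under the shared key; otherwise the reply is forged or replayed and is dropped. The User-Password hiding is an MD5 keystream XOR, so the shared key is the only thing between a packet capture and every PAP password on the wire, which is why the key length and key handling sections later in this chapter matter.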
  • Page 21: Hwtacacs

    HWTACACS

    HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for VPDN and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS.
  • Page 22 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)
    1) The user tries to log in.
    2) Start-authentication packet.
    3) Authentication response requesting the username.
    4) Request for username.
    5) The user enters the username.
    6) Continue-authentication packet with the username.
    7) Authentication response requesting the password.
    8) Request for password...
  • Page 23: Ldap

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. 11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12.
  • Page 24 Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 25: Aaa Implementation On The Device

    After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server, which checks whether the user password is correct.
  • Page 26 AAA methods

    AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
  • Page 27: Aaa For Mpls L3Vpns

    command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide. • User role authentication—Authenticates each user who wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.
  • Page 28: Radius Attributes

    RADIUS attributes

    Commonly used standard RADIUS attributes
    Attribute: User-Name. Description: Name of the user to be authenticated.
    Attribute: User-Password. Description: User password for PAP authentication, only present in Access-Request packets when PAP authentication is used.
    Attribute: CHAP-Password. Description: Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.
  • Page 29 Attribute: Acct-Authentic. Description: Authentication method used by the user. Possible values include: 1—RADIUS; 2—Local; 3—Remote.
    Attribute: CHAP-Challenge. Description: CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
    Attribute: NAS-Port-Type. Description: Type of the physical port of the NAS that is authenticating the user. Possible values include: •...
  • Page 30 Subattribute: Command. Description: Operation for the session, used for session control. Possible values include: 1—Trigger-Request; 2—Terminate-Request; 3—SetPolicy; 4—Result; 5—PortalClear.
    Next subattribute (name not in this excerpt). Description: Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value.
  • Page 31: Fips Compliance

    Subattribute: Output-Interval-Gigaword. Description: Amount of bytes output within an accounting interval, in units of 4G bytes.
    Subattribute: Backup-NAS-IP. Description: Backup source IP address for sending RADIUS packets.
    Next subattribute (name not in this excerpt). Description: User-defined attribute pair. Available attribute pairs include: • Dynamically assigned WEP key in the format of leap:session-key=xxx.
  • Page 32: Configuring Aaa Schemes

    Figure 10 AAA configuration procedure (flowchart). Recoverable steps: create an ISP domain and enter ISP domain view; choose the authentication method (none, local (the default), or scheme); for local AAA, configure local users and related attributes; configure AAA methods for different types of users and/or the default methods for all types of users; with no AAA, no further configuration is needed...
  • Page 33 the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types: • Device management user—User who logs in to the device for device management. • Network access user—User who accesses network resources through the device.
  • Page 34 • When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed. • You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
  • Page 35: Configuring User Group Attributes

    Step/Command/Remarks (continued)
    Command: authorization-attribute { acl •...
    Remarks: The following default settings apply:
    • FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.
  • Page 36 By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view. To configure user group attributes: Step Command Remarks...
  • Page 37: Configuring Radius Schemes

    Configuring RADIUS schemes

    A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server IP addresses, UDP port numbers, shared keys, and server types.

    Configuration task list
    Tasks at a glance (Optional.)
  • Page 38 • The RADIUS server is manually set to the blocked state.
    • The RADIUS scheme is deleted.

    To configure a test profile for RADIUS server status detection:
    Step: Enter system view. Command: system-view
    Step: Configure a test profile for detecting the status of RADIUS servers. Command: radius-server test-profile profile-name username name... Remarks: By default, no test profiles exist.
  • Page 39 Step: Specify the primary RADIUS authentication server. Command: primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | ... Remarks: By default, no authentication server is specified. To support server status detection, specify an existing test profile for the RADIUS authentication server.
  • Page 40 Step: Specify the primary RADIUS accounting server. Command: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ... Remarks: By default, no accounting server is specified. Two accounting servers in a scheme, primary or secondary, cannot have the...
  • Page 41 Step: Specify a VPN for the RADIUS scheme. Command: vpn-instance vpn-instance-name Remarks: By default, a RADIUS scheme belongs to the public network.

    Setting the username format and traffic statistics units

    A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
  • Page 42 Setting the status of RADIUS servers

    To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers act as the backup of the primary server.
  • Page 43 Step: Enter system view. Command: system-view
    Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name
    Step: Set the status of the primary RADIUS authentication server. Command: state primary authentication { active | block }
    Step: Set the status of the primary RADIUS accounting server. Command: state primary accounting { active | block } Remarks: By default, every server specified in a RADIUS...
  • Page 44 receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. • If it is the IP address of a managed NAS, the server processes the packet. •...
  • Page 45 • Realtime accounting timer (realtime-accounting)—Defines the interval at which the device sends realtime accounting packets to the RADIUS accounting server for online users. When you set RADIUS timers, follow these guidelines: • When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the number of secondary servers.
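    An added model, not HPE code, of the server-selection behaviour this page and the previous ones describe: servers are tried in order, a server that does not answer within the configured number of attempts is blocked, and a blocked server returns to active when the quiet timer expires. The timeout, retransmit count and quiet period are constructed sample values, and the `reachable` callback stands in for the real UDP exchange.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    name: str
    active: bool = True              # "active" or "blocked", the two states the guide uses
    blocked_at: Optional[float] = None  # None for a manual block: no quiet timer runs


@dataclass
class RadiusScheme:
    servers: List[RadiusServer]      # primary first, then the secondaries in configured order
    response_timeout: float = 3.0    # seconds the device waits for one reply (constructed default)
    retransmit: int = 3              # attempts per server before it counts as unreachable
    quiet: float = 300.0             # seconds an automatically blocked server stays blocked (constructed)
    events: List[str] = field(default_factory=list)

    def set_state(self, name, active):
        """Operator equivalent of 'state ... { active | block }': force a server in or out of rotation."""
        s = next(s for s in self.servers if s.name == name)
        s.active, s.blocked_at = active, None

    def _expire_quiet_timers(self, now):
        for s in self.servers:
            if not s.active and s.blocked_at is not None and now - s.blocked_at >= self.quiet:
                s.active, s.blocked_at = True, None
                self.events.append(f"{s.name}: quiet timer expired, reachable again")

    def authenticate(self, now, reachable: Callable[[str], bool]):
        """Try active servers in order. Returns (name of the server that answered or None, seconds spent waiting)."""
        self._expire_quiet_timers(now)
        waited = 0.0
        for s in self.servers:
            if not s.active:
                continue
            for _ in range(self.retransmit):
                if reachable(s.name):
                    return s.name, waited
                waited += self.response_timeout
            # No reply after all attempts: block the server and start its quiet timer.
            s.active, s.blocked_at = False, now + waited
            self.events.append(f"{s.name}: unreachable after {self.retransmit} attempts, blocked")
        return None, waited

    def worst_case_delay(self):
        """If every active server is silent, the user waits retransmit x timeout per server before the device gives up."""
        return sum(self.retransmit * self.response_timeout for s in self.servers if s.active)
```

    `worst_case_delay` is the number to check against the client-side login or EAP timeout: with three servers, three attempts and a 3-second timeout, a user whose servers are all silent waits 27 seconds before the device gives up, which is the concern the guideline about the number of secondary servers points at.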
  • Page 46 Step: Enable accounting-on. Command: accounting-on enable [ interval seconds | send send-times ] * Remarks: By default, the accounting-on feature is disabled.

    Configuring the IP addresses of the security policy servers

    The NAS verifies the validity of received control packets and accepts only control packets from known servers.
  • Page 47: Configuring Hwtacacs Schemes

    • RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it does not receive a response to an accounting or authentication request within the specified number of RADIUS request transmission attempts. • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
  • Page 48 Creating an HWTACACS scheme

    Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure up to 16 HWTACACS schemes. An HWTACACS scheme can be referenced by multiple ISP domains. To create an HWTACACS scheme: Step: Enter system view.
  • Page 49 Step: Enter system view. Command: system-view
    Step: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name
    Step: Specify the primary HWTACACS authorization server. Command: primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | ... Remarks: By default, no authorization server is specified.
  • Page 50 Specifying the shared keys for secure HWTACACS communication

    The HWTACACS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication. Perform this task to configure shared keys for servers in an HWTACACS scheme. The MD5-based scheme is an obfuscation of the packet body, not an authenticated cipher, so a short or guessable key exposes every password carried in authentication packets; use a long random key, give each server its own key, and keep HWTACACS traffic on a protected management network rather than relying on the obfuscation alone.
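    An added example, not taken from the guide, of the MD5-and-shared-key body obfuscation as specified for TACACS+ in RFC 8907 section 5.2, which is the algorithm the page refers to; HWTACACS is treated here as wire-compatible with TACACS+ (an assumption). It builds the START and CONTINUE bodies from the Telnet login exchange of Figure 6 and shows what a capture reveals with and without the key. The session id, sequence numbers, key and password are constructed.

```python
import hashlib
import struct

VERSION = 0xC0           # major version 0xC, default minor version 0
TYPE_AUTHEN = 0x01       # authentication packet type
FLAG_UNENCRYPTED = 0x01  # header flag: body sent in the clear (never set on a production NAS)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id + key + version + seq_no), then MD5(same + previous digest), concatenated."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=VERSION):
    """XOR the body with the pad; applying it twice restores the body, so this is both encrypt and decrypt."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def header(seq_no, session_id, body_len, flags=0):
    """12-byte header: version, type, seq_no, flags, session_id, body length."""
    return struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags, session_id, body_len)


def authen_start(user, port=b"vty0", rem_addr=b"192.0.2.10"):
    """START body: action LOGIN(1), priv_lvl 1, authen_type ASCII(1), service LOGIN(1), lengths, strings."""
    return (struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
            + user + port + rem_addr)


def authen_continue(user_msg):
    """CONTINUE body (the step that carries the typed password): user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def encode(body, session_id, key, seq_no, encrypt=True):
    if encrypt:
        return header(seq_no, session_id, len(body)) + obfuscate(body, session_id, key, seq_no)
    return header(seq_no, session_id, len(body), FLAG_UNENCRYPTED) + body


def decode(packet, key):
    """Return (seq_no, plaintext body). A wrong key does not fail loudly: the XOR simply yields garbage."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & FLAG_UNENCRYPTED:
        return seq_no, body
    return seq_no, obfuscate(body, session_id, key, seq_no, version)


def password_from_continue(body):
    user_msg_len = struct.unpack("!H", body[:2])[0]
    return body[5:5 + user_msg_len]
```

    The pad depends on the session id and sequence number, so the same password produces different bytes in different packets, but nothing in the packet lets the receiver detect a wrong key or a modified body; that is the integrity gap the caveat above refers to.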
  • Page 51 Step: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name
    Step: Set the format of usernames sent to the HWTACACS servers. Command: user-name-format { keep-original | with-domain | without-domain } Remarks: By default, the ISP domain name is included in a username.
    Step: (Optional.) Set the data flow and packet units. Command: data-flow-format { data { byte | giga-byte | kilo-byte | ... Remarks: By default, traffic is counted in...
  • Page 52 Step: Specify the source IP address of outgoing HWTACACS packets. Command: nas-ip { ipv4-address | ipv6 ipv6-address } Remarks: By default, the source IP address specified by the hwtacacs nas-ip command in system view is used. If the source IP address is not...
  • Page 53: Configuring Ldap Schemes

    To set HWTACACS timers:
    Step: Enter system view. Command: system-view
    Step: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name
    Step: Set the HWTACACS server response timeout timer. Command: timer response-timeout seconds Remarks: By default, the HWTACACS server response timeout timer is 5 seconds.
    Remarks of the next step: By default, the realtime accounting interval is 12 minutes.
  • Page 54 Step: Create an LDAP server and enter LDAP server view. Command: ldap server server-name Remarks: By default, no LDAP server exists.

    Configuring the IP address of the LDAP server
    Step: Enter system view. Command: system-view
    Step: Enter LDAP server view. Command: ldap server server-name
    Remarks of the next step: By default, an LDAP server has no IP address.
  • Page 55 Step: Enter system view. Command: system-view
    Step: Enter LDAP server view. Command: ldap server server-name
    Step: Specify the administrator DN. Command: login-dn dn-string Remarks: By default, no administrator DN is specified. The administrator DN specified on the device must be the same as configured on the LDAP server.
    Step: Configure the administrator password. Command: login-password { cipher | ... Remarks: By default, no administrator...
  • Page 56: Configuring Aaa Methods For Isp Domains

    Step: (Optional.) Specify the user object class. Command: user-parameters user-object-class object-class-name Remarks: By default, no user object class is specified, and the default user object class on the LDAP server is used.

    Creating an LDAP scheme

    You can configure up to 16 LDAP schemes. An LDAP scheme can be referenced by multiple ISP domains.
  • Page 57: Creating An Isp Domain

    "Configuring RADIUS schemes," "Configuring HWTACACS schemes," and "Configuring LDAP schemes." Creating an ISP domain In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users can have different user attributes, such as different username and password structures, different service types, and different rights.
  • Page 58: Configuring Authentication Methods For An Isp Domain

    whose total traffic in the idle timeout period is less than the specified minimum traffic. If no idle cut attribute is available in the ISP domain, the idle cut feature of the server takes effect. An ISP domain attribute applies to all users in the domain. To configure ISP domain attributes: Step Command...
  • Page 59: Configuring Authorization Methods For An Isp Domain

    Step: Specify the default authentication method for all types of users. Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | ... Remarks: By default, the default authentication method is local.
  • Page 60: Configuring Accounting Methods For An Isp Domain

    1. Enter system view. Command: system-view
    2. Enter ISP domain view. Command: domain isp-name
    3. Specify the default authorization method for all types of users. Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | ... Remarks: By default, the authorization method is local. The none keyword is not ...
  • Page 61: Enabling The Session-Control Feature

    Configuration procedure
    To configure accounting methods for an ISP domain:
    1. Enter system view. Command: system-view
    2. Enter ISP domain view. Command: domain isp-name
    3. Specify the default accounting method for all types of users. Command: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name ... Remarks: By default, the accounting method is local.
  • Page 62: Configuring The Radius Dae Server Feature

    Configuring the RADIUS DAE server feature Dynamic Authorization Extensions (DAE) to RADIUS, defined in RFC 5176, can log off online users, change their authorization information, or shut down their access interfaces. DAE uses the client/server model. In a RADIUS network, the RADIUS server typically acts as the DAE client and the NAS acts as the DAE server.
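The exchange described above, worked through from the NAS side as an added example (illustrative Python, not code from the HPE guide or from Comware): a DAE client builds an RFC 5176 Disconnect-Request whose Request Authenticator is an MD5 over the packet and the shared key; the NAS, acting as DAE server, discards anything that does not verify under its key, logs off the matching Acct-Session-Id and answers with a Disconnect-ACK, or with a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found) for a session it does not know. The shared key expert (the value used by the configuration examples later in this chapter) and the session identifiers are constructed for the demonstration.

```python
"""RFC 5176 Disconnect-Request handling from the NAS (DAE server) side.

Added example for this section; not code from the HPE guide or Comware.
The shared key "expert" and the session IDs are constructed for the demo.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503        # Error-Cause value, RFC 5176 section 3.5
HEADER = struct.Struct("!BBH")         # Code, Identifier, Length


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Decode attributes into a dict, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 section 2.3: MD5(Code+ID+Length+16 zero octets+attributes+secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + bytes(16) + attrs + secret).digest()


def build_disconnect_request(ident, attrs, secret):
    """What the DAE client (typically the RADIUS server) sends to the NAS."""
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def handle_disconnect_request(packet, secret, online_sessions):
    """NAS side: authenticate the request, then log off the session.

    Returns the Disconnect-ACK or Disconnect-NAK to send back, or None when
    the request fails authentication (RFC 5176: silently discard it).
    """
    if len(packet) < 20:
        return None
    code, ident, length = HEADER.unpack(packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    attrs_raw = packet[20:]
    expected = request_authenticator(code, ident, attrs_raw, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                       # wrong shared key or tampered packet
    try:
        attrs = parse_attrs(attrs_raw)
    except ValueError:
        return None
    session = attrs.get(ACCT_SESSION_ID)
    if session in online_sessions:
        online_sessions.discard(session)  # the actual log-off
        resp_code, resp_attrs = DISCONNECT_ACK, b""
    else:
        resp_code = DISCONNECT_NAK
        resp_attrs = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    # Response Authenticator: MD5 over the response header, the *request*
    # authenticator, the response attributes and the secret (RFC 5176 2.3).
    header = HEADER.pack(resp_code, ident, 20 + len(resp_attrs))
    resp_auth = hashlib.md5(header + packet[4:20] + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


if __name__ == "__main__":
    secret = b"expert"
    online = {b"0001"}
    req = build_disconnect_request(
        9, attr(USER_NAME, b"dot1x@bbb") + attr(ACCT_SESSION_ID, b"0001"), secret)
    print(handle_disconnect_request(req, secret, online)[0])   # 41 = Disconnect-ACK
```

Because the only protection on a Disconnect-Request is an MD5 over the shared key, the NAS should accept DAE packets only from the configured DAE client addresses and the key should be long and random; a guessable key lets anyone on the path log users off.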
  • Page 63: Configuring A Nas-Id Profile

    Step: Set the maximum number of concurrent login users. Command (in non-FIPS mode): aaa session-limit { ftp | http | https | ssh | telnet } max-sessions. Remarks: By default, the maximum number of concurrent login users is 32 for ...
  • Page 64
    • Use the HWTACACS server for SSH user authentication, authorization, and accounting.
    • Assign the default user role network-operator to SSH users after they pass authentication.
    • Exclude domain names from the usernames sent to the HWTACACS server.
    • Use expert as the shared key for secure HWTACACS communication.
    Figure 11 Network diagram
    Configuration procedure
    Configure the HWTACACS server: ...
  • Page 65: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    [Switch] public-key local create dsa
    # Enable the SSH service.
    [Switch] ssh server enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
  • Page 66
    # Create local RSA and DSA key pairs.
    system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Enable the SSH service.
    [Switch] ssh server enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    ...
  • Page 67: Authentication And Authorization For Ssh Users By A Radius Server

    Set the ports for authentication and accounting to 1812 and 1813, respectively.
    c. Select the service type Device Management Service.
    d. Select the access device type HP(Comware).
    e. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
  • Page 68 IP address of the outbound interface (the default).
    Figure 14 Adding the switch as an access device
    # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree.
  • Page 69 Figure 15 Adding an account for device management
    Configure the switch:
    # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
    system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 70: Authentication For Ssh Users By An Ldap Server

    # Create a RADIUS scheme.
    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure communication with the server to expert in plain text.
    [Switch-radius-rad] key authentication simple expert
    # Include domain names in the usernames sent to the RADIUS server.
  • Page 71 NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.
    # Add a user named aaa and set the password to ldap!123456.
    a. On the LDAP server, select Start > Control Panel > Administrative Tools.
    b. Double-click Active Directory Users and Computers. The Active Directory Users and Computers window is displayed.
  • Page 72 Figure 18 Setting the user's password
    g. Click OK.
    # Add user aaa to group Users.
    h. From the navigation tree, click Users under the ldap.com node.
    i. In the right pane, right-click the user aaa and select Properties.
    j. In the dialog box, click the Member Of tab and click Add.
  • Page 73 Figure 19 Modifying user properties
    d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users.
    Figure 20 Adding user aaa to group Users
    # Set the administrator password to admin!123456.
  • Page 74
    # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
    system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 24
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 75: Aaa For 802.1X Users By A Radius Server

    Verifying the configuration
    # Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.)
    # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)
    AAA for 802.1X users by a RADIUS server
    Network requirements ...
  • Page 76 Select HP(Comware) as the access device type.
    e. Select the access device from the device list or manually add the device with the IP address 10.1.1.2.
    f. Leave the default settings for other parameters and click OK.
    The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch.
  • Page 77 Figure 23 Adding a service
    # Add a user. Click the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to configure a user as follows:
  • Page 78 Figure 24 Adding an access user account
    Configure the switch:
    a. Configure a RADIUS scheme:
    # Create a RADIUS scheme named rad and enter RADIUS scheme view.
    system-view
    [Switch] radius scheme rad
    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 79: Troubleshooting Radius

    # Configure the access control method. By default, an 802.1X-enabled port uses MAC-based access control.
    [Switch] dot1x port-method macbased interface gigabitethernet 1/0/1
    Verifying the configuration
    On the host, use the user dot1x@bbb to pass 802.1X authentication:
    # If the user host runs the Windows XP 802.1X client, configure the network connection properties as follows:
  • Page 80: Radius Packet Delivery Failure

    RADIUS packet delivery failure
    Symptom
    RADIUS packets cannot reach the RADIUS server.
    Analysis
    Possible reasons include:
    • A communication failure exists between the NAS and the RADIUS server.
    • The NAS is not configured with the IP address of the RADIUS server.
    • ...
  • Page 81: Troubleshooting Ldap

    Troubleshooting LDAP
    Symptom
    User authentication fails.
    Analysis
    Possible reasons include:
    • A communication failure exists between the NAS and the LDAP server.
    • The LDAP server IP address or port number configured on the NAS is not correct.
    • The username is not in the userid@isp-name format, or the ISP domain is not correctly configured on the NAS.
  • Page 82: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs. The protocol has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
  • Page 83: 802.1X-Related Protocols

    Figure 26 Authorization state of a controlled port 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
  • Page 84: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples of the Type field.
    EAPOL packet format
    Figure 28 shows the EAPOL packet format.
  • Page 85: 802.1X Authentication Initiation

    Figure 29 EAP-Message attribute format
    Message-Authenticator
    As shown in Figure 30, RADIUS includes the Message-Authenticator attribute in all packets that carry an EAP-Message attribute to protect their integrity. The attribute value is an HMAC-MD5 computed over the packet with the RADIUS shared key. The receiver recomputes the HMAC and drops the packet if the result differs from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication.
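An added example (illustrative Python, not code from the HPE guide or Comware) of the two attributes just described, as the access device uses them in EAP relay: the EAP packet is carried in one or more EAP-Message attributes of at most 253 octets each, and the Access-Request is protected by a Message-Authenticator, the HMAC-MD5 keyed with the RADIUS shared key over the whole packet with the attribute value set to zeros. The receiving side recomputes the HMAC, discards a packet that fails the check or that carries EAP-Message without Message-Authenticator, and reassembles the EAP packet. The shared key expert and the EAP payloads are constructed for the demonstration.

```python
"""EAP relay: EAP-Message encapsulation and Message-Authenticator protection
(RFC 3579 sections 3.1 and 3.2, RFC 2869 section 5.14).

Added example; not code from the HPE guide or Comware. The shared key
"expert" and the EAP payloads are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
MAX_VALUE = 253                        # longest value one attribute can carry
HEADER = struct.Struct("!BBH")         # Code, Identifier, Length


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_attrs(eap_packet):
    """Split one EAP packet into as many EAP-Message attributes as needed,
    in order; the receiver concatenates them back (RFC 3579 3.1)."""
    return b"".join(attr(EAP_MESSAGE, eap_packet[i:i + MAX_VALUE])
                    for i in range(0, len(eap_packet), MAX_VALUE))


def build_access_request(ident, eap_packet, secret, request_auth=None):
    """NAS side: wrap the EAP packet and add a Message-Authenticator.

    The HMAC-MD5 is keyed with the shared key and computed over the packet
    with the Message-Authenticator value set to 16 zero octets; the random
    Request Authenticator is already in place when the HMAC is taken.
    """
    request_auth = request_auth or os.urandom(16)
    attrs = eap_message_attrs(eap_packet) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac        # Message-Authenticator is last


def verify_and_extract_eap(packet, secret):
    """Server side: check Message-Authenticator, then reassemble the EAP
    packet. Returns the EAP packet, or None when the packet must be dropped."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return None
    pos, eap_parts, ma_offset = 20, [], None
    while pos < len(packet):
        if pos + 2 > len(packet):
            return None
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None
        if attr_type == EAP_MESSAGE:
            eap_parts.append(packet[pos + 2:pos + length])
        elif attr_type == MESSAGE_AUTHENTICATOR:
            if length != 18 or ma_offset is not None:
                return None                  # wrong size or duplicated
            ma_offset = pos + 2
        pos += length
    if eap_parts and ma_offset is None:
        return None      # RFC 3579: EAP-Message without Message-Authenticator is discarded
    if ma_offset is not None:
        zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16]):
            return None                      # tampered, or wrong shared key
    return b"".join(eap_parts)


if __name__ == "__main__":
    identity = b"dot1x@bbb"
    eap = HEADER.pack(2, 1, 5 + len(identity)) + b"\x01" + identity   # EAP-Response/Identity
    pkt = build_access_request(7, eap, b"expert")
    print(verify_and_extract_eap(pkt, b"expert") == eap)               # True
```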
  • Page 86: 802.1X Authentication Procedures

    802.1X authentication procedures
    802.1X authentication has two methods: EAP relay and EAP termination. Choose the method according to whether the RADIUS server supports EAP packets and which EAP authentication methods the client and server support.
    • EAP relay mode. EAP relay is defined in IEEE 802.1X. In this mode, the network device encapsulates the EAP packets in RADIUS (EAP over RADIUS, EAPOR) to carry authentication information to the RADIUS server, as shown in Figure 31.
    Figure 31 EAP relay ...
  • Page 87: Eap Relay

    Packet exchange method: EAP termination.
    Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
    Limitations: Supports only the following EAP authentication methods:
    • MD5-Challenge EAP authentication.
    • The username and password EAP authentication initiated by an HPE iNode 802.1X client.
    • ...
  • Page 88: Eap Termination

    In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the access device. The access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.
  • Page 89 Figure 34 802.1X authentication procedure in EAP termination mode
    In EAP termination mode, the access device rather than the authentication server generates the MD5 challenge that the client uses to hash its password (the password itself is never sent). The access device then sends the MD5 challenge together with the username and the hashed password, as CHAP attributes, in a standard RADIUS packet to the RADIUS server.
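As an added example of the termination procedure (illustrative Python, not code from the HPE guide or Comware), the following walks one EAP-MD5 exchange through all three roles: the access device issues the challenge in an EAP-Request/MD5-Challenge, the client answers with MD5(Identifier || password || challenge) as RFC 3748 section 5.4 specifies, the device rewrites that answer into the RADIUS CHAP-Password and CHAP-Challenge attribute values (RFC 2865 sections 5.3 and 5.40), and the RADIUS server recomputes the hash from the cleartext password it holds. The password and challenge values are constructed for the demonstration.

```python
"""EAP-MD5 challenge/response in EAP termination mode.

Added example; not code from the HPE guide or Comware. The password and the
fixed challenge used in the demo are constructed values.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length


def eap_packet(code, ident, eap_type, type_data):
    body = bytes([eap_type]) + type_data
    return HEADER.pack(code, ident, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, type, type_data); type is None for
    Success/Failure packets, which carry no Data field."""
    if len(packet) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("EAP length mismatch")
    if length == 4:
        return code, ident, None, b""
    return code, ident, packet[4], packet[5:]


def md5_challenge_request(ident, challenge=None, name=b""):
    """Access device: EAP-Request/MD5-Challenge carrying a fresh random
    challenge (Value-Size, Value, optional Name). Returns (packet, challenge)."""
    challenge = challenge or os.urandom(16)
    packet = eap_packet(EAP_REQUEST, ident, EAP_TYPE_MD5_CHALLENGE,
                        bytes([len(challenge)]) + challenge + name)
    return packet, challenge


def md5_challenge_response(request, password, name=b""):
    """Client: hash the Identifier, the password and the received challenge."""
    code, ident, eap_type, data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge request")
    if len(data) < 1 or len(data) < 1 + data[0]:
        raise ValueError("truncated challenge")
    challenge = data[1:1 + data[0]]
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + digest + name)


def terminate_to_chap(response, challenge):
    """Access device: turn the EAP response into the RADIUS attribute values
    CHAP-Password (CHAP Ident + 16-octet response) and CHAP-Challenge."""
    code, ident, eap_type, data = parse_eap(response)
    if (code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5_CHALLENGE
            or len(data) < 17 or data[0] != 16):
        raise ValueError("not a valid MD5-Challenge response")
    return bytes([ident]) + data[1:17], challenge


def radius_chap_verify(chap_password, chap_challenge, cleartext_password):
    """RADIUS server: CHAP can only be checked against the cleartext password."""
    ident, response = chap_password[0], chap_password[1:]
    expected = hashlib.md5(bytes([ident]) + cleartext_password + chap_challenge).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    request, challenge = md5_challenge_request(5)
    response = md5_challenge_response(request, b"ldap!123456")
    print(radius_chap_verify(*terminate_to_chap(response, challenge), b"ldap!123456"))   # True
```

Two consequences follow directly from the arithmetic: the RADIUS server must be able to recover the user's cleartext password, and the challenge/response pair is visible on the wire, so a captured exchange can be guessed offline. EAP relay with a method such as EAP-TLS or PEAP (listed earlier in this chapter) avoids both.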
  • Page 90: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.
  • Page 91 NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
    Unsupported VLAN types
    Do not specify the following types of VLANs for VLAN authorization. The access device does not assign these VLANs to 802.1X users.
    • ...
  • Page 92: Guest Vlan

    Table 6 VLAN manipulation
    Port access control: Port-based. VLAN manipulation: The device assigns the first authenticated user's authorization VLAN to the port as the port VLAN (PVID). All subsequent 802.1X users can access the VLAN without authentication. When the first authenticated user logs off, the previous PVID is restored, and all other online users are logged off.
  • Page 93: Auth-Fail Vlan

    Authentication status VLAN manipulation • The device assigns the authorization VLAN of the user to the port as the PVID, and it removes the port from the 802.1X guest VLAN. After the user logs off, the initial PVID of the port is restored. •...
  • Page 94: Critical Vlan

    Authentication status: A user fails 802.1X authentication. VLAN manipulation: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
    Authentication status: A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication because of ... VLAN manipulation: The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users ...
  • Page 95
    • On a port that performs port-based access control:
    Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. VLAN manipulation: The device assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the 802.1X ...
  • Page 96: Using 802.1X Authentication With Other Features

    Authentication status: A user in the 802.1X critical VLAN passes 802.1X authentication. VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN. If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port.
  • Page 97: Redirect Url Assignment

    The EAD assistant feature enables the access device to redirect a user who is seeking to access the network to download and install an EAD client. This feature eliminates the administrative task to deploy EAD clients. EAD assistant is implemented by the following functionality: •...
  • Page 98: Configuration Prerequisites

    Figure 35 802.1X authentication process with the SmartOn feature If the user attempts to use another 802.1X client for authentication, it will fail SmartOn authentication. The access device stops 802.1X authentication for the user. NOTE: After you install the SmartOn client software, add two values QX_ID and QX_PASSWORD to the Windows registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Soliton Systems K.K.\SmartOn Client\Clients\1XGate].
  • Page 99: Enabling 802.1X

    Tasks at a glance
    (Optional.) Setting the maximum number of concurrent 802.1X users on a port
    (Optional.) Setting the maximum number of authentication request attempts
    (Optional.) Setting the 802.1X authentication timeout timers
    (Optional.) Configuring the online user handshake feature
    (Optional.) Configuring the authentication trigger feature
    (Optional.) Specifying a mandatory authentication domain on a port ...
  • Page 100: Enabling Eap Relay Or Eap Termination

    Enabling EAP relay or EAP termination When configuring EAP relay or EAP termination, consider the following factors: • Support of the RADIUS server for EAP packets. • Authentication methods supported by the 802.1X client and the RADIUS server. You can use both EAP termination and EAP relay in any of the following situations: •...
  • Page 101: Specifying An Access Control Method

    1. Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    2. Set the port authorization state. Command: dot1x port-control { authorized-force | auto | unauthorized-force }. Remarks: By default, the auto state applies.
    Specifying an access control method
    1. Enter system view. Command: system-view ...
  • Page 102: Setting The 802.1X Authentication Timeout Timers

    To set the maximum number of authentication request attempts:
    1. Enter system view. Command: system-view
    2. Set the maximum number of attempts for sending an authentication request. Command: dot1x retry max-retry-value. Remarks: The default setting is ...
    Setting the 802.1X authentication timeout timers
    The network device uses the following 802.1X authentication timeout timers:
    • ...
  • Page 103: Configuration Guidelines

    Configuration guidelines When you configure the online user handshake feature, follow these restrictions and guidelines: • The SmartOn feature and the online user handshake feature are mutually exclusive. Before you enable the online user handshake feature, make sure the SmartOn feature is disabled. •...
  • Page 104: Configuration Procedure

    • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication. • To avoid duplicate authentication packets, do not enable both triggers on a port. Configuration procedure To configure the authentication trigger feature on a port: Step Command...
  • Page 105: Enabling The Periodic Online User Reauthentication Feature

    1. Enter system view. Command: system-view
    2. Enable the quiet timer. Command: dot1x quiet-period. Remarks: By default, the timer is disabled.
    3. (Optional.) Set the quiet timer. Command: dot1x timer quiet-period quiet-period-value. Remarks: The default is 60 seconds.
    Enabling the periodic online user reauthentication feature
    Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server.
  • Page 106: Manually Reauthenticating All Online 802.1X Users On A Port

    Manually reauthenticating all online 802.1X users on a port This feature reauthenticates all online 802.1X users on a port after the dot1x re-authenticate manual command is executed. The feature is independent of the server-assigned reauthentication attribute and the periodic reauthentication feature. When no server is reachable for the reauthentication, the device keeps the users online or logs off the users, depending on the keep-online feature configuration on the port.
  • Page 107: Configuring An 802.1X Guest Vlan

    Configuring an 802.1X guest VLAN Configuration guidelines When you configure an 802.1X guest VLAN, follow these guidelines: • The following matrix shows the location restrictions for the interface configured with 802.1X guest VLAN and the interface connected to the external network on an eIRF system: Location of the interface configured Location restrictions of the interface with 802.1X guest VLAN...
  • Page 108: Configuration Procedure

    • If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port: Configure the port as a hybrid port. Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide. Assign the port to the 802.1X guest VLAN as an untagged member.
  • Page 109: Configuration Procedure

    • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port: Configure the port as a hybrid port. Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
  • Page 110: Enabling The 802.1X Critical Voice Vlan

    1. Enter system view. Command: system-view
    2. Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    3. Configure the 802.1X critical VLAN on the port. Command: dot1x critical vlan vlan-id. Remarks: By default, no 802.1X critical VLAN is configured.
    Enabling the 802.1X critical voice VLAN
    This feature assigns the access port of a voice user to the 802.1X critical voice VLAN if the voice user fails authentication because all the RADIUS servers are unreachable.
  • Page 111: Sending Eap-Success Packets For 802.1X Users Assignment To The 802.1X Critical Vlan

    Sending EAP-Success packets for 802.1X users assigned to the 802.1X critical VLAN
    By default, the device sends an EAP-Failure packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on the port. After receiving the EAP-Failure packet, the client does not respond to the EAP-Request/Identity packets that the device sends once an authentication server becomes reachable again.
  • Page 112: Enabling 802.1X Guest Vlan Assignment Delay

    NOTE: If you configure the access device to send usernames with domain names to the RADIUS server, make sure the domain delimiter can be recognized by the RADIUS server. For username format configuration, see the user-name-format command in Security Command Reference. Enabling 802.1X guest VLAN assignment delay This feature delays assigning an 802.1X-enabled port to the 802.1X guest VLAN when 802.1X authentication is triggered on the port.
  • Page 113: Configuring 802.1X Smarton

    1. Enter system view. Command: system-view
    2. Enable EAD assistant. Command: dot1x ead-assistant enable. Remarks: By default, this feature is disabled.
    3. Configure a free IP. Command: dot1x ead-assistant free-ip ip-address { mask-length | mask-address }. Remarks: By default, no free IP is configured.
    Remarks: By default, no redirect URL is configured.
  • Page 114: Displaying And Maintaining 802.1X

    Step: (Optional.) Configure the maximum attempts for retransmitting an EAP-Request/Notification packet to a client. Command: dot1x smarton retry retries. Remarks: By default, the device allows a maximum of 3 attempts for retransmitting an EAP-Request/Notification packet to a client.
    Displaying and maintaining 802.1X
    Execute the display commands in any view and reset commands in user view.
  • Page 115 Figure 36 Network diagram
    Configuration procedure
    Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
    Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 116: Guest Vlan And Authorization Vlan Configuration Example

    NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.
    Configure the ISP domain:
    # Create the ISP domain bbb and enter ISP domain view.
    [Device] domain bbb
    # Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
  • Page 117 Figure 37 Network diagram Configuration procedure Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.) Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
  • Page 118
    [Device-radius-2000] primary authentication 10.11.1.1 1812
    # Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.
    [Device-radius-2000] primary accounting 10.11.1.1 1813
    # Set the shared key to abc in plain text for secure communication between the authentication server and the device.
  • Page 119: 802.1X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 38, the host that connects to GigabitEthernet 1/0/1 must pass 802.1X authentication to access the Internet. Perform 802.1X authentication on GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 120: With Ead Assistant Configuration Example (With Dhcp Relay Agent)

    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    Configure an ISP domain:
    # Create ISP domain bbb and enter ISP domain view.
    [Device] domain bbb
    # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
    [Device-isp-bbb] authentication lan-access radius-scheme 2000
    [Device-isp-bbb] authorization lan-access radius-scheme 2000
    [Device-isp-bbb] accounting lan-access radius-scheme 2000
    [Device-isp-bbb] quit
    ...
  • Page 121
    • The intranet 192.168.1.0/24 is attached to GigabitEthernet 1/0/1 of the access device.
    • The hosts use DHCP to obtain IP addresses.
    • A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software.
    Deploy an EAD solution for the intranet to meet the following requirements:
    • ...
  • Page 122
    # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    # Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
  • Page 123: With Ead Assistant Configuration Example (With Dhcp Server)

    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Ping statistics for 192.168.2.3:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    The output shows that you can access the free IP subnet before passing 802.1X authentication.
  • Page 124
    Configure an IP address for each interface. (Details not shown.)
    Configure the DHCP server:
    # Enable DHCP.
    system-view
    [Device] dhcp enable
    # Enable the DHCP server on VLAN-interface 2.
    [Device] interface vlan-interface 2
    [Device-Vlan-interface2] dhcp select server
    [Device-Vlan-interface2] quit
    # Create DHCP address pool 0.
  • Page 125: 802.1X Smarton Configuration Example

    [Device] dot1x ead-assistant url http://192.168.2.3
    # Enable the EAD assistant feature.
    [Device] dot1x ead-assistant enable
    # Enable 802.1X on GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] dot1x
    [Device-GigabitEthernet1/0/1] quit
    # Enable 802.1X globally.
    [Device] dot1x
    Verifying the configuration
    # Verify the 802.1X configuration.
    [Device] display dot1x
    # Verify that you can ping an IP address on the free IP subnet from a host.
  • Page 126 Figure 41 Network diagram
    Configuration procedure
    Configure a RADIUS scheme:
    # Create RADIUS scheme 2000 and enter RADIUS scheme view.
    system-view
    [Device] radius scheme 2000
    # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
  • Page 127: Troubleshooting 802.1X Ead Assistant For Web Browser Users

    [Device-GigabitEthernet1/0/1] quit
    # Set the SmartOn password to 1234 in plain text and the switch ID to XYZ.
    [Device] dot1x smarton password simple 1234
    [Device] dot1x smarton switchid XYZ
    # Set the SmartOn client timeout timer to 40 seconds.
    [Device] smarton timer supp-timeout 40
    # Enable 802.1X globally.
  • Page 128: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 129: Vlan Assignment

    VLAN assignment MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN. Authorization VLAN You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources. • On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN name.
  • Page 130: Acl Assignment

    Table 10 VLAN manipulation
    Authentication status: A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable. VLAN manipulation: The user is still in the MAC authentication guest VLAN.
    (Following row) VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server.
  • Page 131: Redirect Url Assignment

    • Specify another authorization ACL on the authentication server. For more information about ACLs, see ACL and QoS Configuration Guide. Redirect URL assignment The device supports the URL attribute assigned by a RADIUS server. During MAC authentication, a user is redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the Web user and uses a DM (Disconnect Message) to log off the Web user.
  • Page 132: Configuration Task List

    Configuration task list
    Tasks at a glance
    (Required.) Enabling MAC authentication
    (Optional.) Specifying a MAC authentication domain
    (Optional.) Configuring the user account format
    (Optional.) Setting MAC authentication timers
    (Optional.) Enabling MAC authentication offline detection
    (Optional.) Setting the maximum number of concurrent MAC authentication users on a port
    (Optional.) Enabling MAC authentication multi-VLAN mode on a port
    (Optional.) ...
  • Page 133: Configuring The User Account Format

    MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA." To specify an authentication domain for MAC authentication users: Step Command Remarks...
  • Page 134: Enabling Mac Authentication Offline Detection

    1. Enter system view. Command: system-view
    2. Set MAC authentication timers. Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }. Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
  • Page 135: Configuring Mac Authentication Delay

    nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports. This feature improves transmission of data that is vulnerable to delay and interference.
  • Page 136: Configuration Restrictions And Guidelines

    • Create the VLAN to be specified as the MAC authentication guest VLAN. • Configure the VLAN as an untagged member on the port. Configuration restrictions and guidelines When you configure the MAC authentication guest VLAN on a port, follow these restrictions and guidelines: •...
  • Page 137: Configuring A Mac Authentication Critical Vlan

    1. Enter system view. Command: system-view
    2. Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    3. Specify the MAC authentication guest VLAN on the port. Command: mac-authentication guest-vlan guest-vlan-id. Remarks: By default, no MAC authentication guest VLAN is configured. You can configure only one MAC authentication guest VLAN on a port.
  • Page 138: Enabling The Mac Authentication Critical Voice Vlan

    Step: Specify the MAC authentication critical VLAN on the port.
      Command: mac-authentication critical vlan critical-vlan-id
      Remarks: By default, no MAC authentication critical VLAN is configured. You can configure only one MAC authentication critical VLAN on a port.
    Enabling the MAC authentication critical voice VLAN
    The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users who have failed authentication because none of the RADIUS servers in their ISP domain are...
  • Page 139: Including User Ip Addresses In Mac Authentication Requests

    Step: Enter system view.
      Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Enable the keep-online feature for authenticated MAC authentication users on the port.
      Command: mac-authentication re-authenticate server-unreachable
      Remarks: By default, the keep-online feature is disabled. This command takes effect only when the authentication server...
  • Page 140: Configuration Restrictions And Guidelines

    • If 802.1X authentication fails, the MAC authentication result takes effect.
    • If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.
    Configuration restrictions and guidelines
    When you enable parallel processing of MAC authentication and 802.1X authentication on a port, follow these restrictions and guidelines:
    •...
  • Page 141: Mac Authentication Configuration Examples

    Task: Display MAC authentication connections (in standalone mode).
      Command: display mac-authentication connection [ interface interface-type interface-number | slot slot-number | user-mac mac-addr | user-name user-name ]
    Task: Display MAC authentication connections (in IRF mode).
      Command: display mac-authentication connection [ chassis chassis-number slot slot-number | interface
  • Page 142

    [Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
    # Specify the LAN access service for the user.
    [Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-network-00-e0-fc-12-34-56] quit
    # Configure ISP domain bbb to perform local authentication for LAN users.
    [Device] domain bbb
    [Device-isp-bbb] authentication lan-access local
    [Device-isp-bbb] quit
    # Enable MAC authentication on GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] mac-authentication
    [Device-GigabitEthernet1/0/1] quit...
  • Page 143: Radius-Based Mac Authentication Configuration Example

    Guest VLAN : Not configured
    Guest VLAN auth-period : 30 s
    Critical VLAN : Not configured
    Critical voice VLAN : Disabled
    Host mode : Single VLAN
    Offline detection : Enabled
    Authentication order : Default
    Max online users : 4294967295
    Authentication attempts : successful 1, failed 0
    Current online users
    MAC address...
  • Page 144

    system-view
    [Device] radius scheme 2000
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    [Device-radius-2000] primary accounting 10.1.1.2 1813
    [Device-radius-2000] key authentication simple abc
    [Device-radius-2000] key accounting simple abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    # Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.
  • Page 145: Acl Assignment Configuration Example

    MAC authentication : Enabled
    Carry User-IP : Disabled
    Authentication domain : Not configured
    Auth-delay timer : Disabled
    Re-auth server-unreachable : Logoff
    Guest VLAN : Not configured
    Guest VLAN auth-period : 30 s
    Critical VLAN : Not configured
    Critical voice VLAN : Disabled
    Host mode : Single VLAN...
  • Page 146

    Configure RADIUS-based MAC authentication on the device:
    # Configure a RADIUS scheme.
    [Device] radius scheme 2000
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    [Device-radius-2000] primary accounting 10.1.1.2 1813
    [Device-radius-2000] key authentication simple abc
    [Device-radius-2000] key accounting simple abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
  • Page 147: Ftp Server

    MAC address VLAN ID From port Port index
    GigabitEthernet1/0/1 is link-up
    MAC authentication : Enabled
    Carry User-IP : Disabled
    Authentication domain : Not configured
    Auth-delay timer : Disabled
    Re-auth server-unreachable : Logoff
    Guest VLAN : Not configured
    Guest VLAN auth-period : 30 s
    Critical VLAN : Not configured...
  • Page 148: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication controls user access to the Internet. Portal authenticates a user by the username and password the user enters on a portal authentication page. Therefore, portal authentication is also known as Web authentication. When portal authentication is deployed on a network, an access device redirects unauthenticated users to the website provided by a portal Web server.
  • Page 149

    Figure 45 Portal system components (components shown: authentication clients, portal authentication server, portal Web server, access device, AAA server, security policy server)
    An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 150: Interaction Between Portal System Components

    Interaction between portal system components The components of a portal system interact as follows: An unauthenticated user initiates authentication by accessing an Internet website through a Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server.
  • Page 151: Portal Support For Eap

    Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP address uniquely identifies the user. After a user passes authentication, the access device generates an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
  • Page 152

    Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
    Figure 47 Direct authentication/cross-subnet authentication process (participants: authentication client, portal authentication server, portal Web server, access device, security policy server, AAA server; steps: 1) Initiate a connection, 2) User information, 3) CHAP authentication, 4) Authentication request, 5) RADIUS authentication, Timer...)
  • Page 153: Portal Configuration Task List

    Re-DHCP authentication process (with CHAP/PAP authentication) Figure 48 Re-DHCP authentication process The re-DHCP authentication process is as follows: Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication process. After receiving the authentication success packet, the client obtains a public IP address through DHCP.
  • Page 154: Configuration Prerequisites

    Tasks at a glance:
    • (Required.) Configuring a portal Web server
    • (Required.) Enabling portal authentication on an interface
    • (Required.) Specifying a portal Web server on an interface
    • (Optional.) Controlling portal user access
      • Configuring a portal-free rule
      • Configuring an authentication source subnet
      •...
  • Page 155: Configuring A Portal Authentication Server

    Configuring a portal authentication server
    Configure this feature when user authentication uses an external portal authentication server. Perform this task to configure the following portal authentication server parameters:
    • IP address of the portal authentication server
    • VPN instance of the portal authentication server
    •...
  • Page 156: Enabling Portal Authentication On An Interface

    Step: Create a portal Web server and enter its view.
      Command: portal web-server server-name
      Remarks: By default, no portal Web server is created.
    Step: Specify the VPN instance to which the portal Web server belongs.
      Command: vpn-instance vpn-instance-name
      Remarks: By default, the portal Web server belongs to the public network.
  • Page 157: Specifying A Portal Web Server On An Interface

    Step: Enable portal authentication on the interface.
      Command:
      • To enable IPv4 portal authentication: portal enable method { direct | layer3 | redhcp }
      • To enable IPv6 portal authentication:
      Remarks: Enable IPv4 portal authentication, IPv6 portal authentication, or both on the interface.
  • Page 158: Configuring An Authentication Source Subnet

    Step: Configure an IPv4-based portal-free rule.
      Command: portal free-rule rule-number { destination ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip
      Remarks: By default, no IPv4-based portal-free rule exists.
  • Page 159: Configuring An Authentication Destination Subnet

    Step: Enter system view.
      Command: system-view
    Step: Enter VLAN interface view.
      Command: interface interface-type interface-number
    Step: Configure an IPv4 portal authentication source subnet.
      Command: portal layer3 source ipv4-network-address { mask-length | mask }
      Remarks: By default, no IPv4 portal authentication source subnet is configured, and users from any subnets must pass portal authentication.
  • Page 160: Setting The Maximum Number Of Portal Users

    Step: Configure an IPv6 portal authentication destination subnet.
      Command: portal ipv6 free-all except destination ipv6-network-address prefix-length
      Remarks: By default, no IPv6 portal authentication destination subnet is configured, and users accessing any subnets must pass portal authentication.
    Setting the maximum number of portal users
    Perform this task to control the total number of IPv4 and IPv6 portal users in the system.
  • Page 161: Enabling Outgoing Packets Filtering On A Portal-Enabled Interface

    Step: Enter system view.
      Command: system-view
    Step: Enter VLAN interface view.
      Command: interface interface-type interface-number
    Step: Specify an IPv6 portal authentication domain.
      Command: portal ipv6 domain domain-name
      Remarks: By default, no ISP domain is specified for IPv6 portal users on the interface.
    Enabling outgoing packets filtering on a portal-enabled interface
    When you enable this feature on a portal-enabled interface, the device permits the interface to send the following packets:...
  • Page 162: Configuring Portal Authentication Server Detection

    If the ARP or ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP or ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires.
  • Page 163: Configuring Portal Web Server Detection

    • Sending a trap message to the NMS. The trap message contains the name and current state of the portal authentication server.
    • Sending a log message, which contains the name, the current state, and the original state of the portal authentication server.
  • Page 164: Configuring Portal User Synchronization

    Step: Enter system view.
      Command: system-view
    Step: Enter portal Web server view.
      Command: portal web-server server-name
    Step: Configure portal Web server detection.
      Command: server-detect [ interval interval ] [ retry retries ] { log | trap } *
      Remarks: By default, portal Web server detection is disabled. This feature takes effect regardless...
  • Page 165: Configuring The Portal Fail-Permit Feature

    Configuring the portal fail-permit feature Perform this task to configure the portal fail-permit feature on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication. If you enable fail-permit for both a portal authentication server and a portal Web server on an interface, the interface does the following: •...
  • Page 166: Applying A Nas-Id Profile To An Interface

    Step: Enter VLAN interface view.
      Command: interface interface-type interface-number
    Step: Configure BAS-IP for IPv4 portal packets sent to the portal authentication server.
      Command: portal bas-ip ipv4-address
      Remarks: By default, the BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet. The BAS-IP attribute of an IPv4 portal...
  • Page 167: Configuring The Local Portal Web Server Feature

    Configuring the local portal Web server feature
    To perform local portal authentication for users, perform the following tasks:
    • Configure a local portal Web server.
    • Configure a name for the portal Web server and specify a local IP address of the device as the server's URL.
  • Page 168

    • Get requests—Used to get the static files in the authentication pages and allow no recursion. For example, if file Logon.htm includes contents that perform Get action on file ca.htm, file ca.htm cannot include any reference to file Logon.htm.
    • Post requests—Used when users submit username and password pairs, log in, and log out.
  • Page 169: Configuring A Local Portal Web Server

    In logon.htm, set the target attribute of Form to _blank. See the contents in gray:
    Add the page-loading function pt_init() to logonSuccess.htm. See the contents in gray: LogonSuccessed ...
  • Page 170: Logging Out Online Portal Users

    • First log out from the current port.
    • Then re-authenticate on the new Layer 2 port.
    To enable portal roaming:
    Step: Enter system view.
      Command: system-view
    Step: Enable portal roaming.
      Command: portal roaming enable
      Remarks: By default, portal roaming is disabled. You cannot enable portal roaming...
  • Page 171: Portal Configuration Examples

    Task: Display packet statistics for portal authentication servers.
      Command: display portal packet statistics [ server server-name ]
    Task: Display portal user information.
      Command: display portal user { all | interface interface-type interface-number }
    Task: Clear packet statistics for portal authentication servers.
      Command: reset portal packet statistics [ server...
  • Page 172

    Figure 50 Portal server configuration
    Configure the IP address group:
    a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.
    b. Click Add to open the page as shown in Figure
    c.
  • Page 173

    a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
    b. Click Add to open the page as shown in Figure
    c. Enter the device name NAS.
    d. Enter the IP address of the switch's interface connected to the host.
    e.
  • Page 174

    Figure 54 Adding a port group
    Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
    Configuring the switch
    Configure a RADIUS scheme:
    # Create a RADIUS scheme named rs1 and enter its view.
    ...
  • Page 175: Authentication Server

    # Configure a portal authentication server.
    [Switch] portal server newpt
    [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
    [Switch-portal-server-newpt] port 50100
    [Switch-portal-server-newpt] quit
    # Configure a portal Web server.
    [Switch] portal web-server newpt
    [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [Switch-portal-websvr-newpt] quit
    # Enable direct portal authentication on VLAN-interface 100.
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] portal enable method direct
    # Specify the portal Web server newpt on VLAN-interface 100.
  • Page 176: Configuring Re-Dhcp Portal Authentication

    Layer3 source network: IP address Prefix length
    Destination authenticate subnet: IP address Prefix length
    A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 177

    Configuration prerequisites and guidelines
    • Configure IP addresses for the switch and servers as shown in Figure 55 and make sure the host, switch, and servers can reach each other.
    • Configure the RADIUS server correctly to provide authentication and accounting functions.
    •...
  • Page 178

    # Configure DHCP relay.
    [Switch] dhcp enable
    [Switch] dhcp relay client-information record
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0
    [Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
    [Switch-Vlan-interface100] dhcp select relay
    [Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112
    # Enable authorized ARP.
    [Switch-Vlan-interface100] arp authorized enable
    [Switch-Vlan-interface100] quit
    Configure portal authentication:...
  • Page 179: Configuring Cross-Subnet Portal Authentication

    Destination authenticate subnet: IP address Mask
    IPv6:
    Portal status: Disabled
    Authentication type: Disabled
    Portal Web server: Not configured
    Authentication domain: Not configured
    BAS-IPv6: Not configured
    User detection: Not configured
    Action for server detection: Server type Server name Action
    Layer3 source network: IP address Prefix length
    Destination authenticate subnet:...
  • Page 180

    Figure 56 Network diagram
    Configuration prerequisites and guidelines
    • Configure IP addresses for the switch and servers as shown in Figure 56 and make sure the host, switch, and servers can reach each other.
    • Configure the RADIUS server correctly to provide authentication and accounting functions.
    •...
  • Page 181

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
    [SwitchA] domain default enable dm1
    Configure portal authentication:
    # Configure a portal authentication server.
  • Page 182: Configuring Extended Direct Portal Authentication

    Portal Web server: Not configured
    Authentication domain: Not configured
    BAS-IPv6: Not configured
    User detection: Not configured
    Action for server detection: Server type Server name Action
    Layer3 source network: IP address Prefix length
    Destination authenticate subnet: IP address Prefix length
    A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, user...
  • Page 183

    Figure 57 Network diagram
    Configuration prerequisites
    • Configure IP addresses for the host, switch, and servers as shown in Figure 57 and make sure they can reach each other.
    • Configure the RADIUS server correctly to provide authentication and accounting functions.
    Configuration procedure
    Perform the following tasks on the switch.
  • Page 184

    [Switch] domain default enable dm1
    Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
    [Switch] acl number 3000
    [Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
    [Switch-acl-adv-3000] rule deny ip
    [Switch-acl-adv-3000] quit
    [Switch] acl number 3001
    [Switch-acl-adv-3001] rule permit ip
    [Switch-acl-adv-3001] quit
    NOTE:...
  • Page 185: Configuring Extended Re-Dhcp Portal Authentication

    Layer3 source network: IP address Mask
    Destination authenticate subnet: IP address Mask
    IPv6:
    Portal status: Disabled
    Authentication type: Disabled
    Portal Web server: Not configured
    Authentication domain: Not configured
    BAS-IPv6: Not configured
    User detection: Not configured
    Action for server detection: Server type Server name Action
    Layer3 source network:...
  • Page 186 Configure extended re-DHCP portal authentication. Before passing portal authentication, the host is assigned a private IP address. After passing portal identity authentication, the host obtains a public IP address and accepts security check. If the host fails the security check, it can access only subnet 192.168.0.0/24.
  • Page 187

    [Switch-radius-rs1] key authentication simple radius
    [Switch-radius-rs1] user-name-format without-domain
    # Specify the security policy server.
    [Switch-radius-rs1] security-policy-server 192.168.0.114
    [Switch-radius-rs1] quit
    # Enable RADIUS session control.
    [Switch] radius session-control enable
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [Switch] domain dm1
    # Configure AAA methods for the ISP domain.
  • Page 188

    [Switch-portal-server-newpt] port 50100
    [Switch-portal-server-newpt] quit
    # Configure a portal Web server.
    [Switch] portal web-server newpt
    [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [Switch-portal-websvr-newpt] quit
    # Enable re-DHCP portal authentication on VLAN-interface 100.
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] portal enable method redhcp
    # Specify the portal Web server newpt on VLAN-interface 100.
    [Switch-Vlan-interface100] portal apply web-server newpt
    # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
  • Page 189: Configuring Extended Cross-Subnet Portal Authentication

    IP address Prefix length
    Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
    • The user can access the resources permitted by ACL 3000 after passing only identity authentication.
  • Page 190

    Configuration prerequisites and guidelines
    • Configure IP addresses for the switch and servers as shown in Figure 59 and make sure the host, switch, and servers can reach each other.
    • Configure the RADIUS server correctly to provide authentication and accounting functions.
    •...
  • Page 191

    NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.
    Configure portal authentication:
    # Configure a portal authentication server.
    [SwitchA] portal server newpt
    [SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
    [SwitchA-portal-server-newpt] port 50100
    [SwitchA-portal-server-newpt] quit
    # Configure a portal Web server.
  • Page 192: Configuring Portal Server Detection And Portal User Synchronization

    BAS-IPv6: Not configured
    User detection: Not configured
    Action for server detection: Server type Server name Action
    Layer3 source network: IP address Prefix length
    Destination authenticate subnet: IP address Prefix length
    Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal.
  • Page 193

    Figure 60 Network diagram
    Configuration prerequisites and guidelines
    • Configure IP addresses for the switch and servers as shown in Figure 60 and make sure the host, switch, and servers can reach each other.
    • Configure the RADIUS server correctly to provide authentication and accounting functions.
    •...
  • Page 194

    Figure 61 Portal authentication server configuration
    Configure the IP address group:
    a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.
    b. Click Add to open the page as shown in Figure
    c.
  • Page 195

    a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
    b. Click Add to open the page as shown in Figure
    c. Enter the device name NAS.
    d. Enter the IP address of the switch's interface connected to the host.
    e.
  • Page 196

    Figure 65 Adding a port group
    Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
    Configuring the switch
    Configure a RADIUS scheme:
    # Create a RADIUS scheme named rs1 and enter its view.
    ...
  • Page 197

    # Configure a portal authentication server.
    [Switch] portal server newpt
    [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
    [Switch-portal-server-newpt] port 50100
    # Configure reachability detection of the portal authentication server: set the server detection interval to 40 seconds, and send log messages upon reachability status changes.
    [Switch-portal-server-newpt] server-detect timeout 40 log
    NOTE: The value of timeout must be greater than or equal to the portal server heartbeat interval.
  • Page 198: Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns

    Configuring cross-subnet portal authentication for MPLS L3VPNs Network requirements As shown in Figure 66, the PE device Switch A provides portal authentication for the host in VPN 1. A portal server in VPN 3 acts as the portal authentication server, portal Web server, and RADIUS server.
  • Page 199

    # Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as that of the portal device specified on the portal authentication server to avoid authentication failures.
    [SwitchA-radius-rs1] nas-ip 3.3.0.3
    [SwitchA-radius-rs1] quit
    # Enable RADIUS session control.
  • Page 200: Configuring Direct Portal Authentication Using The Local Portal Web Server

    State: Online
    VPN instance: vpn3
    VLAN Interface
    0000-0000-0000 3.3.0.1 Vlan-interface3
    Authorization information:
    DHCP IP pool: N/A
    ACL: N/A
    CAR: N/A
    Configuring direct portal authentication using the local portal Web server
    Network requirements
    As shown in Figure 67, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP.
  • Page 201

    # Enable RADIUS session control.
    [Switch] radius session-control enable
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [Switch] domain dm1
    # Configure AAA methods for the ISP domain.
    [Switch-isp-dm1] authentication portal radius-scheme rs1
    [Switch-isp-dm1] authorization portal radius-scheme rs1
    [Switch-isp-dm1] accounting portal radius-scheme rs1
    [Switch-isp-dm1] quit...
  • Page 202

    Authentication domain: Not configured
    Pre-auth domain: Not configured
    User-dhcp-only: Disabled
    Pre-auth IP pool: Not configured
    Max Portal users: Not configured
    Bas-ip: Not configured
    User Detection: Not configured
    Action for server detection: Server type Server name Action
    Layer3 source network: IP address Mask
    Destination authenticate subnet: IP address...
  • Page 203: Troubleshooting Portal

    IP pool: N/A
    ACL: N/A
    CAR: N/A
    Troubleshooting portal
    No portal authentication page is pushed for users
    Symptom
    When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is prompted for the user. The login page is blank.
    Analysis
    The key configured on the portal access device and that configured on the portal authentication server are inconsistent.
  • Page 204: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server. Analysis The HPE IMC server uses session control packets to send disconnection requests to the access device.
  • Page 205 discards the portal notification packet. As a result, the portal authentication server considers that the user has failed the authentication. Solution Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication. Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server.
  • Page 206: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks that require different authentication methods for different users on a port. Port security provides the following functions: •...
  • Page 207 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action.
  • Page 208

    A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 209: General Guidelines And Restrictions

    In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.
    • macAddressOrUserLoginSecureExt. This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users.
    • macAddressElseUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
  • Page 210: Setting Port Security's Limit On The Number Of Secure Mac Addresses On A Port

    Step: Enter system view.
      Command: system-view
    Step: Enable port security.
      Command: port-security enable
      Remarks: By default, this feature is disabled. You can use the undo port-security enable command to disable port security. Because the command logs off the online users, make sure no online users are present. Enabling or disabling port security resets the following security settings to the default:
      •...
  • Page 211

    • You can specify a port security mode when port security is disabled, but your configuration cannot take effect.
    • Changing the port security mode of a port logs off the online users of the port.
    • Do not enable 802.1X authentication or MAC authentication on a port where port security is configured.
  • Page 212: Configuring Port Security Features

    Configuring port security features
    Configuring NTK
    The NTK feature checks the destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. The NTK feature supports the following modes:
    • ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
    •...
  • Page 213: Configuring Secure Mac Addresses

    Step: (Optional.) Set the silence timeout period during which a port remains disabled.
      Command: port-security timer disableport time-value
      Remarks: By default, the port silence timeout is 20 seconds.
    NOTE: On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication fail for the same frame.
  • Page 214: Configuration Prerequisites

    When the maximum number of secure MAC address entries is reached, the port changes to secure mode. In secure mode, the port cannot add or learn any more secure MAC addresses. The port allows only frames sourced from secure MAC addresses or MAC addresses configured by using the mac-address dynamic or mac-address static command to pass through.
  • Page 215: Enabling Mac Move

    To configure a port to ignore authorization information from the server:
    Step: Enter system view.
      Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Ignore the authorization information received from the authentication server.
      Command: port-security authorization ignore
      Remarks: By default, a port uses the authorization information received...
  • Page 216: Applying A Nas-Id Profile To Port Security

    Applying a NAS-ID profile to port security By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests. A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.
  • Page 217: Port Security Configuration Examples

    Port security configuration examples autoLearn configuration example Network requirements As shown in Figure 68, configure port GigabitEthernet 1/0/1 on the device to meet the following requirements: • Accept up to 64 users without authentication. • Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes.
  • Page 218: Userloginwithoui Configuration Example

    MAC move : Denied Authorization fail : Online OUI value list GigabitEthernet1/0/1 is link-up Port mode : autoLearn NeedToKnow mode : Disabled Intrusion protection mode : DisablePortTemporarily Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 64 Current secure MAC addresses Authorization...
  • Page 219 • The RADIUS server at 192.168.1.2 functions as the primary authentication server and the secondary accounting server. The RADIUS server at 192.168.1.3 functions as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and the shared key for accounting is money. •...
  • Page 220: Configure Port Security

    Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP. [Device] dot1x authentication-method chap Configure port security: # Enable port security. [Device] port-security enable # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.) [Device] port-security oui index 1 mac-address 1234-0100-1111 [Device] port-security oui index 2 mac-address 1234-0200-1111...
  • Page 221: Macaddresselseuserloginsecure Configuration Example

    Retransmission Times for Accounting Update : 5 Server Quiet Period(minutes) Realtime Accounting Interval(minutes) : 15 NAS IP Address : Not configured : Not configured User Name Format : without-domain Data flow unit : Million Byte Packet unit : one Attribute 15 check-mode : Strict # After users pass authentication, display port security configuration.
  • Page 222 Configure port GigabitEthernet 1/0/1 of the device to meet the following requirements: • Allow more than one MAC authenticated user to log on. • For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on. •...
  • Page 223 Port security parameters: Port security : Enabled AutoLearn aging time : 0 min Disableport timeout : 30 s MAC move : Denied Authorization fail : Online OUI value list GigabitEthernet1/0/1 is link-up Port mode : macAddressElseUserLoginSecure NeedToKnow mode : NeedToKnowOnly Intrusion protection mode : NoAction Security MAC address attribute...
  • Page 224 Max online users : 4294967295 Authentication attempts : successful 3, failed 7 Current online users MAC address Auth state 1234-0300-0011 Authenticated 1234-0300-0012 Authenticated 1234-0300-0013 Authenticated # Display 802.1X authentication information. Verify that GigabitEthernet 1/0/1 allows only one 802.1X user to be authenticated. [Device] display dot1x interface gigabitethernet 1/0/1 Global 802.1X parameters: 802.1X authentication...
  • Page 225: Troubleshooting Port Security

    Reauth period : 3600 s EAPOL packets: Tx 16331, Rx 102 Sent EAP Request/Identity packets : 16316 EAP Request/Challenge packets: 6 EAP Success packets: 4 EAP Failure packets: 5 Received EAPOL Start packets : 6 EAPOL LogOff packets: 2 EAP Response/Identity packets : 80 EAP Response/Challenge packets: 6 Error packets: 0 Online 802.1X users: 1...
  • Page 226 [Device-GigabitEthernet1/0/1] undo port-security port-mode [Device-GigabitEthernet1/0/1] port-security max-mac-count 64 [Device-GigabitEthernet1/0/1] port-security port-mode autolearn [Device-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1 If the problem persists, contact Hewlett Packard Enterprise Support.
  • Page 227: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 228: Password Updating And Expiration

    when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 229: User Login Control

    Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login With the global password control feature enabled, users must change the password at first login before they can access the system.
  • Page 230: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
  • Page 231: Setting Global Password Control Parameters

    Step: Enable the global password control feature. Command: password-control enable. Remarks: In non-FIPS mode, the global password control feature is disabled by default. In FIPS mode, the global password control feature is enabled by default and cannot be disabled. Step: (Optional.) Enable a specific ... Command: password-control { aging | ... Remarks: By default, all four password...
  • Page 232: Setting User Group Password Control Parameters

    Step: Set the maximum number of history password records for each user. Command: password-control history max-record-num. Remarks: The default setting is 4. Step: Configure the login attempt limit. Command: password-control login-attempt login-times [ exceed { lock | ... Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified ...
  • Page 233: Setting Local User Password Control Parameters

    Setting local user password control parameters Step 1: Enter system view. Command: system-view. Step 2: Create a device management user and enter its view. Command: local-user user-name class manage. Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users.
  • Page 234: Displaying And Maintaining Password Control

    Step: Enter system view. Command: system-view. Step: Set the password expiration time for super passwords. Command: password-control super aging aging-time. Remarks: The default setting is 90 days. Step: Configure the minimum length for super passwords. Command: password-control super length ... Remarks: In non-FIPS mode, the default setting is 10 characters.
  • Page 235: Configuration Procedure

    • An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in. • A user can log in five times within 60 days after the password expires. • A password expires after 30 days. •...
  • Page 236: Verifying The Configuration

    [Sysname] password-control super length 24 # Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type. [Sysname] password-control super composition type-number 4 type-length 5 # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
  • Page 237 Password length: Enabled (24 characters) Password composition: Enabled (4 types, 5 characters per type) # Display the password control configuration for local user test. display local-user user-name test class manage Total 1 local users matched. Device management user test: State: Active Service type:...
  • Page 238: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 71.
  • Page 239 • Enter an appropriate key modulus length at the prompt (see Table 17). The longer the key modulus length, the higher the security, the longer the key generation time. • If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
  • Page 240: Distributing A Local Host Public Key

    Distributing a local host public key You must distribute a local host public key to a peer device so the peer device can perform the following operations: • Use the public key to encrypt information sent to the local device. •...
  • Page 241: Destroying A Local Key Pair

    Task Command Display local DSA public keys. display public-key local dsa public [ name key-name ] NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs: •...
  • Page 242: Entering A Peer Host Public Key

    Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
  • Page 243 Figure 72 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).
  • Page 244: Example For Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea Key type: RSA...
  • Page 245 system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 246 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> binary 200 TYPE is now 8-bit binary ftp> get devicea.pub 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred 301 bytes received in 0.003 seconds (98.0 kbyte/s)
  • Page 247: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 248: Fips Compliance

    Figure 75 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 249 Step: (Optional.) Disable specific SSL protocol versions on the ... Command: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable. Remarks: By default: In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and ...
  • Page 250 Step Command Remarks • In non-FIPS mode: ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 |...
  • Page 251: Configuring An Ssl Client Policy

    Step: Set the maximum number of sessions that the SSL server can cache. Command: session cachesize size. Remarks: By default, an SSL server can cache a maximum of 500 sessions. Step: Enable the SSL server to ... Remarks: By default, SSL client authentication is disabled. When authenticating a client by using the digital certificate, the SSL server verifies the...
  • Page 252 Step Command Remarks • In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 | •...
  • Page 253: Displaying And Maintaining Ssl

    Step: Specify the SSL protocol version for the SSL client ... Command: version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }. Remarks: In non-FIPS mode: By default, an SSL client policy uses TLS 1.0. As a best practice to ensure •...
  • Page 254 Configuration procedure Make sure the device, the host, and the CA server can reach each other. (Details not shown.) Configure the device: # Create a PKI entity named en. Specify http-server1 as the common name and ssl.security.com as the FQDN. ...
  • Page 255 # Enable client authentication. [Device-ssl-server-policy-myssl] client-verify enable [Device-ssl-server-policy-myssl] quit # Configure the HTTPS service to use SSL server policy myssl. [Device] ip https ssl-server-policy myssl # Enable the HTTPS service. [Device] ip https enable # Create a local user named usera. Set the password to 123, service type to https, and user role to network-admin.
  • Page 256: Configuring Pki

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 257: Pki Architecture

    • The private key is compromised. • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 258: Pki Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 259: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
  • Page 260: Configuring A Pki Domain

    Step 1: Create a PKI entity and enter its view. Command: pki entity entity-name. Remarks: By default, no PKI entities exist. To create multiple PKI entities, repeat this step. Step 2: Set a common name for the entity. Command: common-name ... Remarks: By default, the common name is not set.
  • Page 261 Step: (Optional.) Set the SCEP polling interval and maximum number of polling attempts. Command: certificate request polling { count count | interval minutes }. Remarks: By default, the device polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts...
  • Page 262: Requesting A Certificate

    Step 11: (Optional.) Specify the intended use for the certificate. Command: usage { ike | ssl-client | ssl-server } *. Remarks: By default, the certificate can be used by both SSL clients and SSL servers. The extension options contained in an issued certificate depend on the CA policy, and they might be...
  • Page 263: Configuring Automatic Certificate Request

    • After a new certificate is obtained, do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the local certificate. Otherwise, the existing local certificate becomes unavailable. •...
  • Page 264: Aborting A Certificate Request

    Step: Obtain a CA certificate. Remarks: See "Obtaining certificates." Step: Submit a certificate request or generate a certificate request in ... Command: pki request-certificate domain domain-name [ password password ]. Remarks: This command is not saved in the configuration file. This command triggers the PKI entity to automatically generate a key pair if the key pair specified in the PKI domain...
  • Page 265: Configuration Guidelines

    Configuration guidelines • To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password. • If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.
  • Page 266: Verifying Certificates Without Crl Checking

    If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained. When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain of the domain.
  • Page 267: Specifying The Storage Path For The Certificates And Crls

    Specifying the storage path for the certificates and CRLs CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs. The device has a default storage path for certificates and CRLs. You can change the storage path and specify different paths for the certificates and CRLs.
  • Page 268: Removing A Certificate

    Removing a certificate You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you remove the CA certificate, the system automatically removes the local certificates, peer certificates, and CRLs in the domain. You can remove a local certificate and request a new one when the local certificate is about to expire or the certificate's private key is compromised.
  • Page 269: Displaying And Maintaining Pki

    Step 1: Enter system view. Command: system-view. Step 2: Create a certificate attribute group and enter its view. Command: pki certificate attribute-group group-name. Remarks: By default, no certificate attribute groups exist. Step 3: (Optional.) Configure an attribute rule for issuer ... Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } }... Remarks: By default, no attribute rules are...
  • Page 270: Requesting A Certificate From An Rsa Keon Ca Server

    Requesting a certificate from an RSA Keon CA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server. Figure 79 Network diagram Configuring the RSA Keon CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA.
  • Page 271 [Device-pki-domain-torsa] certificate request entity aaa # Specify the URL of the CRL repository. [Device-pki-domain-torsa] crl url ldap://1.1.2.22:389/CN=myca # Specify a 1024-bit general-purpose RSA key pair named abc for certificate request. [Device-pki-domain-torsa] public-key rsa general name abc length 1024 [Device-pki-domain-torsa] quit Generate a local RSA key pair.
  • Page 272: Requesting A Certificate From A Windows Server 2003 Ca Server

    Modulus: (modulus bytes omitted) Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption (signature bytes omitted) To display detailed information about the CA certificate, use the display pki certificate domain command.
  • Page 273 d. Set the CA name. In this example, set the CA name to myca. Install the SCEP add-on: By default, Windows Server 2003 does not support SCEP. You must install the SCEP add-on on the server for a PKI entity to register and obtain a certificate from the server. After the SCEP add-on installation is complete, you will see a URL.
  • Page 274 [Device] public-key local create rsa name abc The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 275 (remaining modulus bytes omitted) Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access:...
  • Page 276: Requesting A Certificate From An Openca Server

    To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from an OpenCA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server. Figure 81 Network diagram Configuring the OpenCA server The configuration is not shown.
  • Page 277 Generate RSA key pair abc. [Device] public-key local create rsa name abc The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 278 (remaining modulus bytes omitted) Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B...
  • Page 279: Certificate-Based Access Control Policy Configuration Example

    To display detailed information about the CA certificate, use the display pki certificate domain command. Certificate-based access control policy configuration example Network requirements As shown in Figure 82, the host accesses the device through HTTPS. Configure a certificate-based access control policy on the device to authenticate the host and verify the validity of the host's certificate.
  • Page 280: Certificate Import And Export Configuration Example

    [Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple [Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc [Device-pki-cert-attribute-group-mygroup2] quit Configure a certificate-based access control policy: # Create a certificate-based access control policy named myacp. [Device] pki certificate access-control-policy myacp # Define a statement to deny the certificates that match the attribute rules in certificate attribute group mygroup1.
  • Page 281 Figure 83 Network diagram Configuration procedure Export the certificate on Device A: # Export the CA certificate to a .pem file. system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with password 111111.
  • Page 282 friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: ...
  • Page 283 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: (modulus bytes omitted)...
  • Page 284 Signature Algorithm: sha256WithRSAEncryption (signature bytes omitted) Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info:...
  • Page 285: Troubleshooting Pki Configuration

    Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:[email protected] X509v3 Issuer Alternative Name: DNS:[email protected], DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/ X509v3 CRL Distribution Points:...
  • Page 286: Failed To Obtain The Ca Certificate

    Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No trusted CA is specified. •...
  • Page 287: Failed To Request Local Certificates

    Specify the key pair for certificate request, or remove the existing key pair, specify a new key pair, and submit a local certificate request again. Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements.
  • Page 288: Failed To Obtain Crls

    Failed to obtain CRLs Symptom CRLs cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • The PKI domain does not have a CA certificate before you try to obtain CRLs. •...
  • Page 289: Failed To Import The Local Certificate

    Solution Use the undo crl check enable command to disable CRL checking in the PKI domain. Make sure the format of the imported file is correct. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to import the local certificate Symptom The local certificate cannot be imported.
  • Page 290: Failed To Set The Storage Path

    Solution Obtain or request local certificates first. Use the mkdir command to create the required path. Specify a correct export path. Configure the correct key pair in the PKI domain. Clear up the storage space of the device. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set.
  • Page 291: Configuring Ipsec

    Configuring IPsec Overview IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
  • Page 292 algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
  • Page 293: Security Association

    Security association A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA comprises the following parameters for data protection: • Security protocols (AH, ESP, or both). • Encapsulation mode (transport mode or tunnel mode). •...
  • Page 294: Ipsec Implementation

    • AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES. Crypto engine The IPsec feature is resource intensive for its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use crypto engine to offload IPsec tasks. The crypto engine processes all IPsec protected packets and hands the processed packets back to the device for forwarding.
  • Page 295: Ipsec Rri

    Application-based IPsec Application-based IPsec does not require any ACL. You can implement application-based IPsec by binding an IPsec profile to an application protocol. All packets of the application protocol are encapsulated with IPsec. This method can be used to protect IPv6 routing protocols. The supported IPv6 routing protocols include OSPFv3, IPv6 BGP, and RIPng.
  • Page 296: Protocols And Standards

    IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a headquarters gateway). Protocols and standards • RFC 2401, Security Architecture for the Internet Protocol • RFC 2402, IP Authentication Header • RFC 2406, IP Encapsulating Security Payload •...
  • Page 297: Configuring An Acl

    Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode. Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime.
  • Page 298: Configuring An Ipsec Transform Set

    permit statement are processed. Other packets are dropped. If ACL checking for de-encapsulated IPsec packets is disabled, the de-encapsulated packets are not compared against the ACL rules and are directly processed by other modules. When defining ACL rules for IPsec, follow these guidelines: •...
  • Page 299 Step Command Remarks. Step: (In non-FIPS mode.) Specify the encryption algorithm for ESP. Command: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | ... Remarks: Configure at least one command. By default, no security algorithm is specified.
  • Page 300: Configuring A Manual Ipsec Policy

    Step Command Remarks. Step: (Optional.) Enable the... Command: In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | ... Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the...
  • Page 301 Step Command Remarks. Step: (Optional.) Configure a description for the IPsec policy. Command: description text. Remarks: By default, no description is configured. Step: Specify an ACL for the IPsec policy. Command: security acl [ ipv6 ] { acl-number... Remarks: By default, no ACL is specified for an IPsec policy.
  • Page 302: Configuring An Ike-Based Ipsec Policy

    Step Command Remarks. Command: • Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value • Configure an authentication key in character format for... Remarks: By default, no keys are configured for the IPsec SA.
  • Page 303 • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end. •...
  • Page 304 Step Command Remarks. Step: Specify the local IP address... Command: local-address { ipv4-address | ... Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which...
  • Page 305 Step Command Remarks. Step: Create an IPsec policy template and enter its view. Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number. Remarks: By default, no IPsec policy template exists. Step: (Optional.) Configure a description for the IPsec... Command: description text. Remarks: By default, no description is configured.
  • Page 306: Applying An Ipsec Policy To An Interface

    Step Command Remarks. Step 12. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature. Command: tfc enable. Remarks: By default, the TFC padding feature is disabled. Step 13. Return to system view. Command: quit. Step 14. Configure the global SA lifetime. Command: ipsec sa global-duration { time-based seconds | ... Remarks: By default, time-based SA lifetime is 3600 seconds, and...
  • Page 307: Enabling Acl Checking For De-Encapsulated Packets

    Step Command Remarks. Step: Specify a service module or an Ethernet interface module... Command: • In standalone mode: service slot slot-number • ... Remarks: By default, no service module or Ethernet interface module is specified. It is required when the following conditions are met: •...
  • Page 308: Configuring Ipsec Anti-Replay Redundancy

    IMPORTANT: • IPsec anti-replay is enabled by default. Failure to detect anti-replay attacks might result in denial of services. Use caution when you disable IPsec anti-replay. • Specify an anti-replay window size that is as small as possible to reduce the impact on system performance.
  • Page 309: Binding A Source Interface To An Ipsec Policy

    Binding a source interface to an IPsec policy For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.
  • Page 310: Enabling Logging Of Ipsec Packets

    Step Command Remarks. Step: Enter IPsec policy view or IPsec policy template view. Command: • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ] • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number. Remarks: By default, QoS pre-classify is...
  • Page 311: Configuring The Df Bit Of Ipsec Packets

    Step Command Remarks. Step: Enter system view. Command: system-view. Step: Enter IPsec policy view or IPsec policy template view. Command: • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number isakmp • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number. Remarks: By default, IPsec RRI is...
  • Page 312: Configuring Ipsec For Ipv6 Routing Protocols

    Step Command Remarks. Step: Enter interface view. Command: interface interface-type interface-number. Step: Configure the DF bit of IPsec packets on the interface. Command: ipsec df-bit { clear | copy | set }. Remarks: By default, the interface uses the global DF bit setting. To configure the DF bit of IPsec packets globally: Step Command Remarks...
  • Page 313: Configuring Snmp Notifications For Ipsec

    the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group. • The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the key at one end is entered as a string of characters, the key on the other end must also be entered as a string of characters.
  • Page 314: Displaying And Maintaining Ipsec

    displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide. To generate and output SNMP notifications for a specific IPsec failure or event type, perform the following tasks: Enable SNMP notifications for IPsec globally. Enable SNMP notifications for the failure or event type. To configure SNMP notifications for IPsec: Step Command...
  • Page 315: Ipsec Configuration Examples

    IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 88, establish an IPsec tunnel between Switch A and Switch B to protect the data flows in between. Configure the tunnel as follows: •...
  • Page 316 [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg [SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba [SwitchA-ipsec-policy-manual-map1-10] quit # Apply the IPsec policy map1 to interface VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec apply policy map1 # Specify a service module or an Ethernet interface module for forwarding the traffic on the...
  • Page 317: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [SwitchB-ipsec-policy-manual-use1-10] quit # Apply the IPsec policy use1 to interface VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1 # Specify a service module or an Ethernet interface module for forwarding the traffic on the interface. [SwitchB-Vlan-interface1] service slot 3 [SwitchB-Vlan-interface1] quit Verifying the configuration After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established,...
  • Page 318 Figure 89 Network diagram Configuration procedure Configure Switch A: # Configure an IP address for VLAN-interface 1. system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Configure an ACL to identify data flows between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] quit...
  • Page 319 # Apply the IKE profile profile1. [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1 [SwitchA-ipsec-policy-isakmp-map1-10] quit # Apply the IPsec policy map1 to interface VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec apply policy map1 # Specify a service module or an Ethernet interface module for forwarding the traffic on the interface.
  • Page 320: Configuring An Ike-Based Ipsec Tunnel For Ipv6 Packets

    [SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1 [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1 # Apply the IKE profile profile1. [SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1 [SwitchB-ipsec-policy-isakmp-use1-10] quit # Apply the IPsec policy use1 to interface VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1 # Specify a service module or an Ethernet interface module for forwarding the traffic on the interface.
  • Page 321 # Specify the ESP encryption and authentication algorithms. [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit # Create and configure the IKE keychain named keychain1. [SwitchA] ike keychain keychain1 [SwitchA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&! [SwitchA-ike-keychain-keychain1] quit # Create and configure the IKE profile named profile1.
  • Page 322: Configuring Ipsec For Ripng

    # Specify the security protocol as ESP. [SwitchB-ipsec-transform-set-tran1] protocol esp # Specify the ESP encryption and authentication algorithms. [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit # Create and configure the IKE keychain named keychain1. [SwitchB] ike keychain keychain1 [SwitchB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&! [SwitchB-ike-keychain-keychain1] quit...
  • Page 323 Figure 91 Network diagram Requirements analysis To meet the network requirements, perform the following tasks: Configure basic RIPng. For more information about RIPng configurations, see Layer 3—IP Routing Configuration Guide. Configure an IPsec profile. The IPsec profiles on all the switches must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode.
  • Page 324 Configure Switch B: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure basic RIPng. system-view [SwitchB] ripng 1 [SwitchB-ripng-1] quit [SwitchB] interface vlan-interface 200 [SwitchB-Vlan-interface200] ripng 1 enable [SwitchB-Vlan-interface200] quit [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ripng 1 enable [SwitchB-Vlan-interface100] quit # Create and configure the IPsec transform set named tran1.
  • Page 325 # Create and configure the IPsec profile named profile001. [SwitchC] ipsec profile profile001 manual [SwitchC-ipsec-profile-profile001] transform-set tran1 [SwitchC-ipsec-profile-profile001] sa spi outbound esp 123456 [SwitchC-ipsec-profile-profile001] sa spi inbound esp 123456 [SwitchC-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg [SwitchC-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg [SwitchC-ipsec-profile-profile001] quit # Apply the IPsec profile to RIPng process 1.
  • Page 326 No duration limit for this SA...
  • Page 327: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec. IKE provides the following benefits for IPsec: •...
  • Page 328: Ike Security Mechanism

    Figure 93 IKE exchange process in main mode As shown in Figure 93, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number.
  • Page 329: Protocols And Standards

    DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Due to the decryption complexity, a third party cannot decrypt the keys even after intercepting all keying materials. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
  • Page 330: Configuring An Ike Profile

    Tasks at a glance Remarks (Optional.) Configuring the IKE keepalive feature (Optional.) Configuring the IKE NAT keepalive feature (Optional.) Configuring IKE DPD (Optional.) Enabling invalid SPI recovery (Optional.) Setting the maximum number of IKE SAs (Optional.) Configuring SNMP notifications for IKE Configuring an IKE profile An IKE profile is intended to provide a set of parameters for IKE negotiation.
  • Page 331 c. If a tie still exists, the device prefers an IKE profile configured earlier. To configure an IKE profile: Step Command Remarks. Step: Enter system view. Command: system-view. Step: Create an IKE profile and enter its view. Command: ike profile profile-name. Remarks: By default, no IKE profile is...
  • Page 332: Configuring An Ike Proposal

    Step Command Remarks. Step: (Optional.) Specify the local interface or IP address to which the IKE profile can... Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance ... Remarks: By default, an IKE profile can be applied to any local interface or IP address.
  • Page 333: Configuring An Ike Keychain

    Step Command Remarks. Step: Specify an authentication method for the IKE proposal. Command: authentication-method { dsa-signature | pre-share | rsa-signature }. Remarks: By default, an IKE proposal uses the pre-shared key authentication method. Step: Specify an authentication... Command: • In non-FIPS mode: authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }... Remarks: By default, an IKE proposal...
  • Page 334: Configuring The Global Identity Information

    Step Command Remarks. Step: Configure a pre-shared... Command: • In non-FIPS mode: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }... Remarks: By default, no pre-shared key is configured. For security purposes, all...
  • Page 335: Configuring The Ike Keepalive Feature

    Configuring the IKE keepalive feature IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
  • Page 336: Enabling Invalid Spi Recovery

    The local device sends a DPD message to the peer, and waits for a response from the peer. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message. If still no response is received within the retry interval, the local end sends the DPD message again.
  • Page 337: Setting The Maximum Number Of Ike Sas

    Setting the maximum number of IKE SAs You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. • The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
  • Page 338: Displaying And Maintaining Ike

    Displaying and maintaining IKE Execute display commands in any view and reset commands in user view. Task Command. Task: Display configuration information about all IKE proposals. Command: display ike proposal. Task: Display information about the current IKE SAs. Command: display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ]. Task: Delete IKE SAs.
  • Page 339 # Use the ESP protocol for the IPsec transform set. [SwitchA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit # Create an IKE keychain named keychain1. [SwitchA] ike keychain keychain1 # Specify plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 2.2.2.2.
  • Page 340 [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchB] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set.
  • Page 341: Aggressive Mode With Rsa Signature Authentication Configuration Example

    Verifying the configuration # Initiate a connection from Switch A to Switch B to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two switches is IPsec protected. Aggressive mode with RSA signature authentication configuration example This configuration example is not available when the device is operating in FIPS mode.
  • Page 342 # Set the common name as switcha for the PKI entity. [SwitchA-pki-entity-entity1] common-name switcha [SwitchA-pki-entity-entity1] quit # Create a PKI domain named domain1. [SwitchA] pki domain domain1 # Set the certificate request mode to auto and set the password to 123 for certificate revocation. [SwitchA-pki-domain-domain1] certificate request mode auto password simple 123 # Set an MD5 fingerprint for verifying the validity of the CA root certificate.
  • Page 343 # Specify IPsec transform set tran1 for the IPsec policy. [SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Specify ACL 3101 to identify the traffic to be protected. [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101 # Specify IKE profile profile1 for the IPsec policy. [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1 [SwitchA-ipsec-policy-isakmp-map1-10] quit # Apply the IPsec policy map1 to VLAN-interface 1.
  • Page 344 [SwitchB-pki-domain-domain2] ca identifier 8088 # Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses the URL of http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7. [SwitchB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7 # Specify the CA to accept certificate requests. [SwitchB-pki-domain-domain2] certificate request from ca # Specify the PKI entity for certificate request as entity2.
  • Page 345: Troubleshooting Ike

    Verifying the configuration # Initiate a connection from Switch A to Switch B to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two switches is IPsec protected. Troubleshooting IKE IKE negotiation failed because no matching IKE proposals were found Symptom The IKE SA is in Unknown state.
  • Page 346: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    IKE packet debugging message: Construct notification packet: PAYLOAD_MALFORMED. Analysis • If the following debugging information appeared, the matched IKE profile is not using the matched IKE proposal: Failed to find proposal 1 in profile profile1. • If the following debugging information appeared, the matched IKE profile is not using the matched IKE keychain: Failed to find keychain keychain1 in profile profile1.
  • Page 347 Analysis Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows: Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy has an IKE profile specified, the IPsec SA negotiation fails.
  • Page 348 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time: Verify that the ACL used by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
  • Page 349 For example: [Sysname] display acl 3000 Advanced ACL 3000, named -none-, 2 rules, ACL's step is 5 rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255 Configure the missing settings (for example, the remote address).
  • Page 350: Configuring Ikev2

    Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. The same as IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange ability and needs fewer message exchanges than IKEv1.
  • Page 351: New Features In Ikev2

    New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
  • Page 352: Configuring An Ikev2 Profile

    • The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
  • Page 353 Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
  • Page 354 Step Command Remarks. Step: Configure the local and remote identity authentication methods. Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }. Remarks: By default, no local or remote identity authentication method is configured. By default, no keychain is specified for an IKEv2 profile.
  • Page 355: Configuring An Ikev2 Policy

    Step Command Remarks. Step 14. (Optional.) Set the IKEv2 NAT keepalive interval. Command: nat-keepalive seconds. Remarks: By default, the global IKEv2 NAT keepalive setting is used. Step 15. (Optional.) Enable the configuration exchange... Command: config-exchange { request | set { accept | send } }. Remarks: By default, all configuration exchange options are disabled.
  • Page 356: Configuring An Ikev2 Proposal

    Configuring an IKEv2 proposal An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority. A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
  • Page 357: Configuring An Ikev2 Keychain

    Step Command Remarks. Step: Specify the integrity protection algorithms. Command: In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } * Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms. In non-FIPS mode:...
  • Page 358: Configure Global Ikev2 Parameters

    Step Command Remarks. Step: Configure the information... Command: • To configure a host name for the peer: hostname host-name • To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ... Remarks: By default, no hostname, host IP address, address range, or identity information is configured...
  • Page 359: Configuring The Ikev2 Nat Keepalive Feature

    Step Command Remarks. Step: Enter system view. Command: system-view. Step: Configure global IKEv2 DPD. Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }. Remarks: By default, global DPD is disabled. Configuring the IKEv2 NAT keepalive feature Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
  • Page 360: Ikev2 Configuration Examples

    Task Command. Task: Display the IKEv2 policy configuration. Command: display ikev2 policy [ policy-name | default ]. Task: Display the IKEv2 profile configuration. Command: display ikev2 profile [ profile-name ]. Task: Display the IKEv2 SA information. Command: display ikev2 sa [ { count | local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance...
  • Page 361 # Specify the encryption and authentication algorithms. [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit # Create an IKEv2 keychain named keychain1. [SwitchA] ikev2 keychain keychain1 # Create an IKEv2 peer named peer1. [SwitchA-ikev2-keychain-keychain1] peer peer1 # Specify the peer IP address 2.2.2.2/24. [SwitchA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 24 # Specify the peer ID, which is the IP address 2.2.2.2.
  • Page 362 system-view [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure IPv4 advanced ACL 3101 to identify the traffic between Switch B and Switch A. [SwitchB] acl advanced 3101 [SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1.
  • Page 363: Ikev2 With Rsa Signature Authentication Configuration Example

    # Specify the IPsec transform set tran1 for the IPsec policy. [SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1 # Specify the IKEv2 profile profile1 for the IPsec policy. [SwitchB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1 [SwitchB-ipsec-policy-isakmp-use1-10] quit # Apply the IPsec policy use1 to VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1 # Specify an Ethernet interface module or a service module for forwarding the traffic on the interface.
  • Page 364 # Set the packet encapsulation mode to tunnel. [SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [SwitchA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit # Create a PKI entity named entity1.
  • Page 365 [SwitchA-ikev2-profile-profile1] quit # Create an IKEv2 proposal named 10. [SwitchA] ikev2 proposal 10 # Specify the integrity protection algorithm as HMAC-MD5. [SwitchA-ikev2-proposal-10] integrity md5 # Specify the encryption algorithm as 3DES-CBC. [SwitchA-ikev2-proposal-10] encryption 3des-cbc # Specify the DH group as Group 1. [SwitchA-ikev2-proposal-10] dh group1 # Specify the PRF algorithm as HMAC-MD5.
  • Page 366 # Set the packet encapsulation mode to tunnel. [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [SwitchB-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit # Create a PKI entity named entity2.
  • Page 367 [SwitchB] ikev2 proposal 10 # Specify the integrity protection algorithm as HMAC-MD5. [SwitchB-ikev2-proposal-10] integrity md5 # Specify the encryption algorithm as 3DES-CBC. [SwitchB-ikev2-proposal-10] encryption 3des-cbc # Specify the DH group as Group 1. [SwitchB-ikev2-proposal-10] dh group1 # Specify the PRF algorithm as HMAC-MD5. [SwitchB-ikev2-proposal-10] prf md5 [SwitchB-ikev2-proposal-10] quit # Create an IKEv2 policy named 1.
  • Page 368: Troubleshooting Ikev2

    Troubleshooting IKEv2 IKEv2 negotiation failed because no matching IKEv2 proposals were found Symptom The IKEv2 SA is in IN-NEGO status. display ikev2 sa Tunnel ID Local Remote Status --------------------------------------------------------------------------- 123.234.234.124/500 123.234.234.123/500 IN-NEGO Status: IN-NEGO: Negotiating, EST: Establish, DEL:Deleting Analysis Certain IKEv2 proposal settings are incorrect.
  • Page 369 Solution Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends. If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the next step.
  • Page 370: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 371: Ssh Authentication Methods

    Stages | Description
    Version negotiation: The two parties determine a version to use after negotiation.
    Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties determine to use the following algorithms:
    • Key exchange algorithm for generating session keys.
    •...
  • Page 372: Ssh Support For Suite B

    NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
    Publickey authentication
    The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
    The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
  • Page 373: Fips Compliance

    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS."
    Configuring the device as an SSH server
    SSH server configuration task list
    Tasks at a glance | Remarks...
  • Page 374: Enabling The Stelnet Server

    • SSH supports locally generated DSA, RSA, and ECDSA key pairs only with default names.
    • To support SSH clients that use different types of key pairs, generate DSA, RSA, and ECDSA key pairs on the SSH server.
    • The SSH server operating in FIPS mode supports only RSA and ECDSA key pairs. If both RSA and ECDSA key pairs exist on the server, the server uses the ECDSA key pair.
  • Page 375: Enabling The Scp Server

    Enabling the SCP server
    After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients.
    To enable the SCP server:
    Step | Command...
  • Page 376: Configuring A Client's Host Public Key

    Step | Command | Remarks
    Set the login authentication mode to scheme. | authentication-mode scheme | By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference.
    Configuring a client's host public key
    In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key.
  • Page 377: Configuring An Ssh User

    Step | Command
    Enter system view. | system-view
    Import a client's public key from the public key file. | public-key peer keyname import sshkey filename
    Configuring an SSH user
    Configure an SSH user and a local user depending on the authentication method.
    • If the authentication method is publickey, you must create an SSH user and a local user on the SSH server.
  • Page 378: Configuring The Ssh Management Parameters

    For a client that sends the user's public key information to the server through a digital certificate, specify a PKI domain on the server to verify the client's digital certificate. For successful verification, the specified PKI domain must have the correct CA certificate. To specify the PKI domain, use the ssh user or ssh server pki-domain command.
  • Page 379: Specifying A Pki Domain For The Ssh Server

    Step | Command | Remarks
    Specify an ACL to control SSH user connections.
      • Control IPv4 SSH user connections: ssh server acl acl-number
      • Control IPv6 SSH user connections: ssh server ipv6 acl [ ipv6 ] acl-number...
    Remarks: By default, all SSH users are allowed to initiate connections with the SSH server.
  • Page 380: Specifying The Source Ip Address For Ssh Packets

    Tasks at a glance
    (Optional.) Establishing a connection to an Stelnet server based on Suite B
    Specifying the source IP address for SSH packets
    As a best practice, specify the IP address of the loopback interface as the source address of SSH packets for the following purposes:
    •...
  • Page 381
    Task | Command | Remarks
    • (In non-FIPS mode.) Establish a connection to an IPv4 Stelnet server:
      ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |...
  • Page 382
    Task | Command | Remarks
    • (In non-FIPS mode.) Establish a connection to an IPv6 Stelnet server:
      ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc |...
  • Page 383: Establishing A Connection To An Stelnet Server Based On Suite B

    Establishing a connection to an Stelnet server based on Suite B
    Task | Command | Remarks
    • Establish a connection to an IPv4 Stelnet server based on Suite B:
      ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value |...
  • Page 384: Establishing A Connection To An Sftp Server

    Step | Command | Remarks
    Enter system view. | system-view
    Specify the source address for SFTP packets.
      • Specify the source IPv4 address for SFTP packets: sftp client source { ip ip-address | interface interface-type ...
    Remarks: By default, the source IP address for SFTP packets is not configured. The IPv4 SFTP packets use the primary IP address of the output...
  • Page 385
    Task | Command | Remarks
    • (In non-FIPS mode.) Establish a connection to an IPv4 SFTP server:
      sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |...
  • Page 386: Establishing A Connection To An Sftp Server Based On Suite B

    Task | Command | Remarks
    • (In non-FIPS mode.) Establish a connection to an IPv6 SFTP server:
      sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc |...
  • Page 387: Working With Sftp Directories

    Task | Command | Remarks
    • Establish a connection to an IPv4 SFTP server based on Suite B:
      sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type ...
    Remarks: Available in user view.
  • Page 388: Displaying Help Information

    Task | Command | Remarks
    Available in SFTP client view.
    Display files under a directory.
      • dir [ -a | -l ] [ remote-path ]
      • ls [ -a | -l ] [ remote-path ]
    Remarks: Available in SFTP client view. The dir command has the same function as the ls command.
  • Page 389
    Task | Command | Remarks
    • (In non-FIPS mode.) Connect to an IPv4 SCP server, and transfer files with this server:
      scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |...
  • Page 390
    Task | Command | Remarks
    • (In non-FIPS mode.) Connect to an IPv6 SCP server, and transfer files with this server:
      scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain...
  • Page 391: Establishing A Connection To An Scp Server Based On Suite B

    Establishing a connection to an SCP server based on Suite B
    Task | Command | Remarks
    • Establish a connection to an IPv4 SCP server based on Suite B:
      scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain...
  • Page 392: Specifying Public Key Algorithms For Ssh2

    Step | Command | Remarks
    Specify key exchange algorithms for SSH2.
      • In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
      •...
    Remarks: By default, SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and...
  • Page 393: Specifying Mac Algorithms For Ssh2

    Specifying MAC algorithms for SSH2
    Step | Command | Remarks
    Enter system view. | system-view
    Specify MAC algorithms for SSH2.
      • In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
      •...
    Remarks: By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and...
  • Page 394
    Establish an Stelnet connection between the host and the switch, so you can log in to the switch to manage configurations.
    Figure 99 Network diagram (Stelnet client: Host, 192.168.1.56/24; Stelnet server: Switch, Vlan-int2, 192.168.1.40/24)
    Configuration procedure
    Configure the Stelnet server:
    # Generate RSA key pairs.
  • Page 395
    [Switch-line-vty0-15] authentication-mode scheme
    [Switch-line-vty0-15] quit
    # Create a local device management user client001.
    [Switch] local-user client001 class manage
    # Set the password to aabbcc in plain text for the local user client001.
    [Switch-luser-manage-client001] password simple aabbcc
    # Authorize the local user client001 to use the SSH service.
    [Switch-luser-manage-client001] service-type ssh
    # Assign the user role network-admin to the local user client001.
  • Page 396: Publickey Authentication Enabled Stelnet Server Configuration Example

    If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
    Publickey authentication enabled Stelnet server configuration example
    Network requirements
    As shown in...
  • Page 397
    Figure 102 Generating a key pair on the client
    b. Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 103. Otherwise, the progress bar stops moving and the key pair generation process stops.
  • Page 398
    c. After the key pair is generated, click Save public key to save the public key. A file saving window appears.
    Figure 104 Saving a key pair on the client
    d. Enter a file name (key.pub in this example), and click Save.
    e.
  • Page 399
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++*
    ..+..+..+........+ ...+....+..+...+
    Create the key pair successfully.
  • Page 400
    Figure 105 Specifying the host name (or IP address)
    c. Select Connection > SSH from the navigation tree. The window shown in Figure 106 appears.
    d. Specify the Preferred SSH protocol version as 2.
    Figure 106 Specifying the preferred SSH version...
  • Page 401: Password Authentication Enabled Stelnet Client Configuration Example

    e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 107 appears.
    f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
    Figure 107 Specifying the private key file
    a.
  • Page 402
    Configuration procedure
    Configure the Stelnet server:
    # Generate RSA key pairs.
    system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 403
    # Assign the user role network-admin to the local user client001.
    [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client001] quit
    # Create an SSH user client001. Specify the service type as stelnet and the authentication method as password for the user.
    [SwitchB] ssh user client001 service-type stelnet authentication-type password
    Establish a connection to the Stelnet server:
    # Assign an IP address to VLAN-interface 2.
  • Page 404: Publickey Authentication Enabled Stelnet Client Configuration Example

    01F7C62621216D5A572C379A32AC290
    [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D
    [SwitchA-pkey-public-key-key1]485348
    [SwitchA-pkey-public-key-key1] peer-public-key end
    [SwitchA] quit
    # Establish an SSH connection to the server, and specify the host public key of the server.
    ssh2 192.168.1.40 publickey key1
    Username: client001
    client001@192.168.1.40's password:
    After you enter the correct password, you successfully log in to Switch B. If the client does not have the server's host public key, the system will prompt you to confirm further access when you access the server.
  • Page 405
    # Generate a DSA key pair.
    [SwitchA] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
  • Page 406: Stelnet Configuration Example Based On 128-Bit Suite B Algorithms

    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    # Set the authentication mode to AAA for the user lines.
    [SwitchB] line vty 0 15
    [SwitchB-line-vty0-15] authentication-mode scheme
    [SwitchB-line-vty0-15] quit
    # Import the peer public key from the file key.pub, and name it switchkey.
    [SwitchB] public-key peer switchkey import sshkey key.pub
    # Create an SSH user client002.
  • Page 407
    Figure 110 Network diagram
    Configuration procedure
    Generate the client's certificate and the server's certificate. (Details not shown.)
    You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties. In this example, the server's certificate file is ssh-server-ecdsa256.p12 and the client's certificate file is ssh-client-ecdsa256.p12.
  • Page 408
    # Create a PKI domain named client256 for the client's certificate and enter its view.
  • Page 409
  • Page 410: Sftp Configuration Examples

    [SwitchB] ssh server enable
    # Assign an IP address to VLAN-interface 2.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    # Set the authentication mode to AAA for user lines.
    [SwitchB] line vty 0 15
    [SwitchB-line-vty0-15] authentication-mode scheme
    [SwitchB-line-vty0-15] quit
    # Create a local device management user client001.
  • Page 411: Password Authentication Enabled Sftp Server Configuration Example

    Password authentication enabled SFTP server configuration example
    Network requirements
    As shown in Figure 111:
    • The switch acts as the SFTP server and uses password authentication.
    • The username and password of the client are saved on the switch.
    Establish an SFTP connection between the host and the switch, so you can log in to the switch to manage and transfer files.
  • Page 412
    # Enable the SFTP server.
    [Switch] sftp server enable
    # Assign an IP address to VLAN-interface 2. The client uses this address as the destination for SSH connection.
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Create a local device management user client002.
    [Switch] local-user client002 class manage
    # Set the password to aabbcc in plain text for the local user client002.
  • Page 413: Publickey Authentication Enabled Sftp Client Configuration Example

    Figure 112 SFTP client interface
    Publickey authentication enabled SFTP client configuration example
    Network requirements
    As shown in Figure 113, Switch B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm. Establish an SFTP connection between Switch A and Switch B, so you can log in to Switch B to manage and transfer files.
  • Page 414
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ...++++++
    ....++++++
    ..++++++++
    ....++++++++
    Create the key pair successfully.
    # Export the host public key to the file pubkey.
    [SwitchA] public-key local export rsa ssh2 pubkey
    [SwitchA] quit
    # Transmit the public key file pubkey to the server through FTP or TFTP.
  • Page 415
    [SwitchB-Vlan-interface2] quit
    # Import the peer public key from the file pubkey, and name it switchkey.
    [SwitchB] public-key peer switchkey import sshkey pubkey
    # Create an SSH user client001. Specify the service type as sftp and the authentication method as publickey for the user. Assign the public key switchkey to the user.
    [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey switchkey
    # Create a local device management user client001.
  • Page 416: Sftp Configuration Example Based On 192-Bit Suite B Algorithms

    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
    # Rename directory new1 to new2 and verify the result.
    sftp> rename new1 new2
    sftp> dir -l
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup...
  • Page 417
    Figure 114 Network diagram
    Configuration procedure
    Generate the client's certificate and the server's certificate. (Details not shown.)
    You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties. In this example, the server's certificate file is ssh-server-ecdsa384.p12 and the client's certificate file is ssh-client-ecdsa384.p12.
  • Page 418
    # Create a PKI domain named client384 for the client's certificate and enter its view.
  • Page 419
  • Page 420: Scp Configuration Examples

    # Enable the SFTP server.
    [SwitchB] sftp server enable
    # Assign an IP address to VLAN-interface 2.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    # Set the authentication mode to AAA for user lines.
    [SwitchB] line vty 0 15
    [SwitchB-line-vty0-15] authentication-mode scheme
    [SwitchB-line-vty0-15] quit
    # Create a local device management user client001.
  • Page 421
    Figure 115 Network diagram
    Configuration procedure
    Configure the SCP server:
    # Generate RSA key pairs.
    system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 422: Scp Configuration Example Based On Suite B Algorithms

    # Authorize the local user client001 to use the SSH service.
    [SwitchB-luser-manage-client001] service-type ssh
    # Assign the user role network-admin to the local user client001.
    [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client001] quit
    # Configure the SSH user client001. Specify the service type as scp and the authentication method as password for the user.
  • Page 423
    In this example, the server's certificate files are ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12. The client's certificate files are ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12.
    Configure the SCP client:
    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client.
  • Page 424
    # Create a PKI domain named client256 for the client's certificate ecdsa256 and enter its view.
    [SwitchA] pki domain client256
    # Disable CRL checking.
  • Page 425
    # Create a PKI domain named server384 for verifying the server's certificate ecdsa384 and enter its view.
  • Page 426
    # Create a PKI domain named client384 for the client's certificate ecdsa384 and enter its view.
  • Page 427
  • Page 428
    [SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384
    # Enable the SCP server.
    [SwitchB] scp server enable
    # Assign an IP address to VLAN-interface 2.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    # Set the authentication mode to AAA for user lines.
    [SwitchB] line vty 0 15
    [SwitchB-line-vty0-15] authentication-mode scheme
    [SwitchB-line-vty0-15] quit...
  • Page 429: Netconf Over Ssh Configuration Example With Password Authentication

    # Establish an SCP connection to the SCP server 192.168.0.1 based on the 192-bit Suite B algorithms.
    scp 192.168.0.1 get src.cfg suite-b 192-bit pki-domain client384 server-pki-domain server384
    Username: client002
    Press CTRL+C to abort.
    Connecting to 192.168.0.1 port 22.
    src.cfg                 100%  4814     4.7KB/s...
  • Page 430
    ......++++++
    ....++++++
    ..++++++++
    ....++++++++
    Create the key pair successfully.
    # Generate a DSA key pair.
    [Switch] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 431: Verifying The Configuration

    Verifying the configuration # Verify that you can perform NETCONF operations after logging in to the switch. (Details not shown.)
  • Page 432: Configuring Ip Source Guard

    Configuring IP source guard
    Overview
    IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops all packets that do not match the table.
    IPSG is a per-interface packet filter. The feature configured on one interface does not affect packet forwarding on another interface.
    The IPSG binding table can include the following bindings:
    •...
  • Page 433: Dynamic Ipsg Bindings

    Dynamic IPSG bindings
    IPSG automatically obtains user information from other modules to generate dynamic bindings. The source modules include 802.1X, DHCP relay, DHCP snooping, DHCPv6 snooping, and DHCP server. DHCP-based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP.
  • Page 434: Configuring The Ipv4Sg Feature

    Configuring the IPv4SG feature
    You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group.
    Enabling IPv4SG on an interface
    When you enable IPSG on an interface, the static and dynamic IPSG are both enabled.
    •...
  • Page 435: Configuring The Ipv6Sg Feature

    Step | Command | Remarks
    Enter interface view. | interface interface-type interface-number | The following interface types are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface.
    Remarks: By default, no static IPv4SG binding is configured on an interface. The vlan vlan-id option is supported only in Layer 2 Ethernet interface view.
  • Page 436: Displaying And Maintaining Ipsg

    Interface-specific static bindings take priority over global static bindings. An interface first uses the static bindings on the interface to match packets. If no match is found, the interface uses the global bindings.
    Configuring a global static IPv6SG binding
    Step | Command | Remarks
    Enter system view.
  • Page 437: Ipsg Configuration Examples

    IPSG configuration examples
    Static IPv4SG configuration example
    Network requirements
    As shown in Figure 119, all hosts use static IP addresses. Configure static IPv4SG bindings on Device A and Device B to meet the following requirements:
    • GigabitEthernet 1/0/2 of Device A allows only IP packets from Host C to pass.
    •...
  • Page 438: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
    [DeviceB-GigabitEthernet1/0/2] quit
    # Configure a static IPv4SG binding for Host A.
    [DeviceB] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
    # Enable IPv4SG on GigabitEthernet 1/0/1.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] ip verify source ip-address mac-address
    # On GigabitEthernet 1/0/1, configure a static IPv4SG binding for Host B.
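    The binding lookup described in the IPSG overview (interface-specific static bindings consulted first, then global bindings, and a packet matching neither dropped), as an added Python model that is not HPE code and does not reproduce the switch's internals. It parses the Device B commands of the example above; Host B's binding values (192.168.0.2, 0001-0203-0407), the GigabitEthernet 1/0/3 interface used in the checks, and the treatment of an unset binding attribute as a wildcard are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One static IPv4SG binding; interface is None for a global binding."""
    ip: str
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    """The fields of an incoming IP packet that IPSG looks at."""
    interface: str
    src_ip: str
    src_mac: str
    vlan: Optional[int] = None


# Matches a Comware-style prompt such as "[DeviceB]" (system view) or
# "[DeviceB-GigabitEthernet1/0/1]" (interface view) followed by a command.
PROMPT_RE = re.compile(r"^\[[^\]\-]+(?:-([^\]]+))?\]\s+(.*)$")


@dataclass
class Ipv4SgModel:
    # interface -> attributes checked by "ip verify source" on that interface
    verify: Dict[str, Tuple[str, ...]] = field(default_factory=dict)
    global_bindings: List[Binding] = field(default_factory=list)
    iface_bindings: Dict[str, List[Binding]] = field(default_factory=dict)

    def load_cli(self, lines: List[str]) -> None:
        """Read "ip verify source" and "ip source binding" commands; the
        prompt decides whether a binding is global or interface-specific."""
        for raw in lines:
            m = PROMPT_RE.match(raw.strip())
            if not m:
                continue                    # "# ..." comments and blank lines
            iface, words = m.group(1), m.group(2).split()
            if words[:3] == ["ip", "verify", "source"] and iface:
                self.verify[iface] = tuple(words[3:])
            elif words[:3] == ["ip", "source", "binding"]:
                opts = dict(zip(words[3::2], words[4::2]))
                b = Binding(ip=opts["ip-address"], mac=opts.get("mac-address"),
                            interface=iface,
                            vlan=int(opts["vlan"]) if "vlan" in opts else None)
                if iface:
                    self.iface_bindings.setdefault(iface, []).append(b)
                else:
                    self.global_bindings.append(b)

    @staticmethod
    def _matches(b: Binding, pkt: Packet, checked: Tuple[str, ...]) -> bool:
        # Assumption of this model: a binding attribute that was not
        # configured (for example no MAC address) acts as a wildcard.
        if b.vlan is not None and b.vlan != pkt.vlan:
            return False
        if "ip-address" in checked and b.ip != pkt.src_ip:
            return False
        if "mac-address" in checked and b.mac is not None and b.mac != pkt.src_mac:
            return False
        return True

    def check(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason). Interface bindings are searched before
        global bindings; a packet matching neither table is dropped."""
        checked = self.verify.get(pkt.interface)
        if checked is None:
            return "permit", "ipsg-disabled"   # IPSG is a per-interface filter
        tables = (("interface", self.iface_bindings.get(pkt.interface, [])),
                  ("global", self.global_bindings))
        for scope, table in tables:
            if any(self._matches(b, pkt, checked) for b in table):
                return "permit", scope
        return "drop", "no-binding"


# Device B commands from the page's static IPv4SG example. The Host B binding
# on GigabitEthernet 1/0/1 is truncated on the page, so its values here are
# constructed.
DEVICE_B_CLI = """
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0407
[DeviceB-GigabitEthernet1/0/1] quit
""".strip().splitlines()


def build_device_b() -> Ipv4SgModel:
    model = Ipv4SgModel()
    model.load_cli(DEVICE_B_CLI)
    return model


if __name__ == "__main__":
    dev = build_device_b()
    for pkt in (Packet("GigabitEthernet1/0/1", "192.168.0.2", "0001-0203-0407"),
                Packet("GigabitEthernet1/0/2", "192.168.0.1", "0001-0203-0406"),
                Packet("GigabitEthernet1/0/2", "192.168.0.1", "0001-0203-0499")):
        print(pkt.interface, pkt.src_ip, pkt.src_mac, "->", dev.check(pkt))
```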
  • Page 439: Dynamic Ipv4Sg Using Dhcp Relay Configuration Example

    Configuration procedure
    Configure the DHCP server. For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
    Configure the device:
    # Configure IP addresses for the interfaces. (Details not shown.)
    # Enable DHCP snooping.
    system-view
    [Device] dhcp snooping enable
    # Configure GigabitEthernet 1/0/2 as a trusted interface.
  • Page 440: Static Ipv6Sg Configuration Example

    system-view
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] ip verify source ip-address mac-address
    [Switch-Vlan-interface100] quit
    Configure the DHCP relay agent:
    # Enable the DHCP service.
    [Switch] dhcp enable
    # Enable recording DHCP relay client entries.
    [Switch] dhcp relay client-information record
    # Configure VLAN-interface 100 to operate in DHCP relay mode.
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] dhcp select relay
    # Specify the IP address of the DHCP server.
  • Page 441: Dynamic Ipv6Sg Using Dhcpv6 Snooping Configuration Example

    Total entries found: 1
    IPv6 Address   MAC Address      Interface   VLAN   Type
    2001::1        0001-0202-0202   GE1/0/1            Static
    Dynamic IPv6SG using DHCPv6 snooping configuration example
    Network requirements
    As shown in Figure 123, the host (the DHCPv6 client) obtains an IPv6 address from the DHCPv6 server. Perform the following tasks:
    • ...
  • Page 442: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 443: Configuring Arp Source Suppression

    • ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
  • Page 444: Configuration Example

    Configuration example Network requirements As shown in Figure 124, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets.
  • Page 445: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit
    The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. A device with ARP detection enabled sends all received ARP packets to the CPU for inspection, and processing an excessive number of ARP packets can make the device malfunction or even crash.
  • Page 446: Configuring Source Mac-Based Arp Attack Detection

    Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry.
  • Page 447: Configuration Example

    Task: Display ARP attack entries detected by source MAC-based ARP attack detection (in standalone mode). Command: display arp source-mac { slot slot-number | interface interface-type interface-number }
    Task: Display ARP attack entries detected by source MAC-based ARP attack detection (in IRF mode). Command: display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }
  • Page 448: Configuring Arp Packet Source Mac Consistency Check

    [Device] arp source-mac filter
    # Set the threshold to 30.
    [Device] arp source-mac threshold 30
    # Set the lifetime for ARP attack entries to 60 seconds.
    [Device] arp source-mac aging-time 60
    # Exclude MAC address 0012-3f86-e94c from this detection.
    [Device] arp source-mac exclude-mac 0012-3f86-e94c
    Configuring ARP packet source MAC consistency check
    This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet...
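    Source MAC-based ARP attack detection and the source MAC consistency check described above both come down to a small amount of bookkeeping per source MAC. The following Python model is an added example, not Comware code from this guide: it implements the 5-second counting window, the threshold, the entry aging time, the excluded MAC list and the filter (drop) versus monitor (log only) behaviour of the commands shown, and the consistency check compares the Ethernet source MAC with the sender hardware address in the ARP body. The packet dicts, timestamps and all MAC addresses other than 0012-3f86-e94c are constructed for the example.

```python
from collections import defaultdict, deque

# Added illustration of 'arp source-mac { filter | monitor }', 'arp source-mac
# threshold', 'arp source-mac aging-time' and 'arp source-mac exclude-mac'.
# Packets are constructed dicts carrying the Ethernet source MAC and the ARP
# sender hardware address; timestamps are seconds.

WINDOW_SECONDS = 5.0   # the page states a 5-second counting window


class ArpSourceMacDetector:
    """Source MAC-based ARP attack detection on ARP packets delivered to the CPU."""

    def __init__(self, threshold=30, aging_time=60, mode="filter", exclude_macs=()):
        self.threshold = threshold          # packets per window that trigger an entry
        self.aging_time = aging_time        # lifetime of an ARP attack entry, seconds
        self.mode = mode                    # "filter" drops, "monitor" only logs
        self.exclude = {m.lower() for m in exclude_macs}
        self.seen = defaultdict(deque)      # mac -> timestamps inside the window
        self.entries = {}                   # mac -> expiry time of the attack entry
        self.log = []                       # (time, mac) for each detected attack

    def _age_entries(self, now):
        for mac in [m for m, expiry in self.entries.items() if expiry <= now]:
            del self.entries[mac]

    def inspect(self, pkt, now):
        """Return 'forward' or 'drop' for one ARP packet seen at time `now`."""
        self._age_entries(now)
        src = pkt["eth_src"].lower()
        if src in self.exclude:
            return "forward"                # excluded MACs are never counted
        if src in self.entries:
            return "drop" if self.mode == "filter" else "forward"
        window = self.seen[src]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.threshold:    # more than `threshold` packets in 5 s
            self.entries[src] = now + self.aging_time
            self.log.append((now, src))
            window.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def source_mac_consistent(pkt):
    """ARP packet source MAC consistency check: the Ethernet source MAC must
    equal the sender hardware address carried in the ARP body."""
    return pkt["eth_src"].lower() == pkt["arp_sha"].lower()


def run_demo():
    """Replays constructed traffic against the settings configured on the page
    (threshold 30, aging time 60 s, 0012-3f86-e94c excluded) and returns verdicts."""
    det = ArpSourceMacDetector(threshold=30, aging_time=60, mode="filter",
                               exclude_macs=["0012-3f86-e94c"])
    attacker = {"eth_src": "000f-e200-0001", "arp_sha": "000f-e200-0001"}
    excluded = {"eth_src": "0012-3f86-e94c", "arp_sha": "0012-3f86-e94c"}
    results = {}
    # 31 ARP packets from one MAC within 0.3 s: the 31st exceeds the threshold
    verdicts = [det.inspect(attacker, i / 100) for i in range(31)]
    results["forwarded_before_threshold"] = verdicts[:30].count("forward")
    results["packet_31"] = verdicts[30]
    results["entry_created"] = "000f-e200-0001" in det.entries
    # the excluded MAC may send any number of packets
    results["excluded_ok"] = all(det.inspect(excluded, 1 + i / 100) == "forward"
                                 for i in range(40))
    # still filtered inside the 60 s lifetime, released once the entry ages out
    results["dropped_at_30s"] = det.inspect(attacker, 30.0)
    results["released_after_aging"] = det.inspect(attacker, 61.0)
    results["spoofed_sha_consistent"] = source_mac_consistent(
        {"eth_src": "000f-e200-0002", "arp_sha": "000f-e200-0099"})
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    The attack entry is keyed on the Ethernet source MAC because that is what the page's feature counts; combining it with the consistency check closes the obvious evasion of rotating the ARP sender address while keeping one Ethernet source.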
  • Page 449: Configuring Authorized Arp

    Configuring authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide. With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries.
  • Page 450: Configuration Example (On A Dhcp Relay Agent)

    [DeviceA-GigabitEthernet1/0/1] port link-mode route
    [DeviceA-GigabitEthernet1/0/1] arp authorized enable
    [DeviceA-GigabitEthernet1/0/1] quit
    Configure Device B:
    system-view
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] ip address dhcp-alloc
    [DeviceB-GigabitEthernet1/0/1] quit
    Verifying the configuration
    # Display authorized ARP entry information on Device A.
    [DeviceA] display arp all
    Type: S-Static   D-Dynamic   O-Openflow...
  • Page 451: Configuring Arp Detection

    [DeviceA-dhcp-pool-1] gateway-list 10.10.1.1
    [DeviceA-dhcp-pool-1] quit
    [DeviceA] ip route-static 10.10.1.0 24 10.1.1.2
    Configure Device B:
    # Enable DHCP.
    system-view
    [DeviceB] dhcp enable
    # Specify the IP addresses of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] ip address 10.1.1.2 24
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] ip address 10.10.1.1 24...
  • Page 452: Configuring User Validity Check

    • ARP packet validity check.
    • ARP restricted forwarding.
    • ARP detection logging.
    If both ARP packet validity check and user validity check are enabled, ARP packet validity check is applied first, and then user validity check.
    Configuring user validity check
    The device checks user validity upon receiving an ARP packet from an ARP untrusted interface as follows:
    Uses the user validity check rules to match the sender IP and MAC addresses of the ARP packet.
  • Page 453: Configuring Arp Packet Validity Check

    Step: (Optional.) Configure the interface as a trusted interface excluded from ARP detection. Command: arp detection trust. Remarks: By default, an interface is untrusted.
    Configuring ARP packet validity check
    Enable validity check for ARP packets received on untrusted interfaces and specify the following objects to be checked:
    • ...
  • Page 454: Enabling Arp Detection Logging

    To enable ARP restricted forwarding:
    Step: Enter system view. Command: system-view
    Step: Enter VLAN view. Command: vlan vlan-id
    Step: Enable ARP restricted forwarding. Command: arp restricted-forwarding enable. Remarks: By default, ARP restricted forwarding is disabled.
    Enabling ARP detection logging
    The ARP detection logging feature enables a device to generate ARP detection log messages when illegal ARP packets are detected.
  • Page 455 Figure 128 Network diagram Configuration procedure Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure the DHCP server on Switch A, and configure DHCP address pool 0. ...
  • Page 456: User Validity Check And Arp Packet Validity Check Configuration Example

    [SwitchB-GigabitEthernet1/0/3] quit
    After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are checked against 802.1X entries.
    User validity check and ARP packet validity check configuration example
    Network requirements
    As shown in Figure 129, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts.
  • Page 457: Configuring Arp Scanning And Fixed Arp

    [SwitchB-GigabitEthernet1/0/1] quit
    # Enable ARP detection for VLAN 10.
    [SwitchB] vlan 10
    [SwitchB-vlan10] arp detection enable
    # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.
    [SwitchB-vlan10] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] arp detection trust
    [SwitchB-GigabitEthernet1/0/3] quit
    # Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.
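    The ARP detection example above reuses the binding table that the IPSG examples earlier in this section build: a static binding on one port and DHCP snooping entries for the other hosts. The following Python model is an added example, not Comware code from this guide, and serves both the IPSG examples and this ARP detection example. It keeps IP, MAC, port and VLAN bindings learned from static configuration and from DHCP snooping, enforces ip verify source ip-address mac-address on IP packets, and runs ARP detection on untrusted ports in the order the page gives: packet validity check first, then user validity check against the bindings. The host addresses, MACs and packet dicts are constructed; the three packet validity checks modelled (Ethernet source MAC versus ARP sender MAC, target MAC on replies, and unusable sender or target IP addresses) are this example's reading of the truncated object list above.

```python
import ipaddress
from dataclasses import dataclass

# Added model of IP source guard plus ARP detection on an access switch.
# Host addresses, MACs and packet dicts below are constructed for the example.

BROADCAST_MAC = "ffff-ffff-ffff"


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    source: str                 # "static" (ip source binding) or "dhcp-snooping"


class AccessSwitch:
    def __init__(self):
        self.bindings = set()
        self.ipsg_interfaces = set()        # 'ip verify source ip-address mac-address'
        self.arp_detection_vlans = set()    # 'arp detection enable'
        self.arp_trusted = set()            # 'arp detection trust'
        self.packet_validity_check = False  # ARP packet validity check enabled
        self.logs = []                      # (reason, interface, sender ip)

    # ---- IP source guard bindings ----------------------------------------
    def add_static_binding(self, ip, mac, interface, vlan):
        self.bindings.add(Binding(ip, mac.lower(), interface, vlan, "static"))

    def dhcp_snooping_ack(self, ip, mac, interface, vlan):
        """A DHCP ACK seen by DHCP snooping yields a dynamic binding."""
        self.bindings.add(Binding(ip, mac.lower(), interface, vlan, "dhcp-snooping"))

    def _bound(self, ip, mac, interface, vlan):
        return any(b.ip == ip and b.mac == mac.lower() and b.interface == interface
                   and b.vlan == vlan for b in self.bindings)

    def ip_packet(self, interface, vlan, src_ip, src_mac):
        """IPv4SG: on a guarded port only IP packets that match a binding pass."""
        if interface not in self.ipsg_interfaces:
            return "forward"
        return "forward" if self._bound(src_ip, src_mac, interface, vlan) else "drop"

    # ---- ARP detection ---------------------------------------------------
    def arp_packet(self, interface, vlan, pkt):
        """ARP detection for untrusted ports in VLANs where it is enabled."""
        if vlan not in self.arp_detection_vlans or interface in self.arp_trusted:
            return "forward"
        if self.packet_validity_check and not self._packet_valid(pkt):
            self.logs.append(("invalid-packet", interface, pkt["sender_ip"]))
            return "drop"                               # validity check runs first
        if self._bound(pkt["sender_ip"], pkt["sender_mac"], interface, vlan):
            return "forward"                            # user validity check passed
        self.logs.append(("illegal-user", interface, pkt["sender_ip"]))
        return "drop"

    @staticmethod
    def _usable(ip_text):
        ip = ipaddress.ip_address(ip_text)
        return not (ip.is_multicast or ip.is_unspecified or ip_text == "255.255.255.255")

    @classmethod
    def _packet_valid(cls, pkt):
        if pkt["eth_src"].lower() != pkt["sender_mac"].lower():
            return False                                # src-mac check
        if pkt["op"] == "reply" and pkt["eth_dst"].lower() != pkt["target_mac"].lower():
            return False                                # dst-mac check (replies only)
        if not cls._usable(pkt["sender_ip"]):
            return False                                # ip check on the sender
        if pkt["op"] == "reply" and not cls._usable(pkt["target_ip"]):
            return False                                # ip check on the target
        return True


def run_demo():
    """Switch B from the example: GE1/0/3 is the trusted uplink, GE1/0/2 has a
    static binding and GE1/0/1 hosts a DHCP client learned through snooping."""
    sw = AccessSwitch()
    sw.ipsg_interfaces.update({"GE1/0/1", "GE1/0/2"})
    sw.arp_detection_vlans.add(10)
    sw.arp_trusted.add("GE1/0/3")
    sw.packet_validity_check = True
    sw.add_static_binding("10.1.1.6", "0001-0203-0607", "GE1/0/2", 10)
    sw.dhcp_snooping_ack("10.1.1.5", "0001-0203-0506", "GE1/0/1", 10)
    good = {"op": "request", "eth_src": "0001-0203-0506", "eth_dst": BROADCAST_MAC,
            "sender_mac": "0001-0203-0506", "sender_ip": "10.1.1.5",
            "target_mac": "0000-0000-0000", "target_ip": "10.1.1.1"}
    r = {}
    r["ipsg_match"] = sw.ip_packet("GE1/0/2", 10, "10.1.1.6", "0001-0203-0607")
    r["ipsg_spoofed_ip"] = sw.ip_packet("GE1/0/2", 10, "10.1.1.9", "0001-0203-0607")
    r["ipsg_unguarded"] = sw.ip_packet("GE1/0/4", 10, "10.1.1.9", "0001-0203-0607")
    r["arp_legit"] = sw.arp_packet("GE1/0/1", 10, good)
    r["arp_gateway_spoof"] = sw.arp_packet("GE1/0/1", 10, dict(good, sender_ip="10.1.1.1"))
    r["arp_mac_mismatch"] = sw.arp_packet("GE1/0/1", 10, dict(good, eth_src="0001-0203-0599"))
    r["arp_from_trusted"] = sw.arp_packet("GE1/0/3", 10, dict(good, sender_ip="10.1.1.1"))
    r["log_reasons"] = [reason for reason, _, _ in sw.logs]
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    The binding is matched on port and VLAN as well as IP and MAC, which is what makes a gateway-IP claim from a host port fail user validity check even though the MAC is genuine; the trusted uplink is exempt, so the real gateway's replies still pass.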
  • Page 458: Configuration Procedure

    Configuration procedure
    To configure ARP scanning and fixed ARP:
    Step: Enter system view. Command: system-view
    Step: Enter Layer 3 Ethernet interface, VLAN interface, or Layer 3 aggregate interface view. Command: interface interface-type interface-number
    Step: Trigger an ARP scanning. Command: arp scan [ start-ip-address to end-ip-address ]
    Step: Return to system view.
  • Page 459: Configuration Example

    Configuration example
    Network requirements
    As shown in Figure 130, Host B launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks.
    Figure 130 Network diagram
    Configuration procedure
    # Configure ARP gateway protection on Switch B.
  • Page 460: Configuration Procedure

    • If ARP filtering works with ARP detection, MFF, ARP snooping, and ARP fast-reply, ARP filtering applies first.
    Configuration procedure
    To configure ARP filtering:
    Step: Enter system view. Command: system-view
    Step: Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. Command: interface interface-type interface-number
  • Page 461: Configuring The Checking Of Sender Ip Addresses For Arp Packets

    Verifying the configuration
    # Verify that GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets.
    # Verify that GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP packets.
    Configuring the checking of sender IP addresses for ARP packets
    This feature allows a gateway to check the sender IP address of an ARP packet before ARP learning.
  • Page 462: Configuring Urpf

    Configuring uRPF
    Overview
    Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to a system that uses IP-based authentication, impersonating authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attack still disrupts the target.
  • Page 463: Urpf Operation

    uRPF operation
    Figure 133 shows how uRPF works.
    Figure 133 uRPF work flow
    uRPF checks address validity:
    uRPF permits a packet with a multicast destination address.
    For a packet with an all-zero source address, uRPF permits the packet if it has a broadcast destination address.
  • Page 464: Network Application

    255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) The packet is discarded if it has a non-broadcast destination address.
    uRPF proceeds to step 2 for other packets.
    uRPF checks whether the source address matches a unicast route:
    If yes, uRPF proceeds to step 3.
  • Page 465: Configuration Procedure

    Configuration procedure
    A device supports uRPF configuration globally. Global uRPF configuration takes effect on all interfaces.
    Follow these guidelines when you configure uRPF:
    • uRPF is not supported on the LSUM1TGS48SG0 (JH197A, JH205A) module.
    • uRPF checks only incoming packets on an interface.
    • ...
  • Page 466

    system-view
    [SwitchB] ip urpf strict
    Configure strict uRPF check on Switch A and allow using the default route for uRPF check.
    system-view
    [SwitchA] ip urpf strict allow-default-route...
  • Page 467: Configuring Ipv6 Urpf

    Configuring IPv6 uRPF
    Overview
    Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to a system that uses IP-based authentication, impersonating authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attack still disrupts the target.
  • Page 468: Ipv6 Urpf Operation

    IPv6 uRPF operation
    Figure 137 shows how IPv6 uRPF works.
    Figure 137 IPv6 uRPF work flow
    IPv6 uRPF checks whether the received packet carries a multicast destination address:
    If yes, IPv6 uRPF permits the packet.
    If no, IPv6 uRPF proceeds to step 2.
    IPv6 uRPF checks whether the source address matches a unicast route:
    If yes, IPv6 uRPF proceeds to step 3.
  • Page 469: Network Application

    If no, IPv6 uRPF discards the packet. A non-unicast source address matches a non-unicast route.
    IPv6 uRPF checks whether the matching route is to the host itself:
    If yes, the output interface of the matching route is an InLoop interface. IPv6 uRPF checks whether the receiving interface of the packet is an InLoop interface.
  • Page 470: Configuration Procedure

    Configuration procedure
    A device supports IPv6 uRPF configuration globally. Global IPv6 uRPF configuration takes effect on all interfaces.
    Follow these guidelines when you configure IPv6 uRPF:
    • IPv6 uRPF is not supported on the LSUM1TGS48SG0 (JH197A, JH205A) module.
    • IPv6 uRPF does not check packets received on the SA interface modules if the source IPv6 addresses of the packets have a prefix length longer than 64.
  • Page 471

    Configuration procedure
    Configure strict IPv6 uRPF check on Switch B.
    system-view
    [SwitchB] ipv6 urpf strict
    Configure strict IPv6 uRPF check on Switch A and allow using the default route for IPv6 uRPF check.
    system-view
    [SwitchA] ipv6 urpf strict allow-default-route...
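    The uRPF work flows for IPv4 and IPv6 quoted above are a decision procedure over the FIB, and the configuration examples only differ in the strict keyword and allow-default-route. The following Python model is an added example, not Comware code from this guide, and serves both the IPv4 and the IPv6 uRPF chapters. Steps 1 to 3 (address validity, route lookup, route to the device itself) follow the page; the default-route handling mirrors the allow-default-route keyword, and the loose versus strict decision mirrors ip urpf { strict | loose }. The FIB, interface names and packets are constructed; treating an equal-cost route as one entry with several output interfaces is this example's assumption.

```python
import ipaddress

# Added model of the uRPF work flow for IPv4 and IPv6. The FIB below is
# constructed; interface names follow the guide's style. Equal-cost routes
# are modelled as one FIB entry with several output interfaces (assumption).

LOOPBACK_IF = "InLoop0"          # output interface of routes to the device itself


class Urpf:
    def __init__(self, fib, mode="strict", allow_default_route=False):
        # fib: iterable of (prefix, output interfaces)
        self.fib = [(ipaddress.ip_network(p), frozenset(ifs)) for p, ifs in fib]
        self.mode = mode                         # "strict" or "loose"
        self.allow_default_route = allow_default_route

    def lookup(self, addr):
        """Longest-prefix match; returns (network, output interfaces) or None."""
        best = None
        for net, ifs in self.fib:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, ifs)
        return best

    def check(self, src, dst, in_iface):
        """Return 'permit' or 'discard' for a packet received on in_iface."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Step 1: address validity (the IPv6 flow only has the multicast test).
        if dst.is_multicast:
            return "permit"
        if src.version == 4 and src.is_unspecified:
            # 0.0.0.0 -> 255.255.255.255 may be DHCP/BOOTP and is kept
            return "permit" if str(dst) == "255.255.255.255" else "discard"
        # Step 2: the source must match a unicast route.
        route = self.lookup(src)
        if route is None:
            return "discard"
        net, out_ifs = route
        # Step 3: a route to the device itself is only valid from InLoop.
        if out_ifs == {LOOPBACK_IF}:
            return "permit" if in_iface == LOOPBACK_IF else "discard"
        # The default route only counts when allow-default-route is configured.
        if net.prefixlen == 0 and not self.allow_default_route:
            return "discard"
        # Loose check: any matching route is enough.
        if self.mode == "loose":
            return "permit"
        # Strict check: the receiving interface must be an output interface
        # of the matching route.
        return "permit" if in_iface in out_ifs else "discard"


# Constructed FIB for a Switch B style edge device.
FIB = [
    ("10.1.1.0/24", {"GE1/0/1"}),
    ("10.1.1.1/32", {LOOPBACK_IF}),             # the switch's own address
    ("192.168.1.0/24", {"GE1/0/2"}),
    ("172.16.0.0/16", {"GE1/0/3", "GE1/0/4"}),  # equal-cost paths
    ("0.0.0.0/0", {"GE1/0/1"}),
    ("2001:db8:1::/64", {"GE1/0/1"}),
]


def run_demo():
    strict = Urpf(FIB, mode="strict")
    loose = Urpf(FIB, mode="loose")
    strict_default = Urpf(FIB, mode="strict", allow_default_route=True)
    return {
        "strict_right_iface": strict.check("10.1.1.5", "192.168.1.9", "GE1/0/1"),
        "strict_spoofed": strict.check("10.1.1.5", "192.168.1.9", "GE1/0/2"),
        "loose_spoofed": loose.check("10.1.1.5", "192.168.1.9", "GE1/0/2"),
        "ecmp_second_path": strict.check("172.16.3.3", "10.1.1.5", "GE1/0/4"),
        "default_route_denied": strict.check("8.8.8.8", "10.1.1.5", "GE1/0/1"),
        "default_route_allowed": strict_default.check("8.8.8.8", "10.1.1.5", "GE1/0/1"),
        "dhcp_discover": strict.check("0.0.0.0", "255.255.255.255", "GE1/0/2"),
        "zero_src_unicast_dst": strict.check("0.0.0.0", "10.1.1.1", "GE1/0/2"),
        "multicast_dst": strict.check("192.168.1.7", "224.0.0.5", "GE1/0/1"),
        "own_address_spoofed": strict.check("10.1.1.1", "10.1.1.5", "GE1/0/1"),
        "ipv6_right_iface": strict.check("2001:db8:1::10", "2001:db8:2::1", "GE1/0/1"),
        "ipv6_spoofed": strict.check("2001:db8:1::10", "2001:db8:2::1", "GE1/0/2"),
        "ipv6_no_route": loose.check("2001:db8:9::1", "2001:db8:2::1", "GE1/0/1"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    The strict versus loose split is the operational trade-off the guide's examples make: strict mode on the edge (Switch B) catches a spoofed 10.1.1.x source arriving on the wrong port, while asymmetric routing upstream needs loose mode or allow-default-route to avoid discarding legitimate traffic.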
  • Page 472: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 473: Configuring Fips Mode

    e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
    f. Save the current configuration file.
    g. Specify the current configuration file as the startup configuration file.
    h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
  • Page 474: Configuration Changes In Fips Mode

    A username.
    A password that complies with the password control policies as described in step 2 and step 3.
    A user role of network-admin or mdc-admin.
    A service type of terminal.
    Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
    Enable FIPS mode.
  • Page 475: Exiting Fips Mode

    The password for a device management local user and password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters.
  • Page 476: Power-Up Self-Tests

    self-test fails, the card where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information. NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support. Power-up self-tests Power-up self-tests include the following types: • Known-answer test (KAT) This test examines the availability of FIPS-allowed cryptographic algorithms.
  • Page 477: Triggering Self-Tests

    • Signature and authentication PWCT test—This pairwise consistency test is run when a DSA/RSA asymmetric key pair is generated. It signs specific data with the private key and then verifies the signature with the public key. If the verification succeeds, the test succeeds.
    • ...
  • Page 478: Entering Fips Mode Through Manual Reboot

    Enter password(15-63 characters):
    Confirm password:
    Waiting for reboot...
    After reboot, the device will enter FIPS mode.
    Verifying the configuration
    After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode.
  • Page 479

    # Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
    [Sysname] password-control composition type-number 4 type-length 1
    # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15
    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
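    The two password-control commands above, together with the 15-63 character prompt shown earlier, define the policy that every FIPS-mode password must satisfy. The following Python validator is an added example, not the switch's own implementation: it checks the minimum and maximum length and counts how many of the four character types (uppercase, lowercase, digit, special) reach the configured type-length, generalising the page's type-number 4 type-length 1 setting to any values. The candidate passwords other than the page's own 12345zxcvb!@#$%ZXCVB are constructed.

```python
# Added validator for the password-control policy shown in the FIPS examples
# (minimum length 15, four character types with at least one character each).
# Illustrative only, not the switch's implementation; the 63-character maximum
# comes from the "15-63 characters" prompt on the page.

TYPE_NAMES = ("uppercase", "lowercase", "digit", "special")


def character_type_counts(password):
    """Count characters per policy class; anything that is not a letter or a
    digit (punctuation, symbols, space) counts as a special character."""
    counts = dict.fromkeys(TYPE_NAMES, 0)
    for ch in password:
        if ch.isupper():
            counts["uppercase"] += 1
        elif ch.islower():
            counts["lowercase"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def check_password(password, min_length=15, max_length=63,
                   type_number=4, type_length=1):
    """Return a list of policy violations; an empty list means the password
    satisfies 'password-control length <min_length>' and
    'password-control composition type-number <type_number> type-length <type_length>'."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum of {min_length}")
    if len(password) > max_length:
        problems.append(f"length {len(password)} exceeds the maximum of {max_length}")
    counts = character_type_counts(password)
    satisfied = [name for name in TYPE_NAMES if counts[name] >= type_length]
    if len(satisfied) < type_number:
        missing = [name for name in TYPE_NAMES if name not in satisfied]
        problems.append(
            f"only {len(satisfied)} of the required {type_number} character types "
            f"have at least {type_length} character(s); short on: {', '.join(missing)}")
    return problems


def is_fips_compliant(password):
    """Convenience wrapper with the defaults the FIPS procedure configures."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("12345zxcvb!@#$%ZXCVB", "Abcdefghijklmno1", "Ab1!"):
        print(repr(candidate), check_password(candidate) or "OK")
```

    Run the validator against a proposed password before typing it at the Enter password prompt: a rejected password in the middle of the FIPS reboot sequence is awkward to recover from, because the procedure warns against exiting the system or performing other operations until the reboot completes.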
  • Page 480: Exiting Fips Mode Through Automatic Reboot

    Updating user information. Please wait...
    # Display the current FIPS mode state.
    display fips status
    FIPS mode is enabled.
    Exiting FIPS mode through automatic reboot
    Network requirements
    A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
  • Page 481

    [Sysname] save
    The current configuration will be written to the device. Are you sure? [Y/N]:y
    Please input the file name(*.cfg)[flash:/startup.cfg]
    (To leave the existing filename unchanged, press the enter key):
    flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file. Please wait...
    Saved the current configuration to mainboard device successfully.
    [Sysname] quit
    # Delete the startup configuration file in binary format.
  • Page 482: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, and blacklisting. Attacks that the device can prevent This section describes the attacks that the device can detect and prevent.
  • Page 483: Scanning Attacks

    Single-packet attack: IP options. Description: An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets.
    Single-packet attack: IP fragment. Description: An attacker sends the victim an IP datagram with a fragment offset smaller than 5, which causes the victim to malfunction or crash.
  • Page 484: Flood Attacks

    The device can detect and prevent the IP sweep and port scan attacks. If an attacker performs port scanning from multiple hosts to the target host, distributed port scan attacks occur. Flood attacks An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time.
  • Page 485: Tcp Fragment Attack

    An ICMP flood attacker sends ICMP request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services.
    • ICMPv6 flood attack. An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate.
  • Page 486: Attack Detection And Prevention Configuration Task List

    Attack detection and prevention configuration task list
    Tasks at a glance
    (Required.) Configuring an attack defense policy:
    • (Required.) Creating an attack defense policy
    • (Required.) Perform at least one of the following tasks to configure attack detection:
      Configuring a single-packet attack defense policy
      Configuring a scanning attack defense policy
      Configuring a flood attack defense policy
    • ...
  • Page 487

    To configure a single-packet attack defense policy:
    Step: Enter system view. Command: system-view
    Step: Enter attack defense policy view. Command: attack-defense policy policy-name
    • signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment |...
  • Page 488: Configuring A Scanning Attack Defense Policy

    Step: (Optional.) Specify the actions against single-packet attacks of a given level. Command: signature level { high | info | low | medium } action { { drop | logging } * | none }. Remarks: The default action is logging for single-packet attacks of the informational and low levels. The default actions are...
  • Page 489

    You can configure flood attack detection and prevention for a specific IP address. For non-specific IP addresses, the device uses the global attack prevention settings.
    Configuring a SYN flood attack defense policy
    Step: Enter system view. Command: system-view
    Step: Enter attack defense policy view. Command: attack-defense policy policy-name...
  • Page 490

    Step: Set the global trigger threshold for SYN-ACK flood attack prevention. Command: syn-ack-flood threshold threshold-value. Remarks: The default setting is 1000.
    Step: Specify global actions against SYN-ACK flood attacks. Command: syn-ack-flood action { drop | logging } *. Remarks: By default, no global action is specified for SYN-ACK flood attacks.
  • Page 491

    Step: Configure IP address-specific RST flood attack detection. Command: rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]. Remarks: By default, IP address-specific RST flood attack detection is not configured.
    Configuring an ICMP flood attack defense policy
    Step...
  • Page 492

    Step: Enter attack defense policy view. Command: attack-defense policy policy-name
    Step: Enable global UDP flood attack detection. Command: udp-flood detect non-specific. Remarks: By default, global UDP flood attack detection is disabled.
    Step: Set the global trigger threshold for UDP flood attack prevention. Command: udp-flood threshold threshold-value. Remarks: The default setting is 1000.
  • Page 493: Configuring Attack Detection Exemption

    Step: Set the global trigger threshold for HTTP flood attack prevention. Command: http-flood threshold threshold-value. Remarks: The default setting is 1000.
    Step: (Optional.) Specify the global ports to be protected against HTTP flood attacks. Command: http-flood port port-list. Remarks: By default, HTTP flood attack prevention protects port 80.
  • Page 494: Applying An Attack Defense Policy To The Device

    If you apply an attack defense policy to a global interface, specify a service card to process traffic for the interface. If you do not specify a service card, the policy cannot correctly detect and prevent scanning and flood attacks.
    To apply an attack defense policy to an interface:
    Step Command...
  • Page 495: Configuring Tcp Fragment Attack Prevention

    As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.
    To enable log non-aggregation for single-packet attack events:
    Step: Enter system view. Command: system-view
    Step: Enable log non-aggregation for single-packet attack events. Command: attack-defense signature log... Remarks: By default, log non-aggregation is disabled for single-packet attack...
  • Page 496: Configuring Login Attack Prevention

    Step: (Optional.) Add an IPv4 blacklist entry. Command: blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]. Remarks: By default, no IPv4 blacklist entries exist.
    Step: (Optional.) Add an IPv6 blacklist entry. Command: blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ]... Remarks: By default, no IPv6 blacklist...
  • Page 497: Displaying And Maintaining Attack Detection And Prevention

    Step: Enable the login delay feature. Command: attack-defense login reauthentication-delay seconds. Remarks: By default, the login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.
    Displaying and maintaining attack detection and prevention
    Use the display commands in any view and the reset commands in user view.
  • Page 498

    Task: Display flood attack detection and prevention statistics for an IPv6 address (in standalone mode). Command: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ]
  • Page 499: Attack Detection And Prevention Configuration Examples

    Task: Clear dynamic IPv4 blacklist entries. Command: reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] | all }
    Task: Clear dynamic IPv6 blacklist entries. Command: reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }
    Task: Clear blacklist statistics.
  • Page 500

    # Create the attack defense policy a1.
    [Device] attack-defense policy a1
    # Configure signature detection for smurf attacks, and specify logging as the prevention action.
    [Device-attack-defense-policy-a1] signature detect smurf action logging
    # Configure low-level scanning attack detection, specify logging and block-source as the prevention actions, and set the blacklist entry aging time to 10 minutes.
  • Page 501

    TCP FIN only flag                  Disabled   medium
    TCP Land                           Disabled   medium
    Winnuke                            Disabled   medium
    UDP Bomb                           Disabled   medium
    UDP Snork                          Disabled   medium
    UDP Fraggle                        Disabled   medium
    IP option record route             Disabled   info
    IP option internet timestamp       Disabled   info
    IP option security                 Disabled   info
    IP option loose source routing...
  • Page 502: Ip Blacklist Configuration Example

    UDP flood       1000(default)   Disabled
    ICMP flood      1000(default)   Disabled
    ICMPv6 flood    1000(default)   Disabled
    DNS flood       1000(default)   Disabled
    HTTP flood      1000(default)   Disabled
    Flood attack defense for protected IP addresses:
    Address     VPN instance   Flood type   Thres(pps)   Actions   Ports
    10.1.1.2                   SYN-FLOOD    5000
    # Verify that the attack detection and prevention takes effect on GigabitEthernet 1/0/2.
    [Device] display attack-defense statistics interface gigabitethernet 1/0/2
    Attack policy name: a1
    Scan attack defense statistics:...
  • Page 503

    system-view
    [Device] blacklist global enable
    # Add an IPv4 blacklist entry for Host D.
    [Device] blacklist ip 5.5.5.5
    # Add an IPv4 blacklist entry for Host C and set the blacklist entry aging time to 50 minutes.
    [Device] blacklist ip 192.168.1.4 timeout 50
    Verifying the configuration
    # Verify that the IPv4 blacklist entries are successfully added.
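    The attack defense policy example and the IP blacklist example above share one data path: a packet is first matched against the blacklist, then against scanning detection (whose block-source action feeds the blacklist with aging entries), then against the flood thresholds, global or per protected address. The following Python model is an added example, not Comware code from this guide, covering both examples: static entries for 5.5.5.5 and 192.168.1.4 (the latter with a 50-minute timeout), scanning detection with logging and block-source and a 10-minute entry lifetime, the 1000 pps global SYN flood threshold and the 5000 pps threshold with drop and logging for 10.1.1.2. The packet dicts, the 10-second scan window and the 20-target scan threshold are constructed (the page gives scan levels, not numbers).

```python
from collections import defaultdict, deque

# Added model of the two attack-defense examples above (illustrative Python,
# not Comware code): static IPv4 blacklist entries, scanning detection with
# logging + block-source (dynamic entries aging out after 10 minutes), and
# SYN flood detection with the 1000 pps global threshold and a 5000 pps
# threshold for the protected address 10.1.1.2. The packet dicts, the
# 10-second scan window and the 20-target scan threshold are constructed.


class Blacklist:
    def __init__(self):
        self.entries = {}                      # ip -> expiry (seconds) or None

    def add(self, ip, now, timeout_minutes=None):
        self.entries[ip] = None if timeout_minutes is None else now + 60 * timeout_minutes

    def is_blocked(self, ip, now):
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is not None and expiry <= now:
            del self.entries[ip]               # dynamic entry aged out
            return False
        return True


class AttackDefensePolicy:
    SCAN_WINDOW = 10.0                         # seconds, constructed

    def __init__(self, blacklist, syn_threshold=1000, syn_actions=("logging",),
                 scan_threshold=20, scan_actions=("logging", "block-source"),
                 block_minutes=10):
        self.blacklist = blacklist
        self.syn_threshold, self.syn_actions = syn_threshold, set(syn_actions)
        self.scan_threshold, self.scan_actions = scan_threshold, set(scan_actions)
        self.block_minutes = block_minutes
        self.protected = {}                    # dst ip -> (threshold, actions)
        self.syn_counts = defaultdict(int)     # (dst, whole second) -> SYNs
        self.targets = defaultdict(deque)      # src -> (time, (dst, port))
        self.logs = []                         # (time, address, event)

    def protect_ip(self, ip, threshold, actions):
        self.protected[ip] = (threshold, set(actions))   # syn-flood detect ip ...

    def inspect(self, pkt, now):
        """Return 'forward' or 'drop' for one packet dict seen at time now."""
        src, dst = pkt["src"], pkt["dst"]
        if self.blacklist.is_blocked(src, now):
            return "drop"
        if self._is_scan(src, (dst, pkt["dport"]), now):
            if "logging" in self.scan_actions:
                self.logs.append((now, src, "port scan"))
            if "block-source" in self.scan_actions:
                self.blacklist.add(src, now, self.block_minutes)
                return "drop"
        if pkt.get("flags") == "S":
            return self._syn_flood(dst, now)
        return "forward"

    def _is_scan(self, src, target, now):
        window = self.targets[src]
        while window and now - window[0][0] > self.SCAN_WINDOW:
            window.popleft()
        if target not in {t for _, t in window}:
            window.append((now, target))
        if len(window) > self.scan_threshold:  # too many distinct targets
            window.clear()
            return True
        return False

    def _syn_flood(self, dst, now):
        threshold, actions = self.protected.get(dst, (self.syn_threshold, self.syn_actions))
        key = (dst, int(now))
        self.syn_counts[key] += 1
        if self.syn_counts[key] <= threshold:
            return "forward"
        if "logging" in actions and self.syn_counts[key] == threshold + 1:
            self.logs.append((now, dst, "SYN flood"))
        return "drop" if "drop" in actions else "forward"


def syn(src, dst, dport=80):
    return {"src": src, "dst": dst, "dport": dport, "flags": "S"}


def run_demo():
    bl = Blacklist()
    bl.add("5.5.5.5", now=0.0)                          # Host D, no timeout
    bl.add("192.168.1.4", now=0.0, timeout_minutes=50)  # Host C, 50 minutes
    policy = AttackDefensePolicy(bl)
    policy.protect_ip("10.1.1.2", 5000, ("drop", "logging"))
    r = {"host_d": policy.inspect(syn("5.5.5.5", "10.1.1.2"), 1.0),
         "host_c_before_timeout": policy.inspect(syn("192.168.1.4", "10.1.1.2"), 1.0),
         "host_c_after_timeout": policy.inspect(syn("192.168.1.4", "10.1.1.2"), 3000.0)}
    # 21 distinct ports from one host inside the scan window: the 21st trips it
    scan = [policy.inspect(syn("192.168.1.7", "10.1.1.2", p), 10.0 + p / 1000) for p in range(1, 22)]
    r["scan_first"], r["scan_last"] = scan[0], scan[-1]
    r["scanner_blocked"] = bl.is_blocked("192.168.1.7", 20.0)
    r["scanner_released"] = not bl.is_blocked("192.168.1.7", 700.0)
    # 5001 SYNs to the protected address in one second: the 5001st is dropped
    flood = [policy.inspect(syn(f"172.16.0.{i % 250 + 1}", "10.1.1.2", 443), 100.0) for i in range(5001)]
    r["protected_5000th"], r["protected_5001st"] = flood[4999], flood[5000]
    # 1001 SYNs to an unprotected address: the global policy only logs
    burst = [policy.inspect(syn("172.16.0.1", "10.1.1.3", 443), 200.0) for _ in range(1001)]
    r["global_1001st"] = burst[-1]
    r["events"] = [event for _, _, event in policy.logs]
    return r
```

    Note the asymmetry the page's defaults create: the global flood policy has no drop action, so exceeding 1000 pps against an address that is not explicitly protected only produces a log line, while the protected address gets drop and logging. That is why the example configures syn-flood detect ip 10.1.1.2 separately.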
  • Page 504: Configuring Macsec

    Configuring MACsec Overview Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer. Basic concepts Secure connectivity association (CA) is a group of CA participants that use the same key and key algorithm.
  • Page 505: Macsec Applications

    out-of-order packets within the replay protection window size and drop other out-of-order packets.
    MACsec applications
    MACsec supports the following application modes:
    • Client-oriented mode—Operates with 802.1X authentication and secures data transmission between the client and the access device. In this mode, the authentication server generates and distributes the CAK to the client and the access device.
  • Page 506

    Figure 144 MACsec interactive process in client-oriented mode
    The following shows the MACsec process:
    After the client passes 802.1X authentication, the RADIUS server distributes the generated CAK to the client and the access device.
    After receiving the CAK, the client and the access device exchange EAPOL-MKA packets. The client and the access device exchange the MACsec capability and required parameters for session establishment.
  • Page 507: Protocols And Standards

    Operating mechanism for device-oriented mode As shown in Figure 145, the devices use the configured preshared keys to start the session negotiation. In this mode, the session negotiation, secure communication, and session termination processes are the same as the processes in client-oriented mode. However, MACsec performs a key server selection in this mode.
  • Page 508: Macsec Configuration Task List

    MACsec configuration task list
    Tasks at a glance
    (Required.) Enabling MKA
    (Optional.) Enabling MACsec desire
    (Required.) Configuring a preshared key
    (Optional.) Configuring the MKA key server priority
    (Optional.) Use one of the following methods to configure MACsec protection parameters:
    • Configuring MACsec protection parameters in interface view:
      Configuring the MACsec confidentiality offset...
  • Page 509: Configuring A Preshared Key

    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable MACsec desire. Command: macsec desire. Remarks: By default, the port does not expect MACsec protection for outbound frames.
    Configuring a preshared key
    In device-oriented mode, configure a preshared key as the CAK to be used during MKA negotiation. To successfully establish an MKA session between two devices, make sure the connected MACsec ports are configured with the same preshared key.
  • Page 510: Configuring The Macsec Confidentiality Offset

    also removes the MKA policy application from the port. However, other parameter settings of the MKA policy are effective on the port. If the parameter value in interface view is the same as the value in the MKA policy, your configuration does not take effect.
  • Page 511: Configuring Macsec Protection Parameters By Mka Policy

    To avoid data loss, keep the default validation mode (check) on the MACsec devices in case MKA negotiation fails. After you use the display macsec command to verify that MKA negotiation has succeeded, change the validation mode to strict.
    To configure the MACsec validation mode:
    Step Command...
  • Page 512: Applying An Mka Policy

    Applying an MKA policy MKA policy provides a centralized method to configure MACsec confidentiality offset, replay protection, and validation mode. An MKA policy can be applied to a port or multiple ports. When you apply an MKA policy to a port, follow these restrictions and guidelines: •...
  • Page 513: Configuration Procedure

    To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively:
    • Set the MACsec confidentiality offset to 30 bytes.
    • Enable MACsec replay protection, and set the replay protection window size to 100.
    • ...
  • Page 514: Verifying The Configuration

    [DeviceB-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
    # Set the MACsec confidentiality offset to 30 bytes.
    [DeviceB-GigabitEthernet1/0/1] macsec confidentiality-offset 30
    # Enable MACsec replay protection.
    [DeviceB-GigabitEthernet1/0/1] macsec replay-protection enable
    # Set the MACsec replay protection window size to 100.
    [DeviceB-GigabitEthernet1/0/1] macsec replay-protection window-size 100
    # Set the MACsec validation mode to strict.
  • Page 515

    Confidentiality offset   : 30 bytes
    Current SAK status       : Rx & Tx
    Current SAK AN           :
    Current SAK KI (KN)      : 85E004AF49934720AC5131D300000003 (3)
    Previous SAK status      : N/A
    Previous SAK AN          : N/A
    Previous SAK KI (KN)     : N/A
    Live peer list:
    Priority   Capability   Rx-SCI...
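    The device-oriented example above configures three things that the display output then reports: a key server is elected between the two peers by priority, the receive side enforces a replay protection window of 100, and the validation mode is raised from check to strict once negotiation succeeds. The following Python model is an added example, not Comware code from this guide. The election rule used (lowest priority value wins, ties broken by the lowest SCI) is the MKA rule as this example assumes it; the replay check accepts a packet number at or above next expected PN minus the window, which is how the page describes tolerating out-of-order frames inside the window; and the validation modes disable, check and strict differ only in whether a failed integrity check is counted or dropped. The SCIs, priorities and packet numbers are constructed (one SCI is copied from the page's output), and the confidentiality offset helper only partitions the user data into clear and to-be-encrypted parts.

```python
# Added model of three MACsec mechanisms configured in the example above:
# MKA key server selection by priority, replay protection with a window, and
# the validation mode (disable/check/strict) on the receive side. Peers, SCIs
# and packet numbers are constructed; the election rule (lowest priority
# value wins, ties broken by the lowest SCI) is this example's assumption.

VALID_OFFSETS = (0, 30, 50)             # confidentiality offsets the page configures


def elect_key_server(participants):
    """participants: list of {'name', 'priority', 'sci'}. Lower numeric priority
    wins; on a tie the participant with the lowest SCI becomes key server."""
    return min(participants, key=lambda p: (p["priority"], p["sci"]))["name"]


def split_confidentiality(user_data, offset):
    """Return (clear, encrypted) slices of the user data for a confidentiality
    offset: the first `offset` bytes are integrity-protected but not encrypted."""
    if offset not in VALID_OFFSETS:
        raise ValueError(f"confidentiality offset must be one of {VALID_OFFSETS}")
    return user_data[:offset], user_data[offset:]


class MacsecReceiver:
    def __init__(self, replay_protection=True, window_size=100, validation="check"):
        self.replay_protection = replay_protection
        self.window_size = window_size      # 0 means strict ordering
        self.validation = validation        # "disable", "check" or "strict"
        self.next_pn = 1                    # next expected packet number
        self.stats = {"ok": 0, "late": 0, "invalid": 0}

    def lowest_acceptable_pn(self):
        return max(self.next_pn - self.window_size, 1)

    def receive(self, pn, icv_valid=True):
        """Return 'forward' or 'drop' for a frame with packet number pn."""
        if self.validation != "disable" and not icv_valid:
            self.stats["invalid"] += 1
            if self.validation == "strict":
                return "drop"               # check mode counts but still forwards
        if self.replay_protection and pn < self.lowest_acceptable_pn():
            self.stats["late"] += 1
            return "drop"                   # outside the replay window
        self.next_pn = max(self.next_pn, pn + 1)
        self.stats["ok"] += 1
        return "forward"


def run_demo():
    peers = [{"name": "DeviceA", "priority": 16, "sci": "00E00100000A0006"},
             {"name": "DeviceB", "priority": 16, "sci": "00E00100000B0006"}]
    r = {"key_server_tie": elect_key_server(peers)}
    peers[1]["priority"] = 10               # DeviceB now has the better priority
    r["key_server_priority"] = elect_key_server(peers)
    clear, enc = split_confidentiality(bytes(range(64)), 30)
    r["clear_len"], r["enc_len"] = len(clear), len(enc)
    rx = MacsecReceiver(window_size=100, validation="strict")
    for pn in range(1, 11):
        rx.receive(pn)
    r["reordered_in_window"] = rx.receive(5)    # 5 >= 11 - 100: accepted
    for pn in range(11, 301):
        rx.receive(pn)
    r["too_old"] = rx.receive(150)              # 150 < 301 - 100: dropped
    r["in_window"] = rx.receive(250)
    r["bad_icv_strict"] = rx.receive(301, icv_valid=False)
    check = MacsecReceiver(validation="check")
    r["bad_icv_check"] = check.receive(1, icv_valid=False)
    r["late_count"] = rx.stats["late"]
    ordered = MacsecReceiver(window_size=0)
    ordered.receive(1)
    r["duplicate_strict_order"] = ordered.receive(1)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    The check-then-strict sequence the page recommends maps directly onto the validation attribute: in check mode a failed integrity check only increments a counter you can watch while MKA settles, and the switch to strict turns that counter into dropped frames.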
  • Page 516: Troubleshooting Macsec

    Previous SAK AN          : N/A
    Previous SAK KI (KN)     : N/A
    Live peer list:
    Priority   Capability   Rx-SCI
    85E004AF49934720AC5131D3   1216   00E00100000A0006
    Troubleshooting MACsec
    Symptom
    The devices cannot establish MKA sessions when the following conditions exist:
    • The link connecting the devices is up.
    • ...
  • Page 517: Configuring Mff

    Configuring MFF Overview MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
  • Page 518: Basic Concepts

    Basic concepts
    An MFF-enabled device has two types of ports: user port and network port.
    User port
    An MFF user port is directly connected to a host and processes the following packets differently:
    • Allows DHCP packets and multicast packets to pass.
    • ...
  • Page 519: Mff Working Mechanism

    Automatic mode The automatic mode applies to networks that allocate IP addresses to hosts through DHCP. In automatic mode, the device configured with DHCP snooping resolves Option 3 (Router IP option) in the received DHCP ACK message to obtain a gateway for the DHCP snooping entry. If the DHCP ACK message contains multiple gateway addresses, only the first one is recorded for the entry.
  • Page 520: Configuring A Network Port

    Step: Enable MFF. Command: to enable automatic mode, mac-forced-forwarding auto; to enable manual mode, mac-forced-forwarding default-gateway gateway-ip. Remarks: By default, MFF is disabled.
    Configuring a network port
    Step: Enter system view. Command: system-view
    Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number...
  • Page 521: Displaying And Maintaining Mff

    When the MFF device receives an ARP request from a server, the device searches IP-to-MAC address entries it has stored. Then the device replies with the requested MAC address to the server. As a result, packets from a host to a server are forwarded by the gateway. However, packets from a server to a host are not forwarded by the gateway.
  • Page 522 Figure 148 Network diagram
    Configuration procedure
    Configure the IP address of GigabitEthernet 1/0/1 on Gateway.
    system-view
    [Gateway] interface gigabitethernet 1/0/1
    [Gateway-GigabitEthernet1/0/1] ip address 10.1.1.100 24
    Configure the DHCP server:
    # Enable DHCP and configure DHCP address pool 1.
    system-view
    [Device] dhcp enable
    [Device] dhcp server ip-pool 1
    [Device-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0...
  • Page 523: Auto-Mode MFF Configuration Example In A Ring Network

    # Enable DHCP snooping.
    system-view
    [SwitchB] dhcp snooping enable
    # Enable MFF in automatic mode on VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] mac-forced-forwarding auto
    # Configure IP address 10.1.1.50 for the DHCP server.
    [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.50
    [SwitchB-vlan100] quit
    # Configure GigabitEthernet 1/0/6 as a network port.
  • Page 524 # Add gateway's IP address to DHCP address pool 1.
    [Device-dhcp-pool-1] gateway-list 10.1.1.100
    [Device-dhcp-pool-1] quit
    # Configure the IP address of GigabitEthernet 1/0/2.
    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] ip address 10.1.1.50 24
    Configure Switch A:
    # Enable DHCP snooping.
    system-view
    [SwitchA] dhcp snooping enable
    # Enable STP globally to make sure STP is enabled on interfaces.
  • Page 525: Manual-Mode MFF Configuration Example In A Tree Network

    # Configure GigabitEthernet 1/0/6 as a network port.
    [SwitchB] interface gigabitethernet 1/0/6
    [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port
    # Configure GigabitEthernet 1/0/6 as a DHCP snooping trusted port.
    [SwitchB-GigabitEthernet1/0/6] dhcp snooping trust
    Enable STP on Switch C globally to make sure STP is enabled on interfaces. ...
  • Page 526: Manual-Mode MFF Configuration Example In A Ring Network

    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port
    Configure Switch B:
    # Configure manual-mode MFF on VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
    # Specify the IP address of the server.
    [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200
    # Enable ARP snooping on VLAN 100.
    [SwitchB-vlan100] arp snooping enable
    [SwitchB-vlan100] quit
    # Configure GigabitEthernet 1/0/6 as a network port.
  • Page 527 # Configure manual-mode MFF on VLAN 100.
    [SwitchA] vlan 100
    [SwitchA-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
    # Specify the IP address of the server.
    [SwitchA-vlan100] mac-forced-forwarding server 10.1.1.200
    # Enable ARP snooping on VLAN 100.
    [SwitchA-vlan100] arp snooping enable
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as network ports.
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port
    [SwitchA-GigabitEthernet1/0/2] quit...
  • Page 528: Configuring ND Attack Defense

    Configuring ND attack defense Overview Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks: •...
  • Page 529: Configuring ND Attack Detection

    The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
  • Page 530: Configuration Procedure

    Configuration procedure
    To configure ND attack detection:
    Step Command Remarks
    Enter system view. system-view
    Enter VLAN view. vlan vlan-id
    Enable ND attack detection. ipv6 nd detection enable By default, ND attack detection is disabled.
    Return to system view. quit
    Enter Layer 2 Ethernet or aggregate interface view. interface interface-type
  • Page 531: Specifying The Role Of The Attached Device

    Specifying the role of the attached device
    Step Command Remarks
    Enter system view. system-view
    Enter Layer 2 Ethernet or aggregate interface view. interface interface-type interface-number
    Specify the role of the device ipv6 nd raguard role { host | By default, the role of the device attached to the port is not specified.
  • Page 532: Enabling The RA Guard Logging Feature

    Enabling the RA guard logging feature This feature allows a device to generate logs when it detects forged RA messages. Each log records the following information: • Name of the interface that received the forged RA message. • Source IP address of the forged RA message. •...
  • Page 533: Configuration Procedure

    Figure 152 Network diagram
    Configuration procedure
    # Create an RA guard policy named policy1.
    system-view
    [Switch] ipv6 nd raguard policy policy1
    # Set the maximum router preference to high for the RA guard policy.
    [Switch-raguard-policy-policy1] if-match router-preference maximum high
    # Specify on as the M flag match criterion for the RA guard policy.
  • Page 534: Verifying The Configuration

    [Switch-vlan10] quit
    # Specify host as the role of the device attached to GigabitEthernet 1/0/1.
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] ipv6 nd raguard role host
    [Switch-GigabitEthernet1/0/1] quit
    # Specify router as the role of the device attached to GigabitEthernet 1/0/3.
    [Switch] interface gigabitethernet 1/0/3
    [Switch-GigabitEthernet1/0/3] ipv6 nd raguard role router
    [Switch-GigabitEthernet1/0/3] quit...
  • Page 535: Configuring Keychains

    Configuring keychains Overview A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
  • Page 536: Displaying And Maintaining Keychain

    Displaying and maintaining keychain
    Execute display commands in any view.
    Task Command
    Display keychain information. display keychain [ name keychain-name [ key key-id ] ]
    Keychain configuration example
    Network requirements
    As shown in Figure 153, establish an OSPF neighbor relationship between Switch A and Switch B, and use a keychain to authenticate packets between the switches.
  • Page 537: Configuring Switch B

    [SwitchA-keychain-abc-key-2] authentication-algorithm hmac-sha-256
    [SwitchA-keychain-abc-key-2] key-string plain pwd123
    [SwitchA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] quit
    [SwitchA-keychain-abc] quit
    # Configure VLAN-interface 100 to use keychain abc for authentication.
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ospf authentication-mode keychain abc
    [SwitchA-Vlan-interface100] quit
    Configuring Switch B...
  • Page 538: Verifying The Configuration

    Verifying the configuration
    When the system time is within the lifetime from 10:00:00 to 11:00:00 on 2015/02/06, verify the status of the keys in keychain abc.
    # Display keychain information on Switch A. The output shows that key 1 is the valid key.
    [SwitchA] display keychain
    Keychain name : abc...
  • Page 539 Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
    Algorithm : hmac-sha-256
    Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    Send status : Inactive
    Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    Accept status : Inactive
    When the system time is within the lifetime from 11:00:00 to 12:00:00 on 2015/02/06, verify the status of the keys in keychain abc.
  • Page 540 Send status : Inactive
    Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
    Accept status : Inactive
    Key ID
    Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
    Algorithm : hmac-sha-256
    Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    Send status : Active
    Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    Accept status : Active...
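The keychain overview and the verification output above describe how send and accept lifetimes decide which key is active at a given time. The following Python model, added here as an illustration and not code from the HPE guide, reproduces the key status for keychain abc (key 1 valid 10:00 to 11:00, key 2 valid 11:00 to 12:00 UTC on 2015/02/06, both hmac-sha-256) and signs and verifies a constructed packet across the rollover. Assumptions: a lifetime covers the half-open interval [start, end), the OSPF-like payload is constructed, and key 1's plain key string is a placeholder because the page shows it only in encrypted form.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

_ALGORITHMS = {"hmac-sha-256": hashlib.sha256}


def utc(stamp: str) -> datetime:
    """Parse a lifetime bound in the manual's 'HH:MM:SS YYYY/MM/DD' form as UTC."""
    return datetime.strptime(stamp, "%H:%M:%S %Y/%m/%d").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str
    key_string: bytes
    send_lifetime: Tuple[datetime, datetime]
    accept_lifetime: Tuple[datetime, datetime]


def within(lifetime: Tuple[datetime, datetime], now: datetime) -> bool:
    # Assumption: a lifetime covers [start, end); the boundary second belongs to the next key.
    start, end = lifetime
    return start <= now < end


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """The key used to sign outgoing packets: the one whose send lifetime covers now."""
    for key in chain:
        if within(key.send_lifetime, now):
            return key
    return None


def accept_keys(chain: List[Key], now: datetime) -> List[Key]:
    """All keys a receiver will accept at this time (several may overlap)."""
    return [key for key in chain if within(key.accept_lifetime, now)]


def key_status(chain: List[Key], now: datetime) -> List[Tuple[int, str, str]]:
    """Per key: (key ID, send status, accept status), as 'display keychain' reports them."""
    def label(active: bool) -> str:
        return "Active" if active else "Inactive"
    return [(k.key_id, label(within(k.send_lifetime, now)), label(within(k.accept_lifetime, now)))
            for k in chain]


def sign(key: Key, payload: bytes) -> bytes:
    """Authentication digest over the payload with the key's algorithm and key string."""
    return hmac.new(key.key_string, payload, _ALGORITHMS[key.algorithm]).digest()


def verify(chain: List[Key], now: datetime, key_id: int, payload: bytes, mac: bytes) -> bool:
    """Receiver check: the key ID carried in the packet must be inside its accept lifetime
    and the digest must match; anything else is dropped."""
    for key in accept_keys(chain, now):
        if key.key_id == key_id:
            return hmac.compare_digest(sign(key, payload), mac)
    return False


# Keychain abc from the configuration example. Key 2's plain key string (pwd123) is on the
# page; key 1's is shown only encrypted, so b"key1-placeholder" is a constructed stand-in.
KEYCHAIN_ABC = [
    Key(1, "hmac-sha-256", b"key1-placeholder",
        (utc("10:00:00 2015/02/06"), utc("11:00:00 2015/02/06")),
        (utc("10:00:00 2015/02/06"), utc("11:00:00 2015/02/06"))),
    Key(2, "hmac-sha-256", b"pwd123",
        (utc("11:00:00 2015/02/06"), utc("12:00:00 2015/02/06")),
        (utc("11:00:00 2015/02/06"), utc("12:00:00 2015/02/06"))),
]


def rollover_check(chain: List[Key], sent_at: datetime, received_at: datetime) -> bool:
    """Sign a constructed OSPF-like payload with the sender's key at sent_at and check it
    against the receiver's accept set at received_at. True means the packet is accepted."""
    payload = b"OSPF Hello from SwitchA (constructed sample)"
    key = send_key(chain, sent_at)
    if key is None:
        return False
    return verify(chain, received_at, key.key_id, payload, sign(key, payload))


if __name__ == "__main__":
    for stamp in ("10:30:00 2015/02/06", "11:30:00 2015/02/06"):
        print(stamp, key_status(KEYCHAIN_ABC, utc(stamp)))
    # A packet signed with key 1 one second before rollover and checked one second after it:
    print("accepted across boundary:",
          rollover_check(KEYCHAIN_ABC, utc("10:59:59 2015/02/06"), utc("11:00:01 2015/02/06")))
```

With the page's back-to-back lifetimes, a packet signed just before 11:00:00 and checked just after it is rejected because key 1 has already left its accept lifetime; overlapping accept lifetimes are what let the rollover happen without dropped packets.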
  • Page 541: Document Conventions And Icons

    Document conventions and icons
    Conventions
    This section describes the conventions used in the documentation.
    Port numbering in examples
    The port numbers in this document are for illustration only and might be unavailable on your device.
    Command conventions
    Convention Description
    Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 542: Network Topology Icons

    Network topology icons
    Convention Description
    Represents a generic network device, such as a router, switch, or firewall.
    Represents a routing-capable device, such as a router or Layer 3 switch.
    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 543: Support And Other Resources

    Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials
    IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
  • Page 544: Websites

    Websites
    Website Link
    Networking websites
    Hewlett Packard Enterprise Information Library for Networking www.hpe.com/networking/resourcefinder
    Hewlett Packard Enterprise Networking website www.hpe.com/info/networking
    Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support
    Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking
    Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty
    General websites
    Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs
    Hewlett Packard Enterprise Support Center...
  • Page 545 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 546: Index

    Index EAP-Success packet sending, Numerics enable, 3DES feature cooperation, IPsec encryption algorithm, guest VLAN, guest VLAN assignment configuration, MACsec configuration, 490, guest VLAN assignment delay, 802.1X guest VLAN configuration, 802.1X protocol packet sending rule, MAC authentication delay, AAA RADIUS server 802.1X user, MAC-based access control, access control method, maintain,...
  • Page 547 display, RADIUS implementation, displaying local users/user groups, RADIUS maintain, FIPS compliance, RADIUS request transmission attempts max, HWTACACS accounting server, RADIUS scheme, HWTACACS authentication server, RADIUS scheme creation, HWTACACS authorization server, RADIUS scheme VPN, HWTACACS display, RADIUS security policy server IP address, HWTACACS implementation, RADIUS server 802.1X user, HWTACACS maintain,...
  • Page 548 portal authentication device access, anti-replay account idle time (password control), IPsec anti-replay redundancy, accounting IPsec configuration, AAA configuration, 1, 17, any authentication (SSH), AAA ISP domain accounting method, application AAA RADIUS accounting server IPsec application-based implementation, parameters, IPsec application-based tunnel AAA RADIUS accounting-on, establishment, AAA SSH user local...
  • Page 549 unresolvable IP attack blackhole routing, IP blacklist configuration, 481, unresolvable IP attack protection display, log non-aggregation enable, unresolvable IP attack source login attack prevention configuration, suppression, login delay, user validity check, login dictionary attack, user validity check configuration, login DoS attack, user+packet validity check, maintain, ARP protection...
  • Page 550 802.1X manual online user port security client reauthentication, macAddressElseUserLoginSecure, 802.1X overview, port security client userLoginWithOUI, 802.1X periodic online user port security configuration, 192, 195, reauthentication, port security MAC address autoLearn, 802.1X RADIUS Message-Authentication portal authentication client, attribute, portal authentication configuration (cross-subnet 802.1X SmartOn feature configuration, for MPLS L3VPN), 802.1X timeout timers,...
  • Page 551 AAA configuration, 1, 17, PKI certificate export, AAA ISP domain authorization method, PKI certificate obtain, AAA LDAP authorization, PKI certificate removal, AAA RADIUS server SSH user PKI certificate request, authentication+authorization, PKI certificate request (automatic), AAA RADIUS session-control, PKI certificate request (manual), AAA SSH user local PKI certificate request abort, authentication+HWTACACS...
  • Page 552 client 802.1X guest VLAN assignment, 802.1X authentication, 802.1X manual online user reauthentication, 802.1X authentication (access device 802.1X online user handshake, initiated), 802.1X protocol packet sending rule, 802.1X authentication (client-initiated), 802.1X quiet timer, 802.1X authentication client timeout timer, 802.1X SmartOn, 99, 802.1X authentication configuration, 802.1X+ACL assignment, 802.1X authentication initiation,...
  • Page 553 ARP packet sender IP address checking, IPsec IKE global identity information, ARP packet source MAC consistency IPsec IKE keepalive, check, IPsec IKE keychain, ARP packet validity check, IPsec IKE NAT keepalive, ARP restricted forwarding, IPsec IKE profile, ARP scanning, IPsec IKE proposal, ARP user validity check, 438, IPsec IKE SNMP notification, ARP user+packet validity check,...
  • Page 554 MAC authentication guest VLAN, portal authentication, 134, 139, MAC authentication keep-online, portal authentication configuration (cross-subnet for MPLS L3VPN), MAC authentication user account format, portal authentication cross-subnet MACsec, 490, configuration, MACsec (device-oriented), portal authentication destination subnet, MACsec confidentiality offset, portal authentication detection features, MACsec MKA key server priority, portal authentication direct configuration, MACsec MKA policy,...
  • Page 555 SSH Secure Telnet server password critical voice VLAN authentication, 802.1X enable, SSH Secure Telnet server publickey MAC authentication enable, authentication, SSH SFTP, PKI, SSH SFTP (192-bit Suite B), PKI architecture, SSH SFTP client publickey PKI CA policy, authentication, PKI certificate export, SSH SFTP server password PKI certificate removal, authentication,...
  • Page 556 attack D&P defense policy configuration (DNS 802.1X configuration, 76, flood), 802.1X EAD assistant, attack D&P defense policy configuration (FIN 802.1X EAD assistant configuration (DHCP relay flood), agent), attack D&P defense policy configuration 802.1X EAD assistant configuration (DHCP (HTTP flood), server), attack D&P defense policy configuration (RST 802.1X guest VLAN assignment flood),...
  • Page 557 portal authentication server detection+user dictionary synchronization configuration, attack D&P login delay, portal authentication Web server, attack D&P login dictionary attack, SSH SCP client, digital certificate SSH SCP server enable, PKI CA certificate, SSH Secure Telnet client, PKI CA policy, SSH Secure Telnet configuration (128-bit PKI CA storage path, Suite B), PKI certificate export,...
  • Page 558 IPsec, dst-mac validity check (ARP), IPsec IKE, dynamic IPsec IKEv2, IP source guard (IPSG) dynamic binding, IPv4 source guard (IPv4SG), IPv4 source guard (IPv4SG) dynamic binding configuration, IPv6 source guard (IPv6SG), IPv4 source guard (IPv4SG) dynamic IPv6 uRPF, binding+DHCP relay configuration, keychain, IPv6 source guard (IPv6SG) dynamic MAC authentication,...
  • Page 559 attack D&P login delay, IPsec encryption algorithm (3DES), IPsec ACL de-encapsulated packet IPsec encryption algorithm (AES), check, IPsec encryption algorithm (DES), IPsec IKE invalid SPI recovery, IPsec RIPng configuration, IPsec IKEv2 cookie challenge, IPsec RRI configuration, IPsec packet logging, IPsec tunnel for IPv4 packets (IKE-based), IPsec QoS pre-classify, IPsec tunnel for IPv4 packets (manual), IPv4 source guard (IPv4SG) on interface,...
  • Page 560 portal authentication extended re-DHCP attack D&P defense policy (DNS flood), configuration, attack D&P defense policy (FIN flood), attack D&P defense policy (HTTP flood), attack D&P defense policy (ICMP flood), fail-permit feature (portal), attack D&P defense policy (ICMPv6 flood), feature compatibility attack D&P defense policy (RST flood), MACsec, attack D&P defense policy (SYN flood),...
  • Page 561 SSH SFTP configuration, MACsec, SSH SFTP configuration (192-bit Suite history password history, SSH SFTP directories, HTTP SSH SFTP files, attack D&P defense policy (HTTP flood), SSH SFTP packet source IP address, SSL configuration, 233, SSH SFTP server connection HW Terminal Access Controller Access Control establishment, System.
  • Page 562 display, protocols and standards, DPD configuration, RSA signature authentication, FIPS compliance, SA rekeying, global identity information, troubleshoot, identity authentication, troubleshoot negotiation failure (no proposal match), invalid SPI recovery, IPsec negotiation mode, AAA RADIUS session-control, IPsec policy (IKE-based/direct), implementing IPsec policy (IKE-based/template), 802.1X MAC-based access control, IPsec policy configuration (IKE-based), 802.1X port-based access control,...
  • Page 563 ARP attack protection blackhole routing authentication algorithms, (unresolvable IP attack), configuration, 277, ARP attack protection source suppression crypto engine, (unresolvable IP attack), display, ARP ip validity check, encapsulation modes, security. Use IPsec encryption, uRPF configuration, 448, 451, encryption algorithms, IP address FIPS compliance, including IP address in MAC authentication IKE configuration, 313, 315,...
  • Page 564 policy configuration IPv4 source guard (IPv4SG) (IKE-based/template), configuration, 418, 419, 420, policy configuration (manual), display, policy configuration restrictions, dynamic binding configuration, policy configuration restrictions dynamic binding+DHCP relay configuration, (IKE-based), enable on interface, protocols and standards, maintain, QoS pre-classify enable, static binding configuration, 420, RIPng configuration, IPv6 RRI,...
  • Page 565 IPsec IKEv2 configuration, 336, 337, IPsec configuration, 277, IPsec IKEv2+pre-shared key IPsec RIPng configuration, authentication, IPsec RRI configuration, IPsec IKEv2+RSA signature IPsec tunnel for IPv4 packets (IKE-based), authentication, IPsec tunnel for IPv4 packets (manual), IPsec tunnel for IPv6 packets (IKE-based), AAA device implementation, PKI MPLS L3VPN support, AAA ISP domain accounting method,...
  • Page 566 key pair destruction, IP source guard (IPSG) configuration, 418, 419, MAC authentication, IPv4 source guard (IPv4SG) dynamic binding MAC authentication (local), configuration, password control parameters (local user), IPv4 source guard (IPv4SG) dynamic PKI digital certificate, binding+DHCP relay configuration, troubleshooting PKI certificate obtain IPv4 source guard (IPv4SG) static binding failure, configuration,...
  • Page 567 periodic reauthentication, protocols and standards, port security authentication control mode, replay protection configuration, port security client services, macAddressElseUserLoginSecure, troubleshooting, port security client userLoginWithOUI, troubleshooting device cannot establish MKA port security configuration, 192, 195, session, port security features, validation mode configuration, port security intrusion protection, maintaining port security MAC address autoLearn,...
  • Page 568 network port, 504, port security MAC learning control autoLearn, operation modes, port security MAC learning control secure, periodic gateway probe enable, port security macAddressWithRadius authentication, protocols and standards, port security secure MAC learning control, server IP address, portal authentication, user port, portal authentication (cross-subnet), minimum password length, portal authentication (direct),...
  • Page 569 displaying, 802.1X SmartOn feature configuration, maintaining, 802.1X VLAN manipulation, need to know. Use 802.1X+ACL assignment configuration, negotiating AAA device implementation, IPsec IKE negotiation, AAA HWTACACS implementation, IPsec IKE negotiation mode, AAA HWTACACS scheme, IPsec IKEv2 negotiation, AAA HWTACACS server SSH user, NETCONF AAA ISP domain accounting method, enable over SSH,...
  • Page 570 attack D&P log non-aggregation, IPsec tunnel for IPv4 packets (manual), attack D&P policy application (device), IPsec tunnel for IPv6 packets (IKE-based), authorized ARP (DHCP relay agent), IPv4 source guard (IPv4SG) configuration, authorized ARP (DHCP server), IPv4 source guard (IPv4SG) dynamic binding configuration, authorized ARP configuration, IPv4 source guard (IPv4SG) dynamic...
  • Page 571 MFF auto-mode in tree network, port security secure MAC address, MFF configuration, port security secure MAC address port limit, MFF manual-mode in ring network, portal authentication AAA server, MFF manual-mode in tree network, portal authentication client, MFF network port, 504, portal authentication cross-subnet configuration, MFF periodic gateway probe,...
  • Page 572 SSH SFTP server connection establishment SSH configuration, based on Suite B, SSL configuration, 233, SSH SFTP server connection termination, SSL services, SSH SFTP server enable, uRPF configuration, 448, SSH SFTP server password authentication, AAA no accounting method, SSH Stelnet server enable, AAA no authentication, SSH user configuration, AAA no authorization,...
  • Page 573 AAA RADIUS outgoing packet source IP AAA RADIUS accounting server parameters, address, configuring SSH management parameters, AAA RADIUS packet exchange process, MACsec protection parameter (interface AAA RADIUS packet format, view), ARP active acknowledgement, MACsec protection parameter (MKA policy), ARP ARP packet sender IP address password control parameters (global), checking, password control parameters (local user),...
  • Page 574 public key peer configuration, troubleshooting configuration, Perfect Forward Secrecy. See PFS Windows 2003 CA server certificate request configuration, periodic gateway probe (MFF), policy periodic MAC reauthentication, AAA RADIUS security policy server IP PFS (IKE), address, attack D&P defense policy, applications, attack D&P defense policy (flood), architecture, attack D&P defense policy (scanning),...
  • Page 575 MFF user port, features, portal authentication, intrusion protection, portal authentication configuration, 134, intrusion protection feature, portal authentication cross-subnet MAC address autoLearn, configuration, MAC address learning control, portal authentication direct configuration, MAC authentication, portal authentication extended cross-subnet MAC move enable, configuration, MAC+802.1X authentication, portal authentication extended direct mode set,...
  • Page 576 fail-permit configuration, applying portal authentication interface NAS-ID profile, interface NAS-ID profile, authenticating with 802.1X EAP relay, local portal Web server configuration, authenticating with 802.1X EAP termination, local portal Web server feature, binding IPsec source interface to policy, maintaining, configuring AAA user group attributes, outgoing packets filtering, configuring portal authentication (cross-subnet portal-free rule,...
  • Page 577 configuring AAA RADIUS accounting-on, configuring attack D&P defense policy (HTTP flood), configuring AAA RADIUS DAE server, configuring attack D&P defense policy (ICMP configuring AAA RADIUS Login-Service flood), attribute check method, configuring attack D&P defense policy (ICMPv6 configuring AAA RADIUS scheme, flood), configuring AAA RADIUS security policy configuring attack D&P defense policy (RST...
  • Page 578 configuring IPsec IKEv2, configuring MAC authentication critical VLAN, configuring IPsec IKEv2 address pool, configuring MAC authentication delay, configuring IPsec IKEv2 DPD, configuring MAC authentication guest VLAN, configuring IPsec IKEv2 global parameters, configuring MAC authentication keep-online, configuring IPsec IKEv2 keychain, configuring MAC authentication multi-VLAN mode, configuring IPsec IKEv2 NAT keepalive, configuring MAC authentication user account...
  • Page 579 configuring port security client configuring security local portal Web server macAddressElseUserLoginSecure, feature, configuring port security client configuring security password control, userLoginWithOUI, configuring security portal authentication direct configuring port security features, local portal Web server, configuring port security intrusion configuring security portal authentication local protection, portal Web server, configuring port security MAC address...
  • Page 580 displaying ARP attack detection (source enabling IPv4 source guard (IPv4SG) on MAC-based), interface, displaying ARP attack protection enabling IPv6 source guard (IPv6SG) on (unresolvable IP attack), interface, displaying ARP detection, enabling MAC authentication, displaying attack D&P, enabling MAC authentication critical voice VLAN, displaying FIPS, enabling MAC authentication offline...
  • Page 581 implementing security ACL-based IPsec, setting password control parameters (global), importing peer host public key from file, setting password control parameters (local user), importing public key from file, setting password control parameters (super), including IP address in MAC authentication request, setting password control parameters (user group), limiting port security secure MAC addresses,...
  • Page 582 troubleshooting AAA RADIUS authentication working with SSH SFTP files, failure, processing troubleshooting AAA RADIUS packet delivery parallel processing with 802.1X failure, authentication, troubleshooting IPsec IKE negotiation failure profile (no proposal match), AAA NAS-ID profile configuration, troubleshooting IPsec IKE negotiation failure AAA RADIUS server status detection test (no proposal or keychain specified profile,...
  • Page 583 SSH client host public key configuration, HWTACACS/RADIUS differences, SSH password-publickey authentication, information exchange security, SSH publickey authentication, Login-Service attribute check method, SSH Secure Telnet server publickey MAC authentication, authentication, MAC authentication (RADIUS-based), SSH SFTP client publickey MAC authentication authorization VLAN, authentication, maintain, SSH user configuration,...
  • Page 584 IPsec IKE invalid SPI recovery, 802.1X authentication configuration, re-DHCP portal authentication mode, 136, 802.1X basic configuration, redirect URL 802.1X configuration, 76, MAC authentication redirect URL 802.1X EAD assistant configuration (DHCP relay assignment, agent), redundancy 802.1X EAD assistant configuration (DHCP server), IPsec anti-replay redundancy, 802.1X guest VLAN assignment registration authority.
  • Page 585 troubleshooting IPsec SA negotiation failure 802.1X authorization VLAN, (no transform set match), 332, 802.1X authorization VLAN assignment troubleshooting IPsec SA negotiation failure configuration, (tunnel failure), 802.1X basic configuration, SA (MACsec), 802.1X critical VLAN, 80, SAK (MACsec), 802.1X critical voice VLAN, scanning attack 802.1X display, attack D&P defense policy,...
  • Page 586 AAA RADIUS attributes, attack D&P device-preventable attacks, AAA RADIUS DAE server, attack D&P display, AAA RADIUS implementation, attack D&P IP blacklist configuration, AAA RADIUS information exchange security attack D&P log non-aggregation, mechanism, attack D&P maintain, AAA RADIUS scheme, attack D&P policy application (device), AAA RADIUS security policy server IP attack D&P policy application (interface), address,...
  • Page 587 IPsec IKEv2 profile configuration, MAC authentication critical voice VLAN, IPsec IKEv2 protocols and standards, MAC authentication delay, 121, IPsec IPv6 routing protocols, MAC authentication display, IPsec maintain, MAC authentication domain, IPsec packet DF bit, MAC authentication enable, IPsec packet logging enable, MAC authentication guest VLAN, IPsec policy configuration restrictions, MAC authentication keep-online,...
  • Page 588 NETCONF-over-SSH+password PKI OpenCA server certificate request, authentication configuration, PKI operation, outgoing packets filtering on portal PKI RSA Keon CA server certificate request, interface, PKI terminology, parallel processing with 802.1X PKI Windows 2003 CA server certificate authentication, request, password control configuration, 213, 216, port.
  • Page 589 SSH client host public key configuration, SSH SFTP server password authentication, SSH configuration, SSH Stelnet server enable, SSH display, SSH user configuration, SSH local DSA key pair generation, SSH user configuration restrictions, SSH local ECDSA key pair generation, SSH2 algorithms, SSH local RSA key pair generation, SSH2 algorithms (encryption ), SSH management parameters,...
  • Page 590 802.1X basic configuration, 802.1X port users max, 802.1X configuration, 76, AAA concurrent login user max, 802.1X EAD assistant configuration (DHCP AAA HWTACACS timer, relay agent), AAA HWTACACS traffic statistics unit, 802.1X EAD assistant configuration (DHCP AAA HWTACACS username format, server), AAA LDAP server timeout period, 802.1X guest VLAN assignment AAA RADIUS request transmission attempts...
  • Page 591 802.1X feature, uRPF configuration, 448, 451, 802.1X feature configuration, SNMP AAA HWTACACS server SSH user, AAA RADIUS notifications, AAA LDAP server SSH user authentication, IPsec IKE SNMP notification, AAA RADIUS Login-Service attribute check method, IPsec SNMP notification, AAA RADIUS server SSH user source authentication+authorization, ARP attack detection (source...
  • Page 592 SFTP, troubleshooting PKI storage path set failure, SFTP client device, subnetting SFTP client publickey authentication, portal authentication configuration (cross-subnet for MPLS L3VPN), SFTP configuration, portal authentication cross-subnet SFTP configuration (192-bit Suite B), configuration, SFTP directories, portal authentication destination subnet, SFTP files, portal authentication extended cross-subnet SFTP help information display, configuration,...
  • Page 593 FIPS mode system changes, testing IPsec authentication, AAA RADIUS server status detection test profile, IPsec configuration, FIPS conditional self-test, IPsec encryption, FIPS power-up self-test, IPsec IKE configuration, 313, 315, FIPS triggered self-test, IPsec IKE global identity information, TFTP IPsec IKE invalid SPI recovery, local host public key distribution, IPsec IKE keychain, time...
  • Page 594 trapping portal authentication users cannot log in (re-DHCP), AAA RADIUS SNMP notification, portal authentication users logged out still exist on IPsec IKE SNMP notification, server, IPsec SNMP notification, tunneling triggering IPsec configuration, 277, 802.1X authentication trigger, IPsec encapsulation tunnel mode, FIPS self-test, IPsec RIPng configuration, troubleshooting...
  • Page 595 portal authentication roaming, AAA RADIUS format, portal authentication user access, portal authentication user online validating detection, MACsec validation mode, portal authentication user setting max, validity check portal authentication user ARP packet, synchronization, ARP user, 438, SSH user configuration, ARP user+packet, userLogin 802.1X authentication mode, vendor userLoginSecure 802.1X authentication...
  • Page 596 MAC authentication VLAN assignment, security portal authentication direct local portal Web server, MFF auto-mode in ring network, security portal authentication local portal Web MFF auto-mode in tree network, server, MFF configuration, 503, 505, security portal authentication Web server MFF manual-mode in ring network, specifying, MFF manual-mode in tree network, troubleshooting 802.1X EAD assistant browser...