Configuration Guide

Abstract

This document describes the software features for the HP A Series products and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
Contents

Configuring AAA ... 1
RADIUS ... 2
HWTACACS ... 7
Domain-based user management ... 9
AAA across MPLS L3VPNs ... 10
Protocols and standards ... 11
RADIUS attributes ... 11
AAA configuration considerations and task list ... 14
Configuring AAA schemes ... 16
Configuring local users ...
Authentication procedure ... 76
EAP relay ... 76
EAP termination ... 78
Configuring 802.1X ... 79
HP implementation of 802.1X ... 79
Access control methods ... 79
Using 802.1X authentication with other features ... 79
Configuring 802.1X ... 82
Configuration prerequisites ... 82
802.1X configuration task list ...
MAC authentication configuration examples ... 108
Local MAC authentication configuration example ... 108
RADIUS-based MAC authentication configuration example ... 110
ACL assignment configuration example ... 112
Configuring portal ... 115
Extended portal functions ... 115
Portal system components ... 115
Portal authentication modes ...
Enabling port security ... 177
Configuration prerequisites ... 177
Configuration procedure ... 177
Setting the maximum number of secure MAC addresses ... 178
Setting the port security mode ... 178
Configuration prerequisites ... 178
Configuration procedure ... 179
Configuring port security features ... 179
Configuring NTK ...
Configuring the local asymmetric key pair ... 212
Creating a local asymmetric key pair ... 212
Displaying or exporting the local RSA or DSA host public key ... 212
Destroying an asymmetric key pair ... 213
Configuring a remote host's public key ... 213
Displaying and maintaining public keys ...
Configuring packet information pre-extraction ... 261
Enabling invalid SPI recovery ... 261
Configuring IPsec RRI ... 262
Implementing tunnel interface-based IPsec ... 263
Configuration task list ... 263
Configuring an IPsec profile ... 264
Configuring an IPsec tunnel interface ... 265
Enabling packet information pre-extraction on the IPsec tunnel interface ...
Configuring first-time authentication support ... 314
Establishing connection between the SSH client and server ... 315
Displaying and maintaining SSH ... 315
SSH server configuration examples ... 316
Configuring the router to act as password authentication server ... 316
Configuring the router to act as public key authentication server ... 318
SSH client configuration examples ...
Invalid characters are present in the configured parameter ... 383
Invalid use of wildcard ... 384
Invalid blocking suffix ... 385
ACL configuration failed ... 385
Unable to access the HTTP server by IP address ... 385
Configuring attack detection and protection ... 386
Types of network attacks the device can defend against ...
Power-up self-tests ... 441
Conditional self-tests ... 442
Triggered self-test ... 442
Displaying and maintaining FIPS ... 442
Support and other resources ... 443
Contacting HP ... 443
Subscription service ... 443
Related information ... 443
Documents ... 443
Websites ... 443
Conventions ...
Configuring AAA

AAA provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and ...
RADIUS

RADIUS is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS basic message exchange process

Figure 3 illustrates the interaction between the host, the RADIUS client, and the RADIUS server.

Figure 3 RADIUS basic message exchange process (host, RADIUS client, RADIUS server)
1) Username and password
2) Access-Request
3) Access-Accept/Reject
4) Accounting-Request (start)
5) Accounting-Response
6) The host accesses the resources ...
RADIUS packet format

RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS server and the client through a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
... padding and are neglected upon reception. If the length of a received packet is less than this length, the packet is dropped. The value of this field ranges from 20 to 4096. The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to encrypt user passwords.
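The Length rules above (a value of 20 to 4096, bytes past Length treated as padding, packets shorter than their Length field dropped), the two uses of the Authenticator field, and the vendor-specific attribute layout described next (Vendor-ID with a zero most significant byte, HP vendor ID 25506, Vendor-Length, Vendor-Data) can be exercised with the following Python parser. This is an added example written for this page, not code from the guide or from HP. The User-Password hiding and the Response Authenticator check follow RFC 2865; the shared key `expert` and the username `hello@bbb` are reused from the guide's configuration examples; the sub-attribute type and value used in the test packet are constructed and are not HP's assignments.

```python
"""RADIUS datagram parsing and Authenticator handling (added example, RFC 2865 rules).
Length rules from the guide: 20..4096, bytes past Length are padding, shorter packets drop."""
import hashlib
import struct

HEADER_LEN, MAX_LEN = 20, 4096
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
HP_VENDOR_ID = 25506  # vendor ID stated in the guide


def parse_radius(datagram: bytes) -> dict:
    """Return header fields and attributes; raise ValueError when the guide says to drop."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not HEADER_LEN <= length <= MAX_LEN:
        raise ValueError(f"Length {length} outside 20..4096")
    if len(datagram) < length:
        raise ValueError("received fewer bytes than the Length field claims")
    body = datagram[HEADER_LEN:length]  # anything past Length is padding and is ignored
    attrs, pos = [], 0
    while pos < len(body):  # walk the Type/Length/Value attributes
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = body[pos + 2:pos + alen]
        attrs.append((atype, parse_vsa(value) if atype == ATTR_VENDOR_SPECIFIC else value))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": datagram[4:20], "attributes": attrs}


def parse_vsa(value: bytes) -> dict:
    """Decode Vendor-ID plus the Vendor-Type/Vendor-Length/Vendor-Data sub-attributes."""
    if len(value) < 4 or value[0] != 0:
        raise ValueError("Vendor-ID missing or its most significant byte is not 0")
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad sub-attribute length")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return {"vendor_id": struct.unpack("!I", value[:4])[0], "sub_attributes": subs}


def build_vsa(vendor_id: int, subs) -> bytes:
    """Encode a vendor-specific attribute value from (vendor-type, data) pairs."""
    out = struct.pack("!I", vendor_id)
    for vtype, data in subs:
        out += struct.pack("!BB", vtype, 2 + len(data)) + data
    return out


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble header + TLV attributes with a correct Length field."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding: each 16-byte chunk is XORed with MD5(secret + previous
    ciphertext chunk), the chain being seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does with the shared key)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_reply(code: int, request: dict, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request["id"], HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + request["authenticator"] + attrs + secret).digest() + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client-side check a NAS performs before trusting an Access-Accept/Reject."""
    parsed = parse_radius(reply)
    attrs = reply[HEADER_LEN:parsed["length"]]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    return parsed["authenticator"] == expected


def must_drop(datagram: bytes) -> bool:
    """True when parse_radius rejects the datagram under the Length rules."""
    try:
        parse_radius(datagram)
        return False
    except ValueError:
        return True
```

A typical run builds an Access-Request with `build_packet` (User-Name, a hidden User-Password, and a vendor-specific attribute from `build_vsa`), parses it with trailing padding appended to show that bytes past Length are ignored, recovers the password with `reveal_password`, and then checks a reply produced by `build_reply` with `reply_is_authentic`; flipping any byte of the reply makes that check fail, which is exactly what protects the NAS from a forged Access-Accept sent by someone who does not hold the shared key.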
• Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes contain a code that is compliant with RFC 1700. The vendor ID of HP is 25506. For more information about HP proprietary RADIUS sub-attributes, see "Proprietary RADIUS sub-attributes of ...
• Vendor-Length—Indicates the length of the sub-attribute.
• Vendor-Data—Indicates the contents of the sub-attribute.

Figure 5 Segment of a RADIUS packet containing an extended attribute

HWTACACS

HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
HWTACACS basic message exchange process

The following takes a Telnet user as an example to describe how HWTACACS performs user authentication, authorization, and accounting.

Figure 6 HWTACACS basic message exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)
1) The user logs in
2) Start-authentication packet
3) Authentication response requesting the username ...
After receiving the username from the user, the HWTACACS client sends the server a continue-authentication packet that carries the username. The HWTACACS server sends back an authentication response, requesting the login password. Upon receipt of the response, the HWTACACS client asks the user for the login password. The user enters the password.
AAA allows you to manage users based on their access types:
• LAN users—Users on a LAN who must pass 802.1X authentication or MAC address authentication to access the network.
• Login users—Users who want to log in to the router, including SSH users, Telnet users, web users, ...
Figure 8 Network diagram for AAA across MPLS L3VPNs

NOTE: Together with the AAA across MPLS L3VPNs feature, implement portal authentication across MPLS L3VPNs on MCE devices. For more information, see MPLS Configuration Guide.

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, and HWTACACS:
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• ...
... Maximum idle time permitted for the user before termination of the session.
Calling-Station-Id: Identification of the user that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier: Identification that the NAS uses for indicating itself.
NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.

Proprietary RADIUS sub-attributes of HP

Table 5 Proprietary RADIUS sub-attributes of HP
Sub-attribute: Description
Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
Sub-attribute: Description
Ip_Host_Addr: User IP address and MAC address carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.
User_Notify: Information that needs to be sent from the server to the client transparently.
Figure 9 illustrates the configuration procedure.

Figure 9 AAA configuration procedure

Table 6 AAA configuration task list
Task: Remarks
Configuring AAA schemes:
  Configuring local users: Required.
  Configuring RADIUS schemes: Complete at least one task.
  Configuring HWTACACS schemes
Creating an ISP domain: Required.
Configuring AAA schemes

Configuring local users

To implement local user authentication, authorization, and accounting, you must create local users and configure user attributes on the router. The local users and attributes are stored in the local user database on the router. A local user is uniquely identified by a username. Configurable local user attributes are as follows:
Service type: The types of the services that the user can use.
Authorization attributes

Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, PPP callback number, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information, see "Configuring local user attributes." ...
To do…: Place the local user in the state of active or blocked.
Command…: state { active | block }
Remarks: Optional. When created, a local user is in the active state by default, and the user can request network services.
To do…: Configure the authorization attributes for the local user.
Command…: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level ...
Remarks: Optional. By default, no authorization attribute is configured for a local user. Attributes supported:
• PPP users—acl, callback-number, idle-cut, and user-profile.
• LAN and portal users—acl, idle-cut, user-profile, and vlan.
Configuring user group attributes

User groups simplify local user configuration and management. A user group comprises a group of local users and has a set of local user attributes. Configure local user attributes for a user group to implement centralized user attributes management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the router can cooperate with and defines a set of parameters that the router uses to exchange information with the RADIUS servers. There may be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type.
NOTE: A RADIUS scheme can be referenced by multiple ISP domains at the same time.

Specifying the RADIUS authentication/authorization servers

Specify the primary and secondary authentication/authorization servers for a RADIUS scheme so that the NAS can find a server for user authentication/authorization when using the scheme.
To specify RADIUS accounting servers and set relevant parameters for a scheme:

To do…: Enter system view.
Command…: system-view
Remarks: —

To do…: Enter RADIUS scheme view.
Command…: radius scheme radius-scheme-name
Remarks: —

To do…: Specify the primary RADIUS accounting server.
Command…: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key string | vpn-...
Remarks: Required.
• Standard—Uses the standard RADIUS protocol, compliant with RFC 2865 and RFC 2866 or later.
• Extended—Uses the proprietary RADIUS protocol of HP.
When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.
RADIUS server but receives no response after the response timeout timer expires (defined by timer response-timeout), it retransmits the request. If the number of transmission attempts exceeds the specified limit but it still receives no response, it tries to communicate with other RADIUS servers in the active state. If no other servers are in the active state at the time, it considers the authentication or accounting attempt a failure.
• If one server is in the active state and all the others are in the blocked state, the router only tries to communicate with the server in the active state, even if the server is unavailable.
• After receiving an authentication/accounting response from a server, the router changes the status ...
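The server selection logic described above (retransmit to a server until the attempt limit is reached, then move to another server in the active state, fail when none is left, and keep trying a lone active server even when it does not answer) as an added Python simulation. It is not code from the guide or from HP, and two details are assumptions rather than statements of the guide: a server that stops answering while another server is still active is marked blocked, and a blocked server is set back to active once a quiet timer expires (the guide describes such a timer for HWTACACS under "Setting timers"). The server names and the transport stub are constructed for the example.

```python
"""Simulated RADIUS server selection with active/blocked states (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Server:
    name: str
    status: str = "active"            # "active" or "blocked"
    blocked_at: Optional[float] = None  # simulated clock value when it was blocked


class ServerSelector:
    """Chooses which server of a scheme gets a request: active servers in order,
    up to max_attempts transmissions each, failure when no active server answers."""

    def __init__(self, servers: List[Server], max_attempts: int = 3, quiet_time: float = 5.0):
        self.servers = servers
        self.max_attempts = max_attempts
        self.quiet_time = quiet_time            # assumed quiet timer, in seconds
        self.log: List[Tuple[str, int, bool]] = []  # (server, attempt, answered)

    def active_servers(self, now: float) -> List[Server]:
        """Active servers, after restoring those whose quiet timer has expired (assumption)."""
        for s in self.servers:
            if s.status == "blocked" and now - s.blocked_at >= self.quiet_time:
                s.status, s.blocked_at = "active", None
        return [s for s in self.servers if s.status == "active"]

    def send(self, request: str, transport: Callable[[str, str, int], Optional[str]], now: float):
        """Deliver request through transport(server, request, attempt) -> reply or None."""
        for server in self.active_servers(now):
            for attempt in range(1, self.max_attempts + 1):
                reply = transport(server.name, request, attempt)
                self.log.append((server.name, attempt, reply is not None))
                if reply is not None:
                    return server.name, reply
            # No answer after all attempts. Block this server only if another active
            # server remains (assumption); a lone active server stays active so it is
            # still the one tried next time, as the guide states.
            if any(s is not server and s.status == "active" for s in self.servers):
                server.status, server.blocked_at = "blocked", now
        return None  # no active server answered: the attempt is a failure


def make_transport(alive: set) -> Callable[[str, str, int], Optional[str]]:
    """Constructed stand-in for the network: servers in `alive` answer, the rest never do."""
    return lambda server, request, attempt: f"{server} accepted {request}" if server in alive else None


if __name__ == "__main__":
    selector = ServerSelector([Server("primary"), Server("secondary")])
    print(selector.send("auth hello@bbb", make_transport({"secondary"}), now=0.0))
    print(selector.log, [s.status for s in selector.servers])
```

The `log` list is what an operator would look for in a real deployment: three unanswered transmissions to the primary followed by a switch to the secondary is the signature of a primary that is down or unreachable, while repeated attempts to a single server with no failover is the signature of every other server already being blocked.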
To do…: Set the format for usernames sent to the RADIUS servers.
Command…: user-name-format { keep-original | with-domain | without-domain }
Remarks: Optional. By default, the ISP domain name is included in a username.

To do…: Specify the unit for data flows or packets sent to the RADIUS ...
Command…: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte ...
Remarks: Optional.
To specify a source IP address for a specific RADIUS scheme:

To do…: Enter system view.
Command…: system-view
Remarks: —

To do…: Enter RADIUS scheme view.
Command…: radius scheme radius-scheme-name
Remarks: —

To do…: Specify a source IP address for outgoing RADIUS packets.
Command…: nas-ip { ip-address | ipv6 ipv6-address }
Remarks: Required. By default, the IP address of the outbound ...
NOTE: The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby router.

Setting timers for controlling communication with RADIUS servers

The router uses the following types of timers to control the communication with a RADIUS server:
• Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission ...
To do…: ... configure parameters.
Command…: ... [ interval seconds | send send-times ] *
Remarks: Disabled by default. The default interval is 3 seconds, and the default number of send-times is 50.

NOTE: The accounting-on feature requires the cooperation of the HP iMC network management system.
Configuring the IP address of the security policy server

The core of the HP EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
To configure a router to interpret the RADIUS class attribute as CAR parameters:

To do…: Enter system view.
Command…: system-view
Remarks: —

To do…: Enter RADIUS scheme view.
Command…: radius scheme radius-scheme-name
Remarks: —

To do…: Interpret the class attribute as CAR parameters.
Command…: attribute 25 car
Remarks: Required. By default, RADIUS attribute 25 is not interpreted as CAR parameters.
Displaying and maintaining RADIUS

To do…: Display the configuration information of RADIUS schemes (on a centralized router)
Command…: display radius scheme [ radius-scheme-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Display the configuration information ...
Command…: display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin ...
HWTACACS configuration task list

Task: Remarks
Creating an HWTACACS scheme: Required
Specifying the HWTACACS authentication servers: Required
Specifying the HWTACACS authorization servers: Optional
Specifying the HWTACACS accounting servers and the relevant parameters: Optional
Specifying the shared keys for authenticating HWTACACS packets: Required
Specifying the VPN to which the servers belong ...
To do…: Specify the secondary HWTACACS authentication server.
Command…: secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
Remarks: No authentication server is specified by default.

NOTE:
• An HWTACACS server can function as the primary authentication server of one scheme and as the ...
When the router receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. Enable buffering of non-responded stop-accounting requests to allow the router to buffer and resend a stop-accounting request until it receives a response or until the number of stop-accounting attempts reaches the configured limit.
NOTE: A shared key configured on the router must be the same as that configured on the HWTACACS server.

Specifying the VPN to which the servers belong

After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN.
Specifying a source IP address for outgoing HWTACACS packets

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS.
... server, and tries to communicate with another server in the active state. After this timer expires, the router changes the status of the server back to active.
• Real-time accounting timer (realtime-accounting)—Defines the interval at which the router sends real-time accounting updates to the HWTACACS accounting server for online users. To implement real-time accounting, the router must periodically send real-time accounting packets to the accounting server for online users.
To do…: Clear buffered stop-accounting requests that receive no responses (on a centralized router)
Command…: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
Remarks: Available in user view

To do…: Clear buffered stop-accounting requests that receive no responses (on a distributed router)
Command…: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
Remarks: Available in user view
NOTE: To delete the ISP domain that is functioning as the default ISP domain, you must first change it to a non-default ISP domain by using domain default disable.

Configuring ISP domain attributes

To do…: Enter system view.
Command…: system-view
Remarks: —
...
AAA supports the following authentication methods:
• No authentication (none)—All users are trusted, and no authentication is performed. Generally, do not use this method.
• Local authentication (local)—Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication provides high speed and low cost, but the amount of information that can be stored is limited by the hardware.
To do…: Specify the authentication method for portal users.
Command…: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default authentication method is used by default.

To do…: Specify the authentication method for PPP users.
Command…: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ ...
Remarks: Optional. The default authentication ...
AAA supports the following authorization methods:
• No authorization (none)—The router performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the router, and other login users have only the right of Level 0 (visiting).
• Local authorization (local)—The router performs authorization according to the user attributes ...
To do…: Specify the authorization method for portal users.
Command…: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default authorization method is used by default.

To do…: Specify the authorization method for PPP users.
Command…: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | ...
Remarks: Optional. The default authorization ...
Determine the access type or service type to be configured. With AAA, configure an accounting method for each access type and service type, limiting the accounting protocols that can be used for access.
Determine whether to configure an accounting method for all access types or service types.

To configure AAA accounting methods for an ISP domain:
To do… ...
NOTE:
• If you configure accounting optional, the limit on the number of local user connections is not effective.
• The accounting method specified with accounting default is for all types of users and has a priority lower than that for a specific access type.
• If you specify radius-scheme radius-scheme-name hwtacacs-scheme-...
NOTE:
• Configuring or changing the device ID of a router logs off all online users of the router.
• HP recommends that you save the configuration and reboot the router after configuring or changing the device ID.
• The device ID is the symbol for stateful failover mode. Do not configure any device ID for a router ...
To configure a RADIUS user:

To do…: Enter system view.
Command…: system-view
Remarks: —

To do…: Create a RADIUS user and enter RADIUS server user view.
Command…: radius-server user user-name
Remarks: Required. No RADIUS user exists by default.

To do…: Configure a password for the RADIUS user.
Command…: password [ cipher | simple ] password
Remarks: Optional. By default, no password is ...
Displaying and maintaining AAA

To do…: Display the configuration information of ISP domains
Command…: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Display information about user ...
Command…: display connection [ access-type portal | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-...
Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type. Select HP as the access device type. Select the access device from the device list, or manually add the device with the IP address of 10.1.1.2.
Figure 11 Add an access device

# Add a user for device management.
Log in to the iMC management platform, click the User tab, and select Device Management User from the navigation tree to enter the Device Management User page. Then, click Add to enter the Add Device Management User page, and perform the following configurations as shown in Figure 12. Add a user named hello@bbb and specify the password, ...
Figure 12 Add a user for device management

Configure the router.
# Configure the IP address of interface GigabitEthernet 1/0/1, through which the Telnet user accesses the router.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet1/0/1] quit
# Configure the IP address of interface GigabitEthernet 1/0/2, through which the router communicates with the server.
[Router-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for authenticating authentication packets to expert. [Router-radius-rad] key authentication expert # Specify the service type for the RADIUS server, which must be extended when the server runs iMC. [Router-radius-rad] server-type extended # Specify the scheme to include the domain names in usernames to be sent to the RADIUS server.
Configuration procedure Configure the router. # Configure the IP address of interface GigabitEthernet 1/0/1, through which the Telnet user accesses the router. <Router> system-view [Router] interface gigabitethernet 1/0/1 [Router-GigabitEthernet1/0/1] ip address 192.168.1.70 255.255.255.0 [Router-GigabitEthernet1/0/1] quit # Enable the Telnet server on the router. [Router] telnet server enable # Configure the router to use AAA for Telnet users.
Figure 14 Configure AAA for PPP users by an HWTACACS server Configuration procedure Configure the HWTACACS server. # On the HWTACACS server, set the shared keys for authenticating packets exchanged with the router to expert. Add the PPP user and specify the password. (Omitted) Configure the router.
# You can achieve the same result by configuring default AAA methods for all types of users in domain bbb. [Router] domain bbb [Router-isp-bbb] authentication default hwtacacs-scheme hwtac [Router-isp-bbb] authorization default hwtacacs-scheme hwtac [Router-isp-bbb] accounting default hwtacacs-scheme hwtac [Router-isp-bbb] ip pool 1 200.1.1.1 200.1.1.99 [Router-isp-bbb] quit # Configure the serial interface.
Figure 15 Configure RADIUS authentication for level switching users Configuration considerations Configure the router to use AAA, particularly, local authentication for Telnet users. Create ISP domain bbb and configure it to use local authentication for Telnet users. Create a local user account, configure the password, and assign the privilege level for the user to use after login.
# Configure the router to use AAA for Telnet users. [Router] user-interface vty 0 4 [Router-ui-vty0-4] authentication-mode scheme [Router-ui-vty0-4] quit # Use RADIUS authentication for user privilege level switching authentication and, if RADIUS authentication is not available, use local authentication. [Router] super authentication-mode scheme local # Create RADIUS scheme rad.
Table 7 Add usernames and passwords for user privilege level switching authentication
Username: $enab1$. Password: pass1. Switching to level: 1.
Username: $enab2$. Password: pass2. Switching to level: 2.
Username: $enab3$. Password: pass3. Switching to level: 3.
NOTE: A username configured on the RADIUS server is in the format of $enab<level>$, where level specifies the privilege level to which the user wants to switch.
Figure 17 List of the usernames for privilege level switching Verify the configuration. After you complete the configuration, the Telnet user should be able to Telnet to the router and use username test@bbb and password aabbcc to enter the user interface of the router, and access all level 0 commands.
If the RADIUS authentication is not available, the Telnet user needs to enter password 654321 as prompted for local authentication. <Router> super 3 Password: Enter the password for RADIUS privilege level switch authentication Error: Invalid configuration or no response from the authentication server. Info: Change authentication mode to local.
Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select LAN Access Service as the service type. Select HP as the access device type. Select the access device from the device list, or manually add the device whose IP address is 10.1.1.2.
# Add a charging plan. Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging plan configuration page. Then, click Add to enter the Add Charging Plan page, and perform the following configurations as shown in Figure Add a plan named UserAcct.
Figure 21 Add a service # Add a user. Click the User tab, and select All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to enter the Add Access User page, and perform the following configurations as shown in Figure Select the user, or add a user named hello.
Configure the Portal server (iMC PLAT 5.0). # Configure the portal server. Log in to the iMC management platform and click the Service tab. Then, select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure Enter the URL address of the portal authentication main page, in the format of...
Figure 24 Add an IP address group # Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure Enter the device name NAS.
# Associate the portal device with the IP address group. As shown in Figure 26, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. Figure 26 Device list On the port group configuration page, click Add to enter the page for adding a port group, as shown in Figure Enter the port group name.
# Enable portal authentication on the interface connecting the host. [Router] interface gigabitethernet 1/0/1 [Router-GigabitEthernet1/0/1] portal server newpt method direct [Router-GigabitEthernet1/0/1] quit Verify the configuration. The user can initiate portal authentication by using the HP iNode client or by accessing a webpage. All initiated requests are redirected to the portal...
# After the user passes portal authentication, view the portal user information on the router. [Router] display portal user interface gigabitethernet 1/0/1 Index:19 State:ONLINE SubState:NONE ACL:NONE Work-mode:stand-alone Vlan Interface --------------------------------------------------------------------- 0015-e9a6-7cfe 192.168.1.58 GigabitEthernet1/0/1 On interface GigabitEthernet1/0/1:total 1 user(s) matched, 1 listed. # View the connection information on the router.
Symptom 2: RADIUS packets cannot reach the RADIUS server.
Analysis:
• The NAS and the RADIUS server cannot communicate with each other.
• The NAS is not configured with the IP address of the RADIUS server.
• The UDP ports for authentication/authorization and accounting are not correct.
• The port numbers of the RADIUS server for authentication, authorization, and accounting are being used by other applications.
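The analysis above lists configuration causes that are visible in the router's own RADIUS scheme view: a missing server address, a port that does not match what the server listens on, or a shared key that was never set. The following added example (written for this guide, not HP's own tooling) parses a Comware-style CLI transcript of radius scheme views and reports those conditions per scheme. The transcript, the scheme names and the finding codes are constructed for the example; the checks assume the default ports 1812/1813 that the examples in this guide use and the RFC 2865 recommendation of a shared secret of at least 16 octets.

```python
import re
from collections import defaultdict

# Default RADIUS UDP ports (RFC 2865/2866); the examples in this guide configure 1812 and 1813.
DEFAULT_AUTH_PORT = 1812
DEFAULT_ACCT_PORT = 1813

# Matches a prompt in RADIUS scheme view, e.g. "[Router-radius-rad] key authentication expert"
SCHEME_LINE = re.compile(r"^\[[^\]]+?-radius-(?P<scheme>[^\]]+)\]\s+(?P<cmd>.+)$")


def _new_scheme():
    return {"primary authentication": None, "primary accounting": None,
            "key authentication": None, "key accounting": None,
            "server-type": None, "user-name-format": None}


def parse_radius_schemes(config_text):
    """Collect server, port and key settings of every RADIUS scheme seen in a CLI transcript."""
    schemes = defaultdict(_new_scheme)
    for raw in config_text.splitlines():
        m = SCHEME_LINE.match(raw.strip())
        if not m:
            continue  # not a line typed in radius scheme view
        scheme, words = schemes[m.group("scheme")], m.group("cmd").split()
        key = " ".join(words[:2])
        if key in ("primary authentication", "primary accounting") and len(words) >= 3:
            default = DEFAULT_AUTH_PORT if words[1] == "authentication" else DEFAULT_ACCT_PORT
            # an omitted port means the platform default applies
            port = int(words[3]) if len(words) >= 4 and words[3].isdigit() else default
            scheme[key] = (words[2], port)
        elif key in ("key authentication", "key accounting") and len(words) >= 3:
            scheme[key] = words[-1]  # the key string is the last word
        elif words[0] in ("server-type", "user-name-format") and len(words) >= 2:
            scheme[words[0]] = words[1]
    return dict(schemes)


def lint_scheme(settings):
    """Return (code, message) findings that map onto the 'packets cannot reach the server' symptom."""
    findings = []
    for role, default in (("authentication", DEFAULT_AUTH_PORT), ("accounting", DEFAULT_ACCT_PORT)):
        server = settings[f"primary {role}"]
        if server is None:
            findings.append((f"no-{role}-server",
                             f"no primary {role} server: {role} packets have no destination"))
        elif server[1] != default:
            findings.append((f"nonstandard-{role}-port",
                             f"{role} port {server[1]} differs from the default {default}; confirm the "
                             f"server listens there and that no other application holds the port"))
        key = settings[f"key {role}"]
        if key is None:
            findings.append((f"no-{role}-key",
                             f"no shared key for {role}: the server cannot authenticate the NAS's packets"))
        elif len(key) < 16:
            findings.append((f"short-{role}-key",
                             f"{role} shared key is {len(key)} characters; RFC 2865 recommends at least 16 octets"))
    return findings


def lint_config(config_text):
    """Map scheme name -> findings for every RADIUS scheme in the transcript."""
    return {name: lint_scheme(s) for name, s in parse_radius_schemes(config_text).items()}


# Constructed sample transcript: scheme "rad" lacks accounting settings, scheme "2000" uses a
# non-default authentication port and has no accounting key.
SAMPLE_TRANSCRIPT = """\
<Router> system-view
[Router] radius scheme rad
[Router-radius-rad] primary authentication 10.1.1.1 1812
[Router-radius-rad] key authentication expert
[Router-radius-rad] server-type extended
[Router-radius-rad] user-name-format with-domain
[Router-radius-rad] quit
[Router] radius scheme 2000
[Router-radius-2000] primary authentication 10.1.1.1 1645
[Router-radius-2000] primary accounting 10.1.1.2 1813
[Router-radius-2000] key authentication abc
[Router-radius-2000] user-name-format without-domain
[Router-radius-2000] quit
"""

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_TRANSCRIPT).items():
        print(f"scheme {name}:")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

Feed the tool the output of `display current-configuration` or a saved session log; a scheme with an empty finding list has every server, port and key present, which rules out the configuration-side causes in the analysis before you start looking at the network path or the server itself.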
802.1X fundamentals This chapter describes the fundamentals of 802.1X. 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of WLANs. It has been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
• Unidirectional traffic control to deny traffic from a client.
NOTE: The HP devices support only unidirectional traffic control.
EAP over LAN
EAPOL packet format
EAPOL, defined in 802.1X, is intended to carry EAP protocol packets between clients and devices over LANs.
Table 8 Types of EAPOL packets
Value: 0x00. Type: EAP-Packet. Description: Packet for carrying authentication information. A packet of this type is repackaged and transferred by RADIUS on the device to get through complex networks to reach the authentication server.
Value: 0x01. Type: EAPOL-Start. Description: Packet for initiating authentication, present between a...
00-00-03 or the broadcast MAC address. If any intermediate device between the client and the server does not support this multicast address, you must use an 802.1X client (the HP iNode 802.1X client, for example) that can send broadcast EAPOL-Start packets.
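To make the EAPOL packet format and the Table 8 types concrete, here is an added example parser (written for this guide, not HP code) that decodes an Ethernet frame carrying EAPOL, distinguishes EAPOL-Start from EAP-Packet, and for an EAP-Packet pulls out the EAP code, identifier, type and, for a Response/Identity, the username. The sample frames, the client MAC and the identity string are constructed; the PAE group address 01-80-C2-00-00-03 and the 0x02/0x03 EAPOL-Logoff/EAPOL-Key values come from IEEE 802.1X rather than from this page. The parser checks the length fields before indexing so that a frame whose EAPOL length claims more than the frame holds is rejected rather than over-read.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
# 802.1X PAE group address: the multicast destination of EAPOL-Start discussed above
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")
# EAPOL packet types: 0x00 and 0x01 as in Table 8; 0x02/0x03 are the IEEE 802.1X Logoff/Key values
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff", 0x03: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


@dataclass
class EapolSummary:
    dst: bytes
    src: bytes
    version: int
    eapol_type: str
    eap_code: Optional[str] = None
    eap_identifier: Optional[int] = None
    eap_type: Optional[int] = None
    identity: Optional[str] = None


def parse_eapol(frame: bytes) -> EapolSummary:
    """Parse an Ethernet frame carrying EAPOL; raise ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not EAPOL")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type 0x{eapol_type:02x}")
    body = frame[18:18 + body_len]
    if len(body) != body_len:  # the length field must not claim more than the frame holds
        raise ValueError("EAPOL length exceeds frame")
    summary = EapolSummary(dst, src, version, EAPOL_TYPES[eapol_type])
    if eapol_type != 0x00:
        return summary  # Start/Logoff/Key carry no EAP packet to decode here
    if body_len < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length inconsistent with EAPOL body")
    summary.eap_code = EAP_CODES.get(code, f"code {code}")
    summary.eap_identifier = identifier
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type octet
        summary.eap_type = body[4]
        if summary.eap_type == EAP_TYPE_IDENTITY:
            summary.identity = body[5:eap_len].decode("utf-8", errors="replace")
    return summary


def build_eapol(dst, src, eapol_type, body=b"", version=1):
    """Assemble an Ethernet + EAPOL frame (used here only to construct sample input)."""
    header = struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", version, eapol_type, len(body))
    return dst + src + header + body


def build_eap_identity_response(identifier, identity):
    """EAP Response/Identity: code 2, identifier, length, type 1, identity octets."""
    payload = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(payload)) + payload


# Constructed sample frames (the client MAC and identity are invented for the example)
CLIENT_MAC = bytes.fromhex("0015e9a67cfe")
SAMPLE_START = build_eapol(PAE_GROUP_ADDRESS, CLIENT_MAC, 0x01)
SAMPLE_IDENTITY = build_eapol(PAE_GROUP_ADDRESS, CLIENT_MAC, 0x00,
                              build_eap_identity_response(1, "test@aabbcc.net"))
# Same frame with its tail cut off: the EAPOL length now overstates the body, so parsing must fail
SAMPLE_TRUNCATED = SAMPLE_IDENTITY[:-4]

if __name__ == "__main__":
    for name, frame in (("start", SAMPLE_START), ("identity", SAMPLE_IDENTITY)):
        print(name, parse_eapol(frame))
```

The identity decoded from the EAP-Response/Identity is the username that the device forwards to the RADIUS server in the relay procedure described later, so a capture on the access port is enough to confirm which account a client is presenting.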
Authentication procedure The 802.1X authentication procedure varies with the way the network access device handles EAP messages. EAP relay EAP relay is defined in IEEE 802.1X. In this mode, EAP packets are carried in an upper layer protocol such as RADIUS so that they can go through complex networks to reach the authentication server. EAP relay requires that the RADIUS server support the EAP-Message and Message-Authenticator attributes.
When the client receives the EAP-Request/Identity packet, it encapsulates the username in an EAP-Response/Identity packet and sends the packet to the device. Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS Access-Request packet to the authentication server. When it receives the RADIUS Access-Request packet, the RADIUS server compares the identity information against its user information database to obtain the corresponding password information.
EAP termination In EAP termination mode, EAP packets are terminated at the device and then repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS server for authentication, authorization, and accounting. Figure 35 shows the message exchange procedure with CHAP authentication. Figure 35 Message exchange in EAP termination mode Client Device...
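The two modes differ in what the device puts into the RADIUS Access-Request: EAP relay carries the client's EAP packet in EAP-Message attributes protected by a Message-Authenticator, whereas EAP termination (and the `super` level-switching exchange shown earlier with the $enab<level>$ accounts) sends a PAP User-Password hidden with the shared key. The following added example (written for this guide, not HP's implementation) builds both forms of Access-Request and shows the server-side checks that depend on the shared key: recovering the PAP password and validating the HMAC-MD5 Message-Authenticator. The shared key "expert", NAS address 10.1.1.2 and the $enab3$/pass3 account reuse values from this guide's examples; the fixed Request Authenticator, identifiers and identity string are constructed.

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type-Length-Value (length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret || previous block)."""
    if len(password) > 128:
        raise ValueError("password exceeds 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def decrypt_user_password(ciphertext, secret, request_auth):
    """Inverse of encrypt_user_password, as the server applies it; yields garbage if the key differs."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(c ^ b for c, b in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(secret, username, identifier, nas_ip, password=None, eap_message=None,
                         request_auth=None):
    """PAP (termination) form carries User-Password; EAP relay form carries EAP-Message plus
    Message-Authenticator, the HMAC-MD5 (RFC 3579) the server uses to authenticate the NAS."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if password is not None:
        attrs += attribute(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
    if eap_message is not None:
        for i in range(0, len(eap_message), 253):  # long EAP packets span several attributes
            attrs += attribute(ATTR_EAP_MESSAGE, eap_message[i:i + 253])
        attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zero placeholder, filled below
    packet = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs
    if eap_message is not None:
        # HMAC over the whole packet with the placeholder zeroed; it is the last 16 bytes here
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def parse_attributes(packet):
    """Return [(type, value), ...], stopping at the first malformed attribute."""
    attrs, offset = [], HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            break
        attrs.append((attr_type, packet[offset + 2:offset + length]))
        offset += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the attribute zeroed; False if absent or wrong."""
    offset = HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)
        offset += length
    return False


def eap_identity_response(identifier, identity):
    """EAP Response/Identity (code 2, type 1) as relayed from the client's EAPOL frame."""
    payload = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(payload)) + payload


# Constructed samples; the Request Authenticator is fixed only to keep the PAP demo repeatable.
SECRET = b"expert"
FIXED_REQUEST_AUTH = bytes(range(16))
LEVEL_SWITCH_REQUEST = build_access_request(SECRET, "$enab3$", 7, "10.1.1.2", password="pass3",
                                            request_auth=FIXED_REQUEST_AUTH)
EAP_RELAY_REQUEST = build_access_request(SECRET, "test@aabbcc.net", 8, "10.1.1.2",
                                         eap_message=eap_identity_response(1, "test@aabbcc.net"))

if __name__ == "__main__":
    attrs = dict(parse_attributes(LEVEL_SWITCH_REQUEST))
    print("User-Name:", attrs[ATTR_USER_NAME], "password recovered by server:",
          decrypt_user_password(attrs[ATTR_USER_PASSWORD], SECRET, FIXED_REQUEST_AUTH))
    print("relay request valid with correct key:", verify_message_authenticator(EAP_RELAY_REQUEST, SECRET))
    print("relay request valid with wrong key:", verify_message_authenticator(EAP_RELAY_REQUEST, b"wrong"))
```

Two things the code makes visible that the prose does not: a mismatched `key authentication` on the router and server does not produce a parse error but a different password (PAP) or a failed HMAC (relay), which is why the server "does not respond" rather than rejecting; and Message-Authenticator is mandatory for EAP relay, which is the reason the text requires the RADIUS server to support the EAP-Message and Message-Authenticator attributes.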
Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. Also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port.
VLAN and can access authorized network resources. Guest VLAN is supported only on a port that performs port-based access control for the HP A6600 Router. The following describes the way that the network access device handles VLANs on the port that performs port-based access control.
The Auth-Fail VLAN does not accommodate 802.1X users who have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode. On a port that performs port-based access control: Authentication status VLAN manipulation A user fails 802.1X...
Configuring 802.1X
Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device, and set the service ...
Enabling 802.1X
To do: Enter system view. Command: system-view. Remarks: —
To do: Enable 802.1X globally. Command: dot1x. Remarks: Required. Disabled by default.
To do: Enable 802.1X on a port, in system view. Command: dot1x interface interface-list. Remarks: Required. Use either approach. Disabled by default.
To do: Enable 802.1X on a port, in Ethernet interface view. Command: interface interface-type interface-number, then dot1x. Remarks: Required. Use either approach. Disabled by default.
Setting the port authorization state
The port authorization state determines whether the client is granted access to the network. Control the authorization state of a port by using dot1x port-control and the following keywords:
• authorized-force—Places the port in the authorized state, enabling users on the port to access the ...
Setting the maximum number of concurrent 802.1X users on a port Set the maximum number of concurrent 802.1X users for one port in interface view or for multiple ports in system view. If different settings are configured for a port in interface view and system view, the setting configured later takes effect.
• Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
If not, the device tears down the connections with such online users for not receiving handshake responses.
• HP recommends that you use the iNode client software and iMC server to ensure normal operation of ...
To configure the unicast trigger function:
To do: Enter system view. Command: system-view. Remarks: —
To do: Enter Ethernet interface view. Command: interface interface-type interface-number. Remarks: —
To do: Enable the unicast trigger function. Command: dot1x unicast-trigger. Remarks: Required. Disabled by default.
Specifying a mandatory authentication domain on a port
Place all 802.1X users in a mandatory authentication domain for authentication, authorization, and accounting on a port.
Enabling the periodic online user re-authentication function Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. Use dot1x timer reauth-period to configure the interval for re-authentication. To enable the periodic online user re-authentication function: To do…...
Configuration procedure
To do: Enter system view. Command: system-view. Remarks: —
To do: Configure an 802.1X guest VLAN for one or ... ports, in system view. Command: dot1x guest-vlan guest-vlan-id [ interface interface-list ]. Remarks: Required. Use either approach. By default, no 802.1X guest VLAN is configured on any port.
To do: Configure an 802.1X guest VLAN for one or ... ports, in Ethernet interface view. Command: interface interface-type interface-number ...
Displaying and maintaining 802.1X
To do: Display 802.1X session information, statistics, or configuration information of specified or all ports. Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: ... Command: reset dot1x statistics [ interface...
Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Configuration omitted) Configure the RADIUS servers, and add user accounts for the 802.1X users. (Configuration omitted) Assign an IP address for each interface on the access device. (Omitted) Configure user accounts for the 802.1X users on the access device.
Configure the ISP domain. # Create the ISP domain aabbcc.net and enter its view. [Router] domain aabbcc.net # Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method. [Router-isp-aabbcc.net] authentication lan-access radius-scheme radius1 local [Router-isp-aabbcc.net] authorization lan-access radius-scheme radius1 local [Router-isp-aabbcc.net] accounting lan-access radius-scheme radius1 local # Set the maximum number of concurrent users in the domain to 30.
• GigabitEthernet 1/0/2 implements port-based access control.
• GigabitEthernet 1/0/3 is in VLAN 5 and is for accessing the Internet.
• The authentication server runs RADIUS and is in VLAN 2.
• The update server in VLAN 10 is for client software download and upgrade.
• ...
[Router-vlan1] port gigabitethernet 1/0/2 [Router-vlan1] quit [Router] vlan 10 [Router-vlan10] port gigabitethernet 1/0/1 [Router-vlan10] quit [Router] vlan 2 [Router-vlan2] port gigabitethernet 1/0/4 [Router-vlan2] quit [Router] vlan 5 [Router-vlan5] port gigabitethernet 1/0/3 [Router-vlan5] quit Configure a RADIUS scheme. # Configure RADIUS scheme 2000 and enter its view. <Router>...
# Create VLAN 10. [Router] vlan 10 [Router-vlan10] quit # Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2. [Router] dot1x guest-vlan 10 interface gigabitethernet 1/0/2 Verifying the configuration Use display dot1x interface gigabitethernet 1/0/2 to verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2.
# Assign IP addresses to interfaces. (Omitted) # Configure the RADIUS scheme. <Router> system-view [Router] radius scheme 2000 [Router-radius-2000] primary authentication 10.1.1.1 1812 [Router-radius-2000] primary accounting 10.1.1.2 1813 [Router-radius-2000] key authentication abc [Router-radius-2000] key accounting abc [Router-radius-2000] user-name-format without-domain [Router-radius-2000] quit # Create an ISP domain, and specify the RADIUS scheme 2000 as the default AAA scheme for the domain.
This feature is available on a SAP interface card in bridging mode. EAD is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defense capability of a network.
To configure a free IP:
To do: Enter system view. Command: system-view. Remarks: —
To do: Configure a free IP. Command: dot1x free-ip ip-address { mask-address | mask-length }. Remarks: Required. By default, no free IP is configured.
Configuring the redirect URL
To do… Command…...
Deploy the EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network. To allow all intranet users to install and update the 802.1X client program from a web server, configure the following:
• Allow unauthenticated users to access the segment of 192.168.2.0/24 and to obtain IP address ...
[Router] interface vlan-interface 2 [Router-Vlan-interface2] dhcp select relay # Correlate VLAN interface 2 to the DHCP server group. [Router-Vlan-interface2] dhcp relay server-select 1 [Router-Vlan-interface2] quit Configure a RADIUS scheme and an ISP domain. For more information about the configuration procedure, see "Configuring 802.1X."...
Troubleshooting EAD fast deployment
Users cannot be correctly redirected
Symptom: When a user enters an external website address in the web browser, the user is not redirected to the specified redirect URL.
Analysis:
• The address is in the string format. The operating system of the host considers the string to be a ...
Configuring MAC authentication MAC authentication is available only on a SAP interface card in bridging mode. MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user as idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
Configuration task list
Task: Basic configuration for MAC authentication: Configuring MAC authentication globally. Remarks: Required.
Task: Basic configuration for MAC authentication: Configuring MAC authentication on a port. Remarks: Required.
Task: Specifying MAC authentication user ... Remarks: Optional.
Basic configuration for MAC authentication
Configuration prerequisites
• Create and configure an authentication domain, also called an "ISP domain."
• ...
Configuring MAC authentication on a port
To do: Enter system view. Command: system-view. Remarks: —
To do: Enable MAC authentication on a port, in system view. Command: mac-authentication interface interface-list. Remarks: Required. Disabled by default. Enable MAC authentication for ports in bulk in system view or an individual port in interface view.
To do: Enable MAC authentication on a port, in interface view. Command: interface interface-type interface-number, then mac-authentication...
Displaying and maintaining MAC authentication
To do: Display MAC authentication information. Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Clear MAC authentication statistics. Command: reset mac-authentication statistics [ interface interface-list ]... Remarks: Available in user view.
# Enable MAC authentication globally. [Router] mac-authentication # Enable MAC authentication on port GigabitEthernet 1/0/1. [Router] mac-authentication interface gigabitethernet 1/0/1 # Specify the ISP domain for MAC authentication. [Router] mac-authentication domain aabbcc.net # Set the MAC authentication timers. [Router] mac-authentication timer offline-detect 180 [Router] mac-authentication timer quiet 180 # Configure MAC authentication to use MAC-based accounts.
RADIUS-based MAC authentication configuration example Network requirements As shown in Figure 41, a host connects to port GigabitEthernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure of the following: The device detects whether a user has gone offline every 180 seconds.
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting. [Router] domain 2000 [Router-isp-2000] authentication default radius-scheme 2000 [Router-isp-2000] authorization default radius-scheme 2000 [Router-isp-2000] accounting default radius-scheme 2000 [Router-isp-2000] quit # Enable MAC authentication globally. [Router] mac-authentication # Enable MAC authentication on port GigabitEthernet 1/0/1.
# After a user passes MAC authentication, use display connection to display online user information. <Router> display connection Index=29 ,Username=aaa@2000 MAC=00e0-fc12-3456 IP=N/A IPv6=N/A Total 1 connection(s) matched. ACL assignment configuration example Network requirements As shown in Figure 42, a host connects to port GigabitEthernet 1/0/1 on an access device and the device uses RADIUS servers to perform authentication, authorization, and accounting.
Configure RADIUS-based MAC authentication on the device # Configure a RADIUS scheme. [Sysname] radius scheme 2000 [Sysname-radius-2000] primary authentication 10.1.1.1 1812 [Sysname-radius-2000] primary accounting 10.1.1.2 1813 [Sysname-radius-2000] key authentication abc [Sysname-radius-2000] key accounting abc [Sysname-radius-2000] user-name-format without-domain [Sysname-radius-2000] quit # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting. [Sysname] domain 2000 [Sysname-isp-2000] authentication default radius-scheme 2000 [Sysname-isp-2000] authorization default radius-scheme 2000...
Ping the FTP server from the host to verify that the ACL 3000 has been assigned to port GigabitEthernet 1/0/1 to deny access to the FTP server. C:\>ping 10.0.0.1 Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out.
Configuring portal On VLAN interfaces, portal does not support accounting. Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a "portal website." With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.
Figure 43 Portal system components Authentication client The authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. The security check for a client is implemented through the communications between the client and the security policy server.
Internet resources.
NOTE:
• Portal authentication supports NAT traversal whether it is initiated by a web client or an HP iNode.
• When the portal authentication client is on a private network but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
Message attributes but only transports them between the portal server and the RADIUS server. Therefore, no additional configuration is needed on the access device.
NOTE:
• To use portal authentication that supports EAP, the portal server and client must be the HP iMC portal server and the HP iNode portal client.
Layer 2 portal authentication process The router does not support Layer 2 portal authentication and local portal server. Figure 45 illustrates the process of local Layer 2 portal authentication. Figure 45 Local Layer 2 portal authentication process Local Layer 2 portal authentication works as follows: The portal authentication client sends an HTTP or HTTPS request.
traffic from a user in the Auth-Fail VLAN during a specified period of time (90 seconds by default), it removes the user from the Auth-Fail VLAN and adds the user to the initial VLAN of the port. NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to ensure that the client can communicate with the hosts in the VLAN.
The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message. The access device and the RADIUS server exchange RADIUS packets to authenticate the user. The access device sends an authentication reply to the portal server.
The portal server notifies the authentication client of logon success. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes these additional steps: The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
After receiving the certificate request, the portal server sends an EAP authentication reply to the authentication client, carrying the EAP-Message attribute values. The authentication client sends another EAP request to continue the EAP authentication with the RADIUS server, during which there may be several portal authentication requests. The subsequent authentication processes are the same as those initiated by the first EAP request, except that the EAP request types vary with the EAP authentication phases.
Figure 49 Network diagram for portal stateful failover configuration (figure: a server on the Internet side; Router A and Router B joined by the stateful failover interface and failover link; Gateway A and Gateway B with portal enabled; Switch A and Switch B; intranet hosts Host A and Host B)
In a typical portal stateful failover networking environment, as shown in Figure 49, users access the network after passing portal authentication.
state. It only receives and processes the synchronization messages and does not process packets from the server. Portal authentication across VPNs In a scenario where the branches belong to different VPNs that are isolated from each other and all portal users in the branches must be authenticated by the server at the headquarters, deploy portal authentication across MPLS VPNs.
Configuration task list
Task: Specifying a portal server for Layer 3 portal authentication. Remarks: Required.
Task: Enabling Layer 3 portal authentication. Remarks: Required.
Task: Controlling access of portal users: Configuring a portal-free rule. Remarks: Optional.
Task: Controlling access of portal users: Configuring an authentication source subnet. Remarks: Optional.
Task: Controlling access of portal users: Setting the maximum number of online portal users. Remarks: Optional.
...
NOTE:
• For installation and configuration about the security policy server, see iMC EAD Security Policy Help.
• The ACL for resources in the quarantined area and that for restricted resources correspond to isolation ACL and security ACL on the security policy server, respectively. Modify the authorized ACLs on the access device.
Enabling Layer 3 portal authentication
Before enabling Layer 3 portal authentication on an interface, make sure of the following:
• An IP address is configured for the interface.
• The interface is not added to any port aggregation group.
• The portal server to be referenced on the interface exists.
• ...
To configure a portal-free rule:
To do: Enter system view. Command: system-view. Remarks: —
To do: Configure a portal-free rule. Command: portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | netmask } | any } } | source { any | [ ...
Setting the maximum number of online portal users Use this feature to control the total number of online portal users in the system. To set the maximum number of online portal users allowed in the system: To do… Command… Remarks Enter system view.
Configuring RADIUS related attributes Specifying NAS-Port-Type for an interface NAS-Port-Type is a standard RADIUS attribute for indicating a user access port type. With this attribute specified on an interface, when a portal user logs on from the interface, the router uses the specified NAS-Port-Type value as that in the RADIUS request to be sent to the RADIUS server.
Only Layer 3 portal authentication supports this feature. Only the HP A6602 routers support this feature. To implement stateful failover for portal, configure VRRP or dynamic routing (such as OSPF) for traffic switchover, and perform the following configurations for service backup on each of the two devices that...
• Specify an interface for backing up portal services, which is called a "portal service backup interface" in this document, and enable portal on the portal service backup interface. The portal service backup interface is different from the stateful failover interface. Stateful failover interfaces only forward state negotiation messages and backup data.
To do: ... address for outgoing RADIUS packets. Command: radius scheme radius-scheme-name, then nas-backup-ip ip-address. Remarks: Use either approach. By default, no backup source IP address is specified. You do not need to specify the backup source IP address if the router uses the virtual IP address of the uplink's VRRP group as the source IP address of the outgoing...
Configuring portal detection functions Configuring online Layer 3 portal user detection Only Layer 3 portal authentication supports this feature. Only the A6602 routers support this feature. With online portal user detection enabled on an interface, the router periodically sends probe packets (ARP requests) to the portal users of the interface to check whether the portal users are still online, to discover portal users who get offline without logging off.
With the portal server detection function, the router (access device) can detect the status of a specific portal server. The specific configurations include the following: Detection methods (choose either or both): Probing HTTP connections—The access device periodically sends TCP connection requests to the HTTP service port of the portal servers configured on its interfaces.
To do: Display portal server statistics on a specified interface or all interfaces. Command: display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display TCP spoofing statistics... Command: display portal tcp-cheat statistics [ ...
Configure IP addresses for the host, router, and servers as shown in Figure 51 and make sure that they can reach each other. Perform configurations on the RADIUS server to ensure that the user authentication and accounting functions can work normally. The following example describes how to configure the portal server on the iMC.
Figure 53 Add an IP address group # Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure Enter the device name NAS.
# Associate the portal device with the IP address group. As shown in Figure 55, in the device list on the portal device configuration page, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. Figure 55 Device list On the port group configuration page, click Add to enter the page for adding a port group, as shown in Figure...
# Set the server type for the RADIUS scheme. When using the iMC server, you must set the server type to extended. [Router-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
The user can initiate portal authentication by using the HP iNode client or by accessing a webpage. All initiated requests are redirected to the portal authentication page http://192.168.0.111:8080/portal. Before passing portal authentication, the user can access only the authentication page. After passing portal authentication, the user can access Internet resources.
For re-DHCP authentication, the router must be configured as a DHCP relay agent (instead of a DHCP server), and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address). For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide.
[Router] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal
# Configure the router as a DHCP relay agent, and enable the IP address check function.
[Router] dhcp enable
[Router] dhcp relay server-group 0 ip 192.168.0.112
[Router] interface gigabitethernet 1/0/2
[Router-Gigabitethernet1/0/2] ip address 20.20.20.1 255.255.255.0
[Router-Gigabitethernet1/0/2] ip address 10.0.0.1 255.255.255.0 sub
[Router-Gigabitethernet1/0/2] dhcp select relay
[Router-Gigabitethernet1/0/2] dhcp relay server-select 0...
Configuration procedure
Configure Router A:
Configure a RADIUS scheme.
# Create a RADIUS scheme named rs1 and enter its view.
<RouterA> system-view
[RouterA] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the iMC server, you must set the server type to extended.
# Enable Layer 3 portal authentication on the interface connecting Router B.
[RouterA] interface gigabitethernet 1/0/2
[RouterA-Gigabitethernet1/0/2] portal server newpt method layer3
[RouterA-Gigabitethernet1/0/2] quit
On Router B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. The configuration steps are omitted.
[Router-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.112
[Router-radius-rs1] primary accounting 192.168.0.112
[Router-radius-rs1] key accounting radius
[Router-radius-rs1] key authentication radius
[Router-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
Configure extended portal authentication.
# Configure the portal server as needed:
[Router] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal
# Enable extended portal authentication on the interface connecting the host.
[Router] interface gigabitethernet 1/0/2
[Router-Gigabitethernet1/0/2] portal server newpt method direct
[Router-Gigabitethernet1/0/2] quit
Configuring re-DHCP portal authentication with extended functions...
Make sure that the IP address of the portal device added on the portal server is the private IP address of the interface connecting users (10.0.0.1, in this example) and that the IP address group associated with the portal device is the private network segment where the users reside (10.0.0.0/24, in this example). Configure IP addresses for the router and servers as shown in Figure 60 and make sure that the host,...
[Router] acl number 3000
[Router-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Router-acl-adv-3000] rule deny ip
[Router-acl-adv-3000] quit
[Router] acl number 3001
[Router-acl-adv-3001] rule permit ip
[Router-acl-adv-3001] quit
Configure extended portal authentication.
# Configure the portal server as needed:
[Router] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
# Configure the router as a DHCP relay agent, and enable the IP address check function.
Figure 61 Configure cross-subnet portal authentication with extended functions
Addresses shown in the figure:
Router A: GE1/0/1 192.168.0.100/24, GE1/0/2 20.20.20.1/24
Router B: GE1/0/1 20.20.20.2/24, GE1/0/2 8.8.8.1/24
Host: 8.8.8.2/24
Portal server: 192.168.0.111/24
RADIUS server: 192.168.0.112/24
Security policy server: 192.168.0.113/24
Make sure that the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1, in this example) and that the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24, in this example).
Configure an authentication domain.
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
[RouterA-isp-dm1] authentication portal radius-scheme rs1
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users.
• When Router A works normally, Host accesses Router A for portal authentication before accessing the Internet.
• When Router A fails, Host accesses the Internet through Router B.
• The VRRP uplink/downlink detection mechanism is used to ensure non-stop traffic forwarding.
• Use the RADIUS server as the authentication/accounting server.
Log on to the iMC management platform and click the Service tab. Then, select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure. Configure the portal server parameters as needed. This example uses the default values.
•...
Figure 64 Add an IP address group
# Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure. Enter the device name NAS.
Figure 66 Device list
On the port group configuration page, click Add to enter the page for adding a port group, as shown in Figure 67. Perform the following configurations:
Enter the port group name.
Select the configured IP address group. The IP address used by a user to access the network must be within this IP address group.
[RouterA-Gigabitethernet0/1] quit
# Create VRRP group 2, and configure the virtual IP address of the VRRP group 2 as 192.168.0.1.
[RouterA] interface gigabitethernet 0/2
[RouterA-Gigabitethernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of Gigabitethernet 0/2 in VRRP group 2 to 200.
[RouterA-Gigabitethernet0/2] vrrp vrid 2 priority 200
# On Gigabitethernet 0/2, configure the interface to be tracked as Gigabitethernet 0/1, and reduce the priority of Gigabitethernet 0/2 in VRRP group 2 by 150 when the interface state of Gigabitethernet 0/1...
• Configure a RADIUS scheme.
# Create RADIUS scheme rs1 and enter its view.
[RouterA] radius scheme rs1
# Configure the server type for the RADIUS scheme. When using the iMC server, you must configure the RADIUS server type as extended.
[RouterA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[RouterA] nas device-id 1
# Specify the source IP address for outgoing RADIUS packets as 192.168.0.1, the virtual IP address of VRRP group 2.
[RouterA] radius nas-ip 192.168.0.1
NOTE: Make sure that you have added the access device with IP address 192.168.0.1 on the RADIUS server.
Configure the stateful failover function.
• Configure an authentication domain.
# Create ISP domain dm1 and enter its view.
[RouterB] domain dm1
# Configure AAA methods for the ISP domain.
[RouterB-isp-dm1] authentication portal radius-scheme rs1
[RouterB-isp-dm1] authorization portal radius-scheme rs1
[RouterB-isp-dm1] accounting portal radius-scheme rs1
[RouterB-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users.
Verification
# After user Host logs in through Router A, display the user authentication information by using display portal user on Router A and Router B.
[RouterA] display portal user all
 Index:3
 State:ONLINE
 SubState:NONE
 ACL:NONE
 Work-mode: primary
 VPN instance:NONE
 Vlan  Interface
---------------------------------------------------------------------
 000d-88f8-0eac...
Figure 68 Network diagram for configuring portal server detection and portal user synchronization
Configuration considerations
Configure the portal server, and enable the portal server heartbeat function and the portal user heartbeat function. Configure the RADIUS server to implement authentication and accounting. Configure direct portal authentication on interface Gigabitethernet 1/0/2, which is directly connected with the host.
Figure 69 Portal server configuration
# Configure an IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page for adding an IP address group, as shown in Figure. Enter the IP group name.
# Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure. Enter the device name NAS.
Figure 73 Add a port group
# Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to make the above configurations take effect.
Configure the router.
• Configure a RADIUS scheme.
# Create RADIUS scheme rs1 and enter its view.
<Router>...
[Router] portal server newpt user-sync interval 600 retry 2 NOTE: The product of interval and retry must be greater than or equal to the portal user heartbeat interval. HP recommends that you configure the interval to be greater than the portal user heartbeat interval...
Verification
After the above configurations, perform the following command to view information about the portal server.
<Router> display portal server newpt
 Portal server:
  1)newpt:
      : 192.168.0.111
      : portal
      Port : 50100
      : http://192.168.0.111:8080/portal
      Status : Up
Cross-subnet portal authentication across VPNs
Network requirements
As shown in Figure...
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[RouterA-radius-rs1] primary authentication 192.168.0.111
[RouterA-radius-rs1] primary accounting 192.168.0.111
[RouterA-radius-rs1] key accounting radius
[RouterA-radius-rs1] key authentication radius
# Configure the router to not carry the ISP domain name in the username sent to the RADIUS server.
[RouterA-radius-rs1] user-name-format without-domain
# Specify the source IP address for outgoing RADIUS packets as 3.3.0.3.
# Enable Layer 3 portal authentication on the interface connecting the user side.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-Gigabitethernet1/0/1] portal server newpt method layer3
[RouterA-Gigabitethernet1/0/1] quit
Verification
Execute display portal server to check whether the portal configuration has taken effect. After Host passes portal authentication, perform display portal user to view information about online portal users on Router A.
Incorrect server port number on the access device Symptom After a user passes the portal authentication, you cannot force the user to log off by executing portal delete-user on the access device. The user can, however, log off by using disconnect attribute on the authentication client.
MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
Port security modes
Port security supports the following categories of security modes:
• MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
• Authentication—Security modes of this category use MAC authentication, 802.1X authentication,...
Control MAC address learning
autoLearn
A port in this mode can learn MAC addresses and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using port-security mac-address security. A secure MAC address never ages out by default.
Perform a combination of MAC authentication and 802.1X authentication
macAddressOrUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
macAddressOrUserLoginSecureExt
This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
Configuration task list
Task: Remarks
Enabling port security: Required
Setting the maximum number of secure MAC addresses: Optional
Setting the port security mode: Required
Configuring port security features (Configuring NTK, Configuring intrusion protection, Enabling port security traps): Optional. Configure one or more features as required.
Configuring secure MAC addresses: Optional...
Setting the maximum number of secure MAC addresses The maximum number of users a port supports in a port security mode is determined by the maximum number of secure MAC addresses or the maximum number of authenticated users that the security mode supports, whichever is smaller.
Configuration procedure
To do…: Enter system view. Command…: system-view. Remarks: —
To do…: Set an OUI value for user authentication. Command…: port-security oui oui-value index index-value. Remarks: Optional. Not configured by default. The command is required for the userlogin-withoui mode.
• The autoLearn mode applies only to Layer 2 Ethernet ports.
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
• ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.
• ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
To configure the NTK feature:
To do…...
NOTE:
• This feature is available only on a SAP interface card in bridging mode.
• On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.
Enabling port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
Configuration procedure
To do…: Enter system view. Command…: system-view. Remarks: —
To do…: Configure a secure MAC address. Remarks: Required. Use either approach. No secure MAC address by default.
  In system view: port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id
  In interface view: interface interface-type interface-number ...
Displaying and maintaining port security
To do…: Display port security configuration information, operation information, and statistics about one or more ports or all ports
Command…: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
Command…: display port-security mac-address security [ interface interface-type...
# Enable intrusion protection traps.
[Router] port-security trap intrusion
[Router] interface gigabitethernet 1/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Router-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Router-GigabitEthernet1/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
After the number of MAC addresses learned by the port reaches 64, issuing display port-security interface shows that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered, and you see the following traps:
#Jul 14 10:39:47:135 2009 Router PORTSEC/4/VIOLATION:Trap1.3.6.1.4.1.25506.2.26.1.3.2 An intrusion occurs!
IfIndex: 9437185...
Figure 76 Network diagram for configuring the userLoginWithOUI mode
The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see "Configuring AAA." Configurations on the host and RADIUS servers are omitted.
Configuration procedure
Configure the RADIUS protocol.
# Configure a RADIUS scheme named radsun.
Configure port security.
# Enable port security.
[Router] port-security enable
# Add five OUI values.
[Router] port-security oui 1234-0100-1111 index 1
[Router] port-security oui 1234-0200-1111 index 2
[Router] port-security oui 1234-0300-1111 index 3
[Router] port-security oui 1234-0400-1111 index 4
[Router] port-security oui 1234-0500-1111 index 5
[Router] interface gigabitethernet 1/0/1
# Set the port security mode to userLoginWithOUI.
 Packet unit : one
Use the following command to view the configuration information of the ISP domain named sun:
<Router> display domain sun
 Domain : sun
 State : Active
 Access-limit : 30
 Accounting method : Required
 Default authentication scheme : radius:radsun
 Default authorization scheme : radius:radsun
 Default accounting scheme...
 EAD quick deploy configuration:
   EAD timeout:
 The maximum 802.1X user resource number is 2048 per slot
 Total current used 802.1X resource number is 1
 GigabitEthernet1/0/1 is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is enabled...
Configuring the macAddressElseUserLoginSecure mode Network requirements As shown in Figure 76, a client is connected to the Router through GigabitEthernet 1/0/1. The Router authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. Restrict port GigabitEthernet 1/0/1 of the Router as follows: Allow more than one MAC authenticated user to log on.
Verify the configuration.
After completing the configurations, use the following command to view the port security configuration information:
[Router] display port-security interface gigabitethernet 1/0/1
 Equipment port-security is enabled
 Trap is disabled
 Disableport Timeout: 20s
 OUI value:
 GigabitEthernet1/0/1 is link-up
   Port mode is macAddressElseUserLoginSecure
   NeedToKnow mode is NeedToKnowOnly
   Intrusion Protection mode is NoAction
   Max MAC address number is 64...
Use the following command to view 802.1X authentication information:
<Router> display dot1x interface GigabitEthernet 1/0/1
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 EAD quick deploy is disabled
 Configuration: Transmit Period 30 s, Handshake Period 15 s...
 1. Authenticated user : MAC address: 0002-0000-0011
 Controlled User(s) amount to 1
In addition, as NTK is enabled, frames with unknown destination MAC addresses, multicast addresses, and broadcast addresses should be discarded.
Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode.
Cannot change port security mode when a user is online
Symptom
Port security mode cannot be changed when an 802.1X-authenticated or MAC-authenticated user is online.
[Router-GigabitEthernet1/0/1] undo port-security port-mode
Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet1/0/1.
Configuring user profiles A user profile provides a configuration template to save predefined configurations, such as a CAR policy or a QoS policy. Different user profiles apply to different application scenarios. The user profile supports working with PPPoE, 802.1X, and portal authentications. It is capable of restricting authenticated users' behaviors.
Creating a user profile
To do…: Enter system view. Command…: system-view. Remarks: —
To do…: Create a user profile, and enter its view. Command…: user-profile profile-name. Remarks: Required. Use the command to enter the view of an existing user profile.
Configuring a user profile
After a user profile is created, perform configurations in user profile view.
Configuring password control
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
Minimum password length
By setting a minimum password length, you force users to use passwords that are long enough for system security.
maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires. Password history With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones to see whether it was used before and, if so, displays an error message.
Password complexity checking A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, configure a password complexity checking policy to ensure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.
Task: Remarks
Enabling password control: Required
Setting global password control parameters: Optional
Setting user group password control parameters: Optional
Setting local user password control parameters: Optional
Setting super password control parameters: Optional
Setting a local user password in interactive mode: Optional
Configuring password control
Enabling password control...
Setting global password control parameters
To do…: Enter system view. Command…: system-view. Remarks: —
To do…: Set the password aging time. Command…: password-control aging aging-time. Remarks: Optional. 90 days by default.
To do…: Set the minimum password update interval. Command…: password-control password update interval interval. Remarks: Optional. 24 hours by default.
Optional.
CAUTION: The specified action to be taken after a user fails to log in for the specified number of attempts takes effect immediately and can affect the users already in the blacklist. Other password control configurations take effect only for users logging in later and passwords configured later. Setting user group password control parameters To do…...
To do…: Configure the password composition policy for the local user. Command…: password-control composition type-number type-number [ type-length type-length ]. Remarks: Optional. By default, the settings for the user group to which the local user belongs are used. If no password composition policy is configured for the user group, the settings in system view are used.
Displaying and maintaining password control
To do…: Display password control configuration information. Command…: display password-control [ super ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view
To do…: Display information about users blacklisted due to authentication. Command…: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | {...
Configuration procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Prohibit the user from logging in forever after two successive login failures.
[Sysname] password-control login-attempt 2 exceed lock
# Set the password aging time to 30 days for all passwords.
[Sysname] password-control aging 30
# Set the minimum password update interval to 36 hours.
Verification
# Display the global password control configuration information.
<Sysname> display password-control
Global password control configurations:
 Password control:                    Enabled
 Password aging:                      Enabled (30 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (1 types, 1 characters per type)
 Password history:                    Enabled (max history record:4)
 Early notice on password expiration: 7 days
 User authentication timeout:...
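The rules this section describes (minimum length, composition, history, update interval, aging, and the complexity check against the username and repeated characters) are modelled below as a small policy checker. This is an added example, not HP code; it uses the values the sample display output shows (30-day aging, length 10, 1 type with 1 character per type, history of 4, 36-hour update interval), and two details the text leaves undefined are assumptions: "repeated characters" is read as three or more identical characters in a row, and the username check is case-insensitive.

```python
"""Model of the password control rules described in this section.

Added example, not HP code. Policy values follow the sample
"display password-control" output; the repeated-character and
case-insensitive username interpretations are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Character classes used for the composition check (assumed split into
# upper case, lower case, digits and everything else).
_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass
class PasswordPolicy:
    min_length: int = 10         # password-control length 10
    composition_types: int = 1   # number of character classes required
    chars_per_type: int = 1      # characters required from each class
    history_size: int = 4        # max history record: 4
    aging_days: int = 30         # password-control aging 30
    min_update_hours: int = 36   # minimum password update interval
    max_repeat: int = 2          # assumption: a longer run of one char fails


@dataclass
class UserRecord:
    username: str
    history: List[str] = field(default_factory=list)  # digests, oldest first
    last_changed: Optional[datetime] = None


def _digest(password: str) -> str:
    # The history keeps digests rather than cleartext. A real device would
    # use a salted password hash; a plain SHA-256 is enough for the model.
    return hashlib.sha256(password.encode()).hexdigest()


def complexity_errors(policy: PasswordPolicy, username: str,
                      password: str) -> List[str]:
    """Return the complexity violations for a candidate password (empty = OK)."""
    errors = []
    if len(password) < policy.min_length:
        errors.append("too short")
    classes_met = sum(
        1 for rx in _CLASSES.values()
        if len(rx.findall(password)) >= policy.chars_per_type
    )
    if classes_met < policy.composition_types:
        errors.append("composition")
    if username.lower() in password.lower():
        errors.append("contains username")
    if re.search(r"(.)\1{%d,}" % policy.max_repeat, password):
        errors.append("repeated characters")
    return errors


def change_password(policy: PasswordPolicy, user: UserRecord,
                    new_password: str, now: datetime) -> Tuple[bool, str]:
    """Apply the complexity, history and update-interval rules.

    Returns (accepted, reason) and records the password when accepted.
    """
    errors = complexity_errors(policy, user.username, new_password)
    if errors:
        return False, ", ".join(errors)
    if _digest(new_password) in user.history:
        return False, "password was used before"
    if (user.last_changed is not None
            and now - user.last_changed < timedelta(hours=policy.min_update_hours)):
        return False, "update interval not elapsed"
    user.history.append(_digest(new_password))
    del user.history[:-policy.history_size]   # keep only the newest entries
    user.last_changed = now
    return True, "ok"


def password_expired(policy: PasswordPolicy, user: UserRecord,
                     now: datetime) -> bool:
    """True once the aging time has elapsed since the last change."""
    return (user.last_changed is not None
            and now - user.last_changed > timedelta(days=policy.aging_days))
```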
Configuring RSH RSH allows you to execute the commands provided by the OS on a remote host. The remote host must run the RSH daemon. The router can serve as an RSH client and provides rsh as the tool for the RSH feature. Figure 77 shows a typical application scenario.
RSH configuration example
Network requirements
As shown in Figure 78, the remote host runs Windows 2000 and has had RSH daemon service started. Set the time of the host remotely from the router.
Figure 78 Network diagram for RSH configuration
Windows NT, 2000, XP, and 2003 are shipped with no RSH daemon.
Figure 80 Services window
Check for the Remote Shell Daemon entry. If it does not exist, install the daemon first. Look at the Status column to check whether the Remote Shell Daemon service is started. In this example, the service is not started yet. Double-click the Remote Shell Daemon service row.
Configure the router.
# Configure a route to the remote host. The configuration procedure is omitted.
# Set the time of the host remotely.
<Router>rsh 192.168.1.10 command time
Trying 192.168.1.10 ...
Press CTRL+K to abort
The current time is: 6:56:42.57
Enter the new time: 12:00
12:00...
Configuring public keys
Asymmetric key algorithm overview
Basic concepts
• Algorithm—A set of transformation rules for encryption and decryption.
• Plain text—Information that has not been encrypted.
• Cipher text—Encrypted information.
• Key—A string of characters that controls the transformation between plain text and cipher text. It is...
Asymmetric key algorithm applications
Asymmetric key algorithms can be used for encryption and digital signature.
• Encryption—The sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt the information. This mechanism ensures confidentiality.
TFTP (in binary mode) first, and then import the public key from the file. During the import process, the system automatically converts the public key to a string in PKCS format. HP recommends that you follow this method to configure the remote host's public key.
To do…: Import the host public key of a remote host from the public key file. Command…: public-key peer keyname import sshkey filename. Remarks: Required
To configure a remote host's public key manually:
To do…: Enter system view. Command…: system-view. Remarks: —...
Public key configuration examples Configuring a remote host's public key manually Network requirements As shown in Figure 83, to prevent illegal access, Router B authenticates Router A through a digital signature. Before configuring authentication parameters on Router B, configure the public key of Router A on Router B.
=====================================================
 Time of Key pair created: 09:50:07 2007/08/07
 Key name: SERVER_KEY
 Key type: RSA Encryption Key
=====================================================
 Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E3
5000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B
9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
Configure Router B.
# Configure the host public key of Router A on Router B. In public key code view, enter the host public key of Router A.
Figure 84 Network diagram for importing a remote host's public key from a public key file
Configuration procedure
Create key pairs on Router A and export the host public key.
# Create RSA key pairs on Router A.
<RouterA> system-view
[RouterA] public-key local create rsa
The range of public key size is (512 ~ 2048).
Enable the FTP server function on Router B.
# Enable the FTP server function, create an FTP user with the username ftp, password 123, and user level
<RouterB> system-view
[RouterB] ftp server enable
[RouterB] local-user ftp
[RouterB-luser-ftp] password simple 123
[RouterB-luser-ftp] service-type ftp
[RouterB-luser-ftp] authorization-attribute level 3
[RouterB-luser-ftp] quit...
With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec and SSL. PKI terms Digital certificate A digital certificate is a file signed by a CA for an entity.
PKI architecture
A PKI system consists of entities, a CA, an RA, and a PKI repository, as shown in Figure 85.
Figure 85 PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer.
VPN is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality. Secure email Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs.
Task: Remarks
Configuring an access control policy: Optional
Configuring an entity DN
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity DN. A CA identifies a certificate applicant uniquely by entity DN. An entity DN is defined by these parameters: Common name of the entity.
Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. HP recommends that you deploy an independent RA.
• URL of the registration server—An entity sends a certificate request to the registration server through...
To configure a PKI domain:
To do…: Enter system view. Command…: system-view. Remarks: —
To do…: Create a PKI domain and enter its view. Command…: pki domain domain-name. Remarks: Required. No PKI domain exists by default.
To do…: Specify the trusted CA. Command…: ca identifier name. Remarks: Required. No trusted CA is specified by default.
Submitting a PKI certificate request When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which are the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an out-of-band means such as phone, disk, or email.
To submit a certificate request in manual mode:
To do…: Enter system view. Command…: system-view. Remarks: —
To do…: Enter PKI domain view. Command…: pki domain domain-name. Remarks: —
To do…: Set the certificate request mode to manual. Command…: certificate request mode manual. Remarks: Optional. Manual by default
Return to system view.
• Prepares for certificate verification
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
CAUTION:
• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and registration information resulting from configuration changes.
To do…: Retrieve the CA certificate. Command…: See "Retrieving a certificate manually." Remarks: Required.
To do…: Retrieve CRLs. Command…: pki retrieval-crl domain domain-name. Remarks: Required.
To do…: Verify the validity of a certificate. Command…: pki validate-certificate { ca | local } domain domain-name. Remarks: Required.
NOTE: The CRL update period defines the interval at which the entity downloads CRLs from the CRL server.
•...
Deleting a certificate
When a certificate requested manually is about to expire or when you want to request a new certificate, delete the current local certificate or CA certificate.
To do…: Enter system view. Command…: system-view. Remarks: —
To do…: Delete certificates. Command…: pki delete-certificate { ca | local } ...
Displaying and maintaining PKI
To do: Display the contents or request status of a certificate. Command: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]. Available in any view.
To do: Display CRLs. Command: display pki crl domain domain-...
In this example, you must configure these basic attributes on the CA server at first:
• Nickname—Name of the trusted CA.
• Subject DN—DN information of the CA, including the CN, OU, O, and C.
The other attributes might be left using the default values.
# Configure extended attributes.
• Generate a local key pair using RSA.
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits in the modulus [default = 1024]:
Generating Keys...
Verify your configuration.
# Use the following command to view information about the local certificate acquired.
[Router] display pki certificate local domain torsa
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 9A96A48F 9A509FD7 05FFF4DF 104AD094
    Issuer: C=cn O=org OU=test CN=myca
    Validity
      Not Before: Jan 8 09:26:53 2007 GMT
      Not After : Jan...
Requesting a certificate from a CA server running Windows 2003 Server
Network requirements
Configure PKI entity Router to request a local certificate from the CA server.
Figure 87 Request a certificate from a CA server running Windows 2003 server
Configuration procedure
Configure the CA server.
[Router-pki-entity-aaa] quit
• Configure the PKI domain.
# Create PKI domain torsa and enter its view.
[Router] pki domain torsa
# Configure the name of the trusted CA as myca.
[Router-pki-domain-torsa] ca identifier myca
# Configure the URL of the registration server in the format of http://host:port/certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server.
# Request a local certificate manually.
[Router] pki request-certificate domain torsa challenge-word
Certificate is being requested, please wait..
[Router]
Enrolling the local certificate,please wait a while..
Certificate request Successfully!
Saving the local certificate to device..Done!
Verify your configuration.
# Use the following command to view information about the local certificate acquired.
[Router] display pki certificate local domain torsa
Certificate:
  Data:...
      Authority Information Access:
        CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
        CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
      1.3.6.1.4.1.311.20.2:
        .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
also use some other display commands to view more information about the CA certificate. For more information about display pki certificate ca domain, see Security Command Reference.
Applying RSA digital signature in IKE negotiation
Network requirements
An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on...
Configuration procedure
Configure Router A.
# Configure the entity DN.
<RouterA> system-view
[RouterA] pki entity en
[RouterA-pki-entity-en] ip 2.2.2.1
[RouterA-pki-entity-en] common-name routera
[RouterA-pki-entity-en] quit
# Configure the PKI domain. The URL of the registration server varies with the CA server.
[RouterA] pki domain 1
[RouterA-pki-domain-1] ca identifier CA1
[RouterA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll...
# Configure the PKI domain. The URL of the registration server varies with the CA server.
[RouterB] pki domain 1
[RouterB-pki-domain-1] ca identifier CA2
[RouterB-pki-domain-1] certificate request url http://2.1.1.100/certsrv/mscep/mscep.dll
[RouterB-pki-domain-1] certificate request entity en
[RouterB-pki-domain-1] ldap-server ip 2.1.1.102
# Set the registration authority to RA.
[RouterB-pki-domain-1] certificate request from ra
# Configure the CRL distribution URL.
Configuring a certificate attribute-based access control policy
Network requirements
• The client accesses the remote HTTPS server through the HTTPS protocol.
• Configure SSL to ensure that only legal clients log into the HTTPS server.
• Create a certificate attribute-based access control policy to control access to the HTTPS server.
•...
# Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc.
[Router] pki certificate attribute-group mygroup2
[Router-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[Router-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc...
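The following Python model, added here as an illustration rather than code from HP or this guide, evaluates attribute rules written in the CLI form above (ctn and nctn only, the two operators the page uses) and applies them through a permit/deny policy. It assumes that a certificate matches a group only when every rule in the group matches, and that a certificate matching no policy rule is denied; the policy rule syntax and the sample certificates are constructed.

```python
import re
from dataclasses import dataclass, field

# Attribute rule lines in the CLI form shown above, for example:
#   attribute 1 alt-subject-name fqdn nctn apple
#   attribute 2 issuer-name dn ctn aabbcc
RULE_RE = re.compile(
    r"^attribute\s+(?P<id>\d+)\s+"
    r"(?P<name>alt-subject-name|subject-name|issuer-name)\s+"
    r"(?P<kind>fqdn|ip|dn)\s+"
    r"(?P<op>ctn|nctn)\s+"
    r"(?P<value>\S+)$"
)


@dataclass(frozen=True)
class AttributeRule:
    rule_id: int
    name: str    # certificate field the rule inspects
    kind: str    # fqdn, ip or dn
    op: str      # ctn (contains) or nctn (does not contain)
    value: str

    def matches(self, cert: dict) -> bool:
        # A certificate is modelled as a dict mapping "<field>/<kind>" to the
        # list of values present, e.g. {"issuer-name/dn": ["CN=aabbcc-ca"]}.
        present = cert.get(f"{self.name}/{self.kind}", [])
        contains = any(self.value in v for v in present)
        # nctn holds when no value contains the string, which also covers a
        # certificate that lacks the field entirely.
        return contains if self.op == "ctn" else not contains


def parse_rule(line: str) -> AttributeRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported attribute rule: {line!r}")
    return AttributeRule(int(m["id"]), m["name"], m["kind"], m["op"], m["value"])


@dataclass
class AttributeGroup:
    name: str
    rules: dict = field(default_factory=dict)   # rule id -> AttributeRule

    def add(self, line: str) -> None:
        rule = parse_rule(line)
        self.rules[rule.rule_id] = rule          # re-entering an id replaces the rule

    def matches(self, cert: dict) -> bool:
        # Assumption: all rules of a group must match (logical AND).
        return bool(self.rules) and all(r.matches(cert) for r in self.rules.values())


@dataclass
class AccessControlPolicy:
    name: str
    groups: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)   # (rule id, action, group name)

    def add_rule(self, rule_id: int, action: str, group_name: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.rules.append((rule_id, action, group_name))
        self.rules.sort()                        # evaluated in rule-id order

    def evaluate(self, cert: dict) -> str:
        # The first rule whose group matches decides; a certificate matching no
        # rule is treated as denied (assumption for this example).
        for _, action, group_name in self.rules:
            group = self.groups.get(group_name)
            if group is not None and group.matches(cert):
                return action
        return "deny"


def build_example_policy() -> AccessControlPolicy:
    """mygroup2 with the two rules from the page; the policy rule is constructed."""
    group = AttributeGroup("mygroup2")
    group.add("attribute 1 alt-subject-name fqdn nctn apple")
    group.add("attribute 2 issuer-name dn ctn aabbcc")
    policy = AccessControlPolicy("myacp")
    policy.groups[group.name] = group
    policy.add_rule(1, "permit", "mygroup2")
    return policy


# Constructed client certificates, reduced to the attributes the rules inspect.
GOOD_CLIENT = {"alt-subject-name/fqdn": ["www.pear.test"], "issuer-name/dn": ["CN=aabbcc-ca,O=test"]}
APPLE_CLIENT = {"alt-subject-name/fqdn": ["www.apple.test"], "issuer-name/dn": ["CN=aabbcc-ca,O=test"]}
OTHER_ISSUER = {"alt-subject-name/fqdn": ["www.pear.test"], "issuer-name/dn": ["CN=xyz-ca"]}

if __name__ == "__main__":
    policy = build_example_policy()
    for label, cert in (("good", GOOD_CLIENT), ("apple", APPLE_CLIENT), ("other-issuer", OTHER_ISSUER)):
        print(label, policy.evaluate(cert))
```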
Failed to request a local certificate
Symptom
Failed to request a local certificate.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No CA certificate has been retrieved.
•...
Configuring IPsec IPsec is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints. IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at the IP layer in an insecure network environment: Confidentiality—The sender encrypts packets before transmitting them over the Internet.
Basic concepts Security association A security association is an agreement negotiated between two communicating parties called "IPsec peers." It comprises a set of parameters for data protection, including security protocols, encapsulation mode, authentication and encryption algorithms, and shared keys and their lifetime. SAs can be set up manually or through IKE.
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact. IPsec supports two hash algorithms for authentication: MD5—Takes as input a message of arbitrary length and produces a 128-bit message digest.
• Flexible service application—Apply a service such as NAT or QoS to packets before or after they are encrypted by IPsec. To handle packets prior to IPsec encryption, apply the service to the IPsec tunnel interface. To handle IPsec encrypted packets, apply the service to the physical outbound interface.
The IPsec tunnel interface de-encapsulates the packet and then delivers the resulting clear text packet back to the forwarding module. The forwarding module looks up the routing table and then forwards the clear text packet out of the physical outbound interface associated with the tunnel interface. IPsec for IPv6 routing protocols uses IPsec to protect routing information and to defend against attacks on these IPv6 routing protocols: OSPFv3, IPv6 BGP, and RIPng.
• RFC 4552, Authentication/Confidentiality for OSPFv3
Configuring IPsec
IPsec can be implemented based on ACLs, tunnel interfaces, or applications:
• ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec, configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces (see "Implementing ACL-based IPsec").
Task: Enabling the encryption engine. Required
Task: Enabling ACL checking of de-encapsulated IPsec packets. Optional
Task: Configuring the IPsec anti-replay function. Optional
Task: Configuring packet information pre-extraction. Optional
Task: Enabling invalid SPI recovery. Optional
Task: Configuring IPsec RRI. Optional
Configuring ACLs
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is desired, such as QoS and IPsec.
Router A connects the segment 1.1.2.0/24, and Router B connects the segment 3.3.3.0/24. On Router A, apply the IPsec policy group test to the outbound interface of Router A. The IPsec policy group contains two policies, test 1 and test 2. The ACLs referenced by the two policies each contain a rule that matches traffic from 1.1.2.0/24 to 3.3.3.0/24.
Mirror image ACLs To ensure that SAs can be set up and the traffic protected by IPsec can be processed correctly at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local peer.
Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
• Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This...
To do: Specify the IP packet encapsulation mode for the IPsec proposal. Command: encapsulation-mode { transport | tunnel }. Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those
• You do not need to configure ACLs or IPsec tunnel addresses.
• Within a certain routed network scope, the IPsec proposals used by the IPsec policies on all routers must have the same security protocols, security algorithms, and encapsulation mode. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area.
Configuration prerequisites
Configure ACLs used for identifying protected traffic and IPsec proposals. ACLs are not required for IPsec policies for an IPv6 protocol.
Configuration procedure
To configure a manual IPsec policy:
1. Enter system view. Command: system-view
Required.
NOTE:
• An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
• A manual IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for an...
To do: Enable and configure the perfect forward secrecy feature for the IPsec policy. Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }. Optional. By default, the PFS feature is not used for negotiation. For more information, see "Configuring IKE."...
Applying an IPsec policy group to an interface An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
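As an added illustration of the mirror image ACL requirement and of policy group precedence (smaller sequence number first), the following Python, which is not code from HP or this guide, parses ACL rules in the form used by the examples on this page, generates the mirror rule the remote peer needs, and selects the policy in a group that protects a given flow. The policy group with sequence numbers 10 and 20 is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rule lines in the form used on this page, for example:
#   rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
RULE_RE = re.compile(
    r"^rule\s+(?P<action>permit|deny)\s+ip\s+"
    r"source\s+(?P<src>\S+)\s+(?P<src_wild>\S+)\s+"
    r"destination\s+(?P<dst>\S+)\s+(?P<dst_wild>\S+)$"
)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AclRule:
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # Wildcard-mask semantics: a 1 bit in the mask means "don't care".
        care_src = ~self.src_wild & 0xFFFFFFFF
        care_dst = ~self.dst_wild & 0xFFFFFFFF
        return ((_ip(src_ip) & care_src) == (self.src & care_src)
                and (_ip(dst_ip) & care_dst) == (self.dst & care_dst))

    def mirror(self) -> "AclRule":
        # The mirror image rule swaps the source and destination fields.
        return AclRule(self.action, self.dst, self.dst_wild, self.src, self.src_wild)

    def to_cli(self) -> str:
        a = ipaddress.IPv4Address
        return (f"rule {self.action} ip source {a(self.src)} {a(self.src_wild)} "
                f"destination {a(self.dst)} {a(self.dst_wild)}")


def parse_rule(line: str) -> AclRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    return AclRule(m["action"], _ip(m["src"]), _ip(m["src_wild"]),
                   _ip(m["dst"]), _ip(m["dst_wild"]))


def acl_action(rules, src_ip: str, dst_ip: str):
    """Action of the first matching rule, or None when no rule matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return None


def is_mirror_image(local_rules, remote_rules) -> bool:
    """True when the remote ACL is exactly the mirror image of the local ACL."""
    return {r.mirror() for r in local_rules} == set(remote_rules)


def select_policy(policy_group, src_ip: str, dst_ip: str):
    """policy_group: list of (seq_number, acl_rules). Returns the seq number of the
    highest-priority (smallest seq number) policy whose ACL permits the flow."""
    for seq, rules in sorted(policy_group, key=lambda p: p[0]):
        if acl_action(rules, src_ip, dst_ip) == "permit":
            return seq
    return None


# ACL 3101 on Router A and Router B from the manual-mode example on this page.
ROUTER_A_ACL = [parse_rule("rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255")]
ROUTER_B_ACL = [parse_rule("rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255")]

if __name__ == "__main__":
    print(ROUTER_A_ACL[0].mirror().to_cli())
    print("remote ACL is a mirror image:", is_mirror_image(ROUTER_A_ACL, ROUTER_B_ACL))
    # Constructed policy group: both policies permit the flow, so sequence 10 wins.
    group = [(20, ROUTER_A_ACL), (10, ROUTER_A_ACL)]
    print("selected policy:", select_policy(group, "10.1.1.5", "10.1.2.9"))
```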
To do: Enable the encryption engine (on a distributed router). Command: cryptoengine enable [ slot slot-number ]. Optional. Enabled by default.
Enabling ACL checking of de-encapsulated IPsec packets
In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet may not be an object that is specified by an ACL to be protected.
To do: Set the size of the IPsec anti-replay window. Command: ipsec anti-replay window width. Optional. 32 by default.
NOTE: IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking.
Configuring packet information pre-extraction
If you apply both an IPsec policy and a QoS policy to an interface, by default, the interface first uses IPsec and then QoS to process IP packets, and QoS classifies packets by the headers of IPsec-encapsulated...
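To show what the anti-replay window width above actually controls, here is an added Python model of the sliding-window check (not code from HP or this guide): the window keeps a bitmap of the last width sequence numbers, so a packet is rejected either as a duplicate or as too old, and a wider window tolerates more reordering. The sequence-number trace is constructed.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check of the kind applied to IKE-negotiated IPsec SAs."""

    def __init__(self, width: int = 32):
        if width <= 0:
            raise ValueError("window width must be positive")
        self.width = width
        self.mask = (1 << width) - 1
        self.last = 0        # highest sequence number accepted so far (right edge)
        self.bitmap = 0      # bit i set => sequence number (last - i) already received
        self.accepted = 0
        self.rejected = 0

    def check(self, seq: int) -> bool:
        """Accept and record seq if it is new and not older than the window allows."""
        ok = self._evaluate(seq)
        if ok:
            self.accepted += 1
        else:
            self.rejected += 1
        return ok

    def _evaluate(self, seq: int) -> bool:
        if seq <= 0:
            return False                        # ESP sequence numbers start at 1
        if seq > self.last:
            # Newer than anything seen: slide the window right. Entries that
            # fall off the left edge are forgotten and can no longer be accepted.
            shift = seq - self.last
            if shift >= self.width:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.width:
            return False                        # too old: left of the window
        if (self.bitmap >> offset) & 1:
            return False                        # duplicate: replayed packet
        self.bitmap |= 1 << offset              # late but unseen: accept and mark
        return True


def replay_check(seqs, width: int = 32):
    """Run a trace of sequence numbers through one window; returns (accepted, rejected)."""
    window = AntiReplayWindow(width)
    accepted, rejected = [], []
    for seq in seqs:
        (accepted if window.check(seq) else rejected).append(seq)
    return accepted, rejected


# Constructed trace: in-order packets, one replay, a jump ahead, then a packet
# just outside a 32-wide window (68), one just inside (69), its replay, and a
# replay of the newest packet.
TRACE = [1, 2, 3, 4, 5, 3, 100, 68, 69, 69, 100]

if __name__ == "__main__":
    for width in (32, 64):
        print(width, replay_check(TRACE, width))
```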
To do: Enable invalid SPI recovery. Command: ipsec invalid-spi-recovery enable. Optional. Disabled by default.
Configuring IPsec RRI
IPsec RRI works in static mode or dynamic mode.
Static IPsec RRI
Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec policy references.
To do: Enable IPsec RRI. Command: reverse-route [ remote-peer ip-address [ gateway | static ] | static ]. Required. Disabled by default. To enable static IPsec RRI, specify the static keyword. If the keyword is not specified, dynamic IPsec RRI is enabled.
To do: Change the preference of … Optional.
Task: Enabling packet information pre-extraction on the IPsec tunnel interface. Optional
Task: Applying a QoS policy to an IPsec tunnel interface. Optional
Task: Enabling the encryption engine. Optional
Task: Configuring the IPsec anti-replay function. Optional
Configuring an IPsec profile
As described previously, an IPsec policy is uniquely identified by its name and sequence number. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
To do: Specify the IPsec proposals for the IPsec profile to reference. Command: proposal proposal-name&<1-6>. Required. By default, an IPsec profile references no IPsec proposals.
To do: Specify the IKE peer for the IPsec profile to reference. Command: ike-peer peer-name. Required. An IPsec profile cannot reference any IKE peer that is already
• The expected IKE SA and IPsec SAs are established between the local security gateway and the peer gateway. Use display ike sa to view the status of the IKE SA and the IPsec SAs.
To configure an IPsec tunnel interface:
1. Enter system view. Command: system-view
2. Create a tunnel interface and enter its view. Command: interface tunnel number. Required. By default, no tunnel interface exists on the router.
3. Assign an IPv4 address to the tunnel interface. Command: ip address ip-address { mask | … Required. By default, no IPv4 address is
Enabling packet information pre-extraction on the IPsec tunnel interface Because packets that an IPsec tunnel interface passes to a physical interface are encapsulated, the QoS module cannot obtain the 5-tuple (source IP, destination IP, source port, destination port, and protocol) of the original packets.
To apply a QoS policy to an IPsec tunnel interface:
1. Enter system view. Command: system-view
2. Enter tunnel interface view. Command: interface tunnel number
3. Apply a QoS policy to the IPsec tunnel interface. Command: qos apply policy policy-name { … Required. For more information, see ACL and
To do: Display IPsec tunnel information. Command: display ipsec tunnel [ | { begin | exclude | include } regular-expression ]. Available in any view.
To do: Clear SAs. Command: reset ipsec sa [ parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote ip-address ]. Available in user view.
To do: Clear IPsec statistics...
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-proposal-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-proposal-tran1] transform esp
# Specify the algorithms for the proposal.
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm des
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1] quit
# Create manual IPsec policy map1.
[RouterA] ipsec policy map1 10 manual
# Apply the ACL.
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-proposal-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-proposal-tran1] transform esp
# Specify the algorithms for the proposal.
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm des
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-proposal-tran1] quit
# Create a manual IPsec policy.
[RouterB] ipsec policy use1 10 manual
# Apply the ACL.
Configuration procedure
Configure Router A.
# Define an ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<RouterA> system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 serial 2/1/1
# Create an IPsec proposal named tran1.
Configure Router B.
# Define an ACL to identify data flows from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
<RouterB> system-view
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-adv-3101] quit
# Configure a static route to Host A.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 serial 2/1/2
# Create an IPsec proposal named tran1.
Configuring IPsec with IPsec tunnel interfaces example
Network requirements
As shown in Figure 97, the gateway of the branch accesses the Internet through a dial-up line and obtains its IP address dynamically, and the headquarters accesses the Internet by using a fixed IP address.
# Configure the IPsec profile to reference the IPsec proposal method1.
[RouterA-ipsec-profile-atob] proposal method1
[RouterA-ipsec-profile-atob] quit
# Create tunnel interface Tunnel 1.
[RouterA] interface tunnel 1
# Assign IPv4 address 10.1.1.1/24 to tunnel interface Tunnel 1.
[RouterA-Tunnel1] ip address 10.1.1.1 24
# Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
# Configure the IPsec profile to reference the IPsec proposal method1.
[RouterB-ipsec-profile-btoa] proposal method1
[RouterB-ipsec-profile-btoa] quit
# Create tunnel interface Tunnel 1. This interface is used to protect the data flows between Router B and Router A. Because the public IP address of the remote peer is not known, you do not need to configure the destination address on the tunnel interface.
--- 172.17.17.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/8/15 ms
Similarly, view the information on Router A. (Omitted)
Configuring IPsec for RIPng example
IPsec configurations for protecting RIPng, OSPFv3, and IPv6 BGP are similar. For more information, see Layer 3—IP Routing Configuration Guide.
[RouterA-ipsec-proposal-tran1] encapsulation-mode transport
[RouterA-ipsec-proposal-tran1] transform esp
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm des
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, set the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[RouterA] ipsec policy policy001 10 manual
[RouterA-ipsec-policy-manual-policy001-10] proposal tran1
[RouterA-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345...
# Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs as 123456 and the keys for the inbound and outbound SAs using ESP as abcdefg.
[RouterB] ipsec policy policy001 10 manual
[RouterB-ipsec-policy-manual-policy001-10] proposal tran1
[RouterB-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[RouterB-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345...
Verification After the configuration, Router A, Router B, and Router C learn IPv6 routing information through RIPng. SAs are set up successfully, and the IPsec tunnel between two peers is up for protecting the RIPng packets. Using display ripng on Router A, you see the running status and configuration information of the specified RIPng process.
Configuring IPsec RRI example Network requirements As shown in Figure 99, an IPsec tunnel is required between Router A and Router B to protect the traffic between the headquarters and the branch. Configure the tunnel to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.
# Set the pre-shared key.
[RouterA-ike-peer-peer] pre-shared-key abcde
# Specify the IP address of the peer security gateway.
[RouterA-ike-peer-peer] remote-address 2.2.2.2
[RouterA-ike-peer-peer] quit
# Create an IPsec policy that uses IKE.
[RouterA] ipsec policy map1 10 isakmp
# Reference IPsec proposal tran1.
[RouterA-ipsec-policy-isakmp-map1-10] proposal tran1
# Reference ACL 3101 to identify the protected traffic.
# Create IKE peer peer.
[RouterB] ike peer peer
# Set the pre-shared key.
[RouterB-ike-peer-peer] pre-shared-key abcde
# Specify the IP address of the peer security gateway.
[RouterB-ike-peer-peer] remote-address 1.1.1.1
[RouterB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE.
[RouterB] ipsec policy use1 10 isakmp
# Reference ACL 3101 to identify the protected traffic.
Configuring IKE
Built on a framework defined by ISAKMP, IKE provides automatic key negotiation and SA establishment services for IPsec, which greatly simplifies the application, management, configuration, and maintenance of IPsec. Instead of transmitting keys directly across a network, IKE peers exchange keying materials and each calculates the shared keys independently.
Figure 100 IKE exchange process in main mode
As shown in Figure 100, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange—Used for negotiating the security policy.
• Key exchange—Used for exchanging the Diffie-Hellman public value and other values like the...
Relationship between IKE and IPsec
Figure 101 Relationship between IKE and IPsec
Figure 101 illustrates the relationship between IKE and IPsec:
• IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
• IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
•...
Complete the following tasks to configure IKE:
Task: Configuring a name for the local security gateway. Optional
Task: Configuring an IKE proposal. Optional. Required if you want to specify an IKE proposal for an IKE peer to reference
Task: Configuring an IKE peer. Required
Task: Setting keepalive timers. Optional
...
To configure an IKE proposal:
1. Enter system view. Command: system-view
2. Create an IKE proposal and enter its view. Command: ike proposal proposal-number. Required.
3. Specify an encryption algorithm for the IKE proposal. Command: encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }. Optional. 56-bit DES by default.
• Specify the name or IP address of the remote security gateway. For the local end to initiate IKE negotiation, you must specify the name or IP address of the remote security gateway on the local end so the local end can find the remote end.
• Enable NAT traversal.
To do: Enable the NAT traversal function for IPsec/IKE. Command: nat traversal. Optional. Required when a NAT gateway is present in the VPN tunnel constructed by IPsec/IKE. Disabled by default.
To do: Set the subnet type … Command: local { multi-subnet | single- … Optional.
Setting the NAT keepalive timer If IPsec traffic must pass through NAT security gateways, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel in a certain period of time, the NAT mapping may get aged and be deleted, disabling the tunnel beyond the NAT gateway from transmitting data to the intended end.
1. Enter system view. Command: system-view
2. Disable next payload field checking. Command: ike next-payload check disabled. Required. Enabled by default.
Displaying and maintaining IKE
To do: Display IKE DPD information. Command: display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
...
Figure 102 Network diagram for configuring IKE in main mode with pre-shared key authentication
Make sure that Router A and Router B can reach each other.
Configuration procedure
Configure Router A.
# Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<RouterA>...
# Set the authentication algorithm to MD5.
[RouterA-ike-proposal-10] authentication-algorithm md5
# Set the authentication method to pre-shared key.
[RouterA-ike-proposal-10] authentication-method pre-share
# Set the ISAKMP SA lifetime to 5000 seconds.
[RouterA-ike-proposal-10] sa duration 5000
[RouterA-ike-proposal-10] quit
# Create an IPsec policy that uses IKE negotiation.
[RouterA] ipsec policy map1 10 isakmp
# Reference IPsec proposal tran1.
# Specify encryption and authentication methods.
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm des
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-proposal-tran1] quit
# Create IKE peer peer.
[RouterB] ike peer peer
# Set the pre-shared key.
[RouterB-ike-peer-peer] pre-shared-key abcde
# Specify the IP address of the peer security gateway.
[RouterB-ike-peer-peer] remote-address 1.1.1.1
[RouterB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE negotiation.
priority  authentication method  authentication algorithm  encryption algorithm  Diffie-Hellman group  duration (seconds)
---------------------------------------------------------------------------
default PRE_SHARED DES_CBC MODP_768 86400
Router A and Router B have only one pair of matching IKE proposals. Matching IKE proposals do not necessarily use the same ISAKMP SA lifetime setting.
# Send traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
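The following Python, added as an illustration and not code from HP or this guide, builds IKE proposals from CLI lines in the form used on this page and applies the matching rule just stated: authentication method, authentication algorithm, encryption algorithm and DH group must agree, while the ISAKMP SA lifetime is ignored. The default proposal values come from the display ike proposal output above (the default authentication algorithm, which that output does not show, is assumed to be SHA), and the order in which proposals are compared is an assumption; Router B's proposal is constructed.

```python
import re
from dataclasses import dataclass, replace

# Values of the default IKE proposal as listed by display ike proposal above:
# pre-shared key, DES-CBC, MODP_768 (dh group1), 86400 seconds. The listing on
# this page does not show the default authentication algorithm; SHA is assumed.
DEFAULTS = dict(auth_method="pre-share", auth_alg="sha", enc_alg="des-cbc",
                dh_group="group1", duration=86400)
DEFAULT_PRIORITY = 1 << 16   # sorts after every configured proposal number


@dataclass(frozen=True)
class IkeProposal:
    priority: int
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    duration: int

    def match_key(self):
        # Lifetime is deliberately left out: matching proposals need not share it.
        return (self.auth_method, self.auth_alg, self.enc_alg, self.dh_group)


def parse_proposals(cli_lines):
    """Build proposals from CLI lines in the form used on this page (ike proposal N,
    authentication-algorithm, authentication-method, encryption-algorithm, dh,
    sa duration, quit). Fields that are never set keep the default values."""
    proposals, cur = [], None
    for raw in cli_lines:
        line = raw.strip()
        if m := re.match(r"^ike proposal (\d+)$", line):
            if cur is not None:
                proposals.append(cur)
            cur = IkeProposal(priority=int(m[1]), **DEFAULTS)
        elif cur is None:
            raise ValueError(f"command outside IKE proposal view: {line!r}")
        elif m := re.match(r"^authentication-algorithm (\S+)$", line):
            cur = replace(cur, auth_alg=m[1])
        elif m := re.match(r"^authentication-method (\S+)$", line):
            cur = replace(cur, auth_method=m[1])
        elif m := re.match(r"^encryption-algorithm (\S+)(?:\s+(\d+))?$", line):
            cur = replace(cur, enc_alg=m[1] + (f"-{m[2]}" if m[2] else ""))
        elif m := re.match(r"^dh (\S+)$", line):
            cur = replace(cur, dh_group=m[1])
        elif m := re.match(r"^sa duration (\d+)$", line):
            cur = replace(cur, duration=int(m[1]))
        elif line != "quit":
            raise ValueError(f"unsupported command: {line!r}")
    if cur is not None:
        proposals.append(cur)
    return proposals


def with_default(proposals):
    """Configured proposals plus the system default proposal at lowest priority."""
    return list(proposals) + [IkeProposal(priority=DEFAULT_PRIORITY, **DEFAULTS)]


def negotiate(initiator, responder):
    """First matching (initiator, responder) proposal pair, or None.
    Assumption for this example: the initiator offers its proposals in priority
    order and the responder walks its own list in priority order for each one."""
    for ip in sorted(initiator, key=lambda p: p.priority):
        for rp in sorted(responder, key=lambda p: p.priority):
            if ip.match_key() == rp.match_key():
                return ip, rp
    return None


# Router A proposal 10 as configured in the main-mode example on this page.
ROUTER_A = parse_proposals([
    "ike proposal 10",
    "authentication-algorithm md5",
    "authentication-method pre-share",
    "sa duration 5000",
    "quit",
])
# Constructed peer: same algorithms as Router A but the default 86400 s lifetime.
ROUTER_B = parse_proposals([
    "ike proposal 10",
    "authentication-algorithm md5",
    "authentication-method pre-share",
    "quit",
])
# Proposal 1 from the aggressive-mode example on this page: SHA, 3DES, dh group2.
ROUTER_C = parse_proposals([
    "ike proposal 1",
    "authentication-algorithm sha",
    "authentication-method pre-share",
    "encryption-algorithm 3des-cbc",
    "dh group2",
])

if __name__ == "__main__":
    print(negotiate(ROUTER_A, ROUTER_B))                              # matches despite lifetimes
    print(negotiate(ROUTER_A, ROUTER_C))                              # None: no common algorithms
    print(negotiate(with_default(ROUTER_A), with_default(ROUTER_C)))  # default proposals match
```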
max received sequence-number: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 89389742 (0x553faae)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3590
max received sequence-number: 5
udp encapsulation used for nat traversal: N
Aggressive mode IKE with NAT traversal configuration example
Network requirements...
# Configure an ACL.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure an IKE proposal.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] dh group2
# Configure an IKE peer.
# Configure a static route to the branch LAN.
[RouterA] ip route-static 192.168.0.0 255.255.255.0 serial 2/1/1
Configure Router B.
# Specify a name for the local security gateway.
<RouterB> system-view
[RouterB] ike local-name routerb
# Configure an ACL.
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule permit...
# Configure dialer interface Dialer 0. Use the username and password assigned by the ISP for dial and PPP authentication.
[RouterB] interface dialer 0
[RouterB-Dialer0] link-protocol ppp
[RouterB-Dialer0] ppp pap local-user test password simple 123456
[RouterB-Dialer0] ip address ppp-negotiate
[RouterB-Dialer0] dialer user 1
[RouterB-Dialer0] dialer-group 1
[RouterB-Dialer0] dialer bundle 1
[RouterB-Dialer0] ipsec policy policy...
Troubleshooting IKE
When configuring parameters to establish an IPsec tunnel, enable IKE error debugging to locate configuration problems:
<Router> debugging ike error
Invalid user ID
Symptom
Invalid user ID.
Analysis
In IPsec, user IDs are used to identify data flows and to set up different IPsec tunnels for different data flows.
Failure to establish an IPsec tunnel Symptom The expected IPsec tunnel cannot be established. Analysis Sometimes an IPsec tunnel cannot be established, or there is no way to communicate in the presence of an IPsec tunnel in an unstable network. According to examination results, however, ACLs of both parties are configured correctly, and proposals are also matched.
Configuring SSH2.0 SSH offers an approach to logging in to a remote device securely. By encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. The router can work as an SSH server to support connections with SSH clients and also as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
client uses the protocol version of the server. Otherwise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the server of the protocol version that it decides to use. The server compares the version number carried in the packet with that of its own.
authentication result. The router supports using the publickey algorithms RSA and DSA for digital signature. An SSH2.0 server might require the client to pass both password authentication and publickey authentication or either of them. However, if the client is running SSH1, the client must only pass either authentication, regardless of the requirement of the server.
SSH connection across VPNs With this function, configure the router as an SSH client to establish connections with SSH servers in different MPLS VPNs. As shown in Figure 104, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the services of the two VPNs isolated.
Generating a DSA or RSA key pair In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session key and session ID and for the client to authenticate the server. To generate a DSA or RSA key pair on the SSH server: To do…...
(in binary) to the server through FTP or TFTP.
NOTE:
• HP recommends that you configure a client public key by importing it from a public key file.
• Up to 20 client public keys can be configured on an SSH server.
Configuring a client public key manually
1. Enter system view. Command: system-view
2. Enter public key view. Command: public-key peer keyname
3. Enter public key code view. Command: public-key-code begin
4. Configure a client public key. Enter the content of the public key. Required. Spaces and carriage returns are allowed between characters.
CAUTION:
• A user without an SSH account can still pass password authentication and log in to the server through Stelnet or SFTP, as long as the user can pass AAA authentication and the service type is SSH.
• An SSH server supports up to 1024 SSH users.
•...
To set the SSH management parameters:
1. Enter system view. Command: system-view
2. Enable the SSH server to support SSH1 clients. Command: ssh server compatible-ssh1x enable. Optional. By default, the SSH server supports SSH1 clients.
3. Set the RSA server key pair. Command: ssh server rekey-interval. Optional. 0 by default.
Configuring first-time authentication support
When the router connects to the SSH server as an SSH client, configure whether the router supports first-time authentication.
• With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server and save the host public key on the client.
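To make the trade-off behind first-time authentication concrete, here is an added Python model (not HP's SSH client code) of the two client behaviours: with first-time authentication the host key is saved on first contact and checked afterwards, and without it a connection is refused until the host key has been configured. The key bytes, the fingerprint format and the result labels are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(host_key: bytes) -> str:
    """SHA-256 fingerprint of a server host public key (raw key bytes)."""
    return "SHA256:" + hashlib.sha256(host_key).hexdigest()


@dataclass
class SshClientHostKeyPolicy:
    first_time_authentication: bool = True
    known_hosts: dict = field(default_factory=dict)   # server -> fingerprint

    def configure_host_key(self, server: str, host_key: bytes) -> None:
        """Install the server host public key obtained out of band (the strict case)."""
        self.known_hosts[server] = fingerprint(host_key)

    def authenticate_server(self, server: str, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        known = self.known_hosts.get(server)
        if known is None:
            if self.first_time_authentication:
                # Trust on first use: continue and save the key for later checks.
                # Whatever key is presented at this first contact is the one that
                # gets trusted, which is exactly why an out-of-band check is safer.
                self.known_hosts[server] = fp
                return "accepted-first-time"
            return "rejected-unknown-host-key"     # key must be configured in advance
        if known == fp:
            return "accepted-known-host-key"
        # A saved key is never overwritten silently: a changed key means the
        # server was re-keyed or the connection is being intercepted.
        return "rejected-host-key-mismatch"


# Constructed keys standing in for a server's real RSA or DSA host public key.
GENUINE_KEY = b"ssh-rsa constructed-genuine-server-key"
IMPOSTOR_KEY = b"ssh-rsa constructed-other-key"
SERVER = "192.168.1.40"   # the SSH server address used in the examples on this page


def run_scenarios() -> dict:
    """Outcomes for a first-time-authentication client and for a strict client."""
    tofu = SshClientHostKeyPolicy(first_time_authentication=True)
    strict = SshClientHostKeyPolicy(first_time_authentication=False)
    results = {
        "tofu_first": tofu.authenticate_server(SERVER, GENUINE_KEY),
        "tofu_again": tofu.authenticate_server(SERVER, GENUINE_KEY),
        "tofu_changed": tofu.authenticate_server(SERVER, IMPOSTOR_KEY),
        "strict_unconfigured": strict.authenticate_server(SERVER, GENUINE_KEY),
    }
    strict.configure_host_key(SERVER, GENUINE_KEY)
    results["strict_configured"] = strict.authenticate_server(SERVER, GENUINE_KEY)
    results["strict_impostor"] = strict.authenticate_server(SERVER, IMPOSTOR_KEY)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```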
Establishing connection between the SSH client and server
To do: Establish a connection between the SSH client and server, for an IPv4 server. Command: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-...
NOTE:
For more information about display public-key local and display public-key peers, see Security Command Reference.
SSH server configuration examples
Configuring the router to act as password authentication server
Network requirements
As shown in Figure 105, a host (the SSH client) and a router (the SSH server) are directly connected through Ethernet interfaces.
# Enable the SSH server.
[Router] ssh server enable
# Configure an IP address for interface GigabitEthernet 1/0/1, which the SSH client uses as the destination for SSH connection.
[Router] interface GigabitEthernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 192.168.1.40 255.255.255.0
[Router-GigabitEthernet1/0/1] quit
# Set the authentication mode for the user interfaces to AAA.
Figure 106 SSH client configuration interface In the window shown in Figure 106, click Open to connect to the server. If the connection is normal, you are prompted to enter the username and password. After entering the username (client001) and password (aabbcc), enter the configuration interface of the server.
Configuration procedure
Configure the SSH client.
# Generate the RSA key pairs.
Run PuTTYGen.exe, select SSH-2 RSA, and click Generate.
Figure 108 Generate a key pair on the client (1)
While the generator is generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 109.
Figure 109 Generate a key pair on the client (2)
After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
Figure 110 Generate a key pair on the client (3)
Likewise, to save the private key, click Save private key. A warning window appears asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case).
Figure 111 Save the private key on the client
Then, you must transmit the public key file to the server through FTP or TFTP.
Establish a connection between the SSH client and the SSH server.
# Specify the private key file and establish a connection to the SSH server.
Launch PuTTY.exe to enter the following interface. In the Host Name (or IP address) text box, enter the IP address of the server (192.168.1.40).
Figure 113 SSH client configuration interface (2)
In the window shown in Figure 113, click Open to connect to the server. If the connection is normal, you are prompted to enter the username. After entering the username (client002), you enter the configuration interface of the server.
Configuration procedure
Configure the SSH server.
# Generate the RSA key pairs.
<RouterB> system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
# Specify the service type for user client001 as Stelnet and the authentication method as password. This step is optional.
[RouterB] ssh user client001 service-type stelnet authentication-type password
Establish a connection between the SSH client and the SSH server.
# Configure an IP address for interface GigabitEthernet 1/0/1.
<RouterA>...
[RouterA-pkey-key-code]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5DF257523777D033BEE77FC378145F2AD
[RouterA-pkey-key-code]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7101F7C62621216D5A572C379A32AC290
[RouterA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D
[RouterA-pkey-key-code]485348
[RouterA-pkey-key-code] public-key-code end
[RouterA-pkey-public-key] peer-public-key end
# Specify the host public key for the SSH server (10.165.87.136) as key1.
[RouterA] ssh client authentication server 10.165.87.136 assign publickey key1
[RouterA] quit
# Establish an SSH connection to SSH server 10.165.87.136.
<RouterA>...
# Generate a DSA key pair.
[RouterA] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
# Configure an IP address for interface GigabitEthernet 1/0/1, which the SSH client uses as the destination for the SSH connection.
[RouterB] interface GigabitEthernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ip address 10.165.87.136 255.255.255.0
[RouterB-GigabitEthernet1/0/1] quit
# Set the authentication mode for the user interfaces to AAA.
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
Configuring SFTP
SFTP is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The router can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The router can also serve as an SFTP client, enabling a user to log in from the router to a remote device for secure file transfer.
Configuring the SFTP connection idle timeout period
Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.
To configure the SFTP connection idle timeout period:
• Enter system view: system-view
...
Establishing a connection to the SFTP server
This configuration task enables the SFTP client to establish a connection to the remote SFTP server and enter SFTP client view.
To enable the SFTP client:
• Establish a ...: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-...
• Display the current working directory of the remote SFTP server. Optional.
• Display files under a specified directory: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]. Optional. The dir command functions as the ls command.
Displaying help information
This configuration task displays a list of all commands or the help information of an SFTP client command, such as the command format and parameters.
To display a list of all commands or the help information of an SFTP client command:
...
Configuration procedure
Configure the SFTP client.
# Configure an IP address for interface GigabitEthernet 1/0/1.
<RouterA> system-view
[RouterA] interface GigabitEthernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 192.168.0.2 255.255.255.0
[RouterA-GigabitEthernet1/0/1] quit
# Generate the RSA key pairs.
[RouterA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
# Display files under the current directory of the server, delete file z, and check that the file has been deleted successfully.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup...
# Upload a local file named pu to the server, save it as puk, and check that the file has been uploaded successfully.
sftp-client> put pu puk
Local file:pu ---> Remote file: /puk
Uploading file successfully ended
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg...
++++++++++++++
+++++
++++++++
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
# Establish a connection to the remote SFTP server.
Run psftp.exe to launch the client interface as shown in Figure 118, and enter the following command:
open 192.168.1.45
Enter username client002 and password aabbcc as prompted to log in to the SFTP server.
Figure 118 SFTP client interface...
Configuring SSL
This feature is available only on centralized routers.
SSL is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to ensure secure data transmission over the Internet.
SSL protocol stack
As shown in Figure 120, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
Figure 120 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and...
Configuration procedure
• Enter system view: system-view
• Create an SSL server policy and enter its view: ssl server-policy policy-name. Required.
• Specify a PKI domain for the SSL server policy: pki-domain domain-name. Required. By default, no PKI domain is specified for an SSL server policy.
Configuring an SSL client policy
An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.
Configuration prerequisites
If the SSL server is configured to authenticate the SSL client, you must configure the PKI domain for the SSL client policy to use to obtain the certificate of the client.
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the router fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate, or...
Configuring a firewall
A firewall can block unauthorized access from the Internet to a protected network while allowing internal network users to access the Internet (through WWW, for example) or to send and receive email messages. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet.
ASPF
A packet filtering firewall is a static firewall. A packet filtering firewall cannot solve the following issues:
• For multi-channel application layer protocols, such as FTP and H.323, the values of some security policy parameters are unpredictable.
• Some attacks from the transport layer and application layer, such as TCP SYN flooding and...
Basic concepts
Java blocking
Java blocking is a feature for blocking malicious Java applets, which are transported by HTTP. With the Java blocking feature enabled, when a user attempts to get a program containing Java applets from a webpage, the ASPF processes the response in order to block the Java applets.
While application layer protocols use the standard port numbers for communication, PAM allows you to define a set of new port numbers for different applications.
As the figure shows, to protect the internal network, an ACL is usually required on the router to permit internal hosts to access external networks while prohibiting hosts on external networks from accessing the internal network. However, the ACL also filters out the return packets to internal users, so the connection setup attempts fail.
Enabling the IPv6 firewall function
• Enter system view: system-view
• Enable the IPv6 firewall function: firewall ipv6 enable. Required. Disabled by default.
Configuring the firewall default filtering action
The default filtering action configuration is used for the firewall to determine whether to permit a data packet to pass or to deny the packet when there is no appropriate criterion for judgment.
Configuring IPv4 packet filtering on an interface
• Enter system view: system-view
• Enter interface view: interface interface-type interface-number
• Configure IPv4 packet filtering on an interface: firewall packet-filter { acl-number | name acl-name } { inbound | ... Required. IPv4 packets are not filtered by default.
Packet filtering firewall configuration example
Network requirements
As shown in Figure 122:
• The internal network of a company is connected to GigabitEthernet 1/0/1 of the router, and the internal users access the Internet through Serial 2/1/1 of the router. The company provides WWW, FTP, and Telnet services to the outside.
# Create advanced ACL 3002.
[Router] acl number 3002
# Configure a rule to allow a specific external user to access internal servers.
[Router-acl-adv-3002] rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255
# Configure a rule to permit specific data (only packets of which the port number is greater than 1024) to get access to the internal network.
Configuring an ASPF policy
• Enter system view: system-view
• Create an ASPF policy and enter its view: aspf-policy aspf-policy-number. Required.
• Specify to drop ICMP error messages: icmp-error drop. Optional. By default, ICMP error messages are not dropped.
• ... Optional.
TCP packets using port 8080 sent to the network segment 10.110.0.0 are regarded as HTTP packets. The address range of hosts can be specified by means of a basic ACL.
To configure port mapping:
• Enter system view: system-view
...
Figure 123 Network diagram for ASPF configuration (Router A and Router B; S2/1/1 10.1.1.1/24 toward the external network with the server; GE1/0/1 192.168.1.1/24 toward the internal network with the host at 192.168.1.2/24)
Configuration procedure
# Enable the firewall function on Router A.
<RouterA> system-view
[RouterA] firewall enable
# Configure ACL 3111 to prohibit all IP packets from entering the internal network. The ASPF creates a TACL for packets permitted to pass the firewall.
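As an added illustration of the TACL mechanism (example code written for this guide, not HP's implementation), the Python model below applies the rule stated above: every inbound packet hits the static deny of ACL 3111, except a reply to an outbound connection that the ASPF has recorded in a temporary entry, which passes until the entry idles out. The external server address 10.1.1.2, the 30-second idle timeout and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP packet, reduced to the fields the filter needs (constructed)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


class AspfInterface:
    """Model of Router A's external interface with ACL 3111 plus ASPF.

    ACL 3111 in the example denies every IP packet entering the internal
    network.  ASPF inspects each outbound packet the firewall permits and
    installs a temporary ACL (TACL) entry keyed on the reverse 5-tuple, so
    the replies to that connection pass despite the static deny.
    """

    def __init__(self, internal_net, tacl_timeout=30):
        self.internal = ipaddress.ip_network(internal_net)
        self.tacl_timeout = tacl_timeout   # idle seconds before an entry ages out (assumed value)
        self.tacl = {}                     # reverse 5-tuple -> expiry timestamp

    def _internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal

    def outbound(self, pkt, now):
        """Packet leaving the internal network through this interface."""
        if not self._internal(pkt.src):
            return "deny"
        # Permitted outbound flow: record the tuple the reply will carry.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.tacl[reverse] = now + self.tacl_timeout
        return "permit"

    def inbound(self, pkt, now):
        """Packet arriving from the external network."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.tacl.get(key)
        if expiry is not None and now <= expiry:
            self.tacl[key] = now + self.tacl_timeout   # traffic refreshes the entry
            return "permit (TACL)"
        if expiry is not None:
            del self.tacl[key]                          # idle too long: aged out
        return "deny (ACL 3111)"


def scenario():
    """Walk the topology of Figure 123: host 192.168.1.2 behind Router A, server outside."""
    fw = AspfInterface("192.168.1.0/24", tacl_timeout=30)
    host, server = "192.168.1.2", "10.1.1.2"      # server address is constructed
    unsolicited = Packet(server, host, "tcp", 80, 40000)
    request = Packet(host, server, "tcp", 40000, 80)
    reply = Packet(server, host, "tcp", 80, 40000)
    other_port = Packet(server, host, "tcp", 80, 40001)
    return [
        fw.inbound(unsolicited, now=0),   # nothing outbound yet: static deny
        fw.outbound(request, now=1),      # permitted, TACL entry created
        fw.inbound(reply, now=2),         # matching reply passes via the TACL
        fw.inbound(other_port, now=3),    # different 5-tuple: still denied
        fw.inbound(reply, now=100),       # entry idle longer than 30 s: aged out, denied
    ]
```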
Configuring ALG
The ALG feature is used to process application layer packets. Usually, NAT translates only IP address and port information in packet headers; it does not analyze fields in application layer payloads. However, the packet payloads of some protocols may contain IP address or port information, which, if not translated, may cause problems.
The following describes the operation of an ALG-enabled router, taking FTP as an example. As shown in Figure 124, the host in the outside network accesses the FTP server in the inside network in passive mode through the ALG-enabled router.
Figure 124 Network diagram for ALG-enabled FTP application in passive mode
The communication process includes the following stages:
Establishing a control connection...
Exchanging data
The host and the FTP server exchange data through the established data connection.
Enabling ALG
• Enter system view: system-view
• Enable ALG: alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }... Optional. Enabled for all protocols by...
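The passive-mode exchange above is the case where an ALG must look inside the payload: the FTP server's 227 reply carries its own inside address and a data port. The following added Python code (constructed for this guide, not the router's ALG) parses that reply using the RFC 959 format, rewrites the address to the NAT outside address, and records the port mapping the NAT needs for the data connection; the server address 192.168.1.2, the outside address 2.2.2.10 and the outside data-port pool starting at 40000 are assumptions of the example.

```python
import re

# FTP 227 reply per RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) carried in a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return "{}.{}.{}.{}".format(h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip, port):
    """Build the 227 reply the ALG sends on toward the outside host."""
    return "227 Entering Passive Mode ({},{},{}).".format(
        ",".join(ip.split(".")), port // 256, port % 256)


class FtpAlg:
    """ALG for passive FTP on a NAT router (constructed model, not HP's code).

    The inside FTP server is reachable from outside at outside_ip.  When the
    server's 227 reply passes through, the ALG rewrites the address and port
    in the payload and records the mapping the NAT needs for the data
    connection the outside host will open.  The outside data-port pool is an
    assumption of this example.
    """

    def __init__(self, inside_ip, outside_ip, first_port=40000):
        self.inside_ip = inside_ip
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.mappings = {}   # (outside_ip, outside_port) -> (inside_ip, inside_port)

    def translate_reply(self, reply):
        """Rewrite a 227 reply from the inside server; pass any other reply through."""
        parsed = parse_pasv(reply)
        if parsed is None or parsed[0] != self.inside_ip:
            return reply, None
        inside_ip, inside_port = parsed
        outside_port = self.next_port
        self.next_port += 1
        self.mappings[(self.outside_ip, outside_port)] = (inside_ip, inside_port)
        return format_pasv(self.outside_ip, outside_port), (self.outside_ip, outside_port)

    def data_destination(self, dst_ip, dst_port):
        """Where the NAT forwards the outside host's data connection, if the ALG opened it."""
        return self.mappings.get((dst_ip, dst_port))
```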
# Configure NAT.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat outbound 2001 address-group 1
NBT ALG configuration example
Network requirements
As shown in Figure 127, a company accesses the Internet through a router with NAT and ALG enabled. The company provides NBT services to the outside. The inside network segment of the company is 192.168.1.0/24.
Configuring session management
The session management feature is a common feature designed to implement session-based services such as NAT, ASPF, and intrusion protection. This feature regards packet exchanges at the transport layer as sessions and updates the status of sessions or ages out sessions according to the information in the initiators' or responders' packets.
• Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payload of these packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
• Supporting persistent sessions, which are not aged within a long period of time.
To set the session aging times based on protocol state:
• Enter system view: system-view
• Set the aging time for sessions of a specified ...: session aging-time { accelerate | fin | ... Required. The defaults are as follows: accelerate: 10 seconds; fin: 30 seconds; icmp-closed: 30 seconds; ...
The maximum value here must not exceed the other A6600 corresponding specification of the interface board. router.
Enabling checksum verification
To ensure that session tracking is not affected by packets with checksum errors, enable checksum verification for protocol packets.
To enable checksum verification for protocol packets:
• Enter system view: system-view
• Enable checksum verification: session checksum { all | { icmp | tcp | udp } * }. Required. Disabled by default.
Specifying the persistent session rule
Set some sessions that have specific characteristics as persistent sessions.
• Enter system view: system-view
• Enter interface view: interface interface-type interface-number
• Enable session logging: session log enable [ acl acl-number ] { inbound | outbound }. Required. Disabled by default.
Setting session logging thresholds
Set thresholds to trigger recording and outputting of session logs. The thresholds include the following:
• Holdtime threshold—When the holdtime of a session reaches the preset threshold, the system...
• Enter system view: system-view
• Specify the flow log version: userlog flow export version version-number. Optional. 1.0 by default. For more information about flow log commands and functions, see Network Management and Monitoring Configuration Guide.
• Specify the source IP address for ...: userlog flow export source-ip ... Optional. IP address of the interface...
Displaying and maintaining session management
• Display the session aging times for application layer protocols: display application aging-time [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the session aging times in different protocol states: display session aging-time [ | { begin | ...
• Clear flow logs in the buffer (on a centralized device): reset userlog flow logbuffer. Available in user view.
• Clear flow logs in the buffer (on a distributed device): reset userlog flow logbuffer slot slot-number. Available in user view. For more information, see Network...
The limit rules are matched in ascending order of rule ID. When configuring connection limit rules for a policy, check the rules and their order carefully. HP recommends that you arrange the rules in ascending order of granularity and range.
• Source-to-destination—Limits connections from a specific internal host or segment to a specific external host or segment.
• Source-to-any—Limits connections from a specific internal host or segment to external networks.
• Any-to-destination—Limits connections from external networks to a specific internal server.
...
• Each host on segment 192.168.0.0/24 can establish up to 100 connections to the external network, and all other hosts can establish as many connections as possible.
• Permit up to 10,000 connections from the external network to the DNS server.
...
limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000
limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000
Troubleshooting connection limiting
Connection limit rules with overlapping segments
Symptom
On the router, create a connection limit policy, and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and another limits connections from 192.168.0.100 with the upper connection limit 100.
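To see why the rule order matters (added example code, not router firmware), the Python model below matches connection limit rules in ascending rule ID with the first match deciding, keeps a per-host count, and reproduces the case above: with the segment rule at ID 1 and the single-host rule at ID 2, host 192.168.0.100 is capped at 10 rather than 100; renumbering so the narrower rule comes first, as the ordering recommendation says, gives it 100. The external destination 203.0.113.10 and the per-host counting are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LimitRule:
    """One 'limit' rule of a connection limit policy (fields mirror the command syntax)."""
    rule_id: int
    source: str            # "any" or a prefix such as "192.168.0.0/24"
    destination: str       # "any" or a prefix
    protocol: str          # "ip" matches every protocol; otherwise an exact name
    max_connections: int

    def matches(self, src, dst, proto):
        if self.protocol != "ip" and self.protocol != proto:
            return False
        return self._covers(self.source, src) and self._covers(self.destination, dst)

    @staticmethod
    def _covers(spec, ip):
        if spec == "any":
            return True
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


class ConnectionLimitPolicy:
    """Matches rules in ascending rule ID; the first match decides (constructed model).

    A per-source counter is assumed: the rules cap connections from 'each host'
    on a segment, so the count is kept per (rule, source host).
    """

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        self.counts = {}   # (rule_id, source host) -> active connections

    def first_match(self, src, dst, proto):
        for rule in self.rules:
            if rule.matches(src, dst, proto):
                return rule
        return None

    def admit(self, src, dst, proto):
        """True if a new connection is allowed and counted, False if it hits the cap."""
        rule = self.first_match(src, dst, proto)
        if rule is None:
            return True             # no rule covers this flow: unlimited
        key = (rule.rule_id, src)
        if self.counts.get(key, 0) >= rule.max_connections:
            return False
        self.counts[key] = self.counts.get(key, 0) + 1
        return True


def admitted(policy, src, attempts=200):
    """Open 'attempts' TCP connections from src to a constructed external host; count successes."""
    return sum(1 for _ in range(attempts) if policy.admit(src, "203.0.113.10", "tcp"))


def overlapping_segments_case():
    """The troubleshooting case: /24 capped at 10 per host, one host meant to get 100."""
    misordered = ConnectionLimitPolicy([
        LimitRule(1, "192.168.0.0/24", "any", "ip", 10),
        LimitRule(2, "192.168.0.100/32", "any", "ip", 100),
    ])
    # Fix: give the more specific rule the lower ID so it is matched first.
    corrected = ConnectionLimitPolicy([
        LimitRule(1, "192.168.0.100/32", "any", "ip", 100),
        LimitRule(2, "192.168.0.0/24", "any", "ip", 10),
    ])
    return (
        admitted(misordered, "192.168.0.100"),   # rule 1 (the /24) matches first: only 10
        admitted(corrected, "192.168.0.100"),    # rule 1 (the /32) now matches: 100
        admitted(corrected, "192.168.0.50"),     # other hosts on the segment: still 10
        admitted(corrected, "10.9.9.9"),         # no rule covers it: all 200 attempts succeed
    )
```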
Configuring web filtering In legacy network security solutions, network protection is mainly against external attacks. With the popularity of network applications in every walk of life, however, the internal network also faces security threats caused by internal users' access to illegal networks. To protect the internal network against such threats, the network devices must be able to filter illegal access requests from internal users.
URL parameter filtering
Large quantities of webpages are dynamic, connected with databases, and supporting data query and modification through web requests. This makes it possible to fabricate special SQL statements in web requests to obtain confidential data from databases or to damage databases by repeatedly modifying database information.
ActiveX blocking ActiveX blocking can protect networks from being attacked by malicious ActiveX plugins. After the ActiveX blocking function is enabled, requests for ActiveX plugins to all webpages are filtered. If the ActiveX plugins in some webpages are expected, configure ACL rules to permit requests to the ActiveX plugins of these webpages.
Configuring Java blocking
• Enter system view: system-view
• Enable the Java blocking function: firewall http java-blocking enable. Required. Disabled by default.
• Add a Java blocking suffix keyword: firewall http java-blocking suffix keywords. Optional.
• Specify an ACL for Java blocking: firewall http java-blocking acl acl-... Optional. By default, no ACL is specified for Java blocking.
Displaying and maintaining web filtering
• Display information about URL address filtering: display firewall http url-filter host [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about URL ...: display firewall http url-filter...
Configuration procedure
# Configure IP addresses for the interfaces. (Omitted)
# Configure the NAT policy for the outbound interface.
<Router> system-view
[Router] acl number 2200
[Router-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2200] rule 1 deny source any
[Router-acl-basic-2200] quit
[Router] nat address-group 1 2.2.2.10 2.2.2.11
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] nat outbound 2200 address-group 1...
URL parameter filtering configuration example
Network requirements
The hosts in the network segment 192.168.1.0/24 access the Internet through the router. The router is enabled with the URL parameter filtering function, which uses the user-defined filtering entry group to filter web requests.
Figure 130 Network diagram for URL parameter filtering configuration
Configuration procedure
# Configure IP addresses for the interfaces.
Java blocking configuration example
Network requirements
The hosts in the network segment 192.168.1.0/24 access the Internet through the router. Enable Java blocking on the router, add suffix keyword .js, and configure the router to allow only Java applet requests to the website at 5.5.5.5.
Figure 131 Network diagram for Java blocking configuration
Configuration procedure
# Configure IP addresses for the interfaces.
Use display firewall http java-blocking verbose to display detailed Java blocking information.
[Router] display firewall http java-blocking verbose
Java blocking is enabled.
The configured ACL group is 2100.
There are 0 packet(s) being filtered.
There are 1 packet(s) being passed.
Use display firewall http java-blocking all to display Java blocking information about all blocking suffix keywords.
Solution
Make sure that all entered characters are valid.
Invalid use of wildcard
Symptom
When you configure a URL address filtering entry or URL parameter filtering entry, the system prompts you that the wildcards are not used correctly.
Analysis
The wildcards for URL address filtering entries and those for URL parameter filtering entries have different usage restrictions.
Invalid blocking suffix
Symptom
When you configure a Java blocking suffix keyword or ActiveX blocking suffix keyword, the system prompts you that there are invalid suffix keywords.
Analysis
A blocking suffix requires a dot (.) as part of it. If no dot or multiple dots are configured, the configuration fails.
Configuring attack detection and protection Attack detection and protection is an important network security feature. It can determine whether received packets are attack packets according to the packet contents and behaviors. If it detects an attack, it can take measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
Single-packet attack and description:
• Route Record: An attacker exploits the route record option in the IP header to probe the topology of a network.
• Smurf: An attacker sends an ICMP echo request to the broadcast address of the target network. As a result, all hosts on the target network reply to the request, causing the network to be congested and hosts on the target network to be unable to provide services.
UDP flood attack
An attacker sends a large number of UDP packets to the target in a short time, so that the target gets too busy to process normal services.
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared with ACL packet filtering, blacklist filtering is simpler in matching packets and can, therefore, filter packets at a high speed.
• UDP session establishment rate
• Number of ICMP sessions
• ICMP session establishment rate
• Number of RAW IP sessions
• RAW IP session establishment rate
NOTE:
• The device collects statistics to calculate the session establishment rates at an interval of 5 seconds.
...
Figure 133 Network diagram for unidirectional/bidirectional proxy
How TCP proxy works
In different modes, TCP proxy works in different ways.
Unidirectional proxy
Figure 134 Data exchange process in unidirectional proxy mode (TCP client, TCP proxy, TCP server):
1) SYN
2) SYN ACK (invalid sequence number)
3) RST
4) SYN (retransmitting)
Bidirectional proxy
Figure 135 Data exchange process in bidirectional proxy mode (TCP client, TCP proxy, TCP server):
1) SYN
2) SYN ACK (win=0)
3) ACK
4) SYN
5) SYN ACK (win=n)
6) ACK
7) ACK (win=n)
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK message with the window size of 0 on behalf of the server.
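The two exchanges can be followed in a small added Python model (written for this guide, not the router's code) of what the proxy does before it involves the server: in unidirectional mode it answers the SYN with a SYN ACK carrying a wrong acknowledgement number and expects the RST that a real stack sends before it forwards the retransmitted SYN; in bidirectional mode it completes a handshake with the client using window 0, then opens the server side and releases the client with the server's window. A flood of SYNs from forged source addresses never answers, so no server connection results. Sequence numbers, the window value and the sample addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    """A TCP segment reduced to what the proxy model inspects (constructed)."""
    src: str
    flags: str      # "SYN", "SYN ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    win: int = 0


PROXY_ISN = 1000    # sequence number the proxy uses in its SYN ACK (assumed)


class TcpProxy:
    """SYN flood protection for a server, in the two modes described above.

    The proxy never contacts the server until the client has answered in a way
    that only a real TCP stack at that source address would.
    """

    def __init__(self, mode, server_win=8192):
        assert mode in ("unidirectional", "bidirectional")
        self.mode = mode
        self.server_win = server_win      # win=n relayed in step 7 (assumed value)
        self.pending = {}                 # client ip -> (state, client isn)
        self.verified = set()
        self.server_connections = 0       # connections actually opened to the server

    def from_client(self, seg):
        """Process a client segment; return (destination, segment) pairs the proxy sends."""
        state, isn = self.pending.get(seg.src, (None, None))
        if seg.flags == "SYN":
            if state == "verified":
                # Unidirectional step 4: the retransmitted SYN of a verified client
                # is passed on to the server.
                del self.pending[seg.src]
                self.verified.add(seg.src)
                self.server_connections += 1
                return [("server", seg)]
            if state is None:
                self.pending[seg.src] = ("wait", seg.seq)
                if self.mode == "unidirectional":
                    # Step 2: SYN ACK with a deliberately wrong acknowledgement number.
                    return [("client", Seg("proxy", "SYN ACK", PROXY_ISN, seg.seq + 2, 0))]
                # Step 2: SYN ACK with window 0, so the client cannot send data yet.
                return [("client", Seg("proxy", "SYN ACK", PROXY_ISN, seg.seq + 1, 0))]
            return []                     # duplicate SYN while waiting: ignored
        if state != "wait":
            return []
        if self.mode == "unidirectional":
            if seg.flags == "RST":
                # Step 3: only a real stack answers a bad SYN ACK with a RST.
                self.pending[seg.src] = ("verified", isn)
            return []
        if seg.flags == "ACK" and seg.ack == PROXY_ISN + 1:
            # Step 3: handshake completed with the proxy.  Steps 4 to 7: open the
            # server side and release the client with the server's window.
            del self.pending[seg.src]
            self.verified.add(seg.src)
            self.server_connections += 1
            return [("server", Seg("proxy", "SYN", 5000)),
                    ("client", Seg("proxy", "ACK", PROXY_ISN + 1, seg.seq, self.server_win))]
        return []


def legitimate_client(proxy, ip, isn=100):
    """Behave like a real TCP stack at ip (constructed); True if the proxy let it through."""
    for dest, reply in proxy.from_client(Seg(ip, "SYN", isn)):
        if dest != "client" or reply.flags != "SYN ACK":
            continue
        if reply.ack != isn + 1:
            # A SYN ACK that does not acknowledge our SYN: reset it, then retry the SYN.
            proxy.from_client(Seg(ip, "RST", reply.ack))
            proxy.from_client(Seg(ip, "SYN", isn))
        else:
            proxy.from_client(Seg(ip, "ACK", isn + 1, reply.seq + 1))
    return ip in proxy.verified


def spoofed_syn_flood(proxy, count):
    """SYNs from forged sources never answer the proxy; return server connections caused."""
    before = proxy.server_connections
    for i in range(count):
        proxy.from_client(Seg("198.51.100.{}".format(i % 200 + 1), "SYN", i))
    return proxy.server_connections - before
```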
Complete the following tasks to configure attack detection and protection:
• Creating an attack protection policy: Required.
• Configuring attack protection functions for an interface, by configuring an attack protection policy: Configuring a single-packet attack protection policy; Configuring a scanning attack ... Required. Configure one or more ...
Configuring a single-packet attack protection policy
The single-packet attack protection function determines whether a packet is an attack packet mainly by analyzing the characteristics of the packet. It is usually applied to interfaces connecting external networks and inspects only the inbound packets of the interfaces. If it detects an attack packet, the device outputs an alarm log by default and, depending on your configuration, drops or forwards the packet.
• Set the aging time for entries blacklisted by the scanning attack protection function: defense scan blacklist-timeout minutes. Optional. 10 minutes by default.
• Return to system view: quit.
• Enable the blacklist function: blacklist enable. Required to make the blacklist entries added by the scanning attack protection function take effect.
• Configure the device to drop SYN flood attack packets or use the TCP proxy: defense syn-flood action { drop-packet | trigger-tcp-proxy }. Optional. By default, the router only outputs alarm logs if it detects an attack.
Configure an ICMP flood attack protection policy:
...
Applying an attack protection policy to an interface
To make a configured attack protection policy take effect, apply the policy to a specific interface.
To apply an attack protection policy to an interface:
• Enter system view: system-view
...
To configure the blacklist function:
• Enter system view: system-view
• Enable the blacklist function: blacklist enable. Required. Disabled by default.
• Add a blacklist entry: blacklist ip source-ip-address [ timeout minutes ]. Optional. The scanning attack protection function can add blacklist entries automatically.
Displaying and maintaining attack detection and protection
• Display the attack protection statistics of an interface: display attack-defense statistics interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the configuration information of one or all attack ...: display attack-defense policy [ policy-...
Attack detection and protection configuration examples
Configuring attack protection functions on interfaces
Network requirements
As shown in Figure 136, GigabitEthernet 1/0/1 is connected to the internal network, GigabitEthernet 1/0/2 is connected to the external network, and GigabitEthernet 1/0/3 is connected to an internal server.
Figure 137 Network diagram for blacklist configuration
Configuration procedure
# Configure IP addresses for interfaces. (Omitted)
# Enable the blacklist function.
<Router> system-view
[Router] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Router] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist, and configure the aging time as 50 minutes.
Figure 138 Network diagram for traffic statistics configuration
Configuration procedure
# Configure IP addresses for interfaces. (Omitted)
# Create attack protection policy 1.
<Router> system-view
[Router] attack-defense policy 1
# Enable UDP flood attack protection.
[Router-attack-defense-policy-1] defense udp-flood enable
# Set the global action threshold for UDP flood attack protection to 100 packets per second.
[Router-attack-defense-policy-1] defense udp-flood rate-threshold high 100
# Configure the policy to drop the subsequent packets once a UDP flood attack is detected.
[Router] attack-defense policy 1
# Enable SYN flood attack protection.
[Router-attack-defense-policy-1] defense syn-flood enable
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
[Router-attack-defense-policy-1] defense syn-flood rate-threshold high 100
# Configure the device to use the TCP proxy for subsequent packets after a SYN flood attack is detected.
[Router-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
[Router-attack-defense-policy-1] quit
# Apply policy 1 to GigabitEthernet 1/0/2.
Configuring TCP and ICMP attack protection
An attacker can attack the device during the process of TCP connection establishment or by sending a large number of ICMP fragments. To prevent such attacks, the device provides the following features:
• SYN Cookie
...
Enabling Naptha attack protection
Naptha attacks are similar to SYN flood attacks. Attackers can perform Naptha attacks by using any of the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN flood attacks use only the SYN_RECEIVED state. Naptha attackers control a huge number of hosts to establish TCP connections with the server, keep these connections in the same state (any of the six), and request no data, in order to exhaust the memory resources of the server.
Configuring IP source guard
This feature is supported only when the SAP card is working in Layer 2 mode.
IP source guard is intended to work on a port connecting users. It filters received packets to block illegal access to network resources, improving the network security. For example, it can prevent illegal hosts from using a legal IP address to access the network.
• Static IPv6 source guard binding filters IPv6 packets received by the port or checks the validity of users by cooperating with the ND detection feature.
NOTE:
• For information about ARP detection, see "Configuring ARP detection."
• For information about ND detection, see "Configuring ND attack defense."
...
NOTE: You cannot configure the same static binding entry on one port multiple times, but you can configure the same static entry on different ports.
Configuring the dynamic IPv4 source guard binding function
After the dynamic IPv4 source guard binding function is enabled on a port, IP source guard generates binding entries dynamically through cooperation with DHCP protocols:
• On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains...
# Configure port GigabitEthernet 1/0/1 of Router A to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[RouterA] interface Gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
[RouterA-GigabitEthernet1/0/1] quit
Configure Router B.
the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.
NOTE: For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Figure 142 Network diagram for configuring dynamic IPv4 source guard binding by DHCP snooping (DHCP client, DHCP snooping device, DHCP server)...
Dynamic IPv4 source guard binding by DHCP relay configuration example Network requirements As shown in Figure 143, the host and the DHCP server are connected to the router through the router interfaces VLAN-interface 100 and VLAN-interface 200, respectively. DHCP relay is enabled on the router.
Verification
# Display the generated dynamic IPv4 source guard binding entries.
[Router] display ip check source
Total entries found: 1
MAC Address      IP Address      VLAN      Interface      Type
0001-0203-0406   192.168.0.1     Vlan100   DHCP-RLY
Troubleshooting IP source guard
Binding entries and function cannot be configured
Symptom
Failed to configure static binding entries or the dynamic binding function on a port.
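The following Go program is an added example, not code from this guide or from the device, modelling the binding table that the static and dynamic IPv4 source guard sections above describe. It keeps static entries (the user-bind command of the Router A example), dynamic entries learned from DHCP snooping or DHCP relay, enforces the rule that the same static entry cannot be configured twice on one port but may be repeated on another port, filters packets on guarded ports against the table, and renders the table with the column headings of display ip check source. The type names DHCP-SNP/DHCP-RLY, the column widths and the constructed sample entries are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Binding is one IP source guard entry, shaped like a row of
// "display ip check source". An empty MAC or IP in a static entry matches
// any value (assumption for this example).
type Binding struct {
	MAC, IP, VLAN, Iface, Type string // Type: Static, DHCP-SNP or DHCP-RLY
}

// Guard is the binding table plus the set of ports on which the feature is on.
type Guard struct {
	enabled  map[string]bool
	bindings []Binding
}

func NewGuard() *Guard { return &Guard{enabled: map[string]bool{}} }

// AddStatic models "user-bind ip-address <ip> mac-address <mac>" on a port.
// The same entry may not be configured twice on one port, but the same
// entry is allowed on a different port.
func (g *Guard) AddStatic(iface, ip, mac string) error {
	for _, b := range g.bindings {
		if b.Type == "Static" && b.Iface == iface && b.IP == ip && strings.EqualFold(b.MAC, mac) {
			return errors.New("static binding already exists on " + iface)
		}
	}
	g.enabled[iface] = true
	g.bindings = append(g.bindings, Binding{MAC: mac, IP: ip, Iface: iface, Type: "Static"})
	return nil
}

// Learn adds a dynamic entry obtained from DHCP snooping (Layer 2 port,
// typ "DHCP-SNP") or DHCP relay (VLAN interface, typ "DHCP-RLY").
func (g *Guard) Learn(iface, vlan, ip, mac, typ string) {
	g.enabled[iface] = true
	g.bindings = append(g.bindings, Binding{MAC: mac, IP: ip, VLAN: vlan, Iface: iface, Type: typ})
}

// Permit is the filter itself: on a guarded port only packets whose source
// MAC/IP match a binding for that port pass; ports without the feature
// forward everything.
func (g *Guard) Permit(iface, srcMAC, srcIP string) bool {
	if !g.enabled[iface] {
		return true
	}
	for _, b := range g.bindings {
		if b.Iface != iface {
			continue
		}
		if (b.IP == "" || b.IP == srcIP) && (b.MAC == "" || strings.EqualFold(b.MAC, srcMAC)) {
			return true
		}
	}
	return false
}

// Display renders the table with the column headings the verification
// step shows (column widths are this example's choice).
func (g *Guard) Display() string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "Total entries found: %d\n", len(g.bindings))
	sb.WriteString("MAC Address      IP Address       VLAN     Interface               Type\n")
	for _, b := range g.bindings {
		fmt.Fprintf(&sb, "%-16s %-16s %-8s %-23s %s\n", b.MAC, b.IP, b.VLAN, b.Iface, b.Type)
	}
	return sb.String()
}

func main() {
	g := NewGuard()
	// Static entry from the Router A example, then a constructed relay-learned entry.
	if err := g.AddStatic("GigabitEthernet1/0/1", "192.168.0.1", "0001-0203-0406"); err != nil {
		fmt.Println(err)
	}
	g.Learn("Vlan100", "100", "10.1.1.5", "0001-0203-0407", "DHCP-RLY")
	fmt.Print(g.Display())
	fmt.Println("spoofed MAC on Gi1/0/1 permitted:",
		g.Permit("GigabitEthernet1/0/1", "0001-0203-0407", "192.168.0.1"))
}
```

The model makes the troubleshooting case above concrete: a packet with the bound IP address but a different source MAC is dropped on the guarded port, while a port on which the feature was never enabled forwards everything.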
Configuring ARP attack protection
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. An attacker may send the following:
• ARP packets by acting as a trusted user or gateway so that the receiving devices obtain incorrect ...
Configuring ARP defense against IP packet attacks
If the device receives a large number of IP packets from a host to unreachable destinations:
• The device sends a large number of ARP requests to the destination subnets, and thus the load of ...
ARP defense against IP packet attack configuration example Network requirements As shown in Figure 144, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. The two areas connect to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered to be the consequence of an IP flood attack.
ARP black hole routing configuration
# Enable ARP black hole routing on the device.
<Device> system-view
[Device] arp resolving-route enable
Configuring ARP packet rate limit
This feature allows you to limit the rate of ARP packets delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device becomes overloaded because all the ARP packets are redirected to the CPU for checking.
Configuring ARP active acknowledgement The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets. ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating an incorrect ARP entry. For more information, see ARP Attack Protection Technology White Paper.
To do…: Enable authorized ARP on the interface.
Command…: arp authorized enable
Remarks: Required. Not enabled by default. With arp authorized enable executed, an interface of a DHCP server (or a DHCP relay agent) that does not support authorized ARP is disabled from dynamically learning ARP entries and cannot generate authorized ARP entries.
Configure Router C.
<RouterC> system-view
[RouterC] ip route-static 10.1.1.0 24 10.10.1.1
[RouterC] interface gigabitethernet1/0/2
[RouterC-GigabitEthernet1/0/2] ip address dhcp-alloc
[RouterC-GigabitEthernet1/0/2] quit
After Router C obtains the IP address from Router A, display the authorized ARP information on Router B.
[RouterB] display arp all
Type: S-Static D-Dynamic A-Authorized...
• ip—Checks the sender and target IP addresses in an ARP packet. The all-zero, all-one or multicast IP addresses are considered invalid, and the corresponding packets are discarded. With this object specified, the sender and target IP addresses of ARP replies, and the source IP address of ARP requests are checked.
NOTE:
• Static IP source guard binding entries are created by using user-bind. For more information, see Security Configuration Guide.
• Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see Layer 3—IP Services Configuration Guide.
• 802.1X security entries are generated in this case. For more information, see Security Configuration Guide.
To do…: Enter VLAN view.
Command…: vlan vlan-id
Remarks: —
To do…: Enable ARP restricted forwarding.
Command…: arp restricted-forwarding enable
Remarks: Required. Disabled by default.
Displaying and maintaining ARP detection
To do…: Display the VLANs enabled with ARP detection.
Command…: display arp detection [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view...
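The following Go program is an added example and not code from this guide or the device. It models the two ARP detection stages described above: the "ip" validity-check object (all-zero, all-one and multicast addresses are invalid; sender and target IP are checked for replies, only the sender IP for requests) and the user validity check, which compares the sender IP/MAC of packets from untrusted ports against the binding sources named in the note (static IP source guard bindings, DHCP snooping entries, 802.1X security entries). The port names, the single sample entry, the order in which the two checks run and the reason strings are this example's assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ARPPacket carries the fields ARP detection inspects; Op is 1 for a
// request and 2 for a reply.
type ARPPacket struct {
	Op        int
	SenderMAC string
	SenderIP  string
	TargetIP  string
}

// invalidIP implements the "ip" validity-check object: all-zero, all-one
// and multicast addresses are invalid. An unparsable address is treated as
// invalid as well (this example's choice).
func invalidIP(s string) bool {
	ip := net.ParseIP(s).To4()
	if ip == nil {
		return true
	}
	return ip.Equal(net.IPv4zero) || ip.Equal(net.IPv4bcast) || ip.IsMulticast()
}

// ValidityCheck returns "" when the packet passes and otherwise the reason.
// For replies the sender and target IP are checked; for requests only the
// sender (source) IP.
func ValidityCheck(p ARPPacket) string {
	if invalidIP(p.SenderIP) {
		return "invalid sender IP " + p.SenderIP
	}
	if p.Op == 2 && invalidIP(p.TargetIP) {
		return "invalid target IP " + p.TargetIP
	}
	return ""
}

// Entry is one binding the user validity check may consult: a static IP
// source guard binding, a DHCP snooping entry, or an 802.1X security entry.
type Entry struct {
	IP, MAC, Port, Source string
}

// UserValidityCheck drops ARP packets arriving on untrusted ports whose
// sender IP/MAC pair matches no entry for that port; trusted ports skip it.
func UserValidityCheck(p ARPPacket, port string, trusted map[string]bool, table []Entry) string {
	if trusted[port] {
		return ""
	}
	for _, e := range table {
		if e.Port == port && e.IP == p.SenderIP && strings.EqualFold(e.MAC, p.SenderMAC) {
			return ""
		}
	}
	return fmt.Sprintf("no binding for %s/%s on %s", p.SenderIP, p.SenderMAC, port)
}

// Inspect applies both checks; running the validity check first is this
// example's ordering, not a statement about the device.
func Inspect(p ARPPacket, port string, trusted map[string]bool, table []Entry) string {
	if r := ValidityCheck(p); r != "" {
		return r
	}
	return UserValidityCheck(p, port, trusted, table)
}

func main() {
	// Constructed sample: Gi1/0/3 is the upstream (trusted) port, and one
	// DHCP snooping entry exists for the host on Gi1/0/1.
	trusted := map[string]bool{"GigabitEthernet1/0/3": true}
	table := []Entry{{IP: "10.1.1.5", MAC: "0001-0203-0406", Port: "GigabitEthernet1/0/1", Source: "DHCP snooping"}}
	legit := ARPPacket{Op: 2, SenderMAC: "0001-0203-0406", SenderIP: "10.1.1.5", TargetIP: "10.1.1.1"}
	spoof := ARPPacket{Op: 2, SenderMAC: "0001-0203-0406", SenderIP: "10.1.1.1", TargetIP: "10.1.1.5"}
	fmt.Printf("legit host: %q\n", Inspect(legit, "GigabitEthernet1/0/1", trusted, table))
	fmt.Printf("gateway address from user port: %q\n", Inspect(spoof, "GigabitEthernet1/0/1", trusted, table))
	fmt.Printf("all-zero sender: %q\n", Inspect(ARPPacket{Op: 1, SenderIP: "0.0.0.0"}, "GigabitEthernet1/0/1", trusted, table))
}
```

An empty string means the packet would be forwarded; any other value is the reason it would be discarded, which is what a log or counter on the device would need to report.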
Configuration procedure
Add all the ports on Router B to VLAN 10, and configure the IP address of VLAN-interface 10 on Router A. (Omitted)
Configure Router A as a DHCP server.
# Configure DHCP address pool 0.
<RouterA> system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure Host A as a DHCP client, and Host B as a user.
ARP detection with 802.1X support configuration example Network requirements As shown in Figure 148, configure Router A as a DHCP server and Router B to support 802.1X. Enable ARP detection for VLAN 10 to allow only packets from valid clients to pass. Configure Host A and Host B as local 802.1X access users.
# Add local access user test.
[RouterB] local-user test
[RouterB-luser-test] service-type lan-access
[RouterB-luser-test] password simple test
[RouterB-luser-test] quit
# Enable ARP detection for VLAN 10.
[RouterB] vlan 10
[RouterB-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
Configuration procedure
Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 144. (Omitted)
Configure the DHCP server on Router A.
# Configure DHCP address pool 0.
<RouterA> system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure the DHCP client on Hosts A and B.
ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers.
NOTE: HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
Configuration procedure
To do…...
NOTE:
• IP addresses already existent in ARP entries are not scanned.
• ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
• The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP ...
Figure 150 Network diagram for ARP gateway protection configuration
Configuration procedure
# Configure ARP gateway protection on Router B.
<RouterB> system-view
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] interface gigabitethernet1/0/2
[RouterB-GigabitEthernet1/0/2] arp filter source 10.1.1.1
After the configuration is complete, Router B discards the ARP packets whose source IP address is that of the gateway.
NOTE:
• You can configure up to eight ARP filtering entries on a port.
• The commands arp filter source and arp filter binding cannot both be configured on a port.
• If ARP filtering works with ARP detection, MFF, ARP snooping, and ARP fast-reply, ARP filtering ...
Configuring ND attack defense The IPv6 ND protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.
NOTE: For more information about the functions of the ND protocol, see Layer 3—IP Services Configuration Guide.
Enabling source MAC consistency check for ND...
Configuring URPF URPF protects a network against source address spoofing attacks. Attackers launch attacks by creating a series of packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users or even to access the system as the administrator.
If both a default route and the allow-default-route keyword are configured, URPF's decision depends on the check approach. In strict approach, URPF lets the packet pass if the outgoing interface of the default route is the receiving interface. Otherwise, URPF rejects it. In loose approach, URPF lets the packet pass directly.
Configuration procedure
Configure Router B.
# Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.
<RouterB> system-view
[RouterB] acl number 2010
[RouterB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[RouterB-acl-basic-2010] quit
# Specify the IP address of GigabitEthernet1/0/1.
[RouterB] interface GigabitEthernet1/0/1
[RouterB-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.255.0
# Enable strict URPF check on GigabitEthernet1/0/1.
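The following Go program is an added example, not code from this guide or the device, that works through the URPF decision described in the preceding sections: a longest-prefix lookup of the packet's source address, the strict rule (the reverse path must leave through the receiving interface) versus the loose rule (any reverse path suffices), and the treatment of a default route, which only counts when allow-default-route is configured. It also models the ACL of the Router B example under the assumption that packets failing the check but matching the ACL's permit rule are still forwarded. The FIB for Router B is constructed (the 1.1.1.0/24 link is from the example; the 10.1.1.0/24 route and the default route behind GigabitEthernet1/0/2 are hypothetical), as are the function names.

```go
package main

import (
	"fmt"
	"net"
)

// Route is one FIB entry: destination prefix and outgoing interface.
type Route struct {
	Prefix *net.IPNet
	Iface  string
}

// Config models "ip urpf { strict | loose } [ allow-default-route ] [ acl ]".
// ACLPermit holds the source networks the ACL permits; a packet that fails
// the check but matches it is still forwarded (this example's assumption).
type Config struct {
	Strict            bool
	AllowDefaultRoute bool
	ACLPermit         []*net.IPNet
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// lookup does a longest-prefix match and reports whether the winner is the
// default route (prefix length 0).
func lookup(fib []Route, ip net.IP) (best *Route, isDefault bool) {
	bestLen := -1
	for i := range fib {
		r := &fib[i]
		if !r.Prefix.Contains(ip) {
			continue
		}
		if n, _ := r.Prefix.Mask.Size(); n > bestLen {
			bestLen, best = n, r
		}
	}
	return best, best != nil && bestLen == 0
}

// URPFPermit decides whether a packet from srcIP received on inIface passes.
func URPFPermit(cfg Config, fib []Route, srcIP, inIface string) bool {
	ip := net.ParseIP(srcIP)
	r, isDefault := lookup(fib, ip)
	var pass bool
	switch {
	case r == nil:
		pass = false // no reverse path at all
	case isDefault && !cfg.AllowDefaultRoute:
		pass = false // the default route only counts with allow-default-route
	case cfg.Strict:
		pass = r.Iface == inIface // strict: reverse path must leave through the receiving interface
	default:
		pass = true // loose: any reverse path (or the allowed default route) is enough
	}
	if !pass {
		for _, n := range cfg.ACLPermit {
			if n.Contains(ip) {
				return true
			}
		}
	}
	return pass
}

// SampleFIB is a constructed table for Router B: its 1.1.1.0/24 link on
// GigabitEthernet1/0/1, plus a hypothetical 10.1.1.0/24 network and a
// hypothetical default route behind GigabitEthernet1/0/2.
var SampleFIB = []Route{
	{cidr("1.1.1.0/24"), "GigabitEthernet1/0/1"},
	{cidr("10.1.1.0/24"), "GigabitEthernet1/0/2"},
	{cidr("0.0.0.0/0"), "GigabitEthernet1/0/2"},
}

// ACL2010 mirrors "rule permit source 10.1.1.0 0.0.0.255" from the example.
var ACL2010 = []*net.IPNet{cidr("10.1.1.0/24")}

func main() {
	strict := Config{Strict: true, ACLPermit: ACL2010}
	fmt.Println("1.1.1.5 in on Gi1/0/1 (strict):", URPFPermit(strict, SampleFIB, "1.1.1.5", "GigabitEthernet1/0/1"))
	fmt.Println("10.1.1.9 in on Gi1/0/1 (strict, ACL 2010 permits):", URPFPermit(strict, SampleFIB, "10.1.1.9", "GigabitEthernet1/0/1"))
	loose := Config{AllowDefaultRoute: true}
	fmt.Println("8.8.8.8 in on Gi1/0/1 (loose, allow-default-route):", URPFPermit(loose, SampleFIB, "8.8.8.8", "GigabitEthernet1/0/1"))
}
```

The cases worth tracing by hand are the default-route ones: with strict checking and allow-default-route, a source that only the default route covers passes on GigabitEthernet1/0/2 (the default route's outgoing interface) and is rejected on GigabitEthernet1/0/1; with loose checking it passes on either; without allow-default-route it is rejected in both modes.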
Configuring FIPS FIPS, developed by the NIST of the United States, specifies the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. The device supports Level 2. Unless otherwise noted, in this document, FIPS refers to FIPS 140-2.
Self-tests
When the device enters FIPS mode, power-up self-tests and conditional self-tests run automatically to ensure normal operation of the cryptographic modules. If either type of test fails, the device restarts.
Power-up self-tests
Power-up self-tests, also called "known-answer tests," check the availability of FIPS-allowed cryptographic algorithms.
Conditional self-tests
A conditional self-test runs when an asymmetric cryptographic module or a random number generator module is invoked. Conditional self-tests include the following:
• Pair-wise consistency test—This test is run when a DSA/RSA asymmetric key pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If the decryption is successful, the test succeeds.
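The following Go program is an added example, not code from this guide or the device, showing the pair-wise consistency test just described for an RSA key pair, using only the Go standard library: a known plaintext is encrypted with the public key and decrypted with the private key, and the key is released to the caller only if the round trip returns the plaintext. To show the failing case it also builds a deliberately mismatched pair (the private half of one key with the public half of another), which is this example's construction. OAEP padding, the 2048-bit size and the function names are this example's choices.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PairwiseConsistencyTest is the check described for a freshly generated
// RSA key pair: encrypt a known plaintext with the public key, decrypt with
// the private key, and require the round trip to return the plaintext.
func PairwiseConsistencyTest(key *rsa.PrivateKey) error {
	plain := []byte("pair-wise consistency known answer")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, plain, nil)
	if err != nil {
		return err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
	if err != nil {
		return fmt.Errorf("pair-wise consistency test: decryption failed: %w", err)
	}
	if !bytes.Equal(pt, plain) {
		return errors.New("pair-wise consistency test: decrypted text differs from plaintext")
	}
	return nil
}

// GenerateKeyWithSelfTest wraps key generation the way a module in FIPS
// mode does: a key pair that fails its conditional self-test is never
// handed to the caller.
func GenerateKeyWithSelfTest(bits int) (*rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	if err := PairwiseConsistencyTest(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SelfTestResults shows both outcomes: the test passing on a sound key
// pair, and failing on a deliberately mismatched pair (the private half of
// one key combined with the public half of another).
func SelfTestResults() (goodErr, mismatchErr error) {
	good, err := GenerateKeyWithSelfTest(2048)
	if err != nil {
		return err, nil
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, nil
	}
	mismatched := *good
	mismatched.PublicKey = other.PublicKey
	return nil, PairwiseConsistencyTest(&mismatched)
}

func main() {
	goodErr, mismatchErr := SelfTestResults()
	fmt.Println("sound key pair:", goodErr)
	fmt.Println("mismatched key pair:", mismatchErr)
}
```

A device in FIPS mode restarts on such a failure, as the Self-tests section states; an application-level module would instead refuse to return the key, which is what GenerateKeyWithSelfTest does.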
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category. ...
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic. Description: Italic text represents arguments that you replace with actual values.
Convention: [ ]. Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ... }. Description: Braces enclose a set of required syntax choices separated by vertical bars, from which ...
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.