HP FlexFabric 5700 Series Security Configuration Manual

HP FlexFabric 5700 Switch Series
Security

Configuration Guide

Part number: 5998-6696
Software version: Release 2416
Document version: 6W100-20150130


Summary of Contents for HP FlexFabric 5700 Series

  • Page 1: Configuration Guide

    HP FlexFabric 5700 Switch Series Security Configuration Guide Part number: 5998-6696 Software version: Release 2416 Document version: 6W100-20150130...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (7); LDAP (9); AAA implementation on the device (11); Protocols and standards (13); RADIUS attributes (13); ...
  • Page 4 EAP relay (67); EAP termination (69); Configuring 802.1X (71); Access control methods (71); 802.1X VLAN manipulation (71); Authorization VLAN (71); Guest VLAN (73); Auth-Fail VLAN (74); ...
  • Page 5 Configuring MAC authentication (101); Overview (101); User account policies (101); Authentication methods (101); VLAN assignment (102); ACL assignment (104); User profile assignment (104); Periodic MAC reauthentication (104); ...
  • Page 6 Enabling portal roaming (136); Logging out portal users (136); Displaying and maintaining portal (136); Portal configuration examples (137); Configuring direct portal authentication (137); Configuring re-DHCP portal authentication (145); Configuring cross-subnet portal authentication ...
  • Page 7 Setting global password control parameters (198); Setting user group password control parameters (199); Setting local user password control parameters (200); Setting super password control parameters (201); Displaying and maintaining password control (202); ...
  • Page 8 PKI configuration examples (230); Requesting a certificate from an RSA Keon CA server (230); Requesting a certificate from a Windows Server 2003 CA server (233); Requesting a certificate from an OpenCA server (236); ...
  • Page 9 IKE configuration prerequisites (283); IKE configuration task list (283); Configuring an IKE profile (284); Configuring an IKE proposal (286); Configuring an IKE keychain (287); Configuring the global identity information (288); ...
  • Page 10 Password authentication enabled Stelnet client configuration example (325); Publickey authentication enabled Stelnet client configuration example (329); SFTP configuration examples (331); Password authentication enabled SFTP server configuration example (331); Publickey authentication enabled SFTP client configuration example (334); ...
  • Page 11 Configuring ARP packet source MAC consistency check (363); Configuring ARP active acknowledgement (363); Configuring authorized ARP (364); Configuration procedure (364); Configuring ARP detection (364); Configuring user validity check (364); ...
  • Page 12 Overview (402); Configuring source MAC consistency check for ND packets (402); Support and other resources (403); Contacting HP (403); Subscription service (403); Related information (403); Documents (403); ...
  • Page 13: Configuring AAA

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions: Authentication—Identifies users and verifies their validity. Authorization—Grants different users different rights, and controls the users' access to resources. ...
  • Page 14: RADIUS

    RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
  • Page 15 User authentication methods: The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP. Basic RADIUS packet exchange process: Figure 3 (Basic RADIUS packet exchange process) illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 16 The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting for the user. The RADIUS client notifies the user of the termination. RADIUS packet format RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client.
  • Page 17 The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered padding and are ignored by the receiver. If the length of a received packet is less than this length, the packet is dropped.
  • Page 18 Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contain a code compliant with RFC 1700. Vendor-Type—Type of the sub-attribute. Vendor-Length—Length of the sub-attribute. Vendor-Data—Contents of the sub-attribute. For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
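The Length rule on page 17 and the attribute 26 layout on page 18, shown as an added Python parser (example code, not HP's or the manual's). The Vendor-ID 12345, the vendor sub-attribute type 2 and the packet bytes are constructed for the demonstration, not HP values.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

RADIUS_HEADER_LEN = 20       # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
ATTR_VENDOR_SPECIFIC = 26    # attribute 26 carries vendor sub-attributes
ATTR_USER_NAME = 1           # standard RADIUS attribute 1


class RadiusParseError(ValueError):
    """Raised when a datagram violates the length rules and must be dropped."""


@dataclass
class VendorSubAttr:
    vendor_id: int
    vendor_type: int
    vendor_data: bytes


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    length: int
    authenticator: bytes
    attributes: List[Tuple[int, bytes]] = field(default_factory=list)
    vendor_attrs: List[VendorSubAttr] = field(default_factory=list)


def parse_vsa(value: bytes) -> List[VendorSubAttr]:
    """Decode attribute 26: Vendor-ID, then Vendor-Type/Vendor-Length/Vendor-Data triples."""
    if len(value) < 4:
        raise RadiusParseError("attribute 26 shorter than its 4-byte Vendor-ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        # The manual states the most significant byte of Vendor-ID is 0.
        raise RadiusParseError("Vendor-ID most significant byte is not 0")
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise RadiusParseError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise RadiusParseError(f"bad Vendor-Length {vlen} for Vendor-Type {vtype}")
        subs.append(VendorSubAttr(vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return subs


def parse_radius(datagram: bytes) -> RadiusPacket:
    """Parse one UDP payload, applying the Length rules from the manual."""
    if len(datagram) < RADIUS_HEADER_LEN:
        raise RadiusParseError("datagram shorter than the 20-byte fixed header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < RADIUS_HEADER_LEN:
        raise RadiusParseError(f"Length {length} smaller than the fixed header")
    if len(datagram) < length:
        # Rule: a received packet shorter than its Length field is dropped.
        raise RadiusParseError(f"datagram has {len(datagram)} bytes but Length says {length}")
    # Rule: bytes beyond Length are padding and are ignored.
    body = datagram[RADIUS_HEADER_LEN:length]
    pkt = RadiusPacket(code, identifier, length, datagram[4:20])
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise RadiusParseError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise RadiusParseError(f"bad attribute length {alen} for type {atype}")
        value = body[pos + 2:pos + alen]
        pkt.attributes.append((atype, value))
        if atype == ATTR_VENDOR_SPECIFIC:
            pkt.vendor_attrs.extend(parse_vsa(value))
        pos += alen
    return pkt


# Builders used only to construct the sample datagram below.
def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vendor_type: int, vendor_data: bytes) -> bytes:
    sub = bytes([vendor_type, len(vendor_data) + 2]) + vendor_data
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_radius(code: int, identifier: int, authenticator: bytes, attrs: List[bytes]) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, RADIUS_HEADER_LEN + len(body)) + authenticator + body


# Constructed sample: an Access-Request (code 1) carrying User-Name and one vendor
# sub-attribute. Vendor-ID 12345 and sub-attribute type 2 are placeholders, not HP values.
SAMPLE_VENDOR_ID = 12345
SAMPLE_DATAGRAM = build_radius(
    1, 7, b"\x11" * 16,
    [build_attr(ATTR_USER_NAME, b"alice"),
     build_vsa(SAMPLE_VENDOR_ID, 2, b"\x00\x00\x03\xe8")],
) + b"\x00" * 3   # three bytes beyond Length: padding that the parser must ignore


def demo_packet() -> RadiusPacket:
    """Parse the constructed sample; the trailing padding never reaches the attribute loop."""
    return parse_radius(SAMPLE_DATAGRAM)


if __name__ == "__main__":
    pkt = demo_packet()
    print(pkt.code, pkt.identifier, pkt.length, pkt.attributes, pkt.vendor_attrs)
    try:
        parse_radius(SAMPLE_DATAGRAM[:-10])   # shorter than Length: must be dropped
    except RadiusParseError as exc:
        print("dropped:", exc)
```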
  • Page 19: HWTACACS

    Figure 5 Format of attribute 26. HWTACACS: HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
  • Page 20 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server): 1) The user tries to log in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user enters the username. 6) Continue-authentication packet with the username. 7) Authentication response requesting the password. 8) Request for password...
  • Page 21: LDAP

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
  • Page 22 Obtain the access rights to the LDAP server. Check the validity of user information. The search operation constructs search conditions and obtains the directory resource information of the LDAP server. In LDAP authentication, the client completes the following tasks: Uses the LDAP server administrator DN to bind with the LDAP server.
  • Page 23: AAA Implementation On The Device

    After receiving the request, the LDAP client establishes a TCP connection with the LDAP server. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server. The LDAP server processes the request.
  • Page 24 LAN—LAN users must pass 802.1X or MAC authentication to come online. Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal users can access through console ports. Portal—Portal users must pass portal authentication to access the network. ...
  • Page 25: Protocols And Standards

    The device supports the following accounting methods: No accounting—The NAS does not perform accounting for the users. Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.
  • Page 26 Maximum idle time permitted for the user before termination of the session. Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 27 ...Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id: String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes (Sub-attribute / Description): Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
  • Page 28: FIPS Compliance

    Sub-attribute / Description: Connect_ID: Index of the user connection. Ftp_Directory: FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP user on the RADIUS client.
  • Page 29 Configure the required AAA schemes. Local authentication—Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated. Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP schemes. Configure AAA methods for the users' ISP domains. To use remote AAA methods, you must specify the configured RADIUS, HWTACACS, or LDAP schemes in ISP domain view.
  • Page 30: Configuring AAA Schemes

    Configuring AAA schemes This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes. Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type.
  • Page 31 You can configure a password control attribute in system view, user group view, or local user view. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."...
  • Page 32 Step / Command / Remarks. Command: for a network access user, password { cipher | simple } password. Remarks: Network access user passwords are encrypted with the encryption algorithm and saved in ciphertext. Device management user passwords are encrypted with the hash algorithm and saved in ciphertext. In non-FIPS mode, a ...
  • Page 33: Configuring User Group Attributes

    Step / Command / Remarks. Step: (Optional.) Configure authorization attributes for ... Command: authorization-attribute { acl acl-number | idle-cut minute | user-profile profile-name | user-role ... Remarks: The following default settings apply: FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.
  • Page 34: Configuring RADIUS Schemes

    Step / Command / Remarks. Step: Create a user group and enter user group view. Command: user-group group-name. Remarks: By default, there is a system-defined user group named system, which is the default user group. Step: Configure authorization ... Command: authorization-attribute { acl acl-number | idle-cut minute | user-profile profile-name | vlan ... Remarks: By default, no authorization attribute is configured for a user...
  • Page 35 Configuration task list. Tasks at a glance: (Required.) Creating a RADIUS scheme. (Required.) Specifying the RADIUS authentication servers. (Optional.) Specifying the RADIUS accounting servers and the relevant parameters. (Optional.) Specifying the shared keys for secure RADIUS communication. (Optional.) Setting the username format and traffic statistics units. (Optional.) Setting the maximum number of RADIUS request transmission attempts. (Optional.)
  • Page 36 You can specify one primary authentication server and a maximum of 16 secondary authentication servers for a RADIUS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
  • Page 37 Step / Command / Remarks. Step: Specify RADIUS accounting servers. Command: Specify the primary RADIUS accounting server: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string ] *. Remarks: By default, no accounting server is specified. Two accounting servers in a scheme, primary or...
  • Page 38 Step / Command / Remarks. Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. Remarks: The default setting depends on the type of the startup configuration: If the device starts up with initial settings, the ISP domain name is included in a username. ...
  • Page 39 ...RADIUS server and multiple secondary RADIUS servers. The secondary servers function as the backup of the primary server. The device chooses servers based on the following rules: When the primary server is in active state, the device communicates with the primary server. ...
  • Page 40 Step / Command / Remarks. Set the status of the primary RADIUS authentication server: state primary authentication { active | block }. Set the status of the primary RADIUS accounting server: state primary accounting { active | ... Remarks: By default, every server specified in a RADIUS scheme is in active state.
  • Page 41 Step / Command / Remarks. Step: Specify a source IP address for outgoing RADIUS packets. Command: radius nas-ip { ipv4-address | ipv6 ipv6-address }. Remarks: By default, the IP address of the RADIUS packet outbound interface is used as the source IP address. To specify a source IP address for a RADIUS scheme: Step / Command / Remarks...
  • Page 42 NAS. The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
  • Page 43 Step / Command / Remarks. Step: Specify a security policy server. Command: security-policy-server { ipv4-address | ipv6 ipv6-address }. Remarks: By default, no security policy server is specified for a scheme. You can specify a maximum of eight security policy servers for a RADIUS scheme. Configuring the Login-Service attribute check method for SSH, FTP, and terminal users: The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users:...
  • Page 44: Configuring HWTACACS Schemes

    Step / Command / Remarks. Step: Enable SNMP notifications for RADIUS. Command: snmp-agent trap enable radius [ accounting-server-down | authentication-error-threshold | authentication-server-down | accounting-server-up | authentication-server-up ] *. Remarks: By default, all types of SNMP notifications are enabled for RADIUS. Displaying and maintaining RADIUS: Execute display commands in any view and reset commands in user view. Task / Command: Display the RADIUS scheme...
  • Page 45 Specifying the HWTACACS authentication servers You can specify one primary authentication server and a maximum of 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
  • Page 46 Step / Command / Remarks. Step: Specify HWTACACS authorization servers. Command: Specify the primary HWTACACS authorization server: primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ]. Remarks: By default, no authorization server is specified. Two HWTACACS authorization servers in a scheme, primary or...
  • Page 47 Specifying the shared keys for secure HWTACACS communication The HWTACACS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication.
  • Page 48 Specifying the source IP address for outgoing HWTACACS packets The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. When the HWTACACS server receives a packet, it checks whether the source IP address of the packet is the IP address of a managed NAS.
  • Page 49 Server response timeout timer (response-timeout)—Defines the HWTACACS server response timeout timer. The device starts this timer immediately after an HWTACACS authentication, authorization, or accounting request is sent. If the device does not receive a response from the server within the timer, it sets the server to blocked. Then, the device sends the request to another HWTACACS server.
  • Page 50: Configuring LDAP Schemes

    Step / Command / Remarks. Step: Set the HWTACACS server response timeout timer. Command: timer response-timeout seconds. Remarks: By default, the HWTACACS server response timeout timer is 5 seconds. Step: Set the real-time accounting interval. Command: timer realtime-accounting minutes. Remarks: By default, the real-time accounting interval is 12 minutes. A short interval helps improve accounting precision but requires...
  • Page 51 Step / Command / Remarks. Step: Create an LDAP server and enter LDAP server view. Command: ldap server server-name. Remarks: By default, no LDAP server exists. Configuring the IP address of the LDAP server: Step / Command / Remarks. Enter system view: system-view. Enter LDAP server view: ldap server server-name. Remarks: By default, an LDAP server has no IP address.
  • Page 52 Step / Command / Remarks. Enter system view: system-view. Enter LDAP server view: ldap server server-name. Step: Specify the administrator DN. Command: login-dn dn-string. Remarks: By default, no administrator DN is specified. The administrator DN specified on the device must be the same as configured on the LDAP server. Step: Configure the ... Command: login-password { cipher | simple } ... Remarks: By default, no administrator...
  • Page 53: Configuring AAA Methods For ISP Domains

    Step / Command / Remarks. Step: (Optional.) Specify the user object class. Command: user-parameters user-object-class object-class-name. Remarks: By default, no user object is specified, and the default user object class on the LDAP server is used. The default user object class for this command varies by device model. Creating an LDAP scheme: You can configure a maximum of 16 LDAP schemes.
  • Page 54: Configuration Prerequisites

    Configuration prerequisites: To use local authentication for users in an ISP domain, configure local user accounts on the device first. See "Configuring local user attributes." To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS, or LDAP schemes. For more information about the scheme configuration, see "Configuring RADIUS schemes,"...
  • Page 55: Configuring Authentication Methods For An ISP Domain

    Step / Command / Remarks. Enter system view: system-view. Enter ISP domain view: domain isp-name. Place the ISP domain in active or blocked state: state { active | block }. Remarks: By default, an ISP domain is in active state, and users in the domain can request network services.
  • Page 56: Configuring Authorization Methods For An ISP Domain

    Step / Command / Remarks. Step: Specify the authentication method for LAN users. Command: authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }. Remarks: By default, the default authentication method is used for LAN users. The none keyword is not supported in FIPS mode.
  • Page 57: Configuring Accounting Methods For An ISP Domain

    Step / Command / Remarks. Step: Specify the default authorization method for all types of users. Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme ... Remarks: By default, the authorization method is local. The none keyword is not...
  • Page 58: Enabling The Session-Control Feature

    Configuration procedure: To configure accounting methods for an ISP domain: Step / Command / Remarks. Enter system view: system-view. Enter ISP domain view: domain isp-name. Specify the default accounting method for all ...: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme... Remarks: By default, the accounting method is local.
  • Page 59: Setting The Maximum Number Of Concurrent Login Users

    Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users who can log on to the device through a specific protocol, regardless of their authentication methods. The authentication methods include no authentication, local authentication, and remote authentication.
  • Page 60: Displaying And Maintaining AAA

    Displaying and maintaining AAA: Execute the display command in any view. Task / Command: Display the configuration of ISP domains: display domain [ isp-name ]. AAA configuration examples: AAA for SSH users by an HWTACACS server. Network requirements: As shown in Figure 10, configure the switch to meet the following requirements: Use the HWTACACS server for SSH user authentication, authorization, and accounting.
  • Page 61: Local Authentication, HWTACACS Authorization, And RADIUS Accounting For SSH Users

    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    # Specify the primary accounting server.
    [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
    # Set the shared keys for secure HWTACACS communication to expert in plain text.
    [Switch-hwtacacs-hwtac] key authentication simple expert
    [Switch-hwtacacs-hwtac] key authorization simple expert
    [Switch-hwtacacs-hwtac] key accounting simple expert
    # Exclude domain names from the usernames sent to the HWTACACS server.
  • Page 62 Assign the default user role network-operator to SSH users after they pass authentication. Configure an account with the username hello for the SSH user. Configure the shared keys for secure communication with the HWTACACS server and RADIUS server to expert. Figure 11 Network diagram. Configuration procedure: Configure the HWTACACS server.
  • Page 63: Authentication And Authorization For SSH Users By A RADIUS Server

    [Switch-luser-manage-hello] service-type ssh
    # Set a password for the local user to 123456TESTplat&! in plain text. In FIPS mode, you must set the password in interactive mode.
    [Switch-luser-manage-hello] password simple 123456TESTplat&!
    [Switch-luser-manage-hello] quit
    # Create ISP domain bbb and configure the login users to use local authentication, HWTACACS authorization, and RADIUS accounting.
  • Page 64 Set the ports for authentication and accounting to 1812 and 1813, respectively. Select the service type Device Management Service. Select the access device type HP. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
  • Page 65 Click OK. NOTE: The IP address range must contain the IP address of the switch. Figure 14 Adding an account for device management Configure the switch: # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch>...
  • Page 66: Authentication For SSH Users By An LDAP Server

    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
    [Switch] role default-role enable
    # Create a RADIUS scheme.
    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure communication with the server to expert in plain text.
  • Page 67 Figure 15 Network diagram Configuration procedure Configure the LDAP server: NOTE: This example assumes that the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. On the LDAP server, select Start > Control Panel > Administrative Tools. Double-click Active Directory Users and Computers.
  • Page 68 Figure 17 Setting the user password Click OK. # Add user aaa to group Users. From the navigation tree, click Users under the ldap.com node. In the right pane, right-click the user aaa and select Properties. In the dialog box, click the Member Of tab and click Add.
  • Page 69 Figure 18 Modifying user properties In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 19 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 70
    # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 24
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 71: Troubleshooting Radius

    The user is configured on the RADIUS server. The correct password is entered. The same shared key is configured on both the RADIUS server and the NAS. If the problem persists, contact HP Support. RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server.
  • Page 72: Radius Accounting Error

    The authentication and accounting UDP port numbers configured on the NAS are the same as those of the RADIUS server. The RADIUS server's authentication and accounting port numbers are available. If the problem persists, contact HP Support. RADIUS accounting error Symptom A user is authenticated and authorized, but accounting for the user is not normal.
  • Page 73 The administrator DN and the administrator password are correctly configured. The user attributes (for example, the username attribute) configured on the NAS are consistent with those configured on the LDAP server. The user search base DN for authentication is specified. If the problem persists, contact HP Support.
  • Page 74: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs. The protocol has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 75: 802.1X-Related Protocols

    Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control. Figure 21 Authorization state of a controlled port. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server.
  • Page 76: Eap Over Radius

    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 4 lists the types of EAPOL packets supported by the HP implementation of 802.1X. Table 4 Types of EAPOL packets Value Type...
  • Page 77: 802.1X Authentication Initiation

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the HP iNode 802.1X client. Access device as the initiator The access device initiates authentication, if a client cannot send EAPOL-Start packets.
  • Page 78: 802.1X Authentication Procedures

    This process continues until the maximum number of request attempts set by using the dot1x retry command is reached. The username request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger. 802.1X authentication procedures 802.1X authentication has two methods: EAP relay and EAP termination.
  • Page 79: Comparing Eap Relay And Eap Termination

    EAP termination: • Works with any RADIUS server that supports PAP or CHAP authentication. • The username and password EAP authentication initiated by an HP iNode 802.1X client. • The processing is complex on the access device. EAP relay Figure 28 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5...
  • Page 80 Figure 28 802.1X authentication procedure in EAP relay mode (Client, Device, Authentication server; EAPOL between client and device, EAPOR between device and server):
    (1) EAPOL-Start
    (2) EAP-Request/Identity
    (3) EAP-Response/Identity
    (4) RADIUS Access-Request (EAP-Response/Identity)
    (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge)
    (6) EAP-Request/MD5 challenge
    (7) EAP-Response/MD5 challenge
    (8) RADIUS Access-Request (EAP-Response/MD5 challenge)
    (9) RADIUS Access-Accept (EAP-Success)
    (10) EAP-Success...
  • Page 81: Eap Termination

    The authentication server compares the received encrypted password with the encrypted password it generated at step 5. If the two passwords are identical, the server considers the client valid and sends a RADIUS Access-Accept packet to the access device. Upon receiving the RADIUS Access-Accept packet, the access device performs the following operations: Sends an EAP-Success packet to the client.
  • Page 82 Figure 29 802.1X authentication procedure in EAP termination mode In EAP termination mode, the access device rather than the authentication server generates an MD5 challenge for password encryption. The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 83: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. For more information about the port security feature, see "Configuring port...
  • Page 84 VLAN ID with suffix. The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members. NOTE: The access device converts VLAN names and VLAN group name into VLAN IDs before VLAN assignment.
  • Page 85: Guest Vlan

    Table 6 describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port. Table 6 VLAN manipulation Port access control method VLAN manipulation The device assigns the authorization VLAN to the port as the PVID. The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication.
  • Page 86: Auth-Fail Vlan

    • Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication. VLAN manipulation: If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, the device assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can access only resources in the Auth-Fail VLAN.
  • Page 87 The Auth-Fail VLAN does not accommodate 802.1X users who have failed authentication for authentication timeouts or network connection problems. The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method. On a port that performs port-based access control: •...
  • Page 88: Critical Vlan

    Critical VLAN The 802.1X critical VLAN on a port accommodates 802.1X users who have failed authentication because none of the RADIUS servers in their ISP domain is reachable. Users in the critical VLAN can access a limited set of network resources depending on the configuration. The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers.
  • Page 89: Using 802.1X Authentication With Other Features

    • Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all RADIUS servers are unreachable. VLAN manipulation: The device maps the MAC address of the user to the 802.1X critical VLAN. The user can access only the resources in the 802.1X critical VLAN.
  • Page 90: User Profile Assignment

    EAD assistant Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution to improve the threat defensive capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 91: Configuration Prerequisites

    Configuration prerequisites Before you configure 802.1X, complete the following tasks: • Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. • If RADIUS authentication is used, create user accounts on the RADIUS server. • If local authentication is used, create local user accounts on the access device and set the service...
  • Page 92: Enabling Eap Relay Or Eap Termination

    You can use both EAP termination and EAP relay in any of the following situations: • The client is using only MD5-Challenge EAP authentication. • The client is using only the username and password EAP authentication initiated by an HP iNode 802.1X client.
  • Page 93: Setting The Port Authorization State

    Setting the port authorization state The port authorization state determines whether the client is granted access to the network or not. You can control the authorization state of a port by using the dot1x port-control command and the following keywords: •...
  • Page 94: Setting The Maximum Number Of Authentication Request Attempts

    • Step: Set the maximum number of concurrent 802.1X users on a port. Command: dot1x max-user user-number. Remarks: The default setting is 4294967295.
    Setting the maximum number of authentication request attempts The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time.
  • Page 95: Configuring The Online User Handshake Feature

    Configuring the online user handshake feature The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If the device does not receive any responses from an online user after it has made the maximum handshake attempts, the device sets the user to offline state.
  • Page 96: Configuration Guidelines

    This feature provides the multicast trigger and unicast trigger (see 802.1X authentication initiation in "802.1X overview"). Configuration guidelines When you configure the authentication trigger feature, follow these guidelines: • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start...
  • Page 97: Configuring The Quiet Timer

    Configuring the quiet timer The quiet timer enables the access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can edit the quiet timer, depending on the network conditions. In a vulnerable network, set the quiet timer to a high value.
  • Page 98: Configuring An 802.1X Guest Vlan

    • Step: (Optional.) Set the periodic reauthentication timer. Command: dot1x timer reauth-period reauth-period-value. Remarks: The default is 3600 seconds.
    • Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number.
    • Step: Enable periodic online user reauthentication. Command: dot1x re-authenticate. Remarks: By default, the feature is disabled.
    • Step: (Optional.) Enable the... Remarks: By default, this feature is disabled, and the device logs off online...
  • Page 99: Configuration Procedure

    Enable MAC-based VLAN on the port. For more information about the MAC-based VLAN feature, see Layer 2—LAN Switching Configuration Guide. Assign the port to the 802.1X guest VLAN as an untagged member. Configuration procedure To configure an 802.1X guest VLAN: Step Command Remarks...
  • Page 100: Configuration Procedure

    If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port: • Configure the port as a hybrid port. • Enable MAC-based VLAN on the port. For more information about the MAC-based VLAN feature, see Layer 2—LAN Switching Configuration Guide. • Assign the port to the Auth-Fail VLAN as an untagged member.
  • Page 101: Specifying Supported Domain Name Delimiters

    • Step: Enter system view. Command: system-view.
    • Step: Enter Ethernet interface view. Command: interface interface-type interface-number.
    • Step: Configure the 802.1X critical VLAN on the port. Command: dot1x critical vlan vlan-id. Remarks: By default, no 802.1X critical VLAN is configured.
    Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users who use other domain name delimiters.
  • Page 102: Displaying And Maintaining 802.1X

    • To allow a user to obtain a dynamic IP address before it passes 802.1X authentication, make sure the DHCP server is on the free IP segment. • The server that provides the redirect URL must be on the free IP accessible to unauthenticated users. •...
  • Page 103 192.168.1.2/24 Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 104
    [Device-radius-radius1] secondary accounting 10.1.1.2
    # Specify the shared key between the access device and the authentication server.
    [Device-radius-radius1] key authentication simple name
    # Specify the shared key between the access device and the accounting server.
    [Device-radius-radius1] key accounting simple money
    # Exclude the ISP domain name from the usernames sent to the RADIUS servers.
  • Page 105: Guest Vlan And Authorization Vlan Configuration Example

    802.1X guest VLAN and authorization VLAN configuration example Network requirements As shown in Figure 31, use RADIUS servers to perform authentication, authorization, and accounting for 802.1X users who connect to Ten-GigabitEthernet 1/0/2. Implement port-based access control on the port. If no user performs 802.1X authentication on Ten-GigabitEthernet 1/0/2 within a period of time, the device adds Ten-GigabitEthernet 1/0/2 to the guest VLAN, VLAN 10.
  • Page 106
    [Device] vlan 1
    [Device-vlan1] port ten-gigabitethernet 1/0/2
    [Device-vlan1] quit
    [Device] vlan 10
    [Device-vlan10] port ten-gigabitethernet 1/0/1
    [Device-vlan10] quit
    [Device] vlan 2
    [Device-vlan2] port ten-gigabitethernet 1/0/4
    [Device-vlan2] quit
    [Device] vlan 5
    [Device-vlan5] port ten-gigabitethernet 1/0/3
    [Device-vlan5] quit
    Configure a RADIUS scheme on the access device:
    # Create RADIUS scheme 2000 and enter RADIUS scheme view.
  • Page 107: 802.1X With Acl Assignment Configuration Example

    [Device-Ten-GigabitEthernet1/0/2] dot1x port-control auto
    # Set VLAN 10 as the 802.1X guest VLAN on port Ten-GigabitEthernet 1/0/2.
    [Device-Ten-GigabitEthernet1/0/2] dot1x guest-vlan 10
    [Device-Ten-GigabitEthernet1/0/2] quit
    # Enable 802.1X globally.
    [Device] dot1x
    Verifying the configuration
    # Verify the 802.1X guest VLAN configuration on Ten-GigabitEthernet 1/0/2.
    [Device] display dot1x interface ten-gigabitethernet 1/0/2
    # Verify that Ten-GigabitEthernet 1/0/2 is assigned to VLAN 10 when no user passes authentication on the port.
  • Page 108 Assign an IP address to each interface, as shown in Figure 32. (Details not shown.) Configure a RADIUS scheme:
    # Create RADIUS scheme 2000 and enter RADIUS scheme view.
    <Device> system-view
    [Device] radius scheme 2000
    # Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
  • Page 109: 802.1X With Ead Assistant Configuration Example

    # Verify that the user cannot ping the FTP server at any time from 8:00 to 18:00 on any weekday.
    C:\>ping 10.0.0.1
    Pinging 10.0.0.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 10.0.0.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    The output shows that ACL 3000 is active on the user, and the user cannot access the FTP server.
  • Page 110 Figure 33 Network diagram Configuration procedure Make sure the DHCP server, the Web server, and the authentication servers have been configured correctly. (Details not shown.) Configure an IP address for each interface. (Details not shown.) Configure DHCP relay: # Enable DHCP. <Device>...
  • Page 111
    # Set the shared key to abc in plain text for secure communication between the accounting server and the device.
    [Device-radius-2000] key accounting simple abc
    # Exclude the ISP domain name from the usernames sent to the RADIUS server.
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    Configure an ISP domain:
    # Create ISP domain bbb and enter ISP domain view.
  • Page 112: Troubleshooting 802.1X Ead Assistant For Web Browser Users

    • No server is using the redirect URL, or the server with the URL does not provide Web services. Solution To resolve the problem: Enter a dotted decimal IP address that is not in any free IP segments. Verify that the access device and the server are configured correctly. If the problem persists, contact HP Support.
  • Page 113: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 114: Vlan Assignment

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." VLAN assignment MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN. Authorization VLAN You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources.
  • Page 115 Table 10 shows the way that the network access device handles guest VLANs for MAC authentication users. Table 10 VLAN manipulation
    • Authentication status: A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable. VLAN manipulation: The user is still in the MAC authentication guest VLAN.
  • Page 116: Acl Assignment

    ACL assignment You can specify an authorization ACL in the user account for a MAC authentication user to control the user's access to network resources. After the user passes MAC authentication, the authentication server (local or remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for this user.
  • Page 117: Configuration Task List

    Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA." For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users. For RADIUS authentication, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server.
  • Page 118: Specifying A Mac Authentication Domain

    • Step: Enable MAC authentication on the port. Command: mac-authentication. Remarks: By default, MAC authentication is disabled on a port.
    Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users: Specify a global authentication domain in system view.
  • Page 119: Setting Mac Authentication Timers

    Setting MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user idle. If a user connection has been idle within the interval, the device logs the user out and stops accounting for the user.
  • Page 120: Enabling Mac Authentication Multi-Vlan Mode On A Port

    The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. HP recommends that you configure this feature on hybrid or trunk ports. This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.
  • Page 121: Configuring A Mac Authentication Guest Vlan

    Configuring a MAC authentication guest VLAN You must configure the MAC authentication guest VLAN on a hybrid port. Before you configure the MAC authentication guest VLAN on a hybrid port, complete the following tasks: • Enable MAC authentication globally and on the port. Enable MAC-based VLAN on the port.
  • Page 122: Configuring The Keep-Online Feature

    Table 13 Relationships of the MAC authentication critical VLAN with other security features
    • Feature: Quiet feature of MAC authentication. Relationship description: The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user... Reference: "Setting MAC authentication...
  • Page 123: Displaying And Maintaining Mac Authentication

    Displaying and maintaining MAC authentication Execute display commands in any view and reset commands in user view.
    • Task: Display MAC authentication information. Command: display mac-authentication [ interface interface-type interface-number ]
    • Task: Display MAC authentication connections. Command: display mac-authentication connection [ interface interface-type interface-number | slot slot-number | user-mac mac-addr | user-name user-name ]
    • Task: Clear MAC authentication statistics. Command: reset mac-authentication statistics [ interface interface-type...
  • Page 124 Configuration procedure
    # Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
    <Device> system-view
    [Device] local-user 00-e0-fc-12-34-56 class network
    [Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
    # Specify the LAN access service for the user.
    [Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-network-00-e0-fc-12-34-56] quit
    # Configure ISP domain bbb to perform local authentication for LAN users.
  • Page 125: Radius-Based Mac Authentication Configuration Example

    Ten-GigabitEthernet1/0/1 is link-up
      MAC authentication          : Enabled
      Authentication domain       : Not configured
      Auth-delay timer            : Disabled
      Re-auth server-unreachable  : Logoff
      Guest VLAN                  : Not configured
      Critical VLAN               : Not configured
      Host mode                   : Single VLAN
      Max online users            : 4294967295
      Authentication attempts     : successful 1, failed 0
      Current online users...
  • Page 126
    # Set the username aaa and password 123456 for the account. (Details not shown.)
    Configure RADIUS-based MAC authentication on the device:
    # Configure a RADIUS scheme.
    <Device> system-view
    [Device] radius scheme 2000
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    [Device-radius-2000] primary accounting 10.1.1.2 1813
    [Device-radius-2000] key authentication simple abc
    [Device-radius-2000] key accounting simple abc
    [Device-radius-2000] user-name-format without-domain...
  • Page 127: Acl Assignment Configuration Example

    Silent MAC users:
    MAC address  VLAN ID  From port  Port index
    Ten-GigabitEthernet1/0/1 is link-up
      MAC authentication          : Enabled
      Authentication domain       : Not configured
      Auth-delay timer            : Disabled
      Re-auth server-unreachable  : Logoff
      Guest VLAN                  : Not configured
      Critical VLAN               : Not configured
      Host mode                   : Single VLAN
      Max online users...
  • Page 128
    [Sysname-acl-adv-3000] quit
    Configure RADIUS-based MAC authentication on the device:
    # Configure a RADIUS scheme.
    [Sysname] radius scheme 2000
    [Sysname-radius-2000] primary authentication 10.1.1.1 1812
    [Sysname-radius-2000] primary accounting 10.1.1.2 1813
    [Sysname-radius-2000] key authentication simple abc
    [Sysname-radius-2000] key accounting simple abc
    [Sysname-radius-2000] user-name-format without-domain
    [Sysname-radius-2000] quit
    # Apply RADIUS scheme 2000 to ISP domain 2000 for authentication, authorization, and accounting.
  • Page 129
    Silent MAC users:
    MAC address  VLAN ID  From port  Port index
    Ten-GigabitEthernet1/0/1 is link-up
      MAC authentication          : Enabled
      Authentication domain       : Not configured
      Auth-delay timer            : Disabled
      Re-auth server-unreachable  : Logoff
      Guest VLAN                  : Not configured
      Critical VLAN               : Not configured
      Host mode                   : Single VLAN
      Max online users...
  • Page 130: Configuring Portal Authentication

    Users can access more Internet resources after passing security check. Security check must cooperate with the HP IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device, portal...
  • Page 131 Figure 37 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server). An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 132: Interaction Between Portal System Components

    Web server. The user can also visit the authentication website to log in. The user must log in through the HP iNode client for extended portal functions. The user enters the authentication information on the authentication page/dialog box and submits the information.
  • Page 133: Portal Authentication Process

    Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP address uniquely identifies the user. After a user passes authentication, the access device generates an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
  • Page 134 The access device and the RADIUS server exchange RADIUS packets. The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure. The portal authentication server sends an authentication success or failure packet to the client. If the authentication is successful, the portal authentication server sends an authentication reply acknowledgment packet to the access device.
  • Page 135: Portal Configuration Task List

    After receiving the IP change notification packets sent by the client and the access device, the portal authentication server notifies the client of login success. The portal authentication server sends an IP change acknowledgment packet to the access device. Step 13 and step 14 are for extended portal functions. The client and the security policy server exchanges security check information.
  • Page 136: Configuring A Portal Authentication Server

    • The portal authentication server, portal Web server, and RADIUS server have been installed and configured properly. • To use the re-DHCP portal authentication mode, make sure the DHCP relay agent is enabled on the access device, and the DHCP server is installed and configured properly. • The portal client, access device, and servers can reach each other.
  • Page 137: Configuring A Portal Web Server

    • With re-DHCP portal authentication, HP recommends that you also configure authorized ARP on the interface to make sure only valid users can access the network. With authorized ARP configured on the interface, the interface learns ARP entries only from the users who have obtained a public address from DHCP.
  • Page 138: Configuration Procedure

    Configuration procedure To enable portal authentication on an interface:
    • Step: Enter system view. Command: system-view.
    • Step: Enter interface view. Command: interface interface-type interface-number. Remarks: The interface must be a Layer 3 interface.
    • Step: Enable portal authentication on the interface. Command: To enable IPv4 portal authentication: portal enable method { direct | layer3 | redhcp }...
  • Page 139: Configuring An Authentication Source Subnet

    You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists. Regardless of whether portal authentication is enabled or not, you can only add or remove a portal-free rule. You cannot modify it. To configure an IP-based portal-free rule: Step Command...
  • Page 140: Configuring An Authentication Destination Subnet

    When you configure a portal authentication source subnet, follow these restrictions and guidelines: • Authentication source subnets apply only to cross-subnet portal authentication. • In direct or re-DHCP portal authentication mode, a portal user and its access interface (portal-enabled) are on the same subnet. It is not necessary to specify the subnet as the authentication source subnet.
  • Page 141: Setting The Maximum Number Of Portal Users

    You can configure multiple authentication destination subnets. If the destination subnets overlap, the subnet with the largest address scope (with the smallest mask or prefix) takes effect. To configure an IPv4 portal authentication destination subnet: Step Command Remarks Enter system view. system-view Enter interface view.
  • Page 142: Configuring Portal Detection Features

    The device selects the authentication domain for a portal user on an interface in this order: ISP domain specified for the interface. ISP domain carried in the username. System default ISP domain. For information about the default ISP domain, see "Configuring AAA."...
  • Page 143: Configuring Portal Authentication Server Detection

    If the ARP or ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP or ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires. If the ARP or ND entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.
  • Page 144: Configuring Portal Web Server Detection

    server recovers, it resumes portal authentication on the interface. For more information, see "Configuring the portal fail-permit feature." Portal packets include user login packets, user logout packets, and heartbeat packets. Heartbeat packets are periodically sent by a server. By detecting heartbeat packets, the device can detect the server's actual status more quickly than by detecting other portal packets.
  • Page 145: Configuring Portal User Synchronization

    • Step: Enter system view. Command: system-view.
    • Step: Enter portal Web server view. Command: portal web-server server-name.
    • Step: Configure portal Web server detection. Command: server-detect [ interval interval ] [ retry retries ] log. Remarks: By default, portal Web server detection is disabled. This feature takes effect regardless of...
  • Page 146: Configuring The Portal Fail-Permit Feature

    Configuring the portal fail-permit feature Perform this task to configure the portal fail-permit feature on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication. If you enable fail-permit for both a portal authentication server and a portal Web server on an interface, the interface does the following: Disables portal authentication when either server is unreachable.
  • Page 147: Applying A Nas-Id Profile To An Interface

    Step 1. Enter system view: system-view. Step 2. Enter interface view: interface interface-type interface-number. Step 3. Configure BAS-IP for IPv4 portal packets sent to the portal authentication server: portal bas-ip ipv4-address. By default, the BAS-IP attribute of an IPv4 portal response packet sent to the portal authentication server is the source IPv4 address of the packet, and that of an IPv4...
  • Page 148: Enabling Portal Roaming

    Enabling portal roaming Portal roaming takes effect only on portal users logging in from VLAN interfaces. If portal roaming is enabled on a VLAN interface, an online portal user can access resources from any Layer 2 port in the VLAN without re-authentication. If portal roaming is disabled, to access external network resources from a Layer 2 port different from the current access port in the VLAN, the user must do the following: •...
  • Page 149: Portal Configuration Examples

    Display portal configuration and portal running state information on an interface: display portal interface interface-type interface-number. Display portal authentication server information: display portal server [ server-name ]. Display portal Web server information: display portal web-server [ server-name ]. Display packet statistics for portal authentication servers: display portal packet statistics [ server server-name ].
  • Page 150 Log in to IMC and click the Service tab. Select Access Service > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure Configure the portal server parameters as needed. This example uses the default values.
  • Page 151 Select Access Service > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the host. Enter the key, which must be the same as that configured on the switch.
  • Page 152 Figure 45 Port group configuration Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
  • Page 153 Figure 46 Portal server configuration Configure the IP address group: Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.
  • Page 154 Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the host. Enter the key, which must be the same as that configured on the switch.
  • Page 155 Figure 49 Device list Figure 50 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 156 [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
  • Page 157: Configuring Re-Dhcp Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests are redirected to the authentication page.
  • Page 158 Figure 51 Network diagram: the portal server 192.168.0.111/24, DHCP server 192.168.0.112/24 and RADIUS server 192.168.0.113/24 reach the switch through Vlan-int2 192.168.0.100/24; the host is attached through Vlan-int100 20.20.20.1/24 (sub 10.0.0.1/24) and automatically obtains an IP address. Configuration prerequisites and guidelines Configure IP addresses for the switch and servers as shown in Figure 51 and make sure the host, •...
  • Page 159 [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...
  • Page 160 Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests are redirected to the authentication page.
  • Page 161: Configuring Cross-Subnet Portal Authentication

    Authorization ACL: None VPN instance: -- VLAN Interface 0015-e9a6-7cfe 20.20.20.2 Vlan-interface100 Configuring cross-subnet portal authentication Network requirements As shown in Figure 52, Switch A supports portal authentication. The host accesses Switch A through Switch B. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.
  • Page 162 [SwitchA-radius-rs1] key accounting simple radius # Exclude the ISP domain name from the username sent to the RADIUS server. [SwitchA-radius-rs1] user-name-format without-domain [SwitchA-radius-rs1] quit # Enable RADIUS session control. [SwitchA] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [SwitchA] domain dm1 # Configure AAA methods for the ISP domain.
  • Page 163 Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests are redirected to the authentication page.
  • Page 164: Configuring Extended Direct Portal Authentication

    Configuring extended direct portal authentication Network requirements As shown in Figure 53, the host is directly connected to the switch (the access device). The host is assigned with a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server and a portal Web server.
  • Page 165 # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...
  • Page 166 IP address Prefix length Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
  • Page 167: Configuring Extended Re-Dhcp Portal Authentication

    Portal server: newpt State: Online Authorization ACL: 3001 VPN instance: -- VLAN Interface 0015-e9a6-7cfe 2.2.2.2 Vlan-interface100 Configuring extended re-DHCP portal authentication Network requirements As shown in Figure 54, the host is directly connected to the switch (the access device). The host obtains an IP address through the DHCP server.
  • Page 168 Make sure the IP address of the portal device added on the portal server is the public IP address • (20.20.20.1) of the switch's interface connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides.
  • Page 169 NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server. Configure DHCP relay and authorized ARP: # Configure DHCP relay. [Switch] dhcp enable [Switch] dhcp relay client-information record [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0 [Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub...
  • Page 170 IP address Prefix length Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
  • Page 171: Configuring Extended Cross-Subnet Portal Authentication

    Configuring extended cross-subnet portal authentication Network requirements As shown in Figure 55, Switch A supports portal authentication. The host accesses Switch A through Switch B. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.
  • Page 172 # Specify the security policy server. [SwitchA-radius-rs1] security-policy-server 192.168.0.113 [SwitchA-radius-rs1] quit # Enable RADIUS session control. [SwitchA] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [SwitchA] domain dm1 # Configure AAA methods for the ISP domain. [SwitchA-isp-dm1] authentication portal radius-scheme rs1 [SwitchA-isp-dm1] authorization portal radius-scheme rs1 [SwitchA-isp-dm1] accounting portal radius-scheme rs1...
  • Page 173 IP address Prefix length Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
  • Page 174: Configuring Portal Server Detection And Portal User Synchronization

    After passing both the authentication and the security check, the user can access Internet resources • that match ACL 3001. # After the user passes authentication, use the following command to display information about the portal user. [SwitchA] display portal user interface vlan-interface 4 Total portal users: 1 Username: abc Portal server: newpt...
  • Page 175 Configure the RADIUS server properly to provide authentication and accounting functions. • • Configure the portal authentication server. Be sure to enable the server heartbeat function and the user heartbeat function. Configure the switch (access device) as follows: • Configure direct portal authentication on VLAN-interface 100, the interface to which the host is connected.
  • Page 176 Select Normal from the Action list. Click OK. Figure 58 Adding an IP address group Add a portal device: Select Access Service > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS.
  • Page 177 Figure 60 Device list Click Add to enter the page shown in Figure Figure 61 Port group configuration Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group. Use the default values for the other parameters.
  • Page 178 Figure 62 Portal authentication server configuration Configure the IP address group: Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.
  • Page 179 Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the host. Enter the key, which must be the same as that configured on the switch.
  • Page 180 Figure 65 Device list Figure 66 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 181 [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
  • Page 182: Troubleshooting Portal

    Portal server: newpt : 192.168.0.111 VPN instance : Not configured Port : 50100 Server Detection : Timeout 40s Action: log User synchronization : Timeout 600s Status : Up The Up status of the portal authentication server indicates that the portal authentication server is reachable.
  • Page 183: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HP IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 184: Re-Dhcp Portal Authenticated Users Cannot Log In Successfully

    Re-DHCP portal authenticated users cannot log in successfully Symptom The device performs re-DHCP portal authentication for users. A user enters the correct username and password, and the client successfully obtains the private and public IP addresses. However, the authentication result for the user is failure. Analysis When the access device detects that the client IP address has changed, it sends an unsolicited portal packet to notify the portal authentication server of the IP change.
  • Page 185: Configuring Port Security

    This automatic mechanism enhances network security and reduces human intervention. NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 186 • MAC learning control—Includes two modes: autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode. • Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
  • Page 187 TIP: • userLogin specifies 802.1X authentication and port-based access control. • userLogin with Secure specifies 802.1X authentication and MAC-based access control. • Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
  • Page 188: Configuration Task List

    userLoginWithOUI. • This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI. In this mode, the port performs OUI check first. If the OUI check fails, the port performs 802.1X authentication.
  • Page 189: Enabling Port Security

    Tasks at a glance Remarks (Optional.) Ignoring authorization information from the server (Optional.) Enabling MAC move (Optional.) Applying NAS-ID profile to port security (Optional.) Enabling the authorization-fail-offline feature Enabling port security Before you enable port security, disable 802.1X and MAC authentication globally. When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state.
  • Page 190: Setting The Port Security Mode

    The port security's limit on the number of secure MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration. For more information about MAC address table configuration, see Layer 2—LAN Switching Configuration Guide. To set the maximum number of secure MAC addresses allowed on a port: Step Command...
  • Page 191: Configuring Port Security Features

    Set the port security mode: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | ... By default, a port operates in noRestrictions mode. After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the...
  • Page 192: Configuring Secure Mac Addresses

    blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed. • disableport—Disables the port until you bring it up manually. • disableport-temporarily—Disables the port for a period of time. The period can be configured with...
  • Page 193: Configuration Prerequisites

    Table 15 A comparison of static, sticky, and dynamic secure MAC addresses (columns: Type; Address sources; Aging mechanism; Can be saved and survive a device reboot?). Static: Address sources: manually added (by using the port-security mac-address ... Aging mechanism: not available. The static addresses never age out unless you perform any of the following tasks: •...
  • Page 194: Ignoring Authorization Information From The Server

    (Optional.) Set the secure MAC aging timer: port-security timer autolearn aging time-value. By default, secure MAC addresses do not age out. • In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id. By default, no secure MAC address exists.
  • Page 195: Applying Nas-Id Profile To Port Security

    If MAC move is disabled and an 802.1X authenticated user moves to another port, the user is not reauthenticated. HP recommends you enable MAC move for wireless users that roam between ports to access the network. To enable MAC move:...
  • Page 196: Enabling The Authorization-Fail-Offline Feature

    Enabling the authorization-fail-offline feature The authorization-fail-offline feature logs off port security users who fail ACL or user profile authorization. A user fails ACL or user profile authorization in the following situations: The device fails to authorize the specified ACL or user profile to the user. •...
  • Page 197 Figure 67 Network diagram XGE1/0/1 Internet Device Host Configuration procedure # Enable port security. <Device> system-view [Device] port-security enable # Set the secure MAC aging timer to 30 minutes. [Device] port-security timer autolearn aging 30 # Set port security's limit on the number of secure MAC addresses to 64 on port Ten-GigabitEthernet 1/0/1.
  • Page 198: Userloginwithoui Configuration Example

    NAS-ID profile is not configured The output shows the following information: • The port security's limit on the number of secure MAC addresses on the port is 64. • The port security mode is autoLearn. • The intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds. •...
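How the autoLearn example above behaves once the secure-MAC limit is hit, as an added model that is not the guide's own code: the port learns source MACs as secure addresses until the configured maximum, then stops learning (the guide's secure behaviour), and any frame from an unknown source MAC is an intrusion handled by the configured action. The fixed 3-minute blockmac interval and the disableport-temporarily timeout follow the guide; the class, method and attribute names are this example's own.

```python
BLOCKMAC_SECONDS = 180  # blockmac interval is fixed at 3 minutes and cannot be changed


class SecurePort:
    """Model of one port-security port starting in autoLearn mode (names are this example's own)."""

    def __init__(self, max_secure, intrusion_action="blockmac", disable_seconds=30):
        self.max_secure = max_secure                # limit on the number of secure MAC addresses
        self.mode = "autoLearn"                     # becomes "secure" once the limit is reached
        self.secure_macs = set()                    # sticky secure MACs learned on the port
        self.intrusion_action = intrusion_action    # blockmac | disableport | disableport-temporarily | none
        self.disable_seconds = disable_seconds      # disableport-temporarily period
        self.blocked = {}                           # mac -> time the block expires
        self.down_until = None                      # None = up; float("inf") = down until bring_up()
        self.log = []

    def bring_up(self):
        """Operator brings the port back up manually after the disableport action."""
        self.down_until = None

    def receive(self, mac, now):
        """Return 'forward' or 'drop' for a frame with source MAC `mac` seen at time `now` (seconds)."""
        if self.down_until is not None:
            if now < self.down_until:
                return "drop"                       # port is administratively down
            self.down_until = None                  # temporary disable has expired
        if mac in self.blocked:
            if now < self.blocked[mac]:
                return "drop"                       # MAC still blocked
            del self.blocked[mac]                   # block expired; the MAC is unknown again
        if mac in self.secure_macs:
            return "forward"
        if self.mode == "autoLearn":
            self.secure_macs.add(mac)               # learn it as a secure MAC
            self.log.append((now, "learned", mac))
            if len(self.secure_macs) >= self.max_secure:
                self.mode = "secure"                # limit reached: learning stops
                self.log.append((now, "mode", "secure"))
            return "forward"
        return self._intrusion(mac, now)

    def _intrusion(self, mac, now):
        """Secure mode: an unknown source MAC is an intrusion; apply the configured action."""
        self.log.append((now, "intrusion", mac))
        if self.intrusion_action == "blockmac":
            self.blocked[mac] = now + BLOCKMAC_SECONDS
        elif self.intrusion_action == "disableport":
            self.down_until = float("inf")
        elif self.intrusion_action == "disableport-temporarily":
            self.down_until = now + self.disable_seconds
        return "drop"                               # the offending frame is never forwarded


if __name__ == "__main__":
    # Constructed traffic: two legitimate hosts fill a 2-address limit, then a third MAC appears.
    port = SecurePort(max_secure=2, intrusion_action="blockmac")
    for mac, t in [("0015-e9a6-0001", 0), ("0015-e9a6-0002", 1), ("0015-e9a6-0003", 2), ("0015-e9a6-0001", 5)]:
        print(t, mac, port.receive(mac, t))
    print(port.mode, port.log)
```

Note the trade-off the three actions encode: blockmac punishes only the offending address, disableport-temporarily takes every host on the port offline for the timeout (a single spoofed frame can cause that), and disableport needs an operator to recover.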
  • Page 199: Configure Aaa

    • The RADIUS server response timeout time is 5 seconds. The maximum number of RADIUS packet retransmission attempts is five. • The device sends real-time accounting packets to the RADIUS server at 15-minute intervals, and sends usernames without domain names to the RADIUS server. • Configure port Ten-GigabitEthernet 1/0/1 of the device to allow only one 802.1X user and a user who uses one of the specified OUI values to be authenticated.
  • Page 200 [Device] port-security enable # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.) [Device] port-security oui index 1 mac-address 1234-0100-1111 [Device] port-security oui index 2 mac-address 1234-0200-1111 [Device] port-security oui index 3 mac-address 1234-0300-1111 [Device] port-security oui index 4 mac-address 1234-0400-1111 [Device] port-security oui index 5 mac-address 1234-0500-1111...
  • Page 201: Macaddresselseuserloginsecure Configuration Example

    Port security parameters: Port security : Enabled AutoLearn aging time : 0 min Disableport timeout : 20 s MAC move : Denied Authorization fail : Online NAS-ID profile is not configured OUI value list Index : Value : 123401 Index : Value : 123402 Index : Value : 123403...
  • Page 202 Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses. • Figure 69 Network diagram Configuration procedure Make sure the host and the RADIUS server can reach each other. Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.")
  • Page 203 Authorization fail : Online NAS-ID profile is not configured OUI value list Ten-GigabitEthernet1/0/1 is link-up Port mode : macAddressElseUserLoginSecure NeedToKnow mode : NeedToKnowOnly Intrusion protection mode : NoAction Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 64 Current secure MAC addresses...
  • Page 204 # Display 802.1X authentication information. Verify that Ten-GigabitEthernet 1/0/1 allows only one 802.1X user to be authenticated. [Device] display dot1x interface ten-gigabitethernet 1/0/1 Global 802.1X parameters: 802.1X authentication : Enabled CHAP authentication : Enabled Max-tx period : 30 s Handshake period : 15 s Quiet timer : Disabled...
  • Page 205: Troubleshooting Port Security

    Set the port security mode to noRestrictions. [Device-Ten-GigabitEthernet1/0/1] undo port-security port-mode Set a new port security mode for the port, for example, autoLearn. [Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn If the problem persists, contact HP Support. Cannot configure secure MAC addresses Symptom Cannot configure secure MAC addresses.
  • Page 206: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 207: Password Updating And Expiration

    Password complexity checking policy A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.
  • Page 208: User Login Control

    Password history With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters.
  • Page 209: Password Not Displayed In Any Form

    Maximum account idle time You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid. Password not displayed in any form For security purposes, nothing is displayed when a user enters a password.
  • Page 210: Enabling Password Control

    Enabling password control To successfully enable the global password control feature and allow device management users to log in to the device, the device must have sufficient storage space. Enabling the global password control feature is the prerequisite for all password control configurations to take effect.
  • Page 211: Setting User Group Password Control Parameters

    Set the minimum password length: password-control length length. • In non-FIPS mode, the default setting is 10 characters. • In FIPS mode, the default length is 15 characters. • In non-FIPS mode, by default, a password must contain at least one character type and at least one character for each type.
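The checks the guide describes for the password complexity policy (page 207), password history (page 208) and the length and composition parameters (page 211), combined into one validator as an added example that is not the switch's own code. Assumptions, because the guide does not spell them out: the four character types are uppercase, lowercase, digit and special; a type counts toward type-number only if it contributes at least type-length characters; the username check is case-sensitive and also rejects the reversed username; "repeated characters" means the same character three or more times in a row; and "differ by at least four characters" is measured as Levenshtein edit distance.

```python
import string

# The four character types the composition policy counts (assumed mapping).
CHARACTER_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def edit_distance(a, b):
    """Levenshtein distance, used here as the 'differ by at least N characters' metric (an assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate, username, *, min_length=10, min_types=1, min_per_type=1,
                   check_username=True, check_repeat=True, history=(), min_difference=4):
    """Return the list of violated rules; an empty list means the password is accepted.

    min_length mirrors password-control length; min_types / min_per_type mirror
    password-control composition type-number ... type-length ...; history holds the
    current password followed by the stored history entries.
    """
    violations = []
    if len(candidate) < min_length:
        violations.append("length")
    # Composition: a type counts only if it contributes at least min_per_type characters.
    present = [name for name, chars in CHARACTER_TYPES.items()
               if sum(c in chars for c in candidate) >= min_per_type]
    if len(present) < min_types:
        violations.append("composition")
    # Complexity check 1: the username, forwards or reversed, must not appear.
    if check_username and (username in candidate or username[::-1] in candidate):
        violations.append("username")
    # Complexity check 2: no character repeated three or more times consecutively.
    if check_repeat and any(candidate[i] == candidate[i + 1] == candidate[i + 2]
                            for i in range(len(candidate) - 2)):
        violations.append("repeat")
    # History: must differ from the current and every stored password by min_difference.
    if any(edit_distance(candidate, old) < min_difference for old in history):
        violations.append("history")
    return violations


if __name__ == "__main__":
    # Constructed inputs using the global settings of the page-215 example (16-character minimum).
    print(check_password("Sw1tch-Sec-2015!x", "admin", min_length=16, min_types=4))
    print(check_password("aaadminpass", "admin"))
    print(check_password("Password1!", "bob", history=["Password2!"]))
```

Because the history rule is enforced at change time against stored hashes on a real device, the comparison there can only be exact-match unless the device keeps the old passwords in a recoverable form; that is worth remembering when reading "differ by at least four characters".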
  • Page 212: Setting Local User Password Control Parameters

    Configure the minimum password length for the user group: password-control length length. By default, the minimum password length of the user group equals the global minimum password length. Configure the password composition policy for the user group: password-control composition type-number type-number ... By default, the password composition policy of the user...
  • Page 213: Setting Super Password Control Parameters

    Configure the password composition policy for the local user: password-control composition type-number type-number [ type-length type-length ]. By default, the settings equal those for the user group to which the local user belongs. If no password composition policy is configured for the user group, the global settings apply to the local user.
  • Page 214: Displaying And Maintaining Password Control

    Displaying and maintaining password control Execute display commands in any view and reset commands in user view. Display password control configuration: display password-control [ super ]. Display information about users in the password control blacklist: display password-control blacklist [ user-name name | ip...
  • Page 215: Configuration Procedure

    Configuration procedure # Enable the password control feature globally. <Sysname> system-view [Sysname] password-control enable # Disable a user account permanently if a user fails two consecutive login attempts on the user account. [Sysname] password-control login-attempt 2 exceed lock # Set all passwords to expire after 30 days. [Sysname] password-control aging 30 # Globally set the minimum password length to 16 characters.
  • Page 216: Verifying The Configuration

    # Set the password for the local user to expire after 20 days. [Sysname-luser-manage-test] password-control aging 20 # Configure the password of the local user in interactive mode. [Sysname-luser-manage-test] password Password: Confirm : Updating user information. Please wait... [Sysname-luser-manage-test] quit Verifying the configuration # Display the global password control configuration.
  • Page 217 Password length: Enabled (24 characters) Password composition: Enabled (4 types, 5 characters per type)
  • Page 218: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 70.
  • Page 219: Creating A Local Key Pair

    ...pair, if you do not specify a key pair name. Both key pairs use their default names. • In non-FIPS mode: 512 to 2048 bits, and defaults to 1024 bits. HP recommends using 768 bits or longer. • In FIPS mode: 2048 bits.
  • Page 220: Distributing A Local Host Public Key

    Step Command Remarks Enter system view. system-view • In non-FIPS mode: public-key local create { dsa | ecdsa { secp192r1 | secp256r1 } | rsa } [ name key-name ] Create a local key pair. By default, no local key pairs exist. •...
  • Page 221: Displaying A Host Public Key

    Export a local host public key. • Export an RSA host public key: In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]. In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ].
  • Page 222: Configuring A Peer Host Public Key

    Configuring a peer host public key You can configure the peer host public key by using the following methods: • Import the peer host public key from a public key file (recommended). • Manually enter (type or copy) the peer host public key. •...
  • Page 223: Displaying And Maintaining Public Keys

    Displaying and maintaining public keys Execute display commands in any view. Task Command display public-key local { dsa | ecdsa | rsa } public [ name Display local public keys. key-name ] Display peer host public keys. display public-key peer [ brief | name publickey-name ] Examples of public key management Example for entering a peer host public key Network requirements...
  • Page 224 ============================================= Key name: hostkey (default) Key type: RSA Time when key pair created: 16:48:31 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 ============================================= Key name: serverkey (default) Key type: RSA Time when key pair created: 16:48:31 2011/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC 1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953FB22AA30203010001...
  • Page 225: Example For Importing A Public Key From A Public Key File

    Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Example for importing a public key from a public key file Network requirements As shown in Figure 72, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B. Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A.
  • Page 226 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 ============================================= Key name: serverkey (default) Key type: RSA Time when key pair created: 16:48:31 2011/05/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC 1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953FB22AA30203010001 # Export the RSA host public key to the file devicea.pub. [DeviceA] public-key local export rsa ssh2 devicea.pub [DeviceA] quit # Enable the FTP server function, create an FTP user with the username ftp and password 123, and configure the FTP user role as network-admin.
  • Page 227
    Verifying the configuration
    # Verify that the host public key is the same as it is on Device A.
    [DeviceB] display public-key peer name devicea
    =============================================
    Key name: devicea
    Key type: RSA
    Key modulus: 1024
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
    45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001...
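    The verification step above compares the key code shown on Device B with the one shown on Device A by eye. As an added check that is not part of the HP guide, the following Python decodes that key code (a DER SubjectPublicKeyInfo, copied from the display output above) to confirm it is an RSA key with the expected modulus size, and compares two displayed key codes byte for byte; the function names and the SHA-1 fingerprint helper are my own additions.

```python
import hashlib

# RSA host public key code as displayed on Device A (copied from the guide's
# display public-key output); the decoder ignores the line breaks of the display.
DEVICE_A_HOSTKEY = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B"
    "8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E"
    "45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257"
    "6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788"
    "CB47440AF6BB25ACA50203010001"
)

RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _key_bytes(key_code_hex):
    """Turn the displayed key code (possibly split over lines) into DER bytes."""
    return bytes.fromhex("".join(key_code_hex.split()))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _children(buf):
    """Iterate the TLVs packed inside a constructed element's value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def parse_rsa_key_code(key_code_hex):
    """Decode a SubjectPublicKeyInfo key code into (modulus, exponent).

    Raises ValueError if the blob is not an rsaEncryption SubjectPublicKeyInfo,
    which is the layout of the RSA key code shown by display public-key.
    """
    der = _key_bytes(key_code_hex)
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    (alg_tag, alg), (bits_tag, bits) = list(_children(spki))
    if alg_tag != 0x30 or bits_tag != 0x03:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    oid_tag, oid = next(_children(alg))
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    pk_tag, rsa_pub, _ = _read_tlv(bits, 1)  # skip the unused-bits octet
    if pk_tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    (n_tag, n), (e_tag, e) = list(_children(rsa_pub))
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def key_modulus_bits(key_code_hex):
    """The 'Key modulus' value the peer-side display reports for this key code."""
    modulus, _ = parse_rsa_key_code(key_code_hex)
    return modulus.bit_length()


def same_key(key_code_a, key_code_b):
    """True when two displayed key codes decode to identical DER bytes."""
    return _key_bytes(key_code_a) == _key_bytes(key_code_b)


def key_fingerprint_sha1(key_code_hex):
    """SHA-1 over the DER bytes: a short value to compare across two consoles."""
    return hashlib.sha1(_key_bytes(key_code_hex)).hexdigest()


if __name__ == "__main__":
    modulus, exponent = parse_rsa_key_code(DEVICE_A_HOSTKEY)
    print("modulus bits:", modulus.bit_length(), "exponent:", exponent)
    print("sha1:", key_fingerprint_sha1(DEVICE_A_HOSTKEY))
```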
  • Page 228: Configuring Pki

    PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec and SSL.
    PKI terminology
    Digital certificate
    A digital certificate is an electronic document signed by a CA that binds a public key with the identity of its owner.
  • Page 229: Pki Architecture

    Certificate revocation list
    A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked. A CRL is created and signed by the CA that originally issued the certificates. The CA publishes CRLs periodically to revoke certificates. Entities that are associated with the revoked certificates should not be trusted.
  • Page 230: Pki Operation

    delegate some of the tasks to an RA and leave the CA to concentrate on its primary tasks of signing certificates and CRLs.
    • Certificate/CRL repository—A certificate distribution point that stores certificates and CRLs, and distributes these certificates and CRLs to PKI entities. It also provides the query function. A PKI repository can be a directory server using the LDAP or HTTP protocol, of which LDAP is commonly used.
  • Page 231: Configuring A Pki Entity

    Tasks at a glance
    • Configuring automatic certificate request
    • Manually requesting a certificate
    (Optional.) Aborting a certificate request
    (Optional.) Obtaining certificates
    (Optional.) Verifying PKI certificates
    (Optional.) Specifying the storage path for the certificates and CRLs
    (Optional.) Exporting certificates
    (Optional.) Removing a certificate
    (Optional.) Configuring a certificate-based access control policy...
  • Page 232: Configuring A Pki Domain

    Step: Set the unit of the entity in the organization.
    Command: organization-unit org-unit-name
    Remarks: By default, the unit is not set.
    Step: Set the state where the entity resides.
    Command: state state-name
    Remarks: By default, the state is not set.
    Step: Set the FQDN of the entity.
    Command: fqdn fqdn-name-string
    Remarks: By default, the FQDN is not set.
  • Page 233
    Step: (Optional.) Specify the LDAP server.
    Command: ldap-server host hostname [ port port-number ]
    Remarks: This task is required only when the CRL repository is an LDAP server and the URL of the CRL repository does not contain the host name of the LDAP server.
  • Page 234: Requesting A Certificate

    Step: (Optional.) Specify a source IP address for PKI protocol packets.
    Command:
    • Specify the source IPv4 address for the PKI protocol packets: source ip { ip-address | interface interface-type interface-number }
    Remarks: This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
  • Page 235: Configuring Automatic Certificate Request

    • A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA or RSA). If DSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature, and one local certificate for encryption.
    Configuring automatic certificate request
    IMPORTANT: The device does not support automatic certificate rollover.
  • Page 236: Aborting A Certificate Request

    Step: Return to system view.
    Command: quit
    Step: Obtain the CA certificate.
    Remarks: See "Obtaining certificates."
    Step: Submit a certificate request or generate a certificate request in...
    Command: pki request-certificate domain domain-name [ password password ]
    Remarks: This command is not saved in the configuration file. This command triggers the PKI entity to automatically generate a key pair if the key pair...
  • Page 237: Configuration Guidelines

    • Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, display and copy the contents of a certificate to a file on the device.
    • Make sure the certificate is in PEM format because only certificates in PEM format can be imported.
  • Page 238: Verifying Certificates With Crl Checking

    Verifying certificates with CRL checking
    CRL checking determines whether a certificate is listed in the CRL. If it is, the certificate has been revoked and its home entity is not trusted. To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order:
    CRL repository specified in the PKI domain by using this command.
  • Page 239: Specifying The Storage Path For The Certificates And Crls

    Step: Obtain the CA certificate.
    Remarks: See "Obtaining certificates."
    Step: Verify the validity of the certificates.
    Command: pki validate-certificate domain domain-name { ca | local }
    Remarks: This command is not saved in the configuration file.
    Specifying the storage path for the certificates and CRLs
    CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid...
  • Page 240: Removing A Certificate

    Step: Export certificates.
    Command:
    • Export certificates in DER format: pki export domain domain-name der { all | ca | local } filename filename
    • Export certificates in PKCS12 format: pki export domain domain-name p12 { all | local } passphrase p12passwordstring
    Remarks: If you do not specify a file name when you export a certificate in...
  • Page 241: Displaying And Maintaining Pki

    A certificate-based access control policy is a set of access control rules (permit or deny statements), each associated with a certificate attribute group. A certificate attribute group contains multiple attribute rules, each defining a matching criterion for an attribute in the certificate issuer name, subject name, or alternative subject name field.
  • Page 242: Pki Configuration Examples

    Task: Display the contents of a certificate.
    Command: display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }
    Task: Display certificate request status.
    Command: display pki certificate request-status [ domain domain-name ]
    Task: Display locally stored CRLs in a PKI domain.
    Command: display pki crl domain domain-name
  • Page 243
    Select the correct extension profiles.
    Enable the SCEP autovetting function to enable the CA server to automatically approve certificate requests without manual intervention.
    Specify the IP address list for SCEP autovetting.
    Configuring the device
    Synchronize the system time of the device with the CA server for the device to correctly request certificates or obtain CRLs.
  • Page 244
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Retrieved the certificates successfully.
    # Submit a certificate request manually. You must specify a password for certificate revocation when an RSA Keon CA server is used.
    [Device] pki request-certificate domain torsa password 1111
    Start to request the general certificate ...
  • Page 245: Requesting A Certificate From A Windows Server 2003 Ca Server

    f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8:
    25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36:
    87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52:
    ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69:
    1b:f5
    To display detailed information about the CA certificate, use the display pki certificate domain command.
    Requesting a certificate from a Windows Server 2003 CA server
    Network requirements
    Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA server.
  • Page 246
    Right-click Default Web Site and select Properties > Home Directory.
    Specify the path for certificate service in the Local path box.
    Specify a unique port number for the default website to avoid conflict with existing services. In this example, port 8080 is used.
    Configuring the device
    Synchronize the device's system time with the CA server for the device to correctly request certificates.
  • Page 247
    Is the finger print correct?(Y/N):y
    Retrieved the certificates successfully.
    # Submit a certificate request manually.
    [Device] pki request-certificate domain winserver
    Start to request the general certificate ...
    ……
    Certificate requested successfully.
    Verifying the configuration
    # Display information about the local certificate in PKI domain winserver.
    [Device] display pki certificate domain winserver local
    Certificate:
      Data:...
  • Page 248: Requesting A Certificate From An Openca Server

    herment
      X509v3 Subject Key Identifier:
        C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34
      X509v3 Authority Key Identifier:
        keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9
      X509v3 CRL Distribution Points:
        Full Name:
          URI:file://\\g07904c\CertEnroll\sec.crl
      Authority Information Access:
        CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt
        CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt
      1.3.6.1.4.1.311.20.2:
        .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
      76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d:
      6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5:
      36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2:
      14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e:
      29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec:
      cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99:
      31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc:
      0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb:
      46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:...
  • Page 249
    Figure 76 Network diagram
    Configuring the OpenCA server
    The configuration is not shown. For information about how to configure an OpenCA server, see related manuals. When you configure the CA server, use an OpenCA version later than 0.9.2, because earlier versions do not support SCEP.
  • Page 250
    Input the modulus length [default = 1024]:
    Generating Keys......++++++ ........++++++
    Create the key pair successfully.
    Request a local certificate:
    # Obtain the CA certificate and save it locally.
    [Device] pki retrieve-certificate domain openca ca
    The trusted CA's finger print is:
        fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA
        SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122
    Is the finger print correct?(Y/N):y...
  • Page 251
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      Netscape Cert Type:
        SSL Client, S/MIME
      X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
      X509v3 Extended Key Usage:
        TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
      Netscape Comment:
        User Certificate of OpenCA Labs
      X509v3 Subject Key Identifier:
        24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B
      X509v3 Authority Key Identifier:...
  • Page 252: Certificate Import And Export Configuration Example

    Certificate import and export configuration example
    Network requirements
    As shown in Figure 77, Device B will replace Device A in the network. The PKI domain exportdomain on Device A has two local certificates containing the private key and one CA certificate. To make sure the certificates are still valid after Device B replaces Device A, copy the certificates on Device A to Device B and follow these guidelines:
    • Encrypt the private key in the local certificates using 3DES_CBC with the password 1 1 1 1 1 1 when you...
  • Page 253
    -----END CERTIFICATE-----
    Bag Attributes
      friendlyName:
      localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
    Key Attributes: <No Attributes>
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZtjSjfslJCoCAggA
    …
    -----END ENCRYPTED PRIVATE KEY-----
    # Display the local certificate file pkilocal.pem-encryption.
  • Page 254
    [DeviceB] pki import domain importdomain pem local filename pkilocal.pem-signature
    Please input the password:******
    # Import the local certificate file pkilocal.pem-encryption in PEM format to the PKI domain. The certificate file contains a key pair.
    [DeviceB] pki import domain importdomain pem local filename pkilocal.pem-encryption
    Please input the password:******
    # Display the imported local certificate information on Device B.
  • Page 255
        keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
      X509v3 Subject Alternative Name:
        email:subsign@docm.com
      X509v3 Issuer Alternative Name:
        DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1
      Authority Information Access:
        CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt
        OCSP - URI:http://titan:2560/
        1.3.6.1.5.5.7.48.12 - URI:http://titan:830/
      X509v3 CRL Distribution Points:
        Full Name:
          URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
    Signature Algorithm: sha256WithRSAEncryption
      18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2:
      46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4:
      1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef:
      2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36:...
  • Page 256
        00:db:26:13:d3:d1:a4:af:11:f3:6d:37:cf:d0:d4:
        48:50:4e:0f:7d:54:76:ed:50:28:c6:71:d4:48:ae:
        4d:e7:3d:23:78:70:63:18:33:f6:94:98:aa:fa:f6:
        62:ed:8a:50:c6:fd:2e:f4:20:0c:14:f7:54:88:36:
        2f:e6:e2:88:3f:c2:88:1d:bf:8d:9f:45:6c:5a:f5:
        94:71:f3:10:e9:ec:81:00:28:60:a9:02:bb:35:8b:
        bf:85:75:6f:24:ab:26:de:47:6c:ba:1d:ee:0d:35:
        75:58:10:e5:e8:55:d1:43:ae:85:f8:ff:75:81:03:
        8c:2e:00:d1:e9:a4:5b:18:39
      Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      Netscape Cert Type:
        SSL Server
      X509v3 Key Usage:
        Key Encipherment, Data Encipherment
      Netscape Comment:
        Server of OpenCA Labs
      X509v3 Subject Key Identifier:
        CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB
      X509v3 Authority Key Identifier:
        keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD...
  • Page 257: Troubleshooting Pki Configuration

    Synchronize the system time of the device with the CA server.
    Specify the correct source IP address for PKI protocol packets that the CA server can accept.
    Verify the CA certificate's fingerprint on the CA server.
    If the problem persists, contact HP Support.
    Failed to obtain local certificates
    Symptom
    No local certificates can be obtained.
  • Page 258: Failed To Request Local Certificates

    Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
    Synchronize the system time of the device with the CA server.
    If the problem persists, contact HP Support.
    Failed to request local certificates
    Symptom
    Local certificate requests cannot be submitted.
  • Page 259: Failed To Obtain Crls

    Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
    Synchronize the system time of the device with the CA server.
    If the problem persists, contact HP Support.
    Failed to obtain CRLs
    Symptom
    CRLs cannot be obtained.
  • Page 260: Failed To Import The Ca Certificate

    Make sure the CA server supports publishing CRLs.
    Specify a correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
    If the problem persists, contact HP Support.
    Failed to import the CA certificate
    Symptom
    The CA certificate cannot be imported.
  • Page 261: Failed To Export Certificates

    Make sure the certificate is within the validity period.
    Configure the correct system time for the device.
    If the problem persists, contact HP Support.
    Failed to export certificates
    Symptom
    Certificates cannot be exported.
    Analysis
    The PKI domain does not have local certificates when you export all certificates in PKCS12 format.
  • Page 262: Configuring Ipsec

    Configuring IPsec
    The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces.
    CAUTION: ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device.
    Overview
    IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptographically-based security for IP communications.
  • Page 263: Security Protocols And Encapsulation Modes

    Security protocols and encapsulation modes
    Security protocols
    IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide.
    • AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure...
  • Page 264: Security Association

    • IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This configuration mode is simple and scales well. In medium- and large-scale dynamic networks, HP recommends setting up SAs through IKE negotiations.
    A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types:
    • Time-based lifetime—Defines how long the SA can be valid after it is created.
  • Page 265: Authentication And Encryption

    Authentication and encryption
    Authentication algorithms
    IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid.
  • Page 266: Protocols And Standards

    IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet.
    The device supports the following data flow protection modes:
    • Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule...
  • Page 267: Implementing Acl-Based Ipsec

    • Application-based IPsec tunnel—Protects the packets of an application. This method can be used to protect IPv6 routing protocols. It does not require an ACL. To establish application-based IPsec tunnels, configure manual IPsec profiles and bind the profiles to an IPv6 routing protocol. For more information about IPv6 routing protocols, see "Configuring IPsec for IPv6 routing protocols."...
  • Page 268: Configuring An Acl

    Tasks at a glance
    (Optional.) Enabling QoS pre-classify
    (Optional.) Enabling logging of IPsec packets
    (Optional.) Configuring the DF bit of IPsec packets
    (Optional.) Configuring SNMP notifications for IPsec
    Configuring an ACL
    IPsec uses ACLs to identify the traffic to be protected.
    Keywords in ACL rules
    An ACL is a collection of ACL rules.
  • Page 269: Configuring An Ipsec Transform Set

    Configuring an IPsec transform set
    An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms. Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.
  • Page 270: Configuring A Manual Ipsec Policy

    Step: Specify the mode in which the security protocol encapsulates IP packets.
    Command: encapsulation-mode { transport | tunnel }
    Remarks: By default, the security protocol encapsulates IP packets in tunnel mode. The transport mode applies only when the source and destination IP addresses of data flows match...
  • Page 271
    Step: Enter system view.
    Command: system-view
    Step: Create a manual IPsec policy entry and enter its view.
    Command: ipsec { ipv6-policy | policy } policy-name seq-number manual
    Remarks: By default, no IPsec policy exists.
    Step: (Optional.) Configure a description for the IPsec policy.
    Command: description text
    Remarks: By default, no description is configured.
  • Page 272: Configuring An Ike-Based Ipsec Policy

    Step: Configure an authentication key for AH.
    Command:
    • Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
    • Configure an authentication key in character format for AH:...
    Remarks: By default, no keys are configured for the IPsec SA.
  • Page 273
    • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
    For an IPsec SA established through IKE negotiation:
    • The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
  • Page 274
    Step: Specify the local IP address of the IPsec tunnel.
    Command: local-address { ipv4-address | ipv6 ...
    Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy...
  • Page 275
    Step: Create an IPsec policy template and enter its view.
    Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number
    Remarks: By default, no IPsec policy template exists.
    Step: (Optional.) Configure a description for the IPsec policy template.
    Command: description text
    Remarks: By default, no description is configured.
  • Page 276: Applying An Ipsec Policy To An Interface

    Step: (Optional.) Enable the global IPsec SA idle timeout function, and set the global SA idle timeout.
    Command: ipsec sa idle-time seconds
    Remarks: By default, the global IPsec SA idle timeout function is disabled.
    Step: Create an IPsec policy by referencing the IPsec policy template.
    Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp ...
    Remarks: By default, no IPsec policy exists.
  • Page 277: Configuring The Ipsec Anti-Replay Function

    Step: Enter system view.
    Command: system-view
    Step: Enable ACL checking for de-encapsulated packets.
    Command: ipsec decrypt-check enable
    Remarks: By default, this feature is enabled.
    Configuring the IPsec anti-replay function
    The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window.
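    The sliding-window mechanism named above is only mentioned, not described, so the following added example (my own model, not code from the HP guide) shows how such a window classifies each inbound sequence number as accepted, replayed, or too old, and how a large jump slides the window forward. The class and function names, the 64-packet default, and the sequence-number trace are assumptions made for the illustration.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for one inbound IPsec SA (RFC 4303 style model).

    right_edge is the highest sequence number accepted so far; bit i of bitmap
    is set when sequence number right_edge - i has already been accepted.
    Packets left of the window are dropped as too old, packets inside it are
    dropped when their bit is already set (a replay), and packets to the right
    slide the window forward.  Window size and names are assumptions.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("an anti-replay window must hold at least 32 packets")
        self.size = size
        self.right_edge = 0
        self.bitmap = 0

    def check(self, seq):
        """Classify sequence number seq as 'accept', 'replay' or 'too-old'.

        Only 'accept' updates the window.  A real receiver applies the update
        only after the packet's integrity check (ICV) passes, so a forged
        packet cannot slide the window and shut out legitimate traffic.
        """
        if seq == 0:
            return "too-old"                 # sequence number 0 is never valid
        if seq > self.right_edge:
            shift = seq - self.right_edge
            if shift >= self.size:
                self.bitmap = 1              # everything previously seen fell out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right_edge = seq
            return "accept"
        offset = self.right_edge - seq
        if offset >= self.size:
            return "too-old"
        if self.bitmap & (1 << offset):
            return "replay"
        self.bitmap |= 1 << offset          # late but not yet seen: accept it
        return "accept"


def audit_sequence(seqs, size=64):
    """Run a constructed sequence-number trace through one window.

    Returns (seq, decision) pairs; the non-accept decisions are the discards a
    device would log together with the SPI, sequence number and reason.
    """
    window = AntiReplayWindow(size)
    return [(seq, window.check(seq)) for seq in seqs]


# Constructed trace for one SA: in-order packets, a reordered pair, a replayed
# packet, a large jump, a late-but-valid packet and one that is too old.
SAMPLE_TRACE = [1, 2, 3, 5, 4, 3, 100, 70, 36, 37, 100, 101]

if __name__ == "__main__":
    for seq, decision in audit_sequence(SAMPLE_TRACE):
        print(f"seq={seq:<4} {decision}")
```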
  • Page 278: Configuring Ipsec Anti-Replay Redundancy

    Configuring IPsec anti-replay redundancy
    This feature synchronizes the following information from the master device to all subordinate devices in an IRF fabric at configurable packet-based intervals:
    • Lower bound values of the IPsec anti-replay window for inbound packets.
    • IPsec anti-replay sequence numbers for outbound packets.
  • Page 279: Enabling Qos Pre-Classify

    • If the source interface bound to an IPsec policy is removed, the IPsec policy becomes a common IPsec policy.
    • If no local address is specified for an IPsec policy that has been bound to a source interface, the IPsec policy uses the IP address of the bound source interface to perform IKE negotiation.
  • Page 280: Enabling Logging Of Ipsec Packets

    Enabling logging of IPsec packets
    Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, the SPI value, and the sequence number of a discarded IPsec packet, and the reason for the failure.
  • Page 281: Configuring Ipsec For Ipv6 Routing Protocols

    Step: Enter system view.
    Command: system-view
    Step: Configure the DF bit of IPsec packets globally.
    Command: ipsec global-df-bit { clear | copy | set }
    Remarks: By default, IPsec copies the DF bit in the original IP header to the new IP header.
    Configuring IPsec for IPv6 routing protocols
    Configuration task list
    Complete the following tasks to configure IPsec for IPv6 routing protocols:...
  • Page 282: Configuring Snmp Notifications For Ipsec

    Step: (Optional.) Configure a description for the IPsec profile.
    Command: description text
    Remarks: By default, no description is configured.
    Step: Reference an IPsec transform set for the IPsec profile.
    Command: transform-set transform-set-name
    Remarks: By default, no IPsec transform set is referenced for an IPsec profile. The referenced IPsec transform set...
  • Page 283: Displaying And Maintaining Ipsec

    To configure SNMP notifications for IPsec:
    Step: Enter system view.
    Command: system-view
    Step: Enable SNMP notifications for IPsec globally.
    Command: snmp-agent trap enable ipsec global
    Remarks: By default, SNMP notifications for IPsec are disabled.
    Step: Enable SNMP notifications for the specified failure or event types.
    Command: snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | invalid-sa-failure | ...
    Remarks: By default, SNMP notifications for...
  • Page 284: Ipsec Configuration Examples

    IPsec configuration examples
    Configuring a manual mode IPsec tunnel for IPv4 packets
    Network requirements
    As shown in Figure 81, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches. Configure the tunnel as follows:
    • Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as...
  • Page 285
    # Specify the remote IP address of the IPsec tunnel as 2.2.3.1.
    [SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
    # Configure inbound and outbound SPIs for ESP.
    [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
    [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
    # Configure the inbound and outbound SA keys for ESP.
    [SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
    [SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
    [SwitchA-ipsec-policy-manual-map1-10] quit...
  • Page 286: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
    [SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
    [SwitchB-ipsec-policy-manual-use1-10] quit
    # Apply the IPsec policy use1 to interface VLAN-interface 1.
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ipsec apply policy use1
    Verifying the configuration
    After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established, and the traffic between the switches is IPsec protected.
  • Page 287
    Figure 82 Network diagram
    Configuration procedure
    Configure Switch A:
    # Configure an IP address for VLAN-interface 1.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    # Configure an ACL to identify data flows between Switch A and Switch B.
    [SwitchA] acl number 3101
    [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
    [SwitchA-acl-adv-3101] quit...
  • Page 288
    [SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
    # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.
    [SwitchA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1
    [SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
    # Apply the IKE profile profile1.
    [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
    [SwitchA-ipsec-policy-isakmp-map1-10] quit
    # Apply the IPsec policy map1 to interface VLAN-interface 1.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec apply policy map1
    Configure Switch B:...
  • Page 289: Configuring Ipsec For Ripng

    # Apply ACL 3101.
    [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
    # Apply the IPsec transform set tran1.
    [SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
    # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.
    [SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1
    [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
    # Apply the IKE profile profile1.
  • Page 290
    Configuration procedure
    Configure Switch A:
    # Configure IPv6 addresses for interfaces. (Details not shown.)
    # Configure basic RIPng.
    <SwitchA> system-view
    [SwitchA] ripng 1
    [SwitchA-ripng-1] quit
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ripng 1 enable
    [SwitchA-Vlan-interface100] quit
    # Create and configure the IPsec transform set named tran1.
    [SwitchA] ipsec transform-set tran1
    [SwitchA-ipsec-transform-set-tran1] encapsulation-mode transport
    [SwitchA-ipsec-transform-set-tran1] protocol esp...
  • Page 291
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit
    # Create and configure the IPsec profile named profile001.
    [SwitchB] ipsec profile profile001 manual
    [SwitchB-ipsec-profile-profile001] transform-set tran1
    [SwitchB-ipsec-profile-profile001] sa spi outbound esp 123456
    [SwitchB-ipsec-profile-profile001] sa spi inbound esp 123456
    [SwitchB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
    [SwitchB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
    [SwitchB-ipsec-profile-profile001] quit
    # Apply the IPsec profile to RIPng process 1.
  • Page 292
    # Use the display ripng command to display the RIPng configuration. The output shows that the IPsec profile profile001 has been applied to RIPng process 1.
    [SwitchA] display ripng 1
        RIPng process : 1
           Preference : 100
           Checkzero : Enabled
           Default Cost : 0
           Maximum number of balanced paths : 8
           Update time...
  • Page 293: Configuring Ike

    Configuring IKE
    Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces.
    Overview
    Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec.
  • Page 294: Ike Security Mechanism

    Figure 85 IKE exchange process in main mode
    As shown in Figure 85, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
    • SA exchange—Used for negotiating the IKE security policy.
    • Key exchange—Used for exchanging the DH public value and other values, such as the random...
  • Page 295: Protocols And Standards

    the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node.
    DH algorithm
    The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared keys from the exchanged values is computationally infeasible, a third party cannot recover the keys even after intercepting all the keying material.
  • Page 296: Configuring An Ike Profile

    Tasks at a glance
    (Optional.) Configuring an IKE proposal. Remarks: Required when the IKE profile needs to reference IKE proposals.
    (Optional.) Configuring an IKE keychain. Remarks: Required when pre-shared key authentication is used in IKE negotiation phase 1.
    (Optional.) Configuring the global identity information
    (Optional.) Configuring the IKE keepalive function
    (Optional.)...
  • Page 297
    Specify a priority number for the IKE profile. To determine the priority of an IKE profile:
    First, the device checks whether the match local address command is configured. An IKE profile with the match local address command configured has a higher priority.
    If a tie exists, the device compares the priority numbers.
  • Page 298: Configuring An Ike Proposal

    Step: (Optional.) Configure IKE DPD.
    Command: dpd interval interval-seconds [ retry ...
    Remarks: By default, the IKE DPD function is not configured for an IKE profile, and an IKE profile uses the DPD settings configured in system view. If the IKE DPD...
  • Page 299: Configuring An Ike Keychain

    Step: Specify an encryption algorithm for the IKE proposal.
    Command:
    • In non-FIPS mode: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
    Remarks: By default:
    • In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
  • Page 300: Configuring The Global Identity Information

    Step Command Remarks Enter system view (system-view). Create an IKE keychain and enter its view (ike keychain keychain-name). By default, no IKE keychain exists. By default, no pre-shared key is configured. • In non-FIPS mode: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname
  • Page 301: Configuring The Ike Keepalive Function

    Step Command Remarks (Optional.) Configure the local device to always obtain the identity information from... (ike signature-identity). By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. Configure this command on the local device when the following conditions exist:
  • Page 302: Configuring Ike Dpd

    To configure the IKE NAT keepalive function: Step Command Remarks Enter system view. system-view Set the IKE NAT keepalive ike nat-keepalive seconds The default interval is 20 seconds. interval. Configuring IKE DPD DPD detects dead peers. It can operate in periodic mode or on-demand mode. Periodic DPD—Sends a DPD message at regular intervals.
  • Page 303: Enabling Invalid Spi Recovery

    Enabling invalid SPI recovery An IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs). One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered.
  • Page 304: Displaying And Maintaining Ike

    information about SNMP notifications, see Network Management and Monitoring Configuration Guide. To generate and output SNMP notifications for a specific IKE failure or event type, perform the following tasks: Enable SNMP notifications for IKE globally. Enable SNMP notifications for the failure or event type. To configure SNMP notifications for IKE: Step Command...
  • Page 305 Configure Switch A and Switch B to use the default IKE proposal for the IKE negotiation to set up the IPsec SA. Configure the two switches to use the pre-shared key authentication method. Figure 86 Network diagram Configuration procedure Make sure Switch A and Switch B can reach each other. Configure Switch A: # Assign an IP address to VLAN-interface 1.
  • Page 306 # Specify the remote IP address 2.2.2.2 for the IPsec tunnel. [SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2 # Reference ACL 3101 to identify the traffic to be protected. [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101 # Reference IPsec transform set tran1 for the IPsec policy. [SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Specify IKE profile profile1 for the IPsec policy.
  • Page 307: Verifying The Configuration

    # Create an IKE-based IPsec policy entry with the name use1 and the sequence number 10. [SwitchB] ipsec policy use1 10 isakmp # Specify the remote IP address 1.1.1.1 for the IPsec tunnel. [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1 # Reference ACL 3101 to identify the traffic to be protected. [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101 # Reference IPsec transform set tran1 for the IPsec policy.
  • Page 308: Ike Negotiation Failed Because No Ike Proposals Or Ike Keychains Are Referenced Correctly

    Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals. IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly Symptom The IKE SA is in Unknown state. <Sysname> display ike sa Connection-ID Remote Flag...
  • Page 309: Ipsec Sa Negotiation Failed Due To Invalid Identity Information

    Analysis Certain IPsec policy settings are incorrect. Solution Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec SA negotiation failed due to invalid identity information Symptom The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated...
  • Page 310 NAT traversal: Not detected # Verify that the IPsec policy is referencing an IKE profile. [Sysname] display ipsec policy ------------------------------------------- IPsec Policy: policy1 Interface: Vlan-interface1 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: isakmp ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: 192.168.222.71 Transform set:...
  • Page 311 ----------------------------- Sequence number: 1 Mode: isakmp ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: Transform set: transform1 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time: Solution If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.
  • Page 312: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
  • Page 313: Ssh Authentication Methods

    CLI. The text pasted at one time must be no more than 2000 bytes. Interaction To execute the commands successfully, HP recommends that you paste commands that are in the same view. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload the file to the server through SFTP, and use it to restart the server.
  • Page 314: Fips Compliance

    Informs the client of the authentication result. If the AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password.
  • Page 315: Configuring The Device As An Ssh Server

    Configuring the device as an SSH server SSH server configuration task list Tasks at a glance Remarks (Optional.) Generating local key pairs (Required.) Enabling the Stelnet server Required for Stelnet servers. (Required.) Enabling the SFTP server Required for SFTP servers. (Required.) Enabling the SCP server Required for SCP servers.
  • Page 316: Enabling The Stelnet Server

    • To support SSH clients that use different types of key pairs, generate DSA, RSA, and ECDSA key pairs on the SSH server. • The SSH server operating in FIPS mode supports only RSA and ECDSA key pairs. • The public-key local create rsa command generates a server key pair and a host key pair for RSA. •...
  • Page 317: Enabling The Scp Server

    Enabling the SCP server After you enable the SCP server on the device, clients can log in to the device through SCP. The device that acts as an SCP server does not support SCP connections initiated by SSH1 clients. To enable the SCP server: Step Command Remarks...
  • Page 318: Configuring A Client's Host Public Key

    Configure the client's DSA, RSA, or ECDSA host public key on the server. HP recommends that you configure no more than 20 SSH client host public keys on an SSH server. Specify the associated host private key on the client to generate the digital signature.
  • Page 319: Configuring An Ssh User

    Importing the client's host public key from the public key file Before you import the host public key, upload the client's public key file (in binary) to the server, for example, through FTP or TFTP. During the import process, the server automatically converts the host public key in the public key file to a string in PKCS format.
  • Page 320: Configuring The Ssh Management Parameters

    If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view. • If you change the authentication method or public key for a logged-in SSH user, the changes take...
  • Page 321 Step Command Remarks By default, the RSA server key pair is not updated. Set the minimum update This command takes effect only on interval for the RSA server key ssh server rekey-interval hours SSH1 users. pair. This command is not available in FIPS mode.
  • Page 322: Configuring The Device As An Stelnet Client

    Establishing a connection to an Stelnet server Specifying the source IP address for SSH packets HP recommends that you specify the IP address of the loopback interface as the source interface for SSH packets for the following purposes: Ensuring the communication between the Stelnet client and the Stelnet server.
  • Page 323 Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher...
  • Page 324: Configuring The Device As An Sftp Client

    Terminating the connection with the SFTP server Specifying the source IP address for SFTP packets HP recommends that you specify the IP address of the loopback interface as the source interface for SFTP packets for the following purposes: Ensuring the communication between the SFTP client and the SFTP server.
  • Page 325 In an insecure network, HP recommends that you configure the server's host public key on the device. After the connection is established, you can directly enter SFTP client view on the server to perform file or directory operations. To establish a connection to an SFTP server:...
  • Page 326: Working With Sftp Directories

    Working with SFTP directories Task Command Remarks Change the working directory on the SFTP server (cd [ remote-path ]). Available in SFTP client view. Return to the upper-level directory (cdup). Available in SFTP client view. Display the current working directory on the SFTP server. Available in SFTP client view.
  • Page 327: Terminating The Connection With The Sftp Server

    If you choose to continue, the device accesses the server and downloads the server's host public key. If you choose to not continue, the connection cannot be established. • In an insecure network, HP recommends that you configure the server's host public key on the device. To transfer files with an SCP server:...
  • Page 328 Task Command Remarks • In non-FIPS mode, connect to the IPv4 SCP server, and transfer files with this server: scp server [ port-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange |...
  • Page 329: Displaying And Maintaining Ssh

    Displaying and maintaining SSH Execute display commands in any view. Task Command Display the source IP address configured for the SFTP client (display sftp client source). Display the source IP address configured for the Stelnet client (display ssh client source). Display SSH server status or sessions.
  • Page 330 Configuration procedure Configure the Stelnet server: # Generate RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 331 [Switch-luser-manage-client001] service-type ssh # Assign the user role network-admin to the user. [Switch-luser-manage-client001] authorization-attribute user-role network-admin [Switch-luser-manage-client001] quit # Create an SSH user client001. Specify the service type as stelnet and the authentication method as password for the user. [Switch] ssh user client001 service-type stelnet authentication-type password Establish a connection to the Stelnet server: There are different types of Stelnet client software, such as PuTTY and OpenSSH.
  • Page 332: Publickey Authentication Enabled Stelnet Server Configuration Example

    Publickey authentication enabled Stelnet server configuration example Network requirements As shown in Figure ...: • You can log in to the switch through the Stelnet client (SSH2) that runs on the host. • After login, you are assigned the user role network-admin for configuration management. •...
  • Page 333 Figure 90 Generating a key pair on the client Continuously move the mouse and do not place the mouse over the green progress bar shown Figure 91. Otherwise, the progress bar stops moving and the key pair generating progress stops. Figure 91 Generating process...
  • Page 334 After the key pair is generated, click Save public key to save the public key. A file saving window appears. Enter a file name (key.pub in this example), and click Save. Figure 92 Saving a key pair on the client On the page as shown in Figure 92, click Save private key to save the private key.
  • Page 335 # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 336 Figure 93 Specifying the host name (or IP address) Select Connection > SSH from the navigation tree. The window shown in Figure 94 appears. Specify the Preferred SSH protocol version as 2 in the Protocol options area. Figure 94 Specifying the preferred SSH version...
  • Page 337: Password Authentication Enabled Stelnet Client Configuration Example

    Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 95 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK. Figure 95 Specifying the private key file Click Open to connect to the server.
  • Page 338 Figure 96 Network diagram Configuration procedure Configure the Stelnet server: # Generate RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 339 [SwitchB-line-vty0-63] authentication-mode scheme [SwitchB-line-vty0-63] quit # Create a local device management user client001. [SwitchB] local-user client001 class manage # Specify the plaintext password as aabbcc and the service type as ssh for the user. [SwitchB-luser-manage-client001] password simple aabbcc [SwitchB-luser-manage-client001] service-type ssh # Assign the user role network-admin to the user.
  • Page 340 [SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2 88317C1BD8171D41ECB83E210C03CC9 [SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C 9B09EEF0381840002818000AF995917 [SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5 F257523777D033BEE77FC378145F2AD [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 Press CTRL+C to abort.
  • Page 341: Publickey Authentication Enabled Stelnet Client Configuration Example

    * no decompiling or reverse-engineering shall be allowed. ****************************************************************************** <SwitchB> After you enter the correct password, you can log in to Switch B successfully. The server's host public key is saved on the client. At the next connection attempt, the system will not notify you to authenticate the server.
  • Page 342 [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048) If the key modulus is greater than 512, it will take a few minutes.
  • Page 343: Sftp Configuration Examples

    # Create an SSH user client002. Specify the authentication method as publickey for the user. Assign the public key switchkey to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey # Create a local device management user client002. Specify the service type as ssh for the user. Assign the user role network-admin to the user.
  • Page 344 After login, you are assigned the user role network-admin to execute file management and transfer • operations. The switch acts as the SFTP server and uses password authentication. • The username and password of the client are saved on the switch. •...
  • Page 345 [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0 [Switch-Vlan-interface2] quit # Create a local device management user client002. Specify the plaintext password as aabbcc and the service type as ssh for the user. Assign the user role network-admin and the working directory flash:/ to the user.
  • Page 346: Publickey Authentication Enabled Sftp Client Configuration Example

    Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 100: • You can log in to Switch B through the SFTP client that runs on Switch A. • After login, you are assigned the user role network-admin to execute file management and transfer...
  • Page 347: Ssh Connection

    [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 348 [SwitchB-luser-manage-client001] quit Establish a connection to the SFTP server: # Establish a connection to the SFTP server and enter SFTP client view. <SwitchA> sftp 192.168.0.1 identity-key rsa Username: client001 Press CTRL+C to abort. Connecting to 192.168.0.1 port 22. The server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n sftp>...
  • Page 349: Scp File Transfer With Password Authentication

    /pubkey2 100% 225 1.4KB/s 00:00 # Upload the local file pu to the server, save it as puk, and verify the result. sftp> put pu puk Uploading pu to / puk sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup...
  • Page 350 [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 351: Netconf Over Ssh Configuration Example With Password Authentication

    [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit Connect to the SCP server, download the file remote.bin from the server, and save it locally with the name local.bin. <SwitchA> scp 192.168.0.1 get remote.bin local.bin Username: client001 Press CTRL+C to abort.
  • Page 352 [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 353: Verifying The Configuration

    # Configure an SSH user client001. Specify the service type as NETCONF and the authentication method as password for the user. [Switch] ssh user client001 service-type netconf authentication-type password Verifying the configuration # Verify that you can perform NETCONF operations after logging in to the switch. (Details not shown.)
  • Page 354: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: Privacy—SSL uses a symmetric encryption algorithm to encrypt data and uses an asymmetric key...
  • Page 355: Fips Compliance

    • SSL handshake protocol, SSL change cipher spec protocol, and SSL alert protocol at the upper layer. Figure 104 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to...
  • Page 356: Configuring An Ssl Client Policy

    To configure an SSL server policy: Step Command Remarks Enter system view (system-view). Create an SSL server policy and enter its view (ssl server-policy policy-name). By default, no SSL server policy exists on the device. By default, no PKI domain is specified for an SSL server policy.
  • Page 357: Displaying And Maintaining Ssl

    Step Command Remarks Create an SSL client policy and enter its view (ssl client-policy policy-name). By default, no SSL client policy exists on the device. (Optional.) Specify a PKI ... By default, no PKI domain is specified for an SSL client policy. If SSL client authentication is required, you must specify a PKI domain and request a local...
  • Page 358: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops all packets that do not match the table. The IPSG binding table can include the following bindings: IP-interface.
  • Page 359: Static Ipsg Bindings

    Static IPSG bindings Static IPSG bindings are configured manually. They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a static IPSG binding on an interface that connects to a server. This binding allows the interface to receive packets only from the server.
  • Page 360: Ipsg Configuration Task List

    IPSG configuration task list To configure IPv4SG, perform the following tasks: Tasks at a glance (Required.) Enabling IPv4SG on an interface (Optional.) Configuring a static IPv4SG binding To configure IPv6SG, perform the following tasks: Tasks at a glance (Required.) Enabling IPv6SG on an interface (Optional.) Configuring a static IPv6SG binding Configuring the IPv4SG feature...
  • Page 361: Configuring A Static Ipv4Sg Binding

    Configuring a static IPv4SG binding You can configure global static and interface-specific static IPv4SG bindings. Global static bindings take effect on all interfaces. Interface-specific static bindings take priority over global static bindings. An interface first uses the static bindings on the interface to match packets. If no match is found, the interface uses the global bindings. Configuring a global static IPv4SG binding Step Command...
  • Page 362: Configuring A Static Ipv6Sg Binding

    Step Command Remarks Enter system view (system-view). Enter interface view (interface interface-type interface-number). The following interface types are supported: • Layer 2 Ethernet interface. • VLAN interface. Enable the IPv6SG feature (ipv6 verify source { ip-address | ...). By default, the IPv6SG feature is disabled on an interface. If you configure this command on...
  • Page 363: Ipsg Configuration Examples

    Task Command Display IPv4SG bindings: display ip source binding [ static | [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] Display IPv6SG bindings: display ipv6 source binding [ static | [ dhcpv6-snooping ] ] [ ip-address
  • Page 364: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    # Enable IPv4SG on Ten-GigabitEthernet 1/0/1. [SwitchA] interface ten-gigabitethernet 1/0/1 [SwitchA-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address # On Ten-GigabitEthernet 1/0/1, configure a static IPv4SG binding for Host A. [SwitchA-Ten-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [SwitchA-Ten-GigabitEthernet1/0/1] quit Configure Switch B: # Configure an IP address for each interface.
  • Page 365: Dynamic Ipv4Sg Using Dhcp Relay Configuration Example

    Enable dynamic IPv4SG on Ten-GigabitEthernet 1/0/1 to filter received packets based on DHCP snooping entries, allowing only packets from the client that obtains an IP address from the DHCP server to pass. Figure 107 Network diagram Configuration procedure Configure the DHCP server. For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
  • Page 366: Static Ipv6Sg Configuration Example

    Figure 108 Network diagram Configuration procedure Configure dynamic IPv4SG: # Configure IP addresses for the interfaces. (Details not shown.) # Enable IPv4SG on VLAN-interface 100 and verify the source IP address and MAC address for dynamic IPSG. <Switch> system-view [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip verify source ip-address mac-address [Switch-Vlan-interface100] quit Configure the DHCP relay agent:...
  • Page 367: Dynamic Ipv6Sg Using Dhcpv6 Snooping Configuration Example

    Figure 109 Network diagram Configuration procedure # Enable IPv6SG on Ten-GigabitEthernet 1/0/1. <Switch> system-view [Switch] interface ten-gigabitethernet 1/0/1 [Switch-Ten-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address # On Ten-GigabitEthernet 1/0/1, configure a static IPv6SG binding for the host. [Switch-Ten-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202 [Switch-Ten-GigabitEthernet1/0/1] quit Verifying the configuration...
  • Page 368 [Switch] ipv6 dhcp snooping enable # Configure the interface connecting to the DHCP server as a trusted interface. [Switch] interface ten-gigabitethernet 1/0/2 [Switch-Ten-GigabitEthernet1/0/2] ipv6 dhcp snooping trust [Switch-Ten-GigabitEthernet1/0/2] quit Enable IPv6SG: # Enable IPv6SG on Ten-GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPv6SG.
  • Page 369: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 370: Configuring Arp Source Suppression

    • ARP source suppression—Stops resolving packets from a host if the number of unresolvable IP packets from the host exceeds the upper limit within 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.
  • Page 371: Configuration Example

    Task Command Display ARP source suppression configuration information (display arp source-suppression). Configuration example Network requirements As shown in Figure 111, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack.
  • Page 372: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP detection enabled device will send all received ARP packets to the CPU for inspection. Processing excessive ARP packets will make the device malfunction or even crash.
  • Page 373: Configuring Source Mac-Based Arp Attack Detection

    NOTE: If you enable notification sending and logging for ARP packet rate limit on a Layer 2 aggregate interface, the functions apply to all aggregation member ports. Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry.
  • Page 374: Configuration Example

    Task Command Display ARP attack entries detected by source MAC-based ARP attack detection (display arp source-mac { slot slot-number | interface interface-type interface-number }). Configuration example Network requirements As shown in Figure 112, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and be unable to process requests from the clients.
  • Page 375: Configuring Arp Packet Source Mac Consistency Check

    # Set the threshold to 30. [Device] arp source-mac threshold 30 # Set the lifetime to 60 seconds for ARP attack entries. [Device] arp source-mac aging-time 60 # Exclude MAC address 0012-3f86-e94c from this detection. [Device] arp source-mac exclude-mac 0012-3f86-e94c Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet...
  • Page 376: Configuring Authorized Arp

    Configuring authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide. With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries.
  • Page 377: Configuring Arp Packet Validity Check

    DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide. Configuration guidelines You must specify a VLAN for an IP source guard binding. Otherwise, no ARP packets can match the IP source guard binding. Configuration procedure To configure user validity check: Step...
  • Page 378: Configuring Arp Restricted Forwarding

    Step Command Remarks Enter VLAN view (vlan vlan-id). Enable ARP detection (arp detection enable). By default, ARP detection is disabled. Return to system view (quit). Enable ARP packet validity check and specify the objects to be checked (arp detection validate { dst-mac | ip | src-mac }). By default, ARP packet validity check is disabled.
  • Page 379: User Validity Check And Arp Packet Validity Check Configuration Example

    Task Command Clear the ARP detection statistics (reset arp detection statistics [ interface interface-type interface-number ]). User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 113, configure DHCP snooping on Switch B, and enable ARP detection in VLAN 10. Switch B performs ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts.
  • Page 380: Arp Restricted Forwarding Configuration Example

    # Enable recording of client information in DHCP snooping entries on Ten-GigabitEthernet 1/0/1. [SwitchB] interface ten-gigabitethernet 1/0/1 [SwitchB-Ten-GigabitEthernet1/0/1] dhcp snooping binding record [SwitchB-Ten-GigabitEthernet1/0/1] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.
  • Page 381 Figure 114 Network diagram. Configuration procedure: Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of the VLAN interface. (Details not shown.) Configure the DHCP server on Switch A, and configure DHCP address pool 0.
    <SwitchA> system-view
    [SwitchA] dhcp enable
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0...
  • Page 382: Configuring Arp Scanning And Fixed Arp

    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
    [SwitchB] arp detection validate dst-mac ip src-mac
    # Configure port isolation.
    [SwitchB] port-isolate group 1
    [SwitchB] interface ten-gigabitethernet 1/0/1
    [SwitchB-Ten-GigabitEthernet1/0/1] port-isolate enable group 1
    [SwitchB-Ten-GigabitEthernet1/0/1] quit
    [SwitchB] interface ten-gigabitethernet 1/0/2
    [SwitchB-Ten-GigabitEthernet1/0/2] port-isolate enable group 1...
  • Page 383: Configuration Procedure

    • Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
    • To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address command.
    • Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
  • Page 384: Configuration Example

    Step / Command / Remarks: Enable ARP gateway protection for the specified gateway: arp filter source ip-address. By default, ARP gateway protection is disabled.
    Configuration example. Network requirements: As shown in Figure 115, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
  • Page 385: Configuration Guidelines

    An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded. Configuration guidelines Follow these guidelines when you configure ARP filtering: You can configure a maximum of eight permitted entries on an interface.
  • Page 386 Figure 116 Network diagram. Configuration procedure:
    # Configure ARP filtering on Switch B.
    <SwitchB> system-view
    [SwitchB] interface ten-gigabitethernet 1/0/1
    [SwitchB-Ten-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
    [SwitchB-Ten-GigabitEthernet1/0/1] quit
    [SwitchB] interface ten-gigabitethernet 1/0/2
    [SwitchB-Ten-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
    Verifying the configuration
    # Verify that Ten-GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets.
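    As an added example that is not HP's or the switch's code, the following Python models the two mechanisms these pages describe: the ARP packet validity check (arp detection validate { dst-mac | ip | src-mac }, pages 378 and 382) and ARP filtering with permitted sender IP/MAC entries (pages 385 and 386). The eight-entry limit and the Host A binding 10.1.1.2 / 000f-e349-1233 come from the page; the exact condition behind each validate object, the gateway MAC and the unlisted host's MAC are assumptions.

```python
"""Added example, not the switch's code: ARP packet validity check and ARP filtering as
described on pages 378-386.  The eight-entry limit and the sender IP/MAC match rule come
from the page; the per-object rules for src-mac, dst-mac and ip are assumptions."""
from __future__ import annotations

import struct
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAX_FILTER_ENTRIES = 8  # page 385: at most eight permitted entries per interface
ArpPacket = namedtuple("ArpPacket", "eth_dst eth_src opcode sender_mac sender_ip target_mac target_ip")


def mac_bytes(text: str) -> bytes:
    """Convert the switch's H-H-H notation (000f-e349-1233) or colon form to 6 bytes."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {text}")
    return raw


def parse_arp(frame: bytes) -> ArpPacket:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP payload."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not a complete ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpPacket(frame[0:6], frame[6:12], opcode, frame[22:28], IPv4Address(frame[28:32]),
                     frame[32:38], IPv4Address(frame[38:42]))


def build_arp(dst: bytes, src: bytes, op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    # Constructed frame for the demonstration (inverse of parse_arp).
    return (dst + src + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, op)
            + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed)


def validity_check(pkt: ArpPacket, objects: set[str]) -> list[str]:
    """Return the failed checks among the objects given to 'arp detection validate'.
    Assumed rules: src-mac, ARP sender MAC equals the Ethernet source MAC; dst-mac, in a
    reply the target MAC equals the Ethernet destination MAC and is neither all-zero nor
    all-one; ip, sender IP (plus target IP in a reply) is not all-zero, all-one or multicast."""
    failures = []
    if "src-mac" in objects and pkt.sender_mac != pkt.eth_src:
        failures.append("src-mac")
    if "dst-mac" in objects and pkt.opcode == ARP_REPLY and (
            pkt.target_mac in (b"\x00" * 6, b"\xff" * 6) or pkt.target_mac != pkt.eth_dst):
        failures.append("dst-mac")
    if "ip" in objects:
        ips = [pkt.sender_ip] if pkt.opcode == ARP_REQUEST else [pkt.sender_ip, pkt.target_ip]
        if any(ip.packed in (b"\x00" * 4, b"\xff" * 4) or ip.is_multicast for ip in ips):
            failures.append("ip")
    return failures


@dataclass
class ArpFilterInterface:
    """Per-interface ARP filtering, i.e. 'arp filter binding ip-address mac-address'."""
    name: str
    permitted: dict[IPv4Address, bytes] = field(default_factory=dict)

    def add_binding(self, ip: str, mac: str) -> None:
        if len(self.permitted) >= MAX_FILTER_ENTRIES:
            raise ValueError(f"{self.name}: at most {MAX_FILTER_ENTRIES} permitted entries")
        self.permitted[IPv4Address(ip)] = mac_bytes(mac)

    def permits(self, pkt: ArpPacket) -> bool:
        # Sender IP and MAC must both match a permitted entry; otherwise the packet is discarded.
        return self.permitted.get(pkt.sender_ip) == pkt.sender_mac


def demo() -> dict[str, object]:
    """Replay the page's Figure 116 binding for Host A against constructed frames."""
    xge1 = ArpFilterInterface("Ten-GigabitEthernet1/0/1")
    xge1.add_binding("10.1.1.2", "000f-e349-1233")  # Host A's binding, from the page
    host_a, bcast, zero = mac_bytes("000f-e349-1233"), b"\xff" * 6, b"\x00" * 6
    other = mac_bytes("0000-5e00-5301")    # constructed: an unlisted host (RFC 7042 range)
    gateway = mac_bytes("000f-e349-0001")  # constructed gateway MAC
    objects = {"dst-mac", "ip", "src-mac"}  # as configured on page 382
    frames = {
        "host_a": build_arp(bcast, host_a, ARP_REQUEST, host_a, "10.1.1.2", zero, "10.1.1.1"),
        # Host A's IP claimed from an unlisted MAC: discarded by the filter binding.
        "spoof": build_arp(bcast, other, ARP_REQUEST, other, "10.1.1.2", zero, "10.1.1.1"),
        # Body matches the binding but the Ethernet source does not: caught by src-mac.
        "inconsistent": build_arp(bcast, other, ARP_REQUEST, host_a, "10.1.1.2", zero, "10.1.1.1"),
        # Reply carrying an all-zero target MAC: caught by dst-mac.
        "bad_reply": build_arp(host_a, gateway, ARP_REPLY, gateway, "10.1.1.1", zero, "10.1.1.2"),
    }
    result: dict[str, object] = {}
    for label, frame in frames.items():
        pkt = parse_arp(frame)
        result[f"{label}_permitted"] = xge1.permits(pkt)
        result[f"{label}_failures"] = validity_check(pkt, objects)
    return result
```

    The spoof case passes every validate object and is stopped only by the filter binding, while the inconsistent frame passes the binding and is stopped only by src-mac, which is why the page combines both checks.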
  • Page 387: Configuring Mff

    Configuring MFF. Overview: MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
  • Page 388: Basic Concepts

    Basic concepts: An MFF-enabled device has two types of ports: user port and network port. User port: An MFF user port is directly connected to a host and processes the following packets differently:
    • Allows multicast packets to pass.
    • Delivers ARP packets to the CPU.
    • ...
  • Page 389: Mff Working Mechanism

    gateway's MAC address, the MFF device updates the MAC address upon receiving an ARP packet with a different sender MAC address from the default gateway. MFF working mechanism Hosts connecting to an MFF device use the ARP fast-reply mechanism for Layer 3 communication. This mechanism helps reduce the number of broadcast messages.
  • Page 390: Enabling Periodic Gateway Probe

    Step / Command / Remarks: Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view:
    • Layer 2 Ethernet interface view: interface interface-type interface-number
    • Layer 2 aggregate interface view: interface bridge-aggregation interface-number
    Configure the port as a network port: mac-forced-forwarding network-port. By default, the port is a user port.
  • Page 391: Displaying And Maintaining Mff

    Step / Command / Remarks: Enter system view: system-view. Enter VLAN view: vlan vlan-id. Specify the IP addresses of servers: mac-forced-forwarding server server-ip&<1-10>. By default, no server IP address is specified.
    Displaying and maintaining MFF: Execute display commands in any view. Task / Command: Display MFF port configuration information.
  • Page 392: Manual-Mode Mff Configuration Example In A Ring Network

    # Configure manual-mode MFF on VLAN 100.
    [SwitchA] vlan 100
    [SwitchA-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
    # Specify the IP address of the server.
    [SwitchA-vlan100] mac-forced-forwarding server 10.1.1.200
    # Enable ARP snooping on VLAN 100.
    [SwitchA-vlan100] arp snooping enable
    [SwitchA-vlan100] quit
    # Configure Ten-GigabitEthernet 1/0/2 as a network port.
    [SwitchA] interface ten-gigabitethernet 1/0/2
    [SwitchA-Ten-GigabitEthernet1/0/2] mac-forced-forwarding network-port
    Configure Switch B:...
  • Page 393 Figure 119 Network diagram: Switch A, Switch B, Switch C, Gateway (10.1.1.100/24), Host A (10.1.1.1/24), Host B (10.1.1.2/24), Host C (10.1.1.3/24), Server (10.1.1.200/24), connected through interfaces XGE1/0/1 to XGE1/0/10. Configuration procedure: Configure the IP addresses of the hosts and Gateway as shown in Figure 119.
  • Page 394 # Configure Ten-GigabitEthernet 1/0/4 and Ten-GigabitEthernet 1/0/6 as network ports.
    [SwitchB] interface ten-gigabitethernet 1/0/4
    [SwitchB-Ten-GigabitEthernet1/0/4] mac-forced-forwarding network-port
    [SwitchB-Ten-GigabitEthernet1/0/4] quit
    [SwitchB] interface ten-gigabitethernet 1/0/6
    [SwitchB-Ten-GigabitEthernet1/0/6] mac-forced-forwarding network-port
    Enable STP on Switch C globally to make sure STP is enabled on interfaces.
    <SwitchC>...
  • Page 395: Configuring Crypto Engines

    Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
  • Page 396: Configuring Fips

    Configuring FIPS. Overview: Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high. The device supports Level 2.
  • Page 397: Configuring Fips Mode

    save. Other commands used for configuration preparation to enter FIPS mode.
    • Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks: Delete the local user and configure a new local user.
  • Page 398: Configuration Changes In Fips Mode

    The system automatically uses the startup configuration file to reboot the device and enter FIPS mode. You can only use the configured username and password to log in to the FIPS device. After login, you are assigned the role of security administrator Crypto Officer. Manual reboot To use manual reboot to enter FIPS mode: Enable the password control feature globally.
  • Page 399: Exiting Fips Mode

    When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of 2048 bits.
    • SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
  • Page 400: Fips Self-Tests

    You can also trigger a self-test. If the power-up self-test fails, the device where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information. NOTE: If a self-test fails, contact HP Support. Power-up self-tests: Power-up self-tests include the following types:
    • Known-answer test (KAT)
  • Page 401: Conditional Self-Tests

    PWCT: Tests the following algorithms:
    • RSA (signature and authentication).
    • RSA (encryption and decryption).
    • DSA (signature and authentication).
    • ECDSA (signature and authentication).
    Conditional self-tests: A conditional self-test runs when an asymmetric cryptographic module or a random number generator module is invoked.
  • Page 402: Fips Configuration Examples

    FIPS configuration examples Entering FIPS mode through automatic reboot Network requirements Use the automatic reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode. Configuration procedure # If you want to save the current configuration, execute the save command before you enable FIPS mode. # Enable FIPS mode and choose the automatic reboot method to enter FIPS mode.
  • Page 403: Entering Fips Mode Through Manual Reboot

    password-control enable
    local-user root class manage
    service-type terminal
    authorization-attribute user-role network-admin
    fips mode enable
    return
    <Sysname>
    Entering FIPS mode through manual reboot. Network requirements: Use the manual reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.
  • Page 404: Exiting Fips Mode Through Automatic Reboot

    flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file. Please wait...
    Saved the current configuration to device successfully.
    [Sysname] quit
    # Delete the startup configuration file in binary format.
    <Sysname> delete flash:/startup.mdb
    Delete flash:/startup.mdb?[Y/N]:y
    Deleting file flash:/startup.mdb...Done.
    # Reboot the device.
    <Sysname> reboot
    Verifying the configuration: After the device reboots, enter the username test and the password 12345zxcvb!@#$%ZXCVB.
  • Page 405: Exiting Fips Mode Through Manual Reboot

    Verifying the configuration: After the device reboots, you can enter the system.
    <Sysname>
    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is disabled.
    Exiting FIPS mode through manual reboot. Network requirements: A user has logged in to the device in FIPS mode through SSH with the username test and password 12345zxcvb!@#$%ZXCVB.
  • Page 406 login: test
    Password:
    Last successfully login time:…
    …
    <Sysname>
    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is disabled.
  • Page 407: Configuring User Profiles

    Configuring user profiles Overview A user profile saves a set of predefined parameters, such as a QoS policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user. The user profile restricts authenticated user behaviors as follows: After the authentication server verifies a user, the server sends the device the name of the user profile specified for the user.
  • Page 408: Configuring Parameters For A User Profile

    Step / Command / Remarks: Create a user profile and enter user profile view: user-profile profile-name. You can use the command to enter the view of an existing user profile.
    Configuring parameters for a user profile: Configurations in user profile view take effect only after the device applies the user profile to the user. Configuring QoS parameters for traffic management. To configure QoS parameters: Step...
  • Page 409
    • Deny User A's access to the network from 8:30 to 12:00 daily.
    • Limit the outgoing traffic rate to 2000 kbps for User B.
    • Limit the incoming traffic rate to 4000 kbps for User C.
    Figure 120 Network diagram. Configuration procedure: Configure a QoS policy to control the access time for User A:
    # Create periodic time range for_usera, setting it to be active from 8:30 to 12:00 daily.
  • Page 410 # Create traffic class class, and define a match criterion to match all packets.
    [Switch] traffic classifier class
    [Switch-classifier-class] if-match any
    [Switch-classifier-class] quit
    # Create traffic behavior for_userb, and configure a CAR action in traffic behavior database. Set the CIR to 2000 kbps.
    [Switch] traffic behavior for_userb
    [Switch-behavior-for_userb] car cir 2000
    [Switch-behavior-for_userb] quit...
  • Page 411 [Switch-luser-network-usera] quit
    # Add local user userb.
    [Switch] local-user userb class network
    New local user added.
    # Set the password of local user userb to b12345 in plain text.
    [Switch-luser-network-userb] password simple b12345
    # Specify the service type as lan-access for userb.
    [Switch-luser-network-userb] service-type lan-access
    # Configure the authorization user profile as userb.
  • Page 412 User-Profile: usera
    Inbound:
    Policy: for_usera
    slot 1:
    User -:
    Authentication type: 802.1X
    Network attributes:
    Interface : Ten-GigabitEthernet1/0/1
    MAC address : 6805-ca06-557b
    Service VLAN : 1
    User-Profile: userb
    Inbound:
    Policy: for_userb
    slot 1:
    User -:
    Authentication type: 802.1X
    Network attributes:
    Interface : Ten-GigabitEthernet1/0/1
    MAC address : 80c1-6ee0-2664...
  • Page 413: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention. Overview: Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions, such as packet dropping, to protect a private network. The device supports only TCP fragment attack prevention. Configuring TCP fragment attack prevention: The TCP fragment attack prevention feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that traditional packet filters cannot detect.
  • Page 414: Configuring Nd Attack Defense

    (Optional.) Enable the ND logging feature: ipv6 nd check log enable. By default, the ND logging feature is disabled. HP recommends that you disable the ND logging feature to avoid excessive ND logs.
  • Page 415: Support And Other Resources

    Related information. Documents: To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category.
  • Page 416: Conventions

    Conventions: This section describes the conventions used in this documentation set. Command conventions (convention / description):
    Boldface: Bold text represents commands and keywords that you enter literally as shown.
    Italic: Italic text represents arguments that you replace with actual values.
    Square brackets enclose syntax choices (keywords or arguments) that are optional.
    Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 417 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 418: Index

    Index Numerics MAC-based access control, maintain, 3DES mandatory port authentication domain, IPsec encryption algorithm, online user handshake, 802.1X overview, access control method, packet format, ACL assignment, 77, periodic online user reauthentication, architecture, port authorization state, authentication, port authorization status, authentication (access device initiated), port security authentication control mode, authentication (client initiated), port security client...
  • Page 419 HWTACACS authorization server, RADIUS scheme creation, HWTACACS display, RADIUS security policy server IP address, HWTACACS implementation, RADIUS server SSH user authentication+authorization, HWTACACS maintain, RADIUS server status, HWTACACS outgoing packet source IP address, RADIUS session-control, HWTACACS scheme, RADIUS shared keys, HWTACACS scheme creation, RADIUS SNMP notification, HWTACACS server SSH user, RADIUS timers,...
  • Page 420 MFF manual-mode in ring network, 802.1X ACL assignment, 77, MFF manual-mode in tree network, IPsec ACL, scanning configuration restrictions, IPsec ACL de-encapsulated packet check, ARP attack protection IPsec ACL rule keywords, active acknowledgement, IPsec ACL-based implementation, 253, ARP detection display, IPsec ACL-based tunnel establishment, ARP detection maintain, IPsec mirror image ACLs,...
  • Page 421 IPsec IKE configuration (main mode/pre-shared key AAA RADIUS common standard attributes, authentication), AAA RADIUS extended attributes, IPsec IKE DSA signature authentication, AAA RADIUS HP proprietary attributes, IPsec IKE pre-shared key authentication, AAA RADIUS Login-Service attribute check IPsec IKE RSA signature authentication, method,...
  • Page 422 creating user profile, IP source guard (IPSG) static binding, Authentication, Authorization, and Accounting. IPsec source interface to policy, IPv4 source guard (IPv4SG) dynamic binding Auth-Fail VLAN configuration, 802.1X authentication, IPv4 source guard (IPv4SG) dynamic binding+DHCP relay configuration, 802.1X configuration, IPv4 source guard (IPv4SG) static binding authorization VLAN configuration, 349, 802.1X assignment, 72,...
  • Page 423 PKI certificate verification (w/o CRL 802.1X Auth-Fail VLAN, 74, checking), 802.1X authorization VLAN assignment, revocation list. Use 802.1X basics, change cipher spec protocol (SSL), 802.1X critical VLAN, 76, CHAP/PAP authentication 802.1X EAD assistant, 89, direct/cross-subnet portal authentication 802.1X guest VLAN, 73, process, 802.1X guest VLAN assignment, re-DHCP portal authentication process,...
  • Page 424 ARP filtering, 372, IPv4 source guard (IPv4SG) dynamic binding, ARP gateway protection, 371, IPv4 source guard (IPv4SG) dynamic binding+DHCP relay, ARP packet rate limit, IPv4 source guard (IPv4SG) static ARP packet source MAC consistency check, binding, 349, ARP packet validity check, IPv6 source guard (IPv6SG), ARP restricted forwarding, 366, IPv6 source guard (IPv6SG) dynamic...
  • Page 425 port security intrusion protection, SSH management parameters, port security MAC address autoLearn, SSH SCP client device, port security NTK feature, SSH Secure Telnet, port security secure MAC addresses, SSH Secure Telnet client password authentication, public peer key, SSH Secure Telnet client publickey QoS or CAR parameters, authentication, Secure Telnet client user line,...
  • Page 426 PKI CA policy, device PKI certificate export, attack D&P configuration, PKI certificate removal, creating user profile, PKI certificate-based access control policy, crypto engine configuration, troubleshooting PKI CRL obtain failure, IPv4 source guard (IPv4SG) dynamic binding+DHCP relay configuration, cross-subnet MFF server IP address, portal authentication, security password control, 197, portal authentication extended,...
  • Page 427 security portal authentication extended 802.1X, re-DHCP, AAA, security portal authentication modes, AAA HWTACACS, security portal authentication process, AAA LDAP, security portal authentication re-DHCP, AAA local users/user groups, security portal authentication re-DHCP process AAA RADIUS, (with CHAP/PAP authentication), ARP attack detection (source MAC-based), troubleshooting security portal authentication ARP attack protection (unresolvable IP attack), users cannot log in (re-DHCP),...
  • Page 428 public key management, 206, 211 802.1X periodic online user reauthentication, SSH client host public key configuration, AAA RADIUS session-control, SSH DSA host key pair, AAA RADIUS SNMP notification, SSH Secure Telnet client publickey IPsec ACL de-encapsulated packet check, authentication, IPsec IKE invalid SPI recovery, dst-mac validity check (ARP), IPsec packet logging,...
  • Page 429 SSH configuration, configuration restrictions, SSH server configuration, display, SSL services, mode configuration, entering mode entry, FIPS mode (automatic reboot), 385, mode entry (automatic reboot), FIPS mode (manual reboot), 385, mode entry (manual reboot), peer host public key, mode exit, peer public key, 211 mode exit (automatic reboot), mode exit (manual reboot),...
  • Page 430 IPsec packet DF bit, security password history, TCP fragment attack prevention, frame AAA RADIUS HP proprietary attributes, port security configuration, 173, HTTP SSL configuration, 342, AAA RADIUS Login-Service attribute check HW Terminal Access Controller Access Control System. method,...
  • Page 431 configuration, 281, 283, security application-based IPsec, configuration (main mode/pre-shared key importing authentication), peer host public key from file, DH algorithm, PKI certificate import/export, display, public key from file, DPD configuration, troubleshooting PKI CA certificate import FIPS compliance, failure, global identity information, troubleshooting PKI local certificate import failure, identity authentication,...
  • Page 432 IP source guard implementation, IPv4. See IPv6. See IPv6. See maintain, IP source guard (IPSG) mirror image ACLs, configuration, 346, 348, non-mirror image ACLs, display, packet DF bit, dynamic binding, packet logging enable, maintain, PKI configuration, 216, 218, static binding, policy application to interface, IPoE policy configuration (IKE-based),...
  • Page 433 display, dynamic binding configuration, IPsec IKE pre-shared key authentication, dynamic binding+DHCP relay PKI configuration, 216, 218, configuration, key pair enable on interface, SSH DSA host key pair, maintain, SSH ECDSA host key pair, static binding configuration, 349, SSH RSA host key pair, IPv6 SSH RSA server key pair, IPsec.
  • Page 434 user attribute, logging out versions, security portal authentication users, Lightweight Directory Access Protocol. Use login limiting security password expired login, ARP packet rate limit, security password user first login, port security secure MAC addresses, security password user login attempt limit, local security password user login control, 802.1X authorization VLAN,...
  • Page 435 port security secure MAC address, MAC-forced forwarding. Use port security secure MAC address port limit, maintaining troubleshooting port security secure MAC 802.1X, addresses, AAA HWTACACS, MAC authentication AAA RADIUS, ACL assignment, 104, 115 ARP detection, authorization VLAN, crypto engine, concurrent port users max, IP source guard (IPSG), configuration, 101, 105,...
  • Page 436 mode AAA HWTACACS implementation, 802.1X EAP relay/termination comparison, AAA LDAP implementation, 802.1X multicast trigger, AAA NAS-ID profile configuration, 802.1X multicast trigger mode, AAA RADIUS implementation, 802.1X unicast trigger, AAA RADIUS security policy server IP address, 802.1X unicast trigger mode, applying interface NAS-ID profile (RADIUS), FIPS, IPsec ACL-based implementation IPsec IKE keepalive function,...
  • Page 437 AAA ISP domain authentication method, IPsec ACL, AAA ISP domain authorization method, IPsec ACL de-encapsulated packet check, AAA ISP domain creation, IPsec ACL-based implementation, 253, AAA ISP domain method, IPsec anti-replay, AAA LDAP implementation, IPsec anti-replay redundancy, AAA LDAP scheme, IPsec application-based implementation, AAA LDAP server SSH user authentication, IPsec IKE configuration (main mode/pre-shared key...
  • Page 438 MAC authentication authorization VLAN, port security client userLoginWithOUI, MAC authentication concurrent port users port security features, 173, max, port security intrusion protection, MAC authentication critical VLAN, 103, port security MAC address autoLearn, MAC authentication delay, port security MAC address learning control, MAC authentication domain, port security mode, 173, MAC authentication guest VLAN, 102,...
  • Page 439 SSH SFTP packet source IP address, SSL services, SSH SFTP server connection establishment, SSH SFTP server connection termination, AAA no accounting method, SSH SFTP server enable, AAA no authentication, SSH SFTP server password authentication, AAA no authorization, SSH user configuration, notifying SSL client policy configuration, AAA RADIUS SNMP notification,...
  • Page 440 ARP attack protection (unresolvable IP SSH password-publickey authentication, attack), 357, SSH Secure Telnet client password ARP attack protection blackhole routing authentication, (unresolvable IP attack), SSH Secure Telnet server password ARP attack protection source suppression authentication, (unresolvable IP attack), SSH SFTP server password authentication, ARP filtering, 372, password control ARP packet rate limit,...
  • Page 441 applications, IPsec (manual), architecture, IPsec application to interface, CA digital certificate, IPsec policy (IKE-based), CA policy, IPsec policy (IKE-based/direct), CA storage path, IPsec policy (IKE-based/template), certificate export, IPsec QoS pre-classify enable, certificate import/export, IPsec source interface policy bind, certificate obtain, IPsec transform set, certificate removal, MAC authentication user account policies,...
  • Page 442 security portal authentication re-DHCP, access device, 119 security portal authentication server authentication destination subnet, detection+user synchronization, authentication modes, port security authentication process, 802.1X access control method, authentication server, 119 802.1X authentication, 90, authentication source subnet, 802.1X authorization state, BAS-IP, 802.1X authorization status, client,...
  • Page 443 user online detection, configuring AAA LDAP administrator attributes, user synchronization configuration, configuring AAA LDAP scheme, users cannot log in (re-DHCP), configuring AAA LDAP server IP address, Web server, 119 configuring AAA LDAP server SSH user authentication, Web server configuration, configuring AAA LDAP user attributes, Web server detection configuration, configuring AAA local user,...
  • Page 444 configuring FIPS mode entry (automatic configuring IPv4 source guard (IPv4SG) dynamic reboot), binding+DHCP relay, configuring FIPS mode entry (manual configuring IPv4 source guard (IPv4SG) static reboot), binding, 349, configuring FIPS mode exit (automatic configuring IPv6 source guard (IPv6SG), reboot), configuring IPv6 source guard (IPv6SG) dynamic configuring FIPS mode exit (manual binding+DHCPv6 snooping, reboot),...
  • Page 445 configuring port security, configuring security user profile, configuring port security client configuring source MAC consistency check, macAddressElseUserLoginSecure, configuring SSH client host public key, configuring port security client configuring SSH device as Secure Telnet client, userLoginWithOUI, configuring SSH device as server, configuring port security features, configuring SSH device as SFTP client, configuring port security intrusion...
  • Page 446 displaying ARP attack protection (unresolvable enabling security password control, IP attack), enabling security portal authentication, displaying ARP detection, enabling security portal authentication displaying crypto engine, roaming, displaying FIPS, enabling SSH SCP server, displaying host public key, enabling SSH SFTP server, displaying IP source guard (IPSG), enabling Stelnet server, displaying IPsec,...
  • Page 447 removing PKI certificate, specifying AAA HWTACACS shared keys, requesting PKI certificate request, specifying AAA LDAP authentication server, setting 802.1X authentication request attempts specifying AAA LDAP version, max number, specifying AAA RADIUS accounting server setting 802.1X authentication timeout timers, parameters, setting 802.1X concurrent port users max specifying AAA RADIUS authentication server, number, specifying AAA RADIUS outgoing packet source IP...
  • Page 448 troubleshooting PKI storage path set failure, public key troubleshooting port security mode cannot be display, 211 set, file import, troubleshooting port security secure MAC FIPS compliance, addresses, host public key display, troubleshooting security portal authentication host public key export, cannot log out users (access device), local host public key distribution, troubleshooting security portal authentication...
  • Page 449 AAA RADIUS real-time accounting timer, common standard attributes, rebooting display, FIPS mode (automatic reboot), extended attributes, FIPS mode (manual reboot), HP proprietary attributes, FIPS mode entry (manual reboot), HWTACACS/RADIUS differences, record protocol (SSL), information exchange security, recovering Login-Service attribute check method,...
  • Page 450 fixed ARP configuration, security IKE SA max number set, IPsec policy configuration (IKE-based), troubleshooting IPsec SA negotiation failure (invalid identity info), IPsec policy configuration restrictions, troubleshooting IPsec SA negotiation failure (no security portal authentication, transform set match), security user profile configuration, scheme Rivest-Shamir-Adleman Algorithm.
  • Page 451 802.1X guest VLAN, 73, ARP attack detection (source MAC-based), 361, 802.1X guest VLAN assignment, ARP attack protection (unresolvable IP 802.1X maintain, attack), 357, 802.1X mandatory port authentication ARP attack protection blackhole routing domain, (unresolvable IP attack), 802.1X online user handshake, ARP attack protection configuration, 802.1X overview, ARP attack protection source suppression...
  • Page 452 IP, 250, See also MAC authentication ACL assignment, 104, 115 IP source guard (IPSG) MAC authentication concurrent port users max, configuration, 346, 348, MAC authentication configuration, IP source guard (IPSG) dynamic binding, MAC authentication critical VLAN, IP source guard (IPSG) static binding, MAC authentication delay, 108, IPsec ACL-based implementation, MAC authentication display,...
  • Page 453 password history, portal authentication detection features, password not displayed, portal authentication direct, password setting, portal authentication domain, password updating, 195, portal authentication extended cross-subnet, password user first login, portal authentication extended direct, password user login control, portal authentication extended re-DHCP, peer host public key entry, portal authentication fail-permit, peer host public key import from file,...
  • Page 454 SSH Secure Telnet client publickey troubleshooting PKI certificate export failure, authentication, troubleshooting PKI configuration, SSH Secure Telnet configuration, troubleshooting PKI CRL obtain failure, SSH Secure Telnet server connection troubleshooting PKI local certificate failure, establishment, troubleshooting PKI local certificate import SSH Secure Telnet server password failure, authentication, troubleshooting PKI local certificate request...
  • Page 455 802.1X port users max number, signature authentication (IKE), AAA concurrent login user max, SNMP AAA HWTACACS timer, AAA RADIUS notifications, AAA HWTACACS traffic statistics unit, IPsec IKE SNMP notification, AAA HWTACACS username format, IPsec SNMP notification, AAA LDAP server timeout period, software AAA RADIUS request transmission attempts crypto engine configuration,...
  • Page 456 AAA RADIUS server SSH user SFTP server connection termination, authentication+authorization, SFTP server enable, AAA SSH user local SFTP server password authentication, authentication+HWTACACS Stelnet server enable, authorization+RADIUS accounting, user configuration, authentication methods, versions, client host public key configuration, configuration, client policy configuration, display, configuration, 342, FIPS compliance,...
  • Page 457 synchronizing SSH Secure Telnet server publickey authentication, security portal authentication server detection+user synchronization, terminal security portal authentication user AAA RADIUS Login-Service attribute check synchronization, method, system administration terminating attack D&P configuration, SSH SFTP server connection, FIPS configuration, 384, testing FIPS mode configuration, FIPS conditional self-test, FIPS mode entry (automatic reboot), FIPS power-up self-test,...
  • Page 458 Transmission Control Protocol. Use tunneling transporting IPsec configuration, 250, IPsec encapsulation transport mode, IPsec encapsulation tunnel mode, triggering IPsec RIPng configuration, 802.1X authentication trigger, IPsec tunnel establishment, FIPS self-test, IPsec tunnel for IPv4 packets (IKE-based), troubleshooting IPsec tunnel for IPv4 packets (manual), 802.1X EAD assistant Web browser users, AAA HWTACACS, AAA LDAP user authentication fails,...
  • Page 459 IPv4 source guard (IPv4SG) dynamic binding MAC authentication user profile assignment, configuration, user profile parameters IPv4 source guard (IPv4SG) dynamic configuring, binding+DHCP relay configuration, userLoginWithOUI, IPv4 source guard (IPv4SG) static binding username configuration, AAA HWTACACS format, IPv6 source guard (IPv6SG) dynamic AAA RADIUS format, binding+DHCPv6 snooping configuration, IPv6 source guard (IPv6SG) static binding...
  • Page 460 MFF manual-mode in ring network, Windows 2003 MFF manual-mode in tree network, PKI CA server certificate request, port security secure MAC address, WLAN security portal authentication portal-free 802.1X overview, rule, port security client security portal authentication roaming, macAddressElseUserLoginSecure, port security client userLoginWithOUI, IPsec configuration, 250, port security configuration, 173, 176, IPsec RIPng configuration,...
