HP 3600 v2 Switch Series Security Configuration Guide
Part number: 5998-2355
Software version: Release 2101
Document version: 6W101-20130930...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
User profile configuration task list ... 222
Creating a user profile ... 222
Configuration prerequisites ... 222
Creating a user profile ... 223
Configuring a user profile ... 223
Configuration guidelines ... 223
Configuration procedure ... 223
...
Troubleshooting PKI ... 259
Failed to retrieve a CA certificate ... 259
Failed to request a local certificate ... 259
Failed to retrieve CRLs ... 260
IPsec configuration ... 261
IPsec overview ... 261
IPsec implementation ...
SFTP client configuration example ... 300
SFTP server configuration example ... 303
SSL configuration ... 306
SSL overview ... 306
SSL security mechanism ... 306
SSL protocol stack ... 307
SSL configuration task list ... 307
...
ARP defense against IP packet attack configuration example ... 332
Configuring ARP packet rate limit ... 334
Introduction ... 334
Configuring ARP packet rate limit ... 334
Configuring source MAC address based ARP attack detection ... 335
...
Blacklist configuration example ... 381
Network requirements ... 381
Verifying the configuration ... 381
Support and other resources ... 382
Contacting HP ... 382
Subscription service ... 382
Related information ... 382
Documents ... 382
...
AAA configuration
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and...
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol. Note that standard RADIUS hides only the User-Password attribute (with an MD5 keystream derived from the shared key); every other attribute travels in clear text, so keep the NAS-to-server path on a protected management network.
Figure 3 Basic RADIUS message exchange process (host, RADIUS client, RADIUS server):
1) Username and password
2) Access-Request
3) Access-Accept/Reject
4) Accounting-Request (start)
5) Accounting-Response
6) The host accesses the resources
7) Accounting-Request (stop)
8) Accounting-Response
9) Notification of access termination
RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings.
Table 1 Main values of the Code field
Code / Packet type / Description
...
The Attributes field, variable in length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type, Length, and Value.
• Type (1 byte long)—Indicates the type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes contain a code that is compliant to RFC 1700 (the vendor's IANA-assigned SMI Network Management Private Enterprise Code). For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
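The packet layout described above (Code, Identifier, Length, Authenticator, the TLV attribute list, and the Vendor-Specific attribute whose 4-byte Vendor-ID must have a zero high byte) as a worked example in Python. This is an added illustration, not code from this guide or from HP: it builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 specifies, parses the attributes back including the VSA, and checks the Response Authenticator on an Access-Accept. The Vendor-ID constant, the sub-attribute number, the user name, password and shared key are constructed or assumed values for the demonstration.

```python
"""Build and parse RADIUS packets: User-Password hiding (RFC 2865 5.2),
Vendor-Specific attributes (type 26) and Response Authenticator checks.
Added example, not code from the HP guide."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
# ASSUMED Vendor-ID for the proprietary sub-attributes; the guide does not
# state it, so take the real value from the vendor's RADIUS dictionary.
ASSUMED_VENDOR_ID = 25506


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), the Request Authenticator being the first 'previous block'."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (zero padding stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """TLV attribute: Type, Length (covers the 2-byte header too), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Type 26: 4-byte Vendor-ID (most significant byte 0) + one vendor TLV."""
    if vendor_id >> 24:
        raise ValueError("Vendor-ID must fit in the low three bytes")
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code (1), Identifier (1), Length (2, whole packet), Authenticator (16)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check that an Accept/Reject was produced by a holder of the key."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or length < 20:
        return False
    expected = response_authenticator(code, ident, request_auth, resp[20:], secret)
    return hmac.compare_digest(expected, resp[4:20])


def parse_packet(pkt: bytes) -> dict:
    """Decode the header and the attribute list; VSAs get their vendor fields."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            attrs.append({"type": atype, "vendor": vendor, "sub_type": sub_type,
                          "value": value[6:4 + sub_len]})
        else:
            attrs.append({"type": atype, "value": value})
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def demo(secret: bytes = b"expert") -> dict:
    """Constructed exchange: Access-Request carrying a VSA, then an Access-Accept
    whose Response Authenticator is checked with the right and a wrong key."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, b"test@bbb")
             + attr(USER_PASSWORD, hide_password(b"aabbcc", secret, request_auth))
             + vsa(ASSUMED_VENDOR_ID, 4, b"\x00\x00\x00\x01"))   # constructed sub-attribute
    parsed = parse_packet(build_packet(ACCESS_REQUEST, 7, request_auth, attrs))
    by_type = {a["type"]: a for a in parsed["attrs"]}
    accept_auth = response_authenticator(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    accept = build_packet(ACCESS_ACCEPT, 7, accept_auth, b"")
    return {"username": by_type[USER_NAME]["value"],
            "password": reveal_password(by_type[USER_PASSWORD]["value"], secret, request_auth),
            "hidden_len": len(by_type[USER_PASSWORD]["value"]),
            "vendor": by_type[VENDOR_SPECIFIC]["vendor"],
            "accept_ok": verify_response(accept, request_auth, secret),
            "accept_wrong_key": verify_response(accept, request_auth, b"wrong")}
```

Two points the code makes concrete: the hidden password is a multiple of 16 bytes whatever its real length, and a response whose Authenticator was computed with a different shared key is rejected, which is exactly the symptom of a key mismatch between NAS and server.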
Figure 5 Segment of a RADIUS packet containing an extended attribute
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. Unlike RADIUS, HWTACACS runs over TCP (port 49 by default) and protects the whole packet body with the shared key rather than only the password.
Figure 6 Basic HWTACACS message exchange process for a Telnet user (host, HWTACACS client, HWTACACS server):
1) The user logs in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user inputs the username
6) Authentication continuance packet with the username
7) Authentication response requesting the login...
The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
• Portal users—Users who must pass portal authentication to access the network.
In addition, AAA provides the following services for login users to enhance switch security:
• Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute.
A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HP switch listens on UDP port 1645 (the legacy pre-RFC 2865 authentication port) instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server; a mismatch shows up as requests that never get a response.
Attribute descriptions (continued):
Maximum idle time permitted for the user before termination of the session.
Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier...
Access-Requests. This attribute is used when RADIUS supports EAP authentication.
NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.
HP proprietary RADIUS sub-attributes
Sub-attribute / Description
Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
Sub-attribute / Description
Command: Operation for the session, used for session control. It can be:
• 1—Trigger-Request
• 2—Terminate-Request
• 3—SetPolicy
• 4—Result
• 5—PortalClear
Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value; for retransmitted packets of different sessions, this attribute may take the same value.
Sub-attribute / Description
Backup-NAS-IP: Backup source IP address for sending RADIUS packets
Product_ID: Product name
AAA configuration considerations and task list
To configure AAA, you must complete these tasks on the NAS:
Configure the required AAA schemes.
• Local authentication—Configure local users and the related attributes, including the usernames and...
Task / Remarks
Configuring HWTACACS schemes
Creating an ISP domain: Required
Configuring ISP domain attributes: Optional
Configuring AAA methods for ISP domains: Required; complete at least one of the following tasks:
  Configuring AAA authentication methods for an ISP domain
  Configuring AAA authorization methods for an ISP domain
  Configuring AAA accounting methods for an ISP domain
Tearing down user connections...
create a guest account and specify a validity time and an expiration time for the account to control the validity of the account.
• User group—Each local user belongs to a local user group and bears all attributes of the group, such as the authorization attributes.
To do… / Use the command… / Remarks
Configure a password for the local user. Command: password [ { cipher | simple } ... Remarks: Optional. If you do not configure any password for a local user, the local user does not need to provide any password during authentication, and can pass authentication after entering the correct local user name and passing user... Treat a passwordless local user as an open account: anyone who learns the user name is in.
To do… / Use the command… / Remarks
Set the validity time of the local user. Command: validity-date time. Remarks: Optional; not set by default.
Set the expiration time of the local user. Command: expiration-date time. Remarks: Optional; not set by default.
Assign the local user to a user group. Command: group group-name. Remarks: Optional; by default, a local user belongs to the group...
To do… / Use the command… / Remarks
Configure the authorization attributes for the user group. Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory ... Remarks: Optional; by default, no authorization attribute is configured for a user group.
Task / Remarks
Setting the maximum number of RADIUS request transmission attempts: Optional
Setting the status of RADIUS servers: Optional
Specifying the source IP address for outgoing RADIUS packets: Optional
Specifying a backup source IP address for outgoing RADIUS packets: Optional
Setting timers for controlling communication with RADIUS servers: Optional
Configuring RADIUS accounting-on...
To do… / Use the command… / Remarks
Enter system view. Command: system-view.
Enter RADIUS scheme view. Command: radius scheme radius-scheme-name.
Specify the primary RADIUS authentication/authorization server. Command: primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ]. Remarks: Required; configure at least one...
To do… / Use the command… / Remarks
Specify the secondary RADIUS accounting server. Command: secondary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ]. Remarks: Optional; no accounting server is specified by default.
Set the maximum number of real-time accounting request transmission attempts. Command: retry realtime-accounting retry-times...
Specifying the VPN to which the servers belong After you specify a VPN for a RADIUS scheme, all the authentication/authorization/accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to the specific VPN.
• Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later.
• Extended—Uses the proprietary RADIUS protocol of HP.
When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.
Setting the status of RADIUS servers By setting the status of RADIUS servers to blocked or active, you can control which servers the switch communicates with for authentication, authorization, and accounting or turn to when the current servers are not available anymore. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.
To do… / Use the command… / Remarks
Set the status of the secondary RADIUS authentication/authorization server. Command: state secondary authentication [ ip ipv4-address | ipv6 ipv6-address ] { active | block }.
Set the status of the secondary RADIUS accounting server. Command: state secondary accounting [ ip ipv4-address | ipv6 ipv6-address ] { active | block }...
To do… / Use the command… / Remarks
Enter RADIUS scheme view. Command: radius scheme radius-scheme-name.
Specify a source IP address for outgoing RADIUS packets. Command: nas-ip { ip-address | ipv6 ipv6-address }. Remarks: Required; by default, the IP address of the outbound interface is used as the source IP address.
Specifying a backup source IP address for outgoing RADIUS packets
In a stateful failover scenario, the active switch authenticates portal users by interacting with the RADIUS server, and synchronizes its online portal user information to the standby switch through the backup link...
NOTE: The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby switch.
Setting timers for controlling communication with RADIUS servers
The switch uses the following types of timers to control the communication with a RADIUS server:
• Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission...
NOTE:
• For a type of users, the maximum number of transmission attempts multiplied by the RADIUS server response timeout period must be less than the client connection timeout time and must not exceed 75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the primary/secondary server switchover cannot take place.
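A small model of the behaviour this section and the note above describe, added here as an illustration (not HP code): a NAS with a primary and a secondary server, a response-timeout, a retransmission count and a quiet timer. It checks the rule that attempts times timeout must stay below the client's connection timeout and never exceed 75 seconds, and shows why the rule exists: with too small a client timeout the client gives up before the switchover to the secondary server happens. The timer names follow the guide; the internal state logic is an assumption made for the example.

```python
"""Model of a NAS with one primary and one secondary RADIUS server: per-request
retransmission (attempts x response-timeout), marking an unresponsive server
'block', switching to the next active server, and restoring a blocked server
when the quiet timer expires. Added example; timer names follow the guide, the
internal logic is assumed, this is not Comware code."""
from typing import List, Optional

MAX_TOTAL_WAIT = 75   # seconds: the guide's hard cap on attempts x response-timeout


class Server:
    def __init__(self, name: str, reachable: bool):
        self.name = name
        self.reachable = reachable          # simulated network state
        self.state = "active"               # 'active' or 'block', as in 'state primary ...'
        self.blocked_at: Optional[float] = None


def validate_timers(attempts: int, response_timeout: int, client_timeout: int):
    """Return (ok, reason). The wait on one server must be shorter than the
    client's connection timeout, or the client gives up before switchover,
    and it may never exceed 75 seconds."""
    total = attempts * response_timeout
    if total >= client_timeout:
        return False, f"{total}s wait is not below the client timeout of {client_timeout}s"
    if total > MAX_TOTAL_WAIT:
        return False, f"{total}s wait exceeds the {MAX_TOTAL_WAIT}s cap"
    return True, f"{total}s wait per server"


class RadiusScheme:
    def __init__(self, servers: List[Server], attempts=3, response_timeout=3, quiet=300):
        self.servers = servers              # index 0 is the primary, the rest secondaries
        self.attempts = attempts
        self.response_timeout = response_timeout
        self.quiet = quiet                  # seconds a blocked server stays blocked
        self.clock = 0.0                    # simulated time
        self.log: List[str] = []

    def advance(self, seconds: float):
        self.clock += seconds

    def _restore(self):
        """Quiet timer expiry: blocked servers become active again."""
        for s in self.servers:
            if s.state == "block" and self.clock - s.blocked_at >= self.quiet:
                s.state, s.blocked_at = "active", None
                self.log.append(f"t={self.clock:.0f} {s.name} active again (quiet timer expired)")

    def send(self, client_timeout: Optional[float] = None) -> Optional[str]:
        """Send one request. Returns the name of the server that answered, or None
        if no server answered or the client's own timeout ran out first."""
        self._restore()
        start = self.clock
        for s in self.servers:
            if s.state != "active":
                continue
            for n in range(1, self.attempts + 1):
                if client_timeout is not None and self.clock - start >= client_timeout:
                    self.log.append(f"t={self.clock:.0f} client gave up before switchover")
                    return None
                if s.reachable:
                    self.log.append(f"t={self.clock:.0f} {s.name} answered (attempt {n})")
                    return s.name
                self.clock += self.response_timeout    # response-timeout expires
                self.log.append(f"t={self.clock:.0f} {s.name} no response to attempt {n}")
            s.state, s.blocked_at = "block", self.clock
            self.log.append(f"t={self.clock:.0f} {s.name} set to block, trap sent")
        self.log.append(f"t={self.clock:.0f} no active server left")
        return None


def scenario() -> dict:
    """Primary unreachable, secondary up: switchover, then recovery after quiet."""
    scheme = RadiusScheme([Server("primary", reachable=False), Server("secondary", reachable=True)])
    first = scheme.send()                   # 3 x 3 s on the primary, then the secondary answers
    t_first = scheme.clock
    second = scheme.send()                  # primary still blocked: straight to the secondary
    scheme.servers[0].reachable = True      # primary comes back
    scheme.advance(scheme.quiet)            # quiet timer expires
    third = scheme.send()                   # primary active again and answers
    return {"first": first, "t_first": t_first, "second": second, "third": third, "log": scheme.log}


if __name__ == "__main__":
    for line in scenario()["log"]:
        print(line)
```

With the defaults (3 attempts, 3-second timeout) the first request switches to the secondary after 9 seconds; a client that only waits 5 seconds never sees that switchover, which is the failure the note describes.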
Configuring the IP address of the security policy server The core of the EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
sends a trap message. If the NAS receives a response from a RADIUS server that it considers unreachable, the NAS considers that the RADIUS server is reachable again, sets the status of the server to active, and sends a trap message.
• The ratio of the number of failed transmission attempts to the total number of authentication request...
To do… / Use the command… / Remarks
Clear the buffered stop-accounting requests for which no responses have been received. Command: reset stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]. Remarks: Available in user view.
Configuring HWTACACS schemes
NOTE: You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS...
Specifying the HWTACACS authentication servers You can specify one primary authentication server and up to one secondary authentication server for an HWTACACS scheme. When the primary server is not available, the secondary server is used, if any. In a scenario where redundancy is not required, specify only the primary server. Follow these steps to specify HWTACACS authentication servers for an HWTACACS scheme: To do…...
NOTE:
• An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
• The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
Specifying the shared keys for secure HWTACACS communication
The HWTACACS client and HWTACACS server use the MD5 algorithm to authenticate packets exchanged between them and use shared keys for packet authentication and user password encryption. They must use the same key for the same type of communication. The key is the only secret in this MD5-based scheme, so use a long random key rather than a short word, and store it with the cipher form of the key command so that it does not appear in plain text in configuration backups.
Follow these steps to specify a shared key for secure HWTACACS communication:
To do…...
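To show what "MD5 with a shared key" means on the wire, here is an added example (not HP code) of the TACACS+ body obfuscation from RFC 8907 section 4.5, the protocol family HWTACACS belongs to: the packet body is XORed with a keystream of chained MD5 digests over the session ID, the key, the version byte and the sequence number, so a client and a server holding different keys decode each other's packets into garbage. That HWTACACS applies its key in exactly this way is an assumption of the example; the START body layout is the TACACS+ one, and the user name, port and address values are constructed.

```python
"""Shared-key packet protection in the TACACS+ family (RFC 8907 4.5): body XOR
an MD5 keystream derived from session_id, key, version and seq_no. Added example
for the MD5/shared-key mechanism the guide describes for HWTACACS; HWTACACS is
ASSUMED to apply the key the same way. Not code from the HP guide."""
import hashlib
import struct

VERSION = 0xC0             # major 0xC, default minor 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01    # deprecated cleartext mode; never accept it in production
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no);
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1});
    pad = MD5_1 || MD5_2 || ... truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def transform(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"",
                      action: int = 1, priv_lvl: int = 1, authen_type: int = 1,
                      service: int = 1) -> bytes:
    """Authentication START body: eight 1-byte fields, then the variable fields."""
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + transform(body, session_id, key, VERSION, seq_no)


def parse_packet(pkt: bytes, key: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    if flags & FLAG_UNENCRYPTED:
        raise ValueError("cleartext body flag set; refuse the packet")
    if length != len(pkt) - HEADER.size:
        raise ValueError("length field does not match the packet")
    body = transform(pkt[HEADER.size:], session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def parse_authen_start(body: bytes) -> dict:
    """Decode a START body; with the wrong key the length fields no longer add up."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("START body lengths inconsistent: wrong key or corrupt packet")
    fields, pos = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[pos:pos + n]
        pos += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def demo(key: bytes = b"expert") -> dict:
    """Constructed client START for a Telnet login; the server decodes it with
    the right key and gets an unusable body with a different one."""
    session_id = 0x1234ABCD
    body = authen_start_body(b"test", b"vty0", b"192.168.1.3")   # constructed values
    pkt = build_packet(TYPE_AUTHEN, 1, session_id, body, key)
    good = parse_authen_start(parse_packet(pkt, key)["body"])
    wrong_body = parse_packet(pkt, b"wrong-key")["body"]
    return {"wire_body_differs": pkt[HEADER.size:] != body,
            "user": good["user"], "rem_addr": good["rem_addr"],
            "wrong_key_body_differs": wrong_body != body}
```

Because the keystream depends on the sequence number, the same body never encrypts the same way twice within a session; and because XOR is not authentication, a receiver detects a key mismatch only indirectly, by the decoded fields failing to parse, which is why mismatched keys present as "authentication failed" rather than as an explicit error.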
To do… / Use the command… / Remarks
Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name.
Set the format for usernames sent to the HWTACACS servers. Command: user-name-format { keep-original | with-domain | without-domain }. Remarks: Optional; by default, the ISP domain name is included in a username.
Specify the unit for data flows or ... Command: data-flow-format { data { byte | ... Remarks: Optional.
To do… / Use the command… / Remarks
Specify a source IP address for outgoing HWTACACS packets. Command: hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]. Remarks: Required; by default, the IP address of the outbound interface is used as the source IP address.
Follow these steps to specify a source IP address for a specific HWTACACS scheme:
To do…...
Displaying and maintaining HWTACACS
To do… / Use the command… / Remarks
Display the configuration information or statistics of HWTACACS schemes. Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display information about buffered... Command: display stop-accounting-buffer...
To do… / Use the command… / Remarks
Enter system view. Command: system-view.
Create an ISP domain and enter ISP domain view. Command: domain isp-name. Remarks: Required.
Return to system view. Command: quit.
Specify the default ISP domain. Command: domain default enable isp-name. Remarks: Optional; by default, the default ISP domain is the system predefined ISP domain system.
To do… / Use the command… / Remarks
Enable the self-service server location function and specify the URL of the self-service server. Command: self-service-url enable url-string. Remarks: Optional; disabled by default.
Specify the default authorization user profile. Command: authorization-attribute user-profile profile-name. Remarks: Optional; by default, an ISP domain has no default authorization user profile.
To do… / Use the command… / Remarks
Enter system view. Command: system-view.
Enter ISP domain view. Command: domain isp-name.
Specify the default authentication method for all types of users. Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional; local by default...
authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration. AAA supports the following authorization methods:
• No authorization (none)—The NAS performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have only the rights of Level 0 (visiting).
NOTE:
• The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access type.
• If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication.
To do… / Use the command… / Remarks
Enable the accounting optional feature. Command: accounting optional. Remarks: Optional; disabled by default. With the accounting optional feature, a switch allows users to use network resources when no accounting server is available or communication with all accounting servers fails. Enable it only where keeping users online matters more than a complete accounting record: sessions started while the servers are unreachable leave no record.
To do… / Use the command… / Remarks
Tear down AAA user connections. Command: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name ... Remarks: Required; applicable to only LAN and portal user connections.
• Configuring or changing the device ID of a switch will log out all online users of the switch.
•HP recommends saving the configuration and rebooting the switch after configuring or changing the device ID.
• The device ID is the symbol for stateful failover mode. Do not configure any device ID for a switch...
NOTE: You can use the authorization-attribute command to specify an authorization ACL and authorized VLAN, which will be assigned by the RADIUS server to the RADIUS client (the NAS) after the RADIUS user passes authentication. The NAS then uses the assigned ACL and VLAN to control user access. If the assigned ACL does not exist on the NAS, ACL assignment will fail and the NAS will forcibly log the RADIUS user out.
AAA configuration examples
AAA for Telnet users by an HWTACACS server
Network requirements
As shown in Figure 11, configure the switch to use the HWTACACS server to provide authentication, authorization, and accounting services for Telnet users. Set the shared keys for secure communication with the HWTACACS server to expert. Configure the switch to remove the domain name from a username before sending the username to the HWTACACS server.
[Switch-hwtacacs-hwtac] key accounting simple expert
# Configure the scheme to remove the domain name from a username before sending the username to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Configure the AAA methods for the domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login hwtacacs-scheme hwtac...
• Select Device Management Service as the service type
• Select HP(A-Series) as the access device type
• Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2
• Click OK to finish the operation
...
Figure 14 Add an access device
# Add a user for device management
Log in to the iMC management platform, click the User tab, and select Device Management User from the navigation tree to enter the Device Management User page. Then, click Add to enter the Add Device Management User window and perform the following configurations as shown in Figure
• Add a user named hello@bbb and specify the password...
Figure 15 Add an account for device management
Configure the switch
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure authentication communication to expert.
[Switch-radius-rad] key authentication expert
# Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
# Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs iMC.
• Specify the ports for authentication and accounting as 1812 and 1813 respectively
• Select LAN Access Service as the service type
• Select HP(A-Series) as the access device type
• Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2
...
Figure 17 Add an access device
# Add a charging plan.
Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging plan configuration page. Then, click Add to enter the Add Charging Plan page and perform the following configurations:
• Add a plan named UserAcct
...
Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page and perform the following configurations:
• Add a service named Portal-auth/acct and set the Service Suffix to dm1, which indicates the...
Figure 20 Add an access user account
Configure the Portal server (iMC PLAT 5.0)
# Configure the Portal server.
Log in to the iMC management platform and click the Service tab. Then, select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure
• Input the URL address of the portal authentication main page in the format http://ip:port/portal,...
Figure 21 Portal server configuration
# Configure the IP address group.
Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page for adding an IP address group, as shown in Figure
• ...
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure
• Type the device name NAS.
...
On the port group configuration page, click Add to enter the page for adding a port group, as shown in Figure 25. Perform the following configurations:
• Type the port group name.
• Select the configured IP address group. The IP address used by the user to access the network must...
[Switch] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.
AAA for 802.1X users by a RADIUS server
Network requirements
As shown in Figure 26, configure the switch to:
• Use the RADIUS server for authentication, authorization, and accounting of 802.1X users.
• Use MAC-based access control on Ethernet 1/0/1 to authenticate all 802.1X users on the port...
• Select LAN Access Service as the service type
• Select HP(A-Series) as the access device type
• Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2
• Adopt the default settings for other parameters and click OK to finish the operation.
Figure 28 Add a charging policy
# Add a service.
Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page and perform the following configurations:
• Add a service named Dot1x auth and set the Service Suffix to bbb, which indicates the...
Figure 29 Add a service
# Add a user.
Click the User tab, and select All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to enter the Add Access User page and perform the following configurations:
• Select the user or add a user named test
...
Figure 30 Add an access user account
Configure the switch
• Configure a RADIUS scheme
# Create a RADIUS scheme named rad and enter its view.
<Switch> system-view
[Switch] radius scheme rad
# Set the server type for the RADIUS scheme. When you use the iMC server, set the server type to extended.
# Configure bbb as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.
[Switch] domain default enable bbb
• Configure 802.1X authentication
...
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s
Total 1 connection matched.
As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user.
Level switching authentication for Telnet users by an HWTACACS server
Network requirements
As shown in Figure...
Configuration procedure
Configure the switch
# Configure the IP address of VLAN-interface 2, through which the Telnet user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
[Switch-luser-test] authorization-attribute level 0
[Switch-luser-test] quit
# Configure the password for local privilege level switching authentication to 654321. (The simple keyword stores the password in plain text in the configuration; use cipher outside a lab.)
[Switch] super password simple 654321
[Switch] quit
Configure the HWTACACS server
NOTE: The HWTACACS server in this example runs ACSv4.0.
Add a user named test on the HWTACACS server and configure advanced attributes for the user as shown in Figure
• Select Max Privilege for any AAA Client and set the privilege level to level 3.
Connected to 192.168.1.70 ...
******************************************************************************
* Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.
* Without the owner's prior written consent,
* no decompiling or reverse-engineering shall be allowed.
******************************************************************************
Login authentication
Username:test@bbb
Password:
<Switch> ?
User view commands:
  display  Display current system information
  ping     Ping function
  quit     ...
Set the shared keys for secure communication between the NAS and the RADIUS server to abc.
Figure 33 Network diagram
Configuration procedure
# Configure an IP address for each interface as shown in Figure 33. (Details not shown)
Configure the NAS
# Enable the Telnet server on Switch A.
Configure the RADIUS server
# Create RADIUS user aaa and enter its view.
<SwitchB> system-view
[SwitchB] radius-server user aaa
# Configure simple-text password aabbcc for user aaa.
[SwitchB-rdsuser-aaa] password simple aabbcc
[SwitchB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the shared key as abc.
[SwitchB] radius-server client-ip 10.1.1.1 key abc
Verify the configuration
After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A.
Symptom 2
RADIUS packets cannot reach the RADIUS server.
Analysis
• The NAS and the RADIUS server cannot communicate with each other.
• The NAS is not configured with the IP address of the RADIUS server.
• The UDP ports for authentication/authorization and accounting are not correct.
• The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
802.1X fundamentals
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model.
• Performs unidirectional traffic control to deny traffic from the client.
NOTE: The HP devices support only unidirectional traffic control.
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.
• Protocol version: The EAPOL protocol version used by the EAPOL packet sender.
• Type: Type of the EAPOL packet. Table 5 lists the types of EAPOL packets that the HP implementation of 802.1X supports.
Table 5 Types of EAPOL packets ...
Value / Type / Description
0x02 / EAPOL-Logoff / The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length: Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
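The header fields described above (Protocol version, Type, Length, Packet body) are enough to write a strict EAPOL parser, which is a useful building block for a monitoring tool that inspects 802.1X traffic on an access port. The following parser is an added example, not code from the original guide or from HP; the sample PDUs are constructed, and the full type table comes from the IEEE 802.1X standard rather than from Table 5 on the page. It enforces the rule that EAPOL-Start and EAPOL-Logoff carry no Packet body (Length 0) while tolerating the frame padding that Ethernet adds to short frames.

```python
import struct

# EAPOL packet type values from IEEE 802.1X. Table 5 on the page lists the types
# that the HP implementation supports; this table is the full set defined by the
# standard and is an addition of this example.
EAPOL_TYPES = {
    0x00: "EAP-Packet",
    0x01: "EAPOL-Start",
    0x02: "EAPOL-Logoff",
    0x03: "EAPOL-Key",
    0x04: "EAPOL-Encapsulated-ASF-Alert",
}

# Types that carry no Packet body, so their Length field must be 0.
BODYLESS_TYPES = {0x01, 0x02}


def parse_eapol(pdu: bytes) -> dict:
    """Parse an EAPOL PDU (the payload after the Ethernet header, EtherType 0x888E).

    Header layout: 1-byte Protocol version, 1-byte Type, 2-byte big-endian Length
    of the Packet body, then the Packet body. Raises ValueError on malformed input.
    """
    if len(pdu) < 4:
        raise ValueError("EAPOL header is 4 bytes; PDU too short")
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type 0x{ptype:02x}")
    body = pdu[4:]
    # Ethernet frames are padded to a minimum size, so trailing bytes beyond
    # Length are normal; a Length larger than what is present is not.
    if length > len(body):
        raise ValueError(f"Length {length} exceeds available Packet body ({len(body)} bytes)")
    if ptype in BODYLESS_TYPES and length != 0:
        raise ValueError(f"{EAPOL_TYPES[ptype]} must have Length 0 and no Packet body")
    return {
        "version": version,
        "type": EAPOL_TYPES[ptype],
        "length": length,
        "body": body[:length],
    }


def rejects(pdu: bytes) -> bool:
    """True if parse_eapol refuses the PDU (used to exercise the checks)."""
    try:
        parse_eapol(pdu)
    except ValueError:
        return True
    return False


# Constructed sample PDUs (not captured from a real device):
# - an EAPOL-Logoff from a version-1 client, followed by 4 bytes of frame padding
LOGOFF = bytes([0x01, 0x02, 0x00, 0x00]) + b"\x00" * 4
# - an EAP-Packet (version 2) whose body is an EAP Request/Identity:
#   code 1 (Request), identifier 1, length 5, type 1 (Identity)
IDENTITY_REQUEST = bytes([0x02, 0x00, 0x00, 0x05]) + b"\x01\x01\x00\x05\x01"
# - a malformed EAPOL-Start that claims a 4-byte body
BAD_START = bytes([0x01, 0x01, 0x00, 0x04]) + b"\x00" * 4

if __name__ == "__main__":
    for name, pdu in [("logoff", LOGOFF), ("identity request", IDENTITY_REQUEST)]:
        print(name, parse_eapol(pdu))
    print("bad start rejected:", rejects(BAD_START))
```

Rejecting a Start or Logoff with a non-zero Length matters in practice: an authenticator that honours the Length field blindly could be made to parse attacker-chosen bytes as a body, so a monitor should flag such frames rather than silently accept them.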
802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
Access device as the initiator
The access device initiates authentication if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets.
A comparison of EAP relay and EAP termination
Packet exchange method / Benefits / Limitations
EAP relay / • Supports various EAP authentication methods. • The configuration and processing is simple on the network access device. / The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.
EAP termination
Figure 43 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.
Figure 43 802.1X authentication procedure in EAP termination mode
In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4).
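To make Step 4 concrete, the following added example models the CHAP part of an EAP termination exchange: the access device picks the challenge, the client answers with an MD5 response, and the RADIUS server verifies it. This is not code from the guide or from HP. The MD5 response formula is CHAP as defined in RFC 1994 and the carriage of the challenge and response in the CHAP-Challenge and CHAP-Password attributes is from RFC 2865; neither is spelled out on the page. Usernames and passwords in it are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge).
# In EAP termination the access device forwards the challenge (CHAP-Challenge)
# and the identifier plus 16-byte response (CHAP-Password, RFC 2865) to the
# RADIUS server, which recomputes the hash from the user's stored password.
# The server therefore needs the cleartext (or reversibly stored) password.


def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Client-side CHAP/MD5 computation."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP identifier is one byte")
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def chap_verify(identifier: int, stored_password: str, challenge: bytes, response: bytes) -> bool:
    """Server-side check; constant-time compare avoids leaking how many bytes matched."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def eap_termination_round(username: str, client_password: str, server_db: Dict[str, str],
                          challenge: Optional[bytes] = None) -> bool:
    """Model one EAP termination exchange and return the server's verdict.

    The access device (not the RADIUS server) chooses the challenge and the CHAP
    identifier, collects the client's response, and hands username, challenge and
    response to the server for verification.
    """
    challenge = challenge or os.urandom(16)   # the access device's MD5 challenge
    identifier = 0x07                         # constructed CHAP identifier
    response = chap_response(identifier, client_password, challenge)
    stored = server_db.get(username)
    if stored is None:                        # unknown user: reject
        return False
    return chap_verify(identifier, stored, challenge, response)


# Constructed sample account for a local run (hypothetical user and password).
SERVER_DB = {"alice": "s3cret-sample"}

if __name__ == "__main__":
    print("correct password:", eap_termination_round("alice", "s3cret-sample", SERVER_DB))
    print("wrong password:  ", eap_termination_round("alice", "wrong", SERVER_DB))
```

The design point this makes visible is the trade-off behind the comparison table above: EAP termination lets the access device talk to servers that do not understand EAP, but only for methods (CHAP, PAP) where the server can verify the credential from what the device forwards, which rules out the stronger EAP methods that EAP relay passes through untouched.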
802.1X configuration
This chapter describes how to configure 802.1X on an HP device.
You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter.
Access control / VLAN manipulation
IMPORTANT:
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
• On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.
Authentication status / VLAN manipulation
A user in the 802.1X guest VLAN passes 802.1X authentication / • Re-maps the MAC address of the user to the VLAN specified for the user. • If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial default VLAN on the port.
Authentication status / VLAN manipulation
A user in the Auth-Fail VLAN passes 802.1X authentication / • Re-maps the MAC address of the user to the server-assigned VLAN. • If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial default VLAN on the port.
NOTE:
• To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you ...
Task / Remarks
Specifying a mandatory authentication domain on a port / Optional
Configuring the quiet timer / Optional
Enabling the periodic online user re-authentication function / Optional
Configuring an 802.1X guest VLAN / Optional
Configuring an Auth-Fail VLAN / Optional
Specifying supported domain name delimiters / Optional
Enabling 802.1X
Configuration guidelines ...
To do… / Use the command… / Remarks
Enter system view / system-view / —
Configure EAP relay or EAP termination / dot1x authentication-method { chap | eap | pap } / Optional. By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP termination.
Specifying an access control method You can specify an access control method for one port in Ethernet interface view, or for multiple ports in system view. If different access control methods are specified for a port in system view and Ethernet interface view, the one specified later takes effect.
Follow these steps to set the maximum number of authentication request attempts:
To do… / Use the command… / Remarks
Enter system view / system-view / —
Set the maximum number of attempts for sending an authentication request / dot1x retry max-retry-value / Optional. 2 by default.
Setting the 802.1X authentication timeout timers
The network device uses the following 802.1X authentication timeout timers:
• ...
• To use the online handshake security function, make sure the online user handshake function is enabled.
• HP recommends that you use the iNode client software and iMC server to guarantee the normal operation of the online user handshake security function.
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.
Configuration procedure
Follow these steps to configure the authentication trigger function on a port:
To do… ...
To do… / Use the command… / Remarks
Enable the quiet timer / dot1x quiet-period / Required. Disabled by default.
Set the quiet timer / dot1x timer quiet-period quiet-period-value / Optional. The default is 60 seconds.
Enabling the periodic online user re-authentication function
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
• See Table 6 when configuring multiple security features on a port.
...
Configuring an Auth-Fail VLAN
Configuration guidelines
Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
• Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port.
Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters. The configurable delimiters include the at sign (@), back slash (\), and forward slash (/). If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter.
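The delimiter rules above decide which ISP domain, and therefore which AAA scheme and servers, a user is authenticated against, so it is worth seeing them applied to concrete username strings. The following function is an added example, not code from the guide or from HP: it implements the configurable-delimiter set, the leftmost-delimiter rule, and the fallback to the default ISP domain described earlier for usernames with no domain part. Sample usernames are constructed. One assumption is marked in the code: that the text before the delimiter is always the user and the text after it the domain, including for the back slash.

```python
from typing import Optional, Tuple

# Delimiters the access device can be configured to accept (@, back slash, forward slash).
SUPPORTED_DELIMITERS = "@\\/"


def split_username(username: str, delimiters: str = "@",
                   default_domain: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Split an 802.1X username string into (user, domain).

    Rules modelled from the guide: only the configured delimiters are honoured
    (the default is '@'); if several configured delimiters occur in the string,
    the leftmost one is the domain name delimiter; a string with no configured
    delimiter is assigned the default ISP domain (None if none is configured).
    Assumption of this example: for every delimiter, including the back slash,
    the text before it is the user and the text after it is the domain.
    """
    for d in delimiters:
        if d not in SUPPORTED_DELIMITERS:
            raise ValueError(f"delimiter {d!r} is not configurable")
    positions = [username.index(d) for d in delimiters if d in username]
    if not positions:
        return username, default_domain
    cut = min(positions)                 # leftmost configured delimiter wins
    return username[:cut], username[cut + 1:]


if __name__ == "__main__":
    # Constructed sample: the same string parses differently depending on which
    # delimiters are configured, and so lands in a different ISP domain.
    name = "alice/lab\\@bbb"             # alice/lab\@bbb
    print("default '@' only :", split_username(name, "@", "bbb"))
    print("@, \\ and / enabled:", split_username(name, "@\\/", "bbb"))
    print("no domain given  :", split_username("test", "@", "bbb"))
```

The operational consequence: enabling extra delimiters changes how existing usernames are interpreted, so after adding one, check with the display connection command that users are still landing in the intended domain rather than in the default domain.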
Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. If RADIUS accounting fails, the access device logs the user off. Configure the host at 10.1.1.1 as the primary authentication and accounting servers, and the host at 10.1.1.2 as the secondary authentication and accounting servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2
[Device-radius-radius1] secondary accounting 10.1.1.2
# Specify the shared key between the access device and the authentication server.
[Device-radius-radius1] key authentication name
# Specify the shared key between the access device and the accounting server.
Verifying the configuration
Use the display dot1x interface ethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is performed.
802.1X with guest VLAN and VLAN assignment configuration example
Network requirements ...
Configuration procedure
NOTE:
• The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server is not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference.
• Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.
Configure 802.1X.
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X for port Ethernet 1/0/2.
[Device] interface ethernet 1/0/2
[Device-Ethernet1/0/2] dot1x
# Implement port-based access control on the port.
[Device-Ethernet1/0/2] dot1x port-method portbased
# Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode.
[Device-Ethernet1/0/2] dot1x port-control auto
[Device-Ethernet1/0/2] quit
# Set VLAN 10 as the 802.1X guest VLAN for port Ethernet 1/0/2.
NOTE:
The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see Security Command Reference.
Configure 802.1X client.
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.
EAD fast deployment configuration
EAD fast deployment overview
Endpoint Admission Defense (EAD) is an integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
To do… / Use the command… / Remarks
Enter system view / system-view / —
Configure a free IP / dot1x free-ip ip-address { mask-address | mask-length } / Required. By default, no free IP is configured.
NOTE:
• When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP ...
Displaying and maintaining EAD fast deployment
To do… / Use the command… / Remarks
Display 802.1X session information, statistics, or configuration information / display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] / Available in any view
EAD fast deployment configuration example
Network requirements ...
NOTE:
In addition to the configuration on the access device, complete the following tasks:
• Configure the DHCP server so that the host can obtain an IP address on the segment of 192.168.1.0/24.
• Configure the web server so that users can log in to the web page to download 802.1X clients.
...
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
The output shows that you can access that segment before passing 802.1X authentication.
MAC authentication configuration
MAC authentication overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
For more information about configuring local authentication and RADIUS authentication, see the chapter “AAA configuration.”
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.
MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources. If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN.
NOTE: A hybrid port is always assigned to a guest VLAN as an untagged member.
To do… / Use the command… / Remarks
Configure MAC authentication timers / mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } / Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
• Specify a global authentication domain in system view. This domain setting applies to all ports.
• Specify an authentication domain for an individual port in Ethernet interface view.
MAC authentication chooses an authentication domain for users on a port in this order: the interface-specific domain, the global domain, and the default domain.
Table 8 Relationships of the MAC authentication guest VLAN with other security features
Feature / Relationship description / Reference
Quiet function of MAC authentication / The MAC authentication guest VLAN function has higher priority. A user can access any resources in the guest VLAN. / “MAC authentication timers”
... / You cannot specify a VLAN as both a super ... / See the chapter “Super VLAN configuration” ...
Figure 48 Network diagram
Configuration procedure
# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account.
<Device> system-view
[Device] local-user 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-00-e0-fc-12-34-56] quit
...
Silent Mac User info:
  MAC Addr           From Port      Port Index
Ethernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 1, failed: 0
  Max number of on-line users is 2048
  Current online user number is 1
  MAC Addr          Authenticate state          Auth Index
  00e0-fc12-3456    MAC_AUTHENTICATOR_SUCCESS   ...
NOTE:
Make sure that the RADIUS server and the access device can reach each other.
Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
# Configure a RADIUS scheme.
<Device> ...
  MAC ADDR          From Port      Port Index
Ethernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 1, failed: 0
  Max number of on-line users is 2048
  Current online user number is 1
  MAC ADDR          Authenticate state          Auth Index
  00e0-fc12-3456    MAC_AUTHENTICATOR_SUCCESS
# After a user passes MAC authentication, use the display connection command to display online user information.
Configure the ACL assignment.
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
Configure RADIUS-based MAC authentication on the device.
# Configure a RADIUS scheme.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
...
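The rule `rule 0 deny ip destination 10.0.0.1 0` is easy to misread: the trailing 0 is a wildcard mask, not a prefix length, and in this syntax 0 bits must match while 1 bits are ignored, so `0` means exactly one host. The following evaluator is an added example, not code from the guide or from HP; it parses the subset of advanced-ACL rule syntax used on this page and applies it to sample packets so that an authorization ACL can be checked offline before it is handed out by the RADIUS server. The second rule and the client address are constructed, and the evaluator assumes that traffic matching no rule is permitted, which is what this scenario relies on (only the FTP server is unreachable).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Match = Optional[Tuple[int, int]]   # (address, wildcard) as integers; None means any


@dataclass
class AclRule:
    rule_id: int
    action: str       # "permit" or "deny"
    protocol: str     # "ip" matches any IP protocol; otherwise e.g. "tcp", "udp", "icmp"
    source: Match
    destination: Match


def _addr(text: str, wildcard: str) -> Tuple[int, int]:
    # Wildcard mask semantics: 0 bits must match, 1 bits are ignored. A bare "0"
    # (as in "destination 10.0.0.1 0") is an exact host match.
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(text)), wc


def parse_rule(line: str) -> AclRule:
    """Parse: rule <id> { permit | deny } <protocol> [ source A W | any ] [ destination A W | any ]"""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    src: Match = None
    dst: Match = None
    i = 4
    while i < len(tok):
        kw = tok[i]
        if kw not in ("source", "destination") or i + 1 >= len(tok):
            raise ValueError(f"unsupported or incomplete clause at {kw!r}")
        if tok[i + 1] == "any":
            value, i = None, i + 2
        elif i + 2 < len(tok):
            value, i = _addr(tok[i + 1], tok[i + 2]), i + 3
        else:
            raise ValueError(f"missing wildcard mask after {tok[i + 1]!r}")
        if kw == "source":
            src = value
        else:
            dst = value
    return AclRule(int(tok[1]), tok[2], tok[3], src, dst)


def _matches(m: Match, address: str) -> bool:
    if m is None:
        return True
    addr, wc = m
    return ((int(ipaddress.IPv4Address(address)) ^ addr) & ~wc & 0xFFFFFFFF) == 0


def evaluate(rules: List[AclRule], src: str, dst: str, protocol: str,
             default: str = "permit") -> str:
    """Return the action of the first matching rule in ascending rule-id order,
    or the default (assumed permit) when nothing matches."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.protocol != "ip" and r.protocol != protocol:
            continue
        if _matches(r.source, src) and _matches(r.destination, dst):
            return r.action
    return default


# The rule from the page, plus one constructed rule with a non-zero wildcard
# (blocks TCP to the whole 10.0.1.0/24 range) to show how the mask widens a match.
ACL_3000 = [
    parse_rule("rule 0 deny ip destination 10.0.0.1 0"),
    parse_rule("rule 5 deny tcp source any destination 10.0.1.0 0.0.0.255"),
]

if __name__ == "__main__":
    host = "192.168.1.10"   # constructed client address
    print("ping 10.0.0.1  ->", evaluate(ACL_3000, host, "10.0.0.1", "icmp"))
    print("ping 10.0.0.2  ->", evaluate(ACL_3000, host, "10.0.0.2", "icmp"))
    print("tcp to 10.0.1.77 ->", evaluate(ACL_3000, host, "10.0.1.77", "tcp"))
```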
Total 1 connection(s) matched on slot 1.
Total 1 connection(s) matched.
Ping the FTP server from the host to verify that the ACL 3000 has been assigned to port Ethernet 1/0/1 to deny access to the FTP server.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Portal configuration
Portal overview
Introduction to portal
Portal authentication helps control access to the Internet. It is also called “web authentication.” A website implementing portal authentication is called a portal website.
With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website; ...
Figure 51 Portal system components (authentication clients, access device, portal server, authentication/accounting server, security policy server)
Authentication client
An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
NAT, network address translations performed on the access device do not affect portal authentication. However, in such a case, HP recommends using an interface’s public IP address as the source address of outgoing portal packets.
Authentication page customization support
The local portal server function allows you to customize authentication pages. You can customize authentication pages by editing the corresponding HTML files and then compressing and saving the files to the storage medium of the device. A set of customized authentication pages consists of six authentication pages—the logon page, the logon success page, the online page, the logoff success page, the logon failure page, and the system busy page.
NOTE: The local portal server function does not support re-DHCP authentication.
• Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to be present between the authentication client and the access device.
In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client’s IP address is used for client identification.
Layer 2 portal authentication process
Figure 54 Local Layer 2 portal authentication process
Local Layer 2 portal authentication takes the following procedure:
The portal authentication client sends an HTTP or HTTPS request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which then pushes a web authentication page to the authentication client.
NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to make sure that the client can communicate with the hosts in the VLAN.
Assignment of authorized ACLs
The device can use ACLs to control user access to network resources and limit user access rights.
The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message. The access device and the RADIUS server exchange RADIUS packets to authenticate the user. The access device sends an authentication reply to the portal server.
The portal server notifies the authentication client of logon success. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes additional steps: The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
Portal support for EAP authentication process
Figure 58 Portal support for EAP authentication process
All portal authentication modes share the same EAP authentication steps. The following takes the direct portal authentication as an example to show the EAP authentication process:
The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process.
The access device sends an authentication reply to the portal server. This reply carries the EAP-Success message in the EAP-Message attribute. The portal server notifies the authentication client of the authentication success. The portal server sends an authentication reply acknowledgment to the access device. The remaining steps are for extended portal authentication.
online user information of each other through the failover link. When one of them (Gateway A or Gateway B) fails, the other can guarantee the normal data communication of the online portal users and perform portal authentication for new portal users.
Basic concepts
• Device states ...
NOTE:
• Portal authentication configured on MCE devices can also support authentication across VPNs. For information about MCE, see Layer 3 - IP Routing Configuration Guide.
• For information about AAA implementation across VPNs, see the chapter “AAA configuration.”
• This feature is not applicable to VPNs with overlapping address spaces.
Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. HP recommends using the IP address of a loopback interface rather than a physical Layer 3 interface, because:
• The status of a loopback interface is stable. There will be no authentication page access failures caused by interface failures.
• A loopback interface does not forward received packets to any network, avoiding impact on system ...
Configuring the local portal server Configuring a local portal server is required only for local portal authentication. During local portal authentication, the local portal server pushes authentication pages to users. You can define the authentication pages for users; otherwise, the default authentication pages will be used during the authentication process.
• Post requests are used when users submit username and password pairs, log on the system, and log off the system.
Rules on Post request attributes
Observe the following requirements when editing a form of an authentication page:
• An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi.
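A customized page set is only as safe as the forms it contains, and a broken logon form fails at the worst moment, when a user is trying to authenticate. The following checker is an added example, not code from the guide or from HP: it parses a logon page with the standard library and enforces the rule stated above (exactly one form whose action is logon.cgi); it also checks that the form submits with POST, which is this example's reading of the Post-request rule. The sample pages are constructed, and the input field names in them are placeholders rather than the attribute names the device expects.

```python
from html.parser import HTMLParser
from typing import List, Tuple


class _FormCollector(HTMLParser):
    """Collect (action, method) of every <form> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): (v or "") for k, v in attrs}
            action = a.get("action", "").strip()
            method = a.get("method", "get").strip().lower()   # HTML default is GET
            self.forms.append((action, method))


def check_logon_page(html: str) -> List[str]:
    """Return the rule violations found in a customized logon page (empty list = OK).

    Rule from the guide: a page may contain several forms, but exactly one form
    must have the action logon.cgi. Assumption of this example: since credentials
    are submitted with Post requests, that form must use method POST.
    """
    p = _FormCollector()
    p.feed(html)
    p.close()
    problems = []
    logon_forms = [f for f in p.forms if f[0] == "logon.cgi"]
    if len(logon_forms) != 1:
        problems.append(f"expected exactly one form with action logon.cgi, found {len(logon_forms)}")
    for action, method in logon_forms:
        if method != "post":
            problems.append(f"form {action} uses method {method.upper()}, expected POST")
    return problems


# Constructed sample pages (not the device's default pages). Field names are
# placeholders; a real page uses the attribute names given in the guide.
GOOD_PAGE = """<html><body>
<form action="logon.cgi" method="post">
  <input name="PLACEHOLDER_USER"><input type="password" name="PLACEHOLDER_PASSWORD">
  <input type="submit" value="Logon">
</form>
<form action="help.htm" method="get"><input type="submit" value="Help"></form>
</body></html>"""

BAD_PAGE = """<html><body>
<form action="logon.cgi" method="get"><input type="submit"></form>
<form action="logon.cgi" method="post"><input type="submit"></form>
</body></html>"""

if __name__ == "__main__":
    print("good page:", check_logon_page(GOOD_PAGE) or "no problems")
    print("bad page: ", check_logon_page(BAD_PAGE))
```

Running such a check over every HTML file before zipping the page set catches the duplicate-form and GET-submission mistakes at edit time instead of after the device has started pushing the pages to users.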
Rules on file size and contents
For the system to push customized authentication pages smoothly, you need to comply with the following size and content requirements on authentication pages.
• The size of the zip file of each set of authentication pages, including the main authentication pages ...
..</body>
</html>
NOTE:
• HP recommends using browser IE 6.0 or above on the authentication clients.
• Make sure that the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.
Enabling Layer 2 portal authentication
Before enabling Layer 2 portal authentication, make sure that:
• The listening IP address of the local portal server is specified.
• Layer 3 portal authentication is not enabled on any interface.
Follow these steps to enable Layer 2 portal authentication:
To do… ...
NOTE:
• The destination port number that the device uses for sending unsolicited packets to the portal server must be the same as the port number that the remote portal server actually uses.
• The portal server and its parameters can be deleted or modified only when the portal server is not referenced by any interface.
NOTE:
• If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.
• You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists.
To do… / Use the command… / Remarks
Enter system view / system-view / —
Set the maximum number of online portal users / portal max-user max-number / Required. 1024 by default.
NOTE:
• The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch.
Configuration prerequisites
Different clients may have different web proxy configurations. For these clients to trigger portal authentication, you must satisfy the following prerequisites:
Web proxy configuration on clients / Configuration prerequisites
Scenario 1: ... / If an iMC portal server is used, perform the following configurations on the iMC portal server:
• Select NAT as the type of the IP group associated with the ...
NOTE: Only Layer 2 portal authentication supports this feature. In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled port of the device without logging off, the user cannot get online when the original port is still up.
To do… / Use the command… / Remarks
Enter Layer 2 Ethernet interface view / interface interface-type interface-number / —
Specify an Auth-Fail VLAN for portal authentication on the port / portal auth-fail vlan authfail-vlan-id / Required. Not specified by default.
NOTE:
• To make the Auth-Fail VLAN of portal authentication on a port take effect, you also need to enable the ...
Specifying a NAS ID profile for an interface In some networks, users’ access points are identified by their access VLANs. Network carriers need to use NAS-identifiers to identify user access points. With a NAS ID profile specified on an interface, when a user logs in from the interface, the access device checks the specified profile to obtain the NAS ID that is bound with the access VLAN.
Specify a source IP address for outgoing portal packets / portal nas-ip ip-address / ... IP address of the outgoing portal packets. In NAT environments, HP recommends specifying the interface’s public IP address as the source IP address of outgoing portal packets.
To do… / Use the command… / Remarks
Specify the portal group to which the portal service backup interface belongs / portal backup-group group-id / Required. By default, the portal service backup interface does not belong to any portal group. The portal service backup interfaces on the two devices for stateful failover must belong to the same portal group.
Specifying an auto redirection URL for authenticated portal users After a user passes portal authentication, if the access device is configured with an auto redirection URL, it redirects the user to the URL after a specified period of time. Follow these steps to specify an auto redirection URL for authenticated portal users: To do…...
To do… / Use the command… / Remarks
Set the Layer 2 portal user detection interval / portal offline-detect interval offline-detect-interval / Required. 300 seconds by default.
Configuring the portal server detection function
NOTE: Only Layer 3 portal authentication supports this feature.
During portal authentication, if the communication between the access device and portal server is broken, new portal users are not able to log on and the online portal users are not able to log off normally.
To do… / Use the command… / Remarks
Display portal connection statistics on a specific interface or all interfaces / display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] / Available in any view
Display information about a ... / display portal free-rule ...
• The host is directly connected to the switch and the switch is configured for direct authentication. The host is assigned with a public network IP address either manually or through DHCP.
• Before passing portal authentication, users can access only the portal server. After passing portal authentication, users can access Internet resources.
Figure 62 Portal server configuration
# Configure the IP address group.
Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure
• Type the IP group name.
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure
• Type the device name NAS.
• Type the IP address of the switch’s interface connected to the user.
...
Figure 66 Add a port group
# Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configure the switch
• Configure a RADIUS scheme
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> ...
# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable dm1
• Configure portal authentication ...
NOTE:
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown)
• For re-DHCP portal authentication, the switch must be configured as a DHCP relay agent and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).
# Configure the portal server as follows:
• Name: newpt
• IP address: 192.168.0.111
• Key: portal
• Port number: 50100
• URL: http://192.168.0.111:8080/portal
[Switch] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal
# Configure the switch as a DHCP relay agent, and enable the IP address check function.
[Switch] dhcp enable
[Switch] dhcp relay server-group 0 ip 192.168.0.112
[Switch] interface vlan-interface 100...
NOTE:
• Make sure that the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
•...
[SwitchA] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting Switch B.
[SwitchA] interface vlan-interface 4
[SwitchA-Vlan-interface4] portal server newpt method layer3
[SwitchA-Vlan-interface4] quit
On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown)
Configuring direct portal authentication with extended functions...
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting the host.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal server newpt method direct
[Switch-Vlan-interface100] quit
Configuring re-DHCP portal authentication with extended functions
Network requirements
As shown in Figure
The host is directly connected to the switch and the switch is configured for re-DHCP authentication.
NOTE:
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown)
• For re-DHCP portal authentication, the switch must be configured as a DHCP relay agent, and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).
Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources.
NOTE: On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-adv-3000] rule deny ip
[Switch-acl-adv-3000] quit...
Figure 71 Network diagram
Configuration procedure
NOTE:
• Make sure that the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
# Configure AAA methods for the ISP domain.
[SwitchA-isp-dm1] authentication portal radius-scheme rs1
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
• When Switch A works normally, Host accesses Switch A for portal authentication before accessing the Internet; when Switch A fails, Host accesses the Internet through Switch B. The VRRP uplink/downlink detection mechanism is used to ensure non-stop traffic forwarding.
• Use the RADIUS server as the authentication/accounting server.
Log in to the iMC management platform and select the Service tab. Then, select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure
Configure the portal server parameters as needed. This example uses the default settings.
•...
# Add a portal device.
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure
• Type the device name NAS.
• Type the virtual IP address of the VRRP group that holds the portal-enabled interface.
Figure 77 Add a port group
# Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configure Switch A
• Configure VRRP
# Create VRRP group 1, and configure the virtual IP address of VRRP group 1 as 9.9.1.1.
<SwitchA>...
# Configure the server type for the RADIUS scheme. When using the iMC server, configure the RADIUS server type as extended.
[SwitchA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.111
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key authentication expert...
[SwitchA] radius nas-ip 192.168.0.1
NOTE: Make sure that you have added the access device with IP address 192.168.0.1 on the RADIUS server.
• Configure the stateful failover function
# Configure the VLAN for stateful failover as VLAN 8.
[SwitchA] dhbk vlan 8
# Enable stateful failover and configure it to support the symmetric path.
# Configure AAA methods for the ISP domain.
[SwitchB-isp-dm1] authentication portal radius-scheme rs1
[SwitchB-isp-dm1] authorization portal radius-scheme rs1
[SwitchB-isp-dm1] accounting portal radius-scheme rs1
[SwitchB-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
ACL:NONE
Work-mode: primary
VPN instance:NONE
Vlan Interface
---------------------------------------------------------------------
000d-88f8-0eac 9.9.1.2 Vlan-interface10
Total 1 user(s) matched, 1 listed.
[SwitchB] display portal user all
Index:2
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode: secondary
VPN instance:NONE
Vlan Interface
---------------------------------------------------------------------
000d-88f8-0eac 9.9.1.2 Vlan-interface10
Total 1 user(s) matched, 1 listed.
In the output above, you can see the information of user Host on both Switch A and Switch B.
Figure 78 Network diagram (host 2.2.2.2/24 with gateway 2.2.2.1/24 on the switch's Vlan-int100, 2.2.2.1/24; portal server 192.168.0.111/24 and RADIUS server 192.168.0.112/24 on Vlan-int2, 192.168.0.100/24)
Configuration considerations
• Configure the portal server, and enable the portal server heartbeat function and the portal user heartbeat function.
• Configure the RADIUS server to implement authentication and accounting.
• Configure direct portal authentication on interface VLAN-interface 100, which is connected to the user host.
Figure 79 Portal server configuration
# Configure the IP address group.
Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure
Type the IP group name.
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure
• Type the device name NAS.
• Type the IP address of the switch’s interface connected to the user.
•...
Figure 83 Add a port group
# Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configure the switch
• Configure a RADIUS scheme
# Create RADIUS scheme rs1 and enter its view.
<Switch>...
NOTE: The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.
: http://192.168.0.111:8080/portal
Status : Up
Configuring Layer 2 portal authentication
Network requirements
As shown in Figure 84, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port Ethernet 1/0/1. More specifically:
Use the remote RADIUS server for authentication, authorization, and accounting.
NOTE:
• Make sure that the host, switch, and servers can reach each other before portal authentication is enabled.
• Configure the RADIUS server properly to provide normal authentication/authorization/accounting functions for users. In this example, you must create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account.
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
# Correlate DHCP server group 1 with VLAN-interface 3.
[Switch-Vlan-interface3] dhcp relay server-select 1
[Switch-Vlan-interface3] quit
Verifying the configuration
Before user userpt accesses a web page, the user is in VLAN 8 (the initial VLAN) and is assigned an IP address on subnet 192.168.1.0/24. When the user accesses a web page on the external network, the web request is redirected to the authentication page https://4.4.4.4/portal/logon.htm.
Analysis
The keys configured on the access device and the portal server are inconsistent, causing CHAP message exchange failure. As a result, the portal server does not display the authentication page.
Solution
• Use the display portal server command to display the key for the portal server on the access device...
Triple authentication configuration
Triple authentication overview
Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services.
authentication, the other types of authentication being performed are terminated. Then, whether the other types of authentication can be triggered varies:
• If a terminal passes 802.1X or portal authentication, no other types of authentication will be triggered for the terminal.
• If the terminal passes MAC authentication, no portal authentication can be triggered for the...
Configure Layer 2 portal authentication: see the chapter “Portal configuration”
NOTE:
• 802.1X authentication must use MAC-based access control.
• HP does not recommend that you configure 802.1X guest VLANs for triple authentication.
Triple authentication configuration examples
Triple authentication basic function configuration example
Network requirements...
NOTE:
• Make sure that the terminals, the server, and the switch can reach each other.
• The host of the web user must have a route to the listening IP address of the local portal server.
• Configure the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication and accounting servers and keys.
[Switch-radius-rs1] primary authentication 1.1.1.2
[Switch-radius-rs1] primary accounting 1.1.1.2
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius
# Specify usernames sent to the RADIUS server to carry no domain names.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
Configure an ISP domain.
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example
Network requirements
As shown in Figure 87, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer 2 interface of the switch that connects to the terminals, so that a terminal passing one of the three authentication methods (802.1X authentication, portal authentication, or MAC authentication) can access the IP network.
Configure the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally. In this example, configure on the RADIUS server an 802.1X user (with username userdot), a portal user (with username userpt), a MAC authentication user (with a username and password both being the MAC address of the printer 001588f80dd7), and an authorized VLAN (VLAN 3).
[Switch-dhcp-pool-3] quit
# Configure IP address pool 4, and bind the printer MAC address 0015-e9a6-7cfe to the IP address 3.3.3.111/24 in this address pool.
[Switch] dhcp server ip-pool 4
[Switch-dhcp-pool-4] static-bind ip-address 3.3.3.111 mask 255.255.255.0
[Switch-dhcp-pool-4] static-bind mac-address 0015-e9a6-7cfe
[Switch-dhcp-pool-4] quit
Configure portal authentication.
[Switch-Ethernet1/0/1] mac-authentication guest-vlan 2
[Switch-Ethernet1/0/1] quit
Configure a RADIUS scheme.
# Create a RADIUS scheme named rs1.
[Switch] radius scheme rs1
# Specify the server type for the RADIUS scheme, which must be extended when the iMC server is used.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication and accounting servers and keys.
IP=N/A IPv6=N/A
MAC=0015-88f8-0dd7
Total 3 connection(s) matched on slot 1.
Total 3 connection(s) matched.
Use the display mac-vlan all command to view the MAC-VLAN entries of online users. VLAN 3 is the authorized VLAN.
[Switch] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC ADDR...
NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see the chapters “802.1X configuration” and “MAC authentication configuration”...
• MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
• Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default.
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority, as the Else keyword implies. For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the authentication fails, 802.1X authentication.
macAddressElseUserLoginSecureExt
This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users, as the keyword Ext implies.
Enabling port security
Configuration prerequisites
Disable 802.1X and MAC authentication globally.
Configuration procedure
Follow these steps to enable port security:
To do… Use the command… Remarks
Enter system view: system-view
Enable port security: port-security enable. Required. By default, port security is disabled. Enabling or disabling port security resets the following security settings to the default:
•...
To do… Use the command… Remarks
Set the limit of port security on the number of MAC addresses: port-security max-mac-count count-value. Required. Not limited by default.
NOTE: The port security’s limit on the number of MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration in the Layer 2—LAN Switching Configuration Guide.
Setting the port security mode...
To do… Use the command… Remarks
Set the port security mode: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }. Required. By default, a port operates in noRestrictions mode.
NOTE:...
• blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames. All subsequent frames sourced from a blocked MAC address will be dropped. A blocked MAC address is restored to normal state after being blocked for three minutes. The interval is fixed and cannot be changed.
Configuring secure MAC addresses
Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up events. You can bind a secure MAC address to only one port in a VLAN. Secure MAC addresses fall into static, sticky, and dynamic secure MAC addresses.
Table 11 A comparison of static, sticky, and dynamic secure MAC addresses
Type Can be saved and...
Configuration procedure
Follow these steps to configure a secure MAC address:
To do… Use the command… Remarks
Enter system view: system-view
Set the secure MAC aging timer: port-security timer autolearn aging time-value. Optional. By default, secure MAC addresses do not age out, and you can remove them only by performing the undo port-security mac-address...
Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
To do… Use the command… Remarks
Enter system view: system-view
Enter Layer 2 Ethernet interface view: interface interface-type interface-number
Ignore the authorization information from the RADIUS server: port-security authorization ignore. Required. By default, a port uses the...
Figure 88 Network diagram
Configuration procedure
# Enable port security.
<Device> system-view
[Device] port-security enable
# Set the secure MAC aging timer to 30 minutes.
[Device] port-security timer autolearn aging 30
# Enable intrusion protection traps on port Ethernet 1/0/1.
[Device] port-security trap intrusion
[Device] interface ethernet 1/0/1
# Set port security’s limit on the number of MAC addresses to 64 on the port.
# Repeatedly perform the display port-security command to track the number of MAC addresses learned by the port, or use the display this command in Layer 2 Ethernet interface view to display the secure MAC addresses.
<Device> system-view
[Device] interface ethernet 1/0/1
[Device-Ethernet1/0/1] display this
interface Ethernet1/0/1
 port-security max-mac-count 64...
Configuring the userLoginWithOUI mode Network requirements As shown in Figure 89, a client is connected to the Device through port Ethernet 1/0/1. The Device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication name
[Device-radius-radsun] key accounting money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users.
Second Auth Server:
 IP: 192.168.1.3 Port: 1812 State: active
 Encryption Key : N/A
 VPN instance : N/A
Second Acct Server:
 IP: 192.168.1.2 Port: 1813 State: active
 Encryption Key : N/A
 VPN instance : N/A
Auth Server Encryption Key : name
Acct Server Encryption Key : money
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second)
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1.
# Display 802.1X information.
Controlled User(s) amount to 1
In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port.
# Display MAC address information for interface Ethernet 1/0/1.
<Device> display mac-address interface ethernet 1/0/1
MAC ADDR VLAN ID STATE...
[Device] dot1x authentication-method chap
# Set port security’s limit on the number of MAC addresses to 64 on the port.
[Device-Ethernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-Ethernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Device-Ethernet1/0/1] port-security ntk-mode ntkonly
Verifying the configuration
# Display the port security configuration.
1234-0300-0012 MAC_AUTHENTICATOR_SUCCESS
1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS
# Display 802.1X authentication information.
<Device> display dot1x interface ethernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
 Quiet Period 60 s, Quiet Period Timer is disabled
 Supp Timeout...
Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode.
[Device-Ethernet1/0/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
Analysis
For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
Analysis
Changing the port security mode is not allowed when an 802.1X-authenticated or MAC-authenticated user is online.
Solution
Use the cut command to forcibly disconnect the user from the port before changing the port security mode.
[Device-Ethernet1/0/1] quit
[Device] cut connection interface ethernet 1/0/1
[Device] interface ethernet 1/0/1
[Device-Ethernet1/0/1] undo port-security port-mode...
User profile configuration
User profile overview
A user profile provides a configuration template to save predefined configurations, such as a Committed Access Rate (CAR) policy or a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile supports working with 802.1X authentication and portal authentication.
Creating a user profile
Follow these steps to create a user profile:
To do… Use the command… Remarks
Enter system view: system-view
Create a user profile, and enter its view: user-profile profile-name. Required. You can use the command to enter the view of an existing user profile.
Enabling a user profile
Enable a user profile so that the configurations in the profile can be applied by the device to restrict user behaviors. If the device detects that the user profile is disabled, the device denies the associated user even if the user has been verified by the authentication server.
HABP configuration
HABP overview
The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 90, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.
CAUTION:
• In a cluster, if a member switch with 802.1X authentication or MAC authentication enabled has other member switches of the cluster attached to it, you also need to configure the HABP server on this device. Otherwise, the cluster management device will not be able to manage the devices attached to this member switch.
To do… Use the command… Remarks
Configure HABP to work in client mode: undo habp server. Optional. HABP works in client mode by default.
Specify the VLAN to which the HABP client belongs: habp client vlan vlan-id. Optional. By default, an HABP client belongs to VLAN 1.
Figure 91 Network diagram
Configuration procedure
Configure Switch A.
# Perform 802.1X related configurations on Switch A. For detailed configurations, see the chapter “802.1X configuration.”
# Enable HABP. (HABP is enabled by default. This configuration is optional.)
<SwitchA> system-view
[SwitchA] habp enable
# Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
Verify your configuration.
# Display HABP configuration information.
<SwitchA> display habp
Global HABP information:
 HABP Mode: Server
 Sending HABP request packets every 50 seconds
 Bypass VLAN: 1
# Display HABP MAC address table entries.
<SwitchA> display habp table
Holdtime Receive Port
001f-3c00-0030 Ethernet1/0/2
001f-3c00-0031...
Public key configuration
Overview
To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 92.
Figure 92 Encryption and decryption
The keys that participate in the conversion between the plain text and the cipher text can be the same or...
Task Remarks
Configuring a local asymmetric key pair on the local device:
 Creating a local asymmetric key pair: Required
 Displaying or exporting the local host public key: Optional
 Destroying a local asymmetric key pair: Optional
Specifying the peer public key on the local device: Optional
Configuring a local asymmetric key pair on the local device...
Displaying or exporting the local host public key
In SSH, to allow your local device to be authenticated by a peer device through digital signature, you must display or export the local host public key, which will then be specified on the peer device. To display or export the local host public key, choose one of the following methods:
• Displaying and recording the host public key information...
its public key. A public key displayed by other methods for the HP device may not be in a correct format. Always use the first method if you are not sure about the format of the recorded public key.
NOTE:
• The device supports up to 20 peer public keys.
• For information about displaying or exporting the host public key, see "Displaying or exporting the local host public key."
Follow these steps to import the host public key from a public key file to the local device:
To do…...
Public key configuration examples
Manually specifying the peer public key on the local device
Network requirements
As shown in Figure 93, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
Time of Key pair created: 09:50:07 2011/03/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61
58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3
CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
Configure Device B.
# Configure the host public key of Device A's RSA key pairs on Device B. In public key code view, input the host public key of Device A.
Figure 94 Network diagram
Configuration procedure
Create key pairs on Device A and export the host public key.
# Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
# Enable the FTP server function, and create an FTP user with the username ftp, password 123, and user level 3. This user level guarantees that the user has the permission to perform FTP operations.
[DeviceA] ftp server enable
[DeviceA] local-user ftp
[DeviceA-luser-ftp] password simple 123
[DeviceA-luser-ftp] service-type ftp
[DeviceA-luser-ftp] authorization-attribute level 3...
The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.
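To check that consistency without comparing 252 hex digits by eye, here is an added Python example (not from the guide and not HP code). It decodes the Key code shown above for Device A as the DER-encoded SubjectPublicKeyInfo that the key-code view accepts, returns the RSA modulus and public exponent, and compares two recorded copies structurally, so that the line wrapping of a typed-in key does not matter while a single mistyped digit is detected. The key-fingerprint formatting is an assumption for illustration only; the switch output above prints no fingerprint for host keys.

```python
import hashlib

# Host public key of Device A exactly as the guide's display output prints it
# (the three wrapped lines of the "Key code:" field, joined). It is a
# DER-encoded SubjectPublicKeyInfo, which is what public key code view accepts.
DEVICE_A_KEY_CODE = (
    "307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61"
    "58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3"
    "CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the count of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element body")
    return tag, value, pos + length


def _clean_hex(key_code):
    """Join the wrapped lines of a recorded key code and drop stray whitespace."""
    return "".join(key_code.split())


def parse_rsa_public_key(key_code):
    """Decode a SubjectPublicKeyInfo hex string into (modulus, public exponent)."""
    der = bytes.fromhex(_clean_hex(key_code))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)  # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa, _ = _read_tlv(bitstr, 1)  # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")
    n_tag, n_bytes, pos = _read_tlv(rsa, 0)
    e_tag, e_bytes, _ = _read_tlv(rsa, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_fingerprints(key_code):
    """MD5 and SHA-1 of the DER bytes, grouped in fours like the guide's CA fingerprint
    lines. Assumption for illustration: the switch is not documented to print host-key
    fingerprints; the grouping only mirrors the CA certificate prompt shown later."""
    der = bytes.fromhex(_clean_hex(key_code))

    def group(h):
        return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

    return (group(hashlib.md5(der).hexdigest().upper()),
            group(hashlib.sha1(der).hexdigest().upper()))


def keys_match(local_key_code, peer_key_code):
    """True when the key recorded on the peer decodes to the same (n, e) as the local
    key, regardless of how either copy was line-wrapped when it was entered."""
    return parse_rsa_public_key(local_key_code) == parse_rsa_public_key(peer_key_code)


if __name__ == "__main__":
    n, e = parse_rsa_public_key(DEVICE_A_KEY_CODE)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print("MD5 / SHA1:", *key_fingerprints(DEVICE_A_KEY_CODE))
```

Run against the key code above, the decoder yields a 768-bit modulus with public exponent 65537; a copy of the key with different line breaks still matches, while a copy whose last digit was mistyped decodes to a different exponent and is rejected.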
With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for Secure Sockets Layer (SSL).
PKI terms
• Digital certificate...
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.
PKI applications
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples.
• A virtual private network (VPN) is a private data communication network built on the public communication infrastructure.
Task Remarks
Retrieving a certificate manually: Optional
Configuring PKI certificate verification: Optional
Destroying a local RSA key pair: Optional
Deleting a certificate: Optional
Configuring an access control policy: Optional
Configuring an entity DN
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN).
To do… Use the command… Remarks
Configure the FQDN for the entity: fqdn name-str. Optional. No FQDN is specified by default.
Configure the IP address for the entity: ip ip-address. Optional. No IP address is specified by default.
Configure the locality for the entity: locality locality-name. Optional. No locality is specified by default.
• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an “out-of-band”...
To do… Use the command… Remarks
Retrieve a CA certificate manually: see “Retrieving a certificate manually”. Required.
Generate a local RSA key pair: public-key local create rsa. Required. No local RSA key pair exists by default.
Submit a local certificate request manually: pki request-certificate domain domain-name [ password ]. Required...
To do… Use the command… Remarks
Enter system view: system-view
Retrieve a certificate manually (online): pki retrieval-certificate { ca | local } domain domain-name. Required; use either command.
Retrieve a certificate manually (offline): pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]. Required; use either command.
CAUTION: If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it.
To do… / Use the command… / Remarks
Retrieve the CA certificate: see “Retrieving a certificate manually” (Required)
Retrieve CRLs: pki retrieval-crl domain domain-name (Required)
Verify the validity of a certificate: pki validate-certificate { ca | local } domain domain-name (Required)
NOTE:
• The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The...
Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate.
Follow these steps to delete a certificate:
To do… / Use the command… / Remarks
Enter system view: system-view...
Displaying and maintaining PKI
To do… / Use the command… / Remarks
Display the contents or request status of a certificate: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ] (Available in any view)
display pki crl domain...
In this example, configure basic attributes including the Nickname and Subject DN on the CA server first. The Nickname indicates the name of the trusted CA. The Subject DN is the DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes can be left at their default values.
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++
• Apply for certificates
# Retrieve the CA certificate and save it locally.
[Device] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
Configuration procedure
Configure the CA server
• Install the certificate service suites
From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation.
• Install the SCEP add-on...
[Device-pki-domain-torsa] certificate request entity aaa
• Generate a local key pair using RSA
[Device] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes. Press CTRL+C to abort.
Not After : Feb 21 12:42:16 2011 GMT
Subject: CN=device
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113 0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439...
Figure 98 Configure a certificate attribute-based access control policy
Configuration procedure
NOTE:
• For more information about SSL configuration, see the chapter “SSL configuration.”
• For more information about HTTPS configuration, see Fundamentals Configuration Guide.
• The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a...
[Device-pki-cert-acp-myacp] quit
Apply the SSL server policy and certificate attribute-based access control policy to HTTPS service and enable HTTPS service.
# Apply SSL server policy myssl to HTTPS service.
[Device] ip https ssl-server-policy myssl
# Apply the certificate attribute-based access control policy of myacp to HTTPS service.
[Device] ip https certificate access-control-policy myacp
# Enable HTTPS service.
• The URL of the registration server for certificate request is not correct or not configured.
• No authority is specified for certificate request.
• Some required parameters of the entity DN are not configured.
Solution
• Make sure that the network connection is physically proper....
IPsec configuration
IPsec overview
IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for securing IP communications. It is a Layer 3 virtual private network (VPN) technology that transmits data in a secure tunnel established between two endpoints. IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at the IP layer in an insecure network environment.
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 99 shows the format of IPsec packets.
Figure 99 Encapsulation by security protocols in different modes
Authentication algorithms and encryption algorithms
Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
IPsec for IPv6 routing protocols
You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: the 3600 v2 EI switches support using IPsec for OSPFv3, IPv6 BGP, and RIPng; the 3600 v2 SI switches only support using IPsec for RIPng. IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol.
To do… / Use the command… / Remarks
Enter system view: system-view
Create an IPsec proposal and enter its view: ipsec proposal proposal-name (Required. By default, no IPsec proposal exists.)
Specify the security protocol for the proposal: transform { ah | ah-esp | esp } (Optional. ESP by default)...
directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
• All SAs (both inbound and outbound) within the routed network scope must use the same SPI and keys. Configure the keys on all routers within the routed network scope in the same format.
NOTE:
• A manual IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for an IPsec policy, you must remove the proposal reference first.
• If you configure a key in two modes, string and hexadecimal, only the last configured one will be used.
Displaying and maintaining IPsec
To do…...
Configuration considerations
To meet the requirements, perform the following configuration tasks:
• Configure basic RIPng parameters.
• Configure a manual IPsec policy.
• Apply the IPsec policy to a RIPng process to protect RIPng packets in this process or to an interface...
[SwitchB] interface vlan-interface 200
[SwitchB-Vlan-interface200] ripng 1 enable
[SwitchB-Vlan-interface200] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
[SwitchB] ipsec proposal tran1
[SwitchB-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchB-ipsec-proposal-tran1] transform esp...
# Create an IPsec policy named policy001, specify the manual mode for it, configure the SPIs of the inbound and outbound SAs as 123456, and set the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchC] ipsec policy policy001 10 manual
[SwitchC-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchC-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[SwitchC-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456...
tunnel:
flow:
[inbound ESP SAs]
spi: 123456 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 123456 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
Similarly, you can view the information on Switch B and Switch C. (Details not shown)
SSH2.0 configuration
SSH2.0 overview
Introduction to SSH2.0
Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
secondary protocol version numbers constitute the protocol version number. The software version number is used for debugging. After receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the server’s protocol version is lower and supportable, the client uses the protocol version of the server;...
• Publickey authentication—The server authenticates the client by the digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature.
SSH connection across VPNs
With this function, you can configure the switch as an SSH client to establish connections with SSH servers in different MPLS VPNs. As shown in Figure 101, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the services of the two VPNs isolated.
To do… / Use the command… / Remarks
Generate a DSA or RSA key pair: public-key local create { dsa | rsa } (Required. By default, neither DSA key pair nor RSA key pair exists.)
NOTE:
• For more information about the public-key local create command, see Security Command Reference....
Before importing the public key, you must upload the public key file (in binary) to the server through FTP or TFTP.
NOTE: HP recommends that you configure a client public key by importing it from a public key file.
Configuring a client public key manually
Follow these steps to configure the client public key manually:
To do…...
To do… / Use the command… / Remarks
Return to public key view and save the configured host public key: public-key-code end (When you exit public key code view, the system automatically saves the public key.)
Return to system view: peer-public-key end...
To do… / Use the command… / Remarks
Specify the service type and authentication method, for all users or SFTP users: ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }
CAUTION:
• A user without an SSH account can still pass password authentication and log in to the server through...
To do… / Use the command… / Remarks
Set the RSA server key pair update interval: ssh server rekey-interval hours (Optional. By default, the interval is 0, and the RSA server key pair is not updated.)
Set the SSH user authentication timeout period: ssh server authentication-timeout time-out-value (Optional)...
Configuring whether first-time authentication is supported
When the switch acts as an SSH client and connects to the SSH server, you can configure whether the switch supports first-time authentication.
• With first-time authentication, when an SSH client not configured with the server host public key...
To do... / Use the command… / Remarks
Establish a connection between the SSH client and the SSH server, for an IPv4 server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
SSH server configuration examples
When the switch acts as a server for password authentication
Network requirements
As shown in Figure 102, a host (the SSH client) and a switch (the SSH server) are directly connected. Configure an SSH user on the switch so that the host can securely log in to the switch after passing password authentication.
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface1] quit
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create local user client001, and set the user command privilege level to 3.
[Switch] local-user client001...
Figure 103 SSH client configuration interface
Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the configuration interface of the server.
When the switch acts as a server for publickey authentication
Network requirements
As shown in...
NOTE: During SSH server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the SSH server.
Configure the SSH client.
# Generate the RSA key pairs.
Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 105 Generate a key pair on the client 1)
When the generator is generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in...
Figure 106 Generate a key pair on the client 2)
After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
Figure 107 Generate a key pair on the client 3)
Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case).
Figure 108 Save a key pair on the client 4)
Then, transmit the public key file to the server through FTP or TFTP.
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[Switch-ui-vty0-4] user privilege level 3
[Switch-ui-vty0-4] quit
# Import the client’s public key from file key.pub and name it Switch001.
[Switch] public-key peer Switch001 import sshkey key.pub
# Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
Figure 110 SSH client configuration interface 2)
Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server.
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes. Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] quit
• If the client supports first-time authentication, you can directly establish a connection from the client to the server.
# Establish an SSH connection to server 10.165.87.136.
<SwitchA>...
[SwitchA-pkey-key-code]485348
[SwitchA-pkey-key-code] public-key-code end
[SwitchA-pkey-public-key] peer-public-key end
# Specify the host public key for the SSH server (10.165.87.136) as key1.
[SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
[SwitchA] quit
# Establish an SSH connection to server 10.165.87.136.
<SwitchA> ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136
Press CTRL+K to abort...
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Export the DSA public key to file key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
Then, transmit the public key file to the server through FTP or TFTP.
Configure the SSH server.
# Generate the RSA key pairs.
<SwitchB>...
[SwitchB-ui-vty0-4] quit
# Import the peer public key from the file key.pub.
[SwitchB] public-key peer Switch001 import sshkey key.pub
# Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
Establish a connection between the SSH client and the SSH server.
SFTP configuration
SFTP overview
The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
Follow these steps to configure the SFTP connection idle timeout period:
To do… / Use the command… / Remarks
Enter system view: system-view
Configure the SFTP connection idle timeout period: sftp server idle-timeout time-out-value (Optional. 10 minutes by default)
Configuring the switch as an SFTP client
Specifying a source IP address or interface for the SFTP client
You can configure a client to use only a specified source IP address or interface to access the SFTP server, enhancing the service manageability.
• Uploading a file
• Displaying a list of the files
• Deleting a file
Follow these steps to work with SFTP files:
To do… / Use the command… / Remarks
Enter SFTP client view (Required. Execute the command in user view. For more information, see “Establishing a connection to the
To do… / Use the command… / Remarks
Return to user view: quit (These three commands function in the same way.)
SFTP client configuration example
Network requirements
As shown in Figure 113, an SSH connection is required between Switch A and Switch B. Switch A, an SFTP client, needs to log in to Switch B for file management and file transfer.
Configure the SFTP server.
# Generate the RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes. Press CTRL+C to abort.
Establish a connection between the SFTP client and the SFTP server.
# Establish a connection to the remote SFTP server and enter SFTP client view.
<SwitchA> sftp 192.168.0.1 identity-key rsa
Input Username: client001
Trying 192.168.0.1 ...
Press CTRL+K to abort
Connected to 192.168.0.1 ...
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx...
Configuration procedure
Configure the SFTP server.
# Generate the RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes. Press CTRL+C to abort.
[Switch-luser-client002] quit
# Configure the user authentication method as password and service type as SFTP.
[Switch] ssh user client002 service-type sftp authentication-type password
Establish a connection between the SFTP client and the SFTP server.
NOTE:
• The switch supports a variety of SFTP client software. The following uses PSFTP of PuTTY Version 0.58 as...
SSL configuration
SSL overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and online banking to ensure secure data transmission over the Internet.
SSL security mechanism
Secure connections provided by SSL have these features:
• Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the...
SSL protocol stack
The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
Figure 117 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and...
Configuration procedure
Follow these steps to configure an SSL server policy:
To do... / Use the command... / Remarks
Enter system view: system-view
Create an SSL server policy and enter its view: ssl server-policy policy-name (Required)
Specify a PKI domain for the SSL server policy: pki-domain domain-name (Required. By default, no PKI domain is...
SSL server policy configuration example
Network requirements
As shown in Figure 118, users need to access and control the device through web pages. For security of the device and to make sure that data is not eavesdropped or tampered with, configure the device so that users must use HTTPS (Hypertext Transfer Protocol Secure, which uses SSL) to log in to the web interface of the device.
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create the local RSA key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for Device.
[Device] pki request-certificate domain 1
# Create an SSL server policy named myssl.
Configuration prerequisites
If the SSL server is configured to authenticate the SSL client, you must configure the PKI domain for the SSL client policy to use to obtain the certificate of the client. For more information about PKI domain configuration, see the chapter “PKI configuration.”
Configuration procedure
Follow these steps to configure an SSL client policy:
To do…...
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the switch fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.
TCP attack protection configuration
TCP attack protection overview
An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature.
Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three handshakes. The request originator sends a SYN message to the target server.
Displaying and maintaining TCP attack protection
To do… / Use the command… / Remarks
Display current TCP connection state: display tcp status [ | { begin | exclude | include } regular-expression ] (Available in any view)...
IP source guard configuration
IP source guard overview
IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address, or both. It supports these types of binding entries:
• IP-port binding entry...
Dynamic IP source guard binding entries
Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP snooping or DHCP relay agent device. They are suitable for scenarios where many hosts reside on a LAN and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically adds the client entry to allow the client to access the network.
• On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains the DHCP snooping entries generated during dynamic IP address allocation, and generates IP source guard entries accordingly.
• On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP...
To do… / Use the command… / Remarks
Configure a static IPv4 source guard binding entry on the port: ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } (Required. By default, no static IPv4 binding entry is configured on a port.)
NOTE:
•...
Configuring IPv6 source guard on a port
The IPv6 source guard function must be configured on a port before the port can obtain dynamic IPv6 source guard binding entries and use static and dynamic IPv6 source guard entries to filter packets.
• For how to configure a static IPv6 binding entry, see “Configuring a static IPv6 source guard...
Follow these steps to configure a static IPv6 source guard binding entry on a port:
To do… / Use the command… / Remarks
Enter system view: system-view
Enter Layer 2 interface view: interface interface-type interface-number
Configure a static IPv6 binding... (Required): ipv6 source binding { ipv6-address ipv6-address | ipv6-address...
To do… / Use the command… / Remarks
Display static IPv4 source guard binding entries: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
display ip source binding [ interface interface-type interface-number |...
Figure 120 Network diagram
Configuration procedure
Configure Device A.
# Configure the IPv4 source guard function on Ethernet 1/0/2 to filter packets based on both the source IP address and MAC address.
<DeviceA> system-view
[DeviceA] interface ethernet 1/0/2
[DeviceA-Ethernet1/0/2] ip verify source ip-address mac-address
# Configure Ethernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
# Configure the IPv4 source guard function on Ethernet 1/0/1 to filter packets based on the source IP address.
[DeviceB] interface ethernet 1/0/1
[DeviceB-Ethernet1/0/1] ip verify source ip-address
# Configure Ethernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
[DeviceB-Ethernet1/0/1] ip source binding ip-address 192.168.0.2
[DeviceB-Ethernet1/0/1] quit
Verifying the configuration...
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure port Ethernet 1/0/2, which is connected to the DHCP server, as a trusted port.
[Device] interface ethernet1/0/2
[Device-Ethernet1/0/2] dhcp-snooping trust
[Device-Ethernet1/0/2] quit
Configure the IPv4 source guard function.
# Configure the IPv4 source guard function on port Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
Figure 122 Network diagram (diagram labels: DHCP client, DHCP relay agent, DHCP server, Vlan-int 200, Vlan-int 100, Host, Switch, 10.1.1.1/24, MAC: 0001-0203-0406)
Configuration procedure
Configure the IPv4 source guard function.
# Configure the IP addresses of the interfaces. (Details not shown)
# Configure the IPv4 source guard binding function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.
Figure 123 Network diagram
Configuration procedure
# Configure the IPv6 source guard function on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
<Device> system-view
[Device] interface ethernet 1/0/1
[Device-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address
# Configure Ethernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
Figure 124 Network diagram
Configuration procedure
Configure DHCPv6 snooping.
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Enable DHCPv6 snooping in VLAN 2.
[Device] vlan 2
[Device-vlan2] ipv6 dhcp snooping vlan enable
[Device-vlan2] quit
# Configure the port connecting to the DHCP server as a trusted port.
[Device] interface ethernet 1/0/2
[Device-Ethernet1/0/2] ipv6 dhcp snooping trust
[Device-Ethernet1/0/2] quit...
Dynamic IPv6 source guard binding by ND snooping configuration example
Network requirements
As shown in Figure 125, the client is connected to the device through port Ethernet 1/0/1. Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. Enable the IPv6 source guard function on port Ethernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.
Troubleshooting IP source guard
Neither static binding entries nor the dynamic binding function can be configured
Symptom
Failed to configure static binding entries or the dynamic binding function on a port.
Analysis
IP source guard is not supported on a port in an aggregation group.
Solution
Remove the port from the aggregation group.
ARP attack protection configuration
NOTE: The term interface in the ARP attack protection features refers to Layer 3 interfaces, including VLAN interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route mode by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
ARP attack protection overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network...
Task / Remarks
prevention
Configuring ARP active acknowledgement: Optional. Configure this function on gateways (recommended).
Configuring ARP detection: Optional. Configure this function on access devices (recommended).
Configuring ARP automatic scanning and fixed: Optional. Configure this function on gateways (recommended).
Configuring ARP gateway protection: Optional. Configure this function on access devices (recommended).
To do… / Use the command… / Remarks
Enable ARP source suppression: arp source-suppression enable (Required. Disabled by default.)
Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can: arp source-suppression limit limit-value (Optional. 10 by default.)
Figure 126 Network diagram
Configuration considerations
If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps.
• Enable ARP source suppression.
• Set the threshold for ARP packets from the same source address to 100. If the number of ARP requests sourced from the same IP address in five seconds exceeds 100, the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the following five seconds.
Configuring ARP packet rate limit
Introduction
The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU on a switch. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected to the CPU for checking.
Configuring source MAC address based ARP attack detection
Introduction
With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the specified threshold.
Displaying and maintaining source MAC address based ARP attack detection
To do… / Use the command… / Remarks
Display attacking MAC addresses detected by source MAC address based ARP attack detection: display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ |... (Available in any view)
Configure the MAC address of the server as a protected MAC address so that it can send ARP • packets Configuration procedure # Enable source MAC address based ARP attack detection and specify the filter mode. <Device> system-view [Device] arp anti-attack source-mac filter # Set the threshold to 30.
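The two threshold mechanisms above (ARP source suppression and source MAC address based ARP attack detection) are easier to reason about as a small model. The following Python is an added example, not HP code and not a switch feature; it models both counters over a constructed packet stream. The sliding window, second-granularity timestamps, the FILTER_AGE value and all MAC/IP addresses in run_demo() are assumptions of this example, not values from the guide.

```python
"""Added example (not from the HP guide): a Python model of the two
threshold-based ARP defenses described above, run over a constructed
packet stream.

ARP source suppression: per source IP, count IP packets whose destination
cannot be resolved (each would trigger an ARP request); when the count in
a 5 s window exceeds the limit, that IP triggers no ARP requests for the
next 5 s.

Source MAC based ARP attack detection: per source MAC, count ARP packets
delivered to the CPU; a MAC exceeding the threshold within 5 s is logged
as an attacker and, in filter mode, its later ARP packets are dropped
(monitor mode only logs).  Protected MACs are exempt.

Assumptions not stated on the page: a sliding window, timestamps in
seconds, and FILTER_AGE seconds before a flagged MAC is forgotten.
"""
from collections import defaultdict, deque

WINDOW = 5.0        # both features count within five seconds
FILTER_AGE = 300.0  # assumption: how long a flagged MAC stays filtered


class SlidingCounter:
    """Number of events per key in the last WINDOW seconds."""

    def __init__(self):
        self.events = defaultdict(deque)

    def add(self, key, now):
        q = self.events[key]
        q.append(now)
        while q and now - q[0] >= WINDOW:
            q.popleft()
        return len(q)


class ArpSourceSuppression:
    """Models 'arp source-suppression enable' / 'arp source-suppression limit'."""

    def __init__(self, limit=10):          # default limit-value is 10
        self.limit = limit
        self.counter = SlidingCounter()
        self.suppressed_until = {}

    def ip_packet(self, now, src_ip, target_resolvable):
        """Returns 'forward', 'arp-request' or 'suppressed' for one IP packet."""
        if target_resolvable:
            return "forward"
        if self.suppressed_until.get(src_ip, 0.0) > now:
            return "suppressed"
        if self.counter.add(src_ip, now) > self.limit:
            self.suppressed_until[src_ip] = now + WINDOW
            return "suppressed"
        return "arp-request"


class SourceMacArpDetection:
    """Models 'arp anti-attack source-mac { filter | monitor }' with a
    threshold and a protected-MAC list."""

    def __init__(self, mode="filter", threshold=30, protected=()):
        assert mode in ("filter", "monitor")
        self.mode, self.threshold = mode, threshold
        self.protected = {m.lower() for m in protected}
        self.counter = SlidingCounter()
        self.flagged_until = {}
        self.log = []                      # (time, mac) attack log entries

    def arp_packet(self, now, src_mac):
        """Returns 'accept' or 'drop' for one ARP packet handed to the CPU."""
        mac = src_mac.lower()
        if mac in self.protected:
            return "accept"
        if self.flagged_until.get(mac, 0.0) > now:
            return "drop" if self.mode == "filter" else "accept"
        if self.counter.add(mac, now) > self.threshold:
            self.log.append((now, mac))
            self.flagged_until[mac] = now + FILTER_AGE
            return "drop" if self.mode == "filter" else "accept"
        return "accept"


def run_demo():
    """Constructed traffic: 10.1.1.9 sweeps 150 unresolvable targets in one
    second; a constructed attacker MAC and the protected server MAC each
    send 40 ARP packets in one second."""
    sup = ArpSourceSuppression(limit=100)
    det = SourceMacArpDetection("filter", threshold=30, protected={"0000-0000-5e12"})
    sup_results = defaultdict(int)
    for i in range(150):
        sup_results[sup.ip_packet(i / 150.0, "10.1.1.9", False)] += 1
    after_window = sup.ip_packet(6.5, "10.1.1.9", False)  # suppression expired
    det_results = defaultdict(int)
    for i in range(40):
        det_results["attacker:" + det.arp_packet(i / 40.0, "0000-0000-0bad")] += 1
        det_results["server:" + det.arp_packet(i / 40.0, "0000-0000-5e12")] += 1
    return {"suppression": dict(sup_results), "after_window": after_window,
            "detection": dict(det_results), "flagged": [m for _, m in det.log]}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows why the protected-MAC list matters: a busy server sends as many ARP packets as the attacker and would otherwise be filtered, so protect the MAC of any host that legitimately answers many ARP requests before enabling filter mode.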
Configuration procedure
Follow these steps to configure ARP active acknowledgement:
To do… / Use the command… / Remarks
• Enter system view: system-view
• Enable the ARP active acknowledgement function: arp anti-attack active-ack enable (required; disabled by default).
Configuring ARP detection
Introduction
The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded and to prevent user spoofing and gateway spoofing.
NOTE:
• Static IP source guard binding entries are created by using the ip source binding command. For more information, see the chapter "IP source guard configuration."
• Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see Layer 3—IP Services Configuration Guide.
• ip: Checks the sender and target IP addresses in an ARP packet. Any all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the sender and target IP addresses of ARP replies, and the source IP address of ARP requests, are checked.
To do… / Use the command… / Remarks
• Display the ARP detection statistics: display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (available in any view).
• Clear the ARP detection statistics: reset arp detection statistics [ interface interface-type interface-number ] (available in user view)...
[SwitchB-Ethernet1/0/1] dot1x
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] dot1x
[SwitchB-Ethernet1/0/2] quit
# Add local access user test.
[SwitchB] local-user test
[SwitchB-luser-test] service-type lan-access
[SwitchB-luser-test] password simple test
[SwitchB-luser-test] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
Configuration procedure
Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
Configure Switch A as a DHCP server
# Configure DHCP address pool 0.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0...
Figure 130 Network diagram: Switch A (gateway and DHCP server; Vlan-int10 10.1.1.1/24) connects through Eth1/0/3 to Eth1/0/3 of Switch B (DHCP snooping) in VLAN 10; Host A (DHCP client) on Eth1/0/1 and Host B (10.1.1.6, 0001-0203-0607) on Eth1/0/2 of Switch B.
Configuration procedure
Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 126.
ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers.
NOTE: HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
Configuration procedure
Follow these steps to configure ARP automatic scanning and fixed ARP:
To do…...
To do… / Use the command… / Remarks
• Return to system view: quit
• Enable fixed ARP: arp fixup (required).
NOTE:
• IP addresses existing in ARP entries are not scanned.
• ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C.
• Dynamic ARP...
NOTE:
• You can enable ARP gateway protection for up to eight gateways on a port.
• The commands arp filter source and arp filter binding cannot both be configured on a port.
• If ARP gateway protection works with ARP detection, MFF, and ARP snooping, ARP gateway protection...
Configuring ARP filtering Introduction To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port. The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries.
Figure 132 Network diagram: Switch A connects to Switch B; on Switch B, Eth1/0/3 is the uplink, Eth1/0/1 connects Host A and Eth1/0/2 connects Host B.
Configuration procedure
# Configure ARP filtering on Switch B.
<SwitchB> system-view
[SwitchB] interface ethernet 1/0/1
[SwitchB-Ethernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, Ethernet 1/0/1 permits incoming ARP packets whose sender IP and MAC addresses are 10.1.1.2 and 000f-e349-1233, and discards all other ARP packets.
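The per-port checks in this chapter (the ARP detection ip validity check, ARP gateway protection with arp filter source, and ARP filtering with arp filter binding) can be tried out together in a small model. The following Python is an added example, not HP code and not a switch feature; the order in which the checks are applied, the port layout and the packets in run_demo() are assumptions of this example built around the Figure 132 entries, not behaviour documented on this page.

```python
"""Added example (not from the HP guide): a Python model of the per-port
ARP checks in this chapter, run over constructed ARP packets.

Ordering is an assumption (the guide documents the checks separately):
trusted ports are exempt; the ARP detection 'ip' validity check discards
all-zero, all-one and multicast addresses (sender and target for replies,
sender only for requests); ARP gateway protection ('arp filter source')
discards packets whose sender IP is a protected gateway address; ARP
filtering ('arp filter binding') permits only packets whose sender IP/MAC
pair matches an entry configured on the port.
"""
import ipaddress
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2   # ARP opcodes


@dataclass
class ArpPacket:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class Port:
    trusted: bool = False
    gateway_ips: set = field(default_factory=set)   # arp filter source <ip>
    bindings: dict = field(default_factory=dict)    # arp filter binding <ip> <mac>

    def __post_init__(self):
        # The guide: arp filter source and arp filter binding cannot both be configured on a port.
        if self.gateway_ips and self.bindings:
            raise ValueError("arp filter source and arp filter binding are mutually exclusive")


def ip_is_invalid(ip):
    """ARP detection 'ip' object: all-zero, all-one or multicast is invalid."""
    addr = ipaddress.IPv4Address(ip)
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast)


def check_arp(port, pkt):
    """Returns 'forward' or a 'discard: <reason>' string for one ARP packet."""
    if port.trusted:
        return "forward"
    ips = [pkt.sender_ip] if pkt.op == REQUEST else [pkt.sender_ip, pkt.target_ip]
    if any(ip_is_invalid(ip) for ip in ips):
        return "discard: invalid ip"
    if pkt.sender_ip in port.gateway_ips:
        return "discard: gateway spoofing"
    if port.bindings and port.bindings.get(pkt.sender_ip) != pkt.sender_mac.lower():
        return "discard: no matching filter binding"
    return "forward"


def run_demo():
    """Constructed ports: Eth1/0/1 carries the Figure 132 filter binding,
    Eth1/0/2 protects the gateway address 10.1.1.1, the uplink is trusted."""
    eth1 = Port(bindings={"10.1.1.2": "000f-e349-1233"})
    eth2 = Port(gateway_ips={"10.1.1.1"})
    uplink = Port(trusted=True)
    cases = {
        "legit_request": (eth1, ArpPacket(REQUEST, "10.1.1.2", "000f-e349-1233", "10.1.1.1")),
        "wrong_mac": (eth1, ArpPacket(REQUEST, "10.1.1.2", "000f-e349-1234", "10.1.1.1")),
        "borrowed_ip": (eth1, ArpPacket(REPLY, "10.1.1.3", "000f-e349-1233", "10.1.1.1")),
        "gateway_spoof": (eth2, ArpPacket(REPLY, "10.1.1.1", "000f-e349-1234", "10.1.1.2")),
        "host_on_eth2": (eth2, ArpPacket(REQUEST, "10.1.1.3", "000f-e349-1234", "10.1.1.1")),
        "zero_sender": (eth1, ArpPacket(REQUEST, "0.0.0.0", "000f-e349-1233", "10.1.1.1")),
        "mcast_target_reply": (eth1, ArpPacket(REPLY, "10.1.1.2", "000f-e349-1233", "224.0.0.1")),
        "trusted_uplink": (uplink, ArpPacket(REPLY, "10.1.1.1", "000f-e349-0001", "10.1.1.2")),
    }
    results = {name: check_arp(p, a) for name, (p, a) in cases.items()}
    try:
        Port(bindings={"10.1.1.2": "000f-e349-1233"}, gateway_ips={"10.1.1.1"})
        results["source_and_binding_on_one_port"] = "accepted"
    except ValueError:
        results["source_and_binding_on_one_port"] = "rejected"
    return results
```

Two practical points the demo makes visible: a port with no arp filter binding entries performs no filtering at all (host_on_eth2 is forwarded), so every untrusted access port needs its own entries, and the ip validity check also discards ARP probes with an all-zero sender address, so hosts doing duplicate-address probing behind such a port will not see their probes forwarded.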
ND attack defense configuration
Introduction to ND attack defense
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery, address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.
NOTE: Layer 3—IP Services Configuration...
address, the ND packet is discarded. If no entry matches the source IPv6 address, the ND detection function continues to look up the DHCPv6 snooping table and the ND snooping table. If an exact match is found in either the DHCPv6 snooping or ND snooping table, the ND packet is forwarded.
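The lookup order above (static bindings first, then the DHCPv6 snooping and ND snooping tables) together with the source MAC consistency check can be exercised in a small model. The following Python is an added example, not HP code and not a switch feature; the binding tables, the trusted port, the packets, and the decision to discard a packet that matches no table are assumptions of this example, loosely arranged around the Figure 134 hosts.

```python
"""Added example (not from the HP guide): a Python model of the two ND
defenses in this section, run over constructed ND packets.

Source MAC consistency check: the Ethernet source MAC must equal the
source link-layer address option carried in the ND packet.  ND detection
(untrusted ports only): the packet's source IPv6 address is looked up in
the static binding entries first; a static entry for that address that
does not match the packet's MAC/VLAN/port discards the packet; if no static
entry covers the address, the DHCPv6 snooping and ND snooping tables are
tried, and an exact match in either forwards the packet.  Packets matched
nowhere are discarded (an assumption of this example).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ipv6: str
    mac: str
    vlan: int
    port: str


@dataclass
class NdPacket:
    eth_src_mac: str
    src_ipv6: str
    sllao: Optional[str]   # source link-layer address option; absent in some NS/NA
    vlan: int
    port: str

    def key(self):
        return Binding(self.src_ipv6.lower(), self.eth_src_mac.lower(), self.vlan, self.port)


def source_mac_consistent(pkt):
    """Source MAC consistency check; a packet without the option cannot be compared."""
    return pkt.sllao is None or pkt.sllao.lower() == pkt.eth_src_mac.lower()


def nd_detect(pkt, trusted_ports, static, dhcpv6_snooping, nd_snooping):
    """Returns 'forward' or a 'discard: <reason>' string for one ND packet."""
    if pkt.port in trusted_ports:
        return "forward"
    if not source_mac_consistent(pkt):
        return "discard: source MAC inconsistent"
    key = pkt.key()
    static_for_ip = {b for b in static if b.ipv6 == key.ipv6}
    if static_for_ip:
        return "forward" if key in static_for_ip else "discard: static binding mismatch"
    if key in dhcpv6_snooping or key in nd_snooping:
        return "forward"
    return "discard: no binding"


def run_demo():
    """Constructed tables: Host A (10::5) learned by ND snooping on Eth1/0/1,
    Host B (10::6) bound statically on Eth1/0/2, the gateway behind trusted
    Eth1/0/3.  All of this is example data, not from the guide."""
    trusted = {"Eth1/0/3"}
    static = {Binding("10::6", "0001-0203-0607", 10, "Eth1/0/2")}
    dhcpv6 = set()
    nd_snoop = {Binding("10::5", "0001-0203-0405", 10, "Eth1/0/1")}
    pkts = {
        "host_a_ok": NdPacket("0001-0203-0405", "10::5", "0001-0203-0405", 10, "Eth1/0/1"),
        "host_b_ok": NdPacket("0001-0203-0607", "10::6", None, 10, "Eth1/0/2"),
        "spoof_b_from_a_port": NdPacket("0001-0203-0405", "10::6", "0001-0203-0405", 10, "Eth1/0/1"),
        "sllao_mismatch": NdPacket("0001-0203-0405", "10::5", "0001-0203-0607", 10, "Eth1/0/1"),
        "unknown_host": NdPacket("0001-0203-0999", "10::9", "0001-0203-0999", 10, "Eth1/0/1"),
        "gateway_ra": NdPacket("0001-0203-0001", "fe80::1", "0001-0203-0001", 10, "Eth1/0/3"),
    }
    return {n: nd_detect(p, trusted, static, dhcpv6, nd_snoop) for n, p in pkts.items()}
```

The static-first rule is the security-relevant detail: once an address has a static binding, a matching DHCPv6 snooping or ND snooping entry on another port cannot rehabilitate a packet that claims that address (spoof_b_from_a_port is discarded even though its sender has a valid ND snooping entry for its own address).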
ND detection configuration example Network requirements As shown in Figure 134, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607.
URPF configuration
NOTE: The term router in this document refers to both routers and Layer 3 switches.
URPF overview
What is URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers launch attacks by creating a series of packets with forged source addresses.
Loose URPF is often deployed between ISPs, especially in asymmetrical routing.
How URPF works
NOTE: URPF does not check multicast packets.
URPF works in the steps shown in Figure 136.
Figure 136 URPF work flow (flowchart): check the source address of the received packet; is it a broadcast source address; is it an all-zero source address; is the destination a broadcast address (if not, discard); does a FIB entry match the source address; if not, is there a default route; in each matching branch, is the check mode loose URPF. The branches end in forward or discard.
For other packets, proceed to step 2.
• URPF checks whether the source address matches a FIB entry: if yes, proceed to step 3; if not, proceed to step 6.
• URPF checks whether the check mode is loose: if yes, proceed to step 8.
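The decision flow of Figure 136 and the steps above can be exercised against a small FIB. The following Python is an added example, not HP code and not the switch's forwarding logic; the FIB, the interface names and the packets in run_demo() are constructed, and treating the default-route branch in strict mode exactly like a specific-route match (compare the route's outgoing interface with the receiving interface) is an assumption this example makes about the figure.

```python
"""Added example (not from the HP guide): a Python model of the URPF
decision flow in Figure 136, run over a constructed FIB and packets.

Modelled steps: multicast packets are not checked; a broadcast source is
discarded; an all-zero source is allowed only toward the broadcast address
(DHCP discovery); otherwise the source address is looked up in the FIB
(longest prefix, the default route counting as a match only when nothing
more specific exists).  Loose mode forwards on any match; strict mode also
requires the matching route's outgoing interface to be the receiving
interface.  Treating the default-route branch like any other match in
strict mode is an assumption about the figure.
"""
import ipaddress

BCAST = ipaddress.IPv4Address("255.255.255.255")
ZERO = ipaddress.IPv4Address("0.0.0.0")


def lookup(fib, ip):
    """Longest-prefix match. fib: list of (cidr, out_iface). Returns (network, iface) or None."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for cidr, iface in fib:
        net = ipaddress.IPv4Network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(fib, mode, src, dst, in_iface):
    """Returns 'forward' or 'discard' for a packet (src, dst) received on in_iface."""
    assert mode in ("strict", "loose")
    src_a, dst_a = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst_a.is_multicast:
        return "forward"                 # URPF does not check multicast packets
    if src_a == BCAST:
        return "discard"
    if src_a == ZERO:
        return "forward" if dst_a == BCAST else "discard"
    route = lookup(fib, src)
    if route is None:
        return "discard"                 # no FIB entry and no default route
    if mode == "loose":
        return "forward"
    return "forward" if route[1] == in_iface else "discard"


def run_demo():
    """Constructed FIB for an edge switch: two user subnets and a default route to the ISP."""
    fib = [("10.1.1.0/24", "Eth1/0/1"), ("10.1.2.0/24", "Eth1/0/2"), ("0.0.0.0/0", "Eth1/0/3")]
    no_default = fib[:2]
    return {
        "user_ok_strict": urpf(fib, "strict", "10.1.1.5", "198.51.100.1", "Eth1/0/1"),
        "user_spoof_strict": urpf(fib, "strict", "10.1.1.5", "198.51.100.1", "Eth1/0/2"),
        "user_spoof_loose": urpf(fib, "loose", "10.1.1.5", "198.51.100.1", "Eth1/0/2"),
        "isp_src_via_default_strict": urpf(fib, "strict", "198.51.100.7", "10.1.1.5", "Eth1/0/3"),
        "isp_src_wrong_iface_strict": urpf(fib, "strict", "198.51.100.7", "10.1.1.5", "Eth1/0/1"),
        "isp_src_wrong_iface_loose": urpf(fib, "loose", "198.51.100.7", "10.1.1.5", "Eth1/0/1"),
        "unroutable_src_loose": urpf(no_default, "loose", "198.51.100.7", "10.1.1.5", "Eth1/0/1"),
        "dhcp_discover": urpf(fib, "strict", "0.0.0.0", "255.255.255.255", "Eth1/0/1"),
        "zero_src_unicast_dst": urpf(fib, "strict", "0.0.0.0", "10.1.1.1", "Eth1/0/1"),
        "bcast_src": urpf(fib, "strict", "255.255.255.255", "10.1.1.1", "Eth1/0/1"),
        "multicast": urpf(fib, "strict", "203.0.113.9", "224.0.0.5", "Eth1/0/2"),
    }
```

The demo shows the trade-off the network application section describes: loose mode catches only sources with no route at all (unroutable_src_loose), which is why it suits the asymmetric paths between ISPs, while strict mode on user-facing interfaces also catches a user subnet address arriving on the wrong port (user_spoof_strict).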
Network application
Figure 137 Network diagram: ISP A, ISP B and ISP C, with strict URPF toward their users and loose URPF between the ISPs.
Configure strict URPF between each ISP and its connected users, and loose URPF between ISPs.
Configuring URPF
Follow these steps to configure URPF globally:
To do... / Use the command…...
Figure 138 Network diagram
Configuration procedure
Configure Switch A
# Enable strict URPF check.
<SwitchA> system-view
[SwitchA] ip urpf strict
Configure Switch B
# Enable strict URPF check.
<SwitchB> system-view
[SwitchB] ip urpf strict...
MFF configuration MFF overview MFF function Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. However, when a large number of hosts need to be isolated at Layer 2, many VLAN resources are occupied, and many IP addresses are used because you have to assign a network segment for each VLAN and an IP address for each VLAN interface for Layer 3 communication.
NOTE:
• For more information about DHCP snooping, see Layer 3—IP Services Configuration Guide.
• For more information about ARP snooping, see Layer 3—IP Services Configuration Guide.
• For more information about IP source guard, see the chapter "IP source guard configuration."
In manual mode, after receiving an ARP request from the gateway for a host's MAC address, the MFF device replies directly to the gateway with the host's MAC address taken from the ARP snooping entries. The MFF device also sends ARP requests of its own, built from ARP snooping entries, to learn the gateway's MAC address.
• In MFF manual mode, enable ARP snooping on the device.
Enabling MFF
Follow these steps to enable MFF and specify an MFF operating mode:
To do… / Use the command… / Remarks
• Enter system view: system-view
• Enter VLAN view: vlan vlan-id
...
address to the server. As a result, packets from a host to a server are forwarded by the gateway, but packets from a server to a host are not forwarded by the gateway. Follow these steps to specify the IP addresses of servers: To do…...
Configuration procedure
Configure Gateway
# Configure the IP address of VLAN-interface 1.
<Gateway> system-view
[Gateway] interface Vlan-interface 1
[Gateway-Vlan-interface1] ip address 10.1.1.100 24
Configure the DHCP server
# Enable DHCP, and configure a DHCP address pool.
<Device> system-view
[Device] dhcp enable
[Device] dhcp server ip-pool 1
[Device-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
# Add the gateway's IP address into DHCP address pool 1.
[SwitchB-Ethernet1/0/6] dhcp-snooping trust
Auto-mode MFF configuration example in a ring network
Network requirements
As shown in Figure 141, all the devices are in VLAN 100, and the switches form a ring. Host A, Host B, and Host C obtain IP addresses from the DHCP server. They are isolated at Layer 2, and can communicate with each other through Gateway.
# Enable STP.
[SwitchA] stp enable
# Enable MFF in automatic mode.
[SwitchA] vlan 100
[SwitchA-vlan-100] mac-forced-forwarding auto
[SwitchA-vlan-100] quit
# Configure Ethernet 1/0/2 as a network port.
[SwitchA] interface ethernet 1/0/2
[SwitchA-Ethernet1/0/2] mac-forced-forwarding network-port
# Configure Ethernet 1/0/2 as a DHCP snooping trusted port.
[SwitchA-Ethernet1/0/2] dhcp-snooping trust
[SwitchA-Ethernet1/0/2] quit
# Configure Ethernet 1/0/3 as a network port.
Manual-mode MFF configuration example in a tree network Network requirements As shown in Figure 142, all the devices are in VLAN 100. Host A, Host B, and Host C are configured with IP addresses manually. They are isolated at Layer 2, and can communicate with each other through Gateway.
[SwitchB-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchB-vlan-100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping.
[SwitchB-vlan-100] arp-snooping enable
[SwitchB-vlan-100] quit
# Configure Ethernet 1/0/6 as a network port.
[SwitchB] interface ethernet 1/0/6
[SwitchB-Ethernet1/0/6] mac-forced-forwarding network-port
Manual-mode MFF configuration example in a ring network
Network requirements
As shown in...
[SwitchA-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchA-vlan-100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping.
[SwitchA-vlan-100] arp-snooping enable
[SwitchA-vlan-100] quit
# Configure Ethernet 1/0/2 and Ethernet 1/0/3 as network ports.
[SwitchA] interface ethernet 1/0/2
[SwitchA-Ethernet1/0/2] mac-forced-forwarding network-port
[SwitchA-Ethernet1/0/2] quit
[SwitchA] interface ethernet 1/0/3
[SwitchA-Ethernet1/0/3] mac-forced-forwarding network-port...
SAVI configuration SAVI overview Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol packets, ND protocol packets, and IPv6 data packets.
NOTE: If a port on the SAVI enabled device is down for three minutes or more, the device deletes the DHCPv6 snooping entries and ND snooping entries corresponding to the port.
SAVI configuration in DHCPv6-only address assignment scenario
Network requirements
Figure 144 Network diagram: Switch A (DHCPv6 server)...
Packet check principles
Switch B performs the following checks:
• DHCPv6 protocol packets from DHCPv6 clients are checked against link-local address ND snooping entries.
• ND protocol packets are checked against link-local address ND snooping entries, DHCPv6 snooping entries, and static binding entries.
• IPv6 data packets from the clients are checked against the dynamic binding entries (including link-local address ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the clients, and against static binding entries.
SAVI configuration in SLAAC-only address assignment scenario
Network requirements
Figure 145 Network diagram: the Internet behind Switch A (gateway; Vlan-int10 10::1), which connects through Eth1/0/3 to Eth1/0/3 of Switch B in VLAN 10; Host A (10::5, 0001-0203-0405) on Eth1/0/1 and Host B (10::6, 0001-0203-0607) on Eth1/0/2 of Switch B.
As shown in Figure 145, Switch A serves as the gateway. Switch B connects Host A and Host B. The hosts can obtain IPv6 addresses only through SLAAC.
• Enable DHCPv6 snooping and leave the interface connected to the gateway in its default status (non-trusted port) so that the hosts cannot obtain IP addresses through DHCPv6. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
Packet check principles
Switch B checks ND protocol packets against ND snooping entries and static binding entries;...
SAVI configuration in DHCPv6+SLAAC address assignment scenario
Network requirements
Figure 146 Network diagram: Switch A (DHCPv6 server) on Eth1/0/1 and Switch C (gateway) on Eth1/0/2 of Switch B; the DHCPv6 client on Eth1/0/3, Host A on Eth1/0/4 and Host B on Eth1/0/5 of Switch B.
As shown in Figure 146, Switch B connects to the DHCPv6 server through interface Ethernet 1/0/1 and connects to the DHCPv6 client through interface Ethernet 1/0/3.
Packet check principles
Switch B performs the following checks:
• DHCPv6 protocol packets from DHCPv6 clients are checked against link-local address ND snooping entries.
• ND protocol packets are checked against ND snooping entries, DHCPv6 snooping entries, and static binding entries.
• IPv6 data packets from the hosts are checked against the dynamic binding entries (including ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the hosts, and against static binding entries.
Blacklist configuration Blacklist overview The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and fast in filtering packets sourced from particular IP addresses. The device can dynamically add and remove blacklist entries by cooperating with the login user authentication feature.
Blacklist configuration example Network requirements As shown in Figure 147, Host A, Host B, and Host C are internal users, and external user Host D is considered an attacker. Configure Device to always filter packets from Host D, and to prevent internal users from guessing passwords.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention / Description
• Boldface: Bold text represents commands and keywords that you enter literally as shown.
• Italic: Italic text represents arguments that you replace with actual values.
• [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
• { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which...
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Index
AAA configuration considerations and task list, 15
AAA configuration examples, 49
AAA overview, 1
Configuring HABP, 226
Configuring IPsec for IPv6 routing protocols, 264
Configuring MFF, 363
Configuring PKI certificate verification, 248
Configuring port security...
Enabling the SYN Cookie feature, 313
Global SAVI configuration, 372
HP implementation of 802.1X, 85
HABP configuration example, 227
HABP overview, 225
Retrieving a certificate manually, 247
SAVI configuration in DHCPv6+SLAAC address assignment scenario, 377
SAVI configuration in DHCPv6-only address assignment scenario, 373
SAVI configuration in SLAAC-only address assignment...
SSH server configuration examples, 283
SSH2.0 overview, 272
SSL configuration task list, 307
SSL overview, 306
Submitting a PKI certificate request, 246
TCP attack protection overview, 313
Tearing down user connections, 45
Triple authentication configuration...
Troubleshooting IP source guard, 329
Troubleshooting PKI, 259
Troubleshooting port security, 220
Troubleshooting portal, 188
Troubleshooting SSL, 312
URPF configuration example, 359
URPF overview, 355