HP 3600 v2 Series Security Configuration Manual
  1. Manuals
  2. Brands
  3. HP Manuals
  4. Network Router
  5. 3600 v2 Series
  6. Security configuration manual

HP 3600 v2 Series Security Configuration Manual

Hide thumbs Also See for 3600 v2 Series:
1
2
Table Of Contents
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
Table of Contents

Advertisement

Quick Links

See also: Configuration Manual , Installation Manual
HP 3600 v2 Switch Series
Security

Configuration Guide

Part number: 5998-2355
Software version: Release 2101
Document version: 6W101-20130930

Advertisement

Table of Contents
loading

Related Manuals for HP 3600 v2 Series

Summary of Contents for HP 3600 v2 Series

  • Page 1: Configuration Guide

    HP 3600 v2 Switch Series Security Configuration Guide Part number: 5998-2355 Software version: Release 2101 Document version: 6W101-20130930...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    Contents AAA configuration ······················································································································································· 1   AAA overview ··································································································································································· 1   RADIUS ······································································································································································ 2   HWTACACS ····························································································································································· 7   Domain-based user management ··························································································································· 9   RADIUS server feature of the switch ···················································································································· 10   AAA across MPLS L3VPNs ··································································································································· 11  ...
  • Page 4 EAP relay ································································································································································ 82   EAP termination ····················································································································································· 84   802.1X configuration ················································································································································ 85   HP implementation of 802.1X ······································································································································ 85   Access control methods ········································································································································ 85   Using 802.1X authentication with other features ······························································································ 85   Configuring 802.1X ······················································································································································ 88  ...
  • Page 5 Configuration prerequisites ································································································································ 113   Configuration procedure ···································································································································· 113   Specifying an authentication domain for MAC authentication users ····································································· 114   Configuring a MAC authentication guest VLAN ······································································································ 115   Configuration prerequisites ································································································································ 115   Configuration procedure ···································································································································· 115   Displaying and maintaining MAC authentication ····································································································...
  • Page 6 Portal configuration examples ···································································································································· 156   Configuring direct portal authentication ··········································································································· 156   Configuring re-DHCP portal authentication ······································································································ 161   Configuring cross-subnet portal authentication ································································································ 163   Configuring direct portal authentication with extended functions·································································· 165   Configuring re-DHCP portal authentication with extended functions ···························································· 167  ...
  • Page 7 User profile configuration task list ······························································································································ 222   Creating a user profile ················································································································································ 222   Configuration prerequisites ································································································································ 222   Creating a user profile ········································································································································ 223   Configuring a user profile ··········································································································································· 223   Configuration guidelines ···································································································································· 223   Configuration procedure ···································································································································· 223  ...
  • Page 8 Troubleshooting PKI ····················································································································································· 259   Failed to retrieve a CA certificate ······················································································································ 259   Failed to request a local certificate ··················································································································· 259   Failed to retrieve CRLs ········································································································································ 260   IPsec configuration ·················································································································································· 261   IPsec overview ······························································································································································ 261   IPsec implementation ···········································································································································...
  • Page 9 SFTP client configuration example ····························································································································· 300   SFTP server configuration example ···························································································································· 303   SSL configuration ···················································································································································· 306   SSL overview ································································································································································· 306   SSL security mechanism ······································································································································ 306   SSL protocol stack ··············································································································································· 307   SSL configuration task list ············································································································································ 307  ...
  • Page 10 ARP defense against IP packet attack configuration example ········································································ 332   Configuring ARP packet rate limit ······························································································································ 334   Introduction ·························································································································································· 334   Configuring ARP packet rate limit ····················································································································· 334   Configuring source MAC address based ARP attack detection·············································································· 335  ...
  • Page 11 Blacklist configuration example ·································································································································· 381   Network requirements ········································································································································· 381   Verifying the configuration ································································································································· 381   Support and other resources ·································································································································· 382   Contacting HP ······························································································································································ 382   Subscription service ············································································································································ 382   Related information ······················································································································································ 382   Documents ···························································································································································· 382  ...

  • Page 12: Aaa Configuration

    AAA configuration AAA overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions: • Authentication—Identifies users and determines whether a user is valid. Authorization—Grants different users different rights and controls their access to resources and •...

  • Page 13: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol.
  • Page 14 Figure 3 Basic RADIUS message exchange process RADIUS client Host RADIUS server 1) Username and password 2) Access-Request 3) Access-Accept/Reject 4) Accounting-Request (start) 5) Accounting-Response 6) The host accesses the resources 7) Accounting-Request (stop) 8) Accounting-Response 9) Notification of access termination RADIUS operates in the following manner: The host initiates a connection request that carries the user’s username and password to the RADIUS client.
  • Page 15 Figure 4 RADIUS packet format Descriptions of the fields are as follows: The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings. Table 1 Main values of the Code field Code Packet type Description...
  • Page 16 The Attributes field, variable in length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type, Length, and Value. • Type (1 byte long)—Indicates the type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 17 Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see “HP proprietary RADIUS sub-attributes.“...

  • Page 18: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
  • Page 19 Figure 6 Basic HWTACACS message exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user inputs the username 6) Authentication continuance packet with the username 7) Authentication response requesting the login...

  • Page 20: Domain-Based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends the user authorization request packet to the HWTACACS server.

  • Page 21: Radius Server Feature Of The Switch

    Portal users—Users who must pass portal authentication to access the network. • In addition, AAA provides the following services for login users to enhance switch security: Command authorization—Enables the NAS to defer to the authorization server to determine • whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute.

  • Page 22: Aaa Across Mpls L3Vpns

    A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server.

  • Page 23: Radius Attributes

    Maximum idle time permitted for the user before termination of the session. User identification that the NAS sends to the server. For the LAN access service Calling-Station-Id provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier...
  • Page 24 Access-Requests. This attribute is used when RADIUS supports EAP ator authentication. NAS-Port-Id String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.
  • Page 25 Sub-attribute Description Operation for the session, used for session control. It can be: • 1—Trigger-Request • 2—Terminate-Request Command • 3—SetPolicy • 4—Result • 5—PortalClear Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value; for retransmitted packets of different sessions, this attribute may take the same value.

  • Page 26: Aaa Configuration Considerations And Task List

    Sub-attribute Description Backup-NAS-IP Backup source IP address for sending RADIUS packets Product_ID Product name AAA configuration considerations and task list To configure AAA, you must complete these tasks on the NAS: Configure the required AAA schemes. Local authentication—Configure local users and the related attributes, including the usernames and •...

  • Page 27: Configuring Aaa Schemes

    Task Remarks Configuring HWTACACS schemes Creating an ISP domain Required Configuring ISP domain attributes Optional Configuring AAA authentication methods for Configuring AAA an ISP domain methods for ISP domains Required Configuring AAA authorization methods for an ISP domain Complete at least one task. Configuring AAA accounting methods for an ISP domain Tearing down user connections...
  • Page 28 create a guest account and specify a validity time and an expiration time for the account to control the validity of the account. User group • Each local user belongs to a local user group and bears all attributes of the group, such as the authorization attributes.
  • Page 29 To do… Use the command… Remarks Optional If you do not configure any password for a local user, the local user does not need to provide any password during authentication, and can pass authentication after entering the Configure a password for the local password [ { cipher | simple } correct local user name and passing user...
  • Page 30 To do… Use the command… Remarks Optional Set the validity time of the local validity-date time user Not set by default Optional Set the expiration time of the local expiration-date time user Not set by default Optional Assign the local user to a user group group-name By default, a local user belongs to the group...

  • Page 31: Configuring Radius Schemes

    To do… Use the command… Remarks authorization-attribute { acl Optional acl-number | callback-number By default, no Configure the authorization attributes for callback-number | idle-cut minute | authorization attribute is the user group level level | user-profile profile-name | configured for a user vlan vlan-id | work-directory group.
  • Page 32 Task Remarks Setting the maximum number of RADIUS request transmission attempts Optional Setting the status of RADIUS servers Optional Specifying the source IP address for outgoing RADIUS packets Optional Specifying a backup source IP address for outgoing RADIUS packets Optional Setting timers for controlling communication with RADIUS servers Optional Configuring RADIUS accounting-on...
  • Page 33 To do… Use the command… Remarks Enter system view system-view — Enter RADIUS scheme view radius scheme radius-scheme-name — primary authentication { ip-address | ipv6 Required Specify the primary RADIUS ipv6-address } [ port-number | key [ cipher | authentication/authorization Configure at least one simple ] key | vpn-instance vpn-instance-name ] server...
  • Page 34 To do… Use the command… Remarks No accounting server is secondary accounting { ip-address | ipv6 specified by default. Specify the secondary RADIUS ipv6-address } [ port-number | key [ cipher | accounting server simple ] key | vpn-instance vpn-instance-name ] Optional Set the maximum number of retry realtime-accounting retry-times...
  • Page 35 Specifying the VPN to which the servers belong After you specify a VPN for a RADIUS scheme, all the authentication/authorization/accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to the specific VPN.
  • Page 36 Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later. • Extended—Uses the proprietary RADIUS protocol of HP. • When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.
  • Page 37 Setting the status of RADIUS servers By setting the status of RADIUS servers to blocked or active, you can control which servers the switch communicates with for authentication, authorization, and accounting or turn to when the current servers are not available anymore. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.
  • Page 38 To do… Use the command… Remarks state secondary authentication [ ip Set the status of the secondary RADIUS ipv4-address | ipv6 ipv6-address ] authentication/authorization server { active | block } state secondary accounting [ ip Set the status of the secondary RADIUS ipv4-address | ipv6 ipv6-address ] accounting server { active | block }...
  • Page 39 To do… Use the command… Remarks radius scheme Enter RADIUS scheme view — radius-scheme-name Required Specify a source IP address for nas-ip { ip-address | ipv6 By default, the IP address of the outbound outgoing RADIUS packets ipv6-address } interface is used as the source IP address. Specifying a backup source IP address for outgoing RADIUS packets In a stateful failover scenario, the active switch authenticates portal users by interacting with the RADIUS server, and synchronizes its online portal user information to the standby switch through the backup link...
  • Page 40 NOTE: The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby switch. Setting timers for controlling communication with RADIUS servers The switch uses the following types of timers to control the communication with a RADIUS server: Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission •...
  • Page 41 NOTE: For a type of users, the maximum number of transmission attempts multiplied by the RADIUS server • response timeout period must be less than the client connection timeout time and must not exceed 75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the primary/secondary server switchover cannot take place.
  • Page 42 Configuring the IP address of the security policy server The core of the EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 43 sends a trap message. If the NAS receives a response from a RADIUS server that it considers unreachable, the NAS considers that the RADIUS server is reachable again, sets the status of the server to active, and sends a trap message. The ratio of the number of failed transmission attempts to the total number of authentication request •...

  • Page 44: Configuring Hwtacacs Schemes

    To do… Use the command… Remarks reset stop-accounting-buffer Clear the buffered stop-accounting { radius-scheme radius-server-name | requests for which no responses have session-id session-id | time-range Available in user view been receive start-time stop-time | user-name user-name } [ slot slot-number ] Configuring HWTACACS schemes NOTE: You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS...
  • Page 45 Specifying the HWTACACS authentication servers You can specify one primary authentication server and up to one secondary authentication server for an HWTACACS scheme. When the primary server is not available, the secondary server is used, if any. In a scenario where redundancy is not required, specify only the primary server. Follow these steps to specify HWTACACS authentication servers for an HWTACACS scheme: To do…...
  • Page 46 NOTE: An HWTACACS server can function as the primary authorization server of one scheme and as the • secondary authorization server of another scheme at the same time. • The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
  • Page 47 Specifying the shared keys for secure HWTACACS communication The HWTACACS client and HWTACACS server use the MD5 algorithm to authenticate packets exchanged between them and use shared keys for packet authentication and user passwords encryption. They must use the same key for the same type of communication. Follow these steps to specify a shared key for secure HWTACACS communication: To do…...
  • Page 48 To do… Use the command… Remarks hwtacacs scheme Enter HWTACACS scheme view — hwtacacs-scheme-name Optional Set the format for usernames sent user-name-format { keep-original | By default, the ISP domain name to the HWTACACS servers with-domain | without-domain } is included in a username. Optional data-flow-format { data { byte | Specify the unit for data flows or...
  • Page 49 To do… Use the command… Remarks Required hwtacacs nas-ip ip-address Specify a source IP address for [ vpn-instance By default, the IP address of the outbound outgoing HWTACACS packets vpn-instance-name ] interface is used as the source IP address. Follow these steps to specify a source IP address for a specific HWTACACS scheme: To do…...

  • Page 50: Configuring Aaa Methods For Isp Domains

    Displaying and maintaining HWTACACS To do… Use the command… Remarks display hwtacacs Display the configuration information [ hwtacacs-server-name [ statistics ] ] Available in any view or statistics of HWTACACS schemes [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] display stop-accounting-buffer Display information about buffered...

  • Page 51: Configuring Isp Domain Attributes

    To do… Use the command… Remarks Enter system view system-view — Create an ISP domain and enter domain isp-name Required ISP domain view Return to system view quit — Optional domain default enable Specify the default ISP domain By default, the default ISP domain is the isp-name system predefined ISP domain system.

  • Page 52: Configuring Aaa Authentication Methods For An Isp Domain

    To do… Use the command… Remarks Enable the self-service server Optional location function and specify the self-service-url enable url-string Disabled by default URL of the self-service server Optional Specify the default authorization authorization-attribute By default, an ISP domain has no user profile user-profile profile-name default authorization user profile.

  • Page 53: Configuring Aaa Authorization Methods For An Isp Domain

    To do… Use the command… Remarks Enter system view system-view — Enter ISP domain view domain isp-name — authentication default { hwtacacs-scheme Specify the default Optional hwtacacs-scheme-name [ local ] | local | authentication method for all none | radius-scheme radius-scheme-name local by default types of users [ local ] }...
  • Page 54 authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration. AAA supports the following authorization methods: No authorization (none)—The NAS performs no authorization exchange. After passing • authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have only the rights of Level 0 (visiting).

  • Page 55: Configuring Aaa Accounting Methods For An Isp Domain

    NOTE: The authorization method specified with the authorization default command is for all types of users and • has a priority lower than that for a specific access type. • If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication.

  • Page 56: Tearing Down User Connections

    To do… Use the command… Remarks Optional Disabled by default With the accounting optional Enable the accounting optional feature, a switch allows users to accounting optional feature use network resources when no accounting server is available or communication with all accounting servers fails.

  • Page 57: Configuring A Nas Id-Vlan Binding

    To do… Use the command… Remarks cut connection { access-type { dot1x | Required mac-authentication | portal } | all | domain isp-name | interface interface-type Applicable to only Tear down AAA user connections interface-number | ip ip-address | mac LAN and portal user mac-address | ucibindex ucib-index | user-name connections.

  • Page 58: Configuring A Switch As A Radius Server

    Configuring or changing the device ID of a switch will log out all online users of the switch. • • HP recommends to save the configuration and reboot the switch after configuring or changing the device ID. The device ID is the symbol for stateful failover mode. Do not configure any device ID for a switch •...

  • Page 59: Specifying A Radius Client

    NOTE: You can use the authorization-attribute command to specify an authorization ACL and authorized VLAN, which will be assigned by the RADIUS server to the RADIUS client (the NAS) after the RADIUS user passes authentication. The NAS then uses the assigned ACL and VLAN to control user access. If the assigned ACL does not exist on the NAS, ACL assignment will fail and the NAS will forcibly log the RADIUS user out.

  • Page 60: Aaa Configuration Examples

    AAA configuration examples AAA for Telnet users by an HWTACACS server Network requirements As shown in Figure 1 1, configure the switch to use the HWTACACS server to provide authentication, authorization, and accounting services for Telnet users. Set the shared keys for secure communication with the HWTACACS server to expert. Configure the switch to remove the domain name from a username before sending the username to the HWTACACS server.

  • Page 61: Aaa For Telnet Users By Separate Servers

    [Switch-hwtacacs-hwtac] key accounting simple expert # Configure the scheme to remove the domain name from a username before sending the username to the HWTACACS server. [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit # Configure the AAA methods for the domain. [Switch] domain bbb [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac [Switch-isp-bbb] accounting login hwtacacs-scheme hwtac...

  • Page 62: Authentication/Authorization For Ssh/Telnet Users By A Radius Server

    # Configure the HWTACACS scheme. [Switch] hwtacacs scheme hwtac [Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49 [Switch-hwtacacs-hwtac] key authorization expert [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit # Configure the RADIUS scheme. [Switch] radius scheme rd [Switch-radius-rd] primary accounting 10.1.1.1 1813 [Switch-radius-rd] key accounting expert [Switch-radius-rd] server-type extended [Switch-radius-rd] user-name-format without-domain [Switch-radius-rd] quit...
  • Page 63 Select Device Management Service as the service type • • Select HP(A-Series) as the access device type Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2 • Click OK to finish the operation •...
  • Page 64 Figure 14 Add an access device # Add a user for device management Log in to the iMC management platform, click the User tab, and select Device Management User from the navigation tree to enter the Device Management User page. Then, click Add to enter the Add Device Management User window and perform the following configurations as shown in Figure Add a user named hello@bbb and specify the password...
  • Page 65 Figure 15 Add an account for device management Configure the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch access the server.

  • Page 66: Aaa For Portal Users By A Radius Server

    [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure authentication communication to expert. [Switch-radius-rad] key authentication expert # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs iMC.
  • Page 67 Specify the ports for authentication and accounting as 1812 and 1813 respectively • • Select LAN Access Service as the service type Select HP(A-Series) as the access device type • Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2 •...
  • Page 68 Figure 17 Add an access device # Add a charging plan. Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging plan configuration page. Then, click Add to enter the Add Charging Plan page and perform the following configurations: Add a plan named UserAcct •...
  • Page 69 Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page and perform the following configurations: Add a service named Portal-auth/acct and set the Service Suffix to dm1, which indicates the •...
  • Page 70 Figure 20 Add an access user account Configure the Portal server (iMC PLAT 5.0) # Configure the Portal server. Log in to the iMC management platform and click the Service tab. Then, select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure Input the URL address of the portal authentication main page in the format http://ip:port/portal,...
  • Page 71 Figure 21 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page for adding an IP address group, as shown in Figure •...
  • Page 72 Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown Figure Type the device name NAS. •...
  • Page 73 On the port group configuration page, click Add to enter the page for adding a port group, as shown Figure 25. Perform the following configurations: Type the port group name. • Select the configured IP address group. The IP address used by the user to access the network must •...
  • Page 74 [Switch] domain dm1 # Configure the ISP domain to use RADIUS scheme rs1. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.

  • Page 75: Aaa For 802.1X Users By A Radius Server

    AAA for 802.1X users by a RADIUS server Network requirements As shown in Figure 26, configure the switch to: • Use the RADIUS server for authentication, authorization, and accounting of 802.1X users. Use MAC-based access control on Ethernet 1/0/1 to authenticate all 802.1X users on the port •...
  • Page 76 Select LAN Access Service as the service type • Select HP(A-Series) as the access device type • Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2 • • Adopt the default settings for other parameters and click OK to finish the operation.
  • Page 77 Figure 28 Add a charging policy # Add a service. Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page and perform the following configurations: Add a service named Dot1x auth and set the Service Suffix to bbb, which indicates the •...
  • Page 78 Figure 29 Add a service # Add a user. Click the User tab, and select All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to enter the Add Access User page and perform the following configurations: Select the user or add a user named test •...
  • Page 79 Figure 30 Add an access user account Configure the switch Configure a RADIUS scheme • # Create a RADIUS scheme named rad and enter its view. <Switch> system-view [Switch] radius scheme rad # Set the server type for the RADIUS scheme. When you use the iMC server, set the server type to extended.
  • Page 80 # Configure bbb as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain will be used for the user. [Switch] domain default enable bbb Configure 802.1X authentication •...

  • Page 81: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    User Profile=N/A CAR=Disable Priority=Disable Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s Total 1 connection matched. As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user. Level switching authentication for Telnet users by an HWTACACS server Network requirements As shown in Figure...
  • Page 82 Configuration procedure Configure the switch # Configure the IP address of VLAN-interface 2, through which the Telnet user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server. [Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 [Switch-Vlan-interface3] quit...
  • Page 83 [Switch-luser-test] authorization-attribute level 0 [Switch-luser-test] quit # Configure the password for local privilege level switching authentication to 654321. [Switch] super password simple 654321 [Switch] quit Configure the HWTACACS server NOTE: The HWTACACS server in this example runs ACSv4.0. Add a user named test on the HWTACACS server and configure advanced attributes for the user as shown in Figure Select Max Privilege for any AAA Client and set the privilege level to level 3.

  • Page 84: Radius Authentication And Authorization For Telnet Users By A Switch

    Connected to 192.168.1.70 ... ****************************************************************************** * Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P. * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ****************************************************************************** Login authentication Username:test@bbb Password: <Switch> ? User view commands: display Display current system information ping Ping function quit...
  • Page 85 Set the shared keys for secure communication between the NAS and the RADIUS server to abc. Figure 33 Network diagram Configuration procedure # Configure an IP address for each interface as shown in Figure 33. (Details not shown) Configure the NAS # Enable the Telnet server on Switch A.

  • Page 86: Troubleshooting Aaa

    Configure the RADIUS server # Create RADIUS user aaa and enter its view. <SwitchB> system-view [SwitchB] radius-server user aaa # Configure simple-text password aabbcc for user aaa. [SwitchB-rdsuser-aaa] password simple aabbcc [SwitchB-rdsuser-aaa] quit # Specify the IP address of the RADIUS client as 10.1.1.1 and the shared key as abc. [SwitchB] radius-server client-ip 10.1.1.1 key abc Verify the configuration After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A.

  • Page 87: Troubleshooting Hwtacacs

    Symptom 2 RADIUS packets cannot reach the RADIUS server. Analysis The NAS and the RADIUS server cannot communicate with each other. The NAS is not configured with the IP address of the RADIUS server. The UDP ports for authentication/authorization and accounting are not correct. The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.

  • Page 88: 802.1X Fundamentals

    802.1X fundamentals 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.

  • Page 89: 802.1X-Related Protocols

    Performs unidirectional traffic control to deny traffic from the client. • NOTE: The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.

  • Page 90: Packet Formats

    Protocol version: The EAPOL protocol version used by the EAPOL packet sender. Type: Type of the EAPOL packet. Table 5 lists the types of EAPOL packets that the HP • implementation of 802.1X supports. Table 5 Types of EAPOL packets...

  • Page 91: Eap Over Radius

    Value Type Description The client sends an EAPOL-Logoff message to tell the 0x02 EAPOL-Logoff network access device that it is logging off. Length: Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or • EAPOL-Logoff, this field is set to 0, and no Packet body field follows.

  • Page 92: Access Device As The Initiator

    802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets.

  • Page 93: A Comparison Of Eap Relay And Eap Termination

    A comparison of EAP relay and EAP termination Packet exchange method Benefits Limitations • Supports various EAP The RADIUS server must support the authentication methods. EAP-Message and EAP relay • Message-Authenticator attributes, The configuration and processing is and the EAP authentication method simple on the network access used by the client.
  • Page 94 When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.

  • Page 95: Eap Termination

    EAP termination Figure 43 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used. Figure 43 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4).

  • Page 96: 802.1X Configuration

    802.1X configuration This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter.
  • Page 97 Access control VLAN manipulation IMPORTANT: • With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN. • On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.
  • Page 98 Authentication status VLAN manipulation Re-maps the MAC address of the user to the VLAN specified for the user. A user in the 802.1X guest VLAN passes 802.1X If the authentication server assigns no VLAN, re-maps the MAC address of the authentication user to the initial default VLAN on the port.

  • Page 99: Configuring 802.1X

    Authentication status VLAN manipulation Re-maps the MAC address of the user to the server-assigned VLAN. A user in the Auth-Fail VLAN If the authentication server assigns no VLAN, re-maps the MAC address of the passes 802.1X authentication user to the initial default VLAN on the port. NOTE: To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you •...

  • Page 100: Enabling 802.1X

    Task Remarks Specifying a mandatory authentication domain on a port Optional Configuring the quiet timer Optional Enabling the periodic online user re-authentication function Optional Configuring an 802.1X guest VLAN Optional Configuring an Auth-Fail VLAN Optional Specifying supported domain name delimiters Optional Enabling 802.1X Configuration guidelines...

  • Page 101: Setting The Port Authorization State

    To do… Use the command… Remarks Enter system view system-view — Optional By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Configure EAP relay or EAP dot1x authentication-method termination { chap | eap | pap } Specify the eap keyword to enable EAP termination.

  • Page 102: Specifying An Access Control Method

    Specifying an access control method You can specify an access control method for one port in Ethernet interface view, or for multiple ports in system view. If different access control methods are specified for a port in system view and Ethernet interface view, the one specified later takes effect.

  • Page 103: Setting The 802.1X Authentication Timeout Timers

    Follow these steps to set the maximum number of authentication request attempts: To do… Use the command… Remarks Enter system view system-view — Set the maximum number of Optional attempts for sending an dot1x retry max-retry-value 2 by default. authentication request Setting the 802.1X authentication timeout timers The network device uses the following 802.1X authentication timeout timers: •...

  • Page 104: Configuring The Authentication Trigger Function

    To use the online handshake security function, make sure the online user handshake function is • enabled. HP recommends that you use the iNode client software and iMC server to guarantee the normal operation of the online user handshake security function.

  • Page 105: Specifying A Mandatory Authentication Domain On A Port

    Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these • clients cannot initiate authentication. To avoid duplicate authentication packets, do not enable both triggers on a port. • Configuration procedure Follow these steps to configure the authentication trigger function on a port: To do…...

  • Page 106: Enabling The Periodic Online User Re-Authentication Function

    To do… Use the command… Remarks Required Enable the quiet timer dot1x quiet-period Disabled by default. Optional dot1x timer quiet-period Set the quiet timer quiet-period-value The default is 60 seconds. Enabling the periodic online user re-authentication function Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS.
  • Page 107 With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. • After the assignment, do not re-configure the port as a tagged member in the VLAN. Table 6 when configuring multiple security features on a port. •...

  • Page 108: Configuring An Auth-Fail Vlan

    Configuring an Auth-Fail VLAN Configuration guidelines Follow these guidelines when configuring an 802.1X Auth-Fail VLAN: • Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN tagged incoming traffic. You can configure only one 802.1X Auth-Fail VLAN on a port.

  • Page 109: Specifying Supported Domain Name Delimiters

    Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters. The configurable delimiters include the at sign (@), back slash (\), and forward slash (/). If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter.
  • Page 110 Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. If RADIUS accounting fails, the access device logs the user off. Configure the host at 10.1.1.1 as the primary authentication and accounting servers, and the host at 10.1.1.2 as the secondary authentication and accounting servers.
  • Page 111 [Device-radius-radius1] primary authentication 10.1.1.1 [Device-radius-radius1] primary accounting 10.1.1.1 # Configure the IP addresses of the secondary authentication and accounting RADIUS servers. [Device-radius-radius1] secondary authentication 10.1.1.2 [Device-radius-radius1] secondary accounting 10.1.1.2 # Specify the shared key between the access device and the authentication server. [Device-radius-radius1] key authentication name # Specify the shared key between the access device and the accounting server.

  • Page 112: With Guest Vlan And Vlan Assignment Configuration Example

    Verifying the configuration Use the display dot1x interface ethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is performed. 802.1X with guest VLAN and VLAN assignment configuration example Network requirements...
  • Page 113 Configuration procedure NOTE: The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server are not shown. For more information about Security Command Reference AAA/RADIUS configuration commands, see Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.

  • Page 114: 802.1X With Acl Assignment Configuration Example

    Configure 802.1X. # Enable 802.1X globally. [Device] dot1x # Enable 802.1X for port Ethernet 1/0/2. [Device] interface ethernet 1/0/2 [Device-Ethernet1/0/2] dot1x # Implement port-based access control on the port. [Device-Ethernet1/0/2] dot1x port-method portbased # Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode. [Device-Ethernet1/0/2] dot1x port-control auto [Device-Ethernet1/0/2] quit # Set VLAN 10 as the 802.1X guest VLAN for port Ethernet 1/0/2.
  • Page 115 NOTE: The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see Security Command Reference Configure 802.1X client.
  • Page 116 Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.

  • Page 117: Ead Fast Deployment Configuration

    EAD fast deployment configuration EAD fast deployment overview Endpoint Admission Defense (EAD) is an integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 118 To do… Use the command… Remarks Enter system view system-view — Required dot1x free-ip ip-address Configure a free IP { mask-address | mask-length } By default, no free IP is configured. NOTE: When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP •...

  • Page 119: Displaying And Maintaining Ead Fast Deployment

    Displaying and maintaining EAD fast deployment To do… Use the command… Remarks Display 802.1X session display dot1x [ sessions | statistics ] information, statistics, or [ interface interface-list ] [ | { begin | Available in any view configuration information exclude | include } regular-expression ] EAD fast deployment configuration example Network requirements...
  • Page 120 NOTE: In addition to the configuration on the access device, complete the following tasks: • Configure the DHCP server so that the host can obtain an IP address on the segment of 192.168.1.0/24. Configure the web server so that users can log in to the web page to download 802.1X clients. •...

  • Page 121: Troubleshooting Ead Fast Deployment

    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms The output shows that you can access that segment before passing 802.1X authentication.

  • Page 122: Mac Authentication Configuration

    MAC authentication configuration MAC authentication overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.

  • Page 123: Mac Authentication Timers

    For more information about configuring local authentication and RADIUS authentication, see the chapter “AAA configuration.” MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.

  • Page 124: Mac Authentication Configuration Task List

    MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources. If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. NOTE: A hybrid port is always assigned to a guest VLAN as an untagged member.

  • Page 125: Specifying An Authentication Domain For Mac Authentication Users

    To do… Use the command… Remarks Optional mac-authentication timer By default, the offline detect timer is Configure MAC { offline-detect offline-detect-value | 300 seconds, the quiet timer is 60 authentication timers quiet quiet-value | server-timeout seconds, and the server timeout server-timeout-value } timer is 100 seconds.

  • Page 126: Configuring A Mac Authentication Guest Vlan

    Specify a global authentication domain in system view. This domain setting applies to all ports. • Specify an authentication domain for an individual port in Ethernet interface view. • MAC authentication chooses an authentication domain for users on a port in this order: the interface-specific domain, the global domain, and the default domain.

  • Page 127: Displaying And Maintaining Mac Authentication

    Table 8 Relationships of the MAC authentication guest VLAN with other security features Feature Relationship description Reference The MAC authentication guest VLAN Quiet function of MAC function has higher priority. A user can “MAC authentication timers” authentication access any resources in the guest VLAN. You cannot specify a VLAN as both a super See the chapter “Super VLAN configuration”...
  • Page 128 Figure 48 Network diagram Configuration procedure # Add a local user account, set both the username and password to 00-e0-fc- 1 2-34-56, the MAC address of the user host, and enable LAN access service for the account. <Device> system-view [Device] local-user 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] service-type lan-access [Device-luser-00-e0-fc-12-34-56] quit...

  • Page 129: Radius-Based Mac Authentication Configuration Example

    Silent Mac User info: MAC Addr From Port Port Index Ethernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 1, failed: 0 Max number of on-line users is 2048 Current online user number is 1 MAC Addr Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS...
  • Page 130 NOTE: Make sure that the RADIUS server and the access device can reach each other. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account. # Configure a RADIUS scheme. <Device>...

  • Page 131: Acl Assignment Configuration Example

    MAC ADDR From Port Port Index Ethernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 1, failed: 0 Max number of on-line users is 2048 Current online user number is 1 MAC ADDR Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS # After a user passes MAC authentication, use the display connection command to display online user information.
  • Page 132 Configure the ACL assignment. # Configure ACL 3000 to deny packets destined for 10.0.0.1. <Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 [Sysname-acl-adv-3000] quit Configure RADIUS-based MAC authentication on the device. # Configure a RADIUS scheme. [Sysname] radius scheme 2000 [Sysname-radius-2000] primary authentication 10.1.1.1 1812 [Sysname-radius-2000] primary accounting 10.1.1.2 1813...
  • Page 133 Total 1 connection(s) matched on slot 1. Total 1 connection(s) matched. Ping the FTP server from the host to verify that the ACL 3000 has been assigned to port Ethernet 1/0/1 to deny access to the FTP server. C:\>ping 10.0.0.1 Pinging 10.0.0.1 with 32 bytes of data: Request timed out.

  • Page 134: Portal Configuration

    Portal configuration Portal overview Introduction to portal Portal authentication helps control access to the Internet. It is also called “web authentication.” A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...
  • Page 135 Figure 51 Portal system components Authentication client Security policy server Authentication client Access device Portal server Authentication/accounting Authentication client server Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or a portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.

  • Page 136: Portal System Using The Local Portal Server

    NAT, network address translations performed on the access device do not affect portal authentication. However, in such a case, HP recommends using an interface’s public IP address as the source address of outgoing portal packets.

  • Page 137: Portal Authentication Modes

    Authentication page customization support The local portal server function allows you to customize authentication pages. You can customize authentication pages by editing the corresponding HTML files and then compress and save the files to the storage medium of the device. A set of customized authentication pages consists of six authentication pages—the logon page, the logon success page, the online page, the logoff success page, the logon failure page, and the system busy page.

  • Page 138: Portal Support For Eap

    NOTE: The local portal server function does not support re-DHCP authentication. Cross-subnet authentication • Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to be present between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client’s IP address is used for client identification.

  • Page 139: Layer 2 Portal Authentication Process

    Layer 2 portal authentication process Figure 54 Local Layer 2 portal authentication process Local Layer 2 portal authentication takes the following procedure: The portal authentication client sends an HTTP or HTTPS request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which then pushes a web authentication page to the authentication client.

  • Page 140: Layer 3 Portal Authentication Process

    NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to make sure that the client can communicate with the hosts in the VLAN. Assignment of authorized ACLs The device can use ACLs to control user access to network resources and limit user access rights.
  • Page 141 The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message. The access device and the RADIUS server exchange RADIUS packets to authenticate the user. The access device sends an authentication reply to the portal server.
  • Page 142 The portal server notifies the authentication client of logon success. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes additional steps: The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
  • Page 143 Portal support for EAP authentication process Figure 58 Portal support for EAP authentication process All portal authentication modes share the same EAP authentication steps. The following takes the direct portal authentication as an example to show the EAP authentication process: The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process.

  • Page 144: Portal Stateful Failover

    The access device sends an authentication reply to the portal server. This reply carries the EAP-Success message in the EAP-Message attribute. The portal server notifies the authentication client of the authentication success. The portal server sends an authentication reply acknowledgment to the access device. The remaining steps are for extended portal authentication.

  • Page 145: Portal Authentication Across Vpns

    online user information of each other through the failover link. When one of them (Gateway A or Gateway B) fails, the other can guarantee the normal data communication of the online portal users and perform portal authentication for new portal users. Basic concepts Device states •...

  • Page 146: Portal Configuration Task List

    NOTE: Portal authentication configured on MCE devices can also support authentication across VPNs. For • Layer 3 - IP Routing Configuration Guide information about MCE, see • For information about AAA implementation across VPNs, see the chapter “AAA configuration.” This feature is not applicable to VPNs with overlapping address spaces. •...

  • Page 147: Configuration Prerequisites

    Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. HP...

  • Page 148: Specifying A Portal Server For Layer 3 Portal Authentication

    recommends using the IP address of a loopback interface rather than a physical Layer 3 interface, because: The status of a loopback interface is stable. There will be no authentication page access failures • caused by interface failures. A loopback interface does not forward received packets to any network, avoiding impact on system •...

  • Page 149: Configuring The Local Portal Server

    Configuring the local portal server Configuring a local portal server is required only for local portal authentication. During local portal authentication, the local portal server pushes authentication pages to users. You can define the authentication pages for users; otherwise, the default authentication pages will be used during the authentication process.
  • Page 150 Post requests are used when users submit username and password pairs, log on the system, and log • off the system. Rules on Post request attributes Observe the following requirements when editing a form of an authentication page: • An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi.
  • Page 151 Rules on file size and contents For the system to push customized authentication pages smoothly, you need comply with the following size and content requirements on authentication pages. The size of the zip file of each set of authentication pages, including the main authentication pages •...

  • Page 152: Configuring The Local Portal Server

    ..</body> </html> NOTE: HP recommends using browser IE 6.0 or above on the authentication clients. • Make sure that the browser of an authentication client permits pop-ups or permits pop-ups from the • access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return back to the logon success or online page.

  • Page 153: Enabling Layer 2 Portal Authentication

    Enabling Layer 2 portal authentication Before enabling Layer 2 portal authentication, make sure that: The listening IP address of the local portal server is specified. • Layer 3 portal authentication is not enabled on any interface. • Follow these steps to enable Layer 2 portal authentication: To do…...

  • Page 154: Controlling Access Of Portal Users

    NOTE: The destination port number that the device uses for sending unsolicited packets to the portal server must • be the same as the port number that the remote portal server actually uses. • The portal server and its parameters can be deleted or modified only when the portal server is not referenced by any interface.

  • Page 155: Configuring An Authentication Source Subnet

    NOTE: If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. • Otherwise, the rule does not take effect. • You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists.

  • Page 156: Specifying An Authentication Domain For Portal Users

    To do… Use the command… Remarks Enter system view system-view — Required Set the maximum number of online portal max-user max-number portal users 1024 by default. NOTE: • The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch.

  • Page 157: Enabling Support For Portal User Moving

    Configuration prerequisites Different clients may have different web proxy configurations. For these clients to trigger portal authentication, you must satisfy the following prerequisites: Web proxy configuration on clients Configuration prerequisites • If an iMC portal server is used, perform the following configurations on the iMC portal server: Select NAT as the type of the IP group associated with the Scenario 1:...

  • Page 158: Specifying An Auth-Fail Vlan For Portal Authentication

    NOTE: Only Layer 2 portal authentication supports this feature. In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled port of the device without logging off, the user cannot get online when the original port is still up.

  • Page 159: Configuring Radius Related Attributes

    To do… Use the command… Remarks Enter Layer 2 Ethernet interface interface interface-type — view interface-number Required Specify an Auth-Fail VLAN for portal auth-fail vlan authfail-vlan-id portal authentication on the port Not specified by default NOTE: To make the Auth-Fail VLAN of portal authentication on a port take effect, you also need to enable the •...

  • Page 160: Specifying A Nas Id Profile For An Interface

    Specifying a NAS ID profile for an interface In some networks, users’ access points are identified by their access VLANs. Network carriers need to use NAS-identifiers to identify user access points. With a NAS ID profile specified on an interface, when a user logs in from the interface, the access device checks the specified profile to obtain the NAS ID that is bound with the access VLAN.

  • Page 161: Configuring Portal Stateful Failover

    IP address of the outgoing Specify a source IP address for portal nas-ip ip-address portal packets. outgoing portal packets In NAT environments, HP recommends specifying the interface’s public IP address as the source IP address of outgoing portal packets.
  • Page 162 To do… Use the command… Remarks Required By default, the portal service backup interface does not belong Specify the portal group to which to any portal group. the portal service backup interface portal backup-group group-id The portal service backup belongs interfaces on the two devices for stateful failover must belong to the same portal group.

  • Page 163: Specifying An Auto Redirection Url For Authenticated Portal Users

    Specifying an auto redirection URL for authenticated portal users After a user passes portal authentication, if the access device is configured with an auto redirection URL, it redirects the user to the URL after a specified period of time. Follow these steps to specify an auto redirection URL for authenticated portal users: To do…...

  • Page 164: Configuring The Portal Server Detection Function

    To do… Use the command… Remarks Required Set the Layer 2 portal user portal offline-detect interval detection interval offline-detect-interval 300 seconds by default Configuring the portal server detection function NOTE: Only Layer 3 portal authentication supports this feature. During portal authentication, if the communication between the access device and portal server is broken, new portal users are not able to log on and the online portal users are not able to log off normally.

  • Page 165: Configuring Portal User Information Synchronization

    HP recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.

  • Page 166: Logging Off Portal Users

    HP recommends configuring the interval to be greater than the portal user heartbeat interval configured on the portal server.

  • Page 167: Portal Configuration Examples

    To do… Use the command… Remarks display portal connection statistics Display portal connection statistics { all | interface interface-type on a specific interface or all interface-number } [ | { begin | Available in any view interfaces exclude | include } regular-expression ] Display information about a display portal free-rule...
  • Page 168 The host is directly connected to the switch and the switch is configured for direct authentication. The • host is assigned with a public network IP address either manually or through DHCP. Before passing portal authentication, users can access only the portal server. After passing portal authentication, users can access Internet resources.
  • Page 169 Figure 62 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Type the IP group name.
  • Page 170 Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure Type the device name NAS. • Type the IP address of the switch’s interface connected to the user. •...
  • Page 171 Figure 66 Add a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure the switch Configure a RADIUS scheme • # Create a RADIUS scheme named rs1 and enter its view. <Switch>...

  • Page 172: Configuring Re-Dhcp Portal Authentication

    # Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [Switch] domain default enable dm1 Configure portal authentication •...
  • Page 173 NOTE: For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) • and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown) • For re-DHCP portal authentication, the switch must be configured as a DHCP relay agent and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).

  • Page 174: Configuring Cross-Subnet Portal Authentication

    # Configure the portal server as follows: Name: newpt • IP address: 192.168.0.1 1 1 • • Key: portal Port number: 50100 • URL: http://192.168.0.1 1 1:8080/portal. • [Switch] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal # Configure the switch as a DHCP relay agent, and enable the IP address check function. [Switch] dhcp enable [Switch] dhcp relay server-group 0 ip 192.168.0.112 [Switch] interface vlan-interface 100...
  • Page 175 NOTE: Make sure that the IP address of the portal device added on the portal server is the IP address of the • interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example). •...

  • Page 176: Configuring Direct Portal Authentication With Extended Functions

    [SwitchA] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal # Enable portal authentication on the interface connecting Switch B. [SwitchA] interface vlan-interface 4 [SwitchA–Vlan-interface4] portal server newpt method layer3 [SwitchA–Vlan-interface4] quit On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown) Configuring direct portal authentication with extended functions...
  • Page 177 [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended. [Switch-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

  • Page 178: Configuring Re-Dhcp Portal Authentication With Extended Functions

    [Switch] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111:8080/portal # Enable portal authentication on the interface connecting the host. [Switch] interface vlan-interface 100 [Switch–Vlan-interface100] portal server newpt method direct [Switch–Vlan-interface100] quit Configuring re-DHCP portal authentication with extended functions Network requirements As shown in Figure The host is directly connected to the switch and the switch is configured for re-DHCP authentication.
  • Page 179 NOTE: For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) • and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown) • For re-DHCP portal authentication, the switch must be configured as a DHCP relay agent and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).

  • Page 180: Configuring Cross-Subnet Portal Authentication With Extended Functions

    Configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources NOTE: On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. [Switch] acl number 3000 [Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [Switch-acl-adv-3000] rule deny ip [Switch-acl-adv-3000] quit...
  • Page 181 Figure 71 Network diagram Configuration procedure NOTE: • Make sure that the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).

  • Page 182: Configuring Portal Stateful Failover

    # Configure AAA methods for the ISP domain. [SwitchA-isp-dm1] authentication portal radius-scheme rs1 [SwitchA-isp-dm1] authorization portal radius-scheme rs1 [SwitchA-isp-dm1] accounting portal radius-scheme rs1 [SwitchA-isp-dm1] quit # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
  • Page 183 When Switch A works normally, Host accesses Switch A for portal authentication before accessing • the Internet; when Switch A fails, Host accesses the Internet through Switch B. The VRRP uplink/downlink detection mechanism is used to ensure non-stop traffic forwarding. Use the RADIUS server as the authentication/accounting server.
  • Page 184 Log in to the iMC management platform and select the Service tab. Then, select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure Configure the portal server parameters as needed. This example uses the default settings. •...
  • Page 185 # Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure • Type the device name NAS. Type the virtual IP address of the VRRP group that holds the portal-enabled interface.
  • Page 186 Figure 77 Add a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure Switch A • Configure VRRP # Create VRRP group 1, and configure the virtual IP address of the VRRP group 1 as 9.9.1.1. <SwitchA>...
  • Page 187 # Configure the server type for the RADIUS scheme. When using the iMC server, configure the RADIUS server type as extended. [SwitchA-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [SwitchA-radius-rs1] primary authentication 192.168.0.111 [SwitchA-radius-rs1] primary accounting 192.168.0.111 [SwitchA-radius-rs1] key authentication expert...
  • Page 188 [SwitchA] radius nas-ip 192.168.0.1 NOTE: Make sure that you have added the access device with IP address 192.168.0.1 on the RADIUS server. • Configure the stateful failover function # Configure the VLAN for stateful failover as VLAN 8. [SwitchA] dhbk vlan 8 # Enable stateful failover and configure it to support the symmetric path.
  • Page 189 # Configure AAA methods for the ISP domain. [SwitchB-isp-dm1] authentication portal radius-scheme rs1 [SwitchB-isp-dm1] authorization portal radius-scheme rs1 [SwitchB-isp-dm1] accounting portal radius-scheme rs1 [SwitchB-isp-dm1] quit # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.

  • Page 190: Configuring Portal Server Detection And Portal User Information Synchronization

    ACL:NONE Work-mode: primary VPN instance:NONE Vlan Interface --------------------------------------------------------------------- 000d-88f8-0eac 9.9.1.2 Vlan-interface10 Total 1 user(s) matched, 1 listed. [SwitchB] display portal user all Index:2 State:ONLINE SubState:NONE ACL:NONE Work-mode: secondary VPN instance:NONE Vlan Interface --------------------------------------------------------------------- 000d-88f8-0eac 9.9.1.2 Vlan-interface10 Total 1 user(s) matched, 1 listed. In the above output, you can see the information of user Host on both Switch A and Switch B.
  • Page 191 Figure 78 Network diagram Portal server Vlan-int100 Vlan-int2 192.168.0.111/24 2.2.2.1/24 192.168.0.100/24 Host Switch 2.2.2.2/24 Gateway:2.2.2.1/24 RADIUS server 192.168.0.112/24 Configuration considerations Configure the portal server and enable portal server heartbeat function and the portal user heartbeat function. Configure the RADIUS server to implement authentication and accounting. Configure direct portal authentication on interface VLAN-interface 100, which is connected with the user host.
  • Page 192 Figure 79 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Type the IP group name.
  • Page 193 Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure Type the device name NAS. • Type the IP address of the switch’s interface connected to the user. •...
  • Page 194 Figure 83 Add a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure the switch Configure a RADIUS scheme • # Create RADIUS scheme rs1 and enter its view. <Switch>...
  • Page 195 NOTE: The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.

  • Page 196: Configuring Layer 2 Portal Authentication

    : http://192.168.0.111:8080/portal Status : Up Configuring Layer 2 portal authentication Network requirements As shown in Figure 84, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port Ethernet 1/0/1. More specifically, Use the remote RADIUS server for authentication, authorization and accounting.
  • Page 197 NOTE: Make sure that the host, switch, and servers can reach each other before portal authentication is • enabled. • Configure the RADIUS server properly to provide normal authentication/authorization/accounting functions for users. In this example, you must create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account.
  • Page 198 # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended. [Switch-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

  • Page 199: Troubleshooting Portal

    # Correlate DHCP server group 1 with VLAN-interface 3. [Switch-Vlan-interface3] dhcp relay server-select 1 [Switch-Vlan-interface3] quit Verifying the configuration Before user userpt accesses a web page, the user is in VLAN 8 (the initial VLAN), and is assigned with an IP address on subnet 192.168.1.0/24. When the user accesses a web page on the external network, the web request will be redirected to authentication page https://4.4.4.4/portal/logon.htm.

  • Page 200: Incorrect Server Port Number On The Access Device

    Analysis The keys configured on the access device and the portal server are inconsistent, causing CHAP message exchange failure. As a result, the portal server does not display the authentication page. Solution Use the display portal server command to display the key for the portal server on the access device •...

  • Page 201: Triple Authentication Configuration

    Triple authentication configuration Triple authentication overview Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services.

  • Page 202: Using Triple Authentication With Other Features

    authentication, the other types of authentication being performed are terminated. Then, whether the other types of authentication can be triggered varies: If a terminal passes 802.1X or portal authentication, no other types of authentication will be • triggered for the terminal. If the terminal passes MAC authentication, no portal authentication can be triggered for the •...

  • Page 203: Configuring Triple Authentication

    Configure Layer-2 portal authentication See the chapter “Portal configuration” NOTE: 802.1X authentication must use MAC-based access control. • HP does not recommend you configure 802.1X guest VLANs for triple authentication. • Triple authentication configuration examples Triple authentication basic function configuration example Network requirements...
  • Page 204 NOTE: Make sure that the terminals, the server, and the switch can reach each other. • • The host of the web user must have a route to the listening IP address of the local portal server. Configure the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally.
  • Page 205 [Switch-radius-rs1] server-type extended # Specify the primary authentication and accounting servers and keys. [Switch-radius-rs1] primary authentication 1.1.1.2 [Switch-radius-rs1] primary accounting 1.1.1.2 [Switch-radius-rs1] key authentication radius [Switch-radius-rs1] key accounting radius # Specify usernames sent to the RADIUS server to carry no domain names. [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit Configure an ISP domain.

  • Page 206: Triple Authentication Supporting Vlan Assignment And Auth-Fail Vlan Configuration Example

    Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example Network requirement As shown in Figure 87, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface of the switch which connects to the terminals so that a terminal passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC authentication, can access the IP network.
  • Page 207 Configure the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally. In this example, configure on the RADIUS server an 802.1X user (with username userdot), a portal user (with username userpt), a MAC authentication user (with a username and password both being the MAC address of the printer 001588f80dd7), and an authorized VLAN (VLAN 3).
  • Page 208 [Switch-dhcp-pool-3] quit # Configure IP address pool 4, and bind the printer MAC address 0015-e9a6-7cfe to the IP address 3.3.3.1 1 1/24 in this address pool. [Switch] dhcp server ip-pool 4 [Switch-dhcp-pool-4] static-bind ip-address 3.3.3.111 mask 255.255.255.0 [Switch-dhcp-pool-4] static-bind mac-address 0015-e9a6-7cfe [Switch-dhcp-pool-4] quit Configure portal authentication.
  • Page 209 [Switch–Ethernet1/0/1] mac-authentication guest-vlan 2 [Switch–Ethernet1/0/1] quit Configure a RADIUS scheme. # Create a RADIUS scheme named rs1. [Switch] radius scheme rs1 # Specify the server type for the RADIUS scheme, which must be extended when the iMC server is used. [Switch-radius-rs1] server-type extended # Specify the primary authentication and accounting servers and keys.
  • Page 210 IP=N/A IPv6=N/A MAC=0015-88f8-0dd7 Total 3 connection(s) matched on slot 1. Total 3 connection(s) matched. Use the display mac-vlan all command to view the MAC-VLAN entries of online users. VLAN 3 is the authorized VLAN. [Switch] display mac-vlan all The following MAC VLAN addresses exist: S:Static D:Dynamic MAC ADDR...

  • Page 211: Port Security Configuration

    NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see the chapters “802.1X configuration” and “MAC authentication configuration ”...
  • Page 212 MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is • permitted on a port in autoLearn mode and disabled in secure mode. Authentication — Security modes in this category implement MAC authentication, 802.1X • authentication, or a combination of these two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
  • Page 213 A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default.

  • Page 214: Working With Guest Vlan And Auth-Fail Vlan

    This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the authentication fails, 802.1X authentication. macAddressElseUserLoginSecureExt This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users as the keyword Ext implies.

  • Page 215: Enabling Port Security

    Enabling port security Configuration prerequisites Disable 802.1X and MAC authentication globally. Configuration procedure Follow these steps to enable port security: To do… Use the command… Remarks Enter system view system-view — Required Enable port security port-security enable By default, the port security is disabled. Enabling or disabling port security resets the following security settings to the default: •...

  • Page 216: Setting The Port Security Mode

    To do… Use the command… Remarks Required Set the limit of port security on the port-security max-mac-count number of MAC addresses count-value Not limited by default NOTE: The port security’s limit on the number of MAC addresses on a port is independent of the MAC learning Layer 2—LAN Switching Configuration Guide limit described in MAC address table configuration in the Setting the port security mode...

  • Page 217: Configuring Port Security Features

    To do… Use the command… Remarks port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | Required mac-else-userlogin-secure-ext | secure Set the port security mode | userlogin | userlogin-secure | By default, a port operates in userlogin-secure-ext | noRestrictions mode. userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } NOTE:...

  • Page 218: Enabling Port Security Traps

    blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list • and discards the frames. All subsequent frames sourced from a blocked MAC address will be dropped. A blocked MAC address is restored to normal state after being blocked for three minutes. The interval is fixed and cannot be changed.

  • Page 219: Configuring Secure Mac Addresses

    Configuring secure MAC addresses Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up events. You can bind a secure MAC address to only one port in a VLAN. Secure MAC addresses fall into static, sticky and dynamic secure MAC addresses. Table 11 A comparison of static, sticky, and dynamic secure MAC addresses Can be saved and Type...

  • Page 220: Configuration Procedure

    Configuration procedure Follow these steps to configure a secure MAC address: To do… Use the command… Remarks Enter system view system-view — Optional By default, secure MAC addresses do note age out, and you can port-security timer autolearn aging remove them only by performing the Set the secure MAC aging timer time-value undo port-security mac-address...

  • Page 221: Displaying And Maintaining Port Security

    Follow these steps to configure a port to ignore the authorization information from the RADIUS server: To do… Use the command… Remarks Enter system view system-view — Enter Layer 2 Ethernet interface interface interface-type — view interface-number Required Ignore the authorization By default, a port uses the information from the RADIUS port-security authorization ignore...
  • Page 222 Figure 88 Network diagram Configuration procedure # Enable port security. <Device> system-view [Device] port-security enable # Set the secure MAC aging timer to 30 minutes. [Device] port-security timer autolearn aging 30 # Enable intrusion protection traps on port Ethernet 1/0/1. [Device] port-security trap intrusion [Device] interface ethernet 1/0/1 # Set port security’s limit on the number of MAC addresses to 64 on the port.
  • Page 223 # Repeatedly perform the display port-security command to track the number of MAC addresses learned by the port, or use the display this command in Layer 2 Ethernet interface view to display the secure MAC addresses. <Device> system-view [Device] interface ethernet 1/0/1 [Device-Ethernet1/0/1] display this interface Ethernet1/0/1 port-security max-mac-count 64...

  • Page 224: Configuring The Userloginwithoui Mode

    Configuring the userLoginWithOUI mode Network requirements As shown in Figure 89, a client is connected to the Device through port Ethernet 1/0/1. The Device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
  • Page 225 [Device-radius-radsun] secondary accounting 192.168.1.2 [Device-radius-radsun] key authentication name [Device-radius-radsun] key accounting money [Device-radius-radsun] timer response-timeout 5 [Device-radius-radsun] retry 5 [Device-radius-radsun] timer realtime-accounting 15 [Device-radius-radsun] user-name-format without-domain [Device-radius-radsun] quit # Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users.
  • Page 226 Second Auth Server: IP: 192.168.1.3 Port: 1812 State: active Encryption Key : N/A VPN instance : N/A Second Acct Server: IP: 192.168.1.2 Port: 1813 State: active Encryption Key : N/A VPN instance : N/A Auth Server Encryption Key : name Acct Server Encryption Key : money Accounting-On packet disable, send times : 5 , interval : 3s Interval for timeout(second)
  • Page 227 Intrusion Protection mode is NoAction Max MAC address number is not configured Stored MAC address number is 0 Authorization is permitted After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. # Display 802.1X information.

  • Page 228: Configuring The Macaddresselseuserloginsecure Mode

    Controlled User(s) amount to 1 In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port. # Display MAC address information for interface Ethernet 1/0/1. <Device> display mac-address interface ethernet 1/0/1 MAC ADDR VLAN ID STATE...
  • Page 229 [Device] dot1x authentication-method chap # Set port security’s limit on the number of MAC addresses to 64 on the port. [Device-Ethernet1/0/1] port-security max-mac-count 64 # Set the port security mode to macAddressElseUserLoginSecure. [Device-Ethernet1/0/1] port-security port-mode mac-else-userlogin-secure # Set the NTK mode of the port to ntkonly. [Device-Ethernet1/0/1] port-security ntk-mode ntkonly Verifying the configuration # Display the port security configuration.
  • Page 230 1234-0300-0012 MAC_AUTHENTICATOR_SUCCESS 1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS # Display 802.1X authentication information. <Device> display dot1x interface ethernet 1/0/1 Equipment 802.1X protocol is enabled CHAP authentication is enabled EAD quick deploy is disabled Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout...

  • Page 231: Troubleshooting Port Security

    Troubleshooting port security Cannot set the port security mode Symptom Cannot set the port security mode. [Device-Ethernet1/0/1] port-security port-mode autolearn Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other. Analysis For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
  • Page 232 Analysis Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online. Solution Use the cut command to forcibly disconnect the user from the port before changing the port security mode. [Device-Ethernet1/0/1] quit [Device] cut connection interface ethernet 1/0/1 [Device] interface ethernet 1/0/1 [Device-Ethernet1/0/1] undo port-security port-mode...

  • Page 233: User Profile Configuration

    User profile configuration User profile overview A user profile provides a configuration template to save predefined configurations, such as a Committed Access Rate (CAR) policy or a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile supports working with 802.1X authentication and portal authentication.

  • Page 234: Creating A User Profile

    Creating a user profile Follow these steps to create a user profile: To do… Use the command… Remarks Enter system view system-view — Required Create a user profile, and user-profile profile-name You can use the command to enter the view of enter its view an existing user profile.

  • Page 235: Enabling A User Profile

    Enabling a user profile Enable a user profile so that configurations in the profile can be applied by the device to restrict user behaviors. If the device detects that the user profile is disabled, the device denies the associated user even the user has been verified by the authentication server.

  • Page 236: Habp Configuration

    HABP configuration HABP overview The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 90, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.

  • Page 237: Configuring Habp

    CAUTION: In a cluster, if a member switch with 802.1X authentication or MAC authentication enabled is attached • with some other member switches of the cluster, you also need to configure HABP server on this device. Otherwise, the cluster management device will not be able to manage the devices attached to this member switch.

  • Page 238: Displaying And Maintaining Habp

    To do… Use the command… Remarks Optional Configure HABP to work in client undo habp server HABP works in client mode by mode default. Optional Specify the VLAN to which the habp client vlan vlan-id By default, an HABP client belongs HABP client belongs to VLAN 1.
  • Page 239 Figure 91 Network diagram Configuration procedure Configure Switch A. # Perform 802.1X related configurations on Switch A. For detailed configurations, see the chapter “802.1X configuration.” # Enable HABP. (HABP is enabled by default. This configuration is optional.) <SwitchA> system-view [SwitchA] habp enable # Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
  • Page 240 Verify your configuration. # Display HABP configuration information. <SwitchA> display habp Global HABP information: HABP Mode: Server Sending HABP request packets every 50 seconds Bypass VLAN: 1 # Display HABP MAC address table entries. <SwitchA> display habp table Holdtime Receive Port 001f-3c00-0030 Ethernet1/0/2 001f-3c00-0031...

  • Page 241: Public Key Configuration

    Public key configuration Overview To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure Figure 92 Encryption and decryption The keys that participate in the conversion between the plain text and the cipher text can be the same or...

  • Page 242: Configuring A Local Asymmetric Key Pair On The Local Device

    Task Remarks Creating a local asymmetric key pair Required Configuring a local asymmetric key pair on the Displaying or exporting the local host public key Optional local device Destroying a local asymmetric key pair Optional Specifying the peer public key on the local device Optional Configuring a local asymmetric key pair on the local device...

  • Page 243: Displaying Or Exporting The Local Host Public Key

    Displaying or exporting the local host public key In SSH, to allow your local device to be authenticated by a peer device through digital signature, you must display or export the local host public key, which will then be specified on the peer device. To display or export the local host public key, choose one of the following methods: Displaying and recording the host public key information •...

  • Page 244: Destroying A Local Asymmetric Key Pair

    Always use the first method if its public key. A public key you are not sure about the displayed by other methods for format of the recorded public the HP device may not be in a key. correct format.

  • Page 245: Displaying And Maintaining Public Keys

    NOTE: The device supports up to 20 peer public keys. • • For information about displaying or exporting the host public key, see "Displaying or exporting the local host public key." Follow these steps to import the host public key from a public key file to the local device: To do…...

  • Page 246: Public Key Configuration Examples

    Public key configuration examples Manually specifying the peer public key on the local device Network requirements As shown in Figure 93, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.

  • Page 247: Importing A Peer Public Key From A Public Key File

    Time of Key pair created: 09:50:07 2011/03/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61 58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3 CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Configure Device B. # Configure the host public key of Device A's RSA key pairs on Device B. In public key code view, input the host public key of Device A.
  • Page 248 Figure 94 Network diagram Configuration procedure Create key pairs on Device A and export the host public key. # Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key size is (512 ~ 2048).
  • Page 249 # Enable the FTP server function, create an FTP user with the username ftp, password 123, and user level 3. This user level guarantees that the user has the permission to perform FTP operations. [DeviceA] ftp server enable [DeviceA] local-user ftp [DeviceA-luser-ftp] password simple 123 [DeviceA-luser-ftp] service-type ftp [DeviceA-luser-ftp] authorization-attribute level 3...
  • Page 250 The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.

  • Page 251: Pki Configuration

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for Secure Sockets Layer (SSL). PKI terms Digital certificate •...

  • Page 252: Pki Architecture

    A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.

  • Page 253: Pki Applications

    PKI applications The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples. • A virtual private network (VPN) is a private data communication network built on the public communication infrastructure.

  • Page 254: Configuring An Entity Dn

    Task Remarks Optional Retrieving a certificate manually Optional Configuring PKI certificate verification Optional Destroying a local RSA key pair Optional Deleting a certificate Optional Configuring an access control policy Configuring an entity DN A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN).

  • Page 255: Configuring A Pki Domain

    To do… Use the command… Remarks Optional Configure the FQDN for the entity fqdn name-str No FQDN is specified by default. Optional Configure the IP address for the ip ip-address No IP address is specified by entity default. Optional Configure the locality for the entity locality locality-name No locality is specified by default.
  • Page 256 Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity • needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.

  • Page 257: Submitting A Pki Certificate Request

    Submitting a PKI certificate request When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an “out-of-band”...

  • Page 258: Retrieving A Certificate Manually

    To do… Use the command… Remarks “Retrieving a certificate Retrieve a CA certificate manually Required manually“ Required Generate a local RSA key pair public-key local create rsa No local RSA key pair exists by default. pki request-certificate domain Submit a local certificate request domain-name [ password ] Required manually...

  • Page 259: Configuring Pki Certificate Verification

    To do… Use the command… Remarks Enter system view system-view — pki retrieval-certificate { ca | local } domain Online domain-name Retrieve a Required certificate pki import-certificate { ca | local } domain Use either command. manually Offline domain-name { der | p12 | pem } [ filename filename ] CAUTION: If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it.

  • Page 260: Configuring Crl-Checking-Disabled Pki Certificate Verification

    To do… Use the command… Remarks “Retrieving a certificate Retrieve the CA certificate Required manually“ pki retrieval-crl domain Retrieve CRLs Required domain-name pki validate-certificate { ca | local } Verify the validity of a certificate Required domain domain-name NOTE: The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The •...

  • Page 261: Deleting A Certificate

    Deleting a certificate When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. Follow these steps to delete a certificate: To do… Use the command… Remarks Enter system view system-view...

  • Page 262: Displaying And Maintaining Pki

    Displaying and maintaining PKI To do… Use the command… Remarks display pki certificate { { ca | local } domain domain-name | Display the contents or request request-status } [ | { begin | Available in any view status of a certificate exclude | include } regular-expression ] display pki crl domain...
  • Page 263 In this example, configure basic attributes including the Nickname and Subject DN on the CA server at first. The Nickname indicates the name of the trusted CA. The Subject DN is the DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes might be left using the default values.
  • Page 264 Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ Apply for certificates • # Retrieve the CA certificate and save it locally. [Device] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..

  • Page 265: Requesting A Certificate From A Ca Server Running Windows 2003 Server

    Subject: CN=device Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C Exponent: 65537 (0x10001)
  • Page 266 Configuration procedure Configure the CA server Install the certificate service suites • From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation. Install the SCEP add-on •...
  • Page 267 [Device-pki-domain-torsa] certificate request entity aaa Generate a local key pair using RSA • [Device] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.

  • Page 268: Configuring A Certificate Attribute-Based Access Control Policy

    Not After : Feb 21 12:42:16 2011 GMT Subject: CN=device Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113 0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439...
  • Page 269 Figure 98 Configure a certificate attribute-based access control policy Configuration procedure NOTE: • For more information about SSL configuration, see the chapter “SSL configuration.” Fundamentals Configuration Guide For more information about HTTPS configuration, see • The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a •...

  • Page 270: Troubleshooting Pki

    [Device-pki-cert-acp-myacp] quit Apply the SSL server policy and certificate attribute-based access control policy to HTTPS service and enable HTTPS service. # Apply SSL server policy myssl to HTTPS service. [Device] ip https ssl-server-policy myssl # Apply the certificate attribute-based access control policy of myacp to HTTPS service. [Device] ip https certificate access-control-policy myacp # Enable HTTPS service.

  • Page 271: Failed To Retrieve Crls

    The URL of the registration server for certificate request is not correct or not configured. • No authority is specified for certificate request. • Some required parameters of the entity DN are not configured. • Solution Make sure that the network connection is physically proper. •...

  • Page 272: Ipsec Configuration

    IPsec configuration IPsec overview IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for securing IP communications. It is a Layer 3 virtual private network (VPN) technology that transmits data in a secure tunnel established between two endpoints. IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at the IP layer in an insecure network environment.

  • Page 273: Basic Concepts

    Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 99 shows the format of IPsec packets.
  • Page 274 Figure 99 Encapsulation by security protocols in different modes Authentication algorithms and encryption algorithms Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.

  • Page 275: Ipsec For Ipv6 Routing Protocols

    IPsec for IPv6 routing protocols You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: The 3600 v2 EI switches support using IPsec for OSPFv3, IPv6 BGP, and RIPng; the 3600 v2 SI switches only support using IPsec for RIPng. IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol.

  • Page 276: Configuring An Ipsec Policy

    To do… Use the command… Remarks Enter system view system-view — Required Create an IPsec proposal and enter its ipsec proposal view proposal-name By default, no IPsec proposal exists. Optional Specify the security protocol for the transform { ah | ah-esp | proposal esp } ESP by default...
  • Page 277 directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group. All SAs (both inbound and outbound) within the routed network scope must use the same SPI and • keys. Configure the keys on all routers within the routed network scope in the same format.

  • Page 278: Displaying And Maintaining Ipsec

    NOTE: A manual IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for an IPsec • policy, you must remove the proposal reference first. • If you configure a key in two modes: string and hexadecimal, only the last configured one will be used. Displaying and maintaining IPsec To do…...
  • Page 279 Configuation considerations To meet the requirements, perform the following configuration tasks: Configure basic RIPng parameters. • Configure a manual IPsec policy. • Apply the IPsec policy to a RIPng process to protect RIPng packets in this process or to an interface •...
  • Page 280 [SwitchB] interface vlan-interface 200 [SwitchB-Vlan-interface200] ripng 1 enable [SwitchB-Vlan-interface200] quit [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ripng 1 enable [SwitchB-Vlan-interface100] quit # Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96. [SwitchB] ipsec proposal tran1 [SwitchB-ipsec-proposal-tran1] encapsulation-mode transport [SwitchB-ipsec-proposal-tran1] transform esp...
  • Page 281 # Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg. [SwitchC] ipsec policy policy001 10 manual [SwitchC-ipsec-policy-manual-policy001-10] proposal tran1 [SwitchC-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456 [SwitchC-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456...
  • Page 282 tunnel: flow: [inbound ESP SAs] spi: 123456 (0x3039) proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1 No duration limit for this sa [outbound ESP SAs] spi: 123456 (0x3039) proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1 No duration limit for this sa Similarly, you can view the information on Switch B and Switch C. (Details not shown)

  • Page 283: Ssh2.0 Configuration

    SSH2.0 configuration SSH2.0 overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
  • Page 284 secondary protocol version numbers constitute the protocol version number. The software version number is used for debugging. After receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the server’s protocol version is lower and supportable, the client uses the protocol version of the server;...
  • Page 285 Publickey authentication—The server authenticates the client by the digital signature. During • publickey authentication, the client sends the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature.

  • Page 286: Ssh Connection Across Vpns

    SSH connection across VPNs With this function, you can configure the switch as an SSH client to establish connections with SSH servers in different MPLS VPNs. As shown in Figure 101, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the services of the two VPNs isolated.

  • Page 287: Enabling The Ssh Server Function

    To do… Use the command… Remarks Required Generate a DSA or RSA key pair public-key local create { dsa | rsa } By default, neither DSA key pair nor RSA key pair exists. NOTE: Security Command Reference For more information about the public-key local create command, see •...

  • Page 288: Configuring A Client Public Key

    Before importing the public key, you must upload the public key file (in binary) to the server through FTP or TFTP. NOTE: HP recommends you to configure a client public key by importing it from a public key file. Configuring a client public key manually Follow these steps to configure the client public key manually: To do…...

  • Page 289: Configuring An Ssh User

    To do… Use the command… Remarks — Return to public key view and save When you exit public key code public-key-code end the configured host public key view, the system automatically saves the public key. Return to system view peer-public-key end —...

  • Page 290: Setting The Ssh Management Parameters

    To do… Use the command… Remarks authentication ssh user username service-type method { all | sftp } authentication-type For all users or { password | { any | SFTP users password-publickey | publickey } assign publickey keyname work-directory directory-name } CAUTION: A user without an SSH account can still pass password authentication and log in to the server through •...

  • Page 291: Configuring The Switch As An Ssh Client

    To do… Use the command… Remarks Optional Set the RSA server key pair update ssh server rekey-interval hours By default, the interval is 0, and the interval RSA server key pair is not updated. Optional Set the SSH user authentication ssh server authentication-timeout timeout period time-out-value...

  • Page 292: Configuring Whether First-Time Authentication Is Supported

    Configuring whether first-time authentication is supported When the switch acts as an SSH client and connects to the SSH server, you can configure whether the switch supports first-time authentication. With first-time authentication, when an SSH client not configured with the server host public key •...

  • Page 293: Displaying And Maintaining Ssh

    To do... Use the command… Remarks ssh2 server [ port-number ] [ vpn-instance Establish a vpn-instance-name ] [ identity-key { dsa | connection rsa } | prefer-ctos-cipher { 3des | aes128 between the | des } | prefer-ctos-hmac { md5 | SSH client and For an IPv4 server md5-96 | sha1 | sha1-96 } | prefer-kex...

  • Page 294: Ssh Server Configuration Examples

    SSH server configuration examples When the switch acts as a server for password authentication Network requirements As shown in Figure 102, a host (the SSH client) and a switch (the SSH server) are directly connected. Configure an SSH user on the switch so that the host can securely log in to the switch after passing password authentication.
  • Page 295 [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface1] quit # Set the authentication mode for the user interfaces to AAA. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Create local user client001, and set the user command privilege level to 3 [Switch] local-user client001...

  • Page 296: When The Switch Acts As A Server For Publickey Authentication

    Figure 103 SSH client configuration interface Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the configuration interface of the server. When the switch acts as a server for publickey authentication Network requirements As shown in...
  • Page 297 NOTE: During SSH server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the SSH server. Configure the SSH client. # Generate the RSA key pairs. Run PuTTYGen.exe, select SSH-2 RSA and click Generate. Figure 105 Generate a key pair on the client 1) When the generator is generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in...
  • Page 298 Figure 106 Generate a key pair on the client 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 107 Generate a key pair on the client 3)
  • Page 299 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). Figure 108 Save a key pair on the client 4) Then, transmit the public key file to the server through FTP or TFTP.
  • Page 300 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh # Set the user command privilege level to 3. [Switch-ui-vty0-4] user privilege level 3 [Switch-ui-vty0-4] quit # Import the client’s public key from file key.pub and name it Switch001. [Switch] public-key peer Switch001 import sshkey key.pub # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.

  • Page 301: Ssh Client Configuration Examples

    Figure 110 SSH client configuration interface 2) Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server.
  • Page 302 [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 303 <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [SwitchA-Vlan-interface1] quit [SwitchA] quit • If the client supports first-time authentication, you can directly establish a connection from the client to the server. # Establish an SSH connection to server 10.165.87.136. <SwitchA>...

  • Page 304: When Switch Acts As Client For Publickey Authentication

    [SwitchA-pkey-key-code]485348 [SwitchA-pkey-key-code] public-key-code end [SwitchA-pkey-public-key] peer-public-key end # Specify the host public key for the SSH server (10.165.87.136) as key1. [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1 [SwitchA] quit # Establish an SSH connection to server 10.165.87.136. <SwitchA> ssh2 10.165.87.136 Username: client001 Trying 10.165.87.136 Press CTRL+K to abort...
  • Page 305 Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Export the DSA public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit Then, transmit the public key file to the server through FTP or TFTP. Configure the SSH server. # Generate the RSA key pairs. <SwitchB>...
  • Page 306 [SwitchB-ui-vty0-4] quit # Import the peer public key from the file key.pub. [SwitchB] public-key peer Switch001 import sshkey key.pub # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001 Establish a connection between the SSH client and the SSH server.

  • Page 307: Sftp Configuration

    SFTP configuration SFTP overview The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.

  • Page 308: Configuring The Switch An Sftp Client

    Follow these steps to configure the SFTP connection idle timeout period: To do… Use the command… Remarks Enter system view system-view — Optional Configure the SFTP connection idle sftp server idle-timeout timeout period time-out-value 10 minutes by default Configuring the switch an SFTP client Specifying a source ip address or interface for the SFTP client You can configure a client to use only a specified source IP address or interface to access the SFTP server, enhancing the service manageability.

  • Page 309: Working With Sftp Directories

    To do… Use the command… Remarks sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | Establish a prefer-ctos-cipher { 3des | aes128 connection to | des } | prefer-ctos-hmac { md5 | the remote IPv6 md5-96 | sha1 | sha1-96 } | SFTP server and prefer-kex { dh-group-exchange |...

  • Page 310: Displaying Help Information

    Uploading a file • Displaying a list of the files • Deleting a file • Follow these steps to work with SFTP files: To do… Use the command… Remarks For more information, see Required Enter SFTP client view “Establishing a connection to the Execute the command in user view.

  • Page 311: Sftp Client Configuration Example

    To do… Use the command… Remarks user view These three commands function in quit the same way. SFTP client configuration example Network requirements As shown in Figure 1 13, an SSH connection is required between Switch A and Switch B. Switch A, an SFTP client, needs to log in to Switch B for file management and file transfer.
  • Page 312 Configure the SFTP server. # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 313 Establish a connection between the SFTP client and the SFTP server. # Establish a connection to the remote SFTP server and enter SFTP client view. <SwitchA> sftp 192.168.0.1 identity-key rsa Input Username: client001 Trying 192.168.0.1 ... Press CTRL+K to abort Connected to 192.168.0.1 ...

  • Page 314: Sftp Server Configuration Example

    sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx...
  • Page 315 Configuration procedure Configure the SFTP server. # Generate the RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 316 [Switch-luser-client002] quit # Configure the user authentication method as password and service type as SFTP. [Switch] ssh user client002 service-type sftp authentication-type password Establish a connection between the SFTP client and the SFTP server. NOTE: The switch supports a variety of SFTP client software. The following uses PSFTP of PuTTy Version 0.58 as •...

  • Page 317: Ssl Configuration

    SSL configuration SSL overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and online banking to ensure secure data transmission over the Internet. SSL security mechanism Secure connections provided by SSL have these features: Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the...

  • Page 318: Ssl Protocol Stack

    SSL protocol stack The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer. Figure 117 SSL protocol stack SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and •...

  • Page 319: Configuration Procedure

    Configuration procedure Follow these steps to configure an SSL server policy: To do... Use the command... Remarks Enter system view system-view — Create an SSL server policy and ssl server-policy policy-name Required enter its view Required Specify a PKI domain for the SSL pki-domain domain-name By default, no PKI domain is server policy...

  • Page 320: Ssl Server Policy Configuration Example

    SSL server policy configuration example Network requirements As shown in Figure 1 18, users need to access and control the device through web pages. For security of the device and to make sure that data is not eavesdropped or tampered with, configure the device so that users must use HTTPS (Hypertext Transfer Protocol Secure, which uses SSL) to log in to the web interface of the device.

  • Page 321: Configuring An Ssl Client Policy

    [Device-pki-domain-1] certificate request from ra [Device-pki-domain-1] certificate request entity en [Device-pki-domain-1] quit # Create the local RSA key pairs. [Device] public-key local create rsa # Retrieve the CA certificate. [Device] pki retrieval-certificate ca domain 1 # Request a local certificate for Device. [Device] pki request-certificate domain 1 # Create an SSL server policy named myssl.

  • Page 322: Configuration Prerequisites

    Configuration prerequisites If the SSL server is configured to authenticate the SSL client, you must configure the PKI domain for the SSL client policy to use to obtain the certificate of the client. For more information about PKI domain configuration, see the chapter “PKI configuration.” Configuration procedure Follow these steps to configure an SSL client policy: To do…...

  • Page 323: Troubleshooting Ssl

    Troubleshooting SSL SSL handshake failure Symptom As the SSL server, the switch fails to handshake with the SSL client. Analysis SSL handshake failure may result from the following causes: • The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.

  • Page 324: Tcp Attack Protection Configuration

    TCP attack protection configuration TCP attack protection overview An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature. Enabling the SYN Cookie feature As a general rule, the establishment of a TCP connection involves the following three handshakes. The request originator sends a SYN message to the target server.

  • Page 325: Displaying And Maintaining Tcp Attack Protection

    Displaying and maintaining TCP attack protection To do… Use the command… Remarks display tcp status [ | { begin | exclude | Display current TCP connection state Available in any view include } regular-expression ]...

  • Page 326: Ip Source Guard Configuration

    IP source guard configuration IP source guard overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address. It supports these types of binding entries: IP-port binding entry •...

  • Page 327: Dynamic Ip Source Guard Binding Entries

    Dynamic IP source guard binding entries Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP snooping or DHCP relay agent device. They are suitable for scenarios where many hosts reside on a LAN and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically adds the client entry to allow the client to access the network.

  • Page 328: Configuring A Static Ipv4 Source Guard Binding Entry

    On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains • the DHCP snooping entries generated during dynamic IP address allocation, and generates IP source guard entries accordingly. On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP •...

  • Page 329: Setting The Maximum Number Of Ipv4 Source Guard Binding Entries

    To do… Use the command… Remarks ip source binding { ip-address Required Configure a static IPv4 source ip-address | ip-address ip-address By default, no static IPv4 binding guard binding entry on the port mac-address mac-address | entry is configured on a port. mac-address mac-address } NOTE: •...

  • Page 330: Configuring Ipv6 Source Guard On A Port

    Configuring IPv6 source guard on a port The IPv6 source guard function must be configured on a port before the port can obtain dynamic IPv6 source guard binding entries and use static and dynamic IPv6 source guard entries to filter packets. For how to configure a static IPv6 static binding entry, see “Configuring a static IPv6 source guard •...

  • Page 331: Setting The Maximum Number Of Ipv6 Source Guard Binding Entries

    Follow the steps to configure a static IPv6 source guard binding entry on a port: To do… Use the command… Remarks Enter system view system-view — interface interface-type Enter Layer 2 interface view — interface-number ipv6 source binding { ipv6-address Required ipv6-address | ipv6-address Configure a static IPv6 binding...

  • Page 332: Ip Source Guard Configuration Examples

    To do… Use the command… Remarks display ip source binding static [ interface interface-type interface-number | Display static IPv4 source guard ip-address ip-address | mac-address Available in any view binding entries mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] display ip source binding [ interface interface-type interface-number |...
  • Page 333 Figure 120 Network diagram Configuration procedure Configure Device A. # Configure the IPv4 source guard function on Ethernet 1/0/2 to filter packets based on both the source IP address and MAC address. <DeviceA> system-view [DeviceA] interface ethernet 1/0/2 [DeviceA-Ethernet1/0/2] ip verify source ip-address mac-address # Configure Ethernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.

  • Page 334: Dynamic Ipv4 Source Guard Binding By Dhcp Snooping Configuration Example

    # Configure the IPv4 source guard function on Ethernet 1/0/1 to filter packets based on the source IP address. [DeviceB] interface ethernet 1/0/1 [DeviceB-Ethernet1/0/1] ip verify source ip-address # Configure Ethernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass. [DeviceB-Ethernet1/0/1] ip source binding ip-address 192.168.0.2 [DeviceB-Ethernet1/0/1] quit Verifying the configuration...

  • Page 335: Dynamic Ipv4 Source Guard Binding By Dhcp Relay Configuration Example

    # Enable DHCP snooping. <Device> system-view [Device] dhcp-snooping # Configure port Ethernet 1/0/2, which is connected to the DHCP server, as a trusted port. [Device] interface ethernet1/0/2 [Device-Ethernet1/0/2] dhcp-snooping trust [Device-Ethernet1/0/2] quit Configure the IPv4 source guard function. # Configure the IPv4 source guard function on port Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.

  • Page 336: Static Ipv6 Source Guard Binding Entry Configuration Example

    Figure 122 Network diagram DHCP client DHCP relay agent DHCP server Vlan-int 200 Vlan-int 100 Host Switch 10.1.1.1/24 MAC: 0001-0203-0406 Configuration procedure Configure the IPv4 source guard function. # Configure the IP addresses of the interfaces. (Details not shown) # Configure the IPv4 source guard binding function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.

  • Page 337: Dynamic Ipv6 Source Guard Binding By Dhcpv6 Snooping Configuration Example

    Figure 123 Network diagram Configuration procedure # Configure the IPv6 source guard function on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address. <Device> system-view [Device] interface ethernet 1/0/1 [Device-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address # Configure Ethernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
  • Page 338 Figure 124 Network diagram Configuration procedure Configure DHCPv6 snooping. # Enable DHCPv6 snooping globally. <Device> system-view [Device] ipv6 dhcp snooping enable # Enable DHCPv6 snooping in VLAN 2. [Device] vlan 2 [Device-vlan2] ipv6 dhcp snooping vlan enable [Device-vlan2] quit # Configure the port connecting to the DHCP server as a trusted port. [Device] interface ethernet 1/0/2 [Device-Ethernet1/0/2] ipv6 dhcp snooping trust [Device-Ethernet1/0/2] quit...

  • Page 339: Dynamic Ipv6 Source Guard Binding By Nd Snooping Configuration Example

    Dynamic IPv6 source guard binding by ND snooping configuration example Network requirements As shown in Figure 125, the client is connected to the device through port Ethernet 1/0/1. Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. Enable the IPv6 source guard function on port Ethernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.

  • Page 340: Troubleshooting Ip Source Guard

    Troubleshooting IP source guard Neither static binding entries nor the dynamic binding function can be configured Symptom Failed to configure static binding entries or the dynamic binding function on a port. Analysis IP source guard is not supported on a port in an aggregation group. Solution Remove the port from the aggregation group.

  • Page 341: Arp Attack Protection Configuration

    ARP attack protection configuration NOTE: interface The term in the ARP attack protection features refers to Layer 3 interfaces, including VLAN interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route Layer 2—LAN Switching Configuration Guide mode by using the port link-mode route command (see ARP attack protection overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network...

  • Page 342: Configuring Arp Defense Against Ip Packet Attacks

    Task Remarks prevention Optional Configuring ARP active acknowledgement Configure this function on gateways (recommended). Optional Configuring ARP detection Configure this function on access devices (recommended). Optional Configuring ARP automatic scanning and fixed Configure this function on gateways (recommended). Optional Configuring ARP gateway protection Configure this function on access devices (recommended).

  • Page 343: Enabling Arp Black Hole Routing

    To do… Use the command… Remarks Required Enable ARP source suppression arp source-suppression enable Disabled by default. Set the maximum number of packets with the Optional same source IP address but unresolvable arp source-suppression limit destination IP addresses that the device can limit-value 10 by default.
  • Page 344 Figure 126 Network diagram Configuration considerations If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps. Enable ARP source suppression. • • Set the threshold for ARP packets from the same source address to 100. If the number of ARP requests sourced from the same IP address in five seconds exceeds 100, the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the following five seconds.

  • Page 345: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit Introduction The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU on a switch. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected to the CPU for checking.

  • Page 346: Configuring Source Mac Address Based Arp Attack Detection

    Configuring source MAC address based ARP attack detection Introduction With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the specified threshold.

  • Page 347: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Displaying and maintaining source MAC address based ARP attack detection To do… Use the command… Remarks display arp anti-attack source-mac Display attacking MAC addresses detected { slot slot-number | interface Available in any by source MAC address based ARP attack interface-type interface-number } [ | view detection...

  • Page 348: Configuring Arp Packet Source Mac Address Consistency Check

    Configure the MAC address of the server as a protected MAC address so that it can send ARP • packets Configuration procedure # Enable source MAC address based ARP attack detection and specify the filter mode. <Device> system-view [Device] arp anti-attack source-mac filter # Set the threshold to 30.

  • Page 349: Configuration Procedure

    Configuration procedure Follow these steps to configure ARP active acknowledgement: To do… Use the command… Remarks Enter system view system-view — Required Enable the ARP active arp anti-attack active-ack enable acknowledgement function Disabled by default. Configuring ARP detection Introduction The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded and prevent user spoofing and gateway spoofing.

  • Page 350: Configuring Arp Detection Based On Specified Objects

    NOTE: Static IP source guard binding entries are created by using the ip source binding command. For more • information, see the chapter “IP source guard configuration.” • Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see Layer 3—IP Services Configuration Guide.

  • Page 351: Configuring Arp Restricted Forwarding

    ip: Checks the sender and target IP addresses in an ARP packet. Any all-zero, all-one or multicast IP • addresses are considered invalid and the corresponding packets are discarded. With this object specified, the sender and target IP addresses of ARP replies, and the source IP address of ARP requests are checked.

  • Page 352: Arp Detection Configuration Example I

    To do… Use the command… Remarks display arp detection statistics [ interface Display the ARP detection interface-type interface-number ] [ | { begin | Available in any view statistics exclude | include } regular-expression ] Clear the ARP detection reset arp detection statistics [ interface Available in user view statistics interface-type interface-number ]...

  • Page 353: Arp Detection Configuration Example Ii

    [SwitchB-Ethernet1/0/1] dot1x [SwitchB-Ethernet1/0/1] quit [SwitchB] interface ethernet 1/0/2 [SwitchB-Ethernet1/0/2] dot1x [SwitchB-Ethernet1/0/2] quit # Add local access user test. [SwitchB] local-user test [SwitchB-luser-test] service-type lan-access [SwitchB-luser-test] password simple test [SwitchB-luser-test] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).

  • Page 354: Arp Restricted Forwarding Configuration Example

    Configuration procedure Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown) Configure Switch A as a DHCP server # Configure DHCP address pool 0. <SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0...
  • Page 355 Figure 130 Network diagram Gateway DHCP server Switch A Eth1/0/3 Vlan-int10 10.1.1.1/24 VLAN 10 DHCP snooping Eth1/0/3 Switch B Eth1/0/1 Eth1/0/2 Host A Host B 10.1.1.6 DHCP client 0001-0203-0607 Configuration procedure Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 126.

  • Page 356: Configuring Arp Automatic Scanning And Fixed Arp

    ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. NOTE: HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe. Configuration procedure Follow these steps to configure ARP automatic scanning and fixed ARP: To do…...

  • Page 357: Configuring Arp Gateway Protection

    To do… Use the command… Remarks Return to system view quit — Enable fixed ARP arp fixup Required NOTE: • IP addresses existing in ARP entries are not scanned. ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP •...

  • Page 358: Arp Gateway Protection Configuration Example

    NOTE: You can enable ARP gateway protection for up to eight gateways on a port. • • Commands arp filter source and arp filter binding cannot be both configured on a port. If ARP gateway protection works with ARP detection, MFF, and ARP snooping, ARP gateway protection •...

  • Page 359: Configuring Arp Filtering

    Configuring ARP filtering Introduction To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port. The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries.
  • Page 360 Figure 132 Network diagram Switch A Eth1/0/3 Switch B Eth1/0/1 Eth1/0/2 Host A Host B Configuration procedure # Configure ARP filtering on Switch B. <SwitchB> system-view [SwitchB] interface ethernet 1/0/1 [SwitchB-Ethernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-Ethernet1/0/1] quit [SwitchB] interface ethernet 1/0/2 [SwitchB-Ethernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, Ethernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349- 1 233, and discard other ARP packets.

  • Page 361: Nd Attack Defense Configuration

    ND attack defense configuration Introduction to ND attack defense The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.

  • Page 362: Enabling Source Mac Consistency Check For Nd Packets

    The mapping between the source IPv6 address and the source MAC address in the Ethernet frame • header is invalid. To identify forged ND packets, HP developed the source MAC consistency check and ND detection features. NOTE: Layer 3—IP Services Configuration...

  • Page 363: Configuring Nd Detection

    address, the ND packet is discarded. If no entry matches the source IPv6 address, the ND detection function continues to look up the DHCPv6 snooping table and the ND snooping table. If an exact match is found in either the DHCPv6 snooping or ND snooping table, the ND packet is forwarded.

  • Page 364: Nd Detection Configuration Example

    ND detection configuration example Network requirements As shown in Figure 134, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607.
  • Page 365 [SwitchA-Vlan-interface10] ipv6 address 10::1/64 [SwitchA-Vlan-interface10] quit Configuring Switch B # Enable IPv6 forwarding. <SwitchB> system-view [SwitchB] ipv6 # Create VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] quit # Add ports Ethernet 1/0/1 through Ethernet 1/0/3 to VLAN 10. [SwitchB] interface ethernet 1/0/1 [SwitchB-Ethernet1/0/1] port access vlan 10 [SwitchB-Ethernet1/0/1] quit [SwitchB] interface ethernet 1/0/2...

  • Page 366: Urpf Configuration

    URPF configuration NOTE: router The term in this document refers to both routers and Layer 3 switches. URPF overview What is URPF Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers launch attacks by creating a series of packets with forged source addresses.

  • Page 367: How Urpf Works

    Loose URPF is often deployed between ISPs, especially in asymmetrical routing. How URPF works NOTE: URPF does not check multicast packets. URPF works in the steps, as shown in Figure 136.
  • Page 368 Figure 136 URPF work flow Check the source address of the received packet A broadcast source address? An all - zero source address? A broadcast destination Discard address ? Does the FIB Is there a default entry match the route ? source address ? Loose URPF? Loose URPF?
  • Page 369 For other packets, precede to step 2. • URPF checks whether the source address matches a FIB entry: If yes, precede to step 3. • • If not, precede to step 6. URPF checks whether the check mode is loose: If yes, precede to step 8.

  • Page 370: Network Application

    Network application Figure 137 Network diagram ISP B URPF(loose) ISP A ISP C URPF(strict) Configure strict URPF between each ISP and its connected users, and loose URPF between ISPs. Configuring URPF Follow these steps to configure URPF globally: To do... Use the command…...
  • Page 371 Figure 138 Network diagram Configuration procedure Configure Switch A # Enable strict URPF check. <SwitchA> system-view [SwitchA] ip urpf strict Configure Switch B # Enable strict URPF check. <SwitchB> system-view [SwitchB] ip urpf strict...

  • Page 372: Mff Configuration

    MFF configuration MFF overview MFF function Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. However, when a large number of hosts need to be isolated at Layer 2, many VLAN resources are occupied, and many IP addresses are used because you have to assign a network segment for each VLAN and an IP address for each VLAN interface for Layer 3 communication.

  • Page 373: Basic Concepts

    NOTE: Layer 3—IP Services Configuration Guide For more information about DHCP snooping, see • Layer 3—IP Services Configuration Guide • For more information about ARP snooping, see For more information about IP source guard, see the chapter “IP source guard configuration.” •...

  • Page 374: Working Mechanism

    In manual mode, after receiving an ARP request for a host’s MAC address from the gateway, the MFF device directly replies the host’s MAC address to the gateway according to the ARP snooping entries. The MFF device also forges ARP requests to get the gateway’s MAC address based on ARP snooping entries.
  • Page 375 In MFF manual mode, enable ARP snooping on the device. • Enabling MFF Follow these steps to enable MFF and specify an MFF operating mode: To do… Use the command… Remarks Enter system view system-view — Enter VLAN view vlan vlan-id —...

  • Page 376: Displaying And Maintaining Mff

    address to the server. As a result, packets from a host to a server are forwarded by the gateway, but packets from a server to a host are not forwarded by the gateway. Follow these steps to specify the IP addresses of servers: To do…...
  • Page 377 Configuration procedure Configure Gateway # Configure the IP address of VLAN-interface 1. <Gateway> system-view [Gateway] interface Vlan-interface 1 [Gateway-Vlan-interface1] ip address 10.1.1.100 24 Configure the DHCP server # Enable DHCP, and configure a DHCP address pool. <Device> system-view [Device] dhcp enable [Device] dhcp server ip-pool 1 [Device-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0 # Add the gateway’s IP address into DHCP address pool 1.

  • Page 378: Auto-Mode Mff Configuration Example In A Ring Network

    [SwitchB-Ethernet1/0/6] dhcp-snooping trust Auto-mode MFF configuration example in a ring network Network requirements As shown in Figure 141, all the devices are in VLAN 100, and the switches form a ring. Host A, Host B, and Host C obtain IP addresses from the DHCP server. They are isolated at Layer 2, and can communicate with each other through Gateway.
  • Page 379 # Enable STP. [SwitchA] stp enable # Enable MFF in automatic mode. [SwitchA] vlan 100 [SwitchA-vlan-100] mac-forced-forwarding auto [SwitchA-vlan-100] quit # Configure Ethernet 1/0/2 as a network port. [SwitchA] interface ethernet 1/0/2 [SwitchA-Ethernet1/0/2] mac-forced-forwarding network-port # Configure Ethernet 1/0/2 as a DHCP snooping trusted port. [SwitchA-Ethernet1/0/2] dhcp-snooping trust [SwitchA-Ethernet1/0/2] quit # Configure Ethernet 1/0/3 as a network port.

  • Page 380: Manual-Mode Mff Configuration Example In A Tree Network

    Manual-mode MFF configuration example in a tree network Network requirements As shown in Figure 142, all the devices are in VLAN 100. Host A, Host B, and Host C are configured with IP addresses manually. They are isolated at Layer 2, and can communicate with each other through Gateway.

  • Page 381: Manual-Mode Mff Configuration Example In A Ring Network

    [SwitchB-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchB-vlan-100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping. [SwitchB-vlan-100] arp-snooping enable [SwitchB-vlan-100] quit # Configure Ethernet 1/0/6 as a network port. [SwitchB] interface ethernet 1/0/6 [SwitchB-Ethernet1/0/6] mac-forced-forwarding network-port Manual-mode MFF configuration example in a ring network Network requirements As shown in...
  • Page 382 [SwitchA-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchA-vlan-100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping. [SwitchA-vlan-100] arp-snooping enable [SwitchA-vlan-100] quit # Configure Ethernet 1/0/2 and Ethernet 1/0/3 as network ports. [SwitchA] interface ethernet 1/0/2 [SwitchA-Ethernet1/0/2] mac-forced-forwarding network-port [SwitchA-Ethernet1/0/2] quit [SwitchA] interface ethernet 1/0/3 [SwitchA-Ethernet1/0/3] mac-forced-forwarding network-port...

  • Page 383: Savi Configuration

    SAVI configuration SAVI overview Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol packets, ND protocol packets, and IPv6 data packets.

  • Page 384: Savi Configuration In Dhcpv6-Only Address Assignment Scenario

    NOTE: If a port on the SAVI enabled device is down for three minutes or more, the device deletes the DHCPv6 snooping entries and ND snooping entries corresponding to the port. SAVI configuration in DHCPv6-only address assignment scenario Network requirements Figure 144 Network diagram Switch A DHCPv6 server...
  • Page 385 Packet check principles Switch B checks DHCPv6 protocol packets from DHCPv6 clients against link-local address ND snooping entries; checks ND protocol packets against link-local address ND snooping entries, DHCPv6 snooping entries, and static binding entries; and checks the IPv6 data packets from the clients against dynamic binding entries (including link-local address ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the clients and against static binding entries.

  • Page 386: Savi Configuration In Slaac-Only Address Assignment Scenario

    SAVI configuration in SLAAC-only address assignment scenario Network requirements Figure 145 Network diagram Internet Gateway Switch A Eth1/0/3 Vlan-int10 10::1 VLAN 10 Eth1/0/3 Switch B Eth1/0/1 Eth1/0/2 Host A Host B 10::5 10::6 0001-0203-0405 0001-0203-0607 As shown in Figure 145, Switch A serves as the gateway. Switch B connects Host A and Host B. The hosts can obtain IPv6 addresses only through SLAAC.
  • Page 387 Enable DHCPv6 snooping and leave the interface connected to the gateway as its default status • (non-trusted port) so that the hosts cannot obtain IP addresses through DHCPv6. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide. Packet check principles Switch B checks ND protocol packets against ND snooping entries and static binding entries;...

  • Page 388: Savi Configuration In Dhcpv6+Slaac Address Assignment Scenario

    SAVI configuration in DHCPv6+SLAAC address assignment scenario Network requirements Figure 146 Network diagram Switch A Switch C DHCPv6 Gateway server Eth1/0/2 Eth1/0/1 Switch B Eth1/0/3 Eth1/0/4 Eth1/0/5 DHCPv6 Host A Host B client As shown in Figure 146, Switch B connects to the DHCPv6 server through interface Ethernet 1/0/1 and connects to the DHCPv6 client through interface Ethernet 1/0/3.
  • Page 389 Packet check principles Switch B checks DHCPv6 protocol packets from DHCPv6 clients against link-local address ND snooping entries; checks ND protocol packets against ND snooping entries, DHCPv6 snooping entries, and static binding entries; and checks the IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the hosts and against static binding entries.
  • Page 390 [SwitchB] interface ethernet 1/0/5 [SwitchB-Ethernet1/0/5] ipv6 verify source ipv6-address mac-address...

  • Page 391: Blacklist Configuration

    Blacklist configuration Blacklist overview The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and fast in filtering packets sourced from particular IP addresses. The device can dynamically add and remove blacklist entries by cooperating with the login user authentication feature.

  • Page 392: Blacklist Configuration Example

    Blacklist configuration example Network requirements As shown in Figure 147, Host A, Host B, and Host C are internal users, and external user Host D is considered an attacker. Configure Device to always filter packets from Host D, and to prevent internal users from guessing passwords.

  • Page 393: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals • For related documentation, navigate to the Networking section, and select a networking category.

  • Page 394: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 395 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 396: Index

    Index A B C D E G H I L M N O P R S T U Configuring HABP,226 Configuring IPsec for IPv6 routing protocols,264 AAA configuration considerations and task list,15 Configuring MFF,363 AAA configuration examples,49 Configuring PKI certificate verification,248 overview,1 Configuring port security...
  • Page 397 Enabling the SYN Cookie feature,313 Retrieving a certificate manually,247 Global SAVI configuration,372 SAVI configuration in DHCPv6+SLAAC address assignment scenario,377 HP implementation of 802.1X,85 SAVI configuration in DHCPv6-only address HABP configuration example,227 assignment scenario,373 HABP overview,225 SAVI configuration in SLAAC-only address assignment...
  • Page 398 SSH server configuration examples,283 Troubleshooting IP source guard,329 SSH2.0 overview,272 Troubleshooting PKI,259 SSL configuration task list,307 Troubleshooting port security,220 overview,306 Troubleshooting portal,188 Submitting a PKI certificate request,246 Troubleshooting SSL,312 TCP attack protection overview,313 URPF configuration example,359 Tearing down user connections,45 URPF overview,355 Triple authentication configuration...

This manual is also suitable for:

A3100-48 v2

Table of Contents