HP 3600 v2 Series Configuration Manual
HP 3600 v2 Switch Series
Security
Configuration Guide
Part number: 5998-7625
Software version: Release 2110P02
Document version: 6W100-20150305


Summary of Contents for HP 3600 v2 Series

  • Page 1 HP 3600 v2 Switch Series Security Configuration Guide Part number: 5998-7625 Software version: Release 2110P02 Document version: 6W100-20150305...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (1); AAA overview (1); RADIUS (2); HWTACACS (7); Domain-based user management (9); RADIUS server feature of the switch (10); AAA for MPLS L3VPNs (11) ...
  • Page 4 EAP relay (70); EAP termination (73); Configuring 802.1X (74); HP implementation of 802.1X (74); Access control methods (74); Using 802.1X authentication with other features (74); Configuration prerequisites (80) ...
  • Page 5 Configuration procedure (96); Verifying the configuration (98); 802.1X with guest VLAN and VLAN assignment configuration example (98); Network requirements (98); Configuration procedure (99); Verifying the configuration (100); 802.1X with ACL assignment configuration example (101) ...
  • Page 6 Portal system using the local portal server (124); Portal authentication modes (125); Portal support for EAP (126); Layer 2 portal authentication process (127); Layer 3 portal authentication process (128); Portal stateful failover (131) ...
  • Page 7 Using triple authentication with other features (188); Configuring triple authentication (188); Triple authentication configuration examples (189); Triple authentication basic function configuration example (189); Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example (191) ...
  • Page 8 Configuring HABP (233); Overview (233); Configuring HABP (234); Configuring the HABP server (234); Configuring an HABP client (234); Displaying and maintaining HABP (235); HABP configuration example (235) ...
  • Page 9 Configuring IPsec (270); Overview (270); Basic concepts (270); IPsec for IPv6 routing protocols (273); Protocols and standards (273); FIPS compliance (273); Configuring IPsec (273); Implementing ACL-based IPsec (273) ...
  • Page 10 Enabling the SSH server function (308); Configuring the user interfaces for SSH clients (308); Configuring a client's host public key (309); Configuring an SSH user (310); Setting the SSH management parameters (311) ...
  • Page 11 Configuring TCP attack protection (352); Overview (352); Enabling the SYN Cookie feature (352); Configuring TCP fragment attack protection (353); Displaying and maintaining TCP attack protection (353); Configuring IP source guard (354) ...
  • Page 12 Configuring ARP restricted forwarding (382); Configuring the ARP detection logging function (383); Displaying and maintaining ARP detection (383); User validity check configuration example (383); User validity check and ARP packet validity check configuration example (385) ...
  • Page 13 Network requirements (427); Configuration procedure (427); Verifying the configuration (428); Support and other resources (430); Contacting HP (430); Subscription service (430); Related information (430); Documents (430) ...
  • Page 14: Configuring Aaa

    Configuring AAA. AAA overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants different users different rights and controls their access to resources and ...
  • Page 15: Radius

    AAA can be implemented through multiple protocols. The switch supports using RADIUS and HWTACACS. RADIUS is often used in practice. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.
  • Page 16 Figure 3 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
  • Page 17 Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings. Table 1 Main values of the Code field Code Packet type Description...
  • Page 18 • The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 19 Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes contain a code that is compliant with RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
  • Page 20: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute (fields: Type, Length, Vendor-ID, Vendor-Type, Vendor-Length, Vendor-Data carrying the specified attribute value). HWTACACS: HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
  • Page 21 Figure 6 Basic HWTACACS message exchange process for a Telnet user (between the host, the HWTACACS client, and the HWTACACS server): 1) The user logs in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user inputs the username. 6) Authentication continuance packet with the username. 7) Authentication response requesting the login...
  • Page 22: Domain-Based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
  • Page 23: Radius Server Feature Of The Switch

    • Portal users—Users who must pass portal authentication to access the network. In addition, AAA provides the following services for login users to enhance switch security: • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute.
  • Page 24: Aaa For Mpls L3Vpns

    A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server.
  • Page 25: Protocols And Standards

    Protocols and standards: The following protocols and standards are related to AAA, RADIUS, and HWTACACS: • RFC 2865, Remote Authentication Dial In User Service (RADIUS) • RFC 2866, RADIUS Accounting • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support • RFC 2868, RADIUS Attributes for Tunnel Protocol Support • ...
  • Page 26 (Attribute descriptions, continued.) User identification that the NAS sends to the server. Calling-Station-Id: For the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier: Identification that the NAS uses for indicating itself.
  • Page 27 (Sub-attribute descriptions.) Output-Peak-Rate: Peak rate in the direction from the NAS to the user, in bps. Output-Average-Rate: Average rate in the direction from the NAS to the user, in bps. Output-Basic-Rate: Basic rate in the direction from the NAS to the user, in bps. Remanent_Volume: Remaining, available total traffic of the connection, in different units for different server types.
  • Page 28: Fips Compliance

    (Sub-attribute descriptions, continued.) Input-Interval-Packets: Packets input within an accounting interval, in the unit set on the device. Output-Interval-Packets: Packets output within an accounting interval, in the unit set on the device. Input-Interval-Gigawords: Result of bytes input within an accounting interval divided by 4G bytes. Output-Interval-Gigawords: Result of bytes output within an accounting interval divided by 4G bytes.
  • Page 29 Figure 10 AAA configuration diagram (flowchart: configure AAA methods; for local AAA, configure local users and related attributes; create an ISP domain and enter its view; set the authentication, authorization, and accounting methods each to local (the default), scheme, or none (no AAA)).
  • Page 30: Configuring Aaa Schemes

    Configuring AAA schemes Configuring local users To implement local user authentication, authorization, and accounting, you must create local users and configure user attributes on the switch. The local users and attributes are stored in the local user database on the switch. A local user is uniquely identified by a username. Configurable local user attributes are as follows: Service type.
  • Page 31 Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see "Configuring local user attributes."...
  • Page 32 Step: Configure a password for the local user. Command (in non-FIPS mode): password [ [ hash ] { cipher | simple } password ]. Remarks: Optional. A local user with no password configured passes authentication after providing the valid local username and attributes. To enhance security, configure a password for each local user.
  • Page 33 Step: Configure the authorization attributes for the local user. Command: authorization-attribute { acl acl-number | idle-cut minute | level level | user-profile profile-name | ... Remarks: Optional. By default, no authorization attribute is configured for a local user. For LAN and portal users, only acl, idle-cut, user-profile, and vlan are supported. For SSH, terminal, and Web users, ...
  • Page 34: Configuring Radius Schemes

    Step: Configure password control attributes for the user group. Commands: • Set the password aging time: password-control aging aging-time • Set the minimum password length: password-control length length • ... Remarks: Optional. By default, the user group uses the global password control attribute settings. For more information about ...
  • Page 35 Task (Remarks): Creating a RADIUS scheme (Required); Specifying the RADIUS authentication/authorization servers (Required); Specifying the RADIUS accounting servers and the relevant parameters (Optional); Specifying the shared keys for secure RADIUS communication (Optional); Specifying the VPN to which the servers belong (Optional); Setting the username format and traffic statistics units (Optional) ...
  • Page 36 In RADIUS, user authorization information is piggybacked in authentication responses sent to RADIUS clients. There is no separate RADIUS authorization server. You can enable the server status detection feature. With the feature, the switch periodically sends an authentication request to check whether or not the target RADIUS authentication/authorization server is reachable.
  • Page 37 When the switch receives a connection teardown request from a host or a connection teardown notification from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the switch to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit.
  • Page 38 A shared key configured in this task is for all servers of the same type (accounting or authentication) in the scheme, and has a lower priority than a shared key configured individually for a RADIUS server. To specify a shared key for secure RADIUS communication: Step Command Remarks...
  • Page 39 • Extended—Uses the proprietary RADIUS protocol of HP. When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies. For the switch to function as a RADIUS server to authenticate login users, you must set the RADIUS server type to standard.
  • Page 40 To set the maximum number of RADIUS request transmission attempts for a scheme: 1. Enter system view: system-view. 2. Enter RADIUS scheme view: radius scheme radius-scheme-name. 3. Set the maximum number of RADIUS request transmission attempts: retry retry-times (Optional. The default setting is 3.)
  • Page 41 • After receiving an authentication/accounting response from a server, the switch changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked. The device does not change the status of an unreachable authentication or accounting server if the server quiet timer is set to 0.
  • Page 42 You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in the same VPN. Before sending a RADIUS packet, a NAS selects a source IP address in the following order: ...
  • Page 43 1. Enter system view: system-view. 2. Specify a backup source IP address for outgoing RADIUS packets: radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ] (Not specified by default.) To specify a backup source IP address for a RADIUS scheme: 1. Enter system view.
  • Page 44 Set the quiet timer for the servers: timer quiet minutes (Optional. The quiet timer is 5 minutes.) Set the real-time accounting timer: timer realtime-accounting minutes (Optional. The default real-time accounting timer is 12 minutes.) • For a type of users, the maximum number of transmission attempts multiplied by the RADIUS server ...
  • Page 45 Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 46 The status of a RADIUS server changes. • If a NAS receives no response to an accounting or authentication request before the specified maximum number of RADIUS request transmission attempts is exceeded, it considers the server unreachable, sets the status of the server to block and sends a trap message.
  • Page 47: Configuring Hwtacacs Schemes

    Task: Display the configuration information of RADIUS schemes. Command: display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.) Task: Display the statistics for RADIUS ... Command: display radius statistics [ slot slot-number ] [ | { begin | exclude | ... (Available in any view) ...
  • Page 48 Creating an HWTACACS scheme: The HWTACACS protocol is configured on a per scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view: 1. Enter system view: system-view. 2. Create an HWTACACS scheme and enter HWTACACS scheme view: hwtacacs scheme ... (Not defined by default.)
  • Page 49 Specifying the HWTACACS authorization servers You can specify one primary authorization server and up to 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the switch searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
  • Page 50 • The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails. • You can remove an accounting server only when no active TCP connection for sending accounting packets is using it. • HWTACACS does not support accounting for FTP users. ...
  • Page 51 NOTE: A shared key configured on the switch must be the same as that configured on the HWTACACS server. Specifying the VPN to which the servers belong After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN.
  • Page 52 Step: Specify the unit for data flows or packets sent to the HWTACACS servers. Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet ... Remarks: Optional. The default unit is byte for data flows and is one-packet for data packets.
  • Page 53 Setting timers for controlling communication with HWTACACS servers The switch uses the following timers to control the communication with an HWTACACS server: • Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval. After sending an HWTACACS request (authentication, authorization, or accounting request), the switch starts this timer.
  • Page 54: Configuring Aaa Methods For Isp Domains

    Task: Display information about buffered stop-accounting requests for which no responses have been received. Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.) Task: Clear HWTACACS statistics. Command: reset hwtacacs statistics { accounting | ...
  • Page 55: Configuring Isp Domain Attributes

    1. Create an ISP domain and enter ISP domain view: domain isp-name. 2. Return to system view: quit. 3. Specify the default ISP domain: domain default enable isp-name (Optional. By default, the default ISP domain is the system-defined ISP domain system.) NOTE: To delete the ISP domain that is functioning as the default ISP domain, you must change it to a non-default ISP domain by using the undo domain default enable command.
  • Page 56: Configuring Aaa Authentication Methods For An Isp Domain

    Specify the maximum number of online users in the ISP domain: access-limit enable max-user-number (Optional. No limit by default.) Configure the idle cut function: idle-cut enable minute [ flow ] (Optional. Disabled by default. This command is effective for only LAN users and portal users.)
  • Page 57 Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access. Determine whether to configure an authentication method for all access types or service types. Follow these guidelines when you configure AAA authentication methods for an ISP domain: • The authentication method specified with the authentication default command is for all types of ...
  • Page 58: Configuring Aaa Authorization Methods For An Isp Domain

    Specify the authentication method for privilege level switching: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } (Optional. The default authentication method is used by default.) Configuring AAA authorization methods for an ISP domain: In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization.
  • Page 59: Configuring Aaa Accounting Methods For An Isp Domain

    • If you specify only the local or none keyword in an authorization method configuration command, the switch has no backup authorization method and performs only local authorization or does not perform any authorization. To configure AAA authorization methods for an ISP domain: Step Command Remarks...
  • Page 60 Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type, limiting the accounting protocols that can be used for access. Determine whether to configure an accounting method for all access types or service types. Follow these guidelines when you configure AAA accounting methods for an ISP domain: • If you configure the accounting optional command, the limit on the number of local user ...
  • Page 61: Tearing Down User Connections

    Specify the accounting method for portal users: accounting portal { local | none | radius-scheme radius-scheme-name [ local ] } (Optional. The default accounting method is used by default.) Tearing down user connections: 1. Enter system view: system-view. 2. cut connection { access-type { dot1x | mac-authentication | portal } | all | domain...
  • Page 62: Configuring A Switch As A Radius Server

    • Configuring or changing the device ID of a switch logs out all online users of the switch. • HP recommends saving the configuration and rebooting the switch after configuring or changing the device ID. • The device ID is the symbol for stateful failover mode. Do not configure any device ID for a switch ...
  • Page 63: Specifying A Radius Client

    Configure a password for the RADIUS user: password [ cipher | simple ] password (Optional. By default, no password is specified.) Configure the authorization attribute for the RADIUS user: authorization-attribute { acl acl-number | vlan vlan-id } * (Optional. Not configured by default.)
  • Page 64: Aaa Configuration Examples

    Task: Display information about user connections. Command: display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)...
  • Page 65: Aaa For Telnet Users By Separate Servers

    # Create HWTACACS scheme hwtac. [Switch] hwtacacs scheme hwtac # Specify the primary authentication server. [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 # Specify the primary authorization server. [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49 # Specify the primary accounting server. [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49 # Set the shared keys for secure authentication, authorization, and accounting communication to expert.
  • Page 66 Figure 12 Network diagram Configuration procedure Configure the switch: # Assign IP addresses to interfaces. (Details not shown.) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit...
  • Page 67: Authentication/Authorization For Ssh/Telnet Users By A Radius Server

    Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type. Select HP as the access device type. Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
  • Page 68 NOTE: The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch.
  • Page 69 Figure 15 Adding an account for device management Configuring the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 70: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure authentication communication to expert. [Switch-radius-rad] key authentication expert # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on IMC.
  • Page 71 Figure 16 Network diagram Configuration considerations Configure the switch to use AAA, particularly, local authentication for Telnet users: Create ISP domain bbb and configure it to use local authentication for Telnet users. Create a local user account, configure the password, and assign the user privilege level. On the switch, configure the authentication method for user privilege level switching: Specify to use HWTACACS authentication and, if HWTACACS authentication is not available, use local authentication for user level switching authentication.
  • Page 72 # Use HWTACACS authentication for user level switching authentication and, if HWTACACS authentication is not available, use local authentication. [Switch] super authentication-mode scheme local # Create an HWTACACS scheme named hwtac. [Switch] hwtacacs scheme hwtac # Specify the IP address for the primary authentication server as 10.1.1.1 and the port for authentication as 49.
  • Page 73 Figure 17 Configuring advanced attributes for the Telnet user Verify the configuration: After you complete the configuration, the Telnet user should be able to telnet to the switch and use username test@bbb and password aabbcc to enter the user interface of the switch, and access all level 0 commands.
  • Page 74: Radius Authentication And Authorization For Telnet Users By A Switch

    super Set the current user priority level telnet Establish one TELNET connection tracert Trace route function When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as prompted. <Switch> super 3 Password: User privilege level is 3, and only those commands can be used whose level is equal or less than this.
  • Page 75 [SwitchA-ui-vty0-4] authentication-mode scheme [SwitchA-ui-vty0-4] quit # Create RADIUS scheme rad. [SwitchA] radius scheme rad # Specify the IP address for the primary authentication server as 10.1.1.2, the port for authentication as 1645, and the shared key for secure authentication communication as abc. [SwitchA-radius-rad] primary authentication 10.1.1.2 1645 key abc # Configure the scheme to remove the domain name from a username before sending the username to the RADIUS server.
  • Page 76: Troubleshooting Aaa

    IPv6=N/A Total 1 connection(s) matched. Troubleshooting AAA Troubleshooting RADIUS Symptom 1 User authentication/authorization always fails. Analysis A communication failure exists between the NAS and the RADIUS server. The username is not in the format of userid@isp-name or the ISP domain for the user authentication is not correctly configured on the NAS.
  • Page 77: Troubleshooting Hwtacacs

    The port numbers of the RADIUS server for authentication, authorization and accounting are available. Symptom 3 A user is authenticated and authorized, but accounting for the user is not normal. Analysis The accounting port number is not correct. The configuration of the authentication/authorization server and the accounting server is not correct on the NAS.
  • Page 78: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 79: 802.1X-Related Protocols

    • Performs bidirectional traffic control to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server.
  • Page 80: Packet Formats

    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by the HP implementation of 802.1X. Table 5 EAPOL packet types Value Type...
  • Page 81: Eap Over Radius

    Value: 0x02. Type: EAPOL-Logoff. Description: The client sends an EAPOL-Logoff message to tell the network access device that it is logging off. • Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows. • Packet body—Content of the packet.
  • Page 82: Access Device As The Initiator

    802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets.
  • Page 83: A Comparison Of Eap Relay And Eap Termination

    EAP termination: • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client. • Works with any RADIUS server that supports PAP or CHAP authentication. • The processing is complex on the network access device.
  • Page 84 Figure 27 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.
  • Page 85 The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
  • Page 86: Eap Termination

    EAP termination Figure 28 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used. Figure 28 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4).
  • Page 87: Configuring 802.1X

    HP implementation of 802.1X Access control methods HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. • Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication.
  • Page 88 Link type: Trunk/hybrid port. VLAN assignment: • Sets the VLAN ID assigned through the Tunnel attributes as the PVID on the port. • Assigns the port to the VLANs assigned through the Egress-VLANID or Egress-VLAN-Name attribute, and sets the VLANs as tagged VLANs. Table 7 VLAN assignment in MAC-based access control mode Link type VLAN assignment...
  • Page 89 Guest VLAN You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources.
  • Page 90 NOTE: The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member. Auth-Fail VLAN You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
  • Page 91 NOTE: The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member. Critical VLAN You configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the critical VLAN can access a limited set of network resources depending on your configuration.
  • Page 92 Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. VLAN manipulation: Maps the MAC address of the user to the critical VLAN. The user can access only resources in the critical VLAN. Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS... VLAN manipulation: The user is still in the critical VLAN.
  • Page 93: Configuration Prerequisites

    Configuration prerequisites • Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. • If RADIUS authentication is used, create user accounts on the RADIUS server. • If local authentication is used, create local user accounts on the access device and set the service...
  • Page 94: Enabling 802.1X

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 95: Setting The Port Authorization State

    Step: Configure EAP relay or EAP termination. Command: dot1x authentication-method { chap | eap | pap }. Remarks: Optional. By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay.
  • Page 96: Specifying An Access Control Method

    Specifying an access control method You can specify an access control method for one port in Ethernet interface view, or for multiple ports in system view. If different access control methods are specified for a port in system view and Ethernet interface view, the one specified later takes effect.
  • Page 97: Setting The Maximum Number Of Authentication Request Attempts

    Setting the maximum number of authentication request attempts The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command).
  • Page 98: Configuration Guidelines

    • To use the online handshake security function, make sure the online user handshake function is enabled. HP recommends that you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.
  • Page 99: Configuration Guidelines

    request attempts set with the dot1x retry command (see "Setting the maximum number of authentication request attempts") is reached. The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger. Configuration guidelines Follow these guidelines when you configure the authentication trigger function: Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start...
  • Page 100: Configuring The Quiet Timer

    Step: Enter Ethernet interface view. Command: interface interface-type interface-number. Step: Specify a mandatory 802.1X authentication domain on the port. Command: dot1x mandatory-domain domain-name. Remarks: By default, no mandatory 802.1X authentication domain is specified. Configuring the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.
  • Page 101: Configuration Procedure

    • If no critical VLAN is configured, an unreachable RADIUS server can cause an online user being re-authenticated to be logged off. • If a critical VLAN is configured, the user remains online and in the original VLAN. Configuration procedure To enable the periodic online user re-authentication function: Step Command Remarks...
  • Page 102: Configuring A Vlan Group

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. •...
  • Page 103: Configuration Prerequisites

    Table 8 Relationships of the 802.1X guest VLAN and other security features. Feature: Super VLAN. Relationship description: You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN. Reference: See Layer 2—LAN Switching Configuration Guide. Relationship description: Only the 802.1X guest VLAN takes effect.
  • Page 104: Configuring An 802.1X Auth-Fail Vlan

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. Table 9 when configuring multiple security features on a port.
  • Page 105: Configuring An 802.1X Critical Vlan

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. Configuration prerequisites •...
  • Page 106: Specifying Supported Domain Name Delimiters

    Step: Configure the port to trigger 802.1X authentication on detection of a reachable authentication server for users in the critical VLAN. Command: dot1x critical recovery-action reinitialize. Remarks: Optional. By default, when a reachable RADIUS server is detected, the system removes the port or users from the critical VLAN.
  • Page 107: Configuration Guidelines

    Assigns the port to the configured voice VLAN as a tagged member and sends the voice VLAN information through an LLDP or CDP packet to the terminal. A voice terminal is not associated with a specific voice VLAN. The voice VLAN assigned to the voice terminal depends on the voice VLAN configuration on the access port.
  • Page 108: Displaying And Maintaining 802.1X

    802.1X MAC address binding entries never age out. They can survive a user logoff or a device reboot. To delete an entry, you must use the undo dot1x binding-mac mac-address command. After the number of 802.1X MAC address binding entries reaches the upper limit of concurrent 802.1X users, the following restrictions exist: • Users not in the binding entries will fail authentication even after users in the binding entries go...
  • Page 109: 802.1X Authentication Configuration Example

    Figure 29 Network diagram Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 110 [Device-luser-localuser] authorization-attribute idle-cut 20 [Device-luser-localuser] quit Configure a RADIUS scheme: # Create the RADIUS scheme radius1 and enter its view. [Device] radius scheme radius1 # Specify the IP addresses of the primary authentication and accounting RADIUS servers. [Device-radius-radius1] primary authentication 10.1.1.1 [Device-radius-radius1] primary accounting 10.1.1.1 # Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
  • Page 111: Verifying The Configuration

    [Device-Ethernet1/0/1] dot1x [Device-Ethernet1/0/1] quit # Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.) [Device] dot1x port-method macbased interface ethernet 1/0/1 Verifying the configuration Use the display dot1x interface ethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information.
  • Page 112: Configuration Procedure

    Figure 30 Network diagram Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server is not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.
  • Page 113: Verifying The Configuration

    Configure a RADIUS scheme: # Configure RADIUS scheme 2000 and enter its view. <Device> system-view [Device] radius scheme 2000 # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets. [Device-radius-2000] primary authentication 10.11.1.1 1812 [Device-radius-2000] primary accounting 10.11.1.1 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc...
  • Page 114: With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 31, the host at 192.168.1.10 connects to port Ethernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 115: Verifying The Configuration

    [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit # Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain. [Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Configure a time range ftp for the weekdays from 8:00 to 18:00.
  • Page 116: Configuring Ead Fast Deployment

    Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 117: Configuring The Redirect Url

    • If you use free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both guest VLAN and Auth-Fail VLAN. Users can access only the free IP segments. To configure a free IP: Step Command Remarks...
  • Page 118: Displaying And Maintaining Ead Fast Deployment

    Displaying and maintaining EAD fast deployment. Task: Display 802.1X session information, statistics, or configuration information. Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. EAD fast deployment configuration example Network requirements As shown in...
  • Page 119: Configuration Procedure

    • Configure the DHCP server so that the host can obtain an IP address on the segment of 192.168.1.0/24. • Configure the web server so that users can log in to the web page to download 802.1X clients. • Configure the authentication server to provide authentication, authorization, and accounting...
  • Page 120: Troubleshooting Ead Fast Deployment

    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms The output shows that you can access that segment before passing 802.1X authentication.
  • Page 121: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 122: Mac Authentication Timers

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user as idle.
  • Page 123: Critical Vlan

    network resources, such as a software server, to download anti-virus software and system patches. If no MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources. If a user in the guest VLAN passes MAC authentication, that user is removed from the guest VLAN and can access all authorized network resources.
  • Page 124: Configuring Mac Authentication Globally

    • For RADIUS authentication, check that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure that the username and password for each account are the same as the MAC address of the MAC authentication users.
  • Page 125: Specifying A Mac Authentication Domain

    Step: Enable MAC authentication. Command: • In system view: mac-authentication interface interface-list. • In interface view: interface interface-type interface-number, then mac-authentication. Remarks: Disabled by default. Enable MAC authentication for ports in bulk in system view or for an individual port in Ethernet interface view. Optional.
  • Page 126: Configuring A Mac Authentication Critical Vlan

    Table 10 Relationships of the MAC authentication guest VLAN with other security features. Feature: Quiet function of MAC authentication. Relationship description: The MAC authentication guest VLAN function has higher priority. A user can access any resources in the guest VLAN. Reference: "MAC authentication timers". Relationship description: You cannot specify a VLAN as both a super... Reference: See Layer 2 LAN Switching...
  • Page 127: Configuring Mac Authentication Delay

    Table 11 Relationships of the MAC authentication critical VLAN with other security features. Feature: Quiet function of MAC authentication. Relationship description: The MAC authentication critical VLAN function has higher priority. When a user fails MAC authentication because no RADIUS authentication server is... Reference: "MAC authentication timers"...
  • Page 128: Enabling Mac Authentication Multi-Vlan Mode

    • Creates a new MAC-VLAN mapping for the user. HP recommends that you configure this feature on hybrid or trunk ports. For example, an IP phone, which can send tagged and untagged frames, is connected to a MAC authentication-enabled port. The port receives tagged frames in VLAN 2 and untagged frames in VLAN 1.
  • Page 129: Mac Authentication Configuration Examples

    Task: Display MAC authentication information. Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Task: Clear MAC authentication statistics. Command: reset mac-authentication statistics [ interface interface-list ]. Remarks: Available in user view. MAC authentication configuration examples Local MAC authentication configuration example Network requirements...
  • Page 130 [Device] mac-authentication interface ethernet 1/0/1 # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain aabbcc.net # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.
  • Page 131: Radius-Based Mac Authentication Configuration Example

    RADIUS-based MAC authentication configuration example Network requirements As shown in Figure 34, a host connects to port Ethernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on port Ethernet 1/0/1 to control Internet access. Make sure that: The device detects whether a user has gone offline every 180 seconds.
  • Page 132 # Enable MAC authentication on port Ethernet 1/0/1. [Device] mac-authentication interface ethernet 1/0/1 # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain 2000 # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Specify username aaa and plaintext password 123456 for the account shared by MAC authentication users.
  • Page 133: Acl Assignment Configuration Example

    ACL assignment configuration example Network requirements As shown in Figure 35, a host connects to the device's port Ethernet 1/0/1, and the device uses RADIUS servers to perform authentication, authorization, and accounting. Perform MAC authentication on port Ethernet 1/0/1 to control Internet access. Make sure that an authenticated user can access the Internet but not the FTP server at 10.0.0.1.
  • Page 134 # Enable MAC authentication globally. [Sysname] mac-authentication # Specify the ISP domain for MAC authentication. [Sysname] mac-authentication domain 2000 # Configure the device to use MAC-based user accounts, and the MAC addresses are hyphen separated and in lowercase. [Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase # Enable MAC authentication for port Ethernet 1/0/1.
  • Page 135: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication helps control access to the Internet. It is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...
  • Page 136 Figure 36 Portal system components Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or a portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
  • Page 137: Portal System Using The Local Portal Server

    To implement security check, the client must be the HP iNode client. Portal authentication supports NAT traversal whether it is initiated by a Web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
  • Page 138: Portal Authentication Modes

    NOTE: The local portal server function of the access device implements only some simple portal server functions. It only allows users to log on and log off through the Web interface. It cannot take the place of an independent portal server. Protocols used for interaction between the client and local portal server HTTP and Hypertext Transfer Protocol Secure (HTTPS) can be used for interaction between an authentication client and an access device providing the local portal server function.
  • Page 139: Portal Support For Eap

    • Re-DHCP authentication—Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources. No public IP address is allocated to those who fail authentication.
  • Page 140: Layer 2 Portal Authentication Process

    Layer 2 portal authentication process Figure 39 Local Layer 2 portal authentication process Local Layer 2 portal authentication takes the following procedure: The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which supports HTTP and HTTPS requests.
  • Page 141: Layer 3 Portal Authentication Process

    VLAN during a specified period of time (90 seconds by default), it removes the user from the Auth-Fail VLAN and adds the user to the initial VLAN of the port. NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to make sure that the client can communicate with the hosts in the VLAN.
  • Page 142 The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message. The access device and the RADIUS server exchange RADIUS packets to authenticate the user. The access device sends an authentication reply to the portal server.
  • Page 143 The portal server notifies the authentication client of logon success. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes additional steps: The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
  • Page 144: Portal Stateful Failover

    After receiving the certificate request, the portal server sends an EAP authentication reply to the authentication client, carrying the EAP-Message attribute values. The authentication client sends another EAP request to continue the EAP authentication with the RADIUS server, during which there may be several portal authentication requests. The subsequent authentication processes are the same as those initiated by the first EAP request, except that the EAP request types vary with the EAP authentication phases.
  • Page 145 Figure 43 Network diagram for portal stateful failover configuration As shown in Figure 43, users have to pass portal authentication to access the Internet. To avoid portal service interruption caused by single point failures, you can deploy two access devices (Gateway A and Gateway B) and configure the portal stateful failover function on them, so that they back up the portal online user information of each other through the failover link.
  • Page 146: Portal Authentication Across Vpns

    • Secondary: Indicates that the user logs in from the peer device, and the user data is synchronized from the peer device to the local device. The local device is in synchronization state. It only receives and processes the synchronization messages and does not process packets from the server.
    Portal authentication across VPNs
    This feature is not applicable to VPNs with overlapping address spaces.
  • Page 147: Configuration Prerequisites

    Task Remarks Specifying an authentication domain for portal users Configuring Layer 2 portal authentication to support Web proxy Enabling support for portal user moving Specifying an Auth-Fail VLAN for portal authentication Optional Specifying an auto redirection URL for authenticated portal users Optional Configuring online Layer 2 portal user detection Optional...
  • Page 148: Specifying The Portal Server

    Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. HP recommends using the IP address of a loopback interface rather than a physical Layer 3 interface, because: •...
  • Page 149: Specifying A Portal Server For Layer 3 Portal Authentication

    Specifying a portal server for Layer 3 portal authentication
    This task allows you to specify the portal server parameters for Layer 3 portal authentication, including the portal server IP address, shared encryption key, server port, and the URL address for Web authentication.
  • Page 150 Table 12 Main authentication page file names Main authentication page File name Logon page logon.htm Logon success page logonSuccess.htm Logon failure page logonFail.htm Online page online.htm Pushed after the user gets online for online notification System busy page busy.htm Pushed when the system is busy or the user is in the logon process Logoff success page logoffSuccess.htm...
  • Page 151 The following example shows part of the script in page online.htm. <form action=logon.cgi method = post > <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;"> </form> Rules on page file compression and saving A set of authentication page files must be compressed into a standard zip file. The name of a zip •...
  • Page 152: Configuring The Local Portal Server

    </body> </html>
    HP recommends using Microsoft IE 6.0 or above on the authentication clients. Make sure the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.
  • Page 153: Enabling Portal Authentication

    When you specify the protocol for the local portal server to support, the local portal server will load the default authentication page file, which is supposed to be saved in the root directory of the device. Therefore, to make sure that the local portal server uses the user-defined default authentication pages, you must edit and save them properly.
  • Page 154: Enabling Layer 3 Portal Authentication

    Enabling Layer 3 portal authentication
    Before enabling Layer 3 portal authentication on an interface, make sure:
    • An IP address is configured for the interface.
    • The interface is not added to any port aggregation group.
    • The portal server referenced by the interface already exists.
    •...
  • Page 155 The matching items for a portal-free rule include the source and destination IP address, TCP/UDP port number, source MAC address, inbound interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so that users sending the packets can directly access the specified external websites.
  • Page 156: Configuring An Authentication Source Subnet

    Configuring an authentication source subnet
    Only Layer 3 portal authentication supports this feature. By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication. If an unauthenticated user is not on any authentication source subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.
  • Page 157: Specifying An Authentication Domain For Portal Users

    NOTE: The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch.
    Specifying an authentication domain for portal users
    After you specify an authentication domain for portal users on an interface, the device uses the authentication domain for authentication, authorization, and accounting (AAA) of all portal users on the interface, ignoring the domain names carried in the usernames.
  • Page 158: Enabling Support For Portal User Moving

    Step: Add a Web proxy server port number.
    Command: portal web-proxy port port-number
    Remarks: By default, no Web proxy server port number is configured and proxied HTTP requests cannot trigger portal authentication.
    Enabling support for portal user moving
    Only Layer 2 portal authentication supports this feature. In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled port of the device without logging off, the user cannot get online when the original port is still up.
  • Page 159: Configuring Radius Related Attributes

    Before specifying an Auth-Fail VLAN, be sure to create the VLAN. To specify an Auth-Fail VLAN for portal authentication:
    Step: Enter system view.
    Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Step: Specify an Auth-Fail VLAN for portal authentication on the port.
    Command: portal auth-fail vlan authfail-vlan-id
    Remarks: Not specified by default...
  • Page 160: Specifying A Nas Id Profile For An Interface

    Specifying a NAS ID profile for an interface
    In some networks, users' access points are identified by their access VLANs. Network carriers need to use NAS-identifiers to identify user access points. With a NAS ID profile specified on an interface, when a user logs in from the interface, the access device checks the specified profile to obtain the NAS ID that is bound with the access VLAN.
  • Page 161: Configuring Portal Stateful Failover

    Step: ... source IP address of the outgoing portal packets.
    Command: { ipv4-address | ipv6 ipv6-address }
    Remarks: ... for outgoing portal packets. In NAT environments, HP recommends specifying the interface's public IP address as the source IP address of outgoing portal packets.
  • Page 162: Specifying An Auto Redirection Url For Authenticated Portal Users

    Step: Specify the portal group to which the portal service backup interface belongs.
    Command: portal backup-group group-id
    Remarks: By default, the portal service backup interface does not belong to any portal group. The portal service backup interfaces on the two devices for stateful failover must belong to the same portal group.
  • Page 163: Configuring Portal Detection Functions

    Follow these guidelines to specify an auto redirection URL for authenticated portal users:
    • To use this feature for remote Layer 3 portal authentication, the portal server must be the IMC portal server that supports the page auto-redirection function.
    • The wait-time period option is effective only for local portal authentication.
    •...
  • Page 164 To address this problem, the access device must be able to detect the reachability changes of the portal server quickly and take corresponding actions to deal with the changes. For example, after the access device detects that the portal server is unreachable, it allows portal users to access network resources without authentication.
  • Page 165: Configuring Portal User Information Synchronization

    IMC portal server and make sure that the product of interval and retry is greater than or equal to the portal server heartbeat interval. HP recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.
  • Page 166: Logging Off Portal Users

    HP recommends that you configure the interval to be greater than the portal user heartbeat interval configured on the portal server.
  • Page 167: Portal Configuration Examples

    Task: Display portal server statistics on a specific interface or all interfaces.
    Command: display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    Task: Display TCP spoofing statistics.
    Command: display portal tcp-cheat statistics
  • Page 168 Configuration prerequisites Configure IP addresses for the host, switch, and servers as shown in Figure 45 and make sure they can reach each other. Configure the RADIUS server properly to provide authentication and accounting functions for users. Configuring the portal server (IMC PLAT 5.0) This example assumes that the portal server runs on IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101).
  • Page 169 Figure 47 Adding an IP address group # Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure •...
  • Page 170 Figure 49 Device list On the port group configuration page, click Add to enter the page shown in Figure 50. Perform the following configurations: • Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must •...
  • Page 171: Configuring Re-Dhcp Portal Authentication

    [Switch-radius-rs1] key accounting simple radius
    # Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
    [Switch-radius-rs1] user-name-format without-domain
    [Switch-radius-rs1] quit
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [Switch] domain dm1
    # Configure AAA methods for the ISP domain.
  • Page 172 Figure 51 Network diagram Configuration procedure When you configure re-DHCP portal authentication, follow these guidelines: • Configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown) The switch must be configured as a DHCP relay agent and the portal-enabled interface must be •...
  • Page 173: Configuring Cross-Subnet Portal Authentication

    # Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
    [Switch-radius-rs1] user-name-format without-domain
    [Switch-radius-rs1] quit
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [Switch] domain dm1
    # Configure AAA methods for the ISP domain.
  • Page 174 The host accesses Switch A through Switch B. • • A RADIUS server serves as the authentication/accounting server. Figure 52 Network diagram Configuration procedure When configuring cross-subnet portal authentication, follow these guidelines: • Configure IP addresses for the host, switches, and servers as shown in Figure 52 and make sure they can reach each other.
  • Page 175: Configuring Direct Portal Authentication With Extended Functions

    [SwitchA-isp-dm1] authorization portal radius-scheme rs1
    [SwitchA-isp-dm1] accounting portal radius-scheme rs1
    [SwitchA-isp-dm1] quit
    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
  • Page 176 Figure 53 Network diagram Configuration procedure Configure IP addresses for the host, switch, and servers as shown in Figure 53 and make sure they can reach each other. Configure the RADIUS server properly to provide authentication and accounting functions for users. Configure the switch: Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view.
  • Page 177: Configuring Re-Dhcp Portal Authentication With Extended Functions

    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
    [Switch] domain default enable dm1
    Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources:
    [Switch] acl number 3000...
  • Page 178 Figure 54 Network diagram Portal server 192.168.0.111/24 Vlan-int100 20.20.20.1/24 Vlan-int2 DHCP server 10.0.0.1/24 sub 192.168.0.100/24 192.168.0.112/24 Host Switch automatically obtains an IP address RADIUS server 192.168.0.113/24 Security policy server 192.168.0.114/24 Configuration procedure When you configure re-DHCP portal authentication, follow these guidelines: For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this •...
  • Page 179 [Switch-radius-rs1] key accounting simple radius [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server. [Switch-radius-rs1] security-policy-server 192.168.0.114 [Switch-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain.
  • Page 180: Configuring Cross-Subnet Portal Authentication With Extended Functions

    [Switch-Vlan-interface100] dhcp relay server-select 0
    [Switch-Vlan-interface100] dhcp relay address-check enable
    # Enable re-DHCP portal authentication on the interface connecting the host.
    [Switch-Vlan-interface100] portal server newpt method redhcp
    [Switch-Vlan-interface100] quit
    Configuring cross-subnet portal authentication with extended functions
    Network requirements
    As shown in Figure •...
  • Page 181 # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended. [SwitchA-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [SwitchA-radius-rs1] primary authentication 192.168.0.112 [SwitchA-radius-rs1] primary accounting 192.168.0.112 [SwitchA-radius-rs1] key accounting simple radius...
  • Page 182: Configuring Portal Stateful Failover

    # Enable portal authentication on the interface connecting Switch B.
    [SwitchA] interface vlan-interface 4
    [SwitchA-Vlan-interface4] portal server newpt method layer3
    [SwitchA-Vlan-interface4] quit
    On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.)
    Configuring portal stateful failover
    Network requirements
    As shown in...
  • Page 183 Make sure that Host can access the authentication server through Switch A and Switch B. Configure VRRP group 1 and VRRP group 2 to implement backup for downstream and upstream links, respectively. For more information about VRRP, see High Availability Configuration Guide. For information about stateful failover configuration, see High Availability Configuration Guide.
  • Page 184 Figure 58 Adding an IP address group # Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure Enter the device name NAS.
  • Page 185 Figure 60 Device list On the port group configuration page, click Add to enter the page shown in Figure 50. Perform the following configurations: • Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must •...
  • Page 186 [SwitchA] interface vlan-interface 20 [SwitchA–Vlan-interface20] vrrp vrid 2 virtual-ip 192.168.0.1 # Set the priority of VLAN-interface 20 in VRRP group 2 to 200. [SwitchA–Vlan-interface20] vrrp vrid 2 priority 200 # On VLAN-interface 20, configure the interface to be tracked as VLAN-interface 10 and reduce the priority of VLAN-interface 20 in VRRP group 2 by 150 when the interface state of VLAN-interface 10 becomes Down or Removed.
  • Page 187 # Specify the source IP address of outgoing portal packets as 9.9.1.1, the virtual IP address of VRRP group 1. [SwitchA–Vlan-interface10] portal nas-ip 9.9.1.1 Configure portal stateful failover: # Assign interface VLAN-interface 10 to portal group 1. [SwitchA–Vlan-interface10] portal backup-group 1 [SwitchA–Vlan-interface10] quit # Set the device ID for Switch A in stateful failover mode to 1.
  • Page 188 [SwitchB-radius-rs1] key accounting simple expert # Configure the access device to not carry the ISP domain name in the username sent to the RADIUS server. (Optional, configure the username format as needed.) [SwitchB-radius-rs1] user-name-format without-domain [SwitchB-radius-rs1] quit Configure an authentication domain: # Create ISP domain dm1 and enter its view.
  • Page 189: Configuring Portal Server Detection And Portal User Information Synchronization

    Verifying the configuration
    # After user Host logs in through Switch A, display the user authentication information by using the display portal user command on Switch A and Switch B.
    [SwitchA] display portal user all
    Index:3 State:ONLINE SubState:NONE ACL:NONE Work-mode: primary VPN instance:NONE Vlan Interface...
  • Page 190 Figure 62 Network diagram Configuration considerations Configure the portal server and enable portal server heartbeat function and the portal user heartbeat function. Configure the RADIUS server to implement authentication and accounting. Configure direct portal authentication on interface VLAN-interface 100, which is connected with the user host.
  • Page 191 Figure 63 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Enter the IP group name.
  • Page 192 Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure Enter the device name NAS. • Enter the IP address of the switch's interface connected to the user. •...
  • Page 193 Figure 67 Adding a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure the switch Configure a RADIUS scheme: # Create RADIUS scheme rs1 and enter its view. <Switch>...
  • Page 194 40 retry 2 The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.
  • Page 195: Configuring Layer 2 Portal Authentication

    Configuring Layer 2 portal authentication
    Network requirements
    As shown in Figure 68, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port Ethernet 1/0/1. More specifically:
    • Use the remote RADIUS server for authentication, authorization and accounting.
    •...
  • Page 196 for the assigned IP addresses and make sure there is a route to the host. To shorten the IP address update time in case of an authentication state change, set a short lease for each address. Because the DHCP server and the DHCP client are not in the same subnet, you need to configure •...
  • Page 197 [Switch-radius-rs1] primary accounting 1.1.1.2 [Switch-radius-rs1] key accounting simple radius [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] quit Configure an authentication domain: # Create and enter ISP domain triple. [Switch] domain triple # Configure AAA methods for the ISP domain. [Switch-isp-triple] authentication portal radius-scheme rs1 [Switch-isp-triple] authorization portal radius-scheme rs1 [Switch-isp-triple] accounting portal radius-scheme rs1 [Switch-isp-triple] quit...
  • Page 198: Troubleshooting Portal

    move the user from VLAN 8 to VLAN 3, the authorized VLAN. You can use the display connection ucibindex command to view the online user information.
    <Switch> display connection ucibindex 30
    Slot: Index=30 , Username=userpt@triple MAC=0015-e9a6-7cfe IP=192.168.1.2 IPv6=N/A Access=PORTAL ,AuthMethod=PAP Port Type=Ethernet,Port Name=Ethernet1/0/1 Initial VLAN=8, Authorization VLAN=3 ACL Group=Disable...
  • Page 199: Incorrect Server Port Number On The Access Device

    Incorrect server port number on the access device
    Symptom
    After a user passes the portal authentication, you cannot force the user to log off by executing the portal delete-user command on the access device, but the user can log off by using the disconnect attribute on the authentication client.
  • Page 200: Configuring Triple Authentication

    Configuring triple authentication
    Overview
    Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services.
  • Page 201: Using Triple Authentication With Other Features

    • If a terminal passes 802.1X or portal authentication, no other types of authentication will be triggered for the terminal.
    • If the terminal passes MAC authentication, no portal authentication can be triggered for the terminal, but 802.1X authentication can be triggered. When the terminal passes 802.1X authentication, the 802.1X authentication information will overwrite the MAC authentication information for the terminal.
  • Page 202: Triple Authentication Configuration Examples

    Task: ... authentication.
    Remarks: 802.1X authentication must use MAC-based access control. HP does not recommend you configure 802.1X guest VLANs for triple authentication.
    Task: Configure MAC authentication. ("Configuring MAC authentication")
    Task: Configure Layer 2 portal authentication. ("Configuring portal authentication")
    Triple authentication configuration examples
    Triple authentication basic function configuration example...
  • Page 203 # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.) # Configure the local portal server to support HTTP. <Switch> system-view [Switch] portal local-server http # Configure the IP address of interface loopback 0 as 4.4.4.4. [Switch] interface loopback 0 [Switch-LoopBack0] ip address 4.4.4.4 32 [Switch-LoopBack0] quit...
  • Page 204: Triple Authentication Supporting Vlan Assignment And Auth-Fail Vlan Configuration Example

    Configure an ISP domain:
    # Create an ISP domain named triple.
    [Switch] domain triple
    # Configure the default AAA methods for all types of users in the domain.
    [Switch-isp-triple] authentication default radius-scheme rs1
    [Switch-isp-triple] authorization default radius-scheme rs1
    [Switch-isp-triple] accounting default radius-scheme rs1
    [Switch-isp-triple] quit
    # Configure domain triple as the default domain.
  • Page 205 Portal terminals use DHCP to get IP addresses in 192.168.1.0/24 before authentication and in • 3.3.3.0/24 after passing authentication. 802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP • addresses in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails authentication, it uses an IP address in 2.2.2.0/24.
  • Page 206 Configure DHCP: # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.) # Enable DHCP. <Switch> system-view [Switch] dhcp enable # Exclude the IP address of the update server from assignment. [Switch] dhcp server forbidden-ip 2.2.2.2 # Configure IP address pool 1, including the address range, lease and gateway address.
  • Page 207 # Configure the local portal server to support HTTPS and use SSL server policy sslsvr. [Switch] portal local-server https server-policy sslsvr # Configure IP address 4.4.4.4 for interface loopback 12. [Switch] interface loopback 12 [Switch-LoopBack12] ip address 4.4.4.4 32 [Switch-LoopBack12] quit # Specify the listening IP address of the local portal server as 4.4.4.4.
  • Page 208 # Specify usernames sent to the RADIUS server to carry no domain names. [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit Configure an ISP domain: # Create an ISP domain named triple. [Switch] domain triple # Configure the default AAA methods for all types of users in the domain. [Switch-isp-triple] authentication default radius-scheme rs1 [Switch-isp-triple] authorization default radius-scheme rs1 [Switch-isp-triple] accounting default radius-scheme rs1...
  • Page 209 0015-e9a6-7cfe ffff-ffff-ffff 0002-0002-0001 ffff-ffff-ffff 0015-88f8-0dd7 ffff-ffff-ffff Total MAC VLAN address count:3 Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users. [Switch] display dhcp server ip-in-use all Pool utilization: 0.59% IP address Client-identifier/ Lease expiration Type Hardware address 3.3.3.111...
  • Page 210: Configuring Port Security

    NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 211: Port Security Modes

    Port security modes
    Port security supports the following categories of security modes:
    • MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
    • Authentication—Security modes in this category implement MAC authentication, 802.1X •...
  • Page 212 TIP: • userLogin specifies 802.1X authentication and port-based access control. • macAddress specifies MAC authentication. • Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request. •...
  • Page 213: Working With Guest Vlan And Auth-Fail Vlan

    Performing MAC authentication
    • macAddressWithRadius: A port in this mode performs MAC authentication and services multiple users.
    Performing a combination of MAC authentication and 802.1X authentication
    • macAddressOrUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
  • Page 214: Enabling Port Security

    Task: Setting port security's limit on the number of MAC addresses on a port
    Remarks: Optional.
    Task: Setting the port security mode
    Remarks: Required.
    Task: Configuring port security features: • Configuring NTK • Configuring intrusion protection •...
    Remarks: Optional. Configure one or more features as required.
  • Page 215: Setting The Port Security Mode

    To set the maximum number of secure MAC addresses allowed on a port:
    Step: Enter system view.
    Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Step: Set the limit of port security on the number of MAC ...
    Command: port-security max-mac-count ...
    Remarks: Not limited by default.
  • Page 216: Configuring Port Security Features

    Step: Set the port security mode.
    Command: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
    Remarks: By default, a port operates in noRestrictions mode.
    Configuring port security features
    Configuring NTK
    The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are...
  • Page 217: Enabling Port Security Traps

    • disableport-temporarily—Disables the port for a specific period of time. The period can be configured with the port-security timer disableport command.
    On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.
    To configure the intrusion protection feature:
    Step Command...
  • Page 218: Configuration Prerequisites

    IMPORTANT: When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and no more secure MAC addresses can be added or learned. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.
  • Page 219: Ignoring Authorization Information

    Step: Enter system view.
    Command: system-view
    Step: Set the secure MAC aging timer.
    Command: port-security timer autolearn aging time-value
    Remarks: Optional. By default, secure MAC addresses do not age out, and you can remove them only by performing the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
  • Page 220: Displaying And Maintaining Port Security

    Step: Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Step: Ignore the authorization information from the RADIUS server or the local device.
    Command: port-security authorization ignore
    Remarks: By default, a port uses the authorization information from the RADIUS server or the local device.
    Displaying and maintaining port security
    Task Command...
  • Page 221 Figure 72 Network diagram Configuration procedure # Enable port security. <Device> system-view [Device] port-security enable # Set the secure MAC aging timer to 30 minutes. [Device] port-security timer autolearn aging 30 # Enable intrusion protection traps on port Ethernet 1/0/1. [Device] port-security trap intrusion [Device] interface ethernet 1/0/1 # Set port security's limit on the number of MAC addresses to 64 on the port.
  • Page 222 The output shows that the port security's limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, intrusion protection traps are enabled, and the intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds. # Repeatedly perform the display port-security command to track the number of MAC addresses learned by the port, or use the display this command in Layer 2 Ethernet interface view to display the secure MAC addresses.
  • Page 223: Configuring The Userloginwithoui Mode

    Configuring the userLoginWithOUI mode Network requirements As shown in Figure 73, a client is connected to the Device through port Ethernet 1/0/1. The Device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
  • Page 224

    [Device-radius-radsun] timer response-timeout 5
    [Device-radius-radsun] retry 5
    [Device-radius-radsun] timer realtime-accounting 15
    [Device-radius-radsun] user-name-format without-domain
    [Device-radius-radsun] quit
    # Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users. Specify that the ISP domain can contain up to 30 users.
    [Device] domain sun
    [Device-isp-sun] authentication default radius-scheme radsun
    [Device-isp-sun] authorization default radius-scheme radsun...
  • Page 225

    Encryption Key : N/A
    VPN instance : N/A
    Probe username : N/A
    Probe interval : N/A
    Second Acct Server:
    IP: 192.168.1.2 Port: 1813 State: active
    Encryption Key : N/A
    VPN instance : N/A
    Auth Server Encryption Key : ******
    Acct Server Encryption Key : ******
    Accounting-On packet disable, send times : 5 , interval : 3s
    Interval for timeout(second)
    Retransmission times for timeout...
  • Page 226

    Intrusion Protection mode is NoAction
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
    Security MAC address learning mode is sticky
    Security MAC address aging type is absolute
    After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1.
    # Display 802.1X information.
  • Page 227: Configuring The Macaddresselseuserloginsecure Mode

    EAP Response/Challenge Packets: 6
    Error Packets: 0
    1. Authenticated user : MAC address: 0002-0000-0011
    Controlled User(s) amount to 1
    In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port.
    # Display MAC address information for interface Ethernet 1/0/1.
  • Page 228

    # Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
    [Device] dot1x authentication-method chap
    # Set port security's limit on the number of MAC addresses to 64 on the port.
    [Device-Ethernet1/0/1] port-security max-mac-count 64
    # Set the port security mode to macAddressElseUserLoginSecure.
  • Page 229

    Current online user number is 3
    MAC ADDR Authenticate state Auth Index
    1234-0300-0011 MAC_AUTHENTICATOR_SUCCESS
    1234-0300-0012 MAC_AUTHENTICATOR_SUCCESS
    1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS
    # Display 802.1X authentication information.
    <Device> display dot1x interface ethernet 1/0/1
    Equipment 802.1X protocol is enabled
    CHAP authentication is enabled
    EAD quick deploy is disabled
    Configuration: Transmit Period 30 s, Handshake Period...
  • Page 230: Troubleshooting Port Security

    1. Authenticated user : MAC address: 0002-0000-0011
    Controlled User(s) amount to 1
    As NTK is enabled, frames with unknown destination MAC addresses, multicast addresses, and broadcast addresses will be discarded.
    Troubleshooting port security
    Cannot set the port security mode
    Symptom
    Cannot set the port security mode.
  • Page 231: Cannot Change Port Security Mode When A User Is Online

    Cannot change port security mode when a user is online
    Symptom
    Port security mode cannot be changed when an 802.1X authenticated or MAC authenticated user is online.
    [Device-Ethernet1/0/1] undo port-security port-mode
    Error:Cannot configure port-security for there is 802.1X user(s) on line on port Ethernet1/0/1.
  • Page 232: Configuring A User Profile

    Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
  • Page 233: Applying A Qos Policy

    1. Enter system view. Command: system-view.
    2. Create a user profile and enter its view. Command: user-profile profile-name. Remarks: You can use the command to enter the view of an existing user profile.
    Applying a QoS policy
    You can apply QoS policies in user profile view to implement traffic management functions. Follow these guidelines when you apply a QoS policy:
    • After a user profile is created, apply a QoS policy in user profile view to implement restrictions on...
  • Page 234: Displaying And Maintaining User Profiles

    1. Enter system view. Command: system-view.
    2. Enable a user profile. Command: user-profile profile-name enable. Remarks: A user profile is disabled by default.
    Displaying and maintaining user profiles
    Task: Display information about all the created user profiles. Command: display user-profile [ | { begin | exclude ... Remarks: Available in any view.
  • Page 235: Configuring Password Control

    Configuring password control Overview Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail. •...
  • Page 236 You can allow a user to log in a certain number of times within a specific period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.
  • Page 237: Fips Compliance

    Depending on the system security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters that are from each type in the password. There are four password combination levels in non-FIPS mode: 1, 2, 3, and 4, each representing the number of character types that a password must at least contain.
  • Page 238: Password Control Configuration Task List

    Password control configuration task list
    The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:
    • Global settings in system view apply to all local user passwords and super passwords.
    • Settings in user group view apply to the passwords of all local users in the user group.
  • Page 239: Setting Global Password Control Parameters

    1. Enter system view. Command: system-view.
    2. Enable the password control feature. Command: password-control enable. Remarks: Disabled by default.
    3. Enable a password control function individually. Command: password-control { aging | composition | history | length } enable. Remarks: Optional. All of the four password control functions are enabled by default.
  • Page 240

    Set the minimum password length. Command: password-control length length. Remarks: Optional. 10 characters by default.
    Configure the password composition policy. Command: password-control composition type-number type-number ... Remarks: Optional. • In non-FIPS mode, by default, a password must contain at least one type of characters and each type must contain at least one character.
  • Page 241: Setting User Group Password Control Parameters

    Setting user group password control parameters
    1. Enter system view. Command: system-view.
    2. Create a user group and enter user group view. Command: user-group group-name.
    3. Configure the password aging time for the user group. Command: password-control aging aging-time. Remarks: Optional. By default, the aging time of the user group is the same as the global password aging time.
  • Page 242: Setting Super Password Control Parameters

    Configure the password composition policy for the local user. Command: password-control composition type-number type-number [ type-length type-length ]. Remarks: Optional. By default, the settings equal those for the user group to which the local user belongs. If no password composition policy is configured for the user group, the global settings apply to the local user.
  • Page 243: Displaying And Maintaining Password Control

    Set the password for the local user in interactive password mode.
    Displaying and maintaining password control
    Task: Display password control configuration information. Command: display password-control [ super ] [ | { begin | exclude | include } ... Remarks: Available in any view.
  • Page 244

    • The password must contain at least 12 characters.
    • The password must consist of at least two types of valid characters, five or more of each type.
    • The password aging time is 20 days.
    Configuration procedure
    # Enable the password control feature globally.
    <Sysname>...
  • Page 245

    [Sysname-luser-test] quit
    Verifying the configuration
    # Display the global password control configuration information.
    <Sysname> display password-control
    Global password control configurations:
    Password control: Enabled
    Password aging: Enabled (30 days)
    Password length: Enabled (10 characters)
    Password composition: Enabled (1 types, 1 characters per type)
    Password history: Enabled (max history record:4)
    Early notice on password expiration: 7 days...
  • Page 246: Configuring Habp

    Configuring HABP Overview The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 74, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.
  • Page 247: Configuring Habp

    Otherwise, the cluster management device will not be able to manage the devices attached to this member switch. For more information about the cluster function, see Network Management and Monitoring Configuration Guide. Configuring HABP Configuring the HABP server An HABP server is usually configured on the authentication device enabled with 802.1X authentication or MAC address authentication.
  • Page 248: Displaying And Maintaining Habp

    Specify the VLAN to which the HABP client belongs. Command: habp client vlan vlan-id. Remarks: Optional. By default, an HABP client belongs to VLAN 1. The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
  • Page 249

    Figure 75 Network diagram
    Configuration procedure
    Configure Switch A:
    # Perform 802.1X related configurations on Switch A (see "Configuring 802.1X").
    # Enable HABP. (HABP is enabled by default. This configuration is optional.)
    <SwitchA> system-view
    [SwitchA] habp enable
    # Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
    [SwitchA] habp server vlan 1
    # Set the interval at which the switch sends HABP request packets to 50 seconds.
  • Page 250

    <SwitchA> display habp
    Global HABP information:
    HABP Mode: Server
    Sending HABP request packets every 50 seconds
    Bypass VLAN: 1
    # Display HABP MAC address table entries.
    <SwitchA> display habp table
    Holdtime Receive Port
    001f-3c00-0030 Ethernet1/0/2
    001f-3c00-0031 Ethernet1/0/1...
  • Page 251: Managing Public Keys

    Managing public keys
    Overview
    To protect data confidentiality during transmission, the data sender uses an algorithm and a key (a character string) to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 76.
    Figure 76 Encryption and decryption
    The keys that participate in the conversion between the plain text and the cipher text can be the same or...
  • Page 252: Configuration Task List

    1024 bits. par.
    • In FIPS mode: 2048 bits.
    • In FIPS mode: the system creates a host key pair.
    HP recommendation: a minimum of 768 bits.
    • In non-FIPS mode: 512 to 2048 bits and defaults to 1024 bits.
    •...
  • Page 253: Displaying Or Exporting The Local Host Public Key

    NOTE: Only SSH 1.5 uses the RSA server key pair.
    To create a local asymmetric key pair:
    1. Enter system view. Command: system-view.
    2. Create a local asymmetric key pair. Command, in non-FIPS mode: public-key local create { dsa | ... Remarks: By default, no local asymmetric key pairs exist.
  • Page 254: Destroying A Local Asymmetric Key Pair

    Displaying the host public key in a specific format and saving it to a file
    To display the local host public key in a specific format:
    1. Enter system view. Command: system-view.
    2. Display the local RSA host public key. Command, in non-FIPS mode: public-key local export rsa { openssh | ssh1 | ssh2 }...
  • Page 255: Specifying The Peer Public Key On The Local Device

    HP device might not be in a correct format. To import the host public key from a public key file to the local device:...
  • Page 256: Displaying And Maintaining Public Keys

    1. Specify a name for the public key and enter public key view. Command: public-key peer keyname.
    2. Enter public key code view. Command: public-key-code begin.
    3. Configure the peer public key. Command: Enter or copy the key. Remarks: Spaces and carriage returns are allowed between characters, but are not saved.
  • Page 257

    # Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits.
    <DeviceA> system-view
    [DeviceA] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 258: Importing A Peer Public Key From A Public Key File

    E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1E
    F999B2BF9C4A10203010001
    [DeviceB-pkey-key-code] public-key-code end
    [DeviceB-pkey-public-key] peer-public-key end
    # Display the host public key of Device A saved on Device B.
    [DeviceB] display public-key peer name devicea
    =====================================
    Key Name : devicea
    Key Type : RSA
    Key Module: 1024
    =====================================
    Key Code:
    30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F
    814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7...
  • Page 259

    ++++++++
    ++++++++
    # Display the public keys of the local RSA key pairs.
    [DeviceA] display public-key local rsa public
    =====================================================
    Time of Key pair created: 09:50:06 2012/03/07
    Key name: HOST_KEY
    Key type: RSA Encryption Key
    =====================================================
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F
    814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7
    66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647
    0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
    =====================================================...
  • Page 260

    200 Type set to I.
    [ftp] get devicea.pub
    227 Entering Passive Mode (10,1,1,1,5,148).
    125 BINARY mode data connection already open, transfer starting for /devicea.pub.
    226 Transfer complete.
    FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.
    [ftp] quit
    221 Server closing.
    Import the host public key of Device A to Device B:
    # Import the host public key of Device A from the key file devicea.pub to Device B.
  • Page 261: Configuring Pki

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for Secure Sockets Layer (SSL). PKI terms Digital certificate •...
  • Page 262: Pki Architecture

    certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. As different CAs might use different methods to examine the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request.
  • Page 263: Pki Operation

    PKI operation
    In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it operates:
    1. An entity submits a certificate request to the RA.
    2. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA.
  • Page 264: Configuring An Entity Dn

    Task / Remarks
    Submitting a PKI certificate request: Required. Use either approach:
    • Submitting a certificate request in auto mode
    • Submitting a certificate request in manual mode
    Retrieving a certificate manually: Optional.
    Configuring PKI certificate verification: Optional.
    Destroying a local RSA key pair: Optional.
  • Page 265: Configuring A Pki Domain

    1. Configure the country code for the entity. Command: country country-code-str. Remarks: Optional. No country code is specified by default.
    2. Configure the FQDN for the entity. Command: fqdn name-str. Remarks: Optional. No FQDN is specified by default.
    3. Configure the IP address for the entity. Command: ip ip-address. Remarks: Optional. No IP address is specified by default.
  • Page 266: Configuration Guidelines

    needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.
    • IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs.
    •...
  • Page 267: Submitting A Pki Certificate Request

    Configure the fingerprint for root certificate verification. Command: root-certificate fingerprint { md5 | ... Remarks: Required when the certificate request mode is auto and optional when the certificate request mode is manual. In the latter case, if you do not configure this command, the...
  • Page 268 The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate. Generating a key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user. The public key is transferred to the CA along with some other information.
  • Page 269: Retrieving A Certificate Manually

    Retrieving a certificate manually You can download CA certificates, local certificates, or peer entity certificates from the CA server and save them locally. To do so, use either the offline mode or the online mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system.
  • Page 270: Configuration Guidelines

    CRLs to the local switch before the certificate verification. If you disable CRL checking, you only need to retrieve the CA certificate.
    Configuration guidelines
    • The CRL update period defines the interval at which the entity downloads CRLs from the CRL server.
    •...
  • Page 271: Destroying A Local Rsa Key Pair

    1. Return to system view. Command: quit.
    2. Retrieve the CA certificate. Remarks: See "Retrieving a certificate manually."
    3. Verify the validity of the certificate. Command: pki validate-certificate { ca | local } domain domain-name.
    Destroying a local RSA key pair
    A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new certificate.
  • Page 272: Displaying And Maintaining Pki

    Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name. Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ }... Remarks: Optional. No restriction exists on the issuer name, certificate subject name...
  • Page 273: Certificate Request From An Rsa Keon Ca Server

    Certificate request from an RSA Keon CA server Network requirements The switch submits a local certificate request to the CA server. The switch acquires the CRLs for certificate verification. Figure 80 Network diagram Configuring the CA server Create a CA server named myca: In this example, you need to configure these basic attributes on the CA server at first: Nickname—Name of the trusted CA.
  • Page 274

    [Device-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
    # Set the registration authority to CA.
    [Device-pki-domain-torsa] certificate request from ca
    # Specify the entity for certificate request as aaa.
    [Device-pki-domain-torsa] certificate request entity aaa
    # Configure the URL for the CRL distribution point.
    [Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
    [Device-pki-domain-torsa] quit
    Generate a local key pair using RSA:...
  • Page 275

    Verifying the configuration
    # Display information about the retrieved local certificate.
    [Device] display pki certificate local domain torsa
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 9A96A48F 9A509FD7 05FFF4DF 104AD094
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=cn O=org OU=test CN=myca
    Validity
    Not Before: Jan 8 09:26:53 2012 GMT
    Not After : Jan 8 09:26:53 2012 GMT...
  • Page 276: Certificate Request From A Windows 2003 Ca Server

    You can also use display pki certificate ca domain and display pki crl domain to display detailed information about the CA certificate and CRLs. For more information about the commands, see Security Command Reference. Certificate request from a Windows 2003 CA server Network requirements Configure PKI entity Device to request a local certificate from the CA server.
  • Page 277

    Configuring the switch
    Configure the entity name as aaa and the common name as device.
    <Device> system-view
    [Device] pki entity aaa
    [Device-pki-entity-aaa] common-name device
    [Device-pki-entity-aaa] quit
    Configure the PKI domain:
    # Create PKI domain torsa and enter its view.
    [Device] pki domain torsa
    # Configure the name of the trusted CA as myca.
  • Page 278

    [Device] pki request-certificate domain torsa challenge-word
    Certificate is being requested, please wait..
    [Device]
    Enrolling the local certificate,please wait a while..
    Certificate request Successfully!
    Saving the local certificate to device..Done!
    Verifying the configuration
    # Display information about the retrieved local certificate.
    [Device] display pki certificate local domain torsa
    Certificate:
    Data:...
  • Page 279: Certificate Attribute Access Control Policy Configuration Example

    CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
    CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
    1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
    81029589 7BFA1CBD 20023136 B068840B
    (Omitted)
    You can also use some other display commands to display more information about the CA certificate. For more information about the display pki certificate ca domain command, see Security Command Reference.
  • Page 280: Troubleshooting Pki

    # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1.
    [Device] pki certificate attribute-group mygroup1
    [Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1...
  • Page 281: Failed To Request A Local Certificate

    • Check that the required commands are configured properly.
    • Use the ping command to verify that the RA server is reachable.
    • Specify the authority for certificate request.
    • Synchronize the system clock of the switch with that of the CA.
    •...
  • Page 282

    • Retrieve a CA certificate.
    • Specify the IP address of the LDAP server.
    • Specify the CRL distribution URL.
    • Re-configure the LDAP version.
    • Configure the correct DNS server that can resolve the domain name of the CRL distribution point.
  • Page 283: Configuring Ipsec

    Configuring IPsec The term "router" in this document refers to both routers and switches. A switch in IRF mode does not support IPsec automatic negotiation. IKE configuration is available only for the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS."...
  • Page 284 encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES), and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger.
  • Page 285 Figure 83 Encapsulation by security protocols in different modes Authentication algorithms and encryption algorithms Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
  • Page 286: Ipsec For Ipv6 Routing Protocols

    IPsec for IPv6 routing protocols You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol. If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated, for example, due to decryption or authentication failure, the routing protocol discards that packet.
  • Page 287: Acl-Based Ipsec Configuration Task List

    example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect traffic that is forwarded by the device for two hosts, even if the host-to-host traffic matches an ACL permit rule. For more information about configuring an ACL for IPsec, see "Configuring ACLs."...
  • Page 288

    • In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it. If a deny statement is matched or no match is found, IPsec considers that the packet does not require protection and delivers it to the next function module.
    •...
  • Page 289: Configuring An Ipsec Proposal

    NOTE: To use IPsec in combination with QoS, make sure IPsec's ACL classification rules match the QoS classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA to different queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec will discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss.
  • Page 290: Configuring An Ipsec Policy

    NOTE:
    • Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters.
  • Page 291

    To configure a manual IPsec policy:
    1. Enter system view. Command: system-view.
    2. Create a manual IPsec policy and enter its view. Command: ipsec policy policy-name seq-number manual. Remarks: By default, no IPsec policy exists.
    Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications.
  • Page 292

    Configure keys properly for the security protocol (AH or ESP) you have specified:
    • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher string-key | simple hex-key ]
    • Configure an authentication key in characters for AH: sa string-key { inbound | ...
  • Page 293

    • An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view.
    • When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.
    •...
  • Page 294: Applying An Ipsec Policy Group To An Interface

    the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped. During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group.
  • Page 295: Enabling Acl Checking Of De-Encapsulated Ipsec Packets

    Subsequent data flows search the session entries according to the quintuplet to find a matched item. If found, the data flows are processed according to the tunnel information; otherwise, they are processed according to the original IPsec process: search the policy group or policy at the interface, and then the matched tunnel.
  • Page 296: Configuring Packet Information Pre-Extraction

    To configure IPsec anti-replay checking:
    1. Enter system view. Command: system-view.
    2. Enable IPsec anti-replay checking. Command: ipsec anti-replay check. Remarks: Optional. Enabled by default.
    3. Set the size of the IPsec anti-replay window. Command: ipsec anti-replay window width. Remarks: Optional. 32 by default.
    CAUTION: IPsec anti-replay checking is enabled by default.
  • Page 297: Displaying And Maintaining Ipsec

    Task / Remarks
    Configuring a manual IPsec policy: Required. ACLs and IPsec tunnel addresses are not needed.
    Applying an IPsec policy to an IPv6 routing protocol: Required. See Layer 3—IP Routing Configuration Guide.
    Displaying and maintaining IPsec
    To do… / Use the command… / Remarks
    Display IPsec policy information: display ipsec policy [ brief | name...
  • Page 298: Ipsec Configuration Examples

    IPsec configuration examples IKE-based IPsec tunnel for IPv4 packets configuration example Network requirements As shown in Figure 84, configure an IPsec tunnel between Switch A and Switch B to protect data flows between Switch A and Switch B. Configure the tunnel to use the security protocol ESP, the encryption algorithm AES-CBC-128, and the authentication algorithm HMAC-SHA1-96.
  • Page 299

    # Apply the IPsec proposal.
    [SwitchA-ipsec-policy-isakmp-map1-10] proposal tran1
    # Apply the ACL.
    [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
    # Apply the IKE peer.
    [SwitchA-ipsec-policy-isakmp-map1-10] ike-peer peer
    [SwitchA-ipsec-policy-isakmp-map1-10] quit
    # Apply the IPsec policy group to VLAN-interface 1.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec policy map1
    Configure Switch B:
    # Assign an IP address to VLAN-interface 1.
  • Page 300: Ipsec For Ripng Configuration Example

    [SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer
    [SwitchB-ipsec-policy-isakmp-use1-10] quit
    # Apply the IPsec policy group to VLAN-interface 1.
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ipsec policy use1
    Verifying the configuration
    After the previous configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with Switch B when receiving the first packet.
  • Page 301

    # Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
    [SwitchA] ipsec proposal tran1
    [SwitchA-ipsec-proposal-tran1] encapsulation-mode transport
    [SwitchA-ipsec-proposal-tran1] transform esp
    [SwitchA-ipsec-proposal-tran1] esp encryption-algorithm des
    [SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-proposal-tran1] quit...
  • Page 302

    [SwitchB-ipsec-policy-manual-policy001-10] proposal tran1
    [SwitchB-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
    [SwitchB-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
    [SwitchB-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [SwitchB-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [SwitchB-ipsec-policy-manual-policy001-10] quit
    # Apply IPsec policy policy001 to the RIPng process.
    [SwitchB] ripng 1
    [SwitchB-ripng-1] enable ipsec-policy policy001
    [SwitchB-ripng-1] quit
    Configure Switch C...
  • Page 303

    Using the display ripng command on Switch A, you will see the running status and configuration information of the specified RIPng process. The output shows that IPsec policy policy001 is applied to this process successfully.
    <SwitchA> display ripng 1
    RIPng process : 1
    Preference : 100
    Checkzero : Enabled
    Default Cost : 0...
  • Page 304: Configuring Ike

    Configuring IKE
    This feature is applicable only to the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS."
    Overview
    Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.
  • Page 305: Ike Functions

    Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs.
    Figure 86 IKE exchange process in main mode
    As shown in Figure 86, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
    • SA exchange, used for negotiating the security policy.
  • Page 306: Relationship Between Ike And Ipsec

    Relationship between IKE and IPsec
    Figure 87 Relationship between IKE and IPsec
    Figure 87 illustrates the relationship between IKE and IPsec:
    • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
    • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
    •...
  • Page 307: Configuring A Name For The Local Security Gateway

    Task / Remarks
    Optional.
    Configuring an IKE proposal: Required if you want to specify an IKE proposal for an IKE peer to reference.
    Configuring an IKE peer: Required.
    Setting keepalive timers: Optional.
    Setting the NAT keepalive timer: Optional.
    Configuring a DPD detector: Optional.
  • Page 308: Configuring An Ike Peer

    Step / Command / Remarks
    1. Enter system view: system-view
    2. Create an IKE proposal and enter its view: ike proposal proposal-number
    3. Specify an encryption algorithm for the IKE proposal: encryption-algorithm aes-cbc [ key-length ]. Optional. The default is AES-CBC-128.
    4. Specify an authentication method for the IKE proposal: authentication-method { pre-share... Optional.
  • Page 309

    • Specify the dead peer detection (DPD) detector for the IKE peer.
    To configure an IKE peer:
    Step / Command / Remarks
    1. Enter system view: system-view
    2. Create an IKE peer and enter IKE peer view: ike peer peer-name
    3. Specify the IKE negotiation mode for phase 1: exchange-mode main. Optional.
  • Page 310: Setting Keepalive Timers

    Step / Command / Remarks
    Enable the NAT traversal function for IPsec/IKE: nat traversal. Optional. Disabled by default.
    Apply a DPD detector to the IKE peer: dpd dpd-name. Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a detector."...
  • Page 311: Configuring A Dpd Detector

    Step / Command / Remarks
    1. Enter system view: system-view
    2. Set the NAT keepalive interval: ike sa nat-keepalive-timer interval seconds. 20 seconds by default.
    Configuring a DPD detector
    Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
  • Page 312: Displaying And Maintaining Ike

    Displaying and maintaining IKE
    Task / Command / Remarks
    Display IKE DPD information: display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
    Display IKE peer information: display ike peer [ peer-name ] [ | { begin | ... Available in any view.
  • Page 313

    # Create IPsec proposal tran1.
    [SwitchA] ipsec proposal tran1
    # Set the packet encapsulation mode to tunnel.
    [SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel
    # Use security protocol ESP.
    [SwitchA-ipsec-proposal-tran1] transform esp
    # Specify encryption and authentication algorithms.
    [SwitchA-ipsec-proposal-tran1] esp encryption-algorithm aes 128
    [SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-proposal-tran1] quit
    # Create an IKE proposal numbered 10.
  • Page 314

    <SwitchB> system-view
    [SwitchB] interface Vlan-interface1
    [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    # Configure ACL 3101 to identify traffic from Switch B to Switch A.
    [SwitchB] acl number 3101
    [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0
    [SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchB-acl-adv-3101] quit
    # Create IPsec proposal tran1.
  • Page 315: Troubleshooting Ike

    # Reference IKE peer peer.
    [SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer
    [SwitchB-ipsec-policy-isakmp-use1-10] quit
    # Apply the IPsec policy to VLAN-interface 1.
    [SwitchB-Vlan-interface1] ipsec policy use1
    Verifying the configuration
    After the above configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with Switch B when receiving the first packet.
  • Page 316: Failing To Establish An Ipsec Tunnel

    The two parties in the negotiation have no matching proposals.
    Solution
    For the phase 1 negotiation, look up the IKE proposals for a match. For the phase 2 negotiation, check whether the parameters of the IPsec policies applied on the interfaces match, and whether the referenced IPsec proposals match in security protocol, encryption algorithm and authentication algorithm.
  • Page 317: Configuring Ssh2.0

    Configuring SSH2.0
    Overview
    Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plaintext password interception. The switch can work not only as an SSH server to support connections with SSH clients, but also as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
  • Page 318

    After receiving the packet, the client parses the packet and compares the server's protocol version number with its own. If the server's protocol version is lower and supported, the client uses the protocol version of the server; otherwise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the server of the protocol version that it has decided to use.
  • Page 319: Ssh Connection Across Vpns

    In the interaction stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be within 2000 bytes. HP recommends that you paste commands in the same view. Otherwise, the server might not be able to execute the commands correctly.
  • Page 320: Fips Compliance

    connections with CEs in different VPNs that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log files.
    Figure 89 Network diagram
    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 321: Enabling The Ssh Server Function

    Configuration guidelines
    • To support SSH clients that use different types of key pairs, generate DSA, RSA, and ECDSA key pairs on the SSH server.
    • When an SSH user logs in to the switch, RSA key pairs can be automatically generated if no local DSA, RSA, or ECDSA key pairs are configured on the switch.
  • Page 322: Configuring A Client's Host Public Key

    Before importing the public key, you must upload the public key file (in binary) to the server through FTP or TFTP.
    NOTE: HP recommends that you configure a client public key by importing it from a public key file. For more information about client public key configuration, see "Managing public keys."...
  • Page 323: Configuring An Ssh User

    Step / Command / Remarks
    1. Enter public key view: public-key peer keyname
    2. Enter public key code view: public-key-code begin
    3. Configure a client's host public key: Enter the content of the host public key. Spaces and carriage returns are allowed between characters.
    4. Return to public key view and save the configured host public key: public-key-code end. When you exit public key code...
  • Page 324: Setting The Ssh Management Parameters

    • If only publickey authentication is used, the command level accessible to the user is set by the user privilege level command on the user interface.
    • If password authentication is used, either with or without publickey authentication, the command level accessible to the user is authorized by AAA.
    •...
  • Page 325: Setting The Dscp Value For Packets Sent By The Ssh Server

    Step / Command / Remarks
    1. Enter system view: system-view
    2. Enable the SSH server to support SSH1 clients: ssh server compatible-ssh1x [ enable ]. Optional. By default, the SSH server supports SSH1 clients. This command is not available in FIPS mode.
    Optional. By default, the interval is 0, and the RSA server key pair is not updated.
  • Page 326: Configuring The Switch As An Ssh Client

    Configuring the switch as an SSH client
    SSH client configuration task list
    Task / Remarks
    Specifying a source IP address/interface for the SSH client: Optional
    Configuring whether first-time authentication is supported: Optional
    Establishing a connection between the SSH client and server: Required
    Setting the DSCP value for packets sent by the SSH client: Optional...
  • Page 327: Establishing A Connection Between The Ssh Client And Server

    Step / Command / Remarks
    1. Enter system view: system-view
    2. Enable the switch to support first-time authentication: ssh client first-time [ enable ]. Optional. By default, first-time authentication is supported on a client.
    Disabling first-time authentication
    For successful authentication of an SSH client that does not support first-time authentication, the server host public key must be configured on the client and the public key name must be specified.
  • Page 328: Setting The Dscp Value For Packets Sent By The Ssh Client

    Task / Command / Remarks
    • For an IPv4 server, in non-FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *...
  • Page 329: Displaying And Maintaining Ssh

    Step / Command / Remarks
    Set the DSCP value for packets sent by the SSH client:
    • Set the DSCP value for IPv4 packets sent by the SSH client: ssh client dscp dscp-value. Optional. By default, the DSCP value is 16 in IPv4 packets sent by the SSH client.
  • Page 330: When The Switch Acts As A Server For Password Authentication

    When the switch acts as a server for password authentication Network requirements As shown in Figure 90, a host (the SSH client) and a switch (the SSH server) are directly connected. Configure an SSH user on the switch so that the host can securely log in to the switch after passing password authentication.
  • Page 331

    [Switch] user-interface vty 0 15
    [Switch-ui-vty0-15] authentication-mode scheme
    # Enable the user interfaces to support SSH.
    [Switch-ui-vty0-15] protocol inbound ssh
    [Switch-ui-vty0-15] quit
    # Create local user client001, and set the user command privilege level to 3.
    [Switch] local-user client001
    [Switch-luser-client001] password simple aabbcc
    [Switch-luser-client001] service-type ssh
    [Switch-luser-client001] authorization-attribute level 3
    [Switch-luser-client001] quit...
  • Page 332: When The Switch Acts As A Server For Publickey Authentication

    Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the configuration interface of the server.
    When the switch acts as a server for publickey authentication
    Network requirements
    As shown in Figure...
  • Page 333

    Figure 93 Generating the key pair on the client
    While the generator is generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 94. Otherwise, the progress bar stops moving and the key pair generation process will be stopped.
  • Page 334

    Figure 94 Generating process
    After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
    Figure 95 Saving the key pair on the client...
  • Page 335

    Click Save private key to save the private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). Transmit the public key file to the server through FTP or TFTP.
  • Page 336

    # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
    [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Specify the private key file and establish a connection to the SSH server:
    Launch PuTTY.exe to enter the interface as shown in Figure In the Host Name (or IP address) text box, enter the IP address of the server 192.168.1.40.
  • Page 337: Ssh Client Configuration Examples

    Figure 97 Specifying the private key file
    Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server.
    SSH client configuration examples
    Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode.
  • Page 338

    # Generate RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...
  • Page 339

    # Configure an IP address for VLAN-interface 1.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    [SwitchA] quit
    # Establish a connection between the SSH client and the SSH server:
    If the client supports first-time authentication, you can directly establish a connection from the client to the server.
  • Page 340: When Switch Acts As Client For Publickey Authentication

    [SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D
    [SwitchA-pkey-key-code]485348
    [SwitchA-pkey-key-code] public-key-code end
    [SwitchA-pkey-public-key] peer-public-key end
    # Specify the host public key for the SSH server 10.165.87.136 as key1.
    [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
    [SwitchA] quit
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA>...
  • Page 341

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++
    # Export the DSA public key to file key.pub.
    [SwitchA] public-key local export dsa ssh2 key.pub
    [SwitchA] quit
    Then, transmit the public key file to the server through FTP or TFTP.
    Configure the SSH server:
    # Generate RSA key pairs.
    <SwitchB>...
  • Page 342

    [SwitchB] public-key peer Switch001 import sshkey key.pub
    # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Establish an SSH connection to the server 10.165.87.136.
    <SwitchA>...
  • Page 343: Configuring Sftp

    Configuring SFTP
    Overview
    The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
  • Page 344: Configuring The Sftp Connection Idle Timeout Period

    Set the user privilege level to any value from 0 to 3 if the SFTP client executes other commands.
    To enable the SFTP server:
    Step / Command / Remarks
    1. Enter system view: system-view
    2. Enable the SFTP server: sftp server enable. Disabled by default.
    Configuring the SFTP connection idle timeout period
    Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.
  • Page 345: Establishing A Connection To The Sftp Server

    Establishing a connection to the SFTP server
    This configuration task enables the SFTP client to establish a connection to the remote SFTP server and enter SFTP client view.
    To enable the SFTP client:
    Task / Command / Remarks
    • Establish a connection to the remote IPv4 SFTP server and enter SFTP client view, in non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ]...
  • Page 346: Working With Sftp Files

    Step / Command / Remarks
    1. Enter SFTP client view: Execute the command in user view. For more information, see "Establishing a connection to the SFTP server."
    2. Change the working directory of the remote SFTP server: cd [ remote-path ]. Optional.
    3. Return to the upper-level directory: cdup. Optional.
  • Page 347: Displaying Help Information

    Step / Command / Remarks
    Delete one or more directories from the SFTP server: delete remote-file&<1-10> or remove remote-file&<1-10>. Optional. The delete command functions as the remove command.
    Displaying help information
    This configuration task displays a list of all commands or the help information of an SFTP client command, such as the command format and parameters.
  • Page 348: Sftp Client Configuration Example

    Step / Command / Remarks
    Set the DSCP value for packets sent by the SFTP client:
    • Set the DSCP value for IPv4 packets sent by the SFTP client: sftp client dscp dscp-value. Optional. By default, the DSCP value is 16 in IPv4 packets sent by the SFTP client.
    •...
  • Page 349

    [SwitchA] public-key local export rsa ssh2 pubkey
    [SwitchA] quit
    Then, transmit the public key file to the server through FTP or TFTP.
    Configure the SFTP server:
    # Generate RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 350

    [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey Switch001 work-directory flash:/
    Establish a connection between the SFTP client and the SFTP server:
    # Establish a connection to the remote SFTP server and enter SFTP client view.
    <SwitchA> sftp 192.168.0.1 identity-key rsa
    Input Username: client001
    Trying 192.168.0.1 ...
  • Page 351: Sftp Server Configuration Example

    File successfully renamed
    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
    drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup...
  • Page 352

    Configuration procedure
    Configure the SFTP server:
    # Generate RSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
    Press CTRL+C to abort.
  • Page 353

    # Configure the user authentication method as password and service type as SFTP.
    [Switch] ssh user client002 service-type sftp authentication-type password
    Establish a connection between the SFTP client and the SFTP server:
    The switch supports a variety of SFTP client software. The following example uses PSFTP of PuTTY Version 0.58.
  • Page 354: Configuring Scp

    Configuring SCP
    Overview
    Secure copy (SCP) is based on SSH2.0 and offers a secure approach to copying files. SCP uses SSH connections for copying files. The switch can act as the SCP server, allowing a user to log in to the switch for file upload and download. The switch can also act as an SCP client, enabling a user to log in from the switch to a remote server for secure file transfer.
  • Page 355: Configuring The Switch As The Scp Client

    • If publickey authentication, whether with password authentication or not, is used, you must set the working directory in the ssh user command.
    Configuring the switch as the SCP client
    To transfer files with an SCP server:
    Step / Command / Remarks
    •...
  • Page 356: Scp Server Configuration Example

    Figure 103 Network diagram
    Configuration procedure
    # Create VLAN-interface 1 and assign an IP address to it.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    # Download the file remote.bin from the SCP server, save it locally and change the file name to local.bin.
    <SwitchA>...
  • Page 357

    Input the bits of the modulus[default = 1024]:
    Generating Keys...
    ++++++++
    ++++++++++++++
    +++++
    ++++++++
    # Generate a DSA key pair.
    [Switch] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 358: Configuring Ssl

    Configuring SSL
    Overview
    Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and online banking to ensure secure data transmission over the Internet.
    SSL security mechanism
    Secure connections provided by SSL have these features:
    • Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the key...
  • Page 359: Fips Compliance

    Figure 106 SSL protocol stack
    • SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.
    • SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
  • Page 360

    Step / Command / Remarks
    1. Enter system view: system-view
    2. Create an SSL server policy and enter its view: ssl server-policy policy-name
    Optional. By default, no PKI domain is specified for an SSL server policy. The SSL server generates a certificate itself instead of requesting one from the CA.
  • Page 361: Ssl Server Policy Configuration Example

    Step / Command / Remarks
    Enable SSL client weak authentication: client-verify weaken. Optional. Disabled by default. This command takes effect only when the client-verify enable command is configured.
    SSL server policy configuration example
    Network requirements
    As shown in Figure 107, users need to access and control the device through web pages. For security of the device and to make sure that data is not eavesdropped or tampered with, configure the device so that users must use HTTPS (Hypertext Transfer Protocol Secure, which uses SSL) to log in to the web interface of the device.
  • Page 362

    # Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
    [Device] pki domain 1
    [Device-pki-domain-1] ca identifier ca server
    [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
    [Device-pki-domain-1] certificate request from ra...
  • Page 363: Configuring An Ssl Client Policy

    Configuring an SSL client policy
    An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.
    To configure an SSL client policy:
    Step / Command...
  • Page 364: Displaying And Maintaining Ssl

    Displaying and maintaining SSL
    Task / Command / Remarks
    Display SSL server policy information: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]. Available in any view.
    Display SSL client policy information: display ssl client-policy { policy-name | all } [ | { begin | ... Available in any view.
  • Page 365: Configuring Tcp Attack Protection

    SYN Flood attacks.
    Follow these guidelines when you enable the SYN Cookie feature:
    • If you enable MD5 authentication for TCP connections on the HP 3600 v2 EI, the SYN Cookie configuration is ineffective. Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective.
  • Page 366: Configuring Tcp Fragment Attack Protection

    Configuring TCP fragment attack protection
    The TCP fragment attack protection feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that a packet filter cannot detect. As defined in RFC 1858, attack TCP fragments refer to the following TCP fragments:
    •...
  • Page 367: Configuring Ip Source Guard

    Configuring IP source guard
    Overview
    IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops packets that do not match the table. The IP source guard binding table can include global and interface-specific binding entries. IP source guard first uses the interface-specific binding entries to match packets.
  • Page 368: Dynamic Ip Source Guard Binding Entries

    For information about ARP detection, see "Configuring ARP attack protection." For information about ND detection, see "Configuring ND attack defense."
    Static IP source guard binding entries can be global or interface-specific.
    • Global static binding entry—Binds the IP address and MAC address in system view. The binding...
  • Page 369: Configuring The Ipv4 Source Guard Feature

    Task / Remarks
    Configuring IPv4 source guard on an interface: Required
    Configuring a static IPv4 source guard binding entry: Optional
    Setting the maximum number of IPv4 source guard binding entries: Optional
    Complete the following tasks to configure IPv6 source guard:
    Task / Remarks
    Configuring IPv6 source guard on an interface: Required...
  • Page 370: Configuring A Static Ipv4 Source Guard Binding Entry

    Step / Command / Remarks
    Enable 802.1X globally: dot1x. Optional. By default, 802.1X is disabled globally.
    Enter interface view: interface interface-type interface-number. The term "interface" collectively refers to the following types of ports and interfaces: bridge mode (Layer 2) Ethernet ports, VLAN interfaces, and port groups.
    Optional.
  • Page 371: Setting The Maximum Number Of Ipv4 Source Guard Binding Entries

    Step / Command / Remarks
    Configure a global static IPv4 source guard binding entry: ip source binding ip-address ip-address mac-address mac-address. By default, no global static IPv4 binding entry exists.
    Configuring a static IPv4 source guard binding entry on an interface
    When you configure a static IPv4 source guard binding entry on an interface, follow these guidelines:
    • You cannot repeatedly configure the same static binding entry on one interface, but you can...
  • Page 372: Configuring The Ipv6 Source Guard Feature

    Step / Command / Remarks
    1. Enter Layer 2 Ethernet interface view: interface interface-type interface-number
    2. Set the maximum number of IPv4 binding entries for the interface: ip verify source max-entries number. Optional. 2048 by default.
    Configuring the IPv6 source guard feature
    You cannot enable IPv6 source guard on a link aggregation member port or a service loopback port. If IPv6 source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.
  • Page 373: Configuring A Static Ipv6 Source Guard Binding Entry

    Step / Command / Remarks
    1. Enter Layer 2 Ethernet interface view or port group view: interface interface-type interface-number
    2. Configure the IPv6 source guard feature on the...: ipv6 verify source { ipv6-address | ... Not configured by default. The keyword specified in the ipv6 verify source command is only for instructing the generation of dynamic IPv6 source guard...
  • Page 374: Setting The Maximum Number Of Ipv6 Source Guard Binding Entries

    • IP source guard does not use the VLAN information (if specified) in static IPv6 binding entries to filter packets.
    • When the ND detection feature is configured, be sure to specify the VLAN where ND detection is configured in static binding entries. Otherwise, ND packets will be discarded because they cannot match any static IPv6 binding entry.
  • Page 375: Ip Source Guard Configuration Examples

    Task / Command / Remarks
    Display static IPv4 source guard binding entries: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
    Display IPv4 source guard binding...: display ip source binding [ interface interface-type interface-number |...
  • Page 376

    Figure 109 Network diagram
    Configuration procedure
    Configure Device A:
    # Configure the IPv4 source guard feature on Ethernet 1/0/2 to filter packets based on both the source IP address and MAC address.
    <DeviceA> system-view
    [DeviceA] interface ethernet 1/0/2
    [DeviceA-Ethernet1/0/2] ip verify source ip-address mac-address
    # Configure Ethernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
  • Page 377: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    # Configure the IPv4 source guard feature on Ethernet 1/0/1 to filter packets based on the source IP address.
    [DeviceB] interface ethernet 1/0/1
    [DeviceB-Ethernet1/0/1] ip verify source ip-address
    # Configure Ethernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
  • Page 378: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    [Device] dhcp-snooping
    # Configure Ethernet 1/0/2 as a trusted port.
    [Device] interface ethernet1/0/2
    [Device-Ethernet1/0/2] dhcp-snooping trust
    [Device-Ethernet1/0/2] quit
    Configure the IPv4 source guard feature.
    # Configure the IPv4 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 379: Static Ipv6 Source Guard Configuration Example

    Figure 111 Network diagram
    Configuration procedure
    Configure the IPv4 source guard feature:
    # Configure the IP addresses of the interfaces. (Details not shown.)
    # Configure the IPv4 source guard feature on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.
    <Switch>...
  • Page 380: Dynamic Ipv6 Source Guard Using Dhcpv6 Snooping Configuration Example

    Figure 112 Network diagram
    Configuration procedure
    # Configure the IPv6 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
    <Device> system-view
    [Device] interface ethernet 1/0/1
    [Device-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address
    # Configure Ethernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
  • Page 381: Dynamic Ipv6 Source Guard Using Nd Snooping Configuration Example

    Configuration procedure Configure DHCPv6 snooping: # Enable DHCPv6 snooping globally. <Device> system-view [Device] ipv6 dhcp snooping enable # Enable DHCPv6 snooping in VLAN 2. [Device] vlan 2 [Device-vlan2] ipv6 dhcp snooping vlan enable [Device-vlan2] quit # Configure the port connecting to the DHCP server as a trusted port. [Device] interface ethernet 1/0/2 [Device-Ethernet1/0/2] ipv6 dhcp snooping trust [Device-Ethernet1/0/2] quit...
  • Page 382: Global Static Ip Source Guard Configuration Example

    Figure 114 Network diagram Configuration procedure Configure ND snooping: # In VLAN 2, enable ND snooping. <Device> system-view [Device] vlan 2 [Device-vlan2] ipv6 nd snooping enable [Device-vlan2] quit Configure the IPv6 source guard feature: # Configure the IPv6 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 383 Figure 115 Network diagram Configuration procedure # Create VLAN 10, and assign Ethernet 1/0/2 to VLAN 10. <DeviceB> system-view [DeviceB] vlan 10 [DeviceB-vlan10] port ethernet1/0/2 [DeviceB-vlan10] quit # Create VLAN 20, and assign Ethernet 1/0/3 to VLAN 20. [DeviceB] vlan 20 [DeviceB-vlan20] port ethernet1/0/3 [DeviceB-vlan20] quit # Configure the link type of Ethernet 1/0/1 as trunk, and permit packets of VLAN 10 and VLAN 20 to...
  • Page 384: Troubleshooting Ip Source Guard

    Verifying the configuration # Display static IPv4 source guard binding entries on Device B. [DeviceB] display ip source binding static Total entries found: 2 MAC Address IP Address VLAN Interface Type 0001-0203-0406 192.168.0.2 Static 0001-0203-0407 192.168.1.2 Static # Verify that Host A and Host B can ping each other successfully. Troubleshooting IP source guard Symptom Failed to configure static or dynamic IP source guard on a port.
  • Page 385: Configuring Arp Attack Protection

    Configuring ARP attack protection The term "interface" in this chapter collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide).
  • Page 386: Configuring Arp Defense Against Ip Packet Attacks

    Task Remarks Optional. Configuring ARP active acknowledgement Configure this function on gateways (recommended). Optional. Configuring ARP detection Configure this function on access devices (recommended). Optional. Configuring ARP automatic scanning and fixed Configure this function on gateways (recommended). Optional. Configuring ARP gateway protection Configure this function on access devices (recommended).
  • Page 387: Enabling Arp Black Hole Routing

    Step: Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in 5 consecutive seconds. Command: arp source-suppression limit limit-value. Remarks: Optional. 10 by default. Enabling ARP black hole routing Step Command Remarks...
  • Page 388 Figure 116 Network diagram (figure: IP network, ARP attack protection gateway device, VLAN 10 and VLAN 20, Host A through Host D, R&D and Office) Configuration considerations If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps: Enable ARP source suppression.
  • Page 389: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit Introduction The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU on a switch. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected to the CPU for checking.
  • Page 390: Configuring Source Mac Address Based Arp Attack Detection

    Step: Configure ARP packet rate limit. Command: arp rate-limit { disable | rate pps drop }. Remarks: By default, ARP packet rate limit is disabled. Configuring source MAC address based ARP attack detection With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU.
  • Page 391: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Displaying and maintaining source MAC address based ARP attack detection Task: Display attacking MAC addresses detected by source MAC address based ARP attack detection. Command: display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | ... Remarks: Available in any view.
  • Page 392: Configuring Arp Packet Source Mac Address Consistency Check

    Configure the MAC address of the server as a protected MAC address so that it can send ARP packets Configuration procedure # Enable source MAC address based ARP attack detection and specify the filter mode. <Device> system-view [Device] arp anti-attack source-mac filter # Set the threshold to 30.
  • Page 393: Configuration Procedure

    Configuration procedure To configure ARP active acknowledgement: Step: Enter system view. Command: system-view. Step: Enable the ARP active acknowledgement function. Command: arp anti-attack active-ack enable. Remarks: Disabled by default. Configuring ARP detection Introduction ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.
  • Page 394: Configuring Arp Packet Validity Check

    Configuration guidelines Follow these guidelines when you configure user validity check: • Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard." • Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more...
  • Page 395: Configuring Arp Restricted Forwarding

    • src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded. • dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
  • Page 396: Configuring The Arp Detection Logging Function

    Configuring the ARP detection logging function The ARP detection logging function enables a device to generate ARP detection log messages when ARP packet attacks are detected. An ARP detection log message can include the following information: • Receiving interface of the ARP packets. Sender IP address.
  • Page 397 Figure 118 Network diagram Configuration procedure Add all ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure Switch A as a DHCP server: # Configure DHCP address pool 0. <SwitchA>...
  • Page 398: User Validity Check And Arp Packet Validity Check Configuration Example

    # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default). [SwitchB-vlan10] interface ethernet 1/0/3 [SwitchB-Ethernet1/0/3] arp detection trust [SwitchB-Ethernet1/0/3] quit After the preceding configurations are complete, when ARP packets arrive at interfaces Ethernet 1/0/1 and Ethernet 1/0/2, they are checked against 802.1X security entries.
  • Page 399: Arp Restricted Forwarding Configuration Example

    [SwitchB-Ethernet1/0/3] dhcp-snooping trust [SwitchB-Ethernet1/0/3] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port (a port is an untrusted port by default). [SwitchB-vlan10] interface ethernet 1/0/3 [SwitchB-Ethernet1/0/3] arp detection trust [SwitchB-Ethernet1/0/3] quit # Configure a static IP source guard binding entry on interface Ethernet 1/0/2.
  • Page 400 Configure DHCP address pool 0 on Switch A as a DHCP server. <SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 Configure the DHCP client on Hosts A and B. (Details not shown.) Configure Switch B. # Enable DHCP snooping, and configure Ethernet 1/0/3 as a DHCP-trusted port.
  • Page 401: Configuring Arp Automatic Scanning And Fixed Arp

    ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
  • Page 402: Configuring Arp Gateway Protection

    Configuring ARP gateway protection The ARP gateway protection feature, if configured on ports not connected with the gateway, can block gateway spoofing attacks. When such a port receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway.
  • Page 403: Configuring Arp Filtering

    Figure 121 Network diagram Configuration procedure # Configure ARP gateway protection on Switch B. <SwitchB> system-view [SwitchB] interface ethernet 1/0/1 [SwitchB-Ethernet1/0/1] arp filter source 10.1.1.1 [SwitchB-Ethernet1/0/1] quit [SwitchB] interface ethernet 1/0/2 [SwitchB-Ethernet1/0/2] arp filter source 10.1.1.1 After the configuration is complete, Switch B will discard the ARP packets whose source IP address is that of the gateway.
  • Page 404: Configuration Example

    Step: Enter system view. Command: system-view. Step: Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view. Command: interface interface-type interface-number. Step: Configure an ARP filtering entry. Command: arp filter binding ip-address mac-address. Remarks: Not configured by default. Configuration example Network requirements As shown in Figure 122, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233.
  • Page 405: Configuring Nd Attack Defense

    Configuring ND attack defense Overview The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
  • Page 406: Enabling Source Mac Consistency Check For Nd Packets

    • The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid. To identify forged ND packets, HP developed the source MAC consistency check and ND detection features. Enabling source MAC consistency check for ND...
  • Page 407: Configuration Guidelines

    If an exact match is found in either the DHCPv6 snooping or ND snooping table, the ND packet is forwarded. If no match is found in either table, the packet is discarded. If neither the DHCPv6 snooping table nor the ND snooping table is available, the ND packet is discarded. Configuration guidelines Follow these guidelines when you configure ND detection: To create IPv6 static bindings with IP source guard, use the ipv6 source binding command.
  • Page 408: Nd Detection Configuration Example

    Task: Clear the statistics by ND detection. Command: reset ipv6 nd detection statistics [ interface interface-type interface-number ]. Remarks: Available in user view. ND detection configuration example Network requirements As shown in Figure 124, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405.
  • Page 409 [SwitchA] interface ethernet 1/0/3 [SwitchA-Ethernet1/0/3] port link-type trunk [SwitchA-Ethernet1/0/3] port trunk permit vlan 10 [SwitchA-Ethernet1/0/3] quit # Assign an IPv6 address to VLAN-interface 10. [SwitchA] interface vlan-interface 10 [SwitchA-Vlan-interface10] ipv6 address 10::1/64 [SwitchA-Vlan-interface10] quit Configuring Switch B: # Enable IPv6 forwarding. <SwitchB>...
  • Page 410: Configuring Urpf

    Configuring URPF The term "router" in this feature refers to both routers and Layer 3 switches. Overview Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers launch source spoofing attacks by creating packets with forged source addresses.
  • Page 411 Figure 126 URPF work flow (flowchart: check the source address of the received packet; decision nodes for a broadcast source address, an all-zero source address, a broadcast destination address, whether a FIB entry matches the source address, whether there is a default route, whether URPF is loose, and whether the matching route ...; failed checks lead to Discard)
  • Page 412 For other packets, proceeds to step 2. URPF checks whether the source address matches a FIB entry: If yes, proceeds to step 3. If not, proceeds to step 6. URPF checks whether the check mode is loose: If yes, proceeds to step 8. If not, URPF checks whether the matching route is a direct route: if yes, proceeds to step 5;...
  • Page 413: Network Application

    Remarks: Disabled by default. NOTE: • The routing table size decreases by half when URPF is enabled on HP 3600 v2 Switch Series. • To prevent loss of routes and packets, URPF cannot be enabled if the number of route entries the switch...
  • Page 414 Figure 128 Network diagram Configuration procedure Enable strict URPF check on Switch A. <SwitchA> system-view [SwitchA] ip urpf strict Enable strict URPF check on Switch B. <SwitchB> system-view [SwitchB] ip urpf strict...
  • Page 415: Configuring Mff

    Configuring MFF Overview Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. However, when a large number of hosts need to be isolated at Layer 2, many VLAN resources are occupied, and many IP addresses are used because you have to assign a network segment to each VLAN and an IP address to each VLAN interface for Layer 3 communication.
  • Page 416: Basic Concepts

    NOTE: An MFF-enabled device and a host cannot ping each other. Basic concepts A device with MFF enabled provides two types of ports: user port and network port. If you enable MFF for a VLAN, each port in the VLAN must be an MFF network or user port. Link aggregation is supported by network ports in an MFF-enabled VLAN, but is not supported by user ports in the VLAN.
  • Page 417: Working Mechanism

    In manual mode, after receiving an ARP request for a host's MAC address from the gateway, the MFF device directly replies to the gateway with the host's MAC address according to the ARP snooping entries. The MFF device also forges ARP requests to get the gateway's MAC address based on ARP snooping entries.
  • Page 418: Configuring Mff

    Configuring MFF Configuration prerequisites • In MFF automatic mode, enable DHCP snooping on the device and configure DHCP snooping trusted ports. • In MFF manual mode, enable ARP snooping on the device. Enabling MFF To enable MFF and specify an MFF operating mode: Step Command Remarks...
  • Page 419: Specifying The Ip Addresses Of Servers

    Step: Enter system view. Command: system-view. Step: Enter VLAN view. Command: vlan vlan-id. Step: Enable periodic gateway probe. Command: mac-forced-forwarding gateway probe. Remarks: Disabled by default. Specifying the IP addresses of servers You need to maintain a server list on the MFF device. The list contains the IP addresses of servers in the network to ensure communication between the servers and clients.
  • Page 420: Mff Configuration Examples

    MFF configuration examples Auto-mode MFF configuration example in a tree network Network requirements As shown in Figure 130, all the devices are in VLAN 100. Host A, Host B, and Host C obtain IP addresses from the DHCP server. They are isolated at Layer 2, and can communicate with each other through the gateway.
  • Page 421: Auto-Mode Mff Configuration Example In A Ring Network

    [SwitchA] vlan 100 [SwitchA-vlan-100] mac-forced-forwarding auto [SwitchA-vlan-100] quit # Configure Ethernet 1/0/2 as a network port. [SwitchA] interface ethernet 1/0/2 [SwitchA-Ethernet1/0/2] mac-forced-forwarding network-port # Configure Ethernet 1/0/2 as a DHCP snooping trusted port. [SwitchA-Ethernet1/0/2] dhcp-snooping trust Configure Switch B: # Enable DHCP snooping. <SwitchB>...
  • Page 422 <Gateway> system-view [Gateway] interface Vlan-interface 1 [Gateway-Vlan-interface1] ip address 10.1.1.100 24 Configure the DHCP server: # Enable DHCP and configure an address pool. <Device> system-view [Device] dhcp enable [Device] dhcp server ip-pool 1 [Device-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0 # Add gateway's IP address into DHCP address pool 1. [Device-dhcp-pool-1] gateway-list 10.1.1.100 [Device-dhcp-pool-1] quit # Configure the IP address of VLAN-interface 1.
  • Page 423: Manual-Mode Mff Configuration Example In A Tree Network

    [SwitchB-vlan-100] quit # Configure Ethernet 1/0/4 as a network port. [SwitchB] interface ethernet 1/0/4 [SwitchB-Ethernet1/0/4] mac-forced-forwarding network-port # Configure Ethernet 1/0/4 as a DHCP snooping trusted port. [SwitchB-Ethernet1/0/4] dhcp-snooping trust no-user-binding [SwitchB-Ethernet1/0/4] quit # Configure Ethernet 1/0/6 as a network port. [SwitchB] interface ethernet 1/0/6 [SwitchB-Ethernet1/0/6] mac-forced-forwarding network-port # Configure Ethernet 1/0/6 as a DHCP snooping trusted port.
  • Page 424: Manual-Mode Mff Configuration Example In A Ring Network

    # Configure manual-mode MFF. [SwitchA] vlan 100 [SwitchA-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchA-vlan-100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping. [SwitchA-vlan-100] arp-snooping enable [SwitchA-vlan-100] quit # Configure Ethernet 1/0/2 as a network port. [SwitchA] interface ethernet 1/0/2 [SwitchA-Ethernet1/0/2] mac-forced-forwarding network-port Configure Switch B:...
  • Page 425 Figure 133 Network diagram Configuration procedure Configure IP addresses of the hosts, as shown in Figure 133. Configure the IP address of VLAN-interface 1 on the gateway. <Gateway> system-view [Gateway] interface Vlan-interface 1 [Gateway-Vlan-interface1] ip address 10.1.1.100 24 Configure Switch A: # Enable STP.
  • Page 426 [SwitchB-vlan-100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping. [SwitchB-vlan-100] arp-snooping enable [SwitchB-vlan-100] quit # Configure Ethernet 1/0/4 and Ethernet 1/0/6 as network ports. [SwitchB] interface ethernet 1/0/4 [SwitchB-Ethernet1/0/4] mac-forced-forwarding network-port [SwitchB-Ethernet1/0/4] quit [SwitchB] interface ethernet 1/0/6 [SwitchB-Ethernet1/0/6] mac-forced-forwarding network-port Enable STP on Switch C.
  • Page 427: Configuring Savi

    Configuring SAVI Overview Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol packets, ND protocol packets, and IPv6 data packets.
  • Page 428: Savi Configuration In Dhcpv6-Only Address Assignment Scenario

    Step: Set the time to wait for a DAD NS from a DHCPv6 client. Command: ipv6 savi dad-preparedelay value. Remarks: Optional. One second by default. This command is used with the DHCPv6 snooping function. After DHCPv6 snooping detects that a client obtains an IPv6 address, it monitors whether the client detects IP address...
  • Page 429: Packet Check Principles

    Enable ND detection in VLAN 2 to check the ND packets arrived on the ports. For more information about ND detection, see "Configuring ND attack defense." Configure a static IPv6 source guard binding entry on each interface connected to a client. This step is optional.
  • Page 430: Savi Configuration In Slaac-Only Address Assignment Scenario

    [SwitchB] interface ethernet 1/0/2 [SwitchB-Ethernet1/0/2] ipv6 verify source ipv6-address mac-address [SwitchB-Ethernet1/0/2] quit [SwitchB] interface ethernet 1/0/3 [SwitchB-Ethernet1/0/3] ipv6 verify source ipv6-address mac-address [SwitchB-Ethernet1/0/3] quit SAVI configuration in SLAAC-only address assignment scenario Network requirements Figure 135 Network diagram (figure: Internet, Gateway, Switch A with Eth1/0/3 and Vlan-int10 10::1, ...)
  • Page 431: Packet Check Principles

    Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see "Configuring IP source guard."...
  • Page 432: Savi Configuration In Dhcpv6+Slaac Address Assignment Scenario

    [SwitchB-Ethernet1/0/1] ipv6 verify source ipv6-address mac-address [SwitchB-Ethernet1/0/1] quit [SwitchB] interface ethernet 1/0/2 [SwitchB-Ethernet1/0/2] ipv6 verify source ipv6-address mac-address [SwitchB-Ethernet1/0/2] quit SAVI configuration in DHCPv6+SLAAC address assignment scenario Network requirements Figure 136 Network diagram As shown in Figure 136, Switch B connects to the DHCPv6 server through interface Ethernet 1/0/1 and connects to the DHCPv6 client through interface Ethernet 1/0/3.
  • Page 433: Packet Check Principles

    Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see "Configuring IP source guard."...
  • Page 434 [SwitchB-Ethernet1/0/2] quit # Configure the dynamic IPv6 source guard binding function on downlink ports Ethernet 1/0/3 through Ethernet 1/0/5. [SwitchB] interface ethernet 1/0/3 [SwitchB-Ethernet1/0/3] ipv6 verify source ipv6-address mac-address [SwitchB-Ethernet1/0/3] quit [SwitchB] interface ethernet 1/0/4 [SwitchB-Ethernet1/0/4] ipv6 verify source ipv6-address mac-address [SwitchB-Ethernet1/0/4] quit [SwitchB] interface ethernet 1/0/5 [SwitchB-Ethernet1/0/5] ipv6 verify source ipv6-address mac-address...
  • Page 435: Configuring Blacklist

    Configuring blacklist Overview The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and fast in filtering packets sourced from particular IP addresses. The device can dynamically add and remove blacklist entries by cooperating with the login user authentication feature.
  • Page 436: Blacklist Configuration Example

    Blacklist configuration example Network requirements As shown in Figure 137, Host A, Host B, and Host C are internal users, and external user Host D is considered an attacker. Configure Device to always filter packets from Host D, and to prevent internal users from guessing passwords.
  • Page 437 Host D and Host C are on the blacklist. Host C will stay on the list for 10 minutes, and will then be able to try to log in again. The entry for Host D will never age out. When you do not consider Host D an attacker anymore, you can use the undo blacklist ip 5.5.5.5 command to remove the entry.
  • Page 438: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the requirements for cryptography modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the switch supports Level 2.
  • Page 439: Configuration Procedure

    If the self-test fails, the device automatically reboots. Configuration procedure To configure FIPS, complete the following tasks: Remove the existing key pairs and certificates. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP. Enable the FIPS mode. Enable the password control function. Configure local user attributes (including local username, service type, password, and so on) on the switch.
  • Page 440: Triggering A Self-Test

    Triggering a self-test To examine whether the cryptography modules operate normally, you can use a command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots. To trigger a self-test: Step Command...
  • Page 441: Verifying The Configuration

    # Create a local user named test, and set its service type as terminal, privilege level as 3, and password as AAbbcc1234%. The password is a string of at least 10 characters by default and must contain both uppercase and lowercase letters, digits, and special characters. [Sysname] local-user test [Sysname-luser-test] service-type terminal [Sysname-luser-test] authorization-attribute level 3...
  • Page 442 Confirm :********** Updating user(s) information, please wait... <Sysname> # Display the current FIPS mode. You can see that the FIPS mode is enabled. <Sysname> display fips status FIPS mode is enabled...
  • Page 443: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 444: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface: Bold text represents commands and keywords that you enter literally as shown. Italic: Italic text represents arguments that you replace with actual values. [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional. { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which...
  • Page 445 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 446: Index

    Index A B C D E F H I L M N O P R S T U Configuring an access control policy,258 Configuring an entity DN,251 AAA configuration considerations and task list,15 Configuring an IKE peer,295 AAA configuration examples,51 Configuring an IKE proposal,294 overview,1...
  • Page 447 FIPS self-tests,425 Displaying and maintaining AAA,50 Displaying and maintaining EAD fast deployment,105 HABP configuration example,235 Displaying and maintaining FIPS,427 HP implementation of 802.1X,74 Displaying and maintaining HABP,235 Displaying and maintaining IKE,299 Displaying and maintaining IP source guard,361 Ignoring authorization information,206...
  • Page 448 SAVI configuration in SLAAC-only address assignment scenario,417 Overview,233 Setting keepalive timers,297 Overview,304 Setting port security's limit on the number of MAC Overview,330 addresses on a port,201 Overview,103 Setting the 802.1X authentication timeout timers,84 Overview,219 Setting the EAD rule timer,104 Overview,270 Setting the maximum number of 802.1X authentication Overview,197 attempts for MAC authentication...
  • Page 449 Troubleshooting SSL,351 User profile configuration task list,219 Using MAC authentication with other features,109 URPF configuration example,400...