HP A5830 Series, Configuration Manual

Page 1: ...rocedures These configuration guides also provide configuration examples to help you apply software features to different network scenarios This documentation is intended for network planners field technical support and servicing engineers and network administrators working with the HP A Series products Part number 5998 2067 Software version Release 1109 Document version 6W100 20110715 ...

Page 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Page 3: ...nctions configuration task list 43 Configuring a RADIUS user 43 Specifying a RADIUS client 44 Displaying and maintaining AAA 44 AAA configuration examples 44 AAA for Telnet users by an HWTACACS server 44 AAA for Telnet users by separate servers 46 Authentication authorization for SSH Telnet users by a RADIUS server 47 AAA for 802 1X users by a RADIUS server 50 Level switching authentication for Te...

Page 4: ...with guest VLAN and VLAN assignment configuration example 86 802 1X with ACL assignment configuration example 89 Configuring EAD fast deployment 91 EAD fast deployment implementation 91 Configuration prerequisites 91 Configuration procedure 91 Displaying and maintaining EAD fast deployment 92 EAD fast deployment configuration example 93 Troubleshooting EAD fast deployment 95 Web browser users cann...

Page 5: ...t the port security mode 126 Cannot configure secure MAC addresses 126 Cannot change port security mode when a user is online 126 Configuring password control 128 Password control configuration task list 130 Enabling password control 131 Setting global password control parameters 131 Setting user group password control parameters 132 Setting local user password control parameters 133 Setting super...

Page 6: ...sk list 170 Generating a DSA or RSA key pair 171 Enabling the SSH server function 171 Configuring the user interfaces for SSH clients 171 Configuring a client public key 172 Configuring an SSH user 173 Setting the SSH management parameters 174 Configuring the switch as an SSH client 175 SSH client configuration task list 175 Specifying a source ip address interface for the SSH client 175 Configuri...

Page 7: ...figuring IPv6 source guard on a port 211 Configuring a static IPv6 source guard binding entry 212 Setting the maximum number of IPv6 source guard binding entries 213 Displaying and maintaining IP source guard 213 IP source guard configuration examples 214 Static IPv4 source guard binding entry configuration example 214 Dynamic IPv4 source guard binding by DHCP snooping configuration example 216 Dy...

Page 8: ...ction configuration example 1 232 ARP detection configuration example 2 234 ARP restricted forwarding configuration example 235 Configuring ARP automatic scanning and fixed ARP 237 Configuration procedure 237 Configuring ND attack defense 239 Enabling source MAC consistency check for ND packets 240 Configuring the ND detection function 240 Configuring ND detection 241 Displaying and maintaining ND...

Page 9: ...nt for the AAA servers See Figure 1 Figure 1 Network diagram for AAA When a user tries to log in to the NAS use network resources or access other networks the NAS authenticates the user The NAS can transparently pass the user s authentication authorization and accounting information to the servers The RADIUS and HWTACACS protocols define how a NAS and a remote server exchange user information betw...

Page 10: ...rvice access It listens to connection requests authenticates users and returns user access control information for example rejecting or accepting the user access request to the clients In general the RADIUS server maintains the following databases Users Clients and Dictionary See Figure 2 Figure 2 RADIUS server components Users Stores user information such as usernames passwords applied protocols ...

Page 11: ...on information If the authentication fails the server returns an Access Reject message 4 The RADIUS client permits or denies the user according to the returned authentication result If it permits the user it sends a start accounting request Accounting Request to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response and starts accounting 6 The user accesses t...

Page 12: ...et of this type carries user information for the server to start or stop accounting for the user The Acct Status Type attribute in the packet indicates whether to start or stop accounting 5 Accounting Response From the server to the client The server sends a packet of this type to notify the client that it has received the Accounting Request and has successfully recorded the accounting information...

Page 13: ... Commonly used RADIUS attributes Number Attribute Number Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Terminate Cause 6 Service Type 50 Acct Multi Session Id 7 Framed Protocol 51 Acct Link Count 8 Framed IP Address 52 Acct Input Gigawords 9 Framed IP Netmask 53 Acct Outp...

Page 14: ...d 44 Acct Session Id 91 Tunnel Server Auth id Extended RADIUS attributes The RADIUS protocol features excellent extensibility Attribute 26 Vender Specific an attribute defined by RFC 2865 allows a vender to define extended attributes to implement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple sub attributes in the TLV format in RADIUS packets for ext...

Page 15: ...ity Table 3 lists their differences Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP providing higher transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only the user password field in an authentication packet Protocol packets are complicated and authorization is independent o...

Page 16: ...indicating the start of accounting 17 The user logs off 18 Stop accounting request 19 Stop accounting response 10 Authentication continuance packet with the login password The process is as follows 1 A Telnet user sends an access request to the HWTACACS client 2 After receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS server 3 The HWTACACS server sends ba...

Page 17: ...p accounting request to the HWTACACS server 19 The HWTACACS server sends back a stop accounting response indicating that the stop accounting request has been received Domain based user management A NAS manages users based on ISP domains On a NAS each user belongs to one ISP domain A NAS determines the ISP domain that a user belongs to by the username entered by the user at login as shown in Figure...

Page 18: ...onfiguring AAA methods for ISP domains RADIUS server feature of the switch Generally the RADIUS server runs on a computer or workstation and the RADIUS client runs on a NAS A network device that supports the RADIUS server feature can also serve as the RADIUS server It works with RADIUS clients to implement user authentication authorization and accounting As shown in Figure 8 the RADIUS server and ...

Page 19: ... Support RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS Extensions RFC 1492 An Access Control Protocol Sometimes Called TACACS RADIUS attributes Commonly used standard RADIUS attributes Number Attribute Description 1 User Name Name of the user to be authenticated 2 User Password User password for PAP authentication present only in Access Request packets in PAP authenticatio...

Page 20: ...g itself 40 Acct Status Type Type of the Accounting Request packet 1 Start 2 Stop 3 Interium Update 4 Reset Charge 7 Accounting On Defined in 3GPP the 3rd Generation Partnership Project 8 Accounting Off Defined in 3GPP 9 to 14 Reserved for tunnel accounting 15 Reserved for failed 45 Acct Authentic Authentication method used by the user 1 RADIUS 2 Local 3 Remote 60 CHAP Challenge CHAP challenge gen...

Page 21: ... retransmitted packets of the same session this attribute must take the same value For retransmitted packets of different sessions this attribute may take the same value The client response of a retransmitted packet must also carry this attribute and the value of the attribute must be the same For Accounting Request packets of the start stop and interim update types the Control Identifier attribut...

Page 22: ...ng interval in the unit set on the device 204 Output Interval Packets Packets output within an accounting interval in the unit set on the device 205 Input Interval Gigawords Result of bytes input within an accounting interval divided by 4G bytes 206 Output Interval Gigawords Result of bytes output within an accounting interval divided by 4G bytes 207 Backup NAS IP Backup source IP address for send...

Page 23: ...Remote AAA No AAA local the default None scheme local the default None scheme Table 4 AAA configuration task list Task Remarks Configuring AAA schemes Configuring local users Required Complete at least one task Configuring RADIUS schemes Configuring HWTACACS schemes Configuring AAA methods for ISP domains Creating an ISP domain Required Configuring ISP domain attributes Optional Configuring AAA au...

Page 24: ...fy a validity time and an expiration time for the account to control the validity of the account User group Each local user belongs to a local user group and bears all attributes of the group such as the password control attributes and authorization attributes For more information about local user groups see Configuring user group attributes Binding attributes Binding attributes are used to contro...

Page 25: ...mmand 3 Add a local user and enter local user view local user user name Required No local user exists by default 4 Configure a password for the local user password cipher simple password Optional If you do not configure any password for a local user the local user does not need to provide any password during authentication and can pass authentication after entering the correct local username and p...

Page 26: ...the user group the global settings both are 1 by default are used 9 Configure the binding attributes for the local user bind attribute call number call number subcall number ip ip address location port slot number subslot number port number mac mac address vlan vlan id Optional By default no binding attribute is configured for a local user Binding attributes are only intended for and LAN users 10 ...

Page 27: ...erface set by the user privilege level command in user interface view For an SSH user using public key authentication the commands that are available are determined by the level configured for the user interface For more information about user interface authentication mode and user interface command level see Fundamentals Configuration Guide You can configure the user profile authorization attribu...

Page 28: ... 5 Set the guest attribute for the user group group attribute allow guest Optional By default the guest attribute is not set for a user group and guest users created by a guest manager through the web interface cannot join the group For more information about password control attributes configuration commands see Security Command Reference Displaying and maintaining local users and local user grou...

Page 29: ...bling the trap function for RADIUS Optional Enabling the RADIUS listening port of the RADIUS client Optional Displaying and maintaining RADIUS Optional Creating a RADIUS scheme Before performing other RADIUS configurations create a RADIUS scheme and enter RADIUS scheme view To do Use the command Remarks 1 Enter system view system view 2 Create a RADIUS scheme and enter RADIUS scheme view radius sc...

Page 30: ... used if there is one When redundancy is not required specify only the primary server By setting the maximum number of real time accounting attempts for a scheme you make the switch disconnect users for whom no accounting response is received before the number of accounting attempts reaches the limit When the switch receives a connection teardown request from a host or a connection teardown notifi...

Page 31: ...configured in this task is for all servers of the same type accounting or authentication in the scheme and it has a lower priority than a shared key configured individually for a RADIUS server To set the shared keys for authenticating RADIUS packets To do Use the command Remarks 1 Enter system view system view 2 Enter RADIUS scheme view radius scheme radius scheme name 3 Set the shared key for aut...

Page 32: ...s the type of the RADIUS protocol that the switch uses to communicate with the RADIUS server It can be standard or extended Standard Uses the standard RADIUS protocol compliant to RFC 2865 and RFC 2866 or later Extended Uses the proprietary RADIUS protocol of HP When the RADIUS server runs iMC you must set the RADIUS server type to extended When the RADIUS server runs third party RADIUS server sof...

Page 33: ...condary server in the active state a secondary server configured earlier has a higher priority If the secondary server is unreachable the switch changes the server s status to blocked starts a quiet timer for the server and continues to check the next secondary server in the active state This search process continues until the switch finds an available secondary server or has checked all secondary...

Page 34: ...tatus set by the state command cannot be saved to the configuration file After the switch restarts the status of each server is restored to active To display the states of the servers use the display radius scheme command Specifying the source IP address for outgoing RADIUS packets The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIU...

Page 35: ... the switch receives no response from the RADIUS server before this timer expires it resends the request Server quiet timer quiet Defines the duration to keep an unreachable server in the blocked state If a server is not reachable the switch changes the server s status to blocked starts this timer for the server and tries to communicate with another server in the active state After this timer expi...

Page 36: ...entication or accounting failures because the switch has to repeatedly attempt to communicate with an unreachable server that is in the active state For more information about the maximum number of RADIUS packet transmission attempts see Setting the maximum number of RADIUS request transmission attempts Configuring RADIUS accounting on The accounting on feature enables a switch to send accounting ...

Page 37: ...To configure the switch to interpret the RADIUS class attribute as CAR parameters To do Use the command Remarks 1 Enter system view system view 2 Enter RADIUS scheme view radius scheme radius scheme name 3 Interpret the class attribute as CAR parameters attribute 25 car Required By default RADIUS attribute 25 is not interpreted as CAR parameters Whether interpretation of RADIUS class attribute as ...

Page 38: ...S client radius client enable Optional Enabled by default Displaying and maintaining RADIUS To do Use the command Remarks Display the configuration information of RADIUS schemes display radius scheme radius scheme name slot slot number begin exclude include regular expression Available in any view Display the statistics for RADIUS packets display radius statistics slot slot number begin exclude in...

Page 39: ...onfigurations create an HWTACACS scheme and enter HWTACACS scheme view To do Use the command Remarks 1 Enter system view system view 2 Create an HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specifying the HWTACACS authentication servers You can specify one primary authentication server and up to one secondary authentication ser...

Page 40: ...tive TCP connection for sending authorization packets is using it To specify HWTACACS authorization servers for an HWTACACS scheme To do Use the command Remarks 1 Enter system view system view 2 Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name 3 Specify the primary HWTACACS authorization server primary authorization ip address port number Required Configure at least one command No a...

Page 41: ...g server is specified by default 4 Specify the secondary HWTACACS accounting server secondary accounting ip address port number 5 Enable buffering of stop accounting requests to which no responses are received stop accounting buffer enable Optional Enabled by default 6 Set the maximum number of stop accounting attempts retry stop accounting retry times Optional 100 by default Setting the shared ke...

Page 42: ...ows and one packet for data packets by default If an HWTACACS server does not support a username that carries the domain name configure the switch to remove the domain name before sending the username to the server For level switching authentication the user name format keep original and user name format without domain commands produce the same results they make sure that usernames sent to the HWT...

Page 43: ...eives no response from the server before this timer expires it resends the request Server quiet timer quiet Defines the duration to keep an unreachable server in the blocked state If a server is not reachable the switch changes the server s status to blocked starts this timer for the server and tries to communicate with another server in the active state After this timer expires the switch changes...

Page 44: ...mes in ISP domain view Each ISP domain has a set of default AAA methods which are local authentication local authorization and local accounting by default and can be customized If you do not configure any AAA methods for an ISP domain the switch uses the system default AAA methods for authentication authorization and accounting of the users in the domain Configuration prerequisites To use local au...

Page 45: ...umber of online users in a domain to ensure system performance and service reliability Idle cut This function enables the switch to check the traffic of each online user in the domain at the idle timeout interval and to log out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic Self service server location By using the information defined...

Page 46: ...entication is performed by the NAS which is configured with the user information including the usernames passwords and attributes Local authentication allows high speed and low cost but the amount of information that can be stored is limited by the hardware Remote authentication scheme The NAS cooperates with a RADIUS or HWTACACS server to authenticate users Remote authentication provides centrali...

Page 47: ...s scheme radius scheme name local hwtacacs scheme hwtacacs scheme name local option when you configure an authentication method local authentication is the backup method and is used only when the remote server is not available If you specify only the local or none keyword in an authentication method configuration command the switch has no backup authentication method and performs only local authen...

Page 48: ...or access 3 Determine whether to configure an authorization method for all access types or service types To configure AAA authorization methods for an ISP domain To do Use the command Remarks 1 Enter system view system view 2 Enter ISP domain view domain isp name 3 Specify the default authorization method for all types of users authorization default hwtacacs scheme hwtacacs scheme name local local...

Page 49: ...scheme The NAS works with a RADIUS server or HWTACACS server for accounting You can configure local or no accounting as the backup method which is used when the remote server is not available By default an ISP domain uses the local accounting method Before you configure accounting methods complete the following tasks 1 For RADIUS or HWTACACS accounting configure the RADIUS or HWTACACS scheme to be...

Page 50: ...ting is the backup method and is used only when the remote server is not available If you specify only the local or none keyword in an accounting method configuration command the switch has no backup accounting method and performs only local accounting or does not perform any accounting Accounting is not supported for FTP services Tearing down user connections To do Use the command Remarks 1 Enter...

Page 51: ...US user To do Use the command Remarks 1 Enter system view system view 2 Create a RADIUS user and enter RADIUS server user view radius server user user name Required No RADIUS user exists by default 3 Configure a password for the RADIUS user password cipher simple password Optional By default no password is specified 4 Configure the authorization attribute for the RADIUS user authorization attribut...

Page 52: ... must be consistent with that configured on the RADIUS client Displaying and maintaining AAA To do Use the command Remarks Display the configuration information of ISP domains display domain isp name begin exclude include regular expression Available in any view Display information about user connections display connection access type dot1x mac authentication domain isp name interface interface ty...

Page 53: ...wtac primary authorization 10 1 1 1 49 Specify the primary accounting server Switch hwtacacs hwtac primary accounting 10 1 1 1 49 Set the shared key for authentication authorization and accounting packets to expert Switch hwtacacs hwtac key authentication simple expert Switch hwtacacs hwtac key authorization simple expert Switch hwtacacs hwtac key accounting simple expert Configure the scheme to r...

Page 54: ...g the username to the servers Figure 11 Configure AAA by separate servers for Telnet users Configuration procedure 1 Configure the switch Assign IP addresses to interfaces Details not shown Enable the Telnet server on the switch Switch system view Switch telnet server enable Configure the switch to use AAA for Telnet users Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme S...

Page 55: ...zation for SSH Telnet users by a RADIUS server The configuration of authentication and authorization for SSH users is similar to that for Telnet users The following uses SSH users as an example Network requirements See Figure 12 Complete the following tasks Configure an iMC server to act as the RADIUS server Configure the switch to use the RADIUS server for SSH user authentication and authorizatio...

Page 56: ...ith the IP address of 10 1 1 2 f Click OK to finish the operation The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch which is the IP address of the outbound interface by default or the IP address specified with the nas ip or radius nas ip command on the switch Figure 13 Add an access device Add a user for device m...

Page 57: ...ess of VLAN interface 3 through which the switch accesses the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure the switch to use AAA for SSH users Switch user in...

Page 58: ...cess the demands of level 0 through level 3 Use the display connection command to view the connection information on the switch Switch display connection Index 1 Username hello bbb IP 192 168 1 58 IPv6 N A Total 1 connection s matched AAA for 802 1X users by a RADIUS server Network requirements As shown in Figure 15 configure the switch to use the RADIUS server to perform authentication authorizat...

Page 59: ... the Access Device List page Then click Add to enter the Add Access Device page and perform the following configurations a Set the shared key for authentication and accounting to expert b Specify the ports for authentication and accounting as 1812 and 1813 respectively c Select LAN Access Service as the service type d Select HP A Series as the access device type e Select the switch from the device...

Page 60: ...following configurations a Add a plan named UserAcct b Select Flat rate as the charging template c In the Basic Plan Settings field set the fixed fee to be charged as 120 dollars per month d In the Service Usage Limit field set the Usage Threshold to 120 hours allowing the user to access the Internet for up to 120 hours per month e Adopt the default settings for other parameters and click OK to fi...

Page 61: ...omain name b Specify UserAcct as the Charging Plan c Select Deploy VLAN and set the ID of the VLAN to be assigned to 4 d Configure other parameters according to the actual situation e Click OK to finish the operation Figure 18 Add a service Add a user See Figure 19 Click the User tab and select All Access Users from the navigation tree to enter the All Access Users page Then click Add to enter the...

Page 62: ...d primary authentication 10 1 1 1 Switch radius rad primary accounting 10 1 1 1 Switch radius rad key authentication expert Switch radius rad key accounting expert Configure the scheme to include the domain names in usernames to be sent to the RADIUS server Switch radius rad user name format with domain Switch radius rad quit Configure an authentication domain Create an ISP domain named bbb and en...

Page 63: ...MD5 Challenge If the HP iNode client is used no advanced authentication options need to be enabled When using the HP iNode client the user can pass authentication after entering username dot1x bbb and the correct password in the client property page When using the Windows XP 802 1X client the user can pass authentication after entering the correct username and password in the pop up authentication...

Page 64: ...figure it to use local authentication for Telnet users Create a local user account configure the password and assign the privilege level for the user to use after login 2 On the switch configure the authentication method for user privilege level switching Specify to use HWTACACS authentication If HWTACACS authentication is not available use local authentication for user level switching authenticat...

Page 65: ...hentication as 49 Switch hwtacacs hwtac primary authentication 10 1 1 1 49 Set the shared key for authentication packets to expert Switch hwtacacs hwtac key authentication simple expert Configure the scheme to remove the domain name from a username before sending the username to the HWTACACS server Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Create ISP domain b...

Page 66: ...Use separate password and specify the password as enabpass Figure 21 Configure advanced attributes for the Telnet user 3 Verify the configuration After you complete the configuration the Telnet user should be able to telnet to the switch and use username test bbb and password aabbcc to enter the user interface of the switch and access all level 0 commands Switch telnet 192 168 1 70 Trying 192 168 ...

Page 67: ...al authentication Switch super 3 Password Å Enter the password for HWTACACS privilege level switch authentication Error Invalid configuration or no response from the authentication server Info Change authentication mode to local Password Å Enter the password for local privilege level switch authentication User privilege level is 3 and only those commands can be used whose level is equal or less th...

Page 68: ...rname to the RADIUS server SwitchA radius rad user name format without domain Set the source IP address for RADIUS packets as 10 1 1 1 SwitchA radius rad nas ip 10 1 1 1 SwitchA radius rad quit Create ISP domain bbb SwitchA domain bbb Specify the authentication method for Telnet users as rad SwitchA isp bbb authentication login radius scheme rad Specify the authorization method for Telnet users as...

Page 69: ...leshooting RADIUS Symptom 1 User authentication authorization always fails Analysis 1 A communication failure exists between the NAS and the RADIUS server 2 The username is not in the format of userid isp name or the ISP domain for the user authentication is not correctly configured on the NAS 3 The user is not configured on the RADIUS server 4 The password entered by the user is incorrect 5 The R...

Page 70: ...same as those configured on the RADIUS server 4 The port numbers of the RADIUS server for authentication authorization and accounting are available Symptom 3 A user is authenticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting server are not correct on the ...

Page 71: ...X clients by using the data sent from the network access device and it returns the authentication results for the network access device to make access decisions The authentication server is typically a RADIUS server In a small LAN you can also use the network access device as the authentication server Controlled uncontrolled port and port authorization status 802 1X defines two logical ports for t...

Page 72: ...e and the authentication server 802 1X delivers authentication information through one of the following methods Encapsulates EAP packets in RADIUS by using EAPOR as described in EAP relay Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets as described in EAP termination Packet formats EAP packet format Figure 25 shows the EAP packet...

Page 73: ...information 0x01 EAPOL Start The client sends an EAPOL Start message to initiate 802 1X authentication to the network access device 0x02 EAPOL Logoff The client sends an EAPOL Logoff message to tell the network access device that it is logging off Length Data length in bytes or length of the Packet body If packet type is EAPOL Start or EAPOL Logoff this field is set to 0 and no Packet body field f...

Page 74: ...vice between the client and the authentication server does not support the multicast address you must use an 802 1X client for example the HP iNode 802 1X client that can send broadcast EAPOL Start packets Access device as the initiator The access device initiates authentication if a client for example the 802 1X client available with Windows XP cannot send EAPOL Start packets The access device su...

Page 75: ...P termination Packet exchange method Benefits Limitations EAP relay Supports various EAP authentication methods The configuration and processing is simple on the network access device The RADIUS server must support the EAP Message and Message Authenticator attributes and the EAP authentication method used by the client EAP termination Works with any RADIUS server that supports PAP or CHAP authenti...

Page 76: ...sponse to the Identity EAP Request packet the client sends the username in an Identity EAP Response packet to the network access device 4 The network access device relays the Identity EAP Response packet in a RADIUS Access Request packet to the authentication server 5 The authentication server uses the identity information in the RADIUS Access Request to search its user database If a matching entr...

Page 77: ...ice logs off the client 12 Upon receiving a handshake request the client returns a response If the client fails to return a response after a certain number of consecutive handshake attempts two by default the network access device logs off the client This handshake mechanism enables timely release of the network resources used by 802 1X users who have abnormally gone offline 13 The client can also...

Page 78: ...uthentication procedure in EAP termination mode In EAP termination mode it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption see Step 4 The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server ...

Page 79: ...ication The way that the network access device handles VLANs on an 802 1X enabled port differs by 802 1X access control mode Access control VLAN manipulation Port based Assigns the VLAN to the port as the default VLAN All subsequent 802 1X users can access the default VLAN without authentication When the user logs off the previous default VLAN is restored and all other online users are logged off ...

Page 80: ...t are in the guest VLAN A user in the 802 1X guest VLAN passes 802 1X authentication Assigns the VLAN specified for the user to the port as the default VLAN and removes the port from the 802 1X guest VLAN After the user logs off the user configured default VLAN is restored If the authentication server assigns no VLAN the user configured default VLAN applies The user and all subsequent 802 1X users...

Page 81: ...cation Assigns the VLAN specified for the user to the port as the default VLAN and removes the port from the Auth Fail VLAN After the user logs off the user configured default VLAN is restored If the authentication server assigns no VLAN the initial default VLAN applies The user and all subsequent 802 1X users are assigned to the user configured default VLAN After the user logs off the default VLA...

Page 82: ... or EAP termination Optional Setting the port authorization state Optional Specifying an access control method Optional Setting the maximum number of concurrent 802 1X users on a port Optional Setting the maximum number of authentication request attempts Optional Setting the 802 1X authentication timeout timers Optional Configuring the online user handshake function Optional Configuring the authen...

Page 83: ... Use the command Remarks 1 Enter system view system view 2 Configure EAP relay or EAP termination dot1x authentication method chap eap pap Optional By default the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server Specify the eap keyword to enable EAP termination Specify the chap or pap keyword to enable CHAP enabled or PAP enabled EAP relay If EAP r...

Page 84: ...ifying an access control method You can specify an access control method for one port in Ethernet interface view or for multiple ports in system view If different access control methods are specified for a port in system view and Ethernet interface view the one specified later takes effect To specify the access control method To do Use the command Remarks 1 Enter system view system view 2 Specify ...

Page 85: ... an authentication request dot1x retry max retry value Optional 2 by default Setting the 802 1X authentication timeout timers The network device uses the following 802 1X authentication timeout timers Client timeout timer Starts when the access device sends an EAP Request MD5 Challenge packet to a client If no response is received when this timer expires the access device retransmits the request t...

Page 86: ...lients that cannot exchange handshake packets with the network access device disable the online user handshake function to prevent their connections from being inappropriately torn down Configuration procedure To configure the online user handshake function To do Use the command Remarks 1 Enter system view system view 2 Set the handshake timer dot1x timer handshake period handshake period value Op...

Page 87: ... the username request timeout timer dot1x timer tx period tx period value Optional The default is 30 seconds 3 Enter Ethernet interface view interface interface type interface number 4 Enable an authentication trigger dot1x multicast trigger unicast trigger Required if you want to enable the unicast trigger Use either command By default the multicast trigger is enabled and the unicast trigger is d...

Page 88: ...em view 2 Set the periodic re authentication timer dot1x timer reauth period reauth period value Optional The default is 3600 seconds 3 Enter Ethernet interface view interface interface type interface number 4 Enable periodic online user re authentication dot1x re authenticate Required Disabled by default The periodic online user re authentication timer can also be set by the authentication server...

Page 89: ... The 802 1X Auth Fail VLAN has a higher priority See Using 802 1X authentication with other features Port intrusion protection on a port that performs MAC based access control The 802 1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature See Configuring port security Configuration prerequisite...

Page 90: ...a port that performs MAC based access control The 802 1X Auth Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature See Configuring port security Configuration prerequisites Create the VLAN to be specified as the 802 1X Auth Fail VLAN If the 802 1X enabled port performs port based access control e...

Page 91: ... 802 1X users dot1x domain delimiter string Optional By default only the at sign delimiter is supported If you configure the access device to include the domain name in the username sent to the RADIUS server make sure that the domain delimiter in the username can be recognized by the RADIUS server For username format configuration see the user name format command in Security Command Reference Disp...

Page 92: ... access device in this example see Security Command Reference 1 Configure the 802 1X client If HP iNode is used do not select the Carry version info option in the client configuration Details not shown 2 Configure the RADIUS servers and add user accounts for the 802 1X users Details not shown 3 Assign an IP address for each interface on the access device Details not shown 4 Configure user accounts...

Page 93: ...t and enter its view Device domain aabbcc net Apply the RADIUS scheme radius1 to the ISP domain and specify local authentication as the secondary authentication method Device isp aabbcc net authentication lan access radius scheme radius1 local Device isp aabbcc net authorization lan access radius scheme radius1 local Device isp aabbcc net accounting lan access radius scheme radius1 local Set the m...

Page 94: ...ternet GigabitEthernet 1 0 2 is in VLAN 1 GigabitEthernet 1 0 2 implements port based access control GigabitEthernet 1 0 3 is in VLAN 5 and is for accessing the Internet The authentication server runs RADIUS and is in VLAN 2 The update server in VLAN 10 is for client software download and upgrade If no user performs 802 1X authentication on GigabitEthernet 1 0 2 within a period of time the device ...

Page 95: ...uration on the 802 1X client and RADIUS server are not shown For more information about AAA RADIUS configuration commands see Security Command Reference 1 Make sure that the 802 1X client can update its IP address after the access port is assigned to the guest VLAN or a server assigned VLAN Details not shown 2 Configure the RADIUS server to provide authentication authorization and accounting servi...

Page 96: ...ounting lan access radius scheme 2000 Device isp bbb quit 6 Configure 802 1X Enable 802 1X globally Device dot1x Enable 802 1X for port GigabitEthernet 1 0 2 Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 dot1x Implement port based access control on the port Device GigabitEthernet1 0 2 dot1x port method portbased Set the port authorization mode to auto This step is optional By ...

Page 97: ...nfiguration procedures on the 802 1X client and RADIUS server are beyond the scope of this configuration example For information about AAA and RADIUS configuration commands see Security Command Reference 1 Configure 802 1X client Make sure that the client is able to update its IP address after the access port is assigned to the 802 1X guest VLAN or a server assigned VLAN Details not shown 2 Config...

Page 98: ...ing business hours Device acl number 3000 Device acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 time range ftp Device acl adv 3000 quit Enable 802 1X globally Device dot1x Enable 802 1X on port GigabitEthernet 1 0 1 Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 dot1x Verification Use the user account to pass authentication and then ping the FTP server on any weekday during...

Page 99: ...ware and DHCP servers An unauthenticated user can access only this segment to download EAD client obtain a dynamic IP address from a DHCP server or perform some other tasks to be compliant with the network security strategy URL redirection If an unauthenticated 802 1X user is using a web browser to access the network the EAD fast deployment function redirects the user to a specific URL For example...

Page 100: ...AD rule to open access to the redirect URL for each redirected user seeking to access the network The EAD rule timer sets the lifetime of each ACL rule When the timer expires or the user passes authentication the rule is removed If users fail to download EAD client or fail to pass authentication before the timer expires they must reconnect to the network to access the free IP To prevent ACL rule r...

Page 101: ...l network except 192 168 2 0 24 The web page allows users to download the 802 1X client program Allow authenticated 802 1X users to access the network Figure 36 Network diagram for EAD fast deployment GE1 0 2 10 1 1 10 24 GE1 0 1 Free IP WEB server 192 168 2 3 24 Internet 192 168 1 0 24 Vlan int 2 192 168 1 1 24 192 168 2 0 24 GE1 0 3 192 168 2 1 24 DHCP server 192 168 2 1 24 Authentication server...

Page 102: ... Use the display dot1x command to display the 802 1X configuration After the host obtains an IP address from a DHCP server use the ping command from the host to ping an IP address on the network segment specified by free IP C ping 192 168 2 3 Pinging 192 168 2 3 with 32 bytes of data Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 16...

Page 103: ...ies to resolve it If the resolution fails the operating system sends an ARP request but the target address is not in the dotted decimal notation The redirection function does redirect this kind of ARP request The address is within a free IP segment No redirection takes place even if no host is present with the address The redirect URL is not in a free IP segment no server is using the redirect URL...

Page 104: ... in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users You specify one username and password which are not necessarily a MAC address for all MAC authentication users on the access device This policy is suitable for a secure environment Authentication approaches You can perform MAC authenti...

Page 105: ...ault VLAN A hybrid port is always assigned to a server assigned VLAN as an untagged member After assignment do not re configure the port as the VLAN s tagged member If MAC based VLAN is enabled on a hybrid port the device maps the server assigned VLAN to the user s MAC address The hybrid port s default VLAN does not change After the user logs off the initial default VLAN or the configured default ...

Page 106: ...alled an ISP domain For local authentication create local user accounts and specify the lan access service for the accounts For RADIUS authentication check that the device and the RADIUS server can reach each other and create user accounts on the RADIUS server If you are using MAC based accounts make sure that the username and password for each account is the same as the MAC address of the MAC aut...

Page 107: ...uthentication max user user number Optional By default the maximum number of concurrent MAC authentication users is 1024 You cannot add a MAC authentication enabled port in to a link aggregation group or enable MAC authentication on a port already in a link aggregation group Specifying an authentication domain for MAC authentication users By default MAC authentication users are in the system defau...

Page 108: ...guest VLAN mac authentication guest vlan guest vlan id Required By default no MAC authentication guest VLAN is configured You can configure only one MAC authentication guest VLAN on a port Follow the guidelines in Table 8 when you configure a MAC authentication guest VLAN on a port Table 8 Relationships of the MAC authentication guest VLAN with other security features Feature Relationship descript...

Page 109: ...hentication The MAC addresses are separated by hyphens and in lowercase characters The access device detects whether a user has gone offline every 180 seconds When a user fails authentication the device does not authenticate the user within 180 seconds Figure 37 Local MAC authentication Configuration procedure 1 Configure local MAC authentication Add a local user account set both the username and ...

Page 110: ...authentication is enabled User name format is MAC address in lowercase like xx xx xx xx xx xx Fixed username mac Fixed password not configured Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 1 Current domain is aabbcc net Silent Mac User info MAC Addr From Port Port Index Gigabiteth...

Page 111: ...Configuration procedure NOTE Make sure that the RADIUS server and the access device can reach each other Create a shared account for MAC authentication users on the RADIUS server and set the username aaa and password 123456 for the account 1 Configure RADIUS based MAC authentication on the device Configure a RADIUS scheme Device system view Device radius scheme 2000 Device radius 2000 primary auth...

Page 112: ... MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 1 Current domain is 2000 Silent Mac User info MAC ADDR From Port Port Index Gigabitethernet1 0 1 is link up MAC address a...

Page 113: ...S server and the access device can reach each other 1 Configure the ACL assignment Configure ACL 3000 to deny packets destined for 10 0 0 1 Sysname system view Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Sysname acl adv 3000 quit 2 Configure RADIUS based MAC authentication on the device Configure a RADIUS scheme Sysname radius scheme 2000 Sysname radius 2000 ...

Page 114: ...rvers Add a user account with 00 e0 fc 12 34 56 as both the username and password on the RADIUS server and specify ACL 3000 as the authorization ACL for the user account Details not shown 4 Verify the configuration After the host passes authentication perform the display connection command on the device to view online user information Sysname GigabitEthernet1 0 1 display connection Slot 1 Index 9 ...

Page 115: ...thentication They apply to scenarios that require both 802 1X authentication and MAC authentication For scenarios that require only 802 1X authentication or MAC authentication HP recommends that you configure 802 1X authentication or MAC authentication rather than port security For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication Port s...

Page 116: ...ecifies 802 1X authentication and port based access control macAddress Specifies MAC authentication Else Specifies that the authentication method before Else is applied first If the authentication fails whether to turn to the authentication method following Else depends on the protocol type of the authentication request Or Typically in a security mode with Or the authentication method to be used d...

Page 117: ...nSecure mode except that this mode supports multiple online 802 1X users userLoginWithOUI This mode is similar to the userLoginSecure mode The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI For wired users the port performs 802 1X authentication upon receiving 802 1X frames and performs OUI check upon receiving non 802 1X frames P...

Page 118: ...est VLAN is the VLAN that a user is in after failing authentication Support for the guest VLAN and Auth Fail VLAN features varies with security modes You can use the 802 1X guest VLAN and 802 1X Auth Fail VLAN features together with port security modes that support 802 1X authentication For more information about the 802 1X guest VLAN and Auth Fail VLAN on a port that performs MAC based access con...

Page 119: ...ty when online users are present For more information about 802 1X configuration see Configuring 802 1X For more information about MAC authentication configuration see Configuring MAC authentication Setting port security s limit on the number of MAC addresses on a port You can set the maximum number of MAC addresses that port security allows on a port for the following purposes Controlling the num...

Page 120: ...port when online users are present Configuration procedure To enable a port security mode To do Use the command Remarks 1 Enter system view system view 2 Set an OUI value for user authentication port security oui oui value index index value Optional Not configured by default The command is required for the userlogin withoui mode 3 Enter Layer 2 Ethernet interface view interface interface type inte...

Page 121: ...re To do Use the command Remarks 1 Enter system view system view 2 Enter Layer 2 Ethernet interface view interface interface type interface number 3 Configure the NTK feature port security ntk mode ntk withbroadcasts ntk withmulticasts ntkonly Required By default NTK is disabled on a port and all frames are allowed to be sent Configuring intrusion protection Intrusion protection enables a device t...

Page 122: ...1 Enter system view system view 2 Enable port security traps port security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By default port security traps are disabled Configuring secure MAC addresses Secure MAC addresses are MAC addresses configured or learned in autoLearn mode They can survive link down up events and once saved can...

Page 123: ... procedure To configure a secure MAC address To do Use the command Remarks 1 Enter system view system view 2 Set the sticky MAC aging timer port security timer autolearn aging time value Optional By default sticky MAC addresses do not age out and you can remove them only by performing the undo port security mac address security command changing the port security mode or disabling the port security...

Page 124: ...ss security interface interface type interface number vlan vlan id count begin exclude include regular expression Available in any view Display information about blocked MAC addresses display port security mac address block interface interface type interface number vlan vlan id count begin exclude include regular expression Available in any view Port security configuration examples Configuring the...

Page 125: ... port mode autolearn Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered Device GigabitEthernet1 0 1 port security intrusion mode disableport temporarily Device GigabitEthernet1 0 1 quit Device port security timer disableport 30 2 Verify the configuration After completing the configurations use the following command to view the port security configura...

Page 126: ...rt security interface command after the number of MAC addresses learned by the port reaches 64 you can see that the port security mode has changed to secure When any frame with a new MAC address arrives intrusion protection is triggered and you see the following traps Jan 14 10 39 47 135 2011 Device PORTSEC 4 VIOLATION TraphpSecureViolation An intrusion occurs IfIndex 9437185 Port 9437185 MAC Addr...

Page 127: ...ansmission attempts is five The device sends real time accounting packets to the RADIUS server at an interval of 15 minutes and it sends usernames without domain names to the RADIUS server Configure port GigabitEthernet 1 0 1 of the device to do the following Allow only one 802 1X user to be authenticated Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI va...

Page 128: ...o CHAP This configuration is optional By default the authentication method is CHAP for 802 1X Device dot1x authentication method chap 3 Configure port security Enable port security Device port security enable Add five OUI values Device port security oui 1234 0100 1111 index 1 Device port security oui 1234 0200 1111 index 2 Device port security oui 1234 0300 1111 index 3 Device port security oui 12...

Page 129: ...vice display domain sun Domain sun State Active Access limit 30 Accounting method Required Default authentication scheme radius radsun Default authorization scheme radius radsun Default accounting scheme radius radsun Domain User Template Idle cut Disabled Self service Disabled Authorization attributes Use the following command to view the port security configuration information Device display por...

Page 130: ...umber is 2048 per slot Total current used 802 1X resource number is 1 GigabitEthernet1 0 1 is link up 802 1X protocol is enabled Handshake is enabled Handshake secure is disabled 802 1X unicast trigger is enabled Periodic reauthentication is disabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac based 802 1X Multicast trigger is enabled Mandatory authentication ...

Page 131: ...e and password for MAC authentication Set the total number of MAC authenticated users and 802 1X authenticated users to 64 Enable NTK to prevent frames from being sent to unknown MAC addresses Configuration procedure NOTE Configurations on the host and RADIUS servers are not shown 1 Configure the RADIUS protocol Configure the RADIUS authentication accounting and ISP domain settings the same as in ...

Page 132: ...trusion Protection mode is NoAction Max MAC address number is 64 Stored MAC address number is 0 Authorization is permitted Use the following command to view MAC authentication information Device display mac authentication interface gigabitethernet 1 0 1 MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 60s Quie...

Page 133: ...e is enabled Handshake secure is disabled 802 1X unicast trigger is enabled Periodic reauthentication is disabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac based 802 1X Multicast trigger is enabled Mandatory authentication domain NOT configured Guest VLAN NOT configured Auth Fail VLAN NOT configured Max number of on line users is 1024 EAPOL Packet Tx 16331 R...

Page 134: ...gure secure MAC addresses Device GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Error Security MAC address configuration failed Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn Solution Set the port security mode to autoLearn Device GigabitEthernet1 0 1 undo port security port mode Device GigabitEthernet1 0 1 po...

Page 135: ...er is online Solution Use the cut command to forcibly disconnect the user from the port before changing the port security mode Device GigabitEthernet1 0 1 quit Device cut connection interface gigabitethernet 1 0 1 Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 undo port security port mode ...

Page 136: ...ssword aging Password aging imposes a lifecycle on a user password After the password aging time expires the user must change the password If a user enters an expired password when logging in the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again The new password must be a valid one and the user must enter exactly the same passwor...

Page 137: ...s or after the user is removed from the blacklist A blacklist can contain up to 1024 entries A login attempt using a wrong username undoubtedly fails but the username is not added into the blacklist Web users failing login authentication are not blacklisted Users accessing the system through the Console or AUX interface are not blacklisted either because the system is unable to obtain the IP addre...

Page 138: ...ys and user using the account test has never logged in successfully within 60 days after the last successful login the account becomes invalid Logging The system logs all successful password changing events and user blacklisting events due to login failures Password control configuration task list The password control functions can be configured in several views and different views support differe...

Page 139: ...able password control To do Use the command Remarks 1 Enter system view system view 2 Enable the password control feature password control enable Required Disabled by default 3 Enable a password control function individually password control aging composition history length enable Optional All password control functions are enabled by default After global password control is enabled local user pas...

Page 140: ... is warned of the pending password expiration password control alert before expire alert time Optional 7 days by default 10 Set the maximum number of days and maximum number of times that a user can log in after the password expires password control expired user login delay delay times times Optional By default a user can log in three times within 30 days after the password expires 11 Set the auth...

Page 141: ...for the local user password control length length Optional By default the setting for the user group to which the local user belongs is used If no minimum password length is configured for the user group the setting in system view is used 5 Configure the password composition policy for the local user password control composition type number type number type length type length Optional By default t...

Page 142: ...the command Remarks 1 Enter system view system view 2 Create a local user and enter local user view local user user name 3 Set the password for the local user in interactive mode password Required Displaying and maintaining password control To do Use the command Remarks Display password control configuration information display password control super begin exclude include regular expression Availa...

Page 143: ...onfiguration procedure Enable the password control feature globally Sysname system view Sysname password control enable Prohibit the user from logging in forever after two successive login failures Sysname password control login attempt 2 exceed lock Set the password aging time to 30 days for all passwords Sysname password control aging 30 Set the minimum password update interval to 36 hours Sysna...

Page 144: ...rol configuration information Sysname display password control Global password control configurations Password control Enabled Password aging Enabled 30 days Password length Enabled 10 characters Password composition Enabled 1 types 1 characters per type Password history Enabled max history record 4 Early notice on password expiration 7 days User authentication timeout 60 seconds Maximum failed lo...

Page 145: ...telnet Access limit Disable Current AccessNum 0 User group system Bind attributes Authorization attributes Password aging Enabled 20 days Password length Enabled 12 characters Password composition Enabled 2 types 5 characters per type Total 1 local user s matched ...

Page 146: ...he algorithms for digital signature For information about SSH SSL and PKI see Configuring SSH2 0 Configuring SSL and Configuring PKI Asymmetric key algorithms can be used in two scenarios for two purposes To encrypt and decrypt data The sender uses the public key of the intended receiver to encrypt the information to be sent Only the intended receiver the holder of the paired private key can decry...

Page 147: ...y pair and one host key pair Each key pair comprises a public key and a private key 512 to 2048 bits 1024 by default To achieve high security specify at least 768 bits DSA One key pair the host key pair Only SSH1 5 uses the RSA server key pair Configuration procedure To create a local asymmetric key pair To do Use the command Remarks 1 Enter system view system view 2 Create a local asymmetric key ...

Page 148: ...ost public key is enough Displaying the host public key in a specific format and saving it to a file After you display the host public key in a specify format save the key to a file and transfer this file to the peer device To display the local host public key in a specified format To do Use the command Remarks 1 Enter system view system view 2 Display the local RSA host public key in a specified ...

Page 149: ...ce Method Prerequisites Remarks Import the public key from a public key file recommended 1 Save the host public key of the intended asymmetric key pair in a file 2 Transfer a copy of the file through FTP or TFTP in binary mode to the local device During the import process the system automatically converts the public key to a string in PKCS format Manually configure the public key enter or copy the...

Page 150: ...blic keys display public key local dsa rsa public begin exclude include regular expression Available in any view Display the specified or all peer public keys on the local device display public key peer brief name publickey name begin exclude include regular expression Public key configuration examples Manually specifying the peer public key on the local device Network requirements As shown in Fig...

Page 151: ...72B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80A AB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 Time of Key pair created 09 50 07 2011 03 07 Key name SERVER_KEY Key type RSA Encryption Key Key code 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E3 5000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3C...

Page 152: ...2BF9C4A10203010001 The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A Importing a public key from a public key file Network requirements As shown in Figure 44 to prevent illegal access Device B the local device authenticates Device A the peer device through a digital signature Before you configure authentication parameters on Devi...

Page 153: ...BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B 9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Export the RSA host public key HOST_KEY to a file named devicea pub DeviceA public key local export rsa ssh2 devicea pub 2 Enable the FTP server function on Device A Enable the FTP server function create an FTP user with the username ftp password 123 and user l...

Page 154: ...o Device B DeviceB system view DeviceB public key peer devicea import sshkey devicea pub Display the host public key of Device A on Device B DeviceB display public key peer name devicea Key Name devicea Key Type RSA Key Module 1024 Key Code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854 C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16...

Page 155: ...common standard is X 509 v3 This document discusses two types of certificates local certificate and CA certificate A local certificate is a digital certificate signed by a CA for an entity A CA certificate is the certificate of a CA If multiple CAs are trusted by different users in a PKI system the CAs form a CA tree with the root CA at the top level The root CA has a CA certificate signed by itse...

Page 156: ...ded by publishing CRLs RA An RA is an extended part of a CA or an independent authority An RA can implement functions including identity authentication CRL management key pair generation and key pair backup The PKI standard recommends that an independent RA be used for registration management to achieve higher security PKI repository A PKI repository can be an LDAP server or a common database It s...

Page 157: ...rtificates PKI operation In a PKI enabled network an entity can request a local certificate from the CA and the device can check the validity of certificates Here is how it works 1 An entity submits a certificate request to the RA 2 The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA 3 The CA verifies the digital s...

Page 158: ...dress For example www whatever com is an FQDN where www is a host name and whatever com a domain name IP address of the entity Locality where the entity resides Organization to which the entity belongs Unit of the entity in the organization State where the entity resides The configuration of an entity DN must comply with the CA certificate issue policy You must determine for example which entity D...

Page 159: ...efines these parameters Trusted CA An entity requests a certificate from a trusted CA Entity A certificate applicant uses an entity to provide its identity information to a CA RA Generally an independent RA is in charge of certificate request management It receives the registration request from an entity checks its qualification and determines whether to ask the CA to sign a digital certificate Th...

Page 160: ...s specified by default 6 Configure the certificate request URL certificate request url url string Required No certificate request URL is configured by default 7 Configure the polling interval and attempt limit for querying the certificate request status certificate request polling count count interval minutes Optional The polling is executed for up to 50 times at the interval of 20 minutes by defa...

Page 161: ... certificate request mode auto key length key length password cipher simple password Required Manual by default In auto mode an entity does not automatically re request a certificate to replace a certificate that is expiring or has expired After the certificate expires the service using the certificate might be interrupted Submitting a certificate request in manual mode In manual mode you manually...

Page 162: ...ertificate from the CA through SCEP you can print the request information or save the request information to a local file and then send the printed information or saved file to the CA by an out of band method To print the request information use the pki request certificate domain command with the pkcs10 keyword To save the request information to a local file use the pki request certificate domain ...

Page 163: ...e involves checking whether the certificate is signed by the CA and whether the certificate has expired or has been revoked You can specify whether to perform CRL checking during certificate verification If you enable CRL checking CRLs are used in verification of a certificate and you must retrieve the CA certificate and CRLs to the local switch before the certificate verification If you disable C...

Page 164: ...efault 4 Return to system view quit 5 Retrieve the CA certificate See Retrieving a certificate manually Required 6 Verify the validity of the certificate pki validate certificate ca local domain domain name Required Destroying a local RSA key pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate is about to expire you can destroy the old RSA ...

Page 165: ...e fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional No restriction exists on the issuer name certificate subject name and alternative subject name by default 4 Return to system view quit 5 Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control policy exists by de...

Page 166: ...r See Figure 46 The switch acquires the CRLs for certificate verification Figure 46 Request a certificate from a CA server running RSA Keon CA server Internet Host Device PKI entity Configuration procedure 1 Configure the CA server Create a CA server named myca In this example configure basic attributes including the Nickname and Subject DN on the CA server at first The Nickname indicates the name...

Page 167: ...evice pki domain torsa certificate request url http 4 4 4 133 446 c95e970f632d27be5e8cbf80e971d9c4a9a93337 Set the registration authority to CA Device pki domain torsa certificate request from ca Specify the entity for certificate request as aaa Device pki domain torsa certificate request entity aaa Configure the URL for the CRL distribution point Device pki domain torsa crl url http 4 4 4 133 447...

Page 168: ...lly Saving the local certificate to device Done 3 Verify the configuration Use the following command to view information about the local certificate acquired Device display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 9A96A48F 9A509FD7 05FFF4DF 104AD094 Signature Algorithm sha1WithRSAEncryption Issuer C cn O org OU test CN myca Validity Not Before Jan 8 09 26 53 ...

Page 169: ...questing a certificate from a CA server running Windows 2003 Server Network requirements Configure PKI entity Device to request a local certificate from the CA server See Figure 47 Figure 47 Request a certificate from a CA server running Windows 2003 server CA server Internet Host Device PKI entity Configuration procedure 1 Configure the CA server Install the certificate service suites From the St...

Page 170: ...erver ensuring that the switch can request a certificate normally 2 Configure the switch Configure the entity DN Configure the entity name as aaa and the common name as device Device system view Device pki entity aaa Device pki entity aaa common name device Device pki entity aaa quit Configure the PKI domain Create PKI domain torsa and enter its view Device pki domain torsa Configure the name of t...

Page 171: ...ice Enrolling the local certificate please wait a while Certificate request Successfully Saving the local certificate to device Done 3 Verify the configuration Use the following command to view information about the local certificate acquired Device display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 48FA0FD9 00000000 000C Signature Algorithm sha1WithRSAEncrypti...

Page 172: ...er crt 1 3 6 1 4 1 311 20 2 0 I P S E C I n t e r m e d i a t e O f f l i n e Signature Algorithm sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B Omitted You can also use some other display commands to view more information about the CA certificate For more information about the display pki certificate ca domain command see Security Command Reference Configuring a certificate attribute b...

Page 173: ...t attribute group mygroup1 quit Create certificate attribute group mygroup2 and add two attribute rules The first rule defines that the FQDN of the alternative subject name does not include the string of apple and the second rule defines that the DN of the certificate issuer name includes the string aabbcc Device pki certificate attribute group mygroup2 Device pki cert attribute group mygroup2 att...

Page 174: ... to check whether the RA server is reachable Specify the authority for certificate request Synchronize the system clock of the switch with that of the CA Failed to request a local certificate Symptom Failed to request a local certificate Analysis Possible reasons include the following The network connection is not normal For example the network cable might be damaged or loose No CA certificate has...

Page 175: ...k connection is not normal For example the network cable might be damaged or loose No CA certificate has been retrieved before you try to retrieve CRLs The IP address of LDAP server is not configured The CRL distribution URL is not configured The LDAP server version is wrong Solution Make sure that the network connection is physically normal Retrieve a CA certificate Specify the IP address of the ...

Page 176: ...nge algorithm to generate the same session key and session ID Authentication The SSH server authenticates the client in response to the client s authentication request Session request After passing authentication the client sends a session request to the server Interaction After the server grants the request the client and the server start to communicate with each other Version negotiation 1 The s...

Page 177: ...tion of the client During password authentication the SSH client encrypts its username and password encapsulates them into a password authentication request and sends the request to the server After receiving the request the SSH server decrypts the username and password checks the validity of the username and password locally or by a remote AAA server and then informs the client of the authenticat...

Page 178: ... it cannot resolve the request Interaction In this stage the server and the client exchange data as follows 1 The client encrypts and sends the command to be executed to the server 2 The server decrypts and executes the command and then encrypts and sends the result to the client 3 The client decrypts and displays the result on the terminal In the interaction stage you can execute commands from th...

Page 179: ...ion key on the SSH server and client respectively no session key transmission is required in SSH2 0 and the server key pair is not used The length of the modulus of RSA server keys and host keys must be in the range of 512 to 2048 bits Some SSH2 0 clients require that the length of the key modulus be at least 768 bits on the SSH server side The public key local create dsa command generates only th...

Page 180: ...nfigure the client to use the corresponding host private key so that the server uses the digital signature to authenticate the client You can manually configure the public key of an SSH client on the server or import it from the public key file Configure it manually Type or copy the public key to the SSH server The public key must have not been converted and must be in the DER encoding format Impo...

Page 181: ...ice type and authentication method For information about how to configure local authentication and remote authentication see Configuring AAA This configuration task allows you to create an SSH user and specify the service type and authentication method An SSH user s service type can be Stelnet or SFTP For more information about Stelnet see Configuring SSH2 0 For more information about SFTP see Con...

Page 182: ... authentication the commands that a user can use after login are determined by AAA authorization Setting the SSH management parameters SSH management includes the following Enabling the SSH server to be compatible with SSH1 client Setting the RSA server key pair update interval applies to users who are using SSH1 client Setting the SSH user authentication timeout period Setting the maximum number ...

Page 183: ...route to the SSH server to access the SSH server Specify a source IPv6 address or interface for the SSH client ssh client ipv6 source ipv6 ipv6 address interface interface type interface number Configuring whether first time authentication is supported When the switch connects to the SSH server as an SSH client you can configure whether the switch supports first time authentication With first time...

Page 184: ...for configuring client public key on the server 4 Specify the host public key name of the server ssh client authentication server server assign publickey keyname Required Establishing a connection between the SSH client and server To do Use the command Remarks Establish a connection between the SSH client and the server and specify the public key algorithm preferred encryption algorithm preferred ...

Page 185: ...rmation username begin exclude include regular expression Available in any view Display the public keys of the local key pairs display public key local dsa rsa public begin exclude include regular expression Available in any view Display the public keys of the SSH peers display public key peer brief name publickey name begin exclude include regular expression Available in any view For more informa...

Page 186: ...stination of the SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 40 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch ui vty0 4 quit Create loc...

Page 187: ...igure 50 Figure 50 SSH client configuration interface Click Open to connect to the server If the connection is normal you are prompted to enter the username and password After entering the username client001 and password aabbcc you can enter the configuration interface of the server When the switch acts as a server for publickey authentication Network requirements As shown in Figure 51 a host the ...

Page 188: ... you configure the SSH server 1 Configure the SSH client Generate the RSA key pairs Run PuTTYGen exe select SSH 2 RSA and click Generate See Figure 52 Figure 52 Generate a key pair on the client 1 When the generator is generating the key pair you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 53 Otherwise the progress bar stops moving and the key pai...

Page 189: ...53 Generate a key pair on the client 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key See Figure 54 Figure 54 Generate a key pair on the client 3 ...

Page 190: ...greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Generate a DSA key pair Switch public key local create dsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server ...

Page 191: ... to the user Switch ssh user client002 service type stelnet authentication type publickey assign publickey Switch001 3 Establish a connection between the SSH client and the SSH server Specify the private key file and establish a connection to the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 See ...

Page 192: ...guration examples When the switch acts as client for password authentication Network requirements As shown in Figure 58 Switch A the SSH client must pass password authentication to log in to Switch B the SSH server through the SSH protocol Configure the username client001 and the password aabbcc for the SSH client on Switch B Figure 58 Switch acts as client for password authentication Configuratio...

Page 193: ...ion SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 Sw...

Page 194: ...ic key local dsa public command on the server SwitchA public key peer key1 SwitchA pkey public key public key code begin SwitchA pkey key code 308201B73082012C06072A8648CE3804013082011F0281810 0D757262C4584C44C211F18BD96E5F0 SwitchA pkey key code 61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE 65BE6C265854889DC1EDBD13EC8B274 SwitchA pkey key code DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B0...

Page 195: ...ublickey authentication Network requirements As shown in Figure 59 Switch A the SSH client must pass publickey authentication to log in to Switch B the SSH server through the SSH protocol Use the DSA public key algorithm Figure 59 Switch acts as client for publickey authentication Configuration procedure NOTE During SSH server configuration the client public key is required Use the client software...

Page 196: ...Keys Generate a DSA key pair SwitchB public key local create dsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Enable the SSH server SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for...

Page 197: ...1 to the user SwitchB ssh user client002 service type stelnet authentication type publickey assign publickey Switch001 3 Establish a connection between the SSH client and the SSH server Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 Username client002 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Continue Y...

Page 198: ...ver Enables the SFTP server so that a client can log in to the SFTP server through SFTP To enable the SFTP server To do Use the command Remarks 1 Enter system view system view 2 Enable the SFTP server sftp server enable Required Disabled by default When the switch functions as the SFTP server only one client can access the SFTP server at a time If the SFTP client uses WinSCP a file on the server c...

Page 199: ...ion to the SFTP server To establish a connection to the remote SFTP server and enter SFTP client view To do Use the command Remarks Establish a connection to the remote SFTP server and enter SFTP client view Establish a connection to the remote IPv4 SFTP server and enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha...

Page 200: ...ctory on the SFTP server rename oldname newname Optional 7 Create a new directory on the remote SFTP server mkdir remote path Optional 8 Delete one or more directories from the SFTP server rmdir remote path 1 10 Optional Working with SFTP files SFTP file operations include the following Changing the name of a file Downloading a file Uploading a file Displaying a list of the files Deleting a file T...

Page 201: ...2 Display a list of all commands or the help information of an SFTP client command help all command name Required Terminating the connection to the remote SFTP server To do Use the command Remarks 1 Enter SFTP client view For more information see Establishing a connection to the SFTP server Required Execute the command in user view 2 Terminate the connection to the remote SFTP server and return to...

Page 202: ...48 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Export the host public key to file pubkey SwitchA public key local export rsa ssh2 pubkey SwitchA quit Then transmit the public key file to the server through FTP or TFTP 2 Configure the SFTP server Generate the RSA key pairs SwitchB system vie...

Page 203: ...m the file pubkey SwitchB public key peer Switch001 import sshkey pubkey For user client001 set the service type as SFTP authentication method as publickey public key as Switch001 and working folder as flash SwitchB ssh user client001 service type sftp authentication type publickey assign publickey Switch001 work directory flash 3 Establish a connection between the SFTP client and the SFTP server ...

Page 204: ... 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Rename directory new1 to new2 and check whether the directory has been renamed successfully sftp client rename new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug ...

Page 205: ...nnection is required between the host and the switch The host an SFTP client needs to log in to the switch for file management and file transfer Use password authentication and configure the username client002 and the password aabbcc for the client on the switch Figure 61 Network diagram for SFTP server configuration Configuration procedure 1 Configure the SFTP server Generate the RSA key pairs Sw...

Page 206: ...h ui vty0 4 quit Configure a local user named client002 with the password being aabbcc and the service type being SSH Switch local user client002 Switch luser client002 password simple aabbcc Switch luser client002 service type ssh Switch luser client002 quit Configure the user authentication method as password and service type as SFTP Switch ssh user client002 service type sftp authentication typ...

Page 207: ...199 Figure 62 SFTP client interface ...

Page 208: ... a message of any length to a fixed length message With the key the sender uses the MAC algorithm to compute the MAC value of a message Then the sender suffixes the MAC value to the message and sends the result to the receiver The receiver uses the same key and MAC algorithm to compute the MAC value of the received message and compares the locally computed MAC value with that received If the two v...

Page 209: ...d the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key SSL alert protocol Enables the SSL client and server to send alert messages to each other An alert message contains the alert severity level and a description SSL configuration task list Task Remarks Configuring an SSL server policy Required Configuring an SSL client poli...

Page 210: ...ation client verify enable Optional By default the SSL server does not require the client to be authenticated 9 Enable SSL client weak authentication client verify weaken Optional Disabled by default This command takes effect only when the client verify enable command is configured If you enable client authentication here you must request a local certificate for the client SSL mainly comes in thes...

Page 211: ...nd configure the common name as http server1 and the FQDN as ssl security com Device system view Device pki entity en Device pki entity en common name http server1 Device pki entity en fqdn ssl security com Device pki entity en quit Create PKI domain 1 specify the trusted CA as ca server the URL of the registration server as http 10 1 2 2 certsrv mscep mscep dll the authority for certificate reque...

Page 212: ...tch should appear After entering username usera and password 123 you should be able to log in to the web interface to access and manage the switch For more information about PKI configuration commands see Configuring PKI For more information about the public key local create rsa command see Security Command Reference For more information about HTTPS see Fundamentals Configuration Guide Configuring...

Page 213: ...cal certificate for the client Displaying and maintaining SSL To do Use the command Remarks Display SSL server policy information display ssl server policy policy name all begin exclude include regular expression Available in any view Display SSL client policy information display ssl client policy policy name all begin exclude include regular expression Troubleshooting SSL SSL handshake failure Sy...

Page 214: ... the SSL server on the SSL client or let the server request a certificate from the CA that the SSL client trusts If the SSL server is configured to authenticate the client but the SSL client has no certificate or the certificate cannot be trusted request and install a certificate for the client 2 Use the display ssl server policy command to view the cipher suites that the SSL server policy support...

Page 215: ...ie feature can prevent SYN Flood attacks After receiving a TCP connection request the server directly returns a SYN ACK message instead of establishing an incomplete TCP connection Only after receiving an ACK message from the client can the server establish a connection and then enter the ESTABLISHED state In this way incomplete TCP connections could be avoided to protect the server against SYN Fl...

Page 216: ...ries A static IP source guard binding entry is configured manually It is suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured For example you can configure a static binding entry on a port that connects a server allowing the port to receive packets from and send packets to only the server A static IPv4 source guard binding entry filters IPv4 packets ...

Page 217: ...ay DHCPv6 snooping and ND snooping see Layer 3 IP Services Configuration Guide IP source guard configuration task list Complete the following tasks to configure IPv4 source guard binding Task Remarks Configuring IPv4 source guard on a port Required Configuring a static IPv4 source guard binding entry Optional Setting the maximum number of IPv4 source guard binding entries Optional Complete the fol...

Page 218: ...d interfaces Bridge mode Layer 2 and route mode Layer 3 Ethernet ports VLAN interfaces and port groups You can use the port link mode command to set an Ethernet port to operate in bridge or route mode see Layer 2 LAN Switching Configuration Guide 3 Configure IPv4 source guard on the port ip verify source ip address ip address mac address mac address Required Not configured by default To generate I...

Page 219: ...do Use the command Remarks 1 Enter system view system view 2 Enter Layer 2 Ethernet interface view interface interface type interface number 3 Configure the maximum number of IPv4 binding entries allowed on the port ip verify source max entries number Optional 256 by default If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries o...

Page 220: ...c IPv6 source guard binding entries It does not affect static binding entries When using a static binding entry a port does not take the keyword into consideration If you repeatedly configure the IPv6 source guard binding function only the last configuration takes effect To obtain dynamic IPv6 source guard binding entries make sure that DHCPv6 snooping or ND snooping is configured and works normal...

Page 221: ...ting dynamic binding entry the new static binding entry overwrites the dynamic binding entry Setting the maximum number of IPv6 source guard binding entries The maximum number of IPv6 source guard binding entries is used to limit the total number of static and dynamic IPv6 source guard binding entries on a port When the number of IPv6 binding entries on a port reaches the maximum the port does not...

Page 222: ...terface type interface number ipv6 address ipv6 address mac address mac address slot slot number begin exclude include regular expression Available in any view IP source guard configuration examples Static IPv4 source guard binding entry configuration example Network requirements As shown in Figure 67 Host A and Host B are connected to ports GigabitEthernet 1 0 2 and GigabitEthernet 1 0 1 of Devic...

Page 223: ... the source IP address and MAC address DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 ip verify source ip address mac address Configure GigabitEthernet 1 0 1 to allow only IP packets with the source MAC address of 0001 0203 0406 and the source IP address of 192 168 0 1 to pass DeviceA GigabitEthernet1 0 1 ip source binding ip address 192 168 0 1 mac address 0001 0203 0406 Dev...

Page 224: ...g entries The output shows that the static IPv4 source guard binding entries are configured successfully DeviceB display ip source binding static Total entries found 2 MAC Address IP Address VLAN Interface Type 0001 0203 0406 192 168 0 1 N A GE1 0 2 Static N A 192 168 0 2 N A GE1 0 1 Static Dynamic IPv4 source guard binding by DHCP snooping configuration example Network requirements As shown in Fi...

Page 225: ...AC Address IP Address VLAN Interface Type 0001 0203 0406 192 168 0 1 1 GE1 0 1 DHCP SNP Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated on GigabitEthernet 1 0 1 Device display dhcp snooping DHCP Snooping is enabled The client binding table for all untrusted ports Type D Dynamic S Static R Recovering Type IP Address MAC Address Lease VLAN SVLAN In...

Page 226: ...urce IP address and MAC address Switch system view Switch vlan 100 Switch Vlan100 quit Switch interface vlan interface 100 Switch Vlan interface100 ip verify source ip address mac address Switch Vlan interface100 quit 2 Configure the DHCP relay agent Enable the DHCP service Switch dhcp enable Configure the IP address of the DHCP server Switch dhcp relay server group 1 ip 10 1 1 1 Configure VLAN in...

Page 227: ...ess 2001 1 mac address 0001 0202 0202 Device GigabitEthernet1 0 1 quit Verification On the device display the information about static IPv6 source guard binding entries The output shows that the binding entry is configured successfully Device display ipv6 source binding static Total entries found 1 MAC Address IP Address VLAN Interface Type 0001 0202 0202 2001 1 N A GE1 0 1 Static IPv6 Dynamic IPv...

Page 228: ...e IP address and MAC address Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 ipv6 verify source ipv6 address mac address Device GigabitEthernet1 0 1 quit Verification Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1 0 1 Device display ipv6 source binding Total entries found 1 MAC Address IP Address VLAN Interface Type 040a 0000 0001 2001 ...

Page 229: ...uit 2 Configure the IPv6 source guard function Configure the IPv6 source guard function on GigabitEthernet 1 0 1 to filter packets based on both the source IP address and MAC address Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 ipv6 verify source ipv6 address mac address Device GigabitEthernet1 0 1 quit Verification Display the IPv6 source guard binding entries generated on p...

Page 230: ...inding entries or dynamic binding function Symptom Failed to configure static binding entries or the dynamic binding function on a port Analysis IP source guard is not supported on a port in an aggregation group Solution Remove the port from the aggregation group ...

Page 231: ...its CPU is overloaded Sends a large number of ARP packets to overload the CPU of the receiving device For more information about ARP attack features and types see ARP Attack Protection Technology White Paper ARP attacks and viruses threaten LAN security This chapter introduces multiple features to detect and prevent such attacks ARP attack protection configuration task list Task Remarks Flood prev...

Page 232: ...urce suppression function With the function enabled you can set a threshold for the number of ARP requests that a sending host can trigger in 5 seconds with packets with unresolvable destination IP addresses When the number of ARP requests exceeds that threshold the device suppresses the host from triggering any ARP requests in the following 5 seconds If the packets have various source addresses y...

Page 233: ...include regular expression Available in any view ARP defense against IP packet attack configuration example Network requirements As shown in Figure 73 a LAN contains two areas an R D area in VLAN 10 and an office area in VLAN 20 The two areas each connect to the gateway Device through an access switch A large number of ARP requests are detected in the office area and are considered to be the resul...

Page 234: ...k hole routing configuration Enable ARP black hole routing on the device Device system view Device arp resolving route enable Configuring ARP packet rate limit The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU on a switch For example if an attacker sends a large number of ARP packets to an ARP detection enabled device the CPU of the device bec...

Page 235: ...k detection To do Use the command Remarks 1 Enter system view system view 2 Enable source MAC address based ARP attack detection and specify the detection mode arp anti attack source mac filter monitor Required Disabled by default 3 Configure the threshold arp anti attack source mac threshold threshold value Optional 50 by default 4 Configure the age timer for ARP attack detection entries arp anti...

Page 236: ... Server 0012 3f86 e 94c Configuration considerations An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address To prevent such attacks configure the gateway as follows 1 Enable source MAC address based ARP attack detection and specify the filter mode 2 Set the threshold 3 Set the age timer for detection entries 4 Configure the MAC addres...

Page 237: ...nowledgement The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating an incorrect ARP entry For more information about its working mechanism see ARP Attack Protection Technology White Paper Configuration procedure To configure ARP active acknowled...

Page 238: ...a matching IP address but an unmatched MAC address is found the ARP packet is considered invalid and is discarded 2 If no entry with a matching IP address is found the device compares the ARP packet s sender IP and MAC addresses against the DHCP snooping entries and 802 1X security entries a If a match is found in any of the entries the ARP packet is considered valid and is forwarded b If no match...

Page 239: ...e target MAC address is all zero all one or inconsistent with the destination MAC address in the Ethernet header the packet is considered invalid and discarded ip Checks the sender and target IP addresses in an ARP packet Any all zero all one or multicast IP addresses are considered invalid and the corresponding packets are discarded With this object specified the sender and target IP addresses of...

Page 240: ...id 3 Enable ARP restricted forwarding arp restricted forwarding enable Required Disabled by default Displaying and maintaining ARP detection To do Use the command Remarks Display the VLANs enabled with ARP detection display arp detection begin exclude include regular expression Available in any view Display the ARP detection statistics display arp detection statistics interface interface type inte...

Page 241: ...55 255 255 0 3 Configure Host A and Host B as 802 1X clients the configuration procedure is not shown and configure them to upload IP addresses for ARP detection 4 Configure Switch B Enable the 802 1X function SwitchB system view SwitchB dot1x SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dot1x SwitchB GigabitEthernet1 0 1 quit SwitchB interface gigabitethernet 1 0 2 SwitchB...

Page 242: ...6 and MAC address is 0001 0203 0607 Enable ARP detection for VLAN 10 to allow only packets from valid clients or hosts to pass Figure 76 Network diagram for ARP detection configuration Switch A Switch B Host A Host B GE1 0 3 Vlan int10 10 1 1 1 24 Gateway DHCP server GE1 0 1 GE1 0 3 GE1 0 2 DHCP client VLAN 10 DHCP snooping 10 1 1 6 0001 0203 0607 Configuration procedure 1 Add all ports on Switch ...

Page 243: ...dresses and IP addresses of ARP packets SwitchB arp detection validate dst mac ip src mac After the preceding configurations are complete when ARP packets arrive at interfaces GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 their MAC and IP addresses are checked and then the packets are checked against the static IP source guard binding entries and finally DHCP snooping entries ARP restricted forw...

Page 244: ...igure the DHCP client on Hosts A and B Details not shown 4 Configure Switch B Enable DHCP snooping and configure GigabitEthernet 1 0 3 as a DHCP trusted port SwitchB system view SwitchB dhcp snooping SwitchB interface gigabitethernet 1 0 3 SwitchB GigabitEthernet1 0 3 dhcp snooping trust SwitchB GigabitEthernet1 0 3 quit Enable ARP detection SwitchB vlan 10 SwitchB vlan10 arp detection enable Conf...

Page 245: ... such packets Port isolation works normally Configuring ARP automatic scanning and fixed ARP ARP automatic scanning is usually used together with the fixed ARP feature With ARP automatic scanning enabled on an interface the device automatically scans neighbors on the interface sends ARP requests to the neighbors obtains their MAC addresses and creates dynamic ARP entries Fixed ARP allows the devic...

Page 246: ...anged from a dynamic one use the undo arp ip address command To delete all such static ARP entries use the reset arp all or reset arp static command To configure ARP automatic scanning and fixed ARP To do Use the command Remarks 1 Enter system view system view 2 Enter interface view interface interface type interface number 3 Enable ARP automatic scanning arp scan start ip address to end ip addres...

Page 247: ...s of a victim host The gateway and other hosts update the ND entry for the victim host with incorrect address information As a result all packets intended for the victim host are sent to the attacking host rather than the victim host Sends forged RA packets with the IPv6 address of a victim gateway As a result all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameter...

Page 248: ...port does not check ND packets for address spoofing An ND untrusted port checks all ND packets except RA and RR messages in the VLAN for source spoofing RA and RR messages are considered illegal and are directly discarded The ND detection function checks an ND packet by looking up the IPv6 static bindings table of the IP source guard function ND snooping table and DHCPv6 snooping table as follows ...

Page 249: ...by default 4 Quit system view quit 5 Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number 6 Configure the port as an ND trusted port ipv6 nd detection trust Optional A port does not trust sources of ND packets by default Displaying and maintaining ND detection To do Use the command Remarks Display the ND detection configuration display...

Page 250: ...v6 forwarding SwitchA system view SwitchA ipv6 Create VLAN 10 SwitchA vlan 10 SwitchA vlan10 quit Assign port GigabitEthernet 1 0 3 to VLAN 10 SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 port link type trunk SwitchA GigabitEthernet1 0 3 port trunk permit vlan 10 SwitchA GigabitEthernet1 0 3 quit Assign an IPv6 address to VLAN interface 10 SwitchA interface vlan interface 1...

Page 251: ...thernet1 0 3 port trunk permit vlan 10 SwitchB GigabitEthernet1 0 3 quit Enable ND snooping in VLAN 10 SwitchB vlan 10 SwitchB vlan 10 ipv6 nd snooping enable Enable ND detection in VLAN 10 SwitchB vlan 10 ipv6 nd detection enable SwitchB vlan 10 quit Configure the uplink port GigabitEthernet 1 0 3 as an ND trusted port Configure the downlink ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 a...

Page 252: ...ckets to IP address 2 2 2 1 Router C in response to the requests Consequently both Router B and Router C are attacked URPF can prevent this source address spoofing attack by checking the source addresses of packets and filtering out invalid packets URPF check modes URPF provides two check modes strict and loose Strict URPF To pass strict URPF check the source address and receiving interface of a p...

Page 253: ...he following Discards packets with a broadcast source address Discards packets with an all zero source address but a non broadcast destination address A packet with source address 0 0 0 0 and destination address 255 255 255 255 might be a DHCP or BOOTP packet and it is not discarded ...

Page 254: ...ching FIB entry If it does proceed to Step 8 If it does not proceed to Step 9 5 URPF checks whether the source IP address matches an ARP entry If it does proceed to Step 8 If it does not proceed to Step 9 6 URPF checks whether the FIB table has a default route If it does proceed to Step 7 If it does not proceed to Step 9 7 URPF checks whether the check mode is loose If it is proceed to Step 8 If i...

Page 255: ... URPF check globally ip urpf loose strict Required Disabled by default The routing table size decreases by half when URPF is enabled on the HP A5830 switches To prevent loss of routes and packets URPF cannot be enabled if the number of route entries the switch maintains exceeds half the routing table size URPF configuration examples Network requirements As shown in Figure 83 a client Switch A dire...

Page 256: ...ram for URPF configuration Configuration procedure 1 Configure Switch A Enable strict URPF check SwitchA system view SwitchA ip urpf strict 2 Configure Switch B Enable strict URPF check SwitchB system view SwitchB ip urpf strict ...

Page 257: ... wwalerts After registering you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking categ...

Page 258: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Page 259: ...ting capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device ...

Page 260: ...at 65 enabling 74 enabling EAP relay 75 enabling EAP termination 75 enabling periodic online user re authentication function 80 enabling security entry detection ARP attack protection 230 fundamentals 63 guest VLAN 72 HP implementation 71 initiating authentication 66 maintaining 83 Message Authentication attribute 66 packet format 64 performing authentication port security 109 performing MAC 802 1...

Page 261: ...unting on RADIUS 28 ACL assignment 802 1X 74 assignment MAC authentication 97 configuring with assignment 802 1X 89 algorithm negotiation SSH2 0 169 application PKI 149 URPF network application 247 architecture 802 1X 63 PKI 148 ARP attack protection configuration 223 configuring active acknowledgement 229 configuring against IP packet attack 224 configuring automatic scanning 237 configuring dete...

Page 262: ...X 80 initiating 802 1X 66 level switching authentication for Telnet user HWTACACS 56 mechanism RADIUS 2 Message Authentication attribute 802 1X 66 procedures 802 1X 66 RADIUS server for SSH Telnet user AAA 47 setting maximum number of authentication request attempts 802 1X 77 setting timeout timers 802 1X 77 SSH2 0 169 timers MAC 97 using 802 1X authentication with other features 71 using MAC auth...

Page 263: ...ck protection 229 ARP attack protection 223 authentication 802 1X 83 authentication trigger function 802 1X 78 Auth Fail VLAN 802 1X 73 82 autoLearn mode port security 116 automatic scanning ARP attack protection 237 basic MAC authentication 98 certificate attribute based access control policy PKI 164 certificate request from CA running RSA Keon PKI 158 certificate request from CA running Windows ...

Page 264: ...e limit ARP attack protection 226 packet source MAC address consistency check ARP attack protection 229 password control 128 135 PKI 147 158 port security 107 111 116 public key 138 142 quiet timer 802 1X 80 RADIUS user 43 RADIUS based MAC authentication 103 redirect URL EAD fast deployment 92 restricted forwarding ARP attack protection 232 235 scheme HWTACACS 31 scheme RADIUS 20 secure MAC addres...

Page 265: ...nt 92 help information SFTP 193 host public key information 140 HWTACACS 36 IP source guard 213 local user AAA 20 local user group AAA 20 MAC authentication 101 ND detection 241 password control 134 PKI 157 port security 116 public key 142 RADIUS 30 source MAC address based ARP attack detection 227 SSH2 0 177 SSL 205 TCP attack protection 207 documentation conventions used 250 website 249 domain P...

Page 266: ...ssion Defense See EAD entity PKI 148 entity DN PKI 150 establishing client server connection SSH2 0 176 establishing server connection SFTP 191 exporting host public key in specific format to a file 140 feature ACL assignment MAC authentication 97 configuring autoLearn mode port security 116 configuring intrusion protection port security 113 configuring macAddressElseUserLoginSecure mode port secu...

Page 267: ...70 interface configuring SSH client SSH2 0 171 intrusion protection port security 107 IP configuring defense against packet attack ARP attack protection 224 specifying client source address interface SFTP 191 specifying source address interface for client SSH2 0 175 IP address configuring for security policy server RADIUS 28 of security policy server RADIUS 28 specifying source address for outgoin...

Page 268: ...orization method AAA 39 configuring method for domain AAA 36 creating domain AAA 36 key negotiation SSH2 0 169 local user configuring AAA 16 loose URPF 244 MAC authentication approaches 96 authentication timers 97 configuring authentication 96 performing authentication port security 109 performing MAC 802 1X authentication port security 109 user account policies 96 using authentication with other ...

Page 269: ...AC 802 1X authentication port security 109 PKI 149 port security 107 SSH SSH2 0 168 NAS ID configuring NAS ID VLAN binding AAA 42 ND attack defense configuration 239 configuring detection function 240 241 displaying ND detection 241 enabling source MAC consistency check for packet 240 maintaining ND detection 241 need to know NTK 107 network management AAA configuration 1 AAA for 802 1X user RADIU...

Page 270: ...7 179 server policy configuration SSL 202 source MAC address based detection ARP attack protection 228 static IPv4 binding configuration IP source guard 214 static IPv6 source guard binding entry configuration IP source guard 219 URPF configuration 247 userLoginWithOUI mode configuration port security 119 verifying authentication configuration 802 1X 86 verifying configuration with ACL assignment ...

Page 271: ...ure e mail 149 submitting certificate request 153 submitting certificate request in auto mode 153 submitting certificate request in manual mode 153 terminology 147 troubleshooting 166 virtual private network VPN 149 web security 149 port authorization status 802 1X 63 controlled uncontrolled 802 1X 63 enabling client listening port RADIUS 30 setting authorization state 802 1X 75 setting maximum nu...

Page 272: ...RL checking disabled certificate verification PKI 156 configuring CRL checking enabled certificate verification PKI 155 configuring detection ARP attack protection 229 233 234 configuring detection function ND attack defense 241 configuring domain PKI 151 configuring dynamic IPv4 binding by DHCP relay IP source guard 217 218 configuring dynamic IPv4 binding by DHCP snooping IP source guard 216 217...

Page 273: ...re MAC addresses port security 114 115 configuring security features port security 113 configuring server SFTP 197 configuring server policy SSL 201 203 204 configuring source MAC address based detection ARP attack protection 227 228 configuring source suppression ARP attack protection 224 configuring specified object detection ARP attack protection 231 configuring SSH client user interface SSH2 0...

Page 274: ...ocal host public key 139 generating DSA or RSA key pair SSH2 0 171 ignoring server authorization information port security 115 importing client public key from public key file SSH2 0 173 importing public key from public key file 144 RADIUS server authentication authorization for SSH Telnet user AAA 47 retrieving certificate manually PKI 154 setting authentication timeout timers 802 1X 77 setting E...

Page 275: ...to remote server SFTP 193 working with directories SFTP 191 working with files SFTP 192 process message exchange HWTACACS 7 message exchange RADIUS 2 protocol stack SSL 200 protocols 802 1X 64 AAA 11 HWTACACS 11 RADIUS 11 public key configuration 138 142 configuring local asymmetric key pair on local device 139 creating local asymmetric key pair 139 destroying local asymmetric key pair 141 display...

Page 276: ... 44 specifying source IP address for outgoing packets 26 standards 11 recording host public key information 140 registration authority RA 148 repository PKI 148 retrieving certificate manually PKI 154 scheme configuring AAA 16 scheme HWTACACS 31 scheme RADIUS 21 secure e mail PKI 149 secure file transfer protocol See SFTP Secure Shell See SSH Secure Sockets Layer See SSL security AAA configuration...

Page 277: ...rce guard binding entries 213 maximum number of request transmission attempts RADIUS 24 packet shared keys HWTACACS 33 port authorization state 802 1X 75 security mode port security 112 server status RADIUS 25 super password control parameter password control 133 supported server type RADIUS 24 timer to control server communication HWTACACS 35 timer to control server communication RADIUS 27 user g...

Page 278: ...er 173 disabling first time authentication support 176 displaying 177 enabling SSH server function 171 enabling switch for first time authentication support 175 establishing client server connection 176 generating DSA or RSA key pair 171 importing client public key from file 173 interaction 170 key negotiation 169 maintaining 177 session request 170 setting management parameter 174 specifying sour...

Page 279: ... security 107 trap function RADIUS 29 troubleshooting cannot change port security mode when a user is online port security 126 cannot configure secure MAC addresses port security 126 cannot configure static binding entries or dynamic binding function IP source guard 222 cannot set the port security mode port security 126 failure to request a local certificate PKI 166 failure to retrieve a CA certi...

Page 280: ...ncurrent users on a port 802 1X 76 tearing down connection AAA 42 username setting format HWTACACS 34 setting format RADIUS 23 version negotiation SSH2 0 168 virtual private network VPN 149 VLAN assignment 802 1X 71 assignment MAC 97 Auth Fail 802 1X 73 configuring assignment 802 1X 86 configuring guest VLAN 802 1X 86 configuring NAS ID VLAN binding AAA 42 guest 802 1X 72 web security PKI 149 URL ...