HP Pavilion a6600, Configuration Manual

Page 1: ...res These configuration guides also provide configuration examples to help you apply software features to different network scenarios This documentation is intended for network planners field technical support and servicing engineers and network administrators working with the HP A Series products Part number 5998 1515 Software version A6600 CMW520 R2603 Document version 6PW101 20110630 ...

Page 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Page 3: ... failover mode 48 Configuring a router as a RADIUS server 48 RADIUS server functions configuration task list 48 Configuring a RADIUS user 48 Specifying a RADIUS client 49 Displaying and maintaining AAA 50 AAA configuration examples 50 Authentication authorization for Telnet SSH users by a RADIUS server 50 Local authentication authorization for Telnet FTP users 54 AAA for PPP users by an HWTACACS s...

Page 4: ...unction 90 Configuring an 802 1X guest VLAN 90 Configuring an Auth Fail VLAN 91 Displaying and maintaining 802 1X 92 802 1X configuration examples 92 802 1X authentication configuration example 92 802 1X with guest VLAN and VLAN assignment configuration example 94 802 1X with ACL assignment configuration example 97 Configuring EAD fast deployment 99 EAD fast deployment implementation 99 Configurin...

Page 5: ...ying the source IP address for outgoing portal packets 132 Configuring portal stateful failover 132 Specifying auto redirection URL for authenticated portal users 134 Configuring portal detection functions 135 Configuring online Layer 3 portal user detection 135 Configuring the portal server detection function 135 Configuring portal user information synchronization 137 Logging off portal users 138...

Page 6: ... 193 Cannot change port security mode when a user is online 194 Configuring user profiles 195 Configuration task list 195 Creating a user profile 195 Configuration prerequisites 195 Creating a user profile 196 Configuring a user profile 196 Enabling a user profile 196 Displaying and maintaining user profile 196 Configuring password control 197 Configuration task list 199 Configuring password contr...

Page 7: ...led PKI certificate verification 228 Destroying a local RSA or DSA key pair 228 Deleting a certificate 229 Configuring an access control policy 229 Displaying and maintaining PKI 230 PKI configuration examples 230 Requesting a certificate from a CA server running RSA Keon 230 Requesting a certificate from a CA server running Windows 2003 Server 234 Applying RSA digital signature in IKE negotiation...

Page 8: ...uration task list 288 Configuring a name for the local security gateway 289 Configuring an IKE proposal 289 Configuring an IKE peer 290 Setting keepalive timers 292 Setting the NAT keepalive timer 293 Configuring a DPD detector 293 Disabling next payload field check 293 Displaying and maintaining IKE 294 IKE configuration examples 294 Main mode IKE with pre shared key authentication configuration ...

Page 9: ...tion 333 Terminating the remote SFTP server connection 333 SFTP client configuration example 333 SFTP server configuration example 337 Configuring SSL 340 SSL security mechanism 340 SSL protocol stack 341 Configuration task list 341 Configuring SSL server policy 341 Configuration prerequisites 341 Configuration procedure 342 Configuring an SSL client policy 343 Configuration prerequisites 343 Conf...

Page 10: ...limit policy 370 Configuring the connection limit policy 370 Configuring an IP address based connection limit rule 370 Applying the connection limit policy 371 Displaying and maintaining connection limiting 371 Connection limit configuration example 371 Troubleshooting connection limiting 373 Connection limit rules with overlapping segments 373 Connection limit rules with overlapping protocol type...

Page 11: ...re 405 Enabling Naptha attack protection 406 Displaying and maintaining TCP and ICMP attack protection 406 Configuring IP source guard 407 Binding entry types 407 Configuring IPv4 source guard binding 408 Configuring a static IPv4 source guard binding entry 408 Configuring the dynamic IPv4 source guard binding function 409 Displaying and maintaining IP source guard 409 IP source guard configuratio...

Page 12: ...ing and fixed ARP 431 Configuration procedure 431 Configuring ARP gateway protection 432 Configuration procedure 432 ARP gateway protection configuration example 432 Configuring ARP filtering 433 Configuration procedure 433 ARP filtering configuration example 434 Configuring ND attack defense 435 Enabling source MAC consistency check for ND packets 436 Configuring URPF 437 How URPF works 437 Confi...

Page 13: ...own in Figure 1 Figure 1 Network diagram for AAA When a user tries to log in to the NAS use network resources or access other networks the NAS authenticates the user The NAS can transparently pass the user s authentication authorization and accounting information to the servers The RADIUS and HWTACACS protocols define how a NAS and a remote server exchange user information between them In the netw...

Page 14: ... maintains information related to user authentication and network service access It listens to connection requests authenticates users and returns user access control information to the clients for example by rejecting or accepting the user access request In general the RADIUS server maintains the following databases Users Clients and Dictionary as shown in Figure 2 Figure 2 RADIUS server componen...

Page 15: ...he MD5 algorithm and the shared key 3 The RADIUS server authenticates the username and password If the authentication succeeds the server sends back an Access Accept message containing the user s authorization information If the authentication fails the server returns an Access Reject message 4 The RADIUS client permits or denies the user according to the returned authentication result If the RADI...

Page 16: ...s Request are acceptable the authentication succeeds and the server sends an Access Accept response 3 Access Reject From the server to the client If any attribute value carried in the Access Request is unacceptable the authentication fails and the server sends an Access Reject response 4 Accounting Request From the client to the server A packet of this type carries user information for the server ...

Page 17: ...th of the attribute in bytes including the Type Length and Value fields Value up to 253 bytes Value of the attribute Its format and content depend on the Type and Length fields Table 2 RADIUS attributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Termina...

Page 18: ...91 Tunnel Server Auth id NOTE The attribute types listed in Table 2 are defined in RFC 2865 RFC 2866 RFC 2867 and RFC 2868 For more information about commonly used standard RADIUS attributes see Commonly used standard RADIUS attributes Extended RADIUS attributes The RADIUS protocol features excellent extensibility Attribute 26 Vendor Specific an attribute defined by RFC 2865 allows a vendor to def...

Page 19: ...res in common like using a client server model using shared keys for user information security and providing flexibility and extensibility HWTACACS and RADIUS do have differences as listed in Table 3 Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP providing higher transport efficiency Encrypts the entire packet ...

Page 20: ...ntication response indicating successful authentication 12 User authorization request packet 13 Authorization response indicating successful authorization 14 The user logs in successfully 15 Start accounting request 16 Accounting response indicating the start of accounting 17 The user logs off 18 Stop accounting request 19 Stop accounting response 10 Authentication continuance packet with the logi...

Page 21: ... pushes its configuration interface to the user 15 The HWTACACS client sends a start accounting request to the HWTACACS server 16 The HWTACACS server sends back an accounting response indicating that it has received the start accounting request 17 The user logs off 18 The HWTACACS client sends a stop accounting request to the HWTACACS server 19 The HWTACACS server sends back a stop accounting resp...

Page 22: ...ll commands executed on the router or all authorized commands successfully executed For more information see Fundamentals Configuration Guide Level switching authentication Allows the authentication server to authenticate users who perform privilege level switching As long as they pass level switching authentication users can switch their user privilege levels without logging out and disconnecting...

Page 23: ... used standard RADIUS attributes Table 4 Commonly used standard RADIUS attributes No Attribute Description 1 User Name Name of the user to be authenticated 2 User Password User password for PAP authentication present only in Access Request packets in PAP authentication mode 3 CHAP Password Digest of the user password for CHAP authentication present only in Access Request packets in CHAP authentica...

Page 24: ...meout Maximum idle time permitted for the user before termination of the session 31 Calling Station Id Identification of the user that the NAS sends to the server For the LAN access service provided by an HP device this attribute carries the MAC address of the user in the format HHHH HHHH HHHH 32 NAS Identifier Identification that the NAS uses for indicating itself 40 Acct Status Type Type of the ...

Page 25: ...ing available total traffic of the connection in different units for different server types 20 Command Operation for the session used for session control 1 Trigger Request 2 Terminate Request 3 SetPolicy 4 Result 5 PortalClear 24 Control_Identifier Identification for retransmitted packets For retransmitted packets of the same session this attribute must take the same value for retransmitted packet...

Page 26: ...unting interval in the unit set on the router 204 Output Interval Packets Packets output within an accounting interval in the unit set on the router 205 Input Interval Gigawords Result of bytes input within an accounting interval divided by 4G bytes 206 Output Interval Gigawords Result of bytes output within an accounting interval divided by 4G bytes 207 Backup NAS IP Backup source IP address for ...

Page 27: ...authentication methods for an ISP domain Required Complete at least one task Configuring AAA authorization methods for an ISP domain Configuring AAA accounting methods for an ISP domain Tearing down user connections forcibly Optional Configuring a NAS ID VLAN binding Optional Specifying the device ID used in stateful failover mode Optional Displaying and maintaining AAA Optional NOTE To control ac...

Page 28: ...nd specify an expiration time for the account to control the validity of the account User group Each local user belongs to a local user group and bears all attributes of the group such as the password control attributes and authorization attributes For more information see Configuring user group attributes Password control attributes Password control attributes help you control the security of loc...

Page 29: ...iguring user group attributes Optional Displaying and maintaining local users and local user groups Optional Configuring local user attributes To do Command Remarks 1 Enter system view system view 2 Set the password display mode for all local users local user password display mode auto cipher force Optional auto by default indicating to display the password of a local user in the way defined by pa...

Page 30: ...ed Set the minimum password length password control length length Optional By default the setting for the user group is used If there is no such setting for the user group the global setting 10 characters by default is used Configure the password composition policy password control composition type number type number type length type length Optional By default the settings for the user group are u...

Page 31: ...cal user passwords are displayed in cipher text regardless of the configuration of password If you also save the configuration and restart the router all existing local user passwords are always displayed in cipher text no matter how you configure local user password display mode or password The passwords configured after you restore the display mode to auto by using local user password display mo...

Page 32: ...ing 10 characters by default is used Configure the password composition policy password control composition type number type number type length type length Optional By default the global settings both are one by default are used 4 Configure the authorization attributes for the user group authorization attribute acl acl number callback number callback number idle cut minute level level user profile...

Page 33: ...f RADIUS request transmission attempts Optional Setting the status of RADIUS servers Optional Setting the username format and traffic statistics units Optional Specifying the source IP address for outgoing RADIUS packets Optional Specifying a backup source IP address for outgoing RADIUS packets Optional Setting timers for controlling communication with RADIUS servers Optional Configuring RADIUS ac...

Page 34: ...n instance vpn instance name NOTE The IP addresses of the primary and secondary authentication authorization servers for a scheme must be different from each other Otherwise the configuration fails All servers for authentication authorization and accountings primary or secondary must use IP addresses of the same IP version Specify a RADIUS authentication authorization server as the primary authent...

Page 35: ...rom each other Otherwise the configuration fails All servers for authentication authorization and accountings primary or secondary must use IP addresses of the same IP version If you delete an accounting server that is serving users the router can no longer send real time accounting requests and stop accounting requests for the users to that server or buffer the stop accounting requests Specify a ...

Page 36: ... router uses to communicate with the RADIUS server It can be standard or extended Standard Uses the standard RADIUS protocol compliant with RFC 2865 and RFC 2866 or later Extended Uses the proprietary RADIUS protocol of HP When the RADIUS server runs iMC you must set the RADIUS server type to extended When the RADIUS server runs third party RADIUS server software either RADIUS server type applies ...

Page 37: ...ter communicates with the primary server If the primary server fails the router changes the server s status to blocked and starts a quiet timer for the server Then it turns to a secondary server in the active state a secondary server configured earlier has a higher priority If the secondary server is unreachable the router changes the server s status to blocked starts a quiet timer for the server ...

Page 38: ... secondary authentication ip ipv4 address ipv6 ipv6 address active block 6 Set the status of the secondary RADIUS accounting server state secondary accounting ip ipv4 address ipv6 ipv6 address active block NOTE The server status set by state cannot be saved to the configuration file After the router restarts the status of each server is restored to active To display the states of the servers use d...

Page 39: ...er processes the packet If it is not the server drops the packet Usually the source address of outgoing RADIUS packets can be the IP address of the any interface of the NAS that can communicate with the RADIUS server In some special scenarios however you must change the source IP address For example if a NAT device is present between the NAS and the RADIUS server the source IP address of outgoing ...

Page 40: ...outer sends the source IP address for outgoing RADIUS packets that is configured on the standby router to the RADIUS server so that the RADIUS server can send unsolicited RADIUS packets to the standby router Specify a backup IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme or in system view for all RADIUS schemes whose servers are in a VPN or the public net...

Page 41: ... reachable the router changes the server s status to blocked starts this timer for the server and tries to communicate with another server in the active state After this timer expires the router changes the status of the server back to active Real time accounting timer realtime accounting Defines the interval at which the router sends real time accounting packets to the RADIUS accounting server fo...

Page 42: ...e state of the unreachable servers to blocked and the time for finding a reachable server is shortened Be sure to set the server quiet timer properly Too short a quiet timer may result in frequent authentication or accounting failures because the router has to repeatedly attempt to communicate with an unreachable server that is in the active state For more information about the maximum number of R...

Page 43: ...re forwarding them to the server The RADIUS offload feature enables a router to process EAP packets for this purpose The RADIUS offload feature needs the cooperation of the local EAP authentication server They work together as follows 1 After receiving EAP packets from an EAP client the local EAP authentication server interacts with the client encapsulates the authentication information of the cli...

Page 44: ...the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold This threshold ranges from 1 to 100 and defaults to 30 This threshold can only be configured through the MIB The failure ratio is generally small If a trap message is triggered because the failure ratio is higher than the threshold troubleshoot the configuration on a...

Page 45: ...pression Available in any view Display information about buffered stop accounting requests for which no responses have been received on a distributed router display stop accounting buffer radius scheme radius server name session id session id time range start time stop time user name user name slot slot number begin exclude include regular expression Available in any view Clear RADIUS statistics o...

Page 46: ...S scheme view To do Command Remarks 1 Enter system view system view 2 Create an HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default NOTE Up to 16 HWTACACS schemes can be configured A scheme can be deleted only when it is not referenced Specifying the HWTACACS authentication servers Specify one primary authentication server and up to o...

Page 47: ...e To do Command Remarks 1 Enter system view system view 2 Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name 3 Specify the primary HWTACACS authorization server primary authorization ip address port number vpn instance vpn instance name Required Configure at least one command No authorization server is specified by default 4 Specify the secondary HWTACACS authorization server secondar...

Page 48: ...ponses are received stop accounting buffer enable Optional Enabled by default 6 Set the maximum number of stop accounting attempts retry stop accounting retry times Optional 100 by default NOTE An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time The IP addresses of the primary and secondary account...

Page 49: ... this purpose The router periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users For normal and accurate traffic statistics make sure that the unit for data flows and that for packets on the router are consistent with those configured on the HWTACACS servers To set the username format and the traffic statistics units for an HWTACACS sch...

Page 50: ... The source IP address specified in system view for the VPN or public network depending on where the HWTACACS server resides 3 The IP address of the outbound interface specified by the route To specify a source IP address for all HWTACACS schemes of a VPN or the public network To do Command Remarks 1 Enter system view system view 2 Specify a source IP address for outgoing HWTACACS packets hwtacacs...

Page 51: ...es higher performance Displaying and maintaining HWTACACS To do Command Remarks Display the configuration information or statistics of HWTACACS schemes on a centralized router display hwtacacs hwtacacs server name statistics begin exclude include regular expression Available in any view Display the configuration information or statistics of HWTACACS schemes on a distributed router display hwtacacs...

Page 52: ... use remote authentication authorization and accounting create the required RADIUS and HWTACACS schemes as described in Configuring RADIUS schemes and Configuring HWTACACS schemes Creating an ISP domain In a networking scenario with multiple ISPs a router may connect users of different ISPs Users of different ISPs may have different user attributes such as different username and password structure...

Page 53: ...ress pool for allocating addresses to PPP users ip pool pool number low ip address high ip address Optional By default no IP address pool is configured for PPP users 8 Specify the default authorization user profile authorization attribute user profile profile name Optional By default an ISP domain has no default authorization user profile NOTE If a user passes authentication but is authorized with...

Page 54: ... HWTACACS scheme to be referenced first The local and none authentication methods do not require any scheme Determine the access type or service type to be configured With AAA configure an authentication method for each access type and service type limiting the authentication protocols that can be used for access Determine whether to configure an authentication method for all access types or servi...

Page 55: ...and argument combination when configuring an authentication method local authentication is the backup method It is used only when the remote server is not available If you specify only the local or none keyword in an authentication method configuration command the router has no backup authentication method It performs only local authentication or does not perform any authentication If the method f...

Page 56: ...ke effect 2 Determine the access type or service type to be configured With AAA configure an authorization scheme for each access type and service type limiting the authorization protocols that can be used for access 3 Determine whether to configure an authorization method for all access types or service types To configure AAA authorization methods for an ISP domain To do Command Remarks 1 Enter s...

Page 57: ...thorization is the backup method and is used only when the remote server is not available If you specify only the local or none keyword in an authorization method configuration command the router has no backup authorization method It performs only local authorization or does not perform any authorization Configuring AAA accounting methods for an ISP domain In AAA accounting is a separate process a...

Page 58: ...e default accounting method is used by default 6 Specify the accounting method for DVPN users accounting dvpn local none radius scheme radius scheme name local Optional The default accounting method is used by default 7 Specify the accounting method for LAN users accounting lan access local none radius scheme radius scheme name local none Optional The default accounting method is used by default T...

Page 59: ...isp name interface interface type interface number ip ip address mac mac address ucibindex ucib index user name user name Required Applies only to portal and PPP user connections 3 Tear down AAA user connections forcibly on a distributed router cut connection access type dot1x mac authentication portal all domain isp name interface interface type interface number ip ip address mac mac address ucib...

Page 60: ...device ID NOTE Configuring or changing the device ID of a router logs off all online users of the router HP recommends that you save the configuration and reboot the router after configuring or changing the device ID The device ID is the symbol for stateful failover mode Do not configure any device ID for a router working in stand alone mode Configuring a router as a RADIUS server RADIUS server fu...

Page 61: ...IUS client the NAS after the RADIUS user passes authentication The NAS then uses the assigned ACL and VLAN to control user access If the assigned ACL does not exist on the NAS ACL assignment fails and the NAS logs the RADIUS user out forcibly If the assigned VLAN does not exist on the NAS the NAS creates the VLAN and adds the RADIUS user or access port to the VLAN Specifying a RADIUS client This t...

Page 62: ...uthorization for Telnet SSH users by a RADIUS server Configuration of RADIUS authentication and authorization of SSH users is similar to that for Telnet users The following takes Telnet users as an example Network requirements As shown in Figure 10 a Telnet user is connected to the router and the router is connected to the RADIUS server Complete the following tasks Configure an iMC server to act a...

Page 63: ...Add Access Device page and perform the following configurations as shown in Figure 11 a Set the shared key for authenticating authentication and accounting to expert b Specify the ports for authentication and accounting as 1812 and 1813 respectively c Select Device Management Service as the service type d Select HP as the access device type e Select the access device from the device list or manual...

Page 64: ...m the following configurations as shown in Figure 12 a Add a user named hello bbb and specify the password b Select SSH as the service type c Set the EXEC privilege level to 3 This value identifies the privilege level of the SSH user after login which is 0 by default d Specify the IP address range of the hosts to be managed as 10 1 1 0 to 10 1 1 255 and click OK to finish the operation NOTE The IP...

Page 65: ...re the IP address of interface GigabitEthernet 1 0 2 through which the router communicates with the server Router interface gigabitethernet 1 0 2 Router GigabitEthernet1 0 2 ip address 10 1 1 2 255 255 255 0 Router GigabitEthernet1 0 2 quit Enable the Telnet server on the router Router telnet server enable Configure the router to use AAA for Telnet users Router user interface vty 0 4 Router ui vty...

Page 66: ...e same result by configuring default AAA methods for all types of users in domain bbb Router domain bbb Router isp bbb authentication default radius scheme rad Router isp bbb authorization default radius scheme rad Router isp bbb quit 3 Verify the configuration After you complete the configuration the Telnet user should be able to Telnet to the router use the configured account to enter the user i...

Page 67: ...main as local authentication and authorization Router domain system Router isp system authentication login local Router isp system authorization login local Router isp system quit 2 Verify the configuration When Telnetting to the router a user can access the user interface of the router by using username telnet system and correct password Use display connection to view the connection information o...

Page 68: ... primary accounting server Router hwtacacs hwtac primary accounting 10 1 1 1 49 Set the shared keys for authenticating authentication authorization and accounting packets to expert Router hwtacacs hwtac key authentication expert Router hwtacacs hwtac key authorization expert Router hwtacacs hwtac key accounting expert Specify the scheme to exclude the domain names from usernames to be sent to the ...

Page 69: ... 0 1 ip address 10 1 1 2 255 255 255 0 3 Verify the configuration Initiate a PPP connection from the PPP client and enter the correct username and password You pass authentication and the PPP client can use the IP address assigned by the router to access the network Use display connection on the router to view information about the connection Level switching authentication for Telnet users by a RA...

Page 70: ...d specify that usernames sent to the RADIUS server carry no domain name Configure the domain to use RADIUS scheme rad for user privilege level switching authentication Configure the password for local user privilege level switching authentication 3 On the RADIUS server add the username and password for user privilege level switching authentication Configuration procedure 1 Configure the router Con...

Page 71: ...he domain names from usernames to be sent to the RADIUS server Router radius rad user name format without domain Router radius rad quit Create ISP domain bbb Router domain bbb Configure the AAA methods for domain bbb as local authentication Router isp bbb authentication login local Configure the domain to use the RADIUS scheme rad for user privilege level switching authentication Router isp bbb au...

Page 72: ...word Switching to level enab1 pass1 1 enab2 pass2 2 enab3 pass3 3 NOTE A username configured on the RADIUS server is in the format of enablevel where level specifies the privilege level to which the user wants to switch Figure 16 Configure a username for privilege level switching take enab1 for example ...

Page 73: ...ent no decompiling or reverse engineering shall be allowed Login authentication Username test bbb Password Router User view commands cluster Run cluster command display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection tracert Trac...

Page 74: ...ter to provide direct portal authentication so that the host can access only the portal server before passing portal authentication and can access the Internet after passing portal authentication Set the shared keys for authenticating authentication and authorization packets exchanged between the router and the RADIUS server as expert and specify the ports for authentication authorization and acco...

Page 75: ...rts for authentication and accounting as 1812 and 1813 respectively c Select LAN Access Service as the service type d Select HP as the access device type e Select the access device from the device list or manually add the device whose IP address is 10 1 1 2 f Adopt the default settings for other parameters and click OK to finish the operation NOTE The IP address of the access device specified abov...

Page 76: ...the default settings for other parameters and click OK to finish the operation Figure 20 Add a charging policy Add a service Click the Service tab and select User Access Manager Service Configuration from the navigation tree to enter the Service Configuration page Then click Add to enter the Add Service Configuration page and perform the following configurations as shown in Figure 21 a Add a servi...

Page 77: ...o enter the Add Access User page and perform the following configurations as shown in Figure 22 a Select the user or add a user named hello b Specify the account name as portal and configure the password c Select the access service Portal auth acct d Configure other parameters accordingly and click OK to finish the operation Figure 22 Add an access user account ...

Page 78: ...g iMC UAM installation Usually the default setting of port 8080 is used b Click OK to finish the operation Figure 23 Portal server configuration Configure the IP address group Select User Access Manager Portal Service Management IP Group from the navigation tree to enter the portal IP address group configuration page Then click Add to enter the page for adding an IP address group as shown in Figur...

Page 79: ...tal device as shown in Figure 25 a Enter the device name NAS b Enter the IP address of the access interface on the router which is 192 168 1 70 c Enter the key which is portal the same as that configured on the router d Set whether to enable IP address reallocation Because direct portal authentication is used in this example select No from the Reallocate IP drop down list e Click OK to finish the ...

Page 80: ...a port group as shown in Figure 27 a Enter the port group name b Select the configured IP address group The IP address used by the user to access the network must be within this IP address group c Use the default settings for other parameters and click OK to finish the operation Figure 27 Port group configuration Select User Access Manager Service Parameters Validate System Configuration from the ...

Page 81: ...eme rs1 Router isp dm1 authorization portal radius scheme rs1 Router isp dm1 accounting portal radius scheme rs1 Router isp dm1 quit Configure dm1 as the default ISP domain for all users Then if a user enters a username without any ISP domain at login the authentication and accounting methods of the default domain are used for the user Router domain default enable dm1 Configure portal authenticati...

Page 82: ...roubleshooting RADIUS Symptom 1 User authentication authorization always fails Analysis 1 A communication failure exists between the NAS and the RADIUS server 2 The username is not in the format of userid isp name or no default ISP domain is specified for the NAS 3 The user is not configured on the RADIUS server 4 The password entered by the user is incorrect 5 The RADIUS server and the NAS are co...

Page 83: ...configured on the NAS are the same as those configured on the RADIUS server 4 The port numbers of the RADIUS server for authentication authorization and accounting are available Symptom 3 A user is authenticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting ...

Page 84: ...ust support EAPOL The network access device residing at the other end of the LAN segment is the entity that authenticates connected clients The network access device provides the client with access to the LAN The server is the entity that provides authentication services for the network access device It performs authentication authorization and accounting services for 802 1X users It can be the ne...

Page 85: ...es support only unidirectional traffic control EAP over LAN EAPOL packet format EAPOL defined in 802 1X is intended to carry EAP protocol packets between clients and devices over LANs Figure 30 shows the EAPOL packet format Figure 30 EAPOL packet format PAE Ethernet type Protocol type It takes the value 0x888E Protocol version Version of the EAPOL protocol supported by the EAPOL packet sender Type...

Page 86: ... body field The format of the EAP packet is shown in Figure 31 Figure 31 EAP packet format 0 15 Code Data Length 7 Identifier 2 4 N Code Type of the EAP packet which can be Request Response Success or Failure Identifier One octet used to match Responses with Requests Length Length in bytes of the EAP packet which is the sum of the Code Identifier Length and Data fields Data Content of the EAP pack...

Page 87: ...nitiate 802 1X authentication The destination MAC address of the packet can be the IEEE 802 1X specified multicast address 01 80 C2 00 00 03 or the broadcast MAC address If any intermediate device between the client and the server does not support this multicast address you must use an 802 1X client the HP iNode 802 1X client for example that can send broadcast EAPOL Start packets Access device as...

Page 88: ...entity 3 EAP Response Identity 6 EAP Request MD5 challenge 10 EAP Success 7 EAP Response MD5 challenge 4 RADIUS Access Request EAP Response Identity 5 RADIUS Access Challenge EAP Request MD5 challenge 9 RADIUS Access Accept EAP Success 8 RADIUS Access Request EAP Response MD5 challenge 11 Handshake request EAP Request Identity 13 EAPOL Logoff Client Device Server Port authorized Handshake timer Po...

Page 89: ...in a RADIUS Access Request packet to the authentication server 9 When it receives the RADIUS Access Request packet the RADIUS server compares the password information encapsulated in the packet with that generated by itself If the two are identical the authentication server considers the user valid and sends a RADIUS Access Accept packet to the device 10 Upon receiving the RADIUS Access Accept pac...

Page 90: ...cess 5 EAP Response MD5 challenge 9 Handshake request EAP Request Identity 10 Handshake response EAP Response Identity 11 EAPOL Logoff Client Device Server Port authorized Handshake timer Port unauthorized 6 RADIUS Access Request CHAP Response MD5 challenge 7 RADIUS Access Accept CHAP Success Different from the authentication process in EAP relay mode it is the device that generates the random cha...

Page 91: ...l each user is separately authenticated on a port When a user logs off no other online users are affected For more information see 802 1X fundamentals Using 802 1X authentication with other features VLAN assignment Configure the authentication server to assign a VLAN for an 802 1X user who has passed authentication The way that the network access device handles VLANs on an 802 1X enabled port diff...

Page 92: ... is enabled Assigns the 802 1X guest VLAN to the port as the default VLAN All 802 1X users on this port can access only resources in the guest VLAN If no 802 1X guest VLAN is configured the access device does not perform any VLAN operation A user in the 802 1X guest VLAN fails 802 1X authentication If an 802 1X Auth Fail VLAN see Auth Fail VLAN is available assigns the Auth Fail VLAN to the port a...

Page 93: ...that performs MAC based access control Authentication status VLAN manipulation A user fails 802 1X authentication Re maps the MAC address of the user to the Auth Fail VLAN The user can access only resources in the Auth Fail VLAN A user in the Auth Fail VLAN fails 802 1X re authentication The user is still in the Auth Fail VLAN A user in the Auth Fail VLAN passes 802 1X authentication Re maps the M...

Page 94: ... Optional Setting the port authorization state Optional Specifying an access control method Optional Setting the maximum number of concurrent 802 1X users on a port Optional Setting the maximum number of authentication request Optional Setting the 802 1X timers Optional Configuring the online user handshake function Optional Enabling the proxy detection function Optional Enabling the multicast tri...

Page 95: ... as MD5 Challenge EAP TL and PEAP To use this mode you must make sure that RADIUS server supports the EAP Message and Message Authenticator attributes and that it uses the same EAP authentication method as the client If EAP relay mode is used the user name format command configured in RADIUS scheme view does not take effect The access device sends the authentication data from the client to the ser...

Page 96: ...one set later takes effect To set the authorization state of a port To do Command Remarks 1 Enter system view system view 2 Set the port authorizati on state In system view dot1x port control authorized force auto unauthorized force interface interface list Optional Use either approach By default auto applies In Ethernet interface view interface interface type interface number dot1x port control a...

Page 97: ...e authentication request If the number of transmission attempts exceeds the specified upper limit but the device still receives no response it stops transmitting the request To do Command Remarks 1 Enter system view system view 2 Set the maximum number of attempts for sending an authentication request dot1x retry max retry value Optional 2 by default Setting the 802 1X timers The network device us...

Page 98: ...ance network set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response or adjust the server timeout timer to adapt to the performance of different authentication servers In most cases the default settings are sufficient To set the 802 1X timers To do Command Remarks 1 Enter system view system view 2 Set the 802 1X timers dot1x timer handshake pe...

Page 99: ... To configure the online user handshake function To do Command Remarks 1 Enter system view system view 2 Enter Ethernet interface view interface interface type interface number 3 Enable the online handshake function dot1x handshake Optional Enabled by default 4 Enable the online handshake security function dot1x handshake secure Optional Disabled by default NOTE You must disable proxy detection be...

Page 100: ...thentication packets To do Command Remarks 1 Enter system view system view 2 Enter Ethernet interface view interface interface type interface number 3 Enable the multicast trigger function dot1x multicast trigger Optional Enabled by default Enabling the unicast trigger function The unicast trigger function enables the network device to initiate 802 1X authentication when it receives a data frame f...

Page 101: ...in enhances the flexibility of 802 1X access control deployment To specify a mandatory authentication domain for a port To do Command Remarks 1 Enter system view system view 2 Enter Ethernet interface view interface interface type interface number 3 Specify a mandatory 802 1X authentication domain on the port dot1x mandatory domain domain name Required Not specified by default Enabling the quiet t...

Page 102: ...thentication timer configuration on the server vary with servers NOTE If the server assigns a VLAN before re authentication and no VLAN after re authentication or vice versa the user is logged off and cannot access any network resource VLANs assigned to the same user before and after re authentication can be different Configuring an 802 1X guest VLAN Configuration guidelines Follow these guideline...

Page 103: ...rt can correctly process VLAN tagged incoming traffic You cannot specify a VLAN as both a super VLAN and an 802 1X Auth Fail VLAN For more information see Layer 2 LAN Switching Configuration Guide Configuration prerequisites Create the VLAN to be specified as the 802 1X Auth Fail VLAN If the 802 1X enabled port performs port based access control enable 802 1X multicast trigger If the 802 1X enable...

Page 104: ...d access control on the port so that the logoff of one user does not affect other online 802 1X users Use RADIUS servers to perform authentication authorization and accounting for the 802 1X users If RADIUS authentication fails perform local authentication on the access device If RADIUS accounting fails the access device logs the user off Configure the host at 10 1 1 1 as the primary authenticatio...

Page 105: ...r localuser quit 5 Configure a RADIUS scheme Create the RADIUS scheme radius1 and enter its view Router radius scheme radius1 Specify the IP addresses of the primary authentication and accounting RADIUS servers Router radius radius1 primary authentication 10 1 1 1 Router radius radius1 primary accounting 10 1 1 1 Configure the IP addresses of the secondary authentication and accounting RADIUS serv...

Page 106: ... enable aabbcc net 7 Configure 802 1X Enable 802 1X globally Router dot1x Enable 802 1X on port GigabitEthernet 1 0 1 Router interface gigabitethernet 1 0 1 Router GigabitEthernet1 0 1 dot1x Router GigabitEthernet1 0 1 quit Enable MAC based access control on the port Optional MAC based access control is the default setting Router dot1x port method macbased interface gigabitethernet 1 0 1 Verifying...

Page 107: ... 10 GE1 0 1 VLAN 10 GE1 0 2 VLAN 5 GE1 0 3 VLAN 2 GE1 0 4 Router Internet Update server Authentication server Host VLAN 10 GE1 0 1 VLAN 1 GE1 0 2 VLAN 5 GE1 0 3 VLAN 2 GE1 0 4 Router Internet Update server Authentication server Host VLAN 10 GE1 0 1 VLAN 5 GE1 0 2 VLAN 5 GE1 0 3 VLAN 2 GE1 0 4 Router Port added to guest VLAN User gets online The following configuration procedure covers most AAA RAD...

Page 108: ...bc Exclude the ISP domain name from the username sent to the RADIUS server Router radius 2000 user name format without domain Router radius 2000 quit 5 Configure an ISP domain Create ISP domain bbb and enter its view Router domain bbb Apply RADIUS scheme 2000 to the ISP domain for authentication authorization and accounting Router isp bbb authentication lan access radius scheme 2000 Router isp bbb...

Page 109: ...ication on the port Use the RADIUS server at 10 1 1 1 as the authentication and authorization server and the RADIUS server at 10 1 1 2 as the accounting server Assign an ACL to GigabitEthernet 1 0 1 to deny 802 1X users to access the FTP server Figure 38 Network diagram for ACL assignment Internet Router Host RADIUS server cluster 192 168 1 10 GE1 0 2 Vlan int2 192 168 1 1 24 FTP server 10 0 0 1 1...

Page 110: ...thorization default radius scheme 2000 Router isp 2000 accounting default radius scheme 2000 Router isp 2000 quit Configure ACL 3000 to deny packets destined for the FTP server at 10 0 0 1 Router acl number 3000 Router acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Enable 802 1X globally Router dot1x Enable 802 1X on port GigabitEthernet 1 0 1 Router interface gigabitethernet 1 0 1 Router Giga...

Page 111: ...hich has a limited set of network resources such as software and DHCP servers An unauthenticated user can access only this segment to download EAD client obtain a dynamic IP address from a DHCP server or perform some other tasks to be compliant with the network security strategy URL redirection An unauthenticated user using a web browser to access the network is automatically redirected to a speci...

Page 112: ...If users fail to download EAD client or fail to pass authentication before the timer expires they must reconnect to the network to access the free IP To prevent ACL rule resources from being used up shorten the timer when the amount of EAD users is large To set the EAD rule timer To do Command Remarks 1 Enter system view system view 2 Set the EAD rule timer dot1x timer ead timeout ead timeout valu...

Page 113: ...0 2 10 1 1 10 24 GE1 0 1 Free IP Web server 192 168 2 3 24 Internet 192 168 1 0 24 Vlan int 2 192 168 1 1 24 192 168 2 0 24 GE1 0 3 192 168 2 1 24 DHCP server 192 168 2 2 24 Authentication servers 10 1 1 1 10 1 1 2 Router In addition to the configuration on the access device complete the following tasks Configure the DHCP server so that the host can obtain an IP address on the segment of 192 168 1...

Page 114: ... ping an IP address on the network segment specified by free IP C ping 192 168 2 3 Pinging 192 168 2 3 with 32 bytes of data Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Reply from 192 168 2 3 bytes 32 time 1ms TTL 128 Ping statistics for 192 168 2 3 Packets Sent 4 Received 4 Lost 0 0 loss Approxi...

Page 115: ...er than X X X X The redirection function does redirect this kind of ARP request The address is within the freely accessible network segment The router considers that the user is trying to access a host in the freely accessible network segment and redirection does not take place even if no host is present with the address The redirect URL is not in the freely accessible network segment no server is...

Page 116: ...ice uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insure environment One shared user account for all users You specify one username and password which are not necessarily a MAC address for all MAC authentication users on the access device This policy is suitable for a secure environment Authentication approach...

Page 117: ...its access to network resources After the user passes MAC authentication the authentication server either the local access device or a RADIUS server assigns the VLAN to the port as the default VLAN After the user logs off the initial default VLAN or the default VLAN configured before any VLAN is assigned by the authentication server is restored If the authentication server assigns no VLAN the init...

Page 118: ...C authentication users Configuration procedure MAC authentication can take effect on a port only when it is enabled globally and on the port Configuring MAC authentication globally To do Command Remarks 1 Enter system view system view 2 Enable MAC authentication globally mac authentication Required Disabled by default 3 Configure MAC authentication timers mac authentication timer offline detect of...

Page 119: ...l Specifying MAC authentication user domain By default MAC authentication users are in the system default authentication domain To implement different access policies for users specify authentication domains for MAC authentication users in the following ways Specify a global authentication domain in system view This domain setting applies to all ports Specify an authentication domain for an indivi...

Page 120: ...MAC authentication The MAC addresses are separated by hyphens and in lower case The access device detects whether a user has gone offline every 180 seconds When a user fails authentication the device does not authenticate the user within 180 seconds Figure 40 Local MAC authentication Configuration procedure 1 Configure local MAC authentication Add a local user account set both the username and pas...

Page 121: ...hentication MAC address authentication is enabled User name format is MAC address in lowercase like xx xx xx xx xx xx Fixed username mac Fixed password not configured Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current domain is aabbcc net Silent Mac User info MAC Addr From Po...

Page 122: ...s belong to ISP domain 2000 and share the user account aaa with password 123456 Figure 41 RADIUS based MAC authentication Make sure that the RADIUS server and the access device can reach each other Create a shared account for MAC authentication users on the RADIUS server and set the username aaa and password 123456 for the account Configuration procedure 1 Configure RADIUS based MAC authentication...

Page 123: ...pecify username aaa and password 123456 for the account shared by MAC authentication users Router mac authentication user name format fixed account aaa password simple 123456 2 Verify the configuration Display MAC authentication settings and statistics Router display mac authentication MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 ...

Page 124: ... accounting Perform MAC authentication on port GigabitEthernet 1 0 1 to control Internet access Make sure that an authenticated user can access the Internet but the FTP server at 10 0 0 1 Use MAC based user accounts for MAC authentication users The MAC addresses are separated by hyphens and in lower case Figure 42 ACL assignment Check that the RADIUS server and the access device can reach each oth...

Page 125: ...ac authentication Specify the ISP domain for MAC authentication Sysname mac authentication domain 2000 Configure the device to use MAC based user accounts and the MAC addresses are separated by hyphens and in lowercase Sysname mac authentication user name format mac address with hyphen lowercase Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname interface gigabitethernet 1 0 1 Sysnam...

Page 126: ...een assigned to port GigabitEthernet 1 0 1 to deny access to the FTP server C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss ...

Page 127: ... vendors and content service providers form an industrial ecological system Extended portal functions By forcing patching and anti virus policies extended portal functions help users to defend against viruses Portal authentication supports the following extended functions Security check Works after identity authentication succeeds to check whether the required anti virus software virus definition ...

Page 128: ...counting Allowing users who have passed identity authentication and security check to access granted Internet resources Portal server The portal server listens to authentication requests from authentication clients and exchanges client authentication information with the access device It provides free portal services and pushes web authentication pages to users Authentication accounting server The...

Page 129: ...d local portal server Layer 2 portal authentication Enable Layer 2 portal authentication on an access device s Layer 2 ports that connect authentication clients so that only clients whose MAC addresses pass authentication can access the external network Only the local portal server provided by the access device supports Layer 2 portal authentication Layer 2 portal authentication allows the authent...

Page 130: ...ol the forwarding of packets from clients in a more granular way by also using the learned MAC addresses Portal support for EAP Authentication by using the username and password is less secure Digital certificate authentication is usually used to ensure higher security EAP supports several digital certificate based authentication methods for example EAP TLS Working together with EAP portal authent...

Page 131: ...rized VLAN for the user the authentication server assigns the authorized VLAN to the access device Then the access device adds the user to the authorized VLAN and generates a MAC VLAN entry If the authorized VLAN does not exist the access device first creates the VLAN By deploying the authorized VLAN assignment function control which authenticated users can access which network resources Auth Fail...

Page 132: ...uthentication process Direct authentication and cross subnet authentication share the same authentication process while re DHCP authentication has a different process because of the presence of two address allocation procedures Direct authentication cross subnet authentication process with CHAP PAP authentication Figure 46 Direct authentication cross subnet authentication process Authentication ac...

Page 133: ...ess device The access device then controls access of the user based on the authorization information Re DHCP authentication process with CHAP PAP authentication Figure 47 Re DHCP authentication process Authentication accounting server Authentication client Portal server Access device 6 Authentication succeeds Security policy server 12 Security check 13 Authorization 7 The user obtains a new IP add...

Page 134: ...ty policy server All portal authentication modes share the same EAP authentication steps The following takes the direct portal authentication as an example to show the EAP authentication process 1 The authentication client sends an EAP Request Identity message to the portal server to initiate an EAP authentication process 2 The portal server sends a portal authentication request to the access devi...

Page 135: ... the EAP Message attribute 9 The portal server notifies the authentication client of the authentication success 10 The portal server sends an authentication reply acknowledgment to the access device The remaining steps are for extended portal authentication For more information see the portal authentication process with CHAP PAP authentication Portal stateful failover The stateful failover feature...

Page 136: ...ta communication of the online portal users Basic concepts 1 Device states Independence A stable running status of a device when it does not establish the failover link with the other device Synchronization A stable running status of a device when it establishes the failover link with the other device successfully and is ready for data backup 2 User modes Stand alone Indicates that the user data i...

Page 137: ... and AAA authentication both of which support authentication across VPNs Therefore the NAS can transparently transmit a client s portal authentication packets in a VPN through the MPLS backbone to the servers in another VPN This implements centralized authentication of clients in different VPNs while ensuring the separation of packets of the different VPNs Figure 50 Network diagram for portal auth...

Page 138: ...ortal feature cannot implement this solution by itself RADIUS authentication needs to be configured on the access device to cooperate with the portal feature to complete user authentication The prerequisites for portal authentication configuration are as follows The portal server and the RADIUS server have been installed and configured properly Local portal authentication requires no independent p...

Page 139: ...he remote portal server To use the local portal server of the access device specify the IP address of a Layer 3 interface on the access device as the portal server s IP address The specified interface must be reachable to the client Now the router does not support local portal server To specify a portal server for Layer 3 authentication To do Command Remarks 1 Enter system view system view 2 Speci...

Page 140: ...he destination port number that the router uses for sending unsolicited packets to the portal server must be the same as that which the remote portal server actually uses The portal server and its parameters can be deleted or modified only when the portal server is not referenced by any interface Cross subnet authentication mode portal server server name method layer3 does not require Layer 3 forw...

Page 141: ...trigger portal authentication If an unauthenticated user is not on any authentication source subnet the access device discards all the user s HTTP packets that do not match any portal free rule To configure an authentication source subnet To do Command Remarks 1 Enter system view system view 2 Enter interface view interface interface type interface number 3 Configure an authentication source subne...

Page 142: ... portal users on an interface the router uses the authentication domain for authentication authorization and accounting of all portal users on the interface ignoring the domain names carried in the usernames This allows you to specify different authentication domains for different interfaces as needed To specify the authentication domain for portal users on an interface To do Command Remarks 1 Ent...

Page 143: ... points are identified by their access VLANs Network carriers must use NAS identifiers to identify user access points With a NAS ID profile specified on an interface when a user logs in from the interface the access device checks the specified profile to obtain the NAS ID that is bound with the access VLAN The value of this NAS ID is used as that of the NAS identifier attribute in the RADIUS packe...

Page 144: ...for outgoing portal packets portal nas ip ip address Optional By default no source IP address is specified for outgoing portal packets and the IP address of the user logon interface is used as the source IP address of the outgoing portal packets Configuring portal stateful failover CAUTION Specifying or changing the device ID of a router logs off all online users on the router Therefore perform th...

Page 145: ...teful failover interface and enable stateful failover on the interface For related configuration see High Availability Configuration Guide After the working state of the two devices changes from independence to synchronization and the portal group takes effect the two devices start to back up the data of online portal users for each other To configure stateful failover To do Command Remarks 1 Ente...

Page 146: ...ple use cut connection and portal delete users on the device to log off users The AAA and portal configuration must be consistent on the two routers that back up each other For example you must configure the same portal server on the two routers Specifying auto redirection URL for authenticated portal users After a user passes portal authentication if the access device is configured with an auto r...

Page 147: ... detection To do Command Remarks 1 Enter system view system view 2 Enter interface view interface interface type interface number 3 Configure online Layer 3 portal user detection access user detect type arp retransmit number interval interval Required Not configured by default NOTE Adjust the maximum number of transmission attempts and the interval of sending probe packets according to the actual ...

Page 148: ...ice considers that the portal server is unreachable 3 Actions to be taken when the server reachability status changes choose one or more Sending a trap message When the status of a portal server changes the access device sends a trap message to the NMS The trap message contains the portal server name and the current state of the portal server Sending a log When the status of a portal server change...

Page 149: ...ve this problem the access device provides the portal user information synchronization function This function is implemented by sending and detecting the portal synchronization packet The process is as follows 1 The portal server sends the online user information to the access device in a user synchronization packet at the user heartbeat interval which is set on the portal server 2 Upon receiving ...

Page 150: ...henticated users list To do Command Remarks 1 Enter system view system view 2 Log off users portal delete user ip address all interface interface type interface number Required Displaying and maintaining portal To do Command Remarks Display the ACLs on a specified interface display portal acl all dynamic static interface interface type interface number begin exclude include regular expression Avai...

Page 151: ...face interface type interface number Available in user view Clear portal server statistics on a specified interface or all interfaces reset portal server statistics all interface interface type interface number Available in user view Clear TCP spoofing statistics reset portal tcp cheat statistics Available in user view Portal configuration examples Configuring direct portal authentication Network ...

Page 152: ... Manager Portal Service Management Server from the navigation tree to enter the portal server configuration page as shown in Figure 52 Configure the portal parameters as needed This example uses the default values Figure 52 Portal server configuration Configure the IP address group Select User Access Manager Portal Service Management IP Group from the navigation tree to enter the portal IP address...

Page 153: ...b Enter the IP address of the interface on the router for connecting the user c Enter the key which must be the same as that configured on the router d Set whether to enable IP address reallocation Because direct portal authentication is used in this example select No from the Reallocate IP drop down list e Set whether to support portal server heartbeat and user heartbeat functions In this example...

Page 154: ...n Figure 56 Perform the following configurations a Enter the port group name b Select the configured IP address group The IP address used by the user to access the network must be within this IP address group c Use the default settings for other parameters Figure 56 Port group configuration Select User Access Manager Service Parameters Validate System Configuration from the navigation tree to make...

Page 155: ...scheme rs1 Router isp dm1 accounting portal radius scheme rs1 Router isp dm1 quit Configure dm1 as the default ISP domain for all users Then if a user enters a username without any ISP domain at logon the authentication and accounting methods of the default domain are used for the user Router domain default enable dm1 Configure portal authentication Configure the portal server as needed Router por...

Page 156: ...Configuring re DHCP portal authentication Network requirements As shown in Figure 57 The host is directly connected to the router and the router is configured for re DHCP portal authentication The host is assigned with an IP address through the DHCP server Before passing portal authentication the host uses an assigned private IP address After passing portal authentication it can obtain a public IP...

Page 157: ...scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you must set the server type to extended Router radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Router radius rs1 primary authentication 192 168 0 113 Router radius rs1 primary accounting 192 168 0 113 Route...

Page 158: ...t portal authentication Network requirements As shown in Figure 58 Router A is configured for cross subnet portal authentication Before passing portal authentication a user can access only the portal server After passing portal authentication the user can access Internet resources The host accesses Router A through Router B A RADIUS server serves as the authentication accounting server Figure 58 C...

Page 159: ...hould not be included in the username sent to the RADIUS server RouterA radius rs1 user name format without domain RouterA radius rs1 quit 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view RouterA domain dm1 Configure AAA methods for the ISP domain RouterA isp dm1 authentication portal radius scheme rs1 RouterA isp dm1 authorization portal radius scheme rs1 Rou...

Page 160: ...y check after passing identity authentication the user can access only subnet 192 168 0 0 24 After the user passes security check the user can access Internet resources A RADIUS server serves as the authentication accounting server Figure 59 Configure direct portal authentication with extended functions Configure IP addresses for the host router and servers as shown in Figure 59 and make sure that...

Page 161: ... ISP domain Router isp dm1 authentication portal radius scheme rs1 Router isp dm1 authorization portal radius scheme rs1 Router isp dm1 accounting portal radius scheme rs1 Router isp dm1 quit Configure dm1 as the default ISP domain for all users Then if a user enters the username without the ISP domain at logon the authentication and accounting methods of the default domain are used for the user R...

Page 162: ...passing identity authentication the user can access only subnet 192 168 0 0 24 After passing security check the user can access Internet resources A RADIUS server serves as the authentication accounting server Figure 60 Configure re DHCP portal authentication with extended functions 192 168 0 111 24 192 168 0 114 24 192 168 0 112 24 Router Host automatically obtains an IP address GE1 0 2 20 20 20 ...

Page 163: ... for communication with the servers Router radius rs1 primary authentication 192 168 0 113 Router radius rs1 primary accounting 192 168 0 113 Router radius rs1 key authentication radius Router radius rs1 key accounting radius Router radius rs1 user name format without domain Configure the IP address of the security policy server Router radius rs1 security policy server 192 168 0 114 Router radius ...

Page 164: ...55 0 Router Gigabitethernet1 0 2 ip address 10 0 0 1 255 255 255 0 sub Router Gigabitethernet1 0 2 dhcp select relay Router Gigabitethernet1 0 2 dhcp relay server select 0 Router Gigabitethernet1 0 2 dhcp relay address check enable Enable portal authentication on the interface connecting the host Router Gigabitethernet1 0 2 portal server newpt method redhcp Router Gigabitethernet1 0 2 quit Configu...

Page 165: ...configurations on the RADIUS server to ensure that the user authentication and accounting functions can work normally Configuration procedure Configure Router A 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view RouterA system view RouterA radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you must set the server type to extended Rout...

Page 166: ...tion 192 168 0 0 0 0 0 255 RouterA acl adv 3000 rule deny ip RouterA acl adv 3000 quit RouterA acl number 3001 RouterA acl adv 3001 rule permit ip RouterA acl adv 3001 quit 4 Configure extended portal authentication Configure the portal server as needed RouterA portal server newpt ip 192 168 0 111 key portal port 50100 url http 192 168 0 111 8080 portal Enable portal authentication on the interfac...

Page 167: ...24 GE 0 2 192 168 0 5 24 GE 0 3 Eth1 3 Virtual IP address 2 192 168 0 1 24 Server Master Backup Virtual IP address 1 9 9 1 1 24 Master Backup L2 Switch L2 Switch IP 192 168 0 111 24 Gateway 192 168 0 1 24 Configure IP addresses for the host server and routers as shown in Figure 62 and make sure that they can reach each other Make sure that Host can access the authentication server through Router A...

Page 168: ...uration Configure an IP address group Select User Access Manager Portal Service Management IP Group from the navigation tree to enter the portal IP address group configuration page Then click Add to enter the page for adding an IP address group as shown in Figure 64 a Enter the IP group name b Enter the start IP address and end IP address of the IP address group Make sure that the IP address of th...

Page 169: ...lds the portal enabled interface c Enter the key which must be the same as that configured on the routers d Set whether to enable IP address reallocation Because direct portal authentication is used in this example select No from the Reallocate IP drop down list e Select No for both Support Server Heartbeat and Support User Heartbeat Figure 65 Add a portal device Associate the portal device with t...

Page 170: ...ee to validate the above configurations 2 Configure Router A Configure VRRP Create VRRP group 1 and configure the virtual IP address of the VRRP group 1 as 9 9 1 1 RouterA system view RouterA interface gigabitethernet 0 1 RouterA Gigabitethernet0 1 vrrp vrid 1 virtual ip 9 9 1 1 Set the priority of Gigabitethernet 0 1 in VRRP group 1 to 200 RouterA Gigabitethernet0 1 vrrp vrid 1 priority 200 On Gi...

Page 171: ...y of Gigabitethernet 0 2 in VRRP group 2 to 200 RouterA Gigabitethernet0 2 vrrp vrid 2 priority 200 On Gigabitethernet 0 2 configure the interface to be tracked as Gigabitethernet 0 1 and reduce the priority of Gigabitethernet 0 2 in VRRP group 2 by 150 when the interface state of Gigabitethernet 0 1 becomes Down or Removed RouterA Gigabitethernet0 2 vrrp vrid 2 track interface gigabitethernet 0 1...

Page 172: ...m1 authentication portal radius scheme rs1 RouterA isp dm1 authorization portal radius scheme rs1 RouterA isp dm1 accounting portal radius scheme rs1 RouterA isp dm1 quit Configure dm1 as the default ISP domain for all users Then if a user enters a username without any ISP domain at logon the authentication and accounting methods of the default domain are used for the user RouterA domain default e...

Page 173: ... group 2 and configure the virtual IP address of the VRRP group 2 as 192 168 0 1 RouterB interface gigabitethernet 0 2 RouterB Gigabitethernet0 2 vrrp vrid 2 virtual ip 192 168 0 1 Set the priority of Gigabitethernet 0 2 in VRRP group 2 to 150 RouterB Gigabitethernet0 2 vrrp vrid 2 priority 150 RouterB Gigabitethernet0 2 quit Configure a RADIUS scheme Create RADIUS scheme rs1 and enter its view Ro...

Page 174: ...g the host RouterB interface gigabitethernet 0 1 RouterB Gigabitethernet0 1 portal server newpt method layer3 Specify the source IP address for outgoing portal packets as 9 9 1 1 the virtual IP address of VRRP group 1 RouterB GigabitEthernet0 1 portal nas ip 9 9 1 1 Configure portal stateful failover Assign interface Gigabitethernet 0 1 to portal group 1 RouterB GigabitEthernet0 1 portal backup gr...

Page 175: ...from Router A Configuring portal server detection and portal user information synchronization Network requirements As shown in Figure 68 a host is directly connected to a router the access device and must pass portal authentication before it can access the Internet A RADIUS server serves as the authentication accounting server Detailed requirements are as follows The host is assigned with a public...

Page 176: ...n synchronize portal user information with the portal server by cooperating with the portal user heartbeat function Configure IP addresses for the host router and servers as shown in Figure 68 and make sure that they can reach each other Perform configurations on the RADIUS server to ensure that the user authentication and accounting functions can work normally The following describes how to confi...

Page 177: ...tion page Then click Add to enter the page for adding an IP address group as shown in Figure 70 a Enter the IP group name b Enter the start IP address and end IP address of the IP address group Make sure that the IP address of the user host is within this IP address group c Select a service group By default the group Ungrouped is used d Select the IP group type as Normal Figure 70 Add an IP addres...

Page 178: ...ether to support portal server heartbeat and user heartbeat functions In this example select Yes for both Support Server Heartbeat and Support User Heartbeat Figure 71 Add a portal device Associate the portal device with the IP address group As shown in Figure 72 on the device list click the icon in the Port Group Information Management column of device NAS to enter the port group configuration pa...

Page 179: ...xtended Router radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Router radius rs1 primary authentication 192 168 0 112 Router radius rs1 primary accounting 192 168 0 112 Router radius rs1 key authentication radius Router radius rs1 key accounting radius Configure the access device to no...

Page 180: ...e interval to 40 seconds Also specify the access device to send a server unreachable trap message and disable portal authentication to permit unauthenticated portal users if two consecutive probes fail Router portal server newpt server detect method portal heartbeat action trap permit all interval 40 retry 2 NOTE The product of interval and retry must be greater than or equal to the portal server ...

Page 181: ...l authentication be sure to configure the MPLS L3VPN capabilities properly and specify VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other This example gives only the access authentication configuration on the user side PE For information about MPLS L3VPN see MPLS Configuration Guide Configure the RADIUS server properly to provide normal authentication accountin...

Page 182: ...dress of the access device specified on the server to avoid authentication failures 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view RouterA domain dm1 Configure AAA methods for the ISP domain RouterA isp dm1 authentication portal radius scheme rs1 RouterA isp dm1 authorization portal radius scheme rs1 RouterA isp dm1 accounting portal radius scheme rs1 Router...

Page 183: ...Gigabitethernet1 0 1 Total 1 user s matched 1 listed Troubleshooting portal Inconsistent keys on the access device and the portal server Symptom When a user is forced to access the portal server the portal server displays a blank webpage rather than the portal authentication page or an error message Analysis The keys configured on the access device and the portal server are inconsistent causing CH...

Page 184: ...g port on the server and the portal server cannot receive the REQ_LOGOUT message As a result you cannot force the user to log off the portal server When the user uses the disconnect attribute on the client to log off the portal server actively sends a REQ_LOGOUT message to the access device The source port is 50100 and the destination port of the ACK_LOGOUT message from the access device is the so...

Page 185: ... scenarios that require both 802 1X authentication and MAC authentication For scenarios that require only 802 1X authentication or MAC authentication HP recommends that you configure 802 1X authentication or MAC authentication rather than port security For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication Port security features NTK The N...

Page 186: ...cess to the port is not restricted Control MAC address learning autoLearn NTK intrusion protection secure Perform 802 1X authentication userLogin userLoginSecure NTK intrusion protection userLoginSecureExt userLoginWithOUI Perform MAC authentication macAddressWithRadius NTK intrusion protection Perform a combination of MAC authentication and 802 1X authentication Or macAddressOrUserLoginSecure NTK...

Page 187: ...ddresses and manually configured MAC addresses to pass Perform 802 1X authentication userLogin A port in this mode performs 802 1X authentication and implements port based access control The port can service multiple 802 1X users If one 802 1X user passes authentication all the other 802 1X users of the port can access the network without authentication userLoginSecure A port in this mode performs...

Page 188: ...he keyword Ext implies NOTE The maximum number of users that a port supports equals the maximum number of secure MAC addresses or the maximum number of authenticated users that the security mode supports whichever is smaller For more information about configuring MAC address table entries see Layer 2 LAN Switching Configuration Guide Support for guest VLAN and Auth Fail VLAN An 802 1X guest VLAN i...

Page 189: ...ired Disabled by default 1 Enabling port security resets the following configurations on a port to the defaults in parentheses below Then values of these configurations cannot be changed manually the system adjusts them based on the port security mode automatically 802 1X disabled port access control method macbased and port authorization mode auto MAC authentication disabled 2 Disabling port secu...

Page 190: ...ired Not limited by default NOTE This feature is available only on a SAP interface card in bridging mode This configuration is independent of the MAC learning limit described in MAC address table configuration in the Layer 2 LAN Switching Configuration Guide Setting the port security mode Configuration prerequisites Before you set the port security mode complete the following tasks On the port dis...

Page 191: ...rface card in bridging mode When a port operates in autoLearn mode the maximum number of secure MAC addresses cannot be changed An OUI as defined by the IEEE is the first 24 bits of the MAC address which uniquely identifies a device vendor configure multiple OUI values However a port in userLoginWithOUI mode allows only one 802 1X user and one user whose MAC address contains a specified OUI to pas...

Page 192: ... response to illegal frames blockmac Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards the frames All subsequent frames sourced from a blocked MAC address are dropped A blocked MAC address is restored to the normal state after being blocked for 3 minutes The interval is fixed and cannot be changed disableport Disables the port until you bring it up manu...

Page 193: ...l frames To enable port security traps To do Command Remarks 1 Enter system view system view 2 Enable port security traps port security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By default port security traps are disabled Configuring secure MAC addresses Secure MAC addresses never age out or get lost if saved before the device...

Page 194: ...AC addresses saved in the configuration file are maintained even after the device restarts Ignoring authorization information from the RADIUS server The authorization information is delivered by the RADIUS server to the device after an 802 1X user or MAC authenticated user passes RADIUS authentication configure a port to ignore authorization information from the RADIUS server To configure a port t...

Page 195: ... interface type interface number vlan vlan id count begin exclude include regular expression Available in any view Port security configuration examples Configuring the autoLearn mode Network requirements See Figure 75 Configure port GigabitEthernet 1 0 1 on Router as follows Allow up to 64 users to access the port without authentication Permit the port to learn and add MAC addresses as secure MAC ...

Page 196: ...igabitEthernet1 0 1 is link up Port mode is autoLearn NeedToKnow mode is disabled Intrusion Protection mode is DisablePortTemporarily Max MAC address number is 64 Stored MAC address number is 0 Authorization is permitted The output shows that the maximum number of secure MAC addresses on the port is 64 the port security mode is autoLearn intrusion protection traps are enabled and the intrusion pro...

Page 197: ...ort is restored to autoLearn and the port is able to learn MAC addresses again Configuring the userLoginWithOUI mode Network requirements As shown in Figure 76 a client is connected to the Router through port GigabitEthernet 1 0 1 The Router authenticates the client with a RADIUS server If the authentication succeeds the client is authorized to access the Internet The RADIUS server at 192 168 1 2 ...

Page 198: ...on name Router radius radsun key accounting money Router radius radsun timer response timeout 5 Router radius radsun retry 5 Router radius radsun timer realtime accounting 15 Router radius radsun user name format without domain Router radius radsun quit Configure ISP domain sun to use RADIUS scheme radsun for authentication authorization and accounting of all types of users Specify that the ISP do...

Page 199: ...cheme named radsun Router display radius scheme radsun SchemeName radsun Index 1 Type standard Primary Auth Server IP 192 168 1 2 Port 1812 State active Encryption Key N A VPN instance N A Primary Acct Server IP 192 168 1 3 Port 1813 State active Encryption Key N A VPN instance N A Second Auth Server IP 192 168 1 3 Port 1812 State active Encryption Key N A VPN instance N A Second Acct Server IP 19...

Page 200: ... 123402 Index is 3 OUI value is 123403 Index is 4 OUI value is 123404 Index is 5 OUI value is 123405 GigabitEthernet1 0 1 is link up Port mode is userLoginWithOUI NeedToKnow mode is disabled Intrusion Protection mode is NoAction Max MAC address number is not configured Stored MAC address number is 0 Authorization is permitted After an 802 1X user gets online you see that the number of secure MAC a...

Page 201: ...configured Auth Fail VLAN NOT configured Max number of on line users is 1024 EAPOL Packet Tx 16331 Rx 102 Sent EAP Request Identity Packets 16316 EAP Request Challenge Packets 6 EAP Success Packets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0011 C...

Page 202: ...authentication accounting configurations and ISP domain configurations are the same as those in Configuring the userLoginWithOUI mode 2 Configure port security Enable port security Router system view Router port security enable Configure a MAC authentication user setting the username and password to aaa and 123456 respectively Router mac authentication user name format fixed account aaa password s...

Page 203: ...cation information Router display mac authentication interface gigabitethernet 1 0 1 MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 60s Quiet period is 5s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 3 Current domain is mac Silent MAC User ...

Page 204: ...esource number is 1 GigabitEthernet1 0 1 is link up 802 1X protocol is enabled Proxy trap checker is disabled Proxy logoff checker is disabled Handshake is enabled Handshake secure is disabled 802 1X unicast trigger is enabled Periodic reauthentication is disabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac based 802 1X Multicast trigger is enabled Mandatory a...

Page 205: ...he port security mode to noRestrictions first Router GigabitEthernet1 0 1 undo port security port mode Router GigabitEthernet1 0 1 port security port mode autolearn Cannot configure secure MAC addresses Symptom Cannot configure secure MAC addresses Router GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Error Security MAC address configuration failed Error Can not operate secur...

Page 206: ...for there is 802 1X user s on line on port GigabitEthernet1 0 1 Analysis Changing port security mode is not allowed when an 802 1X authenticated or MAC authenticated user is online Solution Use cut to forcibly disconnect the user from the port before changing the port security mode Router GigabitEthernet1 0 1 quit Router cut connection interface gigabitethernet 1 0 1 Router interface gigabitethern...

Page 207: ...tions are based on interface VLAN or globally and a policy applies to any user who accesses the interface VLAN or device If a user moves between ports to access a device to restrict the user behavior you must remove the policy from the previous port and then configure the same policy on the port that the user uses The configuration task is tedious and prone to errors User profiles provide flexible...

Page 208: ...ble a user profile so that configurations in the profile can be applied by the device to restrict user behaviors If the device detects that the user profile is disabled the device denies the associated user even if the user has been verified by the authentication server To enable a user profile To do Command Remarks 1 Enter system view system view 2 Enable a user profile user profile profile name ...

Page 209: ...he password at the first login or for a user whose password has just been aged out Password aging Password aging imposes a lifecycle on a user password After the password aging time expires the user needs to change the password If a user enters an expired password when logging in the system displays an error message and prompts the user to provide a new password and to confirm it by entering it ag...

Page 210: ...out the blacklist entry aging time is 1 minute Prohibits the user from logging in within a configurable period of time and allows the user to log in again after the period of time elapses or after the user is removed from the blacklist NOTE A blacklist can contain up to 1024 entries A login attempt using a wrong username fails but the username is not added into the blacklist Web users failing logi...

Page 211: ...n within the configured period of time the system tears down the connection Maximum account idle time set the maximum account idle time to make accounts staying idle for this period of time become invalid and unable to log in again For example if you set the maximum account idle time to 60 days and a user who is using the account test has never logged in successfully within 60 days after the last ...

Page 212: ...ol functions Some password control functions must be enabled individually after the password control feature is enabled globally These functions include the following Password aging Minimum password length Password history Password composition checking You must enable a function for its relevant configurations to take effect To enable password control To do Command Remarks 1 Enter system view syst...

Page 213: ... user password control history max record num Optional 4 by default 8 Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts password control login attempt login times exceed lock unlock lock time time unlock Optional By default the maximum number of login attempts is 3 and a user who fails to log in after the spec...

Page 214: ...h configured in system view is used 5 Configure the password composition policy for the user group password control composition type number type number type length type length Optional By default the password composition policy configured in system view is used Setting local user password control parameters To do Command Remarks 1 Enter system view system view 2 Create a local user and enter local...

Page 215: ...r passwords see Fundamentals Configuration Guide To set super password control parameters To do Command Remarks 1 Enter system view system view 2 Set the password aging time for super passwords password control super aging aging time Optional 90 days by default 3 Configure the minimum length for super passwords password control super length length Optional 10 characters by default 4 Configure the ...

Page 216: ...nction is disabled Password control configuration example Network requirements Implementing the following global password control policy An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in A user can log in five times within 60 days after the password expires The password aging time is 30 days The minimum password up...

Page 217: ...nsecutively Sysname password control complexity same character check Set the minimum number of composition types for super passwords to 3 and the minimum number of characters of each composition type to 5 Sysname password control super composition type number 3 type length 5 Configure a super password Sysname super password level 3 simple 12345ABGFTweuix Create a local user named test Sysname loca...

Page 218: ...60 day s Password complexity Enabled username checking Enabled repeated characters checking Display the password control configuration information for super passwords Sysname display password control super Super password control configurations Password aging Enabled 30 days Password length Enabled 10 characters Password composition Enabled 3 types 5 characters per type Display the password control...

Page 219: ...ame To enable or disable the RSH daemon on Windows NT 2000 XP or 2003 use the Services component Configuring RSH Configuration prerequisites Run RSH daemon on the remote host Make sure that there are routes between the router and the remote host Configuration procedure Execute a remote host s OS command from the router by using the following command To do Command Remarks Execute an OS command of a...

Page 220: ... be separately obtained and installed on the remote host Configuration procedure 1 Configure the remote host On the remote host check that the RSH daemon has been installed and started properly by following these steps a From the Windows Control Panel open the Administrative Tools folder For Windows XP if you use the category view of the Control Panel window select Administrative Tools from Perfor...

Page 221: ...Status column to check whether the Remote Shell Daemon service is started In this example the service is not started yet e Double click the Remote Shell Daemon service row Then in Remote Shell Daemon Properties window that appears click Start to start the service as shown in Figure 81 Figure 81 Remote Shell Daemon Properties window ...

Page 222: ... route to the remote host The configuration procedure is omitted Set the time of the host remotely Router rsh 192 168 1 10 command time Trying 192 168 1 10 Press CTRL K to abort The current time is 6 56 42 57 Enter the new time 12 00 12 00 ...

Page 223: ... where it is decrypted by the same algorithm also with the help of a key to obtain the original plain text Figure 82 Encryption and decryption The following types of key algorithms are available based on whether the keys for encryption and decryption are the same Symmetric key algorithm The keys for encryption and decryption are the same Commonly used symmetric key algorithms include AES and DES A...

Page 224: ...ich are relatively short are encrypted Configuring the local asymmetric key pair create and destroy a local asymmetric key pair and export the host public key of a local asymmetric key pair Creating a local asymmetric key pair To do Command Remarks 1 Enter system view system view 2 Create a local DSA key pair or RSA key pairs public key local create dsa rsa Required By default no key pair is creat...

Page 225: ...m view system view Destroy an asymmetric key pair public key local destroy dsa rsa Required Configuring a remote host s public key To enable your local host to authenticate a remote host configure the remote host s RSA or DSA public key on the local host The following methods are available Import it from a public key file Obtain a copy of the remote host s public key file through FTP or TFTP in bi...

Page 226: ...racters 5 Return to public key view public key code end Required When you exit public key code view the system automatically saves the public key 6 Return to system view peer public key end NOTE Do not configure an RSA server public key of the remote host for identity authentication in SSH applications Authentication in SSH applications uses the RSA host public key For more information see Configu...

Page 227: ...A Create RSA key pairs on Router A RouterA system view RouterA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs RouterA display public key local rsa public Time of Key pair c...

Page 228: ...B16C9E766BD995C669 A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3B CA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 RouterB pkey key code public key code end RouterB pkey public key peer public key end Display the host public key of Router A saved on Router B RouterB display public key peer name Routera Key Name Routera Key Type RSA Key Modul...

Page 229: ...A Encryption Key Key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854 C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784A D597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80A AB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 Time of Key pair created 09 50 07 2007 08 07 K...

Page 230: ...ype set to I ftp put Routera pub 227 Entering Passive Mode 10 1 1 2 5 148 125 BINARY mode data connection already open transfer starting for Routera pub 226 Transfer complete FTP 299 byte s sent in 0 189 second s 1 00Kbyte s sec 4 Import the host public key of Router A to Router B Import the host public key of Router A from the key file Routera pub to Router B RouterB public key peer Routera impor...

Page 231: ... CA certificate A local certificate is a digital certificate signed by a CA for an entity and a CA certificate is the certificate of a CA If multiple CAs are trusted by different users in a PKI system the CAs forms a CA tree with the root CA at the top level The root CA has a CA certificate signed by itself and each lower level CA has a CA certificate signed by the CA at the next higher level CRL ...

Page 232: ...eration and key pair backup The PKI standard recommends that an independent RA be used for registration management to achieve higher security of application systems PKI repository A PKI repository can be an LDAP server or a common database It stores and manages information like certificate requests certificates keys CRLs and logs when it provides a simple query function LDAP is a protocol for acce...

Page 233: ... entity submits a certificate request to the RA 2 The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA 3 The CA verifies the digital signature approves the application and issues a certificate 4 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation service and notifi...

Page 234: ...ty where the entity resides Organization to which the entity belongs Unit of the entity in the organization State where the entity resides NOTE The configuration of an entity DN must comply with the CA certificate issue policy You must determine for example which entity DN parameters are mandatory and which are optional Otherwise certificate requests might be rejected To configure an entity DN To ...

Page 235: ...ndependent RA is in charge of certificate request management It receives the registration request from an entity checks its qualification and determines whether to ask the CA to sign a digital certificate The RA only checks the application qualification of an entity it does not issue any certificate Sometimes the registration management function is provided by the CA in which case no independent R...

Page 236: ...querying the certificate request status certificate request polling count count interval minutes Optional The polling is executed for up to 50 times at the interval of 20 minutes by default 8 Specify the LDAP server ldap server ip ip address port port number version version number Optional No LDP server is specified by default 9 Configure the fingerprint for root certificate verification root cert...

Page 237: ... To do Command Remarks 1 Enter system view system view 2 Enter PKI domain view pki domain domain name 3 Set the certificate request mode to auto certificate request mode auto key length key length password cipher simple password Required Manual by default NOTE If a certificate will expire or has expired the entity does not initiate a re request automatically and the service using the certificate m...

Page 238: ...e and the registration information resulting from configuration changes Before requesting a new certificate use pki delete certificate to delete the existing local certificate and the CA certificate stored locally When it is impossible to request a certificate from the CA through SCEP print the request information or save the request information to a local file and then send the printed informatio...

Page 239: ...n domain name der p12 pem filename filename Configuring PKI certificate verification A certificate needs to be verified before being used Verifying a certificate checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked specify whether CRL checking is required in certificate verification If you enable CRL checking CRLs are used in verification of...

Page 240: ... PKI certificate verification To do Command Remarks 1 Enter system view system view 2 Enter PKI domain view pki domain domain name 3 Disable CRL checking crl check disable Required Enabled by default 4 Return to system view quit 5 Retrieve the CA certificate See Retrieving a certificate manually Required 6 Verify the validity of the certificate pki validate certificate ca local domain domain name ...

Page 241: ...er its view pki certificate attribute group group name Required No certificate attribute group exists by default 3 Configure an attribute rule for the certificate issuer name certificate subject name or alternative subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional No restriction exists on the issuer name certificate su...

Page 242: ... policy policy name all begin exclude include regular expression Available in any view PKI configuration examples CAUTION The SCEP add on is required when you use the Windows Server as the CA In this case when configuring the PKI domain use certificate request from ra to specify that the entity requests a certificate from an RA The SCEP add on is not required when RSA Keon is used In this case whe...

Page 243: ...hat the router can request certificates and retrieve CRLs properly 2 Configure the router Configure the entity DN Configure the entity name as aaa and the common name as router Router system view Router pki entity aaa Router pki entity aaa common name router Router pki entity aaa quit Configure the PKI domain Create PKI domain torsa and enter its view Router pki domain torsa Configure the name of ...

Page 244: ...MD5 fingerprint EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct Y N y Saving CA RA certificates chain please wait a moment CA certificates retrieval success Retrieve CRLs and save them locally Router pki retrieval crl domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success ...

Page 245: ...blic Key 1024 bit Modulus 1024 bit 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C 2B Exponent 65537 0x10001 X509v3 extensions X509v3 CRL Distribution Points UR...

Page 246: ...Tools Certificate Authority If the CA server and SCEP add on have been installed successfully there should be two certificates issued by the CA to the RA Right click the CA server in the navigation tree and select Properties Policy Module Click Properties and then select Follow the settings in the certificate template if applicable Otherwise automatically issue the certificate Modify the IIS attri...

Page 247: ...rtificate request as aaa Router pki domain torsa certificate request entity aaa Generate a local key pair using RSA Router public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits in the modulus default 1024 Generating Keys Apply for certificates Retrieve the CA certificate and ...

Page 248: ... GMT Not After Nov 21 12 42 16 2008 GMT Subject CN router Subject Public Key Info Public Key Algorithm rsaEncryption RSA Public Key 1024 bit Modulus 1024 bit 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113 0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D...

Page 249: ...p between Router A and Router B to secure the traffic between Host A on subnet 10 1 1 0 24 and Host B on subnet 11 1 1 0 24 Router A and Router B use IKE for IPsec tunnel negotiation and RSA digital signature of a PKI certificate system for identity authentication As shown in Figure 88 Router A and Router B use different CAs They might also use the same CA as required Figure 88 Apply RSA digital s...

Page 250: ...re the CRL distribution URL This is not necessary if CRL checking is disabled RouterA pki domain 1 crl url ldap 1 1 1 102 RouterA pki domain 1 quit Create a local key pair using RSA RouterA public key local create rsa Request a certificate RouterA pki retrieval certificate ca domain 1 RouterA pki retrieval crl domain 1 RouterA pki request certificate domain 1 Configure IKE proposal 1 using RSA sig...

Page 251: ...pki domain 1 quit Create a local key pair using RSA RouterB public key local create rsa Request a certificate RouterB pki retrieval certificate ca domain 1 RouterB pki retrieval crl domain 1 RouterB pki request certificate domain 1 Configure IKE proposal 1 using RSA signature for identity authentication RouterB ike proposal 1 RouterB ike proposal 1 authentication method rsa signature RouterB ike p...

Page 252: ...mation about how to configure a PKI domain see Configure the PKI domain Configuration procedure 1 Configure the HTTPS server Configure the SSL policy for the HTTPS server to use Router system view Router ssl server policy myssl Router ssl server policy myssl pki domain 1 Router ssl server policy myssl client verify enable Router ssl server policy myssl quit 2 Configure the certificate attribute gr...

Page 253: ...nd certificate attribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy myssl to HTTPS service Router ip https ssl server policy myssl Apply the certificate attribute based access control policy of myacp to HTTPS service Router ip https certificate access control policy myacp Enable HTTPS service Router ip https enable Troubleshooting PKI Failed to re...

Page 254: ...lly proper Retrieve a CA certificate Regenerate a key pair Specify a trusted CA Use ping to check that the RA server is reachable Specify the authority for certificate request Configure the required entity DN parameters Failed to retrieve CRLs Symptom Failed to retrieve CRLs Analysis Possible reasons include The network connection is not proper For example the network cable might be damaged or loo...

Page 255: ... provides security services and IKE performs key exchange For more information see Configuring IKE IPsec provides two security mechanisms authentication and encryption The authentication mechanism allows the receiver of an IP packet to authenticate the sender and check if the packet has been tampered with The encryption mechanism ensures data confidentiality and protects the data from being eavesd...

Page 256: ...how long the SA can be valid after it is created Traffic based lifetime which defines the maximum traffic that the SA can process The SA becomes invalid when either of the lifetime timers expires Before the SA expires IKE negotiates a new SA which takes over immediately after its creation Encapsulation modes IPsec supports two IP packet encapsulation modes Tunnel mode IPsec protects the entire IP ...

Page 257: ...t key AES provides the highest security strength and is slower than 3DES IPsec SA setup modes There are two IPsec SA setup modes Manual mode In this mode you manually configure and maintain all SA settings Advanced features like periodical key update are not available However this mode implements IPsec independently of IKE ISAKMP mode In this mode IKE automatically negotiates and maintains IPsec S...

Page 258: ...must be IPsec protected forwards the packet to the IPsec tunnel interface The original IP packet is encapsulated to form a new IP packet The source and destination of the new packet are the source and destination address of the tunnel interface respectively 3 The IPsec tunnel interface encapsulates the packet and then sends it to the forwarding module 4 The forwarding module looks up the routing t...

Page 259: ...g protocol IPsec RRI IPsec RRI enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or peer IPsec tunnel gateways to a routing table In an MPLS L3VPN network IPsec RRI can add static routes to VPN instances routing tables IPsec RRI applies to gateways for example a headquarters gateway that must provide many IPsec tunnels It frees you from the ...

Page 260: ...nfigure service based IPsec configure manual IPsec policies and bind the policies to an IPv6 routing protocol See Configuring IPsec for IPv6 routing protocols Implementing ACL based IPsec Configuration task list CAUTION Typically IKE uses UDP port 500 for communication and AH and ESP use the protocol numbers 51 and 50 respectively Make sure that flows of these protocols are not denied on the inter...

Page 261: ...does not require protection and delivers it to the next function module In the inbound direction all IPsec packets matching a permit statement are processed by IPsec and all non IPsec packets that match a permit statement are discarded When defining ACL rules for IPsec follow these guidelines Permit only data flows that must be protected and use the any keyword with caution With the any keyword sp...

Page 262: ...hes the deny statement and is sent as normal traffic When the traffic arrives at Router B it is dropped if it matches a permit statement in the ACL referenced in the applied IPsec policy Configuration on Router A acl number 3000 rule 0 permit ip source 1 1 1 0 0 0 0 255 destination 2 2 2 0 0 0 0 255 rule 1 deny ip acl number 3001 rule 0 permit ip source 1 1 2 0 0 0 0 255 destination 3 3 3 0 0 0 0 ...

Page 263: ...1 2 of Router B ACL2 rule permit 1 1 1 0 24 2 2 2 0 24 ACL1 rule permit 2 2 2 2 1 1 1 1 ACL2 rule permit 2 2 2 0 24 1 1 1 0 24 If the ACL rules on peers do not form mirror images of each other SAs can be set up only when both of the following requirements are met The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer As shown in Figure 95 the range ...

Page 264: ... beyond the anti replay window in the inbound direction resulting in packet loss For more information see ACL and QoS Configuration Guide Configuring an IPsec proposal An IPsec proposal part of an IPsec policy or an IPsec profile defines the security parameters for IPsec SA negotiation including the security protocol encryption authentication algorithms and encapsulation mode To configure an IPsec...

Page 265: ...Psec policies fall into two categories Manual IPsec policy The parameters are configured manually such as the keys the SPIs and the IP addresses of the two ends in tunnel mode IPsec policy that uses IKE The parameters are automatically negotiated through IKE Configuring a manual IPsec policy 1 Configuration guidelines To ensure successful SA negotiations follow these guidelines when configuring ma...

Page 266: ... connected neighbors or an OSPFv3 area For RIPng the scope can be directly connected neighbors or a RIPng process For IPv6 BGP the scope can be directly connected neighbors or a neighbor group All SAs both inbound and outbound within the routed network scope must use the same SPI and keys Configure the keys on all routers within the routed network scope in the same format For example if you enter ...

Page 267: ...local address of the tunnel tunnel local ip address Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications Not configured by default Configure the remote address of the tunnel tunnel remote ip address Required Not configured by default 6 Configure the SPIs for the SAs sa spi inbound outbound ah esp spi number Required 7 Configure keys for the SAs ...

Page 268: ...rameters not defined in the template are determined by the initiator This approach applies to scenarios where the remote end s information such as the IP address is unknown 1 Configuration prerequisites Configure the ACLs and the IKE peer for the IPsec policy For more information see Configuring IKE The parameters for the local and remote ends must match 2 Configuration procedure Directly configur...

Page 269: ...uses IKE The difference is that more parameters are optional Required configuration The IPsec proposals and IKE peer Optional configuration The ACL PFS feature and SA lifetime Unlike the direct configuration ACL configuration to be referenced by an IPsec policy is optional The responder without ACL configuration accepts the initiator s ACL configuration To configure an IPsec policy that uses IKE b...

Page 270: ... reference only one ACL If you apply multiple ACLs to an IPsec policy only the last one takes effect With SAs to be established through IKE negotiation an IPsec policy can reference up to six IPsec proposals During negotiation IKE searches for a fully matched IPsec proposal at the two ends of the expected IPsec tunnel If no match is found no SA can be set up and the packets expecting to be protect...

Page 271: ...system view 2 Enter interface view interface interface type interface number 3 Apply an IPsec policy group to the interface ipsec policy policy name Required NOTE An interface can reference only one IPsec policy group An IPsec policy that uses IKE can be applied to more than one interface but a manual IPsec policy can be applied to only one interface Enabling the encryption engine The encryption e...

Page 272: ...sliding window If the sequence number is not in the current sequence number range the packet is considered a replayed packet and is discarded IPsec packet de encapsulation involves complicated calculation De encapsulation of replayed packets not only makes no sense but also consumes large amounts of resources and degrades performance resulting in DoS IPsec anti replay checking when enabled is perf...

Page 273: ... number 3 Enable packet information pre extraction qos pre classify Required Disabled by default Enabling invalid SPI recovery When the security gateway at one end of an IPsec tunnel loses its SAs due to rebooting or any other reason its peer security gateway may not know about the problem and send IPsec packets to it These packets are discarded by the receiver because the receiver cannot find app...

Page 274: ...Psec SA negotiation Dynamic IPsec RRI creates static routes when the IPsec SAs are established and deletes the static routes when the IPsec SAs are deleted The dynamic mode applies to scenarios where the topologies of branch networks change frequently For example when branches have dial in users configure dynamic IPsec RRI to avoid frequent configuration changes that are otherwise required on the ...

Page 275: ...Configuration task list This is the generic configuration procedure for implementing tunnel interface based IPsec 1 Configure an IPsec proposal to specify the security protocols authentication and encryption algorithms and encapsulation mode 2 Configure an IPsec profile to associate data flows with the IPsec proposal and to specify the IKE peer parameters and the SA lifetime 3 Configure an IPsec t...

Page 276: ... profile is applied to an IPsec tunnel interface only one IPsec tunnel is set up to protect all data flows that are routed to the tunnel IPsec profiles can be applied to only DVPN interfaces and IPsec tunnel interfaces The IPsec tunnel established using an IPsec profile protects all IP data routed to the tunnel interface Before configuring an IPsec profile complete the following tasks IPsec propos...

Page 277: ... kilobytes for traffic based SA lifetime by default Configuring an IPsec tunnel interface An IPsec tunnel interface uses IPsec as the encapsulation protocol To configure an IPsec tunnel interface complete the following tasks 1 Create a tunnel interface and set the tunnel mode to IPsec over IPv4 2 Specify the source address or source interface of the IPsec tunnel interface which is used as the loca...

Page 278: ...266 The expected IKE SA and IPsec SAs are established between the local security gateway and the peer gateway Use display ike sa to view the status of the IKE SA and the IPsec SAs ...

Page 279: ...takes the primary IP address of the source interface 6 Specify the destination address of the tunnel interface destination ip address Optional for an IKE negotiation responder and required for an IKE negotiation initiator By default no tunnel destination address is configured 7 Apply an IPsec profile to the tunnel interface ipsec profile profile name Required The IPsec profile must have been creat...

Page 280: ...sec packets arriving at the destination may be out of order This may cause IPsec out of order to be dropped by the IPsec anti replay function For more information see Configuring the IPsec anti replay function To enable packet information pre extraction on an IPsec tunnel interface To do Command Remarks 1 Enter system view system view 2 Enter tunnel interface view interface tunnel number 3 Enable ...

Page 281: ...nnel addresses are not needed Applying an IPsec policy to an IPv6 routing protocol Required See Layer 3 IP Routing Configuration Guide Displaying and maintaining IPsec To do Command Remarks Display IPsec policy information display ipsec policy brief name policy name seq number begin exclude include regular expression Available in any view Display IPsec policy template information display ipsec pol...

Page 282: ...and Router B to protect data flows between subnet 10 1 1 0 24 and subnet 10 1 2 0 24 Configure the tunnel to use the security protocol ESP the encryption algorithm DES and the authentication algorithm SHA1 HMAC 96 Figure 96 Network diagram for IPsec configuration Configuration procedure 1 Configure Router A Define an ACL to identify data flows from subnet 10 1 1 0 24 to subnet 10 1 2 0 24 RouterA ...

Page 283: ...2 1 Configure the SPIs RouterA ipsec policy manual map1 10 sa spi outbound esp 12345 RouterA ipsec policy manual map1 10 sa spi inbound esp 54321 Configure the keys RouterA ipsec policy manual map1 10 sa string key outbound esp abcdefg RouterA ipsec policy manual map1 10 sa string key inbound esp gfedcba RouterA ipsec policy manual map1 10 quit Configure the IP address of the serial interface Rout...

Page 284: ... spi outbound esp 54321 RouterB ipsec policy manual use1 10 sa spi inbound esp 12345 Configure the keys RouterB ipsec policy manual use1 10 sa string key outbound esp gfedcba RouterB ipsec policy manual use1 10 sa string key inbound esp abcdefg RouterB ipsec policy manual use1 10 quit Configure the IP address of the serial interface RouterB interface serial 2 1 2 RouterB Serial2 1 2 ip address 2 2...

Page 285: ...rA ipsec proposal tran1 esp encryption algorithm des RouterA ipsec proposal tran1 esp authentication algorithm sha1 RouterA ipsec proposal tran1 quit Configure the IKE peer RouterA ike peer peer RouterA ike peer peer pre shared key abcde RouterA ike peer peer remote address 2 2 3 1 RouterA ike peer peer quit Create an IPsec policy that uses IKE for IPsec SA negotiation RouterA ipsec policy map1 10...

Page 286: ...sal tran1 quit Configure the IKE peer RouterB ike peer peer RouterB ike peer peer pre shared key abcde RouterB ike peer peer remote address 2 2 2 1 RouterB ike peer peer quit Create an IPsec policy that uses IKE for IPsec SA negotiation RouterB ipsec policy use1 10 isakmp Apply the ACL RouterB ipsec policy isakmp use1 10 security acl 3101 Apply the IPsec proposal RouterB ipsec policy isakmp use1 1...

Page 287: ...diagram for setting up an IPsec tunnel with IPsec tunnel interfaces Configuation procedure 1 Configure Router A Name the local gateway routera RouterA system view RouterA ike local name routera Configure an IKE peer named atob Because the local peer obtains the IP address automatically set the IKE negotiation mode to aggressive RouterA ike peer atob RouterA ike peer atob exchange mode aggressive R...

Page 288: ... 255 255 0 tunnel 1 2 Configure Router B Assign an IP address to interface Serial 2 1 1 RouterB system view RouterB interface serial 2 1 1 RouterB Serial2 1 1 ip address 1 1 1 1 24 RouterB Serial2 1 1 quit Name the local gateway routerb RouterB ike local name routerb Configure an IKE peer named btoa Because the remote peer obtains the IP address automatically set the IKE negotiation mode to aggres...

Page 289: ...onfigure a static route to Router A RouterB ip route static 172 17 17 0 255 255 255 0 tunnel 1 Verification After the configuration IKE negotiation is triggered to set up SAs when Serial 2 1 1 on Router A complements the dial up process If IKE negotiation is successful and SAs are set up the IPsec tunnel between Router A and Router B is up and it provides protection for packets traveling through i...

Page 290: ...for nat traversal N outbound ESP SAs spi 2364632148 0x8cf16c54 proposal ESP ENCRYPT DES ESP AUTH MD5 sa duration kilobytes sec 1843200 3600 sa remaining duration kilobytes sec 1843199 3503 max sent sequence number 6 udp encapsulation used for nat traversal N On Router B ping the IP address of the interface on Router A that connects to the branch RouterB ping a 192 168 1 1 172 17 17 1 PING 172 17 1...

Page 291: ...s Configure basic RIPng parameters Configure a manual IPsec policy Apply the IPsec policy to a RIPng process to protect RIPng packets in this process or to an interface to protect RIPng packets traveling through the interface Figure 98 Network diagram for configuring IPsec for RIPng packets For information about RIPng configuration see Layer 3 IP Routing Configuration Guide Configuration procedure...

Page 292: ...1 10 quit Apply IPsec policy policy001 to the RIPng process RouterA ripng 1 RouterA ripng 1 enable ipsec policy policy001 RouterA ripng 1 quit 2 Configure Router B Assign an IPv6 address to each interface Omitted Create a RIPng process and enable it on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 RouterB system view RouterB ripng 1 RouterB ripng 1 quit RouterB interface gigabitethernet 1 0 1 Ro...

Page 293: ...thernet1 0 1 quit Create an IPsec proposal named tran1 and set the encapsulation mode to transport mode the security protocol to ESP the encryption algorithm to DES and authentication algorithm to SHA1 HMAC 96 RouterC ipsec proposal tran1 RouterC ipsec proposal tran1 encapsulation mode transport RouterC ipsec proposal tran1 transform esp RouterC ipsec proposal tran1 esp encryption algorithm des Ro...

Page 294: ...s 8 Update time 30 sec s Timeout time 180 sec s Suppress time 120 sec s Garbage Collect time 120 sec s Number of periodic updates sent 186 Number of trigger updates sent 1 IPsec policy name policy001 SPI 12345 Using display ipsec sa on Router A you see information about the inbound and outbound SAs RouterA display ipsec sa Protocol RIPng IPsec policy name policy001 sequence number 10 mode manual c...

Page 295: ... 10 5 5 5 24 Assign IPv4 Address to the interfaces on the routers Make sure that Router A and Router B can reach each other Configuration procedure 1 Configure Router A Configure ACL 3101 to identify traffic from subnet 10 4 4 0 24 to subnet 10 5 5 0 24 RouterA system view RouterA acl number 3101 RouterA acl adv 3101 rule permit ip source 10 4 4 0 0 0 0 255 destination 10 5 5 0 0 0 0 255 RouterA a...

Page 296: ...t 1 0 1 RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 ipsec policy map1 RouterA GigabitEthernet1 0 1 quit 2 Configure Router B Configure ACL 3101 to identify traffic from subnet 10 5 5 0 24 to subnet 10 4 4 0 24 RouterB system view RouterB acl number 3101 RouterB acl adv 3101 rule permit ip source 10 5 5 0 0 0 0 255 destination 10 4 4 0 0 0 0 255 RouterB acl adv 3101 quit Co...

Page 297: ...RouterB GigabitEthernet1 0 1 ipsec policy use1 3 Verify the configuration Send traffic from subnet 10 5 5 0 24 to subnet 10 4 4 0 24 or from subnet 10 4 4 0 24 to 10 5 5 0 24 IKE negotiation is triggered to establish IPsec SAs between Router A and Router B Display the routing table on Router A RouterA display ip routing table Routing Tables Public Destinations 8 Routes 8 Destination Mask Proto Pre...

Page 298: ...nd PKI based digital signature authentication RSA signature Identity protection Encrypts the identity information with the generated keys before sending the information DH The DH algorithm is a public key algorithm With this algorithm two peers can exchange keying material and then use the material to calculate the shared keys Due to the decryption complexity a third party cannot decrypt the keys ...

Page 299: ...vide identity protection and exchanges only three messages rather than three pairs The main mode provides identity protection but is slower Functions IKE provides the following functions for IPsec Automatically negotiates IPsec parameters such as the keys Performs DH exchange when establishing an SA ensuring that each SA has a key independent of other keys Automatically negotiates SAs when the seq...

Page 300: ...ty Association and Key Management Protocol ISAKMP RFC 2409 The Internet Key Exchange IKE RFC 2412 The OAKLEY Key Determination Protocol Configuration task list Prior to IKE configuration you must determine the following parameters The strength of the algorithms for IKE negotiation namely the security protection level including the identity authentication method encryption algorithm authentication ...

Page 301: ...s used as the name of the local security gateway Configuring an IKE proposal An IKE proposal defines a set of attributes describing how IKE negotiation should take place You may create multiple IKE proposals with different preferences The preference of an IKE proposal is represented by its sequence number and the lower the sequence number the higher the preference Two peers must have at least one ...

Page 302: ...to greater than 10 minutes Configuring an IKE peer For an IPsec policy that uses IKE you must configure an IKE peer by performing the following tasks Specify the IKE negotiation mode for the local end to use in IKE negotiation phase 1 If the IP address of the remote end is obtained dynamically the IKE negotiation mode of the local end must be aggressive When acting as the IKE negotiation responder...

Page 303: ...e shared key cipher simple key Required Configure either command according to the authentication method for the IKE proposal 6 Configure the PKI domain for digital signature authentication certificate domain domain name 7 Select the ID type for IKE negotiation phase 1 id type ip name user fqdn Optional ip by default 8 Configure the names of the two ends Specify a name for the local security gatewa...

Page 304: ...intains the link status of an ISAKMP SA by keepalive packets Generally if the peer is configured with the keepalive timeout you must configure the keepalive packet transmission interval on the local end If the peer receives no keepalive packet during the timeout interval the ISAKMP SA is tagged with the TIMEOUT tag if it does not have the tag or is deleted along with the IPsec SAs it negotiated wh...

Page 305: ...D acknowledgement within the DPD packet retransmission interval it retransmits the DPD hello 4 If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts two by default it considers the peer already dead and it clears the IKE SA and the IPsec SAs based on the IKE SA DPD enables an IKE entity to check the liveliness of its peer only when n...

Page 306: ...nclude regular expression Available in any view Display IKE proposal information display ike proposal begin exclude include regular expression Available in any view Clear SAs established by IKE reset ike sa connection id Available in user view IKE configuration examples Main mode IKE with pre shared key authentication configuration example Network requirements As shown in Figure 102 an IPsec tunne...

Page 307: ...rA ipsec proposal tran1 Set the packet encapsulation mode to tunnel RouterA ipsec proposal tran1 encapsulation mode tunnel Use security protocol ESP RouterA ipsec proposal tran1 transform esp Specify encryption and authentication methods RouterA ipsec proposal tran1 esp encryption algorithm des RouterA ipsec proposal tran1 esp authentication algorithm sha1 RouterA ipsec proposal tran1 quit Create ...

Page 308: ... RouterA GigabitEthernet1 0 2 ip address 10 1 1 1 255 255 255 0 RouterA GigabitEthernet1 0 2 quit Assign an IP address to interface GigabitEthernet 1 0 1 RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 ip address 1 1 1 1 255 255 255 0 Apply the IPsec policy to interface GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 ipsec policy map1 Configure a static route to subnet 10 1...

Page 309: ...kmp use1 10 ike peer peer RouterB ipsec policy isakmp use1 10 quit Assign an IP address to interface GigabitEthernet 1 0 2 RouterB interface gigabitethernet 1 0 2 RouterB GigabitEthernet1 0 2 ip address 10 1 2 1 255 255 255 0 RouterB GigabitEthernet1 0 2 quit Assign an IP address to interface GigabitEthernet 1 0 1 RouterB interface gigabitethernet 1 0 1 RouterB GigabitEthernet1 0 1 ip address 2 2 ...

Page 310: ...flag phase doi 1 2 2 2 2 RD ST 1 IPSEC 2 2 2 2 2 RD ST 2 IPSEC flag meaning RD READY ST STAYALIVE RL REPLACED FD FADING TO TIMEOUT Display information about the established IPsec SAs which protect traffic between subnet 10 1 1 0 24 and subnet 10 1 2 0 24 RouterA display ipsec sa Interface GigabitEthernet1 0 1 path MTU 1500 IPsec policy name map1 sequence number 10 mode isakmp connection id 1 encap...

Page 311: ...k the branch and the headquarters connect to an ATM network through Router B and Router A Router B connects to the public network through an ADSL line and acts as the PPPoE client The interface connecting to the public network uses a private address dynamically assigned by the ISP Router A uses a fixed public IP address for the interface connected to the public network Figure 103 Network diagram f...

Page 312: ...ec proposal prop esp encryption algorithm 3des RouterA ipsec proposal prop esp authentication algorithm sha1 RouterA ipsec proposal prop quit Create an IPsec policy specifying to set up SAs through IKE negotiation RouterA ipsec policy policy 10 isakmp Configure the IPsec policy to reference the IKE peer RouterA ipsec policy isakmp policy 10 ike peer peer Configure the IPsec policy to reference ACL...

Page 313: ... peer peer id type name RouterB ike peer peer remote name routera RouterB ike peer peer remote address 100 1 1 1 RouterB ike peer peer nat traversal RouterB ike peer peer quit Create an IPsec proposal named prop RouterB ipsec proposal prop RouterB ipsec proposal prop encapsulation mode tunnel RouterB ipsec proposal prop transform esp RouterB ipsec proposal prop esp encryption algorithm 3des Router...

Page 314: ...c 172 16 0 0 255 255 255 0 dialer 0 Configure interface GigabitEthernet 1 0 1 RouterB interface gigabitethernet 1 0 1 RouterB GigabitEthernet1 0 1 tcp mss 1450 RouterB GigabitEthernet1 0 1 ip address 192 168 0 1 255 255 255 0 RouterB GigabitEthernet1 0 1 quit Create a virtual Ethernet interface and create a PPPoE session that uses dialer bundle 1 on the interface RouterB interface virtual ethernet...

Page 315: ...eck that the ACLs in the IPsec policies configured on the interfaces at both ends are compatible Configure the ACLs to mirror each other For more information see Configuring IPsec Proposal mismatch Symptom The proposals do not match Analysis The following is the debugging information got NOTIFY of type NO_PROPOSAL_CHOSEN Or drop message from A B C D due to notification type NO_PROPOSAL_CHOSEN The ...

Page 316: ...as no corresponding SA use reset ike sa to clear the IKE SA that has no corresponding IKE SA and trigger SA re negotiation ACL configuration error Symptom ACL configuration error results in data flow blockage Analysis When multiple routers create different IPsec tunnels early or late a router may have multiple peers If the router is not configured with ACL rule the peers send packets to it to set ...

Page 317: ...ts multiple algorithms The two parties negotiate algorithms for communication and use the DH key exchange algorithm to generate the same session key and session ID Authentication The SSH server authenticates the client in response to the client s authentication request Session request After passing authentication the client sends a session request to the server Interaction After the server grants ...

Page 318: ...ation stage CAUTION Before the key and algorithm negotiation the server must have already generated a DSA or RSA key pair which is not only used for generating the session key and session ID but is also used by the client to authenticate the identity of the server For more information see Configuring public keys Authentication SSH supports the following authentication methods Password authenticati...

Page 319: ...ter version support password re authentication that is initiated by the router acting as the SSH server Session request After passing authentication the client sends a session request to the server and the server listens to and processes the request from the client If the server successfully processes the request the server sends an SSH_SMSG_SUCCESS packet to the client and goes on to the interact...

Page 320: ...Ns that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log file Figure 104 Network diagram for SSH SFTP connection across VPNs Configuring the router as an SSH server Configuration task list Task Remarks Generating a DSA or RSA key pair Required Enabling the SSH server function Required Configuring user interfaces for SSH clients Required Conf...

Page 321: ... a private key The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key Because SSH2 0 uses the DH algorithm to generate the session key on the SSH server and client no session key transmission is required in SSH2 0 and the server key pair is not used The length of the modulus of RSA server keys and host keys must range f...

Page 322: ...ication mode scheme For a user interface configured to support SSH you cannot change the authentication mode To change the authentication mode first undo the SSH support configuration Configuring a client public key This configuration task is only necessary for SSH users who are using publickey authentication For each SSH user who uses publickey authentication to log in you must configure the clie...

Page 323: ...ng a client public key from a public key file To do Use Remarks 1 Enter system view system view 2 Import the public key from a public key file public key peer keyname import sshkey filename Required For more information see Configuring public keys Configuring an SSH user This configuration allows you to create an SSH user and specify the service type and authentication method An SSH user s service...

Page 324: ...d Remarks 1 Enter system view system view 2 Create an SSH user and specify the service type and authenticati on method For Stelnet users ssh user username service type stelnet authentication type password any password publickey publickey assign publickey keyname Required Use either command For all users or SFTP users ssh user username service type all sftp authentication type password any password...

Page 325: ...ter as an SSH client Configuration task list Task Remarks Specifying a source IP address or interface for the SSH client Optional Configuring first time authentication support Optional Establishing connection between the SSH client and server Required Specifying a source IP address or interface for the SSH client This configuration task allows you to specify a source IP address or interface for th...

Page 326: ...e authentication To do Command Remarks 1 Enter system view system view 2 Enable the router to support first time authentication ssh client first time enable Optional By default first time authentication is supported on a client Disable first time authentication For successful authentication of an SSH client not supporting first time authentication the server host public key must be configured on t...

Page 327: ...mand Remarks Display the source IP address or interface currently set for the SFTP client display sftp client source begin exclude include regular expression Available in any view Display the source IP address or interface information on an SSH client display ssh client source begin exclude include regular expression Available in any view Display SSH server status information or session informatio...

Page 328: ...gure a username and password for the user on the router Figure 105 Router acts as server for password authentication Configuration procedure 1 Configure the SSH server Generate the RSA key pairs Router system view Router public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits o...

Page 329: ...ilege level to 3 Router local user client001 Router luser client001 password simple aabbcc Router luser client001 service type ssh Router luser client001 authorization attribute level 3 Router luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password This step is optional Router ssh user client001 service type stelnet authentication type ...

Page 330: ...authentication server Network requirements As shown in Figure 107 a host the SSH client and a router the SSH server are directly connected through Ethernet interfaces Configure an SSH user on the router so that the host can securely log in to the router after passing publickey authentication Use the RSA public key algorithm Figure 107 Router acts as server for publickey authentication During SSH s...

Page 331: ...t SSH 2 RSA and click Generate Figure 108 Generate a key pair on the client 1 When the generator is generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 109 Otherwise the process bar stops moving and the key pair generating process stops ...

Page 332: ...igure 109 Generate a key pair on the client 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key Figure 110 Generate a key pair on the client 3 ...

Page 333: ...ses as the destination for SSH connection Router interface GigabitEthernet 1 0 1 Router GigabitEthernet1 0 1 ip address 192 168 1 40 255 255 255 0 Router GigabitEthernet1 0 1 quit Set the authentication mode for the user interfaces to AAA Router user interface vty 0 4 Router ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Router ui vty0 4 protocol inbound ssh Set the...

Page 334: ...xe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 112 SSH client configuration interface 1 Select Connection SSH Auth from the navigation tree The following window appears Click Browse to bring up the file selection window navigate to the private key file private ppk and click OK ...

Page 335: ...figuration interface of the server SSH client configuration examples Configuring router to act as password authentication client Network requirements As shown in Figure 114 Router A the SSH client must pass password authentication to log in to Router B the SSH server through the SSH protocol Configure the username client001 and the password aabbcc for the SSH client on Router B Figure 114 Router a...

Page 336: ...ys Enable the SSH server RouterB ssh server enable Configure an IP address for interface GigabitEthernet 1 0 1 which the SSH client uses as the destination for SSH connection RouterB interface GigabitEthernet 1 0 1 RouterB GigabitEthernet1 0 1 ip address 10 165 87 136 255 255 255 0 RouterB GigabitEthernet1 0 1 quit Set the authentication mode for the user interfaces to AAA RouterB user interface v...

Page 337: ...ort first time authentication you must perform the following configurations Disable first time authentication RouterA undo ssh client first time Configure the host public key of the SSH server get the server host public key by using display public key local dsa public on the server RouterA public key peer key1 RouterA pkey public key public key code begin RouterA pkey key code 308201B73082012C0607...

Page 338: ... 136 Press CTRL K to abort Connected to 10 165 87 136 Enter password After you enter the correct username and password log in to Router B successfully Configuring router to act as public key authentication client Network requirements As shown in Figure 115 Router A the SSH client must pass publickey authentication to log in to Router B the SSH server through the SSH protocol Use the DSA public key...

Page 339: ...through FTP or TFTP 2 Configure the SSH server Generate the RSA key pairs RouterB system view RouterB public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Generate a DSA key pair RouterB public key local create dsa The range of pub...

Page 340: ...user privilege level 3 RouterB ui vty0 4 quit Import the peer public key from the file key pub RouterB public key peer Router001 import sshkey key pub Specify the authentication method for user client002 as publickey and assign the public key Router001 to the user RouterB ssh user client002 service type stelnet authentication type publickey assign publickey Router001 3 Establish a connection betwe...

Page 341: ...erver Configuration prerequisites Before you configure this task complete the following tasks Configure the SSH server Use ssh user service type to set the service type of SSH users to sftp or all For more information see Configuring SSH2 0 Enabling the SFTP server This configuration task enables the SFTP service so that a client can log in to the SFTP server through SFTP To enable the SFTP server...

Page 342: ...o use only a specified source IP address or interface to access the SFTP server enhancing the service manageability To specify a source IP address or interface for the SFTP client To do Command Remarks 1 Enter system view system view 2 Specify a source IP address or interface for the SFTP client Specify a source IPv4 address or interface for the SFTP client sftp client source ip ip address interfa...

Page 343: ...mote IPv6 SFTP server and enter SFTP client view sftp ipv6 server port number vpn instance vpn instance name identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Working with SFTP directories SFTP directory operations include Chan...

Page 344: ...ing a file Displaying a list of the files Deleting a file To work with SFTP files To do Command Remarks 1 Enter SFTP client view For more information see Establishing a connection to the SFTP server Required Execute the command in user view 2 Change the name of a specified file on the SFTP server rename old name new name Optional 3 Download a file from the remote server and save it locally get rem...

Page 345: ...r SFTP client view For more information see Establishing a connection to the SFTP server Required Execute the command in user view 2 Terminate the connection to the remote SFTP server and return to user view bye Required Use any of the commands These three commands function in the same way exit quit SFTP client configuration example Network requirements As shown in Figure 116 an SSH connection is ...

Page 346: ...greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Export the host public key to file pubkey RouterA public key local export rsa ssh2 pubkey RouterA quit Then you must transmit the public key file to the server through FTP or TFTP 2 Configure the SFTP server Generate the RSA key pairs RouterB system view RouterB public key l...

Page 347: ...ty 0 4 RouterB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH RouterB ui vty0 4 protocol inbound ssh RouterB ui vty0 4 quit Import the peer public key from the file pubkey RouterB public key peer Router001 import sshkey pubkey For user client001 set the service type as SFTP authentication method as publickey public key as Router001 and working folder as cfa0 RouterB...

Page 348: ...a directory named new1 and check that it has been created successfully sftp client mkdir new1 New directory created sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone ...

Page 349: ...h the remote SFTP server sftp client quit Bye Connection closed RouterA SFTP server configuration example Network requirements As shown in Figure 117 an SSH connection is required between the host and the router The host an SFTP client needs to log in to the router for file management and file transfer Use password authentication and configure the username client002 and the password aabbcc for the...

Page 350: ...of the user interfaces to AAA Router user interface vty 0 4 Router ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Router ui vty0 4 protocol inbound ssh Router ui vty0 4 quit Configure a local user named client002 with the password being aabbcc and the service type being SSH Router local user client002 Router luser client002 password simple aabbcc Router luser client...

Page 351: ...P server Run psftp exe to launch the client interface as shown in Figure 118 and enter the following command open 192 168 1 45 Enter username client002 and password aabbcc as prompted to log in to the SFTP server Figure 118 SFTP client interface ...

Page 352: ...s the key based MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message Figure 119 illustrates how SSL uses a MAC algorithm to verify message integrity With the key the sender uses the MAC algorithm to compute the MAC value of a message Then the sender suffixes the MAC value to the message and sends the result to the receiver The receiver uses t...

Page 353: ... server A session consists of a set of parameters including the session ID peer certificate cipher suite and master secret SSL change cipher spec protocol Used for notification between the client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key SSL alert protocol Enables the SSL client and server to send alert message...

Page 354: ...ptional The defaults are as follows 500 for the maximum number of cached sessions 3600 seconds for the caching timeout time 8 Configure the server to require certificate based SSL client authentication client verify enable Optional By default the SSL server does not require the client to be authenticated 9 Enable SSL client weak authentication client verify weaken Optional Disabled by default This...

Page 355: ...e Optional No PKI domain is configured by default 4 Specify the preferred cipher suite for the SSL client policy prefer cipher rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional rsa_rc4_128_md5 by default 5 Specify the SSL protocol version for the SSL client policy version ssl3 0 tls1 0 Optional TLS 1 0 by default 6 Enable certific...

Page 356: ...ocate the problem If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate request one for it If the server s certificate cannot be trusted install the root certificate of the CA that issues the local certificate to the SSL server on the SSL client or let the server request a certificate from the CA that the SSL client trusts If the SSL server is configu...

Page 357: ...ess translation NOTE For details about address translation and NAT configuration see Layer 3 IP Services Configuration Guide This chapter focuses on ACL based packet filtering firewall and ASPF Packet filtering firewall A packet filtering firewall implements IP packet specific filtering For each IP packet to be forwarded the firewall first obtains the header information of the packet including the...

Page 358: ...n such information determines whether to permit a packet to go through the firewall into the internal network thus defending the internal network against attacks An ASPF supports transport layer protocol information detection namely general TCP and UDP detection It can determine whether to permit a TCP UDP packet to pass through the firewall and get into the internal network based on the packet s ...

Page 359: ... port mapping so that all TCP packets using 8080 as the destination port and 10 110 0 0 16 as the destination network segment are regarded as HTTP packets The hosts can be specified by means of a basic ACL Single channel protocol and multi channel protocol Single channel protocol A single channel protocol establishes only one channel to exchange both control messages and data for a user SMTP and H...

Page 360: ...erent from application layer protocol detection general TCP UDP detection is specific to the transport layer information in the packets such as source and destination addresses and port number General TCP UDP detection requires a full match between the packets returned to the external interface of the ASPF and the packets previously sent out from the external interface of ASPF namely a perfect mat...

Page 361: ...ber Optional permit permit packets to pass the firewall by default IPv6 application To do Command Remarks 1 Enter system view system view 2 Specify the default filtering action of the firewall firewall ipv6 default deny permit Optional permit permit packets to pass the firewall by default Configuring packet filtering on an interface When an ACL is applied to an interface the time range based filte...

Page 362: ...face view interface interface type interface number 3 Configure IPv6 packet filtering on an interface firewall packet filter ipv6 acl6 number name acl6 name inbound outbound Required IPv6 packets are not filtered by default Displaying and maintaining a packet filtering firewall To do Command Remarks View the packet filtering statistics of the IPv4 firewall display firewall statistics all interface...

Page 363: ...ervers and only specific hosts on the internal network are permitted to access external networks Assume that the IP address of a specific external user is 20 3 3 3 Figure 122 Network diagram for packet filtering firewall configuration v WAN FTP server Telnet server WWW server 129 1 1 1 24 129 1 1 2 24 129 1 1 3 24 Internal network Internal host Router GE1 0 1 129 1 1 5 24 S2 1 1 20 1 1 1 16 129 1 ...

Page 364: ...tethernet 1 0 1 Router GigabitEthernet1 0 1 firewall packet filter 3001 inbound Router GigabitEthernet1 0 1 quit Apply ACL 3002 to packets that come in through Serial 2 1 1 Router interface serial 2 1 1 Router Serial2 1 1 firewall packet filter 3002 inbound Configuring an ASPF Configuration task list Task Remarks Enabling the firewall function Required Configuring an ASPF policy Required Applying ...

Page 365: ...sponse packet can pass ASPF when internal network users access the Internet To monitor the traffic through an interface you must apply the configured ASPF policy to that interface Because it is based on interfaces that an ASPF stores and maintains the application layer protocol status make sure that a connection initiation packet and the corresponding return packet are based on the same interface ...

Page 366: ...isplay aspf interface begin exclude include regular expression Available in any view Display the configuration information of a specific ASPF policy display aspf policy aspf policy number begin exclude include regular expression Available in any view Display the port mapping information display port mapping application name port port number begin exclude include regular expression Available in any...

Page 367: ... 3111 quit Create ACL 2001 to block Java applets from site 2 2 2 11 RouterA acl number 2001 RouterA acl basic 2001 rule deny source 2 2 2 11 0 RouterA acl basic 2001 rule permit RouterA acl basic 2001 quit Create an ASPF policy that checks application layer protocols FTP and HTTP and set the idle timeout value for the two protocols to 3000 seconds RouterA aspf policy 1 RouterA aspf policy 1 detect...

Page 368: ...ork with NAT and ASPF to implement the following functions Address translation Resolves the source IP address port protocol type TCP or UDP and remote IP address information in packet payloads Data connection detection Extracts information required for data connection establishment and establishing data connections for data exchange Application layer status checking Inspects the status of the appl...

Page 369: ...ition is taking place correctly If not the request is dropped In this way ALG protects the server against clients that send packets with state machine errors or log into the server with illegal user accounts An authentication request with a correct state is forwarded by the ALG enabled router to the server which authenticates the host according to the information in the packet 3 Establishing a dat...

Page 370: ... through a router with NAT and ALG enabled The company provides FTP services to the outside The inside network segment of the company is 192 168 1 0 24 and the IP address of the FTP server is 192 168 1 2 Configure NAT and ALG to meet the following requirements The host in the outside network can access the FTP server in the inside network The company has four public network addresses which are 5 5...

Page 371: ...of the company is 192 168 1 0 24 Configure NAT and ALG to meet the following requirements SIP UA 1 in the inside network and SIP UA 2 in the outside network can communicate with their aliases The company has four public network addresses which are 5 5 5 1 5 5 5 9 5 5 5 10 and 5 5 5 11 SIP UA 1 selects one from the range 5 5 5 9 to 5 5 5 11 as its public network address when registering with the SI...

Page 372: ... 5 9 as its external IP address and the WINS server uses 5 5 5 10 as its external IP address Figure 127 Network diagram for NBT ALG configuration Configuration procedure Configure a static NAT entry Router system view Router nat static 192 168 1 3 5 5 5 9 Enable ALG for NBT Router alg nbt Configure NAT Router interface gigabitethernet 1 0 2 Router GigabitEthernet1 0 2 nat outbound static Configure...

Page 373: ...rt layer protocol TCP or UDP information and performs unified status maintenance and management of all connections In actual applications session management works together with ASPF to dynamically determine whether a packet can pass the firewall and enter the internal network according to connection status thus preventing intrusion The session management function implements only connection status ...

Page 374: ...ssion early aging Setting the maximum number of sessions allowed to be established Enabling checksum verification Specifying the persistent session rule Clearing sessions manually These tasks are mutually independent and can be configured in any order configure them as required Setting protocol state based session aging times This aging time setting is effective only for the sessions that are bein...

Page 375: ...ith UDP or ESTABLISH with TCP state set the session aging times according to the types of application layer protocols to which the sessions belong CAUTION For a large amount of sessions more than 800 000 do not specify too short of an aging time Otherwise the console might be slow in response To set session aging times based on application layer protocol type To do Command Remarks 1 Enter system v...

Page 376: ... memory resources To set the maximum number of sessions allowed to be established To do Command Remarks 1 Enter system view system view 2 Set the maximum number of sessions allowed to be established on an A6602 router session max entries max entries Required The default maximum value depends on your device model The maximum value here must not exceed the corresponding specification of the router 3...

Page 377: ...S Configuration Guide To specify the persistent session rule To do Command Remarks 1 Enter system view system view 2 Specify the persistent session rule session persist acl acl number aging time time value Required Not specified by default A persistent session rule can reference only one ACL Clearing sessions manually To do Command Remarks Clear sessions On a centralized device reset session sourc...

Page 378: ...me active time value Optional 0 by default which means that the system does not output session logs based on session holdtime threshold 3 Configure the traffic threshold for session logging Set the packet count threshold session log packets active packets value Optional 0 by default which means that the system does not output session logs based on packet count threshold Set the byte count threshol...

Page 379: ...xport source ip ip address Optional IP address of the interface sending UDP packets by default 4 Specify the IP address and UDP port number of the flow log server On a centralized device userlog flow export vpn instance vpn instance name host ip address udp port Required Not specified by default On a distributed device userlog flow export slot slot number vpn instance vpn instance name host ip add...

Page 380: ...on on a centralized device display session relation table begin exclude include regular expression Available in any view Display session relationship table information on a distributed device display session relation table slot slot number begin exclude include regular expression Available in any view Display configuration and statistics about logs on a centralized device display userlog export be...

Page 381: ...ralized device reset userlog flow logbuffer Available in user view Clear flow logs in the buffer on a distributed device reset userlog flow logbuffer slot slot number Available in user view For more information see Network Management and Monitoring Command Reference ...

Page 382: ...omprises a set of connection limit rules which define the valid range and parameters for the policy To create a connection limit policy To do Command Remarks 1 Enter system view system view 2 Create a connection limit policy and enter its view connection limit policy policy number Required Configuring the connection limit policy A connection limit policy contains one or more connection limit rules...

Page 383: ...max num per destination per source per source destination Required Applying the connection limit policy To make a connection limit policy take effect apply it globally To do Command Remarks 1 Enter system view system view 2 Apply a connection limit policy connection limit apply policy policy number Required Only one connection limit policy can be applied globally Displaying and maintaining connect...

Page 384: ...k per source address with the upper connection limit of 100 Router connection limit policy 0 limit 0 source ip 192 168 0 0 24 destination ip any protocol ip max connections 100 per source Configure connection limit rule 1 to limit connections from the external network to the DNS server 192 168 0 3 24 with the upper connection limit of 10 000 Router connection limit policy 0 limit 1 source ip any d...

Page 385: ...he rule with a smaller ID is matched first Rule 0 is used for connections from 192 168 0 100 Solution Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for the host is matched first Connection limit rules with overlapping protocol types Symptom Internal server 192 168 0 100 provides both Web and FTP services for external users On the router create a connection ...

Page 386: ... URL address against the configured filtering entries 3 If a match is found and the filtering action of the matched entry is permit the router forwards the request 4 If a match is found and the filtering action of the matched entry is deny the router drops the web request and sends a TCP reset packet to both the client that sent the request and the server 5 If no match is found the router forwards...

Page 387: ...parameters are transmitted by a method other than GET POST and PUT the router directly forwards the web request If the parameters are transmitted by the method of GET POST or PUT the router obtains the URL parameters from the web request and compares the URL parameters against the configured filtering entries If a match is found the router denies the request Otherwise the router forwards the reque...

Page 388: ...forwarded Otherwise the suffix is replaced with block and then the request is forwarded In addition to the default suffix ocx add ActiveX blocking suffixes that is the filename suffixes to be replaced in web requests through command lines Configuring web filtering IP address supported URL filtering can take effect only after the URL address filtering is enabled URL parameter filtering Java blockin...

Page 389: ...play firewall http url filter host all item keywords verbose begin exclude include regular expression Optional NOTE The source IP addresses specified in the ACL for URL address filtering must be the IP addresses of the websites allowed to be accessed by using their IP addresses Configuring URL parameter filtering To do Command Remarks 1 Enter system view system view 2 Enable the URL parameter filt...

Page 390: ...s the IP addresses of the HTTP servers allowed to be accessed and set the action to permit Configuring ActiveX blocking To do Command Remarks 1 Enter system view system view 2 Enable the ActiveX blocking function firewall http activex blocking enable Required Disabled by default 3 Add an ActiveX blocking suffix keyword firewall http activex blocking suffix keywords Optional 4 Specify an ACL for Ac...

Page 391: ...expression Available in any view Display information about ActiveX blocking display firewall http activex blocking all item keywords verbose begin exclude include regular expression Available in any view Clear web filtering statistics reset firewall http activex blocking java blocking url filter host url filter parameter counter Available in user view Web filtering configuration examples URL addre...

Page 392: ...filtering Router acl number 2000 Router acl basic 2000 rule 0 permit source 3 3 3 3 0 0 0 0 Router acl basic 2000 rule 1 deny source any Router acl basic 2000 quit Specify to allow users to use IP addresses to access websites Router firewall http url filter host ip address deny Router firewall http url filter host acl 2000 After the above configuration open a web browser on a host in the LAN enter...

Page 393: ...0 quit Router nat address group 1 2 2 2 10 2 2 2 11 Router interface gigabitethernet 1 0 1 Router GigabitEthernet1 0 1 nat outbound 2200 address group 1 Router GigabitEthernet1 0 1 quit Enable the URL parameter filtering function and add URL parameter filtering entry group Router firewall http url filter parameter enable Router firewall http url filter parameter keywords group Use display firewall...

Page 394: ...2200 rule 0 permit source 192 168 1 0 0 0 0 255 Router acl basic 2200 rule 1 deny source any Router acl basic 2200 quit Router nat address group 1 2 2 2 10 2 2 2 11 Router interface gigabitethernet 1 0 1 Router GigabitEthernet1 0 1 nat outbound 2200 address group 1 Router GigabitEthernet1 0 1 quit Configure an ACL numbered 2100 for Java blocking Router acl number 2100 Router acl basic 2100 rule 0 ...

Page 395: ... you try to add a URL address filtering entry or URL parameter filtering entry the system prompts you that no more entries can be added When you add a Java blocking or ActiveX blocking suffix keyword the system prompts you that no more keywords can be added Analysis The number of URL address filtering entries URL parameter filtering entries Java blocking suffix keywords or ActiveX blocking suffix ...

Page 396: ...ely or inconsecutively but cannot be used together with an asterisk Stands for any number of valid characters and spaces excluding a dot It can be present once at the beginning or in the middle of a filtering entry It cannot be at the end and cannot be used next to or Table 12 Wildcards for URL parameter filtering entries Wildcard Meaning Usage guidelines Matches parameters starting with the keywo...

Page 397: ...va blocking or ActiveX blocking but it does not work Analysis For URL address filtering Java blocking and ActiveX blocking ACLs permit access to servers in external networks rather than hosts in the internal network This is because the internal network is assumed to be trusted Solution Specify the IP address of the server in the external network as the source IP address in the ACL rule Unable to a...

Page 398: ...ties of junk packets to the network using up the network bandwidth Table 13 lists the single packet attacks that can be prevented by the device Table 13 Types of single packet attacks Single packet attack Description Fraggle An attacker sends large amounts of UDP echo requests with the UDP port number being 7 or Chargen packets with the UDP port number being 19 resulting in a large quantity of jun...

Page 399: ...on WinNuke An attacker sends OOB data with the pointer field values overlapped to the NetBIOS port 139 of a Windows system with an established connection to introduce a NetBIOS fragment overlap causing the system to crash Scanning attack An attacker uses scanning tools to scan host addresses and ports in a network in order to find possible targets and the services enabled on the targets and to fig...

Page 400: ...ogin attempts The maximum number of login failures is six the blacklist entry aging time is 10 minutes and they are not configurable The device also allows you to add and delete blacklist entries manually Blacklist entries added manually can be permanent blacklist entries or non permanent blacklist entries A permanent entry always exists in the blacklist unless you delete it manually configure the...

Page 401: ...led with the TCP proxy function can function as a TCP proxy between TCP clients and servers Upon detecting a SYN flood attack the device can add a protected IP address entry for the attacked server and use the TCP proxy function to inspect and process all subsequent TCP requests destined to the server Working mode TCP proxy can work in two modes Unidirectional proxy Processes only packets from TCP...

Page 402: ...d of time so that the client can establish a TCP connection to the server After the TCP connection is established the TCP proxy forwards the subsequent packets of the connection without any processing Unidirectional proxy mode can satisfy the requirements of most environments Generally servers do not initiate attacks to clients and packets from servers to clients do not have to be inspected by the...

Page 403: ...s through the ingress and egress of the protected servers You must also make sure that all packets that the clients send to the server and all packets that the servers send to the clients pass through the TCP proxy device Configuration task list The attack detection and protection configuration tasks fall into three categories Configuring attack protection functions for an interface To do so you m...

Page 404: ...e an attack protection policy and enter its view In attack protection policy view define one or more signatures used for attack detection and specify the corresponding protection measures When creating an attack protection policy also specify an interface so that the interface uses the policy exclusively To create an attack protection policy To do Command Remarks 1 Enter system view system view 2 ...

Page 405: ...rop single packet attack packets signature detect action drop packet Optional By default the device only outputs alarm logs if detecting a single packet attack Configuring a scanning attack protection policy The scanning attack protection function detects scanning attacks by monitoring the establishment rate of connections to the target systems It is usually applied to interfaces connecting extern...

Page 406: ...n actions as configured by default the device only outputs alarm logs but it can be configured to drop the subsequent connection request packets or to use the TCP proxy as well When the device detects that the packet sending rate to the server drops below the silence threshold it considers that the attack to the server is over turns back to the attack detection state and stops taking the protectio...

Page 407: ...Optional Not specifically configured for an IP address by default 6 Configure the device to drop ICMP flood attack packets defense icmp flood action drop packet Optional By default the device only outputs alarm logs if detecting an attack 3 Configure a UDP flood attack protection policy To do Command Remarks 1 Enter system view system view 2 Enter attack protection policy view attack defense polic...

Page 408: ... for defense syn flood action the device adds a protected IP address entry for the server and starts TCP proxy in the specified mode to inspect and process subsequent TCP connection requests destined to the server To configure the TCP proxy function To do Command Remarks 1 Enter system view system view 2 Set the TCP proxy working mode Unidirectional mode tcp proxy mode unidirection Optional By def...

Page 409: ...ime which is configurable For the configuration of scanning attack protection see Configuring a scanning attack protection policy Enabling traffic statistics on an interface To collect traffic statistics on an interface enable the traffic statistics function on the interface The device supports traffic statistics in the following modes By direction inbound or outbound Collect statistics on packets...

Page 410: ...ce number inbound outbound begin exclude include regular expression Available in any view Display the interface traffic statistics based on IP addresses on a centralized device display flow statistics statistics destination ip dest ip address source ip src ip address vpn instance vpn instance name begin exclude include regular expression Available in any view Display the interface traffic statisti...

Page 411: ...nable the blacklist function for scanning attack protection and set the connection rate threshold that triggers the scanning attack protection to 4500 connections per second On GigabitEthernet 1 0 3 configure SYN flood attack protection so that the device drops subsequent SYN packets when the SYN packet sending rate to a server constantly reaches or exceeds 5000 packets per second and permits SYN ...

Page 412: ...Apply policy 2 to GigabitEthernet 1 0 3 Router interface gigabitethernet 1 0 3 Router GigabitEthernet1 0 3 attack defense apply policy 2 Router GigabitEthernet1 0 3 quit Verify the configuration After the configuration view the contents of attack protection policy 1 and 2 by using display attack defense policy If Smurf attack packets are received on GigabitEthernet 1 0 2 the device should output a...

Page 413: ...list information Blacklist enabled Blacklist items 2 IP Type Aging started Aging finished Dropped packets YYYY MM DD hh mm ss YYYY MM DD hh mm ss 5 5 5 5 manual 2008 04 09 16 02 20 Never 0 192 168 1 4 manual 2008 04 09 16 02 26 2008 04 09 16 52 26 0 After the configuration takes effect the router should do the following Always drop packets from Host D unless you delete Host D s IP address from the...

Page 414: ...tethernet 1 0 1 Router GigabitEthernet1 0 1 attack defense apply policy 1 Enable the traffic statistics function in the outbound direction of GigabitEthernet 1 0 1 Router GigabitEthernet1 0 1 flow statistic enable outbound Enable traffic statistics based on destination IP address Router GigabitEthernet1 0 1 flow statistic enable destination ip Verify the configuration If you suspect that the serve...

Page 415: ...ate 0 s The output shows that on GigabitEthernet 1 0 1 there is a large number of UDP packets destined for 10 1 1 2 and the session establishment rate has exceeded the specified threshold Therefore determine that the server is under a UDP flood attack Use display attack defense statistics to view the related statistics collected after the UDP flood protection function takes effect Configuring TCP ...

Page 416: ...e gigabitethernet 1 0 2 Router GigabitEthernet1 0 2 attack defense apply policy 1 Router GigabitEthernet1 0 2 quit Set the TCP proxy working mode to bidirectional Router undo tcp proxy mode unidirection Enable TCP proxy on GigabitEthernet 1 0 1 Router interface gigabitethernet 1 0 1 Router GigabitEthernet1 0 1 tcp proxy enable Router GigabitEthernet1 0 1 quit Verify the configuration When a SYN fl...

Page 417: ...y never make any response to SYN ACK messages As a result a large number of incomplete TCP connections are established resulting in heavy resource consumption and making the server unable to handle services normally The SYN Cookie feature can prevent SYN Flood attacks After receiving a TCP connection request the server directly returns a SYN ACK message instead of establishing an incomplete TCP co...

Page 418: ...ate exceeds the maximum number it considers that a Naptha attack occurs and it accelerates the aging of TCP connections in this state The device stops accelerating the aging of TCP connections when the number of TCP connections in the state is less than 80 of the maximum number 1 at least To enable protection against Naptha attack To do Command Remarks 1 Enter system view system view 2 Enable the ...

Page 419: ...hem up in the binding entries of the IP source guard If there is a match the port forwards the packet Otherwise the port discards the packet as shown in Figure 140 IP source guard binding entries are on a per port basis After a binding entry is configured on a port it is effective only on the port Figure 140 Diagram for the IP source guard function IP network Illegal host Legal host Enable the IP ...

Page 420: ...ynamic IPv4 source guard binding generates IPv4 source guard binding entries dynamically based on DHCP snooping or DHCP relay entries to filter IPv4 packets received on a port Dynamic IPv6 source guard binding generates IPv6 source guard binding entries dynamically based on DHCPv6 snooping or ND snooping entries to filter IPv6 packets received on a port NOTE For information about DHCP snooping and...

Page 421: ...relay where the MAC address IP address or VLAN tag information may not be included depending on your configuration IP source guard applies these entries to the port to filter packets To configure the dynamic IPv4 source guard binding function To do Command Remarks 1 Enter system view system view 2 Enter interface view interface interface type interface number 3 Configure the dynamic IPv4 source gu...

Page 422: ... of Router A only IP packets from Host C can pass On port GigabitEthernet 1 0 1 of Router A only IP packets from Host A can pass On port GigabitEthernet 1 0 2 of Router B only IP packets from Host A can pass On port GigabitEthernet 1 0 1 of Router B only IP packets sourced from 192 168 0 2 24 can pass Host B can communicate with Host A by using this IP address even if it uses another NIC Figure 14...

Page 423: ...display information about static IPv4 source guard binding entries The output shows that the static IPv4 source guard binding entries are configured successfully RouterA display user bind Total entries found 2 MAC Address IP Address VLAN Interface Type 0001 0203 0405 192 168 0 3 N A GE1 0 2 Static 0001 0203 0406 192 168 0 1 N A GE1 0 1 Static On Router B display information about static IPv4 sourc...

Page 424: ...ynamic IPv4 source guard binding function on port GigabitEthernet 1 0 1 to filter packets based on both the source IP address and MAC address Router interface gigabitethernet 1 0 1 Router GigabitEthernet1 0 1 ip check source ip address mac address Router GigabitEthernet1 0 1 quit Verification Display the dynamic IPv4 source guard binding entries generated on port GigabitEthernet 1 0 1 Router displ...

Page 425: ... binding by DHCP relay Configuration procedure 1 Configure the dynamic IPv4 source guard binding function Configure IP addresses for the interfaces Omitted Configure the dynamic IPv4 source guard binding function on VLAN interface 100 to filter packets based on both the source IP address and MAC address Router system view Router vlan 100 Router Vlan100 quit Router interface vlan interface 100 Rout...

Page 426: ...nterface Type 0001 0203 0406 192 168 0 1 100 Vlan100 DHCP RLY Troubleshooting IP source guard Binding entries and function cannot be configured Symptom Failed to configure static binding entries or the dynamic binding function on a port Analysis IP source guard is not supported on a port in an aggregation group Solution Remove the port from the aggregation group ...

Page 427: ...ent such attacks This chapter mainly introduces these features Configuration task list Task Remarks Flood prevention Configuring ARP defense against IP packet attacks Configuring ARP source suppression Optional Configure this function on gateways recommended Enabling ARP black hole routing Optional Configure this function on gateways recommended Configuring ARP active acknowledgement Optional Conf...

Page 428: ...dresses enable the ARP black hole routing function After receiving an IP packet whose destination IP address cannot be resolved by ARP the device with this function enabled immediately creates a black hole route and simply drops all packets matching the route during the aging time of the black hole route Configuring ARP source suppression To do Command Remarks 1 Enter system view system view 2 Ena...

Page 429: ...have the same source address enable the ARP source suppression function with the following steps 1 Enable ARP source suppression 2 Set the threshold for ARP packets from the same source address to 100 If the number of ARP requests sourced from the same IP address in 5 seconds exceeds 100 the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the f...

Page 430: ...nfigure ARP packet rate limit in system view To do Command Remarks 1 Enter system view system view 2 Configure ARP packet rate limit for centralized devices arp rate limit disable rate pps drop Required Enabled by default The ARP packet rate ranges from 5 to 8192 pps 3 Configure ARP packet rate limit for distributed devices arp rate limit disable rate pps drop slot slot number Required Enabled by ...

Page 431: ...DHCP clients address leases on the DHCP server or dynamic bindings on the DHCP relay agent After it is enabled with authorized ARP an interface starts the ARP entry aging detection to detect unusual logout of users It is disabled from learning dynamic ARP entries to prevent attacks from unauthorized clients that send packets using other clients IP or MAC addresses and allows only authorized client...

Page 432: ...er A acts as a DHCP server with an IP address pool of 10 1 1 0 24 Enable authorized ARP on GigabitEthernet1 0 1 of Router A to start aging detection Router B is a DHCP client that obtains an IP address of 10 1 1 2 24 from the DHCP server Figure 145 Network diagram for authorized ARP configuration Configuration procedure 1 Configure Router A Configure the IP address of GigabitEthernet1 0 1 RouterA ...

Page 433: ... A From the output see that an IP address of 10 1 1 2 has been assigned to Router B After that Router B must use the IP address and MAC address that are consistent with those in the authorized ARP entry to communicate with Router A Otherwise the communication fails Thus the client validity is ensured If Router B fails Router A deletes the authorized ARP entry associated with Router B after the agi...

Page 434: ...erB GigabitEthernet1 0 1 ip address 10 1 1 2 24 RouterB GigabitEthernet1 0 1 quit RouterB interface gigabitethernet1 0 2 RouterB GigabitEthernet1 0 2 ip address 10 10 1 1 24 Enable DHCP relay agent on GigabitEthernet1 0 2 RouterB GigabitEthernet1 0 2 dhcp select relay RouterB GigabitEthernet1 0 2 quit Add the DHCP server 10 1 1 1 to DHCP server group 1 RouterB dhcp relay server group 1 ip 10 1 1 1...

Page 435: ...ized clients to be forwarded and to prevent user spoofing and gateway spoofing ARP detection includes ARP detection based on specified objects ARP detection based on static IP source guard binding entries DHCP snooping entries 802 1X security entries OUI MAC addresses and ARP restricted forwarding NOTE If both the ARP detection based on specified objects and the ARP detection based on static IP So...

Page 436: ...mpares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP Source Guard binding entries DHCP snooping entries 802 1X security entries or OUI MAC addresses to prevent spoofing After you enable this feature for a VLAN 1 Upon receiving an ARP packet from an ARP untrusted port the device compares the sender IP and MAC addresses of the ARP packet against the st...

Page 437: ...ted port by default NOTE When configuring this feature you must configure ARP detection based on at least static IP source guard binding entries DHCP snooping entries or 802 1X security entries Otherwise all ARP packets received from an ARP untrusted port are discarded except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled When configuring an IP source ...

Page 438: ...vailable in any view Clear the ARP detection statistics reset arp detection statistics interface interface type interface number Available in user view ARP detection with DHCP snooping configuration example Network requirements As shown in Figure 147 configure Router A as a DHCP server and enable DHCP snooping on Router B Configure Host A as a DHCP client Configure Host B whose IP address is 10 1 ...

Page 439: ...pstream port as a trusted port and the downstream ports as untrusted ports a port is an untrusted port by default RouterB vlan10 interface gigabitethernet1 0 3 RouterB GigabitEthernet1 0 3 arp detection trust RouterB GigabitEthernet1 0 3 quit Configure a static IP source guard binding entry on interface GigabitEthernet1 0 2 RouterB interface gigabitethernet1 0 2 RouterB GigabitEthernet1 0 2 user b...

Page 440: ...AN interface 10 on Router A Omitted 2 Configure Router A as a DHCP server Configure DHCP address pool 0 RouterA system view RouterA dhcp enable RouterA dhcp server ip pool 0 RouterA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 3 Configure Host A and Host B as 802 1X clients the configuration procedure is omitted and configure them to upload IP addresses for ARP detection 4 Configure Router B En...

Page 441: ...rnet1 0 2 they are checked against 802 1X security entries ARP restricted forwarding configuration example Network requirements As shown in Figure 149 Router A acts as a DHCP server Host A acts as a DHCP client Host B s IP address is 10 1 1 6 and its MAC address is 0001 0203 0607 Port isolation configured on Router B isolates the two hosts at Layer 2 which can communicate with the gateway Router A...

Page 442: ...detection trust RouterB GigabitEthernet1 0 3 quit Configure a static IP source guard entry on interface GigabitEthernet1 0 2 RouterB interface gigabitethernet1 0 2 RouterB GigabitEthernet1 0 2 user bind ip address 10 1 1 6 mac address 0001 0203 0607 vlan 10 RouterB GigabitEthernet1 0 2 quit Enable the checking of the MAC addresses and IP addresses of ARP packets RouterB arp detection validate dst ...

Page 443: ...ce sends ARP requests to the neighbors obtains their MAC addresses and creates dynamic ARP entries Fixed ARP allows the device to change the existing dynamic ARP entries including those generated through ARP automatic scanning into static ARP entries The fixed ARP feature effectively prevents ARP entries from being modified by attackers NOTE HP recommends that you use ARP automatic scanning and fi...

Page 444: ...ay protection The ARP gateway protection feature if configured on ports not connected with the gateway can block gateway spoofing attacks When such a port receives an ARP packet it checks whether the sender IP address in the packet is consistent with that of any protected gateway If it is it discards the packet If it is not it handles the packet normally Configuration procedure To do Command Remar...

Page 445: ...ose source IP address is that of the gateway Configuring ARP filtering To prevent gateway spoofing and user spoofing the ARP filtering feature controls the forwarding of ARP packets on a port The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries If a match is found the packet is handled normally If not the packet is discarded Configuratio...

Page 446: ...ackets only Figure 151 Network diagram for ARP filtering configuration Configuration procedure Configure ARP filtering on Router B RouterB system view RouterB interface gigabitethernet1 0 1 RouterB GigabitEthernet1 0 1 arp filter binding 10 1 1 2 000f e349 1233 RouterB GigabitEthernet1 0 1 quit RouterB interface gigabitethernet1 0 2 RouterB GigabitEthernet1 0 2 arp filter binding 10 1 1 3 000f e34...

Page 447: ...ends forged NS NA RS packets with the IPv6 address of a victim host The gateway and other hosts update the ND entry for the victim host with incorrect address information As a result all packets intended for the victim host are sent to the attacking host rather than the victim host Sends forged RA packets with the IPv6 address of a victim gateway As a result all hosts attached to the victim gatewa...

Page 448: ... carry different source MAC addresses in the Ethernet frame header and the source link layer address option CAUTION If VRRP is used disable source MAC consistency check for ND packets to prevent incorrect dropping of packets With VRRP the NA message always conveys a MAC address different than the Source Link Layer Address option To enable source MAC consistency check for ND packets To do Command R...

Page 449: ... check and default route check URPF works as follows 1 URPF checks the source address validity and then does the following Discards packets with a broadcast address as the source Discards packets with an all zero source address but a non broadcast destination address A packet with source address 0 0 0 0 and destination address 255 255 255 255 might be a DHCP or BOOTP packet and it is not discarded...

Page 450: ...er system view system view 2 Enter interface view interface interface type interface number 3 Enable URPF check on the interface ip urpf loose strict allow default route acl acl number Required Disabled by default NOTE URPF only checks packets arriving at the interface After configuring the URPF check on an interface use display ip interface to view statistics of packets discarded by URPF displaye...

Page 451: ...ernet1 0 1 RouterB GigabitEthernet1 0 1 ip address 1 1 1 2 255 255 255 0 Enable strict URPF check on GigabitEthernet1 0 1 RouterB GigabitEthernet1 0 1 ip urpf strict acl 2010 2 Configure Router A Specify the IP address of GigabitEthernet1 0 1 RouterA system view RouterA interface GigabitEthernet1 0 1 RouterA GigabitEthernet1 0 1 ip address 1 1 1 1 255 255 255 0 Enable strict URPF check on GigabitE...

Page 452: ...l certificates Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs Enabling FIPS mode After enabling FIPS mode you must restart the device to validate the configuration To do Command Remarks 1 Enter system view system view 2 Enable FIPS mode fips mode enable Required Not enabled by default Settings changed by enabling FIPS mode After you enable FIPS mod...

Page 453: ...cal the known answer test fails Power up self tests fall into the following types Table 14 List of power up self tests Type Operations Cryptographic algorithm self tests Test the following algorithms DSA signature and authentication RSA signature and authentication RSA encryption and decryption AES 3DES SHA1 HMAC SHA1 Random number generator algorithms Cryptographic engine self tests Test the foll...

Page 454: ... random number is generated If two consecutive random numbers are different the test succeeds Otherwise the test fails This test is also run when a DSA RSA asymmetrical key pair is generated Triggered self test To verify whether the password algorithm modules operate normally use this command to trigger a self test on the password algorithms The triggered self test is the same as the automatic sel...

Page 455: ... wwalerts After registering you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking categ...

Page 456: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Page 457: ...ting capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device ...

Page 458: ...nabling quiet timer 89 enabling security entry detection ARP attack protection 424 enabling the proxy detection function 87 enabling unicast trigger function 88 fundamentals 72 guest VLAN 80 initiating authentication 75 maintaining 92 Message Authenticator attribute 75 performing authentication port security 175 performing combined MAC and 802 1X authentication port security 176 port authorization...

Page 459: ...king web filtering 376 assignment 802 1X 81 assignment MAC authentication 105 assignment of authorized ACLs 120 configuring IPV4 packet filtering on interface 350 configuring IPV6 packet filtering on interface 350 configuring packet filtering on interface 349 configuring port mapping 353 configuring with assignment 802 1X 97 data flow protection modes 252 enabling check of de encapsulated IPsec pa...

Page 460: ...st IP packet attack 416 417 configuring authorized ARP 419 configuring automatic scanning 431 configuring detection 423 configuring filtering 433 434 configuring fixed ARP 431 configuring gateway protection 432 configuring packet rate limit 418 configuring source MAC address consistency check 418 configuring source suppression 416 configuring specified object detection 423 detection with 802 1X su...

Page 461: ...nning protection policy 393 configuring single packet protection policy 393 configuring TCP proxy 396 creating protection policy 392 detection configuration 386 391 399 displaying detection 398 displaying protection 398 enabling black hole routing ARP attack protection 416 enabling Naptha attack protection 406 enabling traffic statistics on interface 397 flood attack 387 maintaining detection 398 ...

Page 462: ...DIUS 2 Message Authenticator attribute 802 1X 75 modes portal 117 port security mode 174 portal configuration 115 139 portal support for EAP 118 portal support for EAP process 122 portal system components 115 procedures 802 1X 76 RADIUS server for SSH Telnet user AAA 50 re DHCP authentication process 121 re DHCP portal configuration 144 re DHCP portal with extended functions configuration 150 sett...

Page 463: ... web filtering 378 configuring Java blocking web filtering 378 CA configuring access control policy 229 configuring certificate attribute based access control policy 240 configuring PKI certificate request RSA Keon 230 configuring PKI certificate request Windows 2003 Server 234 deleting certificate 229 PKI 220 policy 219 troubleshooting failure to retrieve certificate 241 CAR parameters RADIUS 31 ...

Page 464: ...etection DHCP snooping 426 ARP detection with 802 1X support 428 ASPF 352 354 ASPF policy 353 attack detection 386 391 399 attack protection 386 391 399 attack protection functions for interface 392 attack protection functions on interfaces 399 attack protection policy 392 authentication 802 1X 92 authentication source subnet 129 Auth Fail VLAN 802 1X 80 91 authorized ARP 419 authorized ARP on DHC...

Page 465: ...source guard 407 410 IPsec 243 248 270 IPsec anti replay function 260 IPsec for IPv6 routing protocols 269 IPsec for RIPng 279 IPsec policy 253 IPsec policy IKE 256 IPsec policy manual 253 IPsec profile 264 IPsec proposal 252 IPsec RRI 262 283 IPsec tunnel interface 265 IPsec with tunnel interface 275 IPv4 firewall default filtering action 349 IPv4 packet filtering on interface 350 IPv4 source gua...

Page 466: ...ication with extended functions 150 redirect URL EAD fast deployment 100 remote host public key 213 router as client SFTP 330 333 router as client SSH2 0 313 router as RADIUS server 48 router as server SFTP 329 337 router as SSH server SSH2 0 308 router to act as password authentication client SSH2 0 323 router to act as password authentication server SSH2 0 316 router to act as public key authent...

Page 467: ...ic key pair 212 scheme HWTACACS 34 scheme RADIUS 21 user profile 195 CRL configuring CRL checking disabled certificate verification 228 configuring CRL checking enabled certificate verification 227 PKI 219 troubleshooting failure to retrieve CRLs 242 cross subnet authentication mode portal 117 120 cryptography FIPS configuration 440 data authentication IKE 286 transmission public key 211 215 delet...

Page 468: ... with DHCP snooping configuration 426 authentication modes portal 117 authorized ARP on DHCP relay agent configuration 421 authorized ARP on DHCP server configuration 420 IPv4 source guard dynamic binding by DHCP relay configuration 413 IPv4 source guard dynamic binding by DHCP snooping configuration 411 Layer 3 portal authentication process 120 re DHCP authentication process 121 digital certifica...

Page 469: ...ast deployment 99 configuring redirect URL EAD fast deployment 100 displaying fast deployment 100 fast deployment configuration 99 100 free IP 99 implementing fast deployment 99 setting rule timer EAD fast deployment 100 troubleshooting fast deployment 103 URL redirection 99 users not correctly redirected fast deployment troubleshooting 103 EAP message attribute 802 1X 74 Message Authenticator att...

Page 470: ...lation mode IPsec 244 encryption algorithm IPsec 244 enabling encryption engine 259 FIPS configuration 440 public key configuration 211 215 SSH2 0 client configuration 323 SSH2 0 configuration 305 SSH2 0 router acts as password authentication client configuration 323 SSH2 0 router acts as password authentication server configuration 316 SSH2 0 router acts as public key authentication server config...

Page 471: ... configuration 345 configuring ASPF 352 354 configuring ASPF policy 353 configuring default filtering action 349 configuring IPv4 default filtering action 349 configuring IPv4 packet filtering on interface 350 configuring IPv6 default filtering action 349 configuring IPv6 packet filtering on interface 350 configuring packet filtering firewall 348 351 configuring packet filtering on interface 349 c...

Page 472: ...1 setting packet shared keys 36 setting timer to control server communication 38 setting traffic statistics units 37 setting username format 37 specifying accounting server 35 specifying authentication server 34 specifying authorization server 35 specifying server s VPN 37 specifying source IP address for outgoing packets 38 troubleshooting 71 ICMP attack protection configuration 405 displaying at...

Page 473: ...curity 173 180 invalid troubleshooting invalid blocking suffix web filtering 385 troubleshooting invalid characters web filtering 383 troubleshooting invalid use of wildcard web filtering 384 user ID IKE 303 IP configuring defense against packet attack ARP attack protection 416 417 configuring IP address based connection limit rule 370 EAD free IP 99 packet filtering firewall 345 source guard See ...

Page 474: ... 269 enabling ACL check of de encapsulated packet 260 enabling encryption engine 259 enabling invalid SPI recovery 261 enabling packet information pre extraction 268 encryption algorithm 244 establishing tunnel in manual mode 270 establishing tunnel through IKE negotiation 272 IKE configuration 286 288 294 IKE functions 287 implementation 243 implementing ACL based IPsec 248 implementing tunnel in...

Page 475: ...AA 40 cross subnet across VPNs portal authentication configuration 169 cross subnet portal authentication configuration 146 cross subnet portal authentication with extended functions configuration 152 direct portal authentication configuration 139 direct portal authentication with extended functions configuration 148 enabling Layer 3 portal authentication 128 enabling portal authentication 127 ext...

Page 476: ...er 123 specifying portal server for authentication 127 URPF configuration 437 438 link portal stateful failover 154 local user AAA 16 log export session logging 366 logging configuring session log export 366 configuring session logging 365 enabling session logging 365 logging off portal users 138 setting session logging thresholds 366 MAC address See MAC address authentication See MAC authenticati...

Page 477: ...agement 368 web filtering 379 manual SA setup mode IPsec 245 manuals 443 mapping configuring port mapping 353 general port mapping ASPF 347 host port mapping ASPF 347 MD5 authentication algorithm IPsec 244 settings changed by enabling FIPS 440 mechanism SSL 340 message exchange process HWTACACS 8 exchange process RADIUS 3 ND attack defense configuration 435 specifying EAP handling method 83 method...

Page 478: ...ck defense configuration 435 enabling source MAC consistency check for packet 436 need to know NTK 173 network 802 1X architecture 72 AAA across MPLS L3VPNs 10 access device portal 116 authentication client portal 116 authentication accounting server portal 116 configuring an authentication source subnet 129 configuring RADIUS related attributes 131 EAD fast deployment configuration 99 100 EAD fre...

Page 479: ...iguration 421 authorized ARP on DHCP server configuration 420 configuring MAC authentication 104 106 108 connection limit configuration 370 371 cross subnet across VPNs portal authentication configuration 169 cross subnet portal authentication configuration 146 cross subnet portal authentication with extended functions configuration 152 direct portal authentication configuration 139 direct portal ...

Page 480: ...SSH2 0 server configuration 316 SSL configuration 340 static IPv4 source guard binding entry configuration 410 TCP attack protection configuration 405 TCP proxy configuration 403 traffic statistics configuration 401 URPF configuration 437 438 user profile configuration 195 VLAN assignment configuration 802 1X 94 web filtering configuration 374 376 379 NTK port security 179 object detection ARP att...

Page 481: ...tion 359 specifying source IP address for outgoing portal packets 132 static IPv4 source guard binding entry configuration 410 PAM ASPF 347 parameter configuring parameter filtering 381 configuring URL filtering 377 setting global password control parameters 201 setting local user password control parameters 202 setting local user password in interactive mode 203 setting management parameter SSH2 ...

Page 482: ...ASPF policy to interface 353 applying attack protection policy on interface 396 applying connection limit policy 371 applying IPsec group interface 259 applying QoS policy to IPsec tunnel interface 268 CA PKI 219 configuring ASPF policy 353 configuring attack protection policy 392 configuring certificate attribute based access control policy 240 configuring connection limit policy 370 configuring ...

Page 483: ...ures 179 controlling MAC address learning 175 displaying 183 enabling 177 enabling port security 177 enabling trap 181 features 173 guest VLAN support 176 ignoring RADIUS server authorization information 182 intrusion protection 173 IP source guard configuration 407 410 IPv4 source guard dynamic binding by DHCP relay configuration 413 IPv4 source guard dynamic binding by DHCP snooping configuratio...

Page 484: ...ying server 127 specifying server for Layer 3 authentication 127 specifying source IP address for outgoing packets 132 specifying user authentication domain 130 stateful failover 123 support for EAP 118 support for EAP authentication process 122 system components 115 troubleshooting 171 user information synchronization configuration 163 PPP HWTACACS server 55 pre extraction IPsec packet informatio...

Page 485: ...ation 146 configuring cross subnet portal authentication with extended functions 152 configuring defense against IP packet attack ARP attack protection 416 417 configuring detection ARP attack protection 423 configuring direct portal authentication 139 configuring direct portal authentication with extended functions 148 configuring DPD detector IKE 293 configuring dynamic IPv4 source guard functio...

Page 486: ...asymmetric key pair on local device public key 212 configuring local MAC authentication 108 configuring local security gateway name IKE 289 configuring local user AAA 16 configuring local user attributes AAA 17 configuring MAC authentication 104 106 108 configuring MAC authentication globally 106 configuring MAC authentication on a port 107 configuring macAddressElseUserLoginSecure port security 1...

Page 487: ...ing source MAC address consistency check 418 configuring source suppression ARP attack protection 416 configuring specified object detection ARP attack protection 423 configuring SSL client policy 343 configuring SSL server policy 341 configuring static IPv4 source guard binding entry 408 410 configuring TCP proxy 396 403 configuring traffic statistics 401 configuring URL address filtering 376 379...

Page 488: ...IPS mode 440 enabling firewall function 348 352 enabling invalid SPI recovery IPsec 261 enabling IPv4 firewall function 348 enabling IPv6 firewall function 349 enabling Layer 3 portal authentication 128 enabling multicast trigger function 802 1X 88 enabling Naptha attack protection 406 enabling OUI MAC address detection ARP attack protection 424 enabling packet information pre extraction on IPsec ...

Page 489: ...lication layer protocol type based session aging times 363 setting global password control parameters 201 setting IKE NAT keepalive timer 293 setting keepalive timer 292 setting local user password control parameters 202 setting local user password in interactive mode 203 setting management parameter SSH2 0 312 setting max number of authentication request attempts 802 1X 85 setting max number of c...

Page 490: ...outgoing portal packets 132 specifying source IP address interface for client SSH2 0 313 specifying the server s VPN RADIUS 24 specifying user authentication domain MAC authentication 107 specifying user authentication domain portal 130 submitting PKI certificate request 225 submitting PKI certificate request auto mode 225 submitting PKI certificate request manual mode 225 tearing down user connec...

Page 491: ...A certificate request configuration Windows 2003 Server 234 PKI configuration 219 230 QoS applying policy to IPsec tunnel interface 268 configuring ACL 249 configuring packet information pre extraction 261 quiet timer 802 1X 89 MAC authentication 105 RA PKI 220 RADIUS AAA for portal users by a RADIUS server 62 attribute 11 authentication mechanism 2 client server model 2 configuring accounting on ...

Page 492: ...anually 226 RIPng IPsec configuration 279 routing 802 1X configuration 92 AAA configuration 50 ARP attack protection configuration 415 ARP attack protection restricted forwarding configuration 429 ARP detection with 802 1X support configuration 428 ARP detection with DHCP snooping configuration 426 configuring as RADIUS server 48 configuring IPsec for IPv6 routing protocols 269 configuring IPsec R...

Page 493: ...setup mode IPsec 245 scanning attack 387 scheme configuring AAA 16 configuring HWTACACS 33 creating RADIUS 21 secure email PKI 221 file transfer protocol See SFTP mode port security MAC address learning 175 shell See SSH security AAA configuration 1 attack detection configuration 386 391 399 attack protection configuration 386 391 399 autoLearn configuration 183 check function portal 115 configuri...

Page 494: ...oubleshooting 171 incorrect port number on access device portal troubleshooting 172 portal 116 portal server detection configuration 163 portal system components 115 portal user information synchronization configuration 163 RADIUS model 2 RADIUS server authentication authorization for SSH Telnet user AAA 50 security policy portal 116 setting status RADIUS 25 setting supported type RADIUS 24 settin...

Page 495: ...ng times 362 rule timer EAD fast deployment 100 security mode port security 178 server status RADIUS 25 session logging thresholds 366 settings changed by enabling FIPS mode 440 super password control parameters 203 supported server type RADIUS 24 timer to control server communication HWTACACS 38 timer to control server communication RADIUS 29 traffic statistics units 26 user group password contro...

Page 496: ...t public key manually 311 configuring client user interface 310 configuring first time authentication support 314 configuring router as client 313 configuring router as SSH server 308 configuring router to act as password authentication client 323 configuring router to act as password authentication server 316 configuring router to act as public key authentication server 318 configuring router to ...

Page 497: ... 405 TCP attack protection configuration 405 configuring port mapping 353 configuring proxy 396 403 displaying attack protection 406 enabling Naptha attack protection 406 enabling SYN cookie feature 405 proxy 389 SSL configuration 340 SSL protocol stack 341 tearing down user connection AAA 47 Telnet level switching authentication for Telnet user RADIUS 57 settings changed by enabling FIPS 440 term...

Page 498: ...t server port number on access device 172 invalid blocking suffix 385 invalid characters present in configured parameter 383 invalid use of wildcard 384 invalid user ID IKE 303 IP source guard 414 packets cannot reach server RADIUS 70 PKI 241 port security 193 portal 171 proposal mismatch IKE 303 RADIUS 70 SSL 344 SSL handshake failure 344 unable to access the HTTP server by IP address 385 user ac...

Page 499: ...erver PPP user AAA 55 configuring group attributes AAA 20 configuring local AAA 16 configuring local attributes AAA 17 configuring portal user information synchronization 137 configuring RADIUS user 48 controlling portal access 128 cross subnet across VPNs portal authentication configuration 169 cross subnet portal authentication configuration 146 cross subnet portal authentication with extended f...

Page 500: ... support configuration 428 ARP detection with DHCP snooping configuration 426 assignment 802 1X 79 assignment MAC authentication 105 Auth Fail 802 1X 80 Auth Fail VLAN support port security 176 configuring assignment 802 1X 94 configuring Auth Fail VLAN 802 1X 91 configuring guest VLAN 802 1X 90 94 configuring NAS ID VLAN binding AAA 47 configuring secure MAC addresses port security 181 enabling 8...

Page 501: ...ng off portal users 138 portal configuration 115 139 portal server detection configuration 163 portal system components 115 portal user information synchronization configuration 163 re DHCP portal authentication configuration 144 re DHCP portal authentication with extended functions configuration 150 security PKI 221 setting max number of online portal users 130 specifying auto redirect URL portal...