HP Moonshot 45Gc, Moonshot 45XGc, 786619-B21, Moonshot 180XGc, 786617-B21 Security Configuration Manual

...

HPE Moonshot 45Gc/45XGc/180XGc Switch Module

Security Configuration Guide

Part number: 859335-002 Software version: Release 242x Document version: 6W100-20160201

Enterprise products and services are set forth in the express warranty statements acco mpanying such products and services. Nothing herein should be construe d as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions co ntained herein.

Confidential computer software. V alid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and T e chnical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.

Microsoft® and Windows® are trademarks of the Microsoft group of companies. Adobe® and Acrobat® are trademarks of Adobe Systems In corporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates. UNIX® is a registered trademark of The Open Group.

Configuring AAA ····························································································· 1

RADIUS ······················································································································································ 2 HWTACACS ··············································································································································· 6 LDAP ·························································································································································· 9 AAA implementation on the device ·········································································································· 11 AAA for MPLS L3VPNs ···························································································································· 13 Protocols and standards ·························································································································· 13

RADIUS attributes ···································································································································· 14 FIPS compliance ·············································································································································· 16 AAA configuration considerations and task list ································································································ 17 Configuring AAA schemes ······························································································································· 18

Configuring local users ····························································································································· 18

Configuring RADIUS schemes ················································································································· 22

Configuring HWTACACS schemes ·········································································································· 33

Configuring LDAP schemes ····················································································································· 40 Configuring AAA methods for ISP domains ····································································································· 43

Configuration prerequisites ······················································································································ 43

Creating an ISP domain ··························································································································· 43

Configuring ISP domain attributes ··········································································································· 43

Configuring authentication methods for an ISP domain ··········································································· 44

Configuring authorization methods for an ISP domain ············································································· 45

Configuring accounting methods for an ISP domain ················································································ 46 Enabling the session-control feature ················································································································ 47 Configuring the RADIUS DAE server feature ·································································································· 48 Setting the maximum number of concurrent login users ·················································································· 48 Configuring a NAS-ID profile ···························································································································· 49 Displaying and maintaining AAA ······················································································································ 49 AAA configuration examples ···························································································································· 50

AAA for SSH users by an HWTACACS server ························································································ 50

Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ····················· 51

Authentication and authorization for SSH users by a RADIUS server ····················································· 53

Authentication for SSH users by an LDAP server ···················································································· 56 Troubleshooting RADIUS ································································································································· 61

RADIUS authentication failure ················································································································· 61

RADIUS packet delivery failure ················································································································ 61

RADIUS accounting error ························································································································· 62 Troubleshooting HWTACACS ·························································································································· 62 Troubleshooting LDAP ····································································································································· 62

802.1X overview ··························································································· 64

802.1X architecture ·········································································································································· 64 Controlled/uncontrolled port and port authorization status ·············································································· 64

802.1X-related protocols ·································································································································· 65

Packet formats ········································································································································· 65

EAP over RADIUS ··································································································································· 66

802.1X authentication initiation ························································································································ 67

802.1X client as the initiator ····················································································································· 67

Access device as the initiator ··················································································································· 67

802.1X authentication procedures ··················································································································· 68

Comparing EAP relay and EAP termination ····························································································· 68

EAP relay ················································································································································· 69

EAP termination ······································································································································· 70

Configuring 802.1X ······················································································· 72

Access control methods ··································································································································· 72

802.1X VLAN manipulation ······························································································································ 72

Authorization VLAN ·································································································································· 72

Guest VLAN ············································································································································· 74

Auth-Fail VLAN ········································································································································ 75

Critical VLAN ············································································································································ 76 Using 802.1X authentication with other features ····························································································· 78

ACL assignment ······································································································································· 78

User profile assignment ··························································································································· 79

EAD assistant ··········································································································································· 79 Configuration prerequisites ······························································································································ 79

802.1X configuration task list ··························································································································· 80 Enabling 802.1X ··············································································································································· 80 Enabling EAP relay or EAP termination ··········································································································· 81 Setting the port authorization state ·················································································································· 81 Specifying an access control method ·············································································································· 82 Setting the maximum number of concurrent 802.1X users on a port ······························································· 82 Setting the maximum number of authentication request attempts ··································································· 82 Setting the 802.1X authentication timeout timers ···························································································· 83 Configuring the online user handshake feature ······························································································· 83

Configuration guidelines ··························································································································· 83

Configuration procedure ··························································································································· 84 Configuring the authentication trigger feature ·································································································· 84

Configuration guidelines ··························································································································· 84

Configuration procedure ··························································································································· 84 Specifying a mandatory authentication domain on a port ················································································ 85 Setting the quiet timer ······································································································································ 85 Enabling the periodic online user reauthentication feature ·············································································· 86 Configuring an 802.1X guest VLAN ················································································································· 86

Configuration guidelines ··························································································································· 86

Configuration prerequisites ······················································································································ 87

Configuration procedure ··························································································································· 87 Enabling 802.1X guest VLAN assignment delay ····························································································· 87 Configuring an 802.1X Auth-Fail VLAN ··········································································································· 88

Configuration guidelines ··························································································································· 88

Configuration prerequisites ······················································································································ 89

Configuration procedure ··························································································································· 89 Configuring an 802.1X critical VLAN ················································································································ 89

Configuration guidelines ··························································································································· 89

Configuration procedure ··························································································································· 90 Enabling 802.1X critical voice VLAN ················································································································ 90

Configuration prerequisites ······················································································································ 90

Configuration procedure ··························································································································· 91 Sending 802.1X protocol packets out of a port without VLAN tags ································································· 91 Specifying supported domain name delimiters ································································································ 91 Configuring the EAD assistant feature ············································································································· 92 Displaying and maintaining 802.1X ·················································································································· 93

802.1X authentication configuration examples ································································································ 93

Basic 802.1X authentication configuration example ················································································ 93

802.1X guest VLAN and authorization VLAN configuration example ······················································ 95

802.1X with ACL assignment configuration example ··············································································· 98

802.1X with EAD assistant configuration example ··················································································· 99

Troubleshooting 802.1X ································································································································· 102

EAD assistant for Web browser users ··································································································· 102

Configuring MAC authentication ································································· 103

User account policies ····························································································································· 103

Authentication methods ·························································································································· 103

VLAN assignment ·································································································································· 103

ACL assignment ····································································································································· 105

User profile assignment ························································································································· 106

Periodic MAC reauthentication ··············································································································· 106

Configuration prerequisites ···························································································································· 106 Configuration task list ····································································································································· 106 Enabling MAC authentication ························································································································· 107 Specifying a MAC authentication domain ······································································································ 107 Configuring the user account format ·············································································································· 108 Setting MAC authentication timers ················································································································· 108 Enabling MAC authentication offline detection ······························································································ 109 Setting the maximum number of concurrent MAC authentication users on a port ········································· 109 Enabling MAC authentication multi-VLAN mode on a port ············································································ 110 Configuring MAC authentication delay ··········································································································· 110 Enabling parallel processing of MAC authentication and 802.1X authentication ··········································· 111

Configuration restrictions and guidelines ······························································································· 111

Configuration procedure ························································································································· 111 Configuring a MAC authentication guest VLAN ····························································································· 112 Configuring a MAC authentication critical VLAN ···························································································· 112 Enabling the MAC authentication critical voice VLAN ···················································································· 113

Configuration prerequisites ···················································································································· 113

Configuration procedure ························································································································· 114 Configuring the keep-online feature ··············································································································· 114 Including user IP addresses in MAC authentication requests ········································································ 114 Displaying and maintaining MAC authentication ···························································································· 115 MAC authentication configuration examples ·································································································· 115

Local MAC authentication configuration example ·················································································· 115

RADIUS-based MAC authentication configuration example ·································································· 117

ACL assignment configuration example································································································· 119

Configuring portal authentication ································································ 123

Extended portal functions ······················································································································· 123

Portal system components ····················································································································· 123

Portal system using the local portal Web server ···················································································· 125

Interaction between portal system components ····················································································· 125

Portal authentication modes ··················································································································· 126

Portal authentication process ················································································································· 126 Portal configuration task list ··························································································································· 128 Configuration prerequisites ···························································································································· 129 Configuring a portal authentication server ····································································································· 130 Configuring a portal Web server ···················································································································· 130 Enabling portal authentication on an interface ······························································································· 131

Configuration restrictions and guidelines ······························································································· 131

Configuration procedure ························································································································· 131 Referencing a portal Web server for an interface ·························································································· 132 Controlling portal user access ························································································································ 132

Configuring a portal-free rule ················································································································· 132

Configuring an authentication source subnet ························································································· 133

Configuring an authentication destination subnet ·················································································· 134

Setting the maximum number of portal users ························································································ 135

Specifying a portal authentication domain ····························································································· 135

Enabling outgoing packets filtering on a portal-enabled interface ·························································· 136 Configuring portal detection features ············································································································· 136

Configuring online detection of portal users ··························································································· 136

Configuring portal authentication server detection ················································································· 137

Configuring portal Web server detection ································································································ 138

Configuring portal user synchronization ································································································· 139 Configuring the portal fail-permit feature ········································································································ 140 Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server ··························· 140 Applying a NAS-ID profile to an interface ······································································································ 141 Enabling portal roaming ································································································································· 142 Logging out portal users ································································································································ 142 Configuring the local portal Web server feature ····························································································· 142

Customizing authentication pages ········································································································· 143

Configuring a local portal Web server ···································································································· 145

iii

Displaying and maintaining portal ·················································································································· 145 Portal configuration examples ························································································································ 146

Configuring direct portal authentication ·································································································· 146

Configuring re-DHCP portal authentication ···························································································· 153

Configuring cross-subnet portal authentication ······················································································ 157

Configuring extended direct portal authentication ·················································································· 159

Configuring extended re-DHCP portal authentication ············································································ 162

Configuring extended cross-subnet portal authentication ······································································ 166

Configuring portal server detection and portal user synchronization ····················································· 169

Configuring cross-subnet portal authentication for MPLS L3VPNs························································ 177

Configuring direct portal authentication using local portal Web server ·················································· 179 Troubleshooting portal ··································································································································· 182

No portal authentication page is pushed for users ················································································· 182

Cannot log out portal users on the access device ················································································· 182

Cannot log out portal users on the RADIUS server ··············································································· 183

Users logged out by the access device still exist on the portal authentication server···························· 183

Re-DHCP portal authenticated users cannot log in successfully ··························································· 183

Configuring port security ············································································· 185

Port security features ····························································································································· 185

Port security modes ······························································································································· 185 Configuration task list ····································································································································· 188 Enabling port security ···································································································································· 188 Setting port security's limit on the number of secure MAC addresses on a port ············································ 189 Setting the port security mode ······················································································································· 189 Configuring port security features ·················································································································· 190

Configuring NTK ····································································································································· 190

Configuring intrusion protection ············································································································· 191 Configuring secure MAC addresses ·············································································································· 191

Configuration prerequisites ···················································································································· 192

Configuration procedure ························································································································· 192 Ignoring authorization information from the server ························································································ 193 Enabling MAC move ······································································································································ 193 Applying NAS-ID profile to port security ········································································································· 194 Enabling the authorization-fail-offline feature ································································································· 194 Displaying and maintaining port security ······································································································· 195 Port security configuration examples ············································································································· 195

autoLearn configuration example ··········································································································· 195

userLoginWithOUI configuration example ······························································································ 197

macAddressElseUserLoginSecure configuration example ···································································· 200 Troubleshooting port security ························································································································· 203

Cannot set the port security mode ········································································································· 203

Cannot configure secure MAC addresses ····························································································· 204

Configuring password control ····································································· 205

Password setting ···································································································································· 205

Password updating and expiration ········································································································· 206

User login control ··································································································································· 207

Password not displayed in any form ······································································································ 207

Logging ·················································································································································· 207 FIPS compliance ············································································································································ 208 Password control configuration task list ········································································································· 208 Enabling password control ····························································································································· 208 Setting global password control parameters ·································································································· 209 Setting user group password control parameters ·························································································· 210 Setting local user password control parameters ···························································································· 211 Setting super password control parameters ·································································································· 211 Displaying and maintaining password control ································································································ 212 Password control configuration example ······································································································· 212

Network requirements ···························································································································· 212

Configuration procedure ························································································································· 213

Verifying the configuration ······················································································································ 214

Managing public keys ················································································· 216

Overview ························································································································································ 216 FIPS compliance ············································································································································ 216 Creating a local key pair ································································································································ 216 Distributing a local host public key ················································································································· 218

Exporting a host public key ···················································································································· 218

Displaying a host public key ··················································································································· 218 Destroying a local key pair ····························································································································· 219 Configuring a peer host public key ················································································································· 219

Importing a peer host public key from a public key file ·········································································· 219

Entering a peer host public key ·············································································································· 219 Displaying and maintaining public keys ········································································································· 220 Examples of public key management ············································································································ 220

Example for entering a peer host public key ·························································································· 220

Example for importing a public key from a public key file ······································································ 222

Configuring PKI ··························································································· 225

PKI terminology ······································································································································ 225

PKI architecture ······································································································································ 226

PKI operation ········································································································································· 226

PKI applications ····································································································································· 227

Support for MPLS L3VPN ······················································································································ 227 FIPS compliance ············································································································································ 228 PKI configuration task list ······························································································································· 228 Configuring a PKI entity ································································································································· 228 Configuring a PKI domain ······························································································································ 229 Requesting a certificate ································································································································· 231

Configuration guidelines ························································································································· 231

Configuring automatic certificate request ······························································································· 232

Manually requesting a certificate ············································································································ 232 Aborting a certificate request ························································································································· 233 Obtaining certificates ····································································································································· 233

Configuration prerequisites ···················································································································· 233

Configuration guidelines ························································································································· 233

Configuration procedure ························································································································· 234 Verifying PKI certificates ································································································································ 234

Verifying certificates with CRL checking ································································································ 234

Verifying certificates without CRL checking ··························································································· 235 Specifying the storage path for the certificates and CRLs ············································································· 235 Exporting certificates ······································································································································ 236 Removing a certificate ··································································································································· 236 Configuring a certificate-based access control policy ···················································································· 237 Displaying and maintaining PKI ····················································································································· 238 PKI configuration examples ··························································································································· 238

Requesting a certificate from an RSA Keon CA server ·········································································· 238

Requesting a certificate from a Windows Server 2003 CA server ························································· 241

Requesting a certificate from an OpenCA server ··················································································· 244

Certificate import and export configuration example ·············································································· 247 Troubleshooting PKI configuration ················································································································· 252

Failed to obtain the CA certificate ·········································································································· 253 

Failed to obtain local certificates ············································································································ 253

Failed to request local certificates ·········································································································· 254

Failed to obtain CRLs ····························································································································· 254

Failed to import the CA certificate ·········································································································· 255

Failed to import a local certificate ··········································································································· 256

Failed to export certificates ···················································································································· 256

Failed to set the storage path ················································································································· 257

Configuring IPsec ························································································ 258

Security protocols and encapsulation modes ························································································· 258

Security association ······························································································································· 260

Authentication and encryption ················································································································ 260

IPsec implementation ····························································································································· 261

Protocols and standards ························································································································ 262 FIPS compliance ············································································································································ 262 IPsec tunnel establishment ···························································································································· 262 Implementing ACL-based IPsec ···················································································································· 263

Feature restrictions and guidelines ········································································································ 263

ACL-based IPsec configuration task list ································································································· 263

Configuring an ACL ································································································································ 264

Configuring an IPsec transform set ········································································································ 264

Configuring a manual IPsec policy ········································································································· 266

Configuring an IKE-based IPsec policy ·································································································· 268

Applying an IPsec policy to an interface ································································································ 271

Enabling ACL checking for de-encapsulated packets ············································································ 272

Configuring IPsec anti-replay ················································································································· 272

Configuring IPsec anti-replay redundancy ····························································································· 273

Binding a source interface to an IPsec policy ························································································ 274

Enabling QoS pre-classify ······················································································································ 274

Enabling logging of IPsec packets ········································································································· 275

Configuring the DF bit of IPsec packets ································································································· 275 Configuring IPsec for IPv6 routing protocols ·································································································· 276

Configuration task list ····························································································································· 276

Configuring a manual IPsec profile ········································································································ 276 Configuring SNMP notifications for IPsec ······································································································ 277 Displaying and maintaining IPsec ·················································································································· 278 IPsec configuration examples ························································································································ 279

Configuring a manual mode IPsec tunnel for IPv4 packets ··································································· 279

Configuring an IKE-based IPsec tunnel for IPv4 packets ······································································ 281

Configuring IPsec for RIPng ··················································································································· 284

Configuring IKE ··························································································· 288

IKE negotiation process ························································································································· 288

IKE security mechanism ························································································································· 289

Protocols and standards ························································································································ 290 FIPS compliance ············································································································································ 290 IKE configuration prerequisites ······················································································································ 290 IKE configuration task list ······························································································································· 290 Configuring an IKE profile ······························································································································ 291 Configuring an IKE proposal ·························································································································· 293 Configuring an IKE keychain ·························································································································· 294 Configuring the global identity information ····································································································· 295 Configuring the IKE keepalive feature ··········································································································· 295 Configuring the IKE NAT keepalive feature ··································································································· 296 Configuring IKE DPD ····································································································································· 296 Enabling invalid SPI recovery ························································································································ 297 Setting the maximum number of IKE SAs ······································································································ 297 Configuring SNMP notifications for IKE ········································································································· 298 Displaying and maintaining IKE ····················································································································· 298 IKE configuration examples ··························································································································· 299

Main mode IKE with pre-shared key authentication configuration example ··········································· 299

Verifying the configuration ······················································································································ 301 Troubleshooting IKE ······································································································································ 301

IKE negotiation failed because no matching IKE proposals were found ················································ 301

IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly ··············· 302

IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 303

IPsec SA negotiation failed due to invalid identity information ······························································· 303

Configuring IKEv2 ······················································································· 306

IKEv2 negotiation process ····················································································································· 306

New features in IKEv2 ···························································································································· 307

Protocols and standards ························································································································ 307 IKEv2 configuration task list ··························································································································· 307 Configuring an IKEv2 profile ·························································································································· 308 Configuring an IKEv2 policy ··························································································································· 311 Configuring an IKEv2 proposal ······················································································································ 311 Configuring an IKEv2 keychain ······················································································································ 313 Configure global IKEv2 parameters ··············································································································· 314

Enabling the cookie challenging feature ································································································ 314

Configuring the IKEv2 DPD feature ······································································································· 314

Configuring the IKEv2 NAT keepalive feature ························································································ 314 Displaying and maintaining IKEv2 ················································································································· 315 IKEv2 configuration examples ······················································································································· 315

IKEv2 with pre-shared key authentication configuration example ·························································· 315

IKEv2 with RSA signature authentication configuration example ·························································· 318 Troubleshooting IKEv2 ··································································································································· 323

IKEv2 negotiation failed because no matching IKEv2 proposals were found ········································ 323

IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 323

IPsec tunnel establishment failed ··········································································································· 323

Configuring SSH ························································································· 325

How SSH works ····································································································································· 325

SSH authentication methods ·················································································································· 326

SSH support for Suite B ························································································································· 327

Protocols and standards ························································································································ 328 FIPS compliance ············································································································································ 328 Configuring the device as an SSH server ······································································································ 328

SSH server configuration task list ·········································································································· 328

Generating local key pairs ······················································································································ 328

Enabling the Stelnet server ···················································································································· 329

Enabling the SFTP server ······················································································································ 329

Enabling the SCP server ························································································································ 330

Configuring NETCONF over SSH ·········································································································· 330

Configuring user lines for SSH login ······································································································ 330

Configuring a client's host public key ····································································································· 331

Configuring an SSH user ······················································································································· 332

Configuring the SSH management parameters ····················································································· 333

Specifying a PKI domain for the SSH server ························································································· 334 Configuring the device as an Stelnet client ···································································································· 335

Stelnet client configuration task list ········································································································ 335

Specifying the source IP address for SSH packets ················································································ 335

Establishing a connection to an Stelnet server ······················································································ 335

Establishing a connection to an Stelnet server based on Suite B ·························································· 337 Configuring the device as an SFTP client ······································································································ 338

SFTP client configuration task list ·········································································································· 338

Specifying the source IP address for SFTP packets ·············································································· 338

Establishing a connection to an SFTP server ························································································ 338

Establishing a connection to an SFTP server based on Suite B ···························································· 340

Working with SFTP directories ··············································································································· 341

Working with SFTP files ························································································································· 341

Displaying help information ···················································································································· 341

Terminating the connection with the SFTP server ················································································· 342 Configuring the device as an SCP client ········································································································ 342

Establishing a connection to an SCP server ·························································································· 342

Establishing a connection to an SCP server based on Suite B······························································ 344 Specifying algorithms for SSH2 ····················································································································· 344

Specifying key exchange algorithms for SSH2 ······················································································ 345

vii

Specifying public key algorithms for SSH2 ···························································································· 345

Specifying encryption algorithms for SSH2 ···························································································· 345

Specifying MAC algorithms for SSH2 ···································································································· 346 Displaying and maintaining SSH ···················································································································· 346 Stelnet configuration examples ······················································································································ 346

Password authentication enabled Stelnet server configuration example ··············································· 346

Publickey authentication enabled Stelnet server configuration example ··············································· 349

Password authentication enabled Stelnet client configuration example ················································ 354

Publickey authentication enabled Stelnet client configuration example ················································· 358

Stelnet configuration example based on 128-bit Suite B algorithms ······················································ 360 SFTP configuration examples ························································································································ 364

Password authentication enabled SFTP server configuration example ················································· 364

Publickey authentication enabled SFTP client configuration example ··················································· 366

SFTP configuration example based on 192-bit Suite B algorithms ························································ 370 SCP configuration examples ·························································································································· 374

SCP configuration example with password authentication ···································································· 374

SCP configuration example based on Suite B algorithms ······································································ 376 NETCONF over SSH configuration example with password authentication ·················································· 382

Network requirements ···························································································································· 383

Configuration procedure ························································································································· 383

Verifying the configuration ······················································································································ 384

Configuring SSL ·························································································· 385

SSL security services ····························································································································· 385

SSL protocol stack ································································································································· 385 FIPS compliance ············································································································································ 386 SSL configuration task list ······························································································································ 386 Configuring an SSL server policy ··················································································································· 386 Configuring an SSL client policy ···················································································································· 388 Displaying and maintaining SSL ···················································································································· 390

Configuring IP source guard ······································································· 391

Static IPSG bindings ······························································································································ 391

Dynamic IPSG bindings ························································································································· 392 IPSG configuration task list ···························································································································· 392 Configuring the IPv4SG feature ····················································································································· 393

Enabling IPv4SG on an interface ··········································································································· 393

Configuring a static IPv4SG binding ······································································································ 393 Configuring the IPv6SG feature ····················································································································· 394

Enabling IPv6SG on an interface ··········································································································· 394

Configuring a static IPv6SG binding ······································································································ 395 Displaying and maintaining IPSG ·················································································································· 396 IPSG configuration examples ························································································································ 396

Static IPv4SG configuration example ····································································································· 396

Dynamic IPv4SG using DHCP snooping configuration example ··························································· 397

Dynamic IPv4SG using DHCP relay configuration example ·································································· 398

Static IPv6SG configuration example ····································································································· 399

Dynamic IPv6SG using DHCPv6 snooping configuration example ······················································· 400

Configuring ARP attack protection ······························································ 402

ARP attack protection configuration task list ·································································································· 402 Configuring unresolvable IP attack protection ······························································································· 402

Configuring ARP source suppression ···································································································· 403

Configuring ARP blackhole routing ········································································································ 403

Displaying and maintaining unresolvable IP attack protection ······························································· 403

Configuration example ··························································································································· 404 Configuring ARP packet rate limit ·················································································································· 404

Configuration guidelines ························································································································· 405

Configuration procedure ························································································································· 405 Configuring source MAC-based ARP attack detection ·················································································· 405

viii

Configuration procedure ························································································································· 406

Displaying and maintaining source MAC-based ARP attack detection ·················································· 406

Configuration example ··························································································································· 406 Configuring ARP packet source MAC consistency check ·············································································· 407 Configuring ARP active acknowledgement ···································································································· 408 Configuring authorized ARP ·························································································································· 408

Configuration procedure ························································································································· 408

Configuration example (on a DHCP server) ··························································································· 409

Configuration example (on a DHCP relay agent) ··················································································· 410 Configuring ARP detection ····························································································································· 411

Configuring user validity check ·············································································································· 412

Configuring ARP packet validity check ·································································································· 412

Configuring ARP restricted forwarding ··································································································· 413

Enabling ARP detection logging ············································································································· 414

Displaying and maintaining ARP detection ···························································································· 414

User validity check and ARP packet validity check configuration example ············································ 414

ARP restricted forwarding configuration example ·················································································· 416 Configuring ARP scanning and fixed ARP ····································································································· 417

Configuration restrictions and guidelines ······························································································· 418

Configuration procedure ························································································································· 418 Configuring ARP gateway protection ············································································································· 418

Configuration guidelines ························································································································· 418

Configuration procedure ························································································································· 419

Configuration example ··························································································································· 419 Configuring ARP filtering ································································································································ 420

Configuration guidelines ························································································································· 420

Configuration procedure ························································································································· 420

Configuration example ··························································································································· 420 Configuring ARP sender IP address checking ······························································································· 421

Configuring MFF ························································································· 423

Basic concepts ······································································································································· 424

MFF operation modes ···························································································································· 424

MFF working mechanism ······················································································································· 425

Protocols and standards ························································································································ 425 Configuring MFF ············································································································································ 425

Enabling MFF ········································································································································· 425

Configuring a network port ····················································································································· 425

Enabling periodic gateway probe ··········································································································· 426

Specifying the IP addresses of servers ·································································································· 426 Displaying and maintaining MFF ···················································································································· 427 MFF configuration examples ·························································································································· 427

Manual-mode MFF configuration example in a tree network ································································· 427

Manual-mode MFF configuration example in a ring network ································································· 428

Configuring uRPF ······················································································· 430

uRPF check modes ································································································································ 430

uRPF operation ······································································································································ 430

Network application ································································································································ 433 Configuring uRPF ·········································································································································· 433 Displaying and maintaining uRPF ·················································································································· 433 uRPF configuration example ·························································································································· 434

Configuring crypto engines ········································································· 435

Configuring FIPS ························································································· 436

Configuring FIPS mode ·································································································································· 437

Entering FIPS mode ······························································································································· 437

Configuration changes in FIPS mode ···································································································· 438

Exiting FIPS mode ································································································································· 439 FIPS self-tests ················································································································································ 439

Power-up self-tests ································································································································ 440

Conditional self-tests ······························································································································ 440

Triggering self-tests ································································································································ 441 Displaying and maintaining FIPS ··················································································································· 441 FIPS configuration examples ························································································································· 441

Entering FIPS mode through automatic reboot ······················································································ 441

Entering FIPS mode through manual reboot ·························································································· 442

Exiting FIPS mode through automatic reboot ························································································ 444

Exiting FIPS mode through manual reboot ···························································································· 444

Configuring user profiles ············································································· 446

Overview ························································································································································ 446 Configuration task list ····································································································································· 446 Configuration restrictions and guidelines ······································································································· 446 Creating a user profile ···································································································································· 446 Configuring parameters for a user profile ······································································································ 447

Configuring QoS parameters for traffic management ············································································ 447 Displaying and maintaining user profiles ······································································································· 447 User profile configuration examples ··············································································································· 447

Local 802.1X authentication/authorization with QoS policy configuration example ······························· 447

Configuring attack detection and prevention ··············································· 452

Single-packet attacks ····························································································································· 452

Scanning attacks ···································································································································· 453

Flood attacks ·········································································································································· 454

TCP fragment attack ······························································································································ 455

Login dictionary attack ··························································································································· 455 Attack detection and prevention configuration task list ·················································································· 455 Configuring an attack defense policy ············································································································· 456

Creating an attack defense policy ·········································································································· 456

Configuring a single-packet attack defense policy ················································································· 456

Configuring a scanning attack defense policy ························································································ 457

Configuring a flood attack defense policy ······························································································ 458

Configuring attack detection exemption ································································································· 462

Applying an attack defense policy to the device ···················································································· 462

Disabling log aggregation for single-packet attack events ····································································· 463 Configuring TCP fragment attack prevention ································································································· 463 Enabling the login delay ································································································································· 463 Displaying and maintaining attack detection and prevention ········································································· 464 Attack detection and prevention configuration example ················································································ 465

Network requirements ···························································································································· 465

Configuration procedure ························································································································· 465

Verifying the configuration ······················································································································ 466

Configuring ND attack defense ··································································· 469

Configuring keychains ················································································· 470

Overview ························································································································································ 470 Configuration procedure ································································································································ 470 Displaying and maintaining keychain ············································································································· 471 Keychain configuration example ···················································································································· 471

Network requirements ···························································································································· 471

Configuration procedure ························································································································· 471

Verifying the configuration ······················································································································ 473

Document conventions and icons ······························································· 476

Conventions ··················································································································································· 476 Network topology icons ·································································································································· 477

Support and other resources ······································································ 478

Accessing Hewlett Packard Enterprise Support ···························································································· 478 Accessing updates ········································································································································· 478

Websites ················································································································································ 479

Customer self repair ······························································································································· 479

Remote support ······································································································································ 479

Documentation feedback ······················································································································· 479

Index ··········································································································· 481

Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feat ure specifies the following security functions:

• Authentication—Identifies users and verifies their validity.

• Authorization—Grants different users different rights, and controls the users' access to

resources and services. For example, you can permit office users to read and print files and prevent guests from accessing files on the device.

• Accounting—Records network usage details of users, including the service type, start time, and traffic. This function enables time-based and traffic-based charging and user behavior auditing.

AAA uses a client/server m odel. The clie nt runs on the access d evice, or the net work access se rver (NAS), which authenticates user identities and controls user access. The server maintains user information centrally. See Figure 1.

Figure 1

Remote user

To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The NAS transparently passes the user information to AAA servers and waits for the authentication, authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny the access request.

AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often used.

The network in Figure 1 ha servers to implement different security functions. For example, you can use the HWTACACS server for authentication and authorization, and use the RADIUS server for accounting.

AAA network diagram

Network

s one RADIUS server and one HWT A CACS server. You can use dif ferent

NAS

RADIUS server

HWTACACS server

Internet

You can choose the security functions provided by AAA as needed. For example, if your company wants employees to be authenticated before they access specific resources, you would deploy an authentication server. If network usage information is needed, you would also configure an accounting server.

The device performs dynamic password authentication.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.

The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access, and has been extended to support additional access methods, such as Ethernet and ADSL.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access.

The RADIUS server operates using the following process:

1. Receives authentication, authorization, and accounting requests from RADIUS clients.

2. Performs user authentication, authorization, or accounting.

3. Returns user access control information (for example, rejecting or accepting the user acce ss

request) to the clients.

The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy services.

The RADIUS server maintains the following databases:

• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP addresses.

• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

• Dictionary—Stores RADIUS protocol attributes and their values.

Figure 2 RADIUS server databases

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys, which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called Authenticator. This field includes a signature ge nerated by using the MD5 algorithm, the shared key, and some other information. The receiver of the packet verifies the si gnature and accepts the packet only when the signature is correct. This mechanism ensures the security of information exchanged between the RADIUS client and server.

The shared keys are also used to encrypt user passwords that are included in RADIUS packets.

User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.

Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS uses the following workflow:

1. The host sends a connection request that includes the user's username and password to the RADIUS client.

2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The request includes the user's password, which has been processed by the MD5 algorithm and shared key.

3. The RADIUS server authenticates the username and password. If the authenticati on succeeds, the server sends back an Access-Accept packet that contains the user's authorization information. If the authentication fails, the server returns an Access-Reject packet.

4. The RADIUS client permits or denies the user according to the authentication result. If the result permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) packet to the RADIUS server.

5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection.

8. The RADIUS client sends a stop-accounting request (Accounting-Reque st) packet to the

RADIUS server.

9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting for the user.

10. The RADIUS client notifies the user of the termination.

RADIUS packet format

RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client. These mechanisms incl ude the timer mechanism, the retransmission mechanism, and the backup server mechanism.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 g values and their meanings.

Table 1 Main values of the Code field

Code Packet type Description

From the client to the server. A packet of this type includes user information

1 Access-Request

for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.

ives the main

From the server to the client. If all attribute values included in the

2 Access-Accept

3 Access-Reject

Accounting-Reque st

Accounting-Respo nse

Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.

From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails, and the server sends an Access-Reject response.

From the client to the server. A packet of this type includes user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.

From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.

• The Identifier field (1 byte long) is used to match response packets with request packets and to detect duplicate request packets. The request and response packets of the same exchange process for the same purpose (such as authentication or accounting) have the same identifier.

• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered padding and are ignored by the receiver. If the length of a received packet is less than this length, the packet is dropped.

• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.

• The Attributes field (variab le in length) includes authentication, authorization, and accounting information. This field can contain multiple attributes, each with the following subfields:

{ Type—Type of the attribute.

{ Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. { Value—Value of the attribute. Its format and content depend on the Type subfield.

Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC

2868. For more information, see "Commonly used standard RADIUS attributes."

Table 2 Commonly used RADIUS attributes

No. Attribute No. Attribute

1 User-Name 45 Acct-Authentic 2 User-Password 46 Acct-Session-Time 3 CHAP-Password 47 Acct-Input-Packets 4 NAS-IP-Address 48 Acct-Output-Packets 5 NAS-Port 49 Acct-Terminate-Cause 6 Service-Type 50 Acct-Multi-Session-Id 7 Framed-Protocol 51 Acct-Link-Count 8 Framed-IP-Address 52 Acct-Input-Gigawords 9 Framed-IP-Netmask 53 Acct-Output-Gigawords 10 Framed-Routing 54 (unassigned) 11 Filter-ID 55 Event-Timestamp 12 Framed-MTU 56-59 (unassigned) 13 Framed-Compression 60 CHAP-Challenge 14 Login-IP-Host 61 NAS-Port-Type 15 Login-Service 62 Port-Limit 16 Login-TCP-Port 63 Login-LAT-Port 17 (unassigned) 64 Tunnel-Type 18 Reply-Message 65 Tunnel-Medium-Type 19 Callback-Number 66 Tunnel-Client-Endpoint 20 Callback-ID 67 Tunnel-Server-Endpoint 21 (unassigned) 68 Acct-Tunnel-Connection 22 Framed-Route 69 Tunnel-Password 23 Framed-IPX-Network 70 ARAP-Password 24 State 71 ARAP-Features 25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security 27 Session-Timeout 74 ARAP-Security-Data 28 Idle-Timeout 75 Password-Retry 29 Termination-Action 76 Prompt 30 Called-Station-Id 77 Connect-Info 31 Calling-Station-Id 78 Configuration-Token 32 NAS-Identifier 79 EAP-Message

No. Attribute No. Attribute

33 Proxy-State 80 Message-Authenticator 34 Login-LAT-Service 81 Tunnel-Private-Group-id 35 Login-LAT-Node 82 Tunnel-Assignment-id 36 Login-LAT-Group 83 Tunnel-Preference 37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response 38 Framed-AppleTalk-Network 85 Acct-Interim-Interval 39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost 40 Acct-Status-Type 87 NAS-Port-Id 41 Acct-Delay-Time 88 Framed-Pool 42 Acct-Input-Octets 89 (unassigned) 43 Acct-Output-Octets 90 Tunnel-Client-Auth-id 44 Acct-Session-Id 91 Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes implement functions that the standard RADIUS protocol does not provide.

A vendor can encapsulate multiple subattributes in the TL V format in attribute 26 to provide exte nded functions. As shown in Figure 5, a

subattribute encapsulated in attribute 26 consists of the following

parts:

• Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a code compliant to RFC 1700.

• Vendor-Type—Type of the subattribute.

• Vendor-Length—Length of the subattribute.

• Vendor-Data—Contents of the subattribute.

The device supports the RADIUS subattributes with a vendor ID of 25506. For more information, see "Proprietary RADIUS subattributes (vendor ID 25506)."

Figure 5

Format of attribute 26

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on T ACACS (RFC 1492 ). HWT ACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWT ACA CS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the

ry differences between HWTACACS and RADIUS.

prima

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, which provides reliable network transmission.

Uses UDP, which provides high transport efficiency.

Encrypts the entire packet except for the HWTACACS header.

Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers.

Supports authorization of configuration commands. Access to commands depends on both the user's roles and authorization. A user can use only commands that are permitted by the user roles and authorized by the HWTACACS server.

Basic HWTACACS packet exchange process

Figure 6 describes how HWT ACACS perf orms user authentication, a uthorization, and accounting for

a Telnet user .

Encrypts only the user password field in an authentication packet.

Protocol packets are simple and the authorization process is combined with the authentication process.

Does not support authorization of configuration commands. Access to commands solely depends on the user's roles. For more information about user roles, see Fundamentals Configuration Guide.

Figure 6 Basic HWTACACS packet exchange process for a Telnet user

Host HWTACACS client HWTACACS server

1) The user tries to log in

2) Start-authentication packet

3) Authentication response requesting the username

4) Request for username

5) The user enters the username

6) Continue-authentication packet with the username

7) Authentication response requesting the password

8) Request for password

9) The user enters the password

10) Continue-authentication packet with the password

11) Response indicating successful authentication

12) User authorization request packet

13) Response indicating successful authorization

14) The user logs in successfully

15) Start-accounting request

16) Response indicating the start of accounting

17) The user logs off

18) Stop-accounting request

19) Stop-accounting response

HWTACACS operates using the following workflow:

1. A Telnet user sends an access request to the HWTACACS client.

2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it

receives the request.

3. The HWTACACS server sends back an authentication response to request the username.

4. Upon receiving the response, the HWTACACS client asks the user for the username.

5. The user enters the username.

6. After receiving the username from the user, the HWTACACS client sends the server a

continue-authentication packet that includes the username.

7. The HWTACACS server sends back an authentication response to request the login password.

8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.

9. The user enters the password.

10. After receiving the login password, the HWTACACS client sends the HWTACACS serv er a

11. If the authentication succeeds, the HWTACACS server sends back an authenti cation response

12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.

13. If the authorization succeeds, the HWTACACS server sends back an authorization response,

14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and

15. The HWTACACS client sends a start-accounting request to the HWTACACS server.

16. The HWTACACS server sends back an accounting response, indi cating that it has received the

17. The user logs off.

18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19. The HWTACACS server sends back a stop-accounting response, indicating that the

LDAP

The Lightweight Directory Access Proto col (LDAP) provides stan dard multiplatform directory service. LDAP was developed on the basis of the X.500 protocol. It improves the following functions of X.500:

• Read/write interactive access.

• Browse.

• Search.

continue-authentication packet that includes the login password.

to indicate that the user has passed authentication.

indicating that the user is now authorized.

permits the user to log in.

start-accounting request.

stop-accounting request has been received.

LDAP is suitable for storing data that does not often change. The protocol is used to store user information. For example, LDAP server software Active Directory Server is used in Microsoft Windows operating systems. The software stores the user information and user group information for user login authentication and authorization.

LDAP directory service

LDAP uses directories to maintain the organization informatio n, personnel information, and resource information. The directories are organized in a tree structure and include entries. An entry is a set of attributes with distinguished names (DNs). The attributes are used to store information such as usernames, passwords, emails, computer names, and phone numbers.

LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun ONE Directory Server.

LDAP authentication and authorization

AAA can use LDAP to provide authentication and authorization services for users. LDAP defines a set of operations to implement its functions. The main operations for authentication and authori zation are the bind operation and search operation.

• The bind operation allows an LDAP client to perform the following operations:

{ Establish a connection with the LDAP server. { Obtain the access rights to the LDAP server. { Check the validity of user information.

• The search operation constructs search conditions and obtains the directory re source information of the LDAP server.

In LDAP authentication, the client completes the following operations:

1. Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.

2. Constructs search conditions by using the username in the authentication information of a u ser. The specified root directory of the server is searched and a user DN list is generated.

3. Binds with the LDAP server by using each user DN and password. If a binding is created, the user is considered legal.

In LDAP authorization, the client performs the same operations as in LDAP authentication. Wh en the client constructs search conditions, it obtains both authorization information and the user DN list.

• If the authorization information meets the authorization requirements, the authorization process ends.

• If the authorization information does not meet the authorization requirements, the client sends an administrator bind request to the LDAP server. This operation obtains the right to search for authorization information about users on the user DN list.

Basic LDAP packet exchange process

The following example illustrates the basic packet exchange process during LDAP authentication and authorization for a Telnet user.

Figure 7 Basic packet exchange process for LDAP authentication of a Telnet user

The basic packet exchange process is as follows:

1. A Telnet user initiates a connection request and sends the username and password to the LDAP client.

2. After receiving the request, the LDAP client establishes a TCP connection with the LDAP server.

3. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.

4. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.

5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.

6. After receiving the request, the LDAP server searches for the use r DN by the base DN, sea rch scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found.

7. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server. The server will check whether the user password is correct.

8. The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client notifies the user of the login failure and denies the user's access request.

9. The LDAP client and server perform authorization exchanges. If another scheme (for example, an HWTACACS scheme) is expected for authorization, the LDAP client exchanges authorization packets with the HWTACACS authorization server instead.

10. After successful authorization, the LDAP client notifies the user of the successful login.

AAA implementation on the device

This section describes AAA user mana gement and methods.

User management based on ISP domains and user access types

AAA manages users based on the users' ISP domains and access types. On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a

user belongs based on the username entered by the user at login.

Figure 8 Determining the ISP domain for a user by username

AAA manages use rs in the same ISP domain based on the users' access types. The device supports the following user access types:

• LAN—LAN users must pass 802.1X or MAC authentication to come online.

• Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device.

Terminal users can access through console ports.

• Portal—Portal users must pass portal authentication to access the network.

• Web—Web users log in to the Web interface of the device through HTTP or HTTPS.

NOTE:

The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend on the configuration of the authentication modules.

AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The N AS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.

AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for whom no AAA method s are configured.

The device supports the following authentication methods:

• No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.

• Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.

• Remote authentication—The NAS works with a RADIUS, HWTACACS, or LDAP server to authenticate users. The server manages user information in a centralized manner. Remote authentication provides high capacity, reliable, and centralized authentication services for multiple NASs. You can configure backup methods to be used when the remote server is not available.

The device supports the following authorization methods:

• No authorization—The NAS performs no authorization exchange. The following default authorization information applies after users pass authentication:

{ Non-login users can access the network. { Login users are assigned the default user role. For more information about the default user

{ FTP, SFTP , and SCP login users also ha ve the root directory of the NAS set as the wo rking

• Local authorization—The NAS performs authorization according to the user attributes locally configured for users.

• Remote authorization—The NAS works with a RADIUS, HWTACACS, or LDAP server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is included in the Access-Accept packet. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is included in the authorization response after successful authentication. You can configure backup methods to be used when the remote server is not available.

role feature, see Fundamentals Configuration Guide.

directory. However, the users do not have permission to access the root directory.

The device supports the following accounting methods:

• No accounting—The NAS does not perform accounting for the users.

• Local accounting—Local accounting is implemented on the NAS. It counts and controls the

number of concurrent users who use the same local user account, but does not provide statistics for charging.

• Remote accounting—The NAS works with a RADIUS server or HWTACACS server for accounting. You can configure ba ckup methods to be used when the remote server is not available.

In addition, the device provides the following login services to enhance device security:

• Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted. Login users can execute only commands permitted by the authorization server. Fo r more info rm ation about command auth orization, see Fundamentals Configuration Guide.

• Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.

• User role authentication—Authenticates each user who wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.

AAA for MPLS L3VPNs

You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated. The deployment enables forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, as shown in Figure 9, you can deploy PE at the left side of the MPLS backbone acts as a NAS. The NAS transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication. Authentication packets of private users in different VPNs do not affect each other.

Figure 9 Network diagram

AAA across the VPNs. The

This feature can also help an MCE to implement portal authentication for VPNs. For more information about MCE, see MPLS Configuration Guide. For more information about portal authentication, see "Configuring portal authentication."

Protocols and standards

• RFC 2865, Remote Authentication Dial In User Service (RADIUS)

• RFC 2866, RADIUS Accounting

• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

• RFC 2868, RADIUS Attributes for Tunnel Protocol Support

• RFC 2869, RADIUS Extensions

• RFC 5176, Dynamic Authorization Extensions to Remote Authentication Dial In User Service

(RADIUS)

• RFC 1492, An Access Control Protocol, Sometimes Called T ACACS

• RFC 1777, Lightweight Directory Access Proto col

• RFC 2251, Lightweight Directory Access Protocol (v3 )

RADIUS attributes

Commonly used standard RADIUS attributes

No. Attribute Description

1 User-Name Name of the user to be authenticated.

2 User-Password

3 CHAP-Password

4 NAS-IP-Address

5 NAS-Port Physical port of the NAS that the user accesses.

6 Service-Type

7 Framed-Protocol Encapsulation protocol for framed access. 8 Fr amed-IP-Address IP address assigned to the user. 11 Filter-ID Name of the filter list.

12 Framed-MTU

14 Login-IP-Host IP address of the NAS interface that the user accesses. 15 Login-Service Type of the service that the user uses for login.

18 Reply-Message

User password for PAP authentication, only present in Access-Request packets when PAP authentication is used.

Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.

IP address for the server to use to identify the client. Typically, a client is identified by the IP address of its access interface. This attribute is only present in Access-Request packets.

Type of service that the user has requested or type of service to be provided.

MTU for the data link between the user and NAS. For example, with

802.1X EAP authentication, NAS uses this attribute to notify the server of the MTU for EAP packets to avoid oversized EAP packets.

Text to be displayed to the user, which can be used by the server to communicate information, for example, the reason of the authentication failure.

Vendor-specific proprietary attribute. A packet can contain one or more

26 Vendor-Specific

27 Session-Timeout Maximum service duration for the user before termination of the session.

28 Idle-Timeout

31 Calling-Station-Id

32 NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.

40 Acct-Status-Type

proprietary attributes, each of which can contain one or more subattributes.

Maximum idle time permitted for the user before termination of the session.

User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.

Type of the Accounting-Request packet. Possible values include:

• 1—Start.

• 2—Stop.

• 3—Interim-Update.

• 4—Reset-Charge.

• 7—Accounting-On. (Defined in the 3rd Generation Partnership

Project.)

• 8—Accounting-Off. (Defined in the 3rd Generation Partnership Project.)

• 9 to 14—Reserved for tunnel accounting.

• 15—Reserved for failed.

No. Attribute Description

Authentication method used by the user. Possible values include:

45 Acct-Authentic

• 1—RADIUS.

• 2—Local.

• 3—Remote.

60 CHAP-Challenge

61 NAS-Port-Type

79 EAP-Message

87 NAS-Port-Id String for describing the port of the NAS that is authenticating the user.

Message-Authenticato r

CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.

Type of the physical port of the NAS that is authenticating the user. Possible values include:

• 15—Ethernet.

• 16—Any type of ADSL.

• 17—Cable. (With cable for cable TV.)

• 19—WLAN-IEEE 802.11.

• 201—VLAN.

• 202—ATM.

If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.

Used to encapsulate EAP packets to allow RADIUS to support EAP authentication.

Used for authentication and verification of authentication packets to prevent spoofing Access-Requests. This attribute is present when EAP authentication is used.

Proprietary RADIUS subattributes (vendor ID 25506)

No. Subattribute Description

1 Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps. 2 Input-Average-Rate Average rate in the direction from the user to the NAS, in bps. 3 Input-Basic-Rate Basic rate in the direction from the user to the NAS, in bps. 4 Output-Peak-Rate Peak rate in the direction from the NAS to the user, in bps. 5 Output-Average-Rate Average rate in the direction from the NAS to the user, in bps. 6 Output-Basic-Rate Basic rate in the direction from the NAS to the user, in bps.

15 Remanent_Volume

20 Command

24 Control_Identifier

Total amount of data available for the connection, in different units for different server types.

Operation for the session, used for session control. Possible values include:

• 1—Trigger-Request.

• 2—Terminate-Request.

• 3—SetPolicy.

• 4—Result.

• 5—PortalClear.

Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value. The client response of a retransmitted packet must also include this attribute and the value of this attribute must be the same.

For Accounting-Request packets of the start, stop, and interim update

No. Subattribute Description

types, the Control_Identifier attribute does not take effect.

25 Result_Code

26 Connect_ID Index of the user connection.

28 Ftp_Directory

29 Exec_Privilege EXEC user priority.

59 NAS_Startup_Timestamp

60 Ip_Host_Addr

61 User_Notify

62 User_HeartBeat

140 User_Group

Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.

FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this

attribute is used to set the working directory for an FTP, SFTP, or SCP user on the RADIUS client.

Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC).

User IP address and MAC address included in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.

Information that must be sent from the server to the client transparently.

Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and verifies the handshake packets from the 802.1X user. This attribute only exists in Access-Accept and Accounting-Request packets.

User groups assigned after the SSL VPN user passes authentication. A user can belong to multiple user groups that are separated by semicolons. This attribute is used to work with the SSL VPN device.

141 Security_Level

201 Input-Interval-Octets Number of bytes input within a realtime accounting interval. 202 Output-Interval-Octets Number of bytes output within a realtim e accounting interval.

203 Input-Interval-Packets

204 Output-Interval-Packets

205 Input-Interval-Gigawords

206

207 Backup-NAS-IP Backup source IP address for sending RADIUS packets. 255 Product_ID Product name.

Output-Interval-Gigawords Amount of bytes output within an accounting interval, in units of 4G

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Security level assigned after the SSL VPN user passes security authentication.

Number of packets input within an accounting interval in the unit set on the NAS.

Number of packets output within an accounting interval in the unit set on the NAS.

Amount of bytes input within an accounting interval, in units of 4G bytes.

bytes.

AAA configuration considerations and task list

To configure AAA, complete the following tasks on the NAS:

1. Configure the required AAA schemes.

{ Local authentication—Configure local users and the related attributes, including the

usernames and passwords, for the users to be authenticated.

{ Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP

schemes.

2. Configure AAA methods for the users' ISP domains. To use remote AAA methods, you must specify the configured RADIUS, HWTACACS, or LDAP schemes in ISP domain view.

Figure 10 AAA configuration procedure

Local AAA

Configure AAA methods for

Configure local users and related

attributes

different types of users or/and the default methods for all types of users

No AAA

To configure AAA, perform the following tasks:

Create an ISP domain and enter ISP domain

view

Configure the RADIUS, HWTACACS,

or LDAP schemes to be used

Remote AAA

Authentication method

Authorization method

Accounting method

none/ local (the default)/scheme

Tasks at a glance

(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:

• Configuring local users

• Configuring RADIUS schemes

• Configuring HWTACACS schemes

• Configuring LDAP schemes

(Required.) Configure AAA methods for ISP domains:

1. (Required.) Creating an ISP domain

2. (Optiona

3. (Req

and accounting methods for the ISP domain:

{ Configuring authentication methods for an ISP domain { Configuring authorization methods for an ISP domain { Configuring accounting methods for an ISP domain

l.) Configuring ISP domain attributes

uired.) Perform at least one of the following tasks to configure AAA authentication, authorization,

(Optional.) Enabling the session-control feature (Optional.) Configuring the RADIUS DAE server feature (Optional.) Setting the maximum number of concurrent login users

+ 461 hidden pages