HP FlexNetwork MSR Comware 7 Security Configuration Guide

HPE FlexNetwork MSR Router Series
Comware 7 Security Configuration Guide
Document version: 6W101-20161114
Part number: 5200-2403
Software version: MSR-CMW710-R0411
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates. UNIX® is a registered trademark of The Open Group.

Contents

Configuring AAA ··············································································1
Overview ···································································································································· 1
RADIUS ······························································································································ 2
HWTACACS ························································································································ 6
LDAP ·································································································································· 9
AAA implementation on the device ························································································· 12
AAA for MPLS L3VPNs ········································································································ 14
Protocols and standards ······································································································· 14
RADIUS attributes ··············································································································· 15
FIPS compliance ························································································································ 17
AAA configuration considerations and task list ················································································· 18
Configuring AAA schemes ··········································································································· 19
Configuring local users ········································································································· 19
Configuring RADIUS schemes ······························································································· 26
Configuring HWTACACS schemes ························································································· 36
Configuring LDAP schemes ·································································································· 42
Configuring AAA methods for ISP domains ····················································································· 46
Configuration prerequisites ···································································································· 47
Creating an ISP domain ········································································································ 47
Configuring ISP domain attributes ·························································································· 48
Configuring authentication methods for an ISP domain ······························································· 50
Configuring authorization methods for an ISP domain ································································ 51
Configuring accounting methods for an ISP domain ··································································· 53
Configuring the session-control feature ·························································································· 55
Configuring the RADIUS DAE server feature ··················································································· 55
Changing the DSCP priority for RADIUS packets ············································································· 56
Setting the maximum number of concurrent login users ····································································· 56
Configuring and applying an ITA policy ·························································································· 57
Configuring a NAS-ID profile ········································································································ 58
Configuring the device ID ············································································································ 58
Displaying and maintaining AAA ··································································································· 58
AAA configuration examples ········································································································ 59
Authentication and authorization for SSH users by a RADIUS server ············································ 59
Local authentication and authorization for SSH users ································································· 62
AAA for SSH users by an HWTACACS server ·········································································· 63
Authentication for SSH users by an LDAP server ······································································ 65
AAA for PPP users by an HWTACACS server ·········································································· 70
ITA configuration example for IPoE users ················································································ 71
Local guest configuration and management example ································································· 75
Troubleshooting RADIUS ············································································································ 77
RADIUS authentication failure ······························································································· 77
RADIUS packet delivery failure ······························································································ 77
RADIUS accounting error ······································································································ 78
Troubleshooting HWTACACS ······································································································· 78
Troubleshooting LDAP ················································································································ 78
LDAP authentication failure ··································································································· 78
802.1X overview ············································································ 80
802.1X architecture ···················································································································· 80
Controlled/uncontrolled port and port authorization status ·································································· 80
802.1X-related protocols ············································································································· 81
Packet formats ···················································································································· 81
EAP over RADIUS ··············································································································· 82
802.1X authentication initiation ····································································································· 83
802.1X client as the initiator ·································································································· 83
Access device as the initiator ································································································· 84
802.1X authentication procedures ································································································· 84
Comparing EAP relay and EAP termination ·············································································· 85
EAP relay ·························································································································· 85
EAP termination ·················································································································· 87
Configuring 802.1X ········································································· 89
Access control methods ·············································································································· 89
802.1X VLAN manipulation ·········································································································· 89
Authorization VLAN ············································································································· 89
Guest VLAN ······················································································································· 91
Auth-Fail VLAN ··················································································································· 92
Critical VLAN ······················································································································ 92
Using 802.1X authentication with other features ··············································································· 94
ACL assignment ·················································································································· 94
EAD assistant ····················································································································· 94
SmartOn ···························································································································· 95
Compatibility information ············································································································· 96
Feature and hardware compatibility ························································································ 96
Command and hardware compatibility ····················································································· 96
Configuration prerequisites ·········································································································· 96
802.1X configuration task list ········································································································ 97
Enabling 802.1X ························································································································ 97
Enabling EAP relay or EAP termination ·························································································· 97
Setting the port authorization state ································································································ 98
Specifying an access control method ····························································································· 99
Setting the maximum number of concurrent 802.1X users on a port ····················································· 99
Setting the maximum number of authentication request attempts ······················································ 100
Setting the 802.1X authentication timeout timers ············································································ 100
Configuring online user handshake ······························································································ 100
Configuration guidelines ····································································································· 101
Configuration procedure ····································································································· 101
Configuring the authentication trigger feature ················································································ 101
Configuration guidelines ····································································································· 102
Configuration procedure ····································································································· 102
Specifying a mandatory authentication domain on a port ································································· 102
Setting the quiet timer ··············································································································· 103
Enabling the periodic online user reauthentication feature ································································ 103
Configuring an 802.1X guest VLAN ····························································································· 104
Configuration guidelines ····································································································· 104
Configuration procedure ····································································································· 104
Configuring an 802.1X Auth-Fail VLAN ························································································· 104
Configuration guidelines ····································································································· 104
Configuration procedure ····································································································· 104
Configuring an 802.1X critical VLAN ···························································································· 105
Configuration guidelines ····································································································· 105
Configuration procedure ····································································································· 105
Specifying supported domain name delimiters ··············································································· 105
Configuring the EAD assistant feature ·························································································· 106
Configuring 802.1X SmartOn ······································································································ 106
Displaying and maintaining 802.1X ······························································································ 107
802.1X authentication configuration examples ··············································································· 108
Basic 802.1X authentication configuration example ································································· 108
802.1X guest VLAN and authorization VLAN configuration example············································ 110
802.1X with ACL assignment configuration example ································································ 112
802.1X with EAD assistant configuration example (with DHCP relay agent) ·································· 114
802.1X with EAD assistant configuration example (with DHCP server) ········································ 117
802.1X SmartOn configuration example ················································································· 119
Troubleshooting 802.1X ············································································································ 120
EAD assistant for Web browser users ··················································································· 120
Configuring MAC authentication ······················································ 122
Overview ································································································································ 122
User account policies ········································································································· 122
Authentication methods ······································································································ 122
VLAN assignment ·············································································································· 123
ACL assignment ················································································································ 123
Periodic MAC reauthentication ····························································································· 124
Compatibility information ··········································································································· 124
Feature and hardware compatibility ······················································································ 124
Command and hardware compatibility ··················································································· 124
Configuration prerequisites ········································································································ 125
Configuration task list ················································································································ 125
Enabling MAC authentication ····································································································· 125
Specifying a MAC authentication domain ······················································································ 126
Configuring the user account format ···························································································· 126
Configuring MAC authentication timers ························································································· 127
Setting the maximum number of concurrent MAC authentication users on a port ·································· 127
Configuring MAC authentication delay ·························································································· 128
Enabling MAC authentication multi-VLAN mode on a port ································································ 128
Configuring the keep-online feature ····························································································· 129
Including user IP addresses in MAC authentication requests ···························································· 129
Displaying and maintaining MAC authentication ············································································· 130
MAC authentication configuration examples ·················································································· 130
Local MAC authentication configuration example ····································································· 130
RADIUS-based MAC authentication configuration example ······················································· 132
ACL assignment configuration example ················································································· 134
Configuring portal authentication ····················································· 137
Overview ································································································································ 137
Extended portal functions ···································································································· 137
Portal system components ·································································································· 137
Portal system using the local portal Web server ······································································ 139
Interaction between portal system components ······································································· 139
Portal authentication modes ································································································ 140
Portal support for EAP ········································································································ 141
Portal authentication process ······························································································· 141
Portal packet filtering rules ·································································································· 143
BYOD support ·················································································································· 144
MAC-based quick portal authentication ·················································································· 144
Compatibility information ··········································································································· 145
Feature and hardware compatibility ······················································································ 145
Command and hardware compatibility ··················································································· 145
Portal configuration task list ······································································································· 146
Configuration prerequisites ········································································································ 147
Configuring a portal authentication server ····················································································· 147
Configuring a portal Web server ·································································································· 148
Enabling portal authentication ····································································································· 149
Configuration restrictions and guidelines ················································································ 150
Configuration procedure ····································································································· 150
Specifying a portal Web server ··································································································· 151
Controlling portal user access ····································································································· 152
Configuring a portal-free rule ······························································································· 152
Configuring an authentication source subnet ·········································································· 153
Configuring an authentication destination subnet ····································································· 154
Setting the maximum number of portal users ·········································································· 154
Specifying a portal authentication domain ·············································································· 155
Specifying a preauthentication domain ·················································································· 156
Specifying a preauthentication IP address pool for portal users ·················································· 157
Enabling strict-checking on portal authorization information ······················································· 158
Enabling portal authentication only for DHCP users ································································· 159
Enabling outgoing packets filtering on a portal-enabled interface ················································ 159
Configuring portal detection features ···························································································· 160
Configuring online detection of portal users ············································································ 160
Configuring portal authentication server detection ···································································· 161
Configuring portal Web server detection ················································································ 162
Configuring portal user synchronization ················································································· 163
Configuring the portal fail-permit feature ······················································································· 163
Configuring BAS-IP for portal packets sent to the portal authentication server ····································· 164
Specifying a format for the NAS-Port-ID attribute ··········································································· 165
Specifying the device ID ············································································································ 166
Enabling portal roaming ············································································································ 166
Logging out online portal users ··································································································· 166
Disabling traffic accounting for portal users ··················································································· 167
Configuring Web redirect ··········································································································· 167
Applying a NAS-ID profile to an interface ······················································································ 168
Configuring the local portal Web server feature ·············································································· 169
Customizing authentication pages ························································································ 169
Configuring a local portal Web server ···················································································· 171
Enabling validity check on wireless clients ·············································································· 172
Automatically logging out wireless portal users ······································································· 173
Enabling ARP or ND entry conversion for portal clients ····························································· 173
Configuring HTTPS redirect ······································································································· 174
Configuring MAC-based quick portal authentication ········································································ 174
Configuring a remote MAC binding server ·············································································· 174
Configuring a local MAC binding server ················································································· 175
Specifying a MAC binding server on an interface ····································································· 176
Specifying a MAC binding server on a service template ···························································· 176
Configuring NAS-Port-Type ········································································································ 176
Configuring portal safe-redirect ··································································································· 177
Setting the interval at which an AP reports traffic statistics to the AC ·················································· 179
Excluding an attribute from portal protocol packets ········································································· 179
Enabling portal logging ·············································································································· 179
Configuring portal support for third-party authentication ··································································· 180
Editing buttons and pages for third-party authentication ···························································· 180
Configuring a third-party authentication server ········································································ 181
Specifying an authentication domain for third-party authentication ·············································· 182
Configuring portal temporary pass ······························································································· 182
Displaying and maintaining portal ································································································ 183
Portal configuration examples (wired application) ··········································································· 185
Configuring direct portal authentication ·················································································· 185
Configuring re-DHCP portal authentication ············································································· 194
Configuring cross-subnet portal authentication ········································································ 198
Configuring extended direct portal authentication ···································································· 201
Configuring extended re-DHCP portal authentication ······························································· 204
Configuring extended cross-subnet portal authentication ·························································· 208
Configuring portal server detection and portal user synchronization ············································ 212
Configuring cross-subnet portal authentication for MPLS L3VPNs ·············································· 221
Configuring direct portal authentication with a preauthentication domain ······································ 223
Configuring re-DHCP portal authentication with a preauthentication domain ································· 225
Configuring direct portal authentication using the local portal Web server ····································· 228
Portal configuration examples (wireless application) ······································································· 231
Configuring direct portal authentication ·················································································· 231
Verifying the configuration ··································································································· 239
Configuring MAC-based quick portal authentication ································································· 240
Troubleshooting portal ·············································································································· 248
No portal authentication page is pushed for users ···································································· 248
Cannot log out portal users on the access device ···································································· 248
Cannot log out portal users on the RADIUS server ·································································· 249
Users logged out by the access device still exist on the portal authentication server ······················· 249
Re-DHCP portal authenticated users cannot log in successfully ················································· 249
Configuring port security ································································ 251
Overview ································································································································ 251
Port security features ········································································································· 251
Port security modes ··········································································································· 252 Feature and hardware compatibility ····························································································· 254 Configuration task list················································································································ 254
Enabling port security ··············································································································· 255
Setting port security's limit on the number of secure MAC addresses on a port ···································· 255
Setting the port security mode ···································································································· 256
Configuring port security features ································································································ 257
Configuring NTK ··············································································································· 257
Configuring intrusion protection ···························································································· 258
Configuring secure MAC addresses ····························································································· 258
Configuration prerequisites·································································································· 259
Configuration procedure ····································································································· 259
Ignoring authorization information from the server ·········································································· 260
Enabling MAC move ················································································································· 260
Enabling the authorization-fail-offline feature ················································································· 261
Applying a NAS-ID profile to port security ····················································································· 261
Enabling SNMP notifications for port security ················································································ 262
Displaying and maintaining port security ······················································································· 262
Port security configuration examples ···························································································· 262
autoLearn configuration example·························································································· 262
userLoginWithOUI configuration example ·············································································· 265
macAddressElseUserLoginSecure configuration example ························································· 268
Troubleshooting port security ····································································································· 272
Cannot set the port security mode ························································································ 272
Cannot configure secure MAC addresses ·············································································· 272
Configuring user profiles ································································ 273
Overview ································································································································ 273
Command and hardware compatibility·························································································· 273
Configuration restrictions and guidelines ······················································································ 273
Configuring a user profile ··········································································································· 273
Displaying and maintaining user profiles ······················································································· 274
Configuring password control ·························································· 275
Overview ································································································································ 275
Password setting ··············································································································· 275
Password updating and expiration ························································································ 276
User login control ·············································································································· 277
Password not displayed in any form ······················································································ 277
Logging ··························································································································· 277
FIPS compliance ······················································································································ 278
Password control configuration task list ························································································ 278
Enabling password control ········································································································· 278
Setting global password control parameters ·················································································· 279
Setting user group password control parameters ············································································ 280
Setting local user password control parameters ············································································· 281
Setting super password control parameters ··················································································· 281
Displaying and maintaining password control ················································································ 282
Password control configuration example ······················································································· 282
Network requirements ········································································································ 282
Configuration procedure ····································································································· 283
Verifying the configuration ··································································································· 284
Configuring keychains ··································································· 286
Overview ································································································································ 286
Configuration procedure ············································································································ 286
Displaying and maintaining keychain ··························································································· 286
Keychain configuration example ································································································· 287
Network requirements ········································································································ 287
Configuration procedure ····································································································· 287
Verifying the configuration ··································································································· 288
Managing public keys ···································································· 292
Overview ································································································································ 292
FIPS compliance ······················································································································ 292
Creating a local key pair ············································································································ 292
Distributing a local host public key ······························································································· 294
Exporting a host public key·································································································· 294
Displaying a host public key ································································································ 294
Destroying a local key pair ········································································································· 295
Configuring a peer host public key ······························································································· 295
Importing a peer host public key from a public key file ······························································ 295
Entering a peer host public key ···························································································· 296
Displaying and maintaining public keys ························································································ 296
Examples of public key management ··························································································· 296
Example for entering a peer host public key ··········································································· 296
Example for importing a public key from a public key file ··························································· 298
Configuring PKI ··········································································· 301
Overview ································································································································ 301
PKI terminology ················································································································ 301
PKI architecture ················································································································ 302
PKI operation ··················································································································· 302
PKI applications ················································································································ 303
Support for MPLS L3VPN ··································································································· 303
FIPS compliance ······················································································································ 304
PKI configuration task list ·········································································································· 304
Configuring a PKI entity ············································································································· 304
Configuring a PKI domain ·········································································································· 305
Requesting a certificate ············································································································· 307
Configuration guidelines ····································································································· 308
Configuring automatic certificate request ··············································································· 308
Manually requesting a certificate ·························································································· 309
Aborting a certificate request ······································································································ 309
Obtaining certificates ················································································································ 309
Configuration prerequisites·································································································· 310
Configuration guidelines ····································································································· 310
Configuration procedure ····································································································· 310
Verifying PKI certificates ············································································································ 311
Verifying certificates with CRL checking ················································································· 311
Verifying certificates without CRL checking ············································································ 312
Specifying the storage path for the certificates and CRLs ································································ 312
Exporting certificates ················································································································ 312
Removing a certificate··············································································································· 313
Configuring a certificate-based access control policy ······································································ 314
Displaying and maintaining PKI ·································································································· 315
PKI configuration examples ········································································································ 315
Requesting a certificate from an RSA Keon CA server ····························································· 315
Requesting a certificate from a Windows Server 2003 CA server ················································ 318
Requesting a certificate from an OpenCA server ····································································· 321
IKE negotiation with RSA digital signature from a Windows Server 2003 CA server ······················· 324
Certificate-based access control policy configuration example ··················································· 327
Certificate import and export configuration example ································································· 328
Troubleshooting PKI configuration ······························································································· 334
Failed to obtain the CA certificate ························································································· 334
Failed to obtain local certificates ··························································································· 334
Failed to request local certificates ························································································· 335
Failed to obtain CRLs ········································································································· 336
Failed to import the CA certificate ························································································· 336
Failed to import a local certificate ························································································· 337
Failed to export certificates·································································································· 337
Failed to set the storage path ······························································································ 338
Configuring IPsec ········································································· 339
Overview ································································································································ 339
Security protocols and encapsulation modes ·········································································· 339
Security association ··········································································································· 341
Authentication and encryption ······························································································ 341
IPsec implementation ········································································································· 342
IPsec RRI ························································································································ 344
Protocols and standards ····································································································· 345
FIPS compliance ······················································································································ 345
IPsec tunnel establishment ········································································································ 345
Implementing ACL-based IPsec ·································································································· 346
Configuring an ACL ··········································································································· 347
Configuring an IPsec transform set ······················································································· 350
Configuring a manual IPsec policy ························································································ 352
Configuring an IKE-based IPsec policy ·················································································· 354
Applying an IPsec policy to an interface ················································································· 357
Enabling ACL checking for de-encapsulated packets ······························································· 358
Configuring IPsec anti-replay ······························································································· 358
Configuring IPsec anti-replay redundancy ·············································································· 359
Binding a source interface to an IPsec policy ·········································································· 360
Enabling QoS pre-classify ··································································································· 360
Enabling logging of IPsec packets ························································································ 361
Configuring the DF bit of IPsec packets ················································································· 361
Configuring IPsec RRI ········································································································ 362
Configuring IPsec for IPv6 routing protocols ·················································································· 363
Configuration task list ········································································································· 363
Configuring a manual IPsec profile ······················································································· 363
Configuring IPsec for tunnels······································································································ 365
Configuration task list ········································································································· 365
Configuring an IKE-based IPsec profile ················································································· 365
Applying an IKE-based IPsec profile to a tunnel interface ·························································· 366
Configuring SNMP notifications for IPsec ······················································································ 367
Configuring IPsec fragmentation ································································································· 367
Setting the maximum number of IPsec tunnels ·············································································· 368
Enabling logging for IPsec negotiation·························································································· 368
Displaying and maintaining IPsec ································································································ 368
IPsec configuration examples ····································································································· 369
Configuring a manual mode IPsec tunnel for IPv4 packets ························································ 369
Configuring an IKE-based IPsec tunnel for IPv4 packets ··························································· 372
Configuring an IKE-based IPsec tunnel for IPv6 packets ··························································· 376
Configuring IPsec for RIPng ································································································ 379
Configuring IPsec RRI ········································································································ 382
Configuring IPsec tunnel interface-based IPsec for IPv4 packets ················································ 386
Configuring IKE ··········································································· 391
Overview ································································································································ 391
IKE negotiation process ······································································································ 391
IKE security mechanism ····································································································· 392
Protocols and standards ····································································································· 393
FIPS compliance ······················································································································ 393
IKE configuration prerequisites ··································································································· 393
IKE configuration task list ·········································································································· 393
Configuring an IKE profile ·········································································································· 394
Configuring an IKE proposal ······································································································· 396
Configuring an IKE keychain ······································································································ 397
Configuring the global identity information ····················································································· 398
Configuring the IKE keepalive feature ·························································································· 399
Configuring the IKE NAT keepalive feature ··················································································· 399
Configuring IKE DPD ················································································································ 400
Enabling invalid SPI recovery ····································································································· 400
Setting the maximum number of IKE SAs ····················································································· 401
Configuring an IKE IPv4 address pool ·························································································· 401
Configuring SNMP notifications for IKE ························································································ 402
Enabling logging for IKE negotiation ···························································································· 402
Displaying and maintaining IKE ·································································································· 402
IKE configuration examples ········································································································ 403
Main mode IKE with pre-shared key authentication configuration example ··································· 403
Aggressive mode with RSA signature authentication configuration example ································· 407
Aggressive mode with NAT traversal configuration example ······················································ 414
IKE remote extended authentication configuration example ······················································· 419
IKE local extended authentication and address pool authorization configuration example ················ 422
Troubleshooting IKE ················································································································· 426
IKE negotiation failed because no matching IKE proposals were found ········································ 426
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ··············· 426
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 427
IPsec SA negotiation failed due to invalid identity information ···················································· 427
Configuring IKEv2 ········································································ 431
Overview ································································································································ 431
IKEv2 negotiation process··································································································· 431
New features in IKEv2 ········································································································ 432
Protocols and standards ····································································································· 432
IKEv2 configuration task list ······································································································· 432
Configuring an IKEv2 profile ······································································································· 433
Configuring an IKEv2 policy ······································································································· 436
Configuring an IKEv2 proposal ··································································································· 437
Configuring an IKEv2 keychain ··································································································· 438
Configure global IKEv2 parameters ····························································································· 439
Enabling the cookie challenging feature ················································································· 439
Configuring the IKEv2 DPD feature ······················································································· 439
Configuring the IKEv2 NAT keepalive feature ········································································· 440
Configuring IKEv2 address pools ·························································································· 440
Displaying and maintaining IKEv2 ······························································································· 440
IKEv2 configuration examples ···································································································· 441
IKEv2 with pre-shared key authentication configuration example ················································ 441
IKEv2 with RSA signature authentication configuration example ················································· 446
IKEv2 with NAT traversal configuration example ····································································· 454
Troubleshooting IKEv2 ·············································································································· 458
IKEv2 negotiation failed because no matching IKEv2 proposals were found ································· 458
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 459
IPsec tunnel establishment failed ························································································· 459
Configuring SSH ·········································································· 460
Overview ································································································································ 460
How SSH works ················································································································ 460
SSH authentication methods ······························································································· 461
FIPS compliance ······················································································································ 462
Configuring the device as an SSH server ······················································································ 462
SSH server configuration task list ························································································· 462
Generating local key pairs ··································································································· 463
Enabling the Stelnet server ································································································· 464
Enabling the SFTP server ··································································································· 464
Enabling the SCP server ····································································································· 464
Enabling NETCONF over SSH ····························································································· 464
Configuring the user lines for SSH login ················································································· 465
Configuring a client's host public key ····················································································· 465
Configuring an SSH user ···································································································· 466
Configuring the SSH management parameters ······································································· 468
Configuring the device as an Stelnet client ···················································································· 469
Stelnet client configuration task list ······················································································· 469
Generating local key pairs ··································································································· 469
Specifying the source IP address for SSH packets··································································· 469
Establishing a connection to an Stelnet server ········································································ 470
Configuring the device as an SFTP client ····················································································· 472
SFTP client configuration task list ························································································· 472
Generating local key pairs ··································································································· 472
Specifying the source IP address for SFTP packets ································································· 472
Establishing a connection to an SFTP server ·········································································· 473
Working with SFTP directories ····························································································· 474
Working with SFTP files ······································································································ 475
Displaying help information ································································································· 475
Terminating the connection with the SFTP server ···································································· 475
Configuring the device as an SCP client ······················································································· 475
SCP client configuration task list ·························································································· 475
Generating local key pairs ··································································································· 476
Establishing a connection to an SCP server ··········································································· 476
Specifying algorithms for SSH2··································································································· 478
Specifying key exchange algorithms for SSH2 ········································································ 478
Specifying public key algorithms for SSH2 ············································································· 479
Specifying encryption algorithms for SSH2 ············································································· 479
Specifying MAC algorithms for SSH2 ···················································································· 480
Configuring SSH redirect ··········································································································· 480
SSH redirect overview ········································································································ 480
Feature and hardware compatibility ······················································································ 481
Configuration restrictions and guidelines ················································································ 481
Configuration prerequisites·································································································· 481
Configuration procedure ····································································································· 482
Displaying and maintaining SSH ································································································· 483
Stelnet configuration examples ··································································································· 483
Password authentication enabled Stelnet server configuration example ······································· 484
Publickey authentication enabled Stelnet server configuration example ······································· 486
Password authentication enabled Stelnet client configuration example ········································ 492
Publickey authentication enabled Stelnet client configuration example ········································ 495
SFTP configuration examples ····································································································· 497
Password authentication enabled SFTP server configuration example ········································ 497
Publickey authentication enabled SFTP client configuration example ·········································· 500
SCP configuration example ········································································································ 503
Network requirements ········································································································ 503
Configuration procedure ····································································································· 503
NETCONF over SSH configuration example ················································································· 505
Network requirements ········································································································ 505
Configuration procedure ····································································································· 505
Verifying the configuration ··································································································· 506
Configuring SSL ··········································································· 507
Overview ································································································································ 507
SSL security services ········································································································· 507
SSL protocol stack ············································································································· 507
FIPS compliance ······················································································································ 508
SSL configuration task list ·········································································································· 508
Configuring an SSL server policy ································································································ 508
Configuring an SSL client policy ·································································································· 510
Displaying and maintaining SSL ·································································································· 511
SSL server policy configuration example ······················································································ 511
Configuring ASPF ········································································ 514
Overview ································································································································ 514
ASPF basic concepts ········································································································· 514
ASPF inspections ·············································································································· 515
Command and hardware compatibility ························································································· 517
ASPF configuration task list ······································································································· 517
Configuring an ASPF policy ······································································································· 517
Applying an ASPF policy to an interface ······················································································· 518
Applying an ASPF policy to a zone pair ························································································ 519
Enabling ICMP error message sending for packet dropping by security policies applied to zone pairs ······ 519
Displaying and maintaining ASPF ······························································································· 520
ASPF configuration examples ···································································································· 520
ASPF FTP application inspection configuration example ··························································· 520
ASPF TCP application inspection configuration example ·························································· 521
ASPF H.323 application inspection configuration example ························································ 523
ASPF application to a zone pair configuration example ····························································· 524
Configuring APR ·········································································· 527
Overview ································································································································ 527
PBAR ······························································································································ 527
NBAR ····························································································································· 527
Application group ·············································································································· 527
APR signature database management ·················································································· 528
Command and hardware compatibility ························································································· 528
Licensing requirements ············································································································· 529
APR configuration task list ········································································································· 529
Configuring PBAR ···················································································································· 529
Configuring a user-defined NBAR rule ························································································· 530
Configuring application groups ··································································································· 531
Enabling application statistics on an interface ················································································ 531
Managing the APR signature database ························································································ 532
Scheduling an automatic update for the APR signature database ··············································· 532
Triggering an automatic update for the APR signature database ················································ 533
Performing a manual update for the APR signature database ···················································· 533
Rolling back the APR signature database ·············································································· 534
Displaying and maintaining APR ································································································· 534
APR configuration examples ······································································································ 535
PBAR configuration example ······························································································· 535
NBAR configuration example ······························································································· 536
Managing sessions ······································································· 538
Overview ································································································································ 538
Session management operation ··························································································· 538
Session management functions ··························································································· 539
Command and hardware compatibility ························································································· 539
Session management task list ···································································································· 539
Setting the session aging time for different protocol states ······························································· 540
Setting the session aging time for different application layer protocols or applications ··························· 540
Specifying persistent sessions ···································································································· 542
Enabling session statistics collection ···························································································· 542
Specifying the loose mode for session state machine ····································································· 542
Configuring session logging ······································································································· 543
Displaying and maintaining session management ·········································································· 544
Configuring connection limits ·························································· 549
Overview ································································································································ 549
Command and hardware compatibility ························································································· 549
Configuration task list ··············································································································· 549
Creating a connection limit policy ································································································ 550
Configuring the connection limit policy ························································································· 550
Applying the connection limit policy ····························································································· 551
Displaying and maintaining connection limits ················································································· 552
Connection limit configuration example ························································································ 553
Network requirements ········································································································ 553
Configuration procedure ····································································································· 554
Verifying the configuration ·································································································· 554
Troubleshooting connection limits ······························································································· 555
ACLs in the connection limit rules with overlapping segments ···················································· 555
Configuring object groups ······························································ 556
Overview ································································································································ 556
Configuring an IPv4 address object group ····················································································· 556
Configuring an IPv6 address object group ····················································································· 556
Configuring a port object group ··································································································· 557
Configuring a service object group ······························································································ 557
Displaying and maintaining object groups ····················································································· 557
Configuring object policies ····························································· 559
Overview ································································································································ 559
Object policy rules ···················································································································· 559
Rule numbering ················································································································ 559
Rule match order ··············································································································· 559
Rule description ················································································································ 559
Command and hardware compatibility ························································································· 559
Object policy configuration task list ······························································································ 560
Configuration prerequisites ········································································································ 560
Creating object policies ············································································································· 560
Creating an IPv4 object policy ······························································································ 560
Creating an IPv6 object policy ····························································································· 560
Configuring object policy rules ···································································································· 561
Configuring an IPv4 object policy rule ···················································································· 561
Configuring an IPv6 object policy rule ··················································································· 561
Applying object policies to zone pairs ··························································································· 562
Changing the rule match order ··································································································· 563
Enabling rule matching acceleration ···························································································· 563
Displaying and maintaining object policies ···················································································· 564
Object policy configuration example ····························································································· 564
Network requirements ········································································································ 564
Configuration procedure ····································································································· 565
Verifying the configuration ··································································································· 567
Configuring attack detection and prevention ······································· 568
Overview ································································································································ 568
Command and hardware compatibility ························································································· 568
Attacks that the device can prevent ····························································································· 568
Single-packet attacks ········································································································· 568
Scanning attacks ··············································································································· 570
Flood attacks ···················································································································· 570
Login dictionary attack ······································································································· 571
Blacklist ································································································································· 571
IP blacklist ······················································································································· 571
User blacklist ···················································································································· 571
Address object group blacklist ····························································································· 572
Whitelist ································································································································· 572
Address object group whitelist ···························································································· 572
Client verification ····················································································································· 572
TCP client verification ········································································································ 572
DNS client verification ········································································································ 574
HTTP client verification ······································································································ 575
Attack detection and prevention configuration task list ····································································· 576
Configuring an attack defense policy ···························································································· 577
Creating an attack defense policy ························································································· 577
Configuring a single-packet attack defense policy ···································································· 577
Configuring a scanning attack defense policy ········································································· 579
Configuring a flood attack defense policy ··············································································· 579
Configuring attack detection exemption ················································································· 584
Applying an attack defense policy to an interface ····································································· 585
Applying an attack defense policy to the device ······································································· 585
Enabling log non-aggregation for single-packet attack events ···················································· 586
Configuring TCP client verification ······························································································· 586
Configuring DNS client verification ······························································································ 587
Configuring HTTP client verification ····························································································· 588
Configuring the IP blacklist ········································································································· 588
Configuring the user blacklist ····································································································· 589
Configuring the address object group blacklist ··············································································· 590
Configuring the address object group whitelist ··············································································· 590
Enabling the login delay ············································································································ 591
Displaying and maintaining attack detection and prevention ····························································· 591
Attack detection and prevention configuration examples ·································································· 595
Interface-based attack detection and prevention configuration example ······································· 595
IP blacklist configuration example ························································································· 599
User blacklist configuration example ····················································································· 599
Address object group blacklist configuration example ······························································· 600
Address object group whitelist configuration example ······························································· 601
Interface-based TCP client verification configuration example ···················································· 602
Interface-based DNS client verification configuration example ··················································· 603
Interface-based HTTP client verification configuration example ·················································· 604
Configuring IP source guard ··························································· 606
Overview ································································································································ 606
Static IPSG bindings ·········································································································· 606
Dynamic IPSG bindings ······································································································ 607
Command and hardware compatibility ························································································· 608
IPSG configuration task list ········································································································ 608
Configuring the IPv4SG feature ·································································································· 608
Enabling IPv4SG on an interface ·························································································· 608
Configuring a static IPv4SG binding ······················································································ 609
Configuring the IPv6SG feature ·································································································· 609
Enabling IPv6SG on an interface ·························································································· 609
Configuring a static IPv6SG binding ······················································································ 610
Displaying and maintaining IPSG ································································································ 610
IPSG configuration examples ····································································································· 611
Static IPv4SG configuration example ···················································································· 611
Dynamic IPv4SG using DHCP snooping configuration example ················································· 612
Static IPv6SG configuration example ···················································································· 613
Dynamic IPv6SG using DHCPv6 snooping configuration example ·············································· 614
Configuring ARP attack protection ··················································· 616
Command and hardware compatibility ························································································· 616
ARP attack protection configuration task list ·················································································· 616
Configuring unresolvable IP attack protection ················································································ 617
Configuring ARP source suppression ···················································································· 617
Configuring ARP blackhole routing ······················································································· 617
Displaying and maintaining unresolvable IP attack protection ···················································· 618
Configuration example ······································································································· 618
Configuring source MAC-based ARP attack detection ····································································· 619
Configuration procedure ····································································································· 619
Displaying and maintaining source MAC-based ARP attack detection ········································· 619
Configuration example ······································································································· 620
Configuring ARP packet source MAC consistency check ································································· 621
Configuring ARP active acknowledgement ···················································································· 621
Configuring authorized ARP ······································································································· 622
Configuration procedure ····································································································· 622
Configuration example (on a DHCP server) ············································································ 622
Configuration example (on a DHCP relay agent) ····································································· 623
Configuring ARP attack detection ································································································ 624
Configuring user validity check ····························································································· 625
Configuring ARP packet validity check ·················································································· 626
Configuring ARP restricted forwarding ··················································································· 627
Displaying and maintaining ARP attack detection ···································································· 627
User validity check and ARP packet validity check configuration example ···································· 627
ARP restricted forwarding configuration example ····································································· 629
Configuring ARP scanning and fixed ARP ····················································································· 630
Configuration restrictions and guidelines ················································································ 631
Configuration procedure ····································································································· 631
Configuring ARP gateway protection ···························································································· 631
Configuration guidelines ····································································································· 631
Configuration procedure ····································································································· 632
Configuration example ······································································································· 632
Configuring ARP filtering ··········································································································· 633
Configuration guidelines ····································································································· 633
Configuration procedure ····································································································· 633
Configuration example ······································································································· 633
Configuring uRPF ········································································· 635
Overview ································································································································ 635
uRPF check modes ··········································································································· 635
Features ·························································································································· 635
uRPF operation ················································································································· 636
Network application ··········································································································· 639
Command and hardware compatibility ························································································· 639
Enabling uRPF ························································································································ 639
Displaying and maintaining uRPF ································································································ 640
uRPF configuration example for interfaces ···················································································· 640
Configuring IPv6 uRPF ·································································· 642
Overview ································································································································ 642
IPv6 uRPF check modes ···································································································· 642
Features ·························································································································· 642
IPv6 uRPF operation ·········································································································· 643
Network application ··········································································································· 645
Command and hardware compatibility ························································································· 645
Enabling IPv6 uRPF ················································································································· 645
Displaying and maintaining IPv6 uRPF ························································································· 646
IPv6 uRPF configuration example for interfaces ············································································· 646
Configuring crypto engines ····························································· 648
Overview ································································································ 648
Command and hardware compatibility ······························································ 648
Displaying and maintaining crypto engines ···················································· 648
Configuring FIPS ·········································································· 650
Overview ································································································ 650
Configuration restrictions and guidelines ······················································ 650
Configuring FIPS mode ············································································· 651
Entering FIPS mode ·········································································································· 651
Configuration changes in FIPS mode ···················································································· 652
Exiting FIPS mode ············································································· 653
FIPS self-tests ························································································· 653
Power-up self-tests ············································································································ 654
Conditional self-tests ·········································································································· 654
Triggering self-tests ··········································································· 654
Displaying and maintaining FIPS ································································· 655
FIPS configuration examples ······································································ 655
Entering FIPS mode through automatic reboot ········································································ 655
Entering FIPS mode through manual reboot ··········································································· 656
Exiting FIPS mode through automatic reboot ·········································································· 657
Exiting FIPS mode through manual reboot ············································································· 658
Document conventions and icons ···················································· 660
Conventions ···························································································· 660
Network topology icons ············································································· 661
Support and other resources··························································· 662
Accessing Hewlett Packard Enterprise Support ·············································· 662
Accessing updates ··················································································· 662
Websites ························································································································· 663
Customer self repair ·········································································································· 663
Remote support ················································································································ 663
Documentation feedback ···································································································· 663
Index ························································································· 665

Configuring AAA

[Figure 1 diagram: remote user, NAS, Internet, network, RADIUS server, HWTACACS server]

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to resources and services. For example, you can permit office users to read and print files and prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time, and traffic. This function enables time-based and traffic-based charging and user behavior auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server (NAS), which authenticates user identities and controls user access. The server maintains user information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The NAS transparently passes the user information to AAA servers and waits for the authentication, authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different servers to implement different security functions. For example, you can use the HWTACACS server for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company wants employees to be authenticated before they access specific resources, you would deploy an authentication server. If network usage information is needed, you would also configure an accounting server.
The device performs dynamic password authentication.

RADIUS

[Figure 2 diagram: RADIUS server holding the Users, Clients, and Dictionary databases]
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys, which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key, and some other information. The receiver of the packet verifies the signature and accepts the packet only when the signature is correct. This mechanism ensures the security of information exchanged between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
[Figure 3 diagram, host / RADIUS client / RADIUS server: 1) username and password; 2) Access-Request; 3) Access-Accept/Reject; 4) Accounting-Request (start); 5) Accounting-Response; 6) the host accesses the resources; 7) teardown request; 8) Accounting-Request (stop); 9) Accounting-Response; 10) notification of termination]
RADIUS operates in the following workflow:
1. The host sends a connection request that includes the user's username and password to the RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The request includes the user's password, which has been processed by the MD5 algorithm and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the server sends back an Access-Accept packet that contains the user's authorization information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client. These mechanisms include the timer mechanism, the retransmission mechanism, and the backup server mechanism.
RADIUS packet format
Figure 4 RADIUS packet format
[Figure 4 diagram, bit offsets 0, 7, 15, 31: Code | Identifier | Length; Authenticator (16 bytes); Attributes]
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.
Table 1 Main values of the Code field
Code | Packet type | Description
1 | Access-Request | From the client to the server. A packet of this type includes user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2 | Access-Accept | From the server to the client. If all attribute values included in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.
3 | Access-Reject | From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails, and the server sends an Access-Reject response.
4 | Accounting-Request | From the client to the server. A packet of this type includes user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.
5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.
• The Identifier field (1 byte long) is used to match response packets with request packets and to detect duplicate request packets. The request and response packets of the same exchange process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered padding and are ignored by the receiver. If the length of a received packet is less than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field (variable in length) includes authentication, authorization, and accounting information. This field can contain multiple attributes, each with the following subfields:
  • Type—Type of the attribute.
  • Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
  • Value—Value of the attribute. Its format and content depend on the Type subfield.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. | Attribute | No. | Attribute
1 | User-Name | 45 | Acct-Authentic
2 | User-Password | 46 | Acct-Session-Time
3 | CHAP-Password | 47 | Acct-Input-Packets
4 | NAS-IP-Address | 48 | Acct-Output-Packets
5 | NAS-Port | 49 | Acct-Terminate-Cause
6 | Service-Type | 50 | Acct-Multi-Session-Id
7 | Framed-Protocol | 51 | Acct-Link-Count
8 | Framed-IP-Address | 52 | Acct-Input-Gigawords
9 | Framed-IP-Netmask | 53 | Acct-Output-Gigawords
10 | Framed-Routing | 54 | (unassigned)
11 | Filter-ID | 55 | Event-Timestamp
12 | Framed-MTU | 56-59 | (unassigned)
13 | Framed-Compression | 60 | CHAP-Challenge
14 | Login-IP-Host | 61 | NAS-Port-Type
15 | Login-Service | 62 | Port-Limit
16 | Login-TCP-Port | 63 | Login-LAT-Port
17 | (unassigned) | 64 | Tunnel-Type
18 | Reply-Message | 65 | Tunnel-Medium-Type
19 | Callback-Number | 66 | Tunnel-Client-Endpoint
20 | Callback-ID | 67 | Tunnel-Server-Endpoint
21 | (unassigned) | 68 | Acct-Tunnel-Connection
22 | Framed-Route | 69 | Tunnel-Password
23 | Framed-IPX-Network | 70 | ARAP-Password
24 | State | 71 | ARAP-Features
25 | Class | 72 | ARAP-Zone-Access
26 | Vendor-Specific | 73 | ARAP-Security
27 | Session-Timeout | 74 | ARAP-Security-Data
28 | Idle-Timeout | 75 | Password-Retry
29 | Termination-Action | 76 | Prompt
30 | Called-Station-Id | 77 | Connect-Info
31 | Calling-Station-Id | 78 | Configuration-Token
32 | NAS-Identifier | 79 | EAP-Message
33 | Proxy-State | 80 | Message-Authenticator
34 | Login-LAT-Service | 81 | Tunnel-Private-Group-ID
35 | Login-LAT-Node | 82 | Tunnel-Assignment-id
36 | Login-LAT-Group | 83 | Tunnel-Preference
37 | Framed-AppleTalk-Link | 84 | ARAP-Challenge-Response
38 | Framed-AppleTalk-Network | 85 | Acct-Interim-Interval
39 | Framed-AppleTalk-Zone | 86 | Acct-Tunnel-Packets-Lost
40 | Acct-Status-Type | 87 | NAS-Port-Id
41 | Acct-Delay-Time | 88 | Framed-Pool
42 | Acct-Input-Octets | 89 | (unassigned)
43 | Acct-Output-Octets | 90 | Tunnel-Client-Auth-id
44 | Acct-Session-Id | 91 | Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes can implement functions that the standard RADIUS protocol does not provide.
A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following parts:
• Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contain a code compliant to RFC 1700.
• Vendor-Type—Type of the subattribute.
• Vendor-Length—Length of the subattribute.
• Vendor-Data—Contents of the subattribute.
The device supports RADIUS subattributes with a vendor ID of 25506. For more information, see "Proprietary RADIUS subattributes (vendor ID 25506)."
Figure 5 Format of attribute 26
[Figure 5 diagram, bit offsets 0, 7, 15, 31: Type | Length | Vendor-ID; Vendor-ID (continued) | Vendor-Type | Vendor-Length; Vendor-Data (specified attribute value ...)]
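The packet layout described above and the attribute 26 layout of Figure 5, worked in code. This is an added example written for this page, not code from the HPE guide or from the Comware software; the shared key, username, password, NAS address, identifier, and the subattribute type 99 under vendor ID 25506 are constructed placeholders. It builds an Access-Request whose User-Password is hidden by the MD5/shared-key method of RFC 2865, parses it applying the Length rules given above (trailing bytes are padding, a short packet is dropped), answers with an Access-Accept carrying one vendor-specific subattribute, and verifies the Response Authenticator on the client side, where flipping a single bit of the response makes the check fail:

```python
import hashlib
import hmac
import os
import struct

# Code values from Table 1 and a few attribute numbers from Table 2
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, VENDOR_SPECIFIC = 1, 2, 4, 5, 26
HPE_VENDOR_ID = 25506   # vendor ID the guide says the device supports
SUB_PLACEHOLDER = 99    # constructed placeholder subattribute type, not a real HPE one

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous ciphertext block), the first block using the Request
    Authenticator.  Keyed obfuscation with the shared key, not strong encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type (1 byte) | Length (1 byte, counts the header) | Value, concatenated."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def vsa(vendor_id, vendor_type, vendor_data):
    """Attribute 26 value (Figure 5): 4-byte Vendor-ID with the high byte 0,
    then one Vendor-Type | Vendor-Length | Vendor-Data subattribute."""
    return struct.pack("!I", vendor_id) + encode_attrs([(vendor_type, vendor_data)])

def parse_tlvs(data, start, end):
    """Walk Type/Length/Value triples in data[start:end]; reject a bad length."""
    out, pos = [], start
    while pos < end:
        if end - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > end:
            raise ValueError("drop: malformed attribute length")
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out

def parse_vsa(value):
    """Split an attribute 26 value into (vendor_id, [(vendor_type, vendor_data), ...])."""
    return struct.unpack("!I", value[:4])[0], parse_tlvs(value, 4, len(value))

def parse_packet(data):
    """Return (code, ident, authenticator, attrs), applying the Length rules in the
    text: bytes past Length are padding; a packet shorter than Length is dropped."""
    if len(data) < 20:
        raise ValueError("drop: shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or len(data) < length:
        raise ValueError("drop: fewer bytes received than Length declares")
    return code, ident, data[4:20], parse_tlvs(data, 20, length)

def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return build_packet(code, ident, auth, body)

def verify_response(resp, request_auth, secret):
    """Client-side check of the Response Authenticator against the saved Request Authenticator."""
    code, ident, auth, _ = parse_packet(resp)
    length = struct.unpack("!H", resp[2:4])[0]
    expected = response_authenticator(code, ident, request_auth, resp[20:length], secret)
    return hmac.compare_digest(auth, expected)

def demo(secret=b"constructed-shared-key", request_auth=None):
    """Steps 2 and 3 of the exchange above, with constructed values."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    req = build_packet(ACCESS_REQUEST, 7, request_auth, encode_attrs([
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(b"s3cret-pass", secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),    # RFC 5737 documentation address
        (NAS_PORT, struct.pack("!I", 3)),
    ]))
    code, ident, auth, attrs = parse_packet(req + b"\x00\x00")   # trailing padding ignored
    recovered = reveal_password(dict(attrs)[USER_PASSWORD], secret, auth)
    resp = build_response(ACCESS_ACCEPT, ident, auth,
                          [(VENDOR_SPECIFIC, vsa(HPE_VENDOR_ID, SUB_PLACEHOLDER, b"example"))], secret)
    tampered = resp[:-1] + bytes([resp[-1] ^ 0x01])   # flip one bit of the attribute data
    vendor_id, subs = parse_vsa(dict(parse_packet(resp)[3])[VENDOR_SPECIFIC])
    return {"code": code, "ident": ident, "recovered": recovered,
            "ok": verify_response(resp, request_auth, secret),
            "tampered_ok": verify_response(tampered, request_auth, secret),
            "vendor_id": vendor_id, "subs": subs}
```

Note that the Authenticator field only lets the client authenticate the server's responses; the Access-Request itself carries no integrity check in this field, which is what the Message-Authenticator attribute (attribute 80 in Table 2) adds.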

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the primary differences between HWTACACS and RADIUS.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS | RADIUS
Uses TCP, which provides reliable network transmission. | Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet.
Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple and the authorization process is combined with the authentication process.
Supports authorization of configuration commands. Access to commands depends on both the user's roles and authorization. A user can use only commands that are permitted by the user roles and authorized by the HWTACACS server. | Does not support authorization of configuration commands. Access to commands solely depends on the user's roles. For more information about user roles, see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a Telnet user.
7
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
[Figure 6 diagram, host / HWTACACS client / HWTACACS server: 1) the user tries to log in; 2) start-authentication packet; 3) authentication response requesting the username; 4) request for username; 5) the user enters the username; 6) continue-authentication packet with the username; 7) authentication response requesting the password; 8) request for password; 9) the user enters the password; 10) continue-authentication packet with the password; 11) response indicating successful authentication; 12) user authorization request packet; 13) response indicating successful authorization; 14) the user logs in successfully; 15) start-accounting request; 16) response indicating the start of accounting; 17) the user logs off; 18) stop-accounting request; 19) stop-accounting response]
HWTACACS operates in the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a continue-authentication packet that includes the username.
7. The HWTACACS server sends back an authentication response to request the login password.
8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13. If the authorization succeeds, the HWTACACS server sends back an authorization response, indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and permits the user to log in.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.

LDAP

The Lightweight Directory Access Protocol (LDAP) provides standard multiplatform directory service. LDAP was developed on the basis of the X.500 protocol. It improves the following functions of X.500:
• Read/write interactive access.
• Browse.
• Search.
LDAP is suitable for storing data that does not often change. The protocol is used to store user information. For example, LDAP server software Active Directory Server is used in Microsoft Windows operating systems. The software stores the user information and user group information for user login authentication and authorization.
LDAP directory service
LDAP uses directories to maintain the organization information, personnel information, and resource information. The directories are organized in a tree structure and include entries. An entry is a set of attributes with distinguished names (DNs). The attributes are used to store information such as usernames, passwords, emails, computer names, and phone numbers.
LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun ONE Directory Server.
LDAP authentication and authorization
AAA can use LDAP to provide authentication and authorization services for users. LDAP defines a set of operations to implement its functions. The main operations for authentication and authorization are the bind operation and search operation.
• The bind operation allows an LDAP client to perform the following operations:
  • Establish a connection with the LDAP server.
  • Obtain the access rights to the LDAP server.
  • Check the validity of user information.
• The search operation constructs search conditions and obtains the directory resource information of the LDAP server.
In LDAP authentication, the client completes the following tasks:
1. Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
2. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
3. Binds with the LDAP server by using each user DN and password. If a binding is created, the user is considered legal.
In LDAP authorization, the client performs the same tasks as in LDAP authentication. When the client constructs search conditions, it obtains both authorization information and the user DN list.
Basic LDAP authentication process
The following example illustrates the basic LDAP authentication process for a Telnet user.
Figure 7 Basic LDAP authentication process for a Telnet user
[Figure 7 diagram, host / LDAP client / LDAP server: 1) the user logs in by Telnet; 2) establish a TCP connection; 3) administrator bind request; 4) bind response; 5) user DN search request; 6) search response; 7) user DN bind request; 8) bind response; 9) authorization process; 10) the user logs in successfully]
The following shows the basic LDAP authentication process:
1. A Telnet user initiates a connection request and sends the username and password to the LDAP client.
2. After receiving the request, the LDAP client establishes a TCP connection with the LDAP server.
3. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.
4. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.
5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.
6. After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found.
7. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server. The server will check whether the user password is correct.
8. The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client notifies the user of the login failure and denies the user's access request.
9. The LDAP client saves the user DN that has been bound and exchanges authorization packets with the authorization server.
  • If LDAP authorization is used, see the authorization process shown in Figure 8.
  • If another method is expected for authorization, the authorization process of that method applies.
10. After successful authorization, the LDAP client notifies the user of the successful login.
Basic LDAP authorization process
The following example illustrates the basic LDAP authorization process for a Telnet user.
Figure 8 Basic LDAP authorization process for a Telnet user
[Figure 8 diagram, host / LDAP client / LDAP server: 1) the user logs in by Telnet; 2) authentication process; 3) establish a TCP connection; 4) administrator bind request; 5) bind response; 6) user authorization search request; 7) search response; 8) the user logs in successfully]
The following shows the basic LDAP authorization process:
1. A Telnet user initiates a connection request and sends the username and password to the device. The device will act as the LDAP client during authorization.
2. After receiving the request, the device exchanges authentication packets with the authentication server for the user:
  • If LDAP authentication is used, see the authentication process shown in Figure 7.
    • If the device (the LDAP client) uses the same LDAP server for authentication and authorization, skip to step 6.
    • If the device (the LDAP client) uses different LDAP servers for authentication and authorization, skip to step 4.
  • If another authentication method is used, the authentication process of that method applies. The device acts as the LDAP client. Skip to step 3.
3. The LDAP client establishes a TCP connection with the LDAP authorization server.
4. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.
5. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.
6. The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server.
7. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search.
8. After successful authorization, the LDAP client notifies the user of the successful login.
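The client-side logic of the two processes above (Figures 7 and 8), as an added example that is not part of the guide or of the device software. It assumes an in-memory mock directory: the entries, the administrator DN cn=admin,dc=example,dc=com, the search base dc=example,dc=com, and a memberOf attribute standing in for whatever LDAP attribute carries the authorization information are all constructed; a real client would talk to a directory server through an LDAP library. It shows the step 8 behaviour of binding with each user DN the search returned until one succeeds, and the same-server case in which the saved user DN selects the entry for the authorization search:

```python
ADMIN_DN, ADMIN_PW = "cn=admin,dc=example,dc=com", "admin-pw"   # constructed
BASE_DN = "dc=example,dc=com"                                    # constructed search base

class MockLdapServer:
    """Constructed stand-in for an LDAP server: a few entries, a bind that checks the
    entry's password, and a subtree search that requires a prior successful bind."""

    def __init__(self):
        self.entries = {
            ADMIN_DN: {"userPassword": ADMIN_PW},
            "uid=bob,ou=staff,dc=example,dc=com":
                {"uid": "bob", "userPassword": "bob-pw", "memberOf": "network-admin"},
            "uid=bob,ou=contractors,dc=example,dc=com":
                {"uid": "bob", "userPassword": "other-pw", "memberOf": "level-1"},
            "uid=carol,ou=staff,dc=example,dc=com":
                {"uid": "carol", "userPassword": "carol-pw"},
        }
        self.bound_dn = None

    def bind(self, dn, password):
        """Bind succeeds only when the DN exists and the password matches."""
        entry = self.entries.get(dn)
        ok = entry is not None and entry["userPassword"] == password
        self.bound_dn = dn if ok else None
        return ok

    def search(self, base_dn, uid, attrs=()):
        """Return (dn, requested attributes) for entries under base_dn whose uid matches."""
        if self.bound_dn is None:
            raise PermissionError("search requires a successful bind")
        return [(dn, {a: e.get(a) for a in attrs})
                for dn, e in self.entries.items()
                if dn.endswith(base_dn) and e.get("uid") == uid]

def ldap_authenticate(server, username, password):
    """Steps 3 to 8 of the authentication process: administrator bind, user DN search,
    then a user DN bind per candidate until one succeeds. Returns the bound DN or None."""
    if not server.bind(ADMIN_DN, ADMIN_PW):
        return None
    for dn, _ in server.search(BASE_DN, username):
        if server.bind(dn, password):
            return dn            # the client saves this DN for the authorization phase
    return None

def ldap_authorize(server, username, saved_dn=None, attrs=("memberOf",)):
    """Steps 4 to 7 of the authorization process: administrator bind, then an
    authorization search. With saved_dn set (same server for both phases) only the
    entry that was actually bound is used; otherwise the first match is."""
    if not server.bind(ADMIN_DN, ADMIN_PW):
        return None
    for dn, values in server.search(BASE_DN, username, attrs):
        if saved_dn is None or dn == saved_dn:
            return values
    return None

def login(server, username, password):
    """The Telnet login as the LDAP client sees it: authenticate, then authorize."""
    dn = ldap_authenticate(server, username, password)
    if dn is None:
        return {"ok": False, "dn": None, "role": None}
    values = ldap_authorize(server, username, saved_dn=dn) or {}
    return {"ok": True, "dn": dn, "role": values.get("memberOf")}
```

With two entries sharing uid bob, the password decides which DN binds, and the authorization search is then tied to that DN rather than to the first search hit; a client that skipped the saved-DN check could hand the staff entry's role to a user who only proved knowledge of the contractor entry's password.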

AAA implementation on the device

This section describes AAA user management and methods.
User management based on ISP domains and user access types
AAA manages users based on the users' ISP domains and access types. On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a user belongs based on the username entered by the user at login.
Figure 9 Determining the ISP domain for a user by username
[Figure 9 flow: a user enters the username in the form userid@domain-name or userid at the NAS. If the username contains @domain-name, the user belongs to domain domain-name; if not, the user belongs to the default domain.]
AAA manages users in the same ISP domain based on the users' access types. The device supports the following user access types:
• LAN—LAN users must pass 802.1X or MAC authentication to come online.
• Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal users can access through a console, AUX, or Async port.
• ADVPN.
• X.25 PAD.
• Portal—Portal users must pass portal authentication to access the network.
• PPP.
• IPoE—IPoE users include Layer 2 and Layer 3 leased line users and Set Top Box (STB) users.
• IKE—IKE users must pass IKE extended authentication to access the network.
• Web—Web users log in to the Web interface of the device through HTTP or HTTPS.
NOTE:
The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend on the configuration of the authentication modules.
AAA methods
AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for whom no AAA methods are configured.
The device supports the following authentication methods:
• No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
• Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
• Remote authentication—The NAS works with a RADIUS, HWTACACS, or LDAP server to authenticate users. The server manages user information in a centralized manner. Remote authentication provides high capacity, reliable, and centralized authentication services for multiple NASs. You can configure backup methods to be used when the remote server is not available.
The device supports the following authorization methods:
• No authorization—The NAS performs no authorization exchange. The following default authorization information applies after users pass authentication:
  • Non-login users can access the network.
  • Login users obtain the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide.
  • The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
• Local authorization—The NAS performs authorization according to the user attributes locally configured for users.
• Remote authorization—The NAS works with a RADIUS, HWTACACS, or LDAP server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is included in the Access-Accept packet. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is included in the authorization response after successful authentication. You can configure backup methods to be used when the remote server is not available.
The device supports the following accounting methods:
No accounting—The NAS does not perform accounting for the users.
Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.
Remote accounting—The NAS works with a RADIUS server or HWTACACS server for accounting. You can configure backup methods to be used when the remote server is not available.
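The method selection described for authentication, authorization, and accounting above follows one pattern: the NAS picks the method list configured for the user's access type in the ISP domain (or the domain's default list when none is configured for that access type), tries the methods in order, and moves on to a backup method only when a remote server is unavailable. The following Python model is an added illustration of that behavior and is not Comware code; the scheme names, usernames, passwords, and the `reachable` flag that stands in for server state are constructed, and the rule that a server's reject is final (no fall-through to the backup) is the reading of "backup methods to be used when the remote server is not available" that this model implements.

```python
"""Model of how a NAS selects and applies AAA methods from an ISP domain.

Added illustration, not Comware code. The layout (a method list per access
type, plus a domain-wide default list used when no list is configured for
the access type) and the backup rule (move to the next method only when a
remote server is unreachable, never when it rejects the user) follow the
guide's description. All scheme names, usernames and passwords are constructed.
"""
from dataclasses import dataclass, field


class ServerUnavailable(Exception):
    """A remote AAA server did not answer (timeout, unreachable)."""


class NoneMethod:
    """'none': trusts every user. Listed only because the guide lists it."""
    name = "none"

    def authenticate(self, username, password):
        return True


@dataclass
class LocalMethod:
    """'local': the NAS checks its own user database."""
    users: dict = field(default_factory=dict)   # username -> password (constructed)
    name: str = "local"

    def authenticate(self, username, password):
        return self.users.get(username) == password


@dataclass
class RemoteMethod:
    """A RADIUS/HWTACACS/LDAP scheme; 'reachable' simulates server state."""
    name: str                # e.g. "radius-scheme rad1" (constructed name)
    reachable: bool = True
    users: dict = field(default_factory=dict)

    def authenticate(self, username, password):
        if not self.reachable:
            raise ServerUnavailable(self.name)
        return self.users.get(username) == password


@dataclass
class IspDomain:
    name: str
    default_methods: list                          # domain-wide default list
    methods_by_access_type: dict = field(default_factory=dict)  # e.g. 'login', 'ppp'

    def methods_for(self, access_type):
        """Per-access-type list if configured, otherwise the domain default list."""
        return self.methods_by_access_type.get(access_type, self.default_methods)


def authenticate(domain, access_type, username, password):
    """Return (accepted, method_name_used).

    Methods are tried in configured order. A reject is final: the NAS does not
    fall through to a backup after a server has answered. Only an unreachable
    server moves on to the next method; if no method answers, the user is
    rejected and None is reported as the method.
    """
    for method in domain.methods_for(access_type):
        try:
            accepted = method.authenticate(username, password)
        except ServerUnavailable:
            continue
        return accepted, method.name
    return False, None


def build_sample_domain():
    """Constructed domain: HWTACACS with local backup for login users,
    RADIUS (currently down) with local backup for every other access type."""
    return IspDomain(
        name="corp",
        default_methods=[
            RemoteMethod("radius-scheme rad1", reachable=False, users={"alice": "pw1"}),
            LocalMethod(users={"alice": "pw1"}),
        ],
        methods_by_access_type={
            "login": [
                RemoteMethod("hwtacacs-scheme tac1", reachable=True, users={"admin": "s3cret"}),
                LocalMethod(users={"admin": "backup-pw"}),
            ],
        },
    )


if __name__ == "__main__":
    d = build_sample_domain()
    print(authenticate(d, "login", "admin", "s3cret"))      # (True, 'hwtacacs-scheme tac1')
    print(authenticate(d, "login", "admin", "backup-pw"))   # (False, 'hwtacacs-scheme tac1')
    print(authenticate(d, "ppp", "alice", "pw1"))           # (True, 'local')
```

The second call is the case worth checking in a real deployment: the HWTACACS server is reachable and rejects `admin`, so the local backup password is never consulted. The third call shows the default list taking over for an access type with no list of its own, with the unreachable RADIUS scheme skipped in favor of local.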
In addition, the device provides the following login services to enhance device security:
Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted. Login users can execute only commands permitted by the authorization server. For more information about command authorization, see Fundamentals Configuration Guide.
Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
User role authentication—Authenticates each user who wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.

AAA for MPLS L3VPNs

You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated. The deployment enables forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, as shown in Figure 10, you can deploy AAA across the VPNs. The PE at the left side of the MPLS backbone acts as a NAS. The NAS transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication. Authentication packets of private users in different VPNs do not affect each other.
Figure 10 Network diagram (elements shown in the figure: Host, CE, PE acting as NAS, P, MPLS backbone, VPN 1, VPN 2, VPN 3, RADIUS server, HWTACACS server)
This feature can also help an MCE to implement portal authentication for VPNs. For more information about MCE, see MPLS Configuration Guide. For more information about portal authentication, see "Configuring portal authentication."

Protocols and standards

RFC 2865, Remote Authentication Dial In User Service (RADIUS)
RFC 2866, RADIUS Accounting
RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868, RADIUS Attributes for Tunnel Protocol Support
RFC 2869, RADIUS Extensions
RFC 5176, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
RFC 1492, An Access Control Protocol, Sometimes Called TACACS
RFC 1777, Lightweight Directory Access Protocol
RFC 2251, Lightweight Directory Access Protocol (v3)