HP HSR6800 Routers Security Configuration Guide Part number: 5998-4496 Software version: HSR6800-CMW520-R3303P05 Document version: 6PW105-20140507
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Security overview
Network security threats
Network security services
802.1X client as the initiator
Access device as the initiator
802.
Setting the EAD rule timer
Displaying and maintaining EAD fast deployment
EAD fast deployment configuration example
Network requirements
Configuring online Layer 3 portal user detection
Configuring the portal server detection function
Configuring portal user information synchronization
Logging off portal users
Configuring password control
Overview
FIPS compliance
Removing a certificate
Configuring an access control policy
Displaying and maintaining PKI
PKI configur
Protocols and standards
FIPS compliance
IKE configuration task list
C
Password authentication enabled Stelnet client configuration example
Publickey authentication enabled Stelnet client configuration example
SFTP configuration examples
Password authentication enabled SFTP server configuration example
Connection limit configuration task list
Creating a connection limit policy
Configuring the connection limit policy
Applying the connecti
Blacklist configuration example
Traffic statistics configuration example
TCP proxy configuration example
Configuring TCP attack protection
Enabling source MAC consistency check for ND packets
Configuring URPF
Overview
URPF check m
Support and other resources
Contacting HP
Subscription service
Re
Security overview
Network security threats are actual or potential threats to the confidentiality, integrity, or availability of data, or to the authorized use of a resource in a network system. Network security services provide solutions that eliminate or reduce those threats to varying degrees.
Network security threats
• Information disclosure—Information is leaked to an unauthorized person or entity.
• Data integrity damage—Data integrity is damaged by unauthorized modification or malicious destruction.
Network security technologies
Identity authentication
AAA
AAA provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies network users and determines whether the user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Portal authentication Portal authentication, also called "Web authentication," controls user access at the access layer and other data entrance that needs protection. It does not require client software to authenticate users. Users only need to enter a username and a password on the webpage for authentication. With portal authentication, an access device redirects all unauthenticated users to a specific webpage, and users can freely access resources on the webpage.
• Source port number
• Destination port number
The device compares the header information against the preset ACL rules and processes (discards or forwards) the packet based on the comparison result.
comprehensive and effective solution against common ARP attacks, such as user and gateway spoofing attacks and flood attacks.
ND attack defense
The IPv6 ND protocol provides rich functions, but does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. To defend against such attacks, the device provides multiple ND attack detection technologies, such as source MAC consistency check for ND packets and ND Detection.
Password control
Password control is a set of functions for enhancing the local password security. It controls user login passwords, super passwords, and user login status based on predefined policies. Those policies include minimum password length, minimum password update interval, password aging, and early notice on pending password expiration.
RSH
RSH allows users to execute OS commands on a remote host that runs the RSH daemon.
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
Figure 3 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user's username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted using the MD5 algorithm and the shared key.
3. The RADIUS server authenticates the username and password.
Figure 4 RADIUS packet format (fields in order: Code, Identifier, Length, Authenticator, Attributes)
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 1 Main values of the Code field
Value, packet type: description
1, Access-Request: From the client to the server. A packet of this type carries user information for the server to authenticate the user.
• Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."
• Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
• Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length sub-fields.
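The packet layout and the User-Password handling described above can be made concrete in a few dozen lines. The following Python is an added example written for this guide's readers; it is not HP code and not taken from the router software. It builds an Access-Request with the header fields from Figure 4 and Type/Length/Value attributes, hides the password the way RFC 2865 section 5.2 prescribes (MD5 over the shared key and Request Authenticator, XORed with the password 16 bytes at a time), and parses the result back while rejecting inconsistent Length fields. The shared key "expert", username "test@bbb", password "aabbcc" and NAS address 10.1.1.2 are the values used in the configuration examples later in this chapter; the fixed 16-byte authenticator in the demo is constructed for reproducibility and a real client must use a fresh random one per request.

```python
"""Build and parse a RADIUS Access-Request (RFC 2865 layout).

Added example, not HP code. Attribute type numbers are the standard
RFC 2865 values; sample field values are constructed.
"""
import hashlib
import os
import socket
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a User-Password as RFC 2865 section 5.2 prescribes.

    The password is zero-padded to a multiple of 16 octets; each block is
    XORed with MD5(secret + previous block), where the first 'previous
    block' is the 16-byte Request Authenticator from the packet header.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += cipher_block
        prev = cipher_block  # later blocks chain on the previous cipher block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the server does with the same key."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, counts Type and Length too), Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes, nas_ip: str) -> bytes:
    """Assemble header + attributes; Length covers the whole packet."""
    attrs = (encode_attribute(ATTR_USER_NAME, username)
             + encode_attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    Every bound is checked against the Length field so a truncated or
    malformed packet raises instead of being silently misread.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field inconsistent with packet size")
    authenticator = data[4:HEADER_LEN]
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute Length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    # Demo with a fresh random Request Authenticator, as a real client would use.
    auth = os.urandom(16)
    pkt = build_access_request(7, auth, b"test@bbb", b"aabbcc", b"expert", "10.1.1.2")
    code, ident, _, attrs = parse_packet(pkt)
    print(f"code={code} id={ident} len={len(pkt)} attrs={[t for t, _ in attrs]}")
    print("recovered:", reveal_password(dict(attrs)[ATTR_USER_PASSWORD], b"expert", auth))
```

Two things the code makes visible that the prose glosses over: the "encryption" is an MD5-keyed XOR whose only secret is the shared key, so a weak or widely reused key lets anyone who captures the UDP exchange recover passwords offline; and the parser must trust nothing in the packet but bounds-check every Length, since the Length fields are attacker-controlled input.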
HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations.
Figure 6 Basic HWTACACS message exchange process for a Telnet user HWTACACS operates in the following manner: 1. A Telnet user sends an access request to the HWTACACS client. 2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server. 3. The HWTACACS server sends back an authentication response to request the username. 4. Upon receiving the response, the HWTACACS client asks the user for the username. 5. The user enters the username. 6.
9. The user enters the password. 10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. 11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12. The HWTACACS client sends the user authorization request packet to the HWTACACS server. 13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized. 14.
• Portal users—Users who must pass portal authentication to access the network. • PPP users—Users who access through PPP. • SSL VPN users—Users who access through SSL VPN. In addition, AAA provides the following services for login users to enhance device security: • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted, and allows login users to execute only authorized commands.
• RFC 2865, Remote Authentication Dial In User Service (RADIUS) • RFC 2866, RADIUS Accounting • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support • RFC 2868, RADIUS Attributes for Tunnel Protocol Support • RFC 2869, RADIUS Extensions • RFC 1492, An Access Control Protocol, Sometimes Called TACACS RADIUS attributes This section provides tables of commonly used standard RADIUS attributes and HP proprietary RADIUS sub-attributes. Commonly used standard RADIUS attributes No.
No., attribute: description
40, Acct-Status-Type: Type of the Accounting-Request packet. Possible values include:
• 1—Start.
• 2—Stop.
• 3—Interim-Update.
• 4—Reset-Charge.
• 7—Accounting-On. (Defined in the 3rd Generation Partnership Project.)
• 8—Accounting-Off. (Defined in the 3rd Generation Partnership Project.)
• 9 to 14—Reserved for tunnel accounting.
• 15—Reserved for failed.
45, Acct-Authentic: Authentication method used by the user. Possible values include:
• 1—RADIUS.
60, CHAP-Challenge
No., sub-attribute: description
15, Remanent_Volume: Total remaining available traffic for the connection, in different units for different server types.
20, Command: Operation for the session, used for session control. Possible values include:
• 1—Trigger-Request.
• 2—Terminate-Request.
• 3—SetPolicy.
• 4—Result.
• 5—PortalClear.
24, Control_Identifier: Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value.
No., sub-attribute: description
205, Input-Interval-Gigawords: Amount of bytes input within an accounting interval, in units of 4G bytes.
206, Output-Interval-Gigawords: Amount of bytes output within an accounting interval, in units of 4G bytes.
207, Backup-NAS-IP: Backup source IP address for sending RADIUS packets.
255, Product_ID: Product name.
AAA configuration considerations and task list
To configure AAA on the NAS:
1. Configure the required AAA schemes.
2.
Task: remarks
Configuring AAA schemes
• Configuring RADIUS schemes
• Configuring HWTACACS schemes
Complete at least one task.
Configuring AAA methods for ISP domains
• Creating an ISP domain: Required.
• Configuring ISP domain attributes: Optional.
• Configuring authentication methods for an ISP domain: Required.
• Configuring authorization methods for an ISP domain: Complete at least one task.
• Configuring accounting methods for an ISP domain
Tearing down user connections: Optional.
Configuring a NAS ID-VLAN binding: Optional.
• Password control attributes. Password control attributes help you control the security of local users' passwords. Password control attributes include password aging time, minimum password length, and password composition policy. You can configure a password control attribute in system view, user group view, or local user view, making the attribute effective for all local users, all local users in a group, or only the local user.
level configured for the user interface. For more information about user interface authentication mode and user interface command level, see Fundamentals Configuration Guide. • You can configure the user profile authorization attribute in local user view, user group view, and ISP domain view. The setting in local user view has the highest priority, and that in ISP domain view has the lowest priority. For more information about user profiles, see "Configuring user profiles.
Step, command: remarks
7. Configure password control attributes for the local user. Optional.
• Set the password aging time: password-control aging aging-time
• Set the minimum password
Configuring user group attributes User groups simplify local user configuration and management. A user group comprises a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
Task Command Remarks Display local user information (in standalone mode). display local-user [ idle-cut { disable | enable } | service-type { dvpn | ftp | lan-access | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display local user information (in IRF mode).
Task: remarks
Displaying and maintaining RADIUS: Optional.
Creating a RADIUS scheme
Before you perform other RADIUS configurations, first create a RADIUS scheme and enter RADIUS scheme view. A RADIUS scheme can be referenced by multiple ISP domains at the same time.
To create a RADIUS scheme and enter RADIUS scheme view:
Step, command: remarks
1. Enter system view. system-view. N/A
2. Create a RADIUS scheme and enter RADIUS scheme view.
Step, command: remarks
3. Specify RADIUS authentication/authorization servers. Configure at least one command. By default, no authentication/authorization server is specified.
• Specify the primary RADIUS
Step, command: remarks
3. Specify RADIUS accounting servers. Configure at least one command.
• Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
• Specify a secondary RADIUS accounting server: secondary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
4. 5. 6.
Step, command: remarks
3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication. key { accounting | authentication } [ cipher | simple ] key. By default, no shared key is specified. In FIPS mode, the shared key must be a string of at least 8 characters that contain numbers, uppercase letters, lowercase letters, and special characters. The shared key configured on the device must be the same as that configured on the RADIUS server.
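The FIPS-mode shared-key rule just stated, together with the password control attributes introduced earlier (minimum length, composition policy, minimum update interval, aging, and early notice of expiration), amounts to a small policy engine that is worth seeing end to end. The Python below is an added example for readers of this guide, not HP code and not the router's implementation; it checks a candidate shared key against the FIPS rule exactly as the page states it, and evaluates a local-user password against a policy whose numeric values (10-character minimum, 2 character classes, 90-day aging, 24-hour update interval, 7-day notice) are constructed for the example rather than taken from the device defaults.

```python
"""Password control and FIPS shared-key checks modelled on this guide's rules.

Added example, not HP code. PasswordPolicy values are constructed; only the
FIPS shared-key rule (>= 8 chars, digits + upper + lower + special) is quoted
from the guide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 10               # constructed value
    min_classes: int = 2               # constructed value
    aging_days: int = 90               # constructed value
    min_update_interval_hours: int = 24  # constructed value
    expiry_notice_days: int = 7        # constructed value


def character_classes(text: str) -> set:
    """Classify each character as digit, upper, lower or special."""
    classes = set()
    for ch in text:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        else:
            classes.add("special")
    return classes


def fips_shared_key_ok(key: str) -> bool:
    """FIPS-mode rule from the guide: at least 8 characters drawn from all four classes."""
    return len(key) >= 8 and character_classes(key) == {"digit", "upper", "lower", "special"}


def check_composition(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = character_classes(password)
    if len(classes) < policy.min_classes:
        problems.append(f"uses {len(classes)} character class(es); policy needs {policy.min_classes}")
    return problems


def password_status(last_set: datetime, now: datetime, policy: PasswordPolicy) -> str:
    """Aging with early notice: 'valid', 'expiring' (inside the notice window) or 'expired'."""
    age = now - last_set
    if age >= timedelta(days=policy.aging_days):
        return "expired"
    if age >= timedelta(days=policy.aging_days - policy.expiry_notice_days):
        return "expiring"
    return "valid"


def update_allowed(last_set: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """Minimum password update interval: refuse changes made too soon after the last one."""
    return now - last_set >= timedelta(hours=policy.min_update_interval_hours)


if __name__ == "__main__":
    policy = PasswordPolicy()
    now = datetime(2014, 5, 7)  # constructed reference time
    for key in ("expert", "Exp3rt!Key"):
        print(f"shared key {key!r}: FIPS ok = {fips_shared_key_ok(key)}")
    print("password 'aabbcc':", check_composition("aabbcc", policy) or "ok")
    print("set 85 days ago:", password_status(now - timedelta(days=85), now, policy))
```

Note that "expert" and "aabbcc", the shared key and password used by the configuration examples in this chapter, fail both checks; they are fine for a lab walkthrough but would be rejected in FIPS mode and by any reasonable composition policy.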
Do not apply the RADIUS scheme to more than one ISP domain if you have configured the user-name-format without-domain command for that RADIUS scheme. Otherwise, users in different ISP domains are considered the same user if they use the same username. For level switching authentication, user-name-format keep-original and user-name-format without-domain commands all produce the same results: they make sure that usernames sent to the RADIUS server carry no ISP domain name.
Step, command: remarks
3. Set the maximum number of RADIUS request transmission attempts. retry retry-times. Optional. The default setting is 3.
Setting the status of RADIUS servers
By setting the status of RADIUS servers to blocked or active, you can control the AAA servers with which the device communicates when the current servers are no longer available.
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may need to change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server. To set the status of RADIUS servers in a RADIUS scheme: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RADIUS scheme view.
Step Command Remarks 1. Enter system view. system-view N/A 2. Specify a source IP address for outgoing RADIUS packets. radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] By default, the IP address of the outbound interface is used as the source IP address. To specify a source IP address for a specific RADIUS scheme: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RADIUS scheme view. radius scheme radius-scheme-name N/A 3.
accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values. In this case, the next authentication or accounting attempt can succeed because the device has set the status of the unreachable servers to blocked so time for finding a reachable server is shortened. Properly set the server quiet timer.
Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation. The security policy server is the management and control center for EAD. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to 30%. This threshold can only be configured through the MIB. • The failure ratio is typically small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration on and the communication between the NAS and the RADIUS server.
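The server-status behaviour described over the last few sections (active and blocked states, the transmission-attempt limit, the quiet timer that returns a blocked server to active, and the trap fired when the failed-attempt ratio reaches its threshold) is easiest to reason about as a small state machine. The Python below is an added example for this guide's readers, not HP code and not a description of the router's internal implementation. It models one RADIUS scheme with a primary and a secondary server; the transport is a caller-supplied callback that returns True on a reply and False on timeout, so the model runs offline. The retry count of 3 and the 30% trap threshold are the defaults stated on this page; the 5-minute quiet timer is the default the guide gives for the HWTACACS primary server and is used here as a constructed value for RADIUS.

```python
"""State model of RADIUS server selection, blocking, quiet timer and trap ratio.

Added example, not HP code. The transport is a callback so the model runs
offline; times are plain seconds so tests are deterministic.
"""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    address: str
    port: int = 1812
    state: str = "active"        # "active" or "blocked"
    blocked_until: float = 0.0   # absolute time at which the quiet timer expires


class RadiusScheme:
    """One scheme: ordered server list (primary first) plus the guide's timers and counters."""

    def __init__(self, servers, retry=3, quiet_minutes=5, trap_threshold_pct=30):
        self.servers = list(servers)
        self.retry = retry                     # max transmission attempts per server
        self.quiet_seconds = quiet_minutes * 60  # constructed: guide's HWTACACS default reused
        self.trap_threshold_pct = trap_threshold_pct
        self.attempts = 0                      # total authentication request transmissions
        self.failures = 0                      # transmissions that got no response

    def _expire_quiet_timers(self, now: float) -> None:
        """A blocked server returns to active once its quiet timer has elapsed."""
        for s in self.servers:
            if s.state == "blocked" and now >= s.blocked_until:
                s.state = "active"

    def pick_server(self, now: float):
        """First active server in primary-then-secondary order, or None if all are blocked."""
        self._expire_quiet_timers(now)
        for s in self.servers:
            if s.state == "active":
                return s
        return None

    def authenticate(self, send, now: float):
        """Try servers in order; block any that exhaust the attempt limit.

        send(server) -> True if the server replied, False on timeout.
        Returns the server that answered, or None when every server is blocked.
        """
        while True:
            server = self.pick_server(now)
            if server is None:
                return None
            for _ in range(self.retry):
                self.attempts += 1
                if send(server):
                    return server
                self.failures += 1
            # Attempt limit reached without a reply: block it and start the quiet timer,
            # so later requests skip straight to the next server instead of waiting again.
            server.state = "blocked"
            server.blocked_until = now + self.quiet_seconds

    def failure_ratio_pct(self) -> float:
        """Failed transmissions as a percentage of all authentication request transmissions."""
        if self.attempts == 0:
            return 0.0
        return 100.0 * self.failures / self.attempts

    def trap_due(self) -> bool:
        """The guide's trap condition: the failure ratio reaches the threshold."""
        return self.failure_ratio_pct() >= self.trap_threshold_pct


if __name__ == "__main__":
    primary, secondary = RadiusServer("10.1.1.1"), RadiusServer("10.1.1.2")
    scheme = RadiusScheme([primary, secondary])
    reachable = {"10.1.1.1": False, "10.1.1.2": True}   # constructed: primary is down
    answered = scheme.authenticate(lambda s: reachable[s.address], now=0)
    print("answered by", answered.address, "| primary state:", primary.state)
    print(f"failure ratio {scheme.failure_ratio_pct():.0f}% -> trap due: {scheme.trap_due()}")
    print("server chosen at t=301s:", scheme.pick_server(now=301).address)
```

The model shows why the guide advises setting the quiet timer with care: while the primary is blocked, every request goes straight to the secondary with no added delay, but once the timer expires the next request pays the full retry-times-timeout cost again if the primary is still down. It also shows why a failure ratio above the 30% threshold usually points at a configuration or connectivity problem rather than normal load, since in the healthy case the ratio stays near zero.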
Task Command Remarks Display information about buffered stop-accounting requests for which no responses have been received (in IRF mode). display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ] Available in any view. Clear RADIUS statistics (in standalone mode).
To create an HWTACACS scheme and enter HWTACACS scheme view: Step Command Remarks 1. Enter system view. system-view N/A 2. Create an HWTACACS scheme and enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name Not defined by default. You can delete an HWTACACS scheme only when it is not referenced. Specifying the HWTACACS authentication servers You can specify one primary authentication server and one secondary authentication server for an HWTACACS scheme.
Step, command: remarks
1. Enter system view. system-view. N/A
2. Enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name. N/A
3. Specify HWTACACS authorization servers. Configure at least one command.
• Specify the primary HWTACACS authorization server: primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
• Specify the secondary HWTACACS authorization server: secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
Step, command: remarks
4. Enable buffering of stop-accounting requests to which no responses are received. stop-accounting-buffer enable. Optional. Enabled by default.
5. Set the maximum number of stop-accounting attempts. retry stop-accounting retry-times. Optional. The default setting is 100.
You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.
do not recognize usernames that contain the ISP domain names. In this case, you can configure the device to remove the domain name from each username to be sent. The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the unit for data flows and that for packets on the device are consistent with those configured on the HWTACACS servers.
Step Command Remarks 1. Enter system view. system-view N/A 2. Specify a source IP address for outgoing HWTACACS packets. hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ] By default, the IP address of the outbound interface is used as the source IP address. To specify a source IP address for a specific HWTACACS scheme: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name N/A 3.
Step, command: remarks
4. Set the quiet timer for the primary server. timer quiet minutes. Optional. The default quiet timer for the primary server is 5 minutes.
5. Set the real-time accounting interval. timer realtime-accounting minutes. Optional. The default real-time accounting interval is 12 minutes.
Displaying and maintaining HWTACACS
Task, command: remarks
Display the configuration or statistics of HWTACACS schemes (in standalone mode).
Creating an ISP domain In a networking scenario with multiple ISPs, the device can connect users of different ISPs. Different ISP users can have different user attributes (such as username and password structures), different service types, and different rights. To manage these ISP users, you need to create ISP domains and then configure AAA methods and domain attributes for each ISP domain. The device can accommodate up to 16 ISP domains, including the system predefined ISP domain system.
• Maximum number of online users—The device controls the number of online users in a domain to ensure the system performance and service reliability. • Idle cut—Enables the device to check the traffic of each online user in the domain at the idle timeout interval, and to log out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
Step, command: remarks
9. Set the device to include the idle cut time in the user online time to be uploaded to the server. session-time include-idle-time. Optional. By default, the user online time uploaded to the server excludes the idle cut time.
Configuring authentication methods for an ISP domain
In AAA, authentication, authorization, and accounting are separate processes.
• You can configure a default authentication method for an ISP domain. The default method will be used for all users who support the authentication method and have no specific authentication method configured. • You can configure local authentication (local) or no authentication (none) as the backup for remote authentication that is used when the remote authentication server is unavailable. • Local authentication (local) and no authentication (none) cannot have a backup method.
Step, command: remarks
9. Specify the authentication method for privilege level switching. authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }. Optional. The default authentication method is used by default.
Configuring authorization methods for an ISP domain
In AAA, authorization is a separate process at the same level as authentication and accounting.
• You can configure local authorization (local) or no authorization (none) as the backup for remote authorization that is used when the remote authorization server is unavailable. • Local authorization (local) and no authorization (none) cannot have a backup method. Configuration procedure To configure authorization methods for an ISP domain: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter ISP domain view. domain isp-name N/A 3.
• Local accounting (local)—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account. It does not provide statistics for charging. The maximum number of concurrent users using the same local user account is set by the access-limit command in local user view. • Remote accounting (scheme)—The NAS works with a RADIUS server or HWTACACS server for accounting.
Step Command Remarks 4. Specify the default accounting method for all types of users. accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } Optional. 5. Specify the command accounting method. accounting command hwtacacs-scheme hwtacacs-scheme-name Optional. 6. Specify the accounting method for DVPN users. accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] } Optional.
Step, command: remarks
2. Tear down AAA user connections.
• In standalone mode: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name } [ slot slot-number ]
Task Command Remarks Display information about user connections (in IRF mode). display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ] Available in any view.
Select the access device type HP(General). Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
c. Click OK.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the device, which is chosen in the following order:
• IP address specified with the nas-ip command on the device.
• IP address specified with the radius nas-ip command on the device.
Figure 12 Adding an account for device management
Configuring the router
# Assign an IP address to interface GigabitEthernet 3/0/1, the Telnet user access interface.
system-view
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet3/0/1] quit
# Configure the IP address of interface GigabitEthernet 3/0/2, through which the router communicates with the server.
# Set the shared key for secure authentication communication to expert.
[Router-radius-rad] key authentication expert
# Specify the service type for the RADIUS server, which must be extended when the server runs on IMC.
[Router-radius-rad] server-type extended
# Include the domain names in usernames sent to the RADIUS server.
[Router-radius-rad] user-name-format with-domain
[Router-radius-rad] quit
# Configure the AAA methods for domain bbb.
[Router] telnet server enable
# Configure the router to use AAA for Telnet users.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] quit
# Create a local user named telnet.
[Router] local-user telnet
[Router-luser-telnet] service-type telnet
[Router-luser-telnet] password simple aabbcc
[Router-luser-telnet] quit
# Configure the AAA methods for the ISP domain as local authentication and authorization.
Configuration procedure
1. Configure the HWTACACS server. On the HWTACACS server, set the shared keys for secure communication with the router to expert, add an account for the PPP user, and specify the password. (Details not shown.)
2. Configure the router:
# Create HWTACACS scheme hwtac.
system-view
[Router] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Router-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server.
Level switching authentication for Telnet users by a RADIUS server
Network requirements
As shown in Figure 15, configure the router to:
• Use local authentication for the Telnet user and assign the privilege level of 0 to the user when the user passes authentication.
• Use the RADIUS server for level switching authentication of the Telnet user. If the RADIUS server is not available, use local authentication.
Figure 15 Network diagram
Configuration considerations
1.
[Router-GigabitEthernet3/0/1] quit # Configure the IP address of GigabitEthernet 3/0/2, through which the router communicates with the server. [Router] interface gigabitethernet 3/0/2 [Router-GigabitEthernet3/0/2] ip address 10.1.1.2 255.255.255.0 [Router-GigabitEthernet3/0/2] quit # Enable the router to provide Telnet service. [Router] telnet server enable # Configure the router to use AAA for Telnet users.
2. Configure the RADIUS server. The RADIUS server in this example runs ACSv4.0. Add the usernames and passwords for user privilege level switching authentication.
Table 5 Adding username and passwords for user privilege level switching authentication
Username    Password    Switching to level
$enab1$     pass1       1
$enab2$     pass2       2
$enab3$     pass3       3
A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch.
Figure 17 List of the usernames for privilege level switching Verifying the configuration. After the configuration is complete, the user can Telnet to the router and use username test@bbb and password aabbcc to enter the user interface of the router, and access all level 0 commands. telnet 192.168.1.70 Trying 192.168.1.70 ... Press CTRL+K to abort Connected to 192.168.1.70 ...
Password: <-- Enter the password for RADIUS privilege level switching authentication. Error: Invalid configuration or no response from the authentication server. Info: Change authentication mode to local. Password: <-- Enter the password for local privilege level switching authentication. User privilege level is 3, and only those commands can be used whose level is equal or less than this.
b. Click Add to configure an access device as follows: Set the shared key for secure authentication communication to expert. Set the ports for authentication to 1812, respectively. Select the service type LAN Access Service. Select the access device type HP(General). Select the access device from the device list or manually add the device with the IP address 10.1.1.2. c. Leave the default settings for other parameters and click OK.
Figure 20 Adding a service 3. Add an access user account: a. Click the User tab, and then select Access User View > All Access Users from the navigation tree. b. Click Add to configure a user as follows: Select the user or add a user named hello. Enter the account name portal and specify the password. Select the access service Portal auth. Configure other parameters as needed. c. Click OK.
Figure 22 Portal server configuration 2. Configure an IP address group: a. Select User Access Manager > Portal Service > IP Group from the navigation tree. b. Click Add to configure an IP address group as follows: Enter the name Portal_user. Set the start IP address to 192.168.1.1 and the end IP address to 192.168.1.255. Make sure the IP address group contains the IP address of the host. Select the action Normal. c. Click OK. Figure 23 Adding an IP address group 3.
Enter the IP address of the access interface on the router, which is 192.168.1.70. Enter the key, which is portal, the same as that configured on the router. Specify whether to enable IP address reallocation. This example uses direct portal authentication by selecting No from the Reallocate IP list. c. Leave the default settings for other parameters and click OK. Figure 24 Adding a portal device 4. Associate the portal device with the IP address group: a.
Figure 26 Associating the portal device with IP address group 5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations. Configuring the router # Create a RADIUS scheme named rs1 and enter its view. system-view [Router] radius scheme rs1 # Set the server type for the RADIUS scheme. When using IMC, set the server type to extended.
[Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] portal server newpt method direct [Router-GigabitEthernet3/0/1] quit Verifying the configuration The user can initiate portal authentication by using the HP iNode client or by accessing a Web page. All the initiated Web requests will be redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page.
Solution Check that: • The NAS and the RADIUS server can ping each other. • The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS. • The user is configured on the RADIUS server. • The correct password is entered. • The same shared key is configured on both the RADIUS server and the NAS. Symptom 2 RADIUS packets cannot reach the RADIUS server. Analysis Possible reasons include: • A communication failure exists between the NAS and the RADIUS server.
Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."
802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
Figure 28 Authorization state of a controlled port In unauthorized state, a controlled port controls traffic in one of the following ways: • Performs bidirectional traffic control to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.
Packet formats EAP packet format Figure 29 shows the EAP packet format. Figure 29 EAP packet format • Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4). • Identifier—Used for matching Responses with Requests. • Length—Length (in bytes) of the EAP packet. The length is the sum of the Code, Identifier, Length, and Data fields. • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet.
Value    Type            Description
0x02     EAPOL-Logoff    The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows. • Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
the authentication server does not support the multicast address, use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client cannot send EAPOL-Start packets (for example, an 802.1X client available with Windows XP).
A comparison of EAP relay and EAP termination
Packet exchange method: EAP relay. Benefits: • Supports various EAP authentication methods. • The configuration and processing is simple on the network access device. Limitations: The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
Packet exchange method: EAP termination. Benefits: Works with any RADIUS server that supports PAP or CHAP authentication. Limitations: • Supports only MD5-Challenge
Figure 35 802.
9. The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. 10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network. 11.
Figure 36 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
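The following is an added example, not HP's code, that decodes the EAPOL and EAP headers described in the packet-format section and then verifies an EAP Response/MD5-Challenge the way the authentication server (EAP relay) or the network access device (EAP termination) does at step 9. The EAPOL type values for EAP-Packet and EAPOL-Start, the MD5-Challenge method type and the CHAP-style hash input order are taken from IEEE 802.1X and RFC 3748; the password, challenge and frames are constructed test data.

```python
"""Added example (not from the HP guide): parse EAPOL/EAP and verify EAP MD5-Challenge."""
import hashlib
import hmac
import struct

# EAPOL packet types (IEEE 802.1X); the guide's table lists 0x02 EAPOL-Logoff.
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff"}
# EAP Code values as listed in the guide.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5_CHALLENGE = 4  # EAP method type for MD5-Challenge (RFC 3748)


def parse_eapol(frame: bytes) -> dict:
    """Parse the EAPOL header: Version (1 byte), Type (1 byte), Length (2 bytes)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unsupported EAPOL type {ptype:#04x}")
    if ptype in (0x01, 0x02):
        # EAPOL-Start and EAPOL-Logoff carry Length 0 and no Packet body.
        if length != 0:
            raise ValueError("EAPOL-Start/Logoff must carry Length 0")
        body = b""
    else:
        if len(frame) < 4 + length:
            raise ValueError("EAPOL Length exceeds frame size")
        body = frame[4:4 + length]
    return {"version": version, "type": EAPOL_TYPES[ptype], "body": body}


def parse_eap(packet: bytes) -> dict:
    """Parse the EAP header: Code (1), Identifier (1), Length (2), then Data."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # Length counts the Code, Identifier, Length and Data fields together.
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length")
    # The Data field is present only in Request and Response packets.
    data = packet[4:length] if code in (1, 2) else b""
    return {"code": EAP_CODES[code], "id": ident, "data": data}


def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style value for EAP MD5-Challenge: MD5(Identifier | password | challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_md5_response(eap: dict, password: bytes, challenge: bytes) -> bool:
    """Recompute the expected value from the challenge we issued and compare
    it with the value the client returned (the comparison at step 9)."""
    data = eap["data"]
    if eap["code"] != "Response" or len(data) < 2 or data[0] != EAP_TYPE_MD5_CHALLENGE:
        return False
    value_size = data[1]  # Value-Size byte precedes the 16-byte MD5 value
    if value_size != 16 or len(data) < 2 + value_size:
        return False
    received = data[2:2 + value_size]
    expected = md5_challenge_response(eap["id"], password, challenge)
    return hmac.compare_digest(received, expected)


def build_eapol_eap(code: int, ident: int, data: bytes) -> bytes:
    """Wrap an EAP packet in an EAPOL EAP-Packet frame (version 1)."""
    eap = struct.pack("!BBH", code, ident, 4 + len(data)) + data
    return struct.pack("!BBH", 1, 0x00, len(eap)) + eap


# Constructed sample values (hypothetical, not from the guide).
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_PASSWORD = b"localpass"


def make_sample_response(ident: int = 7, password: bytes = SAMPLE_PASSWORD,
                         challenge: bytes = SAMPLE_CHALLENGE, name: bytes = b"localuser") -> bytes:
    """Build the client's EAPOL frame carrying a Response/MD5-Challenge."""
    value = md5_challenge_response(ident, password, challenge)
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return build_eapol_eap(2, ident, data)


def check_sample(password: bytes = SAMPLE_PASSWORD) -> bool:
    """Parse the sample frame and verify it against the given password."""
    eapol = parse_eapol(make_sample_response())
    return verify_md5_response(parse_eap(eapol["body"]), password, SAMPLE_CHALLENGE)
```
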
Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. For more information about port security, see "Configuring port security." NOTE: 802.
Access control: MAC-based. VLAN manipulation:
• If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
• If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns the first authenticated user's VLAN to the port as the PVID.
Auth-Fail VLAN You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.
The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode. • On a port that performs port-based access control
Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. VLAN manipulation: Assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the critical VLAN.
Authentication status: A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable. VLAN manipulation: The user remains in the 802.1X guest VLAN or the Auth-Fail VLAN.
Authentication status: A user in the MAC authentication guest VLAN fails 802.1X authentication because all the 802.1X authentication servers are unreachable. VLAN manipulation: The user is removed from the MAC authentication guest VLAN and mapped to the 802.1X critical VLAN. To perform the 802.
802.1X configuration task list
Task: Enabling 802.1X. Remarks: Required.
Task: Enabling EAP relay or EAP termination. Remarks: Optional.
Task: Setting the port authorization state. Remarks: Optional.
Task: Specifying an access control method. Remarks: Optional.
Task: Setting the maximum number of concurrent 802.1X users on a port. Remarks: Optional.
Task: Setting the maximum number of authentication request attempts. Remarks: Optional.
Task: Setting the 802.1X authentication timeout timers. Remarks: Optional.
Task: Configuring the online user handshake function. Remarks: Optional.
Step 3. Enable 802.1X on a port in system view or Ethernet interface view. Command: • In system view: dot1x interface interface-list • In Ethernet interface view: a. interface interface-type interface-number b. dot1x Remarks: By default, 802.1X is disabled on a port.
Enabling EAP relay or EAP termination When configuring EAP relay or EAP termination, consider the following factors: • The support of the RADIUS server for EAP packets • The authentication methods supported by the 802.
auto—Places the port initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios. • You can set authorization state for one port in interface view, or for multiple ports in system view. If different authorization state is set for a port in system view and interface view, the one set later takes effect.
Step 1. Enter system view. Command: system-view Remarks: N/A
Step 2. Set the maximum number of concurrent 802.1X users on a port in system view or Ethernet interface view. Command: • In system view: dot1x max-user user-number [ interface interface-list ] • In Ethernet interface view: a. interface interface-type interface-number b. Remarks: The default setting is 1024.
Step 2. Set the client timeout timer. Command: dot1x timer supp-timeout supp-timeout-value Remarks: The default is 30 seconds.
Step 3. Set the server timeout timer. Command: dot1x timer server-timeout server-timeout-value Remarks: The default is 100 seconds.
Configuring the online user handshake function The online user handshake function checks the connectivity status of online 802.1X users.
Enabling the proxy detection function The proxy detection function prevents users from using an authenticated 802.1X client as a network access proxy to bypass monitoring and accounting. When a user is detected accessing the network through a proxy, the network access device can send traps to the network management system or log the user off by sending an offline message.
Configuration guidelines Follow these guidelines when you configure the authentication trigger function: • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication. • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication. • To avoid duplicate authentication packets, do not enable both triggers on a port.
Configuring the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response. To configure the quiet timer:
Step 1. Enter system view. Command: system-view Remarks: N/A
Step 2. Enable the quiet timer. Command: dot1x quiet-period Remarks: By default, the timer is disabled.
3.
If no critical VLAN is configured, an unreachable RADIUS server can cause an online user being re-authenticated to be logged off. If a critical VLAN is configured, the user remains online and in the original VLAN. Configuring an 802.1X guest VLAN Follow these guidelines when you configure an 802.1X guest VLAN: • You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different. • Assign different IDs to the voice VLAN, the port VLAN, and the 802.
Feature Relationship description Reference Port intrusion protection on a port that performs MAC-based access control The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. See "Configuring port security." Before configuring an 802.1X Auth-Fail VLAN, complete the following tasks: • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.
Step 1. Enter system view. Command: system-view Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number Remarks: N/A
Step 3. Configure an 802.1X critical VLAN on the port. Command: dot1x critical vlan vlan-id Remarks: By default, no critical VLAN is configured.
Step 4. Configure the port to trigger 802.1X authentication on detection of a reachable authentication server for users in the critical VLAN. Remarks: Optional.
Task Command Remarks Display 802.1X session information, statistics, or configuration information of specified or all ports. display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Available in any view. Clear 802.1X statistics. reset dot1x statistics [ interface interface-list ] Available in user view. 802.1X authentication configuration example Network requirements As shown in Figure 37, the Router performs 802.
4. Configure user accounts for the 802.1X users on the Router: # Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.) system-view [Router] local-user localuser [Router-luser-localuser] service-type lan-access [Router-luser-localuser] password simple localpass # Configure the idle cut function to log off any online user that has been idle for 20 minutes.
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain. [Router] domain default enable aabbcc.net 7. Configure 802.1X: # Enable 802.1X globally. [Router] dot1x # Enable 802.1X on port GigabitEthernet 3/0/1. [Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] dot1x [Router-GigabitEthernet3/0/1] quit # Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.
Figure 38 Network diagram Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands on the Router. The configuration on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. 1. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown.) 2.
4. Configure a RADIUS scheme: # Configure RADIUS scheme 2000 and enter its view. system-view [Router] radius scheme 2000 # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets. [Router-radius-2000] primary authentication 10.11.1.1 1812 [Router-radius-2000] primary accounting 10.11.1.
802.1X with ACL assignment configuration example Network requirements As shown in Figure 39, the host at 192.168.1.10 connects to port GigabitEthernet 3/0/1 of Router. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to GigabitEthernet 3/0/1 to deny the access of 802.1X users to the FTP server at 10.0.0.1/24 on weekdays during business hours from 8:00 to 18:00.
# Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain. [Router] domain 2000 [Router-isp-2000] authentication default radius-scheme 2000 [Router-isp-2000] authorization default radius-scheme 2000 [Router-isp-2000] accounting default radius-scheme 2000 [Router-isp-2000] quit # Configure a time range ftp for the weekdays from 8:00 to 18:00. [Router] time-range ftp 8:00 to 18:00 working-day # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.
Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, Router, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
If you use free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both guest VLAN and Auth-Fail VLAN. Users can access only the free IP segments. To configure a free IP:
Step 1. Enter system view. Command: system-view Remarks: N/A
Step 2. Configure a free IP. Command: dot1x free-ip ip-address { mask-address | mask-length } Remarks: By default, no free IP is configured.
Configuring the redirect URL
Step 1. Enter system view. Command: system-view Remarks: N/A
2.
EAD fast deployment configuration example Network requirements As shown in Figure 40, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 3/0/1 of Router, and they use DHCP to obtain IP addresses. Deploy EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network. To allow all intranet users to install and update 802.1X client program from a web server, configure the following: • Allow unauthenticated users to access the segment of 192.
2. Configure DHCP relay: # Enable DHCP. system-view [Router] dhcp enable # Configure a DHCP server for a DHCP server group. [Router] dhcp relay server-group 1 ip 192.168.2.2 # Enable the relay agent on VLAN interface 2. [Router] interface vlan-interface 2 [Router-Vlan-interface2] dhcp select relay # Correlate VLAN interface 2 to the DHCP server group. [Router-Vlan-interface2] dhcp relay server-select 1 [Router-Vlan-interface2] quit 3. Configure a RADIUS scheme and an ISP domain.
The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service. Enter the external website address in dotted decimal notation, for example, 3.3.3.3 or http://3.3.3.3, in the address bar.
Configuring MAC authentication MAC authentication is available only for SAP modules that are operating in bridge mode. Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
• If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication. For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.
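As an added example that is not part of the HP guide, the Python below derives the credentials the access device submits for a client in each of the two account modes just described (the client's own MAC address as username and password, or a configured shared account) and sorts the entries of a connection listing by which mode they used. The MAC spellings follow the formats used in this chapter's examples; the shared account name and the sample output lines are constructed.

```python
"""Added example (not from the HP guide): MAC authentication credential modes."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept the Comware dotted form (00e0-fc12-3456), colon or hyphen forms in any
    case, and return the lowercase hyphenated form used in usernames (00-e0-fc-12-34-56)."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_credentials(mac: str, domain: str, shared_account=None, with_domain=True):
    """Return the (username, password) pair the access device sends to the server.
    MAC-based account mode (shared_account is None): the MAC is both username and password.
    Shared account mode: the configured (username, password) pair is used for every client.
    with_domain models the RADIUS scheme's user-name-format with-domain / without-domain."""
    if shared_account is None:
        user = pwd = normalize_mac(mac)
    else:
        user, pwd = shared_account
    if with_domain:
        user = f"{user}@{domain}"
    return user, pwd


# Matches the Username and MAC fields of a connection listing line.
_CONN = re.compile(r"Username=(?P<user>\S+)\s.*?MAC=(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})")


def classify_connections(lines):
    """For each connection line, report whether the account name is the client's own
    MAC (MAC-based mode) or something else (a shared account)."""
    result = []
    for line in lines:
        m = _CONN.search(line)
        if not m:
            continue
        account = m.group("user").split("@", 1)[0]
        mac = normalize_mac(m.group("mac"))
        result.append((m.group("user"), "mac-based" if account == mac else "shared-account"))
    return result


# Constructed sample lines in the layout of the connection output shown in this chapter.
SAMPLE_OUTPUT = [
    "Index=52 , Username=00-e0-fc-12-34-56@aabbcc.net IP=N/A IPv6=N/A MAC=00e0-fc12-3456",
    "Index=53 , Username=aaa@2000 IP=N/A IPv6=N/A MAC=00e0-fc12-3457",
]
```
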
Task Remarks Basic configuration for MAC authentication: • Configuring MAC authentication globally • Configuring MAC authentication on a port Required. Specifying a MAC authentication domain Optional. Basic configuration for MAC authentication Before you perform basic configuration for MAC authentication, complete the following tasks: • Create and configure an authentication domain, also called "an ISP domain.
Configuring MAC authentication on a port You cannot add a MAC authentication-enabled port to a link aggregation group, or enable MAC authentication on a port already in a link aggregation group. To configure MAC authentication on a port:
Step 1. Enter system view. Command: system-view Remarks: N/A
Step 2. Enable MAC authentication in system view or interface view. Command: • In system view: mac-authentication interface interface-list • In interface view: a.
Step 2. Specify an authentication domain for MAC authentication users in system view or interface view. Command: • In system view: mac-authentication domain domain-name • In interface view: a. interface interface-type interface-number b. mac-authentication domain domain-name Remarks: By default, the system default authentication domain is used for MAC authentication users.
Displaying and maintaining MAC authentication Task Command Remarks Display MAC authentication information.
[Router] local-user 00-e0-fc-12-34-56 [Router-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Router-luser-00-e0-fc-12-34-56] service-type lan-access [Router-luser-00-e0-fc-12-34-56] quit # Configure ISP domain aabbcc.net to perform local authentication for LAN access users. [Router] domain aabbcc.net [Router-isp-aabbcc.net] authentication lan-access local [Router-isp-aabbcc.net] quit # Enable MAC authentication globally.
Slot: 3 Index=52 , Username=00-15-e9-43-82-73@aabbcc.net IP=N/A IPv6=N/A MAC=00e0-fc12-3456 Total 1 connection(s) matched on slot 3. Total 1 connection(s) matched. RADIUS-based MAC authentication configuration example Network requirements As shown in Figure 42, a host connects to port GigabitEthernet 3/0/1 on the router. The router uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 3/0/1 to control Internet access.
[Router-radius-2000] quit # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting. [Router] domain 2000 [Router-isp-2000] authentication default radius-scheme 2000 [Router-isp-2000] authorization default radius-scheme 2000 [Router-isp-2000] accounting default radius-scheme 2000 [Router-isp-2000] quit # Enable MAC authentication globally. [Router] mac-authentication # Enable MAC authentication on port GigabitEthernet 3/0/1.
Index=52 , Username=aaa@2000 IP=N/A IPv6=N/A MAC=00e0-fc12-3456 Total 1 connection(s) matched on slot 3. Total 1 connection(s) matched. ACL assignment configuration example Network requirements As shown in Figure 43, a host connects to port GigabitEthernet 3/0/1 of the router, and the router uses RADIUS servers to perform authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 3/0/1 to control Internet access.
[Sysname-radius-2000] user-name-format without-domain [Sysname-radius-2000] quit # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting. [Sysname] domain 2000 [Sysname-isp-2000] authentication default radius-scheme 2000 [Sysname-isp-2000] authorization default radius-scheme 2000 [Sysname-isp-2000] accounting default radius-scheme 2000 [Sysname-isp-2000] quit # Enable MAC authentication globally.
Configuring portal authentication Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting. Overview Portal authentication helps control access to the Internet. Portal authentication is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page.
Figure 44 Portal system components (components shown: authentication clients, security policy server, access device, portal server, authentication/accounting server)
Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal such as a PC. A client can use a browser or portal client software for portal authentication.
Security policy server A security policy server interacts with authentication clients and access devices for security check and resource authorization. The components of a portal system interact as follows: 1. When an unauthenticated user enters a website address in the browser's address bar to access the Internet, an HTTP request is created and sent to the access device. The access device then redirects the HTTP request to the portal server's Web authentication homepage.
• Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to be present between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client's IP address is used for client identification.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) Figure 46 Direct authentication/cross-subnet authentication process The direct authentication/cross-subnet authentication process is as follows: 1. An authentication client initiates authentication by sending an HTTP request.
Re-DHCP authentication process (with CHAP/PAP authentication)
Figure 47 Re-DHCP authentication process (participants: authentication client, portal server, access device, authentication/accounting server, security policy server; steps shown: 1) Initiate a connection, 2) CHAP authentication, 3) Authentication request, 4) RADIUS authentication (timer), 5) Authentication reply, 6) Authentication succeeds, 7) The user obtains a new IP address, 8) Discover user IP change, 9) Detect user IP change, 10) Notify login success, 11) IP change acknowledg
Portal support for EAP authentication process Figure 48 Portal support for EAP authentication process All portal authentication modes share the same EAP authentication steps. The following example uses direct portal authentication to show the EAP authentication process: 1. The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process. 2.
8. The access device sends an authentication reply to the portal server. This reply carries the EAP-Success message in the EAP-Message attribute. 9. The portal server notifies the authentication client of the authentication success. 10. The portal server sends an authentication reply acknowledgment to the access device. The remaining steps are for extended portal authentication. For more information about the steps, see the portal authentication process with CHAP/PAP authentication.
Task: Controlling access of portal users: Configuring a portal-free rule; Configuring an authentication source; Configuring an authentication destination subnet. Remarks: Optional.
Task: Setting the maximum number of online portal
Task: Specifying an authentication domain for portal users
Task: Configuring RADIUS related: Specifying the NAS ID value carried in a RADIUS request; Specifying NAS-Port-Type for an; Specifying the NAS-Port-ID for an. Remarks: Optional.
You can modify the authorized ACLs on the access device. However, your changes take effect only on portal users logging on after the modification. Specifying a portal server for Layer 3 portal authentication Perform this task to specify portal server parameters for Layer 3 portal authentication, including the portal server IP address, shared encryption key, server port, and the URL address for Web authentication.
Configuration prerequisites Before enabling Layer 3 portal authentication on an interface, make sure: • An IP address is configured for the interface. • The interface is not added to any port aggregation group. • The portal server to be referenced on the interface exists. Configuration procedure To enable Layer 3 portal authentication: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view.
Step 2. Command Configure a portal-free rule.
Configuring an authentication destination subnet By configuring authentication destination subnets, you specify that only users accessing the specified subnets (excluding the destination IP addresses and subnets specified in portal-free rules) trigger portal authentication. Users can access other subnets without portal authentication. If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnet takes effect.
interface, ignoring the domain names carried in the usernames. This allows you to specify different authentication domains for different interfaces as needed. To specify the authentication domain for portal users on an interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Specify an authentication domain for portal users on the interface.
NAS-Port-Type value as that in the RADIUS request to be sent to the RADIUS server. If NAS-Port-Type is not specified, the device uses the access port type obtained. If there are multiple network devices between the Broadband Access Server (the portal authentication access device) and a portal client, the BAS may not be able to obtain a user's correct access port information. To specify the NAS-Port-Type value for an interface: Step Command Remarks 1. Enter system view. system-view N/A 2.
• If the NAS ID is configured using the portal nas-id command, the device uses the configured NAS ID as that of the interface. • If the interface does not support NAS ID configuration, or has no NAS ID configured, the device uses the device name as the interface NAS ID. To configure a NAS ID profile on an interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Create a NAS ID profile and enter NAS ID profile view.
After the access device is configured with a device ID, the redirection URL that the access device sends to a portal client carries the parameter wlanacname and an XML value. The XML value is the configured device ID. The portal server uses this configured device ID to determine which access device a portal client is using.
To specify a device ID for a device:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Specify a device ID for the device.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Configure online Layer 3 portal user detection. Command: access-user detect type { arp | icmp } retransmit number interval interval [ idle-time idletime ]. Remarks: Not configured by default.
NOTE: Adjust the maximum number of transmission attempts and the interval of sending probe packets according to the actual network conditions.
- Sending a log—When the status of a portal server changes, the access device sends a log message. The log message indicates the portal server name and the current state and original state of the portal server.
- Disabling portal authentication (enabling portal authentication bypass)—When the device detects that a portal server is unreachable, it disables portal authentication on the interfaces that use the portal server (allows all portal users on the interfaces to access network resources).
user-sync command), it considers that the user does not exist on the portal server and logs the user off.
To configure the portal user information synchronization function:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Configure the portal user information synchronization function. Command: portal server server-name user-sync [ interval interval ] [ retry retries ]. Remarks: Not configured by default. The portal server specified in the command must exist.
Task: Display information about a portal-free rule or all portal-free rules. Command: display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display the portal configuration of a specific interface. Command: display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display information about a specific portal server or all portal servers.
Figure 50 Network diagram (figure not reproduced; addresses shown: Host 2.2.2.2/24 with gateway 2.2.2.1/24; Router GE3/0/2 2.2.2.1/24 and GE3/0/1 192.168.0.100/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24)
Configuration prerequisites
Configure IP addresses for the host, router, and servers as shown in Figure 50 and make sure that they can reach each other. Configure the RADIUS server properly to provide authentication/authorization functions for users.
a. Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page.
b. Click Add to enter the page shown in Figure 52.
c. Enter the IP group name.
d. Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group.
e. Select a service group. By default, the group Ungrouped is used.
f. Select the IP group type Normal.
g. Click OK.
Figure 52 Adding an IP address group
3.
Figure 53 Adding a portal device
4. Associate the portal device with the IP address group.
a. As shown in Figure 54, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.
Figure 54 Device list
b. On the port group configuration page, click Add to enter the page shown in Figure 55. Perform the following configurations:
c. Enter the port group name.
d. Select the configured IP address group.
Configuring the router
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Router-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.
The user can initiate portal authentication by using the HP iNode client or by accessing a webpage. All the initiated Web requests are redirected to the portal authentication page http://192.168.0.111:8080/portal. Before passing portal authentication, the user can access only the authentication page. After passing portal authentication, the user can access Internet resources.
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 56 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server properly to provide authentication and authorization functions for users.
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown.
# Configure the portal server as follows:
- Name: newpt
- IP address: 192.168.0.111
- Key: portal, in plain text
- Port number: 50100
- URL: http://192.168.0.111:8080/portal
[Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Configure the router as a DHCP relay agent, and enable the IP address check function.
[Router] dhcp enable
[Router] dhcp relay server-group 0 ip 192.168.0.
• Configure the RADIUS server properly to provide authentication and authorization functions for users.
• Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
Configuration procedure
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
[RouterA-GigabitEthernet3/0/2] quit
On Router B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.)
Configuring direct portal authentication with extended functions
Network requirements
As shown in Figure 58, the host is assigned with a public network IP address either manually or through DHCP. Configure the router to perform extended direct portal authentication for users on the host.
[Router-radius-rs1] primary authentication 192.168.0.112
[Router-radius-rs1] key authentication radius
[Router-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[Router-radius-rs1] security-policy-server 192.168.0.113
[Router-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
Configuring re-DHCP portal authentication with extended functions Network requirements As shown in Figure 59, the host obtains an IP address from the DHCP server. Configure the router to perform extended re-DHCP portal authentication for users on the host. Before a user passes portal authentication, the DHCP server assigns a private IP address to the host. After the user passes portal authentication, the DHCP server assigns a public IP address to the host.
Configuration procedure
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Router-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.
- URL: http://192.168.0.111:8080/portal
[Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Configure the router as a DHCP relay agent, and enable the IP address check function.
[Router] dhcp enable
[Router] dhcp relay server-group 0 ip 192.168.0.112
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] ip address 20.20.20.1 255.255.255.0
[Router-GigabitEthernet3/0/2] ip address 10.0.0.1 255.255.255.
• Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
Configuration procedure
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[RouterA] radius scheme rs1
# Set the server type for the RADIUS scheme.
- Key: portal, in plain text
- Port number: 50100
- URL: http://192.168.0.111:8080/portal
[RouterA] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting Router B.
[RouterA] interface gigabitethernet 3/0/2
[RouterA-GigabitEthernet3/0/2] portal server newpt method layer3
[RouterA-GigabitEthernet3/0/2] quit
On Router B, configure a default route to subnet 192.168.0.
3. Configure direct portal authentication on interface GigabitEthernet 3/0/2, which is directly connected with the host. 4. Configure the portal server detection function on the access device, so that the access device can detect the status of the portal server by cooperating with the portal server heartbeat function. 5.
c. Enter the IP group name.
d. Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group.
e. Select a service group. By default, the group Ungrouped is used.
f. Select the IP group type Normal.
g. Click OK.
Figure 63 Adding an IP address group
3. Add a portal device:
a. Select User Access Manager > Portal Service > Device from the navigation tree to enter the portal device configuration page.
b. Click Add to enter the page shown in Figure 64.
c.
4. Associate the portal device with the IP address group:
a. As shown in Figure 65, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.
Figure 65 Device list
b. On the port group configuration page, click Add to enter the page shown in Figure 66.
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
e.
[Router-radius-rs1] user-name-format without-domain
[Router-radius-rs1] quit
2. Configure an authentication domain:
# Create ISP domain dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users.
1)newpt:
 IP     : 192.168.0.111
 Key    : ******
 Port   : 50100
 URL    : http://192.168.0.111:8080/portal
 Status : Up
The Up state of the portal server indicates that the portal server is reachable.
# Specify the primary authentication/authorization server, and configure the keys for communication with the servers.
[RouterA-radius-rs1] primary authentication 192.168.0.111
[RouterA-radius-rs1] key authentication simple radius
# Configure the device to not carry the ISP domain name in the username sent to the RADIUS server.
[RouterA-radius-rs1] user-name-format without-domain
# Specify the source IP address for RADIUS packets to be sent as 3.3.0.3.
Work-mode:stand-alone
VPN instance:vpn1
MAC              IP          Vlan   Interface
---------------------------------------------------------------------------
000d-88f7-c268   3.3.0.1     0      GigabitEthernet3/0/1
Total 1 user(s) matched, 1 listed.
Troubleshooting portal
Inconsistent keys on the access device and the portal server
Symptom
When a user is forced to access the portal server, the portal server displays a blank webpage, rather than the portal authentication page or an error message.
Solution Use the display portal server command to display the listening port of the portal server configured on the access device and use the portal server command in the system view to modify it to make sure that it is the actual listening port of the portal server.
Configuring port security Overview Port security is available only for SAP modules that are operating in bridge mode. Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port.
Port security modes
Port security supports the following categories of security mode:
• MAC learning control—Includes autoLearn and secure. MAC address learning is permitted on ports in autoLearn mode and disabled on ports in secure mode.
• Authentication—Implements MAC authentication, 802.1X authentication, or a combination of the two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
TIP:
• userLogin specifies 802.1X authentication and port-based access control.
• macAddress specifies MAC authentication.
• Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request.
• Typically, in a security mode with Or, the authentication method to be used depends on the protocol type of the authentication request.
Performing MAC authentication
macAddressWithRadius: A port in this mode performs MAC authentication and services multiple users.
Performing a combination of MAC authentication and 802.1X authentication
• macAddressOrUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes. The port performs MAC authentication 30 seconds after receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
Enabling port security
When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes. Before you enable port security, disable 802.1X and MAC authentication globally.
To enable port security:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable port security.
Setting the port security mode After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode. You can specify a port security mode when port security is disabled, but your configuration cannot take effect.
Configuring port security features
Configuring NTK
The NTK feature checks destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, see Table 8.
The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
Step 3. Configure the intrusion protection feature. Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }. Remarks: By default, intrusion protection is disabled.
Step 4. Return to system view. Command: quit. Remarks: N/A.
Step 5. Set the silence timeout period during which a port remains disabled. Command: port-security timer disableport time-value. Remarks: Optional. 20 seconds by default.
Table 9 A comparison of static, sticky, and dynamic secure MAC addresses
(Columns: Type; Address sources; Can be saved and survive a device reboot?; Aging mechanism)
Type: Static. Address sources: Manually added.
Type: Sticky. Address sources: Manually added, converted from dynamic secure MAC addresses, or automatically learned when the dynamic secure MAC function (port-security mac-address dynamic) is disabled.
Aging mechanism (static and sticky): Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature.
Step 2. Set the secure MAC aging timer. Command: port-security timer autolearn aging time-value. Remarks: Optional. By default, secure MAC addresses do not age out, and you can remove them only by performing the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
Step 3. Configure a secure MAC address. Command (in system view): port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id.
Displaying and maintaining port security
Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports. Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display information about secure MAC addresses.
[Router] port-security trap intrusion
[Router] interface gigabitethernet 3/0/1
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Router-GigabitEthernet3/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Router-GigabitEthernet3/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
# Perform the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message:
#Jul 14 10:39:47:135 2009 Router PORTSEC/4/VIOLATION: -Slot=3; Trap 1.3.6.1.4.1.25506.2.26.1.3.
• Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
Figure 69 Network diagram
Configuration procedure
The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Configuration procedures for the host and RADIUS servers are not shown.
1. Configure the RADIUS protocol:
# Configure a RADIUS scheme named radsun.
[Router] port-security enable
# Add five OUI values.
[Router] port-security oui 1234-0100-1111 index 1
[Router] port-security oui 1234-0200-1111 index 2
[Router] port-security oui 1234-0300-1111 index 3
[Router] port-security oui 1234-0400-1111 index 4
[Router] port-security oui 1234-0500-1111 index 5
[Router] interface gigabitethernet 3/0/1
# Set the port security mode to userLoginWithOUI.
Quiet-interval(min)       : 5
Username format           : without-domain
Data flow unit            : Byte
Packet unit               : one
# Display the configuration of the ISP domain sun.
Proxy logoff checker is disabled
EAD quick deploy is disabled
Configuration: Transmit Period    30 s,  Handshake Period   15 s
               Quiet Period       60 s,  Quiet Period Timer is disabled
               Supp Timeout       30 s,  Server Timeout    100 s
               Reauth Period    3600 s
               The maximal retransmitting times   2
EAD quick deploy configuration:
               EAD timeout:   30m
The maximum 802.1X user resource number is 2048 per slot
Total current used 802.1X resource number is 1
GigabitEthernet3/0/1 is link-up
802.
[Router] display mac-address interface gigabitethernet 3/0/1
MAC ADDR        VLAN ID  STATE    PORT INDEX             AGING TIME(s)
1234-0300-0011  1        Learned  GigabitEthernet3/0/1   AGING
---  1 mac address(es) found  ---
Configuring the macAddressElseUserLoginSecure mode
Network requirements
As shown in Figure 69, a client is connected to the Router through GigabitEthernet 3/0/1. The Router authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
# Set the NTK mode of the port to ntkonly.
[Router-GigabitEthernet3/0/1] port-security ntk-mode ntkonly
[Router-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display the port security configuration.
# Display 802.1X authentication information.
display dot1x interface GigabitEthernet 3/0/1
Equipment 802.
Controlled User(s) amount to 1
As NTK is enabled, frames with an unknown destination MAC address, multicast address, or broadcast address will be discarded.
Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode.
[Router-GigabitEthernet3/0/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
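To make the behaviour described in the port security sections above concrete (autoLearn learning up to max-mac-count and then switching to secure mode, intrusion protection with its silence timer, and NTK in ntkonly mode discarding unknown-unicast, multicast and broadcast frames), here is an added Python model. It is not HP code or the router's implementation; the frame representation, the external clock, and the simplification that a blocked MAC stays blocked are assumptions of this example.

```python
"""Added model of port security behaviour: autoLearn with a MAC-count limit,
the switch to secure mode, intrusion protection and NTK (ntkonly) filtering.
Not HP code; the frame, clock and MAC-string representation are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


def is_group_mac(mac: str) -> bool:
    """Multicast or broadcast: the I/G bit (low bit of the first octet) is set.
    MACs are written in the router's hhhh-hhhh-hhhh notation."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class SecurePort:
    max_mac_count: int = 64                           # port-security max-mac-count
    intrusion_mode: str = "disableport-temporarily"   # blockmac | disableport | disableport-temporarily
    disableport_timer: float = 20.0                   # port-security timer disableport, 20 s by default
    ntk_mode: Optional[str] = None                    # None (NTK off) or "ntkonly"
    mode: str = "autolearn"                           # becomes "secure" once the limit is reached
    secure_macs: Set[str] = field(default_factory=set)
    blocked_macs: Set[str] = field(default_factory=set)
    disabled_until: Optional[float] = None            # None = port up, inf = shut down permanently
    traps: List[str] = field(default_factory=list)

    def port_up(self, now: float) -> bool:
        """Re-enable the port once the silence timeout has expired."""
        if self.disabled_until is None:
            return True
        if now >= self.disabled_until:
            self.disabled_until = None
            return True
        return False

    def _intrusion(self, src: str, now: float) -> None:
        """Intrusion protection: record the violation trap and apply the action."""
        self.traps.append(f"PORTSEC/4/VIOLATION src={src} t={now:.0f}")
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src)                # assumption: no unblock timer modelled
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        else:
            self.disabled_until = now + self.disableport_timer

    def inbound(self, src: str, now: float) -> bool:
        """Handle an inbound frame by source MAC; True means the frame is accepted."""
        if not self.port_up(now) or src in self.blocked_macs:
            return False
        if src in self.secure_macs:
            return True
        if self.mode == "autolearn":
            self.secure_macs.add(src)                 # learn it as a secure MAC
            if len(self.secure_macs) >= self.max_mac_count:
                self.mode = "secure"                  # limit reached: learning stops
            return True
        self._intrusion(src, now)                     # secure mode, unknown source MAC
        return False

    def outbound(self, dst: str, now: float) -> bool:
        """NTK check on an outbound frame by destination MAC."""
        if not self.port_up(now):
            return False
        if self.ntk_mode is None:
            return True
        # ntkonly: forward only unicast frames to authenticated (secure) MACs;
        # unknown unicast, multicast and broadcast destinations are discarded.
        return not is_group_mac(dst) and dst in self.secure_macs
```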
Cannot change port security mode when a user is online
Symptom
Port security mode cannot be changed when an 802.1X authenticated or MAC authenticated user is online.
[Router-GigabitEthernet3/0/1] undo port-security port-mode
Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet3/0/1.
Analysis
Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online.
Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create a user profile, and enter its view. Command: user-profile profile-name. Remarks: You can use the command to enter the view of an existing user profile.
Performing configurations in user profile view
After a user profile is created, perform configurations in user profile view. The configuration made in user profile view takes effect when the user profile is enabled and a user using the user profile goes online.
Configuring password control
Overview
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
• Minimum password length
By setting a minimum password length, you can require users to use passwords that are long enough for system security.
• Password history With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the history passwords and the current password. The new password must be different from the used ones by at least four characters and the four characters must not be the same. Otherwise, the user will fail to change the password and the system displays an error message.
Password combination level | Minimum number of character types | Minimum number of characters for each type
Level 3 | Three | One
Level 4 | Four | One
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password. When a user sets or changes the password, the system checks if the password meets the composition requirement. If not, the system displays an error message.
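The composition and history checks described above, as an added Python illustration (not HP's implementation). The four character types, and the position-by-position reading of "different from the used ones by at least four characters", are assumptions of this example; type_length corresponds to the type-length parameter used in the configuration example later in this section.

```python
"""Added illustration of the password composition and history checks
described in this section. Not HP's implementation."""
import string
from typing import Iterable, Tuple

# Assumption: the four character types are upper case, lower case, digits and
# the printable punctuation characters.
CHARACTER_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def count_types(password: str, type_length: int = 1) -> int:
    """Number of character types that appear at least type_length times."""
    present = 0
    for chars in CHARACTER_TYPES.values():
        if sum(1 for c in password if c in chars) >= type_length:
            present += 1
    return present


def meets_composition(password: str, level: int, type_length: int = 1,
                      fips_mode: bool = False) -> bool:
    """Composition level N requires at least N character types, each with at
    least type_length characters. In FIPS mode only level 4 is available."""
    if not 1 <= level <= 4:
        raise ValueError("composition level must be 1 to 4")
    if fips_mode and level != 4:
        raise ValueError("only the level 4 combination is available in FIPS mode")
    return count_types(password, type_length) >= level


def differs_enough(new: str, old: str, min_diff: int = 4) -> bool:
    """History rule, interpreted position by position (assumption): at least
    min_diff positions must differ, and the differing characters must not all
    be the same character."""
    differing = [n for n, o in zip(new, old) if n != o]
    differing.extend(new[len(old):])   # extra trailing characters count as differences
    return len(differing) >= min_diff and len(set(differing)) > 1


def check_new_password(new: str, current: str, history: Iterable[str],
                       level: int = 2, type_length: int = 1,
                       fips_mode: bool = False) -> Tuple[bool, str]:
    """Apply the composition check, then compare the new password against the
    current password and every history record. Returns (accepted, reason)."""
    if not meets_composition(new, level, type_length, fips_mode):
        return False, "composition requirement not met"
    for old in [current, *history]:
        if not differs_enough(new, old):
            return False, "too similar to a previously used password"
    return True, "ok"
```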
Password control configuration task list
The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:
• Settings for super passwords apply only to super passwords.
• Settings in local user view apply only to the password of the local user.
- Password composition checking
To enable password control:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable the global password control feature. Command: password-control enable. Remarks: By default, the global password control feature is disabled.
Step 3. Enable a specific password control function. Command: password-control { aging | composition | history | length } enable. Remarks: Optional. All of the four password control functions are enabled by default.
Step 7. Set the maximum number of history password records for each user. Command: password-control history max-record-num. Remarks: Optional. 4 by default.
Step 8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Remarks: Optional.
Setting local user password control parameters
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create a local user and enter local user view. Command: local-user user-name. Remarks: N/A.
Step 3. Configure the password aging time for the local user. Command: password-control aging aging-time. Remarks: Optional. By default, the setting equals that for the user group to which the local user belongs. If no aging time is configured for the user group, the global setting applies to the local user.
Step 4.
Step 3. Configure the minimum length for super passwords. Command: password-control super length length. Remarks: Optional. By default, the minimum super password length is the same as the global minimum password length.
Step 4. Configure the password composition policy for super passwords. Command: password-control super composition type-number type-number [ type-length type-length ]. Remarks: Optional. By default, the super password composition policy is the same as the global password composition policy.
Password control configuration example
Network requirements
Implement the following global password control policy:
• An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
• A user can log in five times within 60 days after the password expires.
• The password expires after 30 days.
• The minimum password update interval is 36 hours.
• The maximum account idle time is 30 days.
[Sysname] super password level 3 simple 12345ABGFTweuix
# Create a local user named test.
[Sysname] local-user test
# Set the service type of the user to Telnet.
[Sysname-luser-test] service-type telnet
# Set the minimum password length to 12 for the local user.
[Sysname-luser-test] password-control length 12
# Specify that the passwords of the local user must contain at least two types of valid characters and each type contains at least five characters.
State: Active
ServiceType: telnet
Access-limit: Disable
User-group: system
Current AccessNum: 0
Bind attributes:
Authorization attributes:
Password aging: Enabled (20 days)
Password length: Enabled (12 characters)
Password composition: Enabled (2 types,
Total 1 local user(s) matched.
Configuring RSH Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. Windows NT, 2000, XP, and 2003 are shipped with no RSH daemon. The RSH daemon must be separately obtained and installed on the remote host. The RSH daemon supports authentication of an RSH client by the username. Figure 70 shows a network diagram for the typical RSH application. Figure 70 RSH application Configuration prerequisites • Run RSH daemon on the remote host.
Figure 71 Network diagram
Configuration Procedure
1. Check that the RSH daemon has been installed and started properly on the remote host:
a. From the Windows Control Panel, open the Administrative Tools folder. (For Windows XP, if you use the category view of the Control Panel window, select Administrative Tools from Performance and Maintenance.)
Figure 72 Administrative Tools folder
b. Double-click the Services icon to display the Services window.
Figure 73 Services window
c.
d. Look at the Status column to check whether the Remote Shell Daemon service is started. In this example, the service is not started yet.
e. Double-click the Remote Shell Daemon service row, and then in the Remote Shell Daemon Properties window that pops up, click Start to start the service, as shown in Figure 74.
Figure 74 Remote Shell Daemon Properties window
2. Configure the router:
# Configure a route to the remote host. (Details not shown.)
# Set the time of the host remotely.
rsh 192.168.1.
Managing public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 75.
Configuring a local asymmetric key pair on the local device:
• Creating a local asymmetric key pair
• Displaying or exporting the local host public key
• Destroying a local asymmetric key pair
• Exporting an RSA key pair
• Importing an RSA key pair
Remarks: Choose one or more tasks.
Exporting an RSA key pair
To copy a local RSA key pair to another device, you must export the RSA key pair on the local device and then import it to the target router. For information about importing an RSA key pair, see "Importing an RSA key pair."
To export an RSA key pair:
Enter system view.
Creating a local asymmetric key pair When you create an asymmetric key pair on the local device, follow these guidelines: • Create an asymmetric key pair of the proper type to work with a target application. • After you enter the command, specify a proper modulus length for the key pair. The following table compares these types of key pairs.
Displaying and recording the host public key information
Task: Display the local RSA public keys. Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ].
Task: Display the local DSA host public key. Command: display public-key local dsa public [ | { begin | exclude | include } regular-expression ].
Remarks (both tasks): Available in any view. Use at least one command. The display public-key local rsa public command displays both the RSA server and host public keys.
After you export the host public key in a specific format to a file, transfer the file to the peer device. Destroying a local asymmetric key pair You might have to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the local certificate expires. For more information about the local certificate, see "Configuring PKI.
Step 2. Import an RSA key pair. Command: public-key local import rsa name key-name pem. Remarks: After you execute the public-key local import command, copy the private key of the RSA key pair at the prompt (the public key is included in the private key), press Ctrl+C, and then enter the password used to encrypt the RSA key pair when the key pair was exported. You cannot use an imported RSA key pair as the default RSA key pair. The RSA key pair to be imported must be in PEM format.
Step 2. Specify a name for the public key and enter public key view. Command: public-key peer keyname. Remarks: N/A.
Step 3. Enter public key code view. Command: public-key-code begin. Remarks: N/A.
Step 4. Configure the peer public key. Command: Type or copy the key. Remarks: Spaces and carriage returns are allowed between characters.
Step 5. Return to public key view. Command: public-key-code end. Remarks: When you exit public key code view, the system automatically saves the public key.
Step 6. Return to system view.
system-view
[RouterA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
Public key code view: return to last view with "public-key-code end".
system-view
[RouterA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
[RouterA-luser-ftp] service-type ftp
[RouterA-luser-ftp] authorization-attribute level 3
[RouterA-luser-ftp] quit
3. From Router B, use FTP to log in to Router A, and get the public key file routera.pub with the file transfer mode of binary.
ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] get routera.
Exporting and importing an RSA key pair

Network requirements
Create and export an RSA key pair on Router A, and then import the key pair to Router B.
Figure 78 Network diagram

Configuration procedure
1. Configure Router A:
# Create a local RSA key pair named rsa1 with the default modulus length of 1024 bits.
system-view
[RouterA] public-key local create rsa name rsa1
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
gHP4+NF4PC9B1/GZoAYUp+171p1QwPk0vyU3TXijueqVUpQBUHGxSE0UW+SS1iwL
8vsSLHIwK4aZ77Z1o+Uw1QBoqw9jpubG4gUkX8RII8E8b13I6/QTH78E4/FgAmIQ
HTYnE2RDHXkhPGR5FGJsZnd21XLvd2BEkGGmhTk80nDeiI2XH3D48E6UahQwcam/
q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV
0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg==
-----END RSA PRIVATE KEY-----
Copy the private key (starting from -----BEGIN RSA PRIVATE KEY-----) to a file for later import.
2.
04C7F80D81F40B18105A88DFDE1802279062906F8DC65872A1F763F7BF471548D709118494C5F622
0E58D5F2722A7A183999075EB494828DB7843855A81A0E701C1CDC15BBEF136329308DC179CD9D38
BB30203010001
# Display the public key information of local RSA key pairs on Router A.
Configuring PKI

Overview
The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret, but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other. A key problem with PKI is how to manage the public keys.
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.
PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it works:
1. An entity submits a certificate request to the RA.
2. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA.
3. The CA verifies the digital signature, approves the application, and issues a certificate.
4.
Task: Manually requesting a certificate. Remarks: Use either method.
Task: Obtaining certificates. Remarks: Optional.
Task: Verifying PKI certificates. Remarks: Optional.
Task: Destroying the local RSA key pair. Remarks: Optional.
Task: Removing a certificate. Remarks: Optional.
Task: Configuring an access control policy. Remarks: Optional.

Configuring a PKI entity
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN).
Step 4. Configure the country code for the entity. Command: country country-code-str. Remarks: Optional. No country code is specified by default.
Step 5. Configure the FQDN for the entity. Command: fqdn name-str. Remarks: Optional. No FQDN is specified by default.
Step 6. Configure the IP address for the entity. Command: ip ip-address. Remarks: Optional. No IP address is specified by default.
Step 7. Configure the locality for the entity. Command: locality locality-name. Remarks: Optional. No locality is specified by default.
Step 8.
needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.
• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to configure the IP address of the LDAP server.
Requesting a certificate
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means such as phone, disk, or email.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
If a PKI domain already has a CA certificate, you cannot obtain another CA certificate for it. This restriction helps avoid inconsistency between the certificate and registration information resulting from configuration changes. To obtain a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first. Be sure that the device system time falls in the validity period of the certificate so that the certificate is valid.
Step 5. Enable CRL checking. Command: crl check enable. Remarks: Optional. Enabled by default.
Step 6. Return to system view. Command: quit. Remarks: N/A.
Step 7. Obtain the CA certificate. Command: See "Obtaining certificates." Remarks: N/A.
Step 8. Obtain the CRLs. Command: pki retrieval-crl domain domain-name. Remarks: N/A.
Step 9. Verify the validity of a certificate. Command: pki validate-certificate { ca | local } domain domain-name. Remarks: This command is not saved in the configuration file.

Verifying PKI certificates without CRL checking
Step 1.
Step 1. Enter system view. Command: system-view.
Step 2. Delete certificates. Command: pki delete-certificate { ca | local } domain domain-name.

Configuring an access control policy
By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
To configure a certificate attribute-based access control policy:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2.
Task: Display information about one or all certificate attribute-based access control policies. Command: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.

PKI configuration examples
The SCEP add-on is required when you use the Windows Server as the CA.
After the configuration, make sure the system clock of the device is synchronized with that of the CA, so that the device can request certificates and obtain CRLs properly.

Configuring the router
1. Configure the entity DN:
# Configure the entity name as aaa and the common name as router.
system-view
[Router] pki entity aaa
[Router-pki-entity-aaa] common-name router
[Router-pki-entity-aaa] quit
2. Configure the PKI domain:
# Create PKI domain torsa and enter its view.
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
# Obtain CRLs and save them locally.
[Router] pki retrieval-crl domain torsa
Connecting to server for retrieving CRL. Please wait a while.....
CRL retrieval success!
# Request a local certificate manually.
[Router] pki request-certificate domain torsa challenge-word
Certificate is being requested, please wait......
[Router]
Enrolling the local certificate,please wait a while..
2B
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
URI:http://4.4.4.133:447/myca.crl
You can also use the display pki certificate ca domain and display pki crl domain commands to display detailed information about the CA certificate and CRLs.

Certificate request from a Windows 2003 CA server

Network requirements
Configure PKI entity Router to request a local certificate from the CA server.
Figure 81 Network diagram

Configuring the CA server
1.
To avoid conflict with existing services, specify an available port number as the TCP port number of the default website.
After completing the configuration, check that the system clock of the router is synchronized with that of the CA server, so that the router can request a certificate normally.

Configuring the router
1. Configure the entity DN:
# Configure the entity name as aaa and the common name as router.
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
# Request a local certificate manually.
[Router] pki request-certificate domain torsa challenge-word
Certificate is being requested, please wait......
[Router]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
X509v3 CRL Distribution Points:
URI:http://l00192b/CertEnroll/CA%20server.crl
URI:file://\\l00192b\CertEnroll\CA server.crl
Authority Information Access:
CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
You can also use the display pki certificate ca domain command to display more information about the CA certificate.
# Configure the entity DN.
system-view
[RouterA] pki entity en
[RouterA-pki-entity-en] ip 2.2.2.1
[RouterA-pki-entity-en] common-name routera
[RouterA-pki-entity-en] quit
# Configure the PKI domain. The URL of the registration server varies with the CA server.
[RouterA] pki domain 1
[RouterA-pki-domain-1] ca identifier CA1
[RouterA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.
[RouterB-pki-domain-1] certificate request from ra
# Configure the CRL distribution URL. This is not necessary if CRL checking is disabled.
[RouterB-pki-domain-1] crl url ldap://1.1.1.102
[RouterB-pki-domain-1] quit
# Create a local key pair using RSA.
[RouterB] public-key local create rsa
# Request a certificate.
NOTE: The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a PKI domain, see "Configuring a PKI domain."
1. Configure the HTTPS server.
# Configure the SSL policy for the HTTPS server to use.
system-view
[Router] ssl server-policy myssl
[Router-ssl-server-policy-myssl] pki-domain 1
[Router-ssl-server-policy-myssl] client-verify enable
[Router-ssl-server-policy-myssl] quit
2. Configure the certificate attribute group.
Troubleshooting PKI

Failed to obtain a CA certificate
Symptom
Failed to obtain a CA certificate.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No trusted CA is specified.
• The URL of the registration server for certificate request is not correct or not configured.
• No authority is specified for certificate request.
• The system clock of the device is not synchronized with that of the CA.
1.
5. Use the ping command to verify that the RA server is reachable.
6. Specify the authority for certificate request.
7. Configure the required entity DN parameters.

Failed to obtain CRLs
Symptom
Failed to obtain CRLs.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No CA certificate has been obtained before you try to obtain CRLs.
• The IP address of the LDAP server is not configured.
Configuring IPsec
Unless otherwise specified, the term "IKE" in this chapter refers to IKE version 1.

Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.
encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. Authentication is optional for ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 84 shows the format of IPsec packets.
Figure 84 Encapsulation by security protocols in different modes

Authentication algorithms and encryption algorithms
1. Authentication algorithms: IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. Each IPsec peer calculates the message digest of a packet; if the resulting digests are identical, the packet is considered intact.
IPsec tunnel interface
An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets, including multicast packets, that are routed to an IPsec tunnel interface are IPsec protected. The IPsec tunnel interface has the following advantages:
• Simplified configuration—The IPsec tunnel interface is easier to configure compared to using access control lists (ACLs) to identify protected packets.
Figure 86 De-encapsulation process of an IPsec packet
5. The router forwards an IPsec packet received on the inbound interface to the forwarding module.
6. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.
7. The IPsec tunnel interface de-encapsulates the packet, and then delivers the resulting clear text packet back to the forwarding module.
8.
Figure 87 An IPsec VPN
You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new routes for forwarding IPsec VPN traffic when an active link fails in a load-balanced or stateful failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local gateway.
ACL-based IPsec and tunnel interface-based IPsec are available for both IPv4 and IPv6 packets, and the configuration procedures are the same for IPv4 and IPv6.

Implementing ACL-based IPsec
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure an ACL for identifying data flows to be protected.
2. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
3.
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule, rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
• In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it.
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
transform-set 1
• Configure Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3001
ike-peer aa
transform-set 1

Configuring ACL rules
To make sure that SAs can be set up and the traffic protected by IPsec can be processed correctly at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local peer.
Figure 89 Non-mirror image ACLs

Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
• Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This mode is configurable only when IKE is used for IPsec policy negotiation.
Step 4. Specify the security algorithms.
Command:
• Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des }
Remarks: Configure at least one command. By default, no security algorithm is specified.
IPsec policies include the following categories:
• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
• IPsec GDOI policy—Group members obtain policies that belong to their home GDOI group from the key server.
Step 3. Assign an ACL to the IPsec policy. Command: security acl [ ipv6 ] acl-number. Remarks: Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. By default, an IPsec policy references no ACL. The ACL supports match criteria of the VPN attribute. An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
Step 4. Assign an IPsec transform set to the IPsec policy.
Step 7. Configure keys for the SA. Command (use the form that matches the protocol and key format):
• Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher | simple ] hex-key
• Configure an authentication key in characters for AH: sa string-key { inbound | outbound } ah [ cipher | simple ] string-key
• Configure a key in characters
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create an IPsec policy that uses IKE and enter its view. Command: ipsec policy policy-name seq-number isakmp. Remarks: By default, no IPsec policy exists.
Step 3. Configure an IPsec connection name. Command: connection-name name. Remarks: By default, no IPsec connection name is configured.
Step 4. Assign an ACL to the IPsec policy. Command: security acl [ ipv6 ] acl-number [ aggregation ]. Remarks: By default, an IPsec policy does not reference any ACL.
Optional.
Step 9. Enable the IPsec policy. Command: policy enable. Remarks: Optional. Enabled by default.
Step 10. Return to system view. Command: quit. Remarks: N/A.
Step 11. Set the global SA lifetime. Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }. Remarks: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
2. Configure an IPsec policy that uses IKE by referencing an IPsec policy template.
Step 6. Enable and configure the perfect forward secrecy feature for the IPsec policy. Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }. Remarks: Optional. By default, the PFS feature is not used for negotiation. If the local end is configured with the PFS feature, the remote end that initiates the negotiation must also be configured with this feature, and the DH group specified at both ends must be the same. Otherwise, the negotiation fails.
For each packet to be sent out an IPsec protected interface, the system looks through the IPsec policies in the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet, the system uses the IPsec policy to protect the packet. If no match is found, the system sends the packet out without IPsec protection.
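The matching rules stated in this chapter (a permit rule covers the flow it names outbound and the returned traffic inbound, the remote peer needs a mirror-image rule for every local rule, and the policy group is searched in ascending sequence-number order with the first match winning) can be checked offline with the model below. It is an added example written for this page, not code from the HP guide or the router software; the ACL rule syntax is the guide's own, the sample rules are the ones quoted in this chapter, and the policy names, sequence numbers and addresses in demo() are constructed. One modelling assumption is stated in select_policy: a deny match in one policy's ACL only excludes that policy, and the lookup continues with the next sequence number.

```python
"""Model of Comware-style advanced ACL rules and the IPsec policy-group lookup.

Added example, not from the HP guide. It models: a permit rule matches the
named flow outbound and the returned traffic inbound; the remote peer must
hold a mirror-image rule for every local rule; the policy group is searched
in ascending sequence-number order and a packet matching no policy is sent
unprotected. Rule syntax is the guide's own:
    rule N permit|deny ip source A WILDCARD destination B WILDCARD
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclRule:
    seq: int
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr, wildcard):
    """Comware wildcard masks set 1 bits for 'don't care'; invert to a netmask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_rule(text):
    """Parse one advanced-ACL rule line in the guide's syntax; the rule number is optional."""
    tok = text.split()[1:]                       # drop the 'rule' keyword
    seq = int(tok.pop(0)) if tok[0].isdigit() else 0
    action = tok.pop(0)                          # "permit" or "deny"
    if "source" not in tok:                      # e.g. "rule 1 deny ip": any to any
        return AclRule(seq, action, ANY, ANY)
    s, d = tok.index("source"), tok.index("destination")
    return AclRule(seq, action, _wildcard_to_network(tok[s + 1], tok[s + 2]),
                   _wildcard_to_network(tok[d + 1], tok[d + 2]))


def acl_lookup(rules, src_ip, dst_ip, direction="outbound"):
    """First-match evaluation in rule order. Outbound compares source/destination
    as written; inbound (the returned traffic) compares them swapped."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if direction == "inbound":
        s, d = d, s
    for r in sorted(rules, key=lambda r: r.seq):
        if s in r.src and d in r.dst:
            return r.action
    return None


def is_mirror_image(local_rules, remote_rules):
    """True when every local rule has a remote rule with the same action and
    source/destination swapped (a 'deny ip' catch-all mirrors itself)."""
    remote = {(r.action, r.src, r.dst) for r in remote_rules}
    return all((r.action, r.dst, r.src) in remote for r in local_rules)


@dataclass
class IpsecPolicy:
    name: str
    seq: int
    acl: tuple                       # rules of the ACL this policy references


def select_policy(group, src_ip, dst_ip):
    """Walk the policy group in ascending sequence-number order and return
    (name, seq) of the first policy whose ACL permits the outbound flow; None
    means the packet goes out unprotected. Assumption of this model: a deny
    match in one policy's ACL only excludes that policy from the lookup."""
    for pol in sorted(group, key=lambda p: p.seq):
        if acl_lookup(pol.acl, src_ip, dst_ip, "outbound") == "permit":
            return pol.name, pol.seq
    return None


def demo():
    """Constructed sample based on the ACLs quoted in this chapter."""
    router_a = (parse_rule("rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255"),
                parse_rule("rule 1 deny ip"))
    router_b = (parse_rule("rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255"),
                parse_rule("rule 1 deny ip"))
    router_b_bad = (parse_rule("rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.0.0 0.0.255.255"),
                    parse_rule("rule 1 deny ip"))
    group = [IpsecPolicy("test", 2, router_a),
             IpsecPolicy("test", 1, (parse_rule(
                 "rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255"),))]
    return {
        "outbound": acl_lookup(router_a, "1.1.2.7", "3.3.3.9"),
        "returned": acl_lookup(router_a, "3.3.3.9", "1.1.2.7", "inbound"),
        "mirror_ok": is_mirror_image(router_a, router_b),
        "mirror_bad": is_mirror_image(router_a, router_b_bad),
        "policy_for_1_1_1": select_policy(group, "1.1.1.5", "2.2.2.5"),
        "policy_for_1_1_2": select_policy(group, "1.1.2.5", "3.3.3.5"),
        "policy_none": select_policy(group, "9.9.9.9", "3.3.3.5"),
    }
```

The non-mirror case in demo() is the situation Figure 89 warns about: Router B's rule covers a wider destination range than Router A's source range, so the rule sets are not mirror images even though the traffic in one direction would still match.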
Step 2. Enable ACL checking of de-encapsulated IPsec packets. Command: ipsec decrypt check. Remarks: Optional. Enabled by default.

Configuring the IPsec anti-replay function
The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This function checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window.
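The sliding-window check described above, as an added example (not code from the HP guide or the router software). The window keeps the highest sequence number accepted so far and a bitmap of which of the preceding `size` numbers have already been seen; a number above the window slides it forward, a number inside the window that has not been seen is accepted and marked, and a number already seen or older than the window is dropped. The window size and the arrival sequences used below are constructed for the example.

```python
"""IPsec anti-replay sliding window (sequence-number bitmap).

Added example, not from the HP guide. Models the check the text describes:
each received sequence number is tested against the window of the last
`size` numbers below the highest one accepted. Outcomes: above the window
(accept, slide), inside and unseen (accept, mark), inside but already seen
(replay, drop), below the window (too old, drop).
"""


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0       # bit i set  <=>  sequence number (top - i) was accepted

    def check(self, seq):
        """Return True and record seq if it passes; False means drop the packet."""
        if seq <= 0:                      # sequence number 0 is never valid
            return False
        mask = (1 << self.size) - 1
        if seq > self.top:                # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:             # left of the window: too old, drop
            return False
        if (self.bitmap >> diff) & 1:     # already accepted once: replay, drop
            return False
        self.bitmap |= 1 << diff          # new packet inside the window: accept
        return True


def replay_check(sequence_numbers, size=64):
    """Run received sequence numbers through one window; returns the verdict per packet."""
    w = AntiReplayWindow(size)
    return [w.check(n) for n in sequence_numbers]


if __name__ == "__main__":
    # Constructed arrival order with reordering, a duplicate and a late packet.
    arrivals = [1, 3, 2, 2, 10, 6, 7, 9, 10]
    for n, ok in zip(arrivals, replay_check(arrivals, size=4)):
        print(n, "accept" if ok else "drop")
```

With a four-packet window, packets 1, 3 and 2 are accepted (2 arrives late but is still inside the window), the second copy of 2 is a replay and is dropped, 10 slides the window past everything seen so far, 6 is then older than the window and dropped, while 7 and 9 are accepted and the second 10 is dropped. A larger window tolerates more reordering before legitimate packets start being discarded, which is the trade-off the window-size setting controls.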
For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
To configure packet information pre-extraction:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter IPsec policy view or IPsec policy template view. Command (use either):
• To enter IPsec policy view: ipsec policy policy-name seq-number [ isakmp | manual ]
• To enter IPsec policy template view: ipsec policy-template template-name seq-number
Step 3. Enable packet information pre-extraction.
Static IPsec RRI creates static routes immediately after you enable IPsec RRI in an IPsec policy and apply the IPsec policy. When you disable RRI, or remove the ACL or the peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created. The static mode applies to scenarios where the topologies of branch networks seldom change.

Dynamic IPsec RRI
Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs.
When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static routes. It does not delete or modify static routes it has created.
Task: Configuring an IPsec transform set. Remarks: Required. An IPsec transform set for the IPsec tunnel interface to reference supports tunnel mode only.
Task: Configuring an IPsec profile. Remarks: Required.
Task: Configuring an IPsec tunnel interface. Remarks: Required.
Task: Enabling packet information pre-extraction on the IPsec tunnel interface. Remarks: Optional.
Task: Applying a QoS policy to an IPsec tunnel interface. Remarks: Optional.
Task: Enabling the encryption engine. Remarks: Optional.
Task: Configuring the IPsec anti-replay function. Remarks: Optional.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create an IPsec profile and enter its view. Command: ipsec profile profile-name. Remarks: By default, no IPsec profile exists.
Step 3. Specify the IPsec transform sets for the IPsec profile to reference. Command: transform-set transform-name&<1-6>. Remarks: By default, an IPsec profile references no IPsec transform sets.
Step 4. Specify the IKE peer for the IPsec profile to reference.
• The source address of the tunnel interface is the IP address of the local physical interface that connects to the remote end.
• The IPsec tunnel interfaces of the IPsec tunnel are configured with proper IPsec profiles.
• The expected IKE SA and IPsec SAs are established between the local security gateway and the peer gateway. Use the display ike sa command to view the status of the IKE SA and the IPsec SAs.
To configure an IPsec tunnel interface:
Step 1. Enter system view.
An IPsec profile cannot be applied to both an IPsec tunnel interface and a DVPN tunnel interface simultaneously. An IPsec tunnel interface can reference only one IPsec profile. Apply an IPsec profile to only one IPsec tunnel interface. Although an IPsec profile can be applied to multiple IPsec tunnel interfaces, it takes effect only on the IPsec tunnel interface that goes up first.
To apply a QoS policy to an IPsec tunnel interface:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter tunnel interface view. Command: interface tunnel number. Remarks: N/A.
Step 3. Apply a QoS policy to the IPsec tunnel interface. Command: qos apply policy policy-name { inbound | outbound }. Remarks: For more information about the command, see ACL and QoS Command Reference.

Configuring IPsec for IPv6 routing protocols
IMPORTANT: Do not apply an IPsec policy used for an IPv6 routing protocol to an interface.
Task: Display IPsec SA information. Command: display ipsec sa [ brief | policy policy-name [ seq-number ] | remote [ ipv6 ] ip-address ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display IPsec packet statistics. Command: display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display IPsec tunnel information.
# Configure a static route to Host B.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 serial 2/1/1
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] transform esp
# Specify the algorithms for the IPsec transform set.
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] transform esp
# Specify the algorithms for the IPsec transform set.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 serial 2/1/1
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] transform esp
# Specify the algorithms for the IPsec transform set.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Configure the IKE peer.
Figure 91 Network diagram

Configuration procedure
1. Configure Router A:
# Assign IPv6 addresses to interfaces. (Details not shown.)
# Define an ACL to identify data flows from subnet 333::0/64 to subnet 555::0/64.
system-view
[RouterA] acl ipv6 number 3101
[RouterA-acl-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B.
[RouterA] ipv6 route-static 555::0 64 222::1
# Create an IPsec transform set named tran1.
# Assign IPv6 addresses to interfaces. (Details not shown.)
# Define an ACL to identify data flows from subnet 555::0/64 to subnet 333::0/64.
system-view
[RouterB] acl ipv6 number 3101
[RouterB-acl-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64
[RouterB-acl-adv-3101] quit
# Configure a static route to Host A.
[RouterB] ipv6 route-static 333::0 64 111::1
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
Configure an IPsec tunnel to protect the traffic between the branch and the headquarters. Make sure that the IPsec configuration of the headquarters' gateway remains relatively stable despite changes to the branch's private IP address segment.
Figure 92 Network diagram

Configuration considerations
Configure an IPsec tunnel interface on each router and configure a static route on each router to route the packets destined to the peer to the IPsec tunnel interface for IPsec protection.
# Create tunnel interface Tunnel1.
[RouterA] interface tunnel 1
# Assign IPv4 address 10.1.1.1/24 to tunnel interface Tunnel1.
[RouterA-Tunnel1] ip address 10.1.1.1 24
# Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
[RouterA-Tunnel1] tunnel-protocol ipsec ipv4
# Set the source interface of the tunnel to Serial 2/1/1 on Tunnel 1.
[RouterA-Tunnel1] source serial 2/1/1
# Set the tunnel destination address to 1.1.1.1, the source address of the remote peer.
[RouterB-ipsec-profile-btoa] quit
# Create tunnel interface Tunnel 1. This interface will be used to protect the data flows between Router B and Router A. As the public IP address of the remote peer is not known, you do not need to configure the destination address on the tunnel interface.
[RouterB] interface tunnel 1
# Assign IPv4 address 10.1.1.2/24 to tunnel interface Tunnel 1.
[RouterB-Tunnel1] ip address 10.1.1.2 24
# Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
IPsec policy name: "btoa"
sequence number: 1
acl version: ACL4
mode: tunnel
----------------------------
PFS: N, DH group: none
tunnel:
local address: 1.1.1.1
remote address: 1.1.1.2
flow :
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
dest addr: 0.0.0.0/0.0.0.
Configuring IPsec for RIPng
The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see Layer 3—IP Routing Configuration Guide.

Network requirements
As shown in Figure 93, Router A, Router B, and Router C are connected. They learn IPv6 routing information through RIPng. Configure IPsec for RIPng so that RIPng packets exchanged between the routers are transmitted through an IPsec tunnel.
[RouterA] ipsec policy policy001 10 manual
[RouterA-ipsec-policy-manual-policy001-10] transform-set tran1
[RouterA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[RouterA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
[RouterA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[RouterA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[RouterA-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
# Assign an IPv6 address to each interface. (Details not shown.) # Create a RIPng process and enable it on GigabitEthernet 3/0/1.
Number of trigger updates sent : 1
IPsec policy name: policy001, SPI: 123456
The output shows that IPsec policy policy001 is applied to the RIPng process successfully.
# Execute the display ipsec sa command on Router A to view the information about the inbound and outbound SAs.
Figure 94 Network diagram

Configuration procedure
1. Assign IPv4 addresses to the interfaces on the routers according to Figure 94. Make sure Router A and Router B can reach each other. (Details not shown.)
2. Configure Router A:
# Configure ACL 3101 to identify traffic from subnet 10.4.4.0/24 to subnet 10.5.5.0/24.
system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer peer.
[RouterA-ipsec-policy-isakmp-map1-10] ike-peer peer
# Enable dynamic IPsec RRI and use 1.1.1.2 as the next hop of the static route.
[RouterA-ipsec-policy-isakmp-map1-10] reverse-route remote-peer 1.1.1.2
[RouterA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to interface GigabitEthernet 3/0/1.
# Apply IPsec policy use1 to interface GigabitEthernet 3/0/1.
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] ipsec policy use1
4. Verify the configuration:
# Send traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24, or from subnet 10.4.4.0/24 to 10.5.5.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B.
# Display the routing table on Router A.
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKE version 1.

Overview
Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration, and maintenance of IPsec dramatically.
Figure 95 IKE exchange process in main mode
(Diagram labels recovered from the figure: Peer 1 and Peer 2 exchange messages in three phases. SA exchange: the initiator sends its local IKE policy (initiator's policy), the receiver searches for a matched policy and returns the confirmed policy; this completes algorithm negotiation. Key exchange: each side sends its key information (initiator's key information, receiver's key information) and both sides generate the key. ID and authentication data exchange: each side sends its identity and authentication data and performs ID/exchange authentication.)
Relationship between IKE and IPsec
Figure 96 Relationship between IKE and IPsec
Figure 96 illustrates the relationship between IKE and IPsec:
• IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
• IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
• IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
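The three main-mode exchanges of Figure 95 (policy, key, identity/authentication) can be traced end to end with the simplified model below. This is an added example written for this page, not code from the HP guide or the router software. Key derivation and the HASH_I/HASH_R authenticators follow RFC 2409 for pre-shared-key authentication with HMAC-SHA1 as the prf, and the Diffie-Hellman group is the 1024-bit MODP group of RFC 2409 (dh-group2 in the guide's pfs command). ISAKMP headers, payload encoding and the encryption of messages 5 and 6 are left out; the peer names, the pre-shared key and the proposal tuples used when running it are constructed. The valid_public_value check is the responder-side guard a real implementation applies to the peer's KE payload.

```python
"""Simplified IKEv1 main-mode exchange with pre-shared-key authentication.

Added example, not code from the HP guide: two in-process peers walk through
SA/policy exchange, key exchange, and ID/authentication exchange. SKEYID and
HASH_I/HASH_R follow RFC 2409 (prf = HMAC-SHA1); the DH group is RFC 2409's
1024-bit MODP group (dh-group2). Headers, payload encoding and the encryption
of messages 5 and 6 are omitted. Names, PSK and proposals are constructed.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
PLEN = (P.bit_length() + 7) // 8

def prf(key, data):
    """IKEv1 prf for hash algorithm 'sha': HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Miller-Rabin with fixed bases; used to sanity-check the group modulus."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def valid_public_value(y):
    """Reject 0, 1, p-1 and out-of-range KE values: they force a predictable g^xy."""
    return 2 <= y <= P - 2

class Peer:
    def __init__(self, name, psk, proposals):
        self.name, self.psk, self.proposals = name, psk, tuple(proposals)
        self.cookie = secrets.token_bytes(8)       # ISAKMP cookie (CKY)
        self.nonce = secrets.token_bytes(16)       # Ni or Nr
        self.x = secrets.randbelow(P - 3) + 2      # private DH exponent
        self.pub = pow(G, self.x, P)               # KE payload: g^x mod p

    def choose(self, offered):
        """Message 2: the first offered proposal that is also configured locally."""
        return next((p for p in offered if p in self.proposals), None)

    def derive(self, peer_pub, ni, nr, cky_i, cky_r):
        """RFC 2409 pre-shared-key derivation of SKEYID, SKEYID_d, SKEYID_a, SKEYID_e."""
        if not valid_public_value(peer_pub):
            raise ValueError("invalid KE payload from peer")
        gxy = pow(peer_pub, self.x, P).to_bytes(PLEN, "big")
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_a, skeyid_e

def main_mode(i, r):
    """Run the six main-mode messages between initiator i and responder r.
    Returns (transcript, result); result is None when the negotiation fails."""
    t = [("I->R", "SA: proposals", i.proposals)]                 # message 1
    chosen = r.choose(i.proposals)
    t.append(("R->I", "SA: accepted proposal", chosen))          # message 2
    if chosen is None:                                           # no matching policy
        return t, None
    sa_b = repr(i.proposals).encode()                            # stands in for SAi_b
    t.append(("I->R", "KE, Ni", (i.pub, i.nonce)))               # message 3
    t.append(("R->I", "KE, Nr", (r.pub, r.nonce)))               # message 4
    ki = i.derive(r.pub, i.nonce, r.nonce, i.cookie, r.cookie)
    kr = r.derive(i.pub, i.nonce, r.nonce, i.cookie, r.cookie)
    id_i, id_r = i.name.encode(), r.name.encode()
    gxi, gxr = i.pub.to_bytes(PLEN, "big"), r.pub.to_bytes(PLEN, "big")
    hash_i = prf(ki[0], gxi + gxr + i.cookie + r.cookie + sa_b + id_i)
    t.append(("I->R", "IDii, HASH_I", (id_i, hash_i)))           # message 5
    if not hmac.compare_digest(hash_i, prf(kr[0], gxi + gxr + i.cookie + r.cookie + sa_b + id_i)):
        return t, None                                           # wrong PSK or tampered SA
    hash_r = prf(kr[0], gxr + gxi + r.cookie + i.cookie + sa_b + id_r)
    t.append(("R->I", "IDir, HASH_R", (id_r, hash_r)))           # message 6
    if not hmac.compare_digest(hash_r, prf(ki[0], gxr + gxi + r.cookie + i.cookie + sa_b + id_r)):
        return t, None
    return t, {"proposal": chosen, "skeyid_a": ki[1], "skeyid_e": ki[2]}
```

Two failure modes the chapter's troubleshooting guidance points at are visible in the transcript length: with no proposal in common the exchange stops after message 2, and with mismatched pre-shared keys both sides still derive keys but HASH_I fails verification, so the exchange stops after message 5. The responder's choose() mirrors the rule that the initiator's proposals are checked against the responder's configured proposals.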
• Configuring a name for the local security gateway: Optional.
• Configuring an IKE proposal: Required if you want to specify an IKE proposal for an IKE peer to reference.
• Configuring an IKE peer: Required.
• Setting keepalive timers: Optional.
• Setting the NAT keepalive timer: Optional.
• Configuring a DPD detector: Optional.
• Disabling next payload field checking: Optional.
• In FIPS mode, both the IPsec SAs and the corresponding IKE SAs are renegotiated.
• In non-FIPS mode, only the IPsec SAs are renegotiated.
To configure an IKE proposal:
1. Enter system view. Command: system-view.
2. Create an IKE proposal and enter its view. Command: ike proposal proposal-number.
3. 4. 5. Specify an encryption algorithm for the IKE proposal. Optional.
• Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When acting as the responder, the local end uses the IKE proposals configured in system view for negotiation.
• Configure a pre-shared key for pre-shared key authentication or a PKI domain for digital signature authentication.
• Specify the ID type for the local end to use in IKE negotiation phase 1.
7. Configure a name for the local security gateway. Command: local-name name. Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
8. Specify the name of the remote security gateway. Optional.
9. Configure an IP address for the local gateway.
NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
Setting keepalive timers
IKE maintains the link status of an ISAKMP SA by sending keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.
4. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.
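The DPD procedure in steps 2 to 4 as a small timer state machine, an added example that is not code from the HP guide: step 1 (the check that triggers the procedure) is not in this extract and is modeled as the tick() call, and all timer values are constructed.

```python
"""DPD peer-liveness detection for one IKE SA (added example, not HP's code).
Step 1 of the procedure (the check that triggers DPD) is not in this
extract and is modeled as tick(); timer values are constructed samples."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdDetector:
    interval: float            # DPD interval: peer silence (s) before a hello is sent
    retry_interval: float      # DPD packet retransmission interval (s)
    max_retries: int = 2       # maximum retransmission attempts (two by default)
    last_rx: float = 0.0       # time the last packet arrived from the peer
    probe_sent_at: Optional[float] = None   # time of the unacknowledged hello
    retries: int = 0           # retransmissions made for that hello
    alive: bool = True
    cleared: List[str] = field(default_factory=list)   # SAs torn down on death

    def receive(self, now: float) -> None:
        """Any packet from the peer (a DPD acknowledgement included) proves
        liveness and cancels the outstanding probe."""
        self.last_rx = now
        self.probe_sent_at = None
        self.retries = 0

    def tick(self, now: float) -> Optional[str]:
        """Run the DPD check at time `now`; return the action taken, if any."""
        if not self.alive:
            return None
        if self.probe_sent_at is None:
            # Step 2: peer silent for longer than the DPD interval -> hello.
            if now - self.last_rx > self.interval:
                self.probe_sent_at = now
                return "hello"
            return None
        if now - self.probe_sent_at < self.retry_interval:
            return None            # still waiting for the acknowledgement
        if self.retries < self.max_retries:
            # Step 3: no acknowledgement within the retransmission interval.
            self.retries += 1
            self.probe_sent_at = now
            return "retransmit"
        # Step 4: all retransmissions unanswered -> the peer is dead; clear
        # the IKE SA and the IPsec SAs negotiated under it.
        self.alive = False
        self.cleared.extend(["IKE SA", "IPsec SA (inbound)", "IPsec SA (outbound)"])
        return "dead"


def run_scenario(ack_at: Optional[float] = None) -> List[str]:
    """Drive a detector (10 s DPD interval, 5 s retransmission interval)
    through 30 one-second ticks; `ack_at` is when a DPD acknowledgement
    arrives (None = peer stays silent). Returns the actions taken in order."""
    dpd = DpdDetector(interval=10, retry_interval=5)
    dpd.receive(0)                 # last packet from the peer at t = 0
    actions: List[str] = []
    for now in range(1, 31):
        if ack_at is not None and now == ack_at:
            dpd.receive(now)
        action = dpd.tick(now)
        if action is not None:
            actions.append(action)
    return actions


if __name__ == "__main__":
    print("silent peer:", run_scenario())           # hello, retransmit x2, dead
    print("ack at t=17:", run_scenario(ack_at=17))  # hello, retransmit, hello
```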
• Display IKE SA information: display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display IKE proposal information: display ike proposal [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Clear SAs established by IKE: reset ike sa [ connection-id ]. Available in user view.
[RouterA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use security protocol ESP.
[RouterA-ipsec-transform-set-tran1] transform esp
# Specify encryption and authentication algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create IKE peer peer.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.2
3. Configure Router B:
# Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
system-view
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-adv-3101] quit
# Create IPsec transform set tran1.
[RouterB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
4. Verify the configuration:
# Check the IKE proposal configuration.
dest addr: 10.1.2.0/255.255.255.
Configuration procedure
1. Configure Router A:
# Specify a name for the local security gateway.
system-view
[RouterA] ike local-name routera
# Configure an ACL.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure an IKE proposal.
[RouterA] interface gigabitethernet 3/0/1
[RouterA-GigabitEthernet3/0/1] ip address 172.16.0.1 255.255.255.0
[RouterA-GigabitEthernet3/0/1] quit
# Configure a static route to the branch LAN.
[RouterA] ip route-static 192.168.0.0 255.255.255.0 serial 2/1/1
2. Configure Router B:
# Specify a name for the local security gateway.
system-view
[RouterB] ike local-name routerb
# Configure an ACL.
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule 0 permit ip source 192.168.0.0 0.0.0.
[RouterB] dialer-rule 1 ip permit
# Configure dialer interface Dialer 0. Use the username and password assigned by the ISP for dial and PPP authentication.
got NOTIFY of type INVALID_ID_INFORMATION
Or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Solution
Verify that the ACLs in the IPsec policies configured on the interfaces at both ends are compatible. Configure the ACLs to mirror each other. For more information about ACL mirroring, see "Configuring IPsec."
Proposal mismatch
Symptom
The proposals mismatch.
Analysis
The following is the debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
Or
drop message from A.B.C.
ACL configuration error
Symptom
An ACL configuration error results in data flow blockage.
Analysis
When multiple devices establish different IPsec tunnels at different times, a device might have multiple peers. If the device is not configured with ACL rules, the peers send packets to it to set up different IPsec tunnels with different protection granularities.
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, establishing a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
Stages Description
Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, the public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.
signature. Finally, it informs the client of the authentication result. The device supports using the publickey algorithms RSA and DSA for digital signature. A client can send public key information to the device that acts as the server for validity check in either of the following methods:
• The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key.
FIPS compliance
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
Configuring the device as an SSH server
You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet, SFTP, and SCP server unless otherwise specified.
The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm. To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server. In FIPS mode, the DSA algorithm is not available.
To generate local DSA or RSA key pairs on the SSH server:
1. Enter system view. Command: system-view.
2. Generate DSA or RSA key pairs.
IMPORTANT: Before you configure a user interface to support SSH, you must configure its authentication mode to scheme. Otherwise, the protocol inbound command fails.
To configure the user interface for SSH clients:
1. Enter system view. Command: system-view.
2. Enter VTY user interface view. Command: user-interface vty number [ ending-number ].
3. Set the login authentication mode to scheme. By default, the authentication mode is password.
You can configure up to 20 SSH client public keys on an SSH server. For more information about client public key configuration, see "Managing public keys."
Configuring a client public key manually
1. Enter system view. Command: system-view.
2. Enter public key view. Command: public-key peer keyname.
3. Enter public key code view. Command: public-key-code begin.
4. Configure a client's host public key.
• Any—The user can use password authentication, publickey authentication, or keyboard-interactive authentication.
All authentication methods, except password authentication and keyboard-interactive authentication, require a client's host public key or digital certificate to be specified.
• If a client directly sends the user's public key information to the server, the server must specify the client's public key and the specified public key must already exist.
• Compatibility between the SSH server and SSH1 clients.
• RSA server key pair update interval, applicable to users using SSH1 client.
• SSH user authentication timeout period. This parameter is used to reject a connection if the authentication for the connection is not completed before the timeout period expires.
• Maximum number of SSH authentication attempts. This parameter is used to prevent malicious password cracking.
• SFTP connection idle timeout period.
Specifying a source IP address or source interface for the Stelnet client
By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server as the source IP address to communicate with the Stelnet server. You can change the source IP address or specify a source interface for the client.
Disabling first-time authentication
1. Enter system view. Command: system-view.
2. Disable first-time authentication. Command: undo ssh client first-time. Enabled by default.
3. Configure the server host public key. See "Configuring a client's host public key." The method for configuring the server host public key on the client is similar to that for configuring a client public key on the server.
4. Specify the host public key name of the server.
• Establish a connection to an IPv4 server:
  Establish a connection to an Stelnet server.
• Working with SFTP files: Optional.
• Displaying help information: Optional.
• Terminating the connection with the SFTP server: Optional.
Specifying a source IP address or source interface for the SFTP client
By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server as the source IP address to communicate with the SFTP server. You can change the source IP address or specify a source interface for the client.
• Establish a connection to an IPv4 SFTP server:
  Establish a connection to an SFTP server and enter SFTP client view.
1. Enter SFTP client view. For more information, see "Establishing a connection to an SFTP server."
2. Change the working directory of the remote SFTP server. Command: cd [ remote-path ]. Optional.
3. Return to the upper-level directory. Command: cdup. Optional.
4. Display the current working directory on the SFTP server. Command: pwd. Optional.
5. Display files under the specified directory. Commands: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ].
5. Display the files under the specified directory. Commands: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]. Optional. The dir command functions as the ls command.
6. Delete one or more directories from the SFTP server. Commands: delete remote-file&<1-10> or remove remote-file&<1-10>. Optional. The delete command functions as the remove command.
Transferring files with an SCP server
• Upload a file to the SCP server:
  Connect to the SCP server, and transfer files with the server.
• Display the source IP address or interface configured for the SFTP client: display sftp client source [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the source IP address or interface information configured for the Stelnet client: display ssh client source [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display SSH server status information or session information on an SSH server.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++
+++++++++++++++++++++++
+++++
+++++
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key size is (512 ~ 2048).
To establish a connection to the Stelnet server:
a. Launch PuTTY.exe to enter the following interface.
b. In the Host Name (or IP address) field, enter the IP address of the Stelnet server.
Figure 101 Specifying the host name (or IP address)
c. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the command-line interface of the server.
Figure 102 Network diagram
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server. The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY version 0.58 on the Stelnet client.
Configuration procedure
1. Generate an RSA key pair on the Stelnet client:
a. Launch PuTTYGen.
Figure 104 Generating process
c. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
d. Click Save private key to save the private key. A confirmation dialog box appears.
e. Click Yes and enter the name of the file for saving the key (private.ppk in this example).
f. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
[Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey
3. Establish a connection to the Stelnet server:
a. Launch PuTTY.exe on the Stelnet client to enter the following interface.
b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
Figure 106 Specifying the host name (or IP address)
c. Select Connection > SSH > Auth from the navigation tree.
d.
Figure 107 Specifying the private key file
e. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server.
Password authentication enabled Stelnet client configuration example
Network requirements
As shown in Figure 108, you can log in to Router B through the Stelnet client running on Router A.
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++
+++++++++++++++++++++++
+++++
+++++
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
[RouterA-GigabitEthernet3/0/1] quit
[RouterA] quit
• If the client supports first-time authentication, you can directly establish a connection from the client to the server.
# Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.168.1.40 ...
The Server is not authenticated.
[RouterA-pkey-public-key] peer-public-key end
# Specify the host public key for the Stelnet server 192.168.1.40 as key1.
[RouterA] ssh client authentication server 10.165.87.136 assign publickey key1
[RouterA] quit
# Establish an SSH connection to SSH server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40
Press CTRL+K to abort
Connected to 192.168.1.40...
Enter password:
After you enter the correct username and password, you can log in to Router B successfully.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Export the DSA public key to file key.pub.
[RouterA] public-key local export dsa ssh2 key.pub
[RouterA] quit
# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
[RouterB] public-key peer ClientKey import sshkey key.pub
# Specify the authentication method for user client002 as publickey, and assign the public key ClientKey to the user.
[RouterB] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey
3. Establish a connection to the Stelnet server:
# Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client002
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.
+++++++++++++++++++++++
+++++
+++++
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server function.
Figure 111 SFTP client interface
Publickey authentication enabled SFTP client configuration example
Network requirements
As shown in Figure 112, you can log in to Router B through the SFTP client that runs on Router A. Router B acts as the SFTP server, adopting publickey authentication and the RSA public key algorithm.
Figure 112 Network diagram
Configuration considerations
In the server configuration, the client public key is required.
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++
+++++++++++++++++++++++
+++++
+++++
# Export the host public key to file pubkey.
[RouterA] public-key local export rsa ssh2 pubkey
[RouterA] quit
# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2.
# Set the authentication mode of the user interface to AAA.
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode scheme
# Enable the user interface to support SSH.
[RouterB-ui-vty0-4] protocol inbound ssh
[RouterB-ui-vty0-4] quit
# Import the peer public key from the file pubkey, and name it RouterKey.
sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
# Rename the directory new1 to new2 and verify that the directory name has been changed successfully.
Network requirements
As shown in Figure 113, Router A acts as an SCP client and Router B acts as an SCP server. A user can securely transfer files with Router B through Router A. Router B uses the password authentication method and the client's username and password are saved on Router B.
Figure 113 Network diagram
Configuration procedure
1. Configure the SCP server:
# Generate RSA key pairs.
system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode scheme
# Enable the user interface to support SSH.
[RouterB-ui-vty0-4] protocol inbound ssh
[RouterB-ui-vty0-4] quit
# Create a local user named client001 with the password as aabbcc and service type as ssh.
Configuring firewall
Overview
A firewall blocks unauthorized Internet access to a protected network while allowing internal network users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet. Many of today's firewalls offer additional features, such as identity authentication and encryption.
ASPF functions
An ASPF provides the following main functions:
• Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and monitors the connection-oriented application layer protocol status. ASPF maintains the status information of each connection, and based on such information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.
• Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
• Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and transfers control messages and user data through different channels. FTP and RTSP are examples of multi-channel protocols.
Therefore, for multi-channel application layer protocols like FTP and H.323, deploying TCP inspection without application layer inspection causes data connection establishment to fail.
Configuring a packet-filter firewall
Packet-filter firewall configuration task list
• Enabling the firewall function: Required.
• Configuring the default filtering action of the firewall: Optional.
• Configuring packet filtering on an interface: Required.
2. Specify the default filtering action of the firewall. Optional.
• In standalone mode: firewall default { deny | permit } { all | slot slot-number }
• In IRF mode: firewall default { deny | permit } { all | chassis chassis-number slot slot-number }
The default is permit (permit packets to pass the firewall). Use the deny action with caution. If you specify the deny action, routing protocol packets are denied, resulting in network disconnectivity.
You can apply only one ACL to filter packets in one direction of an interface.
Configuring IPv6 packet filtering on an interface
IPv6 packet filtering is a basic firewall function based on IPv6 ACLs. You can configure IPv6 packet filtering in the inbound or outbound direction of an interface so that the interface filters packets that match the IPv6 ACL rules.
To configure IPv6 packet filtering on an interface:
1. Enter system view. Command: system-view.
2. Enter interface view.
• By using the firewall feature, the company intends to achieve the following aim: only specific users on external networks are given access to the internal servers, and only specific hosts on the internal network are permitted to access external networks.
• Assume that the IP address of a specific external user is 20.3.3.3.
Figure 115 Network diagram (figure labels: FTP server 129.1.1.1/24, Telnet server 129.1.1.2/24, and WWW server 129.1.1.3/24 on the internal network; router interface GE3/0/1 129.1.1.5/24; S2/1/1 20.1.1.
[Router-GigabitEthernet3/0/1] firewall packet-filter 3001 inbound
# Apply ACL 3002 to packets that come in through Serial 2/1/1.
[Router-GigabitEthernet3/0/1] quit
[Router] interface serial 2/1/1
[Router-Serial2/1/1] firewall packet-filter 3002 inbound
Configuring an ASPF
ASPF configuration task list
• Enabling the firewall function: Required.
• Configuring an ASPF policy: Required.
• Applying an ASPF policy to an interface: Required.
• Configuring port mapping: Optional.
Applying an ASPF policy to an interface
An ASPF policy distinguishes two kinds of interfaces: the internal interface and the external interface. If the device is connected to both the internal network and the Internet, and employs ASPF to protect the internal servers, the interface connected to the internal network is the internal interface and the one connected to the Internet is the external interface.
Displaying ASPF
• Display all ASPF policy and session information: display aspf all [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the ASPF policy configuration applied to the interface: display aspf interface [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the configuration information of a specific ASPF policy.
# Create ACL 2001 to block Java applets from site 2.2.2.11.
[RouterA] acl number 2001
[RouterA-acl-basic-2001] rule deny source 2.2.2.11 0
[RouterA-acl-basic-2001] rule permit
[RouterA-acl-basic-2001] quit
# Create ASPF policy 1.
[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] icmp-error drop
[RouterA-aspf-policy-1] tcp syn-check
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 and the ASPF policy to the interface Serial 2/1/1.
Configuring ALG
Application Level Gateway (ALG) processes the payload information of application layer packets to make sure data connections can be established. Usually NAT translates only IP address and port information in packet headers and does not analyze fields in application layer payloads. However, the payloads of some protocols may contain IP address or port information, which causes problems if it is not translated.
Figure 117 Network diagram for ALG-enabled FTP application in passive mode (figure: a host, the FTP-ALG enabled NAT router, and the FTP server; the FTP_CMD ("PASV") request passes through the router, the server's FTP_EnterPassive ("IP1, Port1") reply is rewritten by the ALG to FTP_EnterPassive ("IP2, Port2"), and the host's FTP_Connect (IP2, Port2) is translated to FTP_Connect (IP1, Port1))
The communication process includes the following steps:
1. Establishing a control connection. The host sends a TCP connection request to the server.
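The passive-mode rewrite shown in Figure 117, as an added Python example that is not code from the HP guide: the static NAT mapping (192.168.1.3 to 5.5.5.9, reused from the NBT example later in this chapter), the port allocator and the sample 227 reply are constructed assumptions.

```python
"""FTP ALG for the passive-mode exchange in Figure 117 (added example, not
HP's code). The 227 reply carries the data-channel address inside the TCP
payload, which header-only NAT would leave untranslated; the ALG rewrites
it, opens a pinhole for the host's data connection, and tracks the TCP
sequence-number delta. Mapping, port allocator and addresses are constructed."""
import re
from typing import Dict, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as sent by the FTP server.
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (ip, port) from a 227 reply; port = p1 * 256 + p2."""
    match = PASV_REPLY.match(reply)
    if match is None:
        raise ValueError("not a 227 reply: %r" % reply)
    fields = [int(g) for g in match.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("field out of range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    """Build the 227 reply announcing (ip, port) in FTP's comma notation."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Rewrites the server's FTP_EnterPassive (IP1, Port1) to (IP2, Port2) and
    maps the host's FTP_Connect (IP2, Port2) back to (IP1, Port1)."""

    def __init__(self, static_nat: Dict[str, str], first_port: int = 40001):
        self.static_nat = static_nat    # inside IP -> outside IP (constructed)
        self.next_port = first_port     # next outside port to allocate
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.seq_delta = 0              # payload bytes added (+) or removed (-)

    def translate_reply(self, reply: str) -> str:
        ip1, port1 = parse_pasv(reply)
        ip2 = self.static_nat[ip1]              # KeyError: no NAT mapping for IP1
        port2 = self.next_port
        self.next_port += 1
        self.pinholes[(ip2, port2)] = (ip1, port1)
        rewritten = format_pasv(ip2, port2)
        # Later server segments need their sequence numbers shifted by this
        # amount (and the host's acknowledgements shifted back).
        self.seq_delta += len(rewritten) - len(reply)
        return rewritten

    def data_connect(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Resolve the host's data connection through its pinhole (single use)."""
        return self.pinholes.pop((dst_ip, dst_port), None)


if __name__ == "__main__":
    alg = FtpAlg({"192.168.1.3": "5.5.5.9"})
    reply = "227 Entering Passive Mode (192,168,1,3,4,1)\r\n"   # constructed
    print(alg.translate_reply(reply).strip(), alg.seq_delta)
    print(alg.data_connect("5.5.5.9", 40001))
```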
1. Enter system view. Command: system-view.
2. Enable ALG. Command: alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }. Optional. By default, ALG is enabled for all protocols.
FTP ALG configuration example
The example describes only ALG configuration, assuming other required configurations on the server and client have been done.
Network requirements
As shown in Figure 118, a company uses the private network segment 192.168.1.
SIP/H.323 ALG configuration example
H.323 ALG configuration is similar to SIP ALG configuration. The following example describes SIP ALG configuration. The example describes only ALG configurations, assuming other required configurations on the server and client have been done.
Network requirements
As shown in Figure 119, a company uses the private network segment 192.168.1.0/24, and has four public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11.
Configure NAT and ALG on the router so that Host A uses 5.5.5.9 as its external IP address, the WINS server uses 5.5.5.10 as its external IP address, and Host B can access the WINS server and Host A by using host names.
Figure 120 Network diagram
Configuration procedure
# Configure a static NAT entry.
system-view
[Router] nat static 192.168.1.3 5.5.5.9
# Enable ALG for NBT.
[Router] alg nbt
# Configure NAT.
Managing sessions
Overview
Session management is a common feature designed to implement session-based services such as NAT, ASPF, and intrusion protection. Session management regards packet exchanges at the transport layer as sessions and updates the session status, or ages sessions out, according to information in the initiator or responder packets. Session management allows multiple features to process the same service packet.
• Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payload of these packets.
  Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
• Supporting persistent sessions, which are not aged within a long period of time.
• Supporting session management of control channels and dynamic data channels of application layer protocols, for example, FTP.
2. Set the aging time for sessions of a specified protocol and in a specified state. Command: session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value. This aging time setting is effective for only the sessions that are being established. The defaults are as follows:
• accelerate—10 seconds.
• fin—30 seconds.
• icmp-closed—30 seconds.
• icmp-open—60 seconds.
• rawip-open—30 seconds.
Configuring early aging for sessions
A device that does not support attack detection or attack protection is vulnerable to attacks on session resources. If session resources are used up, the device cannot support normal forwarding services, for example, NAT processing. To prevent such attacks, you can configure early aging for sessions.
To enable checksum verification for protocol packets:
1. Enter system view. Command: system-view.
2. Enable checksum verification. Command: session checksum { all | { icmp | tcp | udp } * }. Disabled by default.
Specifying the persistent session rule
You can set sessions with specific characteristics as persistent sessions. The aging time of a persistent session does not change with session state transitions, and the session will not be removed even when no packets match it.
Clear sessions. Available in user view.
• In standalone mode: reset session [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
• In IRF mode:
To set session logging thresholds:
1. Enter system view. Command: system-view.
2. Set the holdtime threshold for session logging. Command: session log time-active time-value. Optional. 0 by default, which means that the system does not output session logs based on the session holdtime threshold.
3. Configure the traffic threshold for session logging. Commands:
• Set the packet count threshold: session log packets-active packets-value
• Set the byte count threshold: session log bytes-active bytes-value
For more information about flow log functions, see Network Management and Monitoring Configuration Guide. For more information about flow log commands, see Network Management and Monitoring Command Reference.
Displaying and maintaining session management
• Display the session aging times for application layer protocols: display application aging-time [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display configuration and statistics about logs (in standalone mode): display userlog export slot slot-number [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display configuration and statistics about logs (in IRF mode): display userlog export chassis chassis-number slot slot-number [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Clear sessions (in standalone mode).
Configuring connection limits Overview An internal user initiating a large quantity of connections to external networks in a short period of time occupies large amounts of system resources on the device, limiting access to network resources for other users. An internal server that receives large numbers of connection requests within a short period of time cannot process them in time or accept other normal connection requests.
An IP address-based connection limit rule can be of any of the following types:
• Source-to-destination—Limits connections from a specific internal host or segment to a specific external host or segment.
• Source-to-any—Limits connections from a specific internal host or segment to external networks.
• Any-to-destination—Limits connections from external networks to a specific internal server.
• Any-to-any—Limits the total number of connections passing through the device.
• Each host on segment 192.168.0.0/24 can establish up to 100 connections to the external network, and all other hosts can establish as many connections as they want.
• Permit up to 10000 connections from the external network to the DNS server.
• Permit up to 10000 connections from the external network to the Web server.
Figure 121 Network diagram
Configuration procedure
The following describes only the connection limit configuration.
Connection-limit policy 0, refcount 1, 3 limits
 limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100 per-source
 limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000
 limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000
Troubleshooting connection limiting
Connection limit rules with overlapping segments
Symptom
On the router, create a connection limit policy and configure two rules for the policy.
Analysis
Both rules (limit 0 and limit 1) match HTTP connections, and the rule with the smaller ID is matched first, so rule 0 is the one applied to HTTP connections.
Solution
Rearrange the two connection limit rules by exchanging their rule IDs so that the rule intended for HTTP connections is matched first.
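To make the matching order concrete, here is a small model of connection-limit rule evaluation (an added example, not HP's code): rules are tried in ascending ID, the first match wins, and a per-source limit counts connections per source address. The two overlapping rules of the troubleshooting scenario and the mapping of the protocol keywords http and dns to tcp/80 and udp/53 are our constructions, since the page does not give them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocol keywords as they appear in the policy output, mapped (our assumption)
# to the transport protocol and destination port they stand for.
PROTO_MATCH = {
    "ip": None,          # any protocol
    "http": ("tcp", 80),
    "dns": ("udp", 53),
}

@dataclass(frozen=True)
class Limit:
    rule_id: int
    source: str           # "any" or a CIDR prefix
    destination: str      # "any" or a CIDR prefix
    protocol: str         # a key of PROTO_MATCH
    max_connections: int
    per_source: bool = False

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int

def _in(prefix, addr):
    return prefix == "any" or ip_address(addr) in ip_network(prefix)

def _proto_ok(rule_proto, conn):
    want = PROTO_MATCH[rule_proto]
    return want is None or (conn.proto, conn.dport) == want

def first_match(limits, conn):
    """Rules are tried in ascending rule ID; the first matching rule wins."""
    for lim in sorted(limits, key=lambda l: l.rule_id):
        if (_in(lim.source, conn.src) and _in(lim.destination, conn.dst)
                and _proto_ok(lim.protocol, conn)):
            return lim
    return None

class Policy:
    def __init__(self, limits):
        self.limits = list(limits)
        self.counts = {}      # (rule_id, bucket) -> connections currently counted

    def admit(self, conn):
        """Return True if the connection is allowed under the first matching rule."""
        lim = first_match(self.limits, conn)
        if lim is None:
            return True       # traffic that matches no rule is not limited
        bucket = conn.src if lim.per_source else "*"
        key = (lim.rule_id, bucket)
        if self.counts.get(key, 0) >= lim.max_connections:
            return False
        self.counts[key] = self.counts.get(key, 0) + 1
        return True

def per_source_demo():
    """limit 0 from the page: 100 connections per source on 192.168.0.0/24.
    The 101st connection from one host is refused; another host is unaffected."""
    policy = Policy([Limit(0, "192.168.0.0/24", "any", "ip", 100, per_source=True)])
    admitted_a = sum(policy.admit(Conn("192.168.0.5", "198.51.100.7", "tcp", 443))
                     for _ in range(101))
    admitted_b = policy.admit(Conn("192.168.0.6", "198.51.100.7", "tcp", 443))
    return admitted_a, admitted_b

def overlap_demo(swap):
    """Constructed overlap: a broad 'protocol ip' rule on 192.168.0.0/24 and an HTTP
    rule on 192.168.0.2/32. With the broad rule at the smaller ID, HTTP traffic to
    192.168.0.2 never reaches the HTTP rule; swapping the IDs fixes it."""
    ids = (1, 0) if swap else (0, 1)
    limits = [Limit(ids[0], "any", "192.168.0.0/24", "ip", 10000),
              Limit(ids[1], "any", "192.168.0.2/32", "http", 10000)]
    return first_match(limits, Conn("203.0.113.9", "192.168.0.2", "tcp", 80)).protocol
```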
Configuring Web filtering Overview In legacy network security solutions, network protection mainly targets external attacks. With the popularity of network applications in every walk of life, however, the internal network also faces security threats caused by internal user access to illegal networks. To protect the internal network against such threats, the network devices must be able to filter illegal access requests from internal users.
• If URL address filtering does not support IP addresses, the device checks the ACL rules for URL address filtering. If the ACL permits the IP address, the device forwards the request. Otherwise, the device drops the request. URL parameter filtering Many webpages are dynamic, connected with databases, and support data query and modification through Web requests.
ActiveX blocking ActiveX blocking protects networks from being attacked by malicious ActiveX plugins. After the ActiveX blocking function is enabled, requests for ActiveX plugins to all webpages will be filtered. If the ActiveX plugins in some webpages are expected, you can configure ACL rules to permit requests to the ActiveX plugins of these webpages. Processing procedure • If the ActiveX blocking function is enabled but no ACL is configured for it, the device replaces the suffix .ocx with .
2. Enable the URL address filtering function.
   Command: firewall http url-filter host enable
   Remarks: Disabled by default.
3. Configure IP address-supported URL address filtering.
   Command: firewall http url-filter host ip-address { deny | permit }
   Remarks: Deny by default.
4. Specify an ACL for URL address filtering.
   Command: firewall http url-filter host acl acl-number
5. Display information about URL address filtering.
5. Display information about Java blocking.
   Command: display firewall http java-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Optional.
In the ACL for Java blocking, configure the source IP addresses as the IP addresses of the HTTP servers that are allowed to be accessed, and set the action to permit.
Configuring ActiveX blocking
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
Task: Clear Web filtering statistics.
Command: reset firewall http { activex-blocking | java-blocking | url-filter host | url-filter parameter } counter
Remarks: Available in user view.
URL address filtering configuration example
Network requirements
The hosts in the network segment 192.168.1.0/24 access the Internet through the device. The device is enabled with the URL address filtering function and allows the hosts to access only www.webflt.com, by URL address or by IP address.
[Router-acl-basic-2000] quit
# Deny IP-address-based website access in general, and use ACL 2000 to permit the allowed IP addresses.
[Router] firewall http url-filter host ip-address deny
[Router] firewall http url-filter host acl 2000
After the above configuration, open a Web browser on a host in the LAN and enter http://www.webflt.com or http://3.3.3.3; the website is accessible. Enter any other website address, and access to that website is denied.
[Router-acl-basic-2200] rule 1 deny source any
[Router-acl-basic-2200] quit
[Router] nat address-group 1 2.2.2.10 2.2.2.11
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] nat outbound 2200 address-group 1
[Router-GigabitEthernet3/0/1] quit
# Enable the URL parameter filtering function and add a URL parameter filtering entry group.
[Router-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2200] rule 1 deny source any
[Router-acl-basic-2200] quit
[Router] nat address-group 1 2.2.2.10 2.2.2.11
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] nat outbound 2200 address-group 1
[Router-GigabitEthernet3/0/1] quit
# Configure an ACL numbered 2100 for Java blocking.
[Router] acl number 2100
[Router-acl-basic-2100] rule 0 permit source 5.5.5.5 0.0.0.
Analysis
The number of URL address filtering entries, URL parameter filtering entries, Java blocking suffix keywords, or ActiveX blocking suffix keywords has reached the upper limit.
Solution
If necessary, remove some configured entries or keywords before adding new ones.
Invalid characters are present in the configured parameter
Symptom
When you configure a URL address filtering entry or URL parameter filtering entry, the system displays a character error message.
Wildcard: *
Meaning: Stands for any number of valid characters and spaces, excluding a dot (.).
Usage guidelines: It can be present once, at the beginning or in the middle of a filtering entry. It cannot be at the end and cannot be used next to a caret (^) or a dollar sign ($).
Table 14 Wildcards for URL parameter filtering entries
Wildcard: ^
Meaning: Matches parameters starting with the keyword.
Usage guidelines: Can be present once, at the beginning of a filtering entry.
Analysis
For URL address filtering, Java blocking, and ActiveX blocking, the ACLs permit access to servers in external networks rather than hosts in the internal network, because the internal network is assumed to be trusted.
Solution
Specify the IP address of the server in the external network as the source IP address in the ACL rule.
Unable to access the HTTP server by IP address
Symptom
After the URL address filtering function is enabled, you cannot access the HTTP server by its IP address.
Configuring attack detection and protection
Overview
Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to their contents and behavior and, if it detects an attack, takes measures to deal with it, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
Single-packet attack: Large ICMP
Description: For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to crash it.
Single-packet attack: Route Record
Description: An attacker exploits the route record option in the IP header to probe the topology of a network.
Single-packet attack: Smurf
Description: An attacker sends an ICMP echo request to the broadcast address of the target network.
An attacker sends a large number of UDP packets to the target in a short time, making the target too busy to process normal services. Blacklist function The blacklist function is an attack protection measure that filters packets by source IP address. Compared with Access Control List (ACL) packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.
• RAW IP session establishment rate
The device collects statistics and calculates the session establishment rates at an interval of 5 seconds, so the rates displayed on the device are based on the statistics collected during the latest 5-second interval. The traffic statistics function is not concerned with the session status (except for the TCP half-open and half-close states): as long as a session is established, the count increases by 1.
Figure 127 Data exchange process in unidirectional proxy mode (TCP client, TCP proxy, TCP server): 1) SYN; 2) SYN ACK (invalid sequence number); 3) RST; 4) SYN (retransmitting); 5) SYN (forwarding); 6) SYN ACK; 7) ACK; 8) ACK (forwarding).
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back a SYN ACK message that uses a wrong sequence number on behalf of the server. The client, if legitimate, responds with an RST message.
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK message with the window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy receives an ACK message. Upon receiving an ACK message from the client, the TCP proxy sets up a connection between itself and the server through a three-way handshake on behalf of the client. Thus, two TCP connections are established, and the two connections use different sequence numbers.
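The two proxy modes described above, simulated end to end (an added example, not HP's code): a legitimate client's stack answers the deliberately wrong SYN ACK with RST and retransmits, or completes the window-0 handshake with an ACK, while SYNs from forged sources never produce either, so nothing reaches the server. Addresses, the 203.0.113.0/24 flood sources and the segment representation are constructed for the example.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Seg:
    """A TCP segment reduced to the fields the proxy decision needs."""
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: int = 0
    window: int = 65535

def isn():
    return random.randrange(2**32)

class UnidirectionalProxy:
    """Answers every new SYN with a SYN ACK carrying a wrong acknowledgment number.
    A real TCP stack replies RST and retransmits its SYN; the retransmission is
    what gets forwarded to the server (steps 1 to 5 of the figure)."""
    def __init__(self, server):
        self.server = server
        self.challenged = set()   # sources that received the bogus SYN ACK
        self.verified = set()     # sources that answered it with RST
        self.to_server = []       # segments actually forwarded to the server

    def recv(self, seg):
        if seg.flags == "SYN":
            if seg.src in self.verified:
                self.to_server.append(seg)        # step 5: forward the retransmitted SYN
                return []
            self.challenged.add(seg.src)
            # step 2: the ack number deliberately does not equal client ISN + 1
            return [Seg(self.server, seg.src, "SYN-ACK", seq=isn(), ack=seg.seq + 1000)]
        if seg.flags == "RST" and seg.src in self.challenged:
            self.verified.add(seg.src)            # step 3: RST proves a real stack owns the source
        return []

class BidirectionalProxy:
    """Completes the handshake with the client itself (SYN ACK with window 0) and,
    only after the client's ACK, opens a second connection to the server."""
    def __init__(self, server):
        self.server = server
        self.pending = {}         # source -> proxy ISN used in its SYN ACK
        self.to_server = []       # SYNs the proxy sends to the server on clients' behalf

    def recv(self, seg):
        if seg.flags == "SYN":
            self.pending[seg.src] = isn()
            return [Seg(self.server, seg.src, "SYN-ACK", seq=self.pending[seg.src],
                        ack=seg.seq + 1, window=0)]
        if seg.flags == "ACK" and self.pending.get(seg.src, -2) + 1 == seg.ack:
            del self.pending[seg.src]
            # Client side is established; the proxy now starts its own handshake with
            # the server using a fresh ISN, so the two connections' sequence numbers differ.
            self.to_server.append(Seg(seg.src, self.server, "SYN", seq=isn()))
        return []

class LegitimateClient:
    """Minimal client in SYN-SENT state: a SYN ACK acknowledging the wrong sequence
    number draws a RST followed by a retransmitted SYN (RFC 793 behaviour); a correct
    one is answered with the final ACK of the handshake."""
    def __init__(self, addr, server):
        self.addr, self.server, self.isn = addr, server, isn()

    def syn(self):
        return Seg(self.addr, self.server, "SYN", seq=self.isn)

    def recv(self, seg):
        if seg.flags != "SYN-ACK":
            return []
        if seg.ack != self.isn + 1:
            return [Seg(self.addr, self.server, "RST", seq=seg.ack), self.syn()]
        return [Seg(self.addr, self.server, "ACK", seq=self.isn + 1, ack=seg.seq + 1)]

def run_handshake(proxy, client):
    """Deliver segments between client and proxy until the exchange quiesces and
    return how many SYNs reached the server side."""
    queue = [client.syn()]
    while queue:
        seg = queue.pop(0)
        if seg.dst == proxy.server:
            queue.extend(proxy.recv(seg))
        elif seg.dst == client.addr:
            queue.extend(client.recv(seg))
    return len(proxy.to_server)

def spoofed_flood(proxy, count):
    """SYNs with forged sources (constructed 203.0.113.0/24 addresses): the challenges
    go to hosts that sent nothing, so no RST or ACK comes back and the server sees
    none of these connections."""
    for i in range(count):
        proxy.recv(Seg(f"203.0.113.{i % 250 + 1}", proxy.server, "SYN", seq=i))
    return len(proxy.to_server)
```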
Configuring attack protection functions for an interface Creating an attack protection policy Before configuring attack protection functions for an interface, you need to create an attack protection policy and enter its view. In attack protection policy view, you can define one or more signatures used for attack detection and specify the corresponding protection measures. When creating an attack protection policy, you can also specify an interface so that the interface uses the policy exclusively.
4. Configure the ICMP packet length threshold that triggers large ICMP attack protection.
   Command: signature-detect large-icmp max-length length
   Remarks: Optional. 4000 bytes by default.
5. Configure the device to drop single-packet attack packets.
   Command: signature-detect action drop-packet
   Remarks: Optional. By default, the device does not process the attack packets if it detects an attack.
6. Return to system view.
   Command: quit
   Remarks: N/A
7. Enable attack protection logging.
   Command: attack-defense logging enable
   Remarks: Optional.
7. Enable the blacklist function.
   Command: blacklist enable
   Remarks: Required to make the blacklist entries added by the scanning attack protection function take effect. By default, the blacklist function is disabled.
Configuring a flood attack protection policy
The flood attack protection function is used to protect servers. It detects various flood attacks by monitoring the rate at which connection requests are sent to a server.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter attack protection policy view.
   Command: attack-defense policy policy-number
   Remarks: N/A
3. Enable ICMP flood attack protection.
   Command: defense icmp-flood enable
   Remarks: Disabled by default.
4. Configure the global action and silence thresholds for ICMP flood attack protection.
To apply an attack protection policy to an interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Apply an attack protection policy to the interface.
   Command: attack-defense apply policy policy-number
   Remarks: By default, no attack protection policy is applied to any interface. The attack protection policy to be applied to an interface must already exist.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the blacklist function.
   Command: blacklist enable
   Remarks: Disabled by default.
3. Add a blacklist entry.
   Command: blacklist ip source-ip-address [ timeout minutes ]
   Remarks: Optional. The scanning attack protection function can add blacklist entries automatically.
You can add blacklist entries manually, or configure the device to automatically add the IP addresses of detected scanning attackers to the blacklist.
Task: Display the configuration information about one or all attack protection policies.
Command: display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display information about blacklist entries (in standalone mode).
Command: display blacklist { all | ip source-ip-address [ slot slot-number ] | slot slot-number } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Protect internal hosts against Smurf attacks and scanning attacks from the external network. Protect the internal server against SYN flood attacks from the external network. To meet the requirements, perform the following configurations: • On GigabitEthernet 3/0/2, configure Smurf attack protection and scanning attack protection, enable the blacklist function for scanning attack protection, and set the connection rate threshold that triggers the scanning attack protection to 4500 connections per second.
[Router-GigabitEthernet3/0/2] quit
# Create attack protection policy 2.
[Router] attack-defense policy 2
# Enable SYN flood attack protection.
[Router-attack-defense-policy-2] defense syn-flood enable
# Configure SYN flood attack protection for the internal server 10.1.1.2 and set the action threshold to 5000 and the silence threshold to 1000.
[Router-attack-defense-policy-2] defense syn-flood ip 10.1.1.
Figure 130 Network diagram: Router GE3/0/1 192.168.1.1/16 toward Host A, Host B, and Host C 192.168.1.4/16; Router GE3/0/2 202.1.0.1/16 toward the Internet, the Attacker, and Host D 5.5.5.5/24.
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
system-view
[Router] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Router] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.
Traffic statistics configuration example Network requirements As shown in Figure 131, configure traffic statistics in the outbound direction of GigabitEthernet 3/0/1, and configure UDP flood attack protection to protect the internal server against external UDP flood attacks. Figure 131 Network diagram Configuration procedure # Configure IP addresses for interfaces. (Details not shown.) # Create attack protection policy 1.
Half-open TCP sessions : 0
Half-close TCP sessions : 0
TCP session establishment rate : 0/s
UDP sessions : 13676
UDP session establishment rate : 2735/s
ICMP sessions : 0
ICMP session establishment rate : 0/s
RAWIP sessions : 0
RAWIP session establishment rate : 0/s
[Router-GigabitEthernet3/0/1] display flow-statistics statistics interface gigabitethernet 3/0/1 outbound
Flow Statistics Information
-----------------------------------------------------------
Interface : GigabitEthernet3/0/1
Figure 132 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Create attack protection policy 1.
system-view
[Router] attack-defense policy 1
# Enable SYN flood attack protection.
[Router-attack-defense-policy-1] defense syn-flood enable
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
The output shows that an entry has been added for the attacked server.
Configuring TCP attack protection Overview Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features: • SYN Cookie • Protection against Naptha attacks This chapter describes the attacks that these features can prevent, working mechanisms of these features, and configuration procedures.
Enabling protection against Naptha attacks Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), and SYN Flood attacks by using only SYN_RECEIVED state.
Configuring IP source guard This feature is available only for SAP interface modules operating in Layer 2 mode. Overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent invalid hosts from using a valid IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag.
A static IPv4 source guard entry binds an IP address, MAC address, VLAN, or any combination of the three with a port. Such an entry is effective on only the specified port. A port forwards a packet only when the IP address, MAC address, and VLAN tag (if any) of the packet all match those in a static binding entry on the port. All other packets will be dropped. The router does not support static IPv6 source guard entries.
Follow these guidelines when you enable IPv4 source guard on a port: • You cannot enable IPv4 source guard on a link aggregation member port. If IPv4 source guard is enabled on a port, you cannot assign the port to a link aggregation group. • The keyword specified in the ip verify source command is only for instructing the generation of dynamic IPv4 source guard entries. It does not affect static IP source guard entries.
3. Configure a static IPv4 source guard entry on the port.
   Command: ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
   Remarks: By default, no static IPv4 binding entry is configured on a port. A static source guard entry can be configured only on Layer 2 Ethernet ports.
Task: Display static IPv4 source guard entries (in IRF mode).
Command: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display IPv4 source guard entries (in standalone mode).
Figure 134 Network diagram
Configuration procedure
1. Configure Router A:
# Enable IPv4 source guard on GigabitEthernet 3/0/2 to filter packets based on both the source IP address and MAC address.
system-view
[RouterA] interface gigabitethernet 3/0/2
[RouterA-GigabitEthernet3/0/2] ip verify source ip-address mac-address
# Configure GigabitEthernet 3/0/2 to allow only IP packets with the source MAC address 0001-0203-0405 and the source IP address 192.168.0.3 to pass.
# Enable IPv4 source guard on GigabitEthernet 3/0/1 to filter packets based on the source IP address.
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] ip verify source ip-address
# Configure GigabitEthernet 3/0/1 to allow only IP packets with the source IP address 192.168.0.2 to pass.
[RouterB-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.
Configuration procedure
1. Configure DHCP snooping:
# Enable DHCP snooping.
system-view
[Router] dhcp-snooping
# Configure port GigabitEthernet 3/0/2, which is connected to the DHCP server, as a trusted port.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] dhcp-snooping trust
[Router-GigabitEthernet3/0/2] quit
2. Enable IPv4 source guard on port GigabitEthernet 3/0/1 to filter packets based on both the source IP address and MAC address.
Figure 136 Network diagram: Host (DHCP client, MAC 0001-0203-0406), Router (DHCP relay agent, GE3/0/1 and GE3/0/2), DHCP server 10.1.1.1/24.
Configuration procedure
1. Configure the DHCP relay agent:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP relay.
system-view
[Router] dhcp enable
# Configure the IP address of the DHCP server.
[Router] dhcp relay server-group 1 ip 10.1.1.1
# Configure GigabitEthernet 3/0/1 to operate in DHCP relay mode.
Configuring ARP attack protection ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and prevent such attacks. Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
Task: Configuring ARP gateway protection
Remarks: Optional. Configure this function on access devices (recommended).
Task: Configuring ARP filtering
Remarks: Optional. Configure this function on access devices (recommended).
Configuring unresolvable IP attack protection
If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called unresolvable IP packets), the following situations can occur:
• The device sends a large number of ARP requests, overloading the target subnets.
Displaying and maintaining ARP source suppression
Task: Display ARP source suppression configuration information.
Command: display arp source-suppression [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Configuration example
Network requirements
As shown in Figure 137, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through its own access switch.
system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100
# Enable ARP blackhole routing.
system-view
[Device] arp resolving-route enable
Configuring ARP packet rate limit
The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU.
Configuring ARP active acknowledgement
Configure this feature on gateway devices to prevent user spoofing. ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
To configure ARP active acknowledgement:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the ARP active acknowledgement function.
   Command: arp anti-attack active-ack enable
   Remarks: Disabled by default.
Configuration example (on a DHCP server) Network requirements Configure the DHCP server with an IP address pool of 10.1.1.0/24 on Router A. Enable authorized ARP on GigabitEthernet 3/0/1 of Router A to ensure user validity. Configure the DHCP client on Router B to obtain an IP address from the DHCP server. Figure 138 Network diagram Configuration procedure 1. Configure Router A: # Configure the IP address of GigabitEthernet 3/0/1.
Router B must use the IP address and MAC address in the authorized ARP entry to communicate with Router A. Otherwise, the communication fails. Thus user validity is ensured. Authorized ARP configuration example (on a DHCP relay agent) Network requirements Configure Router A as a DHCP server with an IP address pool of 10.10.1.0/24. Configure Router B as a DHCP relay agent. Enable authorized ARP on GigabitEthernet 3/0/2 of Router B to ensure user validity.
[RouterB-GigabitEthernet3/0/1] ip address 10.1.1.2 24
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] ip address 10.10.1.1 24
# Enable the DHCP relay agent on GigabitEthernet 3/0/2.
[RouterB-GigabitEthernet3/0/2] dhcp select relay
[RouterB-GigabitEthernet3/0/2] quit
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[RouterB] dhcp relay server-group 1 ip 10.1.1.1
# Correlate GigabitEthernet 3/0/2 to DHCP server group 1.
If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies. ARP detection does not check ARP packets received from ARP trusted ports. Configuring user validity check After you enable this feature, the device checks user validity as follows: 1. Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against user validity check rules.
7. Configure the port as a trusted port that is excluded from ARP detection.
   Command: arp detection trust
   Remarks: Optional. A port is an untrusted port by default.
At least one user validity check rule, static IP source guard binding entry, DHCP snooping entry, or 802.1X security entry must be available to perform user validity check. Otherwise, ARP packets received from ARP untrusted ports are discarded. You must specify a VLAN for an IP source guard binding entry.
• If the packets are ARP requests, they are forwarded through the trusted interface.
• If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.
Before configuring this feature, configure user validity check.
To enable ARP restricted forwarding:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3.
Figure 140 Network diagram
Configuration procedure
1. Add all ports on Router B into VLAN 10, and configure the IP address of VLAN-interface 10 on Router A. (Details not shown.)
2. Configure the DHCP server on Router A.
system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection. (Details not shown.)
4.
# Configure the upstream port as an ARP-trusted port (a port is an untrusted port by default).
[RouterB-vlan10] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] port link-mode bridge
[RouterB-GigabitEthernet3/0/3] arp detection trust
[RouterB-GigabitEthernet3/0/3] quit
After the configurations are completed, ARP packets received on interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 are checked against 802.1X entries.
# Enable DHCP snooping.
system-view
[RouterB] dhcp-snooping
[RouterB] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] port link-mode bridge
[RouterB-GigabitEthernet3/0/3] dhcp-snooping trust
[RouterB-GigabitEthernet3/0/3] quit
# Enable ARP detection for VLAN 10.
[RouterB] vlan 10
[RouterB-vlan10] arp detection enable
# Configure the upstream port as a trusted port (a port is an untrusted port by default).
Figure 142 Network diagram
Configuration procedure
1. Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface. (Details not shown.)
2. Configure the DHCP server on Router A:
system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure the DHCP client on Host A and Host B. (Details not shown.)
4.
[RouterB-GigabitEthernet3/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[RouterB-GigabitEthernet3/0/2] ip verify source ip-address mac-address
[RouterB-GigabitEthernet3/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[RouterB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
• The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.
• Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.
• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports.
2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable ARP gateway protection for a specific gateway.
   Command: arp filter source ip-address
   Remarks: Disabled by default.
ARP gateway protection configuration example
Network requirements
As shown in Figure 143, Host B launches gateway spoofing attacks against Router B. As a result, traffic that Router B intends to send to Router A is sent to Host B. Configure Router B to block such attacks.
NOTE: This feature is supported only when SAP modules operate in bridge mode. The ARP filtering feature can prevent gateway spoofing and user spoofing attacks. An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded. Follow these guidelines when you configure ARP filtering: • You can configure up to eight permitted entries on an interface.
Configuration procedure
# Configure ARP filtering on Router B.
system-view
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] port link-mode bridge
[RouterB-GigabitEthernet3/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port link-mode bridge
[RouterB-GigabitEthernet3/0/2] arp filter binding 10.1.1.
Configuring ND attack defense Overview The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid. • To identify forged ND packets, HP developed the ND detection feature. For more information about the five functions of the ND protocol, see Layer 3—IP Services Configuration Guide.
Configuring URPF Overview Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
URPF work flow Figure 147 shows how URPF works.
NOTE: URPF does not check multicast packets. 1. URPF checks source address validity: { { { 2. 3. Proceeds to step 2 for other packets. { If yes, proceeds to step 3. { If not, proceeds to step 5. URPF checks whether the matching route is a default route: { If yes, URPF checks whether the allow-default-route keyword is configured to allow the default route: if yes, proceeds to step 4. If not, proceeds to step 5. If not, proceeds to step 4.
Network application
Figure 148 Network diagram
• Configure strict URPF check between an ISP network and a customer network, and loose URPF check between ISPs.
• Configure ACLs for special packets or users.
Configuring URPF on an interface
URPF checks only packets arriving at an enabled interface. Do not configure the allow-default-route keyword for loose URPF check. Otherwise, URPF might fail to work.
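A model of the URPF decision described in this chapter (an added example, not HP's code), covering strict versus loose mode, the allow-default-route keyword, the ACL that lets special packets through, and the exemption of multicast. The FIB contents, interface names and ACL predicate are constructed; the concrete tests used for the source-validity step are our assumption, since the page names the step without listing them.

```python
from ipaddress import ip_address, ip_network

def lookup(fib, addr):
    """Longest-prefix match over a FIB given as [(prefix, outgoing interface), ...]."""
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def urpf_check(fib, pkt, in_iface, mode="strict", allow_default_route=False, acl=None):
    """Decide whether a packet arriving on in_iface passes URPF.

    mode: "strict" requires the route back to the source to leave through in_iface;
          "loose" only requires that some route to the source exists.
    allow_default_route: whether a match on 0.0.0.0/0 counts as a route.
    acl: optional predicate over the packet; a packet that fails the check but
         matches the ACL is still forwarded (our reading of the page's
         "ACLs for special packets or users").
    Returns (forward, reason)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if dst.is_multicast:
        return True, "multicast is not checked"
    # Source address validity (the page's step 1; the concrete tests are our
    # assumption): a broadcast source is never valid, and an all-zero source is
    # acceptable only when the destination is the limited broadcast address.
    broadcast = ip_address("255.255.255.255")
    if src == broadcast or (src == ip_address("0.0.0.0") and dst != broadcast):
        return False, "invalid source address"
    route = lookup(fib, src)
    if route is None:
        failure = "no route back to the source"
    elif route[0].prefixlen == 0 and not allow_default_route:
        failure = "source matches only the default route"
    elif mode == "strict" and route[1] != in_iface:
        failure = f"route to source exits {route[1]}, packet arrived on {in_iface}"
    else:
        return True, "passed"
    if acl is not None and acl(pkt):
        return True, failure + ", but permitted by ACL"
    return False, failure

# Constructed FIBs and ACL in the spirit of the Router A / Router B example (not HP's data).
FIB_B = [(ip_network("10.1.1.0/24"), "GE3/0/1"), (ip_network("172.16.0.0/16"), "GE3/0/2")]
FIB_A = FIB_B + [(ip_network("0.0.0.0/0"), "GE3/0/2")]   # Router A also holds a default route

def acl_2010(pkt):
    """Stands in for the example's ACL 2010: permit traffic from 10.1.1.0/24."""
    return ip_address(pkt["src"]) in ip_network("10.1.1.0/24")

def forwards(fib, src, in_iface, **opts):
    """Does a unicast packet from src arriving on in_iface pass the URPF check?"""
    return urpf_check(fib, {"src": src, "dst": "198.51.100.10"}, in_iface, **opts)[0]
```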
URPF configuration example Network requirements As shown in Figure 149, enable strict URPF check on GigabitEthernet 3/0/1 of Router B and permit packets from network 10.1.1.0/24. Enable strict URPF check on GigabitEthernet 3/0/1 of Router A to allow using the default route for URPF check. Figure 149 Network diagram Configuration procedure 1. Configure Router B: # Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.
Configuring FIPS

Overview
Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the device supports Level 2. Unless otherwise noted, FIPS in this document refers to FIPS 140-2.
Cryptographic engine self-tests
  Test the following algorithms used by cryptographic engines:
  • DSA (signature and authentication)
  • RSA (signature and authentication)
  • RSA (encryption and decryption)
  • AES
  • 3DES
  • SHA1
  • HMAC-SHA1
  • Random number generator algorithms
Conditional self-tests
  A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked.
• Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.

Configuration considerations
To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
4.
FIPS configuration example

Network requirements
As shown in Figure 150, Host connects to Router through a console port. Configure Router to operate in FIPS mode and create a local user for Host so that Host can log in to the router.

Figure 150 Network diagram

Configuration procedure
CAUTION: After you enable the FIPS mode, be sure to create a local user and its password before you reboot the device. Otherwise, you cannot log in to the device.
(To leave the existing filename unchanged, press the enter key):
cfa0:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait....
The current configuration is saved to the active main board successfully.
Configuration is saved to device successfully.
[Sysname] quit
# Reboot the device.
reboot

Verifying the configuration
After the device reboots, enter the username (test) and password (AAbbcc1234%).
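A pre-flight check for the FIPS-mode restrictions and the CAUTION above, written as an added Python example (not HP code and not part of this guide). Before enabling FIPS mode and rebooting, it scans configuration lines for IKE proposal algorithms the guide says FIPS mode does not support (DES, RC4, MD5), applies the password rule from the configuration considerations (at least 10 characters with uppercase, lowercase, digits and special characters), and reports when no local user would be left able to log in after the reboot. The sample configuration is constructed; the encryption-algorithm and authentication-algorithm forms follow this guide's own examples, while the local-user and password simple lines, the des-cbc and md5 values and the weak account are assumed for illustration.

```python
import re
from typing import List

# Algorithms the guide says SSH, SNMPv3, IPsec and SSL do not support in FIPS mode
FORBIDDEN = ("des", "rc4", "md5")
# Commands whose first argument names an algorithm (forms used in the guide's IKE proposal examples)
ALGORITHM_COMMANDS = ("encryption-algorithm", "authentication-algorithm")


def password_ok(pw: str) -> bool:
    """FIPS-mode rule from the guide: >= 10 chars, upper, lower, digit and special character."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 10 and all(re.search(c, pw) for c in classes)


def audit(config_lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the config is ready for FIPS mode."""
    findings = []
    current_user = None
    compliant_user = None
    for n, raw in enumerate(config_lines, 1):
        tokens = raw.strip().split()
        if not tokens:
            continue
        cmd, args = tokens[0].lower(), tokens[1:]
        if cmd in ALGORITHM_COMMANDS and args:
            # "3des-cbc" has base "3des" and stays allowed; "des-cbc" and "md5" do not
            base = args[0].lower().split("-")[0]
            if base in FORBIDDEN:
                findings.append(f"line {n}: '{cmd} {args[0]}' is not supported in FIPS mode")
        elif cmd == "local-user" and args:
            current_user = args[0]
        elif cmd == "password" and current_user and len(args) >= 2:
            pw = args[-1]                       # assumed form: password simple <password>
            if password_ok(pw):
                compliant_user = compliant_user or current_user
            else:
                findings.append(f"line {n}: password for local-user {current_user} "
                                f"fails the FIPS complexity rule")
    if compliant_user is None:
        # The CAUTION in the guide: without such a user you cannot log in after the reboot
        findings.append("no local user with a compliant password: enabling FIPS mode and "
                        "rebooting would lock you out of the device")
    return findings


# Constructed sample configuration (not from a real device)
SAMPLE_CONFIG = [
    "ike proposal 1",
    " encryption-algorithm des-cbc",
    " authentication-algorithm md5",
    "ike proposal 2",
    " encryption-algorithm 3des-cbc",
    " authentication-algorithm sha",
    "local-user test",
    " password simple AAbbcc1234%",
    "local-user weak",
    " password simple password1",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the configuration you intend to keep through the FIPS transition; fix every finding before step 1 of the procedure, since after the reboot the non-compliant proposals are unusable and a lockout can only be recovered through the console.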
Configuring group domain VPN

Group domain Virtual Private Network (group domain VPN) provides a point-to-multipoint tunnel-less VPN solution. It is mainly used to protect multicast traffic.

Overview
Group domain VPN uses a group-based IPsec model. Members in a group use a common IPsec policy, which includes security protocols, algorithms, and keys.
Figure 151 Group domain VPN structure (a KS and several GMs connected over an IP network; GMs register with the KS, and the KS updates their keys)

The KS maintains security policies for groups, and creates and maintains key information. It responds to registration requests from GMs and sends rekey messages to GMs. After a GM registers with the KS, the KS sends the IPsec policy and keys to the GM. The keys are periodically updated. Before the key lifetime expires, the KS notifies all GMs to update keys by sending rekey messages.
Figure 152 Registration process (messages between GM and KS: 1) IKE negotiation, 2) Group ID, 3) SA policy, 4) Acknowledgement, 5) TEK and KEK)

As shown in Figure 152:
1. The GM and KS perform IKE negotiation.
2. The GM sends its group ID to the KS.
3. The KS sends an IPsec policy to the GM according to the group ID.
4. The GM verifies the IPsec policy. If the IPsec policy settings are acceptable, for example, the security protocols and encryption algorithms are supported, the GM sends an acknowledge message to the KS.
5. The KS sends the TEK and KEK to the GM.
Rekey
If rekey parameters are configured on the KS, the KS periodically unicasts or multicasts (the default mode is multicast) rekey messages to registered GMs to update their IPsec SAs or rekey SAs. The rekey messages are protected by the current rekey SA on the KS. GMs authenticate the rekey messages by using the public key that they received from the KS during registration. If a GM does not receive any rekey messages before its IPsec SA or rekey SA expires, the GM re-registers with the KS.
Keepalive
The primary KS periodically sends hello messages to the secondary KSs. If the secondary KSs receive no hello messages within a specific interval, they consider that the primary KS has failed, and elect a new primary KS. During the election, the secondary KSs do not accept registrations from GMs.
GDOI KS redundancy can be used to achieve KS high availability and load sharing. The following describes GDOI KS redundancy settings:
• UDP port number—Specifies the UDP port number that a GDOI KS uses to send and receive redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use the same UDP port number.
• Peer address—Specifies the IP address of a peer KS.
• Local priority—Specifies the priority of the local KS for primary KS election.
Task: Configuring rekey parameters
  Remarks: Optional.

Configuring basic settings for a GDOI KS group
A device supports multiple GDOI KS groups. A GDOI KS group includes all settings required by a KS in the group. The following describes basic GDOI KS group settings:
• Group name—Identifies the GDOI KS group on the device.
• Group ID—Identifies the GDOI KS group in the Group Domain VPN. A KS uses the group ID received from a GM to determine the GDOI KS group that the GM wants to join.
Step 3. Configure an ID for the GDOI KS group.
  Command: identity { address ip-address | number number }
  Remarks: Specify an IP address or a number as the group ID.
Step 4. Reference a key pair for KS rekey.
  Command: rekey authentication public-key rsa key-name
  Remarks: By default, no key pair is referenced.
Step 5. Specify a rekey ACL.
  Command: rekey acl { acl-number | name acl-name }
  Remarks: By default, no rekey ACL is specified.
Step 6. Create an IPsec policy for the GDOI KS group and enter GDOI KS group IPsec policy view.
To configure GDOI KS redundancy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the UDP port number for listening to redundancy protocol packets.
  Command: gdoi ks redundancy port port-number
  Remarks: By default, the KS listens to UDP port 19000 for redundancy protocol packets.
Step 3. Enter GDOI KS group view.
  Command: gdoi ks group group-name
  Remarks: N/A
Step 4. Specify a peer KS.
  Command: peer address ip-address
  Remarks: By default, no peer KS is specified.
Step 5. (Optional.) Configure a local priority.
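The keepalive and election behaviour described under "Keepalive", together with the redundancy settings above, as an added Python model (not HP's implementation and not code from this guide). Two KSs exchange hello messages only when both list each other as peers, use the same redundancy UDP port (19000 by default, per the guide) and can reach each other; each KS treats the highest-priority KS it currently hears from as primary, a secondary that misses hellos for the dead interval enters an election and refuses GM registrations until it resolves, and a KS that hears nobody stays primary on its own. The KS addresses and the 10000 priority come from this guide's example; the hello and dead intervals, KS 2's priority, the tie-break on address, and having every KS (not only the primary) announce its priority are assumptions made to keep the election observable. The port-mismatch run reproduces the "each KS considers itself as the primary KS" symptom from the troubleshooting section.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

HELLO_INTERVAL = 10   # seconds between hellos (assumed value)
DEAD_INTERVAL = 30    # no hello for this long => primary considered failed (assumed value)


def ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in addr.split("."))


@dataclass
class KeyServer:
    address: str
    priority: int
    port: int = 19000                                   # default redundancy UDP port in the guide
    peers: Set[str] = field(default_factory=set)        # configured with "peer address"
    last_hello: Dict[str, int] = field(default_factory=dict)
    peer_priority: Dict[str, int] = field(default_factory=dict)
    role: str = "Primary"                               # a KS that hears no peer acts as primary
    primary_address: str = ""
    electing: bool = False

    def __post_init__(self) -> None:
        self.primary_address = self.address

    def live_peers(self, now: int) -> Set[str]:
        return {a for a, t in self.last_hello.items() if now - t <= DEAD_INTERVAL}

    def accepts_registrations(self) -> bool:
        # Per the guide, secondaries do not accept GM registrations during an election
        return not self.electing

    def choose_primary(self, now: int) -> None:
        candidates = {self.address: self.priority}
        for a in self.live_peers(now):
            candidates[a] = self.peer_priority[a]
        winner = max(candidates, key=lambda a: (candidates[a], ip_key(a)))   # tie-break assumed
        self.primary_address = winner
        self.role = "Primary" if winner == self.address else "Secondary"
        self.electing = False


class Cluster:
    def __init__(self, servers: List[KeyServer],
                 reachable: Callable[[str, str], bool] = lambda a, b: True) -> None:
        self.servers = {s.address: s for s in servers}
        self.reachable = reachable

    def deliverable(self, src: KeyServer, dst: KeyServer) -> bool:
        """Redundancy packets flow only between mutually configured peers on the same UDP port."""
        return (dst.address in src.peers and src.address in dst.peers
                and src.port == dst.port and self.reachable(src.address, dst.address))

    def step(self, now: int) -> None:
        for src in self.servers.values():               # hello round (all KSs announce: assumption)
            for dst_addr in src.peers:
                dst = self.servers.get(dst_addr)
                if dst and self.deliverable(src, dst):
                    dst.last_hello[src.address] = now
                    dst.peer_priority[src.address] = src.priority
        for ks in self.servers.values():
            if ks.electing:
                ks.choose_primary(now)                  # election resolves on the next round
            elif ks.role == "Secondary" and ks.primary_address not in ks.live_peers(now):
                ks.electing = True                      # primary's hellos timed out
            else:
                ks.choose_primary(now)


def run(ks2_port: int = 19000, primary_down_after=None, rounds: int = 8):
    """Drive two KSs through `rounds` hello intervals; return (ks1, ks2, history)."""
    ks1 = KeyServer("100.1.1.100", 10000, peers={"200.2.2.200"})
    ks2 = KeyServer("200.2.2.200", 5000, port=ks2_port, peers={"100.1.1.100"})   # priority assumed
    clock = [0]

    def reachable(a: str, b: str) -> bool:
        # Constructed failure: after primary_down_after, KS 1 drops off the network
        if primary_down_after is not None and clock[0] > primary_down_after:
            return "100.1.1.100" not in (a, b)
        return True

    cluster = Cluster([ks1, ks2], reachable)
    history = []
    for i in range(rounds):
        clock[0] = i * HELLO_INTERVAL
        cluster.step(clock[0])
        history.append((clock[0], ks1.role, ks2.role, ks2.accepts_registrations()))
    return ks1, ks2, history


if __name__ == "__main__":
    for label, kwargs in (("matching ports", {}), ("port mismatch", {"ks2_port": 19001}),
                          ("primary fails at t=20", {"primary_down_after": 20})):
        _, _, hist = run(**kwargs)
        print(label, hist)
```

The port-mismatch run is the state the troubleshooting section describes: both "display gdoi ks redundancy" outputs would show Local role Primary with the peer session never reaching Ready, because no redundancy packet is ever delivered.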
Configuring rekey parameters
The following describes the rekey parameters:
• Rekey encryption—Specifies the encryption algorithm used by the KEK.
• Rekey lifetime—Specifies the lifetime of the KEK.
• Rekey transport unicast—Enables unicasting rekey messages. By default, the KS multicasts rekey messages. Configure this setting only when the network does not support multicasting, because unicast transmission increases overhead and affects device performance.
Task: Clear GDOI information for GMs and initiate registrations.
  Command: reset gdoi [ group group-name ]
Task: Enforce rekey.
  Command: gdoi ks rekey [ group group-name ]

Configuring the GDOI GM
The GDOI GM needs IKE settings that include an IKE proposal and an IKE peer used for phase-1 IKE negotiation. The IKE peer is identified by the IP address of the KS. For information about IKE configuration, see "Configuring IKE."

GDOI GM configuration task list
Task: Configuring a GDOI GM group
  Remarks: Required.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a GDOI GM group and enter GDOI GM group view.
  Command: gdoi gm group group-name
  Remarks: By default, no GDOI GM group exists.
Step 3. Configure a GDOI GM group ID.
  Command: identity { address ip-address | number number }
  Remarks: Specify an IP address or a number as the group ID. By default, no GDOI GM group ID is specified.
Step 4. Configure a KS address.
  Command: server address ip-address
  Remarks: By default, no KS address is specified.
Step 5.
  Remarks: Optional.
Step 3. Reference a GDOI GM group for the GDOI IPsec policy entry.
  Command: group group-name
  Remarks: By default, no GDOI GM group is referenced. You can reference only one GDOI GM group for a GDOI IPsec policy entry. For a GDOI IPsec policy entry to take effect, the referenced GDOI GM group must have correct KS addresses and group ID.
Step 4. Reference an ACL for the GDOI IPsec policy entry.
  Remarks: Optional. By default, no ACL is referenced.
Task: Display the GDOI GM group information.
  Command: display gdoi gm [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Task: Display information about IPsec SAs obtained by the GM.
  Command: display gdoi gm ipsec sa [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Task: Display brief information of the GM.
  Command: display gdoi gm members [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Task: Display the ACL information of the GM.
Figure 155 Network diagram

Configuration procedure
Make sure each GM (GM 1, GM 2, and GM 3) and each KS can reach each other, and the two KSs can reach each other. Make sure the multicast packets between the GMs and the multicast rekey messages between the KS and GMs can be forwarded correctly. By default, the KS multicasts rekey messages. To unicast rekey messages, use the rekey transport unicast command.

Configuring KS 1
# Configure IP addresses for interfaces. (Details not shown.)
# Configure the pre-shared key as tempkey1 in plaintext.
[KS1-ike-peer-toks2] pre-shared-key simple tempkey1
# Specify the IP address of the IKE peer as 200.2.2.200.
[KS1-ike-peer-toks2] remote-address 200.2.2.200
[KS1-ike-peer-toks2] quit
# Create the IKE peer togm for IKE negotiation with GMs.
[KS1] ike peer togm
# Apply IKE proposal 1 to the IKE peer.
[KS1-ike-peer-togm] proposal 1
# Configure the pre-shared key as tempkey1 in plaintext.
# Create a local RSA key pair named rsa1.
[KS1] public-key local create rsa name rsa1
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
# Export the local RSA key pair rsa1 by using 3DES CBC and password 12345678. Copy the key or key pair as needed, which will be used in RSA key import on KS 2.
# Create an IPsec policy.
[KS1-gdoi-ks-group-ks1] ipsec 10
# Reference the IPsec profile fortek.
[KS1-gdoi-ks-group-ks1-ipsec-10] profile fortek
# Reference the ACL fortek.
[KS1-gdoi-ks-group-ks1-ipsec-10] security acl name fortek
[KS1-gdoi-ks-group-ks1-ipsec-10] quit
# Specify the peer KS 200.2.2.200.
[KS1-gdoi-ks-group-ks1] peer address 200.2.2.200
# Specify the source address of sent packets as 100.1.1.100.
[KS1-gdoi-ks-group-ks1] source address 100.1.1.100
# Specify the local priority as 10000.
# Configure the pre-shared key as tempkey1 in plaintext.
[KS2-ike-peer-togm] pre-shared-key simple tempkey1
[KS2-ike-peer-togm] quit
# Create an IPsec transform set fortek.
[KS2] ipsec transform-set fortek
# Specify the ESP protocol for the IPsec transform set fortek.
[KS2-ipsec-transform-set-fortek] transform esp
# Specify the encryption algorithm AES-CBC 128 for the IPsec transform set fortek.
MGaftNqe4esjetm7bRJHSpsbwZ9YUpvA9iWh8R406NGq8e+1A/ZiK23+t1XqRwaU 1FXnwbqHgW1pZ7JxQdgBuC9uXc4VQyP/xe6xCyUepdMC71fmeOaiwUFrj6LAzzBg o3SfhX1NHyHBnr7c6SnIeUTG2g/qRdj40TD4HcRjgPaLaTGguZ553GyS6ODWAwL7 ZBTjv+vow9kfewZ74ocoBje2gLcWlbmiEKCJGV06zW4gv2AH6I8TAhv4GovIN/v1 lCsD2PscXnPOloLTE/8EDLRHNE8RpIYDWqI/YI8Yg6wlx29mf29+cj/9r4gPrDPy c/TQ0a0g95Khdy+yl4eDKaFiQQ+Kqn4zdzDTDNq7LRtqr7lGQzVw6srfrr71ib7J yJFdi2RXETEgOS/jE+xGtNqd38F/YzIRPax7NNMK+hAJC2MzdbN/BEoLWOqG7Plm hvCE3LFxelExLJU+0XfAX77TI2+5LEHBi1UiGLeH08fd1XUQCefARlIxG
[GM1] ike proposal 1
# Specify the encryption algorithm AES-CBC 128 for the IKE proposal.
[GM1-ike-proposal-1] encryption-algorithm aes-cbc 128
# Specify the authentication algorithm SHA1 for the IKE proposal.
[GM1-ike-proposal-1] authentication-algorithm sha
# Specify DH group2 for the IKE proposal.
[GM1-ike-proposal-1] dh group2
[GM1-ike-proposal-1] quit
# Create IKE peer toks1.
[GM1] ike peer toks1
# Reference IKE proposal 1 for the IKE peer.
[GM1-Ethernet1/1] quit

Configuring GM 2
# Configure IP addresses for interfaces. (Details not shown.)
# Create IKE proposal 1.
system-view
[GM2] ike proposal 1
# Specify the encryption algorithm AES-CBC 128 for the IKE proposal.
[GM2-ike-proposal-1] encryption-algorithm aes-cbc 128
# Specify the authentication algorithm SHA1 for the IKE proposal.
[GM2-ike-proposal-1] authentication-algorithm sha
# Specify DH group2 for the IKE proposal.
# Reference GDOI GM group 1 for the GDOI IPsec policy.
[GM2-ipsec-policy-gdoi-map-1] group 1
[GM2-ipsec-policy-gdoi-map-1] quit
# Apply the GDOI IPsec policy to interface Ethernet 1/1.
[GM2] interface ethernet 1/1
[GM2-Ethernet1/1] ipsec policy map
[GM2-Ethernet1/1] quit

Configuring GM 3
# Configure IP addresses for interfaces. (Details not shown.)
# Create IKE proposal 1.
system-view
[GM3] ike proposal 1
# Specify the encryption algorithm AES-CBC 128 for the IKE proposal.
[GM3-gdoi-gm-group-1] server address 100.1.1.100
[GM3-gdoi-gm-group-1] server address 200.2.2.200
[GM3-gdoi-gm-group-1] quit
# Create a GDOI IPsec policy.
[GM3] ipsec policy map 1 gdoi
# Reference GDOI GM group 1 for the GDOI IPsec policy.
[GM3-ipsec-policy-gdoi-map-1] group 1
[GM3-ipsec-policy-gdoi-map-1] quit
# Apply the IPsec policy to interface Ethernet 1/1.
current outbound spi: 0xDB865076(3683012726)
[inbound ESP SAs]
spi: 0xDB865076(3683012726)
transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
in use setting: Transport
connection id: 317
sa duration (kilobytes/sec): 0/900
sa remaining duration (kilobytes/sec): 0/63
anti-replay detection: Disabled
spi: 0x640321A(104870426)
transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
in use setting: Transport
connection id: 325
sa duration (kilobytes/sec): 0/900
sa remaining duration (kilobytes/sec): 0/853
anti-replay detection: D
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 10.1.3.0/255.255.255.
Group Server List : 100.1.1.100
Group Member : 1.1.1.1
Registration status : Registered
Registered with : 100.1.1.100
Re-register in : 81 sec
Succeeded registrations : 1
Attempted registrations : 1
Last rekey from : 100.1.1.
Group member version : 1.0
Group ID : 12345
Rekeys sent : 0
Rekey retries : 0
Rekey ACKs received : 0
Rekey ACKs missed : 0
Group member ID : 2.2.2.2
Group member version : 1.0
Group ID : 12345
Rekeys sent : 0
Rekey retries : 0
Rekey ACKs received : 0
Rekey ACKs missed : 0
Group member ID : 3.3.3.3
Group member version : 1.0
Group ID : 12345
Rekeys sent : 0
Rekey retries : 0
Rekey ACKs received : 0
Rekey ACKs missed : 0
KS 2 stores the same GM information.
Sessions:
Peer address : 100.1.1.100
Peer version : 1.0
Peer priority : 10000
Peer role : Primary
Peer status : Ready

Troubleshooting group domain VPN

IKE SA negotiation failure
Symptom
Phase 1 IKE negotiation failed.
Analysis
If the failure occurred between GM and KS, the IKE configurations on the GM and KS do not match, or the GM and KS cannot reach each other. If the failure occurred between KSs, the IKE configurations on the KSs do not match, or the KSs cannot reach each other.
Solution
Verify that the GM and KS have the same group ID.

KS redundancy failure
Symptom
KS redundancy configuration does not take effect.
Analysis
Display KS redundancy information on KS 1. The output shows that each KS considers itself as the primary KS.
display gdoi ks redundancy
Group Name :ks1
Local address : 100.1.1.100
Local version : 1.0
Local priority : 10000
Local role : Primary
Primary address : 100.1.1.100
Sessions:
Session 1:
Peer address : 200.2.2.
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.
Importing an RSA key pair
After you export an RSA key pair on a device, you can import the key pair to another device.
To import an RSA key pair: