HP High-End Firewalls Access Control Configuration Guide
Part number: 5998-2628
Software version: F1000-E/Firewall module: R3166; F5000-A5: R3206
Document version: 6PW101-20120706
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt)
- ACL configuration (1)
  - ACL overview (1)
  - IPv4 ACL categories
- Configuring a service resource (34)
  - Displaying default service resources (34)
  - Configuring a customized service resource (35)
  - Configuring a service group resource
- ASPF configuration example (79)
- Configuration guidelines (80)
- Connection limit configuration (81)
- Configuring local users (127)
- Configuring RADIUS schemes in the web interface (131)
- RADIUS configuration example in the web interface (135)
- Configuring RADIUS schemes in the CLI
ACL configuration

NOTE: The web interface supports only configuration of IPv4 ACLs.

ACL overview

An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering, and you can also reference them from QoS, firewall, routing, and other feature modules to identify traffic. An ACL only classifies packets; whether a matching packet is dropped or forwarded depends on the module that references the ACL.
• auto—Sorts ACL rules in depth-first order. Depth-first ordering ensures that a rule whose match range is a subset of another rule's range is always tried before the broader rule, so a narrower rule cannot be shadowed by a broader rule that was configured earlier. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

Table 1 Sort ACL rules in depth-first order

ACL category: IPv4 basic ACL, IPv4 advanced ACL, Ethernet frame header ACL
Sequence of tie breakers:
1. VPN instance
2. More 0s in the source IP address wildcard (more 0s means a narrower IP address range)
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8.
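The following model of an ACL, added here as an illustration and not code from the HP guide, shows the rule numbering step and renumbering described above together with the depth-first ordering from Table 1. Only the two tie breakers visible in Table 1 (VPN instance, then more 0 bits in the source wildcard) are implemented; placing VPN-bound rules before non-VPN rules, and using configuration order as the last tie breaker, are assumptions. It also includes a contiguity check for wildcards, which matters for the ACL acceleration restriction noted later in this chapter.

```python
from dataclasses import dataclass, field
import ipaddress


def wildcard_zero_bits(wildcard: str) -> int:
    """Number of 0 bits in a dotted wildcard; more 0s means a narrower range
    (0.0.0.0 is a single host, 255.255.255.255 is any address)."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form one trailing run, i.e. the wildcard is the
    inverse of a prefix mask. ACL acceleration is unavailable for ACLs that
    contain a non-contiguous wildcard such as 0.255.0.255."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w & (w + 1) == 0


@dataclass
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    source: str
    wildcard: str
    vpn: str = ""        # "" means the rule applies to non-VPN packets
    seq: int = 0         # configuration order, last tie breaker (assumption)


@dataclass
class Acl:
    number: int
    match_order: str = "config"   # "config" or "auto" (depth-first)
    step: int = 5                 # 5 by default
    rules: list = field(default_factory=list)
    _seq: int = field(default=0, init=False, repr=False)

    def next_rule_id(self) -> int:
        """Smallest multiple of the step greater than the highest rule ID;
        an ACL without rules starts at 0."""
        if not self.rules:
            return 0
        high = max(r.rule_id for r in self.rules)
        return (high // self.step + 1) * self.step

    def add_rule(self, action, source, wildcard, vpn="", rule_id=None):
        if rule_id is None:
            rule_id = self.next_rule_id()
        # Reusing an existing rule ID overwrites the old rule.
        self.rules = [r for r in self.rules if r.rule_id != rule_id]
        self._seq += 1
        self.rules.append(Rule(rule_id, action, source, wildcard, vpn, self._seq))
        return rule_id

    def set_step(self, step: int):
        """Changing the step renumbers all rules from 0, keeping their order."""
        if step < 1:
            raise ValueError("step must be positive")
        self.step = step
        for i, r in enumerate(sorted(self.rules, key=lambda r: r.rule_id)):
            r.rule_id = i * step

    def rule_ids(self):
        return sorted(r.rule_id for r in self.rules)

    def ordered(self):
        """Rules in the order the device would try them."""
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # Depth-first: VPN instance first (assumption: VPN-bound rules before
        # non-VPN rules), then more 0 bits in the source wildcard, then
        # configuration order.
        return sorted(self.rules, key=lambda r: (r.vpn == "", r.vpn,
                                                 -wildcard_zero_bits(r.wildcard),
                                                 r.seq))
```

With match order config, a broad deny configured as rule 0 hides a later host permit; with match order auto the host rule is tried first because its wildcard has more 0 bits.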
Task: Configuring ACL acceleration. Remarks: Optional; necessary only when the ACL contains a large number of ACL rules. IMPORTANT: Only IPv4 basic ACLs and advanced ACLs support ACL acceleration.

Creating an ACL

After you select Firewall > ACL from the navigation tree, all existing ACLs are displayed in the right pane, as shown in Figure 1. Click Add to enter the ACL configuration page, as shown in Figure 2.
Configuring a basic ACL rule Select Firewall > ACL from the navigation tree. Then, select the basic ACL for which you want to configure ACL rules from the ACL list in the right pane and click the corresponding icon in the Operation column to display all existing rules of the ACL, as shown in Figure 3. Click Add to enter the basic ACL rule configuration page, as shown in Table 4.
Time Range: Select a time range for the rule. If you select None, the rule is always effective. Available time ranges are configured by selecting Resource > Time Range from the navigation tree.
Non-first Fragments Only: Select this check box to apply the rule to only non-first fragments. If you do not select this check box, the rule applies to all fragments and non-fragments.
Logging: Select this check box to log matching packets.
Figure 6 Advanced ACL rule configuration page

Table 5 Advanced ACL rule configuration items
Rule ID: Select the Rule ID check box and type a number for the rule. If you do not specify the rule number, the system assigns one automatically. IMPORTANT: If a rule with that number already exists, the configuration overwrites the old rule.
Operation: Select the operation to be performed for packets matching the rule. Permit allows matching packets to pass; Deny denies matching packets.
Source IP Address / Source Wildcard: Select the Source IP Address check box and type a source IP address and source wildcard, in dotted decimal notation.
Destination IP Address / Destination Wildcard: Select the Destination IP Address check box and type a destination IP address and destination wildcard, in dotted decimal notation.
VPN Instance: Specify the VPN instance. If you select None, the rule applies only to non-VPN packets.
Protocol: Select the protocol to be carried over IP.
Operation column to list all existing rules of the ACL, as shown in Figure 7. Click Add to enter the configuration page for Ethernet frame header ACL rules, as shown in Figure 8.

Figure 7 List of Ethernet frame header ACL rules
Figure 8 Ethernet frame header ACL rule configuration page

Table 6 Ethernet frame header ACL rule configuration items
Rule ID: Select the Rule ID check box and type a number for the rule.
Destination MAC Address / Destination Wildcard: Select the Destination MAC Address check box and specify the destination MAC address and wildcard.
LSAP Type / LSAP Wildcard: Select the LSAP Type check box and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following two items: LSAP Type specifies the encapsulation format; LSAP Wildcard specifies the LSAP mask.
Configuration procedure 1. Create a time range for office hours # Create a periodic time range from 8:00 to 18:00 on working days. • Select Resource > Time Range from the navigation tree and then click Add. • Type worktime in the Name text box. • Select the Periodic Time Range check box. • Set the start time to 8:00. • Set the end time to 18:00. • Select the Mon., Tues., Wed., Thurs., and Fri. check boxes. • Click Apply. 2.
Enter system view: system-view.
Create an IPv4 basic ACL and enter its view: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]. Required; by default, no ACL exists. IPv4 basic ACLs are numbered in the range 2000 to 2999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.
Set the rule numbering step: step step-value.
Create or edit a rule: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | sourc
Set the rule numbering step: step step-value. Optional; 5 by default.
Create or edit a rule: rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *. Required; by default, an Ethernet frame header ACL does not contain any rule.
Enable ACL acceleration for an IPv4 ACL: acl accelerate number acl-number. Required; disabled by default. The ACL must exist. Only IPv4 basic ACLs and advanced ACLs support ACL acceleration.

NOTE:
• ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask.
• After you modify an IPv4 ACL with ACL acceleration enabled, disable and re-enable ACL acceleration to ensure correct rule matching. Until you do, the changes to the ACL do not take effect for accelerated matching.
Zone configuration

NOTE: The firewall supports configuring a zone only in the web interface.

Zone overview

On early dual-homed firewalls, firewall and router policies were configured based on the inbound and outbound interfaces of packets. Firewalls have since evolved: they connect not only the internal and external networks but also the internal network, the external network, and a demilitarized zone (DMZ), and they provide high-density ports.
Figure 10 Zone classification

Configuring a zone

Configuration task list

Perform the tasks in Table 7 to configure a zone.

Table 7 Zone configuration task list
Select a virtual device: Optional. To select a virtual device, select Device Management > Virtual Device > Device Selection. For more information, see System Management and Maintenance Configuration Guide. By default, the current virtual device is the virtual root device.
Figure 11 Zone
Figure 12 Create a zone

Table 8 Configuration items for creating a zone
Zone ID: The zone ID must be unique on a virtual device.
Zone Name: Zone name.
Preference: Sets the preference of a zone. By default, packets from a high priority zone to a low priority zone are allowed to pass. Keep this default in mind when you assign preferences: until an interzone policy restricts it, any host in the higher-priority zone can reach the lower-priority zone.
Share: Whether the specified zone can be referenced by other virtual devices.
Virtual Device: The virtual device to which the specified zone belongs.
Return to Zone configuration task list.
Figure 13 Modify zone

Table 9 Configuration items for configuring a zone member
Zone ID/Zone Name/Virtual Device: The specified zone ID, zone name, and the virtual device to which the zone belongs.
Preference: The preference of the specified zone. By default, packets from a high priority zone to a low priority zone are allowed to pass.
Share: Whether the specified zone can be referenced by other virtual devices.
Subnet address resource: Specify a subnet address resource to be added to the zone. You can specify one subnet address resource by selecting it from the drop-down list, or specify multiple subnet address resources as follows: click Multiple, select the target subnet address resources from the Available Subnet Address list in the pop-up window, click the add button to move them to the Current Subnet Address list, and then click Apply.
• If you deploy the WWW server and the FTP server on the external network, their security cannot be ensured; if you deploy them on the internal network, an attacker on the external network could exploit a vulnerability in one of these servers to reach the internal network. Therefore, deploy the servers in the DMZ zone, whose preference lies between Trust and Untrust, and connect the Ethernet interface GigabitEthernet 0/1 on Firewall to the servers.
• Select Device Management > Zone from the navigation tree.
• Click the icon of the Untrust zone to modify it.
• Select GigabitEthernet 0/2.
• Leave the other items unchanged.
• Click Apply.
Service management

Overview

The service management module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP, and HTTPS. You can enable or disable each service as needed, which improves both performance and security, because a disabled service exposes no listening port on the device. FTP, Telnet, and HTTP carry credentials and session data in cleartext, so prefer SFTP, SSH, and HTTPS for managing the device and disable the cleartext services where you can.
• Defines a certificate attribute-based access control policy for the device to control the access rights of clients, in order to further block attacks from illegitimate clients.

Configuring service management

Select Device Management > Service Management from the navigation tree to enter the service management configuration page, as shown in Figure 15.

Figure 15 Service management

Table 10 shows the detailed configuration for service management.
Enable HTTP service: Specify whether to enable the HTTP service. The HTTP service is enabled by default.
HTTP Port Number: Set the port number for the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: When you modify a port, ensure that the port is not used by another service.
ACL: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service.
Enable HTTPS service:
Address resource configuration

NOTE: The firewall supports address resource configuration only in the web interface.

Address resource overview

Address resources are classified into four categories: IP address resource, IP address group resource, MAC address resource, and MAC address group resource. They can be referenced by interzone policies to define packet match criteria.
Figure 17 Host address resource configuration page

Table 11 Host address resource configuration items
IP Address / Domain Name: Select either of them as the address resource form.
Name: Specify the name for the host address resource.
Description: Describe the host address resource in brief.
IP List: Specify the IP addresses for the host address resource. Type an IP address in the IP Address text box, and then click Add to add it to the IP List.
Figure 19 Address range resource configuration page

Table 12 Address range resource configuration items
Name: Specify the name for the address range resource.
Description: Describe the address range resource in brief.
Address Range: Specify a start IP address and an end IP address to define an address range.
Exclude IP Address: Specify the IP addresses to be excluded. Use commas (,) to separate the IP addresses.
Table 13 Subnet address resource configuration items
Name: Specify the name for the subnet address resource.
Description: Describe the subnet address resource in brief.
IP/Wildcard: Specify an IP address and a wildcard to define an address range.
Exclude IP Address: Specify the IP addresses to be excluded. Use commas (,) to separate the IP addresses.
Group Members: Add or remove IP address resources. Select one or more IP address resources from the Available Group Members list and then click Add to add them to the Group Members list; select one or more IP address resources from the Group Members list and then click Remove to remove them. The Available Group Members list contains all the host resources, address range resources, and subnet address resources that have been configured.
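The following is an added example, not code from the HP guide, that models the host, address range, and subnet address resources above and an IP address group that references them. It shows how the IP/wildcard form matches (a 0 bit in the wildcard must match, a 1 bit is ignored, and the wildcard need not be contiguous) and how the comma-separated Exclude IP Address list carves addresses out of a range or subnet. The resource names and addresses are constructed; the Domain Name form of a host resource is not modelled.

```python
import ipaddress


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr.strip()))


def parse_excludes(text: str) -> set:
    """'Exclude IP Address' accepts addresses separated by commas."""
    return {ip2int(part) for part in text.split(",") if part.strip()}


class HostResource:
    """One or more individual IP addresses."""

    def __init__(self, name, ips):
        self.name = name
        self.ips = {ip2int(ip) for ip in ips}

    def contains(self, ip: str) -> bool:
        return ip2int(ip) in self.ips


class RangeResource:
    """A start..end address range with optional exclusions."""

    def __init__(self, name, start, end, exclude=""):
        self.name = name
        self.start, self.end = ip2int(start), ip2int(end)
        if self.end < self.start:
            raise ValueError("end address precedes start address")
        self.exclude = parse_excludes(exclude)

    def contains(self, ip: str) -> bool:
        n = ip2int(ip)
        return self.start <= n <= self.end and n not in self.exclude


class SubnetResource:
    """IP/wildcard form. Bits that are 0 in the wildcard must match the
    configured address; bits that are 1 are ignored. Unlike a prefix length,
    the 1 bits need not be contiguous."""

    def __init__(self, name, ip, wildcard, exclude=""):
        self.name = name
        self.ip, self.wildcard = ip2int(ip), ip2int(wildcard)
        self.exclude = parse_excludes(exclude)

    def contains(self, ip: str) -> bool:
        n = ip2int(ip)
        care = ~self.wildcard & 0xFFFFFFFF
        return (n & care) == (self.ip & care) and n not in self.exclude


class GroupResource:
    """An IP address group referencing host, range and subnet resources."""

    def __init__(self, name, members=()):
        self.name = name
        self.members = list(members)

    def contains(self, ip: str) -> bool:
        return any(m.contains(ip) for m in self.members)

    def members_matching(self, ip: str) -> list:
        """Names of the member resources that contain ip (for auditing)."""
        return [m.name for m in self.members if m.contains(ip)]
```

Because a non-contiguous wildcard such as 0.255.0.255 selects addresses scattered across many prefixes, check such resources with members_matching before referencing them in a policy; they are easy to misread as ordinary subnets.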
MAC Address: Add or remove MAC address resources. Type a MAC address in the MAC Address text box, and then click Add to add it to the MAC List; select one or more MAC addresses in the MAC List, and then click Remove to remove them from the MAC List.

Configuring a MAC address group resource

NOTE: Configure MAC address resources before configuring MAC address group resources.
Description: Describe the MAC address group resource in brief.
Group Members: Add or remove MAC address resources. Select one or more MAC address resources from the Available Group Members list and then click Add to add them to the Group Members list; select one or more MAC address resources from the Group Members list and then click Remove to remove them.
Figure 29 Import configurations
Service resource configuration

NOTE: The high-end firewalls support service resource configuration only in the web interface.

Service resource overview

A service resource defines a service by specifying the protocol to be carried by IP and the protocol-specific items. It may be referenced by an interzone policy as a packet match criterion. Service resources fall into three categories:
• Default service resources: Created by the device during initialization.
• Customized service resources: Created manually.
Configuring a customized service resource Select Resource > Service > Customized Service from the navigation tree. All existing customized service resources are displayed, as shown in Figure 31. Then, click Add to enter the customized service resource configuration page, as shown in Figure 32.
Destination Port: Specify the destination TCP port range in the following two text boxes. The two text boxes are available after you select TCP. If the values of the two text boxes are the same, a single port is specified. If the value of the second text box is greater than that of the first, a port range is specified. The value of the second text box cannot be less than that of the first.
Source Port: Specify the source UDP port range in the following two text boxes.
ICMP message name: Type, Code
port-unreachable: Type=3, Code=3
protocol-unreachable: Type=3, Code=2
reassembly-timeout: Type=11, Code=1
source-quench: Type=4, Code=0
source-route-failed: Type=3, Code=5
timestamp-reply: Type=14, Code=0
timestamp-request: Type=13, Code=0
ttl-exceeded: Type=11, Code=0

Configuring a service group resource

Select Resource > Service > Service Group from the navigation tree. All existing service group resources are displayed, as shown in Figure 33.
Description: Describe the service group resource in brief.
Group Members: Add or remove service resources. Select one or more service resources from the Available Group Members list and then click Add to add them to the Group Members list; select one or more service resources from the Group Members list and then click Delete to remove them. The Available Group Members list contains all default and customized service resources that have been configured.
Figure 36 Import configurations
Time range resource configuration

A time range resource defines a time range that can be referenced by an ACL or an interzone policy to control when a rule is effective. You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only during the time periods specified by the time range. The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
Figure 38 Time range resource configuration page

Table 20 Time range resource configuration items
Name: Type the name for the time range resource.
Periodic Time Range, Start Time: Set the start time of the periodic time range, in the hh:mm format (24-hour clock).
Periodic Time Range, End Time: Set the end time of the periodic time range, in the hh:mm format (24-hour clock). The end time must be greater than the start time.
Periodic Time Range, Sun., Mon., Tues., Wed., Thurs., Fri., and Sat.:
Display the configuration and status of one or all time ranges: display time-range { time-range-name | all }. Optional; available in any view.

Configuration guidelines

If the selected time range resource includes the current time, the time range is displayed as "Active" in the time range resource list. Otherwise, the time range is displayed as "Inactive".
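As an added example (not code from the HP guide), the following implements the periodic time range described above: hh:mm start and end times on a 24-hour clock, the rule that the end time must be greater than the start time, the selected days of the week, and the Active/Inactive status shown in the resource list. A rule with no time range selected (None) is always effective, as Table 4 states. The worktime range matches the one used in this guide's configuration examples; treating the start and end minutes as inclusive is an assumption.

```python
from datetime import datetime, time

# Day check boxes as labelled on the configuration page; the index matches
# datetime.weekday(), where Monday is 0.
DAYS = ("Mon.", "Tues.", "Wed.", "Thurs.", "Fri.", "Sat.", "Sun.")


def parse_hhmm(text: str) -> time:
    """hh:mm on a 24-hour clock; rejects values such as 25:00 or 8:60."""
    hours, minutes = text.strip().split(":")
    hours, minutes = int(hours), int(minutes)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError("time must be hh:mm on a 24-hour clock: %r" % text)
    return time(hours, minutes)


def is_valid_period(start: str, end: str) -> bool:
    """The end time must be greater than the start time."""
    try:
        return parse_hhmm(end) > parse_hhmm(start)
    except ValueError:
        return False


class PeriodicTimeRange:
    """A periodic time range recurs on the selected days of the week."""

    def __init__(self, name, start, end, days):
        self.name = name
        if not is_valid_period(start, end):
            raise ValueError("end time must be greater than start time")
        self.start, self.end = parse_hhmm(start), parse_hhmm(end)
        unknown = set(days) - set(DAYS)
        if unknown:
            raise ValueError("unknown day(s): %s" % sorted(unknown))
        self.days = {DAYS.index(d) for d in days}

    def is_active(self, now: datetime) -> bool:
        # Start and end minutes are treated as inclusive (assumption).
        return now.weekday() in self.days and self.start <= now.time() <= self.end

    def status(self, now: datetime) -> str:
        """What the time range resource list displays for the current time."""
        return "Active" if self.is_active(now) else "Inactive"


def rule_in_effect(time_range, now: datetime) -> bool:
    """A rule whose time range is None is always effective."""
    return time_range is None or time_range.is_active(now)


# The "worktime" range from the configuration examples: 8:00 to 18:00 on
# working days.
WORKTIME = PeriodicTimeRange("worktime", "8:00", "18:00",
                             ("Mon.", "Tues.", "Wed.", "Thurs.", "Fri."))
```

A practical check: the device decides Active or Inactive from its own clock, so a wrong system time or time zone silently moves the window in which a time-based permit or deny applies.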
Interzone policy configuration

NOTE: The firewalls support interzone policy configuration only in the web interface.

Interzone policy overview

Interzone policies, based on ACLs, identify traffic between zones. An interzone policy references one ACL for a pair of source zone and destination zone. This ACL contains a group of ACL rules, each of which permits or denies packets matching its criteria. The rules are tried in order and the first match decides, so the relative position of the rules for a zone pair matters.
Table 21 Interzone policy configuration task list
Configuring an interzone policy rule: Required. Create rules for the interzone policy and configure the match criteria and filter action. By default, no interzone policy rules are present in the system.
Inserting an interzone policy rule: Optional. Insert a rule before a specified interzone policy rule for the same zone pair so that the inserted one is listed before the specified one.
Configuring an interzone policy rule Select Firewall > Security Policy > Interzone Policy from the navigation tree to enter the interzone policy rule list page, as shown in Figure 39. Then, click Add to enter the interzone policy rule (that is the ACL rule) configuration page, as shown in Figure 40.
Destination IP Address: Configure a destination address resource for the rule by creating an address resource or referencing an existing address resource. If you select the New IP Address option, specify an IP address and wildcard. After you apply the configuration, the system automatically creates a subnet address resource. For example, if you enter 1.1.1.1/0.0.0.255, a subnet address resource named 1.1.1.1/0.0.0.255 is created.
Continue to add next rule: Specify whether to create another rule after finishing this one. If you select this option, clicking Apply takes you to the interzone policy rule configuration page, with the source zone and destination zone of the last rule preselected. If you do not select this option, clicking Apply shows the list of interzone policy rules.
Figure 42 Import configurations

Return to Interzone policy configuration task list.

Changing the priority of a rule

Select Firewall > Security Policy > Interzone Policy from the navigation tree to enter the interzone policy rule list page, as shown in Figure 39. Click the icon of a rule to bring up the dialog box shown in Figure 43.

Figure 43 Modify the priority of a rule

Type the ID of the target rule in the text box to place the rule to which the icon corresponds before the target rule.
• indicates that the ACL is accelerated. You can click the Stop Accelerating link to disable ACL acceleration.
• indicates that the ACL has been modified after it was configured with ACL acceleration. Click the Start Accelerating link to enable ACL acceleration again so that the changes to the ACL take effect.
Return to Interzone policy configuration task list.
Figure 46 Network diagram for interzone policy configuration Configuration procedure 1. Create a time range for working hours # Create a periodic time range from 8:00 to 18:00 in working days. • Select Resource > Time Range from the navigation tree and then click Add. • Type worktime in the Name text box. • Select the Periodic Time Range check box. • Set the start time to 8:00. • Set the end time to 18:00. • Select the Mon., Tues., Wed., Thurs., and Fri. check boxes. • Click Apply. 2.
• Click Apply.

# Configure an access rule that controls the access of all other hosts to the external network.
• After the previous step, you are on the interzone policy rule configuration page, with the source and destination zone of the last rule preselected.
• Type 1 in the Rule ID text box.
• Select Deny as the filter action.
• Select worktime as the time range.
• Select the Status check box.
• Click Apply.
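The following added example (not code from the HP guide) ties the service resource section and the interzone policy section together: customized TCP/UDP services with the two-value port range, ICMP services named after the message table, and first-match evaluation of the rules for one zone pair, including the insert-before and move-before-target operations. The policy it builds follows the worktime example above: rule 0 permits one host to reach web services during worktime and rule 1 denies everything else during worktime. The host address 10.1.1.2, the service names, and passing time-range activity in as a set of active range names are assumptions made for the example.

```python
# Type/code pairs from the ICMP message table on this page (partial).
ICMP_MESSAGES = {
    "port-unreachable": (3, 3), "protocol-unreachable": (3, 2),
    "reassembly-timeout": (11, 1), "source-quench": (4, 0),
    "source-route-failed": (3, 5), "timestamp-reply": (14, 0),
    "timestamp-request": (13, 0), "ttl-exceeded": (11, 0),
}


def port_range(first, second):
    """The two port text boxes: equal values select one port, a larger second
    value selects a range, and a smaller second value is rejected."""
    for p in (first, second):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
    if second < first:
        raise ValueError("second port cannot be less than the first")
    return (first, second)


class Service:
    """A customized service resource: the protocol carried by IP plus the
    protocol-specific items (TCP/UDP port ranges, ICMP type and code)."""

    def __init__(self, name, proto, dst=(0, 65535), src=(0, 65535), icmp=None):
        self.name, self.proto = name, proto.upper()
        self.src, self.dst = port_range(*src), port_range(*dst)
        self.icmp = ICMP_MESSAGES[icmp] if isinstance(icmp, str) else icmp

    def matches(self, pkt):
        if pkt["proto"] != self.proto:
            return False
        if self.proto in ("TCP", "UDP"):
            return (self.src[0] <= pkt["sport"] <= self.src[1]
                    and self.dst[0] <= pkt["dport"] <= self.dst[1])
        if self.proto == "ICMP":
            return self.icmp is None or (pkt["type"], pkt["code"]) == self.icmp
        return True


class PolicyRule:
    def __init__(self, rule_id, action, src_ips=None, services=(),
                 time_range=None, enabled=True):
        self.rule_id, self.action = rule_id, action      # "permit" or "deny"
        self.src_ips = set(src_ips) if src_ips else None  # None: any source
        self.services = list(services)                    # empty: any service
        self.time_range = time_range                      # None: always effective
        self.enabled = enabled                            # the Status check box

    def matches(self, pkt, active_ranges):
        if self.src_ips is not None and pkt["src"] not in self.src_ips:
            return False
        if self.services and not any(s.matches(pkt) for s in self.services):
            return False
        return self.time_range is None or self.time_range in active_ranges


class InterzonePolicy:
    """Rules for one (source zone, destination zone) pair, tried in list order."""

    def __init__(self, src_zone, dst_zone):
        self.zone_pair = (src_zone, dst_zone)
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def rule_ids(self):
        return [r.rule_id for r in self.rules]

    def insert_before(self, rule, target_id):
        self.rules.insert(self.rule_ids().index(target_id), rule)

    def move_before(self, rule_id, target_id):
        """'Changing the priority of a rule': place rule_id before target_id."""
        rule = self.rules.pop(self.rule_ids().index(rule_id))
        self.insert_before(rule, target_id)

    def evaluate(self, pkt, active_ranges=()):
        """The first enabled rule that matches decides. (None, None) means no
        rule matched and the zone pair's default behaviour applies."""
        for r in self.rules:
            if r.enabled and r.matches(pkt, active_ranges):
                return r.action, r.rule_id
        return None, None


def build_worktime_policy():
    """Trust -> Untrust policy modelled on this page's example (constructed
    host address and service names)."""
    http = Service("http", "TCP", dst=(80, 80))
    https = Service("https", "TCP", dst=(443, 443))
    policy = InterzonePolicy("Trust", "Untrust")
    policy.add(PolicyRule(0, "permit", src_ips={"10.1.1.2"},
                          services=[http, https], time_range="worktime"))
    policy.add(PolicyRule(1, "deny", time_range="worktime"))
    return policy
```

Note what happens outside worktime: neither rule matches, so the outcome falls back to the zone pair's default, which for a higher-priority source zone is to permit. If the intent is to block all other hosts at all times, the deny rule must not carry the time range.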
Figure 47 Firewall policy configuration wizard: 1/7 3. Configure the items on the page. Table 25 Configuration items on page 1/7 of the firewall policy configuration wizard Item Description Source Zone Specify the source zone of the firewall policy. Destination Zone Specify the destination zone of the firewall policy. 4. Click Next to enter the second page of the firewall policy configuration wizard, as shown in Figure 48. Figure 48 Firewall policy configuration wizard: 2/7 5.
Table 26 Configuration items on page 2/7 of the firewall policy configuration wizard
Rule Order: Specify the order of the rule in the firewall policy.
Filter Action: Specify the action to be taken for packets matching the rule. Permit allows matched packets to pass; Deny drops matched packets.
VPN Instance: Specify the VPN instance for the firewall policy.
6. Click Next to enter the third page of the firewall policy configuration wizard, as shown in Figure 49.
Figure 50 Firewall policy configuration wizard: 4/7 9. Configure the items on the page. Table 28 Configuration items on page 4/7 of the firewall policy configuration wizard Item Description Service (Group) Specify the service resource for the firewall policy. 10. Click Next to enter the fifth page of the firewall policy configuration wizard, as shown in Figure 51.
Figure 51 Firewall policy configuration wizard: 5/7 11. Configure the items on the page. Table 29 Configuration items on page 5/7 of the firewall policy configuration wizard Item Description Time Range Specify the time range resource for the firewall policy. 12. Click Next to enter the sixth page of the firewall policy configuration wizard, as shown in Figure 52.
Figure 52 Firewall policy configuration wizard: 6/7 13. Configure the items on the page. Table 30 Configuration items on page 6/7 of the firewall policy configuration wizard Item Description Enable Syslog Function Specify whether to keep a log of matched packets. 14. Click Next to enter the seventh page of the firewall policy configuration wizard, as shown in Figure 53.
Figure 53 Firewall policy configuration wizard: 7/7 15. Check that the settings are what you want and then select the page to jump to: • Interzone policy page—Jumps to the page you can enter by selecting Firewall > Security Policy > Interzone Policy from the navigation tree. • Configuration Wizard main page—Jumps to the page you can enter by selecting Wizard from the navigation tree.
Session management NOTE: The firewall supports session management only in the web interface. Session management overview The session management feature is designed to manage sessions of applications such as network address translation (NAT), application specific packet filter (ASPF), and intrusion protection. This feature regards packet exchanges at the transport layer as sessions and updates the status of sessions or ages out sessions according to the information in packets.
• Supporting port mapping for application layer protocols and allowing application layer protocols to use customized ports and adopt different session timeout intervals. • Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payload of these packets. Because ICMP error packets are generated due to errors, the mapping can help speed up the aging of the original sessions.
Displaying and maintaining session management information
Displaying session table information: Display the session table information of the current virtual device.
Displaying session statistics:
Displaying global session statistics: Display the global session statistics.
Enabling/disabling session statistics collection: Enable or disable session statistics collection based on source/destination security zone or source/destination IP address. The session statistics collection fun
Figure 54 Session configuration On this interface, you can perform the following configurations listed in Table 31.
Table 31 Basic session configuration items
Enable unidirectional traffic detection: Enable or disable unidirectional traffic detection. With unidirectional traffic detection enabled, session management processes both unidirectional and bidirectional traffic. With it disabled, session management processes only bidirectional traffic.
Displaying session table information To display session table information, select Firewall > Session Table > Session Summary from the navigation tree. The interface is shown in Figure 55. On this page, you can click the expansion button before Search Item to choose exact query or query based on the result of the last query. You can specify a source IP address or destination IP address on the top of the interface, and then click the Search button. All matching sessions will be displayed on the interface.
Table 33 Description of detailed session information
Protocol: Transport layer protocol, which can be TCP, UDP, ICMP, or RAWIP.
States: Session status, which can be Accelerate, SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, or RAWIP-READY.
TTL (S): Remaining lifetime of the session, in seconds.
Initiator: VD / ZONE / VPN / IP / PORT: The initiator's virtual device, security zone, VPN instance, IP address, and port number.
Responder: VD / ZONE / VPN / IP / PORT: The responder's virtual device, security zone, VPN instance, IP address, and port number.
Figure 57 Session statistics

Table 34 Global session statistics items
Current Session(s): Total number of sessions in the system.
Current TCP Session(s): Total number of current TCP half-open connections, TCP half-close connections, and full TCP connections in the system.
Current TCP Half-Open Session(s): Number of current TCP half-open connections in the system.
Current TCP Half-Close Session(s): Number of current TCP half-close connections in the system.
Current UDP Session(s): Number of current UDP sessions in the system.
ICMP Session Establishment Rate: ICMP session establishment rate in a 1-second sampling interval.
RAWIP Session Establishment Rate: RAWIP session establishment rate in a 1-second sampling interval.
Received TCP Packet(s): Number of TCP packets received.
Received TCP Byte(s): Number of TCP bytes received.
Received UDP Packet(s): Number of UDP packets received.
Received UDP Byte(s): Number of UDP bytes received.
Received ICMP Packet(s): Number of ICMP packets received.
Received ICMP Byte(s): Number of ICMP bytes received.
Item Description Enable statistics per destination IP address Enable session statistics collection per destination IP address Return to Displaying session statistics. Displaying session statistics per IP address To display session statistics per IP address, select Firewall > Session Table > Statistics from the navigation tree, and then select the IP Statistics tab to enter the page for displaying session statistics per IP address, as show in Figure 59.
UDP Connection Count: Number of full UDP connections.
UDP Connection Rate: UDP connection establishment rate in a 5-second sampling interval.
ICMP Connection Count: Number of full ICMP connections.
ICMP Connection Rate: ICMP connection establishment rate in a 5-second sampling interval.
RAWIP Connection Count: Number of current RAWIP connections.
RAWIP Connection Rate: RAWIP connection establishment rate in a 5-second sampling interval.
TCP Packet Count: Number of TCP packets.
TCP Byte Count: Number of TCP bytes.
Table 37 Items of IP address based session statistics
Total Connection Count: Total number of current connections.
Total Connection Rate: Connection establishment rate in a 5-second sampling interval.
TCP Connection Count: Total number of TCP half-open connections, TCP half-close connections, and full TCP connections.
TCP Half-Open Connection Count: Number of TCP half-open connections.
TCP Half-Close Connection Count: Number of TCP half-close connections.
TCP Connection Rate: TCP connection establishment rate in a 5-second sampling interval.
If a session entry is not matched with any packets in a specified period of time, the entry will be aged out. Follow these steps to set the session aging times based on protocol state: To do... Use the command...
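To make the session states of Table 33 and the state-based aging described here concrete, the following is an added example, not code from the HP guide. It keeps a session table keyed by the initiator's 5-tuple, finds a session for packets in either direction (initiator to responder or the reverse), advances the state on each packet, and ages entries out when the aging time configured for their current state has elapsed. The transitions, the aging times, and the decision to drop a TCP packet that arrives without a session unless it is a bare SYN are simplifications chosen for illustration; the device's real values are set with the commands in this section.

```python
# Aging time per session state, in seconds. Illustrative values, not the
# device defaults.
AGING = {"SYN": 30, "TCP-EST": 3600, "FIN": 30,
         "UDP-OPEN": 30, "UDP-READY": 60,
         "ICMP-OPEN": 30, "ICMP-CLOSED": 5,
         "RAWIP-OPEN": 30, "RAWIP-READY": 60}

INITIAL_STATE = {"TCP": "SYN", "UDP": "UDP-OPEN", "ICMP": "ICMP-OPEN"}
REPLY_STATE = {"UDP-OPEN": "UDP-READY", "ICMP-OPEN": "ICMP-CLOSED",
               "RAWIP-OPEN": "RAWIP-READY"}


class SessionTable:
    def __init__(self, aging=AGING):
        self.aging = aging
        # key: (proto, initiator ip, initiator port, responder ip, responder port)
        self.sessions = {}

    def _lookup(self, proto, src, sport, dst, dport):
        """Return (key, direction) for a packet flowing in either direction."""
        fwd = (proto, src, sport, dst, dport)
        if fwd in self.sessions:
            return fwd, "forward"
        rev = (proto, dst, dport, src, sport)
        if rev in self.sessions:
            return rev, "reverse"
        return None, None

    def ttl(self, key, now):
        """Remaining lifetime in seconds, like the TTL (S) column."""
        s = self.sessions[key]
        return self.aging[s["state"]] - (now - s["last_seen"])

    def age_out(self, now):
        """Remove every session whose state-specific aging time has elapsed."""
        expired = [k for k in self.sessions if self.ttl(k, now) <= 0]
        for k in expired:
            del self.sessions[k]
        return len(expired)

    def process(self, proto, src, sport, dst, dport, flags=(), now=0):
        """Track one packet; returns (how it was handled, resulting state)."""
        self.age_out(now)
        flags = set(flags)
        key, direction = self._lookup(proto, src, sport, dst, dport)
        if key is None:
            # Only a SYN without ACK may open a TCP session; other protocols
            # open on the first packet (assumption: mid-stream TCP packets
            # without a session are dropped).
            if proto == "TCP" and flags != {"SYN"}:
                return "drop", None
            state = INITIAL_STATE.get(proto, "RAWIP-OPEN")
            self.sessions[(proto, src, sport, dst, dport)] = {
                "state": state, "last_seen": now}
            return "new", state
        s = self.sessions[key]
        s["state"] = self._next_state(proto, s["state"], direction, flags)
        s["last_seen"] = now
        return direction, s["state"]

    @staticmethod
    def _next_state(proto, state, direction, flags):
        if proto == "TCP":
            if flags & {"FIN", "RST"}:
                return "FIN"                       # closing, short aging time
            if state == "SYN" and direction == "forward" and flags == {"ACK"}:
                return "TCP-EST"                   # handshake completed
            return state
        if direction == "reverse":                 # a reply was seen
            return REPLY_STATE.get(state, state)
        return state
```

The short aging time on SYN and FIN states is what keeps half-open and half-closed connections from accumulating; the CAUTION below applies in the other direction, since aging too aggressively over a very large table costs CPU.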
CAUTION: When the device holds a large number of sessions (more than 800,000), do not set aging times too short. Otherwise, the console might respond slowly.

Enabling checksum verification

To ensure that session tracking is not affected by packets with checksum errors, you can enable checksum verification for protocol packets. Without it, a packet with a bad checksum, which the receiving host will discard, can still update or tear down the session the firewall is tracking.
Clearing sessions manually
Follow these steps to clear sessions manually:
To do... Use the command... Remarks
Clear sessions: reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type protocol-type ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] (Required; available in user view)
Configuring session log export
Session logs are exported in the form of flow logs.
To do... Use the command...
Virtual fragment reassembly NOTE: The firewall supports configuring virtual fragment reassembly only in the web interface.
Figure 61 Virtual fragment reassembly configuration page
Table 38 Virtual fragment reassembly configuration items
Item: Description
Security Zone: Specify a security zone to be configured with virtual fragment reassembly.
Enable Virtual Fragment Reassembly: Select the check box to enable the virtual fragment reassembly feature.
Specify max number of concurrent reassemblies: Specify the maximum number of concurrent reassemblies.
• Enable virtual fragment reassembly on the trusted zone of Firewall, and configure one-to-one NAT on GigabitEthernet 0/2.
Figure 62 Network diagram for virtual fragment reassembly
Configuration procedure
1. Configure Firewall.
# Configure a static NAT binding.
• Select Firewall > NAT Policy > Static NAT from the navigation tree, and then click Add in the Static Address Mapping area.
• Type 1.1.1.1 for Internal IP Address.
• Type 2.2.2.3 for Global IP Address.
• Click Apply.
Configuration guidelines
When you configure virtual fragment reassembly, note the following guidelines:
1. The virtual fragment reassembly feature applies only to packets incoming to a security zone.
2. The virtual fragment reassembly feature does not support load sharing, that is, the fragments of an IP datagram cannot arrive through different security zones.
ASPF configuration
NOTE: The firewall supports ASPF configuration only in the web interface.
ASPF policy overview
Application Specific Packet Filter (ASPF) applications are based on zone management and session management. Zone management is an independent common module. It is not involved in service packet processing; it only maintains zone-related information and provides policy interfaces for other modules.
Figure 64 Add an ASPF policy
Table 39 ASPF policy configuration items
Item: Description
Source Zone: Select a zone on the current virtual device as the source zone.
Dest Zone: Select a zone on the current virtual device or a shared zone as the destination zone.
Discard ICMP error packets: Select this check box to discard ICMP error packets, or clear it to allow ICMP error packets to pass.
# Create an ASPF policy.
• Select Firewall > Session Table > Advanced from the navigation tree, select the ASPF tab, and then click Add.
• Select Zone 1 from the Source Zone drop-down box.
• Select Zone 2 from the Dest Zone drop-down box.
• Select the Discard ICMP error packets check box.
• Click Apply.
Configuration guidelines
When configuring ASPF, ensure that the security zone and virtual device management modules are working normally.
Connection limit configuration NOTE: The firewall supports connection limit configuration only in the command line interface (CLI). Connection limit overview An internal user that initiates a large quantity of connections to external networks in a short period of time occupies large amounts of system resources of the device, making other users unable to access network resources normally.
Configuring an IP address-based connection limit rule
An IP address-based connection limit rule allows you to limit the number of connections from a specified source IP address to a specified destination IP address. The limit rules are matched in ascending order of rule ID. When configuring connection limit rules for a policy, check the rules and their order carefully. HP recommends arranging the rules in ascending order of granularity and range.
Connection limit configuration example Network requirements As shown in Figure 66, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The internal network address is 192.168.0.0/16 and there are two servers on the internal network. Perform NAT configuration so that the internal users can access the Internet and external users can access the internal servers, and configure connection limiting so that: • Each host on segment 192.168.0.
[Firewall] connection-limit apply policy 0
Verification
After the configuration, use the display connection-limit policy command to display information about the connection limit policy. The output in the example is as follows:
[Firewall] display connection-limit policy 0
Connection-limit policy 0, refcount 1, 3 limits
 limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100 per-source
 limit 1 source ip any destination ip 192.168.0.
Analysis Both rules limit 0 and limit 1 involve HTTP connections, and the rule with a smaller ID is matched first. Rule 0 is used for HTTP connections. Solution Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for HTTP connections is matched first.
Portal configuration
NOTE:
• The firewall supports portal configuration only in the command line interface (CLI).
• The Firewall A-F5000 does not support portal.
Portal overview
Introduction to portal
Portal authentication helps control access to the Internet. It is also called “web authentication”. A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page.
Figure 67 Portal system components
Authentication client
An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or portal client software for portal authentication. The security check for a client is implemented through communication between the client and the security policy server.
Access firewall
An access firewall controls user access.
3. Upon receipt of the authentication information, the access firewall communicates with the authentication/accounting server for authentication and accounting. 4. After successful authentication, the access firewall checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access firewall and the security policy server for security check.
mode, a client is uniquely identified by the combination of its IP address and MAC address because the access device learns the MAC address of the authentication client. Due to these differences, when the MAC address of an authentication client remains the same but the IP address changes, a new portal authentication will be triggered in Layer 3 authentication mode but will not be triggered in non-Layer 3 authentication mode.
With extended portal functions, the process includes two additional steps: 8. The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements. 9. Based on the security check result, the security policy server authorizes the user to access certain resources, and sends the authorization information to the access device.
Portal configuration task list
Complete these tasks to configure portal authentication:
Task: Remarks
Basic portal configuration: Required
Configuring a portal-free rule: Optional
Configuring an authentication subnet: Optional
Specifying the source IP address for outgoing portal packets: Optional
Logging out users: Optional
Specifying an authentication domain for portal users: Optional
Specifying the NAS ID value carried in a RADIUS request: Optional
Specifying a NAS ID profile for an interface: Opt
Configuration procedure This task allows you to specify the portal server IP address and enable portal authentication on an interface.
To do… Use the command… Remarks
Configure a portal-free rule: portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | netmask } | any } } | source { any | [ interface interface-type interface-number | ip { ip-address mask { mask-length | mask } | any } | mac mac-address | vlan vlan-id ] * } } * (Required)
NOTE:
• If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN.
Follow these steps to specify the source IP address for outgoing portal packets:
To do… Use the command… Remarks
Enter system view: system-view
Enter interface view: interface interface-type interface-number
Specify the source IP address for outgoing portal packets: portal nas-ip ip-address (Optional. By default, no source IP address is specified for outgoing portal packets, and the IP address of the user login interface is used as the source IP address of the outgoing portal packets.)
NOTE: The access device selects the authentication domain for a portal user on an interface in this order: the authentication domain specified for the interface, the authentication domain carried in the username, and the system default authentication domain.
To do… Use the command… Remarks
Return to system view: quit
Enter interface view: interface interface-type interface-number
Specify a NAS ID profile for the interface: portal nas-id-profile profile-name (Required. By default, an interface is specified with no NAS ID profile.)
Setting the maximum number of online portal users
You can use this feature to control the total number of online portal users in the system.
To do… Use the command… Remarks
Display information about portal users on a specified interface or all interfaces: display portal user { all | interface interface-type interface-number } (Available in any view)
Clear portal connection statistics on a specified interface or all interfaces: reset portal connection statistics { all | interface interface-type interface-number } (Available in user view)
Clear portal server statistics on a specified interface or all interfaces: reset portal server statistics {
NOTE: The following assumes that the portal server runs IMC PLAT 5.0-E0101L02 and IMC UAM 5.0-E0101. # Configure the portal server. Log in to the IMC management platform and select the Service tab. Then, select Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure 71.
Figure 72 Add an IP address group
# Add a portal device.
Select Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure 73.
• Type the device name.
• Type the IP address of the firewall’s interface connected to the user.
• Type the key, which must be the same as that configured on the firewall.
• Set whether to enable IP address reallocation.
Figure 74 Device list
On the port group configuration page, click Add to enter the page for adding a port group, as shown in Figure 75. Perform the following configurations:
• Type the port group name.
• Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
Figure 75 Port group configuration
# Select Service Parameters > Validate System Configuration from the navigation tree to make the configurations take effect.
2.
[Firewall-radius-rs1] user-name-format without-domain
[Firewall-radius-rs1] quit
Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
[Firewall] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[Firewall-isp-dm1] authentication portal radius-scheme rs1
[Firewall-isp-dm1] authorization portal radius-scheme rs1
[Firewall-isp-dm1] accounting portal radius-scheme rs1
[Firewall-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users.
--------------------------------------------------------------------
0015-e9a6-7cfe 2.2.2.2 0 GigabitEthernet0/1
On interface GigabitEthernet0/1:total 1 user(s) matched, 1 listed.
Configuring re-DHCP portal authentication
Network requirements
As shown in Figure 76:
• The host is directly connected to the firewall and the firewall is configured for re-DHCP authentication. The host is assigned an IP address through the DHCP server.
[Firewall] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, you need to set the server type to extended.
[Firewall-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Firewall-radius-rs1] primary authentication 192.168.0.113
[Firewall-radius-rs1] primary accounting 192.168.0.
[Firewall-GigabitEthernet0/1] portal server newpt method redhcp
[Firewall-GigabitEthernet0/1] quit
Configuring Layer 3 portal authentication
Network requirements
As shown in Figure 77:
• Firewall A is configured for Layer 3 portal authentication. Before passing portal authentication, users can access only the portal server. After passing portal authentication, they can access Internet resources.
• The host accesses Firewall A through Firewall B.
[FirewallA-radius-rs1] key accounting radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
[FirewallA-radius-rs1] user-name-format without-domain
[FirewallA-radius-rs1] quit
2. Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
[FirewallA] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
Figure 78 Configure direct portal authentication with extended functions
Configuration procedure
NOTE:
• Configure IP addresses for the host, firewall, and servers as shown in Figure 78 and ensure that they can reach each other.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configure the firewall:
1. Configure a RADIUS scheme
# Create a RADIUS scheme named rs1 and enter its view.
[Firewall-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
[Firewall] domain default enable dm1
3. Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources
NOTE: On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
Figure 79 Configure re-DHCP portal authentication with extended functions (portal server 192.168.0.111/24, DHCP server 192.168.0.112/24, RADIUS server 192.168.0.113/24, security policy server 192.168.0.114/24; Firewall GE0/0 192.168.0.100/24 and GE0/1 20.20.20.1/24 with sub-address 10.0.0.1/24; the host automatically obtains an IP address)
Configuration procedure
NOTE:
• For re-DHCP authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.
[Firewall-radius-rs1] security-policy-server 192.168.0.114
[Firewall-radius-rs1] quit
2. Configure an authentication domain
# Create an ISP domain named dm1 and enter its view.
[Firewall] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[Firewall-isp-dm1] authentication portal radius-scheme rs1
[Firewall-isp-dm1] authorization portal radius-scheme rs1
[Firewall-isp-dm1] accounting portal radius-scheme rs1
[Firewall-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users.
[Firewall-GigabitEthernet0/1] portal server newpt method redhcp
[Firewall-GigabitEthernet0/1] quit
Configuring Layer 3 portal authentication with extended functions
Network requirements
As shown in Figure 80:
• Firewall A is configured for Layer 3 extended portal authentication. When users have passed identity authentication but have not passed security check, they can access only subnet 192.168.0.0/24. After passing the security check, they can access Internet resources.
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[FirewallA-radius-rs1] primary authentication 192.168.0.112
[FirewallA-radius-rs1] primary accounting 192.168.0.112
[FirewallA-radius-rs1] key authentication radius
[FirewallA-radius-rs1] key accounting radius
[FirewallA-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[FirewallA-radius-rs1] security-policy-server 192.168.
[FirewallA-GigabitEthernet0/1] portal server newpt method layer3
[FirewallA-GigabitEthernet0/1] quit
On Firewall B, you need to configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. The configuration steps are omitted.
Troubleshooting portal
Inconsistent keys on the access device and the portal server
Symptom
When a user is forced to access the portal server, the portal server displays a blank web page, rather than the portal authentication page or an error message.
AAA configuration
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and services.
RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting. RADIUS was originally designed for dial-in user access.
Figure 83 RADIUS basic message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user’s username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password.
Figure 84 RADIUS packet format
Descriptions of the fields are as follows:
1. The Code field (1 byte long) indicates the type of the RADIUS packet. Table 40 gives the possible values and their meanings.
Table 40 Main values of the Code field
Code Packet type Description
1 Access-Request: From the client to the server. A packet of this type carries user information for the server to authenticate the user.
5. The Attributes field, variable in length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type, Length, and Value. • Type (1 byte long)—Indicates the type of the attribute. It is in the range 1 to 255. See Table 41 for commonly used attributes for RADIUS authentication, authorization and accounting.
Figure 85 Segment of a RADIUS packet containing an extended attribute HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up Network (VPDN) users, and terminal users.
Figure 86 HWTACACS basic message exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)
1) The user logs in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user inputs the username
6) Authentication continuance packet with the username
7) Authentication response requesting the login password
8) Request for password
9) The user inputs the password
10) Authentication continuance packet with the login password
11) Authentica
9. The user inputs the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14.
In addition, AAA provides the following services for login users to enhance device security: • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, ensuring that login users execute only commands they are authorized to execute. For more information about command authorization, see Getting Started Guide.
No. Attribute Description
15 Login-Service: Type of the service that the user uses for login.
18 Reply-Message: Text to be displayed to the user, which the server can use to indicate, for example, the reason for an authentication failure.
26 Vendor-Specific: Vendor-specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes.
HP proprietary RADIUS sub-attributes
Table 44 HP proprietary RADIUS sub-attributes
No. Sub-attribute Description
1 Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
2 Input-Average-Rate: Average rate in the direction from the user to the NAS, in bps.
3 Input-Basic-Rate: Basic rate in the direction from the user to the NAS, in bps.
4 Output-Peak-Rate: Peak rate in the direction from the NAS to the user, in bps.
No. Sub-attribute Description
140 User_Group: User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group; in this case, the user groups are delimited by semicolons. This attribute is used for cooperation with the SSL VPN device.
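As an added example that is not code from this HP guide, the Python below builds and parses a RADIUS Access-Request with the Code/Identifier/Length/Authenticator header and Type/Length/Value attributes described under Figure 84, hides User-Password with the MD5-and-shared-key scheme named in the message exchange (the RFC 2865 method), and packs a Vendor-Specific (26) attribute carrying a proprietary sub-attribute such as 140 User_Group from Table 44. The vendor ID 25506, the usernames, keys and passwords are assumptions constructed for the example; the parser also shows the length checks a server needs before trusting attribute boundaries.

```python
# Added example, not code from the HP guide: encode and decode a RADIUS
# Access-Request (RFC 2865) with the header and TLV attribute layout from
# Figure 84, User-Password hiding with MD5 and the shared key, and a
# Vendor-Specific (26) attribute carrying a proprietary sub-attribute.
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
SUB_USER_GROUP = 140   # HP proprietary sub-attribute listed in Table 44
VENDOR_ID = 25506      # assumed vendor ID for this example, not taken from the page

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator.
    This keys on the shared secret only, so a weak or reused key exposes it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * ((-len(password)) % 16)) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block          # next block is keyed on this ciphertext block
    return bytes(out)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, counts the 2-byte header), Value."""
    if not 0 <= attr_type <= 255 or len(value) > 253:
        raise ValueError("attribute type or value out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific: 4-byte Vendor-Id, then sub-attributes in TLV form."""
    sub = struct.pack("!BB", sub_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def build_access_request(identifier, username, password, secret,
                         authenticator=None, extra=b""):
    """Header (Code, Identifier, Length) + 16-byte Request Authenticator
    (random unless one is supplied for reproducible tests) + attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD,
                           hide_password(password, secret, authenticator))
             + extra)
    length = 20 + len(attrs)
    if length > 4096:
        raise ValueError("RADIUS packet exceeds 4096 octets")
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + authenticator + attrs

def _parse_tlvs(buf: bytes, pos: int, end: int):
    """Walk Type/Length/Value triples, rejecting lengths < 2 or overrunning end."""
    out = []
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated TLV header")
        t, ln = buf[pos], buf[pos + 1]
        if ln < 2 or pos + ln > end:
            raise ValueError("TLV length overruns its container")
        out.append((t, buf[pos + 2:pos + ln]))
        pos += ln
    return out

def parse_packet(data: bytes) -> dict:
    """Parse header and attributes; a server silently discards packets whose
    Length disagrees with the datagram or whose attributes overrun it."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with datagram size")
    return {"code": code, "identifier": identifier, "authenticator": data[4:20],
            "attributes": _parse_tlvs(data, 20, length)}

def parse_vsa(value: bytes):
    """Vendor-Specific value -> (vendor_id, [(sub_type, sub_value), ...])."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    return struct.unpack("!I", value[:4])[0], _parse_tlvs(value, 4, len(value))
```

The hiding step is reversible by anyone holding the shared key and the captured Request Authenticator, which is why the guide's advice to keep the key identical on both sides also implies keeping it long and private.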
Figure 88 AAA configuration procedure (local AAA: configure local users and related attributes; remote AAA: configure the RADIUS, HWTACACS, and LDAP schemes to be referenced; then create an ISP domain, enter its view, and configure the AAA methods, where the authentication method, authorization method, and accounting method are each set to none, local (the default), or scheme)
Table 45 AAA configuration task list
Task: Remarks
Configuring local users
Configuring AAA schemes
Configuring AAA schemes
Configuring local users
To implement local user authentication, authorization, and accounting, you must create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by a username. Configurable local user attributes are as follows:
• Service type: The types of the services that the user can use. Local authentication checks the service types of a local user.
Task: Remarks
Configuring user group attributes: Optional
Displaying and maintaining local users and local user groups: Optional
Configuring local user attributes
Follow these steps to configure attributes for a local user:
To do… Use the command… Remarks
Enter system view: system-view
Set the password display mode for all local users: local-user password-display-mode { auto | cipher-force } (Optional; auto by default, indicating to
Add a local user and enter local user view: local-user user-name
To do… Use the command… Remarks
Configure the binding attributes for the local user: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port port-number | mac mac-address | vlan vlan-id } * (Optional. By default, no binding attribute is configured for a local user. Binding attributes are only intended for PPP users.)
(Optional. By default, no authorization attribute is configured for a local user.)
NOTE: • If you configure the local-user password-display-mode cipher-force command, all existing local user passwords will be displayed in cipher text, regardless of the configuration of the password command. If you also save the configuration and restart the device, all existing local user passwords will always be displayed in cipher text, no matter how you configure the local-user password-display-mode command or the password command.
To do… Use the command… Remarks
Set the guest attribute for the user group: group-attribute allow-guest (Optional. By default, the guest attribute is not set for a user group, and guest users created by a guest manager through the web interface cannot join the group.)
Configuring RADIUS server
From the navigation tree, select User > RADIUS > Server Configuration to enter the RADIUS server configuration interface, as shown in Figure 89.
Figure 89 RADIUS server configuration
Table 47 RADIUS server configuration
Task: Remarks
Server Type: Type of the server to be configured, including Authentication Server and Accounting Server
Primary Server IP: IP address of the primary server. If no primary server is specified, the text box displays 0.0.0.0. If you enter 0.0.0.
Task: Remarks
Secondary Server UDP Port: UDP port of the secondary server. If the IP address of the secondary server is not specified or the specified IP address is to be removed, the port number is 1812 for authentication or 1813 for accounting.
Secondary Server Status: Status of the secondary server, including:
• active: The server is working normally.
• blocked: The server is down.
Table 48 RADIUS parameters
Task: Remarks
Server Type: Type of the RADIUS server supported by the device, including:
• extended: Specifies an extended RADIUS server (usually an IMC server). That is, the RADIUS client (the device) and the RADIUS server communicate using the proprietary RADIUS protocol and packet format.
• standard: Specifies a standard RADIUS server.
Task: Remarks
Username Format: Set the format of the username sent to the RADIUS server. A username is generally in the format userid@isp-name, where isp-name is used by the device to determine the ISP domain to which the user belongs. If a RADIUS server does not accept usernames that include an ISP domain name, you can configure the device to remove the domain name from a username before sending it to the RADIUS server.
Figure 91 RADIUS server configuration (authentication/accounting servers 10.110.91.146; Firewall A GE0/1 10.110.91.160; PPP user over PSTN; Internet)
Configuration procedure
• Create an ISP domain, configure its AAA scheme as the RADIUS scheme named system, and configure accounting as optional. (Omitted)
• Configure the serial ports. (Omitted)
• Configure the Ethernet ports. (Omitted)
• Configure RADIUS scheme system.
RADIUS scheme configuration task list
Task: Remarks
Creating a RADIUS scheme: Required
Specifying the RADIUS authentication/authorization servers: Required
Specifying the RADIUS accounting servers and the relevant parameters: Optional
Specifying the shared keys for authenticating RADIUS packets: Optional
Setting the username format and traffic statistics units: Optional
Setting the supported RADIUS server type: Optional
Setting the maximum number of RADIUS request transmission attempts: Optional
Set
To do… Use the command… Remarks
Enter system view: system-view
Enter RADIUS scheme view: radius scheme radius-scheme-name
Specify the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ]
Specify the secondary RADIUS authentication/authorization server: secondary authentication ip-address [ port-number ]
(Required. Configure at least one of the two commands. No authentication/authorization server is specified by default.)
To do… Use the command… Remarks
Enable buffering of stop-accounting requests to which no responses are received: stop-accounting-buffer enable (Optional; enabled by default)
Set the maximum number of stop-accounting attempts: retry stop-accounting retry-times (Optional; 500 by default)
NOTE:
• The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
The device periodically sends accounting updates to RADIUS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the unit for data flows and that for packets on the device are consistent with those on the RADIUS server.
Setting the maximum number of RADIUS request transmission attempts Because RADIUS uses UDP packets to transfer data, the communication process is not reliable. RADIUS uses a retransmission mechanism to improve the reliability. If a NAS sends a RADIUS request to a RADIUS server but receives no response after the response timeout timer (defined by the timer response-timeout command) expires, it retransmits the request.
checks the primary server (if any) first and then the secondary servers in the order they are configured.
• When the primary server and secondary servers are all in the blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active; otherwise, its status remains blocked.
You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in a VPN or the public network. Before sending a RADIUS packet, a NAS selects a source IP address in this order: • The source IP address specified for the RADIUS scheme. • The source IP address specified in system view for the VPN or public network, depending on where the RADIUS server resides.
To do… Use the command… Remarks
Set the RADIUS server response timeout timer: timer response-timeout seconds (Optional; 3 seconds by default)
Set the quiet timer for the servers: timer quiet minutes (Optional; 5 minutes by default)
Set the real-time accounting timer: timer realtime-accounting minutes (Optional; 12 minutes by default)
NOTE:
• For a type of users, the maximum number of transmission attempts multiplied by the RADIUS server response timeout period must be less than the client connection timeout t
To do… Use the command… Remarks
Enable accounting-on and configure parameters: accounting-on enable [ interval seconds | send send-times ] * (Required. Disabled by default. The default interval is 3 seconds and the default number of send-times is 5.)
NOTE: The accounting-on feature requires the cooperation of the HP IMC network management system.
To do… Use the command… Remarks
Interpret the class attribute as CAR parameters: attribute 25 car (Required. By default, RADIUS attribute 25 is not interpreted as CAR parameters.)
NOTE: Whether interpretation of the RADIUS class attribute as CAR parameters is supported depends on two factors:
• Whether the device supports CAR parameter assignment.
• Whether the RADIUS server supports assigning CAR parameters through the class attribute.
Displaying and maintaining RADIUS
To do… Use the command… Remarks
Display the configuration information of RADIUS schemes: display radius scheme [ radius-scheme-name ] (Available in any view)
Display the RADIUS packet statistics: display radius statistics (Available in any view)
Display information about buffered stop-accounting requests for which no responses have been received: display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time |
similar to Figure 92 appears, asking you to create an HWTACACS scheme first. Click Add to create an HWTACACS scheme named system. Figure 92 Create an HWTACACS scheme Return to HWTACACS configuration task list. Configuring HWTACACS servers When the HWTACACS scheme system exists, select User > HWTACACS > Server Configuration from the navigation tree and configure HWTACACS servers as described in Table 50.
Task                  Remarks
Secondary Server IP   Type the IP address of the secondary server. When no secondary server is specified, the secondary server IP and the secondary server TCP port are empty. If you leave the IP address text box empty, the secondary server (if configured) is removed. The IP address of the primary server cannot be the same as that of the secondary server; otherwise, the configuration fails.
                      Type the TCP port of the secondary server.
Task                          Remarks
Realtime-Accounting Interval  Set the real-time accounting interval, whose value must be a multiple of 3. To implement real-time accounting for users, you must set this interval. With it specified, the firewall sends the accounting information of online users to the TACACS server at the specified interval. The appropriate value depends on the performance of the NAS and the TACACS server (see Table 52).
Task             Remarks
Unit of Packets  Specify the unit for data packets sent to the TACACS server (used for traffic accounting): one-packet, kilo-packet, mega-packet, or giga-packet. If you leave the box blank, the default unit is used.

Table 52 Relationship between the real-time accounting interval and number of users
Number of users   Real-time accounting interval (in minutes)
1 to 99           3
100 to 499        6
500 to 999        12
≥1000             ≥15
Return to HWTACACS configuration task list.
# Configure the Ethernet ports. (Omitted)
# Configure HWTACACS scheme system.
• From the navigation tree, select User > HWTACACS > Server Configuration.
• Click Add in the right pane.
# Configure the HWTACACS authentication server. After creating the HWTACACS scheme named system, the HWTACACS server configuration interface appears.
• Select Authentication Server as the server type.
• Enter 10.110.91.146 as the IP address of the primary server, and 49 as the TCP port of the primary server.
Task                                                                   Remarks
Specifying the HWTACACS accounting servers and the relevant parameters Optional
Specifying the shared keys for authenticating HWTACACS packets         Required
Setting the username format and traffic statistics units               Optional
Specifying a source IP address for outgoing HWTACACS packets           Optional
Setting timers for controlling communication with HWTACACS servers     Optional
Displaying and maintaining HWTACACS                                    Optional
Creating an HWTACACS scheme
The HWTACACS protocol is configured on a per sch
NOTE:
• An HWTACACS server can function as the primary authentication server of one scheme and as the secondary authentication server of another scheme at the same time.
• The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.
• You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.
To do…                                            Use the command…                                 Remarks
Enter system view                                 system-view                                      —
Enter HWTACACS scheme view                        hwtacacs scheme hwtacacs-scheme-name             —
Specify the primary HWTACACS accounting server    primary accounting ip-address [ port-number ]    Required. No accounting server is specified by default.
Specify the secondary HWTACACS accounting server  secondary accounting ip-address [ port-number ]
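The task list above makes the shared key for authenticating HWTACACS packets a required step. The following is an added example, not code from the HP guide or from the device, showing what that key does on the wire: HWTACACS is HP's implementation of TACACS+, and in TACACS+ (RFC 8907, section 4.5) the body of every packet is XORed with a pseudo-pad of chained MD5 digests over the session id, the shared key, the version byte and the sequence number. A key that differs between the device and the server therefore does not produce an explicit error; each side simply reads the other's packet bodies as noise. The 0xc0 version byte, the session id, the key string (borrowed from the RADIUS example on this page) and the sample user, port and address values are constructed for the demonstration.

```python
"""TACACS+ body obfuscation (RFC 8907 4.5), the mechanism behind the HWTACACS shared key.

Added example; not part of the HP guide or the firewall software. Version byte,
session id, key and the sample START body values are constructed for the demo.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear (no key)
TAC_PLUS_VERSION = 0xc0            # major version 0xc, minor version 0 (assumed here)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(id|key|ver|seq); MD5_n = MD5(id|key|ver|seq|MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b""):
    """RFC 8907 5.1 authentication START body: action LOGIN, priv_lvl 1, type ASCII, service LOGIN."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN):
    """Wrap a body in a TACACS+ header, obfuscating it whenever a key is configured."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet, key):
    """Return the body as the receiver sees it after applying *its own* key."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    body = authen_start_body(b"admin", b"vty0", b"192.168.1.2")
    pkt = build_packet(body, session_id=0x11223344, key=b"expert", seq_no=1)
    print("same key on both sides :", parse_packet(pkt, b"expert") == body)
    print("mismatched key         :", parse_packet(pkt, b"abc") == body)
```

Because the pad depends on seq_no, every packet of a session uses a fresh keystream, but the scheme is still only obfuscation with a static key; this is why the guide treats the key as a shared secret to be configured identically on both ends rather than as something a sniffer cannot eventually recover.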
name. In this case, the device must remove the domain name of each username before sending the username. You can set the username format on the device for this purpose. The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the unit for data flows and that for packets on the device are consistent with those configured on the HWTACACS servers.
To do…                                                     Use the command…            Remarks
Enter system view                                          system-view                 —
Specify a source IP address for outgoing HWTACACS packets  hwtacacs nas-ip ip-address  Required. By default, the IP address of the outbound interface is used as the source IP address.
NOTE: The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the HWTACACS server. A shorter interval requires higher performance.
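Several of the rules stated in the RADIUS and HWTACACS sections above are easy to violate silently in a long scheme configuration: the maximum number of transmission attempts multiplied by the response timeout must stay below the client connection timeout, the primary and secondary servers of one type must not share an IP address, and the real-time accounting interval must be a multiple of 3 and no shorter than Table 52 gives for the number of online users. The following is an added example, not from the HP guide or the device software, that parses scheme-view command lines in the form shown on this page and applies those checks. The retry keyword and its default of 3 attempts, and the client connection timeout value passed by the caller, are assumptions not taken from this page; the server addresses are the ones used in the page's examples.

```python
"""Sanity checks for a RADIUS/HWTACACS scheme, applying the rules given on this page.

Added example, not part of the HP guide or of the device software.
Assumptions: the 'retry' keyword (maximum transmission attempts, default 3) and the
client connection timeout are supplied by the caller, not taken from this page.
"""
import re

# Table 52 on this page: online users -> minimum real-time accounting interval (minutes)
ACCOUNTING_INTERVAL_TABLE = ((1, 99, 3), (100, 499, 6), (500, 999, 12))
ACCOUNTING_INTERVAL_LARGE = 15  # 1000 users or more

SERVER_RE = re.compile(r"(primary|secondary) (authentication|accounting) (\S+)(?: (\d+))?$")
TIMER_RE = re.compile(r"timer (response-timeout|quiet|realtime-accounting) (\d+)$")
RETRY_RE = re.compile(r"retry (\d+)$")  # assumed keyword, see module docstring


def recommended_realtime_interval(users):
    """Minimum real-time accounting interval in minutes for a given number of online users."""
    for low, high, minutes in ACCOUNTING_INTERVAL_TABLE:
        if low <= users <= high:
            return minutes
    return ACCOUNTING_INTERVAL_LARGE


def parse_scheme(text):
    """Collect servers, timers and the retry count from scheme-view command lines."""
    cfg = {"servers": {}, "timers": {}, "retry": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            role, kind, ip, port = m.groups()
            cfg["servers"].setdefault(kind, {})[role] = (ip, int(port) if port else None)
            continue
        m = TIMER_RE.match(line)
        if m:
            cfg["timers"][m.group(1)] = int(m.group(2))
            continue
        m = RETRY_RE.match(line)
        if m:
            cfg["retry"] = int(m.group(1))
    return cfg


def check_scheme(cfg, client_timeout_seconds, online_users, retry_default=3):
    """Return a list of rule violations; an empty list means the scheme passes."""
    problems = []
    timeout = cfg["timers"].get("response-timeout", 3)      # page default: 3 seconds
    retries = cfg["retry"] if cfg["retry"] is not None else retry_default
    worst_case = retries * timeout
    if worst_case >= client_timeout_seconds:                 # NOTE under the RADIUS timer table
        problems.append(f"{retries} attempts x {timeout}s = {worst_case}s is not below the "
                        f"client connection timeout of {client_timeout_seconds}s")
    for kind, roles in cfg["servers"].items():              # primary/secondary must differ
        if "primary" in roles and "secondary" in roles and roles["primary"][0] == roles["secondary"][0]:
            problems.append(f"{kind}: primary and secondary servers share IP {roles['primary'][0]}")
    interval = cfg["timers"].get("realtime-accounting", 12)  # page default: 12 minutes
    if interval % 3:
        problems.append(f"realtime-accounting {interval} is not a multiple of 3")
    needed = recommended_realtime_interval(online_users)
    if interval < needed:
        problems.append(f"realtime-accounting {interval} min is below the {needed} min "
                        f"Table 52 gives for {online_users} users")
    return problems


# Constructed sample schemes; the addresses are the ones used in this page's examples
BAD_SCHEME = """\
radius scheme rad
 primary authentication 10.1.1.1 1812
 secondary authentication 10.1.1.1 1812
 timer response-timeout 5
 timer realtime-accounting 7
"""
GOOD_SCHEME = """\
radius scheme rad
 primary authentication 10.1.1.1 1812
 secondary authentication 10.1.1.2 1812
 timer response-timeout 3
 timer realtime-accounting 12
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_SCHEME), ("good", GOOD_SCHEME)):
        result = check_scheme(parse_scheme(text), client_timeout_seconds=10, online_users=700)
        print(name, result or "OK")
```

Run against the bad sample with a 10-second client timeout and 700 online users, the check reports all four violations; the good sample passes. The same parser handles HWTACACS scheme lines such as `primary authentication 10.110.91.146 49`, since the command shape is identical.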
To do…                                          Use the command…                Remarks
Enter system view                               system-view                     —
Create an ISP domain and enter ISP domain view  domain isp-name                 Required
Return to system view                           quit                            —
Specify the default ISP domain                  domain default enable isp-name  Optional. By default, the default ISP domain is the system predefined ISP domain system.
NOTE: To delete the ISP domain that is functioning as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
To do…                                                                                        Use the command…                                        Remarks
Configure the idle cut function                                                               idle-cut enable minute [ flow ]                         Optional. Disabled by default.
Enable the self-service server location function and specify the URL of the self-service server  self-service-url enable url-string                   Optional. Disabled by default.
Define an IP address pool for allocating addresses to PPP users                               ip pool pool-number low-ip-address [ high-ip-address ]  Optional.
Specify the default authorization user profile                                                authorization-attribute user-profile profile-name       Optional. This command is effective for
• Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access.
• Determine whether to configure an authentication method for all access types or service types.
• No authorization (none)—The NAS performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have only the right of Level 0 (visiting).
• Local authorization (local)—The NAS performs authorization according to the user attributes configured for users.
• Remote authorization (scheme)—The NAS cooperates with a RADIUS or HWTACACS server to authorize users.
NOTE:
• The authorization method specified with the authorization default command is for all types of users and has a lower priority than the method specified for a specific access type.
• If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails.
To do…                                  Use the command…   Remarks
Enable the accounting optional feature                     Optional. Disabled by default. With the accounting optional feature, a device allows users to use network resources when no accounting server is available or communication with all accounting servers fails.
To do…                          Use the command…                                                                                                                                                                             Remarks
Enter system view               system-view                                                                                                                                                                                  —
Tear down AAA user connections  cut connection { access-type portal | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id }  Required. Applicable to only portal and PPP user connections.
Configuring a NAS ID-VLAN binding
The access locations of users can be identified by their access VLANs.
AAA configuration examples Authentication/authorization for Telnet/SSH users by a RADIUS server NOTE: Configuration of RADIUS authentication and authorization SSH users is similar to that for Telnet users. The following takes Telnet users as an example. Network requirements As shown in Figure 96, a Telnet user is connected to the Firewall and the Firewall is connected to the RADIUS server.
Log in to the IMC management platform, select the Service tab, and select Access Service > Access Device from the navigation tree to enter the Access Device List page.
Figure 98 Add a user for device management
2. Configure the Firewall
# Configure the IP address of interface GigabitEthernet 0/1, through which the Telnet user accesses the Firewall.
system-view
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ip address 192.168.1.70 255.255.255.0
[Firewall-GigabitEthernet0/1] quit
# Configure the IP address of interface GigabitEthernet 0/2, through which the Firewall communicates with the server.
[Firewall] radius scheme rad
# Specify the primary authentication server.
[Firewall-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for authenticating authentication packets to expert.
[Firewall-radius-rad] key authentication expert
# Specify the service type for the RADIUS server, which must be extended when the server runs IMC.
[Firewall-radius-rad] server-type extended
# Specify the scheme to include the domain names in usernames to be sent to the RADIUS server.
Configuration procedure
1. Configure the firewall
# Configure the IP address of interface GigabitEthernet 0/1, through which the Telnet user accesses the Firewall.
system-view
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ip address 192.168.1.70 255.255.255.0
[Firewall-GigabitEthernet0/1] quit
# Enable the Telnet server on the device.
[Firewall] telnet server enable
# Configure the Firewall to use AAA for Telnet users.
The shared keys for authenticating authentication and authorization packets exchanged between the NAS and the RADIUS server are both abc. The usernames sent to the RADIUS server carry no domain names.
Figure 100 RADIUS authentication and authorization for Telnet users by a network device
Configuration procedure
# Configure an IP address for each interface as shown in Figure 100. The detailed configuration is omitted here.
1. Configure the NAS
# Enable the Telnet server on Firewall A.
# Specify the accounting method for Telnet users as none.
[FirewallA-isp-bbb] accounting login none
# Configure the RADIUS server type as standard. When a network device is configured to be a RADIUS server, the server type must be set to standard.
[FirewallA-isp-bbb] server-type standard
[FirewallA-isp-bbb] quit
# Configure bbb as the default ISP domain.
Solution
Check that:
1. The NAS and the RADIUS server can ping each other.
2. The username is in the userid@isp-name format and the ISP domain for the user authentication is correctly configured on the NAS.
3. The user is configured on the RADIUS server.
4. The correct password is entered.
5. The same shared key is configured on both the RADIUS server and the NAS.
Symptom 2
RADIUS packets cannot reach the RADIUS server.
Analysis
1.
Troubleshooting HWTACACS
Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."
Configuration guidelines
When you configure the RADIUS client, note the following guidelines:
• When you modify the parameters of a RADIUS scheme, the system does not check whether the scheme is currently being used by users.
• After accounting starts, update-accounting and stop-accounting packets are sent to the designated server, and no primary/secondary server switchover takes place even if the designated server fails.
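Item 5 of the RADIUS troubleshooting checklist above (the same shared key on the server and the NAS) is the one that fails without any visible protocol error, because RADIUS never transmits the key. The following is an added example, not from the HP guide or the device software, showing the two places RFC 2865 consumes the shared secret: hiding the User-Password attribute in the Access-Request, and computing the Response Authenticator of the Access-Accept or Access-Reject. With different keys on the two sides, the server recovers an unrelated byte string instead of the password and rejects the user, and the NAS cannot validate the reply it gets back. The key strings expert and abc are the ones used in the examples on this page; the password and the packet identifier are constructed for the demonstration.

```python
"""How the RADIUS shared key is used on the wire (RFC 2865 sections 3 and 5.2).

Added example; not part of the HP guide or the firewall software. Password and
identifier are constructed; keys 'expert' and 'abc' come from this page's examples.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password or b"\x00"
    padded += b"\x00" * (-len(padded) % 16)      # pad with NULs to a multiple of 16 octets
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret the result is unrelated bytes.

    Trailing NUL padding is stripped, so this assumes passwords do not end in NUL.
    """
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def exchange(nas_secret, server_secret, password=b"Passw0rd!", ident=1):
    """One Access-Request / reply round trip, each side using its own configured key.

    Returns (reply code chosen by the server, whether the NAS accepts the reply).
    """
    request_auth = os.urandom(16)                  # NAS picks a fresh 16-octet Request Authenticator
    hidden = hide_password(password, nas_secret, request_auth)
    # server side: recover the password with the server's key and compare with the stored one
    recovered = reveal_password(hidden, server_secret, request_auth)
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    attrs = b""                                    # no reply attributes in this toy exchange
    reply_auth = response_authenticator(code, ident, attrs, request_auth, server_secret)
    # NAS side: recompute with its own key; on mismatch the reply must be silently discarded
    nas_accepts_reply = reply_auth == response_authenticator(code, ident, attrs, request_auth, nas_secret)
    return code, nas_accepts_reply


if __name__ == "__main__":
    print("matching keys  :", exchange(b"expert", b"expert"))  # Access-Accept, reply validated
    print("mismatched keys:", exchange(b"expert", b"abc"))     # Access-Reject, reply discarded
```

The second case is exactly what a key mismatch looks like from the firewall: the server answers, but either with a reject or with a reply whose authenticator does not verify, and the user simply fails to log in. Checking the key on both ends is therefore the right first step when the other four items check out.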
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a firewall chassis or a firewall module. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device.