-
HP Unified Wired-WLAN Products Security Configuration Guide

HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module

Part number: 5998-4798
Software version: 3507P22 (HP 830 PoE+ Switch Series), 2607P22 (HP 850 Appliance), 2607P22 (HP 870 Appliance), 2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418
-
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
-
Contents

Security overview, p. 1
  Network security threats, p. 1
  Network security services

Temporary access control of wireless users, p. 91
Troubleshooting AAA, p. 94
  Troubleshooting RADIUS, p. 94
  Troubleshooting HWTACACS

Configuration procedure, p. 120
Verifying the configuration, p. 122
Configuring MAC authentication, p. 124
  Overview

Specifying a source IP address for outgoing portal packets, p. 163
Configuring MAC-based quick portal authentication, p. 163
Configuring portal stateful failover, p. 164
Associating an SSID and AP with a portal server an

Configuring the userLoginWithOUI mode, p. 230
Configuring the userLoginSecureExt mode on a WLAN port, p. 235
Configuring an 802.

Verifying PKI certificates, p. 281
  Verifying certificates with CRL checking, p. 281
  Verifying certificates without CRL checking, p. 281
Destroying the local RSA key pair

SCP configuration example, p. 325
  Network requirements, p. 325
  Configuration procedure, p. 325
Configuring SSL

Configuring an ACL, p. 361
Configuring an IPsec transform set, p. 364
Configuring an IPsec policy, p. 365
Applying an IPsec policy group t

Configuring an ASPF policy, p. 407
Applying an ASPF policy to an interface, p. 408
Applying an ASPF policy to a user profile, p. 408
Configuring port mapping

Configuration procedure, p. 432
Configuring source IP address verification, p. 433
  Overview, p. 433
Configuring sou
-
Security overview

Network security services provide solutions that remove or reduce security threats. Network security threats are existing or potential threats to data confidentiality, data integrity, and data availability.

Network security threats
• Information disclosure—Information is leaked to an unauthorized person or entity.
• Data integrity damage—Data integrity is damaged by unauthorized modification or malicious destruction.
-
• Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
• Accounting—Records all network service usage information, including the service type, start time, and traffic. The accounting function provides information for charging and user behavior auditing.
-
Data security Managing public keys Public key configuration enables you to manage the local asymmetric key pairs (for example, creating or destroying a local asymmetric key pair, and displaying or exporting a local host public key), and configure the peer host public keys on the local device. IPsec and IKE IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology used for data encryption and data origin authentication.
-
• Application layer protocol inspection—ASPF checks application layer information for packets, such as the protocol type and port number, and monitors the application layer protocol status for each connection. ASPF maintains status information for each connection, and based on status information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.
-
User profile A user profile provides a configuration template to save predefined configurations, such as a CAR policy or a QoS policy. Different user profiles are applicable to different application scenarios. The user profile works with PPPoE, 802.1X, MAC authentication, and portal authentication. It is capable of restricting authenticated users' behaviors. After the authentication server verifies a user, it sends the device the name of the user profile that is associated with the user.
-
Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
-
RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting. RADIUS was originally designed for dial-in user access.
-
Figure 3 Basic RADIUS message exchange process

RADIUS uses the following workflow:
1. The host initiates a connection request that includes the user's username and password to the RADIUS client.
2. After receiving the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The user password is not sent in clear text: it is hidden by XORing it with an MD5 keystream derived from the shared key and the Request Authenticator of the packet (RFC 2865). This is keyed obfuscation rather than strong encryption, so the strength of the shared key determines how well a captured Access-Request protects the password.
3. The RADIUS server authenticates the username and password.
-
Figure 4 RADIUS packet format (fields in order: Code, Identifier, Length, Authenticator, Attributes)

Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet.

Table 1 Main values of the Code field
Code 1: Access-Request. From the client to the server. A packet of this type includes user information for the server to authenticate the user.
-
  • Type—(1 byte long) Type of the attribute, in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."
  • Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
  • Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length sub-fields.
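The following Python example is added here and is not part of the HP guide. It puts the packet layout of Figure 4, the Type/Length/Value attribute encoding just described, the User-Password hiding from step 2 of the workflow, and the Response Authenticator check a RADIUS client must perform on an Access-Accept into running code (RFC 2865). The username, password, NAS address, Request Authenticator and the shared key value expert are constructed sample values, not anything the guide prescribes.

```python
"""Build and parse a RADIUS Access-Request and check an Access-Accept (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    Pad to a multiple of 16 with NULs, then XOR each 16-byte block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    This is keyed obfuscation, not authenticated encryption: anyone holding a
    captured request who guesses the shared key recovers the password.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the server does: regenerate the keystream from the cipher blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: 1-byte Type, 1-byte Length covering the whole TLV, Value up to 253 bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(data: bytes):
    """Walk the TLV list; a Length below 2 or past the end is rejected rather than looped over."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..., as in Figure 4."""
    request_auth = request_auth or os.urandom(16)   # fresh and unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); bytes past Length are padding."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt) or length > 4096:
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:length])


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: the Authenticator field of a reply is the Response Authenticator."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A client must check this before trusting an Access-Accept; a forged or altered reply fails."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = response_authenticator(code, ident, resp[20:length], request_auth, secret)
    return hmac.compare_digest(expected, resp[4:20])
```

The Length checks in parse_attrs and parse_packet are the part worth copying: a Length of 0 or 1 in a TLV would otherwise never advance the offset, and a packet Length beyond the datagram would read past the buffer.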
-
-
HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS.
-
Figure 6 Basic HWTACACS message exchange process for a Telnet user

HWTACACS operates using the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6.
-
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14.
-
2. The LDAP client, using the username in the authentication information of a user, constructs search conditions to search for the user in the specified root directory of the server, and obtains a user DN list.
3. The LDAP client uses each user DN in the obtained user DN list and the user password to bind with the LDAP server. If a binding succeeds, the user is legal.
-
5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.
6. After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There may be one or more user DNs found.
7.
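The search-then-bind flow above (steps 2 and 3, and steps 5 to 7 for the Telnet case) has two traps that the prose does not spell out: the username is placed inside an LDAP search filter, so it must be escaped or it can change the filter's structure; and a bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that some directories, Active Directory by default, answer with success. The following Python example is added here and is not code from the HP guide or from any LDAP library: it implements the client side of the flow with both guards, against a constructed in-memory stand-in for the directory so that it runs offline. The directory contents, the administrator DN, the sAMAccountName attribute and the search base are assumptions chosen to echo the Telnet example later in this guide.

```python
"""Search-then-bind LDAP authentication as in the workflow above, run against an in-memory stand-in."""
import re

# Filter grammar the stand-in understands: one equality match, e.g. "(sAMAccountName=aaa)".
# A raw '(' , ')' or '*' inside the value cannot match, which is how an injected filter shows up.
_SIMPLE_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()*]*)\)$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeLdapServer:
    """Constructed stand-in for the directory; entries map DN -> {"attrs": {...}, "password": str}."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, search_filter):
        m = _SIMPLE_FILTER.match(search_filter)
        if not m:
            raise ValueError("stand-in only accepts a single equality filter: %r" % search_filter)
        attr, value = m.group(1), _unescape(m.group(2))
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and e["attrs"].get(attr) == value]

    def bind(self, dn, password):
        # Models RFC 4513 section 5.1.2: a DN with an empty password is an unauthenticated bind,
        # which some directories (Active Directory by default) answer with success.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password


def ldap_authenticate(server, base_dn, username_attr, username, password, admin_dn, admin_password):
    """Return (ok, detail). Steps: administrator bind, user DN search, then a bind per candidate DN."""
    if password == "":
        return False, "empty password refused before any bind"   # bind() would otherwise 'succeed'
    if not server.bind(admin_dn, admin_password):
        return False, "administrator bind failed"
    search_filter = "(%s=%s)" % (username_attr, escape_filter_value(username))
    candidates = server.search(base_dn, search_filter)
    if not candidates:
        return False, "no user DN found"
    for dn in candidates:               # step 3 above: every returned DN is tried
        if server.bind(dn, password):
            return True, dn
    return False, "password rejected for %d candidate DN(s)" % len(candidates)


# Constructed directory contents; names and passwords echo the Telnet example later in this guide.
DIRECTORY = FakeLdapServer({
    "cn=administrator,cn=users,dc=ldap,dc=com": {"attrs": {}, "password": "admin!123456"},
    "cn=aaa,cn=users,dc=ldap,dc=com": {"attrs": {"sAMAccountName": "aaa"}, "password": "ldap!123456"},
    "cn=aaa,ou=staff,dc=ldap,dc=com": {"attrs": {"sAMAccountName": "aaa"}, "password": "other!pw"},
})
ADMIN_DN = "cn=administrator,cn=users,dc=ldap,dc=com"
ADMIN_PW = "admin!123456"
BASE_DN = "dc=ldap,dc=com"


def login(username, password):
    """Authenticate one Telnet user the way the device would against DIRECTORY."""
    return ldap_authenticate(DIRECTORY, BASE_DN, "sAMAccountName", username, password, ADMIN_DN, ADMIN_PW)
```

Two candidate DNs for the same username (as step 6 allows) are both tried in order; the empty-password check sits before any bind so that the unauthenticated-bind behaviour of the directory can never turn into a successful login.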
-
• Login users—Users who want to log in to the device, including SSH users, Telnet users, Web users, FTP users, and terminal users.
• Portal users—Users who must pass portal authentication to access the network.
• PPP users—Users who access the network through PPP. Support for PPP users depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.
-
No. 3, CHAP-Password: Digest of the user password for CHAP authentication; present only in Access-Request packets when CHAP authentication is used.
No. 4, NAS-IP-Address: IP address the server uses to identify a client. A client is typically identified by the IP address of its access interface. This attribute is present only in Access-Request packets.
No. 5, NAS-Port: Physical port of the NAS that the user accesses.
-
No. 60, CHAP-Challenge: CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
No. 61, NAS-Port-Type: Type of the physical port of the NAS that is authenticating the user. Possible values include:
  • 15—Ethernet.
  • 16—Any type of ADSL.
  • 17—Cable (with cable for cable TV).
  • 19—WLAN-IEEE 802.11.
  • 201—VLAN.
  • 202—ATM.
  If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.
-
No. 25, Result_Code: Result of the Trigger-Request or SetPolicy operation: zero for success, any other value for failure.
No. 26, Connect_ID: Index of the user connection.
No. 28, Ftp_Directory: FTP user working directory. When the RADIUS client acts as the FTP server, this attribute sets the FTP directory for an FTP user on the RADIUS client.
No. 29, Exec_Privilege: EXEC user priority.
-
1. Configure the required AAA schemes.
  • Local authentication—Configure local users and the related attributes, including the usernames and passwords for the users to be authenticated.
  • Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP schemes. You must configure user attributes on the servers accordingly.
2. Configure AAA methods for the ISP domain.
-
Task: Configuring accounting methods for an ISP domain. Remarks: one task.
Task: Tearing down user connections. Remarks: Optional.
Task: Configuring local EAP authentication. Remarks: Required.
Task: Configuring a NAS ID-VLAN binding. Remarks: Optional.
Task: Specifying the device ID. Remarks: Optional.

NOTE: To use AAA methods to control access of login users, you must configure the authentication-mode command. For more information, see Fundamentals Configuration Guide.
-
You can configure a password control attribute in system view, user group view, or local user view, and you can make the attribute effective for all local users, all local users in a group, or only the local user. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control." For more information about password control commands, see Security Command Reference.
-
view has the lowest priority. For more information about user profiles, see "Configuring a user profile."

If a local user is the only security log manager in the system, this local user cannot be deleted. You cannot change or delete the security log manager role of this user unless you specify another local user as a security log manager.

To configure local user attributes:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Add a local user and enter local user view.
-
Step 7. Configure password control attributes for the local user. Remarks: Optional.
  • Set the password aging time: password-control aging aging-time
  • Set the minimum password
-
Configuring user group attributes User groups simplify local user configuration and management. A user group includes a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
-
Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters that the device uses to exchange information with the RADIUS servers. For example, there might be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters include the IP addresses of the servers, the shared keys, and the RADIUS server type.
-
Specifying the RADIUS authentication/authorization servers In RADIUS, user authorization information is piggybacked in authentication responses sent to RADIUS clients. It is neither allowed nor needed to specify a separate RADIUS authorization server. You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. When the primary server is not available, a secondary server is used.
-
Specifying the RADIUS accounting servers and the relevant parameters You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. When redundancy is not required, specify only the primary server. A RADIUS accounting server can function as the primary accounting server for one scheme and a secondary accounting server for another scheme at the same time.
-
Step 6. Set the maximum number of stop-accounting attempts. Command: retry stop-accounting retry-times. Remarks: Optional. The default setting is 500.

Specifying the shared keys for secure RADIUS communication

The RADIUS client and RADIUS server use the MD5 algorithm with a shared key to authenticate packets and to hide user passwords. The shared key is the only secret in this scheme: an attacker who captures RADIUS traffic and guesses the key can recover user passwords from Access-Requests and forge responses, so use a long random key and protect it like any other credential.
-
Step 3. Set the format for usernames sent to the RADIUS servers. Command: user-name-format { keep-original | with-domain | without-domain }. Remarks: Optional. By default, the ISP domain name is included in a username. Do not apply the RADIUS scheme to more than one ISP domain if you have configured the user-name-format without-domain command for that RADIUS scheme. Otherwise, users in different ISP domains are considered the same user if they use the same username.
-
Setting the maximum number of RADIUS request transmission attempts RADIUS uses UDP packets to transfer data. Because UDP communication is not reliable, RADIUS uses a retransmission mechanism to improve reliability. If a NAS sends a RADIUS request to a RADIUS server but receives no response before the response timeout timer (defined by the timer response-timeout command) expires, the NAS retransmits the request.
-
• When the primary server and all secondary servers are in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
• If one server is in active state and all the others are in blocked state, the device only tries to communicate with the server in active state, even if that server is unavailable.
-
The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate with the RADIUS server. However, in some situations, you must change the source IP address. You can specify a source IP address for outgoing RADIUS packets for a specific RADIUS scheme or all RADIUS schemes. Before sending a RADIUS packet, the NAS selects a source IP address in the following order: 1. The source IP address specified for the RADIUS scheme. 2.
-
You can specify a backup IP address for outgoing RADIUS packets for a specific RADIUS scheme or all RADIUS schemes. Before sending a RADIUS packet, the NAS selects a backup source IP address in the following order: 1. The backup source IP address specified for the RADIUS scheme. 2. The backup source IP address specified in system view. If no backup source IP address is specified in the views, the NAS sends no backup source IP address to the server.
-
• When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the number of secondary servers. If the retransmission process takes too long, the client connection in the access module may time out while the device is trying to find an available server. For more information about the maximum number of RADIUS packet transmission attempts, see "Setting the maximum number of RADIUS request transmission attempts.
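The interaction between the retransmission count, the response timeout and the number of servers determines how long the access module may have to wait, which is the caveat in the bullet above. The following Python example is added here and is not part of the HP guide: it encodes the two server-state rules quoted earlier (active servers only, primary first; primary only when everything is blocked) and computes the worst-case delay so that retry and timeout values can be checked against the access-side timeout before they are configured. It assumes the retry value counts transmission attempts per server and that the access module's own timeout is known (for example, a supplicant's timeout); the server addresses and numbers used in the usage are constructed.

```python
"""Size RADIUS retries and timeouts against the time the access module is willing to wait."""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    address: str
    state: str = "active"      # "active" or "blocked", as the device tracks it


def servers_to_try(primary, secondaries):
    """Order in which one request walks the servers, following the two rules above:
    active servers only, primary first; when every server is blocked, only the primary is tried."""
    active = [s for s in [primary] + list(secondaries) if s.state == "active"]
    return active if active else [primary]


def worst_case_delay(primary, secondaries, response_timeout, retry):
    """Seconds the NAS can spend before giving up when no server answers.
    Assumption: `retry` is the number of transmission attempts per server; check the
    command reference for the exact counting rule on your release."""
    return len(servers_to_try(primary, secondaries)) * retry * response_timeout


def check_budget(primary, secondaries, response_timeout, retry, client_timeout):
    """Return (fits, delay): whether the worst case stays inside the access module's timeout."""
    delay = worst_case_delay(primary, secondaries, response_timeout, retry)
    return delay <= client_timeout, delay


def max_retry_for_budget(server_count, response_timeout, client_timeout):
    """Largest per-server attempt count that keeps the worst case within client_timeout (0 if none)."""
    return client_timeout // (server_count * response_timeout)


if __name__ == "__main__":
    # Constructed scheme: one primary, three secondaries, 3 s timeout, 3 attempts, 30 s client budget.
    primary = RadiusServer("10.1.1.1")
    secondaries = [RadiusServer("10.1.1.2"), RadiusServer("10.1.1.3"), RadiusServer("10.1.1.4")]
    fits, delay = check_budget(primary, secondaries, 3, 3, 30)
    print("worst case %d s, fits=%s, max retry for budget=%d"
          % (delay, fits, max_retry_for_budget(4, 3, 30)))
```

With four servers all active, 3 s and 3 attempts give a 36 s worst case, which already exceeds a 30 s client budget; either lower the retry count to 2 or reduce the number of secondaries the scheme lists.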
-
Step 3. Enable accounting-on and configure parameters. Command: accounting-on enable [ interval seconds | send send-times ] *. Remarks: Disabled by default. The default interval is 3 seconds, and the default number of send-times is 50.

Configuring the IP address of the security policy server

The security policy server is the management and control center for Endpoint Admission Defense (EAD). The NAS checks the validity of received control packets and accepts only control packets from known servers.
-
Configuring interpretation of the RADIUS class attribute as CAR parameters This task is required when the RADIUS server supports assigning CAR parameters through the class attribute. According to RFC 2865, a RADIUS server assigns the RADIUS class attribute (attribute 25) to a RADIUS client. However, the RFC does not require the RADIUS client to interpret the attribute and only requires the RADIUS client to send the attribute to the accounting server on an "as is" basis.
-
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable logging of RADIUS packets. Command: radius log packet. Remarks: Disabled by default.

Enabling the RADIUS client service

To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service so that the device does not process unsolicited RADIUS packets at all.

To enable the RADIUS client service:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable the RADIUS client service.
-
Task: Specifying the HWTACACS accounting servers and the relevant parameters. Remarks: Optional.
Task: Specifying the shared keys for secure HWTACACS communication. Remarks: Required.
Task: Setting the username format and traffic statistics units. Remarks: Optional.
Task: Specifying the source IP address for outgoing HWTACACS packets. Remarks: Optional.
Task: Setting HWTACACS timers. Remarks: Optional.
Task: Displaying and maintaining HWTACACS. Remarks: Optional.

Creating an HWTACACS scheme

The HWTACACS protocol is configured on a per-scheme basis.
-
Specifying the HWTACACS authorization servers You can specify one primary authorization server and one secondary authorization server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
-
Step 2. Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Remarks: N/A.
Step 3. Specify HWTACACS accounting servers.
  • Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number ]
  • Specify a secondary HWTACACS accounting server: secondary accounting ip-address [ port-number ]
Step 4. Enable buffering of stop-accounting requests to which no responses are received. Command: stop-accounting-buffer enable.
Step 5. Set the maximum number of stop-accounting attempts.
-
The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the units for data flows and for data packets on the device are consistent with the units configured on the HWTACACS servers.

To set the username format and the traffic statistics units for an HWTACACS scheme:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter HWTACACS scheme view.
-
To specify a source IP address for all HWTACACS schemes:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Specify a source IP address for outgoing HWTACACS packets. Command: hwtacacs nas-ip ip-address. Remarks: By default, the IP address of the outbound interface is used as the source IP address.

To specify a source IP address for a specific HWTACACS scheme:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Remarks: N/A.
Step 3.
-
Displaying and maintaining HWTACACS

Task: Display the configuration or statistics of HWTACACS schemes. Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display information about buffered stop-accounting requests for which no responses have been received. Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
-
Specifying the LDAP authentication server

Changing the IP address and port number of the LDAP authentication server only affects LDAP authentication processes that occur after your change.

To specify the LDAP authentication server:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter LDAP scheme view. Command: ldap scheme ldap-scheme-name. Remarks: N/A.
Step 3. Specify the LDAP authentication server. Command: authentication-server ip-address [ port-number ]. Remarks: Not specified by default.
-
Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server but does not receive a response from the server within the LDAP server timeout period, the device considers that the authentication or authorization request has timed out and tries the backup authentication or authorization method, if any. If no backup method is configured, the device considers the authentication or authorization attempt as a failure.
-
A user DN search starting from the root directory might take a long time if the LDAP server has many levels of directories. To improve search efficiency, you can change the start point by specifying the search base DN. If the usernames configured on the LDAP server do not contain domain names, configure the device to remove domain names from the usernames to be sent to the LDAP server. Otherwise, configure the device to send usernames containing domain names to the LDAP server.
-
LDAP server contains user group attributes, specifying group attributes is unnecessary for Microsoft LDAP server.

Configurable LDAP group attributes are as follows:
• Group name attribute
• Group object class
• Member name attribute
• Search base DN
• Search scope

Typically, the group object class and member name attribute take the default values defined by the server manufacturers. If no default values are specified or you want to customize them, you can use commands to configure the values.
-
Configuring AAA methods for ISP domains By default, the device uses local (default) AAA methods for users in an ISP domain. To use other AAA methods for them, configure the device to reference existing AAA schemes for the ISP domain. For information about configuring AAA schemes, see "Configuring RADIUS schemes," "Configuring HWTACACS schemes," and "Configuring LDAP schemes.
-
Step 4. Specify the default ISP domain. Command: domain default enable isp-name. Remarks: Optional. By default, the default ISP domain is the system-defined ISP domain system. To delete the ISP domain that is functioning as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
Step 5. Specify an ISP domain for users with unknown domain names. Command: domain if-unknown isp-name. Remarks: Optional.
-
Step 4. Specify the maximum number of online users in the ISP domain. Command: access-limit enable max-user-number. Remarks: Optional. No limit is specified by default.
Configure the idle cut function. Command: idle-cut enable minute [ flow ]. Remarks: Optional. Disabled by default.
Enable the self-service server location function and specify the URL of the self-service server. Command: self-service-url enable url-string.
Define an IP address pool for allocating addresses to PPP users.
-
You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method. Configuration prerequisites Before configuring authentication methods, complete the following tasks: • For RADIUS, HWTACACS, or LDAP authentication, configure the RADIUS, HWTACACS, or LDAP scheme to be referenced first. Local and none authentication methods do not require a scheme. • Determine the access type or service type to be configured.
-
Step 4. Specify the authentication method for LAN users. Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }. Remarks: Optional.
Step 5. Specify the authentication method for login users. Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | ldap-scheme ldap-scheme-name [ local ] | none | radius-scheme radius-scheme-name [ local ] }.
Step 6. Specify the authentication method for portal users.
-
authorization as the backup method. The backup method is used when the remote server is not available.

Configuration prerequisites
Before configuring authorization methods, complete the following tasks:
1. For HWTACACS or LDAP authorization, configure the HWTACACS or LDAP scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme. Otherwise, it does not take effect.
2.
-
Step 6. Specify the authorization method for login users. Command: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | ldap-scheme ldap-scheme-name [ local ] | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional. The default authorization method is used by default.
Step 7. Specify the authorization method for portal users. Command: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional.
-
• You can configure a default accounting method for an ISP domain. This method is used for all users who support the accounting method and have no specific accounting method configured.
• You can configure local accounting (local) or no accounting (none) as the backup for remote accounting; the backup is used when the remote accounting server is unavailable.
• Local accounting (local) and no accounting (none) cannot have a backup method.
• Accounting is not supported for FTP services.
-
Step 9. Specify the accounting method for PPP users. Command: accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional. The default accounting method is used by default. Support for this feature depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.

Tearing down user connections
Step 1. Enter system view.
Step 2.
-
4. Configure 802.1X on the device. Configuring the local EAP authentication server A local EAP authentication server is a local authentication server that uses an EAP profile. An EAP profile is a collection of local EAP authentication settings, including the authentication method and user database to be used and, for some authentication methods, the SSL server policy to be referenced.
-
Step 7. Specify the EAP profile for the local authentication server. Command: local-server authentication eap-profile profile-name. Remarks: N/A.

Configuring a NAS ID-VLAN binding

The access locations of users can be identified by their access VLANs. Configure NAS ID-VLAN bindings on the device in application scenarios where identifying the access locations of users is required.
-
Displaying and maintaining AAA
Task: Display the configuration of ISP domains.
    Command: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Display information about user connections.
-
Figure 10 Network diagram (Telnet user, AP, AC, authentication server 10.1.1.1/24, IP network)

Configuration procedure
1. On the HWTACACS server, set the shared key to expert and add the Telnet user account information. (Details not shown.)
2. Configure the AC:
# Assign IP addresses to the interfaces. (Details not shown.)
# Enable the Telnet server on the AC.
system-view
[AC] telnet server enable
# Configure the AC to use AAA for Telnet users.
-
[AC-isp-bbb] authentication login hwtacacs-scheme hwtac
[AC-isp-bbb] authorization login hwtacacs-scheme hwtac
[AC-isp-bbb] quit
• Create an ISP domain, and configure the default authentication and authorization methods for all types of users in the domain.
[AC] domain bbb
[AC-isp-bbb] authentication default hwtacacs-scheme hwtac
[AC-isp-bbb] authorization default hwtacacs-scheme hwtac

Verifying the configuration
1. Telnet to the AC, and enter the correct username and password.
2.
-
[AC] telnet server enable
# Configure the AC to use AAA for Telnet users.
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
# Create an ISP domain named bbb and set it as the default ISP domain.
[AC] domain bbb
[AC-isp-bbb] quit
[AC] domain default enable bbb
# Create HWTACACS scheme hwtac.
[AC] hwtacacs scheme hwtac
# Specify the primary authorization server and the service port number.
[AC-hwtacacs-hwtac] primary authorization 10.1.1.
-
LDAP authentication for Telnet users
Network requirements
As shown in Figure 12, Active Directory of the Microsoft Windows 2003 Server is an LDAP server located on 10.1.1.1/24, and the server domain name is ldap.com. On the LDAP server, set the administrator password as admin!123456, and add a user with the username of aaa and password of ldap!123456. Configure the AC to use the LDAP server to authenticate Telnet users.
Figure 12 Network diagram (LDAP server 10.1.1.1/24, Vlan-int2 10.1.1.
-
Figure 13 Creating user aaa
d. Enter ldap!123456 in both the Password and Confirm password fields, select the password strategy options as needed, and then click Next. The New Object - User window closes.
Figure 14 Setting the user's password
e. Click ldap.com from the navigation tree. The list of users in the ldap.com domain appears.
f. Right-click aaa and select Properties from the shortcut menu. The aaa Properties window appears.
g. Click the Member Of tab, and then click Add.
-
The Select Groups window appears.
Figure 15 Modifying user properties
h. Enter Users in the Enter the object names to select field and click OK. User aaa is added to the group Users.
Figure 16 Adding user aaa to group Users
i. Right-click Administrator and select Set Password from the shortcut menu.
j. In the dialog box, set the password to admin!123456. (Details not shown.
2.
-
# Enable the AC to provide the Telnet service. (This step is optional because the Telnet service is enabled by default.)
system-view
[AC] telnet server enable
# Assign the IP address 10.1.1.2/24 to interface VLAN-interface 2, through which Telnet users access the AC.
[AC] vlan 2
[AC-vlan2] quit
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 10.1.1.2 24
[AC-Vlan-interface2] quit
# Configure the AC to use AAA for Telnet users.
-
Authentication and authorization for portal users by a RADIUS server
Network requirements
As shown in Figure 17, the client has a public network IP address assigned manually or obtained through DHCP. Configure the AC to provide the following functions:
• Authenticate and authorize portal users through the RADIUS server.
• Direct portal authentication so that the client can access the Internet only when portal authentication is passed.
-
− Select LAN Access Service from the Service Type list.
− Select HP(General) from the Access Device Type list.
− Use the default settings for other parameters.
e. In the Device List area, select the access device from the device list or manually add the device with the IP address 10.1.1.2. The IP address of the access device must be the same as the source IP address of the RADIUS packets sent from the AC, which is chosen in the following order:
− IP address specified with the nas-ip command.
-
Figure 19 Adding a service
3. Add an account for portal users and assign the previous service to the account:
a. Click the User tab.
b. From the navigation tree, select Access User View > All Access Users. The All Access Users page appears.
c. Click Add. The Add Access User page appears, as shown in Figure 20.
d. In the Access Information area, configure the user account:
− Select or add a platform user named hello.
− Enter portal in the Account Name field.
-
c. In the Portal Page field, enter the URL address of the portal authentication main page, in the format of http://ip:port/portal, where ip and port are those configured during IMC UAM installation. The default setting of port 8080 is typically used.
d. Click OK.
Figure 21 Portal server configuration
2. Configure an IP address group:
a. From the navigation tree, select User Access Manager > Portal Service > IP Group. The IP Group page appears.
b. Click Add.
-
3. Configure the AC as a portal device:
a. From the navigation tree, select User Access Manager > Portal Service > Device. The Device page appears.
b. Click Add. The Add Device page appears, as shown in Figure 23.
c. Enter NAS in the Device Name field.
d. Enter 192.168.1.70 in the IP Address field, which is the IP address of the access interface on the AC.
e. Enter portal in the Key field. Make sure the key is the same as that configured on the AC.
f.
-
Figure 24 Portal device list
Figure 25 Associating the portal device with the IP address group
5. Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the portal server configuration.

Configuring the AC
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[AC] radius scheme rs1
# Set the server type for the RADIUS scheme. To support IMC, set the server type to extended.
-
[AC-isp-dm1] authentication portal radius-scheme rs1
[AC-isp-dm1] authorization portal radius-scheme rs1
[AC-isp-dm1] quit
3. Configure portal authentication:
# Configure the portal server.
[AC] portal server newpt ip 10.1.1.1 key portal port 50100 url http://10.1.1.1:8080/portal
[AC] portal free-rule 0 source interface ten-gigabitethernet 1/0/1 destination any
# Enable portal authentication on the interface connecting the wireless client.
-
Authentication and authorization for 802.1X users by a RADIUS server
Network requirements
As shown in Figure 26, configure the AC to provide the following functions:
• Implement authentication and authorization for the 802.1X user on the client through the RADIUS server.
• Use the WLAN-ESS port as the authentication port.
• Include the domain name in the username sent to the RADIUS server. The username is dot1x@bbb.
-
− Select LAN Access Service from the Service Type list.
− Select HP(General) from the Access Device Type list.
− Use the default settings for other parameters.
e. In the Device List area, select the access device from the device list or manually add the device with the IP address 10.1.1.2. The IP address of the access device must be the same as the source IP address of the RADIUS packets sent from the AC, which is chosen in the following order:
− IP address specified with the nas-ip command.
-
− Select the Deploy VLAN option, and enter 4 in the box.
g. Click OK.
Figure 28 Adding a service
3. Add an account for portal users and assign the previous service to the account:
a. Click the User tab.
b. From the navigation tree, select Access User View > All Access Users. The All Access Users page appears.
c. Click Add. The Add Access User page appears, as shown in Figure 29.
d. In the Access Information area, configure the access user:
− Select or add a platform user named test.
-
Figure 29 Adding an access user account

Configuring the AC
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rad and enter its view.
system-view
[AC] radius scheme rad
# Set the server type for the RADIUS scheme. To support IMC, set the server type to extended.
[AC-radius-rad] server-type extended
# Specify the primary authentication server and the service port number.
[AC-radius-rad] primary authentication 10.1.1.
-
# Disable the online user handshake function.
[AC-WLAN-ESS1] undo dot1x handshake
# Disable the 802.1X multicast trigger function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
# Configure the port to use mandatory authentication domain bbb. The AC will use the authentication and authorization methods of this domain for all users accessing this port. This step is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
[AC-WLAN-ESS1] quit
# Configure the WLAN service template.
-
# View the information of the specified connection on the AC.
[AC] display connection ucibindex 22
Index=22 , Username=dot1x@bbb
MAC=0015-e9a6-7cfe
IP=192.168.1.58
IPv6=N/A
Access=8021X ,AuthMethod=EAP
Port Type=Wireless-802.
-
# Create user group dot1x, and configure the authorized VLAN as VLAN 100.
system-view
[AC] user-group dot1x
[AC-ugroup-dot1x] authorization-attribute vlan 100
[AC-ugroup-dot1x] quit
# Create local user usera, and add the user to user group dot1x.
[AC] local-user usera
[AC-luser-usera] group dot1x
[AC-luser-usera] password simple 1234
[AC-luser-usera] service-type lan-access
[AC-luser-usera] quit
# Configure the ISP domain to use local authentication and authorization.
-
[AC-wlan-st-1] security-ie wpa
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, and specify its model as MSM460-WW and serial number as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit

Verifying the configuration
1.
-
Configuration prerequisites
• To use the 802.1X client of Windows XP, configure the 802.1X connection properties as follows:
a. Open the Properties dialog box of the 802.1X connection.
b. On the Authentication tab, select the Enable IEEE 802.1X authentication for this network option and select Protected EAP (PEAP) from the EAP Type list.
c. Click Properties, and in the popup dialog box, select Secured password (EAP-MSCHAP v2) from the Select Authentication Method list and click OK.
d. Click OK.
-
[AC-radius-radoff] eap offload method peap-mschapv2
[AC-radius-radoff] quit
# Configure the AAA method for the ISP domain.
[AC] domain bbb
[AC-isp-bbb] authentication lan-access radius-scheme radoff
[AC-isp-bbb] authorization lan-access radius-scheme radoff
[AC-isp-bbb] accounting lan-access radius-scheme radoff
[AC-isp-bbb] quit
5. Configure 802.1X:
# Enable port security globally.
[AC] port-security enable
# Specify the 802.1X authentication method.
-
Verifying the configuration
1. Use the display radius scheme radoff and display domain bbb commands to view the AAA configuration.
2. Use the display dot1x interface wlan-ess1 command to view the 802.1X configuration.
3. After the 802.1X user passes EAP authentication by using the username in the username@bbb format and successfully logs in, use the display connection command to display the user's connection information.
-
Figure 33 Configuring advanced attributes for the Telnet user
2. Configure the AC:
# Assign an IP address to VLAN-interface 2, the interface used to connect the client.
system-view
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[AC-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3, the interface used to connect the server.
[AC] interface vlan-interface 3
[AC-Vlan-interface3] ip address 10.1.1.2 255.255.255.
-
# Set the shared key for authenticating authentication packets to expert.
[AC-hwtacacs-hwtac] key authentication simple expert
# Specify that usernames sent to the HWTACACS server do not include domain names.
[AC-hwtacacs-hwtac] user-name-format without-domain
[AC-hwtacacs-hwtac] quit
# Configure ISP domain bbb to use local authentication for Telnet users.
[AC] domain bbb
[AC-isp-bbb] authentication login local
# Configure the domain to use HWTACACS scheme hwtac for privilege level switching authentication.
-
Local EAP authentication for 802.1X users by an LDAP server
Network requirements
As shown in Figure 34, an 802.1X client connects to an AC that connects to an LDAP server. The IP address of the LDAP server is 10.1.1.1/24 and the domain name is ldap.com. Configure the AC to perform local EAP authentication for 802.1X users and to use the LDAP server for user identity authentication.
Figure 34 Network diagram
Configuration prerequisites
• Configure the 802.1X connection properties if the 802.
-
# Specify an LDAP scheme.
system-view
[AC] ldap scheme ldap1
# Specify the IP address of the LDAP authentication server.
[AC-ldap-ldap1] authentication-server 10.1.1.1
# Specify the administrator DN.
[AC-ldap-ldap1] login-dn cn=administrator,cn=users,dc=ldap,dc=com
# Specify the administrator password.
[AC-ldap-ldap1] login-password simple admin!123456
# Configure the base directory for user search.
-
# Configure the port to use mandatory authentication domain bbb. The AC will use the authentication, authorization, and accounting methods of this domain for all users accessing this port. This step is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
[AC-WLAN-ESS1] quit
# Configure the WLAN service template.
-
Figure 35 Network diagram (Client, AP, L2 switch, AC, Internet)
Configuration prerequisites
• Configure the 802.1X connection properties if the 802.1X client of Windows XP is used:
a. Open the Properties dialog box of the 802.1X connection.
b. On the Authentication tab, select the Enable IEEE 802.1X authentication for this network option and select the smart card or other certificates as the EAP authentication type.
• To use the iNode client, configure the 802.
-
# Disable the multicast trigger function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
# Disable the online user handshake function.
[AC-WLAN-ESS1] undo dot1x handshake
# Configure the port to use mandatory authentication domain test. With this configuration, the AC will use the authentication, authorization, and accounting methods of this domain for all 802.1X users accessing the port. This configuration is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain test
[AC-WLAN-ESS1] quit
4.
-
[AC-user-profile-manager] wlan permit-ssid aabbcc
[AC-user-profile-manager] quit
# Enable the user profile.
[AC] user-profile manager enable
# Create guest account guest and specify the password and service type.
[AC] local-user guest
[AC-luser-guest] password simple guest
[AC-luser-guest] service-type lan-access
# Set the expiration time of the guest account to 12:00:00 on August 8, 2013.
-
Symptom 2
RADIUS packets cannot reach the RADIUS server.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
• The NAS is not configured with the IP address of the RADIUS server.
• The authentication/authorization and accounting UDP ports configured on the NAS are incorrect.
• The RADIUS server's authentication/authorization and accounting port numbers are being used by other applications.
-
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the LDAP server.
• The LDAP server IP address or port number configured on the NAS is not correct.
• The username is not in the format userid@isp-name, or the ISP domain is not correctly configured on the NAS.
• The user is not configured on the LDAP server.
• The password entered by the user is not correct.
• The administrator DN or password is not configured.
-
802.1X overview
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing WLANs, and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model.
-
Figure 37 Authorization state of a controlled port
In unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The HP devices support only unidirectional traffic control.
802.1X-related protocols
802.
-
Packet formats
EAP packet format
Figure 38 shows the EAP packet format.
Figure 38 EAP packet format
• Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The length is the sum of the Code, Identifier, Length, and Data fields.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet.
-
Value   Type            Description
0x02    EAPOL-Logoff    The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
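As an added example (not code from the HP guide), the following Python parser implements the EAP and EAPOL packet layouts described above and applies the length rules a network access device must enforce before acting on a frame. The EAPOL Version field and the Type values other than 0x02 come from IEEE 802.1X, because that part of the table is cut off here; the sample frames are constructed for the example, not captured.

```python
"""Parse IEEE 802.1X EAPOL frames and the EAP packets they carry.

Added example, not from the HP guide. It checks the field relationships the
text describes: EAP Length covers the whole EAP packet, Success/Failure carry
no Data, and EAPOL-Start/EAPOL-Logoff have Length 0 and no Packet body.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code values (EAP packet format section above)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAPOL Packet Type values. 0x02 is the EAPOL-Logoff row shown above; the
# other values are the remaining rows of that table (IEEE 802.1X).
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff",
               0x03: "EAPOL-Key", 0x04: "EAPOL-Encapsulated-ASF-Alert"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    data: bytes                 # empty for Success/Failure (no Data field)


@dataclass
class EapolFrame:
    version: int
    packet_type: str
    length: int
    body: bytes
    eap: Optional[EapPacket]    # only present for EAP-Packet


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) Data(n)."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    # Length is the sum of Code, Identifier, Length and Data, so it can
    # never be below the 4-byte header or beyond what actually arrived.
    if length < 4 or length > len(buf):
        raise ValueError(f"EAP Length {length} inconsistent with {len(buf)} bytes")
    data = buf[4:length]
    if code in (3, 4) and data:
        raise ValueError("Success/Failure must not carry a Data field")
    return EapPacket(EAP_CODES[code], ident, length, data)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse one EAPOL PDU: Version(1) Type(1) Length(2) Packet body(n)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL Type 0x{ptype:02x}")
    if length > len(frame) - 4:
        raise ValueError("EAPOL Length exceeds received data")
    body = frame[4:4 + length]
    # EAPOL-Start and EAPOL-Logoff: Length 0, no Packet body follows.
    if ptype in (0x01, 0x02) and length != 0:
        raise ValueError(f"{EAPOL_TYPES[ptype]} must have Length 0")
    eap = parse_eap(body) if ptype == 0x00 else None
    return EapolFrame(version, EAPOL_TYPES[ptype], length, body, eap)


def is_well_formed(frame: bytes) -> bool:
    """True when the frame parses cleanly, False for anything malformed."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def build_eapol_eap(code: int, ident: int, data: bytes = b"") -> bytes:
    """Build an EAPOL (version 2) EAP-Packet carrying the given EAP packet."""
    eap = struct.pack("!BBH", code, ident, 4 + len(data)) + data
    return struct.pack("!BBH", 2, 0x00, len(eap)) + eap


# Constructed sample frames (not captures): an EAP-Request/Identity
# (EAP method Type 1) with Identifier 7, and a bare EAPOL-Logoff.
SAMPLE_REQUEST_IDENTITY = build_eapol_eap(1, 7, b"\x01")
SAMPLE_LOGOFF = bytes([2, 0x02, 0x00, 0x00])

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_REQUEST_IDENTITY))
    print(parse_eapol(SAMPLE_LOGOFF))
```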
-
the authentication server does not support the multicast address, use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
Access device as the initiator
The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP.
-
Figure 43 EAP termination
Comparing EAP relay and EAP termination
EAP relay
    Benefits: Supports various EAP authentication methods. The configuration and processing is simple on the network access device.
    Limitations: The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
EAP termination
    Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
    Limitations: Supports only MD5-Challenge
-
Figure 44 802.
-
9. The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
11.
-
Figure 45 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
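The MD5-Challenge exchange just described, as an added Python example that is not part of the HP guide: the network access device generates the challenge (step 4), the client answers with MD5(Identifier || password || challenge), the device terminates EAP and hands the digest and challenge to the RADIUS server, which recomputes the digest from its stored password (step 9). The function names are the example's own; the credentials dot1x@bbb and 1234 are taken from the configuration examples above and are used here as constructed test data.

```python
"""MD5-Challenge (CHAP) verification as performed in EAP termination mode.

Added example, not from the HP guide. It mirrors Figure 45: the network access
device (NAS) generates the challenge, the client returns an
EAP-Response/MD5-Challenge, the NAS terminates EAP and the RADIUS server
recomputes the digest. It also shows why this mode only works for
MD5-Challenge: the server needs the reversible password to recompute.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

EAP_TYPE_MD5_CHALLENGE = 4      # EAP method Type carried in the Data field


def nas_generate_challenge(size: int = 16) -> bytes:
    """NAS (step 4): random challenge sent in EAP-Request/MD5-Challenge."""
    return os.urandom(size)


def client_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Client: digest = MD5(Identifier || password || challenge), RFC 1994/3748."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def build_eap_md5_response(identifier: int, digest: bytes, name: str) -> bytes:
    """EAP-Response/MD5-Challenge: Code=2, Id, Length, Type=4, Value-Size, Value, Name."""
    data = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(digest)) + digest + name.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(data)) + data


def nas_extract_chap(eap_response: bytes) -> Tuple[int, bytes, str]:
    """NAS terminates EAP: pull Identifier, digest and Name out of the EAP
    response so they can go into a standard RADIUS request (CHAP-Password,
    CHAP-Challenge, User-Name) instead of being relayed as EAP-Message."""
    if len(eap_response) < 6:
        raise ValueError("EAP response truncated")
    code, identifier, length = struct.unpack("!BBH", eap_response[:4])
    if code != 2 or length != len(eap_response):
        raise ValueError("not a well-formed EAP Response")
    eap_type, value_size = struct.unpack("!BB", eap_response[4:6])
    if eap_type != EAP_TYPE_MD5_CHALLENGE or value_size != 16:
        raise ValueError("not an MD5-Challenge response with a 16-byte digest")
    digest = eap_response[6:6 + value_size]
    name = eap_response[6 + value_size:].decode()
    return identifier, digest, name


def server_verify_chap(identifier: int, challenge: bytes, digest: bytes,
                       stored_password: str) -> bool:
    """RADIUS server (step 9): recompute the digest and compare in constant time.
    Requires the cleartext (or reversibly stored) password on the server."""
    expected = client_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, digest)


def run_exchange(password_on_client: str, password_on_server: str,
                 identifier: int = 1, user: str = "dot1x@bbb") -> bool:
    """Full EAP termination round trip; returns the server's verdict."""
    challenge = nas_generate_challenge()                        # NAS, step 4
    digest = client_md5_response(identifier, password_on_client, challenge)
    response = build_eap_md5_response(identifier, digest, user)  # client
    ident, chap_digest, name = nas_extract_chap(response)        # NAS terminates EAP
    if name != user:
        raise ValueError("username in EAP response does not match")
    return server_verify_chap(ident, challenge, chap_digest, password_on_server)


if __name__ == "__main__":
    print("correct password ->", run_exchange("1234", "1234"))   # True
    print("wrong password   ->", run_exchange("1234", "abcd"))   # False
```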
-
Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (for example, a WLAN) that requires different authentication methods for different users on a port. For more information about port security, see "Configuring port security."
HP implementation of 802.
-
Access control: MAC-based
VLAN manipulation:
• If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
• If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns the first authenticated user's VLAN to the port as the PVID.
-
Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. Auth-Fail VLAN is supported only on ports that perform MAC-based access control. The following table describes how the network access device handles VLANs on these ports.
-
802.1X configuration task list
Task: Enable port security to enable 802.1X
    Remarks: Required. By default, the 802.1X function of port security is disabled. 802.1X must work with the port security feature to function on a WLAN port.
Task: Enabling EAP relay or EAP termination
    Remarks: Optional.
Task: Setting the port authorization state
    Remarks: Optional.
Task: Specifying an access control method
    Remarks: Optional.
Task: Setting the maximum number of concurrent 802.1X users on a port
    Remarks: Optional.
-
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure EAP relay or EAP termination.
    Command: dot1x authentication-method { chap | eap | pap }
    Remarks: By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay. Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination.
-
Specifying an access control method
You can specify an access control method for one port in interface view, or for multiple ports in system view. If different access control methods are specified for a port in system view and interface view, the one specified later takes effect.
To specify the access control method:
Step 1. Enter system view.
Step 2. Specify an access control method in system view, Layer 2 Ethernet interface view, or WLAN-ESS interface view.
-
Setting the maximum number of authentication request attempts
The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command). The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.
-
of handshake attempts (set by the dot1x retry command), the network access device sets the user in the offline state. If iNode clients are deployed, you can also enable the online handshake security function to check for 802.1X users that use illegal client software to bypass security inspection such as dual network interface cards (NICs) detection. This function checks the authentication information in client handshake messages.
-
request attempts set with the dot1x retry command (see "Setting the maximum number of authentication request attempts") is reached. The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.
-
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view or WLAN-ESS interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Specify a mandatory 802.1X authentication domain on the port.
    Command: dot1x mandatory-domain domain-name
    Remarks: By default, no mandatory 802.1X authentication domain is specified.
-
The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for the server assignment of re-authentication timer and the re-authentication timer configuration on the server vary with servers.
-
as an untagged member. For more information about the MAC-based VLAN function, see Layer 2 Configuration Guide.
Configuration procedure
To configure an 802.1X guest VLAN:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure an 802.1X guest VLAN for one or more ports in system view, Layer 2 Ethernet interface view, or WLAN-ESS interface view.
-
• On the 802.1X-enabled port that performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member. For more information about the MAC-based VLAN function, see Layer 2 Configuration Guide.
Configuration procedure
To configure an Auth-Fail VLAN:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view or WLAN-ESS interface view.
-
Configuring the accounting delay feature
By default, the accounting delay feature is disabled. The device sends an accounting request to the accounting server for an 802.1X user immediately after the user passes authentication, regardless of whether an IP address has been assigned to the user. The accounting delay feature enables the device to wait a period of time for an authenticated 802.1X user to obtain an IP address before sending an accounting request.
-
802.1X with ACL assignment configuration example
This section describes how to configure 802.1X with ACL assignment. For more information about 802.1X configuration, see WLAN Configuration Guide. The configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
-
# Configure the RADIUS server and specify the ACL to be assigned. (Details not shown.)
# Configure the RADIUS scheme.
system-view
[AC] radius scheme 2000
[AC-radius-2000] primary authentication 10.1.1.1
[AC-radius-2000] primary accounting 10.1.1.2
[AC-radius-2000] key authentication abc
[AC-radius-2000] key accounting abc
[AC-radius-2000] user-name-format without-domain
[AC-radius-2000] quit
# Create an ISP domain and specify RADIUS scheme 2000 as the default AAA scheme for the domain.
-
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

Verifying the configuration
# After a user passes authentication, use the display connection command to verify that the 802.
-
Request timed out.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.
-
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources.
-
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for the entire interval, the device logs the user out and stops accounting for the user.
-
MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources. If a user in the guest VLAN passes MAC authentication, that user is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
-
• For local authentication, create local user accounts, and specify the lan-access service for the accounts.
• For RADIUS authentication, check that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of the MAC authentication users.
-
Step 2. Enable MAC authentication.
    Command (use one of the methods):
    • On a group of Ethernet interfaces in system view: mac-authentication interface interface-list
    • On an Ethernet interface in interface view:
      a. interface interface-type interface-number
      b. mac-authentication
    • On a WLAN-ESS or WLAN-MESH interface: See "Configuring port security".
    Remarks: By default, MAC authentication is disabled on a port.
Step 3. Set the maximum number of concurrent MAC authentication users allowed on a port.
-
• Enable MAC-based VLAN on the port.
• Create the VLAN to be specified as the MAC authentication guest VLAN.
To configure a MAC authentication guest VLAN:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter WLAN-ESS interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Specify a MAC authentication guest VLAN.
    Command: mac-authentication guest-vlan guest-vlan-id
    Remarks: By default, no MAC authentication guest VLAN is configured.
-
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter WLAN-ESS interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure portal-before-MAC.
    Command: mac-authentication trigger after-portal
    Remarks: By default, this feature is disabled.

Displaying and maintaining MAC authentication
Task: Display MAC authentication information.
    Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
-
Figure 47 Network diagram (Supplicant: client with MAC 00-e0-fc-12-34-56; Authenticator: AP, L2 switch, AC; IP network)

Configuration procedure
# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account.
-
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1, specify the model as MSM460-WW and serial number as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 2 to radio 1.
-
RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 48, a WLAN client connects to the AC through a Layer 2 switch. The AC uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on the WLAN-ESS interface to control Internet access. Make sure that:
• The AC detects whether a user has gone offline every 180 seconds.
• All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 123456.
-
[AC-isp-2000] quit
# Enable port security.
[AC] port-security enable
# Configure the WLAN port security, using MAC and PSK authentication, and specify the domain 2000 as the authentication domain for MAC authentication users on the port.
-
Server response timeout value is 100s
The max allowed user number is 20480 per slot
Current user number amounts to 1
Current domain is 2000
Silent MAC User info:
MAC Addr                From Port                Port Index
WLAN-DBSS0:7 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 0
Max number of on-line users is 4096
Current online user number is 1
MAC Addr                Authenticate State                Auth Index
000e-35b2-8be9          MAC_AUTHENTICATOR_SUCCESS         1297
# Display the online user information.
-
Figure 49 Network diagram (Client, AP, AC; authentication servers: RADIUS server cluster 10.1.1.1 and 10.1.1.2; FTP server 192.168.1.10; 10.0.0.1; IP network)

Configuration procedure

Make sure the RADIUS server and the AC can reach each other.
1. Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
2. Configure the ACL:
# Configure IP addresses of the interfaces.
-
# Enable port security.
[AC] port-security enable
# Configure the WLAN port security, using MAC and PSK authentication, and specify the domain 2000 as the authentication domain for MAC authentication users on the port.
-
  MAC address authentication is enabled
  Authenticate success: 1, failed: 0
  Max number of on-line users is 4096
  Current online user number is 1
  MAC Addr         Authenticate State          Auth Index
  00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS   1301
# Display online user information.
display connection
 Index=1301,Username=00-e0-fc-12-34-56@2000
 MAC=00-E0-FC-12-34-56
 IP=N/A
 IPv6=N/A
 Online=00h00m53s
 Total 1 connection(s) matched.
-
Configuring portal authentication

Overview

Portal authentication helps control access to the Internet. Portal authentication is also called Web authentication. A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website. However, to access the Internet, a user must pass portal authentication.
-
Figure 50 Portal system components (authentication clients, access device, portal server, authentication/accounting server, security policy server)

Authentication client

An authentication client is an entity seeking access to network resources. It is typically an end-user terminal such as a PC. A client can use a browser or portal client software for portal authentication.
-
The components of a portal system interact as follows: 1. When an unauthenticated user enters a website address in the browser's address bar to access the Internet, the system creates an HTTP request and sends it to the access device. The access device then redirects the HTTP request to the portal server's Web authentication homepage. For extended portal functions, authentication clients must run the portal client software. 2.
-
Authentication page customization support

The local portal server function allows you to customize authentication pages. You can customize authentication pages by editing the corresponding HTML files, and then compress and save the files to the storage medium of the device.
-
In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client's IP address is used for client identification. After a client passes authentication, the access device generates an ACL for the client based on the client's IP address to permit packets from the client to go through the access port.
-
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)

Figure 53 Direct authentication/cross-subnet authentication process

The direct authentication/cross-subnet authentication process is as follows:
1. An authentication client initiates authentication by sending an HTTP request.
-
Re-DHCP authentication process (with CHAP/PAP authentication)

Figure 54 Re-DHCP authentication process (participants: authentication client, portal server, access device, authentication/accounting server, security policy server)
1) Initiate a connection
2) CHAP authentication
3) Authentication request
4) RADIUS authentication
(Timer)
5) Authentication reply
6) Authentication succeeds
7) The user obtains a new IP address
8) Discover user IP change
9) Detect user IP change
10) Notify login success
11) IP change acknowledg
-
Authentication process with the local portal server

Figure 55 Authentication process with the local portal server

With the local portal server, the direct/cross-subnet authentication process is as follows:
1. A portal client initiates authentication by sending an HTTP request. When the HTTP packet arrives at an access device using the local portal server, it is redirected to the local portal server, which then pushes a Web authentication page for the user to enter the username and password.
-
2. The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client. 3.
-
to the portal server, which provides a portal authentication page for the user. The user must enter the username and password to pass portal authentication. MAC-triggered authentication provides a quick, effective portal authentication for users whose MAC addresses have been bound with portal user accounts on the MAC binding servers. A MAC binding server is required for MAC-triggered authentication. An HP IMC portal server should be used as the MAC binding server.
-
on each device for stateful failover packets. When both a failover link and a backup VLAN are configured, add the physical ports at the two ends of the failover link to the backup VLAN. For more information about the stateful failover feature, see High Availability Configuration Guide.

Figure 57 Network diagram for portal stateful failover configuration

As shown in Figure 57, users have to pass portal authentication to access the Internet.
-
◦ Primary—Indicates that the user logs in from the local device, and the user data is generated on the local device. The local device is in synchronization state and ready for receiving and processing packets from the server.
◦ Secondary—Indicates that the user logs in from the peer device, and the user data is synchronized from the peer device to the local device. The local device is in synchronization state.
-
Task: Specifying the parameters to be carried in the redirection URL
  Remarks: Optional.
Task: Configuring the control mode for portal user packets
  Remarks: Optional.
Task: Enabling host identity check through DHCP snooping
  Remarks: Optional.
Task: Configuring mandatory webpage pushing
  Remarks: Optional.

Configuration prerequisites

Although the portal feature provides a solution for user identity authentication and security check, the portal feature cannot implement this solution by itself.
-
• The specified parameters of a portal server can be modified or deleted only if the portal server is not referenced on any interface.
• For local portal server configuration, the keywords key, port, and url are usually not required and, if configured, do not take effect. When using local portal servers for stateful failover in wireless environments, however, the keyword url is required and the address format must be http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm.
-
The page elements refer to the files that the authentication pages reference, for example, back.jpg for page Logon.htm. Each main authentication page can reference multiple page elements. If you define only some of the main authentication pages, the system uses the default authentication pages for the undefined ones.
-
Password :
... ...
-
Configuration prerequisites

To configure the local portal server to support HTTPS, complete the following configurations first:
• Configure PKI policies, obtain the CA certificate, and apply for a local certificate. For more information, see "Configuring PKI."
• Configure the SSL server policy, and specify the PKI domain to be used, which is configured in the above step. For more information, see "Configuring SSL."
-
• In re-DHCP authentication mode, a client can use a public IP address to send packets before passing portal authentication. However, responses to the packets are restricted.
• An IPv6 portal server does not support the re-DHCP portal authentication mode.
• You can enable both an IPv4 portal server and an IPv6 portal server for Layer 3 portal authentication on an interface, but you cannot enable two IPv4 or two IPv6 portal servers on the interface.
-
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
  Command: • To configure an IPv4 portal-free rule:
-
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure an authentication source subnet.
  Command: portal auth-network { ipv4-network-address { mask-length | mask } | ipv6 ipv6-network-address prefix-length }
  Remarks: Optional. By default, the authentication source IPv4 and IPv6 subnets are 0.0.0.0/0 and ::/0, respectively, which means that users from any subnet must pass portal authentication.
-
and the system default authentication domain. For information about the default authentication domain, see "Configuring AAA."

Configuring Layer 3 portal authentication to support Web proxy

By default, only HTTP requests from non-proxy users can trigger Layer 3 portal authentication. Proxied HTTP requests cannot trigger Layer 3 portal authentication, and they are silently dropped. To allow such HTTP requests to trigger portal authentication, configure the port numbers of the Web proxy servers on the device.
-
If a user's browser uses the WPAD protocol to discover Web proxy servers, add the port numbers of the Web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication. If the Web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host enabled with the HTTP service.
-
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Specify the NAS-Port-Type value for the interface.
  Command: portal nas-port-type { ethernet | wireless }
  Remarks: Not configured by default.
-
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a NAS ID profile and enter NAS ID profile view.
  Command: aaa nas-id profile profile-name
  Remarks: For more information about the command, see Security Command Reference.
Step 3. Bind a NAS ID with a VLAN.
  Command: nas-id nas-identifier bind vlan vlan-id
  Remarks: For more information about the command, see Security Command Reference.
Step 4. Return to system view.
  Command: quit
  Remarks: N/A
Step 5. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 6.
-
• Enable MAC-triggered authentication on the interface enabled with portal authentication.
• Specify the MAC binding server as a portal server. For configuration information, see "Specifying a portal server for Layer 3 portal authentication."
After MAC-triggered authentication takes effect, the access device checks a user's traffic at a specific interval (specified by the period period-value option).
-
• Specify the backup source IP address for outgoing RADIUS packets as the source IP address for RADIUS packets that is configured on the peer device, so that the peer device can receive packets from the server. (This configuration is optional.)
• Specify the backup VLAN, and enable stateful failover on the VLAN interface. For related configuration, see High Availability Configuration Guide.
-
Step 6. Specify a backup source IP address for outgoing RADIUS packets.
  Command (optional; use either method):
  • Method 1: radius nas-backup-ip ip-address
  • Method 2:
    a. radius scheme radius-scheme-name
    b. nas-backup-ip ip-address
  Remarks: By default, no backup source IP address is specified. You do not need to specify the backup source IP address if the device uses the virtual IP address of the VRRP group to which the uplink belongs as the source IP address of outgoing RADIUS packets.
-
local portal authentication, if the URL a user entered in the address bar before portal authentication is more than 255 characters, the user cannot be redirected to the page of the URL after passing portal authentication. To use this feature for remote Layer 3 portal authentication, the portal server must be an IMC portal server that supports the page auto-redirection function.

To specify an auto-redirection URL for authenticated portal users:
Step 1. Enter system view.
Step 2.
-
Configuring the portal server detection function

During portal authentication, if the communication between the access device and portal server is broken, new portal users are not able to log on and the online portal users are not able to log off normally. To address this problem, the access device needs to be able to detect the reachability changes of the portal server quickly and take corresponding actions to deal with the changes.
-
• If both detection methods are specified, a portal server is regarded as unreachable as long as one detection method fails, and an unreachable portal server is regarded as recovered only when both detection methods succeed.
• If multiple actions are specified, the access device executes all the specified actions when the status of a portal server changes.
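The two rules above (a server becomes unreachable as soon as any one detection method fails, recovers only when every method succeeds again, and every configured action runs on each status change) as a small state tracker. This is an added Python example, not HP code; the method names "probe" and "heartbeat" and the log/trap actions are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

REACHABLE = "reachable"
UNREACHABLE = "unreachable"


@dataclass
class PortalServerMonitor:
    """Tracks one portal server's reachability as seen by the access device."""
    name: str
    methods: List[str]                                    # configured detection methods (assumed names)
    actions: List[Callable[[str, str], None]] = field(default_factory=list)
    state: str = REACHABLE
    last: Dict[str, bool] = field(init=False)             # latest result per method
    transitions: List[Tuple[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.methods:
            raise ValueError("at least one detection method must be configured")
        self.last = {m: True for m in self.methods}       # start optimistic

    def report(self, method: str, ok: bool) -> str:
        """Record one detection result and apply the transition rule."""
        if method not in self.last:
            raise ValueError(f"{method!r} is not a configured detection method")
        self.last[method] = ok
        new_state = self.state
        if self.state == REACHABLE and not ok:
            new_state = UNREACHABLE                       # any single failure is enough
        elif self.state == UNREACHABLE and all(self.last.values()):
            new_state = REACHABLE                         # recovery needs every method to pass
        if new_state != self.state:
            old, self.state = self.state, new_state
            self.transitions.append((old, new_state))
            for action in self.actions:                   # run all actions, not just the first
                action(self.name, new_state)
        return self.state


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Walk the server 'newpt' through one outage; returns (transitions, action log)."""
    log: List[str] = []
    mon = PortalServerMonitor(
        "newpt", ["probe", "heartbeat"],
        actions=[lambda s, st: log.append(f"log: {s} {st}"),    # assumed logging action
                 lambda s, st: log.append(f"trap: {s} {st}")])  # assumed trap action
    mon.report("heartbeat", False)  # -> unreachable, both actions run
    mon.report("probe", False)      # already unreachable: no new transition
    mon.report("probe", True)       # heartbeat still failing: stays unreachable
    mon.report("heartbeat", True)   # both succeed -> recovered, both actions run
    return mon.transitions, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```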
-
Step 2. Configure the portal user information synchronization function.
  Command: portal server server-name user-sync [ interval interval ] [ retry retries ]
  Remarks: Not configured by default. The portal server specified in the command must exist and must be an IPv4 portal server. This function can take effect only when the specified portal server is referenced on the interface connecting the users.
-
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable logging for portal packets.
  Command: portal log packet
  Remarks: By default, portal packet logging is disabled to avoid impacting system performance.

Specifying the parameters to be carried in the redirection URL

You can specify the following parameters that the redirection URL carries, and customize the parameter names:
• nas-id—Carries the NAS ID parameter.
• nas-ip—Carries the NAS IP parameter.
• user-mac—Carries the user MAC parameter.
-
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure the control mode for portal user packets.
  Command: portal control-mode { mac | ip-mac }
  Remarks: By default, the control mode is IP+MAC.

Enabling host identity check through DHCP snooping

When the device serves as a Layer 2 device, it might be unable to learn ARP entries. Therefore, the device cannot perform host identity check through ARP entries.
-
Step 3. Configure the mandatory webpage pushing function on the interface.
  Command: web-redirect url url-string [ interval interval ]
  Remarks: By default, mandatory webpage pushing is disabled. After you modify the redirection URL address, users are redirected based on their status:
  • Online users are redirected to the original URL during the current redirection interval. After the redirection interval expires, online users are redirected to the new URL.
-
Task: Clear portal connection statistics on a specific interface or all interfaces.
  Command: reset portal connection statistics { all | interface interface-type interface-number }
  Remarks: Available in user view.
Task: Clear portal server statistics on a specific interface or all interfaces.
  Command: reset portal server statistics { all | interface interface-type interface-number }
  Remarks: Available in user view.
Task: Clear TCP spoofing statistics.
  Command: reset portal tcp-cheat statistics
  Remarks: Available in user view.
-
Configuration prerequisites and guidelines
• Configure IP addresses for the client, AC, and servers as shown in Figure 58, and make sure they have IP connectivity between each other.
• Configure the RADIUS server properly to provide authentication/authorization services for users.

Configuring the portal server

This section uses IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Configure the portal server:
a. Log in to IMC and click the Service tab.
b.
-
Figure 60 Adding an IP address group
3. Add a portal device:
a. From the navigation tree, select User Access Manager > Portal Service > Device to enter the portal device configuration page.
b. Click Add to enter the page shown in Figure 61.
c. Enter the device name AC.
d. Enter the IP address of the router's interface connected to the user.
e. Enter the key, which must be the same as that configured on the access device (AC).
f. Set whether to enable IP address reallocation.
-
Figure 62 Device list
b. On the port group configuration page, click Add to enter the page shown in Figure 63.
c. Enter the port group name.
d. Select the configured IP address group. The client's IP address must be within this IP address group.
e. Use the default settings for other parameters.
f. Click OK.
Figure 63 Adding a port group
5. From the navigation tree, select User Access Manager > Service Parameters > Validate System Configuration to validate the configurations.

Configuring the AC

1.
-
[AC] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[AC-isp-dm1] authentication portal radius-scheme rs1
[AC-isp-dm1] authorization portal radius-scheme rs1
[AC-isp-dm1] quit
3. Configure portal authentication:
# Configure the portal server as follows:
◦ Name: newpt
◦ IP address: 192.168.0.111
◦ Key: portal (in plaintext)
◦ Port number: 50100
◦ URL: http://192.168.0.111/portal
[AC] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.
-
Figure 64 Network diagram

Configuration prerequisites and guidelines
• Configure IP addresses for the AC and servers as shown in Figure 64, and make sure that the client, AC, and servers have IP connectivity between each other.
• Configure the RADIUS server to provide authentication/authorization services for users.
• Configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. The configuration steps are omitted.
-
[AC-isp-dm1] authorization portal radius-scheme rs1
[AC-isp-dm1] quit
3. Configure portal authentication on the AC:
# Configure the portal server as follows:
◦ Name: newpt
◦ IP address: 192.168.0.111
◦ Key: portal (in plaintext)
◦ Port number: 50100
◦ URL: http://192.168.0.111/portal
[AC] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Configure the AC as a DHCP relay agent, and enable the invalid address check function.
-
Figure 65 Network diagram

Configuration prerequisites

Configure IP addresses for the client, AC, and servers as shown in Figure 65 and make sure they have IP connectivity between each other. Configure the RADIUS server to provide authentication/authorization services for users.

Configuration procedure

1. Configure a RADIUS scheme on the AC:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[AC] radius scheme rs1
# Set the server type for the RADIUS scheme.
-
[AC-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[AC-acl-adv-3000] quit
[AC] acl number 3001
[AC-acl-adv-3001] rule permit ip
[AC-acl-adv-3001] quit
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.
4. Configure extended portal authentication on the AC:
# Configure the portal server as follows:
◦ Name: newpt
◦ IP address: 192.168.0.111
◦ Key: portal (in plaintext)
◦ Port number: 50100
◦ URL: http://192.168.0.
-
Figure 66 Network diagram (Portal server 192.168.0.111/24; DHCP server 192.168.0.112/24; RADIUS server 192.168.0.113/24; Security policy server 192.168.0.114/24; AC with Vlan-int100 20.20.20.1/24 and Vlan-int2 10.0.0.1/24, sub 192.168.0.100/24; client behind the AP and L2 switch automatically obtains an IP address)

Configuration prerequisites and guidelines
• Configure IP addresses for the AC and servers as shown in Figure 66, and make sure the client, AC, and servers have IP connectivity between each other.
-
# Create an ISP domain named dm1 and enter its view.
[AC] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[AC-isp-dm1] authentication portal radius-scheme rs1
[AC-isp-dm1] authorization portal radius-scheme rs1
[AC-isp-dm1] quit
3. On the AC, configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources.
[AC] acl number 3000
[AC-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.
-
Configuring portal stateful failover

Network requirements

As shown in Figure 67, a failover link is present between AC 1 and AC 2. Both AC 1 and AC 2 support portal authentication. Configure stateful failover between AC 1 and AC 2 to support portal service backup and use VRRP to implement traffic switchover between the ACs.
• When AC 1 operates normally, Host accesses AC 1 for portal authentication before accessing the Internet. When AC 1 fails, Host accesses the Internet through AC 2.
-
For information about stateful failover configuration, see High Availability Configuration Guide.

Configuring the portal server

This section uses IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Configure the portal server:
a. Log in to IMC and click the Service tab.
b. From the navigation tree, select User Access Manager > Portal Service > Server to enter the portal server configuration page, as shown in Figure 68.
c. Configure the portal server parameters as needed.
-
Figure 69 Adding an IP address group
3. Add a portal device:
a. From the navigation tree, select User Access Manager > Portal Service > Device to enter the portal device configuration page.
b. Click Add to enter the page shown in Figure 70.
c. Enter the device name AC.
d. Enter the virtual IP address of the VRRP group that holds the portal-enabled interface.
e. Enter the key, which must be the same as that configured on the ACs.
f. Set whether to enable IP address reallocation.
-
Figure 71 Device list
b. On the port group configuration page, click Add to enter the page shown in Figure 72. Perform the following configurations.
c. Enter the port group name.
d. Select the configured IP address group. The client's IP address must be within this IP address group.
e. Use the default settings for other parameters.
f. Click OK.
Figure 72 Adding a port group
5.
-
# Configure the server type for the RADIUS scheme. When using the IMC server, you must configure the RADIUS server type as extended.
[AC1-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for secure communication with the server.
[AC1-radius-rs1] primary authentication 192.168.0.111
[AC1-radius-rs1] key authentication simple expert
# Configure the access device to not carry the ISP domain name in the username sent to the RADIUS server.
-
NOTE: Make sure you add the access device with IP address 192.168.0.1 on the RADIUS server.
6. Configure the WLAN service:
# Specify the backup AC address.
[AC1] wlan backup-ac ip 1.1.1.2
# Enable hot backup.
[AC1] hot-backup enable
# Configure VLAN 8 as the VLAN for AC hot backup.
[AC1] hot-backup vlan 8
[AC1] quit
# Create interface WLAN-ESS 1, and add it to VLAN 10.
-
# Set the priority of VLAN-interface 20 in the VRRP group to 150.
[AC2-Vlan-interface20] vrrp vrid 1 priority 150
[AC2-Vlan-interface20] quit
2. Configure a RADIUS scheme:
# Create RADIUS scheme rs1 and enter its view.
[AC2] radius scheme rs1
# Configure the server type for the RADIUS scheme. When using the IMC server, you must configure the RADIUS server type as extended.
-
[AC2] nas device-id 2
# Specify the source IP address of outgoing RADIUS packets as 192.168.0.1, the virtual IP address of the VRRP group.
[AC2] radius nas-backup-ip 192.168.0.1
NOTE: Make sure that you have added the access device with IP address 192.168.0.1 on the RADIUS server.
6. Configure the WLAN service:
# Specify the backup AC address.
[AC2] wlan backup-ac ip 1.1.1.1
# Enable hot backup.
[AC2] hot-backup enable
# Configure VLAN 8 as the VLAN for AC hot backup.
-
 Index:3  State:ONLINE  SubState:NONE  ACL:NONE  Work-mode: primary
 MAC              IP          Vlan  Interface
 --------------------------------------------------------------------
 000d-88f8-0eac   9.9.1.2     10    Vlan-interface10
 Total 1 user(s) matched, 1 listed.
[AC2] display portal user all
 Index:2  State:ONLINE  SubState:NONE  ACL:NONE  Work-mode: secondary
 MAC              IP          Vlan  Interface
 --------------------------------------------------------------------
 000d-88f8-0eac   9.9.1.2     10    Vlan-interface10
 Total 1 user(s) matched, 1 listed.
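A check a practitioner can run on the two displays above: parse the display portal user all output collected from both ACs and confirm that every portal user appears on both, once as primary and once as secondary, with the same MAC, IP, VLAN and interface. This is an added Python example, not HP code; the sample outputs are constructed from the display format shown above, and the stale case (backup AC missing the entry) is invented to show a detected discrepancy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output, modeled on the display portal user all output shown above.
AC1_OUTPUT = """\
[AC1] display portal user all
 Index:3  State:ONLINE  SubState:NONE  ACL:NONE  Work-mode: primary
 MAC              IP          Vlan  Interface
 --------------------------------------------------------------------
 000d-88f8-0eac   9.9.1.2     10    Vlan-interface10
 Total 1 user(s) matched, 1 listed.
"""
AC2_OUTPUT = """\
[AC2] display portal user all
 Index:2  State:ONLINE  SubState:NONE  ACL:NONE  Work-mode: secondary
 MAC              IP          Vlan  Interface
 --------------------------------------------------------------------
 000d-88f8-0eac   9.9.1.2     10    Vlan-interface10
 Total 1 user(s) matched, 1 listed.
"""
# Constructed failure case: the backup AC never received the user entry.
AC2_OUTPUT_STALE = """\
[AC2] display portal user all
 Total 0 user(s) matched, 0 listed.
"""

# One header line per user, followed by the MAC/IP/VLAN/interface row.
HEADER_RE = re.compile(
    r"Index:(?P<index>\d+)\s+State:(?P<state>\w+)\s+SubState:(?P<substate>\w+)"
    r"\s+ACL:(?P<acl>\S+)\s+Work-mode:\s*(?P<mode>\w+)")
USER_RE = re.compile(
    r"^\s*(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<ip>\d+(?:\.\d+){3})"
    r"\s+(?P<vlan>\d+)\s+(?P<iface>\S+)\s*$", re.IGNORECASE)


@dataclass
class PortalUser:
    index: int
    state: str
    substate: str
    acl: str
    mode: str          # "primary" or "secondary"
    mac: str = ""
    ip: str = ""
    vlan: int = 0
    iface: str = ""


def parse_portal_users(text: str) -> List[PortalUser]:
    """Parse each user's Index/State header and the MAC row that follows it."""
    users: List[PortalUser] = []
    current = None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            current = PortalUser(int(h["index"]), h["state"], h["substate"],
                                 h["acl"], h["mode"].lower())
            users.append(current)
            continue
        u = USER_RE.match(line)
        if u and current is not None:
            current.mac, current.ip = u["mac"].lower(), u["ip"]
            current.vlan, current.iface = int(u["vlan"]), u["iface"]
    return users


def check_failover_sync(out_ac1: str, out_ac2: str) -> List[str]:
    """Compare both ACs' views; an empty list means the user data is in sync."""
    a: Dict[str, PortalUser] = {u.mac: u for u in parse_portal_users(out_ac1)}
    b: Dict[str, PortalUser] = {u.mac: u for u in parse_portal_users(out_ac2)}
    problems: List[str] = []
    for mac in sorted(set(a) | set(b)):
        if mac not in a or mac not in b:
            problems.append(f"{mac}: present on only one AC")
            continue
        ua, ub = a[mac], b[mac]
        if {ua.mode, ub.mode} != {"primary", "secondary"}:
            problems.append(f"{mac}: work-modes {ua.mode}/{ub.mode}, "
                            "expected one primary and one secondary")
        if (ua.ip, ua.vlan, ua.iface) != (ub.ip, ub.vlan, ub.iface):
            problems.append(f"{mac}: IP, VLAN or interface differ between the ACs")
        if ua.state != "ONLINE" or ub.state != "ONLINE":
            problems.append(f"{mac}: states {ua.state}/{ub.state}, expected ONLINE on both")
    return problems


if __name__ == "__main__":
    print(check_failover_sync(AC1_OUTPUT, AC2_OUTPUT) or "in sync")
    print(check_failover_sync(AC1_OUTPUT, AC2_OUTPUT_STALE))
```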
-
Figure 73 Network diagram

Configuration considerations
• Configure the portal server and enable the portal server heartbeat function and the portal user heartbeat function.
• Configure the RADIUS server to implement authentication and authorization.
• Configure direct portal authentication on interface VLAN-interface 10, which is connected to the client.
-
Figure 74 Portal server configuration
2. Configure the IP address group:
a. From the navigation tree, select User Access Manager > Portal Service > IP Group to enter the portal IP address group configuration page.
b. Click Add to enter the page shown in Figure 75.
c. Enter the IP group name.
d. Enter the start IP address and end IP address of the IP group. Make sure the client's IP address is in the IP group.
e. Select a service group. By default, the group Ungrouped is used.
f.
-
d. Enter the IP address of the AC's interface connected to the user.
e. Enter the key, which must be the same as that configured on the AC.
f. Set whether to enable IP address reallocation. This example uses direct portal authentication. Therefore, select No from the Reallocate IP list.
g. Select Yes for both Support Server Heartbeat and Support User Heartbeat.
h. Click OK.
Figure 76 Adding a portal device
4. Associate the portal device with the IP address group:
a.
-
Figure 78 Adding a port group
5. From the navigation tree, select User Access Manager > Service Parameters > Validate System Configuration to validate the configurations.

Configuring the AC

1. Configure a RADIUS scheme:
# Create RADIUS scheme rs1 and enter its view.
system-view
[AC] radius scheme rs1
# Configure the server type for the RADIUS scheme. When using the IMC server, you must configure the RADIUS server type as extended.
-
[AC] interface vlan-interface 10
[AC-Vlan-interface10] portal domain dm1
[AC-Vlan-interface10] portal server newpt method direct
[AC-Vlan-interface10] quit
4.
-
Configuring direct portal authentication using local portal server

Network requirements

As shown in Figure 79, a wireless client is connected to the network through the AP. The client belongs to VLAN 2 and the AP belongs to VLAN 3. The client must pass direct portal authentication to access Internet resources. Before authentication, the client can access only the local portal server. The AC (access device) uses the local portal server that runs HTTPS to perform direct portal authentication for users.
-
[AC-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for secure communication with the server.
[AC-radius-rs1] primary authentication 1.1.1.2
[AC-radius-rs1] key authentication simple radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
[AC-radius-rs1] user-name-format without-domain
[AC-radius-rs1] quit
2.
-
[AC] portal local-server bind ssid abc file ssid1.zip
# Configure the local portal server name as newpt and IP address as 192.168.1.1. Other parameters do not need to be configured.
[AC] portal server newpt ip 192.168.1.1
# On VLAN-interface 2, the interface connected to the client, specify the authentication domain dm1 and portal server newpt for portal users and enable direct portal authentication.
-
Figure 80 Network diagram

Configuration prerequisites and guidelines
• Configure IP addresses for the server, client, switches, and ACs and make sure they have IP connectivity between each other.
• Make sure the client can access the authentication server through AC 1 and AC 2.
• Configure VRRP group 1 and VRRP group 2 to implement backup for downstream and upstream links respectively. For more information about VRRP, see High Availability Configuration Guide.
-
# On VLAN-interface 100, configure the interface to be tracked as VLAN-interface 8 and reduce the priority of VLAN-interface 100 in VRRP group 1 by 120 when the interface state of VLAN-interface 8 becomes Down or Removed.
[AC1-Vlan-interface100] vrrp vrid 1 track interface vlan-interface8 reduced 120
[AC1-Vlan-interface100] quit
# Create VRRP group 2, and configure the virtual IP address of VRRP group 2 as 8.1.1.68.
[AC1] interface vlan-interface 8
[AC1-Vlan-interface8] vrrp vrid 2 virtual-ip 8.1.1.
-
[AC1] portal local-server http
# On the interface connected to the client, specify the authentication domain dm1 for portal users and enable portal authentication.
[AC1] interface vlan-interface 100
[AC1-Vlan-interface100] portal domain dm1
[AC1-Vlan-interface100] portal server local method direct
# Specify the source IP address for outgoing portal packets as 16.16.0.8, the virtual IP address of VRRP group 1.
[AC1-Vlan-interface100] portal nas-ip 16.16.0.8
5.
-
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
7. Configure the stateful failover function:
# Configure VLAN 10 as the backup VLAN for stateful failover.
[AC1] dhbk vlan 10
# Enable symmetric-path mode stateful failover.
[AC1] dhbk enable backup-type symmetric-path

Configuring AC 2

1. Configure VRRP:
# Create VRRP group 1, and configure the virtual IP address of VRRP group 1 as 16.16.0.8.
system-view
[AC2] interface vlan-interface 100
[AC2-Vlan-interface100] vrrp vrid 1 virtual-ip 16.16.0.
-
# Configure a portal-free rule on AC 2, allowing packets from AC 1 to pass through without portal authentication. This configuration is required only when the roles (master/backup) of the ACs for stateful failover are different from those for VRRP.
[AC2] portal free-rule 0 source interface bridge-aggregation 1 destination any
# Configure the local portal server to support HTTP.
-
[AC2] wlan ap ap1 model MSM460-WW
[AC2-wlan-ap-ap1] serial-id CN2AD330S8
[AC2-wlan-ap-ap1] radio 1
[AC2-wlan-ap-ap1-radio-1] service-template 1
[AC2-wlan-ap-ap1-radio-1] radio enable
[AC2-wlan-ap-ap1-radio-1] quit
[AC2-wlan-ap-ap1] quit
7. Configure the stateful failover function:
# Configure VLAN 10 as the backup VLAN for stateful failover.
[AC2] dhbk vlan 10
# Enable symmetric-path mode stateful failover.
-
• The client can access only the portal server before authentication and can access the external network after passing portal authentication.
• When reconnecting to the external network, the authenticated client can pass portal authentication without the username and password.
• Use the RADIUS server as the authentication/authorization server.

Figure 81 Network diagram

Configuring the AC

1. Configure a RADIUS scheme on the AC:
# Create a RADIUS scheme named rs1, and enter its view.
-
◦ Port number: 50100
◦ URL: http://8.1.1.40:8080/portal
[AC] portal server 5 ip 8.1.1.40 key simple 123456789 port 50100 url http://8.1.1.40:8080/portal
# Create VLAN 5 and configure the IP address of VLAN-interface 5 as 112.115.1.1/16.
[AC] vlan 5
[AC-vlan5] quit
[AC] interface vlan 5
[AC-Vlan-interface5] ip address 112.115.1.1 16
[AC-Vlan-interface5] quit
# Create VLAN 3 and configure the IP address of VLAN-interface 3 as 112.113.1.1/16.
-
Figure 82 Configuring the portal server
2. Configure the IP address group:
a. From the navigation tree, select User Access Manager > Portal Service > IP Group.
b. Click Add to enter the page shown in Figure 83.
c. Enter the IP group name IP_group.
d. Enter the start IP address 112.113.0.0 and the end IP address 112.113.255.254. Make sure the client's IP address is in the IP group.
e. Select the service group Ungrouped.
f. Select Normal for Action.
g. Click OK.
Figure 83 Adding an IP address group
3.
-
d. Select the IP address 112.113.1.1, which is the IP address of the AC interface that connects to the client.
e. Enter the key 123456789, which must be the same as that configured on the AC.
f. Select No for both Support Server Heartbeat and Support User Heartbeat.
g. Click OK.
Figure 84 Adding a portal device
4. Associate the portal device with the IP address group:
a. From the navigation tree, select User Access Manager > Portal Service > Device.
b.
-
h. Click OK. Figure 86 Adding a port group 5. Configure an access rule: a. From the navigation tree, select User Access Manager > Access Rule Management. b. Click Add to enter the page shown in Figure 87. c. Enter the access rule name mac-trigger. d. Use default values for other parameters. e. Click OK.
-
Figure 87 Adding an access rule 6. Configure fast authentication on smart terminals: a. From the navigation tree, select User Access Manager > Service Configuration. b. Click Add to enter the page shown in Figure 88. c. Enter the service name dot1x. d. Select mac-trigger for Default Access Rule. e. Select Portal Fast Authentication on Endpoints. f. Click OK.
-
7. Configure the access device: a. From the navigation tree, select User Access Manager > Access Device Management > Access Device. b. On the access device configuration page, click Add. c. Enter and confirm the shared key 123456789. d. Click Add Manually on the device list. e. On the Add Access Device Manually window, enter the access device IP address 112.113.1.1 in the Start IP field, and click OK. Figure 89 Adding an access device 8. Configure the access user: a. Click the User tab. b.
-
Figure 90 Adding an access user 9. Configure HTTP user agent feature identification: a. Click the Service tab. b. From the navigation tree, select User Access Manager > Endpoint Identification Management. c. Click the HTTP User Agent Feature Identification Configuration tab. The page displays smart terminals in the HTTP User Agent Feature Identification Configuration List. If the list contains no smart terminals, click Add to add devices. Figure 91 Configuring HTTP user agent feature identification 10.
-
Figure 92 Configuring BYOD system settings 11. From the navigation tree, select User Access Manager > Service Parameters > Validate to validate the configurations. Verifying the configuration # When the client accesses an external network, the portal authentication page appears. Enter the username Portal and password 123456789 to log in. # On the AC, display portal user information.
-
Troubleshooting portal Inconsistent keys on the access device and the portal server Symptom When a user is forced to access the portal server, the portal server displays a blank webpage, rather than the portal authentication page or an error message. Analysis The keys on the access device and those on the portal server are not configured consistently, causing CHAP message exchange failure. As a result, the portal server does not display the authentication page.
-
Configuring port security Port security is available on Ethernet and WLAN ports. Supported port types depend on the command. For more information, see Security Command Reference. Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. HP recommends that you configure port security in a WLAN network.
-
Authentication—Implements MAC authentication, 802.1X authentication, or a combination of the two authentication methods. • Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the pre-defined NTK, intrusion protection, or trapping action.
-
Controlling MAC address learning
• secure: MAC address learning is disabled on a port in this mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see Layer 2 Configuration Guide. A port in secure mode allows only frames sourced from the manually configured MAC addresses to pass.
Performing 802.1X authentication
• userLogin A port in this mode performs 802.
-
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority, as the Else keyword implies.
{ For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X frames. For wireless users, the port performs MAC authentication upon receiving non-802.1X frames.
{ Upon receiving 802.1X frames, the port performs MAC authentication first, and if the MAC authentication fails, it performs 802.1X authentication.
-
• userLoginSecureExtOrPresharedKey mode—The number of PSK users on the port cannot exceed the port limit on the number of wireless users, the number of 802.1X users cannot exceed the 802.1X feature's limit on the number of concurrent users, and the total number of PSK and 802.1X users cannot exceed port security's limit on the number of MAC addresses on the port. The maximum number of PSK or 802.1X users also depends on the system specification. Working with guest VLAN and Auth-Fail VLAN An 802.
-
Task Remarks
Configuring port security features:
• Configuring NTK
• Configuring intrusion protection
• Enabling port security traps
Optional. Configure one or more features as required.
Configuring port security for WLAN ports:
• Setting the port security mode of a WLAN port
• Enabling key negotiation
• Configuring a PSK
Required for WLAN ports.
Ignoring authorization information from the server. Optional.
Configuring NAS ID profile for port security. Optional.
-
The port security limit on the number of MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration in the Layer 2 Configuration Guide.
To set the maximum number of secure MAC addresses allowed on a port:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type interface-number N/A
3. Set the limit of port security on the number of MAC addresses.
-
Configuring port security features Configuring NTK The NTK feature checks destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, see Table 10. The NTK feature supports the following modes: • ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
-
Step Command Remarks
3. Configure the intrusion protection feature. port-security intrusion-mode { blockmac | disableport | disableport-temporarily } By default, intrusion protection is disabled. The disableport keyword is not supported on a WLAN-ESS interface.
4. Return to system view. quit N/A
5. Set the silence timeout period during which a port remains disabled. port-security timer disableport time-value Optional. 20 seconds by default.
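The following Python model is added here as an illustration and is not taken from the Comware software. It shows how the pieces described in this section interact on one port: the port security limit on secure MAC addresses, the lookup of a frame's source MAC address against the secure list, the NTK filtering of outbound frames, and the three intrusion protection actions together with the disableport timer. The MAC addresses and times are constructed. The ntk-withbroadcasts and ntk-withmulticasts modes are taken from the Comware command reference; the text above is cut off after ntkonly.

```python
"""Port-security forwarding model: secure-mode MAC filtering, the secure-MAC
limit, NTK outbound filtering and intrusion protection.

Added illustration, not Comware code. MAC addresses and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

BROADCAST = "ffff-ffff-ffff"


def is_multicast(mac: str) -> bool:
    """Comware 'xxxx-xxxx-xxxx' notation; the I/G bit is bit 0 of the first octet."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class SecurePort:
    max_secure_macs: int = 1              # port-security max-mac-count
    ntk_mode: Optional[str] = None        # ntkonly | ntk-withbroadcasts | ntk-withmulticasts
    intrusion_mode: Optional[str] = None  # blockmac | disableport | disableport-temporarily
    disableport_timer: int = 20           # port-security timer disableport (20 s default)
    secure_macs: Set[str] = field(default_factory=set)
    blocked_macs: Set[str] = field(default_factory=set)
    disabled_until: Optional[float] = None  # None: port up; inf: down until an admin re-enables it

    def port_is_up(self, now: float) -> bool:
        return self.disabled_until is None or now >= self.disabled_until

    def add_secure_mac(self, mac: str) -> bool:
        """Stands in for 'mac-address static' on a port in secure mode.
        Returns False once the port-security MAC limit is reached."""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.max_secure_macs:
            return False
        self.secure_macs.add(mac)
        return True

    def inbound(self, src_mac: str, now: float = 0.0) -> bool:
        """True if a frame from src_mac is forwarded; otherwise apply intrusion protection."""
        if not self.port_is_up(now) or src_mac in self.blocked_macs:
            return False
        if src_mac in self.secure_macs:
            return True
        # Illegal frame: take the configured intrusion-protection action.
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src_mac)          # kept until cleared, in this model
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")      # stays down until an administrator re-enables it
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timer
        return False

    def outbound(self, dst_mac: str) -> bool:
        """NTK: forward only to authenticated destinations; unknown unicast is dropped."""
        if self.ntk_mode is None or dst_mac in self.secure_macs:
            return True
        if dst_mac == BROADCAST:
            return self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
        if is_multicast(dst_mac):
            return self.ntk_mode == "ntk-withmulticasts"
        return False


if __name__ == "__main__":
    port = SecurePort(max_secure_macs=1, ntk_mode="ntkonly",
                      intrusion_mode="disableport-temporarily")
    port.add_secure_mac("000f-e2cc-6a21")
    print("secure MAC forwarded:", port.inbound("000f-e2cc-6a21"))
    print("intruder forwarded:", port.inbound("000f-e2cc-6a22", now=1.0))
    print("port up at t=5:", port.port_is_up(5.0), " at t=21:", port.port_is_up(21.0))
```

Note that with disableport-temporarily the legitimate client is cut off together with the intruder for the whole silence period, which is why blockmac is usually the better choice on a shared wireless port.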
-
Port security mode Description
Port security modes other than presharedKey, userLoginSecureExtOrPresharedKey, and macAddressAndPresharedKey: No key negotiation is performed, and you do not need to enable key negotiation.
For more information about WLAN service templates, see WLAN Configuration Guide.
By default, an 802.1X-enabled access device periodically multicasts Identity EAP-Request packets out of ports to detect 802.1X clients and trigger authentication.
-
Configuring a PSK
A PSK pre-configured on the device is used to negotiate the session key between the user and the device.
To configure a PSK:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type interface-number N/A
3. Configure a PSK. port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key By default, no PSK is configured.
-
Step Command Remarks
2. Specify a NAS ID profile. port-security nas-id-profile profile-name Optional. By default, no NAS ID profile is specified in system view.
To specify a NAS ID profile for port security on an interface:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type interface-number N/A
3. Specify a NAS ID profile. port-security nas-id-profile profile-name Optional.
-
Step Command Remarks
3. Enable stateful failover for port security. port-security synchronization enable By default, stateful failover is disabled for port security.
Displaying and maintaining port security
Task Command Remarks
Display port security configuration information, operation information, and statistics about one or more ports or all ports. display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Available in any view.
-
• All users use the default authentication, authorization, and accounting methods of ISP domain sun, which can accommodate up to 30 users. • The RADIUS server response timeout time is 5 seconds. The maximum number of RADIUS packet retransmission attempts is five. The AC sends real-time accounting packets to the RADIUS server at an interval of 15 minutes, and sends user names without domain names to the RADIUS server. Configure port WLAN-ESS 1 of the AC to: • Allow only one 802.
-
# Set the interval between sending real time accounting packets to the RADIUS server to 15 minutes. [AC-radius-radsun] timer realtime-accounting 15 # Exclude the ISP domain name in the username sent to the RADIUS server. [AC-radius-radsun] user-name-format without-domain [AC-radius-radsun] quit # Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users.
-
# Map service template 2 to radio 1, and enable the radio. [AC-wlan-ap-ap1-radio-1] service-template 2 [AC-wlan-ap-ap1-radio-1] radio enable [AC-wlan-ap-ap1-radio-1] return Verifying the configuration # Display the configuration of the RADIUS scheme named radsun. display radius scheme radsun SchemeName : radsun Index = 1 Type : standard Primary Auth Server: IP: 192.168.1.
-
Default authentication scheme : radius=radsun Default authorization scheme : radius=radsun Default accounting scheme : radius=radsun Domain User Template: Idle-cut = Disable Session-time : exclude-idle-time Self-service = Disable Authorization attributes: # Display the port security configuration.
-
User Profile=N/A CAR=Disable Traffic Statistic: InputOctets =12121212 InputGigawords=1 OutputOctets =12120 OutputGigawords=0 Priority=Disable Start=2013-07-01 15:39:49 ,Current=2013-07-01 15:50:07 ,Online=00h10m18s Total 1 connection matched. Configuring the userLoginSecureExt mode on a WLAN port Network requirements Clients are wirelessly connected to the AC through port WLAN-ESS 1. The AC uses the RADIUS server to authenticate its clients.
-
[AC-radius-2000] primary authentication 192.168.1.2 [AC-radius-2000] primary accounting 192.168.1.3 # Specify the IP address of the secondary authentication RADIUS server as 192.168.1.3/24, and that of the secondary accounting RADIUS server as 192.168.1.2/24. [AC-radius-2000] secondary authentication 192.168.1.3 [AC-radius-2000] secondary accounting 192.168.1.2 # Set the shared keys for authenticating RADIUS authentication and accounting packets as name.
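To make concrete what the shared key and the user-name-format setting of a RADIUS scheme do on the wire, here is an added Python illustration of the RFC 2865 Access-Request/Access-Accept exchange between the AC and the RADIUS server. It is not Comware or RADIUS-server code. The shared key name is the one set in the scheme above; the user name test@2003, the password and the NAS IP address 192.168.1.1 are constructed.

```python
"""RADIUS Access-Request / Access-Accept as the AC (NAS) and the server
process them: domain suffix stripped (user-name-format without-domain),
User-Password hidden with the shared key, Response Authenticator checked with
the same key.

Added illustration of RFC 2865, not Comware or RADIUS-server code.
Shared key 'name' comes from the scheme above; user, password and NAS IP are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; followed by the 16-byte Authenticator


def strip_domain(username: str) -> str:
    """user-name-format without-domain: 'test@2003' -> 'test'."""
    return username.split("@", 1)[0]


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    the first block with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; garbage comes out if the keys differ."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_packet(pkt: bytes) -> dict:
    code, ident, length = HEADER.unpack(pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return {"code": code, "id": ident, "length": length,
            "authenticator": pkt[4:20], "attrs": attrs}


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # must be unpredictable in real use
    attrs = (attr(USER_NAME, strip_domain(username).encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    header = HEADER.pack(code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """What the AC does before trusting an Access-Accept: recompute with its own key."""
    if response[1] != request[1]:
        return False
    header, attrs = response[:4], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    key = b"name"
    req = build_access_request(7, "test@2003", "Pa55word!", key, "192.168.1.1")
    print("User-Name on the wire:", parse_packet(req)["attrs"][USER_NAME])
    print("accept verified:", verify_response(build_response(ACCESS_ACCEPT, req, key), req, key))
    print("accept with wrong key verified:",
          verify_response(build_response(ACCESS_ACCEPT, req, b"wrong"), req, key))
```

The password hiding is MD5-based obfuscation rather than encryption, and the Response Authenticator is an unkeyed MD5 over the packet plus the key, so the whole exchange rests on the shared key being long, random and private. Replace the short demonstration keys used in this guide's examples before production use, and keep AC-to-server RADIUS traffic on a protected management network.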
-
[AC-wlan-st-1] service-template enable [AC-wlan-st-1] quit # Create an AP template named ap1, and set its model to MSM460-WW and serial ID to CN2AD330S8. [AC] wlan ap ap1 model MSM460-WW [AC-wlan-ap-ap1] serial-id CN2AD330S8 # Bind the service template 1 to the port radio 1, and enable the radio.
-
Channel Band-width : 40MHz SM Power Save Enable : Disabled Short GI for 20MHz : Not Supported Short GI for 40MHz : Supported LDPC : Not Supported STBC Tx Capability : Supported STBC Rx Capability : Supported Support MCS Set : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 BLOCK ACK-TID 0 : IN QoS Mode : WMM Listen Interval (Beacon Interval) : 10 RSSI : 37 Rx/Tx Rate : 5.
-
Configuration procedure This example covers only some of the required AAA and RADIUS configuration commands. For more information, see Security Command Reference. The client-side and RADIUS server-side configuration procedures are not shown in this example. For more information about WLAN configuration, see WLAN Configuration Guide. 1. Perform RADIUS-related configurations. See steps in "Configuring the userLoginWithOUI mode." 2. Configure the AC: # Create VLAN 2.
-
Verifying the configuration # Before Client 1 is authenticated (using the username of mac and MAC address of 000f-e2cc-6a21), the guest VLAN function takes effect. You can use the display mac-vlan all command to display the MAC-to-VLAN mapping.
-
Figure 96 Network diagram (AC, AP, authentication server, update server, Client 2, VLAN 5, VLAN 10, IP network)
As shown in Figure 97, enable 802.1X and set VLAN 10 as the guest VLAN on port WLAN-ESS 1. If the AC sends an EAP-Request/Identity packet from the port for the maximum number of times but still receives no response, the AC adds the MAC address of the client to its guest VLAN.
-
Figure 98 Network diagram Configuration procedure Use the iNode client in this example. The client that comes with Windows does not support the function. This example covers only some of the required AAA and RADIUS configuration commands. For more information, see Security Command Reference. # Configure RADIUS scheme 2000. system-view [AC] radius scheme 2000 [AC-radius-2000] primary authentication 10.11.1.1 1812 [AC-radius-2000] primary accounting 10.11.1.
-
# Configure wireless port WLAN-ESS 1. [AC] interface wlan-ess 1 [AC-WLAN-ESS1] port link-type hybrid [AC-WLAN-ESS1] port hybrid vlan 1 to 2 5 10 untagged [AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext [AC-WLAN-ESS1] mac-vlan enable [AC-WLAN-ESS1] dot1x guest-vlan 10 [AC-WLAN-ESS1] dot1x mandatory-domain test [AC-WLAN-ESS1] quit # Configure service template 1. The template must be in clear text mode.
-
CAR=Disable Traffic Statistic: InputOctets =12121212 InputGigawords=1 OutputOctets =12120 OutputGigawords=0 Priority=Disable Start=2013-01-21 15:16:08 ,Current=2013-01-21 15:16:40 ,Online=00h00m31s Total 1 connection matched. Configuring 802.1X stateful failover for port security Network requirements AC 1 and AC 2 support stateful failover. To avoid 802.
-
• Configure IP addresses for interfaces. Create VLAN 8 and VLAN 10. Configure the RADIUS server. (Details not shown.) • Create the WLAN-ESS interface, set a port security mode for 802.1X authentication on the interface, and enable stateful failover for port security. • Enable global port security. • Enable stateful failover and specify the backup VLAN. • Configure a VRRP group on the interface connected to the RADIUS server. • Configure an AAA authentication domain and a RADIUS scheme.
-
[AC1] nas device-id 1 # Configure RADIUS scheme 2003. [AC1] radius scheme 2003 [AC1-radius-2003] primary authentication 192.168.0.2 [AC1-radius-2003] primary accounting 192.168.0.2 [AC1-radius-2003] key authentication simple aabbcc [AC1-radius-2003] key accounting simple aabbcc [AC1-radius-2003] user-name-format without-domain [AC1-radius-2003] nas-ip 192.168.100.5 [AC1-radius-2003] quit # Create authentication domain 2003, and specify the AAA methods.
-
# Enable the AC hot backup function. [AC1] hot-backup enable # Set VLAN 10 as the VLAN for AC hot backup. [AC1] hot-backup vlan 10 Configuring AC 2 1. Configure port security: # Specify the 802.1X authentication method as EAP. system-view [AC2] dot1x authentication-method eap # Create interface WLAN-ESS 1 and enter its view. [AC2] interface wlan-ess 1 # Set the port security mode to userlogin-secure-ext.
-
[AC2-radius-2003] user-name-format without-domain [AC2-radius-2003] nas-ip 192.168.100.5 [AC2-radius-2003] quit # Create authentication domain 2003, and specify the AAA methods. [AC2] domain 2003 [AC2-isp-2003] authentication lan-access radius-scheme 2003 [AC2-isp-2003] authorization lan-access radius-scheme 2003 [AC2-isp-2003] accounting lan-access radius-scheme 2003 [AC2-isp-2003] quit 5. Configure AC backup and client information backup: # Specify AC 1 as the backup AC of AC 2.
-
Verifying the configuration After you complete the configurations, use the display dot1x synchronization status command to display the 802.1X stateful failover status on AC 1 and AC 2. After the client passes 802.1X authentication, execute the display wlan client verbose command on AC 1 (the primary AC) to display detailed information about the client. Execute the display wlan client verbose command on AC 2 (the backup AC), and you can see the same client information as that on AC 1.
-
Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Committed Access Rate (CAR) policy or a Quality of Service (QoS) policy. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that are associated only with this user. User-based traffic policing is more flexible than interface-based traffic policing.
-
Step Command Remarks
1. Enter system view. system-view N/A
2. Create a user profile, and enter its view. user-profile profile-name You can use the command to enter the view of an existing user profile.
Performing configurations in user profile view
After a user profile is created, perform configurations in user profile view. The configuration made in user profile view takes effect when the user profile is enabled and a user using the user profile goes online.
-
Configuring password control
Overview
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
• Minimum password length
By setting a minimum password length, you force users to choose passwords long enough for system security.
-
• Password history
With this feature enabled, the system keeps a record of the passwords that a user has used. When a user changes the password, the system checks the new password against the recorded ones. The new password must differ from each recorded password by at least four characters, and those four characters must be different from one another. Otherwise, the user cannot change the password and the system displays an error message.
-
Password combination level Minimum number of character types Minimum number of characters for each type
Level 3 Three One
Level 4 Four One
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password. When a user sets or changes a password, the system checks whether the password meets the composition requirement. If not, the system displays an error message.
-
Password control configuration task list The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities: • Global settings in system view apply to all local user passwords and super passwords. • Settings in user group view apply to the passwords of all local users in the user group.
-
Step Command Remarks
2. Enable the global password control feature. password-control enable In non-FIPS mode, the global password control feature is disabled by default. In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
3. Enable a specific password control function. password-control { aging | composition | history | length } enable Optional. By default, all of the four password control functions are enabled.
-
Step Command Remarks
7. Set the maximum number of history password records for each user. password-control history max-record-num Optional. 4 by default.
8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Optional.
-
Setting local user password control parameters
Step Command Remarks
1. Enter system view. system-view N/A
2. Create a local user and enter local user view. local-user user-name N/A
3. Configure the password aging time for the local user. password-control aging aging-time Optional. By default, the setting equals that for the user group to which the local user belongs. If no aging time is configured for the user group, the global setting applies to the local user.
-
Step Command Remarks
3. Configure the minimum length for super passwords. password-control super length length Optional. By default, the minimum super password length is the same as the global minimum password length.
4. Configure the password composition policy for super passwords. password-control super composition type-number type-number [ type-length type-length ] Optional. By default, the super password composition policy is the same as the global password composition policy.
-
Password control configuration example The configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.
-
[AC] password-control login idle-time 30 # Refuse any password that contains the username or the reverse of the username. [AC] password-control complexity user-name check # Specify that no character can appear three or more times consecutively in a password. [AC] password-control complexity same-character check # Specify that a super password must contain at least three character types and at least five characters for each type.
-
Enabled (repeated characters checking) # Display the password control configuration for super passwords. display password-control super Super password control configurations: Password aging: Enabled (30 days) Password length: Enabled (10 characters) Password composition: Enabled (3 types, 5 characters per type) # Display the password control configuration for local user test.
-
Managing public keys
To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm and the corresponding key to decrypt the data, as shown in Figure 100. With a symmetric algorithm the two keys are identical; with an asymmetric algorithm, which is what this chapter deals with, they are the two halves of a key pair.
-
Task Remarks Specifying the peer public key on the local device Creating a local asymmetric key pair When you create a local asymmetric key pair, follow these guidelines: • The key algorithm must be the same as required by the security application. • The key modulus length must be appropriate (see Table 14).
-
If your local device functions to authenticate the peer device, you must specify the peer public key on the local device. For more information, see "Specifying the peer public key on the local device." Displaying and recording the host public key information Task Command Remarks Display the local RSA public keys. display public-key local rsa public [ | { begin | exclude | include } regular-expression ] Available in any view. Display the local DSA public keys.
-
To export a local host public key in a specific format to a file:
Step Command Remarks
1. Enter system view. system-view N/A
2. Export a local host public key in a specific format to a file. Export a local RSA host public key in a specific format to a file:
{ In non-FIPS mode: public-key local export rsa { openssh | ssh1 | ssh2 } filename
{ In FIPS mode: public-key local export rsa { openssh | ssh2 } filename
Use at least one command.
-
To specify the peer public key on the local device:
Method Prerequisites Remarks
Import the public key from a public key file (recommended). 1. Save the host public key of the intended asymmetric key pair in a file. 2. Transfer a copy of the file through FTP or TFTP in binary mode to the local device.
• Display and record the public key of the intended asymmetric key pair.
-
Public key configuration examples The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.
-
===================================================== Time of Key pair created: 09:50:06 2013/08/07 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4
-
The output shows that the host public key of the device saved on the AC is consistent with the one created on the device. Importing a public key from a public key file Network requirements As shown in Figure 102, to prevent illegal access, the AC (the local device) authenticates the device (the peer device) through a digital signature.
-
Time of Key pair created: 09:50:07 2013/08/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87 BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44 90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0 203010001 # Export the RSA host public key HOST_KEY to a file named device.pub.
-
[AC] display public-key peer name device ===================================== Key Name : device Key Type : RSA Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 T
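The consistency check described above is a byte-for-byte comparison of the displayed key codes. The following Python is added as an illustration and is not Comware code. It normalizes two displayed key codes so that terminal line wrapping does not matter, decodes the DER SubjectPublicKeyInfo shown above into the RSA modulus and exponent, rebuilds the key in the OpenSSH public key format (what the openssh keyword of public-key local export rsa selects), and prints MD5/SHA1 fingerprints in the device's grouped style. The key code is the 1024-bit key from the display output above; the comment string in the OpenSSH line is mine.

```python
"""Decode the RSA host public key exactly as the AC prints it ("Key code"),
rebuild it in OpenSSH format, and compare two displayed key codes.

Added illustration, not Comware code. The key code is the 1024-bit RSA
SubjectPublicKeyInfo shown by 'display public-key peer name device' above.
"""
import base64
import hashlib
import re
import struct

KEY_CODE_DISPLAYED = """
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F
814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7
66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647
0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
"""
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def normalize_hex(text: str) -> str:
    """Drop line breaks, spaces and anything else the terminal wrapped into the key code."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def same_key(displayed_a: str, displayed_b: str) -> bool:
    """The consistency check described above: byte-for-byte equality of the key codes."""
    return normalize_hex(displayed_a) == normalize_hex(displayed_b)


def der_tlv(buf: bytes, pos: int, want_tag: int):
    """Parse one DER TLV (definite length only) and return (value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want_tag:
        raise ValueError("expected tag 0x%02X at offset %d, got 0x%02X" % (want_tag, pos - 2, tag))
    if length & 0x80:                       # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length


def parse_rsa_spki(der: bytes):
    """SubjectPublicKeyInfo -> (modulus, exponent) for an rsaEncryption key."""
    spki_start, _ = der_tlv(der, 0, 0x30)                    # SEQUENCE
    alg_start, alg_end = der_tlv(der, spki_start, 0x30)      # AlgorithmIdentifier
    oid_start, oid_end = der_tlv(der, alg_start, 0x06)       # OBJECT IDENTIFIER
    if der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bits_start, _ = der_tlv(der, alg_end, 0x03)              # BIT STRING; first byte = unused bits
    if der[bits_start] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    rsa_start, _ = der_tlv(der, bits_start + 1, 0x30)        # RSAPublicKey SEQUENCE
    n_start, n_end = der_tlv(der, rsa_start, 0x02)           # modulus INTEGER
    e_start, e_end = der_tlv(der, n_end, 0x02)               # publicExponent INTEGER
    return int.from_bytes(der[n_start:n_end], "big"), int.from_bytes(der[e_start:e_end], "big")


def mpint(value: int) -> bytes:
    """SSH mpint: length-prefixed big-endian, with a 0x00 pad when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not raw or raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack("!I", len(raw)) + raw


def openssh_line(n: int, e: int, comment: str = "HOST_KEY") -> str:
    """OpenSSH public key line: 'ssh-rsa' then base64(string "ssh-rsa", mpint e, mpint n)."""
    blob = struct.pack("!I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprints(der: bytes):
    """MD5 and SHA1 over the DER bytes, grouped the way the device prints fingerprints."""
    group = lambda h: " ".join(h[i:i + 4] for i in range(0, len(h), 4))
    return (group(hashlib.md5(der).hexdigest().upper()),
            group(hashlib.sha1(der).hexdigest().upper()))


if __name__ == "__main__":
    der = bytes.fromhex(normalize_hex(KEY_CODE_DISPLAYED))
    n, e = parse_rsa_spki(der)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print(openssh_line(n, e))
    print("MD5:", fingerprints(der)[0])
```

A 1024-bit modulus, as in this output, is below what current guidance accepts for RSA; when you create the host key pair, choose the longest modulus the device and the security application support.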
-
Configuring PKI Overview The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret, but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other. A key problem with PKI is how to manage the public keys.
-
CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.
-
PKI operation In a PKI-enabled network, an entity can request a local certificate from the CA, and the device can check the validity of certificates. Here is how it works: 1. An entity submits a certificate request to the RA. 2. The RA reviews the identity of the entity, and then sends the identity information and the public key with a digital signature to the CA. 3. The CA verifies the digital signature, approves the application, and issues a certificate. 4.
-
Task Remarks Configuring a certificate access control policy Optional. Configuring a PKI entity A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN. An entity DN is defined by these parameters: • Common name of the entity. • Country code of the entity, a standard 2-character code.
-
Step Command Remarks
8. Configure the organization name for the entity. organization org-name Optional. No organization is specified by default.
9. Configure the unit name for the entity. organization-unit org-unit-name Optional. No unit is specified by default.
10. Configure the state or province for the entity. state state-name Optional. No state or province is specified by default.
NOTE: The Windows 2000 CA server has some restrictions on the data length of a certificate request.
-
Step Command Remarks
2. Create a PKI domain and enter its view. pki domain domain-name No PKI domain exists by default. You can configure up to 32 PKI domains on a device.
3. Specify the trusted CA. ca identifier name No trusted CA is specified by default. The CA name is required only when you obtain a CA certificate. It is not used for local certificate requests.
4. Specify the entity for certificate request. certificate request entity entity-name No entity is specified by default.
-
To configure automatic certificate request:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter PKI domain view. pki domain domain-name N/A
3. Set the certificate request mode to auto. certificate request mode auto [ key-length key-length | password { cipher | simple } password ] * Manual by default.
Manually requesting a certificate
In manual mode, you must submit a local certificate request for an entity.
-
Step Command Remarks
2. Enter PKI domain view. pki domain domain-name N/A
3. Set the certificate request mode to manual. certificate request mode manual Optional. Manual by default.
4. Return to system view. quit N/A
5. Retrieve a CA certificate manually. See "Obtaining certificates" N/A
6. Generate a local RSA key pair. public-key local create rsa
7. Submit a local certificate request manually. pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
-
Verifying PKI certificates
A certificate must be verified before you use it. Verifying a certificate checks that the certificate is signed by the CA and that it has neither expired nor been revoked. You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs are used in verification of a certificate. In this case, make sure you obtain the CA certificate and the CRLs onto the local device before the certificate verification. Without CRL checking, a certificate that the CA has revoked still verifies successfully as long as it is within its validity period.
-
Step Command Remarks
4. Return to system view. quit N/A
5. Retrieve the CA certificate. See "Obtaining certificates" N/A
6. Verify the validity of the certificate. pki validate-certificate { ca | local } domain domain-name N/A
Destroying the local RSA key pair
A certificate has a lifetime, which is determined by the CA. If the private key is compromised or the certificate is about to expire, destroy the old RSA key pair, and then create a new pair to request a new certificate.
-
Step Command Remarks
3. Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name. attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value Optional.
4. Return to system view. quit N/A
5. Create a certificate access control policy and enter its view. pki certificate access-control-policy policy-name No access control policy exists by default.
-
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch or an 870 appliance are Access interfaces in VLAN 1.
-
Configure the AC
1. Synchronize the system time of the AC with the CA server, so that the AC can correctly request a certificate.
2. Configure the entity name as aaa and the common name as name.
system-view
[AC] pki entity aaa
[AC-pki-entity-aaa] common-name name
[AC-pki-entity-aaa] quit
3. Configure the PKI domain:
# Create PKI domain torsa and enter its view.
[AC] pki domain torsa
# Configure the name of the trusted CA as myca.
-
# Retrieve CRLs and save them locally.
[AC] pki retrieval-crl domain torsa
Connecting to server for retrieving CRL. Please wait a while.....
CRL retrieval success!
# Request a local certificate manually.
[AC]pki request-certificate domain torsa
Certificate is being requested, please wait......
Enrolling the local certificate,please wait a while......
[AC]
Certificate request Successfully!
Saving the local certificate to device......
-
URI:http://4.4.4.133:447/myca.crl
Signature Algorithm: sha1WithRSAEncryption
You can also use some other display commands to view detailed information about the CA certificate and CRLs.
-
c. Click Properties, and then select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
4. Modify the Internet Information Services (IIS) attributes:
a. From the start menu, select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
b. From the navigation tree, select Web Sites.
c. Right-click Default Web Site and select Properties > Home Directory.
d.
-
+++++++++++++++++++++++
5. Apply for certificates:
# Retrieve the CA certificate and save it locally.
[AC] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while......
The trusted CA's finger print is:
MD5 fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
-
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1
X509v3 Authority Key Identifier:
keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE
X509v3 CRL Distribution Points:
URI:http://l00192b/CertEnroll/CA%20server.crl
URI:file://\\l00192b\CertEnroll\CA server.
-
Configuration procedure
For more information about SSL configuration, see "Configuring SSL." The PKI domain to be referenced by the SSL policy must be created in advance. For more information about PKI domain configuration, see "Configure the PKI domain" in Configure the AC.
1. Configure the SSL policy for the HTTPS server to use:
system-view
[AC] ssl server-policy myssl
[AC-ssl-server-policy-myssl] pki-domain 1
[AC-ssl-server-policy-myssl] client-verify enable
[AC-ssl-server-policy-myssl] quit
2.
-
Troubleshooting PKI
Failed to obtain the CA certificate
Symptom
Failed to obtain a CA certificate.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No trusted CA is specified.
• The URL of the registration server for certificate request is not correct or not configured.
• No authority is specified for certificate request.
• The system clock of the device is not synchronized with that of the CA.
1.
-
5. Use the ping command to verify that the RA server is reachable.
6. Specify the authority for certificate request.
7. Configure the required entity DN parameters.
Failed to obtain CRLs
Symptom
Failed to obtain CRLs.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No CA certificate has been obtained before you try to obtain CRLs.
• The IP address of the LDAP server is not configured.
-
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
-
Stages Description
Algorithm negotiation SSH supports multiple algorithms. Based on the locally supported algorithms, the two parties negotiate the following:
• Key exchange algorithm for generating session keys.
• Encryption algorithm for encrypting data.
• Public key algorithm for digital signature and authentication.
• HMAC algorithm for protecting data integrity.
-
NOTE:
Only clients that run SSH2 or a later version support secondary password authentication that is initiated by the AAA server.
• Publickey authentication—The server authenticates the client through the digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains the following information:
{ Username.
{ Public key of the client.
{ Publickey algorithm information (or the digital certificate that carries the public key information).
-
Task Remarks
Configuring the user interfaces for SSH clients Required.
Configuring a client's host public key Required if publickey authentication is configured for users and the clients directly send the public keys to the server for validity check.
Configuring the PKI domain for verifying the client certificate See "Configuring PKI." Required if the following conditions exist:
• If publickey authentication is configured for users.
-
Enabling the SSH server function
The SSH server function on the device allows clients to communicate with the device through SSH. When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at a time.
To enable the SSH server function:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable the SSH server function. ssh server enable Disabled by default.
-
For more information about the authentication-mode and protocol inbound commands, see Fundamentals Command Reference.
Configuring a client's host public key
This configuration task is only necessary for the clients that directly send the public key to the server in publickey authentication. In publickey authentication, the server first compares the SSH username and client's host public key received from the client with those saved locally.
-
Importing the client's host public key from the public key file
Step Command
1. Enter system view. system-view
2. Import the client's public key from the public key file. public-key peer keyname import sshkey filename
Configuring an SSH user
To configure an SSH user that uses publickey authentication, you must perform the procedure in this section.
-
{ The command level accessible to a password authenticated user is authorized by AAA.
• SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all.
• For an SFTP SSH user, the working folder depends on the authentication method:
{ If the authentication method is password, the working folder is authorized by AAA.
{ If the authentication method is publickey or password-publickey, the working folder is set by using the ssh user command.
-
Step Command Remarks
2. Enable the SSH server to support SSH1 clients. ssh server compatible-ssh1x enable Optional. By default, the SSH server supports SSH1 clients.
3. Set the RSA server key pair update interval. ssh server rekey-interval hours Optional. By default, the interval is 0, and the RSA server key pair is not updated.
4. Set the SSH user authentication timeout period. ssh server authentication-timeout time-out-value Optional. 60 seconds by default.
5. Optional. 3 by default.
-
Step Command
1. Enter system view.
2. Specify a source IP address or source interface for SSH packets.
-
Establishing a connection to an Stelnet server
You can launch the Stelnet client to establish a connection to an Stelnet server, and specify the following algorithms for SSH connection establishment:
• Public key algorithm
• Preferred encryption algorithm
• Preferred HMAC algorithm
• Preferred key exchange algorithm
To establish a connection to an Stelnet server:
Task Command Remarks
• Establish a connection to an IPv4 server:
{ Establish a connection to an Stelnet server.
-
SFTP client configuration task list
Task Remarks
Specifying a source IP address or source interface for SFTP packets Optional.
Enabling and disabling first-time authentication Optional.
Establishing a connection to an SFTP server Required.
Working with SFTP directories Optional.
Working with SFTP files Optional.
Displaying help information Optional.
Terminating the connection with the SFTP server Optional.
-
After the connection is established, you can directly enter SFTP client view on the server to perform directory and file operations.
To establish a connection to an SFTP server:
Task Command Remarks
• Establish a connection to an IPv4 SFTP server:
{ Establish a connection to an SFTP server and enter SFTP client view.
-
Step Command Remarks
1. Enter SFTP client view. For more information, see "Establishing a connection to an SFTP server." N/A
2. Change the working directory of the remote SFTP server. cd [ remote-path ] Optional.
3. Return to the upper-level directory. cdup Optional.
4. Display the current working directory on the SFTP server. pwd Optional.
5. Display files under a directory. • dir [ -a | -l ] [ remote-path ] • ls [ -a | -l ] [ remote-path ]
6.
-
Step Command Remarks
6. Delete one or more directories from the SFTP server. • delete remote-file&<1-10> • remove remote-file&<1-10> Optional. The delete command functions as the remove command.
Displaying help information
Use the help command to display all commands or the help information of an SFTP client command, including the command format and parameters.
To display all commands or the help information of an SFTP client command:
Step Command
1. Enter SFTP client view.
-
Transferring files with an SCP server
Task Command
• Upload a file to the SCP server:
{ Connect to the SCP server, and transfer files with the server.
-
Task Command Remarks
Display information about one or all SSH users on an SSH server. display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ] Available in any view.
Display the public keys of the local key pairs. display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ] Available in any view.
Display the public keys of the SSH peers.
-
Configuration procedure
1. Configure the Stelnet server AC:
# Generate the RSA key pairs.
system-view
[AC] public-key local create rsa
# Enable the SSH server function.
[AC] ssh server enable
# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[AC-Vlan-interface2] quit
# Set the authentication mode to AAA for the user interfaces.
-
Figure 108 Specifying the host name (or IP address)
b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
c. Click Open to connect to the server. If the connection is successfully established, the system prompts you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.
-
Figure 109 Network diagram
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server. The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY version 0.58 on the Stelnet client.
Configuration procedure
1. Generate an RSA key pair on the client:
a. Launch PuTTYGen.
-
Figure 111 Generating process
c. After the key pair is generated, click Save public key to save the public key. A file saving window appears.
d. Enter a file name (key.pub in this example), and click Save.
-
e. On the page as shown in Figure 112, click Save private key to save the private key. A confirmation dialog box appears.
f. Click Yes. A file saving window appears.
g. Enter a file name (private.ppk in this example), and click Save.
h. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server AC:
# Generate the RSA key pairs.
system-view
[AC] public-key local create rsa
# Enable the SSH server function.
-
Figure 113 Specifying the host name (or IP address)
b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
c. Select Connection > SSH > Auth from the navigation tree.
d. Click Browse… to bring up the file selection window, navigate to the private key file (private in this example) and click OK.
-
Figure 114 Specifying the private key file
e. Click Open to connect to the server. If the connection is successfully established, the system prompts you to enter the username and password. After entering the username (client002), you can enter the CLI of the server.
Password authentication enabled Stelnet client configuration example
Network requirements
As shown in Figure 115:
• You can log in to the switch through the Stelnet client that runs on AC.
-
Configuration procedure
1. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Switch] public-key local create rsa
# Enable the SSH server function.
[Switch] ssh server enable
# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.
-
-
Figure 116 Network diagram
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server.
Configuration procedure
1. Configure the Stelnet client AC:
# Create VLAN-interface 2 and assign an IP address to it.
system-view
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[AC-Vlan-interface2] quit
# Generate RSA key pairs.
-
# Create an SSH user client002 with the authentication method publickey, and assign the public key Key001 to the user.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Key001
3. Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client002
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.168.1.40 ...
The Server is not authenticated.
-
Figure 117 Network diagram
Configuration procedure
1. Configure the SFTP server AC 2:
# Generate RSA key pairs and enable the SSH server.
system-view
[AC2] public-key local create rsa
[AC2] ssh server enable
# Configure an IP address for VLAN-interface 2. The client uses this address as the destination address for SSH connection.
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ip address 192.168.0.1 255.255.255.
-
system-view
[AC1] interface vlan-interface 2
[AC1-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[AC1-Vlan-interface2] quit
[AC1] quit
# Establish a connection with the remote SFTP server and enter SFTP client view.
sftp 192.168.0.1
Input Username: client001
Trying 192.168.0.1 ...
Press CTRL+K to abort
Connected to 192.168.0.1 ...
The Server is not authenticated.
-
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 startup.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1
End of file
Success
# Rename the directory new1 to new2 and verify the result.
-
SCP configuration example This section provides examples of configuring SCP for file transfer with password authentication. The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
-
# Enable the user interfaces to support SSH.
[AC2-ui-vty0-4] protocol inbound ssh
[AC2-ui-vty0-4] quit
# Create a local user named client001 with the password aabbcc and the service type ssh.
[AC2] local-user client001
[AC2-luser-client001] password simple aabbcc
[AC2-luser-client001] service-type ssh
[AC2-luser-client001] quit
# Create an SSH user client001. Specify the service type as scp and the authentication method as password for the user.
-
Configuring SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to provide secure data transmission over the Internet.
-
Figure 120 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds a MAC to the data, and encrypts the data before transmitting it to the peer end.
• SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
-
Step Command Remarks
3. Specify a PKI domain for the SSL server policy. pki-domain domain-name Optional. By default, no PKI domain is specified for an SSL server policy, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in the PKI domain.
-
Step Command Remarks
9. Enable SSL client weak authentication. client-verify weaken Optional. Disabled by default. This command takes effect only when the client-verify enable command is configured.
Configuring an SSL client policy
An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol.
To configure an SSL client policy:
Step Command Remarks
1.
-
Step Command Remarks
6. Enable certificate-based SSL server authentication. server-verify enable Optional. Enabled by default.
Displaying SSL
Task Command Remarks
Display SSL server policy information. display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] Available in any view.
Display SSL client policy information. display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] Available in any view.
-
Configuration procedure
1. Request a certificate for the AC:
# Create a PKI entity named en and configure it.
system-view
[AC] pki entity en
[AC-pki-entity-en] common-name http-server1
[AC-pki-entity-en] fqdn ssl.security.com
[AC-pki-entity-en] quit
# Create a PKI domain and configure it.
[AC] pki domain 1
[AC-pki-domain-1] ca identifier ca1
[AC-pki-domain-1] certificate request url http://10.1.2.
-
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure might result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate, or the certificate is not trusted.
• The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate, or the certificate is not trusted.
-
Configuring TCP attack protection
Overview
Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the SYN Cookie feature.
Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three handshakes:
1. The request originator sends a SYN message to the target server.
2.
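The SYN Cookie idea this section refers to, as an added example that is not HP's implementation: the server answers a SYN with an initial sequence number computed under a secret key from the connection 4-tuple, a time counter and an MSS index, stores nothing about the half-open connection, and creates the connection only when the third handshake's ACK carries that cookie + 1. The cookie layout, the secret, the MSS table and the tick-based aging below are assumptions chosen for this example.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real implementation keeps it private
# and rotates it together with the time counter.
SECRET = b"example-syn-cookie-secret"

# MSS values the server can encode in two bits of the cookie, smallest first.
# Storing an index instead of the raw MSS is what lets the cookie stay 32 bits.
MSS_TABLE = [536, 1220, 1440, 1460]

COUNTER_BITS = 5                       # top bits: low 5 bits of the time counter
MSS_BITS = 2                           # next bits: index into MSS_TABLE
MAC_BITS = 32 - COUNTER_BITS - MSS_BITS
MAC_MASK = (1 << MAC_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _tag(src_ip, src_port, dst_ip, dst_port, counter):
    """HMAC over the 4-tuple and the full time counter, truncated to MAC_BITS."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """Initial sequence number for the SYN-ACK (handshake 2). Nothing about the
    half-open connection is kept on the server: the cookie itself carries the
    proof of origin, the time counter and the MSS to use later."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:          # largest table entry not above the client's MSS
            idx = i
    tag = _tag(src_ip, src_port, dst_ip, dst_port, counter)
    return ((counter & COUNTER_MASK) << (32 - COUNTER_BITS)) | (idx << MAC_BITS) | tag


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now_counter, max_age=2):
    """Validate the ACK of handshake 3. The client acknowledges our ISN + 1, so the
    cookie is ack - 1. Returns the MSS for the new connection, or None when the
    cookie was forged, belongs to another 4-tuple, or is older than max_age
    counter ticks (stale or replayed)."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter_low = cookie >> (32 - COUNTER_BITS)
    idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    tag = (cookie & MAC_MASK).to_bytes(4, "big")
    for age in range(max_age + 1):
        counter = now_counter - age
        if counter < 0:
            break
        if (counter & COUNTER_MASK) != counter_low:
            continue                    # cookie was not minted in this tick
        expected = _tag(src_ip, src_port, dst_ip, dst_port, counter).to_bytes(4, "big")
        if hmac.compare_digest(tag, expected):
            return MSS_TABLE[idx]
    return None
```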
-
Displaying TCP attack protection
Task Command Remarks
Display current TCP connection state. display tcp status [ | { begin | exclude | include } regular-expression ] Available in any view.
-
Configuring ARP attack protection
ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and prevent such attacks.
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
-
Task Remarks
Configuring ARP detection Optional. Configure this function on access devices (recommended).
Configuring ARP gateway protection Optional. Configure this function on access devices (recommended).
Configuring ARP filtering Optional. Configure this function on access devices (recommended).
-
Displaying and maintaining ARP source suppression
Task Command Remarks
Display ARP source suppression configuration information. display arp source-suppression [ | { begin | exclude | include } regular-expression ] Available in any view.
Configuration example
The configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module and might vary by device model.
-
Configuration considerations
If the attack packets have the same source address, you can enable the ARP source suppression function as follows:
1. Enable ARP source suppression.
2. Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5 seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
If the attack packets have different source addresses, enable the ARP blackhole routing function on the AC.
-
• Monitor—Only generates log messages.
• Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can be processed correctly.
You can exclude the MAC addresses of some gateways and servers from detection. This feature does not inspect ARP packets from those devices even if they are attackers.
Only the ARP packets delivered to the CPU are checked.
-
By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same. Network requirements As shown in Figure 123, the hosts access the Internet through a gateway (AC).
-
# Exclude 0012-3f86-e94c from this detection.
[AC] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step Command Remarks
1. Enter system view. system-view N/A
2.
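A model of the two checks described above (source MAC based ARP attack detection with its monitor and filter modes, entry aging and excluded MACs, and the source MAC consistency check), added here as an illustration and not HP's code: it parses constructed ARP frames and applies both checks. The threshold, check interval and aging values are assumed parameters, and MAC addresses are rendered in the format the CLI above uses.

```python
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")            # destination MAC, source MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806


def mac_str(raw):
    """Render six bytes the way the CLI on this page prints MACs: 0012-3f86-e94c."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=1):
    """Constructed sample frame (not captured traffic). eth_src is the Ethernet
    header source; sender_mac is the sender MAC inside the ARP body."""
    body = ARP.pack(1, 0x0800, 6, 4, op, sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return ETH.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP) + body


def parse_arp_frame(frame):
    """Return the fields both checks need, or None if the frame is not ARP."""
    _dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"eth_src": mac_str(src), "op": op, "sender_mac": mac_str(sha),
            "sender_ip": ".".join(map(str, spa)), "target_ip": ".".join(map(str, tpa))}


def source_mac_consistent(pkt):
    """ARP packet source MAC consistency check: the Ethernet source MAC must equal
    the sender MAC in the ARP body, otherwise the gateway would learn a wrong entry."""
    return pkt["eth_src"] == pkt["sender_mac"]


class ArpSourceMacDetector:
    """Source MAC based ARP attack detection on the packets delivered to the CPU.
    threshold, interval (seconds) and aging (seconds) are assumed parameters."""

    def __init__(self, threshold, interval, aging, mode="filter", exclude=()):
        assert mode in ("monitor", "filter")
        self.threshold, self.interval, self.aging, self.mode = threshold, interval, aging, mode
        self.exclude = set(exclude)        # gateways/servers that are never inspected
        self.seen = defaultdict(list)      # source MAC -> arrival times within the interval
        self.entries = {}                  # source MAC -> expiry time of the detection entry
        self.log = []

    def process(self, pkt, now):
        """Return True if the ARP packet is processed, False if it is filtered out."""
        mac = pkt["eth_src"]
        if mac in self.exclude:
            return True
        expiry = self.entries.get(mac)
        if expiry is not None:
            if now < expiry:
                return self.mode == "monitor"   # filter mode drops until the entry expires
            del self.entries[mac]               # expired entry: packets are processed again
        times = [t for t in self.seen[mac] if now - t < self.interval] + [now]
        self.seen[mac] = times
        if len(times) > self.threshold:
            self.entries[mac] = now + self.aging
            self.seen[mac] = []
            self.log.append(f"t={now}: {len(times)} ARP packets from {mac} within "
                            f"{self.interval}s, mode {self.mode}")
            return self.mode == "monitor"       # both modes log; only filter drops
        return True
```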
-
Static ARP entries can overwrite authorized ARP entries, and authorized ARP entries can overwrite dynamic ARP entries. But authorized ARP entries cannot overwrite static ARP entries, and dynamic ARP entries cannot overwrite authorized ARP entries.
• For more information about the DHCP server and DHCP relay agent, see Layer 3 Configuration Guide.
To enable authorized ARP:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter interface view.
-
[AC] dhcp enable
[AC] dhcp server ip-pool 10
[AC-dhcp-pool-10] network 10.1.1.0 mask 255.255.255.0
[AC-dhcp-pool-10] gateway-list 10.1.1.1
[AC-dhcp-pool-10] quit
# Configure the IP address of VLAN-interface 10.
[AC] interface vlan-interface 10
[AC-Vlan-interface10] ip address 10.1.1.1 255.255.255.0
# Enable authorized ARP.
-
Figure 125 Network diagram (labels: DHCP Server, Device 10.2.1.2/24, DHCP Relay, DHCP Client, VLAN 10 10.1.1.1/24, AC, Switch, AP, Client)
Configuration procedure
1. Configure the DHCP server:
system-view
[Device] dhcp enable
[Device] dhcp server ip-pool 10
[Device-dhcp-pool-10] network 10.1.1.0 mask 255.255.255.0
[Device-dhcp-pool-10] gateway-list 10.1.1.1
[Device] interface vlan-interface 20
[Device-Vlan-interface20] ip address 10.2.1.2 255.255.255.0
[Device-Vlan-interface20] quit
2.
-
IP Address MAC Address VLAN ID Interface Aging Type
10.1.1.2 0000-8279-aa02 10 WLAN-DBSS5:52 N/A A
The output shows that the AC assigned the IP address 10.1.1.2 to the client. The client must use the IP address and MAC address in the authorized ARP entry to communicate with the AC. Otherwise, the communication fails, and user validity is ensured.
-
Step Command Remarks
4. Enable ARP detection. arp detection enable Disabled by default.
5. Return to system view. quit N/A
6. Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view/WLAN-ESS interface view. interface interface-type interface-number N/A
7. Configure the port as a trusted port that is excluded from ARP detection. arp detection trust Optional. A port is an untrusted port by default. At least a user validity check rule, a DHCP snooping entry, or an 802.
-
Configuring ARP restricted forwarding
ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows:
• If the packets are ARP requests, they are forwarded through the trusted interface.
• If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.
-
• Configure 802.1X on the AC.
• Enable ARP detection in VLAN 10 to check user validity based on 802.1X entries.
• Configure Client 1 and Client 2 as 802.1X users.
Figure 126 Network diagram (labels: Gateway DHCP server Device 10.1.1.1/24, Radius server, DHCP snooping Switch, AP1, Client 1 DHCP client, AC, AP2, Client 2 10.1.1.6 0001-0203-0607)
Configuration procedure
1. Add the port connecting the device on the switch to VLAN 10, and configure the IP address of VLAN-interface 10 on the device.
-
# Set the service type of the RADIUS server to extended.
[AC-radius-rad] server-type extended
# Exclude the domain name from the username sent to the RADIUS server.
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Create ISP domain imc.
[AC] domain imc
# Configure RADIUS authentication, authorization, and accounting for LAN access users.
-
[AC-wlan-ap-2100-radio-1] service-template 1
[AC-wlan-ap-2100-radio-1] radio enable
# The ports connecting the AC and APs reside in VLAN 1 by default. Configure the IP address for the VLAN interface on the AC and APs. (Details not shown.)
# Enable ARP detection for VLAN 10 to check user validity based on 802.1X entries.
[AC] vlan 10
[AC-vlan10] arp detection enable
# Configure the upstream port as a trusted port. The downstream WLAN-ESS port uses the default setting untrusted.
-
Figure 127 Network diagram
Configuration procedure
1. Add the port connecting the device on the switch to VLAN 10, and configure the IP address of VLAN-interface 10 on the device. (Details not shown.)
2. Configure DHCP address pool 0 on the device.
system-view
[Device] dhcp enable
[Device] dhcp server ip-pool 0
[Device-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure DHCP clients Client 1 and Client 2. (Details not shown.)
4.
-
[AC-wlan-ap-2100-radio-1] radio enable
# The ports connecting the AC and APs reside in VLAN 1 by default. Configure the IP address of the VLAN interface on the AC and APs. (Details not shown.)
# Enable DHCP snooping.
system-view
[AC] dhcp-snooping
[AC] interface ten-gigabitethernet 1/0/1
[AC-Ten-GigabitEthernet1/0/1] dhcp-snooping trust
[AC-Ten-GigabitEthernet1/0/1] quit
# Enable ARP detection for VLAN 10 to check user validity.
-
Configuration example The configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module and might vary by device model. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.
-
Configuring ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks. An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against the permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.
Follow these guidelines when you configure ARP filtering:
• You can configure up to eight permitted entries on an interface.
-
Figure 129 Network diagram
Configuration procedure
# Configure wireless services and the AP, and configure the radio port as WLAN-ESS 0. (Details not shown.)
# Configure ARP filtering on the AC.
system-view
[AC] interface wlan-ess 0
[AC-WLAN-ESS0] arp filter binding 10.1.1.2 000f-e349-1233
[AC-WLAN-ESS0] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, GigabitEthernet 1/0/1 permits ARP packets from Client 1 and Client 2, and discards other ARP packets.
-
Configuring IPsec
The term "router" in this document refers to both routers and routing-capable HP wireless products. All HP wireless products support IPsec between ACs and APs. Only HP 830 series PoE+ unified wired-WLAN switches support IPsec between ACs.
Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It transmits data in a secure tunnel established between two endpoints.
-
encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP, and then by AH. Figure 130 shows the format of IPsec packets.
-
Figure 130 Encapsulation by security protocols in different modes
Authentication algorithms and encryption algorithms
• Authentication algorithms: IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
-
IPsec stateful failover Support for this feature depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products. The IPsec stateful failover function enables hot backup of IPsec service data between two devices. It is usually deployed on two redundant gateways at the headquarters to improve the availability of IPsec service. The IPsec stateful failover function must work with the stateful failover feature and the VRRP feature.
-
Protocols and standards • RFC 2401, Security Architecture for the Internet Protocol • RFC 2402, IP Authentication Header • RFC 2406, IP Encapsulating Security Payload • RFC 4301, Security Architecture for the Internet Protocol • RFC 4302, IP Authentication Header • RFC 4303, IP Encapsulating Security Payload (ESP) Implementing ACL-based IPsec The following is the generic configuration procedure for implementing ACL-based IPsec: 1. Configure an ACL for identifying data flows to be protected. 2.
-
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0. • In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it.
-
# ipsec policy test 2 isakmp security acl 3001 ike-peer bb transform-set 1 • Configure Router B: acl number 3001 rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255 rule 1 deny ip # ipsec policy test 1 isakmp security acl 3001 ike-peer aa transform-set 1 Mirror image ACLs To make sure that SAs can be set up and the traffic protected by IPsec can be processed correctly at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local peer.
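The two rules stated above (an ACL rule identifies a data flow and also matches the returned traffic; the remote peer needs a mirror image of each rule), as an added example that is not HP code. Router A's ACL is constructed here as the mirror of Router B's rule 0 shown above; the helper names are assumptions, and only dotted wildcards that form a contiguous mask (such as 0.0.0.255) are accepted.

```python
"""ACL-based IPsec flow identification (added example, not HP code): a rule's
source/destination pair matches traffic in both directions, an outbound permit
means the packet needs IPsec protection, and the peer's ACL must mirror ours."""
import ipaddress
from dataclasses import dataclass


def _network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' (wildcard bits are don't-care) into a network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse(spec: str) -> ipaddress.IPv4Network:
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = spec.split()
    return _network(addr, wildcard)


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str        # 'permit' or 'deny'
    source: str        # e.g. '3.3.3.0 0.0.0.255', or 'any'
    destination: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """True for traffic src->dst and for the returned traffic dst->src."""
        src_net, dst_net = _parse(self.source), _parse(self.destination)
        s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        return (s in src_net and d in dst_net) or (d in src_net and s in dst_net)

    def mirror(self) -> "AclRule":
        """The rule the remote peer needs: source and destination swapped."""
        return AclRule(self.rule_id, self.action, self.destination, self.source)


def outbound_needs_protection(rules, src_ip: str, dst_ip: str) -> bool:
    """First-match lookup: a matched permit means IPsec protects the packet."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src_ip, dst_ip):
            return rule.action == "permit"
    return False


def is_mirror_image(local, remote) -> bool:
    """Every local rule must have a remote rule with the same action and the
    source/destination networks swapped (compared as networks, not strings)."""
    local_set = sorted((r.action, str(_parse(r.source)), str(_parse(r.destination))) for r in local)
    remote_set = sorted((r.action, str(_parse(r.destination)), str(_parse(r.source))) for r in remote)
    return local_set == remote_set


if __name__ == "__main__":
    # Router B's ACL 3001 from the example above; Router A's is its mirror (constructed).
    router_b = [AclRule(0, "permit", "3.3.3.0 0.0.0.255", "1.1.2.0 0.0.0.255"),
                AclRule(1, "deny", "any", "any")]
    router_a = [r.mirror() for r in router_b]
    print("mirror image:", is_mirror_image(router_a, router_b))
    print("1.1.2.5 -> 3.3.3.7 protected:", outbound_needs_protection(router_a, "1.1.2.5", "3.3.3.7"))
    print("1.1.2.5 -> 8.8.8.8 protected:", outbound_needs_protection(router_a, "1.1.2.5", "8.8.8.8"))
```

The mirror check compares parsed networks rather than the literal text, so `3.3.3.0 0.0.0.255` and `3.3.3.5 0.0.0.255` are treated as the same flow; a non-mirror ACL on the peer (Figure 133) fails the check and, on a real device, shows up as SAs that negotiate for one direction only.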
-
Figure 133 Non-mirror image ACLs Protection modes Data flows can be protected in the following modes: • Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it. • Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This mode is configurable only in IPsec policies that use IKE negotiation. • Per-host mode—One tunnel protects one host-to-host data flow.
-
Step Command Remarks
4. Specify the security algorithms. • Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } * Configure at least one command. You configure security algorithms for a security protocol only after you specify the security protocol in the IPsec transform set. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol.
-
IKE-based IPsec policy—The parameters are automatically negotiated through IKE. • Configuring a manual IPsec policy When you configure a manual IPsec policy, make sure the IPsec configuration at both ends of the IPsec tunnel meets the following requirements: • The IPsec policies at the two ends must have IPsec proposals that use the same security protocols, security algorithms, and encapsulation mode.
-
Step Command Remarks
8. Configure keys for the SA. • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher string-key | simple hex-key ] • Configure an authentication key in characters for AH: sa string-key { inbound | outbound } ah [ cipher | simple ] string-key • Configure a key in characters
-
Step Command Remark 1. Enter system view. system-view N/A 2. Create an IKE-based IPsec policy and enter its view. ipsec policy policy-name seq-number isakmp By default, no IPsec policy exists. 3. Configure an IPsec connection name. connection-name name By default, no IPsec connection name is configured. 4. Assign an ACL to the IPsec policy. security acl acl-number [ aggregation | per-host ] By default, an IPsec policy references no ACL. 5. Assign IPsec transform sets to the IPsec policy.
-
To configure an IKE-based IPsec policy by referencing an IPsec policy template: Step Command Remark 1. Enter system view. system-view N/A 2. Create an IPsec policy template and enter its view. ipsec policy-template template-name seq-number By default, no IPsec policy template exists. 3. Specify the ACL for the IPsec policy to reference. security acl acl-number By default, an IPsec policy references no ACL. 4. Specify the IPsec transform sets for the IPsec policy to reference.
-
An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller. You can set both the time-based SA lifetime and the traffic-based SA lifetime. Once the time-based lifetime or traffic-based lifetime of an SA elapses, the SA is aged. You cannot modify an IPsec policy created by referencing an IPsec policy template in IPsec policy view.
-
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking. IMPORTANT: • IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled. • A wider anti-replay window results in higher resource cost and more system performance degradation, which is against the original intention of the IPsec anti-replay function.
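The anti-replay window that the note above describes, as an added example that is not HP code. It is the bitmap sliding window used for IKE-negotiated SAs: a sequence number is accepted once, numbers that fall behind the window are rejected even if never seen, and the state kept per SA grows with the window width, which is the resource cost the note refers to. The class and function names are assumptions.

```python
"""IPsec anti-replay sliding window in bitmap form (added example, not HP code).
Bit k of the bitmap records whether sequence number (highest - k) was accepted."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0            # highest sequence number accepted so far
        self.bitmap = 0             # bit k set -> sequence number highest-k already seen
        self._mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if it is new and inside the window."""
        if seq == 0:
            return False            # ESP/AH sequence numbers start at 1
        if seq > self.highest:
            # Advance the window; bits that fall off the left edge are forgotten.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & self._mask) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False            # older than the window: rejected unseen or not
        bit = 1 << offset
        if self.bitmap & bit:
            return False            # replayed packet
        self.bitmap |= bit
        return True

    def state_bytes(self) -> int:
        """Memory needed for the bitmap alone; doubles when the window doubles."""
        return (self.size + 7) // 8


def replay_check(seqs, size: int = 64):
    """Run a constructed sequence of received sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering is tolerated, a repeat and a stale packet are not.
    arrivals = [1, 2, 3, 5, 4, 3, 100, 36, 37]
    print(list(zip(arrivals, replay_check(arrivals, 64))))
    print("bitmap bytes for 64 /1024:", AntiReplayWindow(64).state_bytes(), AntiReplayWindow(1024).state_bytes())
```

Sequence number 36 is rejected with a 64-wide window after 100 has been accepted (it is exactly 64 behind) but accepted with a 1024-wide window; widening the window only helps when legitimate packets arrive that far out of order, so the default is the right setting unless the path really reorders packets that much.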
-
• IPsec stateful failover supports only the active/standby failover mode. • RSA signature authentication is not supported in IKE negotiation. • The keepalive mechanism for IKE to maintain the link status of IKE SAs is not supported. Support for this feature depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.
-
Displaying and maintaining IPsec Task Command Remarks Display IPsec policy information. display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display IPsec policy template information. display ipsec policy-template [ brief | name template-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display IPsec transform set information.
-
IPsec configuration examples The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.
-
Figure 134 Network diagram Configuring AC 1 # Configure an IP address for VLAN-interface 1. system-view [AC1] interface Vlan-interface 1 [AC1-Vlan-interface1] ip address 133.1.1.1 16 [AC1-Vlan-interface1] quit # Enable stateful failover and set the stateful failover heartbeat interval. [AC1] hot-backup enable [AC1] hot-backup hellointerval 100 # Set the IKE SA keepalive interval. [AC1] ike sa keepalive-timer interval 20 # Set the IKE SA keepalive timeout.
-
# Create a DPD named dpd. [AC1] ike dpd dpd [AC1-ike-dpd-dpd] quit # Create an IKE peer named peer1. [AC1] ike peer peer1 # Apply dpd to IKE peer peer1. [AC1-ike-peer-peer1] dpd dpd # Apply IKE proposal 1 to IKE peer peer1. [AC1-ike-peer-peer1] proposal 1 # Configure a plaintext pre-shared key 123456 for IKE negotiation. [AC1-ike-peer-peer1] pre-shared-key simple 123456 # Specify the IP address of the remote IKE peer as 133.1.1.33. [AC1-ike-peer-peer1] remote-address 133.1.1.
-
[AC1-wlan-ap-ap] quit [AC1] quit # Reboot the AP. reset wlan ap name ap This command will reset all master connection AP's. Do you want to continue [Y/N]:y Configuring AC 2 # Configure an IP address for VLAN-interface 1. system-view [AC2] interface vlan-interface 1 [AC2-Vlan-interface1] ip address 133.1.1.2 16 [AC2-Vlan-interface1] quit # Enable stateful failover and set the stateful failover heartbeat interval.
-
# Configure a plaintext pre-shared key 123456 for IKE negotiation. [AC2-ike-peer-peer1] pre-shared-key simple 123456 # Specify the IP address of the remote IKE peer as 133.1.1.33. [AC2-ike-peer-peer1] remote-address 133.1.1.33 [AC2-ike-peer-peer1] quit # Create an IPsec policy template named pt with the sequence number 1. [AC2] ipsec policy-template pt 1 # Reference the IPsec transform set tran1 for the IPsec policy template.
-
Total Number of auto APs connected : 0
AP Profiles
State : I = Idle, J = Join, JA = JoinAck, C = Config, R = Run, IL = ImageLoad
        KU = KeyUpdate, KC = KeyCfm
--------------------------------------------------------------------------
AP Name          State    Model          Serial-ID
--------------------------------------------------------------------------
ap               R/B      MSM460-WW      CN2AD330S8
--------------------------------------------------------------------------
# Execute the display ipsec sa command on each AC to d
-
sa remaining duration (kilobytes/sec): 1843192/3261
max received sequence-number: 127
udp encapsulation used for nat traversal: N
status: --
-----------------------------
IPsec policy name: "pt"
sequence number: 1
mode: template
-----------------------------
connection id: 8
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
  local address: 133.1.1.1
  remote address: 133.1.1.33
flow:
  sour addr: 133.1.1.1/255.255.255.255
  dest addr: 133.1.1.33/255.255.255.
-
IPsec policy name: "pt"
sequence number: 1
mode: template
-----------------------------
connection id: 6
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
  local address: 133.1.1.2
  remote address: 133.1.1.33
flow:
  sour addr: 133.1.1.2/255.255.255.255
  dest addr: 133.1.1.33/255.255.255.
-
dest addr: 133.1.1.33/255.255.255.
-
After the IKE negotiation succeeds and IPsec SAs are successfully established, all packets between the AP and the ACs are encrypted by IPsec.
-
Configuring IKE Overview Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically. Instead of transmitting keys directly across a network, IKE peers transmit keying materials between them, and calculate shared keys.
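What "transmit keying materials and calculate shared keys" means in practice, as an added example that is not HP code: the peers send only Diffie-Hellman public values and nonces, each side computes the shared secret locally, and the phase 1 keys are derived from it following the RFC 2409 layout for pre-shared key authentication (the method the IPsec examples in this chapter use). The group below is a constructed 64-bit toy group so the numbers stay readable; a real IKE negotiation uses one of the large MODP groups. The pre-shared key 123456 comes from the examples above; nonces, cookies and function names are constructed.

```python
"""IKE main-mode key agreement (added example, not HP code): only public
values and nonces cross the wire; both peers derive identical SKEYID keys."""
import hashlib
import hmac
import secrets

TOY_P = 0xFFFFFFFFFFFFFFC5   # constructed toy prime (2**64 - 59); not for real use
TOY_G = 5                    # constructed toy generator


def dh_keypair(priv=None, p=TOY_P, g=TOY_G):
    """Return (private exponent x, public value g^x mod p)."""
    if priv is None:
        priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def dh_shared_secret(peer_public: int, priv: int, p=TOY_P) -> int:
    """Compute g^xy from the peer's public value; reject degenerate values 0, 1 and p-1."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, priv, p)


def ike_phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: int, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 key derivation for pre-shared key authentication with HMAC-SHA1 as prf."""
    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha1).digest()

    gxy_b = gxy.to_bytes((gxy.bit_length() + 7) // 8, "big")
    skeyid = prf(psk, ni + nr)                                   # SKEYID = prf(psk, Ni|Nr)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")      # derives IPsec keying material
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # encrypts IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode_exchange(psk: bytes, priv_i=None, priv_r=None,
                       ni=b"constructed-Ni!!", nr=b"constructed-Nr!!",
                       cky_i=b"\x01" * 8, cky_r=b"\x02" * 8):
    """Simulate both peers; return what went on the wire and each side's derived keys."""
    priv_i, pub_i = dh_keypair(priv_i)
    priv_r, pub_r = dh_keypair(priv_r)
    on_wire = {"KE_i": pub_i, "KE_r": pub_r, "Ni": ni, "Nr": nr}   # never x, y or g^xy
    gxy_initiator = dh_shared_secret(pub_r, priv_i)
    gxy_responder = dh_shared_secret(pub_i, priv_r)
    keys_i = ike_phase1_keys(psk, ni, nr, gxy_initiator, cky_i, cky_r)
    keys_r = ike_phase1_keys(psk, ni, nr, gxy_responder, cky_i, cky_r)
    return on_wire, keys_i, keys_r


if __name__ == "__main__":
    wire, ki, kr = main_mode_exchange(b"123456")
    print("keys agree:", ki == kr)
    print("SKEYID_e:", ki["SKEYID_e"].hex())
```

Because SKEYID is keyed with the pre-shared key, two peers with mismatched keys compute different SKEYID_a values and fail the identity authentication exchange of Figure 135 even though their Diffie-Hellman computation succeeded; that is why a key mismatch shows up as a phase 1 failure rather than as an error about the key itself.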
-
Figure 135 IKE exchange process in main mode (figure not reproduced; it shows three exchanges between Peer 1 and Peer 2: an SA exchange, in which the initiator sends its local IKE policy, the receiver searches for a matched policy and confirms it (algorithm negotiation); a key exchange, in which the initiator's and receiver's key information is exchanged and each side generates the key; and an ID and authentication data exchange, in which each side sends its identity and authentication data and performs identity authentication.)
-
Relationship between IKE and IPsec Figure 136 Relationship between IKE and IPsec Figure 136 illustrates the relationship between IKE and IPsec: • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. • IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
-
Task Remarks Configuring an IKE peer Required. Setting keepalive timers Optional. Setting the NAT keepalive timer Optional. Configuring a DPD detector Optional. Disabling next payload field checking Optional.
-
Step Command Remarks
1. Enter system view. system-view N/A
2. Create an IKE proposal and enter its view. ike proposal proposal-number N/A
3. Specify an encryption algorithm for the IKE proposal. encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc } Optional.
4. Specify an authentication method for the IKE proposal. authentication-method { pre-share | rsa-signature }
5. Specify an authentication algorithm for the IKE proposal.
-
• Configure a pre-shared key for pre-shared key authentication or a PKI domain for digital signature authentication. • Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key authentication, the ID type must be IP address for main mode IKE negotiation. It can be IP address, FQDN, or user FQDN for aggressive mode IKE negotiation. • Specify the name or IP address of the local security gateway.
-
Step Command Remarks
7. Configure a name for the local security gateway. local-name name Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
8. Specify the name of the remote security gateway. Optional.
9. Enable the NAT traversal function for IPsec/IKE.
-
NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail. Setting keepalive timers IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end.
-
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer. 3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. 4. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.
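The DPD timing described in the steps above, as an added example that is not HP code. Step 1 is not on this page, so the model assumes the check runs whenever the local end is about to send traffic; the interval values are constructed, and only the default of two retransmission attempts comes from the text. Any packet from the peer (including the DPD acknowledgement) counts as proof of liveness.

```python
"""Dead peer detection timing (added example, not HP code): after 'interval'
seconds of silence a DPD hello is sent; it is retransmitted every
'retry_interval' seconds; after 'max_retries' retransmissions without an
acknowledgement the peer is declared dead and its SAs are cleared."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DpdDetector:
    interval: float = 10.0           # constructed DPD interval (seconds)
    retry_interval: float = 5.0      # constructed DPD packet retransmission interval
    max_retries: int = 2             # maximum retransmission attempts (two by default, per the text)
    last_rx: float = 0.0             # time the last packet arrived from the peer
    hello_sent_at: Optional[float] = None
    retries: int = 0
    alive: bool = True

    def on_packet_from_peer(self, now: float) -> None:
        """Any traffic from the peer, a DPD ack included, cancels the pending hello."""
        self.last_rx = now
        self.hello_sent_at = None
        self.retries = 0

    def before_send(self, now: float) -> List[str]:
        """Run when the local end has traffic to send (assumed trigger); return DPD actions."""
        if not self.alive:
            return ["IKE SA and IPsec SAs already cleared"]
        if self.hello_sent_at is None:
            if now - self.last_rx >= self.interval:          # step 2
                self.hello_sent_at = now
                return ["send DPD hello"]
            return []
        if now - self.hello_sent_at < self.retry_interval:
            return []                                         # still waiting for the ack
        if self.retries >= self.max_retries:                  # step 4
            self.alive = False
            return ["peer dead: clear IKE SA and its IPsec SAs"]
        self.retries += 1                                     # step 3
        self.hello_sent_at = now
        return [f"retransmit DPD hello ({self.retries}/{self.max_retries})"]


def run_timeline(detector: DpdDetector, events):
    """events: (time, 'send'|'recv') pairs, constructed; returns the (time, action) log."""
    log = []
    for t, kind in events:
        if kind == "recv":
            detector.on_packet_from_peer(t)
        else:
            for action in detector.before_send(t):
                log.append((t, action))
    return log


if __name__ == "__main__":
    silent_peer = DpdDetector()
    for entry in run_timeline(silent_peer, [(5, "send"), (10, "send"), (15, "send"), (20, "send"), (25, "send")]):
        print(entry)
```

With the constructed timers a silent peer is declared dead 15 seconds after the first hello (one hello plus two retransmissions); shortening the retransmission interval speeds that up but also turns a brief loss of reachability into a torn-down tunnel that has to be renegotiated, which is the trade-off to weigh when tuning DPD.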
-
Task Command Remarks Available in any view. Display IKE SA information. display ike sa [ active | standby | verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ] Display IKE proposal information. display ike proposal [ | { begin | exclude | include } regular-expression ] Support for the active and standby keywords depends on your device model.
-
Solution For the negotiation in phase 1, look up the IKE proposals for a match. For the negotiation in phase 2, verify that the parameters of the IPsec policies applied on the interfaces are matched, and that the referred IPsec transform sets have a match in protocol, encryption and authentication algorithms. Failing to establish an IPsec tunnel Symptom The expected IPsec tunnel cannot be established.
-
Configuring ALG The term "router" in this document refers to both routers and routing-capable WX series access controllers. Application Level Gateway (ALG) processes the payload information of application layer packets to make sure data connections can be established. NAT typically translates only IP address and port information in packet headers and does not analyze fields in application layer payloads.
-
As shown in Figure 137, the host on the external network accesses the FTP server on the internal network in passive mode through the ALG-enabled router.
-
Enabling ALG
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable ALG. alg { all | dns | ftp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } Optional. By default, ALG is enabled for all protocols.
ALG configuration examples The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
-
[AC-acl-basic-2001] rule permit [AC-acl-basic-2001] quit # Enable ALG for FTP. [AC] alg ftp # Configure NAT. [AC] interface vlan-interface 3 [AC-Vlan-interface3] nat outbound 2001 address-group 1 # Configure internal FTP server. [AC-Vlan-interface3] nat server protocol tcp global 5.5.5.10 ftp inside 192.168.1.2 ftp SIP/H.323 ALG configuration example H.323 ALG configuration is similar to SIP ALG configuration.
-
[AC-Vlan-interface3] nat outbound 2001 address-group 1 NBT ALG configuration example The example describes ALG configurations, assuming other required configurations on the server and client have been done. Network requirements As shown in Figure 140, a company using the private network segment 192.168.1.0/24 wants to provide NBT services to the outside. Configure NAT and ALG on the AC so that Host A uses 5.5.5.9 as its external IP address, the WINS server uses 5.5.5.
-
Configuring firewall The term "router" in this document refers to both routers and routing-capable HP wireless products. Overview A firewall blocks unauthorized Internet access to a protected network while allowing internal network users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet.
-
non-SYN packets of existing TCP connections passing the firewall for the first time are dropped, breaking the existing TCP connections. ASPF ASPF was proposed to address the issues that a static firewall cannot solve. An ASPF implements application layer and transport layer specific packet filtering, that is, status-based (stateful) packet filtering. An ASPF can detect application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP, and H.323 (Q.931, H.245, and RTP/RTCP), and transport layer protocols TCP and UDP.
-
• Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols. • Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and transfers control messages and user data through different channels. FTP and RTSP are examples of multi-channel protocols.
-
multi-channel application layer protocols like FTP and H.323, the deployment of TCP inspection without application layer inspection will lead to failure of establishing a data connection. Configuring a packet-filter firewall WLAN-ESS interfaces do not support IPv6 packet-filter firewall. User profiles do not support IPv6 packet-filter firewall. Packet-filter firewall configuration task list Task Remarks Enabling the firewall function Required.
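The multi-channel case described above and in the ALG overview (an external host reaching an internal FTP server in passive mode through NAT), as an added example that is not HP code. The control channel is inspected for the server's 227 reply, the private address in the payload is rewritten to the global address of the nat server mapping from the FTP ALG example (5.5.5.10 to 192.168.1.2), and a pinhole is opened for the data connection that the client will open next. Without this application-layer inspection the filter knows only the control session and drops the data connection. The class and helper names are assumptions.

```python
"""FTP passive-mode ALG/ASPF inspection (added example, not HP code):
rewrite the server's 227 reply for NAT and open a data-channel pinhole."""
import re
from typing import Dict, Optional, Tuple

# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'; data port = p1*256 + p2
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FtpAlg:
    def __init__(self, global_ip: str, inside_ip: str, control_port: int = 21):
        self.global_ip = global_ip          # address the outside world sees (nat server global)
        self.inside_ip = inside_ip          # real server address (nat server inside)
        self.control_port = control_port
        # Dynamic data-channel pinholes: (global ip, port) -> (inside ip, port)
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def inspect_server_reply(self, line: str) -> str:
        """Return the control-channel line to forward, rewritten if it announces a data channel."""
        m = PASV_RE.search(line)
        if not m:
            return line                     # not a 227 reply: single-channel traffic passes untouched
        ip = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if ip != self.inside_ip:
            return line                     # refers to a host this ALG does not translate
        self.pinholes[(self.global_ip, port)] = (self.inside_ip, port)
        octets = self.global_ip.split(".")
        return line[:m.start(1)] + ",".join(octets + [m.group(5), m.group(6)]) + line[m.end(6):]

    def inbound_decision(self, dst_ip: str, dst_port: int) -> Tuple[str, Optional[Tuple[str, int]]]:
        """Decide an inbound TCP SYN from the external host: control port or a learned pinhole only."""
        if (dst_ip, dst_port) == (self.global_ip, self.control_port):
            return "permit", (self.inside_ip, self.control_port)
        target = self.pinholes.get((dst_ip, dst_port))
        if target is not None:
            return "permit", target
        return "deny", None


if __name__ == "__main__":
    alg = FtpAlg(global_ip="5.5.5.10", inside_ip="192.168.1.2")
    # Constructed control-channel reply from the internal server.
    reply = "227 Entering Passive Mode (192,168,1,2,4,1).\r\n"
    print(alg.inspect_server_reply(reply).strip())
    print(alg.inbound_decision("5.5.5.10", 4 * 256 + 1))   # the data connection the client opens next
    print(alg.inbound_decision("5.5.5.10", 2000))          # anything else stays blocked
```

Two details a production ALG must also handle are deliberately visible here: rewriting the payload changes its length, so the device has to adjust TCP sequence and acknowledgement numbers on the control connection from then on, and the pinhole should be consumed by the first matching connection and aged out if unused, or it becomes a standing hole in the filter.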
-
To configure the default filtering action of the IPv6 firewall: Step Command Remarks N/A 1. Enter system view. system-view 2. Specify the default filtering action of the IPv6 firewall. firewall ipv6 default { deny | permit } Optional. By default, the firewall permits packets to pass. Applying an ACL packet-filter firewall to an interface When an ACL is applied to an interface, the time range-based filtering will also work at the same time.
-
Applying an ACL packet-filter firewall to a user profile Perform this task to implement user-based packet filtering. After a user passes authentication, if the user is authorized with a user profile and the user profile is configured with a packet-filter firewall, the packets received or sent by the user are filtered by the firewall as configured. To apply an ACL-based packet-filter firewall to a user profile: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter user profile view.
-
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same. Network requirements As shown in Figure 142, the internal network of a company is connected to VLAN-interface 2 of the AC, and the internal users access the Internet through VLAN-interface 3 of the AC. The company provides WWW, FTP and Telnet services to the outside. The internal subnet of the company is 129.1.1.0/24, on which the internal FTP server address is 129.1.1.
-
[AC] acl number 3002 # Configure a rule to allow a specific external user to access internal servers. [AC-acl-adv-3002] rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255 # Configure a rule to permit specific data (only packets of which the port number is greater than 1024) to get access to the internal network. [AC-acl-adv-3002] rule permit tcp destination 20.1.1.
-
To configure an ASPF policy:
Step Command Remarks
1. Enter system view. system-view N/A
2. Create an ASPF policy and enter its view. aspf-policy aspf-policy-number N/A
3. Drop ICMP error messages. icmp-error drop Optional. By default, ICMP error messages are not dropped.
4. Drop non-SYN packet that is the first packet over a TCP connection. tcp syn-check Optional. By default, a non-SYN packet that is the first packet over a TCP connection is not dropped.
-
Step Command Remarks
3. Apply an ASPF policy to the user profile. firewall aspf aspf-policy-number { inbound | outbound } By default, no ASPF policy is applied to any user profile.
Configuring port mapping Two mapping mechanisms exist: general port mapping and basic ACL–based host port mapping. • General port mapping—Refers to a mapping of a user-defined port number to an application layer protocol.
-
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch or an 870 appliance are Access interfaces in VLAN 1.
-
Managing sessions Overview Session management is a common feature designed to implement session-based services such as NAT and ASPF. Session management regards packet exchanges at the transport layer as sessions and updates the session status, or ages sessions out, according to information in the initiator or responder packet. Session management allows multiple features to process the same service packet. Session management can be applied for the following purposes: • Fast match between packets and sessions.
-
Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions. • Supporting persistent sessions, which are kept alive for a long period of time. • Supporting session management of control channels and dynamic data channels of application layer protocols, for example, FTP.
-
Step Command Remarks
2. Set the aging time for sessions of a specified protocol and in a specified state. session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value This aging time setting is effective on only the sessions that are being established. The default values are as follows: • accelerate—10 seconds. • fin—30 seconds. • icmp-closed—30 seconds. • icmp-open—60 seconds. • rawip-open—30 seconds.
-
processes only packets with correct checksums. Packets with incorrect checksums will be processed by other services based on the session management. IMPORTANT: Checksum verification might degrade the device performance. Enable it with caution. To enable checksum verification for protocol packets: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable checksum verification. session checksum { all | { icmp | tcp | udp } * } Disabled by default.
-
Step Command Remarks
2. Specify an operating mode for session management. • Set the hybrid mode: session mode hybrid • Set the bidirectional mode: undo session mode By default, bidirectional mode is used.
Configuring session logging Session logs provide information about user access, IP address translation, and network traffic for security auditing. These logs are sent in flow log format to the log server or the information center. Enabling session logging Step Command Remarks 1.
-
Displaying and maintaining session management Task Command Remarks Display the session aging times for application layer protocols. display application aging-time [ | { begin | exclude | include } regular-expression ] Available in any view. Display the session aging times in different protocol states. display session aging-time [ | { begin | exclude | include } regular-expression ] Available in any view. Display information about sessions.
-
Configuring Web filtering Overview In legacy network security solutions, network protection mainly targets external attacks. With the popularity of network applications in every walk of life, however, the internal network also faces security threats caused by internal user access to illegal networks. To protect the internal network against such threats, the network devices must be able to filter illegal access requests from internal users.
-
• If URL address filtering does not support IP addresses, the device checks the ACL rules for URL address filtering. If the ACL permits the IP address, the device forwards the request. Otherwise, the device drops the request. URL parameter filtering Many Web pages are dynamic, connected with databases, and support data query and modification through Web requests.
-
ActiveX blocking ActiveX blocking protects networks from being attacked by malicious ActiveX plugins. After the ActiveX blocking function is enabled, requests for ActiveX plugins to all Web pages will be filtered. If the ActiveX plugins in some Web pages are expected, you can configure ACL rules to permit requests to the ActiveX plugins of these Web pages. Processing procedure • If the ActiveX blocking function is enabled but no ACL is configured for it, the device replaces the suffix .ocx with .
-
Step Command Remarks
3. Configure IP address-supported URL address filtering. firewall http url-filter host ip-address { deny | permit } Deny by default.
4. Specify an ACL for URL address filtering. firewall http url-filter host acl acl-number Optional. By default, no ACL is specified for URL address filtering.
5. Display information about URL address filtering. display firewall http url-filter host [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ]
-
Configuring ActiveX blocking
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable the ActiveX blocking function. firewall http activex-blocking enable Disabled by default.
3. Add an ActiveX blocking suffix keyword. firewall http activex-blocking suffix keywords Optional.
4. Specify an ACL for ActiveX blocking. firewall http activex-blocking acl acl-number Optional.
5. Display information about ActiveX blocking.
-
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.
-
# Configure an ACL for URL address filtering. [AC] acl number 2000 [AC-acl-basic-2000] rule 0 permit source 3.3.3.3 0.0.0.0 [AC-acl-basic-2000] rule 1 deny source any [AC-acl-basic-2000] quit # Allow users to use IP addresses to access websites. [AC] firewall http url-filter host ip-address permit [AC] firewall http url-filter host acl 2000 After the configurations are completed, open a Web browser on a host in the LAN, enter website http://www.webflt.com or http://3.3.3.
-
Figure 145 Network diagram Configuration procedure # Configure IP addresses for the interfaces. (Details not shown.) # Configure a NAT policy for the outbound interface. system-view [AC] acl number 2200 [AC-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255 [AC-acl-basic-2200] rule 1 deny source any [AC-acl-basic-2200] quit [AC] nat address-group 1 2.2.2.10 2.2.2.
-
Java blocking configuration example Network requirements The hosts in the network segment 192.168.1.0/24 access the Internet through the AC. Enable Java blocking on the AC, add suffix keyword .js, and configure the device to allow only Java applet requests to the website at 5.5.5.5. Figure 146 Network diagram Configuration procedure # Configure IP addresses for the interfaces. (Details not shown.) # Configure a NAT policy for the outbound interface.
-
# Use the display firewall http java-blocking verbose command to display detailed Java blocking information. [AC] display firewall http java-blocking verbose Java blocking is enabled. The configured ACL group is 2100. There are 0 packet(s) being filtered. There are 1 packet(s) being passed. # Use the display firewall http java-blocking all command to display Java blocking information for all blocking suffix keywords.
-
Solution Make sure that all entered characters are valid. Invalid use of wildcard Symptom When you configure a URL address filtering entry or URL parameter filtering entry, the system prompts you that the wildcards are not used correctly.
-
Invalid blocking suffix Symptom When you configure a Java blocking suffix keyword or ActiveX blocking suffix keyword, the system prompts you that there are invalid suffix keywords. Analysis A blocking suffix requires a dot (.) as part of it. If no dot or multiple dots are configured, the configuration fails. Solution Configure a suffix keyword according to the description in the analysis.
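The Java blocking behaviour from the configuration example above (block requests whose suffix keyword is .js except to the website at 5.5.5.5) together with the suffix rule from this troubleshooting entry (a keyword must contain exactly one dot), as an added example that is not HP code. It also keeps the filtered/passed counters that display firewall http java-blocking verbose reports. The class and helper names are assumptions, and blocking is modelled as dropping the request.

```python
"""Java blocking with suffix keywords and a permit ACL (added example, not HP
code): requests for blocked suffixes are dropped unless the ACL permits the
target server; suffix keywords must contain exactly one dot."""
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit


def validate_suffix(keyword: str) -> str:
    """A blocking suffix keyword needs a dot as part of it; no dot or several dots is rejected."""
    if keyword.count(".") != 1 or keyword == ".":
        raise ValueError(f"invalid blocking suffix keyword: {keyword!r}")
    return keyword.lower()


class JavaBlocker:
    def __init__(self, suffixes: Iterable[str] = (), permit_servers: Optional[Iterable[str]] = None,
                 enabled: bool = True):
        self.enabled = enabled
        self.suffixes: Set[str] = {validate_suffix(s) for s in suffixes}
        # None models 'no ACL configured': every applet request is blocked.
        self.permit_servers: Optional[Set[str]] = set(permit_servers) if permit_servers is not None else None
        self.filtered = 0      # 'packet(s) being filtered' in the display output
        self.passed = 0        # 'packet(s) being passed'

    def add_suffix(self, keyword: str) -> None:
        """Equivalent of adding a blocking suffix keyword; validation happens here."""
        self.suffixes.add(validate_suffix(keyword))

    def is_applet_request(self, url: str) -> bool:
        path = urlsplit(url).path.lower()
        return any(path.endswith(suffix) for suffix in self.suffixes)

    def check_request(self, url: str, server_ip: str) -> str:
        """Return 'block' or 'forward' for one HTTP request and update the counters."""
        if self.enabled and self.is_applet_request(url):
            if self.permit_servers is None or server_ip not in self.permit_servers:
                self.filtered += 1
                return "block"
        self.passed += 1
        return "forward"

    def status(self) -> dict:
        return {"enabled": self.enabled, "filtered": self.filtered, "passed": self.passed}


if __name__ == "__main__":
    blocker = JavaBlocker(suffixes=[".js"], permit_servers={"5.5.5.5"})
    # Constructed requests from a LAN host.
    for url, ip in [("http://5.5.5.5/applet/app.js", "5.5.5.5"),
                    ("http://2.2.2.2/static/x.js", "2.2.2.2"),
                    ("http://2.2.2.2/index.html", "2.2.2.2")]:
        print(blocker.check_request(url, ip), url)
    print(blocker.status())
```

The match is on the URL path suffix only, so a query string or a differently cased extension does not bypass it here, but a server that serves script content under a different suffix will not be caught by suffix matching at all; the suffix list is a policy knob, not a content inspection.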
-
Configuring user isolation User isolation includes the following types: • VLAN-based user isolation—Isolates users in the same VLAN from accessing each other at Layer 2. • SSID-based user isolation—Isolates users using the same SSID from accessing each other at Layer 2. VLAN-based user isolation VLAN-based user isolation allows users to access the network, and at the same time, it isolates users from accessing each other at Layer 2 for security purposes.
-
Figure 147 Network diagram SSID-based user isolation For security purposes and accounting accuracy, enable SSID-based user isolation. It disables wireless users that use the same SSID from accessing each other at Layer 2. When SSID-based user isolation is enabled on the AC, all the wireless users using the same SSID are disabled from forwarding Layer 2 unicast or broadcast packets to each other. Configuring VLAN-based user isolation Step Command Remarks 1. Enter system view. system-view N/A 2.
-
Step Command Remarks
4. Permit broadcast and multicast packets from a wired user to a wireless user. user-isolation permit broadcast Optional. By default, broadcast and multicast packets from a wired user to a wireless user are permitted.
Configuring SSID-based user isolation
Step Command Remarks
1. Enter system view. system-view N/A
2. Configure WLAN service template. wlan service-template service-template-number { clear | crypto } N/A
3. Enable SSID-based user isolation. Optional.
-
Network requirements As shown in Figure 148, configure user isolation on the AC, so Client A, Client B, and Host A in VLAN 2 can access the Internet, but they cannot access one another at Layer 2. Figure 148 Network diagram (figure not reproduced; it shows the Internet gateway, whose MAC address is 000f-e2127788, the AC, the AP, and Host A, Client A and Client B in VLAN 2.) Configuration procedure 1. Configure the AC: # Configure the AP so that a connection can be established between the AC and AP. (Details not shown.
-
Configuring source IP address verification Overview Source IP address verification is intended to improve wireless network security by blocking illegal packets. For example, it can prevent illegal hosts from using a valid IP address to access the network. Source IP address verification can filter packets based on the IP-MAC binding entries.
-
For a client using an SSID configured with source IP address verification, if it accesses the network through AP local authentication, the source IP address verification feature is effective but the IP-MAC binding entry for the client cannot be displayed on the AC. If the client needs to roam to an AP of another AC in the roaming group, the AC to which the client roams must be configured with source IP address verification for the specified SSID. Otherwise, the client connection is lost.
-
Source IPv4 address verification configuration example

Network requirements

As shown in Figure 150, the clients access the network using the SSID "service", and the DHCP server dynamically assigns IP addresses to the clients. Enable source IP address verification for the clients using this SSID to prevent illegal access.

Figure 150 Network diagram (DHCP server connected through Eth1/1, IP network, AC, switch, AP, Client 1, Client 2, and Client 3)

Configuration procedure

1. Configure the DHCP server:
# Enable DHCP.
-
# Enable source IP address verification for IPv4 clients.
[AC-wlan-st-1] ip verify source
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Configure 802.11gn radio.
-
Figure 151 Network diagram (DHCPv6 server connected through Eth1/1, IP network, AC, switch, AP, Client 1, Client 2, and Client 3)

Configuration procedure

1. Configure the DHCPv6 server:
# Enable IPv6 forwarding and the DHCPv6 server.
system-view
[DHCPv6] ipv6
[DHCPv6] ipv6 dhcp server enable
# Create DHCPv6 address pool 1, and assign network segment 2001:2::/64 to the address pool.
-
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Configure 802.11gn radio.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable

Verifying the configuration

The MAC address of Client 1 is 001d-0f31-87dd, and that of Client 2 is 001c-f08f-f7f1.
-
Figure 152 Network diagram (router connected through Eth1/1, IP network, AC, switch, AP, Client 1, Client 2, and Client 3)

Configuration procedure

1. Configure the router:
# Enable IPv6 forwarding.
system-view
[Router] ipv6
# Assign an IPv6 address to interface Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ipv6 address 2001::1/64
# Enable interface Ethernet 1/1 to send RA messages.
-
# Configure 802.11gn radio.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable

Verifying the configuration

The MAC address of Client 1 is 001d-0f31-87dd, and that of Client 2 is 001c-f08f-f7f1. They are legal clients, but Client 3 is an illegal client. After the two legal clients obtain IPv6 address prefixes through ND, you can see their IPv6 binding entries by using the display wlan client ipv6 source binding command.
-
Configuring FIPS

Overview

Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4" from low to high. The device supports Level 2. Unless otherwise noted, in this document the term "FIPS" refers to FIPS 140-2.
-
Type: Cryptographic engine self-test
Operations: Tests the following algorithms used by cryptographic engines:
• DSA (signature and authentication)
• RSA (signature and authentication)
• RSA (encryption and decryption)
• AES
• 3DES
• SHA1
• HMAC-SHA1
• Random number generator algorithms

Conditional self-tests

A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked.
-
6. Save the configuration.

Enabling FIPS mode

Follow these guidelines when you enable FIPS mode:
• If you must enable both FIPS mode and the password control function, enable FIPS mode first.
• If you must disable both FIPS mode and the password control function, disable password control first.
• After FIPS mode is enabled, delete any FIPS 140-2-noncompliant local user service type (Telnet, HTTP, or FTP) before you reboot the device.

To enable FIPS mode:

Step 1. Enter system view.
-
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch or an 870 appliance are Access interfaces in VLAN 1.
-
Updating user(s) information, please wait...........
[Sysname-luser-test] quit
# Save the configuration.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
cfa0:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait....
Configuration is saved to device successfully.
# Reboot the device.
-
Configuring protocol packet rate limit

This feature helps you rate-limit packets of a specific protocol to prevent the packets from occupying too much bandwidth. Protocol packets can be rate-limited in the following modes:
• Bandwidth limit per protocol—You set a maximum bandwidth for packets of a specific protocol. When the maximum bandwidth is exceeded, the packets are discarded.
-
Configuring the threshold for per-flow bandwidth limit

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable per-flow bandwidth limit and configure the threshold.
  Command: anti-attack protocol protocol flow-threshold flow-rate-limit
  Remarks: By default, per-flow bandwidth limit is disabled for packets of all protocols.
-
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
-
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
-
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.
-