HP 6600/HSR6600 Routers Security Configuration Guide Part number: 5998-1515 Software version: A6602-CMW520-R3303P05 A6600-CMW520-R3303P05-RPE A6600-CMW520-R3303P05-RSE HSR6602_MCP-CMW520-R3303P05 Document version: 6PW105-20140507
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Security overview
  Network security threats
  Network security services
Initiating 802.1X authentication
  802.1X client as the initiator
  Access device as the initiator
  802.
Configuring the redirect URL
Setting the EAD rule timer
Displaying and maintaining EAD fast deployment
EAD fast deployment c
Configuring portal stateful failover
Specifying an autoredirection URL for authenticated portal users
Configuring portal detection functions
Configuring online Layer 3 portal user
Performing configurations in user profile view
Enabling a user profile
Displaying and maintaining user profile
Configuring password
Verifying PKI certificates
  Verifying PKI certificates with CRL checking
  Verifying PKI certificates without CRL checking
Destroying the local RSA key pair
IKE security mechanism
  IKE operation
  IKE functions
  Relation
Displaying and maintaining SSH
Stelnet configuration examples
  Password authentication enabled Stelnet server configuration example
  Publickey authentication enabled Stelnet server config
Configuring firewall
  Overview
    ACL based packet-filter
Troubleshooting connection limiting
  Connection limit rules with overlapping segments
  Connection limit rules with overlapping protocol types
Configuring Web filtering
Configuring IP source guard
  Overview
    Static IP source guard entries
    Dynamic
Network requirements
Configuration procedure
Configuring FIPS
  Overview
Security overview
Network security threats are actual or potential threats to the confidentiality, integrity, or availability of data, or to the authorized use of a resource, in a network system. Network security services provide solutions that eliminate or reduce those threats to different extents.
Network security threats
• Information disclosure—Information is leaked to an unauthorized person or entity.
• Data integrity damage—Data integrity is damaged by unauthorized modification or malicious destruction.
Network security technologies Identity authentication AAA AAA provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies network users and determines whether the user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Portal authentication Portal authentication, also called "Web authentication," controls user access at the access layer and other data entrance that needs protection. It does not require client software to authenticate users. Users only need to enter a username and a password on the webpage for authentication. With portal authentication, an access device redirects all unauthenticated users to a specific webpage, and users can freely access resources on the webpage.
• Source port number
• Destination port number
The device compares the header information against the configured ACL rules and processes the packet (discards or forwards it) based on the comparison result.
comprehensive and effective solution against common ARP attacks, such as user and gateway spoofing attacks and flood attacks. ND attack defense The IPv6 ND protocol provides rich functions, but does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. To defend against such attacks, the device provides multiple ND attack detection technologies, such as source MAC consistency check for ND packets and ND Detection.
Password control Password control is a set of functions for enhancing the local password security. It controls user login passwords, super passwords, and user login status based on predefined policies. Those policies include minimum password length, minimum password update interval, password aging, and early notice on pending password expiration. RSH RSH allows users to execute OS commands on a remote host that runs the RSH daemon.
Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
Figure 3 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user's username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The user password is not encrypted in the usual sense: it is hidden by XORing it with MD5 digests derived from the shared key and the packet's Request Authenticator (RFC 2865 User-Password hiding), so the secrecy of the password rests entirely on the shared key.
3. The RADIUS server authenticates the username and password.
Figure 4 RADIUS packet format (fields in order: Code, Identifier, Length, Authenticator, Attributes)
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 1 Main values of the Code field
No.  Packet type     Description
1    Access-Request  From the client to the server. A packet of this type carries user information for the server to authenticate the user.
• Type—(1 byte long) Type of the attribute, in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."
• Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
• Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length sub-fields.
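The password hiding in step 2 of the exchange above, the Code/Identifier/Length/Authenticator/Attributes layout of Figure 4 and the attribute TLV are worked through below in Python as an added example; this is not code from the guide or from HP. It hides a User-Password the way RFC 2865 section 5.2 specifies, frames an Access-Request, and verifies the Response Authenticator on a reply, which is the check a NAS must pass before it trusts an Access-Accept. The shared key `expert` and the account `hello@bbb` are taken from the guide's Telnet example; the Request Authenticator and the password are constructed here.

```python
"""RFC 2865 User-Password hiding, Access-Request framing and Response
Authenticator verification.

Added example, not code from the HP guide. The Request Authenticator and
the password used below are constructed; `expert` and `hello@bbb` are the
shared key and account name used in the guide's Telnet example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous ciphertext block); the first block uses
    the Request Authenticator. This is keyed obfuscation, not encryption:
    the shared key alone lets anyone reverse it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        mask = _md5(secret + prev)
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is removed."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret + prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One attribute TLV: 1-byte Type, 1-byte Length covering all three sub-fields, Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, username, password, secret, request_authenticator):
    """Client side of step 2: User-Name plus hidden User-Password behind the 20-byte header."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return _md5(HEADER.pack(code, identifier, 20 + len(attrs)) + request_authenticator + attrs + secret)


def build_response(code, identifier, attrs, request_authenticator, secret):
    """What the server sends back (Access-Accept or Access-Reject)."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_authenticator, secret, identifier=None):
    """NAS-side check before trusting a reply: the Response Authenticator must
    match under the shared key and the outstanding Request Authenticator, and
    the Identifier must be the one we sent. A reply failing this is dropped."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or (identifier is not None and ident != identifier):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret, ra = b"expert", os.urandom(16)      # fresh Request Authenticator per request
    req = build_access_request(1, b"hello@bbb", b"aabbcc", secret, ra)
    reply = build_response(ACCESS_ACCEPT, 1, b"", ra, secret)
    print(len(req), "bytes; reply verifies:", verify_response(reply, ra, secret, 1))
```

Two practical consequences follow from the code: a reply that fails `verify_response` under the configured key is indistinguishable from a spoofed one and must be discarded, and because `hide_password` is reversible with nothing but the shared key, a weak or reused key exposes every password ever sent through that scheme.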
HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations.
Figure 6 Basic HWTACACS message exchange process for a Telnet user
HWTACACS operates in the following manner:
1. A Telnet user sends an access request to the HWTACACS client.
2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6.
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14.
• Portal users—Users who must pass portal authentication to access the network. • PPP users—Users who access through PPP. • SSL VPN users—Users who access through SSL VPN. In addition, AAA provides the following services for login users to enhance device security: • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted, and allows login users to execute only authorized commands.
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS
RADIUS attributes
This section provides tables of commonly used standard RADIUS attributes and HP proprietary RADIUS sub-attributes.
Commonly used standard RADIUS attributes
No.  Attribute         Description
40   Acct-Status-Type  Type of the Accounting-Request packet. Possible values include:
                       1—Start.
                       2—Stop.
                       3—Interim-Update.
                       4—Reset-Charge.
                       7—Accounting-On (defined in the 3rd Generation Partnership Project).
                       8—Accounting-Off (defined in the 3rd Generation Partnership Project).
                       9 to 14—Reserved for tunnel accounting.
                       15—Reserved for failed.
45   Acct-Authentic    Authentication method used by the user. Possible values include:
                       1—RADIUS.
60   CHAP-Challenge
No.  Sub-attribute       Description
15   Remanent_Volume     Total remaining available traffic for the connection, in different units for different server types.
20   Command             Operation for the session, used for session control. Possible values include:
                         1—Trigger-Request.
                         2—Terminate-Request.
                         3—SetPolicy.
                         4—Result.
                         5—PortalClear.
24   Control_Identifier  Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value.
No.  Sub-attribute              Description
205  Input-Interval-Gigawords   Number of bytes input within an accounting interval, in units of 4G bytes.
206  Output-Interval-Gigawords  Number of bytes output within an accounting interval, in units of 4G bytes.
207  Backup-NAS-IP              Backup source IP address for sending RADIUS packets.
255  Product_ID                 Product name.
AAA configuration considerations and task list
To configure AAA on the NAS:
1. Configure the required AAA schemes.
2.
Table 4 AAA configuration task list
Task                                                     Remarks
Configuring AAA schemes
  Configuring local users                                Required. Complete at least one task.
  Configuring RADIUS schemes
  Configuring HWTACACS schemes
Configuring AAA methods for ISP domains
  Creating an ISP domain                                 Required.
  Configuring ISP domain attributes                      Optional.
  Configuring authentication methods for an ISP domain   Required. Complete at least one task.
  Configuring authorization methods for an ISP domain
• User group. Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user group, see "Configuring user group attributes." • Password control attributes. Password control attributes help you control the security of local users' passwords. Password control attributes include password aging time, minimum password length, and password composition policy.
level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface by using the user privilege level command in user interface view. For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface.
7. Configure password control attributes for the local user. (Optional.)
   • Set the password aging time: password-control aging aging-time
   • Set the minimum password
Configuring user group attributes User groups simplify local user configuration and management. A user group comprises a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
Task                                   Command
Display local user information.        display local-user [ idle-cut { disable | enable } | service-type { dvpn | ftp | lan-access | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Display the user group configuration.  display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Both commands are available in any view.
Creating a RADIUS scheme
Before you perform other RADIUS configurations, first create a RADIUS scheme and enter RADIUS scheme view. A RADIUS scheme can be referenced by multiple ISP domains at the same time.
To create a RADIUS scheme and enter RADIUS scheme view:
1. Enter system view: system-view
2. Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (By default, no RADIUS scheme is created.)
3. Specify RADIUS authentication/authorization servers. Configure at least one command. By default, no authentication/authorization server is specified.
   • Specify the primary RADIUS
3. Specify RADIUS accounting servers. Configure at least one command.
   • Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   • Specify a secondary RADIUS accounting server: secondary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication: key { accounting | authentication } [ cipher | simple ] key
By default, no shared key is specified. In FIPS mode, the shared key must be a string of at least 8 characters that contains numbers, uppercase letters, lowercase letters, and special characters. The shared key configured on the device must be the same as that configured on the RADIUS server. The shared key is the only secret that protects User-Password hiding and the packet authenticators, so use a long, random key and do not share one key across unrelated servers.
Do not apply the RADIUS scheme to more than one ISP domain if you have configured the user-name-format without-domain command for that RADIUS scheme. Otherwise, users in different ISP domains are considered the same user if they use the same username. For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands both produce the same result: they make sure that usernames sent to the RADIUS server carry no ISP domain name.
3. Set the maximum number of RADIUS request transmission attempts: retry retry-times (Optional. The default setting is 3.)
Setting the status of RADIUS servers
By setting the status of RADIUS servers to blocked or active, you can control the AAA servers with which the device communicates when the current servers are no longer available.
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may need to change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server.
To set the status of RADIUS servers in a RADIUS scheme:
1. Enter system view: system-view
2. Enter RADIUS scheme view.
1. Enter system view: system-view
2. Specify a source IP address for outgoing RADIUS packets: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] (By default, the IP address of the outbound interface is used as the source IP address.)
To specify a source IP address for a specific RADIUS scheme:
1. Enter system view: system-view
2. Enter RADIUS scheme view: radius scheme radius-scheme-name
3.
1. Enter system view: system-view
2. Specify a backup source IP address for outgoing RADIUS packets: radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ] (Not specified by default.)
To specify a backup source IP address for a RADIUS scheme:
1. Enter system view: system-view
2. Enter RADIUS scheme view: radius scheme radius-scheme-name
3. Specify a backup source IP address for outgoing RADIUS packets.
• When a number of secondary servers are configured, the client connections of access modules that have a short client connection timeout period may still be timed out during initial authentication or accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values.
Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation. The security policy server is the management and control center for EAD. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to 30%. This threshold can only be configured through the MIB. • The failure ratio is typically small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration on and the communication between the NAS and the RADIUS server.
Configuring HWTACACS schemes
You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.
HWTACACS configuration task list
Task                                                                     Remarks
Creating an HWTACACS scheme                                              Required.
Specifying the HWTACACS authentication servers                           Required.
Specifying the HWTACACS authorization servers                            Optional.
Specifying the HWTACACS accounting servers and the relevant parameters   Optional.
Specifying the shared keys for secure HWTACACS communication             Required.
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Specify HWTACACS authentication servers. Configure at least one command. No authentication server is specified by default.
   • Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
   • Specify the secondary HWTACACS authentication server: secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] *
When the device receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the device to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the device discards the packet.
3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication: key { accounting | authentication | authorization } [ cipher | simple ] key
By default, no shared key is specified. In FIPS mode, the shared key must be a string of at least 8 characters that contains numbers, uppercase letters, lowercase letters, and special characters. The shared key configured on the device must be the same as that configured on the HWTACACS server.
If an HWTACACS server does not support a username that carries the domain name, configure the device to remove the domain name before sending the username to the server. For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands both produce the same result: they make sure that usernames sent to the HWTACACS server carry no ISP domain name.
• Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval. After sending an HWTACACS request (authentication, authorization, or accounting request), the device starts the server response timeout timer. If the device receives no response from the server before the timer expires, it resends the request. • Primary server quiet timer (quiet)—Defines the duration to keep an unreachable primary server in blocked state.
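The server-status and timer behaviour described for RADIUS schemes (the retry count, the blocked/active server status, and the warning that several secondary servers can push initial authentication past a client's own timeout) and the HWTACACS response-timeout and quiet timers above combine in ways that are easiest to see in a small model. The following Python is an added illustration, not Comware code. It assumes a simplified policy: any server that gives no answer within its retry budget is blocked for the quiet interval, and local fallback (the `[ local ]` option of the authentication commands) is used only when no server answers at all, never when a server rejects the user. The clock and the transport are injected so the model runs offline; the server addresses are constructed.

```python
"""Model of RADIUS/HWTACACS server selection: retry, response timeout,
blocked/active status with a quiet timer, and local fallback.

Added illustration, not Comware code. Simplifications assumed here: any
server that exhausts its retry budget is blocked for the quiet interval,
and local fallback is used only when no server answers. Addresses, the
clock and the transport are constructed for the demo."""
from dataclasses import dataclass


@dataclass
class Server:
    address: str
    blocked_until: float = -1.0   # model-clock time at which the quiet timer expires

    def is_blocked(self, now: float) -> bool:
        return now < self.blocked_until


class Scheme:
    def __init__(self, servers, retry=3, response_timeout=3.0, quiet=300.0,
                 local_fallback=False):
        self.servers = [Server(a) for a in servers]   # primary first, then secondaries
        self.retry = retry                            # transmission attempts per server (guide default 3)
        self.response_timeout = response_timeout      # seconds waited per attempt
        self.quiet = quiet                            # seconds a silent server stays blocked
        self.local_fallback = local_fallback          # the [ local ] option

    def worst_case_wait(self) -> float:
        """Seconds a user can wait when every server is silent and none is
        blocked yet. With many secondaries this exceeds a short client
        timeout even when retry and response_timeout are small."""
        return len(self.servers) * self.retry * self.response_timeout

    def authenticate(self, user, password, transport, local_users, now=0.0):
        """transport(address, user, password) returns 'accept', 'reject' or
        None (no answer within response_timeout). Returns (source, result)."""
        elapsed = 0.0
        for server in self.servers:
            if server.is_blocked(now + elapsed):
                continue                              # skipped until its quiet timer expires
            for _ in range(self.retry):
                result = transport(server.address, user, password)
                if result is not None:
                    return server.address, result     # a reject is final: no local fallback
                elapsed += self.response_timeout
            server.blocked_until = now + elapsed + self.quiet
        if self.local_fallback:
            ok = local_users.get(user) == password
            return "local", ("accept" if ok else "reject")
        return None, "reject"


class FakeTransport:
    """Constructed stand-in for the network: a fixed answer per server address."""
    def __init__(self, answers):
        self.answers = answers
        self.calls = []

    def __call__(self, address, user, password):
        self.calls.append(address)
        return self.answers[address]


def demo():
    scheme = Scheme(["10.1.1.1", "10.1.1.2"], local_fallback=True)
    net = FakeTransport({"10.1.1.1": None, "10.1.1.2": "accept"})   # primary silent
    first = scheme.authenticate("hello@bbb", "pw", net, {}, now=0.0)
    second = scheme.authenticate("hello@bbb", "pw", net, {}, now=100.0)
    return first, second, list(net.calls), scheme.servers[0].blocked_until


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first login costing three silent attempts on the primary before the secondary answers, after which the primary is skipped until its quiet timer expires; `worst_case_wait()` gives the figure to compare against the client-side timeout when deciding how many secondaries to configure.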
Configuring AAA methods for ISP domains By default, the device uses local (default) AAA methods for users in an ISP domain. To use other AAA methods for them, configure the device to reference existing AAA schemes for the ISP domain. For information about configuring AAA schemes, see "Configuring RADIUS schemes" and "Configuring HWTACACS schemes." To use local authentication for users in an ISP domain, first configure local user accounts on the device (see "Configuring local user attributes").
To delete the ISP domain that is functioning as the default ISP domain, you must change it to a non-default ISP domain by using the undo domain default enable command. Configuring ISP domain attributes In an ISP domain, you can configure the following attributes: • Domain status—By placing the ISP domain to the active or blocked state, you allow or deny network service requests from users in the domain.
7. Define an IP address pool for allocating addresses to PPP users: ip pool pool-number low-ip-address [ high-ip-address ] (Optional. By default, no IP address pool is configured for PPP users.)
8. Specify the default authorization user profile: authorization-attribute user-profile profile-name (Optional. By default, an ISP domain has no default authorization user profile.)
9. Set the device to include the idle cut time in the user online time to be uploaded to the server.
Configuration guidelines When configuring authentication methods, follow these guidelines: • If you configure an authentication method that references a RADIUS scheme and an authorization method that does not reference a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also carries the authorization information, but the device ignores the information. • You can configure a default authentication method for an ISP domain.
7. Specify the authentication method for portal users: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
8. Specify the authentication method for PPP users: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
9. Specify the authentication method for SSL VPN users: authentication ssl-vpn radius-scheme radius-scheme-name
10.
Configuration guidelines When configuring authorization methods, follow these guidelines: • To configure RADIUS authorization, you must also configure RADIUS authentication, and reference the same RADIUS scheme for RADIUS authentication and authorization. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails. If RADIUS authorization fails, the server sends an error message to the NAS, indicating that the server itself is not responding.
9. Specify the authorization method for PPP users: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional. The default authorization method is used by default.)
10. Specify the authorization method for SSL VPN users: authorization ssl-vpn radius-scheme radius-scheme-name (Optional. The default authorization method is used by default.)
Configuration procedure
To configure accounting methods for an ISP domain:
1. Enter system view: system-view
2. Enter ISP domain view: domain isp-name
3. Enable the accounting optional feature: accounting optional (Optional. Disabled by default. With the accounting optional feature, a device allows users to use network resources when no accounting server is available or communication with all accounting servers fails.)
4.
11. Specify the accounting method for SSL VPN users: accounting ssl-vpn radius-scheme radius-scheme-name (Optional. The default accounting method is used by default.)
Tearing down user connections
1. Enter system view: system-view
2. Tear down AAA user connections.
Two devices working in stateful failover mode for portal services are uniquely identified by their device IDs. A device ID can only be 1 or 2. For more information about the stateful failover mode for portal services, see "Configuring portal." The device ID must be used for stateful failover mode. Do not configure any device ID for a device working in stand-alone mode. Configuring or changing the device ID of a device will log out all online users of the device.
Figure 10 Network diagram Configuring the RADIUS server This section assumes that the RADIUS server runs on IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301). 1. Add the router to the IMC Platform as an access device: a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. b. Click Add to configure an access device as follows: Set the shared key for secure authentication and accounting communication to expert.
Figure 11 Adding the router as an access device 2. Add a user account for device management: a. Click the User tab, and then select Access User View > Device Mgmt User from the navigation tree. b. Click Add to configure a device management account as follows: Enter the account name hello@bbb and specify the password. Select the service type Telnet. Set the EXEC privilege level to 3. This argument identifies the privilege level of the Telnet user after login and defaults to 0. Specify 10.1.1.0 to 10.1.1.
Figure 12 Adding an account for device management
Configuring the router
# Assign an IP address to interface GigabitEthernet 3/0/1, the Telnet user access interface.
system-view
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet3/0/1] quit
# Configure the IP address of interface GigabitEthernet 3/0/2, through which the router communicates with the server.
# Set the shared key for secure authentication communication to expert.
[Router-radius-rad] key authentication expert
# Specify the service type for the RADIUS server, which must be extended when the server runs on IMC.
[Router-radius-rad] server-type extended
# Include the domain names in usernames sent to the RADIUS server.
[Router-radius-rad] user-name-format with-domain
[Router-radius-rad] quit
# Configure the AAA methods for domain bbb.
[Router] telnet server enable
# Configure the router to use AAA for Telnet users.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] quit
# Create a local user named telnet.
[Router] local-user telnet
[Router-luser-telnet] service-type telnet
[Router-luser-telnet] password simple aabbcc
[Router-luser-telnet] quit
# Configure the AAA methods for the ISP domain as local authentication and authorization.
Configuration procedure

1. Configure the HWTACACS server.
   On the HWTACACS server, set the shared keys for secure communication with the router to expert, add an account for the PPP user, and specify the password. (Details not shown.)
2. Configure the router:
# Create HWTACACS scheme hwtac.
system-view
[Router] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Router-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server.
Level switching authentication for Telnet users by a RADIUS server

Network requirements

As shown in Figure 15, configure the router to:
• Use local authentication for the Telnet user and assign the privilege level of 0 to the user when the user passes authentication.
• Use the RADIUS server for level switching authentication of the Telnet user. If the RADIUS server is not available, use local authentication.

Figure 15 Network diagram

Configuration considerations

1.
[Router-GigabitEthernet3/0/1] quit
# Configure the IP address of GigabitEthernet 3/0/2, through which the router communicates with the server.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] ip address 10.1.1.2 255.255.255.0
[Router-GigabitEthernet3/0/2] quit
# Enable the router to provide Telnet service.
[Router] telnet server enable
# Configure the router to use AAA for Telnet users.
2. Configure the RADIUS server.
   The RADIUS server in this example runs ACSv4.0. Add the usernames and passwords for user privilege level switching authentication.

Table 5 Adding usernames and passwords for user privilege level switching authentication

Username    Password    Switching to level
$enab1$     pass1       1
$enab2$     pass2       2
$enab3$     pass3       3

A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch.
Figure 17 List of the usernames for privilege level switching

3. Verify the configuration.
   After the configuration is complete, the user can Telnet to the router and use username test@bbb and password aabbcc to enter the user interface of the router, and access all level 0 commands.
telnet 192.168.1.70
Trying 192.168.1.70 ...
Press CTRL+K to abort
Connected to 192.168.1.70 ...
Password:                     <-- Enter the password for RADIUS privilege level switching authentication.
Error: Invalid configuration or no response from the authentication server.
Info: Change authentication mode to local.
Password:                     <-- Enter the password for local privilege level switching authentication.
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
   b. Click Add to configure an access device as follows:
      Set the shared key for secure authentication communication to expert.
      Set the authentication port to 1812.
      Select the service type LAN Access Service.
      Select the access device type HP(General).
      Select the access device from the device list or manually add the device with the IP address 10.1.1.2.
   c. Leave the default settings for other parameters and click OK.
Figure 20 Adding a service

3. Add an access user account:
   a. Click the User tab, and then select Access User View > All Access Users from the navigation tree.
   b. Click Add to configure a user as follows:
      Select the user or add a user named hello.
      Enter the account name portal and specify the password.
      Select the access service Portal auth.
      Configure other parameters as needed.
   c. Click OK.
Figure 22 Portal server configuration

2. Configure an IP address group:
   a. Select User Access Manager > Portal Service > IP Group from the navigation tree.
   b. Click Add to configure an IP address group as follows:
      Enter the name Portal_user.
      Set the start IP address to 192.168.1.1 and the end IP address to 192.168.1.255. Make sure the IP address group contains the IP address of the host.
      Select the action Normal.
   c. Click OK.

Figure 23 Adding an IP address group

3.
      Enter the IP address of the access interface on the router, which is 192.168.1.70.
      Enter the key, which is portal, the same as that configured on the router.
      Specify whether to enable IP address reallocation. This example uses direct portal authentication by selecting No from the Reallocate IP list.
   c. Leave the default settings for other parameters and click OK.

Figure 24 Adding a portal device

4. Associate the portal device with the IP address group:
   a.
Figure 26 Associating the portal device with the IP address group

5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations.

Configuring the router

# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Set the server type for the RADIUS scheme. When using IMC, set the server type to extended.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] portal server newpt method direct
[Router-GigabitEthernet3/0/1] quit

Verifying the configuration

The user can initiate portal authentication by using the HP iNode client or by accessing a Web page. All initiated Web requests are redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page.
Solution

Check that:
• The NAS and the RADIUS server can ping each other.
• The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS.
• The user is configured on the RADIUS server.
• The correct password is entered.
• The same shared key is configured on both the RADIUS server and the NAS.

Symptom 2

RADIUS packets cannot reach the RADIUS server.

Analysis

Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
Troubleshooting HWTACACS

Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."
802.1X overview

802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

802.1X architecture

802.1X operates in the client/server model.
Figure 28 Authorization state of a controlled port

In unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The HP devices support only unidirectional traffic control.

802.1X-related protocols

802.
Figure 29 EAP packet format

• Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The length is the sum of the Code, Identifier, Length, and Data fields.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field comprises the request type (or the response type) and the type data.
• Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.

EAP over RADIUS

RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see "Configuring AAA."

EAP-Message

RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 31. The Type field takes 79, and the Value field can be up to 253 bytes.
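The EAP header layout and the 253-byte EAP-Message fragmentation described above, as an added Python example (not code from this guide or from HP): it builds and parses EAP packets per Figure 29, then splits a long EAP packet across RADIUS EAP-Message attributes and reassembles it. The packet contents and the username are constructed for the demonstration.

```python
"""EAP packet parsing and RADIUS EAP-Message encapsulation.

Added example, not from the HP guide: it follows the EAP header layout in
Figure 29 (Code, Identifier, Length, Data) and the EAP-Message attribute
described for EAP over RADIUS (Type 79, at most 253 value bytes).
All sample packets below are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1           # RFC 3748 Identity type
EAP_TYPE_MD5_CHALLENGE = 4      # RFC 3748 MD5-Challenge type
RADIUS_ATTR_EAP_MESSAGE = 79    # attribute Type given in the text
EAP_MESSAGE_MAX_VALUE = 253     # 255-byte attribute minus the 2-byte Type/Length header


@dataclass
class EapPacket:
    code: int
    identifier: int
    data: bytes = b""   # Type byte + type data for Request/Response; empty for Success/Failure

    def encode(self) -> bytes:
        # Length counts the Code, Identifier, Length and Data fields: 4 + len(data).
        if self.code in (3, 4) and self.data:
            raise ValueError("Success/Failure packets carry no Data field")
        if self.code in (1, 2) and not self.data:
            raise ValueError("Request/Response packets must carry a Type byte")
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(self.data)) + self.data

    @property
    def eap_type(self):
        return self.data[0] if self.data else None


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting anything inconsistent with Figure 29."""
    if len(buf) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(buf):
        raise ValueError(f"EAP Length {length} inconsistent with {len(buf)} bytes received")
    data = buf[4:length]
    if code in (3, 4) and data:
        raise ValueError("Success/Failure must not carry Data")
    if code in (1, 2) and not data:
        raise ValueError("Request/Response must carry a Type byte")
    return EapPacket(code, ident, data)


def to_eap_message_attrs(eap: bytes) -> list:
    """Split an encoded EAP packet into RADIUS EAP-Message attributes (Type 79).

    Each attribute is Type | Length | Value with Length covering the 2-byte
    header, so the Value holds at most 253 bytes; a longer EAP packet is
    fragmented across several attributes in order.
    """
    attrs = []
    for off in range(0, len(eap), EAP_MESSAGE_MAX_VALUE):
        chunk = eap[off:off + EAP_MESSAGE_MAX_VALUE]
        attrs.append(bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk)
    return attrs


def from_eap_message_attrs(attrs: list) -> bytes:
    """Reassemble the EAP packet from EAP-Message attributes in order."""
    out = bytearray()
    for a in attrs:
        if len(a) < 2 or a[0] != RADIUS_ATTR_EAP_MESSAGE or a[1] != len(a):
            raise ValueError("malformed EAP-Message attribute")
        out += a[2:]
    return bytes(out)


if __name__ == "__main__":
    # Constructed: an Identity Response for "user@aabbcc.net" (the with-domain
    # username format used in the guide's examples).
    resp = EapPacket(2, 7, bytes([EAP_TYPE_IDENTITY]) + b"user@aabbcc.net")
    print(parse_eap(resp.encode()))
    big = EapPacket(2, 8, bytes([EAP_TYPE_MD5_CHALLENGE]) + b"x" * 600).encode()
    print(len(to_eap_message_attrs(big)), "EAP-Message attributes")
```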
The access device supports the following modes:
• Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
• Unicast trigger mode—Upon receiving a frame with a source MAC address that is not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address.
A comparison of EAP relay and EAP termination

Packet exchange method: EAP relay
  Benefits:
    • Supports various EAP authentication methods.
    • The configuration and processing is simple on the network access device.
  Limitations:
    The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.

Packet exchange method: EAP termination
  Benefits:
    Works with any RADIUS server that supports PAP or CHAP authentication.
  Limitations:
    • Supports only MD5-Challenge
Figure 35 802.
9. The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
11.
Figure 36 802.1X authentication procedure in EAP termination mode

In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
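The MD5 challenge exchange of EAP termination mode, as an added Python example (not code from this guide or from HP): the access device generates the challenge, the client computes MD5(Identifier || password || challenge) as EAP-MD5 and CHAP define it, and the RADIUS server recomputes that value from its stored password to accept or reject. The RADIUS CHAP-Password (Type 3) and CHAP-Challenge (Type 60) attribute layouts follow RFC 2865; the user database with localuser/localpass is constructed.

```python
"""MD5-Challenge verification as performed in EAP termination mode.

Added example, not from the HP guide. It models the three roles of Figure 36:
the network access device generates the challenge, the client answers with
MD5(Identifier || password || challenge) as EAP-MD5 and CHAP define it
(RFC 3748, RFC 1994), and the RADIUS server recomputes the value from its
stored password. The user database and password are constructed.
"""
import hashlib
import hmac
import os

CHALLENGE_LEN = 16   # bytes of random challenge the access device generates
CHAP_PASSWORD = 3    # RADIUS attribute Type (RFC 2865): Ident + 16-byte response
CHAP_CHALLENGE = 60  # RADIUS attribute Type (RFC 2865): the challenge octets


def generate_challenge(nbytes: int = CHALLENGE_LEN) -> bytes:
    """Access device side: a fresh, unpredictable challenge per attempt."""
    return os.urandom(nbytes)


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side (and what the server recomputes): MD5(ID || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one byte")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_chap_attributes(identifier: int, challenge: bytes, response: bytes):
    """RADIUS attributes the access device sends in EAP termination mode.

    Both are Type | Length | Value with Length covering the 2-byte header.
    CHAP-Password carries the Ident byte followed by the 16-byte response;
    CHAP-Challenge carries the challenge the access device generated.
    """
    chap_password = bytes([CHAP_PASSWORD, 2 + 1 + len(response), identifier]) + response
    chap_challenge = bytes([CHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    return chap_password, chap_challenge


def server_verify(user_db: dict, username: str, chap_password: bytes,
                  chap_challenge: bytes) -> bool:
    """RADIUS server side: recompute the response from the stored password.

    Attribute bytes are validated before use; a malformed attribute, unknown
    user, or mismatch all yield a rejection (Access-Reject).
    """
    if (len(chap_password) != 2 + 1 + 16 or chap_password[0] != CHAP_PASSWORD
            or chap_password[1] != len(chap_password)):
        return False
    if (len(chap_challenge) < 3 or chap_challenge[0] != CHAP_CHALLENGE
            or chap_challenge[1] != len(chap_challenge)):
        return False
    ident = chap_password[2]
    received = chap_password[3:]
    challenge = chap_challenge[2:]
    stored = user_db.get(username)
    if stored is None:
        return False
    expected = md5_challenge_response(ident, stored, challenge)
    # Constant-time comparison so the reject path does not leak digest bytes.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed user database; the names match the guide's local-user example.
    users = {"localuser@aabbcc.net": b"localpass"}
    challenge = generate_challenge()
    ident = 42
    resp = md5_challenge_response(ident, b"localpass", challenge)
    pw_attr, ch_attr = build_chap_attributes(ident, challenge, resp)
    print("accept" if server_verify(users, "localuser@aabbcc.net", pw_attr, ch_attr) else "reject")
```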
Configuring 802.1X

This chapter describes how to configure 802.1X on an HP device.
You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. For more information about port security, see "Configuring port security."

NOTE:
802.
Access control: MAC-based
  VLAN manipulation:
  • If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
  • If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns the first authenticated user's VLAN to the port as the PVID.
Auth-Fail VLAN

You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of a failure to comply with the organization's security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.
The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.
• On a port that performs port-based access control

Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable.
VLAN manipulation: Assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the critical VLAN.
Authentication status: A user in the MAC authentication guest VLAN fails 802.1X authentication because all the 802.1X authentication servers are unreachable.
VLAN manipulation: The user is removed from the MAC authentication VLAN and mapped to the 802.1X critical VLAN.

To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port. The network device assigns a hybrid port to an 802.
Task                                                                Remarks
Setting the port authorization state                                Optional.
Specifying an access control method                                 Optional.
Setting the maximum number of concurrent 802.1X users on a port     Optional.
Setting the maximum number of authentication request attempts       Optional.
Setting the 802.1X authentication timeout timers                    Optional.
Configuring the online user handshake function                      Optional.
Enabling the proxy detection function                               Optional.
Configuring the authentication trigger function                     Optional.
Enabling EAP relay or EAP termination

When configuring EAP relay or EAP termination, consider the following factors:
• The support of the RADIUS server for EAP packets
• The authentication methods supported by the 802.1X client and the RADIUS server
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use either EAP termination or EAP relay.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the port authorization state in system view or Ethernet interface view.
  Command:
    • In system view:
      dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
    • In Ethernet interface view:
      a. interface interface-type interface-number
      b.
  Remarks: By default, auto applies.
Step 2. Set the maximum number of concurrent 802.1X users on a port in system view or Ethernet interface view.
  Command:
    • In system view:
      dot1x max-user user-number [ interface interface-list ]
    • In Ethernet interface view:
      a. interface interface-type interface-number
      b.
  Remarks: The default setting is 1024.
Step 3. Set the server timeout timer.
  Command: dot1x timer server-timeout server-timeout-value
  Remarks: The default is 100 seconds.

Configuring the online user handshake function

The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command.
Enabling the proxy detection function The proxy detection function prevents users from using an authenticated 802.1X client as a network access proxy to bypass monitoring and accounting. When a user is detected accessing the network through a proxy, the network access device can send traps to the network management system or log the user off by sending an offline message.
Configuration guidelines

Follow these guidelines when you configure the authentication trigger function:
• Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.
Configuring the quiet timer

The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.

To configure the quiet timer:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the quiet timer.
  Command: dot1x quiet-period
  Remarks: By default, the timer is disabled.
Step 3.
If no critical VLAN is configured, an unreachable RADIUS server can cause an online user that is being re-authenticated to be logged off. If a critical VLAN is configured, the user remains online and in the original VLAN.

Configuring an 802.1X guest VLAN

Follow these guidelines when you configure an 802.1X guest VLAN:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.
Feature: Port intrusion protection on a port that performs MAC-based access control
  Relationship description: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: See "Configuring port security."

Before configuring an 802.1X Auth-Fail VLAN, complete the following tasks:
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure an 802.1X critical VLAN on the port.
  Command: dot1x critical vlan vlan-id
  Remarks: By default, no critical VLAN is configured.
Step 4. Configure the port to trigger 802.1X authentication on detection of a reachable authentication server for users in the critical VLAN.
  Remarks: Optional.
Displaying and maintaining 802.1X

Task: Display 802.1X session information, statistics, or configuration information of specified or all ports.
  Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear 802.1X statistics.
  Command: reset dot1x statistics [ interface interface-list ]
  Remarks: Available in user view.

802.
For information about the RADIUS commands used on the Router in this example, see Security Command Reference.
3. Assign an IP address to each interface on the Router. (Details not shown.)
4. Configure user accounts for the 802.1X users on the Router:
# Add a local user with the username localuser and the password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.
# Configure the idle cut function to log off any online domain user that has been idle for 20 minutes.
[Router-isp-aabbcc.net] idle-cut enable 20
[Router-isp-aabbcc.net] quit
# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
[Router] domain default enable aabbcc.net
7. Configure 802.1X:
# Enable 802.1X globally.
[Router] dot1x
# Enable 802.1X on port GigabitEthernet 3/0/1.
Figure 38 Network diagram

Configuration procedure

The following configuration procedure covers most AAA/RADIUS configuration commands on the Router. The configurations on the 802.1X client and the RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference.
1. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown.)
2.
4. Configure a RADIUS scheme:
# Configure RADIUS scheme 2000 and enter its view.
system-view
[Router] radius scheme 2000
# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
[Router-radius-2000] primary authentication 10.11.1.1 1812
[Router-radius-2000] primary accounting 10.11.1.
802.1X with ACL assignment configuration example

Network requirements

As shown in Figure 39, the host at 192.168.1.10 connects to port GigabitEthernet 3/0/1 of the Router. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to GigabitEthernet 3/0/1 to deny 802.1X users access to the FTP server at 10.0.0.1/24 on weekdays during business hours from 8:00 to 18:00.
# Create an ISP domain and specify RADIUS scheme 2000 as the default AAA scheme for the domain.
[Router] domain 2000
[Router-isp-2000] authentication default radius-scheme 2000
[Router-isp-2000] authorization default radius-scheme 2000
[Router-isp-2000] accounting default radius-scheme 2000
[Router-isp-2000] quit
# Configure a time range named ftp for weekdays from 8:00 to 18:00.
[Router] time-range ftp 8:00 to 18:00 working-day
# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.
Configuring EAD fast deployment

Overview

Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, Router, and third-party server to work together to improve the threat defense capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
If you use the free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both the guest VLAN and the Auth-Fail VLAN. Users can access only the free IP segments.

To configure a free IP:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure a free IP.
  Command: dot1x free-ip ip-address { mask-address | mask-length }
  Remarks: By default, no free IP is configured.

Configuring the redirect URL

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
EAD fast deployment configuration example

Network requirements

As shown in Figure 40, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 3/0/1 of the Router, and they use DHCP to obtain IP addresses. Deploy the EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network. To allow all intranet users to install and update the 802.1X client program from a web server, configure the following:
• Allow unauthenticated users to access the segment of 192.
2. Configure DHCP relay:
# Enable DHCP.
system-view
[Router] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Router] dhcp relay server-group 1 ip 192.168.2.2
# Enable the relay agent on VLAN interface 2.
[Router] interface vlan-interface 2
[Router-Vlan-interface2] dhcp select relay
# Correlate VLAN interface 2 to the DHCP server group.
[Router-Vlan-interface2] dhcp relay server-select 1
[Router-Vlan-interface2] quit
3. Configure a RADIUS scheme and an ISP domain.
The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service. Enter the external website address in dotted decimal notation, for example, 3.3.3.3 or http://3.3.3.3, in the address bar.
Configuring MAC authentication

MAC authentication is available only for SAP modules that are operating in bridge mode.

Overview

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
• If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."

MAC authentication timers

MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.
Task                                                    Remarks
Basic configuration for MAC authentication:             Required.
  • Configuring MAC authentication globally
  • Configuring MAC authentication on a port
Specifying a MAC authentication domain                  Optional.

Basic configuration for MAC authentication

Before you perform basic configuration for MAC authentication, complete the following tasks:
• Create and configure an authentication domain, also called "an ISP domain.
Configuring MAC authentication on a port

You cannot add a MAC authentication-enabled port to a link aggregation group, or enable MAC authentication on a port that is already in a link aggregation group.

To configure MAC authentication on a port:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable MAC authentication in system view or interface view.
  Command:
    • In system view:
      mac-authentication interface interface-list
    • In interface view:
      a.
Step 2. Specify an authentication domain for MAC authentication users in system view or interface view.
  Command:
    • In system view:
      mac-authentication domain domain-name
    • In interface view:
      a. interface interface-type interface-number
      b. mac-authentication domain domain-name
  Remarks: By default, the system default authentication domain is used for MAC authentication users.

Displaying and maintaining MAC authentication

Task: Display MAC authentication information.
[Router] local-user 00-e0-fc-12-34-56
[Router-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[Router-luser-00-e0-fc-12-34-56] service-type lan-access
[Router-luser-00-e0-fc-12-34-56] quit
# Configure ISP domain aabbcc.net to perform local authentication for LAN access users.
[Router] domain aabbcc.net
[Router-isp-aabbcc.net] authentication lan-access local
[Router-isp-aabbcc.net] quit
# Enable MAC authentication globally.
Slot: 3
Index=52 , Username=00-15-e9-43-82-73@aabbcc.net
IP=N/A
IPv6=N/A
MAC=00e0-fc12-3456
Total 1 connection(s) matched on slot 3.
Total 1 connection(s) matched.

RADIUS-based MAC authentication configuration example

Network requirements

As shown in Figure 42, a host connects to port GigabitEthernet 3/0/1 on the router. The router uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 3/0/1 to control Internet access.
[Router-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
[Router] domain 2000
[Router-isp-2000] authentication default radius-scheme 2000
[Router-isp-2000] authorization default radius-scheme 2000
[Router-isp-2000] accounting default radius-scheme 2000
[Router-isp-2000] quit
# Enable MAC authentication globally.
[Router] mac-authentication
# Enable MAC authentication on port GigabitEthernet 3/0/1.
Index=52 , Username=aaa@2000
IP=N/A
IPv6=N/A
MAC=00e0-fc12-3456
Total 1 connection(s) matched on slot 3.
Total 1 connection(s) matched.

ACL assignment configuration example

Network requirements

As shown in Figure 43, a host connects to port GigabitEthernet 3/0/1 of the router, and the router uses RADIUS servers to perform authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 3/0/1 to control Internet access.
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Enable MAC authentication globally.
Configuring portal authentication

Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting.

Overview

Portal authentication helps control access to the Internet. Portal authentication is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page.
Figure 44 Portal system components
(Components shown in the figure: authentication clients, security policy server, access device, portal server, authentication/accounting server.)

Authentication client

An authentication client is an entity seeking access to network resources. It is typically an end-user terminal such as a PC. A client can use a browser or portal client software for portal authentication.
Security policy server

A security policy server interacts with authentication clients and access devices for security check and resource authorization.

The components of a portal system interact as follows:
1. When an unauthenticated user enters a website address in the browser's address bar to access the Internet, an HTTP request is created and sent to the access device. The access device then redirects the HTTP request to the portal server's Web authentication homepage.
• Cross-subnet authentication
  Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to be present between the authentication client and the access device.
In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client's IP address is used for client identification.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)

Figure 46 Direct authentication/cross-subnet authentication process

The direct authentication/cross-subnet authentication process is as follows:
1. An authentication client initiates authentication by sending an HTTP request.
Re-DHCP authentication process (with CHAP/PAP authentication)

Figure 47 Re-DHCP authentication process
(Participants shown in the figure: authentication client, portal server, access device, authentication/accounting server, security policy server. Message sequence shown in the figure: 1) Initiate a connection; 2) CHAP authentication; 3) Authentication request; 4) RADIUS authentication; 5) Authentication reply; 6) Authentication succeeds; 7) The user obtains a new IP address; 8) Discover user IP change; 9) Detect user IP change; 10) Notify login success; 11) IP change acknowledg
Portal support for EAP authentication process

Figure 48 Portal support for EAP authentication process

All portal authentication modes share the same EAP authentication steps. The following example uses direct portal authentication to show the EAP authentication process:
1. The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process.
2.
8. The access device sends an authentication reply to the portal server. This reply carries the EAP-Success message in the EAP-Message attribute.
9. The portal server notifies the authentication client of the authentication success.
10. The portal server sends an authentication reply acknowledgment to the access device.
The remaining steps are for extended portal authentication. For more information about the steps, see the portal authentication process with CHAP/PAP authentication.
Stateful failover involves the following basic concepts:
• Device states:
  - Independence—A stable running status of a device when it does not establish the failover link with the other device.
  - Synchronization—A stable running status of a device when it establishes the failover link with the other device successfully and is ready for data backup.
• User modes:
  - Stand-alone—Indicates that the user data is stored on the local device only.
For information about AAA implementation across VPNs, see "Configuring AAA."

Portal configuration task list

To configure Layer 3 portal authentication:
Task                                                                Remarks
Specifying a portal server for Layer 3 portal authentication        Required.
Enabling Layer 3 portal authentication                              Required.
Controlling access of portal users:                                 Optional.
  Configuring a portal-free rule
  Configuring an authentication source subnet
  Configuring an authentication destination subnet
• With re-DHCP authentication, the IP address check function of the DHCP relay agent is enabled on the access device, and the DHCP server is installed and configured properly.
• The portal client, access device, and servers can reach each other.
• With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS server, and the RADIUS client configurations are performed on the access device. For information about RADIUS client configuration, see "Configuring AAA.
Configuration guidelines

• You can enable both direct/cross-subnet portal authentication and 802.1X authentication on a Layer 3 interface, and a user can access the network after passing either authentication. If you enable both 802.1X authentication and re-DHCP portal authentication on a Layer 3 interface, portal authentication will fail. For information about 802.1X, see "Configuring 802.1X.
Configuration guidelines

• If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.
• You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists.
• Regardless of whether portal authentication is enabled or not, you can only add or remove a portal-free rule. You cannot modify it.
Step 3. Configure an authentication source subnet.
  Command: portal auth-network network-address { mask-length | mask }
  Remarks: Optional. By default, the authentication source subnet is 0.0.0.0/0, which means that users from any subnet must pass portal authentication. You can configure multiple authentication source subnets by executing this command repeatedly. The system supports up to 16 authentication source subnets and destination subnets.
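The two guideline sets above (portal-free rules and authentication source subnets) decide whether a packet must first pass portal authentication. The following Python model is an added example, not HP's or Comware's code: the class and method names are assumptions, the sample subnets are constructed, and it only classifies a packet (free, authenticate, or outside every configured source subnet) without deciding what the device does in the last case.

```python
"""Model of the portal-free rule and authentication source subnet checks.
Added example, not Comware code: names are assumptions, subnets constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_AUTH_SUBNETS = 16  # the guide allows up to 16 authentication source subnets
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class PortalFreeRule:
    """Filtering criteria of one portal-free rule; None means 'not specified'."""
    source: Optional[str] = None      # source subnet in CIDR form
    vlan: Optional[int] = None
    interface: Optional[str] = None


@dataclass
class PortalInterface:
    """Portal state of one Layer 3 interface (hypothetical model)."""
    name: str
    vlan_members: dict                # constructed: VLAN id -> set of member interface names
    free_rules: list = field(default_factory=list)
    # Default authentication source subnet is 0.0.0.0/0: everyone must authenticate.
    auth_networks: list = field(default_factory=lambda: [ANY_NET])

    def add_free_rule(self, rule: PortalFreeRule) -> None:
        # A rule naming both a VLAN and an interface only takes effect if the
        # interface belongs to that VLAN.
        if rule.vlan is not None and rule.interface is not None:
            if rule.interface not in self.vlan_members.get(rule.vlan, set()):
                raise ValueError("interface does not belong to the VLAN; rule does not take effect")
        # Two rules with the same filtering criteria are rejected ("rule already exists").
        if rule in self.free_rules:
            raise ValueError("rule already exists")
        self.free_rules.append(rule)

    def add_auth_network(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        # Assumption of this model: the first explicit subnet replaces the 0.0.0.0/0 default.
        if self.auth_networks == [ANY_NET]:
            self.auth_networks = []
        if len(self.auth_networks) >= MAX_AUTH_SUBNETS:
            raise ValueError("at most 16 authentication source subnets")
        self.auth_networks.append(net)

    def classify(self, src_ip: str, vlan: Optional[int] = None) -> str:
        """Classify a packet from src_ip received in `vlan`:
        'free' (matches a portal-free rule), 'authenticate' (in a source subnet),
        or 'outside-source-subnets'."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.free_rules:
            if rule.source is not None and ip not in ipaddress.ip_network(rule.source, strict=False):
                continue
            if rule.vlan is not None and rule.vlan != vlan:
                continue
            if rule.interface is not None and rule.interface != self.name:
                continue
            return "free"  # every specified criterion matched
        if any(ip in net for net in self.auth_networks):
            return "authenticate"
        return "outside-source-subnets"


def rejected(action) -> bool:
    """True if `action()` is refused with ValueError (shows a rejected configuration)."""
    try:
        action()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    port = PortalInterface("GigabitEthernet3/0/2", {10: {"GigabitEthernet3/0/2"}})
    port.add_free_rule(PortalFreeRule(source="192.168.0.0/24"))  # constructed: server subnet
    print(port.classify("192.168.0.5"), port.classify("10.0.0.5"))
```

`rejected` wraps the two guideline failures (interface not in the VLAN, duplicate criteria) so a script can show them without a traceback.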
To set the maximum number of online portal users allowed in the system:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the maximum number of online portal users.
  Command: portal max-user max-number
  Remarks: By default, the maximum number of online portal users is the maximum number of online portal users supported by the system.
Step 2. Specify the NAS ID value carried in a RADIUS request.
  Command:
  • In system view: portal nas-id nas-identifier
  • In interface view:
    a. interface interface-type interface-number
    b. portal nas-id nas-identifier
  Remarks: By default, the device name configured by the sysname command is used as the NAS ID. For information about the sysname command, see Fundamentals Command Reference.
Step 3. Configure the NAS-Port-ID value.
  Command: portal nas-port-id nas-port-id-value
  Remarks: By default, no NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request.

Specifying a NAS ID profile for an interface
In some networks, user access points are identified by their access VLANs. Network carriers need to use NAS-identifiers to identify user access points.
Specifying a source IP address for outgoing portal packets
After you specify a source IP address for outgoing portal packets on an interface, that IP address is used as the source IP address of packets that the access device sends to the portal server, and as the destination IP address of packets that the portal server sends to the access device.
To specify a source IP address for outgoing portal packets:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
CAUTION:
• Specifying or changing the device ID of a device will log off all online users on the device. Therefore, perform the configuration only when necessary and, after the configuration, save the configuration and restart the device.
• When two devices are running in stateful failover mode (one active, the other standby), do not delete the configured backup source IP addresses. Otherwise, online users on the backup may not be able to receive packets from the server.
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Specify the portal group to which the portal service backup interface belongs.
  Command: portal backup-group group-id
  Remarks: By default, the portal service backup interface does not belong to any portal group. The portal service backup interfaces on the two devices for stateful failover must belong to the same portal group.
Step 4. Return to system view.
  Command: quit
  Remarks: N/A
Step 5. Specify the device ID in stateful failover mode.
Step 2. Specify an autoredirection URL for authenticated portal users.
  Command: portal redirect-url url-string
  Remarks: By default, an authenticated user is redirected to the URL the user typed in the address bar before portal authentication.
1. Detection methods (you can choose either or both):
  ◦ Probing portal heartbeat packets—A portal server that supports the portal heartbeat function (only the IMC portal server supports this function) sends portal heartbeat packets to portal access devices periodically. If an access device receives a portal heartbeat packet or an authentication packet within a probe interval, the access device considers that the probe succeeds and the portal server is reachable.
2.
Step 2. Configure the portal server detection function.
  Command: portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]
  Remarks: Not configured by default. The portal server specified in the command must exist. The portal heartbeat detection method works only when the portal server supports the portal server heartbeat function. Only the IMC portal server supports the portal server heartbeat function.
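The detection function above combines probe methods, an interval, a retry count and actions taken when reachability changes. The following Python simulation is an added example and not HP's or Comware's code: the class, its default interval and retry values, the rule that a probe round succeeds when either enabled method succeeds, and the timeline of probe results are all assumptions or constructed data.

```python
"""Simulation of portal server detection (server-detect). Added example, not
Comware code: defaults and the probe outcomes below are assumed/constructed."""
from dataclasses import dataclass, field


@dataclass
class ServerDetect:
    methods: frozenset          # subset of {"http", "portal-heartbeat"}
    actions: frozenset          # subset of {"log", "permit-all", "trap"}
    interval: int = 20          # probe interval in seconds (assumed value)
    retries: int = 3            # consecutive failed rounds before 'unreachable' (assumed)
    failures: int = 0
    reachable: bool = True
    last_portal_packet: float = float("-inf")   # time of the last heartbeat/auth packet seen
    events: list = field(default_factory=list)  # (action, new state) pairs produced so far

    def note_portal_packet(self, now: float) -> None:
        """Record a portal heartbeat or authentication packet received from the server."""
        self.last_portal_packet = now

    def probe(self, now: float, http_ok: bool = False) -> bool:
        """Run one probe round at time `now`; returns whether the server is considered reachable.
        http_ok is the constructed outcome of the HTTP probe for this round."""
        results = []
        if "http" in self.methods:
            results.append(http_ok)
        if "portal-heartbeat" in self.methods:
            # A heartbeat or authentication packet within the probe interval counts as success.
            results.append(now - self.last_portal_packet <= self.interval)
        # Assumption: with both methods enabled, the round succeeds if either method succeeds.
        if any(results):
            self.failures = 0
            if not self.reachable:
                self.reachable = True
                self._fire("reachable")
        else:
            self.failures += 1
            if self.reachable and self.failures >= self.retries:
                self.reachable = False
                self._fire("unreachable")
        return self.reachable

    def _fire(self, state: str) -> None:
        # Every configured action is taken on each reachability change.
        for action in sorted(self.actions):
            self.events.append((action, state))

    def permit_without_auth(self) -> bool:
        """True while 'permit-all' is configured and the server is unreachable."""
        return (not self.reachable) and "permit-all" in self.actions


def run_scenario() -> list:
    """Constructed timeline: heartbeat at t=0, then silence, then an HTTP probe succeeds."""
    d = ServerDetect(frozenset({"http", "portal-heartbeat"}), frozenset({"log", "permit-all"}))
    d.note_portal_packet(0)
    for t in (10, 30, 50, 70):   # only the first round is covered by the heartbeat
        d.probe(t, http_ok=False)
    d.probe(90, http_ok=True)
    return d.events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

With `retries` set to 3, the server is declared unreachable on the third consecutive failed round and the `permit-all` action stays in force only until a later round succeeds.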
Logging off portal users
Logging off a user terminates the authentication process for the user or removes the user from the authenticated users list.
To log off users:
Step 1. Enter system view.
  Command: system-view
Step 2. Log off users.
  Command: portal delete-user { ip-address | all | interface interface-type interface-number }

Displaying and maintaining portal
Task: Display the ACLs on a specific interface.
Task: Clear portal server statistics on a specific interface or all interfaces.
  Command: reset portal server statistics { all | interface interface-type interface-number }
  Remarks: Available in user view.
Task: Clear TCP spoofing statistics.
  Command: reset portal tcp-cheat statistics
  Remarks: Available in user view.

Portal configuration examples
Configuring direct portal authentication
Network requirements
As shown in Figure 51, the host is assigned a public network IP address either manually or through DHCP.
  d. Click OK.
Figure 52 Portal server configuration
2. Configure the IP address group:
  a. Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page.
  b. Click Add to enter the page shown in Figure 53.
  c. Enter the IP group name.
  d. Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group.
  e. Select a service group. By default, the group Ungrouped is used.
  f.
  a. Select User Access Manager > Portal Service > Device from the navigation tree to enter the portal device configuration page.
  b. Click Add to enter the page shown in Figure 54.
  c. Enter the device name NAS, enter the IP address of the router's interface connected to the user, and enter the key, which must be the same as that configured on the switch.
  d. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
  e.
Figure 56 Adding a port group
5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations.

Configuring the router
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting the host.
Figure 57 Network diagram
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 57 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server properly to provide authentication and authorization functions for users.
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server.
[Router-radius-rs1] user-name-format without-domain
[Router-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users.
Figure 58 Network diagram
Configuration prerequisites and guidelines
• Configure IP addresses for the host, routers, and servers as shown in Figure 58 and make sure they can reach each other.
• Configure the RADIUS server properly to provide authentication and authorization functions for users.
• Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user.
[RouterA] domain default enable dm1
3. Configure portal authentication:
# Configure the portal server as follows:
  ◦ Name: newpt
  ◦ IP address: 192.168.0.111
  ◦ Key: portal
  ◦ Port number: 50100
  ◦ URL: http://192.168.0.111:8080/portal
[RouterA] portal server newpt ip 192.168.0.
Figure 59 Network diagram
Configuration prerequisites
• Configure IP addresses for the host, router, and servers as shown in Figure 59 and make sure they can reach each other before extended portal is enabled.
• Configure the RADIUS server properly to provide authentication and authorization functions for users.
Configuration procedure
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication/authorization methods of the default domain are used for the user.
[Router] domain default enable dm1
3. Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources:
[Router] acl number 3000
[Router-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.
Figure 60 Network diagram
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 60 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server properly to provide authentication and authorization functions for users.
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server.
# Configure the IP address of the security policy server.
[Router-radius-rs1] security-policy-server 192.168.0.114
[Router-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users.
[Router-GigabitEthernet3/0/2] quit

Configuring cross-subnet portal authentication with extended functions
Network requirements
As shown in Figure 61, configure Router A to perform extended cross-subnet portal authentication for users on the host. If a user fails the security check after passing identity authentication, the user can access only subnet 192.168.0.0/24. After passing the security check, the user can access Internet resources. A RADIUS server serves as the authentication/authorization server.
[RouterA-radius-rs1] key authentication simple radius
[RouterA-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[RouterA-radius-rs1] security-policy-server 192.168.0.113
[RouterA-radius-rs1] quit
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
Configuring portal stateful failover (6600/HSR6600)
Network requirements
As shown in Figure 62, a failover link is present between Router A and Router B. Both Router A and Router B support portal authentication. Configure stateful failover between Router A and Router B to support portal service backup, and use VRRP to implement traffic switchover between the routers. More specifically:
• When Router A works normally, Host accesses Router A for portal authentication before accessing the Internet.
Configuring the portal server
This example assumes that the portal server runs on IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Configure the portal server:
  a. Log in to IMC and select the Service tab.
  b. Select User Access Manager > Portal Service > Server from the navigation tree to enter the portal server configuration page, as shown in Figure 63.
  c. Configure the portal server parameters as needed. This example uses the default settings.
  d. Click OK.
Figure 63 Portal server configuration
2.
Figure 64 Adding an IP address group
3. Add a portal device:
  a. Select User Access Manager > Portal Service > Device from the navigation tree to enter the portal device configuration page.
  b. Click Add to enter the page shown in Figure 65.
  c. Enter the device name NAS, enter the virtual IP address of the VRRP group that holds the portal-enabled interface, and enter the key, which must be the same as that configured on the routers.
  d. Set whether to enable IP address reallocation.
Figure 66 Device list
  b. On the port group configuration page, click Add to enter the page shown in Figure 67.
  c. Enter the port group name.
  d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
  e. Use the default settings for other parameters.
  f. Click OK.
Figure 67 Adding a port group
5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations.
[RouterA-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of GigabitEthernet0/0/2 in VRRP group 2 to 200.
[RouterA-GigabitEthernet0/0/2] vrrp vrid 2 priority 200
# On GigabitEthernet 0/0/2, configure the interface to be tracked as GigabitEthernet 0/0/1 and reduce the priority of GigabitEthernet 0/0/2 in VRRP group 2 by 150 when the interface state of GigabitEthernet 0/0/1 becomes Down or Removed.
5. Configure portal stateful failover:
# Assign interface GigabitEthernet0/0/1 to portal group 1.
[RouterA-GigabitEthernet0/0/1] portal backup-group 1
[RouterA-GigabitEthernet0/0/1] quit
# Set the device ID for Router A in stateful failover mode to 1.
[RouterA] nas device-id 1
# Specify the source IP address of outgoing RADIUS packets as 192.168.0.1, the virtual IP address of VRRP group 2.
[RouterA] radius nas-ip 192.168.0.1
Make sure you have added the access device with IP address 192.168.0.
3. Configure an authentication domain:
# Create ISP domain dm1 and enter its view.
[RouterB] domain dm1
# Configure AAA methods for the ISP domain.
[RouterB-isp-dm1] authentication portal radius-scheme rs1
[RouterB-isp-dm1] authorization portal radius-scheme rs1
[RouterB-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user.
  ACL:NONE
  Work-mode: primary
  VPN instance:NONE
  MAC             IP           Vlan   Interface
  ---------------------------------------------------------------------
  000d-88f8-0eac  9.9.1.2      0      GigabitEthernet0/0/1
  Total 1 user(s) matched, 1 listed.
[RouterB] display portal user all
  Index:2
  State:ONLINE
  SubState:NONE
  ACL:NONE
  Work-mode: secondary
  VPN instance:NONE
  MAC             IP           Vlan   Interface
  ---------------------------------------------------------------------
  000d-88f8-0eac  9.9.1.
Figure 68 Network diagram
Configuration considerations
1. Configure the portal server and enable the portal server heartbeat function and the portal user heartbeat function.
2. Configure the RADIUS server to implement authentication and authorization.
3. Configure direct portal authentication on interface GigabitEthernet 3/0/2, which is directly connected to the host.
4.
Figure 69 Portal server configuration
2. Configure the IP address group:
  a. Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page.
  b. Click Add to enter the page shown in Figure 70.
  c. Enter the IP group name.
  d. Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group.
  e. Select a service group. By default, the group Ungrouped is used.
  f.
  c. Enter the device name NAS.
  d. Enter the IP address of the router's interface connected to the user.
  e. Enter the key, which must be the same as that configured on the switch.
  f. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
  g. Select Yes for both Support Server Heartbeat and Support User Heartbeat.
  h. Click OK.
Figure 71 Adding a portal device
4.
Figure 73 Adding a port group
5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations.

Configuring the router
1. Configure a RADIUS scheme:
# Create RADIUS scheme rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Configure the server type for the RADIUS scheme. When using the IMC server, configure the RADIUS server type as extended.
[Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting the host.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] portal server newpt method direct
[Router-GigabitEthernet3/0/2] quit
4.
Figure 74 Network diagram
Configuration prerequisites
• Before enabling portal authentication, be sure to configure the MPLS L3VPN capabilities properly and specify VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other. This example gives only the access authentication configuration on the user-side PE. For information about MPLS L3VPN, see MPLS Configuration Guide.
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user.
[RouterA] domain default enable dm1
3. Configure portal authentication:
# Configure the portal server as follows:
  ◦ Name: newpt
  ◦ IP address: 192.168.0.111
  ◦ VPN: vpn3
  ◦ Key: portal, in plain text
  ◦ Port number: 50100
  ◦ URL: http://192.168.0.
Analysis
The keys on the access device and on the portal server are not configured consistently, causing CHAP message exchange failure. As a result, the portal server does not display the authentication page.
Solution
• Use the display portal server command to display the key for the portal server on the access device, and view the key for the access device on the portal server.
Configuring port security
Overview
Port security is available only for SAP modules that are operating in bridge mode.
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port.
Port security modes
Port security supports the following categories of security mode:
• MAC learning control—Includes autoLearn and secure. MAC address learning is permitted on ports in autoLearn mode and disabled on ports in secure mode.
• Authentication—Implements MAC authentication, 802.1X authentication, or a combination of the two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
TIP:
• userLogin specifies 802.1X authentication and port-based access control.
• macAddress specifies MAC authentication.
• Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request.
• Typically, in a security mode with Or, the authentication method to be used depends on the protocol type of the authentication request.
Performing MAC authentication
macAddressWithRadius: A port in this mode performs MAC authentication and services multiple users.
Performing a combination of MAC authentication and 802.1X authentication
• macAddressOrUserLoginSecure
  This mode is the combination of the macAddressWithRadius and userLoginSecure modes. The port performs MAC authentication 30 seconds after receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
Enabling port security
When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in the different security modes. Before you enable port security, disable 802.1X and MAC authentication globally.
To enable port security:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable port security.
Setting the port security mode
After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.
You can specify a port security mode when port security is disabled, but your configuration cannot take effect.
Configuring port security features
Configuring NTK
The NTK feature checks destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, see Table 8.
The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
Step 3. Configure the intrusion protection feature.
  Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
  Remarks: By default, intrusion protection is disabled.
Step 4. Return to system view.
  Command: quit
  Remarks: N/A
Step 5. Set the silence timeout period during which a port remains disabled.
  Command: port-security timer disableport time-value
  Remarks: Optional. 20 seconds by default.
Table 9 A comparison of static, sticky, and dynamic secure MAC addresses
Type     Address sources                                                                                                                                                            Can be saved and survive a device reboot?   Aging mechanism
Static   Manually added.                                                                                                                                                                                                        Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature.
Sticky   Manually added, converted from dynamic secure MAC addresses, or automatically learned when the dynamic secure MAC function (port-security mac-address dynamic) is disabled.                                             Not available (same as static).
Step 2. Set the secure MAC aging timer.
  Command: port-security timer autolearn aging time-value
  Remarks: Optional. By default, secure MAC addresses do not age out, and you can remove them only by executing the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
Step 3. Configure a secure MAC address.
  Command:
  • In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
Displaying and maintaining port security
Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports.
  Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about secure MAC addresses.
[Router] port-security trap intrusion
[Router] interface gigabitethernet 3/0/1
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Router-GigabitEthernet3/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Router-GigabitEthernet3/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
# Perform the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message:
#Jul 14 10:39:47:135 2009 Router PORTSEC/4/VIOLATION: -Slot=3; Trap 1.3.6.1.4.1.25506.2.26.1.3.
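The autoLearn example above (64-address limit, automatic switch to secure mode, temporary port shutdown on intrusion) together with the NTK and intrusion protection features described earlier can be traced with a small model. The following Python code is an added example, not HP's or Comware's code: the class, its method names and the `0200-0000-xxxx` addresses are assumptions and constructed data; only the default 20-second silence timer, the three intrusion modes, the ntkonly rule and the PORTSEC/4/VIOLATION trap name come from the guide.

```python
"""Model of an autoLearn port with intrusion protection and NTK. Added example,
not Comware code: names are assumptions, MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Optional


def is_group_mac(mac: str) -> bool:
    """True for multicast/broadcast MACs (I/G bit set); MAC written as hhhh-hhhh-hhhh."""
    return int(mac[0:2], 16) & 1 == 1


@dataclass
class SecurePort:
    max_mac_count: int
    intrusion_mode: str = "disableport-temporarily"   # blockmac | disableport | disableport-temporarily
    disableport_timer: float = 20.0                     # guide: 20 seconds by default
    ntk_mode: Optional[str] = None                      # None (NTK off) or "ntkonly"
    mode: str = "autoLearn"
    secure_macs: set = field(default_factory=set)
    blocked_macs: set = field(default_factory=set)
    disabled_until: Optional[float] = None
    traps: list = field(default_factory=list)

    def port_disabled(self, now: float) -> bool:
        return self.disabled_until is not None and now < self.disabled_until

    def ingress(self, src_mac: str, now: float = 0.0) -> bool:
        """Process an inbound frame; returns True if the port accepts it."""
        if self.port_disabled(now) or src_mac in self.blocked_macs:
            return False
        if src_mac in self.secure_macs:
            return True
        if self.mode == "autoLearn":
            self.secure_macs.add(src_mac)
            if len(self.secure_macs) >= self.max_mac_count:
                self.mode = "secure"      # limit reached: learning stops
            return True
        # secure mode: a frame with an unknown source MAC triggers intrusion protection
        self.traps.append(f"PORTSEC/4/VIOLATION: {src_mac}")
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src_mac)
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        else:
            self.disabled_until = now + self.disableport_timer
        return False

    def egress(self, dst_mac: str) -> bool:
        """NTK check on an outbound frame; ntkonly passes only unicast frames to secure MACs."""
        if self.ntk_mode != "ntkonly":
            return True
        return (not is_group_mac(dst_mac)) and dst_mac in self.secure_macs


def constructed_mac(i: int) -> str:
    """Constructed locally administered unicast MAC 0200-0000-xxxx for the demo."""
    return f"0200-0000-{i:04x}"


if __name__ == "__main__":
    port = SecurePort(max_mac_count=64, disableport_timer=30, ntk_mode="ntkonly")
    for i in range(64):
        port.ingress(constructed_mac(i), now=i)
    print(port.mode, port.ingress(constructed_mac(999), now=100), port.traps)
```

The model reproduces the sequence the guide describes: the 64th learned address flips the port to secure, the next unknown source produces a violation trap and silences the port for the configured 30 seconds, after which frames from already learned addresses are accepted again.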
• Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
Figure 76 Network diagram
Configuration procedure
The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Configuration procedures for the host and RADIUS servers are not shown.
1. Configure the RADIUS protocol:
# Configure a RADIUS scheme named radsun.
[Router] port-security enable
# Add five OUI values.
[Router] port-security oui 1234-0100-1111 index 1
[Router] port-security oui 1234-0200-1111 index 2
[Router] port-security oui 1234-0300-1111 index 3
[Router] port-security oui 1234-0400-1111 index 4
[Router] port-security oui 1234-0500-1111 index 5
[Router] interface gigabitethernet 3/0/1
# Set the port security mode to userLoginWithOUI.
  Quiet-interval(min)                 : 5
  Username format                     : without-domain
  Data flow unit                      : Byte
  Packet unit                         : one
# Display the configuration of the ISP domain sun.
  Proxy logoff checker is disabled
  EAD quick deploy is disabled
  Configuration: Transmit Period    30 s,  Handshake Period   15 s
                 Quiet Period       60 s,  Quiet Period Timer is disabled
                 Supp Timeout       30 s,  Server Timeout    100 s
                 Reauth Period    3600 s
                 The maximal retransmitting times   2
  EAD quick deploy configuration:
                 EAD timeout:       30m
  The maximum 802.1X user resource number is 2048 per slot
  Total current used 802.1X resource number is 1
  GigabitEthernet3/0/1 is link-up
  802.
[Router] display mac-address interface gigabitethernet 3/0/1
MAC ADDR         VLAN ID   STATE     PORT INDEX              AGING TIME(s)
1234-0300-0011   1         Learned   GigabitEthernet3/0/1    AGING
---  1 mac address(es) found  ---

Configuring the macAddressElseUserLoginSecure mode
Network requirements
As shown in Figure 76, a client is connected to the Router through GigabitEthernet 3/0/1. The Router authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
# Set the NTK mode of the port to ntkonly.
[Router-GigabitEthernet3/0/1] port-security ntk-mode ntkonly
[Router-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display the port security configuration.
  1234-0300-0013   MAC_AUTHENTICATOR_SUCCESS   15
# Display 802.1X authentication information.
display dot1x interface GigabitEthernet 3/0/1
  Equipment 802.
  1. Authenticated user : MAC address: 0002-0000-0011
  Controlled User(s) amount to 1
As NTK is enabled, frames with an unknown destination MAC address, multicast address, or broadcast address will be discarded.

Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode.
[Router-GigabitEthernet3/0/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
Cannot change port security mode when a user is online
Symptom
Port security mode cannot be changed when an 802.1X authenticated or MAC authenticated user is online.
[Router-GigabitEthernet3/0/1] undo port-security port-mode
Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet3/0/1.
Analysis
Changing the port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online.
Configuring a user profile
Overview
A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a user profile, and enter its view.
  Command: user-profile profile-name
  Remarks: You can also use this command to enter the view of an existing user profile.

Performing configurations in user profile view
After a user profile is created, perform configurations in user profile view. The configuration made in user profile view takes effect when the user profile is enabled and a user using the user profile goes online.
Configuring password control
Overview
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
• Minimum password length
  By setting a minimum password length, you can require users to use passwords long enough for system security.
• Password history
  With this feature enabled, the system maintains a certain number of entries for the passwords that a user has used. When a user changes the password, the system checks the new password against the history passwords and the current password. The new password must differ from the used ones by at least four characters, and the four characters must not be the same. Otherwise, the user fails to change the password and the system displays an error message.
Password combination level   Minimum number of character types   Minimum number of characters for each type
Level 3                      Three                               One
Level 4                      Four                                One
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password.
When a user sets or changes the password, the system checks whether the password meets the composition requirement. If not, the system displays an error message.
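The password history rule and the composition table above (type count and per-type minimum, with combination levels 3 and 4 corresponding to three and four required types) can be checked with the following Python code. It is an added example and not HP's or Comware's code: the four character classes (uppercase, lowercase, digits, punctuation), the reading of the history rule as "at least four distinct characters not present in the old password", the policy values (12-character minimum, two types of five characters each, as in the configuration example later in this chapter) and the sample passwords are assumptions or constructed data.

```python
"""Password composition and history checks. Added example, not Comware code:
character classes, the four-character rule reading and the samples are assumed."""
import string
from dataclasses import dataclass, field

# Assumed character types: uppercase, lowercase, digits, printable special characters.
CHAR_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def composition_ok(password: str, type_number: int, type_length: int = 1) -> bool:
    """True if at least `type_number` character types each contribute >= `type_length`
    characters. Combination levels 3 and 4 map to type_number 3 and 4 with type_length 1."""
    per_type = (sum(ch in chars for ch in password) for chars in CHAR_TYPES.values())
    return sum(1 for n in per_type if n >= type_length) >= type_number


def differs_enough(new: str, old: str, min_new: int = 4) -> bool:
    """Assumed reading of the history rule: the new password must contain at least
    four distinct characters that do not occur in the old one."""
    return len(set(new) - set(old)) >= min_new


@dataclass
class PasswordState:
    """Per-user password state under a hypothetical local policy."""
    min_length: int = 12
    type_number: int = 2
    type_length: int = 5
    max_history: int = 4                 # password-control history max-record-num default
    current: str = ""
    history: list = field(default_factory=list)

    def change(self, new: str) -> str:
        """Apply a password change; returns 'ok' or the reason the change was refused."""
        if len(new) < self.min_length:
            return "too short"
        if not composition_ok(new, self.type_number, self.type_length):
            return "composition requirement not met"
        for old in [self.current, *self.history]:
            if old and not differs_enough(new, old):
                return "too similar to a previously used password"
        if self.current:
            self.history.insert(0, self.current)
            del self.history[self.max_history:]   # keep only the newest records
        self.current = new
        return "ok"


if __name__ == "__main__":
    state = PasswordState()
    for candidate in ("short1234", "abcdefghij12", "abcdefgh12345", "abcdefgh12346"):
        print(candidate, "->", state.change(candidate))   # constructed samples
```

The history check is applied against the current password and every retained record, so trimming the record list to `max_history` entries is what lets an old password become usable again.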
Password control configuration task list
The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:
• Settings for super passwords apply only to super passwords.
• Settings in local user view apply only to the password of the local user.
  ◦ Password composition checking
To enable password control:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the global password control feature.
  Command: password-control enable
  Remarks: By default, the global password control feature is disabled.
Step 3. Enable a specific password control function.
  Command: password-control { aging | composition | history | length } enable
  Remarks: Optional. All of the four password control functions are enabled by default.
Step 7. Set the maximum number of history password records for each user.
  Command: password-control history max-record-num
  Remarks: Optional. 4 by default.
Step 8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
  Remarks: Optional.
Setting local user password control parameters
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a local user and enter local user view.
  Command: local-user user-name
  Remarks: N/A
Step 3. Configure the password aging time for the local user.
  Command: password-control aging aging-time
  Remarks: Optional. By default, the setting equals that for the user group to which the local user belongs. If no aging time is configured for the user group, the global setting applies to the local user.
Step 4.
  Remarks: Optional.
Step 3. Configure the minimum length for super passwords.
  Command: password-control super length length
  Remarks: Optional. By default, the minimum super password length is the same as the global minimum password length.
Step 4. Configure the password composition policy for super passwords.
  Command: password-control super composition type-number type-number [ type-length type-length ]
  Remarks: Optional. By default, the super password composition policy is the same as the global password composition policy.
Password control configuration example

Network requirements
Implement the following global password control policy:
• An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
• A user can log in five times within 60 days after the password expires.
• The password expires after 30 days.
• The minimum password update interval is 36 hours.
• The maximum account idle time is 30 days.
[Sysname] super password level 3 simple 12345ABGFTweuix
# Create a local user named test.
[Sysname] local-user test
# Set the service type of the user to Telnet.
[Sysname-luser-test] service-type telnet
# Set the minimum password length to 12 for the local user.
[Sysname-luser-test] password-control length 12
# Specify that the passwords of the local user must contain at least two types of valid characters and each type contains at least five characters.
State: Active
ServiceType: telnet
Access-limit: Disable
User-group: system
Current AccessNum: 0
Bind attributes:
Authorization attributes:
Password aging: Enabled (20 days)
Password length: Enabled (12 characters)
Password composition: Enabled (2 types,
Total 1 local user(s) matched.
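The checks the example above configures (minimum length, composition type-number and type-length, aging, history records, and a login-attempt limit) can be modelled in code to see how each one decides. The following Python is an added example, not code from the HP guide or the router software; the four character types it counts (digits, uppercase, lowercase, special), the class and function names, and the sample values are this example's own assumptions.

```python
"""Added example (not from the HP guide): a model of the password control
checks the chapter configures. Class names and the four character types
(digits, uppercase, lowercase, special) are this example's assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

EPOCH = datetime(2014, 5, 7)          # constructed reference time


def days(n: int) -> datetime:
    """Constructed clock: n days after EPOCH."""
    return EPOCH + timedelta(days=n)


def _count_types(password: str) -> dict:
    """Count characters in each of the four assumed composition types."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "special": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["special"] += 1
    return counts


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored history records do not leak old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class PasswordPolicy:
    min_length: int = 10        # password-control length
    type_number: int = 1        # password-control composition type-number
    type_length: int = 1        # password-control composition type-length
    history_max: int = 4        # password-control history max-record-num
    aging_days: int = 90        # password-control aging
    login_attempts: int = 3     # failures allowed before the account is locked

    def composition_problems(self, password: str) -> list:
        """Return the policy violations of a candidate password ([] means ok)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        qualifying = [t for t, n in _count_types(password).items()
                      if n >= self.type_length]
        if len(qualifying) < self.type_number:
            problems.append(f"needs {self.type_number} character types with "
                            f"at least {self.type_length} characters each")
        return problems


@dataclass
class LocalUser:
    name: str
    policy: PasswordPolicy
    history: list = field(default_factory=list)  # (salt, hash), newest last
    changed_at: datetime = None
    failures: int = 0
    locked: bool = False

    def set_password(self, password: str, now: datetime) -> list:
        """Apply composition and history checks; store the password if they pass."""
        problems = self.policy.composition_problems(password)
        if any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history):
            problems.append("matches a recorded previous password")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-self.policy.history_max:]  # keep N records
        self.changed_at = now
        return []

    def expired(self, now: datetime) -> bool:
        return now - self.changed_at > timedelta(days=self.policy.aging_days)

    def login(self, password: str, now: datetime) -> str:
        """Return accepted / expired / rejected / locked for one login attempt."""
        if self.locked:
            return "locked"
        salt, current = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), current):
            self.failures += 1
            if self.failures >= self.policy.login_attempts:
                self.locked = True      # the example's "permanently prohibited"
                return "locked"
            return "rejected"
        self.failures = 0
        return "expired" if self.expired(now) else "accepted"
```

The policy object mirrors the local-user settings from the example (length 12, two types of at least five characters, 20-day aging); a failed attempt counts against the user even when the password would otherwise be accepted later, and a forged or mistyped password never touches the history list.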
Configuring RSH

Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. Windows NT, 2000, XP, and 2003 are shipped with no RSH daemon. The RSH daemon must be separately obtained and installed on the remote host. The RSH daemon supports authentication of an RSH client by the username only, with no password or cryptographic check, so RSH should be used only on trusted management networks. Figure 77 shows a network diagram for the typical RSH application.
Figure 77 RSH application

Configuration prerequisites
• Run the RSH daemon on the remote host.
Figure 78 Network diagram

Configuration procedure
1. Check that the RSH daemon has been installed and started properly on the remote host:
   a. From the Windows Control Panel, open the Administrative Tools folder. (For Windows XP, if you use the category view of the Control Panel window, select Administrative Tools from Performance and Maintenance.)
   Figure 79 Administrative Tools folder
   b. Double-click the Services icon to display the Services window.
   Figure 80 Services window
   c.
   d. Look at the Status column to check whether the Remote Shell Daemon service is started. In this example, the service is not started yet.
   e. Double-click the Remote Shell Daemon service row, and then in the Remote Shell Daemon Properties window that appears, click Start to start the service, as shown in Figure 81.
   Figure 81 Remote Shell Daemon Properties window
2. Configure the router:
# Configure a route to the remote host. (Details not shown.)
# Set the time of the host remotely.
rsh 192.168.1.
Managing public keys

To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 82.
Task: Configuring a local asymmetric key pair on the local device
• Creating a local asymmetric key pair
• Displaying or exporting the local host public key
• Destroying a local asymmetric key pair
• Exporting an RSA key pair
• Importing an RSA key pair
Remarks: Choose one or more tasks.
Exporting an RSA key pair

To copy a local RSA key pair to another device, you must export the RSA key pair on the local device and then import it to the target router. For information about importing an RSA key pair, see "Importing an RSA key pair."
To export an RSA key pair:
• Enter system view.
Creating a local asymmetric key pair

When you create an asymmetric key pair on the local device, follow these guidelines:
• Create an asymmetric key pair of the proper type to work with a target application.
• After you enter the command, specify a proper modulus length for the key pair.
The following table compares these types of key pairs.
Displaying and recording the host public key information

• Display the local RSA public keys.
  Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view. Use at least one command. The display public-key local rsa public command displays both the RSA server and host public keys.
• Display the local DSA host public key.
  Command: display public-key local dsa public [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view. Use at least one command.
After you export the host public key in a specific format to a file, transfer the file to the peer device.

Destroying a local asymmetric key pair

You might have to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the local certificate expires. For more information about the local certificate, see "Configuring PKI."
2. Import an RSA key pair.
   Command: public-key local import rsa name key-name pem
   Remarks: After you execute the public-key local import command, copy the private key of the RSA key pair at the prompt (the public key is included in the private key), press Ctrl+C, and then enter the password used to encrypt the RSA key pair when the key pair was exported. You cannot use an imported RSA key pair as the default RSA key pair. The RSA key pair to be imported must be in PEM format.
2. Specify a name for the public key and enter public key view.
   Command: public-key peer keyname
   Remarks: N/A
3. Enter public key code view.
   Command: public-key-code begin
   Remarks: N/A
4. Configure the peer public key.
   Command: Type or copy the key.
   Remarks: Spaces and carriage returns are allowed between characters.
5. Return to public key view.
   Command: public-key-code end
   Remarks: When you exit public key code view, the system automatically saves the public key.
6. Return to system view.
system-view
[RouterA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
Public key code view: return to last view with "public-key-code end".
system-view
[RouterA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
[RouterA-luser-ftp] service-type ftp
[RouterA-luser-ftp] authorization-attribute level 3
[RouterA-luser-ftp] quit
3. From Router B, use FTP to log in to Router A, and get the public key file routera.pub with the file transfer mode of binary.
ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] get routera.
Exporting and importing an RSA key pair

Network requirements
Create and export an RSA key pair on Router A, and then import the key pair to Router B.
Figure 85 Network diagram

Configuration procedure
1. Configure Router A:
# Create a local RSA key pair named rsa1 with the default modulus length of 1024 bits.
system-view
[RouterA] public-key local create rsa name rsa1
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
gHP4+NF4PC9B1/GZoAYUp+171p1QwPk0vyU3TXijueqVUpQBUHGxSE0UW+SS1iwL
8vsSLHIwK4aZ77Z1o+Uw1QBoqw9jpubG4gUkX8RII8E8b13I6/QTH78E4/FgAmIQ
HTYnE2RDHXkhPGR5FGJsZnd21XLvd2BEkGGmhTk80nDeiI2XH3D48E6UahQwcam/
q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV
0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg==
-----END RSA PRIVATE KEY-----
Copy the private key (starting from -----BEGIN RSA PRIVATE KEY-----) to a file for later import.
2.
04C7F80D81F40B18105A88DFDE1802279062906F8DC65872A1F763F7BF471548D709118494C5F622
0E58D5F2722A7A183999075EB494828DB7843855A81A0E701C1CDC15BBEF136329308DC179CD9D38
BB30203010001
# Display the public key information of local RSA key pairs on Router A.
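The hex dump above is DER-encoded key material (the trailing bytes 02 03 01 00 01 are the INTEGER 65537, the public exponent). Before a displayed key is typed into a peer with public-key-code begin, or a host key accepted from a file, a practitioner decodes it and confirms a fingerprint out of band. The following Python is an added example, not code from the HP guide or the router software; the sample key is constructed (its modulus is not a product of two primes), and treating the display format as either a bare RSAPublicKey or a SubjectPublicKeyInfo wrapper is this example's assumption.

```python
"""Added example (not from the HP guide): decode the hex dump of an RSA
public key as displayed by the device and compute a fingerprint to confirm
the key out of band. The key material below is constructed for this demo."""
import hashlib
import hmac


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body               # keep the INTEGER positive
    return b"\x02" + _encode_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _encode_len(len(body)) + body


# rsaEncryption OID 1.2.840.113549.1.1.1 with NULL parameters
RSA_ALGORITHM_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def wrap_subject_public_key_info(rsa_der: bytes) -> bytes:
    """Wrap an RSAPublicKey in the X.509 SubjectPublicKeyInfo structure."""
    bit_string = b"\x03" + _encode_len(len(rsa_der) + 1) + b"\x00" + rsa_der
    body = RSA_ALGORITHM_ID + bit_string
    return b"\x30" + _encode_len(len(body)) + body


def decode_rsa_public_key(der: bytes):
    """Return (modulus, exponent); accepts a bare RSAPublicKey or the
    SubjectPublicKeyInfo wrapper (AlgorithmIdentifier + BIT STRING)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    if t1 == 0x30:                           # AlgorithmIdentifier: unwrap
        t2, v2, _ = _read_tlv(body, pos)
        if t2 != 0x03:
            raise ValueError("expected BIT STRING")
        return decode_rsa_public_key(v2[1:])  # skip the unused-bits octet
    t2, v2, _ = _read_tlv(body, pos)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(v1, "big"), int.from_bytes(v2, "big")


def hex_dump_to_der(text: str) -> bytes:
    """Accept the wrapped hex the display command prints, whitespace and all."""
    return bytes.fromhex("".join(text.split()))


def fingerprint(der: bytes) -> str:
    """SHA1 over the DER bytes, grouped in fours like the device prints fingerprints."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Constant-time comparison against a fingerprint read out of band."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return hmac.compare_digest(norm(fingerprint(der)), norm(expected))


# Constructed sample: a 1024-bit number shaped like a modulus, exponent 65537.
SAMPLE_N = int("C3" + "5A" * 126 + "D1", 16)
SAMPLE_E = 65537
SAMPLE_DER = encode_rsa_public_key(SAMPLE_N, SAMPLE_E)
```

Feeding the device's own hex dump through hex_dump_to_der and decode_rsa_public_key recovers the modulus length and exponent, and fingerprint gives a string to read back to the peer's administrator over a separate channel; the comparison is constant-time so a typo and a mismatch look the same to an observer of timing.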
Configuring PKI

Overview
The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other. A key problem with PKI is how to manage the public keys.
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.
PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it works:
1. An entity submits a certificate request to the RA.
2. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA.
3. The CA verifies the digital signature, approves the application, and issues a certificate.
4.
Task: Requesting a certificate
• Configuring automatic certificate request
• Manually requesting a certificate
Remarks: Required. Use either method.
Task: Obtaining certificates. Remarks: Optional.
Task: Verifying PKI certificates. Remarks: Optional.
Task: Destroying the local RSA key pair. Remarks: Optional.
Task: Removing a certificate. Remarks: Optional.
Task: Configuring an access control policy. Remarks: Optional.
4. Configure the country code for the entity.
   Command: country country-code-str
   Remarks: Optional. No country code is specified by default.
5. Configure the FQDN for the entity.
   Command: fqdn name-str
   Remarks: Optional. No FQDN is specified by default.
6. Configure the IP address for the entity.
   Command: ip ip-address
   Remarks: Optional. No IP address is specified by default.
7. Configure the locality for the entity.
   Command: locality locality-name
   Remarks: Optional. No locality is specified by default.
8.
needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.
• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to configure the IP address of the LDAP server.
Requesting a certificate

When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means such as phone, disk, or email.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
If a PKI domain already has a CA certificate, you cannot obtain another CA certificate for it. This restriction helps avoid inconsistency between the certificate and registration information resulting from configuration changes. To obtain a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first. Be sure that the device system time falls in the validity period of the certificate so that the certificate is valid.
6. Return to system view.
   Command: quit
   Remarks: N/A
7. Obtain the CA certificate.
   Command: See "Obtaining certificates."
   Remarks: N/A
8. Obtain the CRLs.
   Command: pki retrieval-crl domain domain-name
9. Verify the validity of a certificate.
   Command: pki validate-certificate { ca | local } domain domain-name
   This command is not saved in the configuration file.

Verifying PKI certificates without CRL checking
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter PKI domain view.
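The verification steps above, and the repeated advice to keep the device clock synchronized with the CA, come down to a small decision procedure: is the device time inside the validity periods, is the CRL current, and is the certificate's serial absent from it. The following Python is an added example, not code from the HP guide or the router software; it models that decision on constructed certificate and CRL records, so field names and sample values are this example's own, and signature verification is represented only by an issuer-name check.

```python
"""Added example (not from the HP guide): the validity decision behind
"verify with / without CRL checking", on constructed records. Real
signature verification is out of scope; only the issuer name is checked."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Certificate:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: set = field(default_factory=set)   # revoked serial numbers


def at(year: int, month: int, day: int) -> datetime:
    """Constructed device clock reading."""
    return datetime(year, month, day)


def validate_certificate(cert: Certificate, ca_cert: Certificate,
                         device_time: datetime, crl: Crl = None,
                         crl_check: bool = True) -> list:
    """Return the reasons the certificate is not valid now ([] means valid)."""
    reasons = []
    if cert.issuer != ca_cert.subject:
        reasons.append("issuer does not match the CA certificate")
    if not (ca_cert.not_before <= device_time <= ca_cert.not_after):
        reasons.append("CA certificate is outside its validity period")
    # A skewed device clock fails this check even for a perfectly good certificate.
    if not (cert.not_before <= device_time <= cert.not_after):
        reasons.append(f"device time {device_time:%Y-%m-%d} is outside the validity period")
    if crl_check:
        if crl is None:
            reasons.append("CRL checking is enabled but no CRL has been obtained")
        else:
            if crl.issuer != ca_cert.subject:
                reasons.append("CRL was not issued by the trusted CA")
            if not (crl.this_update <= device_time <= crl.next_update):
                reasons.append("CRL is stale; retrieve a new CRL")
            if cert.serial in crl.revoked:
                reasons.append("certificate is revoked")
    return reasons


# Constructed sample records (not real certificates).
CA_CERT = Certificate("CA server", "CA server", 1, at(2013, 1, 1), at(2023, 1, 1))
LOCAL_CERT = Certificate("router", "CA server", 0x1234, at(2014, 1, 1), at(2015, 1, 1))
CURRENT_CRL = Crl("CA server", at(2014, 5, 1), at(2014, 6, 1), {0x9999})
REVOKING_CRL = Crl("CA server", at(2014, 5, 1), at(2014, 6, 1), {0x9999, 0x1234})
```

With CRL checking disabled the revoked certificate is accepted, which is exactly the exposure the "without CRL checking" variant trades for not needing a reachable CRL distribution point; the stale-CRL case shows why the CRL update period has to be honoured as well.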
2. Delete certificates.
   Command: pki delete-certificate { ca | local } domain domain-name

Configuring an access control policy
By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
To configure a certificate attribute-based access control policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a certificate attribute group and enter its view.
• Display information about one or all certificate attribute-based access control policies.
  Command: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

PKI configuration examples
The SCEP add-on is required when you use the Windows Server as the CA.
After the configuration, make sure the system clock of the device is synchronized with that of the CA, so that the device can request certificates and obtain CRLs properly.

Configuring the router
1. Configure the entity DN:
# Configure the entity name as aaa and the common name as router.
system-view
[Router] pki entity aaa
[Router-pki-entity-aaa] common-name router
[Router-pki-entity-aaa] quit
2. Configure the PKI domain:
# Create PKI domain torsa and enter its view.
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
# Obtain CRLs and save them locally.
[Router] pki retrieval-crl domain torsa
Connecting to server for retrieving CRL. Please wait a while.....
CRL retrieval success!
# Request a local certificate manually.
19103439 3D4F9359 88FB59F3 8D4B2F6C 2B
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
URI:http://4.4.4.133:447/myca.crl
You can also use other display commands (display pki certificate ca domain and display pki crl domain) to display detailed information about the CA certificate and CRLs.

Certificate request from a Windows 2003 CA server

Network requirements
Configure PKI entity Router to request a local certificate from the CA server.
   d. Specify the path for certificate service in the Local path text box. To avoid conflict with existing services, specify an available port number as the TCP port number of the default website.
After completing the configuration, check that the system clock of the router is synchronized with that of the CA server, so that the router can request a certificate normally.

Configuring the router
1. Configure the entity DN:
# Configure the entity name as aaa and the common name as router.
SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
# Request a local certificate manually.
[Router] pki request-certificate domain torsa challenge-word
Certificate is being requested, please wait......
[Router]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE
X509v3 CRL Distribution Points:
URI:http://l00192b/CertEnroll/CA%20server.crl
URI:file://\\l00192b\CertEnroll\CA server.crl
Authority Information Access:
CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
1.3.6.1.4.1.311.20.2:
.0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.
Configuration procedure
1. Configure Router A:
# Configure the entity DN.
system-view
[RouterA] pki entity en
[RouterA-pki-entity-en] ip 2.2.2.1
[RouterA-pki-entity-en] common-name routera
[RouterA-pki-entity-en] quit
# Configure the PKI domain. The URL of the registration server varies with the CA server.
[RouterA] pki domain 1
[RouterA-pki-domain-1] ca identifier CA1
[RouterA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.
[RouterB-pki-domain-1] ldap-server ip 1.1.1.102
# Set the registration authority to RA.
[RouterB-pki-domain-1] certificate request from ra
# Configure the CRL distribution URL. This is not necessary if CRL checking is disabled.
[RouterB-pki-domain-1] crl url ldap://1.1.1.102
[RouterB-pki-domain-1] quit
# Create a local key pair using RSA.
[RouterB] public-key local create rsa
# Request a certificate.
Configuration procedure
For more information about SSL configuration, see "Configuring SSL."
NOTE: The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a PKI domain, see "Configuring a PKI domain."
1. Configure the HTTPS server.
# Configure the SSL policy for the HTTPS server to use.
Troubleshooting PKI

Failed to obtain a CA certificate
Symptom
Failed to obtain a CA certificate.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No trusted CA is specified.
• The URL of the registration server for certificate request is not correct or not configured.
• No authority is specified for certificate request.
• The system clock of the device is not synchronized with that of the CA.
1.
5. Use the ping command to verify that the RA server is reachable.
6. Specify the authority for certificate request.
7. Configure the required entity DN parameters.

Failed to obtain CRLs
Symptom
Failed to obtain CRLs.
Analysis
Possible reasons include:
• The network connection is not proper. For example, the network cable might be damaged or loose.
• No CA certificate has been obtained before you try to obtain CRLs.
• The IP address of the LDAP server is not configured.
Configuring IPsec

Unless otherwise specified, the term "IKE" in this chapter refers to IKE version 1.

Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.
encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 91 shows the format of IPsec packets.
Figure 91 Encapsulation by security protocols in different modes

Authentication algorithms and encryption algorithms
1. Authentication algorithms: IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
IPsec tunnel interface

An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets including multicast packets that are routed to an IPsec tunnel interface are IPsec protected. The IPsec tunnel interface has the following advantages:
• Simplified configuration—The IPsec tunnel interface is easier to configure compared to using access control lists (ACLs) to identify protected packets.
Figure 93 De-encapsulation process of an IPsec packet
5. The router forwards an IPsec packet received on the inbound interface to the forwarding module.
6. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.
7. The IPsec tunnel interface de-encapsulates the packet, and then delivers the resulting clear text packet back to the forwarding module.
8.
Figure 94 An IPsec VPN

You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local gateway.
ACL-based IPsec and tunnel interface-based IPsec are available for both IPv4 and IPv6 packets, and the configuration procedures are the same for IPv4 and IPv6.

Implementing ACL-based IPsec
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure an ACL for identifying data flows to be protected.
2. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
3.
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule "rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255". This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
• In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it.
ipsec policy test 2 isakmp
 security acl 3001
 ike-peer bb
 transform-set 1
• Configure Router B:
acl number 3001
 rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
 rule 1 deny ip
#
ipsec policy test 1 isakmp
 security acl 3001
 ike-peer aa
 transform-set 1

Configuring ACL rules
To make sure that SAs can be set up and the traffic protected by IPsec can be processed correctly at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local peer.
Figure 96 Non-mirror image ACLs

Protection modes
Data flows can be protected in the following modes:
• Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
• Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL. This mode is configurable only when IKE is used for IPsec policy negotiation.
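The mirror-image requirement and the "each rule matches both directions" behaviour described above can be checked mechanically before two peers are brought up. The following Python is an added example, not code from the HP guide or the router software; it models IPsec ACL rules with the guide's address-and-wildcard notation, and the Router A rule list is constructed to be the mirror of the Router B ACL 3001 shown in the example (Router A's own rule is not on this page). Function names are this example's assumptions.

```python
"""Added example (not from the HP guide): model IPsec ACL rules with
wildcard masks, check that a peer's ACL mirrors the local one, and show
that one rule matches both the outbound flow and the returned flow."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str      # "permit" or "deny"
    source: str      # "address wildcard" as written in the ACL, or "any"
    dest: str


def to_network(spec: str) -> ipaddress.IPv4Network:
    """Convert 'a.b.c.d w.x.y.z' (address + wildcard mask) to a network.
    A set wildcard bit means 'do not care'; only contiguous masks are accepted."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = spec.split()
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard in {spec!r}")
    return ipaddress.ip_network((int(ipaddress.IPv4Address(addr)) & mask, prefix))


def is_valid_wildcard(spec: str) -> bool:
    try:
        to_network(spec)
        return True
    except ValueError:
        return False


def matches(rule: AclRule, src: str, dst: str) -> bool:
    """An IPsec ACL rule matches the outbound flow and the returned inbound flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net, dst_net = to_network(rule.source), to_network(rule.dest)
    return (s in src_net and d in dst_net) or (s in dst_net and d in src_net)


def first_match(rules, src: str, dst: str):
    """Action of the first matching rule, or None when no rule matches."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule.action
    return None


def mirror(rule: AclRule) -> AclRule:
    """The rule the remote peer must carry: source and destination swapped."""
    return AclRule(rule.action, rule.dest, rule.source)


def same_rule(a: AclRule, b: AclRule) -> bool:
    return (a.action == b.action
            and to_network(a.source) == to_network(b.source)
            and to_network(a.dest) == to_network(b.dest))


def mirror_problems(local_rules, remote_rules) -> list:
    """Describe every remote rule that is not the mirror of the local rule in the same position."""
    problems = []
    for i, (local, remote) in enumerate(zip(local_rules, remote_rules)):
        if not same_rule(mirror(local), remote):
            problems.append(f"rule {i}: expected {mirror(local)}, found {remote}")
    if len(local_rules) != len(remote_rules):
        problems.append("rule count differs")
    return problems


def is_mirror_image(local_rules, remote_rules) -> bool:
    return not mirror_problems(local_rules, remote_rules)


# Constructed to match the example above: Router B's ACL 3001 is shown on the
# page; Router A's list is its mirror.
ROUTER_A_ACL = [AclRule("permit", "1.1.2.0 0.0.0.255", "3.3.3.0 0.0.0.255"),
                AclRule("deny", "any", "any")]
ROUTER_B_ACL = [AclRule("permit", "3.3.3.0 0.0.0.255", "1.1.2.0 0.0.0.255"),
                AclRule("deny", "any", "any")]
```

Running mirror_problems over both peers' rule lists before IKE negotiation reports the exact rule that would make Router B treat Router A's protected flow as unprotected, which is the failure Figure 96 illustrates.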
4. Specify the security algorithms.
   Command: Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des }
   Remarks: Configure at least one command. By default, no security algorithm is specified.
IPsec policies include the following categories:
• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
• IPsec GDOI policy—Group members obtain policies that belong to their home GDOI group from the key server.
3. Assign an ACL to the IPsec policy.
   Command: security acl [ ipv6 ] acl-number
   Remarks: Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. By default, an IPsec policy references no ACL. The ACL supports match criteria of the VPN attribute. An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
4. Assign an IPsec transform set to the IPsec policy.
NOTE: You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec policy.

Configuring an IPsec policy that uses IKE
To configure an IPsec policy that uses IKE, use one of the following methods:
• Directly configure it by configuring the parameters in IPsec policy view.
7. Enable and configure the perfect forward secrecy feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remarks: Optional. By default, the PFS feature is not used for negotiation. If the local end is configured with the PFS feature, the remote end that initiates the negotiation must also be configured with this feature, and the DH group specified at both ends must be the same. Otherwise, the negotiation fails.
3. Specify the ACL for the IPsec policy to reference.
   Command: security acl [ ipv6 ] acl-number
   Remarks: Optional. By default, an IPsec policy does not reference any ACL. In IKE negotiation mode, the ACL only supports fuzzy match.
4. Specify the IPsec transform sets for the IPsec policy to reference.
   Remarks: By default, an IPsec policy does not reference any IPsec transform set.
5. Specify the IKE peer for the IPsec policy to reference.
10. Configure the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. By default, time-based SA lifetime is 3600 seconds and traffic-based SA lifetime is 1843200 kilobytes.
11. Create an IPsec policy by referencing an IPsec policy template.
    Command: ipsec policy policy-name seq-number isakmp template template-name
    Remarks: By default, no IPsec policy exists.
If the encryption engine is disabled or has failed but the IPsec module backup function is enabled, the IPsec module takes over the responsibility of IPsec processing. If the IPsec module backup function is disabled, the matching packets are discarded.
To enable the encryption engine:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the encryption engine.
   Command: cryptoengine enable [ slot slot-number ]
   Remarks: Optional. By default, the encryption engine is enabled.
IMPORTANT:
• IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled.
• A wider anti-replay window results in higher resource cost and more system performance degradation, which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window size that is as small as possible.
To configure IPsec anti-replay checking:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable IPsec anti-replay checking.
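The two receive-side checks this chapter describes, the per-packet authentication digest from "Authentication algorithms and encryption algorithms" and the anti-replay window above, are small enough to show end to end. The following Python is an added example, not code from the HP guide or the router software: it computes an HMAC-SHA1-96 integrity check value over a constructed ESP header and payload, keeps an RFC 4303-style sliding window whose size is configurable, and returns a verdict for each received packet. The key, SPI, payloads and verdict strings are constructed for the example.

```python
"""Added example (not from the HP guide): ESP receive-side processing,
HMAC-SHA1-96 integrity verification plus a sliding anti-replay window,
on constructed packets. Key, SPI and payloads are not real traffic."""
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"   # constructed; real keys come from IKE or manual config
DEMO_SPI = 0x1000


def esp_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA1-96: HMAC-SHA1 over SPI, sequence number and payload, truncated to 96 bits."""
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def build_packet(key: bytes, spi: int, seq: int, payload: bytes):
    """What the sender puts on the wire: (sequence number, payload, ICV)."""
    return seq, payload, esp_icv(key, spi, seq, payload)


class AntiReplayWindow:
    """Sliding window: bit 0 is the highest sequence number accepted so far,
    bit d marks sequence number (highest - d) as already received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Classify seq without changing state: fresh / replayed / outside window."""
        if seq == 0:
            return "outside window"          # ESP never uses sequence number 0
        if seq > self.highest:
            return "fresh"
        diff = self.highest - seq
        if diff >= self.size:
            return "outside window"          # older than the window remembers
        return "replayed" if self.bitmap & (1 << diff) else "fresh"

    def mark(self, seq: int) -> None:
        """Record seq as received; call only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class EspReceiver:
    def __init__(self, key: bytes, spi: int, window_size: int = 64):
        self.key, self.spi = key, spi
        self.window = AntiReplayWindow(window_size)

    def receive(self, seq: int, payload: bytes, icv: bytes) -> str:
        """Cheap replay check first, then the ICV, and only then update the window,
        so a forged packet with a fresh sequence number cannot poison the window."""
        verdict = self.window.check(seq)
        if verdict != "fresh":
            return verdict
        if not hmac.compare_digest(esp_icv(self.key, self.spi, seq, payload), icv):
            return "bad icv"
        self.window.mark(seq)
        return "accepted"
```

A four-packet window rejects a genuine packet that arrives five positions late, while a 64-packet window accepts it, which is the resource-versus-tolerance trade-off the note above describes. The des and md5 options listed in this chapter are legacy algorithms; where the peer supports them, prefer the AES and SHA choices from the same command.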
The invalid SPI recovery feature allows the receiver to send an INVALID SPI NOTIFY message to tell the sender the invalid SPIs. Upon receiving the message, the sender immediately deletes the corresponding SAs. The subsequent traffic triggers the two peers to set up new SAs for data transmission.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IPsec policy view or IPsec policy template view.
   Command: To enter IPsec policy view: ipsec policy policy-name seq-number [ isakmp | manual ]. To enter IPsec policy template view: ipsec policy-template template-name seq-number
   Remarks: Use either command.
3. Enable IPsec RRI.
   Command: reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
   Remarks: Disabled by default. To enable static IPsec RRI, specify the static keyword.
2. Enable IPsec packet fragmentation before or after encryption.
   Command: To enable IPsec packet fragmentation before encryption: ipsec fragmentation before-encryption enable. To enable IPsec packet fragmentation after encryption: undo ipsec fragmentation before-encryption enable
   Remarks: Use either command. By default, IPsec packet fragmentation before encryption is enabled. Only the tunnel encapsulation mode supports IPsec packet fragmentation before encryption.
applied to an interface, for each packet arriving at the interface, the system checks the IPsec policies of the IPsec policy group in the ascending order of sequence numbers. One IPsec tunnel will be established for each data flow to be protected, and multiple IPsec tunnels might exist on an interface. An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified by its name and it does not support ACL configuration.
6. Set the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. By default, the SA lifetime of an IPsec profile equals the current global SA lifetime.
7. Return to system view.
   Command: quit
   Remarks: N/A
8. Set the global SA lifetime.
   Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
3. Assign a private IP address to the tunnel interface.
   Command:
   • To assign an IPv4 address: ip address ip-address { mask | mask-length } [ sub ]
   • To assign a global unicast address or site-local address:
     ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
     ipv6 address ipv6-address/prefix-length eui-64
   • To assign a link-local address:
   Remarks: Configure one type of address. By default, no private IP address is assigned to a tunnel interface.
Enabling packet information pre-extraction on the IPsec tunnel interface Because packets that an IPsec tunnel interface passes to a physical interface are encapsulated, the QoS module cannot obtain the 5-tuple (source IP, destination IP, source port, destination port, and protocol) of the original packets. To address this problem, enable packet information pre-extraction on the tunnel interface.
3. Apply a QoS policy to the IPsec tunnel interface.
   Command: qos apply policy policy-name { inbound | outbound }
   Remarks: For more information about the command, see ACL and QoS Command Reference.

Configuring IPsec for IPv6 routing protocols
IMPORTANT: Do not apply an IPsec policy used for an IPv6 routing protocol to an interface. If you do so, the interface will drop all packets, because the IPsec policy references no ACL.
• Display IPsec tunnel information.
  Command: display ipsec tunnel [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Clear SAs.
  Command: reset ipsec sa [ parameters [ ipv6 ] dest-address protocol spi | policy policy-name [ seq-number ] | remote [ ipv6 ] ip-address ]
  Remarks: Available in user view.
• Clear IPsec statistics.
  Command: reset ipsec statistics
  Remarks: Available in user view.
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] transform esp
# Specify the algorithms for the IPsec transform set.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create manual IPsec policy map1.
[RouterA] ipsec policy map1 10 manual
# Apply the ACL.
[RouterA-ipsec-policy-manual-map1-10] security acl 3101
# Apply the IPsec transform set.
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy.
[RouterB] ipsec policy use1 10 manual
# Apply the ACL.
[RouterB-ipsec-policy-manual-use1-10] security acl 3101
# Apply the IPsec transform set.
[RouterB-ipsec-policy-manual-use1-10] transform-set tran1
# Configure the remote IP address of the tunnel.
[RouterB-ipsec-policy-manual-use1-10] tunnel remote 2.2.2.1
# Configure the local IP address of the tunnel.
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] transform esp
# Specify the algorithms for the IPsec transform set.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Configure the IKE peer.
[RouterB] ike peer peer
[RouterB-ike-peer-peer] pre-shared-key abcde
[RouterB-ike-peer-peer] remote-address 2.2.2.1
[RouterB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE for IPsec SA negotiation.
[RouterB] ipsec policy use1 10 isakmp
# Apply the ACL.
[RouterA] acl ipv6 number 3101
[RouterA-acl-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B.
[RouterA] ipv6 route-static 555::0 64 222::1
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] transform esp
# Specify the algorithms for the IPsec transform set.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Configure the IKE peer.
Figure 99 Network diagram
Configuration considerations
Configure an IPsec tunnel interface on each router, and configure a static route on each router that sends packets destined for the peer to the IPsec tunnel interface, so that those packets receive IPsec protection.
Configuration procedure
1. Configure Router A:
# Name the local gateway routera.
system-view
[RouterA] ike local-name routera
# Configure an IKE peer named atob.
[RouterA-Tunnel1] ip address 10.1.1.1 24
# Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
[RouterA-Tunnel1] tunnel-protocol ipsec ipv4
# Set the source interface of Tunnel 1 to Serial 2/1/1.
[RouterA-Tunnel1] source serial 2/1/1
# Set the tunnel destination address to 1.1.1.1, the source address of the remote peer.
[RouterA-Tunnel1] destination 1.1.1.1
# Apply IPsec profile atob to tunnel interface Tunnel 1.
[RouterB] interface tunnel 1
# Assign IPv4 address 10.1.1.2/24 to tunnel interface Tunnel 1.
[RouterB-Tunnel1] ip address 10.1.1.2 24
# Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
[RouterB-Tunnel1] tunnel-protocol ipsec ipv4
# Set the source interface of Tunnel 1 to Serial 2/1/1.
[RouterB-Tunnel1] source serial 2/1/1
# Apply IPsec profile btoa to tunnel interface Tunnel 1.
----------------------------
PFS: N, DH group: none
tunnel:
  local address: 1.1.1.1
  remote address: 1.1.1.2
flow:
  sour addr: 0.0.0.0/0.0.0.0  port: 0  protocol: IP
  dest addr: 0.0.0.0/0.0.0.
Network requirements
As shown in Figure 100, Router A, Router B, and Router C are connected and learn IPv6 routing information through RIPng. Configure IPsec for RIPng so that the RIPng packets exchanged between the routers are transmitted through an IPsec tunnel. Configure IPsec to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96. DES is used here only to match the other examples in this guide; it is not a secure choice for production and should be replaced with AES where the software supports it.
[RouterA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[RouterA-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[RouterA] ripng 1
[RouterA-ripng-1] enable ipsec-policy policy001
[RouterA-ripng-1] quit
2. Configure Router B:
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2.
[RouterC-ripng-1] quit
[RouterC] interface gigabitethernet 3/0/1
[RouterC-GigabitEthernet3/0/1] ripng 1 enable
[RouterC-GigabitEthernet3/0/1] quit
# Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
# Execute the display ipsec sa command on Router A to view the information about the inbound and outbound SAs.
Figure 101 Network diagram
Configuration procedure
1. Assign IPv4 addresses to the interfaces on the routers according to Figure 101. Make sure Router A and Router B can reach each other. (Details not shown.)
2. Configure Router A:
# Configure ACL 3101 to identify traffic from subnet 10.4.4.0/24 to subnet 10.5.5.0/24.
system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer peer.
[RouterA-ipsec-policy-isakmp-map1-10] ike-peer peer
# Enable dynamic IPsec RRI and use 1.1.1.2 as the next hop of the static route.
[RouterA-ipsec-policy-isakmp-map1-10] reverse-route remote-peer 1.1.1.2
[RouterA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to interface GigabitEthernet 3/0/1.
# Apply IPsec policy use1 to interface GigabitEthernet 3/0/1.
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] ipsec policy use1
4. Verify the configuration:
# Send traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24, or from subnet 10.4.4.0/24 to subnet 10.5.5.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B.
# Display the routing table on Router A.
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKE version 1.
Overview
Built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, which greatly simplifies the application, management, configuration, and maintenance of IPsec.
Figure 102 IKE exchange process in main mode (three two-message exchanges between Peer 1 and Peer 2: the SA exchange, in which the initiator sends its IKE policy and the receiver searches for a matching policy and confirms it; the key exchange, in which each side sends its key information, negotiates algorithms, and generates the key; and the ID and authentication data exchange, in which each side sends its identity and authentication data and authenticates the other)
Relationship between IKE and IPsec
Figure 103 Relationship between IKE and IPsec
Figure 103 illustrates the relationship between IKE and IPsec:
• IKE is an application layer protocol carried over UDP (port 500, or port 4500 when NAT traversal is in use) and functions as the signaling protocol of IPsec.
• IKE negotiates SAs for IPsec and delivers the negotiated parameters and generated keys to IPsec.
• IPsec uses the SAs set up through IKE negotiation to encrypt and authenticate IP packets.
Task: Configuring a name for the local security gateway
Remarks: Optional.
Task: Configuring an IKE proposal
Remarks: Optional. Required if you want to specify an IKE proposal for an IKE peer to reference.
Task: Configuring an IKE peer
Remarks: Required.
Task: Setting keepalive timers
Remarks: Optional.
Task: Setting the NAT keepalive timer
Remarks: Optional.
Task: Configuring a DPD detector
Remarks: Optional.
Task: Disabling next payload field checking
Remarks: Optional.
• In FIPS mode, both the IPsec SAs and the corresponding IKE SAs are renegotiated.
• In non-FIPS mode, only the IPsec SAs are renegotiated.
To configure an IKE proposal:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IKE proposal and enter its view.
   Command: ike proposal proposal-number
   Remarks: N/A
3. Specify an encryption algorithm for the IKE proposal.
   Remarks: Optional.
4. ...
5. ...
• Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When acting as the responder, the local end uses the IKE proposals configured in system view for negotiation.
• Configure a pre-shared key for pre-shared key authentication, or a PKI domain for digital signature authentication.
• Specify the ID type for the local end to use in IKE negotiation phase 1.
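The proposal-selection rule in the bullets above (initiator offers the proposals referenced under its IKE peer, or the system-view proposals if none are referenced; responder always searches its system-view proposals) is easy to get wrong in practice, so here is the negotiation modelled as code. This is an added example, not code from the HP guide: the IkeProposal record, its attribute names and the lifetime handling are my assumptions about what a Comware ike proposal carries, not device syntax.

```python
"""Added example (not code from the HP guide): how an IKEv1 responder picks a
phase 1 proposal, and which proposal list each side uses.

Assumptions of mine: a proposal carries the five attributes a Comware
'ike proposal' negotiates (encryption, hash, authentication method, DH group,
SA lifetime); the lifetime is not matched exactly but settled to the smaller
value. Names and values below are illustrative, not device syntax.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkeProposal:
    number: int            # priority: a lower number is tried first
    encryption: str        # e.g. "des-cbc", "3des-cbc", "aes-cbc-128"
    hash: str              # "md5" or "sha"
    auth: str              # "pre-share" or "rsa-signature"
    dh_group: int          # 1, 2, 5, 14, ...
    lifetime: int = 86400  # ISAKMP SA lifetime in seconds


def attributes_match(a: IkeProposal, b: IkeProposal) -> bool:
    """Everything except the lifetime must agree for a transform to be chosen."""
    return (a.encryption, a.hash, a.auth, a.dh_group) == \
           (b.encryption, b.hash, b.auth, b.dh_group)


def initiator_offer(peer_proposals: List[IkeProposal],
                    system_proposals: List[IkeProposal]) -> List[IkeProposal]:
    """When the local end initiates, it offers the proposals referenced under
    the IKE peer; only if none are referenced does it fall back to the
    proposals configured in system view."""
    chosen = peer_proposals or system_proposals
    return sorted(chosen, key=lambda p: p.number)


def responder_select(offered: Iterable[IkeProposal],
                     system_proposals: List[IkeProposal]) -> Optional[IkeProposal]:
    """Responder side of the SA exchange in Figure 102: the responder walks its
    own system-view proposals in priority order and picks the first one whose
    attributes match any transform the initiator offered.
    None means the responder would answer NO_PROPOSAL_CHOSEN."""
    offered = list(offered)
    for local in sorted(system_proposals, key=lambda p: p.number):
        for off in offered:
            if attributes_match(off, local):
                # Agreed SA: local attributes, lifetime settled downwards.
                return replace(local, lifetime=min(off.lifetime, local.lifetime))
    return None


def negotiate(init_peer: List[IkeProposal], init_system: List[IkeProposal],
              resp_system: List[IkeProposal]) -> Optional[IkeProposal]:
    """Run one phase 1 negotiation and return the agreed proposal (or None)."""
    return responder_select(initiator_offer(init_peer, init_system), resp_system)


if __name__ == "__main__":
    aes = IkeProposal(10, "aes-cbc-128", "sha", "pre-share", 2)
    des = IkeProposal(20, "des-cbc", "sha", "pre-share", 1, lifetime=3600)
    print(negotiate([des], [aes, des], [aes, des]))   # des wins: only des is referenced under the peer
    print(negotiate([], [aes, des], [aes, des]))      # aes wins by priority from system view
```

A mismatch found here corresponds to the NO_PROPOSAL_CHOSEN notification discussed under troubleshooting; the most common cause is a proposal referenced under the IKE peer on one side that has no counterpart in system view on the other.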
7. Configure a name for the local security gateway.
   Command: local-name name
   Remarks: Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
8. Specify the name of the remote security gateway.
   Remarks: Optional.
9. Configure an IP address for the local gateway.
NOTE:
After modifying the configuration of an IKE peer, execute the reset ipsec sa and reset ike sa commands to clear the existing IPsec and IKE SAs. Otherwise, SA renegotiation will fail.
Setting keepalive timers
IKE maintains the link status of an ISAKMP SA with keepalive packets. If the peer is configured with a keepalive timeout, you must configure a keepalive packet transmission interval on the local end, and that interval must be shorter than the peer's timeout; otherwise the peer treats the ISAKMP SA as dead.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.
4. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs based on that IKE SA.
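The DPD steps above are a small timer-driven state machine, and the subtle points (a hello is only triggered by outbound traffic, an outstanding hello suppresses further probes, any inbound IPsec packet resets the detector) are clearer in code. This is an added example, not code from the HP guide; the 10 s DPD interval and 5 s retransmission interval are my assumptions, and only the two-retransmission default comes from the text.

```python
"""Added example (not code from the HP guide): the DPD detector described
in the steps above, as an event-driven state machine fed by a scripted
timeline.

Assumptions of mine: a DPD interval of 10 s and a retransmission interval
of 5 s. The maximum of two retransmissions is the default the text gives.
Event times are constructed, not captured from a device.
"""
from typing import List, Optional, Tuple


class DpdDetector:
    def __init__(self, interval: float = 10.0, retry: float = 5.0, max_retries: int = 2):
        self.interval = interval          # DPD interval: peer idle time before probing
        self.retry = retry                # DPD packet retransmission interval
        self.max_retries = max_retries    # retransmissions before the peer is declared dead
        self.last_rx = 0.0                # time of the last IPsec packet or DPD ack from the peer
        self.pending_since: Optional[float] = None  # time of the unanswered hello, if any
        self.retries = 0
        self.dead = False

    def _peer_alive(self, now: float) -> None:
        self.last_rx = now
        self.pending_since = None
        self.retries = 0

    def rx_ipsec(self, now: float) -> None:
        """Any protected packet from the peer proves it is alive."""
        self._peer_alive(now)

    def rx_ack(self, now: float) -> None:
        """A DPD acknowledgement does the same."""
        self._peer_alive(now)

    def tx_ipsec(self, now: float) -> Optional[str]:
        """Steps 1-2: sending an IPsec packet triggers the idle check. A hello
        goes out only if the peer has been silent longer than the DPD interval
        and no hello is already outstanding."""
        if self.dead or self.pending_since is not None:
            return None
        if now - self.last_rx > self.interval:
            self.pending_since = now
            return "hello"
        return None

    def tick(self, now: float) -> Optional[str]:
        """Steps 3-4: an unanswered hello is retransmitted every retry interval;
        after max_retries retransmissions the peer is declared dead and the IKE
        SA plus the IPsec SAs based on it are cleared."""
        if self.dead or self.pending_since is None:
            return None
        if now - self.pending_since < self.retry:
            return None
        if self.retries >= self.max_retries:
            self.dead = True
            self.pending_since = None
            return "clear-sa"
        self.retries += 1
        self.pending_since = now
        return "hello"


def simulate(events: List[Tuple[str, float]], **cfg) -> List[Tuple[float, str]]:
    """Feed a chronological list of ("rx"|"ack"|"tx"|"tick", time) events to a
    detector and collect the actions it takes."""
    d = DpdDetector(**cfg)
    actions: List[Tuple[float, str]] = []
    for kind, t in events:
        if kind == "rx":
            d.rx_ipsec(t)
        elif kind == "ack":
            d.rx_ack(t)
        else:
            action = d.tx_ipsec(t) if kind == "tx" else d.tick(t)
            if action:
                actions.append((t, action))
    return actions


if __name__ == "__main__":
    # Peer goes silent after t=0: one hello, two retransmissions, then teardown.
    print(simulate([("rx", 0), ("tx", 11), ("tick", 16), ("tick", 21), ("tick", 26)]))
```

Note that with the defaults above the peer is declared dead roughly interval + 2 x retry seconds after its last packet, so choose the retransmission interval with the expected path latency in mind; a retry interval shorter than the round-trip time makes every burst of latency look like a dead peer.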
Task: Display IKE SA information.
Command: display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display IKE proposal information.
Command: display ike proposal [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Clear SAs established by IKE.
Command: reset ike sa [ connection-id ]
Remarks: Available in user view.
[RouterA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use security protocol ESP.
[RouterA-ipsec-transform-set-tran1] transform esp
# Specify encryption and authentication algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create IKE peer peer.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.2
3. Configure Router B:
# Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
system-view
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-adv-3101] quit
# Create IPsec transform set tran1.
[RouterB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
4. Verify the configuration: # Check the IKE proposal configuration.
dest addr: 10.1.2.0/255.255.255.
Configuration procedure
1. Configure Router A:
# Specify a name for the local security gateway.
system-view
[RouterA] ike local-name routera
# Configure an ACL.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure an IKE proposal.
[RouterA] interface gigabitethernet 3/0/1
[RouterA-GigabitEthernet3/0/1] ip address 172.16.0.1 255.255.255.0
[RouterA-GigabitEthernet3/0/1] quit
# Configure a static route to the branch LAN.
[RouterA] ip route-static 192.168.0.0 255.255.255.0 serial 2/1/1
2. Configure Router B:
# Specify a name for the local security gateway.
system-view
[RouterB] ike local-name routerb
# Configure an ACL.
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule 0 permit ip source 192.168.0.0 0.0.0.
[RouterB] dialer-rule 1 ip permit # Configure dialer interface Dialer 0. Use the username and password assigned by the ISP for dial and PPP authentication.
got NOTIFY of type INVALID_ID_INFORMATION
Or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Solution
Verify that the ACLs in the IPsec policies configured on the interfaces at both ends are compatible. Configure the ACLs to mirror each other. For more information about ACL mirroring, see "Configuring IPsec."
Proposal mismatch
Symptom
The proposals mismatch.
Analysis
The following is the debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
Or
drop message from A.B.C.
ACL configuration error
Symptom
An ACL configuration error blocks data flows.
Analysis
When several devices set up IPsec tunnels with the same device at different times, that device ends up with multiple peers. If it has no ACL rule selecting a given flow, each peer still initiates its own tunnel toward it, each with a different protection granularity, and traffic that one peer expects to be protected by its tunnel can be dropped or sent through the wrong SA.
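Both troubleshooting entries above come down to the same check: the ACL referenced by the IPsec policy on one peer must be the mirror image of the ACL on the other, with the same protection granularity. The following is an added example, not code from the HP guide: it parses the subset of advanced ACL rule syntax used on this page (IPv4 wildcard masks and IPv6 prefix lengths, going beyond the IPv4-only rules in the troubleshooting text), normalises each rule to a source/destination network pair, and reports rules that have no mirror on the other side. The sample ACLs are constructed from this page's examples.

```python
"""Added example (not code from the HP guide): a checker for the two ACL
problems described above. It parses the subset of Comware advanced ACL
rule syntax used in this guide, normalises each rule to a pair of networks,
and reports rules on one peer that have no mirror image on the other.

Handled syntax (my assumption, matching the rules on this page):
  rule [number] permit|deny <protocol> [source <addr> <wildcard|prefix-length>]
                                       [destination <addr> <wildcard|prefix-length>]
IPv4 rules use Comware wildcard masks (a set bit means "don't care"), IPv6
rules use a prefix length, and 'any' or an omitted field means all addresses.
Port and flag keywords are ignored. Sample ACLs are built from this page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    action: str
    proto: str
    src: object   # ipaddress.IPv4Network or IPv6Network
    dst: object


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert '10.4.4.0 0.0.0.255' to 10.4.4.0/24. Only wildcards whose set
    bits are contiguous at the low end express a prefix; anything else
    (e.g. 0.0.1.0) is rejected rather than silently approximated."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"wildcard {wildcard} is not a contiguous host mask")
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)


def parse_rule(text: str) -> Flow:
    tokens = text.split()
    if tokens[0] == "rule":
        tokens = tokens[1:]
    if tokens[0].isdigit():          # optional rule number
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    v6 = proto == "ipv6" or any(":" in t for t in tokens)
    everything = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
    src = dst = everything
    i = 2
    while i < len(tokens):
        kw = tokens[i]
        if kw not in ("source", "destination"):
            i += 1                   # ports, flags, etc.: outside this example
            continue
        if tokens[i + 1] == "any":
            net, i = everything, i + 2
        elif v6:
            net = ipaddress.ip_network((tokens[i + 1], int(tokens[i + 2])), strict=False)
            i += 3
        else:
            net = wildcard_to_network(tokens[i + 1], tokens[i + 2])
            i += 3
        if kw == "source":
            src = net
        else:
            dst = net
    return Flow(action, proto, src, dst)


def mirrors(a: Flow, b: Flow) -> bool:
    """b is the mirror image of a: same action and protocol, source and
    destination swapped, at exactly the same granularity."""
    return a.action == b.action and a.proto == b.proto and a.src == b.dst and a.dst == b.src


def unmirrored(local_acl: List[str], peer_acl: List[str]) -> List[str]:
    """Rules of local_acl that no rule of peer_acl mirrors. Run it in both
    directions: a rule present on only one side is exactly what lets that
    side select traffic the other side rejects with INVALID_ID_INFORMATION."""
    peer = [parse_rule(r) for r in peer_acl]
    return [r for r in local_acl if not any(mirrors(parse_rule(r), p) for p in peer)]


if __name__ == "__main__":
    a = ["rule permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255"]
    b = ["rule permit ip source 10.5.5.0 0.0.0.255 destination 10.4.0.0 0.0.255.255"]
    print(unmirrored(a, b), unmirrored(b, a))   # both non-empty: /16 vs /24 granularity
```

The granularity point matters: a /16 on one side and a /24 on the other both "cover" the traffic, but the selectors negotiated in quick mode differ, which is why the check insists on equal networks rather than overlap.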
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, establishing a channel over TCP to protect data transfer. SSH includes two versions, SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 improves on SSH1 in both performance and security, and SSH1 has known protocol weaknesses, so enable SSH1 only for legacy clients that cannot be upgraded.
Stage: Algorithm negotiation
Description: SSH supports multiple algorithms. Based on the algorithms each side supports, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, the public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.
signature. Finally, it informs the client of the authentication result. The device supports the public key algorithms RSA and DSA for digital signature. A client can send public key information to the device acting as the server for a validity check in either of the following ways:
• The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key.
FIPS compliance
The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ between FIPS mode (see "Configuring FIPS") and non-FIPS mode.
Configuring the device as an SSH server
You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, "SSH server" refers to the Stelnet, SFTP, and SCP server unless otherwise specified.
The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm. To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server. In FIPS mode, the DSA algorithm is not available.
To generate local DSA or RSA key pairs on the SSH server:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Generate DSA or RSA key pairs.
IMPORTANT:
Before you configure a user interface to support SSH, you must configure its authentication mode to scheme. Otherwise, the protocol inbound command fails.
To configure the user interface for SSH clients:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VTY user interface view.
   Command: user-interface vty number [ ending-number ]
   Remarks: N/A
3. Set the login authentication mode to scheme.
   Remarks: By default, the authentication mode is password.
You can configure up to 20 SSH client public keys on an SSH server. For more information about client public key configuration, see "Managing public keys."
Configuring a client public key manually
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter public key view.
   Command: public-key peer keyname
   Remarks: N/A
3. Enter public key code view.
   Command: public-key-code begin
   Remarks: N/A
4. Configure a client's host public key.
All authentication methods, except password authentication and keyboard-interactive authentication, require a client's host public key or digital certificate to be specified.
• If a client directly sends the user's public key information to the server, the server must specify the client's public key, and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."
• SSH user authentication timeout period. This parameter is used to reject a connection if authentication for the connection is not completed before the timeout period expires.
• Maximum number of SSH authentication attempts. This parameter is used to limit password guessing.
• SFTP connection idle timeout period. Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.
Specifying a source IP address or source interface for the Stelnet client
By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server as the source IP address for communicating with the Stelnet server. You can change the source IP address or specify a source interface for the client.
Disabling first-time authentication
With first-time authentication enabled, the client accepts and saves whatever host public key an unknown server presents on the first connection, so an attacker who can intercept that first connection can impersonate the server. Disable it, and configure the server's host public key on the client in advance, wherever the first connection does not cross a trusted path.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Disable first-time authentication.
   Command: undo ssh client first-time
   Remarks: Enabled by default.
3. Configure the server host public key.
   Command: See "Configuring a client's host public key."
   Remarks: The method for configuring the server host public key on the client is similar to that for configuring a client public key on the server.
4. Specify the host public key name of the server.
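What the client actually does in step 3 and 4 is compare the server's offered host key against a pinned copy, and the difference between first-time authentication on and off is only what happens when no pinned copy exists. The following is an added example, not code from the HP guide, that implements that check on top of the ssh2-format public key blob the guide exports with public-key local export: it encodes and parses an RSA key blob, computes the fingerprints OpenSSH displays, and decides whether a connection is accepted. The RSA modulus is a made-up number for fingerprinting only, and the known-hosts store is an in-memory dict; both are my constructions.

```python
"""Added example (not code from the HP guide): the client-side host key check
behind 'undo ssh client first-time'.

Constructed inputs: N_DEMO is a made-up modulus, not a real key, and the
known-hosts store is a dict. Only the standard library is used.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

# Made-up 1024-bit odd number: enough to build a syntactically valid blob.
N_DEMO = (1 << 1023) + (1 << 500) + 12345
E_DEMO = 65537


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 mpint: minimal big-endian two's complement. A leading 0x00 is
    added when the top bit would otherwise make the value read as negative."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """The wire form of an ssh-rsa public key (what the base64 in an
    'ssh-rsa AAAA...' line decodes to)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_blob(blob: bytes) -> Tuple[str, List[int]]:
    """Inverse of build_rsa_blob: key type followed by its integers."""
    fields = []
    off = 0
    while off < len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + ln])
        off += ln
    return fields[0].decode(), [int.from_bytes(f, "big", signed=True) for f in fields[1:]]


def public_key_line(blob: bytes, comment: str = "") -> str:
    ktype, _ = parse_blob(blob)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_public_key_line(line: str) -> bytes:
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if parse_blob(blob)[0] != ktype:
        raise ValueError("key type prefix does not match the encoded blob")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH style: 'SHA256:' + unpadded base64 of the digest of the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-hex MD5 fingerprint, still shown by older clients."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_host_key(known_hosts: Dict[str, bytes], host: str, offered: bytes,
                   first_time_auth: bool) -> Tuple[bool, str]:
    """Returns (accept, verdict). A pinned key must match byte for byte.
    With no pinned key, first-time authentication is the only thing that
    lets the connection through (trust on first use)."""
    pinned = known_hosts.get(host)
    if pinned is None:
        return first_time_auth, "unknown"
    if pinned == offered:
        return True, "match"
    return False, "mismatch"


if __name__ == "__main__":
    blob = build_rsa_blob(E_DEMO, N_DEMO)
    print(public_key_line(blob, "routerb"))
    print(fingerprint_sha256(blob), fingerprint_md5(blob))
    print(check_host_key({"192.168.1.40": blob}, "192.168.1.40", blob, False))
```

When comparing fingerprints out of band, compare the whole SHA256 value; the MD5 form is kept only because some tooling still prints it, and it should not be the sole basis for pinning.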
Configuring the device as an SFTP client
This section describes how to configure the device as an SFTP client.
SFTP client configuration task list
Task: Specifying a source IP address or source interface for the SFTP client
Remarks: Optional.
Task: Enabling and disabling first-time authentication
Remarks: Optional.
Task: Establishing a connection to an SFTP server
Remarks: Required.
Task: Working with SFTP directories
Remarks: Optional.
Task: Working with SFTP files
Remarks: Optional.
Task: Displaying help information
Remarks: Optional.
Establishing a connection to an SFTP server
You can launch the SFTP client to establish a connection to an SFTP server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm. After the connection is established, you enter SFTP client view, from which you perform directory and file operations on the server.
• Creating or deleting a directory
To work with the SFTP directories:
1. Enter SFTP client view.
   Command: For more information, see "Establishing a connection to an SFTP server."
   Remarks: N/A
2. Change the working directory of the remote SFTP server.
   Command: cd [ remote-path ]
   Remarks: Optional.
3. Return to the upper-level directory.
   Command: cdup
   Remarks: Optional.
4. Display the current working directory on the SFTP server.
   Command: pwd
   Remarks: Optional.
5. Display files under the specified directory.
4. Upload a local file to the SFTP server.
   Command: put local-file [ remote-file ]
   Remarks: Optional.
5. Display the files under the specified directory.
   Command: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]
   Remarks: Optional. The dir command functions as the ls command.
6. Delete one or more files from the SFTP server.
   Command: delete remote-file&<1-10> or remove remote-file&<1-10>
   Remarks: Optional. The delete command functions as the remove command.
SCP client configuration task list
Task: Enabling and disabling first-time authentication
Remarks: Optional.
Task: Transferring files with an SCP server
Remarks: Required.
Transferring files with an SCP server
• Upload a file to the SCP server:
  Connect to the SCP server, and transfer files with the server.
Displaying and maintaining SSH
Task: Display the source IP address or interface configured for the SFTP client.
Command: display sftp client source [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display the source IP address or interface configured for the Stelnet client.
Command: display ssh client source [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Configuration procedure
1. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++
+++++++++++++++++++++++
+++++
+++++
The prompt defaults to a 1024-bit modulus; for a new deployment enter 2048, the largest size this release accepts, because 1024-bit RSA no longer meets current key-length recommendations.
# Generate a DSA key pair.
2. Establish a connection to the Stelnet server:
The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY version 0.58 on the Stelnet client.
To establish a connection to the Stelnet server:
a. Launch PuTTY.exe to enter the following interface.
b. In the Host Name (or IP address) field, enter the IP address of the Stelnet server.
Figure 108 Specifying the host name (or IP address)
c. Click Open to connect to the server.
Figure 109 Network diagram
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server.
The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY version 0.58 on the Stelnet client.
Configuration procedure
1. Generate an RSA key pair on the Stelnet client:
a. Launch PuTTYGen.
Figure 111 Generating process
c. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
d. Click Save private key to save the private key. A confirmation dialog box appears.
e. Click Yes and enter the name of the file for saving the key (private.ppk in this example).
f. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
[Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey
3. Establish a connection to the Stelnet server:
a. Launch PuTTY.exe on the Stelnet client to enter the following interface.
b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
Figure 113 Specifying the host name (or IP address)
c. Select Connection > SSH > Auth from the navigation tree.
d.
Figure 114 Specifying the private key file
e. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server.
Password authentication enabled Stelnet client configuration example
Network requirements
As shown in Figure 115, you can log in to Router B through the Stelnet client running on Router A.
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++
+++++++++++++++++++++++
+++++
+++++
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
[RouterA-GigabitEthernet3/0/1] quit
[RouterA] quit
• If the client supports first-time authentication, you can directly establish a connection from the client to the server.
# Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.168.1.40 ...
The Server is not authenticated.
[RouterA-pkey-public-key] peer-public-key end
# Specify the host public key for the Stelnet server 192.168.1.40 as key1.
[RouterA] ssh client authentication server 192.168.1.40 assign publickey key1
[RouterA] quit
# Establish an SSH connection to SSH server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40
Press CTRL+K to abort
Connected to 192.168.1.40...
Enter password:
After you enter the correct username and password, you can log in to Router B successfully.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Export the DSA public key to file key.pub.
[RouterA] public-key local export dsa ssh2 key.pub
[RouterA] quit
# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
[RouterB] public-key peer ClientKey import sshkey key.pub
# Specify the authentication method for user client002 as publickey, and assign the public key ClientKey to the user.
[RouterB] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey
3. Establish a connection to the Stelnet server:
# Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client002
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.
+++++++++++++++++++++++
+++++
+++++
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server function.
Figure 118 SFTP client interface
Publickey authentication enabled SFTP client configuration example
Network requirements
As shown in Figure 119, you can log in to Router B through the SFTP client that runs on Router A. Router B acts as the SFTP server, using publickey authentication with the RSA public key algorithm.
Figure 119 Network diagram
Configuration considerations
In the server configuration, the client public key is required.
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++
+++++++++++++++++++++++
+++++
+++++
# Export the host public key to file pubkey.
[RouterA] public-key local export rsa ssh2 pubkey
[RouterA] quit
# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2.
# Set the authentication mode of the user interface to AAA.
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode scheme
# Enable the user interface to support SSH.
[RouterB-ui-vty0-4] protocol inbound ssh
[RouterB-ui-vty0-4] quit
# Import the peer public key from the file pubkey, and name it RouterKey.
sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
# Rename the directory new1 to new2 and verify that the directory name has been changed successfully.
Network requirements
As shown in Figure 120, Router A acts as an SCP client and Router B acts as an SCP server. A user can securely transfer files with Router B through Router A. Router B uses the password authentication method, and the client's username and password are saved on Router B.
Figure 120 Network diagram
Configuration procedure
1. Configure the SCP server:
# Generate RSA key pairs.
system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode scheme
# Enable the user interface to support SSH.
[RouterB-ui-vty0-4] protocol inbound ssh
[RouterB-ui-vty0-4] quit
# Create a local user named client001 with the password aabbcc and the service type ssh.
Configuring SSL
This feature is supported only on the 6602 router.
Overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to provide secure data transmission over the Internet.
SSL protocol stack
The SSL protocol consists of two layers: the SSL record protocol at the lower layer, and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
Figure 122 SSL protocol stack
• SSL record protocol: fragments the data to be transmitted, computes and adds a MAC to the data, and encrypts the data before transmitting it to the peer end.
SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (also called SSL 3.1). When the device acts as the SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and it can identify the SSL 2.0 Client Hello message from a client supporting both SSL 2.0 and SSL 3.0/TLS 1.0 and tell that client to use SSL 3.0 or TLS 1.0 for communication. In FIPS mode, only TLS 1.0 is supported. SSL 2.0 and SSL 3.0 have since been formally deprecated (RFC 6176 and RFC 7568), so restrict the policy to TLS 1.0 unless a legacy client cannot be avoided.
To configure an SSL server policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
7. Set the maximum number of cached sessions and the caching timeout time.
   Command: session { cachesize size | timeout time } *
   Remarks: Optional. The defaults are 500 for the maximum number of cached sessions and 3600 seconds for the caching timeout time.
8. Configure the server to require certificate-based SSL client authentication.
   Command: client-verify enable
   Remarks: Optional. By default, the SSL server does not require the client to be authenticated.
9.
4. Specify the preferred cipher suite for the SSL client policy.
   Command (non-FIPS mode): prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
   Command (FIPS mode): prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
   Remarks: Optional. rsa_rc4_128_md5 by default. The RC4, DES, and MD5-based suites are deprecated (RC4 is prohibited in TLS by RFC 7465), so set an AES-CBC suite with SHA explicitly rather than relying on the default.
5.
6. Specify the SSL protocol version for the SSL client policy.
   Command: version { ssl3.0 | tls1.
• The server and the client have no matching cipher suite.
Solution
1. Issue the debugging ssl command and view the debugging information to locate the problem.
2. If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.
Configuring SSL VPN
This feature is supported only on the 6602 router.
Overview
SSL VPN is a VPN technology based on Secure Sockets Layer (SSL). It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that the SSL protocol provides, SSL VPN can establish secure connections for communications at the application layer. SSL VPN has been widely used for secure, remote Web-based access.
4. After logging in to the Web interface, the user finds the resources to access on the Web interface and then sends an access request to the SSL VPN gateway through an SSL connection.
5. The SSL VPN gateway resolves the request, interacts with the corresponding server, and then forwards the server's reply to the user.
Advantages of SSL VPN
SSL VPN provides these advantages:
Support for various application protocols
SSL VPN can secure an application without needing to understand that application's protocol, because it proxies the traffic at the application layer.
through HTTPS. Therefore, you must specify an SSL server policy on the SSL VPN gateway so that the gateway can determine the SSL parameters to use for providing the SSL VPN service.
• Specify the TCP port number to be used by the SSL VPN service. The SSL VPN gateway acts as the HTTPS server that provides the web interface for remote users to log in.
• Enable the SSL VPN service. Remote users can access the web interface of the SSL VPN gateway only after the SSL VPN service is enabled on the gateway.
Figure 124 Network diagram (remote user's host, the Internet, the Router acting as SSL VPN gateway with 10.1.1.1/24 on the Internet side and 10.2.1.1/24 on the internal server side, the internal servers, and the CA)
Configuration procedure
In this example, Windows Server is used as the CA, with the SCEP plugin installed on it. Before the following configurations, make sure the intended SSL VPN gateway, the CA, and the host used by the remote user can reach each other, and that the CA service is enabled and can issue certificates to the device (SSL VPN gateway) and the host.
1.
# Specify the SSL server policy myssl and port 443 (default) for the SSL VPN service.
[Router] ssl-vpn server-policy myssl
# Enable the SSL VPN service.
[Router] ssl-vpn enable
4. Verify the configuration.
On the user host, launch the IE browser and enter https://10.1.1.1/svpn in the address bar. The Web login interface of the SSL VPN gateway opens.
6. Configuring a user group
   Remarks: Required. Configure a user group, add local users to the user group, and select the resource groups that the user group can access. By default, a user group named Guests exists, and no users or resource groups are assigned to it.
   IMPORTANT: You can also add a local user to existing user groups when creating the local user.
7. Viewing user information
   Remarks: Optional.
8.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations.

Recommended configuration procedure for manual request

Step: 1. Creating a PKI entity
Remarks: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity.
Step: 5. Requesting a local certificate
Remarks: Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
• In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
Task: 2. Creating a PKI domain
Remarks: Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
Task: 3.
Remarks: Optional.
Figure 126 Creating a PKI entity
3. Configure the parameters as described in Table 16.
4. Click Apply.
Table 13 Configuration items
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
FQDN: Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.
Figure 127 PKI domains
2. Click Add.
Figure 128 Creating a PKI domain
3. Configure the parameters as described in Table 17.
4. Click Apply.
Table 14 Configuration items
Domain Name: Enter the name for the PKI domain.
Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
Entity Name: Select the local PKI entity. When submitting a certificate request to a CA, an entity needs to show its identity information. Available PKI entities are those that have been configured.
Institution: Select the authority for certificate request.
• CA—Entity requests a certificate from a CA.
• RA—Entity requests a certificate from an RA.
Generally, an independent RA is in charge of certificate request management.
Polling Count / Polling Interval: Set the polling interval and attempt limit for querying the certificate request status. After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Enable CRL Checking
Figure 130 Generating an RSA key pair
3. Set the key length.
4. Click Apply.

Destroying the RSA key pair
1. From the navigation tree, select Authentication > Certificate Management > Certificate.
2. Click Destroy Key.
3. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
Figure 131 Destroying the RSA key pair

Retrieving and displaying a certificate
You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
Table 15 Configuration items
Domain Name: Select the PKI domain for the certificate.
Certificate Type: Select the type of the certificate to be retrieved, which can be CA or local.
Enable Offline Mode: Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email).
Figure 134 Requesting a certificate
3. Configure the parameters as described in Table 19.
Table 16 Configuration items
Domain Name: Select the PKI domain for the certificate.
Password: Enter the password for certificate revocation.
Enable Offline Mode: Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
4. If you cannot request a certificate from the CA through the SCEP protocol, you can enable the offline mode.
Figure 136 CRLs
2. Click Retrieve CRL to retrieve the CRL of a domain.
3. Click View CRL for the domain to display the contents of the CRL.
Figure 137 Displaying CRL information

Configuring the SSL VPN service

Before you configure the SSL VPN service, go to Certificate Management to configure a PKI domain and get a certificate for the SSL VPN gateway. An administrator or user uses the certificate to authenticate the SSL VPN gateway to avoid logging in to an invalid SSL VPN gateway.
Figure 138 Service management
2. Configure the SSL VPN service information as described in Table 20.
3. Click Apply.
Table 17 Configuration items
Enable SSL VPN: Select the box before this item to enable the SSL VPN service.
Port: Specify the port for providing the SSL VPN service. The default port number is 443.
PKI Domain: Select a PKI domain for the SSL VPN service.

Configuring Web proxy server resources

Typically, Web servers provide services in webpages.
Figure 140 Adding a Web proxy server resource
3. Configure the Web proxy server resource as described in Table 21.
Table 18 Configuration items
Resource Name: Enter a name for the Web proxy server resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Specify the Website address for providing Web services. It must start with http:// and end with /, for example, http://www.domain.com/web1/.
After you enable single login and configure single login parameters, when a user accesses the resource through the SSL VPN service interface, the user is redirected to the specified website if the user's username and password for accessing the website are the same as those for logging in to the SSL VPN service interface.
5. Click Apply.
Figure 141 Configuring single login
Table 19 Configuration items
Select this box to allow IP access to the resource.
A message will tell you that the single login function is configured successfully. During this process, the system automatically gets the username parameter name and the password parameter name. When the website login page requires parameters other than the username and password, you cannot configure single login in this method.
4. Click Apply.
Table 20 Configuration items
Resource Name: Enter a name for the remote access service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
Figure 145 Adding a desktop sharing service resource
4. Configure the desktop sharing service as described in Table 24.
5. Click Apply.
Table 21 Configuration items
Enter a name for the desktop sharing service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Figure 146 Email services
3. Click Add to enter the page for adding an email service.
Figure 147 Adding an email service resource
4. Configure the email service resource as described in Table 25.
5. Click Apply.
Table 22 Configuration items
Enter a name for the email service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Command: Configure the Windows command for the resource. Users must manually start the email service application. You do not need to configure this item.

Configuring a Notes service resource

Notes, a platform for implementing office automation, provides email services in a client/server model. SSL VPN can improve the security of Notes mail services. Hereafter, the term Notes service refers to Notes mail services.
1.
Table 23 Configuration items
Resource Name: Enter a name for the Notes service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
Figure 151 Adding a TCP service resource
4. Configure the common TCP service as described in Table 27.
5. Click Apply.
Table 24 Configuration items
Enter a name for the common TCP service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Recommended configuration procedure

Step: 1. Configuring global parameters
Remarks: Required. Configure global parameters, such as the address pool, gateway address, timeout time, WINS server, and DNS server, for IP network resources.
Step: 2. Configuring host resources
Remarks: Required. Configure the host resources that users can access from the IP networks list of the SSL VPN interface.
Step: 3. Configuring a user-IP binding
Remarks: Optional. Configure user-IP bindings.
Table 25 Configuration items
Start IP / End IP: Specify the IP address pool from which the gateway assigns IP addresses for clients' virtual network adapters.
Subnet Mask: Enter the subnet mask to be assigned to a client's virtual network adapter.
Gateway IP: Enter the default gateway IP address to be assigned to a client's virtual network adapter.
Timeout: Set an idle timeout for client connections.
Figure 154 Adding a host resource
4. Enter a name for the host resource.
5. Click the Add button under the network services list to enter the page for adding a network service.
Figure 155 Adding an available network service
6. Add a network service that the host resource provides for users, as described in Table 29.
Table 26 Configuration items
Destination IP: Enter the destination address of the network service.
Subnet Mask: Enter the subnet mask of the network service.
Description: Enter a description for the network service.
IMPORTANT: If you have configured the system to show network services by description, HP recommends that you include the network services' network information (subnet IP/mask) in the description so that users can view desired information after they log in to the SSL VPN system.
7. Click Apply to add the network service to the network service list.
8. Repeat steps 5 to 7 to add multiple network resources.
9.
Figure 158 Adding a user-IP binding
4. Configure the user-IP binding as described in Table 30.
5. Click Apply.
Table 27 Configuration items
Username: Specify the username to be bound with an IP address. The username must contain the domain name. For example, aaa@local.
Specify the IP address to be bound with the username.
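The address pool settings of Table 25 and the user-IP bindings of Table 27 work together when a client logs in. The following model, added here as an example and not part of the HP guide, validates the pool (start, end, mask, gateway) and hands out client addresses: a bound user always receives its bound address, everyone else receives the lowest free address, and the gateway address is never handed out. The sample values are the ones used in the configuration example later in this chapter; the consistency checks and the class and method names are this example's own assumptions.

```python
# Added example, not from the HP guide: a model of the IP network resource
# settings (address pool, subnet mask, gateway) together with user-IP bindings.
import ipaddress
from typing import Dict, Optional


class ClientAddressPool:
    def __init__(self, start_ip: str, end_ip: str, subnet_mask: str, gateway_ip: str) -> None:
        self.start = ipaddress.IPv4Address(start_ip)
        self.end = ipaddress.IPv4Address(end_ip)
        # subnet_mask may be a prefix length ("24") or a dotted quad
        self.network = ipaddress.IPv4Network(f"{start_ip}/{subnet_mask}", strict=False)
        self.gateway = ipaddress.IPv4Address(gateway_ip)
        self.bindings: Dict[str, ipaddress.IPv4Address] = {}   # username -> bound address
        self.leases: Dict[str, ipaddress.IPv4Address] = {}     # username -> address in use
        self._validate()

    def _validate(self) -> None:
        if self.start > self.end:
            raise ValueError("start IP must not be higher than end IP")
        for label, addr in (("start", self.start), ("end", self.end), ("gateway", self.gateway)):
            if addr not in self.network:
                raise ValueError(f"{label} IP {addr} is outside {self.network}")
        if self.start <= self.gateway <= self.end:   # assumption: gateway is never handed to a client
            raise ValueError("gateway IP must not lie inside the client address pool")

    def in_pool(self, addr: ipaddress.IPv4Address) -> bool:
        return self.start <= addr <= self.end

    def bind_user(self, username: str, ip: str) -> None:
        """User-IP binding: the username must carry its domain, for example aaa@local."""
        if "@" not in username:
            raise ValueError("username must contain the domain name, for example aaa@local")
        addr = ipaddress.IPv4Address(ip)
        if not self.in_pool(addr):
            raise ValueError(f"{addr} is outside the address pool")
        if addr in self.bindings.values():
            raise ValueError(f"{addr} is already bound to another user")
        self.bindings[username] = addr

    def assign(self, username: str) -> Optional[ipaddress.IPv4Address]:
        """Address for a user who is logging in, or None when the pool is exhausted."""
        if username in self.leases:
            return self.leases[username]
        if username in self.bindings:
            self.leases[username] = self.bindings[username]
            return self.leases[username]
        # bound addresses stay reserved even while their owner is offline
        reserved = set(self.bindings.values()) | set(self.leases.values())
        addr = self.start
        while addr <= self.end:
            if addr not in reserved:
                self.leases[username] = addr
                return addr
            addr += 1
        return None

    def release(self, username: str) -> None:
        """Called when the idle timeout expires or the user logs out."""
        self.leases.pop(username, None)


if __name__ == "__main__":
    # Constructed scenario using the values of the configuration example in this chapter.
    pool = ClientAddressPool("192.168.0.1", "192.168.0.100", "24", "192.168.0.101")
    pool.bind_user("aaa@local", "192.168.0.50")
    for user in ("bbb@local", "aaa@local", "ccc@local"):
        print(user, pool.assign(user))
```

Running the block prints 192.168.0.1 for bbb@local, the bound 192.168.0.50 for aaa@local, and 192.168.0.2 for ccc@local; a binding whose username lacks the domain part, or whose address lies outside the pool, is rejected at configuration time rather than at login.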
5. Click Apply.
Table 28 Configuration items
Domain Name: Enter a domain name to be issued to clients.
IP Setting Method: Select the IP setting method, including Dynamic and Static.
• Dynamic: To use this method, you also need to configure domain name resolution at the CLI. The gateway will first resolve the domain name to get an IP address and then issue the IP address to clients.
• Static: To use this method, you must specify an IP address in the next field.
Figure 162 Adding a resource group
3. Configure the resource group as described in Table 32.
4. Click Apply.
Table 29 Configuration items
Resource Group Name: Enter a name for the resource group.
Selected Resources / Available Resources: Specify resources for the resource group.

Configuring local users

Configure SSL VPN users for local authentication in the following methods:
• Configure local users one by one in the SSL VPN system.
Figure 163 Local users
2. Click Add to enter the page for adding a local user.
Figure 164 Adding a local user
3. Configure the local user information as described in Table 33.
4. Click Apply.
Table 30 Configuration items
Username: Enter a name for the local user.
Description: Enter a description for the local user.
Password / Confirm Password: Specify a password for the local user and enter the password again to confirm the password.
Certificate SN: Specify a certificate sequence number for the local user. The certificate number will be used for identity authentication of the local user.
Enable public account
Figure 165 Batch import of local users

Configuring a user group

1. Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears.
Figure 166 User groups
2. Click Add to add a user group.
Figure 167 Adding a user group
3. Configure the user group as described in Table 34.
4. Click Apply.
Table 31 Configuration items
User Group Name: Enter a name for the user group.
Selected Resource Groups / Available Resources: Select resource groups for the user group. Users in the user group will be able to access the resources in the selected resource groups.
Selected Local Users / Available Local Users: Select local users for the user group.
Viewing user information

Viewing online user information

1. Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, displaying the information of the current online users.
Figure 168 Online users
2. View information of the online users.
Table 32 Field description
Login Time: Time when the user logged in to the SSL VPN system.
Username: Username of the user, with the domain name.
IP Address: IP address of the user host.
Figure 169 History information

Performing basic configurations for the SSL VPN domain

Configure a domain policy, caching policy, and a bulletin:
• Domain policy—Defines the common parameters and functions for the SSL VPN domain.
• Caching policy—Specifies which cached contents to clear from user hosts when users log out from the SSL VPN system.
• Bulletin management—Allows you to provide different information to different users.

Configuring the domain policy

1.
Table 33 Configuration items
Enable security check: Select this item to enable security check. With security check enabled, the SSL VPN system checks a user host based on the security policy and determines whether to allow the user to access resources according to the check result.
IMPORTANT: To implement user host security check, you must also configure the security policy. See "Configuring a security policy."
Select this item to use verification codes.
2. Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 171.
3. Select the operations to be done on a user host when the user logs out, including:
◦ Clear cached webpages.
◦ Clear cookies.
◦ Clear downloaded programs. Downloaded programs refer to the SSL VPN client software that was automatically downloaded and run when the users logged in to the SSL VPN system.
◦ Clear configuration files.
4.
Figure 173 Adding a bulletin
4. Configure the bulletin settings as described in Table 37.
5. Click Apply.
Table 34 Configuration items
Title: Enter a name for the bulletin.
Content: Enter the contents of the bulletin.
Selected User Groups / Available User Groups: Select the user groups that can view the bulletin.
• Password—Authenticates only a user's password.
• Password+Certificate—Authenticates a user's password and client certificate.
• Certificate—Authenticates only a user's client certificate.
RADIUS authentication supports only two authentication policies: password and password+certificate.

Configuring local authentication

Local authentication authenticates users by using the user information saved on the SSL VPN gateway.
Figure 175 RADIUS scheme list
a. Click Add.
Figure 176 RADIUS scheme configuration page
c. Configure the parameters, as described in Table 38.
d. Click Apply.
Table 35 Configuration items
Scheme Name: Enter a name for the RADIUS scheme.
Common Configuration: Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets.
RADIUS Server Configuration: Configure the parameters of the RADIUS authentication servers and accounting servers. For more information about RADIUS server configuration, see "Add RADIUS servers."
2. Configure common parameters:
a. Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area.
Figure 177 Common configuration
b. Configure the parameters, as described in Table 39.
Table 36 Configuration items
Server Type: Select the type of the RADIUS servers supported by the device, which can be:
• Standard—Standard RADIUS servers. The RADIUS client and server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
• Extended—Extended RADIUS servers, usually running on IMC. The RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.
Request Transmission Attempts: Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still does not receive a response from the RADIUS server, the device considers the request a failure.
Send accounting-on packets / Accounting-On Interval / Accounting-On Attempts: Enable or disable the accounting-on feature, and set the interval and the maximum number of attempts for sending accounting-on packets. The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, making the servers forcibly log out users who logged in through the device before the reboot.
Table 38 Configuration items
Server Type: Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
IP Address: Specify the IPv4 or IPv6 address of the RADIUS server. The IP addresses of the primary and secondary servers for a scheme must be different. Otherwise, the configuration fails.
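The Request Transmission Attempts row and the primary/secondary server rows together define how long a login can hang before RADIUS authentication is declared failed. The following simulation, added here as an example and not part of the HP guide, models that behaviour: a request goes to the primary server, is retransmitted until the attempt limit is reached, and only then is the secondary server tried; it also computes the worst-case wait. The transport is a constructed stand-in so the block runs offline, and the server addresses are constructed sample values.

```python
# Added example, not from the HP guide: RADIUS retransmission and
# primary/secondary failover as described in the two tables above.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class RadiusServer:
    role: str          # "primary" or "secondary"
    ip: str
    port: int = 1812   # standard RADIUS authentication port


@dataclass(frozen=True)
class Attempt:
    server_ip: str
    number: int        # 1-based attempt counter per server
    answered: bool


def validate_scheme(servers: List[RadiusServer]) -> None:
    """Primary and secondary addresses in one scheme must differ (Table 38)."""
    ips = [s.ip for s in servers]
    if len(set(ips)) != len(ips):
        raise ValueError("primary and secondary RADIUS servers must have different IP addresses")


def authenticate(servers: List[RadiusServer], attempt_limit: int,
                 transport: Callable[[RadiusServer, int], bool],
                 log: Optional[List[Attempt]] = None) -> Optional[RadiusServer]:
    """Return the server that answered, or None once every server exhausted its attempts.

    transport(server, n) stands for "send request number n and wait for the
    response timeout"; it returns True when a response arrived in time.
    """
    validate_scheme(servers)
    for server in servers:                       # primary first, then secondary
        for n in range(1, attempt_limit + 1):    # retransmit up to the limit
            answered = transport(server, n)
            if log is not None:
                log.append(Attempt(server.ip, n, answered))
            if answered:
                return server
        # attempt limit exceeded without a response: this server has failed
    return None


def worst_case_wait(servers: List[RadiusServer], attempt_limit: int, timeout_s: float) -> float:
    """Longest time a login can hang before the device reports an authentication failure."""
    return len(servers) * attempt_limit * timeout_s


def simulated_transport(server: RadiusServer, n: int) -> bool:
    """Constructed scenario: the primary is silent, the secondary answers on its second try."""
    return server.role == "secondary" and n >= 2


if __name__ == "__main__":
    scheme = [RadiusServer("primary", "10.2.1.10"), RadiusServer("secondary", "10.2.1.11")]
    trace: List[Attempt] = []
    winner = authenticate(scheme, attempt_limit=3, transport=simulated_transport, log=trace)
    print(winner, len(trace), "attempts;", worst_case_wait(scheme, 3, 3.0), "s worst case")
```

With three attempts and a 3-second response timeout the primary consumes 9 seconds before the secondary is tried, and a user whose both servers are down waits 18 seconds for the failure; that product is what to keep in mind when raising the attempt limit.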
Configuring LDAP authentication

LDAP is a cross-platform, standard directory service system that is based on TCP/IP. It is developed on the basis of the X.500 protocol but is better than X.500 in data reading, browsing, and search. LDAP is suitable for saving data that will not change frequently. A typical application of LDAP is to save user information of a system.
Authentication Mode: Select an authentication mode for LDAP authentication. Options include Password, Password+Certificate, and Certificate.
User Group Attribute: Specify the name of the user group attribute configured on the LDAP server.
Specify conditions to query user DN: Select this option to query user DN by specified conditions, including the administrator DN, password, search base DN, and search template.
4. Click Apply.
Table 41 Configuration items
Enable AD authentication: Select this item to enable AD authentication.
AD Domain Name: Enter the name of the AD domain.
AD Server IP: Enter the IP addresses of the AD servers. You can specify four AD servers at most. When one server fails, the system uses another server to authenticate users. The system selects the specified servers in the configuration order of the servers. The first configured server has the highest priority.
Table 42 Configuration items
Enable combined authentication: Select this item to enable combined authentication.
First-Time Authentication Method: Select an authentication method as the first-time authentication method.
Second-Time Authentication Method: Select an authentication method as the second-time authentication method.
2. Click Add to add a new security policy.
Figure 184 Adding a security policy
3. Configure the security policy as described in Table 46.
4. Click Apply.
Table 43 Configuration items
Name: Enter a name for the security policy.
Level: Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
Description
Policy Configuration: Set check rules for the security policy. Check rules are divided into seven categories: operating system, browser, antivirus software, firewall, certificate, file, and process. To pass the check of a category, a host needs to satisfy at least one rule of the category. To pass the check of a security policy, a host must satisfy all categories of the policy. Click the expansion button before a category to view the rule information.
Operator: Set an operator for antivirus software version check and virus definitions version check.
• >=: The antivirus software and its virus definitions must be of the specified version or a later version.
• >: The antivirus software and its virus definitions must have a version later than the specified version.
• =: The antivirus software and its virus definitions must be of the specified version.
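The Policy Configuration and Operator rows define a small decision procedure: OR within a category, AND across categories, and three version operators for the antivirus rules. The evaluator below, added here as an example and not part of the HP guide, implements exactly that logic over a set of facts collected from the user host. The rule field names (name, operator, version, defs_version, path, issuer), the host-fact layout, and the choice to skip categories that carry no rules are assumptions made for this example; the sample host and policy are constructed.

```python
# Added example, not from the HP guide: evaluator for the host security check.
# A category passes when at least one of its rules matches; the policy passes
# only when every category that carries rules passes. Version operators follow
# the Operator row (>=, >, =).
import operator
import re
from typing import Callable, Dict, List, Tuple

CATEGORIES = ("operating system", "browser", "antivirus software",
              "firewall", "certificate", "file", "process")

_OPERATORS: Dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": operator.ge, ">": operator.gt, "=": operator.eq,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.0.1' -> (7, 0, 1); only the numeric fields count."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_matches(actual: str, op: str, required: str) -> bool:
    """Compare two version strings with one of the table's operators."""
    if op not in _OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))          # pad so that 7.0 equals 7.0.0
    a += (0,) * (width - len(a))
    r += (0,) * (width - len(r))
    return _OPERATORS[op](a, r)


def rule_matches(rule: dict, host: dict) -> bool:
    """One rule against the facts collected from the user host (field names assumed)."""
    cat = rule["category"]
    if cat == "operating system":
        return host.get("os") == rule["name"]
    if cat == "browser":
        return host.get("browser") == rule["name"]
    if cat == "firewall":
        return rule["name"] in host.get("firewalls", ())
    if cat == "antivirus software":
        # both the product version and the virus definitions must satisfy the operator
        return any(
            av["name"] == rule["name"]
            and version_matches(av["version"], rule["operator"], rule["version"])
            and version_matches(av["defs_version"], rule["operator"], rule["defs_version"])
            for av in host.get("antivirus", ())
        )
    if cat == "certificate":
        return rule["issuer"] in host.get("cert_issuers", ())
    if cat == "file":
        return rule["path"] in host.get("files", ())
    if cat == "process":
        return rule["name"] in host.get("processes", ())
    raise ValueError(f"unknown category {cat!r}")


def check_policy(policy: dict, host: dict) -> Tuple[bool, Dict[str, bool]]:
    """Return (passed, per-category result). Categories without rules are skipped (assumption)."""
    per_category: Dict[str, bool] = {}
    for cat in CATEGORIES:
        rules = [r for r in policy["rules"] if r["category"] == cat]
        if rules:
            per_category[cat] = any(rule_matches(r, host) for r in rules)   # OR within a category
    return all(per_category.values()), per_category                       # AND across categories


def select_policy(policies: List[dict]) -> dict:
    """The policy with the highest level is applied first, as the Level row says."""
    return max(policies, key=lambda p: p["level"])


if __name__ == "__main__":
    # Constructed host facts and policy; "ExampleAV" is a placeholder product name.
    host = {"os": "Windows 7", "browser": "IE",
            "antivirus": [{"name": "ExampleAV", "version": "7.0.1", "defs_version": "2014.5.1"}],
            "processes": {"svpnclient.exe"}}
    policy = {"name": "corp", "level": 10, "rules": [
        {"category": "operating system", "name": "Windows 7"},
        {"category": "operating system", "name": "Windows XP"},
        {"category": "antivirus software", "name": "ExampleAV",
         "operator": ">=", "version": "7.0", "defs_version": "2014.5"},
        {"category": "process", "name": "svpnclient.exe"}]}
    print(check_policy(policy, host))
```

The per-category result is worth keeping in the access log: a host that fails only the antivirus category because its virus definitions are behind the required version is a different support case from one that fails the operating system category.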
• Full customization—You can edit a webpage file of your own to provide a fully customized user access interface.
Figure 185 Customizable information on the login page
Figure 186 Customizable information on the service page

Partially customizing the SSL VPN interface

1. Configure the text information:
a. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. The Text Information tab appears, as shown in Figure 187.
b. Configure the service page banner information, login page welcome information, and login page title on the page.
c. Click Apply.
Figure 187 Text information
2. Configure the login page logo:
a.
b. Click the Login Page Logo tab to enter the page shown in Figure 188.
c. Click Browse to select a local picture file.
d. Set whether to directly overwrite the file with the same name on the device.
e. Click Apply to upload the picture file to the SSL VPN system and use it as the logo picture on the login page.
Figure 188 Specifying a login page logo picture
3. Configure the service page logo:
a. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
b.
Figure 190 Specifying a service page background picture

Fully customizing the SSL VPN interface

Before full customization of the SSL VPN interface, upload the customized page file to the SSL VPN gateway through FTP or TFTP.
1. Select VPN > SSL VPN > Page Customization > Full Customization from the navigation tree. The full customization page appears.
Figure 191 Full customization
2. Configure the full customization settings as described in Table 48.
3. Click Apply.
Logging in to the SSL VPN service interface

After the SSL VPN gateway is well configured, a user can log in to the SSL VPN service interface, following these steps:
1. Launch a browser on the user's host.
2. Enter https://192.168.1.1:44300/svpn/ in the address bar of the browser to enter the SSL VPN login page, as shown in Figure 192. 192.168.1.1 and 44300 are the SSL VPN gateway's host address and service port number. The service port number can be omitted when it is 443, the default value.
Figure 193 SSL VPN service interface
Figure 194 SSL VPN client software

Accessing SSL VPN resources

After logging in to the SSL VPN service interface, a user can see all resources that you have authorized the user to access, and perform the following operations:
• Clicking a resource name under Websites to access the website.
• Clicking a resource name under TCP Applications to run the command you configured for the resource (if any), or performing configurations according to the information provided by the resource name and then accessing the resource. For example, a user can configure the Outlook email receiving and sending servers according to the email resource name, log in by using the username and password, and then use the email service.
Changing the login password

To change the login password, a user needs to perform the following configurations:
1. Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 196.
2. Enter the new password, and confirm the new password.
3. Click Apply.
When the user logs in again, the user must enter the new password.
• Specify the default authentication method as RADIUS for the SSL VPN domain and enable verification code authentication.
Figure 197 Network diagram (Host/Remote user, 10.1.1.1/24, Internet, Router/SSL VPN gateway, Internal servers, 10.2.1.1/24, CA)

Configuration prerequisites

• The SSL VPN gateway, the CA, and the hosts used by remote users can reach each other.
• The CA is enabled with the CA service and can issue certificates to the SSL VPN gateway and the hosts.
Figure 198 Configuring a PKI entity named en
2. Configure a PKI domain named sslvpn:
a. Select Authentication > Certificate Management > Domain from the navigation tree.
b. Click Add.
c. On the page that appears, as shown in Figure 199, enter the PKI domain name sslvpn, enter the CA identifier CA server, select en as the local entity, select RA as the registration authority, enter the certificate requesting URL http://10.2.1.1/certsrv/mscep/mscep.
a. Select Authentication > Certificate Management > Certificate from the navigation tree.
b. Click Create Key to enter the key generation page, as shown in Figure 200.
c. Set the key length to 1024.
d. Click Apply.
Figure 200 Generating an RSA key pair
4. Retrieve the CA certificate:
a. After the key pair is generated, click the Retrieve Cert button on the certificate management page. The Retrieve Certificate page appears, as shown in Figure 201.
b. Select sslvpn as the PKI domain.
c.
Figure 202 Requesting a local certificate
You can view the retrieved CA certificate and the local certificate on the certificate management page.
Figure 203 Certificate management page
6. Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service:
a. Select VPN > SSL VPN > Service Management from the navigation tree.
b. Select the box before Enable SSL VPN.
c. Set the port number to 443.
d. Select sslvpn as the PKI domain.
e. Click Apply.
a. Select VPN > SSL VPN > Resource Management > Web Proxy from the navigation tree.
b. Click Add. The Web proxy server resource configuration page appears, as shown in Figure 205.
c. Enter the resource name tech.
d. Enter the website address http://10.153.1.223/.
e. Click Apply.
Figure 205 Configuring a Web proxy resource
2. Configure a resource named desktop for the desktop sharing service provided by host 10.153.70.120:
a.
Figure 206 Configuring a desktop sharing service resource
3. Configure global parameters for IP network resources:
a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global Configuration tab appears, as shown in Figure 207.
b. Enter the start IP address 192.168.0.1.
c. Enter the end IP address 192.168.0.100.
d. Enter the subnet mask 24.
e. Enter the gateway IP address 192.168.0.101.
f. Click Apply.
Figure 207 Configuring global parameters for IP network resources
4.
The network service is added to the host resource.
g. Click the Add button under the Shortcuts list.
h. On the page that appears, as shown in Figure 209, enter the shortcut name ftp_security-server and the shortcut command ftp 10.153.2.25, and click Apply. The shortcut is added to the host resource. Now, the host resource configuration page is as shown in Figure 210.
i. Click Apply.
Figure 210 Configuring a host resource
5. Configure resource group res_gr1, and add resource desktop to it:
a. Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree to enter the resource group list page.
b. Click Add to enter the resource group configuration page, as shown in Figure 211.
c. Enter the resource group name res_gr1.
d. Select desktop on the Available Resources list and click the << button to add it to the Selected Resources list.
e. Click Apply.
6. Configure resource group res_gr2, and add resources tech and sec_srv to it:
a. On the resource group list page, click Add.
b. Enter the resource group name res_gr2.
c. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list.
d. Click Apply.
Figure 212 Configuring resource group res_gr2

Configuring SSL VPN users

1. Configure a local user account usera:
a.
Figure 213 Adding local user usera
2. Configure user group user_gr1, assign resource group res_gr1 to the user group and add local user usera to the user group:
a. Select VPN > SSL VPN > User Management > User Group from the navigation tree to enter the user group list page.
b. Click Add. The user group configuration page appears, as shown in Figure 214.
c. Enter the user group name user_gr1.
d.
Figure 214 Configuring user group user_gr1
3. Configure user group user_gr2, and assign resource group res_gr2 to the user group:
a. On the user group list page, click Add.
b. Enter the user group name user_gr2.
c. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list.
d. Click Apply.
Figure 215 Configuring user group user_gr2

Configuring an SSL VPN domain

1. Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication:
a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The Domain Policy tab appears, as shown in Figure 216.
b. Select the box before Use verification code.
c. Select RADIUS as the default authentication method.
d. Click Apply.
Figure 216 Configuring the domain policy
2. Configure a RADIUS scheme named system:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add to enter the RADIUS scheme configuration page.
c. Enter the scheme name system.
d. In the Common Configuration area, select Extended as the supported RADIUS server type, and select Without domain name as the username format.
e. Click the Add button in the RADIUS Server Configuration area.
Figure 218 Configuring RADIUS scheme named system
3. Enable RADIUS authentication for the SSL VPN domain:
a. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
b. Click the RADIUS Authentication tab.
c. Select the box before Enable RADIUS authentication.
d. Click Apply.
Figure 219 Enable RADIUS authentication

Verifying the configuration

Launch a browser on a host, and enter https://10.1.1.
Figure 220 SSL VPN login page
Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 221. Click the resource name to access the shared desktop of the specified host, as shown in Figure 222.
Figure 222 Access the desktop sharing resource
Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server. Use this user account and the default authentication method RADIUS to log in. You can see website tech, subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 223. Click tech to access the technology website. Click shortcut ftp_security-server to access the security server through FTP, as shown in Figure 224.
Figure 223 Resources that a non-public account can access Figure 224 Access the IP network resource
Configuring firewall Overview A firewall blocks unauthorized Internet access to a protected network while allowing internal network users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet. Many of today's firewalls offer additional features, such as identity authentication and encryption.
ASPF functions An ASPF provides the following main functions: • Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and monitors the connection-oriented application layer protocol status. ASPF maintains the status information of each connection, and based on such information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.
• Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
• Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and transfers control messages and user data through different channels. FTP and RTSP are examples of multi-channel protocols.
Therefore, for multi-channel application layer protocols such as FTP and H.323, deploying TCP inspection without application layer inspection causes data connection establishment to fail. Configuring a packet-filter firewall Packet-filter firewall configuration task list Task Remarks Enabling the firewall function Required. Configuring the default filtering action of the firewall Optional. Configuring packet filtering on an interface Required.
Step Command Remarks 2. Specify the default filtering action of the firewall. firewall default { deny | permit } { all | slot slot-number } Optional. permit (permit packets to pass the firewall) by default. Use the deny action with caution. If you specify the deny action, routing protocol packets are denied, resulting in network disconnectivity. IPv6 application To configure the default filtering action of the IPv6 firewall: Step Command Remarks 1. Enter system view. system-view N/A Optional.
You can apply only one ACL to filter packets in one direction of an interface. Configuring IPv6 packet filtering on an interface IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet filtering in the inbound or outbound direction of an interface so that the interface filters packets that match the IPv6 ACL rules. To configure IPv6 packet filtering on an interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view.
• By using the firewall feature, the company intends to achieve the following aim: only specific users on external networks are given access to the internal servers, and only specific hosts on the internal network are permitted to access external networks. • Assume that the IP address of a specific external user is 20.3.3.3. Figure 226 Network diagram (diagram labels: FTP server 129.1.1.1/24, Telnet server 129.1.1.2/24, and WWW server 129.1.1.3/24 on the internal network; router GE3/0/1 129.1.1.5/24, S2/1/1 20.1.1.
[Router-GigabitEthernet3/0/1] firewall packet-filter 3001 inbound # Apply ACL 3002 to packets that come in through Serial 2/1/1. [Router-GigabitEthernet3/0/1] quit [Router] interface serial 2/1/1 [Router-Serial2/1/1] firewall packet-filter 3002 inbound Configuring an ASPF ASPF configuration task list Task Remarks Enabling the firewall function Required. Configuring an ASPF policy Required. Applying an ASPF policy to an interface Required. Configuring port mapping Optional.
Applying an ASPF policy to an interface Two concepts are distinguished in ASPF policy: internal interface and external interface. If the device is connected to both the internal network and the Internet, and employs ASPF to protect the internal servers, the interface connected to the internal network is the internal interface and the one connected to the Internet is the external interface.
Displaying ASPF Task Command Remarks Display all ASPF policy and session information. display aspf all [ | { begin | exclude | include } regular-expression ] Available in any view. Display the ASPF policy configuration applied to the interface. display aspf interface [ | { begin | exclude | include } regular-expression ] Available in any view. Display the configuration information of a specific ASPF policy.
# Create ACL 2001 to block Java applets from site 2.2.2.11. [RouterA] acl number 2001 [RouterA-acl-basic-2001] rule deny source 2.2.2.11 0 [RouterA-acl-basic-2001] rule permit [RouterA-acl-basic-2001] quit # Create ASPF policy1. [RouterA] aspf-policy 1 [RouterA-aspf-policy-1] icmp-error drop [RouterA-aspf-policy-1] tcp syn-check [RouterA-aspf-policy-1] quit # Apply ACL 3111 and the ASPF policy to the interface Serial 2/1/1.
Configuring ALG Application Level Gateway (ALG) processes the payload information of application layer packets to make sure data connections can be established. Usually NAT translates only IP address and port information in packet headers and does not analyze fields in application layer payloads. However, the packet payloads of some protocols may contain IP address or port information, which may cause problems if not translated.
Figure 228 Network diagram for ALG-enabled FTP application in passive mode (message sequence between the host on the inside network, the FTP-ALG-enabled NAT router, and the FTP server on the outside network: the host sends FTP_CMD "PASV", which the router forwards; the server replies FTP_EnterPassive "IP1, Port1"; the ALG translates IP1, Port1 to IP2, Port2 and forwards FTP_EnterPassive "IP2, Port2"; the host's FTP_Connect to IP2, Port2 is translated into FTP_Connect to IP1, Port1.) The communication process includes the following steps: 1. Establishing a control connection. The host sends a TCP connection request to the server.
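The translation step in Figure 228 can be modelled in a few lines. The following is an added example, not code from the guide or from the router software: it parses the RFC 959 "227 Entering Passive Mode" reply, rewrites the embedded IP1, Port1 into IP2, Port2, and records the one-shot pinhole that maps the host's data connection back; the address map, the port counter standing in for the NAT port pool, and the sample replies are constructed.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# The server-side address (IP1, Port1 in the figure) travels inside the payload,
# which is why header-only NAT leaves it untranslated and the data connection fails.
PASV_REPLY = re.compile(
    rb"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(payload: bytes):
    """Return (ip, port) embedded in a 227 reply, or None if the payload is not one."""
    m = PASV_REPLY.match(payload)
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed octet or port byte: leave the payload alone
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip: str, port: int) -> bytes:
    """Build the 227 reply the host should see for (ip, port)."""
    octets = [int(o) for o in ip.split(".")]
    return b"227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).\r\n" % (
        *octets, port // 256, port % 256)


class FtpAlg:
    """FTP ALG model: rewrites the address in PASV replies and opens a pinhole
    so that the data connection the host is about to make is translated back.

    addr_map: server-side address (IP1) -> host-side address (IP2); constructed.
    Data ports come from a simple counter standing in for the NAT port pool.
    """

    def __init__(self, addr_map, first_port=10000):
        self.addr_map = addr_map
        self.next_port = first_port
        self.pinholes = {}  # (IP2, Port2) -> (IP1, Port1), consumed by one connection

    def translate_pasv_reply(self, payload: bytes) -> bytes:
        parsed = parse_pasv(payload)
        if parsed is None or parsed[0] not in self.addr_map:
            return payload  # not a PASV reply, or nothing to translate
        ip1, port1 = parsed
        ip2 = self.addr_map[ip1]
        port2 = self.next_port
        self.next_port += 1
        self.pinholes[(ip2, port2)] = (ip1, port1)
        return format_pasv(ip2, port2)

    def translate_data_connect(self, dst_ip: str, dst_port: int):
        """Map the host's data connection to (IP2, Port2) onto (IP1, Port1).
        None means no ALG pinhole exists, so the connection is dropped."""
        return self.pinholes.pop((dst_ip, dst_port), None)
```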
Enabling ALG Step Command Remarks 1. Enter system view. system-view N/A 2. Enable ALG. alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } Optional. By default, ALG is enabled for all protocols. FTP ALG configuration example The example describes only ALG configuration, assuming other required configurations on the server and client have been done. Network requirements As shown in Figure 229, a company uses the private network segment 192.168.1.
SIP/H.323 ALG configuration example H.323 ALG configuration is similar to SIP ALG configuration. The following example describes SIP ALG configuration. The example describes only ALG configurations, assuming other required configurations on the server and client have been done. Network requirements As shown in Figure 230, a company uses the private network segment 192.168.1.0/24, and has four public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11.
Configure NAT and ALG on the router so that Host A uses 5.5.5.9 as its external IP address, the WINS server uses 5.5.5.10 as its external IP address, and Host B can access the WINS server and Host A by using host names. Figure 231 Network diagram Configuration procedure # Configure a static NAT entry. system-view [Router] nat static 192.168.1.3 5.5.5.9 # Enable ALG for NBT. [Router] alg nbt # Configure NAT.
Managing sessions Overview Session management is a common feature designed to implement session-based services such as NAT, ASPF, and intrusion protection. Session management regards packet exchanges at the transport layer as sessions, and updates the session status or ages sessions out according to information in the initiator or responder packets. Session management allows multiple features to process the same service packet.
• Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payload of these packets. • Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions. • Supporting persistent sessions, which are not aged within a long period of time. • Supporting session management of control channels and dynamic data channels of application layer protocols, for example, FTP.
Step Command Remarks 2. Set the aging time for sessions of a specified protocol and in a specified state. session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value This aging time setting is effective for only the sessions that are being established. The defaults are as follows:
• accelerate—10 seconds.
• fin—30 seconds.
• icmp-closed—30 seconds.
• icmp-open—60 seconds.
• rawip-open—30 seconds.
Configuring early aging for sessions A device that does not support attack detection or attack protection is vulnerable to attacks on session resources. If session resources are used up, the device cannot support normal forwarding services, for example, NAT processing. To prevent such attacks, you can configure early aging for sessions.
To enable checksum verification for protocol packets: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable checksum verification. session checksum { all | { icmp | tcp | udp } * } Disabled by default. Specifying the persistent session rule You can set sessions with specific characteristics as persistent sessions. The aging time of a persistent session does not change with session state transitions, and the session will not be removed even when no packets match it.
Configuring session logging Session logs help track information about user access, IP address translation, and traffic, and can be sent to the log server or exported to the information center in flow log format, which helps network administrators with security auditing. VLAN interfaces do not support session logging. Enabling session logging Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Enable session logging.
Configuring session log export Session logs are exported in the form of flow logs. To configure session log exporting: Step Command Remarks 1. Enter system view. system-view N/A 2. Specify the flow log version. userlog flow export version version-number Optional. 1.0 by default. 3. Specify the source IP address for UDP packets carrying flow logs. userlog flow export source-ip ip-address Optional. 4. Specify the IP address and UDP port number of the flow log server.
Task Command Remarks Display statistics for sessions display session statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Display session relationship table information. display session relation-table [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display configuration and statistics about logs. display userlog export slot slot-number [ | { begin | exclude | include } regular-expression ] Available in any view.
Configuring connection limits Overview An internal user initiating a large quantity of connections to external networks in a short period of time occupies large amounts of system resources on the device, limiting access to network resources for other users. An internal server that receives large numbers of connection requests within a short period of time cannot process them in time or accept other normal connection requests.
An IP address-based connection limit rule can be of any of the following types: • Source-to-destination—Limits connections from a specific internal host or segment to a specific external host or segment. • Source-to-any—Limits connections from a specific internal host or segment to external networks. • Any-to-destination—Limits connections from external networks to a specific internal server. • Any-to-any—Limits the total number of connections passing through the device.
• Each host on segment 192.168.0.0/24 can establish up to 100 connections to external network and all the other hosts can establish as many connections as possible. • Permit up to 10000 connections from the external network to the DNS server. • Permit up to 10000 connections from the external network to the Web server. Figure 232 Network diagram Configuration procedure The following describes only connection limit configuration.
Connection-limit policy 0, refcount 1, 3 limits limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100 per-source limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000 limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000 Troubleshooting connection limiting Connection limit rules with overlapping segments Symptom On the router, create a connection limit policy and configure two rules for the policy.
Analysis Both rules limit 0 and limit 1 involve HTTP connections, and the rule with a smaller ID is matched first. Rule 0 is used for HTTP connections. Solution Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for HTTP connections is matched first.
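The rule-matching behaviour behind this troubleshooting case (smallest rule ID first, per-source counting, unmatched traffic unlimited) is shown by the following added example, which is not code from the guide or the router: it models the three-limit policy from the configuration example above and a helper that reports which rule a connection actually hits. Rule semantics beyond what the page states (for example, that protocol "ip" matches every transport protocol) are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LimitRule:
    """One 'limit' rule of a connection-limit policy.
    source/destination are 'any' or a network in CIDR form (the router's
    'ip 192.168.0.0 24' is written 192.168.0.0/24 here).
    protocol 'ip' is assumed to match every transport protocol."""
    rule_id: int
    source: str
    destination: str
    protocol: str
    max_connections: int
    per_source: bool = False

    def matches(self, src, dst, proto):
        if self.source != "any" and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination != "any" and ip_address(dst) not in ip_network(self.destination):
            return False
        return self.protocol == "ip" or self.protocol == proto


class ConnectionLimitPolicy:
    """Admits or refuses new connections against the first matching rule.
    Rules are tried in ascending rule-ID order, as the troubleshooting note states."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        self.active = Counter()  # (rule_id, source ip or '*') -> open connections

    def lookup(self, src, dst, proto):
        for rule in self.rules:
            if rule.matches(src, dst, proto):
                return rule
        return None

    @staticmethod
    def _key(rule, src):
        # per-source rules keep one counter per source address, others one shared counter
        return (rule.rule_id, src if rule.per_source else "*")

    def admit(self, src, dst, proto):
        """Return (allowed, rule_id). Traffic matching no rule is not limited."""
        rule = self.lookup(src, dst, proto)
        if rule is None:
            return True, None
        key = self._key(rule, src)
        if self.active[key] >= rule.max_connections:
            return False, rule.rule_id
        self.active[key] += 1
        return True, rule.rule_id

    def release(self, src, dst, proto):
        """Call when a counted connection closes or ages out."""
        rule = self.lookup(src, dst, proto)
        if rule is not None and self.active[self._key(rule, src)] > 0:
            self.active[self._key(rule, src)] -= 1


# The three limits of connection-limit policy 0 from the configuration example.
EXAMPLE_POLICY = ConnectionLimitPolicy([
    LimitRule(0, "192.168.0.0/24", "any", "ip", 100, per_source=True),
    LimitRule(1, "any", "192.168.0.3/32", "dns", 10000),
    LimitRule(2, "any", "192.168.0.2/32", "http", 10000),
])


def shadowing_rule(policy, src, dst, proto, expected_rule_id):
    """Return the rule that is hit instead of the one the operator expected, or
    None if the expected rule is the first match (the overlap check for the
    'Connection limit rules with overlapping segments' symptom)."""
    hit = policy.lookup(src, dst, proto)
    if hit is None or hit.rule_id == expected_rule_id:
        return None
    return hit
```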
Configuring Web filtering Overview In legacy network security solutions, network protection mainly targets external attacks. With the popularity of network applications in every walk of life, however, the internal network also faces security threats caused by internal user access to illegal networks. To protect the internal network against such threats, the network devices must be able to filter illegal access requests from internal users.
• If URL address filtering does not support IP addresses, the device checks the ACL rules for URL address filtering. If the ACL permits the IP address, the device forwards the request. Otherwise, the device drops the request. URL parameter filtering Many webpages are dynamic, connected with databases, and support data query and modification through Web requests.
ActiveX blocking ActiveX blocking protects networks from being attacked by malicious ActiveX plugins. After the ActiveX blocking function is enabled, requests for ActiveX plugins to all webpages will be filtered. If the ActiveX plugins in some webpages are expected, you can configure ACL rules to permit requests to the ActiveX plugins of these webpages. Processing procedure • If the ActiveX blocking function is enabled but no ACL is configured for it, the device replaces the suffix .ocx with .
Step Command Remarks 2. Enable the URL address filtering function. firewall http url-filter host enable Disabled by default. 3. Configure IP address-supported URL address filtering. firewall http url-filter host ip-address { deny | permit } Deny by default. 4. Specify an ACL for URL address filtering. firewall http url-filter host acl acl-number 5. Display information about URL address filtering.
Step Command Remarks 5. Display information about Java blocking. display firewall http java-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ] Optional. In the ACL for Java blocking, you need to configure the source IP addresses as the IP addresses of the HTTP servers allowed to be accessed, and set the action to permit. Configuring ActiveX blocking Step Command Remarks 1. Enter system view. system-view N/A 2.
Task Command Remarks Clear Web filtering statistics. reset firewall http { activex-blocking | java-blocking | url-filter host | url-filter parameter } counter Available in user view. URL address filtering configuration example Network requirements The hosts in the network segment 192.168.1.0/24 access the Internet through the device. The device is enabled with the URL address filtering function, and allows the hosts to access only www.webflt.com using the URL address or IP address.
[Router-acl-basic-2000] quit # Specify to allow users to use IP addresses to access websites. [Router] firewall http url-filter host ip-address deny [Router] firewall http url-filter host acl 2000 After the above configuration, open a Web browser on a host in the LAN, enter website http://www.webflt.com or http://3.3.3.3 and you can access this website correctly. Enter other website addresses, and you are not allowed to access the corresponding websites.
[Router-acl-basic-2200] rule 1 deny source any [Router-acl-basic-2200] quit [Router] nat address-group 1 2.2.2.10 2.2.2.11 [Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] nat outbound 2200 address-group 1 [Router-GigabitEthernet3/0/1] quit # Enable the URL parameter filtering function and add URL parameter filtering entry group.
[Router-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255 [Router-acl-basic-2200] rule 1 deny source any [Router-acl-basic-2200] quit [Router] nat address-group 1 2.2.2.10 2.2.2.11 [Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] nat outbound 2200 address-group 1 [Router-GigabitEthernet3/0/1] quit # Configure an ACL numbered 2100 for Java blocking. [Router] acl number 2100 [Router-acl-basic-2100] rule 0 permit source 5.5.5.5 0.0.0.
Analysis The number of URL address filtering entries, URL parameter filtering entries, Java blocking suffix keywords, or ActiveX blocking suffix keywords has reached the upper limit. Solution If necessary, remove some configured entries or keywords before adding new ones. Invalid characters are present in the configured parameter Symptom When you configure a URL address filtering entry or URL parameter filtering entry, the system displays a character error message.
Table 47 Wildcards for URL parameter filtering entries
Wildcard Meaning Usage guidelines
^ Matches parameters starting with the keyword. It can be present once at the beginning of a filtering entry.
$ Matches parameters ending with the keyword. It can be present once at the end of a filtering entry.
& Stands for one valid character. It can be present multiple times at any position of a filtering entry, consecutively or inconsecutively, and cannot be used next to an asterisk (*).
Unable to access the HTTP server by IP address Symptom After the URL address filtering function is enabled, you cannot access the HTTP server by its IP address. Analysis By default, the URL address filtering function disables access by IP address. Web requests that use the IP address to access the HTTP server will be filtered. Solution Configure an ACL to permit Web requests to the IP address of the HTTP server.
Configuring attack detection and protection Overview Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to the packet contents and behaviors and, if it detects an attack, takes measures against it, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
Single-packet attack Description Large ICMP For some hosts and devices, large ICMP packets cause memory allocation errors and thus crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash. Route Record An attacker exploits the route record option in the IP header to probe the topology of a network. Smurf An attacker sends an ICMP echo request to the broadcast address of the target network.
An attacker sends a large number of UDP packets to the target in a short time, making the target too busy to process normal services. Blacklist function The blacklist function is an attack protection measure that filters packets by source IP address. Compared with Access Control List (ACL) packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.
• RAW IP session establishment rate The device collects statistics to calculate the session establishment rates at an interval of 5 seconds. Therefore, the session establishment rates displayed on the device are based on the statistics collected during the latest 5-second interval. The traffic statistics function does not take the session status into account (except the TCP half-open and half-close states). As long as a session is established, the count increases by 1.
Figure 238 Data exchange process in unidirectional proxy mode (TCP client, TCP proxy, TCP server):
1) SYN (client to proxy)
2) SYN ACK (invalid sequence number) (proxy to client)
3) RST (client to proxy)
4) SYN (retransmitting) (client to proxy)
5) SYN (forwarding) (proxy to server)
6) SYN ACK (server to client)
7) ACK (client to proxy)
8) ACK (forwarding) (proxy to server)
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back a SYN ACK message that uses a wrong sequence number on behalf of the server. The client, if legitimate, responds with an RST message.
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK message with the window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy receives an ACK message. Upon receiving an ACK message from the client, the TCP proxy sets up a connection between itself and the server through a three-way handshake on behalf of the client. Thus, two TCP connections are established, and the two connections use different sequence numbers.
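The admission logic of both proxy modes can be modelled as a small state machine. The following is an added example, not code from the guide or the router software: in unidirectional mode a SYN is answered with a SYN ACK carrying a deliberately wrong acknowledgement number, a legitimate client answers RST and its retransmitted SYN is then forwarded, while a spoofed source never answers and never reaches the server; in bidirectional mode the SYN ACK is correct but advertises window 0 and the proxy opens the server-side connection only after the client's ACK. The Segment fields, the RST check (RST.seq equals the ACK number the client received, RFC 793), and the addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field

MOD32 = 2 ** 32


@dataclass(frozen=True)
class Segment:
    """Just the TCP fields the proxy decision needs."""
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    window: int = 65535


@dataclass
class TcpProxy:
    """Model of the TCP proxy's admission logic for segments to protected servers.

    unidirectional: answer SYN with a SYN ACK whose ACK number is wrong. A real
    TCP stack replies RST with seq = that wrong ACK number; a spoofed source never
    sees the SYN ACK, never answers, and its SYNs are never forwarded.
    bidirectional: answer SYN with a correct SYN ACK but window 0 and wait for the
    ACK before opening a separate connection to the server.
    """
    protected: set
    mode: str = "unidirectional"
    verified: set = field(default_factory=set)     # sources that answered the challenge
    pending: dict = field(default_factory=dict)    # src -> (our seq, ACK number we sent)

    def handle(self, seg: Segment) -> list:
        """Segments the proxy emits for one client segment: a challenge back to the
        client, the segment forwarded on to the server, or nothing (absorbed)."""
        if seg.dst not in self.protected:
            return [seg]                              # unprotected destination: pass
        if seg.src in self.verified:
            return [seg]                              # handshake/data from a proven client
        if seg.flags == "SYN":
            return self._challenge(seg)
        if seg.flags == "RST" and self.mode == "unidirectional":
            self._check_answer(seg, seg.seq)
        elif seg.flags == "ACK" and self.mode == "bidirectional":
            if self._check_answer(seg, (seg.ack - 1) % MOD32):
                # Open the server-side connection on the client's behalf; it uses its
                # own initial sequence number, independent of the client-side one.
                return [Segment(seg.src, seg.dst, "SYN", seq=secrets.randbelow(MOD32))]
        return []                                     # unverified: absorbed, not forwarded

    def _challenge(self, seg: Segment) -> list:
        our_seq = secrets.randbelow(MOD32)
        good_ack = (seg.seq + 1) % MOD32
        if self.mode == "unidirectional":
            # offset in [1, 2^32 - 2], so the ACK number is never the correct one
            wrong_ack = (good_ack + 1 + secrets.randbelow(MOD32 - 2)) % MOD32
            self.pending[seg.src] = (our_seq, wrong_ack)
            return [Segment(seg.dst, seg.src, "SYN-ACK", seq=our_seq, ack=wrong_ack)]
        self.pending[seg.src] = (our_seq, good_ack)
        return [Segment(seg.dst, seg.src, "SYN-ACK", seq=our_seq, ack=good_ack, window=0)]

    def _check_answer(self, seg: Segment, value: int) -> bool:
        """The answer must echo our challenge: RST.seq in unidirectional mode,
        ACK.ack - 1 in bidirectional mode. A blind guess has a 1 in 2^32 chance."""
        pend = self.pending.get(seg.src)
        if pend is None:
            return False
        our_seq, sent_ack = pend
        expected = sent_ack if self.mode == "unidirectional" else our_seq
        if value != expected:
            return False
        del self.pending[seg.src]
        self.verified.add(seg.src)
        return True
```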
Configuring attack protection functions for an interface Creating an attack protection policy Before configuring attack protection functions for an interface, you need to create an attack protection policy and enter its view. In attack protection policy view, you can define one or more signatures used for attack detection and specify the corresponding protection measures. When creating an attack protection policy, you can also specify an interface so that the interface uses the policy exclusively.
Step Command Remarks 4. Configure the ICMP packet length threshold that triggers large ICMP attack protection. signature-detect large-icmp max-length length Optional. 4000 bytes by default. 5. Configure the device to drop single-packet attack packets. signature-detect action drop-packet Optional. By default, the device does not process the attack packets if it detects an attack. 6. Return to system view. quit N/A 7. Enable attack protection logging. attack-defense logging enable Optional.
Step Command Remarks 7. Enable the blacklist function. blacklist enable Required to make the blacklist entries added by the scanning attack protection function take effect. By default, the blacklist function is disabled. Configuring a flood attack protection policy The flood attack protection function is used to protect servers. It detects various flood attacks by monitoring the rate at which connection requests are sent to a server.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter attack protection policy view. attack-defense policy policy-number N/A 3. Enable ICMP flood attack protection. defense icmp-flood enable Disabled by default. 4. Configure the global action and silence thresholds for ICMP flood attack protection.
To apply an attack protection policy to an interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Apply an attack protection policy to the interface. attack-defense apply policy policy-number By default, no attack protection policy is applied to any interface. The attack protection policy to be applied to an interface must already exist.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the blacklist function. blacklist enable Disabled by default. 3. Add a blacklist entry. blacklist ip source-ip-address [ timeout minutes ] Optional. The scanning attack protection function can add blacklist entries automatically. You can add blacklist entries manually, or configure the device to automatically add the IP addresses of detected scanning attackers to the blacklist.
Task Command Remarks Display the configuration information about one or all attack protection policies. display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display information about blacklist entries. display blacklist { all | ip source-ip-address [ slot slot-number ] | slot slot-number } [ | { begin | exclude | include } regular-expression ] Available in any view. Display the traffic statistics of an interface.
Figure 240 Network diagram (diagram labels: Host A, Host B, and Host C behind GE3/0/1 192.168.1.1/16; Attacker and Host D 5.5.5.5/24 on the Internet side of GE3/0/2 202.1.0.1/16; Server 10.1.1.2/24 behind GE3/0/3 10.1.1.1/24) Configuration procedure # Configure IP addresses for interfaces. (Details not shown.) # Enable the blacklist function. system-view [Router] blacklist enable # Create attack protection policy 1. [Router] attack-defense policy 1 # Enable Smurf attack protection.
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected. [Router-attack-defense-policy-2] defense syn-flood action drop-packet [Router-attack-defense-policy-2] quit # Apply policy 2 to GigabitEthernet 3/0/3. [Router] interface gigabitethernet 3/0/3 [Router-GigabitEthernet3/0/3] attack-defense apply policy 2 [Router-GigabitEthernet3/0/3] quit # Enable attack protection logging.
[Router] blacklist ip 5.5.5.5 # Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes. [Router] blacklist ip 192.168.1.4 timeout 50 Verifying the configuration # Execute the display blacklist all command to display the added blacklist entries.
# Configure the policy to drop the subsequent packets once a UDP flood attack is detected. [Router-attack-defense-policy-1] defense udp-flood action drop-packet [Router-attack-defense-policy-1] quit # Apply policy 1 to GigabitEthernet 3/0/1. [Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] attack-defense apply policy 1 # Enable the traffic statistics function in the outbound direction of GigabitEthernet 3/0/1.
RAWIP session establishment rate : 0/s The output shows that on GigabitEthernet 3/0/1, a large number of UDP packets destined for 10.1.1.2 exist, and the session establishment rate has exceeded the specified threshold. You can determine that the server is under a UDP flood attack. Use the display attack-defense statistics command to view the related statistics collected after the UDP flood protection function takes effect.
[Router-GigabitEthernet3/0/1] quit # Enable TCP proxy on GigabitEthernet 3/0/1. [Router] interface gigabitethernet 3/0/2 [Router-GigabitEthernet3/0/2] tcp-proxy enable [Router-GigabitEthernet3/0/2] quit Verifying the configuration When a SYN flood attack targeting an internal server occurs, execute the display tcp-proxy protected-ip command to display information about the IP addresses protected by the TCP proxy function.
Configuring TCP attack protection Overview Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features: • SYN Cookie • Protection against Naptha attacks This chapter describes the attacks that these features can prevent, working mechanisms of these features, and configuration procedures.
Enabling protection against Naptha attacks Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state.
Configuring IP source guard This feature is available only for SAP interface modules operating in Layer 2 mode. Overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent invalid hosts from using a valid IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag.
A static IPv4 source guard entry binds an IP address, MAC address, VLAN, or any combination of the three with a port. Such an entry is effective on only the specified port. A port forwards a packet only when the IP address, MAC address, and VLAN tag (if any) of the packet all match those in a static binding entry on the port. All other packets will be dropped. The router does not support static IPv6 source guard entries.
Follow these guidelines when you enable IPv4 source guard on a port: • You cannot enable IPv4 source guard on a link aggregation member port. If IPv4 source guard is enabled on a port, you cannot assign the port to a link aggregation group. • The keyword specified in the ip verify source command is only for instructing the generation of dynamic IPv4 source guard entries. It does not affect static IP source guard entries.
Step Command Remarks 3. Configure a static IPv4 source guard entry on the port. ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] By default, no static IPv4 binding entry is configured on a port. A static source guard entry can be configured on only Layer 2 Ethernet ports.
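The filtering rule for source guard entries (a packet is forwarded only when its source IP address, source MAC address, and VLAN tag all match the fields bound in some entry on the port, with unbound fields acting as wildcards) and the guideline that the ip verify source keyword only shapes dynamic entries are shown in the following added example, which is not code from the guide or the router software. The class and method names, and the sample addresses (the 192.168.0.1 / 0001-0203-0406 pair from the examples below plus constructed ones), are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Accept 0001-0203-0406 (HP style) or 00:01:02:03:04:06 and return HP style."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class Binding:
    """One IPv4 source guard entry. A field left as None is not bound, mirroring
    the optional parts of 'ip source binding ... [ vlan vlan-id ]'."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None
    kind: str = "S"            # S = static, D = dynamic (learned from DHCP snooping)

    def matches(self, ip: str, mac: str, vlan: Optional[int]) -> bool:
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or self.mac == mac)
                and (self.vlan is None or self.vlan == vlan))


class SourceGuardPort:
    """Layer 2 port with IPv4 source guard: forwards a packet only when its source
    IP, source MAC and VLAN tag (where bound) all match some entry on the port."""

    def __init__(self, name: str, verify: Optional[str] = None):
        self.name = name
        # keyword given to 'ip verify source': None (not enabled), "ip-address",
        # "mac-address" or "ip-address mac-address"
        self.verify = verify
        self.bindings: list = []

    def add_static(self, ip=None, mac=None, vlan=None) -> Binding:
        """Static entry: the command binds an IP address, a MAC address, or both."""
        if ip is None and mac is None:
            raise ValueError("a binding needs an IP address, a MAC address or both")
        entry = Binding(ip, normalize_mac(mac) if mac else None, vlan, "S")
        self.bindings.append(entry)
        return entry

    def learn_from_dhcp_snooping(self, ip: str, mac: str, vlan: int):
        """Dynamic entry: the 'ip verify source' keyword decides which fields of the
        DHCP snooping entry are bound; static entries are unaffected by it."""
        if self.verify is None:
            return None
        entry = Binding(ip if "ip-address" in self.verify else None,
                        normalize_mac(mac) if "mac-address" in self.verify else None,
                        vlan, "D")
        self.bindings.append(entry)
        return entry

    def forwards(self, src_ip: str, src_mac: str, vlan: Optional[int] = None) -> bool:
        if self.verify is None and not self.bindings:
            return True               # source guard not configured on this port
        mac = normalize_mac(src_mac)
        return any(b.matches(src_ip, mac, vlan) for b in self.bindings)
```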
Static IPv4 source guard entry configuration example Network requirements As shown in Figure 245, Host A and Host B are connected to ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/1 of Router B respectively, Host C is connected to port GigabitEthernet 3/0/2 of Router A, and Router B is connected to port GigabitEthernet 3/0/1 of Router A. All hosts use static IP addresses.
[RouterA-GigabitEthernet3/0/1] ip verify source ip-address mac-address # Configure GigabitEthernet 3/0/1 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass. [RouterA-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [RouterA-GigabitEthernet3/0/1] quit 2. Configure Router B: # Enable IPv4 source guard on GigabitEthernet 3/0/2 to filter packets based on both the source IP address and MAC address.
Dynamic IPv4 source guard by DHCP snooping configuration example Network requirements As shown in Figure 246, the router connects to the host (client) and the DHCP server through ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. The host obtains an IP address from the DHCP server. Enable DHCP snooping on the router to record the DHCP snooping entry of the host.
DHCP Snooping is enabled. The client binding table for all untrusted ports. Type : D--Dynamic , S--Static Type IP Address MAC Address Lease VLAN Interface ==== =============== ============== ============ ==== ================= D 192.168.0.1 0001-0203-0406 86335 1 GigabitEthernet3/0/1 The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP snooping entry.
[Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] ip verify source ip-address mac-address [Router-GigabitEthernet3/0/1] quit Verifying the configuration # Display the generated IPv4 source guard entries. [Router] display ip source binding Total entries found: 1 MAC Address IP Address VLAN Interface Type 0001-0203-0406 192.168.0.1 N/A GE3/0/1 DHCP-RLY Troubleshooting IP source guard Symptom Failed to configure static IP source guard or dynamic IP source guard on a port.
Configuring ARP attack protection ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and prevent such attacks. Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
Task Remarks Configuring ARP gateway protection Optional. Configure this function on access devices (recommended). Configuring ARP filtering Optional. Configure this function on access devices (recommended). Configuring unresolvable IP attack protection If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called unresolvable IP packets), the following situations can occur: • The device sends a large number of ARP requests, overloading the target subnets.
Displaying and maintaining ARP source suppression

Task: Display ARP source suppression configuration information.
Command: display arp source-suppression [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Configuration example

Network requirements

As shown in Figure 248, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through its own access switch.
system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100
# Enable ARP black hole routing.
system-view
[Device] arp resolving-route enable

Configuring ARP packet rate limit

The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU.
To configure ARP active acknowledgement:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the ARP active acknowledgement function.
   Command: arp anti-attack active-ack enable
   Remarks: Disabled by default.

Configuring authorized ARP

Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent.
Figure 249 Network diagram

Configuration procedure

1. Configure Router A:
# Configure the IP address of GigabitEthernet 3/0/1.
system-view
[RouterA] interface gigabitethernet 3/0/1
[RouterA-GigabitEthernet3/0/1] ip address 10.1.1.1 24
[RouterA-GigabitEthernet3/0/1] quit
# Configure DHCP.
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-1] quit
# Enter Layer 3 Ethernet interface view.
Authorized ARP configuration example (on a DHCP relay agent)

Network requirements

Configure Router A as a DHCP server with an IP address pool of 10.10.1.0/24. Configure Router B as a DHCP relay agent. Enable authorized ARP on GigabitEthernet 3/0/2 of Router B to ensure user validity. Configure Router C as a DHCP client to obtain an IP address.

Figure 250 Network diagram

Configuration procedure

1. Configure Router A:
# Configure the IP address of GigabitEthernet 3/0/1.
[RouterB-GigabitEthernet3/0/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on GigabitEthernet 3/0/2.
[RouterB-GigabitEthernet3/0/2] dhcp select relay
[RouterB-GigabitEthernet3/0/2] quit
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[RouterB] dhcp relay server-group 1 ip 10.1.1.1
# Correlate GigabitEthernet 3/0/2 to DHCP server group 1.
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] dhcp relay server-select 1
# Configure the DHCP server to support authorized ARP.
ARP detection does not check ARP packets received from ARP trusted ports.

Configuring user validity check

After you enable this feature, the device checks user validity as follows:
1. Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against user validity check rules. If a matching rule is found, the ARP packet is processed according to the rule.
2.
At least one user validity check rule, static IP source guard binding entry, DHCP snooping entry, or 802.1X security entry must be available to perform the user validity check. Otherwise, ARP packets received from ARP untrusted ports are discarded. You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can match the IP source guard binding entry.
To enable ARP restricted forwarding:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Enable ARP restricted forwarding.
   Command: arp restricted-forwarding enable
   Remarks: Disabled by default.

Displaying and maintaining ARP detection

Task: Display the VLANs enabled with ARP detection.
Command: display arp detection [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the ARP detection statistics.
Configuration procedure

1. Add all ports on Router B into VLAN 10, and configure the IP address of VLAN-interface 10 on Router A. (Details not shown.)
2. Configure the DHCP server on Router A.
system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection. (Details not shown.)
4. Configure Router B:
# Enable the 802.
• Configure DHCP snooping on Router B.
• Configure a static IP source guard binding entry for Host B on Router B.
• Enable ARP detection and ARP packet validity check in VLAN 10.

Figure 252 Network diagram

Configuration procedure

1. Add all ports on Router B to VLAN 10, and configure the IP address of VLAN-interface 10 on Router A. (Details not shown.)
2.
# Configure a static IP source guard binding entry on interface GigabitEthernet 3/0/2 for user validity check.
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port link-mode bridge
[RouterB-GigabitEthernet3/0/2] ip source binding ip-address 10.1.1.
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure the DHCP client on Host A and Host B. (Details not shown.)
4. Configure Router B:
# Enable DHCP snooping, and configure GigabitEthernet 3/0/3 as a DHCP-trusted port.
After the configuration, Router B forwards ARP broadcast requests from Host A to Router A through the trusted port GigabitEthernet 3/0/3, and thus Host B cannot receive such packets. Port isolation works correctly.

Configuring ARP automatic scanning and fixed ARP

ARP automatic scanning is usually used together with the fixed ARP feature.
Configuring ARP gateway protection

NOTE:
This feature is supported only when SAP modules operate in bridge mode.

Configure this feature on interfaces not connected with the gateway to prevent gateway spoofing attacks. When such a port receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet correctly.
Figure 254 Network diagram

Configuration procedure

# Configure ARP gateway protection on Router B.
system-view
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] port link-mode bridge
[RouterB-GigabitEthernet3/0/1] arp filter source 10.1.1.1
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port link-mode bridge
[RouterB-GigabitEthernet3/0/2] arp filter source 10.1.1.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable ARP filtering and configure a permitted entry.
   Command: arp filter binding ip-address mac-address
   Remarks: This feature is disabled by default.

ARP filtering configuration example

Network requirements

As shown in Figure 255, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233, respectively. The IP and MAC addresses of Host B are 10.1.1.
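The per-port ARP checks this chapter describes (gateway protection, ARP filtering, and the ARP detection user validity check with its fail-closed rule and its VLAN requirement) modelled in one Python program. This is an added example and not HP code or quoted device behaviour: the port names, the second host's MAC address and the binding entries are constructed sample data (Host A's 10.1.1.2 / 000f-e349-1233 pair is taken from the example above), and the assumption that a DHCP snooping or static entry is compared on sender IP, sender MAC, receiving port and VLAN is the author's.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: int
    sender_ip: str
    sender_mac: str

@dataclass(frozen=True)
class Binding:
    """An entry ARP detection can match: a static IP source guard binding,
    a DHCP snooping entry, or an 802.1X security entry."""
    source: str
    ip: str
    mac: str
    port: str
    vlan: Optional[int]          # None models a static binding configured without a VLAN

@dataclass(frozen=True)
class PortPolicy:
    arp_trusted: bool = False                    # ARP trusted ports skip ARP detection
    protected_gateways: frozenset = frozenset()  # arp filter source ip-address
    filter_bindings: frozenset = frozenset()     # arp filter binding ip-address mac-address

def gateway_protection(pkt: ArpPacket, policy: PortPolicy) -> Optional[str]:
    """Discard an ARP packet whose sender IP is that of a protected gateway."""
    if pkt.sender_ip in policy.protected_gateways:
        return "sender IP matches a protected gateway"
    return None

def arp_filtering(pkt: ArpPacket, policy: PortPolicy) -> Optional[str]:
    """With ARP filtering configured, only the permitted IP/MAC pairs may pass."""
    if policy.filter_bindings and (pkt.sender_ip, pkt.sender_mac) not in policy.filter_bindings:
        return "sender IP/MAC is not a permitted ARP filtering entry"
    return None

def user_validity_check(pkt: ArpPacket, rules: list, bindings: list) -> Optional[str]:
    """User validity check rules are consulted first, then the binding entries.
    Fails closed when nothing is configured; an entry without a VLAN never matches."""
    for action, ip, mac in rules:                # (action, ip or None, mac or None)
        if ip in (None, pkt.sender_ip) and mac in (None, pkt.sender_mac):
            return None if action == "permit" else "denied by a user validity check rule"
    if not rules and not bindings:
        return "no rule or binding entry available, packet discarded"
    for b in bindings:
        if b.vlan is None:
            continue
        if (b.ip, b.mac, b.port, b.vlan) == (pkt.sender_ip, pkt.sender_mac, pkt.port, pkt.vlan):
            return None
    return "sender IP/MAC does not match any binding entry"

def inspect_arp(pkt: ArpPacket, policy: PortPolicy, rules: list, bindings: list) -> tuple:
    """Apply the per-port checks in order; returns ('forward' | 'discard', reason)."""
    for check in (gateway_protection, arp_filtering):
        reason = check(pkt, policy)
        if reason:
            return "discard", reason
    if policy.arp_trusted:
        return "forward", "ARP trusted port, detection skipped"
    reason = user_validity_check(pkt, rules, bindings)
    return ("discard", reason) if reason else ("forward", "passed user validity check")

def run_examples() -> dict:
    """Constructed scenario on access port GE3/0/2 in VLAN 10: gateway 10.1.1.1 is
    protected, Host A (10.1.1.2, 000f-e349-1233) has a DHCP snooping entry, and a
    second host has a static binding that was configured without a VLAN."""
    access = PortPolicy(protected_gateways=frozenset({"10.1.1.1"}))
    filtered = PortPolicy(filter_bindings=frozenset({("10.1.1.2", "000f-e349-1233")}))
    bindings = [Binding("dhcp-snooping", "10.1.1.2", "000f-e349-1233", "GE3/0/2", 10),
                Binding("static", "10.1.1.3", "000f-e349-1234", "GE3/0/2", None)]

    def pkt(ip: str, mac: str) -> ArpPacket:
        return ArpPacket("GE3/0/2", 10, ip, mac)

    return {
        "host_a": inspect_arp(pkt("10.1.1.2", "000f-e349-1233"), access, [], bindings)[0],
        "binding_without_vlan": inspect_arp(pkt("10.1.1.3", "000f-e349-1234"), access, [], bindings)[0],
        "gateway_spoof": inspect_arp(pkt("10.1.1.1", "000f-e349-1233"), access, [], bindings)[0],
        "stolen_ip": inspect_arp(pkt("10.1.1.2", "000f-e349-9999"), access, [], bindings)[0],
        "no_entries": inspect_arp(pkt("10.1.1.2", "000f-e349-1233"), access, [], [])[0],
        "filtered_out": inspect_arp(pkt("10.1.1.3", "000f-e349-1234"), filtered, [], bindings)[0],
        "trusted_uplink": inspect_arp(pkt("10.1.1.2", "000f-e349-1233"), PortPolicy(arp_trusted=True), [], [])[0],
    }
```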
Configuring ND attack defense

Overview

The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.

To identify forged ND packets, HP developed the ND detection feature. For more information about the five functions of the ND protocol, see Layer 3—IP Services Configuration Guide.
Configuring URPF

Overview

Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
URPF work flow

Figure 258 shows how URPF works.
NOTE:
URPF does not check multicast packets.

1. URPF checks source address validity:
   Proceeds to step 2 for other packets.
2.
   If yes, proceeds to step 3.
   If not, proceeds to step 5.
3. URPF checks whether the matching route is a default route:
   If yes, URPF checks whether the allow-default-route keyword is configured to allow the default route: if yes, proceeds to step 4. If not, proceeds to step 5.
   If not, proceeds to step 4.
Network application

Figure 259 Network diagram

• Configure strict URPF check between an ISP network and a customer network, and loose URPF check between ISPs.
• Configure ACLs for special packets or users.

Configuring URPF on an interface

URPF checks only packets arriving at an enabled interface. Do not configure the allow-default-route keyword for loose URPF check. Otherwise, URPF might fail to work.
URPF configuration example

Network requirements

As shown in Figure 260, enable strict URPF check on GigabitEthernet 3/0/1 of Router B and permit packets from network 10.1.1.0/24. Enable strict URPF check on GigabitEthernet 3/0/1 of Router A to allow using the default route for URPF check.

Figure 260 Network diagram

Configuration procedure

1. Configure Router B:
# Define ACL 2010 to permit traffic from network 10.1.1.0/24 to pass.
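The URPF decision worked through in Python as an added example (not HP code): strict versus loose mode, the allow-default-route keyword, the ACL exception that the example above configures with ACL 2010, and the multicast exemption from the NOTE. The FIB contents, interface names, the single ACL rule, and the treatment of a broadcast source as the one invalid source address in step 1 are the author's assumptions for the model.

```python
import ipaddress

# Constructed FIB for the checking router: (prefix, outgoing interface).
FIB_ROUTER_B = [
    ("10.1.1.0/24", "GE3/0/1"),
    ("192.168.2.0/24", "GE3/0/2"),
    ("0.0.0.0/0", "GE3/0/2"),
]
# Constructed stand-in for ACL 2010: rules are checked in order, first match wins.
ACL_2010 = [("permit", "10.1.1.0/24")]

def fib_lookup(fib, src):
    """Longest-prefix match on the source address; returns (network, iface) or None."""
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def acl_permits(acl, src):
    """First matching rule decides; with no match the failed packet stays discarded."""
    for action, prefix in acl or []:
        if src in ipaddress.ip_network(prefix):
            return action == "permit"
    return False

def urpf_check(fib, src_ip, in_iface, mode="strict", allow_default_route=False,
               acl=None, dst_ip=None):
    """Return (verdict, reason) following the numbered steps of the URPF work flow.
    strict: the route to the source must leave through the receiving interface.
    loose: a route to the source only has to exist."""
    src = ipaddress.ip_address(src_ip)
    if dst_ip is not None and ipaddress.ip_address(dst_ip).is_multicast:
        return "forward", "multicast packet, not checked"
    # Step 1: source address validity (assumption: a broadcast source is invalid).
    if src == ipaddress.ip_address("255.255.255.255"):
        return "discard", "invalid source address"
    failed = None
    route = fib_lookup(fib, src)
    if route is None:                                  # Step 2: no route back to the source
        failed = "no route to the source address"
    else:
        net, out_iface = route
        if net.prefixlen == 0 and not allow_default_route:   # Step 3: default route
            failed = "matched only the default route"
        elif mode == "strict" and out_iface != in_iface:     # Step 4: interface match
            failed = f"route points to {out_iface}, packet arrived on {in_iface}"
    if failed is None:
        return "forward", "passed URPF check"
    if acl_permits(acl, src):                          # Step 5: ACL exception
        return "forward", f"failed URPF ({failed}) but permitted by the URPF ACL"
    return "discard", failed

def run_examples():
    """Constructed packets against FIB_ROUTER_B; the third argument is the receiving interface."""
    b = FIB_ROUTER_B
    cases = {
        "customer_on_ge1": urpf_check(b, "10.1.1.5", "GE3/0/1", acl=ACL_2010),
        "wrong_iface_strict": urpf_check(b, "192.168.2.9", "GE3/0/1", acl=ACL_2010),
        "wrong_iface_loose": urpf_check(b, "192.168.2.9", "GE3/0/1", mode="loose"),
        "default_route_only": urpf_check(b, "172.16.0.1", "GE3/0/2"),
        "default_route_allowed": urpf_check(b, "172.16.0.1", "GE3/0/2", allow_default_route=True),
        "acl_exception": urpf_check(b, "10.1.1.7", "GE3/0/2", acl=ACL_2010),
        "multicast": urpf_check(b, "172.16.0.1", "GE3/0/1", dst_ip="224.0.0.9"),
    }
    return {name: verdict for name, (verdict, _reason) in cases.items()}
```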
Configuring FIPS

Overview

Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the device supports Level 2. Unless otherwise noted, FIPS in the document refers to FIPS 140-2.
Type: Cryptographic engine self-tests
Operations: Test the following algorithms used by cryptographic engines:
• DSA (signature and authentication)
• RSA (signature and authentication)
• RSA (encryption and decryption)
• AES
• 3DES
• SHA1
• HMAC-SHA1
• Random number generator algorithms

Conditional self-tests

A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked.
• Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.

Configuration considerations

To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
4.
FIPS configuration example

Network requirements

As shown in Figure 261, Host connects to Router through a console port. Configure Router to operate in FIPS mode and create a local user for Host so that Host can log in to the router.

Figure 261 Network diagram

Configuration procedure

CAUTION:
After you enable the FIPS mode, be sure to create a local user and its password before you reboot the device. Otherwise, you cannot log in to the device.
(To leave the existing filename unchanged, press the enter key):
cfa0:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait....
The current configuration is saved to the active main board successfully.
Configuration is saved to device successfully.
[Sysname] quit
# Reboot the device.
reboot

Verifying the configuration

After the device reboots, enter the username (test) and password (AAbbcc1234%).
Configuring group domain VPN

Group domain Virtual Private Network (group domain VPN) provides a point-to-multipoint tunnel-less VPN solution. It is mainly used to protect multicast traffic.

Overview

Group domain VPN uses a group-based IPsec model. Members in a group use a common IPsec policy, which includes security protocols, algorithms, and keys.
Figure 262 Group domain VPN structure (a KS and several GMs across the IP network; GMs register with the KS, and the KS updates keys)

The KS maintains security policies for groups, and creates and maintains key information. It responds to registration requests from GMs and sends rekey messages to GMs. After a GM registers with the KS, the KS sends the IPsec policy and keys to the GM. The keys are periodically updated. Before the key lifetime expires, the KS notifies all GMs to update keys by sending rekey messages.
Figure 263 Registration process (messages between GM and KS: 1) IKE negotiation, 2) Group ID, 3) SA policy, 4) Acknowledgement, 5) TEK and KEK)

As shown in Figure 263:
1. The GM and KS perform IKE negotiation.
2. The GM sends its group ID to the KS.
3. The KS sends an IPsec policy to the GM according to the group ID.
4. The GM verifies the IPsec policy. If the IPsec policy settings are acceptable, for example, the security protocols and encryption algorithms are supported, the GM sends an acknowledge message to the KS.
5.
Rekey

If rekey parameters are configured on the KS, the KS periodically unicasts or multicasts (the default mode is multicast) rekey messages to registered GMs to update their IPsec SAs or rekey SAs. The rekey messages are protected by the current rekey SA on the KS. GMs authenticate the rekey messages by using the public key that they received from the KS during registration. If a GM does not receive any rekey messages before its IPsec SA or rekey SA expires, the GM re-registers with the KS.
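A simplified model of the registration and rekey exchange described above, as an added example that is not HP code: the GM presents its group ID, verifies the pushed policy, receives the TEK/KEK together with the KS public key, then accepts only rekey messages whose signature verifies under that key, and re-registers when its SA lifetime runs out without a valid rekey. The RSA key pair is a toy built from two small Mersenne primes (constructed, for illustration only), the TEK/KEK values are hashes standing in for real key material, IKE phase 1 is represented by a flag, and all addresses and lifetimes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Toy RSA pair standing in for the KS rekey key pair; Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_sign(msg: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % N, D, N)

def rsa_verify(pub: tuple, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

@dataclass
class KeyServer:
    group_id: int
    encryption: str = "aes-cbc-128"     # IPsec policy pushed in step 3 (constructed)
    lifetime: int = 900                 # TEK lifetime in seconds (constructed)
    version: int = 1
    public_key: tuple = (N, E)
    registrations: dict = field(default_factory=dict)   # gm_id -> count

    def keys(self) -> dict:
        # Constructed TEK/KEK material derived from the group ID and key version.
        tag = f"{self.group_id}:{self.version}".encode()
        return {"version": self.version, "lifetime": self.lifetime,
                "tek": hashlib.sha256(b"TEK" + tag).hexdigest()[:32],
                "kek": hashlib.sha256(b"KEK" + tag).hexdigest()[:32]}

    def register(self, gm_id: str, group_id: int, ike_ok: bool) -> dict:
        """Steps 1 to 3 of the registration process, as seen by the KS."""
        if not ike_ok:
            raise PermissionError("phase-1 IKE negotiation failed")
        if group_id != self.group_id:
            raise PermissionError("group ID does not match the GDOI KS group")
        self.registrations[gm_id] = self.registrations.get(gm_id, 0) + 1
        return {"protocol": "esp", "encryption": self.encryption}

    def rekey(self) -> tuple:
        """Issue a new key version, signed so that GMs can authenticate it."""
        self.version += 1
        body = json.dumps(self.keys(), sort_keys=True).encode()
        return body, rsa_sign(body)

@dataclass
class GroupMember:
    gm_id: str
    group_id: int
    supported_encryption: frozenset
    ks_pub: tuple = None
    keys: dict = None
    sa_remaining: int = 0

    def register(self, ks: KeyServer) -> bool:
        policy = ks.register(self.gm_id, self.group_id, ike_ok=True)
        if policy["encryption"] not in self.supported_encryption:
            return False                  # step 4: policy not acceptable, no ack sent
        # Step 5: after the acknowledgement the GM holds the TEK/KEK and the KS public key.
        self.ks_pub, self.keys = ks.public_key, ks.keys()
        self.sa_remaining = self.keys["lifetime"]
        return True

    def on_rekey(self, body: bytes, sig: int) -> bool:
        """Accept a rekey only if its signature verifies under the KS public key."""
        if self.ks_pub is None or not rsa_verify(self.ks_pub, body, sig):
            return False
        self.keys = json.loads(body)
        self.sa_remaining = self.keys["lifetime"]
        return True

    def elapse(self, seconds: int, ks: KeyServer) -> None:
        """Run the SA lifetime down; expiry without a valid rekey means re-registering."""
        self.sa_remaining -= seconds
        if self.sa_remaining <= 0:
            self.register(ks)

def run_examples() -> dict:
    ks = KeyServer(group_id=12345)                 # constructed group ID
    gm = GroupMember("1.1.1.1", 12345, frozenset({"aes-cbc-128"}))
    gm.register(ks)
    body, sig = ks.rekey()
    genuine = gm.on_rekey(body, sig)
    tampered = gm.on_rekey(body.replace(b'"version": 2', b'"version": 9'), sig)
    gm.elapse(900, ks)                             # no valid rekey before expiry
    return {"genuine": genuine, "tampered": tampered, "version": gm.keys["version"],
            "registrations": ks.registrations["1.1.1.1"]}
```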
Keepalive

The primary KS periodically sends hello messages to the secondary KSs. If the secondary KSs receive no hello messages within a specific interval, they consider that the primary KS has failed and elect a new primary KS. During the election, the secondary KSs do not accept registrations from GMs.
GDOI KS redundancy can be used to achieve KS high availability and load sharing. The following describes GDOI KS redundancy settings:
• UDP port number—Specifies the UDP port number that a GDOI KS uses to send and receive redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use the same UDP port number.
• Peer address—Specifies the IP address of a peer KS.
• Local priority—Specifies the priority of the local KS for primary KS election.
Task: Configuring rekey parameters
Remarks: Optional.

Configuring basic settings for a GDOI KS group

A device supports multiple GDOI KS groups. A GDOI KS group includes all settings required by a KS in the group. The following describes basic GDOI KS group settings:
• Group name—Identifies the GDOI KS group on the device.
• Group ID—Identifies the GDOI KS group in the Group Domain VPN. A KS uses the group ID received from a GM to determine the GDOI KS group that the GM wants to join.
3. Configure an ID for the GDOI KS group.
   Command: identity { address ip-address | number number }
   Remarks: Specify an IP address or a number as the group ID.
4. Reference a key pair for KS rekey.
   Command: rekey authentication public-key rsa key-name
   Remarks: By default, no key pair is referenced.
5. Specify a rekey ACL.
   Command: rekey acl { acl-number | name acl-name }
   Remarks: By default, no rekey ACL is specified.
6. Create an IPsec policy for the GDOI KS group and enter GDOI KS group IPsec policy view.
To configure GDOI KS redundancy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the UDP port number for listening to redundancy protocol packets.
   Command: gdoi ks redundancy port port-number
   Remarks: By default, the KS listens to UDP port 19000 for redundancy protocol packets.
3. Enter GDOI KS group view.
   Command: gdoi ks group group-name
   Remarks: N/A
4. Specify a peer KS.
   Command: peer address ip-address
   Remarks: By default, no peer KS is specified.
5. (Optional.) Configure a local priority.
Configuring rekey parameters

The following describes the rekey parameters:
• Rekey encryption—Specifies the encryption algorithm used by the KEK.
• Rekey lifetime—Specifies the lifetime of the KEK.
• Rekey transport unicast—Enables unicasting rekey messages. By default, the KS multicasts rekey messages. Configure this setting only when the network does not support multicasting, because unicast transmission increases overhead and affects device performance.
Task: Clear GDOI information for GMs and initiate registrations.
Command: reset gdoi [ group group-name ]

Task: Enforce rekey.
Command: gdoi ks rekey [ group group-name ]

Configuring the GDOI GM

The GDOI GM needs IKE settings that include an IKE proposal and an IKE peer used for phase-1 IKE negotiation. The IKE peer is identified by the IP address of the KS. For information about IKE configuration, see "Configuring IKE."

GDOI GM configuration task list

Task: Configuring a GDOI GM group
Remarks: Required.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a GDOI GM group and enter GDOI GM group view.
   Command: gdoi gm group group-name
   Remarks: By default, no GDOI GM group exists.
3. Configure a GDOI GM group ID.
   Command: identity { address ip-address | number number }
   Remarks: Specify an IP address or a number as the group ID. By default, no GDOI GM group ID is specified.
4. Configure a KS address.
   Command: server address ip-address
   Remarks: By default, no KS address is specified.
5.
   Remarks: Optional.
3. Reference a GDOI GM group for the GDOI IPsec policy entry.
   Command: group group-name
   Remarks: By default, no GDOI GM group is referenced. You can reference only one GDOI GM group for a GDOI IPsec policy entry. For a GDOI IPsec policy entry to take effect, the referenced GDOI GM group must have correct KS addresses and group ID.
4. Reference an ACL for the GDOI IPsec policy entry.
   Remarks: Optional. By default, no ACL is referenced.
Task: Display the GDOI GM group information.
Command: display gdoi gm [ group group-name ] [ | { begin | exclude | include } regular-expression ]

Task: Display information about IPsec SAs obtained by the GM.
Command: display gdoi gm ipsec sa [ group group-name ] [ | { begin | exclude | include } regular-expression ]

Task: Display brief information of the GM.
Command: display gdoi gm members [ group group-name ] [ | { begin | exclude | include } regular-expression ]

Task: Display the ACL information of the GM.
Figure 266 Network diagram

Configuration procedure

Make sure each GM (GM 1, GM 2, and GM 3) and each KS can reach each other, and the two KSs can reach each other. Make sure the multicast packets between the GMs and the multicast rekey messages between the KS and GMs can be forwarded correctly. By default, the KS multicasts rekey messages. To unicast rekey messages, use the rekey transport unicast command.

Configuring KS 1

# Configure IP addresses for interfaces. (Details not shown.
# Configure the pre-shared key as tempkey1 in plaintext.
[KS1-ike-peer-toks2] pre-shared-key simple tempkey1
# Specify the IP address of the IKE peer as 200.2.2.200.
[KS1-ike-peer-toks2] remote-address 200.2.2.200
[KS1-ike-peer-toks2] quit
# Create the IKE peer togm for IKE negotiation with GMs.
[KS1] ike peer togm
# Apply IKE proposal 1 to the IKE peer.
[KS1-ike-peer-togm] proposal 1
# Configure the pre-shared key as tempkey1 in plaintext.
# Create a local RSA key pair named rsa1.
[KS1] public-key local create rsa name rsa1
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
# Export the local RSA key pair rsa1 by using 3DES CBC and password 12345678. Copy the key or key pair as needed, which will be used in RSA key import on KS 2.
# Create an IPsec policy.
[KS1-gdoi-ks-group-ks1] ipsec 10
# Reference the IPsec profile fortek.
[KS1-gdoi-ks-group-ks1-ipsec-10] profile fortek
# Reference the ACL fortek.
[KS1-gdoi-ks-group-ks1-ipsec-10] security acl name fortek
[KS1-gdoi-ks-group-ks1-ipsec-10] quit
# Specify the peer KS 200.2.2.200.
[KS1-gdoi-ks-group-ks1] peer address 200.2.2.200
# Specify the source address of sent packets as 100.1.1.100.
[KS1-gdoi-ks-group-ks1] source address 100.1.1.100
# Specify the local priority as 10000.
# Configure the pre-shared key as tempkey1 in plaintext.
[KS2-ike-peer-togm] pre-shared-key simple tempkey1
[KS2-ike-peer-togm] quit
# Create an IPsec transform set fortek.
[KS2] ipsec transform-set fortek
# Specify the ESP protocol for the IPsec transform set fortek.
[KS2-ipsec-transform-set-fortek] transform esp
# Specify the encryption algorithm AES-CBC 128 for the IPsec transform set fortek.
[GM1] ike proposal 1
# Specify the encryption algorithm AES-CBC 128 for the IKE proposal.
[GM1-ike-proposal-1] encryption-algorithm aes-cbc 128
# Specify the authentication algorithm SHA1 for the IKE proposal.
[GM1-ike-proposal-1] authentication-algorithm sha
# Specify DH group2 for the IKE proposal.
[GM1-ike-proposal-1] dh group2
[GM1-ike-proposal-1] quit
# Create IKE peer toks1.
[GM1] ike peer toks1
# Reference IKE proposal 1 for the IKE peer.
[GM1-Ethernet1/1] quit

Configuring GM 2

# Configure IP addresses for interfaces. (Details not shown.)
# Create IKE proposal 1.
system-view
[GM2] ike proposal 1
# Specify the encryption algorithm AES-CBC 128 for the IKE proposal.
[GM2-ike-proposal-1] encryption-algorithm aes-cbc 128
# Specify the authentication algorithm SHA1 for the IKE proposal.
[GM2-ike-proposal-1] authentication-algorithm sha
# Specify DH group2 for the IKE proposal.
# Reference GDOI GM group 1 for the GDOI IPsec policy.
[GM2-ipsec-policy-gdoi-map-1] group 1
[GM2-ipsec-policy-gdoi-map-1] quit
# Apply the GDOI IPsec policy to interface Ethernet 1/1.
[GM2] inter��face ethernet 1/1
[GM2-Ethernet1/1] ipsec policy map
[GM2-Ethernet1/1] quit

Configuring GM 3

# Configure IP addresses for interfaces. (Details not shown.)
# Create IKE proposal 1.
system-view
[GM3] ike proposal 1
# Specify the encryption algorithm AES-CBC 128 for the IKE proposal.
[GM3-gdoi-gm-group-1] server address 100.1.1.100
[GM3-gdoi-gm-group-1] server address 200.2.2.200
[GM3-gdoi-gm-group-1] quit
# Create a GDOI IPsec policy.
[GM3] ipsec policy map 1 gdoi
# Reference GDOI GM group 1 for the GDOI IPsec policy.
[GM3-ipsec-policy-gdoi-map-1] group 1
[GM3-ipsec-policy-gdoi-map-1] quit
# Apply the IPsec policy to interface Ethernet 1/1.
current outbound spi: 0xDB865076(3683012726)
[inbound ESP SAs]
spi: 0xDB865076(3683012726)
transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
in use setting: Transport
connection id: 317
sa duration (kilobytes/sec): 0/900
sa remaining duration (kilobytes/sec): 0/63
anti-replay detection: Disabled
spi: 0x640321A(104870426)
transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
in use setting: Transport
connection id: 325
sa duration (kilobytes/sec): 0/900
sa remaining duration (kilobytes/sec): 0/853
anti-replay detection: D
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 10.1.3.0/255.255.255.
Group Server List : 100.1.1.100
Group Member : 1.1.1.1
Registration status : Registered
Registered with : 100.1.1.100
Re-register in : 81 sec
Succeeded registrations : 1
Attempted registrations : 1
Last rekey from : 100.1.1.
Group member version : 1.0
Group ID : 12345
Rekeys sent : 0
Rekey retries : 0
Rekey ACKs received : 0
Rekey ACKs missed : 0
Group member ID : 2.2.2.2
Group member version : 1.0
Group ID : 12345
Rekeys sent : 0
Rekey retries : 0
Rekey ACKs received : 0
Rekey ACKs missed : 0
Group member ID : 3.3.3.3
Group member version : 1.0
Group ID : 12345
Rekeys sent : 0
Rekey retries : 0
Rekey ACKs received : 0
Rekey ACKs missed : 0

KS 2 stores the same GM information.
Sessions:
Peer address : 100.1.1.100
Peer version : 1.0
Peer priority : 10000
Peer role : Primary
Peer status : Ready

Troubleshooting group domain VPN

IKE SA negotiation failure

Symptom

Phase 1 IKE negotiation failed.

Analysis

If the failure occurred between a GM and the KS, the IKE configurations on the GM and KS do not match, or the GM and KS cannot reach each other. If the failure occurred between KSs, the IKE configurations on the KSs do not match, or the KSs cannot reach each other.
Solution

Verify that the GM and KS have the same group ID.

KS redundancy failure

Symptom

KS redundancy configuration does not take effect.

Analysis

Display KS redundancy information on KS 1. The output shows that each KS considers itself as the primary KS.
display gdoi ks redundancy
Group Name :ks1
Local address : 100.1.1.100
Local version : 1.0
Local priority : 10000
Local role : Primary
Primary address : 100.1.1.100
Sessions:
Session 1:
Peer address : 200.2.2.
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Boldface
Description: Bold text represents commands and keywords that you enter literally as shown.

Convention: Italic
Description: Italic text represents arguments that you replace with actual values.

Convention: [ ]
Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.

Convention: { x | y | ... }
Description: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.
The command displays the public key and private key of the exported RSA key pair in PEM format on the terminal. The private key is encrypted using the encryption algorithm and password specified in the command. You cannot export the default RSA key pair.