HP MSR Router Series Security Configuration Guide(V5) Part number: 5998-2028 Software version: CMW520-R2511 Document version: 6PW103-20140128
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Security overview .... 1
Network security threats .... 1
Network security services
802.1X overview .... 80
802.1X architecture .... 80
Controlled/uncontrolled port and port authorization status .... 80
Configuration procedure .... 132
Configuring port security features .... 133
Configuring NTK .... 133
Configuring IPsec for IPv6 routing protocols .... 180
Displaying and maintaining IPsec .... 181
IPsec configuration examples .... 182
Troubleshooting IKEv2 .... 244
No matching IKEv2 proposal found .... 244
IPsec tunnels cannot be set up .... 245
Configuring PKI
Configuration procedure .... 284
RSH configuration example .... 284
Configuring portal authentication .... 287
Overview
Troubleshooting portal .... 338
Inconsistent keys on the access device and the portal server .... 338
Incorrect server port number on the access device .... 339
Configuring firewall
Terminating the connection with the SFTP server .... 370
Configuring the device as an SCP client .... 370
SCP client configuration task list .... 370
Transferring files with an SCP server
Configuration guidelines .... 411
Configuration procedure .... 412
Configuring IP source guard .... 413
Overview
FIPS compliance .... 444
Password control configuration task list .... 445
Enabling password control .... 445
GM registration failure .... 492
KS redundancy failure .... 492
Configuring FIPS .... 493
Overview
Security overview
Network security threats are actual or potential threats to data confidentiality, data integrity, data availability, or the authorized usage of some resource in a network system. Network security services provide solutions that eliminate or reduce those threats to different extents.
Network security threats
• Information disclosure—Information is leaked to an unauthorized person or entity.
• Data integrity damage—Data integrity is damaged by unauthorized modification or malicious destruction.
Network security technologies
Identity authentication
AAA
AAA provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies network users and determines whether the user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Portal authentication
Portal authentication, also called "Web authentication," controls user access at the access layer and at other data entrances that need protection. It does not require client software to authenticate users. Users only need to enter a username and a password on the webpage for authentication. With portal authentication, an access device redirects all unauthenticated users to a specific webpage, and users can freely access resources on the webpage.
• Destination port number
The device compares the header information against the preset ACL rules and processes (discards or forwards) the packet based on the comparison result.
TCP attack protection
Attackers can attack the device during TCP connection establishment. To prevent such attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
Other security technologies
The device also provides other network security technologies to implement multifunctional, full-range security protection for users.
Configuring AAA
The HP MSR series routers support EXEC user access. The HP MSR series routers do not support the attribute access-limit command. The idle-cut enable command, which is used in ISP domain view to configure the idle cut function, takes effect only on LAN users.
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management.
You can implement any of the three security functions provided by AAA as needed. For example, if your company wants employees to be authenticated before they access specific resources, configure an authentication server. If network usage information is needed, you must also configure an accounting server. AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used.
Basic RADIUS message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user's username and password to the RADIUS client.
2.
Figure 4 RADIUS packet format (fields in order: Code, bits 0–7; Identifier, bits 8–15; Length, bits 16–31; Authenticator; Attributes)
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 1 Main values of the Code field
Code  Packet type      Description
1     Access-Request   From the client to the server. A packet of this type carries user information for the server to authenticate the user.
• Each attribute in the Attributes field consists of the following sub-fields:
  − Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."
  − Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
  − Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length sub-fields.
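The header layout of Figure 4 and the Type/Length/Value attribute format can be exercised with a small parser. The following Python is an added example, not code from this guide or from HP: it builds an Access-Request, parses it back with the length checks a receiver needs, and verifies the Message-Authenticator attribute (80) as the HMAC-MD5 defined in RFC 2869, which is how a server detects spoofed or altered Access-Requests. The shared key `expert`, the user `hello@bbb` and the fixed Request Authenticator are constructed sample values.

```python
"""Parse RADIUS packets (Code, Identifier, Length, Authenticator, TLV attributes)
and verify the Message-Authenticator attribute.  Added example, not HP code."""
import hashlib
import hmac
import struct

HEADER_LEN = 20                      # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096                       # upper bound on the Length field (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80      # attribute 80 from the attribute table in this guide
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes.
    The length checks reject packets that are truncated or whose attribute Length
    points past the end of the packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > MAX_LEN or length > len(packet):
        raise ValueError("invalid Length field %d" % length)
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        # alen counts the Type and Length bytes too, so 2 is the minimum
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "code_name": CODE_NAMES.get(code, "unknown"),
            "identifier": ident, "length": length,
            "authenticator": packet[4:HEADER_LEN], "attributes": attrs}


def build_radius(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble a packet; each attribute becomes Type, Length (len(value) + 2), Value."""
    if len(authenticator) != 16:
        raise ValueError("Authenticator must be 16 bytes")
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(ident, request_authenticator, secret, attrs) -> bytes:
    """Build an Access-Request carrying Message-Authenticator: append a zero-filled
    attribute 80, HMAC-MD5 the whole packet with the shared key, then fill the value in."""
    packet = build_radius(1, ident, request_authenticator,
                          list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # attribute 80 is last, so its value is the final 16 bytes


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute's value zeroed; False if the attribute is
    absent, malformed or wrong.  This is the server-side check against spoofed requests."""
    parsed = parse_radius(packet)
    pos = HEADER_LEN
    for atype, value in parsed["attributes"]:
        alen = len(value) + 2
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + alen:parsed["length"]]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += alen
    return False


def demo():
    """Constructed sample: a genuine request, a tampered copy, and a wrong shared key."""
    secret = b"expert"                 # shared key used in the guide's RADIUS example
    req_auth = bytes(range(16))        # constructed placeholder; a real NAS uses 16 random bytes
    pkt = build_access_request(7, req_auth, secret, [
        (ATTR_USER_NAME, b"hello@bbb"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),
    ])
    genuine = verify_message_authenticator(pkt, secret)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01   # flip one byte of the User-Name value
    forged = verify_message_authenticator(bytes(tampered), secret)
    wrong_key = verify_message_authenticator(pkt, b"not-expert")
    return genuine, forged, wrong_key  # (True, False, False)


if __name__ == "__main__":
    print(parse_radius(build_access_request(7, bytes(range(16)), b"expert",
                                            [(ATTR_USER_NAME, b"hello@bbb")])))
    print(demo())
```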
HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations.
Figure 6 Basic HWTACACS message exchange process for a Telnet user
HWTACACS operates in the following manner:
1. A Telnet user sends an access request to the HWTACACS client.
2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6.
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14.
• X.25 PAD users
• Portal users—Users who must pass portal authentication to access the network.
• PPP users—Users who access through PPP.
• VoIP users—Users who use the VoIP service.
• SSL VPN users—Users who access through SSL VPN.
Figure 8 Devices functioning as a RADIUS server
The device can serve as a RADIUS server to provide user information management, RADIUS client management, and RADIUS authentication and authorization. You can create, modify, and delete user information, including the username, password, authority, lifetime, and user description. You can create and delete RADIUS clients, which are identified by IP addresses and configured with attributes such as a shared key.
Figure 9 Network diagram
This feature can help a multi-VPN-instance CE to implement portal authentication for VPNs. For more information about multi-VPN-instance CEs, see MPLS Configuration Guide. For more information about portal authentication, see "Configuring portal."
No.  Attribute              Description
8    Framed-IP-Address      IP address assigned to the user.
11   Filter-ID              Name of the filter list.
12   Framed-MTU             MTU for the data link between the user and NAS. For example, with 802.1X EAP authentication, NAS uses this attribute to notify the server of the MTU for EAP packets, so as to avoid oversized EAP packets.
14   Login-IP-Host          IP address of the NAS interface that the user accesses.
15   Login-Service          Type of the service that the user uses for login.
No.  Attribute              Description
79   EAP-Message            Used to encapsulate EAP packets to allow RADIUS to support EAP authentication.
80   Message-Authenticator  Used for authentication and verification of authentication packets to prevent spoofed Access-Requests. This attribute is present when EAP authentication is used.
87   NAS-Port-Id            String for describing the port of the NAS that is authenticating the user.
HP proprietary RADIUS sub-attributes
No.  Sub-attribute          Description
61   User_Notify            Information that must be sent from the server to the client transparently.
     User_HeartBeat         Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and is used for verifying the handshake messages from the 802.1X user. This attribute only exists in Access-Accept and Accounting-Request packets.
1. Configure the required AAA schemes.
   − Local authentication—Configure local users and the related attributes, including the usernames and passwords for the users to be authenticated.
   − Remote authentication—Configure the required RADIUS and HWTACACS schemes. You must configure user attributes on the servers accordingly.
2. Configure AAA methods for the ISP domain.
Task                                        Remarks
Tearing down user connections               Optional.
Configuring a NAS ID-VLAN binding           Optional.
Configuring the router as a RADIUS server   Optional.
NOTE: To use AAA methods to control access of login users, you must configure the user interfaces to use AAA by using the authentication-mode command. For more information, see Fundamentals Configuration Guide.
password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control." For more information about password control commands, see Security Command Reference.
• Binding attributes. Binding attributes are used for controlling the scope of users. They are checked during local authentication of a user.
To configure local user attributes:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add a local user and enter local user view.
   Command: local-user user-name
   Remarks: By default, a local user exists.
3. Configure a password for the local user.
   Command:
   • In non-FIPS mode: password [ [ hash ] { cipher | simple } password ]
   • In FIPS mode: password
   Remarks: Optional. A local user with no password configured directly passes authentication after providing the valid local username and attributes.
7. Configure password control attributes for the local user.
   Command:
   • Set the password aging time: password-control aging aging-time
   • Set the minimum password
   Remarks: Optional.
12. Assign the local user to a user group.
   Command: group group-name
   Remarks: Optional. By default, a local user belongs to the default user group system.
Configuring user group attributes
User groups simplify local user configuration and management. A user group comprises a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attribute management for the local users in the group.
Displaying and maintaining local users and local user groups
Task: Display local user information.
Command: • In non-FIPS mode:
Creating a RADIUS scheme
Before you perform other RADIUS configurations, first create a RADIUS scheme and enter RADIUS scheme view. A RADIUS scheme can be referenced by multiple ISP domains at the same time.
To create a RADIUS scheme and enter RADIUS scheme view:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a RADIUS scheme and enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: By default, no RADIUS scheme is created.
3. Specify RADIUS authentication/authorization servers.
   Command: • Specify the primary RADIUS
   Remarks: Configure at least one command.
3. Specify RADIUS accounting servers.
   Command:
   • Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   • Specify a secondary RADIUS accounting server: secondary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command.
3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication.
   Command: key { accounting | authentication } [ cipher | simple ] key
   Remarks: By default, no shared key is specified. In FIPS mode, the shared key must be at least eight characters that contain digits, uppercase letters, lowercase letters, and special characters, and must use 3DES for encryption and decryption.
Do not apply the RADIUS scheme to more than one ISP domain if you have configured the user-name-format without-domain command for that RADIUS scheme. Otherwise, users in different ISP domains are considered the same user if they use the same username. For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands both produce the same result: they make sure that usernames sent to the RADIUS server carry no ISP domain name.
3. Set the maximum number of RADIUS request transmission attempts.
   Command: retry retry-times
   Remarks: Optional. The default setting is 3.
Setting the status of RADIUS servers
By setting the status of RADIUS servers to blocked or active, you can control the AAA servers with which the device communicates when the current servers are no longer available.
By default, the device sets the status of all RADIUS servers to active. In some cases, however, you need to change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server.
To set the status of RADIUS servers in a RADIUS scheme:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
To specify a source IP address for all RADIUS schemes in a VPN or the public network:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify a source IP address for outgoing RADIUS packets.
   Command: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
   Remarks: By default, the IP address of the outbound interface is used as the source IP address.
To specify a source IP address for a specific RADIUS scheme:
1. Enter system view.
• When a number of secondary servers are configured, the client connections of access modules that have a short client connection timeout period might still be timed out during initial authentication or accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values.
Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation. The security policy server is the management and control center for EAD. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
• The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold. This threshold is in the range of 1% to 100%, and the default is 30%. This threshold can only be configured through the MIB.
• The failure ratio is typically small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration on, and the communication between, the NAS and the RADIUS server.
Configuring HWTACACS schemes
You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.
HWTACACS configuration task list
Task                                                                   Remarks
Creating an HWTACACS scheme                                            Required.
Specifying the HWTACACS authentication servers                         Required.
Specifying the HWTACACS authorization servers                          Optional.
Specifying the HWTACACS accounting servers and the relevant parameters Optional.
Specifying the shared keys for secure HWTACACS communication           Required.
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A
3. Specify HWTACACS authentication servers.
   Command: • Specify the primary HWTACACS
Specifying the HWTACACS accounting servers and the relevant parameters You can specify one primary accounting server and one secondary accounting server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A
3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication.
   Remarks: By default, no shared key is specified.
4. Specify the unit for data flows or packets sent to the HWTACACS servers.
   Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
   Remarks: Optional. The default unit is byte for data flows and one-packet for data packets.
If an HWTACACS server does not support a username that carries the domain name, configure the device to remove the domain name before sending the username to the server.
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A
3. Specify a source IP address for outgoing HWTACACS packets.
   Command: nas-ip ip-address
   Remarks: By default, the IP address of the outbound interface is used as the source IP address.
Setting HWTACACS timers
The device uses the following timers to control the communication with an HWTACACS server:
• Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval.
Displaying and maintaining HWTACACS
Task: Display the configuration or statistics of HWTACACS schemes.
Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display information about buffered stop-accounting requests for which no responses have been received.
Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an ISP domain and enter ISP domain view.
   Command: domain isp-name
   Remarks: N/A
3. Return to system view.
   Command: quit
   Remarks: N/A
4. Specify the default ISP domain.
   Command: domain default enable isp-name
   Remarks: Optional. By default, the default ISP domain is the system-defined ISP domain system.
5. Specify an ISP domain for users with unknown domain names.
   Command: domain if-unknown isp-name
   Remarks: Optional. By default, no ISP domain is specified for users with unknown domain names.
3. Place the ISP domain in the active or blocked state.
   Command: state { active | block }
   Remarks: Optional. By default, an ISP domain is in active state, and users in the domain can request network services.
4. Specify the maximum number of online users in the ISP domain.
   Command: access-limit enable max-user-number
   Remarks: Optional. No limit is specified by default.
Configure the idle cut function.
   Remarks: Optional.
You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method.
Configuration prerequisites
Before configuring authentication methods, complete the following tasks:
• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. Local and none authentication methods do not require a scheme.
• Determine the access type or service type to be configured.
3. Specify the default authentication method for all types of users.
   Command:
   • In non-FIPS mode: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   • In FIPS mode: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authentication method is local for all types of users.
8. Specify the authentication method for PPP users.
   Command:
   • In non-FIPS mode: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   • In FIPS mode: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }
9. Specify the authentication method for SSL VPN users.
   Command: authentication ssl-vpn radius-scheme radius-scheme-name
2. Determine the access type or service type to be configured. With AAA, you can configure an authorization scheme for each access type and service type to limit the authorization protocols that can be used for access. 3. Determine whether to configure an authorization method for all access types or service types.
5. Specify the authorization method for DVPN users.
   Command:
   • In non-FIPS mode: authorization dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
   • In FIPS mode: authorization dvpn { local | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authorization method is used by default.
6. Specify the authorization method for LAN users.
Configuring accounting methods for an ISP domain
In AAA, accounting is a separate process at the same level as authentication and authorization. This process sends accounting start/update/end requests to the specified accounting server. Accounting is optional. AAA supports the following accounting methods:
• No accounting (none)—The NAS does not perform accounting for the users.
• Local accounting (local)—Local accounting is implemented on the NAS.
3. Enable the accounting optional feature.
   Command: accounting optional
   Remarks: Optional. Disabled by default. With the accounting optional feature, a device allows users to use network resources when no accounting server is available or communication with all accounting servers fails.
4. Specify the default accounting method for all types of users.
8. Specify the accounting method for login users.
   Command:
   • In non-FIPS mode: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   • In FIPS mode: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default accounting method is used by default.
9. Specify the accounting method for portal users.
Configuring a NAS ID-VLAN binding
The access locations of users can be identified by their access VLANs. In application scenarios where identifying the access locations of users is a must, configure NAS ID-VLAN bindings on the device. Then, when a user gets online, the device obtains the NAS ID by the access VLAN of the user and sends the NAS ID to the RADIUS server through the NAS-identifier attribute.
To configure a NAS ID-VLAN binding:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
3. Configure a password for the RADIUS user.
   Command: password [ cipher | simple ] password
   Remarks: Optional. By default, no password is specified.
4. Configure the authorization attribute for the RADIUS user.
   Command: authorization-attribute { acl acl-number | vlan vlan-id } *
   Remarks: Optional. Not configured by default.
5. Set the expiration time for the RADIUS user.
   Command: expiration-date time
   Remarks: Optional.
6. Configure a description for the RADIUS user.
Task: Display information about user connections.
Command: display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
   − Select the service type Device Management Service.
   − Select the access device type HP.
   − Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
d. Click OK.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the device, which is chosen in the following order:
   − IP address specified with the nas-ip command on the device.
Figure 13 Adding a user account for device management
Configuring the RADIUS server on IMC PLAT 5.0
In this section, the RADIUS server runs on IMC PLAT 5.0 (E0101H03) and IMC UAM 5.0 SP1 (E0101P03).
1. Add the router to the IMC Platform as an access device:
a. Click the Service tab.
b. From the navigation tree, select User Access Manager > Access Device Management > Access Device.
c.
   − IP address specified with the radius nas-ip command on the device.
   − IP address of the outbound interface (the default).
Figure 14 Adding the router as an access device
2. Add a user account for device management:
a. Click the User tab.
b. From the navigation tree, select Access User View > Device Mgmt User.
c. Click Add to configure a device management account as follows:
   − Enter the account name hello@bbb and specify the password.
   − Select the service type Telnet.
Figure 15 Adding an account for device management
Configuring the router
# Assign an IP address to interface Ethernet 1/1, the Telnet user access interface.
system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.1.70 255.255.255.0
[Router-Ethernet1/1] quit
# Configure the IP address of interface Ethernet 1/2, through which the router communicates with the server.
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 10.1.1.2 255.255.255.
# Set the shared key for secure authentication communication to expert.
[Router-radius-rad] key authentication expert
# Specify the service type for the RADIUS server, which must be extended when the server runs on IMC.
[Router-radius-rad] server-type extended
# Include the domain names in usernames sent to the RADIUS server.
[Router-radius-rad] user-name-format with-domain
[Router-radius-rad] quit
# Configure the AAA methods for domain bbb.
[Router] telnet server enable
# Configure the router to use AAA for Telnet users.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] quit
# Create a local user named telnet.
[Router] local-user telnet
[Router-luser-telnet] service-type telnet
[Router-luser-telnet] password simple aabbcc
[Router-luser-telnet] quit
# Configure the AAA methods for the ISP domain as local authentication and authorization.
Configuration procedure
1. Configure the HWTACACS server. On the HWTACACS server, set the shared keys for secure communication with the router to expert, add an account for the PPP user, and specify the password. (Details not shown.)
2. Configure the router:
# Create HWTACACS scheme hwtac.
system-view
[Router] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Router-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server.
Level switching authentication for Telnet users by a RADIUS server
Network requirements
As shown in Figure 18, configure the router to:
• Use local authentication for the Telnet user and assign the privilege level of 0 to the user when the user passes authentication.
• Use the RADIUS server for level switching authentication of the Telnet user. If the RADIUS server is not available, use local authentication.
Figure 18 Network diagram
Configuration considerations
1.
# Configure the IP address of Ethernet 1/2, through which the router communicates with the server.
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 10.1.1.2 255.255.255.0
[Router-Ethernet1/2] quit
# Enable the router to provide Telnet service.
[Router] telnet server enable
# Configure the router to use AAA for Telnet users.
The RADIUS server in this example runs ACSv4.0. Add the usernames and passwords for user privilege level switching authentication.
Table 6 Adding usernames and passwords for user privilege level switching authentication
Username   Password   Switching to level
$enab1$    pass1      1
$enab2$    pass2      2
$enab3$    pass3      3
A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch.
Verifying the configuration
After the configuration is complete, the user can Telnet to the router and use username test@bbb and password aabbcc to enter the user interface of the router, and access all level 0 commands.
telnet 192.168.1.70
Trying 192.168.1.70 ...
Press CTRL+K to abort
Connected to 192.168.1.70 ...
******************************************************************************
* Copyright (c) 2004-2014 Hewlett-Packard Development Company, L.P.
RADIUS authentication/authorization for portal users
Network requirements
As shown in Figure 21, the host automatically obtains a public network IP address through DHCP. Configure the router to:
• Use the RADIUS server for authentication/authorization of portal users.
• Provide direct portal authentication so that the host can access only the portal server before passing portal authentication and can access the Internet after passing portal authentication.
   d. Leave the default settings for other parameters and click OK.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router, which is chosen in the following order on the router:
  • IP address specified with the nas-ip command.
  • IP address specified with the radius nas-ip command.
  • IP address of the outbound interface (the default).
Figure 22 Adding the router as an access device
2. Add a service:
   a. Click the Service tab.
   c. Click Add to configure a user as follows:
      − Select the user or add a user named hello.
      − Enter the account name portal and specify the password.
      − Select the access service Portal auth.
      − Configure other parameters as needed.
   d. Click OK.
Figure 24 Adding an access user account
Configuring the portal server
In this section, the RADIUS server runs on IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Configure the portal server:
   a. Click the Service tab.
   b.
Figure 25 Portal server configuration
2. Configure an IP address group:
   a. From the navigation tree, select User Access Manager > Portal Service > IP Group.
   b. Click Add to configure an IP address group as follows:
      − Enter the name Portal_user.
      − Set the start IP address to 192.168.1.1 and the end IP address to 192.168.1.255. Make sure the IP address group contains the IP address of the host.
      − Select the action Normal.
   c. Click OK.
Figure 26 Adding an IP address group
3.
      − Enter the key, which is portal, the same as that configured on the router.
      − Specify whether to enable IP address reallocation. This example uses direct portal authentication by selecting No from the Reallocate IP list.
   c. Leave the default settings for other parameters and click OK.
Figure 27 Adding a portal device
4. Associate the portal device with the IP address group:
   a. In the portal device list, click the icon in the Port Group column for NAS.
   b.
Figure 29 Associating the portal device with the IP address group
5. From the navigation tree, select User Access Manager > Service Parameters > Validate to validate the configurations.
Configuring the router
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Set the server type for the RADIUS scheme. When using IMC, set the server type to extended.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] portal server newpt method direct
[Router-Ethernet1/1] quit
Verifying the configuration
The user can initiate portal authentication by using the HP iNode client or by accessing a Web page. All the initiated Web requests will be redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page.
Figure 30 Network diagram (labels: NAS, Telnet user 192.168.1.2, RADIUS server, Eth1/2 10.1.1.1/24, Eth1/1 192.168.1.1/24, Eth1/1 10.1.1.2/24, Router A, Router B)
Configuration procedure
1. Configure an IP address for each interface as shown in Figure 30. (Details not shown.)
2. Configure the NAS:
# Enable the Telnet server on Router A.
system-view
[RouterA] telnet server enable
# Configure Router A to use AAA for Telnet users.
system-view
[RouterB] radius-server user aaa
# Configure a plaintext password aabbcc for user aaa.
[RouterB-rdsuser-aaa] password simple aabbcc
[RouterB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the shared key as abc in plain text.
[RouterB] radius-server client-ip 10.1.1.1 key simple abc
Verifying the configuration
After entering username aaa@bbb or aaa and password aabbcc, user aaa can Telnet to Router A.
Symptom 2
RADIUS packets cannot reach the RADIUS server.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
• The NAS is not configured with the IP address of the RADIUS server.
• The authentication/authorization and accounting UDP ports configured on the NAS are incorrect.
• The RADIUS server's authentication/authorization and accounting port numbers are being used by other applications.
802.1X overview
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model.
Figure 32 Authorization state of a controlled port
In unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The HP devices support only unidirectional traffic control.
802.1X-related protocols
802.
Packet formats
EAP packet format
Figure 33 shows the EAP packet format.
Figure 33 EAP packet format
• Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The length is the sum of the Code, Identifier, Length, and Data fields.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet.
Value   Type           Description
0x02    EAPOL-Logoff   The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length—Data length in bytes, or length of the Packet body. If the packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
Access device as the initiator
The access device initiates authentication if a client cannot send EAPOL-Start packets (for example, the 802.1X client available with Windows XP). The access device supports the following modes:
• Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
Comparing EAP relay and EAP termination
Packet exchange method   Benefits   Limitations
EAP relay
  Benefits: • Supports various EAP authentication methods. • The configuration and processing is simple on the network access device.
  Limitations: The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
EAP termination
  Limitations: • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client.
1. When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device.
2. The network access device responds with an Identity EAP-Request packet to ask for the client username.
3. In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device.
4.
Figure 40 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
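The EAPOL and EAP headers described under "Packet formats", and the MD5-Challenge exchange that EAP termination mode relies on, as an added example that is not part of the HP guide (Python; field layouts follow IEEE 802.1X and RFC 3748; the password, challenge bytes and names are constructed). Verification is shown locally here; in EAP termination mode the device instead forwards the challenge and response to the RADIUS server, as the text states.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0x00, 0x01, 0x02
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


@dataclass
class Eapol:
    version: int
    ptype: int
    body: bytes  # empty for EAPOL-Start and EAPOL-Logoff


@dataclass
class Eap:
    code: int
    identifier: int
    data: bytes  # Type + Type-Data; empty for Success and Failure


def parse_eapol(frame: bytes) -> Eapol:
    """Parse an EAPOL PDU: Version(1) Type(1) Length(2) Packet body(Length)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype in (EAPOL_START, EAPOL_LOGOFF) and length != 0:
        raise ValueError("EAPOL-Start/Logoff must carry no Packet body")
    if len(frame) < 4 + length:
        raise ValueError("EAPOL Packet body shorter than Length field")
    return Eapol(version, ptype, frame[4:4 + length])


def parse_eap(pkt: bytes) -> Eap:
    """Parse an EAP packet: Code(1) Identifier(1) Length(2) Data; Length covers all four."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length inconsistent with packet size")
    data = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE) and data:
        raise ValueError("EAP Success/Failure carry no Data field")
    return Eap(code, ident, data)


def build_eap(code: int, ident: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def build_eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body  # protocol version 1


def md5_challenge_request(ident: int, challenge: bytes, name: bytes = b"") -> bytes:
    """EAP-Request/MD5-Challenge: Type(4) Value-Size(1) Value(challenge) Name."""
    payload = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return build_eap(EAP_REQUEST, ident, payload)


def md5_challenge_response(ident: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """EAP-Response/MD5-Challenge: Value = MD5(Identifier || password || challenge)."""
    value = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return build_eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name)


def verify_md5_response(request: Eap, response: Eap, password: bytes) -> bool:
    """Check a MD5-Challenge response against the request it answers, as the side
    that terminates EAP must do before accepting the user."""
    if request.code != EAP_REQUEST or response.code != EAP_RESPONSE:
        return False
    if request.identifier != response.identifier:  # Identifier matches Response to Request
        return False
    if len(request.data) < 2 or len(response.data) < 2:
        return False
    if request.data[0] != EAP_TYPE_MD5_CHALLENGE or response.data[0] != EAP_TYPE_MD5_CHALLENGE:
        return False
    challenge = request.data[2:2 + request.data[1]]
    value = response.data[2:2 + response.data[1]]
    if len(challenge) != request.data[1] or len(value) != 16:
        return False
    expected = hashlib.md5(bytes([response.identifier]) + password + challenge).digest()
    return hmac.compare_digest(expected, value)


def demo() -> bool:
    """Constructed exchange over EAPOL: the device challenges, the client answers with
    the right password (accepted) and then with a wrong one (rejected)."""
    password, challenge = b"aabbcc", bytes(range(16))  # constructed; real challenges are random
    req_frame = build_eapol(EAPOL_EAP_PACKET, md5_challenge_request(7, challenge, b"Device"))
    req = parse_eap(parse_eapol(req_frame).body)
    good = parse_eap(md5_challenge_response(7, password, challenge, b"user@bbb"))
    bad = parse_eap(md5_challenge_response(7, b"wrong", challenge, b"user@bbb"))
    return verify_md5_response(req, good, password) and not verify_md5_response(req, bad, password)


if __name__ == "__main__":
    print("MD5-Challenge verification works:", demo())
```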
Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. For more information about port security, see "Configuring port security."
HP implementation of 802.
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources. The following describes the way that the network access device handles VLANs on the port that performs port-based access control.
Authentication status: A user passes 802.1X authentication
VLAN manipulation:
• Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the Auth-Fail VLAN. After the user logs off, the user-configured PVID restores.
• If the authentication server assigns no VLAN, the initial PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured PVID. After the user logs off, the PVID remains unchanged.
Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port can cause the users to be removed from the critical VLAN:
• An authentication server is reconfigured, added, or removed.
• The status of any RADIUS authentication server automatically changes to active or is administratively set to active.
• The RADIUS server probing function detects that a RADIUS authentication server is reachable and sets its state to active.
Task   Remarks
Setting the 802.1X authentication timeout timers   Optional.
Configuring the online user handshake function   Optional.
Enabling the proxy detection function   Optional.
Configuring the authentication trigger function   Optional.
Specifying a mandatory authentication domain on a port   Optional.
Configuring the quiet timer   Optional.
Enabling the periodic online user re-authentication function   Optional.
Configuring an 802.1X guest VLAN   Optional.
Configuring an Auth-Fail VLAN   Optional.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use either EAP termination or EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP termination" for help. For more information about EAP relay and EAP termination, see "802.1X authentication procedures."
Step   Command   Remarks
2. Set the port authorization state in system view or Ethernet interface view.
   • In system view: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
   • In Ethernet interface view:
     a. interface interface-type interface-number
     b.
   By default, auto applies.
Setting the maximum number of authentication request attempts
The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command). The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.
of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state. If iNode clients are deployed, you can also enable the online handshake security function to check for 802.1X users that use illegal client software to bypass security inspection such as proxy detection and dual network interface cards (NICs) detection. This function checks the authentication information in client handshake messages.
Step   Command   Remarks
1. Enter system view.   system-view   N/A
2. Enable the proxy detection function globally.   dot1x supp-proxy-check { logoff | trap }   By default, the function is disabled.
3. Enable the proxy detection function on one or more ports in system view or Ethernet interface view.
   • In system view: dot1x supp-proxy-check { logoff | trap } interface interface-list
   • In Ethernet interface view:
     a. interface interface-type interface-number
     b.
   By default, the function is disabled.
Configuration procedure
To configure the authentication trigger function on a port:
Step   Command   Remarks
1. Enter system view.   system-view   N/A
2. Set the username request timeout timer.   dot1x timer tx-period tx-period-value   Optional. The default setting is 30 seconds.
3. Enter Ethernet interface view.   interface interface-type interface-number   N/A
4. Enable an authentication trigger.   dot1x { multicast-trigger | unicast-trigger }   Required if you want to enable the unicast trigger.
Step   Command   Remarks
3. Set the quiet timer.   dot1x timer quiet-period quiet-period-value   Optional. The default setting is 60 seconds.
Enabling the periodic online user re-authentication function
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. The re-authentication interval is user configurable.
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.
• You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN. For more information about super VLAN, see Layer 2—LAN Switching Configuration Guide.
member. For more information about the MAC-based VLAN function, see Layer 2—LAN Switching Configuration Guide.
Configuration procedure
To configure an Auth-Fail VLAN:
Step   Command   Remarks
1. Enter system view.   system-view   N/A
2. Enter Ethernet interface view.   interface interface-type interface-number   N/A
3. Configure the Auth-Fail VLAN on the port.   dot1x auth-fail vlan authfail-vlan-id   By default, no Auth-Fail VLAN is configured.
Configuring an 802.
Step   Command   Remarks
4. Configure the port to trigger 802.1X authentication on detection of a reachable authentication server for users in the critical VLAN.   dot1x critical recovery-action reinitialize   Optional. By default, when a reachable RADIUS server is detected, the system removes the port or 802.1X users from the critical VLAN without triggering authentication.
Specifying supported domain name delimiters
By default, the access device supports the at sign (@) as the delimiter.
802.1X authentication configuration example
Network requirements
As shown in Figure 41, the access device performs 802.1X authentication for users that connect to port Ethernet 1/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users. Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device.
[Device-luser-localuser] quit
5. Configure a RADIUS scheme:
# Create the RADIUS scheme radius1 and enter its view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.
[Device-Ethernet1/1] quit
# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)
[Device] dot1x port-method macbased interface ethernet 1/1
Verifying the configuration
Use the display dot1x interface ethernet 1/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information.
Figure 42 Network diagram (panels: Port added to the guest VLAN; User gets online. Labels: Update server, Authentication server, Device, Host, Internet, VLAN 1, VLAN 2, VLAN 5, VLAN 10, Eth1/1 to Eth1/4)
Configuration procedure
The following configuration procedure covers most AA
4. Configure a RADIUS scheme:
# Configure RADIUS scheme 2000 and enter its view.
system-view
[Device] radius scheme 2000
# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
[Device-radius-2000] primary authentication 10.11.1.1 1812
[Device-radius-2000] primary accounting 10.11.1.
802.1X with ACL assignment configuration example
Network requirements
As shown in Figure 43, the host at 192.168.1.10 connects to port Ethernet 1/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to Ethernet 1/1 to deny the access of 802.1X users to the FTP server at 10.0.0.
# Create an ISP domain and specify RADIUS scheme 2000 as the default AAA scheme for the domain.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Configure a time range ftp for the weekdays from 8:00 to 18:00.
[Device] time-range ftp 8:00 to 18:00 working-day
# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.
Configuring EAD fast deployment
The following matrix shows the feature and router compatibility:
Feature               MSR900   MSR93X   MSR20-1X   MSR20   MSR30                                       MSR50   MSR1000
EAD fast deployment   No       No       No         No      Only available on MSR30-11E and MSR30-11F   No      No
Overview
Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a netw
Configuring a free IP When a free IP is configured, the EAD fast deployment is enabled. To allow a user to obtain a dynamic IP address before passing 802.1X authentication, make sure the DHCP server is on the free IP segment. When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP does not take effect. If you use free IP, guest VLAN, and Auth-Fail VLAN features together, make sure the free IP segments are in both guest VLAN and Auth-Fail VLAN.
Displaying and maintaining EAD fast deployment
Task   Command   Remarks
Display 802.1X session information, statistics, or configuration information.   display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]   Available in any view.
EAD fast deployment configuration example
Network requirements
As shown in Figure 44, the hosts on the intranet 192.168.1.
• Configure the web server so that users can log in to the web page to download 802.1X clients.
• Configure the authentication server to provide authentication, authorization, and accounting services.
Configuration procedure
1. Configure an IP address for each interface. (Details not shown.)
2. Configure DHCP relay:
# Enable DHCP.
system-view
[Device] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Device] dhcp relay server-group 1 ip 192.168.2.
Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service.
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
Configuration task list
Task   Remarks
Basic configuration for MAC authentication:   Required.
• Configuring MAC authentication globally
• Configuring MAC authentication on a port
Specifying a MAC authentication domain   Optional.
Configuring MAC authentication delay   Optional.
Basic configuration for MAC authentication
Before you perform basic configuration for MAC authentication, complete the following tasks:
• Create and configure an authentication domain, also called "an ISP domain.
Configuring MAC authentication on a port
The following matrix shows the feature and router compatibility:
Feature   MSR900   MSR93X   MSR20-1X   MSR20   MSR30   MSR50   MSR1000
Configuring MAC authentication for a list of ports in system view   Yes   No   Yes   Yes   Yes   Yes   No
You cannot add a MAC authentication enabled port into a link aggregation group, or enable MAC authentication on a port already in a link aggregation group.
To configure MAC authentication on a port:
Step
1. Enter system view.
Specify an authentication domain for an individual port in interface view.
• MAC authentication chooses an authentication domain for users on a port in the following order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA."
To specify an authentication domain for MAC authentication users:
Step   Command   Remarks
1. Enter system view.   system-view   N/A
2.   • In system view:
MAC authentication configuration examples
Local MAC authentication configuration example
Network requirements
In the network in Figure 45, perform local MAC authentication on port GigabitEthernet 1/1 to control Internet access.
• All users belong to domain aabbcc.net.
• Local users use their MAC address as the username and password for MAC authentication. The MAC addresses are hyphen separated and in lower case.
• The access device detects whether a user has gone offline every 180 seconds.
Verifying the configuration
# Display MAC authentication settings and statistics.
display mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 180s
Quiet period is 180s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is aabbcc.
Figure 46 Network diagram
Configuration procedure
1. Make sure the RADIUS server and the access device can reach each other.
2. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
3. Configure the device:
# Configure a RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.
Verifying the configuration
# Display MAC authentication settings and statistics.
display mac-authentication
MAC address authentication is enabled.
User name format is fixed account
Fixed username:aaa
Fixed password: ******
Offline detect period is 180s
Quiet period is 180s.
Figure 47 Network diagram
Configuration procedure
1. Make sure the RADIUS server and the access device can reach each other.
2. Configure the ACL assignment on the device:
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
3. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
4. Configure the RADIUS servers:
Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
Verifying the configuration
# After the host passes authentication, use the display connection command on the device to display online user information.
Configuring port security
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port, such as a WLAN. Port security prevents unauthorized access to a network by checking the source MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.
Port security modes
Port security supports the following categories of security mode:
• MAC learning control—Includes autoLearn and secure. MAC address learning is permitted on ports in autoLearn mode and disabled on ports in secure mode.
• Authentication—Implements MAC authentication, 802.1X authentication, or a combination of the two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
TIP:
• userLogin specifies 802.1X authentication and port-based access control.
• macAddress specifies MAC authentication.
• Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request.
• Typically, in a security mode with Or, the authentication method to be used depends on the protocol type of the authentication request.
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI.
  • For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.
  • For wireless users, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication.
Table 9 Port security modes for WLAN ports
Security mode   Description   Features that can be triggered
presharedKey   A user must use a pre-configured static key, also called "the pre-shared key (PSK)," to negotiate the session key with the device and can access the network only after the negotiation succeeds.
macAddressAndPresharedKey   A user must pass MAC authentication and then use the pre-configured PSK to negotiate with the device. Only when the negotiation succeeds can the user access the network.
Task   Remarks
Configuring port security features:   Optional. Configure one or more features as required.
• Configuring NTK
• Configuring intrusion protection
• Enabling port security traps
Configuring secure MAC addresses   Optional.
Configuring port security for WLAN ports:   Required for WLAN ports.
• Setting the port security mode of a WLAN port
• Enabling key negotiation
• Configuring a PSK
Ignoring authorization information from the server   Optional.
The port security's limit on the number of MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration in the Layer 2—LAN Switching Configuration Guide.
To set the maximum number of secure MAC addresses allowed on a port:
Step   Command   Remarks
1. Enter system view.   system-view   N/A
2. Enter interface view.   interface interface-type interface-number   N/A
3. Set the limit of port security on the number of MAC addresses.
Step   Command   Remarks
4. Set the port security mode.   port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }   By default, a port operates in noRestrictions mode.
Step   Command   Remarks
2. Enter interface view.   interface interface-type interface-number   N/A
3. Configure the NTK feature.   port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }   By default, NTK is disabled on a port and all frames are allowed to be sent.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, success, and 802.1X user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user logon, and MAC authentication user logoff.
• intrusion—Detection of illegal frames.
To enable port security traps:
Step   Command   Remarks
1. Enter system view.   system-view   N/A
2. Enable port security traps.
Type   Address sources   Can be saved and survive a device reboot?   Aging mechanism
Dynamic   Converted from sticky MAC addresses or automatically learned after the dynamic secure MAC function is enabled.   No. All dynamic secure MAC addresses are lost at reboot.   Same as sticky MAC addresses.
Configuration prerequisites
• Enable port security.
• Set port security's limit on the number of MAC addresses on the port. Perform this task before you enable autoLearn mode.
Step   Command   Remarks
6. Enable the dynamic secure MAC function.   port-security mac-address dynamic   Optional. By default, sticky MAC addresses can be saved to the configuration file, and once saved, can survive a device reboot.
Configuring port security for WLAN ports
Table 11 describes the key negotiation and PSK requirements for different port security modes on WLAN ports.
Enabling key negotiation
After a user passes 802.1X authentication, a WLAN port uses EAPOL-Key frames to negotiate the link-layer session key with the user if the key negotiation function is enabled.
• If key negotiation is enabled, an authenticated user is allowed to access the port only after the key negotiation succeeds.
• If key negotiation is disabled, a user can access the port directly after passing authentication.

To enable key negotiation:
1. Enter system view.
Displaying and maintaining port security
Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports. Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display information about secure MAC addresses.
# Enable intrusion protection traps on port Ethernet 1/1.
[Device] port-security trap intrusion
[Device] interface ethernet 1/1
# Set the port security limit on the number of MAC addresses to 64 on the port.
[Device-Ethernet1/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Device-Ethernet1/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
port-security mac-address security sticky 0002-0000-0011 vlan 1
# Perform the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message:
#Jul 14 10:39:47:135 2009 Device PORTSEC/4/VIOLATION: Trap1.3.6.1.4.1.25506.2.26.1.3.
• Allow only one 802.1X user to be authenticated.
• Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.

Figure 49 Network diagram

Configuration procedure
The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Configuration procedures for the host and RADIUS servers are not shown.
1.
# Enable port security.
[Device] port-security enable
# Add five OUI values.
[Device] port-security oui 1234-0100-1111 index 1
[Device] port-security oui 1234-0200-1111 index 2
[Device] port-security oui 1234-0300-1111 index 3
[Device] port-security oui 1234-0400-1111 index 4
[Device] port-security oui 1234-0500-1111 index 5
[Device] interface ethernet 1/1
# Set the port security mode to userLoginWithOUI.
Packet unit : one
# Display the configuration of the ISP domain sun.
display domain sun
Domain : sun
State : Active
Access-limit : 30
Accounting method : Required
Default authentication scheme : radius:radsun
Default authorization scheme : radius:radsun
Default accounting scheme : radius:radsun
Domain User Template:
Idle-cut : Disabled
Session-time : exclude-idle-time
Self-service : Disabled
Authorization attributes:
# Display the port security configuration.
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30m
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
Ethernet1/1 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
Handshake secure is disabled
802.
Configuring the macAddressElseUserLoginSecure mode
Network requirements
As shown in Figure 49, a client is connected to the Device through Ethernet 1/1. The Device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. Restrict port Ethernet 1/1 of the Device:
• Allow more than one MAC authenticated user to log on.
• For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication.
Trap is disabled
Disableport Timeout: 20s
OUI value:
Ethernet1/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
Security MAC address learning mode is sticky
Security MAC address aging type is absolute
# Display MAC authentication information.
display mac-authentication interface ethernet 1/1
MAC address authentication is enabled.
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30m
Total maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
Ethernet1/1 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
Handshake secure is disabled
802.
Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode.
[Device-Ethernet1/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
Analysis
For ports operating in a port security mode other than noRestrictions, you cannot change the port security mode directly using the port-security port-mode command.
Solution
Set the port security mode to noRestrictions first.
Analysis
Changing the port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online.
Solution
Use the cut command to forcibly disconnect the user from the port before changing the port security mode.
Configuring IPsec
Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints. IPsec provides the following security services in insecure network environments:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting the packets from being eavesdropped en route.
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 50 shows the format of IPsec packets.

Security association
A security association is an agreement negotiated between two communicating parties called IPsec peers.
Authentication algorithms and encryption algorithms
1. Authentication algorithms: IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. Each IPsec peer calculates the message digest of a packet on its own side; if the resulting digests are identical, the packet is considered intact.
The IPsec feature is resource intensive because of its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use an encryption card to offload IPsec tasks. The card processes all IPsec protected packets and hands the processed packets back to the device for forwarding.

IPsec tunnel interface
An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing.
Figure 52 shows how an IPsec packet is de-encapsulated on an IPsec tunnel interface.

Figure 52 De-encapsulation process of an IPsec packet

5. The router forwards an IPsec packet received on the inbound interface to the forwarding module.
6. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.
7.
Figure 53 An IPsec VPN

You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local gateway.
and apply them to IPsec tunnel interfaces (see "Implementing tunnel interface-based IPsec"). By using IPsec profiles, this IPsec implementation method simplifies IPsec VPN configuration and management, and improves the scalability of large VPN networks.

Application-based IPsec protects the packets of a service. This IPsec implementation method can be used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the routing mechanism.
Typically, IKE uses UDP port 500 for communication, and AH and ESP use IP protocol numbers 51 and 50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec configured.

Configuring an ACL
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is desired, such as QoS and IPsec.

Keywords in ACL rules
IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules.
• Configure Router A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer aa
transform-set 1
#
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
transform-set 1
• Configure Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 55, the range specified by the ACL rule configured on Router A is covered by its counterpart on Router B.
• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA initiator, the negotiation request might be rejected because the matching traffic is beyond the scope of the responder.
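The two rules above are easy to get wrong by hand, so here is an added Python checker (my illustration, not code from the guide) that parses advanced ACL rules in the form the guide uses, decides whether a permit rule on one peer is mirrored and covered by its counterpart on the other peer, and names the peer that should initiate. Router B's rule strings and the function names are constructed for the example; only contiguous wildcard masks are supported.

```python
import ipaddress
import re

# Matches the "rule <n> permit|deny ip [source A W] [destination A W]" form
# used by the ACLs in this guide (other keywords are not handled).
RULE_RE = re.compile(
    r"rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+))?$"
)
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Convert a Comware address/wildcard pair to an IPv4Network.

    A wildcard bit of 1 means "don't care". Only contiguous low-order
    wildcards (0.0.0.255, 0.0.255.255, ...) map onto a CIDR prefix, which
    is all this checker supports.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def parse_rule(line):
    """Parse one ACL rule line into its number, action, source and destination."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    src = wildcard_to_network(m["src"], m["swc"]) if m["src"] else ANY
    dst = wildcard_to_network(m["dst"], m["dwc"]) if m["dst"] else ANY
    return {"num": int(m["num"]), "action": m["action"], "src": src, "dst": dst}


def mirror_relation(rule_a, rule_b):
    """Compare a permit rule on peer A with its counterpart on peer B.

    The counterpart is mirrored: B's source is A's destination and vice versa.
    Returns "equal", "a_narrower", "b_narrower" or "mismatch".
    """
    if rule_a["action"] != "permit" or rule_b["action"] != "permit":
        raise ValueError("only permit rules define protected traffic")
    a_in_b = rule_a["src"].subnet_of(rule_b["dst"]) and rule_a["dst"].subnet_of(rule_b["src"])
    b_in_a = rule_b["src"].subnet_of(rule_a["dst"]) and rule_b["dst"].subnet_of(rule_a["src"])
    if a_in_b and b_in_a:
        return "equal"
    if a_in_b:
        return "a_narrower"
    if b_in_a:
        return "b_narrower"
    return "mismatch"


def suggested_initiator(rule_a, rule_b):
    """Apply the guide's rule of thumb: the peer with the narrower rule initiates.

    Returns "A", "B", "either" (exact mirror) or None (rules do not cover
    each other, so negotiation is expected to fail whoever initiates).
    """
    return {"equal": "either", "a_narrower": "A",
            "b_narrower": "B", "mismatch": None}[mirror_relation(rule_a, rule_b)]


if __name__ == "__main__":
    # Router A's rule is taken from the guide; Router B's variants are constructed.
    a = parse_rule("rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255")
    for label, text in [
        ("exact mirror", "rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255"),
        ("wider on B", "rule 0 permit ip source 2.2.0.0 0.0.255.255 destination 1.1.0.0 0.0.255.255"),
        ("wrong subnet", "rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255"),
    ]:
        b = parse_rule(text)
        print(f"{label:13s}: {mirror_relation(a, b):11s} initiator={suggested_initiator(a, b)}")
```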
2. Create an IPsec transform set and enter its view. Command: ipsec transform-set transform-set-name. Remarks: By default, no IPsec transform set exists. You can configure up to 10000 IPsec transform sets in the system.
3. Specify the security protocol for the IPsec transform set. Command: transform { ah | ah-esp | esp }. Remarks: Optional. ESP by default. You can configure security algorithms for a security protocol only after you select the protocol.
6. Enable the ESN function. Command: esn enable. Remarks: Optional. By default, ESN is disabled.

Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters. To modify an existing IPsec transform set, use the undo ipsec transform-set command to delete it, and then configure a new one.
Configure the keys on all routers within the routed network scope in the same format. For example, if you enter the keys in hexadecimal format on one router, do so across the routed network scope.
• Before you configure a manual IPsec policy, configure the ACLs used for identifying protected traffic and the IPsec transform sets. ACLs are not required for IPsec policies for an IPv6 protocol.

To configure a manual IPsec policy:
1. Enter system view. Command: system-view. Remarks: N/A.
2.
Configure keys for the SA. Command:
• Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher | simple ] hex-key
• Configure an authentication key in characters for AH: sa string-key { inbound | outbound } ah [ cipher | simple ] string-key
• Configure a key in characters
8.
3. Configure an IPsec connection name. Command: connection-name name. Remarks: Optional. By default, no IPsec connection name is configured.
4. Assign an ACL to the IPsec policy. Command: security acl acl-number [ aggregation ]. Remarks: By default, an IPsec policy references no ACL.
5. Assign IPsec transform sets to the IPsec policy. Command: transform-set transform-set-name&<1-6>. Remarks: By default, an IPsec policy references no IPsec transform set.
6. Specify an IKE peer for the IPsec policy.
10. Specify the IP packet encapsulation mode. Command: encapsulation-mode { transport | tunnel }. Remarks: Optional. Tunnel mode by default. This command is available only for IKEv2. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode.
11. Enable the traffic flow confidentiality (TFC) padding function. Command: tfc enable. Remarks: Optional. Disabled by default.
Optional.
• Required configuration: The IPsec transform sets and IKE peer.
• Optional configuration: The ACL, PFS feature, and SA lifetime. Unlike the direct configuration, ACL configuration to be referenced by an IPsec policy is optional. The responder without ACL configuration accepts the initiator's ACL configuration.

To configure an IPsec policy that uses IKE by referencing an IPsec policy template:
1. Enter system view. Command: system-view. Remarks: N/A.
2.
8. Enable the IPsec policy. Command: policy enable. Remarks: Optional. Enabled by default.
9. Return to system view. Command: quit. Remarks: N/A.
10. Configure the global SA lifetime. Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }. Remarks: Optional. By default, the time-based SA lifetime is 3600 seconds and the traffic-based SA lifetime is 1843200 kilobytes.
11. Create an IPsec policy by referencing an IPsec policy template. Command: ipsec policy policy-name seq-number isakmp template template-name.
Feature: Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption module.
MSR900: No.
MSR93X: No.
MSR20-1X: No.
MSR20: No.
MSR30: Yes (MIM encryption module required).
MSR50: Yes (FIC encryption module required).
MSR1000: No.

You can bind an IPsec policy, IPsec policy group, or IPsec profile to one or more encryption cards to implement data authentication, encryption, and decryption.
Enabling the encryption engine
The encryption engine is a coprocessor that provides an encryption/decryption algorithm interface for IPsec processing. If an encryption card is bound, IPsec processing is performed by the card as long as it operates correctly. If the encryption card fails, the matching packets are discarded. If no encryption card is bound, there are two cases:
• If the encryption engine is enabled, the engine takes over the responsibility of IPsec processing.
Subsequent data flows search the session entries according to the quintuplet to find a matched item. If found, the data flows are processed according to the tunnel information. Otherwise, they are processed according to the original IPsec process: search the policy group or policy at the interface, and then the matched tunnel. The session processing mechanism of IPsec saves intermediate matching procedures, improving the IPsec forwarding efficiency.
IMPORTANT:
• IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled.
• A wider anti-replay window results in higher resource cost and more system performance degradation, which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window size that is as small as possible.

To configure IPsec anti-replay checking:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable IPsec anti-replay checking.
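To make the window-size trade-off in the note above concrete, here is an added Python model of a counter-based sliding anti-replay window in the style of RFC 4303 Appendix A (my illustration, not the router's implementation). The same stream of sequence numbers is checked with the 32-entry window shown in this guide's display ipsec sa output and with a wider 64-entry one; the sequence numbers and class name are constructed.

```python
class AntiReplayWindow:
    """Counter-based sliding window for one inbound SA.

    The window remembers the highest sequence number accepted so far and a
    bitmap of which of the last `size` sequence numbers have been seen.
    """

    def __init__(self, size=32):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set => sequence number (highest - i) already received

    def accept(self, seq):
        """Return True and record seq if it is fresh.

        Returns False if seq is a replay or if it has fallen behind the window;
        both cases mean the packet must be dropped.
        """
        if seq == 0:
            return False                      # ESP/AH sequence numbers start at 1
        mask = (1 << self.size) - 1
        if seq > self.highest:                # new highest: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:               # older than the window can remember
            return False
        if (self.bitmap >> offset) & 1:       # already seen: replay
            return False
        self.bitmap |= 1 << offset            # late but inside the window: accept once
        return True


def filter_sequence(seqs, size=32):
    """Run a stream of sequence numbers through one SA's window; return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order packets, one replay, a jump ahead (e.g. after
    # loss), three late arrivals of increasing age, then a duplicate of the newest.
    stream = [1, 2, 3, 2, 40, 10, 9, 8, 41, 41]
    for size in (32, 64):
        verdicts = filter_sequence(stream, size)
        dropped = [s for s, ok in zip(stream, verdicts) if not ok]
        print(f"window {size:2d}: dropped {dropped}")
```

With the 32-entry window, sequence 8 is dropped as too old even though it was never seen; the 64-entry window accepts it, which is the reordering tolerance a wider window buys at the cost of more state per SA.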
Configuring packet information pre-extraction
If you apply both an IPsec policy and a QoS policy to an interface, by default the interface first uses IPsec and then QoS to process IP packets, so QoS classifies packets by the headers of the IPsec-encapsulated packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet information pre-extraction feature. For more information about QoS policy and classification, see ACL and QoS Configuration Guide.
Static IPsec RRI
Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec policy references. The next hop address of the route is a user-specified remote peer address, or the IP address of the remote tunnel endpoint. Static IPsec RRI creates static routes immediately after you enable IPsec RRI in an IPsec policy and apply the IPsec policy.
IPsec RRI can operate in both tunnel mode and transport mode. When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static routes. It does not delete or modify static routes it has created.
1. Configure an IPsec transform set to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
2. Configure an IPsec profile to associate data flows with the IPsec transform set, and to specify the IKE peer parameters and the SA lifetime.
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface. To enhance the encryption and decryption speed of the IPsec tunnel, bind the IPsec profile to one or more encryption cards.
IPsec profiles can be applied only to DVPN interfaces and IPsec tunnel interfaces. The IPsec tunnel established using an IPsec profile protects all IP data routed to the tunnel interface. Before configuring an IPsec profile, complete the following tasks:
• Configure the IPsec transform set for the IPsec profile to reference. For more information, see "Configuring an IPsec profile."
• Configure the IKE peer for IKEv1 negotiation. For more information, see "Configuring an IKE peer.
8. Enable and configure the PFS feature for the IPsec profile. Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }. Remarks: Optional. By default, the PFS feature is not used. For more information about PFS, see "Configuring IKE." The dh-group1 keyword is not available in FIPS mode.
9. Set the SA lifetime. Remarks: Optional.
10. Return to system view.
2. Create a tunnel interface and enter its view. Command: interface tunnel number. Remarks: By default, no tunnel interface exists on the device.
3. Assign a private IPv4 address to the tunnel interface. Command: ip address ip-address { mask | mask-length } [ sub ]. Remarks: By default, no private IPv4 address is assigned to a tunnel interface.
4. Set the tunnel mode of the tunnel interface to IPsec over IPv4. Command: tunnel-protocol ipsec ipv4. Remarks: N/A.
5. 6. 7.
To implement QoS for IPsec packets, however, you also need to apply a QoS policy to the physical outbound interface. For more information about how to apply a QoS policy to a physical interface, see ACL and QoS Configuration Guide.

IMPORTANT:
When the QoS policy applied to the physical outbound interface provides congestion management, IPsec packets might arrive at the destination out of order. Out-of-order IPsec packets might then be dropped by the IPsec anti-replay function.
Task: Configuring a manual IPsec policy. Remarks: Required. ACLs and IPsec tunnel addresses are not needed.
Task: Applying an IPsec policy to an IPv6 routing protocol. Remarks: Required. See Layer 3—IP Routing Configuration Guide.

Displaying and maintaining IPsec
Task: Display IPsec policy information. Command: display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display IPsec policy template information.
IPsec configuration examples
Configuring manual mode IPsec tunnel
Network requirements
As shown in Figure 56, configure an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.

Figure 56 Network diagram: Router A S2/1 2.2.2.1/24, Eth1/1 10.1.1.1/24; Internet; Router B S2/2 2.2.3.1/24, Eth1/1 10.1.2.
# Apply the IPsec transform set.
[RouterA-ipsec-policy-manual-map1-10] transform-set tran1
# Configure the remote IP address of the tunnel.
[RouterA-ipsec-policy-manual-map1-10] tunnel remote 2.2.3.1
# Configure the local IP address of the tunnel.
[RouterA-ipsec-policy-manual-map1-10] tunnel local 2.2.2.1
# Configure the SPIs.
[RouterA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[RouterA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
# Configure the keys.
# Configure the local IP address of the tunnel.
[RouterB-ipsec-policy-manual-use1-10] tunnel local 2.2.3.1
# Configure the SPIs.
[RouterB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
# Configure the keys.
[RouterA] ike peer peer
[RouterA-ike-peer-peer] pre-shared-key abcde
[RouterA-ike-peer-peer] remote-address 2.2.3.1
[RouterA-ike-peer-peer] quit
# Create an IPsec policy that uses IKE for IPsec SA negotiation.
[RouterA] ipsec policy map1 10 isakmp
# Apply the IPsec transform set.
[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Apply the ACL.
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
# Apply the IKE peer.
[RouterB-ipsec-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec transform set.
[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Apply the IKE peer.
[RouterB-ipsec-policy-isakmp-use1-10] ike-peer peer
[RouterB-ipsec-policy-isakmp-use1-10] quit
# Configure the IP address of the serial interface.
[RouterB] interface serial 2/2
[RouterB-Serial2/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[RouterB-Serial2/2] ipsec policy use1
3.
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] transform esp
# Specify the algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Configure the IKE peer.
[RouterB-acl-adv-3101] quit
# Configure a static route to Host A.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 serial 2/2
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] transform esp
# Specify the algorithms.
After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up, the traffic between the two subnets will be IPsec protected through the encryption card.

Configuring IPsec interface backup
Network requirements
As shown in Figure 58, configure two IPsec tunnels operating in backup mode between Router A and Router B to protect data flows between subnet 10.1.1.
[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterA-ipsec-policy-isakmp-map1-10] ike-peer peer
[RouterA-ipsec-policy-isakmp-map1-10] quit
# Configure a loopback interface.
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 1.1.1.1 32
[RouterA-LoopBack0] quit
# Configure IPsec policy group map1 as a shared source interface policy group.
[RouterB-ike-peer-peer] pre-shared-key abcde
[RouterB-ike-peer-peer] remote-address 1.1.1.1
[RouterB-ike-peer-peer] quit
# Configure an IPsec policy named map1, specifying to use the IKE negotiation mode.
[RouterB] ipsec policy map1 10 isakmp
[RouterB-ipsec-policy-isakmp-map1-10] transform-set tran1
[RouterB-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterB-ipsec-policy-isakmp-map1-10] ike-peer peer
[RouterB-ipsec-policy-isakmp-map1-10] quit
# Configure a loopback interface.
----------------------------
IPsec policy name: "map1"
sequence number: 10
acl version: ACL4
mode: isakmp
----------------------------
PFS: N, DH group: none
tunnel:
local address: 1.1.1.1
remote address: 3.3.3.3
flow :
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 10.1.2.0/255.255.255.
[RouterA] ike peer atob
[RouterA-ike-peer-atob] exchange-mode aggressive
[RouterA-ike-peer-atob] pre-shared-key simple aabb
[RouterA-ike-peer-atob] id-type name
[RouterA-ike-peer-atob] remote-name routerb
[RouterA-ike-peer-atob] quit
# Create an IPsec transform set named method1. This IPsec transform set uses the default settings: the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5.
# Configure an IKE peer named btoa. Because the remote peer obtains its IP address automatically, set the IKE negotiation mode to aggressive.
[RouterB] ike peer btoa
[RouterB-ike-peer-btoa] exchange-mode aggressive
[RouterB-ike-peer-btoa] pre-shared-key simple aabb
[RouterB-ike-peer-btoa] id-type name
[RouterB-ike-peer-btoa] remote-name routera
[RouterB-ike-peer-btoa] quit
# Create an IPsec transform set named method1.
Link: ADM - administratively down; Stby – standby
Protocol: (s) – spoofing
Interface Link Protocol Main IP Description
Tun1 UP UP 10.1.1.2
# Execute the display ike sa command on Router B. The output shows that the SAs of two phases are established.
[RouterB] display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
---------------------------------------------------------
1 1.1.1.2 RD 1 IPSEC
2 1.1.1.
spi: 0x8CF16C54(2364632148)
transform: ESP-ENCRYPT-DES ESP-AUTH-MD5
in use setting: Tunnel
connection id: 2
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3503
anti-replay detection: Enabled
anti-replay window size(counter based) : 32
udp encapsulation used for nat traversal: N
# On Router B, ping the IP address of the interface on Router A that connects to the branch.
[RouterB] ping -a 192.168.1.1 172.17.17.1
PING 172.17.17.
• Apply the IPsec policy to a RIPng process to protect RIPng packets in this process, or to an interface to protect RIPng packets traveling through the interface.

Configuration procedure
1. Configure Router A:
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on Ethernet 1/1.
[RouterB-Ethernet1/2] quit
# Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
[RouterC-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[RouterC-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
[RouterC-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[RouterC-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[RouterC-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[RouterC] ripng 1
[RouterC-ripng-1] enable ipsec-policy policy001
[RouterC-ripng-1] quit
4.
in use setting: Transport
connection id: 13
No duration limit for this sa
[outbound ESP SAs]
spi: 0x3039(123456)
transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
in use setting: Transport
connection id: 14
No duration limit for this sa
Similarly, you can view the information on Router B and Router C. (Details not shown.)

Configuring IPsec RRI
Network requirements
As shown in Figure 61, configure an IPsec tunnel between Router A and Router B to protect the traffic between the headquarters and the branch.
# Set the packet encapsulation mode to tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[RouterA-ipsec-transform-set-tran1] transform esp
# Use DES as the encryption algorithm and SHA1-HMAC-96 as the authentication algorithm.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create IKE peer peer.
# Use DES as the encryption algorithm and SHA1-HMAC-96 as the authentication algorithm.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create IKE peer peer.
[RouterB] ike peer peer
# Set the pre-shared key.
[RouterB-ike-peer-peer] pre-shared-key abcde
# Specify the IP address of the peer security gateway.
[RouterB-ike-peer-peer] remote-address 1.1.1.
Configuring IKE
Overview
Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the application, management, configuration and maintenance of IPsec. Instead of transmitting keys directly across a network, IKE peers exchange keying material and each peer calculates the shared keys on its own side.
2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs.

Figure 62 IKE exchange process in main mode

As shown in Figure 62, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
• SA exchange—Used for negotiating the security policy.
• Key exchange—Used for exchanging the DH public value and other values like the random number. Key data is generated in this stage.
Relationship between IKE and IPsec

Figure 63 Relationship between IKE and IPsec

Figure 63 illustrates the relationship between IKE and IPsec:
• IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
• IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
• IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
Hardware: MSR1000. FIPS mode: Yes.

IKE configuration task list
Determine the following parameters prior to IKE configuration:
• The strength of the algorithms for IKE negotiation (the security protection level), including the identity authentication method, encryption algorithm, authentication algorithm, and DH group. Different algorithms provide different levels of protection. A stronger algorithm means more resistance to decryption of protected data but requires more resources.
Configuring an IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You can create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number: the lower the sequence number, the higher the preference. Two peers must have at least one matching IKE proposal for successful IKE negotiation.
7. Set the ISAKMP SA lifetime for the IKE proposal. Command: sa duration seconds. Remarks: Optional. 86400 seconds by default. Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in IKE negotiation takes time, especially on low-end devices. To prevent SA updates from affecting normal communication, set the lifetime to more than 10 minutes.
3. Specify the IKE negotiation mode for phase 1. Command: exchange-mode { aggressive | main }. Remarks: Optional. The default is main. In FIPS mode, the aggressive mode is not supported.
4. Specify the IKE proposals for the IKE peer to reference. Command: proposal proposal-number&<1-6>. Remarks: Optional. By default, an IKE peer references no IKE proposals, and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.
10. Specify the IP addresses of the remote gateway. Command: remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }. Remarks: Optional. The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on the peer.
11. Enable the NAT traversal function for IPsec/IKE. Command: nat traversal. Remarks: Optional. Required when a NAT gateway is present in the VPN tunnel constructed by IPsec/IKE.
Step Command Remarks
2. Set the ISAKMP SA keepalive interval. Command: ike sa keepalive-timer interval seconds. Remarks: No keepalive packet is sent by default.
3. Set the ISAKMP SA keepalive timeout. Command: ike sa keepalive-timer timeout seconds. Remarks: No keepalive packet is sent by default.
Setting the NAT keepalive timer If IPsec traffic needs to pass through NAT security gateways, you must configure the NAT traversal function.
Step Command Remarks
4. Set the DPD packet retransmission interval. Command: time-out time-out. Remarks: Optional. 5 seconds by default.
Disabling next payload field checking The Next payload field is in the generic payload header of the last payload of the IKE negotiation message (the message comprises multiple payloads). According to the protocol, this field must be 0 if the payload is the last payload of the packet. However, it might be set to other values on some brands of devices.
Figure 64 Network diagram (Router A: Eth1/1 1.1.1.1/16 toward the Internet, Eth1/2 10.1.1.1/24 toward Host A 10.1.1.2/24; Router B: Eth1/1 2.2.2.2/16 toward the Internet, Eth1/2 10.1.2.1/24 toward Host B 10.1.2.2/24)
Configuration procedure
1. Make sure that Router A and Router B can reach each other.
2. Configure Router A:
# Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.
[RouterA-ike-proposal-10] sa duration 5000 [RouterA-ike-proposal-10] quit # Create an IPsec policy that uses IKE negotiation. [RouterA] ipsec policy map1 10 isakmp # Reference IPsec transform set tran1. [RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Reference ACL 3101 to identify the protected traffic. [RouterA-ipsec-policy-isakmp-map1-10] security acl 3101 # Reference IKE peer peer.
[RouterB-ike-peer-peer] quit # Create an IPsec policy that uses IKE negotiation. [RouterB] ipsec policy use1 10 isakmp # Reference ACL 3101 to identify the protected traffic. [RouterB-ipsec-policy-isakmp-use1-10] security acl 3101 # Reference IPsec transform set tran1. [RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1 # Reference IKE peer peer. [RouterB-ipsec-policy-isakmp-use1-10] ike-peer peer [RouterB-ipsec-policy-isakmp-use1-10] quit # Assign an IP address to interface Ethernet 1/2.
flag meaning: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
# Display information about the established IPsec SAs, which protect traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configuring aggressive mode IKE with NAT traversal Network requirements As shown in Figure 65, the branch and the headquarters connect to an ATM network through Router B and Router A. Router B connects to the public network through an ADSL line and acts as the PPPoE client. The interface connecting to the public network uses a private address dynamically assigned by the ISP. Router A uses a fixed public IP address for the interface connected to the public network.
[RouterA-ike-peer-peer] quit # Configure an IPsec transform set named tran1. [RouterA] ipsec transform-set tran1 [RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel [RouterA-ipsec-transform-set-tran1] transform esp [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm 3des [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit # Create an IPsec policy, specifying to set up SAs through IKE negotiation.
[RouterB-ike-peer-peer] pre-shared-key abc [RouterB-ike-peer-peer] id-type name [RouterB-ike-peer-peer] remote-name routera [RouterB-ike-peer-peer] remote-address 100.1.1.1 [RouterB-ike-peer-peer] nat traversal [RouterB-ike-peer-peer] quit # Create an IPsec transform set named tran1.
[RouterB-Virtual-Ethernet0] pppoe-client dial-bundle-number 1 [RouterB-Virtual-Ethernet0] mac-address 0011-0022-0012 # Map the virtual Ethernet interface to a PVC on interface ATM 1/0.
For the negotiation in phase 2, verify that the parameters of the IPsec policies applied on the interfaces match, and that the referenced IPsec transform sets match in security protocol, encryption algorithm, and authentication algorithm. Failed to establish an IPsec tunnel Symptom The expected IPsec tunnel cannot be established. Analysis In an unstable network, this can happen when the tunnel was set up but the SAs on one end no longer match those on the other, so the peers cannot communicate even though an IPsec tunnel appears to exist.
Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks to provide reliable identity authentication, key distribution, and IPsec SA establishment. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer protocol message exchanges than IKEv1.
New features in IKEv2 DH guessing At the IKE_SA_INIT exchange phase, the initiator guesses the DH group that the responder is most likely to use and sends it in the first message, and the responder uses the guessed DH group to respond. If the initiator's guess is correct, the IKE_SA_INIT exchange is finished at the cost of two messages. If the guess is wrong, the responder will respond with an INVALID_KE_PAYLOAD message, indicating the DH group that it wants to use.
IKEv2 configuration task list Determine the following parameters prior to IKEv2 configuration: • The strength of the algorithms for IKEv2 negotiation, namely the security protection level, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources.
Step Command Remarks
2. Configure the cookie challenging function. Command: ikev2 cookie-challenge number. Remarks: Disabled by default. The cookie challenge protects a responder against floods of IKE_SA_INIT requests from spoofed addresses: once too many IKE SAs are half-open, the responder returns a stateless cookie instead of allocating state, and processes only requests that come back with that cookie.
Configuring the IKEv2 DPD function The IKEv2 DPD function detects dead IKE peers in on-demand or periodic mode. In periodic mode, the DPD function sends DPD hellos to the peer at the specified interval to detect the liveliness of the peer. In on-demand mode, the DPD function works as follows: 1.
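The two IKE_SA_INIT behaviours described above, DH guessing with INVALID_KE_PAYLOAD (the "New features in IKEv2" passage) and the cookie challenge (the step above), as one added example. This is illustrative code written for this page, not the MSR implementation or code from the HP guide. Messages are plain dictionaries rather than IKEv2 wire encoding, no real Diffie-Hellman arithmetic is performed (only the group selection is modelled), and two things are assumptions: that the number argument of ikev2 cookie-challenge is the half-open SA count above which cookies are demanded, and the cookie recipe itself (an HMAC over Ni | IPi | SPIi under a rotating responder secret, the form suggested in RFC 7296 section 2.6).

```python
"""IKE_SA_INIT control flow: DH-group guessing and the stateless cookie challenge.

Added example, not code from the HP MSR guide. Messages are dicts, DH is not
computed, and the cookie construction and threshold semantics are assumptions
(see the lead-in).
"""
import hashlib
import hmac
import os
import secrets

# DH group number -> MODP modulus size in bits (the groups that appear in the page's output).
MODP_GROUPS = {2: 1024, 5: 1536, 14: 2048}


class Responder:
    """IKEv2 responder: answers IKE_SA_INIT requests and counts half-open SAs."""

    def __init__(self, preferred_group, cookie_threshold):
        self.preferred_group = preferred_group
        self.cookie_threshold = cookie_threshold   # assumed meaning of 'ikev2 cookie-challenge number'
        self.half_open = 0                          # SAs with state allocated but no IKE_AUTH yet
        self.secret = os.urandom(32)                # rotated periodically in a real implementation
        self.secret_version = 1

    def cookie_for(self, msg):
        """Stateless cookie: recomputable from the retransmitted request alone, so no state is kept."""
        data = msg["nonce"] + msg["src_ip"].encode() + msg["spi_i"]
        mac = hmac.new(self.secret, data, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def handle_init(self, msg):
        # Under load, refuse to allocate state until the initiator proves it can receive
        # at the claimed source address by echoing a valid cookie.
        if self.half_open >= self.cookie_threshold:
            expected = self.cookie_for(msg)
            if not hmac.compare_digest(msg.get("cookie", b""), expected):
                return {"type": "COOKIE", "cookie": expected}
        # DH guessing: a KE payload for a group the responder will not use is rejected
        # with INVALID_KE_PAYLOAD carrying the group it wants.
        if msg["ke_group"] != self.preferred_group:
            return {"type": "INVALID_KE_PAYLOAD", "group": self.preferred_group}
        # Accept: only now is state for this SA created.
        self.half_open += 1
        return {"type": "IKE_SA_INIT", "ke_group": msg["ke_group"],
                "spi_r": secrets.token_bytes(8), "nonce": secrets.token_bytes(32)}


def negotiate(responder, src_ip, guessed_group, max_rounds=4):
    """Initiator side: repeat IKE_SA_INIT until a response is received.

    Returns the agreed DH group and the number of messages exchanged (two per
    round trip): 2 means the guess was right and no cookie was required.
    """
    if guessed_group not in MODP_GROUPS:
        raise ValueError("unknown DH group %d" % guessed_group)
    req = {"src_ip": src_ip, "spi_i": secrets.token_bytes(8),
           "nonce": secrets.token_bytes(32), "ke_group": guessed_group}
    for round_no in range(1, max_rounds + 1):
        resp = responder.handle_init(req)
        if resp["type"] == "COOKIE":
            req["cookie"] = resp["cookie"]          # retransmit the same request plus the cookie
        elif resp["type"] == "INVALID_KE_PAYLOAD":
            if resp["group"] not in MODP_GROUPS:
                raise RuntimeError("responder demands unsupported group %d" % resp["group"])
            req["ke_group"] = resp["group"]         # resend with a KE payload for that group
        else:
            return {"group": resp["ke_group"], "messages": 2 * round_no}
    raise RuntimeError("IKE_SA_INIT did not complete in %d rounds" % max_rounds)


def spoofed_flood(responder, count):
    """An attacker sends IKE_SA_INIT from forged addresses and never answers; returns SAs allocated."""
    before = responder.half_open
    for i in range(count):
        responder.handle_init({"src_ip": "198.51.100.%d" % (i % 250),
                               "spi_i": secrets.token_bytes(8),
                               "nonce": secrets.token_bytes(32),
                               "ke_group": responder.preferred_group})
    return responder.half_open - before


if __name__ == "__main__":
    r = Responder(preferred_group=14, cookie_threshold=5)
    print("right guess:", negotiate(r, "192.0.2.1", 14))   # 2 messages
    print("wrong guess:", negotiate(r, "192.0.2.1", 2))    # 4 messages, group 14
    print("SAs allocated to a 50-packet spoofed flood:", spoofed_flood(r, 50))
    print("legitimate peer under flood:", negotiate(r, "192.0.2.2", 14))  # cookie round, then OK
```

Without the threshold, every spoofed request in the flood would allocate an SA; with it, only the requests that arrived before the threshold do, and a legitimate initiator pays one extra round trip.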
Configuring an address pool for assigning addresses to initiators You can configure an address pool on the device so that the device, when working as IKEv2 negotiation responder, can assign addresses to negotiation initiators. To configure an address pool for IKEv2 to use to assign addresses to initiators: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure an address pool for IKEv2 to use to assign addresses to initiators.
Step Command Remarks
3. Specify the encryption algorithms. Command: encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *. Remarks: By default, an IKEv2 proposal has no encryption algorithm.
4. Specify the integrity protection algorithms. Command: integrity { aes-xcbc-mac | md5 | sha1 | sha2-256 } *. Remarks: By default, an IKEv2 proposal has no integrity protection algorithm. des-cbc (56-bit key) and md5 are offered for interoperability with older peers only; for new deployments, specify an AES algorithm with sha2-256.
5. Specify the PRF algorithms.
Configuring an IKEv2 keyring An IKEv2 keyring specifies the pre-shared keys used for IKEv2 negotiation. An IKEv2 keyring might have multiple peers. Each peer has a symmetric or asymmetric pre-shared key, and an argument for identifying the peer (such as the peer's host name, IP address or address range, or ID). An IKEv2 negotiation initiator uses the peer host name or IP addresses/address range as the matching criterion to search for a peer.
Step Command Remarks
2. Create an IKEv2 profile and enter IKEv2 profile view. Command: ikev2 profile profile-name. Remarks: By default, no IKEv2 profile exists.
3. Configure the local or remote identity authentication method. Command: authentication { local | remote } { pre-share | rsa-sig }. Remarks: Optional. By default, both the local end and remote end use the pre-shared key authentication method. You can specify only one local identity authentication method but can specify multiple remote identity authentication methods.
Step Command Remarks
7. Specify the PKI domains. Remarks: If the local end uses the RSA digital signature authentication method, you must configure a PKI domain for certificate signing on the local end and a PKI domain for certificate verification on the remote end.
Displaying and maintaining IKEv2 Task Command Remarks Display IKEv2 profile configuration information. display ikev2 profile [ profile-name] [ | { begin | exclude | include } regular-expression ] Available in any view. Display IKEv2 policy configuration information. display ikev2 policy [ policy-name | default ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display the current IKEv2 SA information.
Figure 67 Network diagram Configuration prerequisites Make sure Router A and Router B can reach each other. Configure the security gateway Router A 1. Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. system-view [RouterA] acl number 3101 [RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [RouterA-acl-adv-3101] quit 2. Configure an IPsec transform set: # Create IPsec transform set transform_a.
[RouterA-policy-policy_a] quit
5. Configure an IKEv2 keyring:
# Create IKEv2 keyring keyring_a.
[RouterA] ikev2 keyring keyring_a
# Create IKEv2 peer peer_a.
[RouterA-keyring-keyring_a] peer peer_a
# Configure the address range 2.2.2.2/16 for the peer.
[RouterA-keyring-keyring_a-peer-peer_a] address 2.2.2.2 16
# Use the plain text key 123 as the symmetric pre-shared key, that is, the same key for authenticating the local end and for verifying the remote end.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.2 Configure the security gateway Router B 1. Configure an ACL: # Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24. system-view [RouterB] acl number 3101 [RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [RouterB-acl-adv-3101] quit 2. Configure an IPsec transform set: # Create IPsec transform set transform_b.
[RouterB-keyring-keyring_b] quit 6. Configure an IKEv2 profile: # Create IKEv2 profile profile_b. [RouterB] ikev2 profile profile_b # Set both the local and remote authentication methods to pre-shared key. [RouterB-profile-profile_b] authentication local pre-share [RouterB-profile-profile_b] authentication remote pre-share # Use the FQDN router_b as the local identity information. [RouterB-profile-profile_b] identity local fqdn router_b # Use the keyring keyring_b.
PRF : MD5
DH Group : MODP1024/Group 2
IKEv2 proposal : default
Encryption : AES-CBC-128 3DES-CBC
Integrity : SHA1 MD5
PRF : SHA1 MD5
DH Group : MODP1536/Group 5 MODP1024/Group 2
# Display the IKEv2 profile configuration information.
===============================
Interface: Ethernet1/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
PFS: N, DH group: none
tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 10.1.2.0/255.255.255.
• Use IKEv2 to dynamically negotiate keys and establish and maintain IPsec SAs. • Configure IKEv2 to use the encryption algorithm AES-CBC-192, integrity protection algorithm MD5, PRF algorithm MD5, and 1024-bit DH group. • Set both the local and remote authentication methods to RSA digital certificate. Figure 68 Network diagram Configuration prerequisites Make sure Router A and Router B can reach each other.
# Import the CA certificate for certificate signing in offline mode.
[RouterA] pki import-certificate ca domain domain_b der filename bbb_ca.crt
Is the finger print correct?(Y/N):y
Answer Y only after comparing the displayed fingerprint with the value obtained from the CA out of band; a CA certificate accepted without this check would let any peer holding a certificate from an impostor CA pass RSA signature authentication.
2. Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3101] quit
3. Configure an IPsec transform set:
# Create IPsec transform set transform_a.
[RouterA-profile-profile_a] pki domain domain_b verify
[RouterA-profile-profile_a] pki domain domain_a sign
[RouterA-profile-profile_a] quit
7. Configure an IPsec policy that uses IKEv2.
[RouterA] ipsec policy map 1 isakmp
[RouterA-ipsec-policy-isakmp-map-1] encapsulation-mode tunnel
[RouterA-ipsec-policy-isakmp-map-1] security acl 3101
[RouterA-ipsec-policy-isakmp-map-1] ikev2 profile profile_a
[RouterA-ipsec-policy-isakmp-map-1] remote-address 2.2.2.
[RouterB-pki-domain-domain_b] quit # Import the CA certificate for certificate signing in offline mode. [RouterB] pki import-certificate ca domain domain_b der filename bbb_ca.crt Is the finger print correct?(Y/N):y # Import the local certificate in offline mode. [RouterB] pki import-certificate local domain domain_b p12 filename hw002.pfx 2. Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24. [RouterB] acl number 3101 [RouterB-acl-adv-3101] rule permit ip source 10.1.
[RouterB-profile-profile_b] match address local interface ethernet 1/1 # Use PKI domain domain_b for certificate signing and PKI domain domain_a for certificate authentication. [RouterB-profile-profile_b] pki domain domain_a verify [RouterB-profile-profile_b] pki domain domain_b sign [RouterB-profile-profile_b] quit 7. Configure an IPsec policy that uses IKEv2.
DH Group : MODP1536/Group 5 MODP1024/Group 2
# Display the IKEv2 profile configuration information.
[inbound ESP SAs]
spi: 110534512 (0x6969f70)
transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
in use setting: Tunnel
connection id: 1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/965
anti-replay detection: Enabled
anti-replay window size(counter based): 32
udp encapsulation used for nat traversal: N
communication entity: Responder
status: --
[outbound ESP SAs]
spi: 118757629 (0x71418fd)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
in use setting: Tunnel
connection id: 1
sa du
IPsec tunnels cannot be set up Symptom In an unstable network environment, the expected IPsec tunnels cannot be set up or do not operate correctly. Analysis If the two peers have the correct ACLs and a matching IKEv2 proposal, it is most likely that the tunnels have been set up but the device at one end restarted, resulting in unmatched IKEv2 SAs or IPsec SAs.
Configuring PKI Overview The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other. A key problem with PKI is how to manage the public keys.
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. Because different CAs might use different methods to examine the binding of a public key with an entity, make sure you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 69.
3. The CA verifies the digital signature, approves the application, and issues a certificate. 4. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution points to provide directory navigation service, and notifies the entity that the certificate is successfully issued. 5. The entity retrieves the certificate. With the certificate, the entity can communicate with other entities safely through encryption and digital signature. 6.
Task Remarks
Configuring a PKI domain: Required.
Requesting a PKI certificate, by either Configuring automatic certificate request or Manually requesting a certificate: Required. Use either method.
Retrieving a certificate manually: Optional.
Verifying PKI certificates: Optional.
Destroying the local RSA key pair: Optional.
Deleting a certificate: Optional.
Configuring a certificate access control policy: Optional.
Step Command Remarks: Optional.
3. Configure the common name for the entity. common-name name
4. Configure the country code for the entity. country country-code-str
5. Configure the FQDN for the entity. fqdn name-str
6. Configure the IP address for the entity. ip ip-address
7. Configure the locality for the entity. locality locality-name
8. Configure the organization name for the entity. organization org-name
9. Configure the unit name for the entity. organization-unit org-unit-name
10.
• Polling interval and count—After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status. • IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs.
Requesting a PKI certificate When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means such as phone, disk, or email. Online certificate request falls into manual mode and auto mode.
Step Command Remarks
3. Set the certificate request mode to auto. Remarks: By default, the manual request mode applies. Specify the num-days argument in the command to enable an entity to request a new certificate the specified number of days before the current certificate expires.
• A newly created key pair will overwrite the existing one. If you perform the public-key local create command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one. • If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes.
Prepare for certificate verification. • Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration. If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and registration information resulting from configuration changes.
Step Command Remarks
6. Return to system view. Command: quit. Remarks: N/A
7. Retrieve the CA certificate. Command: See "Retrieving a certificate manually". Remarks: N/A
8. Retrieve the CRLs. Command: pki retrieval-crl domain domain-name. Remarks: N/A
9. Verify the validity of a certificate. Command: pki validate-certificate { ca | local } domain domain-name. Remarks: This command is not saved in the configuration file.
Verifying certificates without CRL checking
Step Command Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Enter PKI domain view.
Step Command
1. Enter system view. system-view
2. Delete certificates. pki delete-certificate { ca | local } domain domain-name
Configuring a certificate access control policy By configuring a certificate access control policy, you can restrict which client certificates the server accepts based on attributes of the certificate (such as the subject name, issuer name, or alternative subject name), in addition to the signature and validity checks performed by certificate verification.
To configure a certificate access control policy:
Step Command Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Create a certificate attribute group and enter its view.
Task Command Remarks
Display information about certificate access control policies. Command: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
PKI configuration examples The SCEP add-on is required when you use Windows Server as the CA. In this case, when you configure the PKI domain, you must use the certificate request from ra command to specify that the entity requests a certificate from an RA.
Configuring the router 1. Configure the entity DN: # Configure the entity name as aaa and the common name as router. system-view [Router] pki entity aaa [Router-pki-entity-aaa] common-name router [Router-pki-entity-aaa] quit 2. Configure the PKI domain: # Create PKI domain torsa and enter its view. [Router] pki domain torsa # Configure the name of the trusted CA as myca.
Saving CA/RA certificates chain, please wait a moment...... CA certificates retrieval success. # Retrieve CRLs and save them locally. [Router] pki retrieval-crl domain torsa Connecting to server for retrieving CRL. Please wait a while..... CRL retrieval success! # Request a local certificate manually. [Router] pki request-certificate domain torsa challenge-word Certificate is being requested, please wait...... [Router] Enrolling the local certificate,please wait a while......
X509v3 CRL Distribution Points: URI:http://4.4.4.133:447/myca.crl You can also use some other display commands (display pki certificate ca domain and display pki crl domain commands) to display detailed information about the CA certificate and CRLs. Certificate request from a Windows 2003 CA server Network requirements Configure PKI entity Router to request a local certificate from the CA server. Figure 71 Network diagram Configuring the CA server 1. Install the certificate service suites: a.
Configuring the router 1. Configure the entity DN: # Configure the entity name as aaa and the common name as router. system-view [Router] pki entity aaa [Router-pki-entity-aaa] common-name router [Router-pki-entity-aaa] quit 2. Configure the PKI domain: # Create PKI domain torsa and enter its view. [Router] pki domain torsa # Configure the name of the trusted CA as myca.
# Request a local certificate manually. [Router] pki request-certificate domain torsa challenge-word Certificate is being requested, please wait...... [Router] Enrolling the local certificate,please wait a while...... Certificate request successfully! Saving the local certificate to device...... Done! Verifying the configuration # Use the following command to display information about the retrieved local certificate.
CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e … You can also use some other display command, for example, the display pki certificate ca domain command, to display more information about the CA certificate.
# Configure the PKI domain. The URL of the registration server varies with the CA server. [RouterA] pki domain 1 [RouterA-pki-domain-1] ca identifier CA1 [RouterA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll [RouterA-pki-domain-1] certificate request entity en [RouterA-pki-domain-1] ldap-server ip 1.1.1.102 # Set the registration authority to RA. [RouterA-pki-domain-1] certificate request from ra # Configure the CRL distribution URL.
# Request a certificate. [RouterB] pki retrieval-certificate ca domain 1 [RouterB] pki retrieval-crl domain 1 [RouterB] pki request-certificate domain 1 # Configure IKE proposal 1, using RSA signature for identity authentication. [RouterB] ike proposal 1 [RouterB-ike-proposal-1] authentication-method rsa-signature [RouterB-ike-proposal-1] quit # Specify the PKI domain for the IKE peer.
system-view [Router] ssl server-policy myssl [Router-ssl-server-policy-myssl] pki-domain 1 [Router-ssl-server-policy-myssl] client-verify enable [Router-ssl-server-policy-myssl] quit 2. Configure the certificate attribute group. # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1.
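The way an attribute group and an access control policy decide whether a client certificate is accepted, as an added example written for this page (not the HP guide's code and not the MSR implementation). It models the group described above, rule 1 (the subject DN contains the string aabbcc) and rule 2 (the certificate issuer's IP address is 10.0.0.1), plus a policy of ordered permit/deny statements that reference groups. The semantics are this example's assumptions: a certificate matches a group only if every rule in the group holds, statements are tried in order and the first whose group matches decides, and a certificate matching no statement is denied. Certificates are small dictionaries constructed inline rather than parsed X.509 objects.

```python
"""Evaluation of a certificate access control policy (added example; semantics are assumptions)."""
import ipaddress


class AttributeRule:
    """One attribute rule: which name of the certificate (subject-name, issuer-name,
    alt-subject-name), which field type (dn, fqdn, ip) and how to compare
    (ctn = contains, nctn = does not contain, equ = equals, nequ = not equal)."""

    def __init__(self, name, field, op, value):
        if op not in ("ctn", "nctn", "equ", "nequ"):
            raise ValueError("unknown operator " + op)
        if field == "ip" and op in ("ctn", "nctn"):
            raise ValueError("substring match is meaningless for IP addresses")
        self.name, self.field, self.op = name, field, op
        self.value = ipaddress.ip_address(value) if field == "ip" else value

    def matches(self, cert):
        values = cert.get(self.name, {}).get(self.field, [])
        if self.field == "ip":
            values = [ipaddress.ip_address(v) for v in values]   # normalises 010.0.0.1 vs 10.0.0.1
        if self.op in ("ctn", "nctn"):
            hit = any(self.value in v for v in values)
        else:
            hit = self.value in values
        return hit if self.op in ("ctn", "equ") else not hit


class AttributeGroup:
    """A certificate matches the group only if every rule holds; an empty group matches anything."""

    def __init__(self, name, rules):
        self.name, self.rules = name, list(rules)

    def matches(self, cert):
        return all(rule.matches(cert) for rule in self.rules)


class AccessControlPolicy:
    """Ordered permit/deny statements; first matching statement wins; implicit deny at the end."""

    def __init__(self, name):
        self.name = name
        self.statements = []

    def add(self, action, group):
        if action not in ("permit", "deny"):
            raise ValueError("unknown action " + action)
        self.statements.append((action, group))

    def decide(self, cert):
        for action, group in self.statements:
            if group.matches(cert):
                return action
        return "deny"


def build_example_policy():
    """The policy from the page: permit certificates matching mygroup1 (both rules)."""
    mygroup1 = AttributeGroup("mygroup1", [
        AttributeRule("subject-name", "dn", "ctn", "aabbcc"),
        AttributeRule("issuer-name", "ip", "equ", "10.0.0.1"),
    ])
    policy = AccessControlPolicy("myacp")
    policy.add("permit", mygroup1)
    return policy


# Constructed sample certificates (hypothetical names and addresses).
CLIENT_OK = {"subject-name": {"dn": ["CN=client1,O=aabbcc,C=CN"], "fqdn": ["client1.example.net"]},
             "issuer-name": {"dn": ["CN=CA server,O=aabbcc"], "ip": ["10.0.0.1"]}}
CLIENT_WRONG_ISSUER = {"subject-name": {"dn": ["CN=client2,O=aabbcc,C=CN"]},
                       "issuer-name": {"ip": ["10.0.0.2"]}}
CLIENT_NO_MATCH = {"subject-name": {"dn": ["CN=other,O=xyz,C=CN"]},
                   "issuer-name": {"ip": ["10.0.0.1"]}}

if __name__ == "__main__":
    policy = build_example_policy()
    for label, cert in (("ok", CLIENT_OK), ("wrong issuer", CLIENT_WRONG_ISSUER), ("no match", CLIENT_NO_MATCH)):
        print(label, "->", policy.decide(cert))
```

Note that CLIENT_WRONG_ISSUER is denied although its subject DN contains aabbcc: the two rules of a group are a conjunction, so a certificate issued by a different CA does not satisfy the group even when its subject matches.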
Troubleshooting PKI configuration Failed to obtain the CA certificate Symptom The CA certificate cannot be retrieved. Analysis • The network connection is down because, for example, the network cable is damaged or the connectors have bad contact. • No trusted CA is specified. • The URL of the registration server for certificate request is not correct or not specified.
3. Regenerate a key pair. 4. Specify a trusted CA. 5. Use the ping command to verify that the RA server is reachable. 6. Specify the authority for certificate request. 7. Configure the required entity DN parameters. Failed to retrieve CRLs Symptom CRLs cannot be retrieved. Analysis • The network connection is down because, for example, the network cable is damaged or the connectors have bad contact. • No CA certificate has been retrieved before you try to obtain CRLs.
Managing public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 74.
Hardware / FIPS mode: MSR20 Yes. MSR30 Yes (except the MSR30-16). MSR50 Yes. MSR1000 Yes.
Configuration task list Public key configuration tasks enable you to manage the local asymmetric key pairs and configure the peer host public keys on the local device. By completing these tasks, the local device is ready to work with applications such as SSH and SSL to implement data encryption/decryption, or digital signature.
Table 16 A comparison of different types of asymmetric key algorithms (columns: Type, Number of key pairs, Modulus length, HP recommendation)
Type: RSA
Number of key pairs: In non-FIPS mode, if you specify the key pair name, the command creates a host key pair. If you do not specify the key pair name, the command creates one server key pair and one host key pair, and both key pairs use their default names.
Modulus length: In non-FIPS mode, 512 to 2048 bits, 1024 bits by default. In FIPS mode, 2048 bits. Moduli shorter than 1024 bits (for example the 768-bit keys shown in the display output later in this chapter) can be factored with modest resources and should not be used; choose 2048 bits.
Displaying and recording the host public key information
Task Command Remarks
Display the local RSA public keys. Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Use at least one command.
Display the local DSA host public key. Command: display public-key local dsa public [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Use at least one command.
The display public-key local rsa public command displays both the RSA server and host public keys.
Destroying a local asymmetric key pair You might have to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the local certificate expires. For more information about the local certificate, see "Configuring PKI." To destroy a local asymmetric key pair: Step Command 1. Enter system view. system-view 2. Destroy a local asymmetric key pair.
Step Command Remarks
2. Export an RSA key pair in PEM format. Command: public-key local export rsa name key-name pem { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } password. Remarks: The command displays the public key and private key of the exported RSA key pair in PEM format on the terminal. The private key is encrypted with the algorithm and password specified in the command; des-cbc protects it with only a 56-bit key, so choose an AES option and a strong password. You cannot export the default RSA key pair.
Method Prerequisites Remarks
Method: Manually configure the public key by inputting or copying the key data.
Prerequisites: Display and record the public key of the intended asymmetric key pair. If the peer device is an HP device, use the display public-key local public command to view and record its public key. A public key displayed by other methods for the HP device might not be in a correct format.
Remarks: The recorded public key must be in the correct format.
Public key configuration examples Manually specifying the peer public key on the local device Network requirements As shown in Figure 75, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B. • Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A.
8B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61
58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3
CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF
The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A. Importing a public key from a public key file Network requirements As shown in Figure 76, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61
58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3
CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
# Export the RSA host public key HOST
[DeviceB] public-key peer devicea import sshkey devicea.pub # Display the host public key of Device A on Device B.
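What the key code printed by display public-key local rsa public actually contains, and how it relates to the public key file imported above, as an added example written for this page (not the HP guide's code). The key code is the hexadecimal DER encoding of an X.509 SubjectPublicKeyInfo structure; the script parses it with a minimal ASN.1 reader, extracts the RSA modulus and exponent, and builds the one-line ssh-rsa entry of an OpenSSH public key file together with the SHA256 fingerprint that ssh-keygen -l would print. That a file in this form is what the sshkey keyword of public-key peer import accepts is an assumption made here, as is the key comment devicea. The sample input is the SERVER_KEY key code copied from the display output above with its line breaks removed; it is a 768-bit key and serves only as parse input.

```python
"""Decode an MSR 'Key code' (DER SubjectPublicKeyInfo, hex) into OpenSSH public key format.

Added example, not code from the HP guide. Assumptions: the 'import sshkey'
file format is OpenSSH's one-line form; the sample key below is copied from the
page's display output and is a 768-bit key.
"""
import base64
import hashlib
import struct

RSA_OID = bytes.fromhex("2A864886F70D010101")   # OID 1.2.840.113549.1.1.1, rsaEncryption

# SERVER_KEY key code from the display output on this page, whitespace removed.
DEVICE_A_KEY_CODE = (
    "307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87"
    "BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DA"
    "CBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001"
)


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos). Supports long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Return (n, e) from a DER SubjectPublicKeyInfo; raise ValueError for anything else."""
    tag, spki, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, alg, pos = der_tlv(spki, 0)                       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = der_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = der_tlv(spki, pos)                      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    tag, rsa_key, _ = der_tlv(bits, 1)                     # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, pos = der_tlv(rsa_key, 0)
    tag_e, e_bytes, _ = der_tlv(rsa_key, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def ssh_mpint(value):
    """RFC 4251 mpint: length-prefixed big-endian bytes, with a leading zero if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def to_openssh(hex_key_code, comment="devicea"):
    """Build the one-line OpenSSH public key entry ('ssh-rsa <base64 blob> <comment>')."""
    n, e = parse_rsa_spki(bytes.fromhex("".join(hex_key_code.split())))
    blob = struct.pack(">I", 7) + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint(openssh_line):
    """SHA256 fingerprint in the form ssh-keygen -l prints, for out-of-band comparison of the key."""
    blob = base64.b64decode(openssh_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


if __name__ == "__main__":
    n, e = parse_rsa_spki(bytes.fromhex(DEVICE_A_KEY_CODE))
    print("modulus bits:", n.bit_length(), "exponent:", e)
    line = to_openssh(DEVICE_A_KEY_CODE)
    print(line)                       # contents of devicea.pub
    print(fingerprint(line))
```

The fingerprint is the value to compare with the peer's administrator before importing the file: the key code is public data, and the only thing the import step protects is that the key really belongs to Device A, which no format check can establish.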
-----BEGIN PUBLIC KEY----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6Ne4EtnoKqBCL2YZvSjrG+8He sae5FWtyj9D25PEkXagpLqb3i9Gm/Qbb6cqLLPUIgDS8eK7Wt/dXLeFUCDc0lY8V gujJPvarFL4+Jn+VuL9znNbboA9IxPH2fMvew8lkPCwkXoP+52J+1LRpYkh+rIpE Kj7FG/3/wzGsXu8WJQIDAQAB -----END PUBLIC KEY---------BEGIN RSA PRIVATE KEY----Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,7F8FAB15399DF87C MGaftNqe4esjetm7bRJHSpsbwZ9YUpvA9iWh8R406NGq8e+1A/ZiK23+t1XqRwaU 1FXnwbqHgW1pZ7JxQdgBuC9uXc4VQyP/xe6xCyUepdMC71fmeOaiwUFrj6LAzzBg o3SfhX1NHyHBnr7c6SnI
HTYnE2RDHXkhPGR5FGJsZnd21XLvd2BEkGGmhTk80nDeiI2XH3D48E6UahQwcam/ q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV 0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg== -----END RSA PRIVATE KEY----^C Please input the password: Verifying the configuration Verify that the public key of RSA key pair rsa1 on Device B is the same as the public key of RSA key pair rsa1 on Device A. # Display the public key information of local RSA key pairs on Device B.
Configuring RSH Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. Windows NT, 2000, XP, and 2003 do not ship with an RSH daemon; it must be obtained and installed separately on the remote host. The RSH daemon authenticates an RSH client only by the username the client presents, and the session is not encrypted, so use RSH only on a trusted management network. Figure 78 shows a network diagram for the typical RSH application. Figure 78 RSH application Configuration prerequisites • Run RSH daemon on the remote host.
Configuration Procedure 1. Check that the RSH daemon has been installed and started properly on the remote host: a. From the Windows Control Panel, open the Administrative Tools folder. (For Windows XP, if you use the category view of the Control Panel window, select Administrative Tools from Performance and Maintenance.) Figure 80 Administrative Tools folder b. Double-click the Services icon to display the Services window. Figure 81 Services window c. Check for the Remote Shell Daemon entry.
Figure 82 Remote Shell Daemon Properties window 2. Configure the router: # Configure a route to the remote host. (Details not shown.) # Set the time of the host remotely. rsh 192.168.1.10 command time Trying 192.168.1.10 ... Press CTRL+K to abort The current time is: 6:56:42.
Configuring portal authentication Overview Portal authentication helps control access to the Internet. Portal authentication is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website. However, to access the Internet, a user must pass portal authentication.
Figure 83 Portal system components (figure: authentication clients, access device, portal server, authentication/accounting server, and security policy server) Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal such as a PC. A client can use a browser or portal client software for portal authentication.
The components of a portal system interact as follows: 1. When an unauthenticated user enters a website address in the browser's address bar to access the Internet, an HTTP request is created and sent to the access device. The access device then redirects the HTTP request to the portal server's Web authentication homepage. For extended portal functions, authentication clients must run the portal client software. 2.
Authentication page customization support The local portal server function allows you to customize authentication pages. You customize authentication pages by editing the corresponding HTML files, then compressing the files into a zip file and saving it to the storage medium of the device. A set of customized authentication pages consists of six authentication pages: the logon page, the logon success page, the online page, the logoff success page, the logon failure page, and the system busy page.
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to be present between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client's IP address is used for client identification. After a client passes authentication, the access device generates an ACL for the client based on the client's IP address to permit packets from the client to go through the access port.
The local Layer 2 portal authentication process is as follows: 1. The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects the request to the listening IP address of the local portal server, which then pushes a Web authentication page to the authentication client. The user types the username and password on the Web authentication page.
2. The portal server and the access device exchange CHAP messages. This step is skipped for PAP authentication. 3. The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication reply message. 4. The access device and the RADIUS server exchange RADIUS packets to authenticate the user. 5. The access device sends an authentication reply to the portal server. 6.
8. The portal server notifies the access device that the authentication client has obtained a new public IP address. 9. Detecting the change of the IP address by examining ARP packets received, the access device notifies the portal server of the change. 10. The portal server notifies the authentication client of logon success. 11. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes additional steps: 12.
Portal support for EAP authentication process Figure 90 Portal support for EAP authentication process All portal authentication modes share the same EAP authentication steps. The following example uses direct portal authentication to show the EAP authentication process: 1. The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process. 2.
8. The access device sends an authentication reply to the portal server. This reply carries the EAP-Success message in the EAP-Message attribute. 9. The portal server notifies the authentication client of the authentication success. 10. The portal server sends an authentication reply acknowledgment to the access device. The remaining steps are for extended portal authentication. For more information about the steps, see the portal authentication process with CHAP/PAP authentication.
Task / Remarks:
Specifying an authentication domain for portal users.
Configuring Layer 2 portal authentication to support Web proxy.
Enabling support for portal user moving.
Specifying an autoredirection URL for authenticated portal users: Optional.
Configuring online Layer 2 portal user detection: Optional.
Logging off portal users: Optional.
To configure Layer 3 portal authentication:
Task / Remarks:
Specifying a portal server for Layer 3 portal authentication: Required.
The prerequisites for portal authentication configuration are as follows: • The portal server and the RADIUS server have been installed and configured correctly. Local portal authentication requires no independent portal server be installed. • With re-DHCP authentication, the IP address check function of the DHCP relay agent is enabled on the access device, and the DHCP server is installed and configured correctly. • The portal client, access device, and servers can reach each other.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Specify the listening IP address of the local portal server for Layer 2 portal authentication. Command: portal local-server ip ip-address. Remarks: By default, no listening IP address is specified. The specified listening IP address can be changed or deleted only if Layer 2 portal authentication is not enabled on any port.
Feature: Configuring the local portal server for Layer 2 portal authentication. Hardware support: MSR900: No. MSR93X: No. MSR20-1X: No. MSR20: No. MSR30: Supported on MIM-FSW modules, MSR30-11E, and MSR30-11F. MSR50: No. MSR1000: Yes. Configuring a local portal server is required only for local portal authentication. During local portal authentication, the local portal server pushes authentication pages to users. You can define the authentication pages for users.
Page request rules The local portal server supports only Get and Post requests. • Get requests—Used to get the static files in the authentication pages and allow no recursion. For example, if file Logon.htm includes contents that perform Get action on file ca.htm, file ca.htm cannot include any reference to file Logon.htm. • Post requests—Used when users submit username and password pairs, log on the system, and log off the system. Post request attribute rules 1.
3 -rw- 1405 Feb 28 2008 15:53:44 ssid4.zip 2540 KB total (1319 KB free) File size and content rules The following size and content requirements for authentication pages allow the system to push customized authentication pages smoothly: • The size of the zip file of each set of authentication pages, including the main authentication pages and the page elements, must be no more than 500 KB.
2. Add the function for page loading pt_init() to logonSuccess.htm. See the contents in gray:
LogonSuccessed ... ... NOTE: HP recommends using browser IE 6.0 or above on the authentication clients. An AC in a different subnet from an AP cannot obtain the SSID of a client associated with that AP and thus does not support binding SSIDs to an authentication page file. For more information about AC and SSID, see WLAN Configuration Guide. Enabling portal authentication You must first enable portal authentication on an access interface before it can perform portal authentication for connected clients.
In re-DHCP authentication mode, a client can use a public IP address to send packets before passing portal authentication. However, responses to the packets are restricted. Configuration prerequisites Before enabling Layer 3 portal authentication on an interface, make sure the following requirements are met: • An IP address is configured for the interface. • The interface is not added to any port aggregation group. • The portal server to be referenced on the interface exists.
A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group. Configuration procedure To configure a portal-free rule:
Step 1. Enter system view. Command: system-view.
Step 2. Configure a portal-free rule.
By configuring authentication destination subnets, you specify that only users accessing the specified subnets (excluding the destination IP addresses and subnets specified in portal-free rules) trigger portal authentication. Users can access other subnets without portal authentication. If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnet takes effect.
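The following Python model is an added example, not code from this guide or the device: it applies the rules stated above (portal-free destinations never trigger authentication, destination subnets take effect over source subnets), the per-client permit ACL keyed by IP address described earlier, and the "disable portal authentication when the server is unreachable" action described later in this chapter. The data structures, the portal URL default (taken from this guide's examples) and the policy that only HTTP is redirected while other unauthenticated traffic is dropped are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class PortalInterface:
    """Per-interface portal settings (constructed representation, not the device's)."""
    portal_free_dsts: list = field(default_factory=list)  # destinations covered by portal-free rules
    auth_src_subnets: list = field(default_factory=list)  # authentication source subnets
    auth_dst_subnets: list = field(default_factory=list)  # authentication destination subnets
    portal_url: str = "http://192.168.0.111:8080/portal"  # portal server URL used in this guide's examples
    authenticated: set = field(default_factory=set)       # client IPs that passed portal authentication
    server_unreachable_bypass: bool = False               # "disable portal authentication" action active


def _in_any(addr, subnets):
    a = ip_address(addr)
    return any(a in ip_network(s) for s in subnets)


def needs_portal_auth(iface, src_ip, dst_ip):
    """True if a packet from src_ip to dst_ip must trigger portal authentication."""
    if src_ip in iface.authenticated:
        return False  # the ACL generated for this client IP at logon permits its traffic
    if iface.server_unreachable_bypass:
        return False  # portal server detected unreachable and the disable action is configured
    if _in_any(dst_ip, iface.portal_free_dsts):
        return False  # portal-free rule: reachable without authentication
    if iface.auth_dst_subnets:
        # Destination subnets take effect; source subnets are ignored when both exist.
        return _in_any(dst_ip, iface.auth_dst_subnets)
    if iface.auth_src_subnets:
        return _in_any(src_ip, iface.auth_src_subnets)
    return True  # no subnet restriction: every unauthenticated user is subject to authentication


def handle_packet(iface, src_ip, dst_ip, proto, dport):
    """Return 'permit', a redirect target, or 'drop' for one packet.
    Assumption: only HTTP is redirected to the portal page; other traffic
    from an unauthenticated user is dropped."""
    if not needs_portal_auth(iface, src_ip, dst_ip):
        return "permit"
    if proto == "tcp" and dport == 80:
        return "redirect:" + iface.portal_url
    return "drop"


def client_logon(iface, client_ip):
    """Successful logon: the access device keys the per-client permit ACL by IP address."""
    iface.authenticated.add(client_ip)


def client_logoff(iface, client_ip):
    """Logoff (or online-detection timeout): the permit ACL for this IP is removed."""
    iface.authenticated.discard(client_ip)
```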
Step 3. Specify an authentication domain for portal users on the interface. Command: portal domain domain-name. Remarks: By default, no authentication domain is specified for portal users. The device selects the authentication domain for a portal user on an interface in this order: the authentication domain specified for the interface, the authentication domain carried in the username, and the system default authentication domain.
Feature: Support for portal user moving. Hardware support: MSR900: No. MSR93X: No. MSR20-1X: No. MSR20: No. MSR30: Supported on MIM-FSW modules, MSR30-11E, and MSR30-11F. MSR50: No. MSR1000: No. In cases where there are hubs, Layer 2 switches, or APs between users and the access devices and an authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled port of the device without logging off, the user will not have access as long as the original port is still active.
To specify the NAS-Port-Type value for an interface:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Specify the NAS-Port-Type value for the interface. Command: portal nas-port-type { ethernet | wireless }. Remarks: Not configured by default.
Step 2. Create a NAS ID profile and enter NAS ID profile view. Command: aaa nas-id profile profile-name. Remarks: For more information about the command, see Security Command Reference.
Step 3. Bind a NAS ID with a VLAN. Command: nas-id nas-identifier bind vlan vlan-id. Remarks: For more information about the command, see Security Command Reference.
Step 4. Return to system view. Command: quit. Remarks: N/A.
Step 5. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 6. Specify a NAS ID profile for the interface.
local portal authentication, if the URL a user entered in the address bar before portal authentication is more than 255 characters, the user cannot be redirected to the page of the URL after passing portal authentication. To use this feature for remote Layer 3 portal authentication, the portal server must be an IMC portal server that supports the page auto-redirection function. To specify an autoredirection URL for authenticated portal users: Step 1. 2. Enter system view.
• If the device receives a reply from a portal user before sending probe packets to the portal user for the maximum number of times, it considers that the portal user is online and keeps sending probe packets to the portal user. • If the device receives no reply from a portal user after sending probe packets to the portal user for the maximum number of times, it considers that the portal user is offline and stops sending probe packets to the portal user and deletes the user.
• Maximum number of probe attempts—Maximum number of consecutive probe attempts allowed. If the number of consecutive probes reaches this value, the access device considers that the portal server is unreachable.
3. Actions to be taken when the server reachability status changes (you can choose one or more):
• Sending a trap message—When the status of a portal server changes, the access device sends a trap message to the NMS.
the device provides the portal user information synchronization function. This function is implemented by sending and detecting the portal synchronization packet. The process is as follows: 1. The portal server sends the online user information to the access device in a user synchronization packet at the user heartbeat interval, which is set on the portal server. 2. Upon receiving the user synchronization packet, the access device checks the user information carried in the packet with its own.
the first time, namely, the Web request will be redirected to a specific URL. Then, the user can access network resources. After a specific period of time, if the user sends a Web access request again, the system will push the specified Web page to the user again. This function can be used, for example, by a hotel or a network carrier to push advertisement pages to customers periodically.
Task: Display information about portal users on a specific interface or all interfaces. Command: display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Clear portal connection statistics on a specific interface or all interfaces. Command: reset portal connection statistics { all | interface interface-type interface-number }. Remarks: Available in user view.
a. Log in to IMC and select the Service tab. b. Select User Access Manager > Portal Service > Server from the navigation tree to enter the portal server configuration page, as shown in Figure 93. c. Configure the portal server parameters as needed. This example uses the default settings. d. Click OK. Figure 93 Portal server configuration 2. Configure the IP address group: a.
3. Add a portal device: a. Select User Access Manager > Portal Service > Device from the navigation tree to enter the portal device configuration page. b. Click Add to enter the page shown in Figure 95. c. Enter the device name NAS, enter the IP address of the router's interface connected to the user, and enter the key, which must be the same as that configured on the switch. d. Set whether to enable IP address reallocation.
Figure 97 Adding a port group 5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations. Configuring the router 1. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. system-view [Router] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Enable portal authentication on the interface connecting the host.
Figure 98 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 98 and make sure the host, router, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and authorization functions for users. • For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server.
[Router-radius-rs1] user-name-format without-domain [Router-radius-rs1] quit 2. Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Router] domain dm1 # Configure AAA methods for the ISP domain. [Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] quit # Configure domain dm1 as the default ISP domain for all users.
Figure 99 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the host, routers, and servers as shown in Figure 99 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and authorization functions for users. • Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user. [RouterA] domain default enable dm1 3. Configure portal authentication: # Configure the portal server as follows: Name: newpt; IP address: 192.168.0.111; Key: portal; Port number: 50100; URL: http://192.168.0.111:8080/portal [RouterA] portal server newpt ip 192.168.0.
Configuration prerequisites • Configure IP addresses for the host, router, and servers as shown in Figure 100 and make sure they can reach each other before extended portal is enabled. • Configure the RADIUS server correctly to provide authentication and authorization functions for users. Configuration procedure 1. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. system-view [Router] radius scheme rs1 # Set the server type for the RADIUS scheme.
Name: newpt; IP address: 192.168.0.111; Key: portal, in plain text; Port number: 50100; URL: http://192.168.0.111:8080/portal [Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Enable extended portal authentication on the interface connecting the host.
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown.) • For re-DHCP portal authentication, the router must be configured as a DHCP relay agent and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).
[Router-acl-adv-3001] rule permit ip [Router-acl-adv-3001] quit Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server. 4. Configure extended portal authentication: # Configure the portal server as follows: Name: newpt; IP address: 192.168.0.111; Key: portal, in plain text; Port number: 50100; URL: http://192.168.0.111:8080/portal [Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.
Figure 102 Network diagram (Router A: Eth1/1 192.168.0.100/24, Eth1/2 20.20.20.1/24; Router B: Eth1/1 20.20.20.2/24, Eth1/2 8.8.8.1/24; Host 8.8.8.2/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24; Security policy server 192.168.0.113/24) Configuration prerequisites and guidelines • Configure IP addresses for the host, routers, and servers as shown in Figure 102 and make sure that routes are available between devices.
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user. [RouterA] domain default enable dm1 3. Configure ACL 3000 for resources on subnet 192.168.0.0/24 and ACL 3001 for Internet resources: [RouterA] acl number 3000 [RouterA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.
connection failure, network device failure, or portal server failure, the access device can disable portal authentication, allowing users to access the Internet without authentication. • The access device can synchronize portal user information with the portal server periodically. Figure 103 Network diagram (Router: Eth1/1 192.168.0.100/24, Eth1/2 2.2.2.1/24; Host 2.2.2.2/24 with gateway 2.2.2.1/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24) Configuration considerations 1.
Figure 104 Portal server configuration 2. Configure the IP address group: a. Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in Figure 105. c. Enter the IP group name. d. Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group. e. Select a service group. By default, the group Ungrouped is used. f.
d. Enter the IP address of the router's interface connected to the user. e. Enter the key, which must be the same as that configured on the switch. f. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list. g. Select Yes for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 106 Adding a portal device 4. Associate the portal device with the IP address group: a.
Figure 108 Adding a port group 5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations. Configuring the router 1. Configure a RADIUS scheme: # Create RADIUS scheme rs1 and enter its view. system-view [Router] radius scheme rs1 # Configure the server type for the RADIUS scheme. When using the IMC server, configure the RADIUS server type as extended.
[Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Enable portal authentication on the interface connecting the host. [Router] interface ethernet 1/2 [Router-Ethernet1/2] portal server newpt method direct [Router-Ethernet1/2] quit 4.
Figure 109 Network diagram Configuration prerequisites • Before enabling portal authentication, be sure to configure the MPLS L3VPN capabilities correctly and specify VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other. This example gives only the access authentication configuration on the user-side PE. For information about MPLS L3VPN, see MPLS Configuration Guide.
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and authorization methods of the default domain are used for the user. [RouterA] domain default enable dm1 3. Configure portal authentication: # Configure the portal server as follows: Name: newpt; IP address: 192.168.0.111; VPN: vpn3; Key: portal, in plain text; Port number: 50100; URL: http://192.168.0.
Solution 1. Use the display portal server command to display the key for the portal server on the access device and view the key for the access device on the portal server. 2. Use the portal server command to modify the key on the access device or modify the key for the access device on the portal server to ensure key consistency.
Configuring firewall Overview A firewall blocks unauthorized Internet access to a protected network while allowing internal network users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet. Many of today's firewalls offer additional features, such as identity authentication and encryption.
A packet-filter firewall configured with advanced ACL rules that require exact match records the Layer 3 and upper-layer information carried in each first fragment. When subsequent fragments arrive, the firewall uses the saved information to perform an exact match against each match condition of the ACL rule. For more information about ACL, see ACL and QoS Configuration Guide. Exact match slightly decreases the efficiency of packet filtering.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the network with a security policy that is more comprehensive and better satisfies the actual needs. Basic concepts of ASPF • Java blocking Java blocking is a feature for blocking malicious Java applets that are transported by HTTP.
Figure 110 Application layer protocol inspection (figure: Client A on the protected network initiates a session through the router to a server across the WAN; return packets of that session are permitted to pass, while packets of other sessions, for example toward Client B, are blocked) After the application layer protocol inspection is enabled on the router, the ASPF inspects each application layer session and creates a status entry and a temporary access control list (TACL) for the session.
ASPF creates a TACL for the data connection. For a data connection, the ASPF does not perform status inspection. 7. For returned control connection packets, the ASPF first matches these packets against the control connection TACL, and then checks their application status based on the application type, and determines whether to permit the packets to pass according to the results of the match checks. For returned data connection packets, the ASPF only performs the data connection TACL match. 8.
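As an added illustration of the inspection steps above (not code from this guide or the device), the following Python model applies the TACL and status-check logic to constructed FTP and HTTP packets: an outbound session creates a TACL entry, an FTP PORT command opens a TACL for the expected data connection, return packets pass only on a TACL match, and control connections additionally get an application status check while data connections do not. The packet representation, the toy status checks and the Java-blocking check are assumptions; the 3600-second TCP and 30-second UDP aging defaults are the ones quoted in this guide's detect command remarks.

```python
import re
from dataclasses import dataclass

# Default aging times quoted in this guide for the detect command (seconds).
AGING = {"tcp": 3600, "udp": 30}
# FTP active-mode PORT command: h1,h2,h3,h4,p1,p2 (RFC 959 format).
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float = 0.0  # arrival time in seconds, used for TACL aging
    payload: str = ""


class Aspf:
    """Toy ASPF: outbound() models traffic leaving the protected network,
    inbound() models return traffic from the WAN (assumed representation)."""

    def __init__(self, java_block=()):
        self.java_block = set(java_block)  # servers whose Java applets are blocked
        # TACL: (proto, server, server_port, client, client_port) -> [expiry, kind]
        self.tacl = {}

    @staticmethod
    def _app(pkt):
        if pkt.proto == "tcp" and pkt.dport == 21:
            return "ftp"
        if pkt.proto == "tcp" and pkt.dport == 80:
            return "http"
        return None

    def _expire(self, now):
        self.tacl = {k: v for k, v in self.tacl.items() if v[0] > now}

    def outbound(self, pkt):
        """Session initiated from inside: create/refresh the TACL entry for its return
        traffic; an FTP PORT command also opens a TACL for the data connection."""
        self._expire(pkt.ts)
        app = self._app(pkt)
        if app is None:
            return "uninspected"  # left to the ordinary packet-filter ACLs
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.tacl[key] = [pkt.ts + AGING[pkt.proto], app]
        if app == "ftp":
            m = PORT_RE.match(pkt.payload)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                # The server will connect from port 20 to the advertised client address/port.
                self.tacl[("tcp", pkt.dst, 20, host, port)] = [pkt.ts + AGING["tcp"], "data"]
        return "permit"

    def inbound(self, pkt):
        """Return packet from the WAN: TACL match first, then an application status
        check for control connections; data connections get only the TACL match."""
        self._expire(pkt.ts)
        entry = self.tacl.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is None:
            return "block"  # not a reply to any session initiated from inside
        kind = entry[1]
        if kind == "ftp" and not re.match(r"\d{3}[ -]", pkt.payload):
            return "block"  # toy status check: FTP replies start with a 3-digit code
        if kind == "http":
            if not pkt.payload.startswith("HTTP/"):
                return "block"  # toy status check: not an HTTP response
            if pkt.src in self.java_block and "<applet" in pkt.payload.lower():
                return "block"  # Java blocking configured for this server
        entry[0] = pkt.ts + AGING[pkt.proto]  # matched traffic refreshes the aging timer
        return "permit"
```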
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable the IPv6 firewall function. Command: firewall ipv6 enable. Remarks: Disabled by default.
Configuring the default filtering action of the firewall The default filtering action configuration is used for the firewall to determine whether to permit a data packet to pass or deny the packet when there is no appropriate criterion for judgment. IPv4 application To configure the default filtering action of the IPv4 firewall: Step 1. Enter system view.
carried in the first fragment will be added into the non-first fragments before the matching procedure starts. To enable the IPv6 fragment inspection function:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable IPv6 fragment inspection. Command: firewall ipv6 fragments-inspect. Remarks: Disabled by default.
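The following Python model is an added example (not code from this guide or the device) of the fragment inspection behaviour described here and in the packet-filter overview: the Layer 4 information of a first fragment is recorded per datagram, supplied to its non-first fragments before ACL matching, and released after the last fragment. The packet and rule representations, and the assumption that a rule with a Layer 4 condition simply cannot match a fragment whose Layer 4 information is unavailable (so the default action applies), are mine; the addresses are constructed from this chapter's examples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: str
    frag_id: int                 # IP identification shared by all fragments of one datagram
    offset: int                  # 0 for the first fragment
    more: bool                   # More Fragments flag
    dport: Optional[int] = None  # Layer 4 information: present in the first fragment only


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None  # a Layer 4 condition that needs exact match


class FragmentFilter:
    """Packet filter with optional fragment inspection (assumed model of the feature)."""

    def __init__(self, rules, default="deny", fragments_inspect=False):
        self.rules = rules
        self.default = default
        self.inspect = fragments_inspect
        self.saved = {}  # (src, dst, proto, frag_id) -> dport recorded from the first fragment

    @staticmethod
    def _matches(rule, frag, dport):
        if ip_address(frag.src) not in ip_network(rule.src):
            return False
        if ip_address(frag.dst) not in ip_network(rule.dst):
            return False
        if rule.proto is not None and rule.proto != frag.proto:
            return False
        if rule.dport is not None:
            # Exact match: a Layer 4 condition can only be satisfied when the
            # Layer 4 information is available for this fragment.
            if dport is None or dport != rule.dport:
                return False
        return True

    def filter(self, frag):
        """Return the action for one fragment."""
        key = (frag.src, frag.dst, frag.proto, frag.frag_id)
        if frag.offset == 0:
            dport = frag.dport
            if self.inspect and frag.more:
                self.saved[key] = dport  # remember the first fragment's Layer 4 information
        else:
            # Non-first fragment: Layer 4 information comes only from what was recorded.
            dport = self.saved.get(key) if self.inspect else None
            if not frag.more:
                self.saved.pop(key, None)  # last fragment seen: release the saved state
        for rule in self.rules:
            if self._matches(rule, frag, dport):
                return rule.action
        return self.default
```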
Follow these restrictions and guidelines when you configure packet filtering on an interface: • You cannot enable packet filtering on a member interface of an aggregation group. If an interface is enabled with packet filtering, you cannot add the interface to an aggregation group. • You can apply only one ACL to filter packets in one direction of an interface. Configuring IPv4 packet filtering on an interface
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Configure Ethernet frame filtering for the inbound/outbound direction of the interface and set the number of the ACL to be used. Command: firewall ethernet-frame-filter { acl-number | name acl-name } { inbound | outbound }. Remarks: No filtering is performed by default.
Figure 112 Network diagram Configuration procedure # Enable the firewall function on the router. system-view [Router] firewall enable # Create advanced ACL 3001. [Router] acl number 3001 # Configure rules to permit specific hosts to access external networks and permit internal servers to access external networks. [Router-acl-adv-3001] rule permit ip source 129.1.1.1 0 [Router-acl-adv-3001] rule permit ip source 129.1.1.2 0 [Router-acl-adv-3001] rule permit ip source 129.1.1.
Configuring an ASPF ASPF configuration task list Task / Remarks: Enabling the firewall function: Required. Configuring an ASPF policy: Required. Applying an ASPF policy to an interface: Required. Enabling the session logging function for ASPF: Optional. Configuring port mapping: Optional. Enabling the firewall function
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable the IPv4 firewall function. Command: firewall enable. Remarks: Disabled by default.
Step 4. Configure ASPF inspection for application layer and transport layer protocols. Command: detect protocol [ java-blocking acl-number ] [ aging-time seconds ]. Remarks: Optional. The default timeouts are as follows: • 3600 seconds for application layer protocols. • 3600 seconds for TCP, and 30 seconds for UDP.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter ASPF policy view. Command: aspf-policy aspf-policy-number. Remarks: N/A.
Step 3. Enable the session logging function of the ASPF. Command: log enable. Remarks: Optional. Disabled by default.
Configuring port mapping Two mapping mechanisms exist: general port mapping and basic ACL-based host port mapping. • General port mapping—Refers to a mapping of a user-defined port number to an application layer protocol.
ASPF configuration example Network requirements Configure an ASPF policy on Router A to inspect the FTP and HTTP traffic flows passing through Router A. Only return packets for FTP and HTTP connections initiated by users on the internal network are permitted to pass through Router A and get into the internal network. All other types of packets are blocked. In addition, this ASPF policy should be able to block Java applets carried in HTTP packets from the server 2.2.2.11.
[RouterA-Serial2/0] firewall aspf 1 outbound [RouterA-Serial2/0] firewall packet-filter 3111 inbound
Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, establishing a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
Stages Description Key exchange The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client authenticates the server as well. Authentication The SSH server authenticates the client in response to the client's authentication request.
client of the authentication result. The device supports using the publickey algorithms RSA and DSA for digital signature. A client can send public key information to the device that acts as the server for validity check in either of the following methods: • The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key.
Hardware FIPS mode MSR93X No. MSR20-1X No. MSR20 Yes. MSR30 Yes (except the MSR30-16). MSR50 Yes. MSR1000 Yes. Configuring the device as an SSH server You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet server, SFTP server, and SCP server unless otherwise specified. SSH server configuration task list Task Remarks Generating local DSA or RSA key pairs Required.
that receives from the server. If the digital signatures are consistent, the authentication succeeds. The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key.
Configuring the user interfaces for SSH clients An SSH client accesses the device through a VTY user interface. You must configure the user interfaces for SSH clients to allow SSH login. The configuration takes effect only on the clients at next login. IMPORTANT: Before you configure a user interface to support SSH, you must configure its authentication mode to scheme. Otherwise, the protocol inbound command fails. To configure the user interfaces for SSH clients: Step Command Remarks 1.
process, the server automatically converts the public key in the public key file to a string in PKCS format. You can configure up to 20 SSH client public keys on an SSH server. For more information about client public key configuration, see "Managing public keys." Configuring a client public key manually Step Command Remarks 1. Enter system view. system-view N/A 2. Enter public key view. public-key peer keyname N/A 3. Enter public key code view. public-key-code begin N/A 4.
• Any—The user can use either password authentication or publickey authentication.
All authentication methods, except password authentication, require a client's host public key or digital certificate to be specified.
• If a client directly sends the user's public key information to the server, the server must specify the client's public key and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."
2. Create an SSH user, and specify the service type and authentication method.
• In non-FIPS mode, create an SSH user, and specify the service type and authentication method for Stelnet users: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } }
• In FIPS mode, create an SSH user, and specify the
3. Set the RSA server key pair update interval. Command: ssh server rekey-interval hours. Remarks: Optional. By default, the interval is 0, and the RSA server key pair is not updated.
4. Set the SSH user authentication timeout period. Command: ssh server authentication-timeout time-out-value. Remarks: Optional. 60 seconds by default.
5. Set the maximum number of SSH authentication attempts. Remarks: Optional. 3 by default.
2. Specify a source IP address or source interface for the Stelnet client. Use either command:
• Specify a source IPv4 address or source interface for the Stelnet client: ssh client source { interface interface-type interface-number | ip ip-address }
• Specify a source IPv6 address or source interface for the Stelnet client:
Establishing a connection to an Stelnet server You can launch the Stelnet client to establish a connection to an Stelnet server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm.
SFTP client configuration task list
• Specifying a source IP address or source interface for the SFTP client: Optional.
• Enabling and disabling first-time authentication: Optional.
• Establishing a connection to an SFTP server: Required.
• Working with SFTP directories: Optional.
• Working with SFTP files: Optional.
• Displaying help information: Optional.
• Terminating the connection with the SFTP server: Optional.
• In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
Of the selectable algorithms, des, 3des, md5, md5-96 and dh-group1 are legacy choices; prefer aes128 or aes256, sha1, and dh-group14 or dh-group-exchange where the server supports them.
• In FIP
1. Enter SFTP client view. For more information, see "Establishing a connection to an SFTP server."
2. Change the working directory of the remote SFTP server. Command: cd [ remote-path ]. Remarks: Optional.
3. Return to the upper-level directory. Command: cdup. Remarks: Optional.
4. Display the current working directory on the SFTP server. Command: pwd. Remarks: Optional.
5. Display files under a directory. Command: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ].
6. Delete one or more files from the SFTP server. Command: delete remote-file&<1-10> or remove remote-file&<1-10>. Remarks: Optional. The delete command functions as the remove command.
Displaying help information
Use the help command to display all commands or the help information of an SFTP client command, including the command format and parameters. To display all commands or the help information of an SFTP client command:
1. Enter SFTP client view.
Transferring files with an SCP server
• In non-FIPS mode, upload a file to the SCP server: scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha
• Display SSH server status information or session information on an SSH server. Command: display ssh server { status | session } [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the mappings between SSH servers and their host public keys on an SSH client. Command: display ssh server-info [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about one or all SSH users on an SSH server.
Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [Router] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Enable the SSH server function.
Figure 116 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server. Publickey authentication enabled Stelnet server configuration example Network requirements As shown in Figure 117, you can log in to the router through the Stelnet client (SSH2) that runs on the host.
Configuration considerations In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server. The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example takes PuTTY version 0.58 on the Stelnet client. Configuration procedure 1. Generate an RSA key pair on the Stelnet client: a. Launch PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 119 Generating process c. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
d. Click Save private key to save the private key. A confirmation dialog box appears. e. Click Yes and enter the name of the file for saving the key (private.ppk in this example). f. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) 2. Configure the Stelnet server: # Generate the RSA key pairs. system-view [Router] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
[Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey
3. Establish a connection to the Stelnet server: a. Launch PuTTY.exe on the Stelnet client to enter the following interface. b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server. Figure 121 Specifying the host name (or IP address) c. Select Connection > SSH > Auth from the navigation tree. d.
Figure 122 Specifying the private key file e. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements As shown in Figure 123, you can log in to Router B through the Stelnet client running on Router A. Router B acts as the Stelnet server and uses password authentication.
The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [RouterB] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
[RouterA] quit
• If the client supports first-time authentication, you can directly establish a connection from the client to the server.
# Establish an SSH connection to the Stelnet server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40 ...
Press CTRL+K to abort
Connected to 192.168.1.40 ...
The Server is not authenticated.
# Specify the host public key for the Stelnet server 192.168.1.40 as key1.
[RouterA] ssh client authentication server 192.168.1.40 assign publickey key1
[RouterA] quit
# Establish an SSH connection to SSH server 192.168.1.40.
ssh2 192.168.1.40
Username: client001
Trying 192.168.1.40
Press CTRL+K to abort
Connected to 192.168.1.40...
Enter password:
After you enter the correct username and password, you can log in to Router B successfully.
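The two client behaviours shown above (first-time authentication, where the server is not authenticated and its key is simply accepted, and a pre-assigned host public key, where any other key is refused) are modelled below as an added example. This is illustrative Python, not code from the HP MSR guide or the device; the key bytes are constructed stand-ins, not real SSH public keys, and the address 192.168.1.40 is the Router B address from the example.

```python
# Added example: how an Stelnet client decides whether to trust a server host
# key. Illustrative Python, not code from the HP MSR guide. The key material
# below is constructed, not real SSH public keys.
import base64
import hashlib

# Constructed stand-ins for the host public key of 192.168.1.40 and for a key
# an attacker might present while intercepting the connection.
ROUTERB_HOST_KEY = b"ssh-dss AAAA-constructed-routerb-host-key"
ATTACKER_HOST_KEY = b"ssh-dss AAAA-constructed-attacker-key"


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA-256 fingerprint; this is what an operator compares
    out of band before accepting a key on first use."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class SshClientHostKeys:
    """Host key policy of an SSH client.

    first_time_authentication=True mirrors the guide's first-time
    authentication: an unknown server is accepted and its key saved (trust on
    first use). With it disabled, the client connects only to servers whose
    public key was assigned in advance, as with
    'ssh client authentication server <addr> assign publickey <name>'.
    """

    def __init__(self, first_time_authentication: bool):
        self.first_time_authentication = first_time_authentication
        self.known = {}  # server address -> public key bytes

    def assign_publickey(self, server: str, pubkey: bytes) -> None:
        self.known[server] = pubkey

    def verify(self, server: str, presented: bytes):
        """Return (accepted, reason) for the key a server presented."""
        expected = self.known.get(server)
        if expected is None:
            if self.first_time_authentication:
                # The server is not authenticated at this point; the key is
                # saved so that a different key later is detected.
                self.known[server] = presented
                return True, "first-time authentication: key saved, " + fingerprint(presented)
            return False, "no host public key configured for server; first-time authentication disabled"
        if expected == presented:
            return True, "host key matches configured public key"
        return False, ("host key mismatch: expected " + fingerprint(expected)
                       + ", got " + fingerprint(presented))
```

With first-time authentication enabled the first connection is the one an interception attack targets; pre-assigning the server's public key, as the configuration above does, removes that window.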
# Export the DSA public key to file key.pub. [RouterA] public-key local export dsa ssh2 key.pub [RouterA] quit # Transmit the public key file to the server through FTP or TFTP. (Details not shown.) 2. Configure the Stelnet server: # Generate the RSA key pairs. system-view [RouterB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
# Create an SSH user client002 with the authentication method publickey, and assign the public key ClientKey to the user. [RouterB] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey 3. Establish a connection to the Stelnet server: # Establish an SSH connection to the Stelnet server 192.168.1.40. ssh2 192.168.1.40 Username: client002 Trying 192.168.1.40 ... Press CTRL+K to abort Connected to 192.168.1.40 ... The Server is not authenticated.
++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [Router] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Enable the SSH server function. [Router] ssh server enable # Enable the SFTP server.
Figure 126 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 127, you can log in to Router B through the SFTP client that runs on Router A. Router B acts as the SFTP server, adopting publickey authentication and the RSA public key algorithm. Figure 127 Network diagram Configuration considerations In the server configuration, the client public key is required.
The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++ # Export the host public key to file pubkey. [RouterA] public-key local export rsa ssh2 pubkey [RouterA] quit # Transmit the public key file to the server through FTP or TFTP. (Details not shown.) 2. Configure the SFTP server: # Generate the RSA key pairs.
# Set the authentication mode of the user interfaces to AAA. [RouterB] user-interface vty 0 4 [RouterB-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [RouterB-ui-vty0-4] protocol inbound ssh [RouterB-ui-vty0-4] quit # Import the peer public key from the file pubkey, and name it RouterKey.
New directory created
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1
# Rename the directory new1 to new2 and verify the result.
Network requirements As shown in Figure 128, Router A acts as an SCP client and Router B acts as an SCP server. A user can securely transfer files with Router B through Router A. Router B uses the password authentication method and the client's username and password are saved on Router B. Figure 128 Network diagram Configuration procedure 1. Configure the SCP server: system-view [RouterB] public-key local create rsa The range of public key size is (512 ~ 2048).
# Enable the user interfaces to support SSH.
[RouterB-ui-vty0-4] protocol inbound ssh
[RouterB-ui-vty0-4] quit
# Create a local user named client001 with the password aabbcc and the service type ssh. (The simple keyword stores the password in plain text in the configuration file; use the cipher keyword to store it in encrypted form.)
[RouterB] local-user client001
[RouterB-luser-client001] password simple aabbcc
[RouterB-luser-client001] service-type ssh
[RouterB-luser-client001] quit
# Create an SSH user client001 with the service type scp and the authentication method password. (Optional.
Configuring SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. SSL security mechanism Secure connections provided by SSL have these features: • Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric key algorithm of RSA to encrypt the key to be used by the symmetric encryption algorithm.
Figure 130 SSL protocol stack • SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end. • SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
Configuring an SSL server policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application such as HTTPS. SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). SSL 2.0 and SSL 3.0 have since been prohibited by RFC 6176 and RFC 7568; where the clients allow it, restrict the server policy to TLS. When the device acts as the SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify the SSL 2.0 Client Hello message from a client supporting both SSL 2.0 and SSL 3.0/TLS 1.
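The version handling described above (a server that speaks SSL 3.0 and TLS 1.0 and must still recognise an SSL 2.0-format Client Hello from a client that also supports the newer versions) is shown below as an added example. This is illustrative Python, not code from the HP MSR guide or the device; both Client Hello messages are constructed by hand following the SSL 2.0 and SSL 3.0/TLS record formats, and the `minimum` parameter is an assumption used to show the hardened setting.

```python
# Added example, not from the HP guide: recognising the two ClientHello formats
# an SSL server policy may receive and choosing a protocol version. The server
# is assumed to speak at most TLS 1.0 (version 3.1), like the device above.
# All messages below are constructed by hand.
import struct

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0"}


def build_sslv2_client_hello(max_version):
    """SSL 2.0 CLIENT-HELLO: 2-byte record header (high bit set), message type 1,
    then the highest version the client supports."""
    major, minor = max_version
    body = (bytes([0x01, major, minor])
            + struct.pack("!HHH", 3, 0, 16)   # cipher-spec, session-id, challenge lengths
            + bytes([0x01, 0x00, 0x80])       # one SSL 2.0 cipher spec
            + b"\x00" * 16)                   # challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_sslv3_client_hello(version):
    """SSL 3.0 / TLS record (content type 22) carrying a ClientHello (type 1)."""
    major, minor = version
    hello = (bytes([major, minor]) + b"\x00" * 32   # client_version, random
             + b"\x00"                              # session_id length 0
             + struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
             + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return bytes([0x16, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes):
    """Return ('sslv2' | 'sslv3', (major, minor)): the record format and the
    highest version the client advertises. Raise ValueError otherwise."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2", (data[3], data[4])
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return "sslv3", (data[9], data[10])
    raise ValueError("not a ClientHello the server policy recognises")


def select_version(data: bytes, minimum=(3, 0)):
    """Pick the highest version both sides support, or None to reject.

    An SSL 2.0-format hello that advertises 3.0 or higher comes from a client
    that also speaks SSL 3.0/TLS, so it is answered with that version; SSL 2.0
    itself is never negotiated. Raising `minimum` to (3, 1) is the hardened
    setting: SSL 3.0 is then refused as well.
    """
    _, client_max = parse_client_hello(data)
    candidates = [v for v in VERSIONS if minimum <= v <= client_max]
    return VERSIONS[max(candidates)] if candidates else None
```

A client that advertises a version newer than TLS 1.0 (for example 3.3) is still answered with TLS 1.0, the highest version this server has; a client that offers only SSL 2.0 is refused.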
6. Set the handshake timeout time for the SSL server. Command: handshake timeout time. Remarks: Optional. The default handshake timeout time is 3600 seconds.
7. Set the SSL connection close mode. Command: close-mode wait. Remarks: Optional. By default, an SSL server sends a close-notify alert message to the client and closes the connection without waiting for the close-notify alert message from the client.
8. Set the maximum number of cached sessions and the caching timeout time. Remarks: Optional.
3. Specify a PKI domain for the SSL client policy. Command: pki-domain domain-name. Remarks: Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain. For information about how to configure a PKI domain, see "Configuring PKI."
4. Specify the preferred cipher suite for the SSL client policy.
• In non-FIPS mode:
In this example, the CA server runs Windows Server and has the SCEP plug-in installed. Figure 131 Network diagram Configuration considerations To meet the network requirements, perform the following tasks: • Configure Device to work as the HTTPS server and request a certificate for Device. • Request a certificate for Host so that Device can authenticate the identity of Host. • Configure a CA server to issue certificates to Device and Host.
# Specify the PKI domain for the SSL server policy as 1. [Device-ssl-server-policy-myssl] pki-domain 1 # Enable client authentication. [Device-ssl-server-policy-myssl] client-verify enable [Device-ssl-server-policy-myssl] quit # Configure the HTTPS service to use SSL server policy myssl. [Device] ip https ssl-server-policy myssl # Enable the HTTPS service. [Device] ip https enable # Create a local user named usera, and set the password to 123 and service type to web.
Solution
1. Issue the debugging ssl command and view the debugging information to locate the problem.
2. If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it. If the server's certificate cannot be trusted, install the root certificate of the CA that issued the local certificate to the SSL server on the SSL client, or let the server request a certificate from the CA that the SSL client trusts.
Configuring SSL VPN SSL VPN is a VPN technology based on Secure Sockets Layer (SSL). It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that the SSL protocol provides, SSL VPN can establish secure connections for communications at the application layer. SSL VPN has been widely used for secure, remote Web-based access.
Configuration procedure This section describes how to enable the SSL VPN service. You must use the Web interface provided by the router to configure SSL VPN functions. For more information, see the Web configuration manual. Complete the following tasks to enable SSL VPN: • Specify the SSL server policy to be used by the SSL VPN service. To access the SSL VPN gateway or the internal resources, remote users need to log in to the web interface of the SSL VPN gateway through HTTPS.
• The IP address of the Certificate Authority (CA) is 10.2.1.1/24. The name of the CA is CA server, which is used to issue certificates to the SSL VPN gateway and remote users.
Figure 133 Network diagram (remote user Host, Internet, Device as the SSL VPN gateway with interface 10.1.1.1/24, internal servers, CA at 10.2.1.1/24)
Configuration procedure In this example, the Windows Server is used as the CA. Install the SCEP plugin on the CA.
[Device-ssl-server-policy-myssl] quit 3. Configure SSL VPN: # Specify the SSL server policy myssl and port 443 (default) for the SSL VPN service. [Device] ssl-vpn server-policy myssl # Enable the SSL VPN service. [Device] ssl-vpn enable 4. Verify the configuration. On the user host, launch the IE browser and input https://10.1.1.1/svpn in the address bar. You can open the web login interface of the SSL VPN gateway.
Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
Creating a user profile Before you create a user profile, complete the following tasks: • Configure authentication parameters on the device. • Perform configurations on the client, the device, and the authentication server, for example, username, password, authentication scheme, domain, and binding a user profile with a user. To create a user profile: Step Command Remarks 1. Enter system view. system-view N/A 2. Create a user profile, and enter its view.
Configuring ARP attack protection ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and prevent such attacks. Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
The device keeps trying to resolve target IP addresses, overloading its CPU. • To protect the device from attack packets that have the same source address, you can configure ARP source suppression. You can set the maximum number of unresolvable IP packets that the device can process within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until the 5 seconds elapse. Configuring ARP source suppression Step Command Remarks 1. Enter system view.
Figure 134 Network diagram (IP network; gateway Device running ARP attack protection; Host A through Host D in VLAN 10 (R&D) and VLAN 20 (Office))
Configuration considerations If the attack packets have the same source address, you can enable the ARP source suppression function as follows: 1. Enable ARP source suppression. 2. Set the threshold to 100.
You can exclude the MAC addresses of some gateways and servers from detection. This feature does not inspect ARP packets from those devices even if they are attackers. To configure source MAC-based ARP attack detection:
1. Enter system view. Command: system-view.
2. Enable source MAC-based ARP attack detection and specify the handling method. Command: arp anti-attack source-mac { filter | monitor }. Remarks: Disabled by default.
3. Configure the threshold.
Figure 135 Network diagram (IP network; gateway Device running ARP attack protection; Server with MAC address 0012-3f86-e94c; Host A through Host D)
Configuration considerations An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway as follows: 1. Enable source MAC-based ARP attack detection and specify the handling method. 2. Set the threshold. 3. Set the lifetime for ARP attack entries. 4.
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries. To enable ARP packet source MAC address consistency check:
1. Enter system view. Command: system-view.
2. Enable ARP packet source MAC address consistency check. Command: arp anti-attack valid-check enable. Remarks: Disabled by default.
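The two gateway-side checks above, source MAC-based ARP attack detection (with its filter and monitor handling methods, threshold, attack-entry lifetime and excluded MAC addresses) and the source MAC consistency check, are modelled at frame level below as an added example. This is illustrative Python, not code from the HP MSR guide or the device. The Ethernet II and ARP layouts are the real ones; the frames, host MAC addresses, IP addresses, threshold, window and lifetime values are constructed (the server MAC 0012-3f86-e94c is taken from Figure 135).

```python
# Added example, not from the HP guide: a frame-level model of the source MAC
# consistency check (arp anti-attack valid-check) and of source MAC-based ARP
# attack detection (arp anti-attack source-mac { filter | monitor }). Frames,
# addresses and the threshold/window/lifetime values are constructed.
import struct

ETH_TYPE_ARP = 0x0806
ARP_HEADER = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_text(mac: bytes) -> str:
    """Render a MAC in the xxxx-xxxx-xxxx form the device uses."""
    return "%02x%02x-%02x%02x-%02x%02x" % tuple(mac)


def ipv4(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(eth_src: bytes, sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Broadcast ARP request. A legitimate host sets eth_src == sender_mac."""
    ethernet = struct.pack("!6s6sH", b"\xff" * 6, eth_src, ETH_TYPE_ARP)
    arp = struct.pack(ARP_HEADER, 1, 0x0800, 6, 4, 1, sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    _, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_HEADER, frame[14:42])
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def source_mac_consistent(frame: bytes) -> bool:
    """valid-check: the Ethernet source MAC must equal the ARP sender MAC."""
    p = parse_arp(frame)
    return p["eth_src"] == p["sha"]


class SourceMacArpDetector:
    """Count ARP frames per source MAC within a counting window; a MAC that
    exceeds the threshold gets an attack entry that lives `lifetime` seconds.
    In filter mode its frames are dropped while the entry exists; in monitor
    mode they are forwarded and only an alarm is raised."""

    def __init__(self, threshold: int, mode: str = "filter", window: float = 5.0,
                 lifetime: float = 300.0, excluded=()):
        assert mode in ("filter", "monitor")
        self.threshold, self.mode = threshold, mode
        self.window, self.lifetime = window, lifetime
        self.excluded = set(excluded)   # gateways/servers that are never inspected
        self.counters = {}              # mac -> (window_start, count)
        self.attack_entries = {}        # mac -> expiry time

    def inspect(self, frame: bytes, now: float) -> str:
        """Return 'forward', 'drop' or 'alarm' for one frame seen at time `now`."""
        if not source_mac_consistent(frame):
            return "drop"
        mac = parse_arp(frame)["eth_src"]
        if mac in self.excluded:
            return "forward"
        if mac in self.attack_entries and now >= self.attack_entries[mac]:
            del self.attack_entries[mac]          # attack entry aged out
        start, count = self.counters.get(mac, (now, 0))
        if now - start >= self.window:
            start, count = now, 0                 # start a new counting window
        count += 1
        self.counters[mac] = (start, count)
        if count > self.threshold and mac not in self.attack_entries:
            self.attack_entries[mac] = now + self.lifetime
        if mac in self.attack_entries:
            return "drop" if self.mode == "filter" else "alarm"
        return "forward"
```

Run in monitor mode first on a production gateway to see which MAC addresses would be filtered; the excluded list is what keeps a busy server or the gateway itself from being treated as an attacker.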
• ARP automatic scanning might take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated. • The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. • Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries.
Configuring IP source guard Overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent invalid hosts from using a valid IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag.
IP source guard uses static IPv4 source guard binding entries on a port to filter IPv4 packets received by the port. Dynamic IP source guard binding entries Dynamic IP source guard binding entries are generated dynamically according to client entries on the DHCP snooping device. They are applicable in cases where many hosts reside on a LAN and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, the DHCP snooping device generates a snooping entry.
Hardware support for the IPv4 source guard function and for IPv4 binding entries configured on multiple ports:
• MSR30: IPv4 source guard is supported on the MSR30 routers installed with MIM-FSW or DMIM-FSW modules (the MSR30-10 router installed with XMIM-FSW modules supports only MAC-port bindings), on the MSR30-11E Layer 2 fixed Ethernet ports, and on the MSR30-11F Layer 2 fixed Ethernet ports. IPv4 binding entries configured on multiple ports: Yes.
• MSR50: IPv4 source guard is supported on MSR50 routers installed with FIC-FSW or DFIC-FSW modules. IPv4 binding entries configured on multiple ports: Yes.
2. Enter interface view. Command: interface interface-type interface-number.
3. Enable IPv4 source guard on the port. Command: ip verify source { ip-address | ip-address mac-address | mac-address }. Remarks: Disabled by default.
NOTE: Although dynamic IPv4 source guard binding entries are generated based on DHCP entries, the number of dynamic IPv4 source guard binding entries is not necessarily the same as that of the DHCP entries.
To configure the maximum number of IPv4 binding entries allowed on a port:
1. Enter system view. Command: system-view.
2. Enter interface view. Command: interface interface-type interface-number.
3. Configure the maximum number of IPv4 binding entries allowed on the port. Command: ip verify source max-entries number. Remarks: Optional.
Displaying and maintaining IP source guard
• Display static IP source guard binding entries.
Figure 137 Network diagram Configuration procedure 1. Configure Device A: # Enable IPv4 source guard on Ethernet 1/2 to filter packets based on both the source IP address and MAC address. system-view [DeviceA] interface ethernet 1/2 [DeviceA-Ethernet1/2] ip verify source ip-address mac-address # Configure Ethernet 1/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
# Enable IPv4 source guard on Ethernet 1/1 to filter packets based on the source IP address. [DeviceB] interface ethernet 1/1 [DeviceB-Ethernet1/1] ip verify source ip-address # Configure Ethernet 1/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass. [DeviceB-Ethernet1/1] ip source binding ip-address 192.168.0.2 [DeviceB-Ethernet1/1] quit Verifying the configuration # On Device A, display information about static IPv4 source guard binding entries.
system-view [Device] dhcp-snooping # Configure port Ethernet 1/2, which is connected to the DHCP server, as a trusted port. [Device] interface ethernet1/2 [Device-Ethernet1/2] dhcp-snooping trust [Device-Ethernet1/2] quit 2. Enable IPv4 source guard on port Ethernet 1/1 to filter packets based on both the source IP address and MAC address.
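The port-level filter that the static and dynamic examples above configure (a port with ip verify source in one of its three modes, static bindings from ip source binding, dynamic bindings derived from DHCP snooping entries, and the max-entries limit) is modelled below as an added example. This is illustrative Python, not code from the HP MSR guide or the device; the IP and MAC addresses follow the examples above, and the DHCP lease and VLAN values are constructed.

```python
# Added example, not from the HP guide: the binding-entry filter IPv4 source
# guard applies on a port, with static entries (ip source binding ...) and
# dynamic entries learned from DHCP snooping. Lease and VLAN values are
# constructed; the addresses follow the configuration examples.
from dataclasses import dataclass
from typing import Optional

MODES = ("ip-address", "ip-address mac-address", "mac-address")


@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None


class IPv4SourceGuardPort:
    """One port with 'ip verify source <mode>' enabled."""

    def __init__(self, mode: str, max_entries: Optional[int] = None):
        assert mode in MODES
        self.mode = mode
        self.max_entries = max_entries   # ip verify source max-entries number
        self.static = set()
        self.dynamic = set()

    def _room(self) -> bool:
        return self.max_entries is None or len(self.static) + len(self.dynamic) < self.max_entries

    def add_static(self, ip=None, mac=None, vlan=None) -> bool:
        """ip source binding ...; returns False once the port's limit is reached."""
        if not self._room():
            return False
        self.static.add(Binding(ip, mac, vlan))
        return True

    def learn_from_dhcp_snooping(self, ip, mac, vlan=None) -> bool:
        """A DHCP snooping entry becomes a dynamic binding when the lease is issued."""
        if not self._room():
            return False
        self.dynamic.add(Binding(ip, mac, vlan))
        return True

    def release_lease(self, ip, mac, vlan=None) -> None:
        """The dynamic binding goes away with the lease."""
        self.dynamic.discard(Binding(ip, mac, vlan))

    def _matches(self, b: Binding, ip, mac, vlan) -> bool:
        # The port mode decides which packet fields are compared; a VLAN in the
        # binding is always compared when present.
        if b.vlan is not None and b.vlan != vlan:
            return False
        if "ip-address" in self.mode and b.ip != ip:
            return False
        if "mac-address" in self.mode and b.mac != mac:
            return False
        return True

    def permit(self, src_ip: str, src_mac: str, vlan: Optional[int] = None) -> bool:
        """True if an IP packet with these source fields may pass the port."""
        return any(self._matches(b, src_ip, src_mac, vlan) for b in self.static | self.dynamic)
```

Device A's port (ip-address mac-address mode) passes only 192.168.0.3 with MAC 0001-0203-0405; Device B's port (ip-address mode) passes 192.168.0.2 from any MAC. A port that has reached its max-entries limit silently stops accepting new bindings, so hosts that obtain a lease after that point are filtered.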
Configuring attack detection and protection Overview Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to the packet contents and behaviors and, if detecting an attack, take measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
Single-packet attacks and their descriptions:
• Route Record: An attacker exploits the route record option in the IP header to probe the topology of a network.
• Smurf: An attacker sends an ICMP echo request to the broadcast address of the target network. As a result, all hosts on the target network reply to the request, congesting the network and leaving hosts on the target network unable to provide services.
• Source Route: An attacker exploits the source route option in the IP header to probe the topology of a network.
Blacklist function The blacklist function is an attack protection measure that filters packets by source IP address. Compared with Access Control List (ACL) packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.
• ICMP session establishment rate • Number of RAW IP sessions • RAW IP session establishment rate The device collects statistics to calculate the session establishment rates at an interval of 5 seconds. Therefore, the session establishment rates displayed on the device are based on the statistics collected during the latest 5-second interval. The traffic statistics function does not concern about the session status (except the TCP half-open and half-close states).
Configuring attack protection functions for an interface Creating an attack protection policy Before configuring attack protection functions for an interface, you need to create an attack protection policy and enter its view. In attack protection policy view, you can define one or more signatures used for attack detection and specify the corresponding protection measures. When creating an attack protection policy, you can also specify an interface so that the interface uses the policy exclusively.
4. Configure the ICMP packet length threshold that triggers large ICMP attack protection. Command: signature-detect large-icmp max-length length. Remarks: Optional. 4000 bytes by default.
5. Configure the device to drop single-packet attack packets. Command: signature-detect action drop-packet. Remarks: Optional. By default, the device only outputs alarm logs if detecting a single-packet attack.
Configuring a flood attack protection policy The flood attack protection function is used to protect servers. It detects various flood attacks by monitoring the rate at which connection requests are sent to a server. The flood attack protection function is usually applied to the interfaces connecting the internal network and inspects only outbound packets of the interfaces. With flood attack protection enabled, the device is in attack detection state.
4. Configure the global action and silence thresholds for ICMP flood attack protection. Command: defense icmp-flood rate-threshold high rate-number [ low rate-number ]. Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per second.
5. Configure the action and silence thresholds for ICMP flood attack protection of a specific IP address.
3. Apply an attack protection policy to the interface. Command: attack-defense apply policy policy-number. Remarks: By default, no attack protection policy is applied to any interface. The attack protection policy to be applied to an interface must already exist.
Configuring the blacklist function
You can configure a device to filter packets from certain IP addresses by configuring the blacklist function.
2. Enter interface view. Command: interface interface-type interface-number.
3. Enable traffic statistics on the interface. Command: flow-statistics enable { destination-ip | inbound | outbound | source-ip }. Remarks: Disabled by default.
Displaying and maintaining attack detection and protection
• Display the attack protection statistics of an interface.
• On GigabitEthernet 1/2, configure Smurf attack protection and scanning attack protection, enable the blacklist function for scanning attack protection, and set the connection rate threshold that triggers the scanning attack protection to 4500 connections per second.
# Enable SYN flood attack protection. [Router-attack-defense-policy-2] defense syn-flood enable # Configure SYN flood attack protection for the internal server 10.1.1.2 and set the action threshold to 5000 and silence threshold to 1000. [Router-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000 # Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
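The action threshold and silence threshold used by the ICMP flood defaults above (1000 and 750 packets per second) and by the SYN flood configuration for 10.1.1.2 (5000 and 1000) drive a two-state mechanism: the device sits in the attack detection state until the rate toward a destination exceeds the action threshold, applies the configured action in the attack protection state, and returns to detection only when the rate drops below the silence threshold. The state machine is written out below as an added example. This is illustrative Python, not code from the HP MSR guide or the device; the rate samples are constructed, and the rule that an omitted silence threshold defaults to three quarters of the action threshold is an assumption chosen to match the 1000/750 defaults the guide lists.

```python
# Added example, not from the HP guide: the action/silence threshold state
# machine configured by the flood attack protection commands. Rates are fed in
# as per-second samples (constructed). Assumption: when only the action
# threshold is given, the silence threshold is three quarters of it, which
# matches the guide's 1000/750 ICMP flood defaults.


class FloodProtection:
    """Flood protection for one attack type (SYN, UDP or ICMP flood).

    Every destination starts in the attack detection state. When the request
    rate toward a destination exceeds the action threshold it enters the
    attack protection state and the configured action applies to subsequent
    packets; it returns to detection once the rate falls below the silence
    threshold. The gap between the two thresholds stops the state from
    flapping while the rate hovers around the action threshold.
    """

    def __init__(self, high: int, low: int = None, action: str = "drop-packet"):
        assert action in ("drop-packet", "alarm")
        self.global_thresholds = (high, high * 3 // 4 if low is None else low)
        self.per_ip = {}       # destination -> (high, low) override
        self.state = {}        # destination -> "detection" | "protection"
        self.action = action

    def set_ip_thresholds(self, ip: str, high: int, low: int = None) -> None:
        """Like 'defense syn-flood ip <addr> rate-threshold high ... [low ...]'."""
        self.per_ip[ip] = (high, high * 3 // 4 if low is None else low)

    def thresholds(self, ip: str):
        return self.per_ip.get(ip, self.global_thresholds)

    def observe(self, ip: str, rate: int) -> str:
        """Feed one per-second rate sample for `ip`; return the resulting state."""
        high, low = self.thresholds(ip)
        state = self.state.get(ip, "detection")
        if state == "detection" and rate > high:
            state = "protection"
        elif state == "protection" and rate < low:
            state = "detection"
        self.state[ip] = state
        return state

    def packet_action(self, ip: str) -> str:
        """What happens to the next request for `ip` in the current state."""
        if self.state.get(ip, "detection") == "protection":
            return "drop" if self.action == "drop-packet" else "alarm"
        return "forward"

    def replay(self, ip: str, samples):
        """Run a sequence of per-second rate samples; return the state after each."""
        return [self.observe(ip, r) for r in samples]
```

With the ICMP defaults, a rate sequence of 500, 1200, 900, 800, 700 and 1100 packets per second enters protection at 1200, stays there through 900 and 800 (neither is below 750), drops back at 700 and re-enters at 1100; with a single threshold the 900 and 800 samples would have toggled the state twice.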
system-view
[Router] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Router] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.
[Router] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
Use the display blacklist all command to view the added blacklist entries.
[Router-attack-defense-policy-1] defense udp-flood rate-threshold high 100 # Configure the policy to drop the subsequent packets once a UDP flood attack is detected. [Router-attack-defense-policy-1] defense udp-flood action drop-packet [Router-attack-defense-policy-1] quit # Apply policy 1 to GigabitEthernet 1/1. [Router] interface gigabitethernet 1/1 [Router-GigabitEthernet1/1] attack-defense apply policy 1 # Enable the traffic statistics function in the outbound direction of GigabitEthernet 1/1.
ICMP session establishment rate : 0/s
RAWIP sessions : 0
RAWIP session establishment rate : 0/s
The output shows that on GigabitEthernet 1/1, a large number of UDP packets destined for 10.1.1.2 exist, and the session establishment rate has exceeded the specified threshold. You can determine that the server is under a UDP flood attack.
Use the display attack-defense statistics command to view the related statistics collected after the UDP flood protection function takes effect.
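The following is an added example, not code from this guide: a small Python model of the action (high) and silence (low) rate-threshold logic that the syn-flood and udp-flood commands above configure, replayed over a constructed SYN trace. The class and function names, the one-second counting window, and the thresholds 5/2 (in place of 5000/1000, to keep the trace short) are assumptions.

```python
"""Added example, not code from the HP MSR guide.

Models the action (high) / silence (low) rate thresholds behind
    defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000
    defense syn-flood action drop-packet
Assumptions: SYN arrivals are counted per destination in one-second
windows; thresholds 5/2 are used instead of 5000/1000 so the trace stays small.
"""


class SynFloodDetector:
    """Per-destination SYN rate detector with hysteresis.

    An attack on a destination starts when the SYN count in one window
    exceeds ``high`` (the action threshold) and ends after a completed
    window whose count is below ``low`` (the silence threshold).
    While an attack is in progress, subsequent SYNs are dropped.
    """

    def __init__(self, high, low):
        if low > high:
            raise ValueError("silence threshold must not exceed action threshold")
        self.high = high
        self.low = low
        self._window = {}        # dst -> second of the window being counted
        self._count = {}         # dst -> SYNs seen in that window
        self.under_attack = set()
        self.log = []            # (second, dst, "start" | "end")

    def observe(self, ts, dst):
        """Feed one SYN (timestamp in seconds, destination IP).

        Returns "forward" or "drop"; this is the per-packet action.
        """
        sec = int(ts)
        if dst not in self._window:
            self._window[dst], self._count[dst] = sec, 0
        elif sec != self._window[dst]:
            # A new window has begun, so judge the one just completed.
            # Seconds with no SYNs at all were skipped and count as zero,
            # which is below the silence threshold.
            gap = sec - self._window[dst]
            if dst in self.under_attack and (gap > 1 or self._count[dst] < self.low):
                self.under_attack.discard(dst)
                self.log.append((sec, dst, "end"))
            self._window[dst], self._count[dst] = sec, 0

        self._count[dst] += 1            # count arrivals even while dropping
        if dst in self.under_attack:
            return "drop"
        if self._count[dst] > self.high:
            self.under_attack.add(dst)   # the SYN that crosses the line is still forwarded
            self.log.append((sec, dst, "start"))
        return "forward"


# Constructed trace: 3 SYNs in second 0, a burst of 8 in second 1 (plus one
# SYN to a different server), 4 in second 2, 1 in second 3, then silence
# until one SYN in second 5.
SAMPLE_SYNS = (
    [(0.1, "10.1.1.2"), (0.2, "10.1.1.2"), (0.3, "10.1.1.2")]
    + [(1.0 + i / 10, "10.1.1.2") for i in range(8)]
    + [(1.45, "10.1.1.3")]
    + [(2.1, "10.1.1.2"), (2.2, "10.1.1.2"), (2.3, "10.1.1.2"), (2.4, "10.1.1.2")]
    + [(3.5, "10.1.1.2"), (5.0, "10.1.1.2")]
)


def run(events, high=5, low=2):
    """Replay a (timestamp, dst) trace; returns per-action counts and the attack log."""
    det = SynFloodDetector(high, low)
    stats = {"forward": 0, "drop": 0}
    for ts, dst in sorted(events):
        stats[det.observe(ts, dst)] += 1
    return stats, det.log


if __name__ == "__main__":
    stats, log = run(SAMPLE_SYNS)
    print(stats)   # {'forward': 11, 'drop': 7}
    for sec, dst, what in log:
        print(f"second {sec}: SYN flood against {dst} {what}")
```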
Configuring TCP attack protection
Overview
Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
This chapter describes the attacks that these features can prevent, the working mechanisms of these features, and the configuration procedures.
Enabling protection against Naptha attacks
Naptha attacks are similar to SYN flood attacks. Attackers can perform Naptha attacks by using six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN flood attacks use only the SYN_RECEIVED state.
Configuring connection limits
Overview
An internal user initiating a large quantity of connections to external networks in a short period of time occupies large amounts of system resources on the device, limiting access to network resources for other users. An internal server that receives large numbers of connection requests within a short period of time cannot process them in time or accept other normal connection requests.
If the default connection limit action is permit, the user connections are limited according to the configured default connection limit parameters. When the number of connections reaches the upper limit, users cannot establish new connections. When the connection number goes below the lower limit, users can establish new connections.
• The default connection limit parameters of a connection limit policy take effect only after the policy is applied.
Step 1. Enter system view.
  Command: system-view
Step 2. Enter connection limit policy view.
  Command: connection-limit policy policy-number
Step 3. Configure an ACL-based connection limit rule.
  Command: limit limit-id acl acl-number [ { per-destination | per-service | per-source } * amount max-amount min-amount ]

Applying the connection limit policy
To make a connection limit policy take effect, apply it to a NAT service module.
To apply a connection limit policy:
Step 1. Enter system view.
On the router, create a connection limit policy and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and another limits connections from 192.168.0.100 with the upper connection limit 100.
system-view
[Router] connection-limit policy 0
[Router-connection-limit-policy-0] limit 0 source ip 192.168.0.
Configuring password control
Overview
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
• Minimum password length
By setting a minimum password length, you can force users to use passwords long enough for system security.
With this feature enabled, the system maintains passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must be different from the used ones by at least four characters and the four characters must not be the same. Otherwise, the user will fail to change the password and the system displays an error message. You can set the maximum number of history password records for the system to maintain for each user.
Password combination level | Minimum number of character types | Minimum number of characters for each type
Level 3 | Three | One
Level 4 | Four | One
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password. When a user sets or changes the password, the system checks if the password meets the composition requirement. If not, the system displays an error message.
Table 23 Hardware and FIPS mode compatibility matrix
Hardware | FIPS mode
MSR900 | No
MSR93X | No
MSR20-1X | No
MSR20 | Yes
MSR30 | Yes (except the MSR30-16)
MSR50 | Yes
MSR1000 | Yes

Password control configuration task list
The password control functions can be configured in several views, and different views support different functions.
1. Enable the global password control feature in system view. Password control configurations take effect only after the password control feature is enabled globally.
2. Enable password control functions individually. The following password control functions need to be enabled individually after the password control feature is enabled globally:
   - Password aging
   - Minimum password length
   - Password history
   - Password composition checking
To enable password control:
Step 1.
Step 5. Configure the password composition policy.
  Command: password-control composition type-number type-number [ type-length type-length ]
  Remarks: Optional.
  • In non-FIPS mode, a default password must contain at least one character type and at least one character for each type.
  • In FIPS mode, a default password must contain four character types and at least one character for each type.
Step 6. Configure the password complexity checking policy.
Step 4. Configure the minimum password length for the user group.
  Command: password-control length length
  Remarks: Optional. By default, the minimum password length of the user group is the same as the global minimum password length.
Step 5. Configure the password composition policy for the user group.
  Command: password-control composition type-number type-number [ type-length type-length ]
  Remarks: Optional.
To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password. For more information on super passwords, see Fundamentals Configuration Guide.
To set super password control parameters:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the password aging time for super passwords.
  Command: password-control super aging aging-time
  Remarks: Optional.
Task: Clear history password records.
  Command: reset password-control history-record [ user-name name | super [ level level ] ]
  Remarks: Available in user view. This command can delete the history password records of one or all users even when the password history function is disabled.
# Specify that no character of the password can be repeated three or more times consecutively.
[Sysname] password-control complexity same-character check
# Specify that the super passwords must each contain at least three character types and at least five characters for each type.
[Sysname] password-control super composition type-number 3 type-length 5
# Configure a super password.
[Sysname] super password level 3 simple 12345ABGFTweuix
# Create a local user named test.
Super password control configurations:
  Password aging: Enabled (30 days)
  Password length: Enabled (10 characters)
  Password composition: Enabled (3 types, 5 characters per type)
# Display the password control configuration for local user test.
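The following is an added example, not code from this guide: a Python model of the checks this chapter describes (minimum length, composition by type-number and type-length, the same-character complexity check, and the password history rule), exercised with the super password from the configuration example above. The history rule is implemented on one reading of the guide's wording (at least four changed character positions, and the changed characters not all the same character); the class, function and field names are assumptions.

```python
"""Added example, not code from the HP MSR guide.

A Python model of the password checks described in this chapter:
minimum length, composition (type-number / type-length), the
same-character complexity check, and the password history rule.
The history rule follows one reading of the guide's wording: the new
password must differ from every recorded one in at least four character
positions, and those differing characters must not all be the same
character.  Class, function and field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PasswordPolicy:
    min_length: int = 10                # password-control length 10
    type_number: int = 4                # password-control composition type-number 4 ...
    type_length: int = 1                # ... type-length 1 (the FIPS-mode default)
    same_character_check: bool = True   # password-control complexity same-character check
    history_max: int = 4                # history records kept per user
    history: List[str] = field(default_factory=list)


def count_types(pw: str) -> Dict[str, int]:
    """Characters of each type: uppercase, lowercase, digits, special."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(not c.isalnum() for c in pw),
    }


def has_same_character_run(pw: str, run: int = 3) -> bool:
    """True if any character is repeated `run` or more times consecutively."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def differs_enough(new: str, old: str, n: int = 4) -> bool:
    """History rule: at least n changed characters, and not all the same character."""
    changed = [a for a, b in zip(new, old) if a != b] + list(new[len(old):])
    removed = max(0, len(old) - len(new))     # characters dropped from the tail
    if len(changed) + removed < n:
        return False
    return len(set(changed)) != 1


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append("length")
    types_met = sum(1 for n in count_types(pw).values() if n >= policy.type_length)
    if types_met < policy.type_number:
        violations.append("composition")
    if policy.same_character_check and has_same_character_run(pw):
        violations.append("same-character")
    if any(not differs_enough(pw, old) for old in policy.history):
        violations.append("history")
    return violations


def change_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Apply the checks; on success record the password and keep only history_max entries."""
    violations = check_password(pw, policy)
    if not violations:
        policy.history.append(pw)
        del policy.history[:-policy.history_max]
    return violations


if __name__ == "__main__":
    fips_like = PasswordPolicy()
    for candidate in ["abc", "12345ABGFTweuix", "Passsword1!", "Secur3!Pass#A"]:
        print(f"{candidate!r}: {check_password(candidate, fips_like) or 'ok'}")
    # The super-password policy from the configuration example above (3 types, 5 per type):
    print(check_password("12345ABGFTweuix", PasswordPolicy(type_number=3, type_length=5)))  # []
```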
Configuring HABP
The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 142, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C. On Switch A, 802.1X authentication is enabled globally and on the ports connecting the downstream network devices. The end-user devices (the supplicants) run the 802.
IMPORTANT: In a cluster, if a member device with 802.1X authentication or MAC authentication enabled is attached to some other member devices of the cluster, you must also configure HABP server on this device. Otherwise, the cluster management device will not be able to manage the devices attached to this member device. For more information about the cluster function, see Network Management and Monitoring Configuration Guide.
Step 3. Configure HABP to operate in client mode.
  Command: undo habp server
  Remarks: Optional. HABP operates in client mode by default.
Step 4. Specify the VLAN to which the HABP client belongs.
  Command: habp client vlan vlan-id
  Remarks: Optional. By default, an HABP client belongs to VLAN 1. The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.

Displaying and maintaining HABP
Task: Display HABP configuration information.
Figure 143 Network diagram
[Figure labels: Internet; Authentication server; Device (HABP server, interfaces GE1/1 and GE1/2); Switch A and Switch B (HABP clients, VLAN 1); Host A, Host B, Host C, Host D]
Configuration procedure
1. Configure the device:
# Perform 802.1X related configurations on the device. For detailed configurations, see "Configuring 802.1X."
# Enable HABP. (HABP is enabled by default. This configuration is optional.
# Display HABP configuration information.
display habp
Global HABP information:
  HABP Mode: Server
  Sending HABP request packets every 50 seconds
  Bypass VLAN: 1
# Display HABP MAC address table entries.
Configuring URPF
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 145 shows how URPF works.
Figure 145 URPF work flow
[Flow chart: check the received packet. Broadcast source address? Yes: discard. All-zero source address? Yes: check passed only if the destination address is a broadcast address, otherwise discard. Does the source address match a FIB entry? No: discard. Is the matching route a default route? Yes: is the default route allowed for URPF check? No: go to the "Loose URPF?" decision. Does the receiving interface match the output interface of the matching FIB entry? Yes: check passed; No: Loose URPF? Yes: check passed; No: discard.]
1.
3. URPF checks whether the matching route is a default route:
   - If yes, URPF checks whether the allow-default-route keyword is configured to allow the default route: if yes, proceeds to step 4; if not, proceeds to step 5.
   - If not, proceeds to step 4.
4. URPF checks whether the receiving interface matches the output interface of the matching FIB entry:
   - If yes, the packet is forwarded.
   - If not, proceeds to step 5.
5.
Do not configure the allow-default-route keyword for loose URPF check. Otherwise, URPF might fail to work.
After configuring the URPF check on an interface, you can use the display ip interface command to view statistics about packets discarded by URPF (displayed as "Drops" and "Suppressed drops").
To enable URPF on an interface:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Enable URPF check on the interface.
# Enable strict URPF check on Ethernet 1/1 and allow use of the default route for URPF check.
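The following is an added example, not code from this guide: a Python model of the URPF decision flow as printed in Figure 145 and the numbered steps above (source-address checks, FIB lookup, the allow-default-route rule, the receiving-interface comparison, and the strict/loose distinction), run against a constructed FIB. The FIB layout, interface names and sample addresses are assumptions.

```python
"""Added example, not code from the HP MSR guide.

A Python model of the URPF decision flow shown in Figure 145 and the
numbered steps above: source-address sanity checks, FIB lookup, the
default-route rule (allow-default-route), the receiving-interface
comparison, and the strict/loose distinction.  FIB layout, interface
names and the sample addresses are assumptions.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class FibEntry(NamedTuple):
    prefix: ipaddress.IPv4Network
    out_iface: str


BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ALL_ZERO = ipaddress.IPv4Address("0.0.0.0")


def lookup(fib: List[FibEntry], addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match; None when no entry (not even a default route) covers addr."""
    best = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def _step5(loose: bool, why: str) -> Tuple[str, str]:
    # Step 5 of the flow: loose URPF passes the packet, strict URPF discards it.
    return ("pass", "loose: " + why) if loose else ("discard", "strict: " + why)


def urpf_check(src: str, dst: str, in_iface: str, fib: List[FibEntry],
               loose: bool = False, allow_default_route: bool = False) -> Tuple[str, str]:
    """Return ("pass" | "discard", reason) for one packet, following Figure 145."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

    # Step 1: source address validity.
    if src_ip == BROADCAST:
        return "discard", "broadcast source address"
    if src_ip == ALL_ZERO:
        # 0.0.0.0 -> 255.255.255.255 is what DHCP/BOOTP discovery looks like.
        if dst_ip == BROADCAST:
            return "pass", "all-zero source with broadcast destination"
        return "discard", "all-zero source with non-broadcast destination"

    # Step 2: does the source address match a FIB entry?
    entry = lookup(fib, src_ip)
    if entry is None:
        return "discard", "source address matches no FIB entry"

    # Step 3: a default route counts only when allow-default-route is configured.
    if entry.prefix.prefixlen == 0 and not allow_default_route:
        return _step5(loose, "source matches only the default route")

    # Step 4: receiving interface versus the FIB entry's output interface.
    if entry.out_iface == in_iface:
        return "pass", "receiving interface matches FIB output interface"
    return _step5(loose, f"received on {in_iface}, FIB points to {entry.out_iface}")


# Constructed FIB: two connected subnets and a default route towards the ISP.
SAMPLE_FIB = [
    FibEntry(ipaddress.IPv4Network("10.1.1.0/24"), "Ethernet1/1"),
    FibEntry(ipaddress.IPv4Network("10.1.2.0/24"), "Ethernet1/2"),
    FibEntry(ipaddress.IPv4Network("0.0.0.0/0"), "Ethernet1/3"),
]


if __name__ == "__main__":
    cases = [
        ("10.1.1.5", "10.1.2.9", "Ethernet1/1", False, False),       # legitimate LAN host
        ("10.1.1.5", "10.1.2.9", "Ethernet1/3", False, False),       # LAN address arriving from the ISP side
        ("10.1.1.5", "10.1.2.9", "Ethernet1/3", True, False),        # same packet, loose mode
        ("198.51.100.7", "10.1.1.5", "Ethernet1/3", False, False),   # Internet source, default route not allowed
        ("198.51.100.7", "10.1.1.5", "Ethernet1/3", False, True),    # Internet source, default route allowed
        ("0.0.0.0", "255.255.255.255", "Ethernet1/1", False, False), # DHCP discover
    ]
    for src, dst, iface, loose, allow in cases:
        print(src, "->", dst, "on", iface, urpf_check(src, dst, iface, SAMPLE_FIB, loose, allow))
```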
Configuring WLAN client isolation
The terms AP and fat AP in this document refer to MSR900 and MSR20-1X routers with IEEE 802.11b/g and MSR series routers installed with a SIC WLAN module. WLAN client isolation enables a fat AP to isolate Layer 2 packets (unicast/broadcast) that are exchanged between wireless clients associated with it, disabling them from direct communication.
Configuring group domain VPN
Group domain Virtual Private Network (group domain VPN) provides a point-to-multipoint tunnel-less VPN solution. It is mainly used to protect multicast traffic.
Overview
Group domain VPN uses a group-based IPsec model. Members in a group use a common IPsec policy, which includes security protocols, algorithms, and keys.
Figure 149 Group domain VPN structure
[Figure labels: KS; three GMs connected through an IP network; arrows labelled Register and Update keys]
The KS maintains security policies for groups, and creates and maintains key information. It responds to registration requests from GMs and sends rekey messages to GMs. After a GM registers with the KS, the KS sends the IPsec policy and keys to the GM. The keys are periodically updated. Before the key lifetime expires, the KS notifies all GMs to update keys by sending rekey messages.
Figure 150 Registration process
[Figure: message exchange between the GM and the KS: 1) IKE negotiation, 2) Group ID, 3) SA policy, 4) Acknowledgement, 5) TEK and KEK]
As shown in Figure 150:
1. The GM and KS perform IKE negotiation.
2. The GM sends its group ID to the KS.
3. The KS sends an IPsec policy to the GM according to the group ID.
4. The GM verifies the IPsec policy. If the IPsec policy settings are acceptable, for example, the security protocols and encryption algorithms are supported, the GM sends an acknowledge message to the KS.
5.
Rekey
If rekey parameters are configured on the KS, the KS periodically unicasts or multicasts (the default mode is multicast) rekey messages to registered GMs to update their IPsec SAs or rekey SAs. The rekey messages are protected by the current rekey SA on the KS. GMs authenticate the rekey messages by using the public key that they received from the KS during registration. If a GM does not receive any rekey messages before its IPsec SA or rekey SA expires, the GM re-registers with the KS.
Keepalive
The primary KS periodically sends hello messages to the secondary KSs. If the secondary KSs receive no hello messages within a specific interval, they consider that the primary KS has failed and elect a new primary KS. During the election, the secondary KSs do not accept registrations from GMs.
• Group ID—Identifies the GDOI KS group in the Group Domain VPN. A KS uses the group ID received from a GM to determine the GDOI KS group that the GM wants to join. Each group can have only one group ID, which must be a group number or an IP address.
• Key pair—Used to generate local asymmetric key pairs carried in rekey messages. Each GDOI KS group can reference only one key pair. The public key in the key pair is used as part of the KEK assigned to GMs. A GM uses the public key to authenticate the KS.
Step 3. Configure an ID for the GDOI KS group.
  Command: identity { address ip-address | number number }
  Remarks: By default, no GDOI group ID is specified.
Step 4. Reference a key pair for KS rekey.
  Command: rekey authentication public-key rsa key-name
  Remarks: By default, no key pair is referenced.
Step 5. Specify a rekey ACL.
  Command: rekey acl { acl-number | name acl-name }
  Remarks: By default, no rekey ACL is specified.
Step 6. Create an IPsec policy for the GDOI KS group and enter GDOI KS group IPsec policy view.
• The IP address of a peer KS specified on the local KS must be the same as the source address that the peer KS uses to send redundancy protocol packets.
To configure GDOI KS redundancy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the UDP port number for listening to redundancy protocol packets.
  Command: gdoi ks redundancy port port-number
  Remarks: By default, the KS listens to UDP port 19000 for redundancy protocol packets.
Step 3. Enter GDOI KS group view.
Step 3. Specify the source address for packets sent by the KS.
  Command: source address ip-address
  Remarks: By default, the KS uses the source address specified in the first rule of the rekey ACL as the source address of sent packets. For information about the rekey ACL, see "Configuring basic settings for a GDOI KS group."

Configuring rekey parameters
The following describes the rekey parameters:
• Rekey encryption—Specifies the encryption algorithm used by the KEK.
Task: Display GDOI KS group information.
  Command: display gdoi ks [ group group-name ]
Task: Display GDOI KS group ACL information.
  Command: display gdoi ks acl [ group group-name ]
Task: Display GDOI KS redundancy information.
  Command: display gdoi ks redundancy [ group group-name ]
Task: Display information about online GDOI KS group members.
  Command: display gdoi ks members [ group group-name ] [ ip ip-address ]
Task: Display GDOI KS group rekey information.
  Command: display gdoi ks rekey [ group group-name ]
Task: Display GDOI KS group policy information.
• Registration interface—The GM uses the registration interface to send registration packets to the KS. By default, the registration interface of a GM is the output interface of the route from the GM to the KS.
Follow these guidelines when you configure a GDOI GM group:
• A GDOI GM group can have only one group ID. A newly configured group ID overwrites the previous one.
• Different GDOI GM groups must have different group IDs and KS addresses.
To configure a GDOI IPsec policy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a GDOI IPsec policy entry and enter GDOI IPsec policy entry view.
  Command: ipsec policy policy-name seq-number gdoi
  Remarks: By default, no GDOI IPsec policy exists. For more information about this command, see Security Command Reference.
Step 3. Reference a GDOI GM group for the GDOI IPsec policy entry.
  Remarks: By default, no GDOI GM group is referenced.
Step 3. Apply a GDOI IPsec policy to the interface.
  Command: ipsec policy policy-name
  Remarks: By default, no GDOI IPsec policy is applied to an interface. You can apply only one GDOI IPsec policy to an interface. A GDOI IPsec policy can be applied to multiple interfaces. For more information about this command, see Security Command Reference.

Displaying and maintaining GDOI GM
Execute display commands in any view and reset commands in user view.
Task: Display the GDOI GM group information.
Group domain VPN configuration example
Network requirements
As shown in Figure 153, set up a group domain VPN on the network to protect traffic between subnets, as follows:
• Add GM 1, GM 2, and GM 3 to GDOI group 12345, and configure them to register with the KS that manages the group.
• Use the IPsec security protocol ESP, encryption algorithm AES-CBC 128, and authentication algorithm SHA1 to protect the data.
• Configure IPsec to protect traffic from subnet 10.1.1.0 to subnet 10.1.2.
Configuring KS 1
# Configure IP addresses for interfaces. (Details not shown.)
# Configure IKE proposal 1.
system-view
[KS1] ike proposal 1
# Specify the encryption algorithm AES-CBC 128 for IKE proposal 1.
[KS1-ike-proposal-1] encryption-algorithm aes-cbc 128
# Specify the authentication algorithm SHA1 for IKE proposal 1.
[KS1-ike-proposal-1] authentication-algorithm sha
# Specify DH group 2 for IKE proposal 1.
# Create an ACL named fortek.
[KS1] acl number 3000 name fortek
# Create ACL rules to identify the directional traffic to be protected.
[KS1-acl-adv-3000-fortek] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[KS1-acl-adv-3000-fortek] rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[KS1-acl-adv-3000-fortek] rule 2 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[KS1-acl-adv-3000-fortek] rule 3 permit ip source 10.1.3.0 0.0.0.
# Specify DH group 2 for IKE proposal 1.
[KS2-ike-proposal-1] dh group2
[KS2-ike-proposal-1] quit
# Create the IKE peer toks1 for IKE negotiation with KS 1.
[KS2] ike peer toks1
# Apply IKE proposal 1 to the IKE peer.
[KS2-ike-peer-toks1] proposal 1
# Configure the pre-shared key as tempkey1 in plaintext.
[KS2-ike-peer-toks1] pre-shared-key simple tempkey1
# Specify the IP address of the IKE peer as 100.1.1.100.
[KS2-ike-peer-toks1] remote-address 100.1.1.
10.1.1.0 0.0.0.255
[KS2-acl-adv-3000-fortek] quit
# Create an ACL named forrekey.
[KS2] acl number 3001 name forrekey
# Configure a rule to permit rekey traffic destined for 225.0.0.1.
[KS2-acl-adv-3001-forrekey] rule 0 permit ip destination 225.0.0.1 0
[KS2-acl-adv-3001-forrekey] quit
# Import the RSA key or key pair that was exported on KS 1 to KS 2 by using PEM format, and name the key or key pair as rsa1.
# Reference the ACL fortek.
[KS2-gdoi-ks-group-ks2-ipsec-10] security acl name fortek
[KS2-gdoi-ks-group-ks2-ipsec-10] quit
# Specify the peer KS 100.1.1.100.
[KS2-gdoi-ks-group-ks2] peer address 100.1.1.100
# Specify the source address of sent packets as 200.2.2.200.
[KS2-gdoi-ks-group-ks2] source address 200.2.2.200
# Specify the local priority as 100.
[KS2-gdoi-ks-group-ks2] local priority 100
# Enable GDOI KS redundancy.
# Create GDOI GM group 1.
[GM1] gdoi gm group 1
# Set the GDOI GM group ID to 12345.
[GM1-gdoi-gm-group-1] identity number 12345
# Specify the KS addresses as 100.1.1.100 and 200.2.2.200.
[GM1-gdoi-gm-group-1] server address 100.1.1.100
[GM1-gdoi-gm-group-1] server address 200.2.2.200
[GM1-gdoi-gm-group-1] quit
# Create a GDOI IPsec policy.
[GM1] ipsec policy map 1 gdoi
# Reference GDOI GM group 1 for the GDOI IPsec policy.
# Configure the pre-shared key used in IKE negotiation as the plaintext string tempkey1.
[GM2-ike-peer-toks2] pre-shared-key simple tempkey1
# Specify the IP address of the IKE peer as 200.2.2.200.
[GM2-ike-peer-toks2] remote-address 200.2.2.200
[GM2-ike-peer-toks2] quit
# Create GDOI GM group 1.
[GM2] gdoi gm group 1
# Set the GDOI GM group ID to 12345.
[GM2-gdoi-gm-group-1] identity number 12345
# Specify the KS addresses as 100.1.1.100 and 200.2.2.200.
[GM2-gdoi-gm-group-1] server address 100.1.1.
[GM3-ike-peer-toks1] quit
# Create IKE peer toks2.
[GM3] ike peer toks2
# Reference IKE proposal 1 for the IKE peer.
[GM3-ike-peer-toks2] proposal 1
# Configure the pre-shared key used in IKE negotiation as the plaintext string tempkey1.
[GM3-ike-peer-toks2] pre-shared-key simple tempkey1
# Specify the IP address of the IKE peer as 200.2.2.200.
[GM3-ike-peer-toks2] remote-address 200.2.2.200
[GM3-ike-peer-toks2] quit
# Create GDOI GM group 1.
[GM3] gdoi gm group 1
# Set the GDOI GM group ID to 12345.
[GM1] display ipsec sa
===============================
Interface: Ethernet1/1
    path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "map"
  sequence number: 1
  mode: gdoi
  -----------------------------
    PFS: N, DH group: none
    tunnel:
        local  address: 1.1.1.1
        remote address: 0.0.0.0
    flow:
        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 10.1.2.0/255.255.255.
      transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      in use setting: Transport
      connection id: 326
      sa duration (kilobytes/sec): 0/900
      sa remaining duration (kilobytes/sec): 0/853
      anti-replay detection: Disabled
  -----------------------------
  IPsec policy name: "map"
  sequence number: 1
  mode: gdoi
  -----------------------------
    PFS: N, DH group: none
    tunnel:
        local  address: 1.1.1.1
        remote address: 0.0.0.0
    flow:
        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 10.1.3.0/255.255.255.
      spi: 0x640321A(104870426)
      transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      in use setting: Transport
      connection id: 330
      sa duration (kilobytes/sec): 0/900
      sa remaining duration (kilobytes/sec): 0/851
      anti-replay detection: Disabled
The output shows that two groups of IPsec SAs have been generated on GM 1 for secure communication with other group members.
# Execute the display gdoi gm command to display the registration information on GM 1.
    Key size             : 128
    Sig hash algorithm   : SHA1
    Sig key length (bit) : 2048
TEK Policy:
  Interface Ethernet1/1:
    IPsec SA:
      SPI: 0x640321A(104870426)
      Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      SA timing: remaining key lifetime (sec): 123
      Anti-replay detection: Disabled
Packets between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 are encrypted and decrypted by GM 1 and GM 2.
# Display GM information on KS 1.
display gdoi ks members
Group Name: ks1
  Group member ID      : 1.1.1.1
  Group member version : 1.
  Local role      : Primary
  Primary address : 100.1.1.100
  Sessions:
    Peer address  : 200.2.2.200
    Peer version  : 1.0
    Peer priority : 100
    Peer role     : Secondary
    Peer status   : Ready
# Display KS redundancy information on KS 2.
display gdoi ks redundancy
Group Name      : ks2
  Local address   : 200.2.2.200
  Local version   : 1.0
  Local priority  : 100
  Local role      : Secondary
  Primary address : 100.1.1.100
  Sessions:
    Peer address  : 100.1.1.100
    Peer version  : 1.
If the failure occurred between KSs, verify that the IKE proposal and IKE peer configurations on the KSs match, and that the KSs can reach each other.

GM registration failure
Symptom
The GM failed to register with the KS.
Analysis
Execute the following command on the GM.
display ike sa
    total phase-1 SAs:  1
    connection-id  peer                 flag      phase  doi    status
  ----------------------------------------------------------------------------
    18             90.1.1.
Configuring FIPS
Table 24 shows the support of devices for the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode.
Table 25 List of power-up self-tests
Type | Operations
Cryptographic algorithm self-test | Tests the following algorithms: DSA (signature and authentication), RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, SHA256, SHA512, HMAC-SHA1, random number generator algorithms
Cryptographic engine self-test | Tests the following algorithms used by cryptographic engines: DSA (signature and authentication), RSA (signature and authentication), RSA (encryp
To trigger a self-test:
Step 1. Enter system view.
  Command: system-view
Step 2. Trigger a self-test.
  Command: fips self-test

Configuring FIPS mode
Configuration considerations
To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure a username and password used to log in to the device. The password must include at least 10 characters that must contain uppercase and lowercase letters, digits, and special characters.
4.
• The SSH server does not support SSHv1 clients.
• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.

Displaying and maintaining FIPS
Task: Display the FIPS mode state.
  Command: display fips status
  Remarks: Available in any view.

FIPS configuration example
Network requirements
As shown in Figure 154, the host connects to the router through a console port.
[Sysname-luser-test] service-type terminal
[Sysname-luser-test] authorization-attribute level 3
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait...........
[Sysname-luser-test] quit
# Save the configuration.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
cfa0:/startup.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.
Index
A
AAA configuration considerations and task list, 20
AAA configuration examples, 58
Applying the connection limit policy, 440
ARP attack protection configuration task list, 406
Attack detection and protection configuration examples, 430
C
Configuring an HABP client, 454
Configuring an HABP server, 454
Configuring an IKE peer, 208
Configuring an IKE proposal, 207
Configuring an IKEv2 keyring, 228
Configuring an IKEv2 policy, 227
Configuring an IKEv2 profile, 228
Configuring an IKEv2 p
Configuring the local portal server, 299
Configuring the local RSA key pair for certificate request, 274
Configuring the online user handshake function, 95
Configuring the quiet timer, 98
Configuring the redirect URL, 111
Configuring unresolvable IP attack protection, 406
D
Displaying and recording the host public key information, 273
Displaying or exporting the local host public key, 272
Displaying public keys, 276
Displaying the host public key in a specific format and saving it to a file, 273
Dynamic IPv4 so
I
IKE configuration examples, 212
IKE configuration task list, 206
IKEv2 configuration examples, 231
IKEv2 configuration task list, 224
Implementing ACL-based IPsec, 157
Implementing IPsec, 156
Implementing tunnel interface-based IPsec, 175
Importing an RSA key
P
Password control configuration example, 450
Password control configuration task list, 445
Performing configurations in user profile view, 405
PKI configuration examples, 258
PKI configuration task list, 248
Port security configuration examples, 139
S
Specifying the portal server, 298
SSL server policy configuration example, 396
SSL VPN configuration example, 401
Static IPv4 source guard binding entry configuration example, 417
Stelnet configuration examples, 372
T
Tearing down user connections, 55
Troubleshooting AAA, 78
Troubleshooting IP source guard, 420
Troubleshooting PKI configuration, 268
Troubleshooting port security, 149
Troubleshooting portal, 338
Troubleshooting SSL, 398
U
URPF configuration example, 461
User