HP MSR2000/3000/4000 Router Series Security Configuration Guide (V7)
Part number: 5998-3996
Software version: CMW710-R0007P02
Document version: 6PW100-20130927
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Configuring AAA ..... 1
Overview ..... 1
RADIUS .....
802.1X client as the initiator ..... 53
Access device as the initiator ..... 54
802.
Password updating and expiration ..... 79
User login control ..... 80
Password not displayed in any form ..... 80
Logging .....
Exporting certificates ..... 111
Removing a certificate ..... 112
Configuring a certificate access control policy ..... 112
Displa
Configuring IKE ..... 179
Overview ..... 179
IKE negotiation process ..... 1
Displaying and maintaining SSH ..... 226
Stelnet configuration examples ..... 226
Password authentication enabled Stelnet server configuration example ..... 226
Publickey authentication enabled Stelnet server config
Troubleshooting connection limits ..... 271
ACLs in the connection limit rules with overlapping segments ..... 271
Configuring ARP attack protection ..... 272
ARP attack protection configuration task list .....
Configuring a portal authentication server ..... 299
Configuring a portal Web server ..... 300
Enabling portal authentication on an interface ..... 300
Configuration restrictions and gu
Support and other resources ..... 348
Contacting HP ..... 348
Subscription service ..... 348
Relate
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights and controls their access to resources and services.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses the following workflow:
1. The host sends a connection request that includes the user's username and password to the RADIUS client.
2.
RADIUS packet format
RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field (variable in length) includes specific authentication, authorization, and accounting information. This field can contain multiple attributes, each with three sub-fields:
  - Type—Type of the attribute.
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS.
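An added example (not HP's code) that parses the packet layout described above, including attribute 26 with its Vendor-ID and sub-attributes, and that checks the Response Authenticator a client should verify before trusting a server reply. The sample packets, the vendor ID 0x3039 and the Reply-Message text are constructed; the shared key expert is the one used in the SSH configuration example later in this guide.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

HEADER = struct.Struct("!BBH16s")   # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_LENGTH = 4096                   # upper bound on Length from RFC 2865
VENDOR_SPECIFIC = 26
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge"}


def parse_tlvs(data: bytes, what: str) -> List[Tuple[int, bytes]]:
    """Walk Type/Length/Value triples; Length covers the two header bytes."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        out.append((t, data[pos + 2:pos + length]))
        pos += length
    return out


def parse_vsa(value: bytes) -> Dict:
    """Attribute 26: 4-byte Vendor-ID, then vendor sub-attributes in TLV form."""
    if len(value) < 4:
        raise ValueError("attribute 26 shorter than its Vendor-ID")
    return {"vendor_id": struct.unpack("!I", value[:4])[0],
            "sub_attributes": parse_tlvs(value[4:], "sub-attribute")}


def parse_radius(packet: bytes) -> Dict:
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(packet)
    # The Length field, not the datagram size, bounds the Attributes field;
    # bytes past Length are padding and are ignored.
    if length < HEADER.size or length > MAX_LENGTH or length > len(packet):
        raise ValueError(f"Length {length} invalid for {len(packet)} received bytes")
    attrs = []
    for t, v in parse_tlvs(packet[HEADER.size:length], "attribute"):
        attrs.append((t, parse_vsa(v) if t == VENDOR_SPECIFIC else v))
    return {"code": code, "code_name": RADIUS_CODES.get(code, "Unknown"),
            "identifier": ident, "length": length,
            "authenticator": authenticator, "attributes": attrs}


def build_tlv(t: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([t, len(value) + 2]) + value


def build_radius(code: int, ident: int, authenticator: bytes, attrs: List[bytes]) -> bytes:
    body = b"".join(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


def response_authenticator(code: int, ident: int, body: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code Identifier Length RequestAuth Attributes Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + request_authenticator + body + secret).digest()


def verify_response(response: bytes, expected_ident: int,
                    request_authenticator: bytes, secret: bytes) -> bool:
    """The check a client makes before acting on a reply: the Identifier must
    match the outstanding request and the Response Authenticator must verify
    under the shared key (constant-time compare)."""
    info = parse_radius(response)
    if info["identifier"] != expected_ident:
        return False
    expected = response_authenticator(info["code"], info["identifier"],
                                      response[HEADER.size:info["length"]],
                                      request_authenticator, secret)
    return hmac.compare_digest(info["authenticator"], expected)


# Constructed sample: an Access-Request like the router in the SSH example
# would send, then the server's Access-Accept. The vendor ID 0x3039 is made up.
SAMPLE_SECRET = b"expert"                 # the shared key used in the example
REQUEST_AUTH = bytes(range(16))           # fixed here; a real client draws it randomly
SAMPLE_REQUEST = build_radius(1, 7, REQUEST_AUTH, [
    build_tlv(1, b"hello@bbb"),                                     # User-Name
    build_tlv(4, bytes([10, 1, 1, 2])),                             # NAS-IP-Address
    build_tlv(VENDOR_SPECIFIC, struct.pack("!I", 0x3039)
              + build_tlv(255, b"MSR2000")),                        # Product_ID sub-attribute
])
ACCEPT_ATTRS = [build_tlv(18, b"welcome")]                           # Reply-Message
SAMPLE_ACCEPT = build_radius(
    2, 7, response_authenticator(2, 7, b"".join(ACCEPT_ATTRS), REQUEST_AUTH, SAMPLE_SECRET),
    ACCEPT_ATTRS)

if __name__ == "__main__":
    print(parse_radius(SAMPLE_REQUEST))
    print("accept verified:", verify_response(SAMPLE_ACCEPT, 7, REQUEST_AUTH, SAMPLE_SECRET))
```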
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
(Figure: message flow among the host, the HWTACACS client, and the HWTACACS server.)
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
9) The user enters the password
10) Continue-authentication packet with the password
11) Response indicating succ
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13.
• PPP
NOTE:
The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend on the configuration of the authentication modules.
AAA methods
AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain.
• Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted, and allow login users to execute only authorized commands. For more information about command authorization, see Fundamentals Configuration Guide.
• Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device.
RFC 1492, An Access Control Protocol, Sometimes Called TACACS
RADIUS attributes
Commonly used standard RADIUS attributes
No.  Attribute      Description
1    User-Name      Name of the user to be authenticated.
2    User-Password  User password for PAP authentication, only present in Access-Request packets when PAP authentication is used.
3    CHAP-Password  Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.
No.  Attribute         Description
40   Acct-Status-Type  Type of the Accounting-Request packet. Possible values include:
                       • 1—Start.
                       • 2—Stop.
                       • 3—Interim-Update.
                       • 4—Reset-Charge.
                       • 7—Accounting-On. (Defined in the 3rd Generation Partnership Project.)
                       • 8—Accounting-Off. (Defined in the 3rd Generation Partnership Project.)
                       • 9 to 14—Reserved for tunnel accounting.
                       • 15—Reserved for failed.
45   Acct-Authentic    Authentication method used by the user. Possible values include:
                       • 1—RADIUS.
60   CHAP-Challenge
No.  Sub-attribute       Description
20   Command             Operation for the session, used for session control. Possible values include:
                         • 1—Trigger-Request.
                         • 2—Terminate-Request.
                         • 3—SetPolicy.
                         • 4—Result.
                         • 5—PortalClear.
24   Control_Identifier  Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value.
No.  Sub-attribute              Description
206  Output-Interval-Gigawords  Amount of bytes output within an accounting interval, in units of 4G bytes.
207  Backup-NAS-IP              Backup source IP address for sending RADIUS packets.
255  Product_ID                 Product name.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
Tasks at a glance
(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
• Configuring local users
• Configuring RADIUS schemes
• Configuring HWTACACS schemes
(Required.) Configure AAA methods for ISP domains:
1. (Required.) Creating an ISP domain
2. (Optional.) Configuring ISP domain attributes
3. (Required.
• Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For support and usage information about binding attributes, see "Configuring local user attributes."
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add a local user and enter local user view.
   Command: local-user user-name [ class { manage | network } ]
   Remarks: By default, no local user exists.
3. (Optional.) Configure a password for the local user.
   Command:
   • For a network access user: password { cipher | simple } password
   Remarks: By default, a local user is assigned the user role of network-operator when the user is created by a network-admin user.
8. (Optional.) Configure authorization attributes for the local user.
   Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *
   Remarks: For PPP users, only the settings for acl, callback-number, and idle-cut take effect.
To configure user group attributes:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a user group and enter its view.
   Command: user-group group-name
   Remarks: By default, there is a system-defined user group named system, which is the default user group.
3. Configure authorization attributes for the user group.
Configuring RADIUS schemes
A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters that the device uses to exchange information with the RADIUS servers, including the IP addresses of the servers, UDP port numbers, shared keys, and server types.
Configuration task list
Tasks at a glance
(Required.) Creating a RADIUS scheme
(Required.) Specifying the RADIUS authentication servers
(Optional.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify RADIUS authentication servers.
   Command:
   • Specify the primary RADIUS
4. Specify RADIUS accounting servers.
   Command:
   • Specify the primary RADIUS accounting server: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
   • Specify a secondary RADIUS
   Remarks: Configure at least one command. By default, no accounting server is specified. Two accounting servers in a scheme, primary or secondary, cannot have the same combination of IP address, port number, and VPN.
(Optional.
3. Specify a VPN for the RADIUS scheme.
   Command: vpn-instance vpn-instance-name
   Remarks: By default, a RADIUS scheme belongs to the public network.
Setting the username format and traffic statistics units
A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP domain name is included in a username. However, older RADIUS servers might not recognize usernames that contain the ISP domain names.
Setting the status of RADIUS servers
To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.
3. Set the RADIUS server status.
   Command:
   • Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
   • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
   • Set the status of a secondary RADIUS
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a source IP address for outgoing RADIUS packets.
   Command: nas-ip { ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the source IP address specified by the radius nas-ip command in system view is used. If the source IP address is not specified, the IP address of the outbound interface is used.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the RADIUS server response timeout timer.
   Command: timer response-timeout seconds
   Remarks: The default setting is 3 seconds.
4. Set the quiet timer for the servers.
   Command: timer quiet minutes
   Remarks: The default setting is 5 minutes.
5. Set the real-time accounting timer.
   Command: timer realtime-accounting minutes
   Remarks: The default setting is 12 minutes.
3. Specify a security policy server.
   Command: security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
   Remarks: By default, no security policy server is specified for a scheme. You can specify up to eight security policy servers for a RADIUS scheme.
Displaying and maintaining RADIUS
Execute display commands in any view and reset commands in user view.
Task: Display the RADIUS scheme configuration.
Specifying the HWTACACS authentication servers
You can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state. If redundancy is not required, specify only the primary server.
3. Specify HWTACACS authorization servers.
   Command:
   • Specify the primary HWTACACS authorization server: primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
   • Specify a secondary HWTACACS authorization server: secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: N/A
3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication.
   Command: key { accounting | authentication | authorization } { cipher | simple } string
   Remarks: By default, no shared key is specified. The shared key configured on the device must be the same as that configured on the HWTACACS server.
4. Set the data flow and packet measurement units for traffic statistics.
   Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
   Remarks: Optional. By default, traffic is counted in bytes and packets.
Specifying the source IP address for outgoing HWTACACS packets
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server.
Setting HWTACACS timers
The device uses the following timers to control communication with an HWTACACS server:
• Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval. The timer starts immediately after an HWTACACS authentication, authorization, or accounting request is sent. If the device does not receive a response from the server before the timer expires, it resends the request.
Configuring AAA methods for ISP domains
You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting. If you do not configure any AAA methods for an ISP domain, the device uses the system-defined AAA methods for users in the domain.
• Maximum number of online users—The device controls the number of online users in a domain to ensure the system performance and service reliability.
• Authorization attributes—The device assigns the authorization attributes in the ISP domain to the authenticated users who do not receive authorization attributes from the server.
An ISP domain attribute applies to all users in the domain.
To configure ISP domain attributes:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter ISP domain view.
   Command: domain isp-name
   Remarks: N/A
3. Specify the default authentication method for all types of users.
   Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
   Remarks: By default, the default authentication method is local.
If RADIUS authorization fails, the server sends an error message to the NAS, indicating that the server itself is not responding.
Configuration procedure
To configure authorization methods for an ISP domain:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter ISP domain view.
   Command: domain isp-name
   Remarks: N/A
3. Specify the default authorization method for all types of users.
3. Determine whether to configure the default accounting method for all access types or service types. The default accounting method applies to all access users, but it has a lower priority than the accounting method that is specified for an access type or service type.
Configuration guidelines
When configuring accounting methods, follow these guidelines:
• Login users who use FTP services do not support accounting.
• Local accounting does not provide statistics for charging.
Enabling the session-control feature
A RADIUS server running on IMC can use session-control packets to deliver disconnect or dynamic authorization change requests. This task enables the device to receive RADIUS session-control packets on UDP port 1812.
To enable the session-control feature:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the session-control feature.
   Command: radius session-control enable
   Remarks: By default, the session-control feature is disabled.
Authentication and authorization for SSH users by a RADIUS server
Network requirements
As shown in Figure 10, the RADIUS authentication and authorization server runs on IMC. Configure the router to use the RADIUS server for SSH user authentication and authorization and add an account with the username hello@bbb on the RADIUS server, so that the SSH user can log in to the router and is authorized with the network-operator user role after login.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router, which is chosen in this order on the router:
  - IP address specified by the nas-ip command
  - IP address specified by the radius nas-ip command
  - IP address of the outbound interface (the default)
Figure 11 Adding the router as an access device
# Add an account for device management.
Figure 12 Adding an account for device management
2. Configure the router:
# Assign an IP address to interface Ethernet 1/1, the SSH user access interface.
system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.1.70 255.255.255.0
[Router-Ethernet1/1] quit
# Assign an IP address to interface Ethernet 1/2, through which the router communicates with the server.
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 10.1.1.2 255.255.255.
[Router] role default-role enable
# Create a RADIUS scheme.
[Router] radius scheme rad
# Specify the primary authentication server.
[Router-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure communication with the server to expert in plain text.
[Router-radius-rad] key authentication simple expert
# Include the domain names in usernames sent to the RADIUS server.
system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.1.70 255.255.255.0
[Router-Ethernet1/1] quit
# Create local RSA and DSA key pairs.
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
Set the shared keys for secure HWTACACS communication to expert. Configure the router to send usernames without domain names to the HWTACACS server.
Figure 14 Network diagram
(Figure: HWTACACS server 10.1.1.1/24; Router with Eth1/2 10.1.1.2/24 and Eth1/1 192.168.1.70/24; SSH user 192.168.1.58/24; Internet.)
Configuration procedure
1. Configure the HWTACACS server:
# On the HWTACACS server, set the shared keys for secure communication with the router to expert, add an account for the SSH user, and specify the password.
[Router-hwtacacs-hwtac] quit
# Create ISP domain bbb and configure AAA methods for login users.
[Router] domain bbb
[Router-isp-bbb] authentication login hwtacacs-scheme hwtac
[Router-isp-bbb] authorization login hwtacacs-scheme hwtac
[Router-isp-bbb] accounting login hwtacacs-scheme hwtac
[Router-isp-bbb] quit
# Create local RSA and DSA key pairs.
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
• The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS.
• The user is configured on the RADIUS server.
• The correct password is entered.
• The same shared key is configured on both the RADIUS server and the NAS.
RADIUS packet delivery failure
Symptom
RADIUS packets cannot reach the RADIUS server.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
Troubleshooting HWTACACS
Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."
802.1X overview
802.1X is available only on the routers with Layer 2 Ethernet switching interface module installed. For more information about the Layer 2 Ethernet switching interface modules, see HP MSR Router Series Interface Module Guide.
802.1X is a port-based network access control protocol initially proposed for securing WLANs, and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
Figure 16 Authorization state of a controlled port
In the unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The HP devices support only unidirectional traffic control.
802.1X-related protocols
802.
Packet formats
EAP packet format
Figure 17 shows the EAP packet format.
Figure 17 EAP packet format
• Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the Code, Identifier, Length, and Data fields.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet.
Value  Type          Description
0x02   EAPOL-Logoff  The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.
Access device as the initiator
The access device initiates authentication, if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP.
A comparison of EAP relay and EAP termination
Packet exchange method: EAP relay
  Benefits:
  • Supports various EAP authentication methods.
  • The configuration and processing is simple on the network access device.
  Limitations: The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
Packet exchange method: EAP termination
  Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
  Limitations:
  • Supports only MD5-Challenge EAP
Figure 23 802.
9. The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
11.
Figure 24 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
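An added example (not HP's code) that walks the MD5 challenge handling from the EAP packet format and the steps above for both modes: the client's Response/MD5-Challenge, the server-side comparison of step 9, and the CHAP-Password and CHAP-Challenge attributes the access device forwards in EAP termination mode. The sample identifier, challenge, password and the username hello@bbb are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Dict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5_CHALLENGE = 4        # EAP method type for MD5-Challenge (RFC 3748)
RADIUS_USER_NAME, RADIUS_CHAP_PASSWORD, RADIUS_CHAP_CHALLENGE = 1, 3, 60


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The digest the client computes: MD5(Identifier || password || challenge).
    EAP-MD5 (relay mode) and CHAP (termination mode) share this construction."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    """EAP header from Figure 17: Code, Identifier, Length (header plus Data)."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_md5_challenge_response(identifier: int, password: bytes,
                                 challenge: bytes, name: bytes) -> bytes:
    """Client side: Response/MD5-Challenge carrying Value-Size, Value and Name."""
    value = md5_response(identifier, password, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return build_eap(2, identifier, type_data)


def parse_eap(packet: bytes) -> Dict:
    """Decode an EAP packet; the Data field exists only in Request/Response."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError(f"EAP Length {length} inconsistent with {len(packet)} bytes")
    info = {"code": code, "code_name": EAP_CODES[code],
            "identifier": identifier, "length": length}
    if code in (1, 2):
        data = packet[4:length]
        if not data:
            raise ValueError("Request/Response without a Type byte")
        info["type"] = data[0]
        if data[0] == EAP_TYPE_MD5_CHALLENGE:
            if len(data) < 2 or len(data) < 2 + data[1]:
                raise ValueError("truncated MD5-Challenge Value")
            size = data[1]
            info["value"] = data[2:2 + size]
            info["name"] = data[2 + size:]
        else:
            info["type_data"] = data[1:]
    return info


def verify_md5_challenge_response(response: bytes, expected_identifier: int,
                                  challenge: bytes, password: bytes) -> bool:
    """Step 9 on the server: recompute the digest for the challenge it issued
    and compare it with the received Value in constant time."""
    info = parse_eap(response)
    if info["code"] != 2 or info.get("type") != EAP_TYPE_MD5_CHALLENGE:
        return False
    if info["identifier"] != expected_identifier:
        return False                  # not a reply to the outstanding challenge
    expected = md5_response(info["identifier"], password, challenge)
    return hmac.compare_digest(info["value"], expected)


def termination_radius_attributes(response: bytes, challenge: bytes) -> Dict[int, bytes]:
    """EAP termination (Figure 24): the access device strips the EAP framing and
    forwards User-Name, CHAP-Password (Identifier || digest) and CHAP-Challenge
    as standard RADIUS attributes, so the server needs no EAP support."""
    info = parse_eap(response)
    if info.get("type") != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("only MD5-Challenge can be terminated into CHAP")
    return {RADIUS_USER_NAME: info["name"],
            RADIUS_CHAP_PASSWORD: bytes([info["identifier"]]) + info["value"],
            RADIUS_CHAP_CHALLENGE: challenge}


# Constructed sample exchange (not from the guide).
SAMPLE_ID = 0x2A
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = b"constructed-pw"
SAMPLE_RESPONSE = build_md5_challenge_response(SAMPLE_ID, SAMPLE_PASSWORD,
                                               SAMPLE_CHALLENGE, b"hello@bbb")

if __name__ == "__main__":
    print(parse_eap(SAMPLE_RESPONSE))
    print("valid:", verify_md5_challenge_response(SAMPLE_RESPONSE, SAMPLE_ID,
                                                   SAMPLE_CHALLENGE, SAMPLE_PASSWORD))
    print(termination_radius_attributes(SAMPLE_RESPONSE, SAMPLE_CHALLENGE))
```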
Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device.
You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port. It is described in "Configuring port security."
HP implementation of 802.1X
HP implements port-based access control as defined in the 802.
Tasks at a glance
(Optional.) Specifying a mandatory authentication domain on a port
(Optional.) Configuring the quiet timer
(Optional.) Enabling the periodic online user re-authentication function
Enabling 802.1X
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable 802.1X globally.
   Command: dot1x
   Remarks: By default, 802.1X is disabled globally.
3. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable 802.1X on a port.
   Command: dot1x
   Remarks: By default, 802.
Setting the port authorization state
The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:
• authorized-force—Places the port in the authorized state, enabling users on the port to access the network without authentication.
• unauthorized-force—Places the port in the unauthorized state, denying any access requests from users on the port.
2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Set the maximum number of concurrent 802.1X users on a port.
   Command: dot1x max-user user-number [ interface interface-list ]
   Remarks: By default, the maximum number of concurrent 802.1X users on a port is 256.
Configuring the online user handshake function
The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state. If the network has 802.
• Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the network access device can both initiate 802.1X authentication.
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.
Configuration procedure
To configure the authentication trigger function on a port:
1.
To configure the quiet timer:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the quiet timer.
   Command: dot1x quiet-period
   Remarks: By default, the timer is disabled.
3. (Optional.) Set the quiet timer.
   Command: dot1x timer quiet-period quiet-period-value
   Remarks: The default is 60 seconds.
Enabling the periodic online user re-authentication function
Periodic online user re-authentication tracks the connection status of online users, and updates the authorization attributes assigned by the server.
802.1X authentication configuration example

Network requirements

As shown in Figure 25, the access device performs 802.1X authentication for users that connect to port Ethernet 1/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users. Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. Configure the host at 10.1.1.
[Device-luser-network-localuser] quit
# Configure the idle cut function to log off any online user that has been idle for 20 minutes.
[Device-luser-localuser] authorization-attribute idle-cut 20
[Device-luser-localuser] quit
5. Configure a RADIUS scheme:
# Create the RADIUS scheme radius1 and enter its view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.
# Specify aabbcc.net as the mandatory domain.
[Device-Ethernet1/1] dot1x mandatory-domain aabbcc.net

Verifying the configuration

Use the display dot1x interface ethernet 1/1 command to verify the 802.1X configuration. After an 802.1X user passes authentication, you can use the display dot1x sessions command to view the user connection information.
Configuring MAC authentication

The MAC authentication feature is available only on the routers with Layer 2 Ethernet switching interface module installed. For more information about the Layer 2 Ethernet switching interface modules, see HP MSR Router Series Interface Module Guide.

Overview

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not have to enter a username and password for network access.
• If you configure MAC-based accounts, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.
• If you configure a shared account, the access device sends the shared account username and password to the RADIUS server for authentication.

For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA.
Step Command Remarks
3. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable MAC authentication on the port.
   Command: mac-authentication
   Remarks: By default, MAC authentication is disabled on a port.

Specifying a MAC authentication domain

By default, MAC authentication users are in the system default authentication domain.
Step Command Remarks
2. Configure the MAC authentication user account format.
   Command (use either method):
   • Use one MAC-based user account for each user: mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]
   • Use one shared user account for all users: mac-authentication user-name-format fixed [ account name ] [ password { cipher | simple } password ]
   Remarks: Use either method.
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Set the maximum number of concurrent MAC authentication users on the port.
   Command: mac-authentication max-user user-number
   Remarks: By default, the maximum number of concurrent MAC authentication users on the port is 256.

Configuring MAC authentication delay

When both 802.
Local MAC authentication configuration example

Network requirements

As shown in Figure 26, configure local MAC authentication on port GigabitEthernet 1/1 to control Internet access, as follows:
• Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails authentication, deny the user for 180 seconds.
• Configure all users to belong to the ISP domain aabbcc, and specify local authentication for users in the domain.
# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

Verifying the configuration

# Display MAC authentication settings and statistics.
Figure 27 Network diagram

Configuration procedure

1. Make sure the RADIUS server and the access device can reach each other.
2. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
3. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.
# Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456

Verifying the configuration

# Display MAC authentication settings and statistics.
Configuring password control

Overview

Password control refers to a set of functions provided by the device to manage login and super password setup, expirations, and updates for device management users, and to control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users. For more information about local users, see "Configuring AAA.
configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
• A character or number cannot be repeated three or more times consecutively. For example, password a111 is not complex enough.
the history records by at least four characters and the four characters must be different from one another. Otherwise, the system will display an error message, and the password will not be changed. You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.
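The complexity and history rules described above can be expressed as a small checker. The following Python is an added example written for this page; it is not HP code and not output from the device. It models the rules as the text states them: the username and its reverse must not appear in the password, no character may repeat three or more times in a row, a minimum length applies, composition is expressed as type-number/type-length in the sense of the password-control composition command, and a new password must contain at least four new, mutually distinct characters compared with each history record. The four character types (uppercase, lowercase, digits, other) and that reading of "differ by at least four characters" are assumptions of the example, as are the default thresholds.

```python
"""Model of the password-control checks described above (added example, not HP code)."""


def composition_counts(pw: str) -> dict:
    """Count characters per type. The four types are an assumption of this example."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in pw:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def has_run_of_three(pw: str) -> bool:
    """True if any character appears three or more times consecutively (e.g. 'a111')."""
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def contains_username(pw: str, username: str) -> bool:
    """True if the password contains the username or its reverse (case-insensitive)."""
    p, u = pw.lower(), username.lower()
    return u in p or u[::-1] in p


def new_distinct_chars(pw: str, old_pw: str) -> int:
    """Number of distinct characters in pw that do not occur anywhere in old_pw."""
    return len({ch for ch in pw if ch not in old_pw})


def check_password(pw, username, history=(), min_length=16, type_number=4, type_length=5):
    """Return a list of policy violations; an empty list means the password is accepted."""
    errors = []
    if len(pw) < min_length:
        errors.append(f"shorter than {min_length} characters")
    if contains_username(pw, username):
        errors.append("contains the username or its reverse")
    if has_run_of_three(pw):
        errors.append("a character is repeated three or more times consecutively")
    # Composition: at least type_number types, each with at least type_length characters
    qualifying_types = sum(1 for n in composition_counts(pw).values() if n >= type_length)
    if qualifying_types < type_number:
        errors.append(f"fewer than {type_number} character types with {type_length}+ characters each")
    for old in history:
        if pw == old:
            errors.append("identical to a history record")
            break
        if new_distinct_chars(pw, old) < 4:
            errors.append("fewer than four new distinct characters compared with a history record")
            break
    return errors


if __name__ == "__main__":
    # Constructed inputs for the local user 'test' used in the configuration example
    for candidate in ("ABCDEfghij12345!@#$%", "test1111aaaaBBBB"):
        print(candidate, "->", check_password(candidate, "test") or "accepted")
```

The defaults (16 characters, 4 types with 5 characters each) mirror the policy configured later in this chapter for the local user test; pass different values to model another policy.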
FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Password control configuration task list

The password control functions can be configured in several different views, and different views support different functions.
Step Command Remarks
2. Enable the global password control feature.
   Command: password-control enable
   Remarks: By default, the global password control feature is disabled.
3. (Optional.) Enable a specific password control function.
   Command: password-control { aging | composition | history | length } enable
   Remarks: By default, all four password control functions are enabled.
Step Command Remarks
Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.
Set the number of days during which a user is notified of the pending password expiration.
Setting local user password control parameters

Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a device management user and enter local user view.
   Command: local-user user-name class manage
   Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users. For information about how to configure a local user, see "Configuring AAA."
3. 4. 5. Configure the password expiration time for the local user.
To set super password control parameters:
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the password expiration time for super passwords.
   Command: password-control super aging aging-time
   Remarks: The default setting is 90 days.
3. Configure the minimum length for super passwords.
   Command: password-control super length length
   Remarks:
   • In non-FIPS mode, the default setting is 10 characters.
   • In FIPS mode, the default setting is 15 characters.
• A password expires after 30 days.
• The minimum password update interval is 36 hours.
• The maximum account idle time is 30 days.
• A password cannot contain the username or the reverse of the username.
• No character appears consecutively three or more times in a password.

Configure a super password control policy for user role network-operator to meet the following requirements:
• A super password must contain at least four character types and at least five characters for each type.
[Sysname-luser-manage-test] password-control length 16
# Specify that the password of the local user must contain at least four character types and at least five characters for each type.
[Sysname-luser-manage-test] password-control composition type-number 4 type-length 5
# Set the password for the local user to expire after 20 days.
[Sysname-luser-manage-test] password-control aging 20
# Configure the password of the local user in interactive mode.
User role list: network-operator
Password control configurations:
  Password aging: Enabled (20 days)
  Password length: Enabled (16 characters)
  Password composition: Enabled (4 types, 5 characters per type)
Managing public keys

Overview

This chapter describes public key management for the asymmetric key algorithms including the Rivest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, such as SSH and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 28.
Creating a local key pair

Configuration guidelines

When you create a local key pair, follow these guidelines:
• The key algorithm must be the same as required by the security application.
• The key modulus length must be appropriate (see Table 6). The longer the key modulus length, the higher the security, the longer the key generation time.
• If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
Step Command Remarks
2. Create local DSA or RSA key pairs.
   Command: public-key local create { dsa | ecdsa | rsa } [ name key-name ]
   Remarks: By default, no local key pair exists.

Distributing a local host public key

You must distribute a local host public key to a peer device so the peer device can use the public key to encrypt information sent to the local device or authenticate the digital signature signed by the local device.

To distribute a local host public key:
1. Record the key or export the key to a file
2.
Step Command Remarks
1. Enter system view.
   Command: system-view
2. Display local host public keys in a specific format.
   Command:
   • Display RSA host public keys: {
Configuring a peer public key

To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the public key of the peer device on the local device.

Table 7 Peer public key configuration methods
Method: Import the peer public key from a public key file (recommended)
Prerequisites:
3. Save the host public key in a file on the peer device.
4. Get the file from the peer device, for example, by using FTP or TFTP in binary mode.
Displaying and maintaining public keys

Execute display commands in any view.
Task Command
Display local public keys.
   Command: display public-key local { dsa | ecdsa | rsa } public [ name key-name ]
Display peer public keys.
   Command: display public-key peer [ brief | name publickey-name ] [ name key-name ]

Example for inputting a peer public key

Network requirements

As shown in Figure 29, to prevent illegal access, Device B authenticates Device A through a digital signature.
Time when key pair created: 16:48:31 2011/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 16:48:3
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001

Example for importing a public key from a public key file

Network requirements

In Figure 30, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
CB47440AF6BB25ACA50203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2011/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
AC41C80A15953FB22AA30203010001
# Export the RSA host public key to the file devicea.pub.
[DeviceB] display public-key peer name devicea
=============================================
Key name: devicea
Key type: RSA
Key modulus: 1024
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
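The Key code shown by display public-key is the DER encoding of an X.509 SubjectPublicKeyInfo structure, which is why the key entered on Device B can be checked independently before the peer is trusted. The Python below is an added example for this page, not HP code: it decodes the host key code printed above with a minimal DER reader, confirms the algorithm OID is rsaEncryption, recovers the modulus and public exponent, and derives a SHA-256 fingerprint of the DER bytes that an operator can compare out of band when distributing a host public key. The fingerprint format (colon-separated SHA-256) is this example's choice, not a format the device prints.

```python
"""Decode the RSA 'Key code' from display public-key (added example, not HP code)."""
import binascii
import hashlib

# Host public key of Device A, copied from the display output above.
HOST_KEY_HEX = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B"
    "8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E"
    "45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257"
    "6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788"
    "CB47440AF6BB25ACA50203010001"
)

OIDS = {"2a864886f70d010101": "rsaEncryption"}  # 1.2.840.113549.1.1.1


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(hexstr: str) -> dict:
    """Parse SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    der = binascii.unhexlify(hexstr.replace(" ", "").replace("\n", ""))
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)          # AlgorithmIdentifier SEQUENCE
    tag_oid, oid, _ = read_tlv(alg, 0)         # OBJECT IDENTIFIER
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, bits, _ = read_tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    tag, rsa, _ = read_tlv(bits, 1)            # skip the unused-bits octet
    tag_n, n_bytes, pos = read_tlv(rsa, 0)     # INTEGER modulus
    tag_e, e_bytes, _ = read_tlv(rsa, pos)     # INTEGER publicExponent
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "algorithm": OIDS.get(oid.hex(), oid.hex()),
        "modulus": modulus,
        "modulus_bits": modulus.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
    }


def fingerprint(hexstr: str) -> str:
    """SHA-256 over the DER bytes, colon separated (format chosen for this example)."""
    der = binascii.unhexlify(hexstr.replace(" ", "").replace("\n", ""))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    info = parse_rsa_spki(HOST_KEY_HEX)
    print(info["algorithm"], info["modulus_bits"], "bits, e =", info["exponent"])
    print("SHA256", fingerprint(HOST_KEY_HEX))
```

Running it against the key above reports a 1024-bit rsaEncryption key with exponent 65537, matching the Key modulus line in the display output on Device B.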
Configuring PKI

Overview

Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key.
CA policy

A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in a certification practice statement (CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies.
PKI operation

The following describes how a PKI entity requests a local certificate from a CA, and how an RA is involved in entity enrollment:
1. A PKI entity submits a certificate request to the RA.
2. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA.
3. The CA verifies the digital signature, approves the request, and issues a certificate.
4.
Figure 32 PKI support for MPLS L3VPN

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

PKI configuration task list

Tasks at a glance
(Required.) Configuring a PKI entity
(Required.) Configuring a PKI domain
(Required.) Requesting a certificate
  • Configuring automatic certificate request
  • Manually requesting a certificate
(Optional.
• FQDN of the entity.
• IP address of the entity.

Whether the categories are required or optional depends on the CA policy. Follow the CA policy to configure the entity settings. For example, if the CA policy requires the entity DN, but you configure only the IP address, the CA rejects the certificate request from the entity. The SCEP add-on on the Windows 2000 CA server has restrictions on the data length of a certificate request.
If you do not specify the fingerprint for the PKI domain, the system asks you to verify the fingerprint manually. For an obtained CA root certificate in an automatic local certificate request process that IKE triggers, if its fingerprint does not match the one configured for the PKI domain, the device rejects the root certificate, and the local certificate request fails. If you do not specify the fingerprint for the PKI domain, the local certificate request fails.
Step Command Remarks
9. Specify the fingerprint for root certificate verification.
   Command:
   • In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string
   • In FIPS mode: root-certificate fingerprint sha1 string
   Remarks: Optional if you manually request local certificates.
10. Specify the key pair for certificate request.
   Command:
   • Specify an RSA key pair:
To submit a certificate request in offline mode:
a. Use pki request-certificate domain pkcs10 to print the request information on the terminal or use pki request-certificate domain pkcs10 filename to save the request information to a local file.
b. Send the printed information or the saved file to the CA by an out-of-band means to submit the request.

Online mode—A certificate request can be automatically or manually submitted. The following sections describe the online request mode.
Manually requesting a certificate

IMPORTANT:
Before you manually request a certificate, make sure the system time of the device is synchronized with the CA server. Otherwise, the device might fail to request the certificate because it regards the certificate out of the validity period. For information about how to change the system time, see Fundamentals Configuration Guide.
Aborting a certificate request

Before the CA issues a certificate, you can abort a certificate request to change some parameters, such as the common name, country code, and FQDN, in the certificate request. You can use display pki certificate request-status to display the certificate request status. Alternatively, you can also remove the PKI domain to abort the certificate request.

To abort a certificate request:
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
• If a PKI domain already has local or peer certificates, you can still perform the obtain operation, and the obtained local or peer certificates overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption.
• If CRL checking is enabled, CRL checking is triggered when you obtain a certificate. If the certificate to be obtained has been revoked, the certificate cannot be obtained.
Step Command Remarks
3. (Optional.) Specify the URL of the CRL repository.
   Command: crl url url-string [ vpn-instance vpn-instance-name ]
   Remarks: By default, the URL of the CRL repository is not specified.
4. Enable CRL checking.
   Command: crl check enable
   Remarks: By default, CRL checking is enabled.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Obtain the CA certificate.
   Command: See "Obtaining certificates."
   Remarks: N/A
7. (Optional.) Obtain the CRL and save it locally.
   Command: pki retrieve-crl domain domain-name
8.
After you change the storage path for the certificates or CRLs, the certificate files (with the file extension .cer or .p12) and CRL files (with the extension .crl) in the original path are moved to the new path.

To specify the storage path for the certificates and CRLs:
Task Command
Specify the storage path for the certificates and CRLs.
Removing a certificate

CAUTION:
When you remove the CA certificate in a domain, the system also removes the local certificates, peer certificates, and CRLs in the same PKI domain.

Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private key is compromised, do the following tasks:
1. Remove the local certificate.
2. Use public-key local destroy to destroy the existing local key pair.
3. Use public-key local create to generate a new key pair.
4.
To configure a certificate access control policy:
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a certificate attribute group and enter its view.
   Command: pki certificate attribute-group group-name
   Remarks: By default, no certificate attribute group exists.
3. (Optional.) Configure an attribute rule for issuer name, subject name, or alternative subject name.
If you use RSA Keon, the SCEP add-on is not required. When you configure a PKI domain, you must use the certificate request from ca command to specify the CA to accept certificate requests for PKI entity enrollment to a CA.

Certificate request from an RSA Keon CA server

Network requirements

Configure the PKI entity (the device) to request a local certificate from the CA server.

Figure 33 Network diagram

Configuring the CA server

1.
[Device-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
# Specify the CA for accepting certificate requests.
[Device-pki-domain-torsa] certificate request from ca
# Specify the PKI entity name as aaa.
[Device-pki-domain-torsa] certificate request entity aaa
# Specify the URL of the CRL repository.
[Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.
OU=test
CN=myca
Validity
  Not Before: Aug 24 09:06:29 2011 GMT
  Not After : Aug 23 09:06:29 2012 GMT
Subject: CN=Device
Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (1024 bit)
  Modulus (1024 bit):
    00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0
    EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61
    D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094
    73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6
Figure 34 Network diagram

Configuring the CA server

1. Install the certificate service component:
a. Select Control Panel > Add or Remove Programs from the start menu.
b. Select Add/Remove Windows Components > Certificate Services.
c. Click Next to begin the installation.
d. Set the CA name. In this example, set the CA name to myca.
2. Install the SCEP add-on:
The Windows 2003 server does not support SCEP by default.
[Device] pki domain winserver
# Specify the name of the trusted CA as myca.
[Device-pki-domain-winserver] ca identifier myca
# Configure the URL of the registration server in the form of http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number of the CA server.
[Device-pki-domain-winserver] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
# Specify the RA to accept certificate requests.
Issuer: CN=myca
Validity
  Not Before: Aug 24 09:06:29 2011 GMT
  Not After : Aug 23 09:06:29 2012 GMT
Subject: CN=test
Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (1024 bit)
  Modulus (1024 bit):
    00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113
    0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5
    1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306
    81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F
Certificate request from an OpenCA server

Network requirements

Configure the PKI entity (the device) to request a local certificate from the CA server.

Figure 35 Network diagram

Configuring the CA server

The configuration is not shown. For information about how to configure an OpenCA server, see related manuals. When you configure the CA server, use the OpenCA version later than version 0.9.2 because the earlier versions do not support SCEP.

Configuring the device

1.
4. Generate a local RSA key pair.
[Device] public-key local create rsa name abc
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
5. Request a local certificate:
# Obtain the CA certificate and save it locally.
    0d:f7:64:cf:0a:dd:39:49:d7:3f:25:35:18:f4:1c:
    59:46:2b:ec:0d:21:1d:00:05:8a:bf:ee:ac:61:03:
    6c:1f:35:b5:b4:cd:86:9f:45
  Exponent: 65537 (0x10001)
X509v3 extensions:
  X509v3 Basic Constraints: CA:FALSE
  Netscape Cert Type: SSL Client, S/MIME
  X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
  X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
  Netscape Comment: User Certificate of OpenCA Labs
  X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE
    81:99:31:89

To display detailed information about the CA certificate, use the display pki certificate domain command.

IKE negotiation with RSA digital signature from a Windows 2003 CA server

Network requirements

Device A and Device B establish an IPsec tunnel to protect the traffic between Host A on subnet 10.1.1.0/24 and Host B on subnet 1.1.1.0/24. Device A and Device B use IKE to set up SAs, and the IKE proposal uses RSA digital signature for identity authentication.
[DeviceA-pki-entity-en] quit
# Configure a PKI domain.
[DeviceA] pki domain 1
[DeviceA-pki-domain-1] ca identifier CA1
[DeviceA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
[DeviceA-pki-domain-1] certificate request entity en
[DeviceA-pki-domain-1] ldap-server host 1.1.1.102
# Specify the RA to accept certificate requests.
[DeviceA-pki-domain-1] certificate request from ra
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[DeviceB-pki-domain-1] certificate request entity en
[DeviceB-pki-domain-1] ldap-server host 1.1.1.102
# Specify the RA to accept certificate requests.
[DeviceB-pki-domain-1] certificate request from ra
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[DeviceB-pki-domain-1] public-key rsa general name abc length 1024
[DeviceB-pki-domain-1] quit
# Generate a local RSA key pair.
Figure 37 Network diagram

Configuration procedure

1. Export the certificate on Device A to specified files:
# Export the CA certificate to a file named pkicachain.pem in PEM format.
system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
[DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename pkilocal.
Bag Attributes
  friendlyName:
  localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11
issuer=/C=CN/L=shangdi/ST=beijing/O=OpenCA Labs/OU=docm/CN=subca1
-----BEGIN CERTIFICATE-----
MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD
…
-----END CERTIFICATE-----
Bag Attributes
  friendlyName:
  localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8
Key Attributes:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBA
Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1
Validity
  Not Before: May 26 05:56:49 2011 GMT
  Not After : Nov 22 05:56:49 2012 GMT
Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11
Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (1024 bit)
  Modulus:
    00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63:
    ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:f5:00:
    ee:a3:aa:03:cb:b3:49:c4:f8:ae
Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.
    CA:FALSE
  Netscape Cert Type: SSL Server
  X509v3 Key Usage: Key Encipherment, Data Encipherment
  Netscape Comment: VPN Server of OpenCA Labs
  X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB
  X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
  X509v3 Subject Alternative Name: email:subencr@docm.com
  X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.
Troubleshooting PKI configuration

This section describes common PKI problems and how to troubleshoot them.

Failed to obtain the CA certificate

Symptom
The CA certificate cannot be obtained.

Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No trusted CA is specified.
• The URL of the registration server is not correct or not specified.
• The system time of the device is not synchronized with the CA server.
Solution
1. Make sure the network connection is physically proper.
2. Obtain or import the CA certificate.
3. Configure the correct LDAP server.
4. Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificates to be obtained.
5. Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity.
6. Obtain CRLs.
7.
9. Synchronize the system time of the device with the CA server.

Failed to obtain CRLs

Symptom
CRLs cannot be obtained.

Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No CA certificate has been obtained before you try to obtain CRLs.
• The URL of the CRL repository is not configured, and the proper URL cannot be obtained from the CA certificate or local certificates in the PKI domain.
Solution
1. Use undo crl check enable to disable CRL checking.
2. Make sure the format of the imported file is proper.

Failed to import a local certificate

Symptom
A local certificate cannot be imported.

Analysis
• The PKI domain has no CA certificate, and the certificate file to be imported does not contain the CA certificate chain.
• CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained.
• The specified format does not match the actual format of the imported file.
2. Use mkdir to create the required path.
3. Specify a correct export path.
4. Configure the proper key pair in the PKI domain.
5. Clear up the disk space of the device.

Failed to set the storage path

Symptom
The storage path for certificates or CRLs cannot be set.

Analysis
• The specified storage path does not exist.
• The specified storage path is illegal.
• The disk space is full.

1. Use mkdir to create the path.
2. Specify the correct storage path for certificates or CRLs.
3.
Configuring IPsec

Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS."

CAUTION:
If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order.
Security protocols and encapsulation modes

Security protocols

IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide.
• AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure 40. AH can provide data origin authentication, data integrity, and anti-replay services to prevent data tampering, but it cannot prevent eavesdropping.
Figure 40 shows how the security protocols encapsulate an IP packet in different encapsulation modes.

Figure 40 Security protocol encapsulations in different modes
Mode       Protocol   Encapsulation
Transport  AH         IP | AH | Data
Transport  ESP        IP | ESP | Data | ESP-T
Transport  AH-ESP     IP | AH | ESP | Data | ESP-T
Tunnel     AH         IP | AH | IP | Data
Tunnel     ESP        IP | ESP | IP | Data | ESP-T
Tunnel     AH-ESP     IP | AH | ESP | IP | Data | ESP-T

Security association

A security association (SA) is an agreement negotiated between two communicating parties called "IPsec peers.
receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid. IPsec uses the Hash-based Message Authentication Code (HMAC) based authentication algorithms, including HMAC-MD5 and HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure.

Encryption algorithms

IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys.
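The digest comparison described above is the Integrity Check Value (ICV) carried in the AH header or ESP trailer. The Python below is an added example for this page, not HP code or device output: it computes the ICV the way HMAC-MD5-96 and HMAC-SHA1-96 do (the HMAC output truncated to 96 bits, as specified in RFC 2403 and RFC 2404), verifies it on the receiving side with a constant-time comparison, and shows that a single flipped bit in the protected data, or a wrong shared key, fails the check. The key and payload are constructed sample values; in a real tunnel they come from IKE or manual keying and from the actual packet.

```python
"""HMAC-based integrity check as used by AH and ESP (added example, not HP code)."""
import hashlib
import hmac

# Constructed sample values standing in for an IPsec authentication key and the
# authenticated portion of a packet.
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef0123456789abcdef")  # constructed
PAYLOAD = b"\x45\x00\x00\x54" + b"example payload protected by IPsec"       # constructed

ICV_LEN = 12  # HMAC-MD5-96 / HMAC-SHA1-96 truncate the MAC to 96 bits


def compute_icv(key: bytes, data: bytes, algorithm: str = "sha1") -> bytes:
    """Sender side: HMAC over the protected data, truncated to 96 bits."""
    return hmac.new(key, data, getattr(hashlib, algorithm)).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes, algorithm: str = "sha1") -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(compute_icv(key, data, algorithm), icv)


def demo() -> dict:
    """Show an intact packet passing and a tampered packet or wrong key failing."""
    icv = compute_icv(KEY, PAYLOAD)
    tampered = PAYLOAD[:-1] + bytes([PAYLOAD[-1] ^ 0x01])  # flip one bit of the data
    return {
        "icv_len": len(icv),
        "intact_ok": verify_icv(KEY, PAYLOAD, icv),
        "tampered_ok": verify_icv(KEY, tampered, icv),
        "wrong_key_ok": verify_icv(b"some-other-key", PAYLOAD, icv),
        "md5_icv_len": len(compute_icv(KEY, PAYLOAD, "md5")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both algorithms produce a 12-byte ICV on the wire; the difference the text points to (MD5 faster, SHA1 stronger) lies in the underlying hash, not in the check itself.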
encapsulated with IPsec. When the interface receives an IPsec packet whose destination address is the IP address of the local device, it searches for the inbound IPsec SA according to the SPI carried in the IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet. The device supports the following data flow protection modes: • Standard mode—One IPsec tunnel protects one data flow.
Figure 41 IPsec RRI network diagram (IPsec tunnels terminating on the enterprise center gateway)

IPsec Reverse Route Inject (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or peer IPsec tunnel gateways to a routing table. As shown in Figure 41, you can enable IPsec RRI on the gateway at the enterprise center. After an IPsec tunnel is established, the gateway automatically adds a static route to the routing table, which can be queried like any other routing entry.
IPsec tunnels can be established in different methods. Choose a proper method to establish IPsec tunnels according to your network conditions: • ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network.
Configuring an ACL IPsec uses ACLs to identify the traffic to be protected. To use IPsec to protect VPN traffic, specify the VPN parameters in the ACL rules. Keywords in ACL rules An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec.
#
ipsec policy testa 1 isakmp        <--- IPsec policy entry with a higher priority
 security acl 3000
 ike-profile aa
 transform-set 1
#
ipsec policy testa 2 isakmp        <--- IPsec policy entry with a lower priority
 security acl 3001
 ike-profile bb
 transform-set 1
• IPsec configurations on Router B:
acl number 3001
 rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.
Figure 42 Mirror image ACLs If the ACL rules on IPsec peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met: • The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 43, the range specified by the ACL rule configured on Router A is covered by its counterpart on Router B. • The peer with the narrower rule initiates SA negotiation.
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create an IPsec transform set and enter its view.
   Command: ipsec transform-set transform-set-name
   Remarks: By default, no IPsec transform set exists.
Step 3. Specify the security protocol for the IPsec transform set.
   Command: protocol { ah | ah-esp | esp }
   Remarks: Optional. By default, the IPsec transform set uses ESP as the security protocol.
   • (In non-FIPS mode.
Step 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
   Command:
   • In non-FIPS mode:
   • In FIPS mode:
   Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder.
Step 3. (Optional.) Configure a description for the IPsec policy.
   Command: description text
   Remarks: By default, no description is configured.
Step 4. Specify an ACL for the IPsec policy.
   Command: security acl [ ipv6 ] { acl-number | name acl-name }
   Remarks: By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL.
Step 5. Specify an IPsec transform set for the IPsec policy.
   Command: transform-set transform-set-name
   Remarks: By default, an IPsec policy references no IPsec transform set.
Step 8. Configure keys for the IPsec SA.
   Command (use the form that matches the protocol and key format):
   • Configure an authentication key in hexadecimal format for AH:
     sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
   • Configure an authentication key in character format for AH:
     sa string-key { inbound | outbound } ah { cipher | simple } key-value
   • Configure a key in character
• An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped. • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder.
Step 7. Specify the local IP address of the IPsec tunnel.
   Command: local-address { ipv4-address | ipv6 ipv6-address }
   Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of that interface. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.
Step 8.
Step 2. Create an IPsec policy template and enter its view.
   Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number
   Remarks: By default, no IPsec policy template exists.
Step 3. (Optional.) Configure a description for the IPsec policy template.
   Command: description text
   Remarks: By default, no description is configured.
Step 4. (Optional.) Specify an ACL for the IPsec policy template.
Step 13. (Optional.) Enable the global IPsec SA idle timeout function, and set the global SA idle timeout.
   Command: ipsec sa idle-time seconds
   Remarks: By default, the global IPsec SA idle timeout function is disabled.
Step 14. Create an IPsec policy by referencing the IPsec policy template.
   Command: ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
   Remarks: By default, no IPsec policy exists.
To enable ACL checking for de-encapsulated packets:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable ACL checking for de-encapsulated packets.
   Command: ipsec decrypt-check enable
   Remarks: By default, this feature is enabled.

Configuring the IPsec anti-replay function

The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window.
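To make the sliding-window behaviour concrete, here is an added Python example (not from the guide, and not the device's implementation) of a 64-bit anti-replay window in the style of RFC 4303 Appendix A: a packet to the right of the window advances it, a packet inside the window is accepted once and rejected on repeat, and a packet to the left of the window is dropped as too old. The sequence numbers fed to it are constructed; the window is assumed to be updated only after the packet's integrity check has passed, and 32-bit wrap and extended sequence numbers are not modelled.

```python
"""Added example (not from the HP guide): an ESP/AH anti-replay sliding window
in the style of RFC 4303 Appendix A, using a 64-packet window like the guide's
"Anti-replay window size: 64" output.

accept(seq) returns True if the packet passes the replay check (and records
it), False if it is a replay, too old for the window, or has an invalid
sequence number.  Callers must only call accept() for packets whose ICV has
already been verified, otherwise an attacker could advance the window.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (top - i) was received
        self._mask = (1 << size) - 1

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False                            # sequence number 0 is never valid
        if seq > self.top:                          # right of the window: slide it
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                     # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                            # left of the window: too old
        bit = 1 << offset
        if self.bitmap & bit:
            return False                            # already received: replay
        self.bitmap |= bit                          # inside the window, first time
        return True


def replay_decisions(seqs, size: int = 64):
    """Run received sequence numbers through one window and return the
    per-packet verdicts (True = accepted, False = dropped)."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: duplicate of 1 and 3 are replays, 36 has
    # fallen out of the 64-packet window once 100 has been accepted.
    for seq, ok in zip([1, 1, 5, 3, 3, 100, 36, 37],
                       replay_decisions([1, 1, 5, 3, 3, 100, 36, 37])):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```

Note the trade-off the window size controls: a larger window tolerates more reordering (relevant to the QoS caution at the start of this chapter, since queueing can reorder packets of one SA) at the cost of a larger bitmap per inbound SA.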
respectively. When one interface fails and a link failover occurs, the other interface needs to take some time to re-negotiate SAs, resulting in service interruption. To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.
Enabling logging of IPsec packets

Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, the SPI value, and the sequence number of a discarded IPsec packet, and the reason for the failure.

To enable the logging of IPsec packets:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2.
Step 3. Configure the DF bit of IPsec packets on the interface.
   Command: ipsec df-bit { clear | copy | set }
   Remarks: By default, the interface uses the global DF bit setting.

To configure the DF bit of IPsec packets globally:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Configure the DF bit of IPsec packets globally.
   Command: ipsec global-df-bit { clear | copy | set }
   Remarks: By default, IPsec copies the DF bit in the original IP header to the new IP header.
Step 2. Enter IPsec policy view or IPsec policy template view.
   Command (use either):
   • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number isakmp
   • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number
   Remarks: Use either command.
Step 3. Enable IPsec RRI.
   Command: reverse-route dynamic
   Remarks: By default, IPsec RRI is disabled. IPsec RRI is supported in both tunnel mode and transport mode.
Step 4. (Optional.
• The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. • The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the key at one end is entered as a string of characters, the key on the other end must also be entered as a string of characters.
Configuring SNMP notifications for IPsec After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important events of the module. The notifications are sent to the SNMP module of the device. You can decide how the SNMP module outputs notifications by configuring the notification transmission parameters for the SNMP module. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
Task: Clear IPsec statistics.
   Command: reset ipsec statistics [ tunnel-id tunnel-id ]

IPsec configuration examples

Configuring a manual mode IPsec tunnel for IPv4 packets

Network requirements
As shown in Figure 44, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
# Specify the ESP encryption and authentication algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy named map1, with the sequence number as 10.
[RouterA] ipsec policy map1 10 manual
# Apply ACL 3101.
[RouterA-ipsec-policy-manual-map1-10] security acl 3101
# Apply the IPsec transform set tran1.
# Create a manual IPsec policy named use1, with the sequence number as 10.
[RouterB] ipsec policy use1 10 manual
# Apply ACL 3101.
[RouterB-ipsec-policy-manual-use1-10] security acl 3101
# Apply IPsec transform set tran1.
[RouterB-ipsec-policy-manual-use1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.2.1.
[RouterB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
# Configure the inbound and outbound SPIs for ESP.
[Outbound ESP SA]
SPI: 12345 (0x00003039)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA

Configuring an IKE-based IPsec tunnel for IPv4 packets

Network requirements
As shown in Figure 45, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[RouterA] ike keychain keychain1
# Specify the plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 2.2.3.1.
[RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[RouterA-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Path MTU: 1443
Tunnel:
  local address: 2.2.3.1
  remote address: 2.2.2.1
Flow:
  sour addr: 2.2.3.1/0.0.0.0 port: 0 protocol: IP
  dest addr: 2.2.2.1/0.0.0.
Figure 46 Network diagram (Router A: 111::1/64 toward the Internet, 333::1/64 toward Host A 333::3/64; Router B: 222::1/64 toward the Internet, 555::1/64 toward Host B 555::5/64)

Configuration procedure
1. Configure Router A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Define an ACL to identify data flows from subnet 333::/64 to subnet 555::/64.
# Apply IPv6 ACL 3101.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 111::1 and 222::1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1
# Apply the IKE profile profile1.
# Create an IKE-based IPsec policy named use1, with the sequence number as 10.
[RouterB] ipsec ipv6-policy use1 10 isakmp
# Apply ACL 3101.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2300/797
Max received sequence-number: 1
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: active
[Outbound ESP SAs]
SPI: 3840956402 (0xe4f057f2)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2312/797
Max sent sequence-number: 1
UDP encaps
# Configure basic RIPng.
system-view
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ripng 1 enable
[RouterA-Ethernet1/1] quit
# Create and configure the IPsec transform set named tran1.
[RouterB-ipsec-profile-profile001] transform-set tran1
[RouterB-ipsec-profile-profile001] sa spi outbound esp 123456
[RouterB-ipsec-profile-profile001] sa spi inbound esp 123456
[RouterB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
[RouterB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
[RouterB-ipsec-profile-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[RouterB] ripng 1
[RouterB-ripng-1] enable ipsec-profile profile001
[RouterB-ripng-1] quit
3.
Preference : 100
Checkzero : Enabled
Default Cost : 0
Maximum number of balanced paths : 8
Update time : 30 sec(s)
Suppress time : 120 sec(s)
Timeout time : 180 sec(s)
Garbage-Collect time : 120 sec(s)
Number of periodic updates sent : 186
Number of trigger updates sent : 1
IPsec profile name: profile001
# Use the display ipsec sa command to display the established IPsec SAs.
Figure 48 Network diagram (Enterprise Center: Router A, Eth1/1 1.1.1.1/24 toward the Internet, Eth1/2 4.4.4.1/24 toward Host A; Branch: Router B, Eth1/1 2.2.2.2/24 toward the Internet, Eth1/2 5.5.5.1/24 toward Host B; Router C and Router D are further branch gateways)

Configuration procedure
1. Assign IPv4 addresses to the interfaces on the routers according to Figure 48. (Details not shown.)
2.
# Create an IKE keychain named key1 and specify the plaintext 123 as the pre-shared key to be used with the remote peer at 2.2.2.2.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[RouterA-ike-keychain-key1] quit
# Apply the IPsec policy map1 to interface Ethernet1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipsec apply policy map1
[RouterA-Ethernet1/1] quit
3.
Make sure Router B has a route to the peer private network, with the outgoing interface as Ethernet1/1.
4. Configure Router C and Router D in the same way Router B is configured.
5. Verify the configuration:
Send traffic from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B.
# Display IPsec information on Router A.
The output shows that IPsec SAs are established.
# Display the routing table on Router A.
[RouterA] display ip routing-table
Destination/Mask    Proto    Pre   Cost    NextHop     Interface
5.5.5.0/24          static   100   1000    2.2.2.2     Eth1/1
The output shows that a correct static route is created by IPsec RRI. After the IPsec tunnels are established between Router A and Router C and Router D, the associated static routes are also created on Router A. (Details not shown.
Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS." Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the configuration and maintenance of IPsec.
2. Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs. Figure 50 IKE exchange process in main mode As shown in Figure 50, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number.
authentication method can simplify the configuration because only one PKI domain is required. If you use the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node. DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys.
Tasks at a glance:
(Optional.) Configuring the global identity information
(Optional.) Configuring the IKE keepalive function
(Optional.) Configuring the IKE NAT keepalive function
(Optional.) Configuring IKE DPD
(Optional.) Enabling invalid SPI recovery
(Optional.) Setting the maximum number of IKE SAs
(Optional.) Configuring SNMP notifications for IKE

Configuring an IKE profile

An IKE profile is intended to provide a set of parameters for IKE negotiation.
a. First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority. b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority. c. If a tie still exists, the device prefers an IKE profile configured earlier. To configure an IKE profile: Step Command Remarks 1. Enter system view. system-view N/A 2.
Step 8. (Optional.) Configure IKE DPD.
   Command: dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
   Remarks: By default, the IKE DPD function is not configured for an IKE profile, and an IKE profile uses the DPD settings configured in system view. If the IKE DPD function is not configured in system view either, the device does not perform dead IKE peer detection.
Step 9. (Optional.) Specify the local interface or IP address to which the IKE profile can be applied.
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create an IKE proposal and enter its view.
   Command: ike proposal proposal-number
   Remarks: By default, there is an IKE proposal that is used as the default IKE proposal.
Step 3. Specify an encryption algorithm for the IKE proposal.
   Command:
   • In non-FIPS mode: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
   • In FIPS mode: encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
   Remarks: • In non-FIPS mode, an IKE
Step 4.
c. If a tie still exists, the device prefers an IKE keychain configured earlier.

To configure the IKE keychain:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create an IKE keychain and enter its view.
   Command: ike keychain keychain-name [ vpn-instance vpn-name ]
   Remarks: By default, no IKE keychain exists.
Step 3. Configure a pre-shared key.
Step 3. (Optional.) Configure the local device to always obtain the identity information from the local certificate for signature authentication.
   Remarks: By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication.
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Set the IKE NAT keepalive interval.
   Command: ike nat-keepalive seconds
   Remarks: The default interval is 20 seconds.

Configuring IKE DPD

DPD detects dead peers. It can operate in periodic mode or on-demand mode.
• Periodic DPD—Sends a DPD message at regular intervals. It detects dead peers earlier, but consumes more bandwidth and CPU.
• On-demand DPD—Sends a DPD message based on traffic.
it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. Because no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
To configure SNMP notifications for IKE:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable SNMP notifications for IKE globally.
   Command: snmp-agent trap enable ike global
   Remarks: By default, SNMP notifications for IKE are enabled.
Step 3. Enable SNMP notifications for the specified type of failures or events.
Figure 51 Network diagram (Device A: Eth1/1 1.1.1.1/16 toward the Internet, Eth1/2 10.1.1.1/24 toward Host A 10.1.1.2/24; Device B: Eth1/1 2.2.2.2/16 toward the Internet, Eth1/2 10.1.2.1/24 toward Host B 10.1.2.2/24)

Configuration procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
system-view
[DeviceA] acl number 3101
[DeviceA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.
# Reference IPsec transform set tran1 for the IPsec policy.
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify IKE profile profile1 for the IPsec policy.
[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[DeviceA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to interface Ethernet 1/1.
[DeviceA] interface ethernet 1/1
[DeviceA-Ethernet1/1] ipsec apply policy map1
[DeviceA-Ethernet1/1] quit
# Configure a static route to subnet 10.1.2.0/24.
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.2
2.
[DeviceB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[DeviceB-ipsec-policy-isakmp-use1-10] quit
# Apply IPsec policy use1 to interface Ethernet 1/1.
[DeviceB] interface ethernet 1/1
[DeviceB-Ethernet1/1] ipsec apply policy use1
[DeviceB-Ethernet1/1] quit
# Configure a static route to the subnet where Host A resides.
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1

Verifying the configuration
When there is traffic between subnets 10.1.1.0/24 and 10.1.2.0/24, IKE negotiation is triggered.
Flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 10.1.2.0/255.255.255.
[DeviceA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
# Set the local identity to the FQDN name www.routera.com.
[DeviceA-ike-profile-profile1] local-identity fqdn www.routera.com
# Configure a peer ID with the identity type of FQDN name and the value of www.routerb.com.
[DeviceA-ike-profile-profile1] match remote identity fqdn www.routerb.com
[DeviceA-ike-profile-profile1] quit
# Create an IKE proposal named 10.
[DeviceA] ike proposal 10
# Specify the authentication algorithm as HMAC-SHA1.
# Set the common name as routerb for the PKI entity.
[DeviceB-pki-entity-entity2] common-name routerb
[DeviceB-pki-entity-entity2] quit
# Create a PKI domain named domain2.
[DeviceB] pki domain domain2
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[DeviceB-pki-domain-domain2] certificate request mode auto password simple 123
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
# Create an IPsec policy named use1, with the sequence number as 1, referencing the IPsec policy template template1.
[DeviceB] ipsec policy use1 1 isakmp template template1
# Apply IPsec policy use1 to interface Ethernet 1/1.
[DeviceB] interface ethernet 1/1
[DeviceB-Ethernet1/1] ipsec apply policy use1
[DeviceB-Ethernet1/1] quit
# Configure a static route to the subnet where Host A resides.
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1

Verifying the configuration
When there is traffic between subnets 10.1.1.0/24 and 10.1.2.
Public-Key: (1024 bit) Modulus: 00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42: 00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43: c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14: 70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27: d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb: 4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0: ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66: 2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33: 1b:31:03:78:4f:77:a0:db:af Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 9a:6d:8c:46:d3:1
X509v3 extensions: X509v3 CRL Distribution Points: Full Name: URI:http://xx.rsa.com:447/8088.
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
# Use the same commands to verify the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device B. (Details not shown.
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-transform1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceA-ipsec-transform-set-transform1] quit
# Create an IKE keychain named keychain1.
[DeviceB] ipsec transform-set transform1
# Use the ESP protocol for the IPsec transform set.
[DeviceB-ipsec-transform-set-transform1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-transform1] quit
# Create IKE keychain keychain1.
13              2.2.2.2          RD          IPSEC
Flags: RD--READY RL--REPLACED FD-FADING
[DeviceA] display ike sa verbose
-----------------------------------------------
Connection ID: 13
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Initiator
-----------------------------------------------
Local IP: 1.1.1.1
Local ID type: FQDN
Local ID: www.devicea.com
Remote IP: 2.2.2.2
Remote ID type: IPV4_ADDR
Remote ID: 2.2.2.
dest addr: 10.2.1.0/255.255.255.
Solution
1. Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals.
2. Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals.

IKE negotiation failed due to malformed payload

Symptom
1. The IKE SA is in Unknown state.
display ike sa
Connection-ID   Remote          Flag        DOI
------------------------------------------------------------------
1               192.168.222.5   Unknown     IPSEC
Flags: RD--READY RL--REPLACED FD-FADING
2.
Construct notification packet: NO_PROPOSAL_CHOSEN. Analysis Certain IPsec policy settings are incorrect. Solution 1. Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. 2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec SA negotiation failed due to invalid identity information Symptom 1.
Life duration(sec): 86400
Remaining key duration(sec): 85847
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Check whether the IPsec policy is referencing an IKE profile.
IPsec Policy: policy1
Interface: Ethernet0/1
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: isakmp
-----------------------------
Description:
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address:
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
Solution
1.
Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
Stage: Key exchange
   Description: The two parties use the DH exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client authenticates the server as well.
Stage: Authentication
   Description: The SSH server authenticates the client in response to the client's authentication request.
• Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server. • Any authentication—The server requires clients to pass either password authentication or publickey authentication. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements.
Configuration guidelines • SSH supports locally generated DSA and RSA key pairs only with default names. For more information about the commands that are used to generate keys, see Security Command Reference. • The public-key local create rsa command generates a server key pair and a host key pair for RSA. SSH1 uses the public key in the server key pair of the SSH server to encrypt the session key before transmitting the session key.
Configuring the user lines for SSH clients

An SSH client accesses the device through a VTY user line. You must configure the user lines for SSH clients to allow SSH login. The configuration takes effect only on the clients at next login.

To configure the user lines for SSH clients:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter VTY user line view.
   Command: line vty number [ ending-number ]
   Remarks: N/A
Step 3. Set the login authentication mode to scheme.
Step 2. Enter public key view.
   Command: public-key peer keyname
   Remarks: N/A
Step 3. Configure a client's host public key.
   Command: Enter the content of the host public key.
   Remarks: When you enter the contents for a host public key, you can use spaces and carriage returns between characters. When you save the host public key, spaces and carriage returns are removed automatically. For more information, see "Managing public keys."
Step 4. Return to system view.
{ If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view. • If you change the authentication method or public key for an SSH user that has been logged in, the change can take effect only on the user at next login. • Except password authentication, the other authentication methods require a client's host public key to be specified.
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable the SSH server to support SSH1 clients.
   Command: ssh server compatible-ssh1x enable
   Remarks: By default, the SSH server supports SSH1 clients. This command is not available in FIPS mode.
Step 3. Set the RSA server key pair update interval.
   Command: ssh server rekey-interval hours
   Remarks: By default, the RSA server key pair is not updated.
Step 4. Set the SSH user authentication timeout period.
Specifying a source IP address or source interface for the Stelnet client By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server when communicating with the Stelnet server. You can specify a source IP address or source interface for the client to communicate with the server.
Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer- compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publ
Configuring the device as an SFTP client
SFTP client configuration task list
Tasks at a glance:
• (Optional.) Specifying a source IP address or source interface for the SFTP client
• (Required.) Establishing a connection to an SFTP server
• (Optional.) Working with SFTP directories
• (Optional.) Working with SFTP files
• (Optional.) Displaying help information
• (Optional.
When an SFTP client accesses an SFTP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SFTP client, the device supports the first authentication by default. When the device accesses an SFTP server for the first time but it is not configured with the host public key of the SFTP server, it can access the server and locally save the server's host public key for future use.
Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefercompress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey
Working with SFTP directories
• Change the working directory on the SFTP server: cd [ remote-path ] (Available in SFTP client view.)
• Return to the upper-level directory: cdup (Available in SFTP client view.)
• Display the current working directory on the SFTP server: pwd (Available in SFTP client view.)
• Display files under a directory: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]
• Change the name of a directory on the SFTP server.
Use either command.
• Display the help information of an SFTP client command: help or ? (Available in SFTP client view. These two commands function in the same way.)
Terminating the connection with the SFTP server
• Terminate the connection with the SFTP server and return to user view: bye, exit, or quit (Use one of the commands. Available in SFTP client view. These three commands function in the same way.)
Task Command Remarks • In non-FIPS mode, connect to the IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefe
Displaying and maintaining SSH
Execute display commands in any view.
• Display the source IP address or source interface information configured for the SFTP client: display sftp client source
• Display the source IP address or source interface information configured for the Stelnet client: display ssh client source
• Display SSH server status information or session information on an SSH server: display ssh server { session | status }
• Display SSH user information on the SSH server.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Enable the SSH server function.
[Router] ssh server enable
# Assign an IP address to interface Ethernet 1/1.
Figure 55 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.
Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY, and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58. The configuration procedure is as follows: 1. Generate the RSA key pairs on the Stelnet client: a. Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 58 Generating process c. After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save.
d. Click Save private key to save the private key. A confirmation dialog box appears.
e. Click Yes, enter a file name (private.ppk in this example), and click Save.
f. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Figure 60 Specifying the host name (or IP address) c. Select Connection > SSH from the navigation tree. The window shown in Figure 61 appears. d. Specify the Preferred SSH protocol version as 2.
e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 62 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK. Figure 62 Specifying the private key file g. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server.
Configuration procedure
1. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Enable the SSH server function.
◦ If you do not configure the host public key of the server on the client, select Yes to access the server without authenticating the server, and save the host public key of the server locally.
ssh2 192.168.1.40
Username: client001
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
client001@192.168.1.40's password:
After you enter the correct password, you can log in to Router B successfully.
8716261214A5A3B493E866991113B2D
[RouterA-pkey-public-key-key1]485348
[RouterA-pkey-public-key-key1] peer-public-key end
[RouterA] quit
# Establish an SSH connection to the server, and specify the host public key of the server.
ssh2 192.168.1.40 publickey key1
Username: client001
client001@192.168.1.40's password:
After you enter the correct password, you log in to Router B successfully.
[RouterA] public-key local export dsa ssh2 key.pub
[RouterA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.
SFTP configuration examples This section provides examples of configuring SFTP on routers. Unless otherwise noted, the devices in the configuration examples are in non-FIPS mode. If you configure an SFTP server in FIPS mode, follow these guidelines: • The modulus length of the key pair must be 2048 bits. • Do not generate a DSA key pair on the Stelnet server. Only RSA key pairs are supported.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.1.45 255.255.255.0
[Router-Ethernet1/1] quit
# Set the authentication mode of the user lines to AAA.
[Router] line vty 0 15
[Router-line-vty0-15] authentication-mode scheme
[Router-line-vty0-15] quit
# Create a local device management user client002 with the plaintext password aabbcc, the service type ssh, the user role network-admin, and the working directory cfa0:/.
Figure 66 SFTP client interface
Publickey authentication enabled SFTP client configuration example
Network requirements
As shown in Figure 67, you can log in to Router B through the SFTP client that runs on Router A and are assigned the user role network-admin to execute file management and transfer operations. Router B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Export the host public key to the file pubkey.
[RouterA] public-key local export rsa ssh2 pubkey
[RouterA] quit
# Transmit the public key file pubkey to the server through FTP or TFTP.
[RouterB] ssh user client001 service-type sftp authentication-type publickey assign publickey routerkey
# Create a local device management user client001 with the service type ssh, the user role network-admin, and the working directory cfa0:/.
[RouterB] local-user client001 class manage
[RouterB-luser-manage-client001] service-type ssh
[RouterB-luser-manage-client001] authorization-attribute user-role network-admin work-directory cfa0:/
[RouterB-luser-manage-client001] quit
3.
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
# Download the pubkey2 file from the server and save it as a local file public.
sftp> get pubkey2 public
Fetching / pubkey2 to public
/pubkey2                    100%  225   1.
system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key size is (512 ~ 2048).
[RouterA-Ethernet1/1] quit
[RouterA] quit
3. Connect to the SCP server, download the file remote.bin from the server, and save it locally to the file local.bin.
scp 192.168.0.1 get remote.bin local.bin
Username: client001
Connected to 192.168.0.1 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter password:
18471 bytes transfered in 0.001 seconds.
Configuring ASPF
Overview
A packet-filter firewall is a static firewall. It cannot solve the following issues:
• It cannot predefine security policies for multi-channel application layer protocols, such as FTP.
• It cannot detect attacks from the transport layer and application layer, such as SYN Flood.
• It cannot prevent ICMP attacks, because it cannot recognize faked ICMP error messages from the network.
• It permits non-SYN packets that are the first packets over a TCP connection.
• Multi-channel protocol—A multi-channel protocol establishes more than one connection for a user and transfers control messages and user data through different connections. FTP is one example of multi-channel protocols.
The following uses FTP to explain the process of multi-channel application layer protocol inspection.
Generic TCP/UDP inspection requires a full match between the packets returned to the external interface and the packets previously sent out of the external interface, namely a perfect match of the source and destination addresses and port numbers. Otherwise, the return packets are blocked. Therefore, for multi-channel application layer protocols like FTP, the deployment of TCP inspection without application layer inspection leads to failure of establishing a data connection.
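The failure described above, and the way application layer inspection fixes it, can be shown with a small stateful model. The Python below is an added example, not HP's ASPF implementation: it records outbound 5-tuples the way generic TCP/UDP inspection does, admits inbound packets only when they exactly reverse a recorded flow, and, when FTP inspection is switched on, additionally parses the client's PORT command on the control channel to open a pinhole for the server-initiated data connection (active-mode FTP). Addresses, ports and the FTP exchange are constructed for the scenario; TCP state tracking and aging are left out so the multi-channel point stays visible.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A transport-layer 5-tuple as seen on the wire."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Packet:
    flow: Flow
    direction: str          # "out": internal -> external, "in": external -> internal
    payload: bytes = b""


# FTP active-mode command: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_CMD = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.M)


class Inspector:
    """Toy stateful inspector applied to the outbound direction of an external interface."""

    def __init__(self, ftp_inspection: bool):
        self.ftp_inspection = ftp_inspection
        self.sessions = set()   # flows initiated from the internal side (generic inspection)
        self.pinholes = set()   # inbound data connections announced on an FTP control channel

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.sessions.add(pkt.flow)
            if self.ftp_inspection and pkt.flow.dst_port == 21:
                self._inspect_ftp_command(pkt)
            return "permit"
        # inbound: generic inspection needs an exact reverse match of an outbound flow
        if pkt.flow.reverse() in self.sessions:
            return "permit"
        if pkt.flow in self.pinholes:
            # first packet of the announced data channel: promote the pinhole to a session
            self.pinholes.discard(pkt.flow)
            self.sessions.add(pkt.flow.reverse())
            return "permit"
        return "deny"

    def _inspect_ftp_command(self, pkt: Packet) -> None:
        m = PORT_CMD.search(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        client_port = p1 * 256 + p2
        # active-mode FTP: the server opens the data channel from port 20 back to the client
        self.pinholes.add(Flow("tcp", pkt.flow.dst_ip, 20, client_ip, client_port))


def run_scenario(ftp_inspection: bool) -> list:
    """Constructed exchange: internal client 192.168.1.2 talks to external FTP server 2.2.2.11."""
    insp = Inspector(ftp_inspection)
    client, server = "192.168.1.2", "2.2.2.11"
    control = Flow("tcp", client, 40001, server, 21)
    packets = [
        Packet(control, "out"),                                   # control connection opens
        Packet(control.reverse(), "in", b"220 FTP ready\r\n"),    # server greeting (reverse match)
        Packet(control, "out", b"PORT 192,168,1,2,4,1\r\n"),      # client announces data port 1025
        Packet(Flow("tcp", server, 20, client, 1025), "in"),      # server opens the data channel
    ]
    return [insp.process(p) for p in packets]
```

With `ftp_inspection=False` the last packet is denied: it is a new inbound connection that reverses nothing the client sent, which is exactly the "failure of establishing a data connection" the paragraph describes. With FTP inspection on, the PORT command has already created the pinhole and the same packet is permitted.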
You can apply ASPF and packet filtering together. For example, apply a packet filtering policy to the inbound direction of the external interface and an ASPF policy to the outbound direction of the external interface. This combination denies unsolicited access from the external network to the internal network but allows response packets from the external network to the internal network.
Figure 71 Network diagram (Router A Eth1/0 10.1.1.1/24; Router B Eth1/1 192.168.1.1/24; internal network and external network; Host; Server; 192.168.1.2/24; 2.2.2.11/24)
Configuration procedure
# Configure ACL 3111 to deny all IP packets.
system-view
[RouterA] acl number 3111
[RouterA-acl-adv-3111] rule deny ip
[RouterA-acl-adv-3111] quit
# Create ASPF policy 1 for FTP inspection.
ASPF TCP application inspection configuration example
Network requirements
Local users on the internal network need to access the external network. To protect the internal network against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A to drop faked ICMP error messages and non-SYN packets that are the first packets over TCP connections.
Figure 72 Network diagram (Router A, internal network, Eth1/0 10.1.1.1/24; Router B Eth1/1 192.168.1.
Enable TCP SYN packet check
Detect these protocols:
Router A can recognize the faked ICMP error messages from external networks, and drop the non-SYN packets that are the first packets over TCP connections.
ASPF H.323 application inspection configuration example
Network requirements
Figure 73 displays a typical H.323 application network. Gateway B on the external network needs to access the H.323 Gatekeeper and, with the assistance of the Gatekeeper, establish a connection with the H.323 Gateway A.
[RouterA-Ethernet1/0] aspf 1 inbound
[RouterA-Ethernet1/0] quit
Verifying the configuration
# Display ASPF sessions on Router A.
[RouterA] display aspf session ipv4
Initiator:
  Source      IP/port: 1.1.1.111/33184
  Destination IP/port: 192.168.1.3/32828
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: UDP(17)
Initiator:
  Source      IP/port: 1.1.1.111/1719
  Destination IP/port: 192.168.1.2/1719
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: UDP(17)
Initiator:
  Source      IP/port: 1.1.1.111/3521
  Destination IP/port: 192.168.1.
Configuring APR Overview The application recognition (APR) feature enables QoS and ASPF to recognize application protocols of packets sent on ports that are not well known. APR separately counts the number of packets or bytes that an interface has received or sent based on application protocols. It also calculates the transmission rates of the interface at the same time. APR uses the following methods to recognize an application protocol: • Port-based application recognition (PBAR).
You can add application protocols with the same properties to one application group, or copy application protocols from one application group to another. If a packet is recognized as the packet of an application protocol in an application group, the packet is considered as the packet of the application group. Features such as QoS and ASPF can handle packets belonging to the same group in bulk.
1. Enter system view: system-view
2. Create an application group and enter application group view: app-group group-name
3. (Optional.) Configure a description for the user-defined application group: description group-description (By default, the description is "User-defined application group.")
4. Add an application protocol to the group. (By default, the user-defined application group does not contain any application protocol.)
Displaying and maintaining APR
Execute display commands in any view and reset commands in user view.
• Display information about application protocols: display application [ name app-name | pre-defined | user-defined ]
• Display information about application groups: display app-group [ name group-name | pre-defined | user-defined ]
• Display statistics for the specified application protocols (MSR2000/MSR3000).
Configuration procedure
# Create an application group named group1, and enter application group view.
system-view
[Router] app-group group1
# Add HTTP to the application group.
[Router-app-group-group1] include application http
[Router-app-group-group1] quit
# Map HTTP to TCP and port 8080.
[Router] port-mapping application http port 8080 protocol tcp
# Create a traffic class named classifier_1, and match group1 to the class.
Managing sessions Overview Session management is a common module, providing basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services.
• Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
• Supports persistent sessions, which are kept alive for a long period of time.
• Supports session management for the control channels and dynamic data channels of application layer protocols, for example, FTP.
2. Set the session aging time for different protocol states: session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
   By default, the session aging time is as follows:
   • FIN-WAIT: 30 seconds.
   • ICMP-REPLY: 30 seconds.
   • ICMP-REQUEST: 60 seconds.
   • RAWIP-OPEN: 30 seconds.
   • RAWIP-READY: 60 seconds.
   • TCP SYN-SENT and SYN-RCV: 30 seconds.
   • TCP-ESTABLISHED: 3600 seconds.
   • UDP-OPEN: 30 seconds.
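The two session management features above (per-state aging and ICMP error packet mapping) fit in one small model. The Python below is an added example, not HP's session module: a session table whose entries carry the default aging times listed above (keyed by the state keywords of the session aging-time state command), plus a parser that pulls the original 5-tuple out of the datagram quoted inside an ICMP error message and uses it to find the original session and shorten its remaining life. The ICMP packet is constructed inline with struct; how much the real device shortens the aging after a mapped error is not stated in this guide, so the 30-second value used here is an assumption carried in an explicit parameter.

```python
import ipaddress
import struct

# Default aging time per state in seconds, keyed by the state keywords of the command above.
DEFAULT_AGING = {
    "fin": 30, "icmp-reply": 30, "icmp-request": 60, "rawip-open": 30,
    "rawip-ready": 60, "syn": 30, "tcp-est": 3600, "udp-open": 30,
}
PROTO_NAMES = {6: "tcp", 17: "udp"}
ICMP_ERROR_TYPES = {3, 11, 12}   # destination unreachable, time exceeded, parameter problem


def reverse_key(key):
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


def parse_icmp_error(icmp: bytes):
    """Return the 5-tuple of the datagram quoted in an ICMP error message, or None.
    Layout: 8-byte ICMP header, then the original IP header and the first 8 bytes of its payload."""
    if len(icmp) < 8 + 20 + 4 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    ip = icmp[8:]
    ihl = (ip[0] & 0x0F) * 4
    proto = PROTO_NAMES.get(ip[9])
    if proto is None or len(ip) < ihl + 4:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack_from("!HH", ip, ihl)   # ports are the first 4 bytes of TCP/UDP
    return (proto, src, sport, dst, dport)


class SessionTable:
    def __init__(self, aging=None, error_fast_age=30):
        self.aging = {**DEFAULT_AGING, **(aging or {})}
        self.error_fast_age = error_fast_age   # assumption: remaining life after a mapped ICMP error
        self.entries = {}                      # initiator 5-tuple -> {"state", "deadline"}

    def add(self, key, state, now):
        self.entries[key] = {"state": state, "deadline": now + self.aging[state]}

    def find(self, key):
        """Match a 5-tuple against the table in either direction."""
        if key in self.entries:
            return key
        rev = reverse_key(key)
        return rev if rev in self.entries else None

    def on_icmp_error(self, icmp: bytes, now):
        """ICMP error packet mapping: locate the original session from the quoted datagram
        and shorten its remaining lifetime so that it ages out quickly."""
        quoted = parse_icmp_error(icmp)
        key = self.find(quoted) if quoted else None
        if key is None:
            return None
        entry = self.entries[key]
        entry["deadline"] = min(entry["deadline"], now + self.error_fast_age)
        return key

    def expire(self, now):
        """Remove and return every entry whose aging time has elapsed."""
        dead = [k for k, v in self.entries.items() if v["deadline"] <= now]
        for k in dead:
            del self.entries[k]
        return dead


def build_icmp_unreachable(src, sport, dst, dport, proto=6, code=3) -> bytes:
    """Constructed ICMP destination unreachable quoting a datagram src:sport -> dst:dport."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    l4 = struct.pack("!HHI", sport, dport, 0)          # first 8 bytes of the transport header
    return struct.pack("!BBHI", 3, code, 0, 0) + ip_hdr + l4


def demo():
    """Constructed scenario: one UDP session and one established TCP session are created at t=0;
    at t=100 the responder returns an ICMP error quoting the TCP session's original packet."""
    table = SessionTable()
    udp = ("udp", "10.1.1.2", 40000, "2.2.2.11", 53)
    tcp = ("tcp", "10.1.1.2", 51000, "2.2.2.11", 80)
    table.add(udp, "udp-open", now=0)
    table.add(tcp, "tcp-est", now=0)
    mapped = table.on_icmp_error(build_icmp_unreachable("10.1.1.2", 51000, "2.2.2.11", 80), now=100)
    return {"mapped": mapped,
            "expired_at_100": table.expire(100),
            "expired_at_131": table.expire(131)}
```

In the scenario the UDP session ages out on its 30-second default at t=100, while the TCP session, which would otherwise have lived 3600 seconds, is found through the quoted datagram and is gone by t=131.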
Specifying persistent sessions
This task applies only to TCP sessions in ESTABLISHED state. You can specify TCP sessions that match the permit statements in the specified ACL as persistent sessions, and either give them a longer lifetime or make them never age out. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.
If you set both time-based and traffic-based logging, the device outputs a session log when either threshold is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session. If you enable session logging but specify neither the traffic-based nor the time-based type, the device outputs a session log when a session entry is created or removed.
To configure session logging:
1. Enter system view: system-view
2. (Optional.
• Clear IPv4 session table entries (MSR4000): reset session table ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
• Clear IPv6 session table entries (MSR2000/MSR3000).
Configuring connection limits
As shown in Figure 75, the following types of network problems are commonly encountered:
• An internal user initiates large numbers of connections to external networks in a short period of time, consuming large amounts of system resources and leaving other internal users unable to access network resources correctly.
• An internal server receives large numbers of connection requests in a short period of time, making the server unable to accept other normal requests.
Configuring the connection limit policy A connection limit policy contains one or more connection limit rules, each of which specifies a range for the limit. Connections in the range will be limited based on the parameters in the rule. When the number of connections reaches the upper limit max-amount, the device does not accept new connections until the number of connections goes below the lower limit min-amount. Connections not matching any connection limit rule are not limited.
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Apply a connection limit policy to an interface: connection-limit apply { ipv6-policy | policy } policy-id (By default, no connection limit is applied to an interface. Only one IPv4 or IPv6 connection limit policy can be applied to an interface. A new IPv4 or IPv6 connection limit policy overwrites an old policy.)
• Clear the connection limit statistics globally or on an interface (MSR4000): reset connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]
Connection limit configuration example
Network requirements
As shown in Figure 76, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The internal network address is 192.168.0.0/16.
# Configure connection limit rule 1 to permit up to 100000 connections from all the hosts matching ACL 3000 to the external network. When the connection number exceeds 100000, new connections cannot be established until the connection number goes below 95000.
[Router-connection-limit-policy-1] limit 1 acl 3000 amount 100000 95000
# Configure connection limit rule 2 to permit up to 10000 connections to the servers matching ACL 3001.
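The max-amount/min-amount behaviour described under "Configuring the connection limit policy" and used by the limit 1 acl 3000 amount 100000 95000 rule above is a hysteresis: once the count reaches the upper limit, new connections are refused until the count has dropped below the lower limit, not merely below the upper one. The Python below is an added example (not HP's implementation) that models a policy with ACL-style source prefix matching and that hysteresis, using small constructed limits (10 and 8) so the switch-over is visible. It counts connections per rule in aggregate and assumes callers only release connections that were admitted; per-host counting, which the troubleshooting section touches on, is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class LimitRule:
    """One rule of a connection limit policy. source_prefixes stands in for the permit
    statements of the ACL that a real rule references."""
    rule_id: int
    source_prefixes: list
    max_amount: int
    min_amount: int
    current: int = 0
    blocking: bool = False

    def __post_init__(self):
        if not 0 <= self.min_amount <= self.max_amount:
            raise ValueError("min-amount must not exceed max-amount")
        self.networks = [ipaddress.ip_network(p) for p in self.source_prefixes]

    def matches(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.networks)

    def admit(self) -> bool:
        # once the upper limit was reached, keep refusing until the count is below min-amount
        if self.blocking and self.current >= self.min_amount:
            return False
        self.blocking = False
        if self.current >= self.max_amount:
            self.blocking = True
            return False
        self.current += 1
        if self.current >= self.max_amount:
            self.blocking = True          # upper limit reached by this admission
        return True

    def release(self) -> None:
        self.current = max(0, self.current - 1)


class ConnectionLimitPolicy:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)

    def _rule_for(self, src_ip):
        return next((r for r in self.rules if r.matches(src_ip)), None)

    def open_connection(self, src_ip: str) -> bool:
        rule = self._rule_for(src_ip)
        return True if rule is None else rule.admit()   # unmatched connections are not limited

    def close_connection(self, src_ip: str) -> None:
        rule = self._rule_for(src_ip)
        if rule is not None:
            rule.release()


def simulate() -> list:
    """Constructed walk-through: rule 1 limits 192.168.0.0/24 to 10 connections, lower limit 8."""
    policy = ConnectionLimitPolicy([LimitRule(1, ["192.168.0.0/24"], max_amount=10, min_amount=8)])
    host = "192.168.0.5"
    results = [policy.open_connection(host) for _ in range(11)]   # 10 admitted, 11th refused
    policy.close_connection(host)                                  # count 9: still >= 8, still blocked
    results.append(policy.open_connection(host))
    policy.close_connection(host)
    policy.close_connection(host)                                  # count 7: below min-amount
    results.append(policy.open_connection(host))                   # admitted again
    results.append(policy.open_connection("10.0.0.1"))             # matches no rule: not limited
    return results
```

The middle of the result list is the part worth noting: after one connection closes the count is 9, which is under the upper limit of 10 yet still refused, because the device waits for the count to fall below the lower limit before it accepts new connections again.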
Troubleshooting connection limits
ACLs in the connection limit rules with overlapping segments
Symptom
On the router, create a connection limit policy and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and the other limits connections from 192.168.0.100/24 with the upper connection limit 100.
system-view
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 192.168.0.0 0.0.0.
Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
Configuring unresolvable IP attack protection If a device receives a large number of unresolvable IP packets from a host, the following situations can occur. • The device sends a large number of ARP requests, overloading the target subnets. • The device keeps trying to resolve target IP addresses, overloading its CPU.
Configuration example Network requirements As shown in Figure 77, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack. To prevent such attacks, configure ARP source suppression and ARP blackhole routing.
Configuring ARP packet rate limit
NOTE: This feature is not supported in the current release, and it is reserved for future use.
The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the device CPU is overloaded because all ARP packets are redirected to the CPU for inspection. As a result, the device fails to provide other functions or even crashes.
Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets received from the same MAC address within 5 seconds against a specific threshold. If the threshold is exceeded, the device adds the MAC address in an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods: • Monitor—Only generates log messages. • Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
• Display ARP attack entries detected by source MAC-based ARP attack detection (MSR4000): display arp source-mac { slot slot-number | interface interface-type interface-number }
Configuration example
Network requirements
As shown in Figure 78, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and be unable to process requests from the clients.
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
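The detection logic described under "Configuring source MAC-based ARP attack detection" (count per source MAC within 5 seconds, attack entry with a lifetime, monitor versus filter handling, excluded MACs) maps onto the three commands above. The Python below is an added example, not the device's code: a sliding-window counter per source MAC that creates an aging attack entry when the threshold is exceeded. The simulation uses a constructed threshold of 3 so the transition fits in a few packets, reuses the MAC addresses that appear in this guide's examples as sample values, and feeds timestamps directly instead of reading real ARP frames.

```python
from collections import defaultdict, deque


class SourceMacArpDetector:
    """Counts ARP packets per source MAC inside a 5-second window and creates an attack entry
    when the count exceeds the threshold. 'monitor' only logs; 'filter' also drops subsequent
    ARP packets from that MAC until the entry ages out."""
    WINDOW = 5   # seconds, as stated in the guide

    def __init__(self, threshold=30, aging_time=60, mode="filter", excluded=()):
        if mode not in ("monitor", "filter"):
            raise ValueError("mode must be 'monitor' or 'filter'")
        self.threshold = threshold
        self.aging_time = aging_time
        self.mode = mode
        self.excluded = {m.lower() for m in excluded}
        self.recent = defaultdict(deque)     # mac -> arrival times still inside the window
        self.attack_entries = {}             # mac -> time at which the entry ages out
        self.log = []

    def _age_entries(self, now):
        for mac in [m for m, exp in self.attack_entries.items() if exp <= now]:
            del self.attack_entries[mac]

    def handle_arp(self, src_mac: str, now: float) -> str:
        """Return 'forward' or 'drop' for one ARP packet from src_mac received at time now."""
        mac = src_mac.lower()
        self._age_entries(now)
        if mac in self.excluded:
            return "forward"
        if mac in self.attack_entries:
            return "drop" if self.mode == "filter" else "forward"
        window = self.recent[mac]
        window.append(now)
        while window and window[0] <= now - self.WINDOW:
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[mac] = now + self.aging_time
            self.log.append(f"t={now}: ARP attack from {mac}: {len(window)} packets in {self.WINDOW}s")
            window.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def simulate(mode: str):
    """Constructed packet sequence: one host bursts, one excluded MAC sends once, then the
    bursting host sends again after the attack entry has aged out."""
    det = SourceMacArpDetector(threshold=3, aging_time=60, mode=mode,
                               excluded={"0012-3f86-e94c"})
    events = [("000f-e349-1233", 0), ("000f-e349-1233", 1), ("000f-e349-1233", 2),
              ("000f-e349-1233", 3),    # 4th packet in 5 s: threshold 3 exceeded
              ("000f-e349-1233", 4),    # entry exists: dropped in filter mode
              ("0012-3f86-e94c", 4),    # excluded MAC: never counted
              ("000f-e349-1233", 70)]   # entry aged out at t=63: forwarded again
    return [det.handle_arp(mac, t) for mac, t in events], len(det.log)
```

Both modes produce exactly one log entry for the burst; only filter mode drops the fourth and fifth packets, and the packet at t=70 is forwarded again because the 60-second entry created at t=3 has aged out.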
With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This prevents user spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
1. Enter system view: system-view
2. Enter Layer 3 Ethernet interface or Layer 3 Ethernet subinterface view: interface interface-type interface-number
3. Enable authorized ARP on the interface.
[RouterB-Ethernet1/1] ip address dhcp-alloc
[RouterB-Ethernet1/1] quit
3. After Router B obtains an IP address from Router A, display the authorized ARP entry information on Router A.
[RouterA] display arp all
  Type: S-Static   D-Dynamic   M-Multiport   I-Invalid
IP Address      MAC Address     VLAN  Interface   Aging  Type
10.1.1.2        0012-3f86-e94c  N/A   Eth1/1      20     D
The output shows that IP address 10.1.1.2 has been assigned to Router B.
system-view
[RouterB] dhcp enable
# Specify the IP addresses of Ethernet 1/1 and Ethernet 1/2.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 10.1.1.2 24
[RouterB-Ethernet1/1] quit
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on Ethernet 1/2.
[RouterB-Ethernet1/2] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[RouterB-Ethernet1/2] dhcp relay server-address 10.1.1.1
# Enable authorized ARP.
If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies. Configuring user validity check Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and MAC addresses against the static IP source guard binding entries, the DHCP snooping entries, and 802.1X security entries. If a match is found from those entries, the ARP packet is considered valid and is forwarded.
• src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded. • dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
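The src-mac and dst-mac checks above are cheap header consistency tests, and they are easy to see on real frame bytes. The Python below is an added example, not the switch's implementation: it builds Ethernet/ARP frames for IPv4 over Ethernet, parses them, and applies the two checks exactly as described (src-mac on every packet, dst-mac on ARP replies only, rejecting an all-zero, all-one or mismatching target MAC). The ip check that the configuration example later enables with arp detection validate dst-mac ip src-mac is not defined on this page and is therefore not modelled. MAC and IP values are taken from this guide's examples or constructed, and the spoofed MAC is a constructed sample.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """Accepts the guide's 0012-3f86-e94c form as well as 00:12:3f:86:e9:4c."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(b: bytes) -> str:
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header (14 bytes) + ARP body (28 bytes) for IPv4 over Ethernet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sha) + bytes(map(int, spa.split(".")))
           + mac_bytes(tha) + bytes(map(int, tpa.split("."))))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12],
        "oper": struct.unpack_from("!H", frame, 20)[0],
        "sha": frame[22:28], "spa": frame[28:32],   # sender hardware / protocol address
        "tha": frame[32:38], "tpa": frame[38:42],   # target hardware / protocol address
    }


def validate_arp(frame: bytes, checks=("src-mac", "dst-mac")):
    """Apply the ARP packet validity checks described above. Returns (valid, reason)."""
    p = parse_arp_frame(frame)
    if "src-mac" in checks and p["sha"] != p["eth_src"]:
        return False, (f"src-mac: sender MAC {mac_str(p['sha'])} differs from "
                       f"Ethernet source {mac_str(p['eth_src'])}")
    if "dst-mac" in checks and p["oper"] == ARP_REPLY:
        tha = p["tha"]
        if tha == b"\x00" * 6 or tha == b"\xff" * 6 or tha != p["eth_dst"]:
            return False, f"dst-mac: target MAC {mac_str(tha)} is all-zero, all-one, or not the Ethernet destination"
    return True, "ok"


def demo() -> dict:
    """Constructed frames between Host A (10.1.1.2, 000f-e349-1233) and a gateway MAC."""
    host_ip, host_mac = "10.1.1.2", "000f-e349-1233"
    gw_ip, gw_mac = "10.1.1.1", "0012-3f86-e94c"
    spoof_mac = "00aa-bbcc-ddee"   # constructed: Ethernet source that does not match the ARP sender
    frames = {
        "good_reply": build_arp_frame(gw_mac, host_mac, ARP_REPLY, host_mac, host_ip, gw_mac, gw_ip),
        "spoofed_sender": build_arp_frame(gw_mac, spoof_mac, ARP_REPLY, host_mac, host_ip, gw_mac, gw_ip),
        "bad_target": build_arp_frame(gw_mac, host_mac, ARP_REPLY, host_mac, host_ip, "ffff-ffff-ffff", gw_ip),
        # requests carry an all-zero target MAC by design, and dst-mac does not apply to them
        "good_request": build_arp_frame("ffff-ffff-ffff", host_mac, ARP_REQUEST, host_mac, host_ip,
                                        "0000-0000-0000", gw_ip),
    }
    return {name: validate_arp(f)[0] for name, f in frames.items()}
```

The "good_request" case is the edge worth remembering when reading the dst-mac description: an all-zero target MAC is normal in a request, which is why the check is defined for replies only.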
3. Enable ARP restricted forwarding: arp restricted-forwarding enable (By default, ARP restricted forwarding is disabled.)
Displaying and maintaining ARP detection
Execute display commands in any view and reset commands in user view.
• Display the VLANs enabled with ARP detection: display arp detection
• Display the ARP detection statistics: display arp detection statistics [ interface interface-type interface-number ]
• Clear the ARP detection statistics.
3. Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection. (Details not shown.)
4. Configure Switch B:
# Enable the 802.1X function.
system-view
[SwitchB] dot1x
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] dot1x
[SwitchB-Ethernet1/1] quit
[SwitchB] interface ethernet 1/2
[SwitchB-Ethernet1/2] dot1x
[SwitchB-Ethernet1/2] quit
# Add a local user test.
Figure 82 Network diagram (Switch A: gateway and DHCP server, Eth1/3, Vlan-int10 10.1.1.1/24, VLAN 10; Switch B: DHCP snooping, Eth1/1, Eth1/2, Eth1/3; Host A: DHCP client; Host B: 10.1.1.6, 0001-0203-0607)
Configuration procedure
1. Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
2. Configure the DHCP server on Switch A, and configure DHCP address pool 0.
[SwitchB-Ethernet1/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
After the configurations are completed, ARP packets received on interfaces Ethernet 1/1 and Ethernet 1/2 have their MAC and IP addresses checked first, and are then checked against the static IP source guard binding entries and finally the DHCP snooping entries.
Configuring ARP gateway protection NOTE: This feature is not supported in the current release, and it is reserved for future use. Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks. When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet correctly.
Figure 83 Network diagram
Configuration procedure
# Configure ARP gateway protection on Switch B.
system-view
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] arp filter source 10.1.1.1
[SwitchB-Ethernet1/1] quit
[SwitchB] interface ethernet 1/2
[SwitchB-Ethernet1/2] arp filter source 10.1.1.1
After the configuration is complete, Ethernet 1/1 and Ethernet 1/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
Configuration procedure
To configure ARP filtering:
1. Enter system view: system-view
2. Enter Layer 2 Ethernet interface view: interface interface-type interface-number
3. Enable ARP filtering and configure a permitted entry: arp filter binding ip-address mac-address (By default, ARP filtering is disabled.)
Configuration example
Network requirements
As shown in Figure 84, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233, respectively.
Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU. Hardware crypto engines can accelerate encryption/decryption speed, improving device processing efficiency. You can enable or disable hardware crypto engines globally as required. • Software crypto engines—A software crypto engine is a set of software encryption algorithms.
Displaying and maintaining crypto engines
Execute display commands in any view and reset commands in user view.
• Display information about crypto engines: display crypto-engine
• Display statistics for crypto engines (MSR2000/MSR3000): display crypto-engine statistics [ engine-id engine-id ]
• Display statistics for crypto engines (MSR4000): display crypto-engine statistics [ engine-id engine-id slot slot-number ]
• Clear statistics for crypto engines.
Configuring portal authentication

Overview

Portal authentication controls user access to the Internet. Portal authenticates a user by the username and password the user enters on a portal authentication page. Therefore, portal authentication is also known as Web authentication. When portal authentication is deployed on a network, an access device redirects unauthenticated users to the website provided by a portal Web server. The users can access the resources on the website without authentication.
Figure 85 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server)

An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application. Security check for the user host is implemented through the interaction between the portal client and the security policy server.
Interaction between portal system components

The components of a portal system interact as follows:
1. An unauthenticated user initiates authentication by accessing an Internet website through a Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HP iNode client for extended portal functions.
2.
Only the HP iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode.

Cross-subnet authentication

Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP address uniquely identifies the user.
4. The portal authentication server adds the username and password into an authentication request packet and sends it to the access device. Meanwhile, the portal authentication server starts a timer to wait for an authentication reply packet.
5. The access device and the RADIUS server exchange RADIUS packets.
6. The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure.
7.
10. The access device detects the IP change of the client through DHCP and then notifies the portal authentication server that it has detected an IP change of the client.
11. After receiving the IP change notification packets sent by the client and the access device, the portal authentication server notifies the client of login success.
12. The portal authentication server sends an IP change acknowledgement packet to the access device.
Step 13 and step 14 are for extended portal functions.
13.
The prerequisites for portal authentication configuration are as follows:
• The portal authentication server, portal Web server, and RADIUS server have been installed and configured correctly.
• To use the re-DHCP portal authentication mode, make sure the DHCP relay agent is enabled on the access device, and the DHCP server is installed and configured correctly.
• The portal client, access device, and servers can reach each other.
Configuring a portal Web server

A portal Web server pushes the authentication page to users during portal authentication. It is also the Web server to which the device redirects user HTTP requests. Perform this task to configure the following portal Web server parameters:
• VPN instance of the portal Web server
• URL of the portal Web server
• Parameters carried in the URL when the device redirects the URL to users
The device supports multiple portal Web servers.
• Do not add the interface enabled with portal authentication to an aggregation group. Otherwise, portal authentication does not take effect.
• Cross-subnet authentication mode (layer3) does not require Layer 3 forwarding devices between the access device and the portal authentication clients. However, if a Layer 3 forwarding device exists between the authentication client and the access device, you must use the cross-subnet portal authentication mode.
Controlling portal user access

Configuring a portal-free rule

A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the source/destination IP address, TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so users sending the packets can directly access the specified external websites.
Step 2. Configure a source-based portal-free rule.
  Command: portal free-rule rule-number source { interface interface-type interface-number | mac mac-address | vlan vlan-id } *
  Remarks: By default, no source-based portal-free rule exists. If you specify both a VLAN and an interface, the interface must belong to the VLAN. Otherwise, the portal-free rule does not take effect.
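Portal-free rule matching as described in the two passages above, as an added example that is not part of the HP guide: rules match on any combination of source/destination IP, port, source MAC, interface and VLAN, a matching packet bypasses portal authentication, and a rule naming both a VLAN and an interface outside that VLAN is refused. The VLAN membership table, rule numbers, addresses and packets are constructed test data.

```python
"""Model of portal-free rule evaluation (added example, not HP code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set


@dataclass
class FreeRule:
    """One portal-free rule; a None field means 'not matched on'."""
    number: int
    source: Optional[IPv4Network] = None
    destination: Optional[IPv4Network] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str
    interface: str
    vlan: int


class PortalFreeTable:
    def __init__(self, interface_vlans: Dict[str, Set[int]]):
        self.interface_vlans = interface_vlans  # constructed VLAN membership
        self.rules: List[FreeRule] = []

    def add(self, rule: FreeRule) -> bool:
        """Install a rule. A rule that names both a VLAN and an interface that
        is not in that VLAN does not take effect, so it is refused here."""
        if rule.interface is not None and rule.vlan is not None:
            if rule.vlan not in self.interface_vlans.get(rule.interface, set()):
                return False
        self.rules.append(rule)
        return True

    @staticmethod
    def matches(rule: FreeRule, pkt: Packet) -> bool:
        return all([
            rule.source is None or IPv4Address(pkt.src_ip) in rule.source,
            rule.destination is None or IPv4Address(pkt.dst_ip) in rule.destination,
            rule.dst_port is None or rule.dst_port == pkt.dst_port,
            rule.src_mac is None or rule.src_mac.lower() == pkt.src_mac.lower(),
            rule.interface is None or rule.interface == pkt.interface,
            rule.vlan is None or rule.vlan == pkt.vlan,
        ])

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the unauthenticated user is
        redirected to the portal Web server."""
        for rule in self.rules:
            if self.matches(rule, pkt):
                return f"pass (free-rule {rule.number})"
        return "redirect to portal Web server"


def demo() -> dict:
    table = PortalFreeTable({"Ethernet1/2": {10, 20}})
    installed = [
        # Let everyone reach the portal Web server page itself.
        table.add(FreeRule(1, destination=IPv4Network("192.168.0.111/32"), dst_port=8080)),
        table.add(FreeRule(2, source=IPv4Network("2.2.2.0/24"),
                           destination=IPv4Network("192.168.0.0/24"))),
        # Ethernet1/2 is not in VLAN 30: this rule would not take effect.
        table.add(FreeRule(3, interface="Ethernet1/2", vlan=30)),
        table.add(FreeRule(4, src_mac="000f-e349-1233")),
    ]
    portal_page = Packet("2.2.2.2", "192.168.0.111", 8080, "0000-1111-2222", "Ethernet1/2", 10)
    internet = Packet("2.2.2.2", "203.0.113.5", 443, "0000-1111-2222", "Ethernet1/2", 10)
    exempt_host = Packet("2.2.2.3", "203.0.113.5", 443, "000f-e349-1233", "Ethernet1/2", 10)
    return {
        "installed": installed,
        "portal_page": table.decide(portal_page),
        "internet": table.decide(internet),
        "exempt_host": table.decide(exempt_host),
    }
```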
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure an IPv6 portal authentication source subnet.
  Command: portal ipv6 layer3 source ipv6-network-address prefix-length
  Remarks: By default, no IPv6 portal authentication source subnet is configured, and IPv6 users from any subnets must pass portal authentication.
If the maximum number of portal users you set is less than the number of portal users currently logged in, the limit is set successfully and does not affect the logged-in portal users, but the system does not allow new portal users to log in until the number drops below the limit.

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the maximum number of portal users.
  Command: portal max-user max-number
  Remarks: By default, no limit is set on the number of portal users.
Configuring portal detection functions

Configuring online detection of portal users

Configure online detection of portal users on an interface to find abnormal logouts in time. If a portal user is idle for the specified period of time (idle time), the device sends detection packets to the user at a specific interval (interval interval) to identify whether the user is still online.
If the device receives a valid portal packet from the portal authentication server within a detection timeout (timeout timeout), it considers that the detection has succeeded and the portal authentication server is reachable. Otherwise, it considers that the detection has failed and the portal authentication server is unreachable.
• Sending a log message, which contains the name, the current state, and the original state of the portal Web server.
• Enabling portal fail-permit. When the portal Web server is unreachable, the portal fail-permit feature on an interface allows users on the interface to have network access. When the server recovers, it resumes portal authentication on the interface. For more information, see "Configuring the portal fail-permit function."
Step 2. Enter portal authentication server view.
  Command: portal server server-name
  Remarks: N/A
Step 3. Configure the portal user synchronization function.
  Command: user-sync timeout timeout
  Remarks: By default, portal user synchronization is disabled.

Configuring the portal fail-permit function

Perform this task to configure the portal fail-permit function on an interface.
During a re-DHCP portal authentication or mandatory user logout process, the device sends portal notification packets to the portal authentication server. For the authentication or logout process to complete, make sure the BAS-IP/BAS-IPv6 attribute is the same as the device IPv4 or IPv6 address specified on the portal authentication server.

To configure the BAS-IP attribute for unsolicited portal packets sent to the portal authentication server:

Step 1. Enter system view.
To log out users:

Step 1. Enter system view.
  Command: system-view
Step 2. Log out IPv4 portal users.
  Command: portal delete-user { ipv4-address | all | interface interface-type interface-number }
Step 3. Log out IPv6 portal users.
  Command: portal delete-user { all | interface interface-type interface-number | ipv6 ipv6-address }

Displaying and maintaining portal

Execute display commands in any view and the reset command in user view.

Task: Display portal rules on an interface (centralized devices).
Figure 88 Network diagram

Configuration prerequisites
• Configure IP addresses for the host, router, and servers as shown in Figure 88 and make sure they can reach each other.
• Configure the RADIUS server correctly to provide authentication/authorization functions.

Configuring the portal authentication server

This example assumes that the portal server runs on IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Configure the portal authentication server:
   a.
   a. Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page.
   b. Click Add to enter the page shown in Figure 90.
   c. Enter the IP group name.
   d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group.
   e. Select a service group. This example uses the default group Ungrouped.
   f. Select the IP group type Normal.
   g. Click OK.

Figure 90 Adding an IP address group

3.
Figure 91 Adding a portal device

4. Associate the portal device with the IP address group:
   a. As shown in Figure 92, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.
   b. Click Add to enter the page shown in Figure 93.
   c. Enter the port group name.
   d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
   e. Use the default settings for other parameters.
   f.
Configuring the router

1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Router> system-view
[Router] radius scheme rs1
# Specify the primary authentication/authorization server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.112
[Router-radius-rs1] key authentication simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
Verifying the configuration

Verify that the portal configuration has taken effect.
[Router] display portal interface ethernet 1/2
 Portal information of Ethernet 1/2
 IPv4:
  Portal status: Enabled
  Authentication type: Direct
  Portal Web server: newpt
  Authentication domain: Not configured
  Bas-ip: 2.2.2.
Figure 94 Network diagram (portal server 192.168.0.111/24, DHCP server 192.168.0.112/24, RADIUS server 192.168.0.113/24; router Eth1/1 192.168.0.100/24 and Eth1/2 20.20.20.1/24 with sub-address 10.0.0.1/24; host automatically obtains an IP address)

Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 94 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
[Router] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] accounting portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain.
Configuring cross-subnet portal authentication

Network requirements

As shown in Figure 95, Router A supports portal authentication. The host accesses Router A through Router B. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server. Configure Router A for cross-subnet portal authentication. Before passing the authentication, the host can access only the portal server.
[RouterA] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
[RouterA-isp-dm1] authentication portal radius-scheme rs1
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain.
Figure 96 Network diagram (portal server 192.168.0.111/24, RADIUS server 192.168.0.112/24, security policy server 192.168.0.113/24; router Eth1/1 192.168.0.100/24 and Eth1/2 2.2.2.1/24; host 2.2.2.2/24 with gateway 2.2.2.1)

Configuration prerequisites
• Configure IP addresses for the host, router, and servers as shown in Figure 96 and make sure they can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[Router] domain default enable dm1
3. Configure ACL 3000 for resources on subnet 192.168.0.0/24 and ACL 3001 for Internet resources:
[Router] acl number 3000
[Router-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.
Figure 97 Network diagram (portal server 192.168.0.111/24, DHCP server 192.168.0.112/24, RADIUS server 192.168.0.113/24, security policy server 192.168.0.114/24; router Eth1/1 192.168.0.100/24 and Eth1/2 20.20.20.1/24 with sub-address 10.0.0.1/24; host automatically obtains an IP address)

Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 97 and make sure the host, router, and servers can reach each other.
[Router-radius-rs1] quit
# Enable RADIUS session control.
[Router] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-portal-server-newpt] ip 192.168.0.111 key simple portal
[Router-portal-server-newpt] port 50100
[Router-portal-server-newpt] quit
# Configure a portal Web server.
[Router] portal web-server newpt
[Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Router-portal-websvr-newpt] quit
# Enable re-DHCP portal authentication on interface Ethernet 1/2.
• Make sure the IP address of the portal device added on the portal server is the IP address (20.20.20.1) of the router's interface connecting the host. The IP address group associated with the portal device is the subnet of the host (8.8.8.0/24).

Configuration procedure

Perform the following configurations on Router A.

1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.

4. Configure portal authentication:
# Configure a portal authentication server.
[RouterA] portal server newpt
[RouterA-portal-server-newpt] ip 192.168.0.111 key simple portal
[RouterA-portal-server-newpt] port 50100
[RouterA-portal-server-newpt] quit
# Configure a portal Web server.
[RouterA] portal web-server newpt
[RouterA-portal-websvr-newpt] url http://192.168.0.
Figure 99 Network diagram

Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 99 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server correctly to provide authentication/authorization functions.
• Configure the portal authentication server. Be sure to enable the server heartbeat function and the user heartbeat function.
Figure 100 Portal authentication server configuration

2. Configure the IP address group:
   a. Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page.
   b. Click Add to enter the page shown in Figure 101.
   c. Enter the IP group name.
   d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group.
   e. Select a service group. This example uses the default group Ungrouped.
   f.
   c. Enter the device name NAS.
   d. Enter the IP address of the router's interface connected to the host.
   e. Enter the key, which must be the same as that configured on the router.
   f. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
   g. Select whether to support server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat.
   h. Click OK.
Figure 104 Adding a port group

5. Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations.

Configuring the router

1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Router> system-view
[Router] radius scheme rs1
# Specify the primary authentication/authorization server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.
# Configure reachability detection of the portal authentication server: configure the server detection interval as 40 seconds, and send log messages upon reachability status changes.
[Router-portal-server-newpt] server-detect timeout 40 log

NOTE: The value of timeout must be greater than or equal to the portal server heartbeat interval.

# Configure portal user synchronization with the portal authentication server, and configure the synchronization detection interval as 600 seconds.
Configuring cross-subnet portal authentication for MPLS L3VPNs

Network requirements

As shown in Figure 105, the PE device Router A provides portal authentication for the host in VPN 1. A portal server in VPN 3 serves as the portal authentication server, portal Web server, and RADIUS server. Configure cross-subnet portal authentication on Router A, so the host can access Internet resources after passing identity authentication.
[RouterA-radius-rs1] nas-ip 3.3.0.3
[RouterA-radius-rs1] quit
# Enable RADIUS session control.
[RouterA] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
  Authorization ACL: None
  VPN instance: vpn3
  MAC             IP              VLAN  Interface
  000d-88f7-c268  3.3.0.1         --    Ethernet1/1

Troubleshooting portal

No portal authentication page is pushed for users

Symptom
When a user is redirected to the portal Web server for authentication, no portal authentication page or error message is prompted for the user. The login page is blank.

Analysis
The key configured on the portal access device and that configured on the portal authentication server are inconsistent.
2. Use the portal server command in system view to change the listening port number to the actual listening port of the portal authentication server.

Cannot log out portal users on the RADIUS server

Symptom
The access device uses the HP IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.

Analysis
The HP IMC server uses session control packets to send disconnection requests to the access device.
Analysis
When the access device detects that the client IP address is changed, it sends an unsolicited portal packet to notify the portal authentication server of the IP change. The portal authentication server notifies the client of the authentication success only after it receives the IP change notification from both the access device and the client.
Configuring FIPS

Overview

Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high. The device supports Level 2. Unless otherwise noted, in this document the term "FIPS" refers to FIPS 140-2.
• Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks:
   d. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
   e. Save the current configuration file.
   f. Specify the current configuration file as the startup configuration file.
   g. Reboot the device.
2. Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to 1.
3. Set the minimum length of user passwords to 15 characters.
4. Add a local user account for device management, including the following items:
   - A username.
   - A password that complies with the password control policies as described in step 2 and step 3.
   - A user role of network-admin.
   - A service type of terminal.
5.
• The password control function cannot be disabled globally. The undo password control enable command does not take effect.
• The keys must contain at least 15 characters and 4 compositions of uppercase and lowercase letters, digits, and special characters. This requirement applies to the following passwords (the last two passwords are used for password control):
   - AAA server's shared key.
   - IKE pre-shared key.
   - SNMPv3 authentication key.
   - Password for a device management local user.
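The FIPS-mode key and password requirement stated above, as an added example that is not part of the HP guide: a checker modelled on the password-control parameters the guide uses (minimum length, number of character types, minimum characters per type) that reports which rules a candidate secret breaks. The policy object and the sample secrets are constructed for the demo.

```python
"""FIPS-mode password policy checker (added example, not HP code).
Mirrors: password-control length 15,
         password-control composition type-number 4 type-length 1."""
import string
from dataclasses import dataclass
from typing import Dict, List

# The four character types the guide names: uppercase, lowercase, digits, special.
CHARACTER_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 15   # password-control length 15
    type_number: int = 4   # password-control composition type-number 4
    type_length: int = 1   # ... type-length 1


FIPS_POLICY = PasswordPolicy()


def composition(secret: str) -> Dict[str, int]:
    """Count how many characters of each type the secret contains."""
    counts = {name: 0 for name in CHARACTER_TYPES}
    for ch in secret:
        for name, chars in CHARACTER_TYPES.items():
            if ch in chars:
                counts[name] += 1
                break
    return counts


def violations(secret: str, policy: PasswordPolicy = FIPS_POLICY) -> List[str]:
    """Return the rules the secret breaks; an empty list means it complies."""
    problems = []
    if len(secret) < policy.min_length:
        problems.append(f"length {len(secret)} is below the minimum of {policy.min_length}")
    counts = composition(secret)
    satisfied = [n for n in CHARACTER_TYPES if counts[n] >= policy.type_length]
    if len(satisfied) < policy.type_number:
        missing = [n for n in CHARACTER_TYPES if n not in satisfied]
        problems.append(
            f"only {len(satisfied)} of {policy.type_number} character types have at "
            f"least {policy.type_length} character(s); missing: {', '.join(missing)}")
    return problems


def compliant(secret: str, policy: PasswordPolicy = FIPS_POLICY) -> bool:
    return not violations(secret, policy)


if __name__ == "__main__":
    # Constructed samples: a RADIUS shared key and two local-user passwords.
    for sample in ("radiuskey12345678", "Sh0rt!", "Router#Admin2013pw"):
        print(f"{sample!r}: {violations(sample) or 'complies with FIPS-mode policy'}")
```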
To disable FIPS mode:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Disable FIPS mode.
  Command: undo fips mode enable
  Remarks: By default, the FIPS mode is disabled.

FIPS self-tests

To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms, including power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up self-test fails, the device reboots. If the conditional self-test fails, the system outputs self-test failure information.
Conditional self-tests

A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:
• Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If the decryption is successful, the test succeeds. Otherwise, the test fails.
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:y
The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Enter username(1-55 characters):root
Enter password(15-63 characters):
Confirm password:
Waiting for reboot... After reboot, the device will enter FIPS mode.
Configuration procedure

# Enable the password control function globally.
<Sysname> system-view
[Sysname] password-control enable
# Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to 1.
[Sysname] password-control composition type-number 4 type-length 1
# Set the minimum length of user passwords to 15 characters.
First login or password reset. For security reason, you need to change your pass word. Please enter your password.
old password:
new password:
confirm:
Updating user information. Please wait ... ...
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.

Exiting FIPS mode through automatic reboot

Networking requirements

A user has logged in to the device in FIPS mode through a console/AUX/Async port. Use the automatic reboot method to exit FIPS mode.
Change the configuration to meet non-FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter non-FIPS mode.

# Set the authentication mode for VTY lines to scheme.
[Sysname] line vty 0 4
[Sysname-line-vty0-4] authentication-mode scheme
# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.
[Sysname] save
The current configuration will be written to the device.
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Boldface
  Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic
  Description: Italic text represents arguments that you replace with actual values.
Convention: [ ]
  Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ... }
  Description: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.