HP MSR Router Series Security Configuration Guide (V7)
Part number: 5998-5682
Software version: CMW710-R0106
Document version: 6PW100-20140607
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to resources and services. For example, you can permit office users to read and print files and prevent guests from accessing files on the device.
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.

Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

[Figure 3: Basic RADIUS packet exchange process]

RADIUS uses the following workflow:
1. The host sends a connection request that includes the user's username and password to the RADIUS client.
2.
9. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for the user.
10. The RADIUS client notifies the user of the termination.

RADIUS packet format

RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth packet exchange between the RADIUS server and the client. These mechanisms include the timer mechanism, the retransmission mechanism, and the backup server mechanism.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered padding and are ignored by the receiver. If the length of a received packet is less than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords.
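The Length rules and the two uses of the Authenticator field described above, worked in Python: header and attribute parsing that ignores padding and drops short packets, the client-side Response Authenticator check (RFC 2865), and the User-Password hiding keyed by the Request Authenticator. This is an added example, not HP code; the Request Authenticator and attribute values are constructed, and the shared key expert and the account aaa@bbb with password ldap!123456 are taken from the configuration examples later in this guide.

```python
"""Minimal RFC 2865 RADIUS packet handling: Length rules, Response Authenticator
verification and User-Password hiding. Added example, not HP code."""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH16s")          # Code, Identifier, Length, Authenticator
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, IDLE_TIMEOUT = 1, 2, 28   # attribute numbers (RFC 2865)


def encode_attributes(attrs):
    """Serialise (type, value) pairs as Type-Length-Value; Length counts its 2-byte header."""
    out = b""
    for a_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes((a_type, len(value) + 2)) + value
    return out


def parse_packet(packet):
    """Parse a RADIUS packet. Octets beyond the Length field are padding and are
    ignored; a packet shorter than its Length field is dropped (ValueError)."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(packet)
    if length < HEADER.size or length > 4096:
        raise ValueError("invalid Length field %d" % length)
    if len(packet) < length:
        raise ValueError("dropped: packet shorter than its Length field")
    body = packet[HEADER.size:length]        # trailing padding excluded here
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError("bad attribute length for type %d" % a_type)
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "length": length,
            "authenticator": authenticator, "attributes": attrs}


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: each 16-octet block of the NUL-padded password is XORed
    with MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                        # chain on the ciphertext block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password (the server side); strips the NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident, attrs, request_authenticator):
    """Access-Request: the Authenticator field carries the random Request Authenticator."""
    body = encode_attributes(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body),
                       request_authenticator) + body


def build_response(code, ident, attrs, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + auth + body


def verify_response(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator over the octets covered by
    Length (padding excluded) and compare in constant time."""
    pkt = parse_packet(response)
    body = response[HEADER.size:pkt["length"]]
    expected = hashlib.md5(response[:4] + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])
```

A reply whose Response Authenticator fails this check (wrong shared key, or tampering on the path between NAS and server) is silently discarded by a RADIUS client, which is why a shared-key mismatch shows up as an authentication timeout rather than a reject.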
[Figure 5: Format of attribute 26]

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS.
[Figure 6: Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)]
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
9) The user enters the password
10) Continue-authentication packet with the password
11) Response indicating succ
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13.
  ○ Obtain the access rights to the LDAP server.
  ○ Check the validity of user information.
The search operation constructs search conditions and obtains the directory resource information of the LDAP server.
• In LDAP authentication, the client completes the following tasks:
1. Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
2.
2. After receiving the request, the LDAP client establishes a TCP connection with the LDAP server.
3. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.
4. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgement to the LDAP client.
5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.
6.
• Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal users can access through a console, AUX, or Async port.
• Portal—Portal users must pass portal authentication to access the network.
• PPP.
NOTE: The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies.
• No accounting—The NAS does not perform accounting for the users.
• Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.
• Remote accounting—The NAS works with a RADIUS server or HWTACACS server for accounting. You can configure backup methods to be used when the remote server is not available.
Protocols and standards
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 5176, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS
• RFC 1777, Lightweight Directory Access Protocol
• R
No. | Attribute | Description
28 | Idle-Timeout | Maximum idle time permitted for the user before termination of the session.
31 | Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
32 | NAS-Identifier | Identification that the NAS uses to identify itself to the RADIUS server.
Type of the Accounting-Request packet.
No. | Sub-attribute | Description
4 | Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps.
5 | Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps.
6 | Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps.
15 | Remanent_Volume | Total remaining available traffic for the connection, in different units for different server types.
Operation for the session, used for session control.
No. | Sub-attribute | Description
203 | Input-Interval-Packets | Number of packets input within an accounting interval, in the unit set on the NAS.
204 | Output-Interval-Packets | Number of packets output within an accounting interval, in the unit set on the NAS.
205 | Input-Interval-Gigawords | Amount of bytes input within an accounting interval, in units of 4G bytes.
206 | Output-Interval-Gigawords | Amount of bytes output within an accounting interval, in units of 4G bytes.
To configure AAA, perform the following tasks:
Tasks at a glance
(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
• Configuring local users
• Configuring RADIUS schemes
• Configuring HWTACACS schemes
• Configuring LDAP schemes
(Required.) Configure AAA methods for ISP domains:
1. (Required.) Creating an ISP domain
2. (Optional.) Configuring ISP domain attributes
3. (Required.
• User group—Each local user belongs to a local user group and has all attributes of the group. The attributes include the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
• Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user.
• For Telnet and terminal users, only the authorization attribute user-role is effective.
• For SSH and FTP users, only the following authorization attributes are effective: user-role and work-directory.
• For other types of local users, no authorization attribute is effective.
To configure local user attributes:
Step | Command | Remarks
4. Enter system view.
    Command: system-view
    Remarks: N/A
5. Add a local user and enter local user view.
Step | Command | Remarks
10. (Optional.) Configure binding attributes for the local user.
    Command: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *
    Remarks: By default, no binding attribute is configured for a local user. Binding attribute call-number applies only to PPP users. Binding attribute ip applies only to LAN users using 802.1X. Binding attributes location, mac, and vlan apply only to LAN users.
implement centralized user attributes management for the local users in the group. Local user attributes that are manageable include authorization attributes. By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view.
To configure user group attributes:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Create a user group and enter user group view.
Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server IP addresses, UDP port numbers, shared keys, and server types.

Configuration task list
Tasks at a glance
(Optional.) Configuring a test profile for RADIUS server status detection
(Required.) Creating a RADIUS scheme
(Required.
• The test profile configuration is removed for the RADIUS server in RADIUS scheme view.
• The test profile is deleted.
• The RADIUS server is manually set to the blocked state.
• The RADIUS scheme is deleted.
To configure a test profile for RADIUS server status detection:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Configure a test profile for detecting the status of RADIUS authentication servers.
Step | Command | Remarks
3. Specify RADIUS authentication servers.
    Command: • Specify the primary RADIUS
Step | Command | Remarks
3. Specify RADIUS accounting servers.
    Command:
    • Specify the primary RADIUS accounting server: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
    • Specify a secondary RADIUS
4. (Optional.) Set the maximum number of real-time accounting attempts.
Step | Command | Remarks
3. Specify a VPN for the RADIUS scheme.
    Command: vpn-instance vpn-instance-name
    Remarks: By default, a RADIUS scheme belongs to the public network.

Setting the username format and traffic statistics units

A username is in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP domain name is included in a username. However, older RADIUS servers might not recognize usernames that contain the ISP domain names.
Setting the status of RADIUS servers

To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers function as the backup of the primary server. The device chooses servers based on these rules:
• When the primary server is in active state, the device communicates with the primary server.
Step | Command | Remarks
3. Set the RADIUS server status.
    Command:
    • Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
    • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
    • Set the status of a secondary RADIUS
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Specify a source IP address for outgoing RADIUS packets.
    Command: radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
    Remarks: By default, the IP address of the RADIUS packet outbound interface is used as the source IP address.
To specify a source IP address for a RADIUS scheme:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter RADIUS scheme view.
• A short real-time accounting interval helps improve accounting precision but requires many system resources. When there are 1000 or more users, set the interval to 15 minutes or longer.
To set RADIUS timers:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter RADIUS scheme view.
    Command: radius scheme radius-scheme-name
    Remarks: N/A
3. Set the RADIUS server response timeout timer.
    Command: timer response-timeout seconds
    Remarks: The default setting is 3 seconds.
4. Set the quiet timer for the servers.
Step | Command | Remarks
2. Enter RADIUS scheme view.
    Command: radius scheme radius-scheme-name
    Remarks: N/A
3. Specify a security policy server.
    Command: security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
    Remarks: By default, no security policy server is specified for a scheme. You can specify up to eight security policy servers for a RADIUS scheme.
Step | Command | Remarks
3. Configure the attribute 15 check mode for SSH, FTP, and terminal users.
    Command: attribute 15 check-mode { loose | strict }
    Remarks: The default check mode is strict.

Enabling SNMP notifications for RADIUS

When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS:
• RADIUS server unreachable notification—The RADIUS server cannot be reached.
Tasks at a glance
(Optional.) Specifying the HWTACACS authorization servers
(Optional.) Specifying the HWTACACS accounting servers
(Required.) Specifying the shared keys for secure HWTACACS communication
(Optional.) Specifying a VPN for the scheme
(Optional.) Setting the username format and traffic statistics units
(Optional.) Specifying the source IP address for outgoing HWTACACS packets
(Optional.) Setting HWTACACS timers
(Optional.
Step | Command | Remarks
3. Specify HWTACACS authentication servers.
    Command: • Specify the primary HWTACACS
If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. HWTACACS does not support accounting for FTP, SFTP, and SCP users.
To specify HWTACACS accounting servers for an HWTACACS scheme:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter HWTACACS scheme view.
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter HWTACACS scheme view.
    Command: hwtacacs scheme hwtacacs-scheme-name
    Remarks: N/A
3. Specify a VPN for the HWTACACS scheme.
    Command: vpn-instance vpn-instance-name
    Remarks: By default, an HWTACACS scheme belongs to the public network.

Setting the username format and traffic statistics units

A username is in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP domain name is included in a username.
You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view or in system view.
• The IP address specified in HWTACACS scheme view applies to one HWTACACS scheme.
• The IP address specified in system view applies to all HWTACACS schemes whose servers are in a VPN or the public network.
Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:
1. The source IP address specified for the HWTACACS scheme.
2.
The server quiet timer setting affects the status of HWTACACS servers. If the scheme includes one primary HWTACACS server and multiple secondary HWTACACS servers, the device communicates with the HWTACACS servers based on the following rules:
• When the primary server is in active state, the device communicates with the primary server.
• If the primary server fails, the device performs the following tasks:
  ○ Changes the server status to blocked.
  ○ Starts a quiet timer for the server.
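The primary/secondary selection rules and the server quiet timer described here (the same rules are given for RADIUS schemes in "Setting the status of RADIUS servers") as a small simulation. This is an added example, not HP code: the server addresses, the simulated clock and the reachable() callback are constructed, and the return of a timer-blocked server to the active state when its quiet timer expires is an assumption taken from the behaviour the full guide describes.

```python
"""Simulation of scheme server selection: primary first, failover to the first active
secondary, blocked state with a quiet timer (default 5 minutes), and the manual
'state ... { active | block }' command. Added example, not HP code."""
from dataclasses import dataclass

QUIET_MINUTES_DEFAULT = 5            # default of 'timer quiet minutes' in this guide


@dataclass
class Server:
    address: str
    role: str                        # "primary" or "secondary"
    state: str = "active"            # "active" or "blocked"
    blocked_until: float = 0.0       # simulated-clock second at which the quiet timer expires
    manual: bool = False             # True when set by the 'state' command (no timer runs)


class Scheme:
    def __init__(self, primary, secondaries, quiet_minutes=QUIET_MINUTES_DEFAULT):
        self.servers = [Server(primary, "primary")] + \
                       [Server(s, "secondary") for s in secondaries]
        self.quiet_seconds = quiet_minutes * 60

    def set_state(self, address, keyword):
        """'state primary|secondary ... { active | block }': a manually set state has no
        quiet timer, so the server stays in it until the command is issued again."""
        for s in self.servers:
            if s.address == address:
                s.state = "blocked" if keyword == "block" else "active"
                s.manual = True

    def _expire_quiet_timers(self, now):
        # Assumed behaviour: a timer-blocked server becomes active again when its
        # quiet timer expires (constructed simulation clock in seconds).
        for s in self.servers:
            if s.state == "blocked" and not s.manual and now >= s.blocked_until:
                s.state = "active"

    def select(self, now, reachable):
        """Pick the server for a request at simulated time 'now'. A server that does not
        answer is changed to blocked and its quiet timer started, then the next active
        server in configured order is tried. Returns the address used, or None."""
        self._expire_quiet_timers(now)
        for s in self.servers:          # primary first, then secondaries in order
            if s.state != "active":
                continue
            if reachable(s.address):
                return s.address
            s.state, s.manual = "blocked", False
            s.blocked_until = now + self.quiet_seconds
        return None

    def states(self):
        return {s.address: s.state for s in self.servers}
```

The point for an operator is visible in the timeline: once the primary has been blocked, requests go to the secondary for the whole quiet period even if the primary recovers sooner, and a server blocked with the state command never comes back on its own.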
Step | Command | Remarks
4. Set the real-time accounting interval.
    Command: timer realtime-accounting minutes
    Remarks: By default, the real-time accounting interval is 12 minutes. A short interval helps improve accounting precision but requires many system resources. When there are 1000 or more users, set a longer interval.
5. Set the server quiet timer.
    Command: timer quiet minutes
    Remarks: By default, the server quiet timer is 5 minutes.
Configuring the IP address of the LDAP server
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter LDAP server view.
    Command: ldap server server-name
    Remarks: N/A
3. Configure the IP address of the LDAP server.
    Command: { ip ip-address | ipv6 ipv6-address } [ port port-number ] [ vpn-instance vpn-instance-name ]
    Remarks: By default, an LDAP server has no IP address. You can configure either an IPv4 address or an IPv6 address for an LDAP server. The most recent configuration takes effect.
Step | Command | Remarks
3. Specify the administrator DN.
    Command: login-dn dn-string
    Remarks: By default, no administrator DN is specified. The administrator DN specified on the device must be the same as configured on the LDAP server.
4. Configure the administrator password.
    Command: login-password { cipher | simple } password
    Remarks: By default, no administrator password is specified.

Configuring LDAP user attributes

To authenticate a user, an LDAP client must complete the following tasks:
1.
Step | Command | Remarks
7. (Optional.) Specify the user object class.
    Command: user-parameters user-object-class object-class-name
    Remarks: By default, no user object class is specified, and the default user object class on the LDAP server is used. The default user object class varies by device.

Creating an LDAP scheme

You can configure up to 16 LDAP schemes. An LDAP scheme can be referenced by multiple ISP domains.
To create an LDAP scheme:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2.
Configuration prerequisites

To use local authentication for users in an ISP domain, configure local user accounts on the device first. See "Configuring local user attributes." To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS, or LDAP schemes. For more information about the scheme configuration, see "Configuring RADIUS schemes," "Configuring HWTACACS schemes," and "Configuring LDAP schemes."
Step | Command | Remarks
3. Return to system view.
    Command: quit
    Remarks: N/A
4. (Optional.) Specify the default ISP domain.
    Command: domain default enable isp-name
    Remarks: By default, the default ISP domain is the system-defined ISP domain system.
5. (Optional.) Specify the ISP domain used by users that include unknown domain names.
    Command: domain if-unknown isp-domain-name
    Remarks: By default, no ISP domain is specified for users that include unknown domain names.
Step | Command | Remarks
5. Configure authorization attributes for authenticated users in the ISP domain.
    Command: authorization-attribute { idle-cut minute [ flow ] | ip-pool pool-name }
    Remarks: By default, the authorization attributes are not configured and the idle cut function is disabled.
    Command: session-time include-idle-time
    Remarks: By default, the user online duration sent to the server does not include the idle cut period or user online detection period.
6.
Step | Command | Remarks
4. Specify the authentication method for LAN users.
    Command: authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
5. Specify the authentication method for login users.
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter ISP domain view.
    Command: domain isp-name
    Remarks: N/A
3. Specify the default authorization method for all types of users.
    Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
4. Specify the command authorization method.
Configuration guidelines

When configuring accounting methods, follow these guidelines:
• FTP, SFTP, and SCP users do not support accounting.
• Local accounting does not provide statistics for charging. It only counts and controls the number of concurrent users who use the same local user account. The threshold is configured by using the access-limit command.

Configuration procedure

To configure accounting methods for an ISP domain:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2.
Enabling the session-control feature

A RADIUS server running on IMC can use session-control packets to deliver disconnect or dynamic authorization change requests. This task enables the device to receive RADIUS session-control packets on UDP port 1812.
To enable the session-control feature:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enable the session-control feature.
    Command: radius session-control enable
    Remarks: By default, the session-control feature is disabled.
Changing the DSCP priority for RADIUS packets

The DSCP priority in the ToS field determines the transmission priority of RADIUS packets. A larger value represents a higher priority.
To change the DSCP priority for RADIUS packets:
Step | Command | Remarks
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Change the DSCP priority for RADIUS packets.
    Command: radius [ ipv6 ] dscp dscp-value
    Remarks: By default, the DSCP priority is 0 for RADIUS packets.
AAA configuration examples

Authentication and authorization for SSH users by a RADIUS server

Network requirements
As shown in Figure 11, configure the router to meet the following requirements:
• Use the RADIUS server for SSH user authentication and authorization.
• Send usernames with domain names to the RADIUS server.
• Assign the default user role network-operator to SSH users after they pass authentication.
The RADIUS server runs on IMC.
f. Leave the default settings for other parameters and click OK.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router. The source IP address is chosen in the following order on the router:
  ○ IP address specified by the nas-ip command.
  ○ IP address specified by the radius nas-ip command.
  ○ IP address of the outbound interface (the default).
[Figure 13: Adding an account for device management]
2. Configure the router:
# Assign an IP address to interface GigabitEthernet 2/1/1, the SSH user access interface.
system-view
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet2/1/1] quit
# Assign an IP address to interface GigabitEthernet 2/1/2, through which the router communicates with the server.
[Router] role default-role enable
# Create a RADIUS scheme.
[Router] radius scheme rad
# Specify the primary authentication server.
[Router-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure communication with the server to expert in plain text.
[Router-radius-rad] key authentication simple expert
# Include the domain names in usernames sent to the RADIUS server.
[Router] public-key local create dsa
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
[Router] local-user ssh class manage
# Assign the SSH service for the local user.
[Router-luser-manage-ssh] service-type ssh
# Set a password for the local user to 123456TESTplat&! in plain text.
[Figure 15: Network diagram]
Configuration procedure
1. Configure the HWTACACS server:
# Set the shared keys for secure communication with the router to expert. (Details not shown.)
# Add an account for the SSH user and specify the password. (Details not shown.)
2. Configure the router:
# Create an HWTACACS scheme.
system-view
[Router] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Router-hwtacacs-hwtac] primary authentication 10.1.1.
[Router] ssh server enable
# Enable the default user role function to assign authenticated SSH users the default user role network-operator.
[Router] role default-role enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Assign an IP address to interface GigabitEthernet 2/1/1, the SSH user access interface.
Configuration procedure
1. Configure the LDAP server:
NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.
# Add a user named aaa and set the password to ldap!123456.
a. On the LDAP server, select Start > Control Panel > Administrative Tools.
b. Double-click Active Directory Users and Computers. The Active Directory Users and Computers window is displayed.
c. From the navigation tree, click Users under the ldap.com node.
d.
[Figure 18: Setting the user password]
g. Click OK.
# Add user aaa to group Users.
h. From the navigation tree, click Users under the ldap.com node.
i. On the right pane, right-click aaa and select Properties.
j. In the dialog box, click the Member Of tab and click Add.
[Figure 19: Modifying user properties]
d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users.
[Figure 20: Adding user aaa to group Users]
# Set the administrator password to admin!123456.
a. From the user list on the right pane, right-click Administrator and select Set Password.
b. In the dialog box, enter the administrator password. (Details not shown.)
2.
# Assign an IP address to interface GigabitEthernet 2/1/1, the SSH user access interface.
system-view
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] ip address 192.168.1.20 24
[Router-GigabitEthernet2/1/1] quit
# Assign an IP address to interface GigabitEthernet 2/1/2, through which the router communicates with the server.
[Router] interface gigabitethernet 2/1/2
[Router-GigabitEthernet2/1/2] ip address 10.1.1.2 255.255.255.
Verifying the configuration
# Initiate an SSH connection to the router, and enter the username aaa@bbb and password ldap!123456. (Details not shown.) The user logs in to the router.
# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)
AAA for PPP users by an HWTACACS server
Network requirements
As shown in Figure 21:
• Router A uses the HWTACACS server to perform PAP authentication for users from Router B.
[RouterA-hwtacacs-hwtac] key accounting simple expert
# Configure the router to send usernames without domain names.
[RouterA-hwtacacs-hwtac] user-name-format without-domain
[RouterA-hwtacacs-hwtac] quit
# Create ISP domain bbb and configure the domain to use the HWTACACS scheme for authentication, authorization, and accounting for PPP users.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
• The username is not in the format userid@isp-name, or the ISP domain is not correctly configured on the NAS.
• The user is not configured on the RADIUS server.
• The password entered by the user is incorrect.
• The RADIUS server and the NAS are configured with different shared keys.
Solution
To resolve the problem:
1. Check the following items:
2.
RADIUS accounting error
Symptom
A user is authenticated and authorized, but accounting for the user is not normal.
Analysis
The accounting server configuration on the NAS is not correct. Possible reasons include:
• The accounting port number configured on the NAS is incorrect.
• The accounting server IP address configured on the NAS is incorrect.
− The IP address and port number of the LDAP server configured on the NAS match those of the server.
− The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS.
− The user is configured on the LDAP server.
− The correct password is entered.
− The administrator DN and the administrator password are correctly configured.
− The NAS and the LDAP server can ping each other.
2.
802.1X overview
802.1X is a port-based network access control protocol initially proposed for securing WLANs. The protocol has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model. It includes three entities: the client (the supplicant), the network access device (the authenticator), and the authentication server.
Figure 22 802.
− Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control.
Figure 23 Authorization state of a controlled port
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the Code, Identifier, Length, and Data fields.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.
EAPOL packet format
Figure 25 shows the EAPOL packet format.
Figure 26 EAP-Message attribute format
Message-Authenticator
RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication.
Figure 27 Message-Authenticator attribute format
Initiating 802.
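The Message-Authenticator check described above, worked through as an added Python example (written for this page, not HP's implementation): it builds a constructed RADIUS Access-Request that relays an EAP-Message, fills in the attribute as HMAC-MD5 keyed with the shared secret over the whole packet with the attribute value zeroed (RFC 3579), and applies the receiver's rule that a packet carrying EAP-Message is dropped unless a Message-Authenticator is present and matches. The shared key abc, the username aaa and the fixed Request Authenticator bytes are constructed sample values.

```python
import hashlib
import hmac

# RADIUS packet code and attribute types used below (values from RFC 2865 and RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def attr(attr_type, value):
    """Encode one attribute as Type | Length | Value; Length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return bytes([attr_type, 2 + len(value)]) + value


def build_packet(code, identifier, authenticator, attributes):
    """Assemble Code | Identifier | Length | Authenticator | Attributes."""
    body = b"".join(attributes)
    return (bytes([code, identifier]) + (HEADER_LEN + len(body)).to_bytes(2, "big")
            + authenticator + body)


def locate(packet, attr_type):
    """Return (offset, length) of the first attribute of the given type, or None.
    An attribute length below 2 or running past the packet end is rejected, not trusted."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length at offset %d" % pos)
        if packet[pos] == attr_type:
            return pos, length
        pos += length
    return None


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 (key = shared secret) over the whole packet with the 16-byte
    Message-Authenticator value replaced by zeros."""
    loc = locate(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if loc is None or loc[1] != 18:
        raise ValueError("packet has no well-formed Message-Authenticator attribute")
    off, length = loc
    zeroed = packet[:off + 2] + bytes(16) + packet[off + length:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign(packet, secret):
    """Fill in the Message-Authenticator of a packet built with a 16-byte zero placeholder."""
    off, length = locate(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:off + 2] + compute_message_authenticator(packet, secret) + packet[off + length:]


def verify(packet, secret):
    """Receiver-side check from the text: a packet that carries EAP-Message must also carry
    a Message-Authenticator, and the value must equal the recomputed HMAC. False means drop."""
    loc = locate(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if loc is None:
        return locate(packet, ATTR_EAP_MESSAGE) is None
    off, length = loc
    if length != 18:
        return False
    received = packet[off + 2:off + length]
    return hmac.compare_digest(received, compute_message_authenticator(packet, secret))


def build_example(secret=b"abc", tampered=False):
    """Constructed Access-Request relaying an EAP-Response/Identity for user aaa (sample data only)."""
    request_authenticator = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    eap_identity = bytes([2, 1, 0, 8, 1]) + b"aaa"  # Code 2 Response, Id 1, Length 8, Type 1 Identity
    packet = build_packet(ACCESS_REQUEST, 7, request_authenticator, [
        attr(ATTR_USER_NAME, b"aaa"),
        attr(ATTR_EAP_MESSAGE, eap_identity),
        attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),  # placeholder filled by sign()
    ])
    packet = sign(packet, secret)
    if tampered:
        # Flip one bit of the User-Name value (first attribute; its value starts at offset 22).
        packet = packet[:22] + bytes([packet[22] ^ 0x01]) + packet[23:]
    return packet


if __name__ == "__main__":
    print("valid:", verify(build_example(), b"abc"))
    print("tampered:", verify(build_example(tampered=True), b"abc"))
    print("wrong key:", verify(build_example(), b"wrong"))
```

The check only proves that whoever built the packet knew the shared secret, which is why the troubleshooting section later in this chapter lists a shared-key mismatch between NAS and server as a cause of failed authentication: every EAP-carrying packet is then dropped at the receiver.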
• EAP relay mode: EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 28. Figure 28 EAP relay In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to use the dot1x authentication-method eap command to enable EAP relay.
EAP relay Figure 30 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used. Figure 30 802.
7. The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the network access device.
8. The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS Access-Request packet to the authentication server.
9. The authentication server compares the received encrypted password with the encrypted password it generated at step 5.
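The EAP packet fields from the previous section and steps 5 through 9 of the EAP relay procedure, worked through in Python as an added example that is not HP's code: it parses an EAP packet while checking the Length field against the bytes actually received, builds the MD5-Challenge exchange (the "encryption" the text refers to is the MD5 hash over Identifier, password and challenge that EAP-MD5 takes from CHAP, RFC 1994), and performs the server-side comparison of step 9. The password 123456, the identifier values and the names are constructed sample values.

```python
import hashlib
import hmac
import secrets

# EAP codes and the two Type values named in the text (RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Code | Identifier | Length | Data, where Data = Type | Type-Data (Request/Response only)."""
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return bytes([code, identifier]) + (4 + len(data)).to_bytes(2, "big") + data


def parse_eap(packet):
    """Decode the header, check the Length field against what was actually received, and
    pull out Type and Type-Data for Request/Response packets. Raises ValueError on a bad packet."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length %d inconsistent with %d bytes received" % (length, len(packet)))
    parsed = {"code": code, "identifier": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        parsed["type"] = packet[4]
        parsed["type_data"] = packet[5:length]
    return parsed


def md5_type_data(value, name):
    """MD5-Challenge Type-Data: Value-Size (1) | Value | Name."""
    return bytes([len(value)]) + value + name


def split_md5_type_data(type_data):
    """Inverse of md5_type_data; rejects a Value-Size that points past the data."""
    if not type_data or 1 + type_data[0] > len(type_data):
        raise ValueError("Value-Size exceeds Type-Data")
    size = type_data[0]
    return type_data[1:1 + size], type_data[1 + size:]


def md5_response_value(identifier, password, challenge):
    """The client's step-7 value: MD5 over Identifier | password | challenge (CHAP-style)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_make_challenge(identifier, name=b"radius"):
    """Steps 5 and 6: the server draws a random challenge and wraps it in a Request/MD5-Challenge."""
    challenge = secrets.token_bytes(16)
    return challenge, build_eap(EAP_REQUEST, identifier, TYPE_MD5_CHALLENGE, md5_type_data(challenge, name))


def client_answer(request_packet, password, name=b"aaa"):
    """Step 7: parse the request, hash the password with the challenge, return Response/MD5-Challenge."""
    req = parse_eap(request_packet)
    if req["code"] != EAP_REQUEST or req.get("type") != TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    challenge, _ = split_md5_type_data(req["type_data"])
    value = md5_response_value(req["identifier"], password, challenge)
    return build_eap(EAP_RESPONSE, req["identifier"], TYPE_MD5_CHALLENGE, md5_type_data(value, name))


def server_verify(response_packet, identifier, challenge, password):
    """Step 9: recompute from the challenge issued at step 5 and compare in constant time;
    a Response whose Identifier does not match the outstanding Request is rejected."""
    resp = parse_eap(response_packet)
    if resp["code"] != EAP_RESPONSE or resp.get("type") != TYPE_MD5_CHALLENGE:
        return False
    if resp["identifier"] != identifier:
        return False
    value, _ = split_md5_type_data(resp["type_data"])
    return hmac.compare_digest(value, md5_response_value(identifier, password, challenge))


def run_exchange(server_password=b"123456", client_password=b"123456", identifier=2):
    """Drive steps 5 to 9 end to end; the result is the EAP code the server would send next."""
    challenge, request = server_make_challenge(identifier)
    response = client_answer(request, client_password)
    return EAP_SUCCESS if server_verify(response, identifier, challenge, server_password) else EAP_FAILURE
```

Because the server must recompute the hash, it needs the user's password in a recoverable form; that dependency (rather than anything in the exchange itself) is the reason the RADIUS server and the device must agree on the same authentication method in EAP relay mode, as noted under "EAP relay mode" above.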
Figure 31 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device.
You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port. For more information about the port security feature, see "Configuring port security."
In this chapter, "MSR2000" refers to MSR2003.
− VLAN name. The VLAN name represents the VLAN description on the access device.
− Combination of VLAN ID and VLAN name. In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.
− VLAN group name. For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.
− VLAN ID with suffix. The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members or not.
VLAN types in a group: Authorized VLAN IDs include suffixes.
VLAN selection and assignment rules:
3. The device selects the leftmost VLAN ID without a suffix, or the leftmost VLAN ID suffixed by u, as the untagged VLAN, whichever is more leftmost.
4. The device assigns the untagged VLAN to the port as the PVID, and it assigns the remaining VLANs as tagged VLANs. If no untagged VLAN is assigned, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through.
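Rules 3 and 4 above, implemented in Python as an added example (not HP's code) so the selection can be checked against a given authorization string before it is configured on a RADIUS server. The token separator is not stated on this page, so whitespace separation is an assumption here; tokens that are not a VLAN ID (1 to 4094) with an optional t or u suffix are rejected rather than guessed at.

```python
import re

# One VLAN ID, optionally followed by t (tagged) or u (untagged), as described above.
VLAN_TOKEN = re.compile(r"^(\d+)([tu])?$")


def parse_vlan_string(vlan_string):
    """Split the authorization VLAN string into (vlan_id, suffix) pairs, suffix being 't', 'u'
    or None. Assumes whitespace-separated tokens (an assumption, not stated on the page) and
    rejects anything that is not a VLAN ID in the range 1-4094, so a malformed attribute
    cannot silently produce a wrong assignment."""
    pairs = []
    for token in vlan_string.split():
        match = VLAN_TOKEN.match(token)
        if not match:
            raise ValueError("unsupported VLAN token: %r" % token)
        vlan_id = int(match.group(1))
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID out of range: %d" % vlan_id)
        pairs.append((vlan_id, match.group(2)))
    return pairs


def assign_vlans(vlan_string, current_pvid):
    """Apply rules 3 and 4: the leftmost ID that carries no suffix or the suffix u becomes the
    untagged VLAN (the new PVID); every other ID becomes a tagged VLAN; if no ID qualifies, the
    PVID is unchanged. Returns (pvid, tagged_vlans)."""
    pairs = parse_vlan_string(vlan_string)
    untagged_index = next((i for i, (_, suffix) in enumerate(pairs) if suffix in (None, "u")), None)
    tagged = [vlan_id for i, (vlan_id, _) in enumerate(pairs) if i != untagged_index]
    pvid = current_pvid if untagged_index is None else pairs[untagged_index][0]
    return pvid, tagged


if __name__ == "__main__":
    print(assign_vlans("20t 30u 10", current_pvid=1))   # (30, [20, 10])
    print(assign_vlans("100t 200t", current_pvid=1))    # (1, [100, 200])
```

Note the second call: with only t-suffixed IDs the PVID stays at its configured value, which is the case rule 4 singles out.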
The 802.1X guest VLAN on a port accommodates users who have not performed 802.1X authentication. Users in the guest VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches. Once a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources.
The following table describes how the access device handles VLANs on an 802.
Authentication status: A user passes 802.1X authentication.
VLAN manipulation:
• The device assigns the authorization VLAN of the user to the port as the PVID, and it removes the port from the Auth-Fail VLAN. After the user logs off, the guest VLAN is assigned to the port as the PVID. If no guest VLAN is configured, the initial PVID of the port is restored.
• If the authentication server does not authorize a VLAN, the initial PVID of the port applies. The user and all subsequent 802.
Authentication status: A user in the 802.1X guest VLAN fails authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The device assigns the 802.1X critical VLAN to the port as the PVID, and all 802.1X users on this port are in this VLAN.
Authentication status: A user in the 802.1X Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the 802.1X Auth-Fail VLAN.
NOTE: After you install the SmartOn client software, add two values QX_ID and QX_PASSWORD to the Windows registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Soliton Systems K.K.\SmartOn Client\Clients\1XGate]. Specify the switch ID and password for the QX_ID and QX_PASSWORD, respectively. The switch ID and password must be the same as the switch ID and password configured on the device. Configuration prerequisites • Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
Enabling 802.1X
Do not enable 802.1X on a port that is in a link aggregation or service loopback group.
To enable 802.1X:
1. Enter system view.
   Command: system-view
2. Enable 802.1X globally.
   Command: dot1x
   Remarks: By default, 802.1X is disabled globally.
3. Enter Ethernet interface view.
   Command: interface interface-type interface-number
4. Enable 802.1X on a port.
   Command: dot1x
   Remarks: By default, 802.1X is disabled on a port.
Setting the port authorization state
The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:
• authorized-force—Places the port in the authorized state, enabling users on the port to access the network without authentication.
• unauthorized-force—Places the port in the unauthorized state, denying any access requests from users on the port.
1. Enter system view.
   Command: system-view
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
3. Set the maximum number of concurrent 802.1X users on a port.
   Command: dot1x max-user user-number [ interface interface-list ]
   Remarks: The default value is 256.
Configuring the online user handshake function
The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If no response is received from an online user after the access device has made the maximum handshake attempts (set by the dot1x retry command), the device sets the user to the offline state.
• Unicast trigger—Enables the network device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time. This process continues until the maximum number of request attempts set with the dot1x retry command is reached (see "Setting the maximum number of authentication request attempts").
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
3. Specify a mandatory 802.1X authentication domain on the port.
   Command: dot1x mandatory-domain domain-name
   Remarks: By default, no mandatory 802.1X authentication domain is specified.
Configuring the quiet timer
The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.
2. (Optional.) Set the periodic reauthentication timer.
   Command: dot1x timer reauth-period reauth-period-value
   Remarks: The default is 3600 seconds.
3. Enter Ethernet interface view.
   Command: interface interface-type interface-number
4. Enable periodic online user reauthentication.
   Command: dot1x re-authenticate
   Remarks: By default, the function is disabled.
   Command: dot1x re-authenticate server-unreachable keep-online
   Remarks: By default, this feature is disabled. The device logs off online 802.
Configuring an 802.1X Auth-Fail VLAN
Configuration guidelines
When you configure an 802.1X Auth-Fail VLAN, follow these restrictions and guidelines:
• Configure the VLAN on an 802.1X-enabled port that performs port-based access control.
• Assign different IDs to the port VLAN and the 802.1X Auth-Fail VLAN on the port, so the port can correctly process VLAN-tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on the port. The 802.
• Enable 802.1X multicast trigger on the port.
Configuration procedure
To configure an 802.1X critical VLAN:
1. Enter system view.
   Command: system-view
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
3. Configure the 802.1X critical VLAN on the port.
   Command: dot1x critical vlan vlan-id
   Remarks: By default, no 802.1X critical VLAN is configured.
Specifying supported domain name delimiters
By default, the access device supports the at sign (@) as the delimiter.
made the maximum retransmission attempts but received no response, it stops the 802.1X authentication process for the client. • If the device receives an EAP-Response/Notification packet within the timer or before the maximum retransmission attempts have been made, it starts the SmartOn authentication. If the SmartOn switch ID and the MD5 digest of the SmartOn password in the packet match those on the device, 802.1X authentication continues for the client. Otherwise, the device denies the client's 802.
802.1X authentication configuration examples
Basic 802.1X authentication configuration example
Network requirements
As shown in Figure 33, the access device performs 802.1X authentication for users who connect to port GigabitEthernet 2/1/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users. Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users.
[Device-luser-network-localuser] quit
5. Configure a RADIUS scheme:
# Create the RADIUS scheme radius1 and enter RADIUS scheme view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.
Verifying the configuration
# Use the display dot1x interface command to verify the 802.1X configuration on GigabitEthernet 2/1/1. (Details not shown.)
# After an 802.1X user passes authentication, use the display dot1x sessions command to display the user connection information. (Details not shown.)
802.1X guest VLAN and authorization VLAN configuration example
Network requirements
As shown in Figure 34, use RADIUS servers to perform authentication, authorization, and accounting for 802.
2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users. (Details not shown.) 3. Create VLANs, and assign ports to the VLANs on the access device.
[Device] interface gigabitethernet 2/1/2
[Device-GigabitEthernet2/1/2] dot1x
# Implement port-based access control on the port.
[Device-GigabitEthernet2/1/2] dot1x port-method portbased
# Set the port authorization mode to auto. By default, the port uses the auto mode.
[Device-GigabitEthernet2/1/2] dot1x port-control auto
# Set VLAN 10 as the 802.1X guest VLAN on port GigabitEthernet 2/1/2.
[Device-GigabitEthernet2/1/2] dot1x guest-vlan 10
[Device-GigabitEthernet2/1/2] quit
# Enable 802.1X globally.
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.2 as the primary accounting server, and set the accounting port to 1813.
[Device-radius-2000] primary accounting 10.11.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication server and the device.
Configuring MAC authentication
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, and MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
Authorization VLAN assignment
You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources.
• On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN name.
• On the local access device, the authorization VLAN must be specified in the form of VLAN ID.
1. Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."
− For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users.
− For RADIUS authentication, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server.
2.
Specifying a MAC authentication domain
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users:
• Specify a global authentication domain in system view. This domain setting applies to all ports enabled with MAC authentication.
• Specify an authentication domain for an individual port in interface view.
• Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user as idle. If no traffic is received from a user within the interval, the device logs the user out and stops accounting for the user.
• Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication again for a user who has failed MAC authentication. All packets from the MAC address are dropped during the quiet time.
To configure MAC authentication delay:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Enable MAC authentication delay and set the delay timer.
   Command: mac-authentication timer auth-delay time
   Remarks: By default, MAC authentication delay is disabled.
3. Enable the keep-online feature for authenticated MAC authentication users on the port.
   Command: mac-authentication re-authenticate server-unreachable keep-online
   Remarks: By default, the keep-online feature is disabled. This command takes effect only when the authentication server assigns reauthentication attributes to the device.
Displaying and maintaining MAC authentication
Execute display commands in any view and reset commands in user view.
Figure 36 Network diagram
Configuration procedure
# Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
system-view
[Device] local-user 00-e0-fc-12-34-56 class network
[Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
# Specify the LAN access service for the user.
Offline detect period : 180 s
Quiet period : 180 s
Server timeout : 100 s
Authentication domain : bbb
Max MAC-auth users : 1024 per slot
Online MAC-auth users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
00e0-fc11-1111 8 GigabitEthernet2/1/1 1
GigabitEthernet2/1/1 is link-up
MAC authentication : Enabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Max online users : 256
Authentication attempts : successf
Configuration procedure
1. Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
2. Configure the RADIUS servers:
# Create a shared account for MAC authentication users. (Details not shown.)
# Set the username aaa and password 123456 for the account. (Details not shown.)
3. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.
Server timeout : 100 s
Authentication domain : bbb
Max MAC-auth users : 1024 per slot
Online MAC-auth users : 1
Silent MAC users:
MAC address VLAN ID From port
GigabitEthernet2/1/1 is link-down
MAC authentication : Enabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Max online users : 256
Authentication attempts : successful 1, failed 0
Current online users : 0
MAC address Auth state
00e0-fc12-3456 Authenticated
Por
Configuring portal authentication
Overview
Portal authentication controls user access to the Internet. Portal authenticates a user by the username and password the user enters on a portal authentication page. Therefore, portal authentication is also known as Web authentication. When portal authentication is deployed on a network, an access device redirects unauthenticated users to the website provided by a portal Web server. The users can access the resources on the website without authentication.
Figure 38 Portal system components (components shown: authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server)
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application. Security check for the user host is implemented through the interaction between the portal client and the security policy server.
Interaction between portal system components The components of a portal system interact as follows: 1. An unauthenticated user initiates authentication by accessing an Internet website through a Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HP iNode client for extended portal functions. 2.
Only the HP iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP address uniquely identifies the user.
4. The portal authentication server adds the username and password into an authentication request packet and sends it to the access device. Meanwhile, the portal authentication server starts a timer to wait for an authentication reply packet.
5. The access device and the RADIUS server exchange RADIUS packets.
6. The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure.
7.
10. The access device detects the IP change of the client through DHCP and then notifies the portal authentication server that it has detected an IP change of the client IP. 11. After receiving the IP change notification packets sent by the client and the access device, the portal authentication server notifies the client of login success. 12. The portal authentication server sends an IP change acknowledgement packet to the access device. Step 13 and step 14 are for extended portal functions. 13.
• The portal authentication server, portal Web server, and RADIUS server have been installed and configured correctly.
• To use the re-DHCP portal authentication mode, make sure the DHCP relay agent is enabled on the access device, and the DHCP server is installed and configured correctly.
• The portal client, access device, and servers can reach each other.
• To use the remote RADIUS server, configure usernames and passwords on the RADIUS server, and configure the RADIUS client on the access device.
Configuring a portal Web server
Perform this task to configure the following portal Web server parameters:
• VPN instance of the portal Web server
• URL of the portal Web server
• Parameters carried in the URL when the device redirects the URL to users
The device supports multiple portal Web servers.
To configure a portal Web server:
1. Enter system view.
   Command: system-view
2. Create a portal Web server and enter its view.
• With re-DHCP portal authentication, HP recommends that you also configure authorized ARP on the interface to make sure only valid users can access the network. With authorized ARP configured on the interface, the system learns ARP entries only from the users who have obtained a public address from DHCP.
• An IPv6 portal server does not support the re-DHCP portal authentication mode.
• You can enable both IPv4 portal authentication and IPv6 portal authentication on an interface.
Controlling portal user access
Configuring a portal-free rule
A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the source/destination IP address, TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so users sending the packets can directly access the specified external websites.
2. Configure a source-based portal-free rule.
   Command: portal free-rule rule-number source { interface interface-type interface-number | mac mac-address | vlan vlan-id } *
   Remarks: By default, no source-based portal-free rule exists. If you specify both a VLAN and an interface, the interface must belong to the VLAN. Otherwise, the portal-free rule does not take effect.
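The source-based matching described above, plus the VLAN/interface restriction in the Remarks, modelled in Python as an added example (written for this page, not HP's code). Unset fields act as wildcards, as the * in the command syntax allows; the interface-to-VLAN membership map and the two sample rules are constructed inputs. The point of the audit helper is the failure mode the Remarks describe: a rule that names a VLAN and an interface outside that VLAN is accepted but silently does nothing, so every packet it was meant to exempt still triggers portal authentication.

```python
from dataclasses import dataclass
from typing import Optional


def normalize_mac(mac):
    """Accept 00-e0-fc-12-34-56, 00e0-fc12-3456 or 00:e0:fc:12:34:56; return 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


@dataclass(frozen=True)
class FreeRule:
    """One source-based portal-free rule; unset fields are wildcards."""
    number: int
    interface: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def is_effective(self, interface_vlans):
        """The restriction from the Remarks: a rule naming both a VLAN and an interface takes
        effect only if that interface belongs to the VLAN. interface_vlans maps an interface
        name to the set of VLAN IDs it belongs to (assumed input for this example)."""
        if self.interface is None or self.vlan is None:
            return True
        return self.vlan in interface_vlans.get(self.interface, set())

    def matches(self, src_mac, interface, vlan):
        """True if every field the rule sets agrees with the packet's source attributes."""
        if self.interface is not None and self.interface != interface:
            return False
        if self.mac is not None and normalize_mac(self.mac) != normalize_mac(src_mac):
            return False
        if self.vlan is not None and self.vlan != vlan:
            return False
        return True


def ineffective_rules(rules, interface_vlans):
    """Audit helper: numbers of rules that are configured but not in effect."""
    return [r.number for r in rules if not r.is_effective(interface_vlans)]


def requires_portal_auth(rules, interface_vlans, src_mac, interface, vlan):
    """True if no effective portal-free rule matches the packet, i.e. it triggers portal authentication."""
    return not any(r.is_effective(interface_vlans) and r.matches(src_mac, interface, vlan)
                   for r in rules)


# Constructed sample configuration (not from the page): two rules and the interface/VLAN membership.
SAMPLE_RULES = [
    FreeRule(1, mac="00-e0-fc-12-34-56"),
    FreeRule(2, interface="GigabitEthernet2/1/2", vlan=20),  # GE2/1/2 is not in VLAN 20 below
]
SAMPLE_INTERFACE_VLANS = {"GigabitEthernet2/1/1": {8}, "GigabitEthernet2/1/2": {10}}

if __name__ == "__main__":
    print("rules not in effect:", ineffective_rules(SAMPLE_RULES, SAMPLE_INTERFACE_VLANS))
    print(requires_portal_auth(SAMPLE_RULES, SAMPLE_INTERFACE_VLANS,
                               "00e0-fc12-3456", "GigabitEthernet2/1/1", 8))
```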
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure an IPv6 portal authentication source subnet.
   Command: portal ipv6 layer3 source ipv6-network-address prefix-length
   Remarks: By default, no IPv6 portal authentication source subnet is configured, and IPv6 users from any subnets must pass portal authentication.
If the maximum number of portal users you set is less than the number of portal users currently logged in, the limit is set successfully and does not affect the logged-in portal users. However, the system does not allow new portal users to log in until the number drops below the limit.
1. Enter system view.
   Command: system-view
2. Set the maximum number of portal users.
   Command: portal max-user max-number
   Remarks: By default, no limit is set on the number of portal users.
Configuring portal detection functions
Configuring online detection of portal users
Configure online detection of portal users on an interface to find abnormal logouts in time. If a portal user is idle for the specified period of time (idle time), the device sends detection packets to the user at a specific interval (interval interval) to identify whether the user is still online.
With the portal authentication server detection function, the device periodically detects portal packets sent by a portal authentication server to determine the reachability of the server. If the portal authentication server receives a portal packet within a detection timeout (timeout timeout) and the portal packet is valid, the device considers the portal authentication server to be reachable. Otherwise, the device considers the portal authentication server to be unreachable.
• Detection interval—Interval at which the device detects the server reachability.
• Maximum number of consecutive failures—If the number of consecutive detection failures reaches this value, the access device considers that the portal Web server is unreachable.
You can configure the device to take one or more of the following actions when the server reachability status changes:
• Sending a trap message to the NMS. The trap message contains the name and current state of the portal Web server.
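The consecutive-failure threshold and the status-change notification described above, modelled in Python as an added example (not HP's code): each detection result is fed in, a run of failures that reaches the threshold flips the server to unreachable, any success resets the run and a success while unreachable flips it back, and each change produces a record carrying the server name and its new state (a stand-in for the trap sent to the NMS; the other actions are not modelled). The probe sequence and the server name newpt are constructed sample input.

```python
from dataclasses import dataclass, field


@dataclass
class PortalServerDetector:
    """Tracks one portal Web server's reachability from a stream of detection results.
    max_failures is the consecutive-failure threshold from the text; events collects the
    status-change notifications (stand-in for the trap message sent to the NMS)."""
    name: str
    max_failures: int
    reachable: bool = True
    consecutive_failures: int = 0
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.max_failures < 1:
            raise ValueError("max_failures must be at least 1")

    def record_probe(self, succeeded):
        """Feed one detection result and return the reachability after it is applied."""
        if succeeded:
            # Any success resets the run; only consecutive failures count toward the threshold.
            self.consecutive_failures = 0
            if not self.reachable:
                self._change_state(True)
        else:
            self.consecutive_failures += 1
            if self.reachable and self.consecutive_failures >= self.max_failures:
                self._change_state(False)
        return self.reachable

    def _change_state(self, now_reachable):
        self.reachable = now_reachable
        # The trap carries the server name and its current state, as the text describes.
        self.events.append({"server": self.name,
                            "state": "reachable" if now_reachable else "unreachable"})


def replay(results, max_failures=3, name="newpt"):
    """Run a constructed sequence of probe outcomes and return the detector for inspection."""
    detector = PortalServerDetector(name=name, max_failures=max_failures)
    for ok in results:
        detector.record_probe(ok)
    return detector


if __name__ == "__main__":
    # Constructed sample: two isolated failures, then three in a row, then recovery.
    d = replay([True, False, False, True, False, False, False, True])
    for event in d.events:
        print(event)   # unreachable after the third consecutive failure, then reachable
```

The threshold is evaluated against consecutive failures only, so the two failures that are separated by a success in the sample never trigger the unreachable state; pick the threshold with the detection interval in mind, since together they set how long a dead server goes unnoticed.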
portal authentication server is not greater than the synchronization detection timeout configured on the access device.
Deleting a portal authentication server on the access device also deletes the user synchronization configuration for the portal authentication server.
To configure the portal user information synchronization function:
1. Enter system view.
   Command: system-view
2. Enter portal authentication server view.
   Command: portal server server-name
3.
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server If the device runs Portal 2.0, the unsolicited packets sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, the unsolicited packets sent to the portal authentication server must carry the BAS-IP or BAS-IPv6 attribute. If IPv4 portal authentication is enabled on an interface, you can configure the BAS-IP attribute on the interface.
• Then re-authenticate on the new Layer 2 port.
To enable portal roaming:
1. Enter system view.
   Command: system-view
2. Enable portal roaming.
   Command: portal roaming enable
   Remarks: By default, portal roaming is disabled. You cannot enable portal roaming when login users exist on the device.
Logging out portal users
Logging out a user terminates the authentication process for the user or removes the user from the authenticated users list.
To log out users:
1. Enter system view.
Portal configuration examples
Configuring direct portal authentication
Network requirements
As shown in Figure 41, the host is directly connected to the router (the access device). The host is assigned with a public IP address either manually or through DHCP. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server.
Figure 42 Portal server configuration
2. Configure the IP address group:
a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.
b. Click Add to enter the page shown in Figure 43.
c. Enter the IP group name.
d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group.
e. Select a service group. This example uses the default group Ungrouped.
f.
3. Add a portal device:
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
b. Click Add to enter the page shown in Figure 44.
c. Enter the device name NAS.
d. Enter the IP address of the router's interface connected to the host.
e. Enter the key, which must be the same as that configured on the router.
f. Set whether to enable IP address reallocation.
Figure 45 Device list
Figure 46 Adding a port group
5. Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configuring the router
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] accounting portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[Router] domain default enable dm1
3. Configure portal authentication:
# Configure a portal authentication server.
IPv6:
  Portal status: Disabled
  Authentication type: Disabled
  Portal Web server: Not configured
  Authentication domain: Not configured
  BAS-IPv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type    Server name    Action
    --             --             --
  Layer3 source network:
    IP address    Prefix length
  Destination authenticate subnet:
    IP address    Prefix length
A user can perform portal authentication by using the HP iNode client or through a Web page.
Figure 47 Network diagram (portal server 192.168.0.111/24, DHCP server 192.168.0.112/24, and RADIUS server 192.168.0.113/24 reached through the router's GE2/1/1 192.168.0.100/24; the host, which automatically obtains an IP address, is connected to GE2/1/2 20.20.20.1/24 with sub-address 10.0.0.1/24)

Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 47 and make sure the host, router, and servers can reach each other.
[Router-radius-rs1] user-name-format without-domain
[Router-radius-rs1] quit
# Enable RADIUS session control.
[Router] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
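The RADIUS scheme above binds the router to its servers with a shared key and strips the ISP domain from the username before it is sent. The following Python model, added here as an illustration and not taken from the guide or from the Comware implementation, shows what those two settings mean on the wire: the username is cut at the "@" (the effect of user-name-format without-domain), the User-Password attribute is hidden with the shared key as RFC 2865 specifies, and the router checks the Response Authenticator of the server's reply with the same key, which is why a mismatched key on either side makes authentication fail. The shared key, username and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample key for this example (not from the guide). The key in the
# RADIUS scheme on the router must be identical to the one configured on the server.
SHARED_SECRET = b"example-radius-key"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def strip_isp_domain(username):
    """Effect of 'user-name-format without-domain': send only the part before '@'."""
    return username.split("@", 1)[0]


def hide_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One RADIUS attribute in type-length-value form (length covers the header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """Build an Access-Request as the router (NAS) would send it; returns (packet, authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, strip_isp_domain(username).encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Build the server's Access-Accept for the request identified by ident/request_auth."""
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """The check the router must pass before trusting a reply: a wrong key fails here."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A reply whose Response Authenticator does not verify must be discarded, not treated as a reject: it indicates a key mismatch (or a forged reply), which is the situation the portal and RADIUS troubleshooting sections later in this chapter describe.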
[Router-GigabitEthernet2/1/2] portal bas-ip 20.20.20.1
[Router-GigabitEthernet2/1/2] quit

Verifying the configuration
# Verify that the portal configuration has taken effect.
[Router] display portal interface gigabitethernet 2/1/2
Portal information of GigabitEthernet2/1/2
IPv4:
  Portal status: Enabled
  Authentication type: Redhcp
  Portal Web server: newpt
  Authentication domain: Not configured
  BAS-IP: 20.20.20.
  Authorization ACL: None
  VPN instance: -
MAC               IP              VLAN    Interface
0015-e9a6-7cfe    20.20.20.2      --      GigabitEthernet2/1/2

Configuring cross-subnet portal authentication

Network requirements

As shown in Figure 48, Router A supports portal authentication. The host accesses Router A through Router B. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server. Configure Router A for cross-subnet portal authentication.
# Exclude the ISP domain name from the username sent to the RADIUS server.
[RouterA-radius-rs1] user-name-format without-domain
[RouterA-radius-rs1] quit
# Enable RADIUS session control.
[RouterA] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
  Portal Web server: newpt
  Authentication domain: Not configured
  BAS-IP: 20.20.20.
portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server. Configure extended direct portal authentication. If the host fails the security check after passing identity authentication, it can access only subnet 192.168.0.0/24. After passing the security check, the host can access Internet resources.
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] accounting portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[Router] domain default enable dm1
3.
  Portal status: Enabled
  Authentication type: Direct
  Portal Web server: newpt
  Authentication domain: Not configured
  BAS-IP: 2.2.2.
Configuring extended re-DHCP portal authentication

Network requirements

As shown in Figure 50, the host is directly connected to the router (the access device). The host obtains an IP address through the DHCP server. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server. Configure extended re-DHCP portal authentication. Before passing portal authentication, the host is assigned a private IP address.
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.113
[Router-radius-rs1] primary accounting 192.168.0.
[Router] interface gigabitethernet 2/1/2
[Router-GigabitEthernet2/1/2] ip address 20.20.20.1 255.255.255.0
[Router-GigabitEthernet2/1/2] ip address 10.0.0.1 255.255.255.0 sub
[Router-GigabitEthernet2/1/2] dhcp select relay
[Router-GigabitEthernet2/1/2] dhcp relay server-address 192.168.0.112
# Enable authorized ARP.
[Router-GigabitEthernet2/1/2] arp authorized enable
[Router-GigabitEthernet2/1/2] quit
5. Configure portal authentication:
# Configure a portal authentication server.
IPv6:
  Portal status: Disabled
  Authentication type: Disabled
  Portal Web server: Not configured
  Authentication domain: Not configured
  BAS-IPv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type    Server name    Action
    --             --             --
  Layer3 source network:
    IP address    Prefix length
  Destination authenticate subnet:
    IP address    Prefix length
Before passing portal authentication, a user that uses the HP iNode client can access only the authentication page http://192.168.0.
Figure 51 Network diagram

Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 51 and make sure the host, router, and servers can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
• Make sure the IP address of the portal device added on the portal server is the IP address (20.20.20.1) of the router's interface connecting the host.
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[RouterA] domain default enable dm1
3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.
  Authentication type: Layer3
  Portal Web server: newpt
  Authentication domain: Not configured
  BAS-IP: 20.20.20.
Configuring portal server detection and portal user synchronization

Network requirements

As shown in Figure 52, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server.
1. Configure the portal authentication server:
a. Log in to IMC and click the Service tab.
b. Select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure 53.
c. Configure the portal server heartbeat interval and user heartbeat interval.
d. Use the default settings for other parameters.
e. Click OK.

Figure 53 Portal authentication server configuration

2. Configure the IP address group:
a.
Figure 54 Adding an IP address group

3. Add a portal device:
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
b. Click Add to enter the page shown in Figure 55.
c. Enter the device name NAS.
d. Enter the IP address of the router's interface connected to the host.
e. Enter the key, which must be the same as that configured on the router.
f. Set whether to enable IP address reallocation.
a. As shown in Figure 56, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.
b. Click Add to enter the page shown in Figure 57.
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
e. Use the default settings for other parameters.
f. Click OK.

Figure 56 Device list

Figure 57 Adding a port group

5.
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Router-radius-rs1] user-name-format without-domain
[Router-radius-rs1] quit
# Enable RADIUS session control.
[Router] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
# Reference the portal Web server newpt on interface GigabitEthernet 2/1/2.
[Router-GigabitEthernet2/1/2] portal apply web-server newpt
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from GigabitEthernet 2/1/2 to the portal authentication server.
[Router-GigabitEthernet2/1/2] portal bas-ip 2.2.2.1
[Router-GigabitEthernet2/1/2] quit

Verifying the configuration
# Use the following command to display information about the portal authentication server.
• Configure the RADIUS server correctly to provide authentication and accounting functions.

Configuration procedure

Perform the following tasks on Router A.
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[RouterA] radius scheme rs1
# For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3.
[RouterA-portal-server-newpt] port 50100
[RouterA-portal-server-newpt] quit
# Configure a portal Web server.
[RouterA] portal web-server newpt
[RouterA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[RouterA-portal-websvr-newpt] vpn-instance vpn3
[RouterA-portal-websvr-newpt] quit
# Enable cross-subnet portal authentication on interface GigabitEthernet 2/1/1.
• If no key is configured, configure the right key.
• If a key is configured, use the ip or ipv6 command in the portal authentication server view to correct the key, or correct the key configured for the access device on the portal authentication server.

Cannot log out portal users on the access device

Symptom
You cannot use the portal delete-user command on the access device to log out a portal user, but the portal user can log out by clicking the Disconnect button on the portal authentication client.
Users logged out by the access device still exist on the portal authentication server

Symptom
After you log out a portal user on the access device, the user still exists on the portal authentication server.

Analysis
When you execute the portal delete-user command on the access device to log out a user, the access device sends an unsolicited logout notification to the portal authentication server.
Configuring port security

In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.

Overview

Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port.
Port security modes

Port security supports the following categories of security modes:
• MAC learning control—Includes two modes: autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
• Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
TIP:
• userLogin specifies 802.1X authentication and port-based access control. userLogin with Secure specifies 802.1X authentication and MAC-based access control. Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
• macAddress specifies MAC authentication.
• Else specifies that the authentication method before Else is applied first.
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI.
  ◦ For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.
  ◦ For wireless users, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication.
Configuration task list

Tasks at a glance    Remarks
(Required.) Enabling port security    N/A
(Optional.) Setting port security's limit on the number of secure MAC addresses on a port    N/A
(Required.) Setting the port security mode    N/A
(Required.) Configuring port security features:
• Configuring NTK
• Configuring intrusion protection
    Configure one or more port security features according to the network requirements.
(Optional.) Configuring secure MAC addresses    N/A
(Optional.
• Controlling the number of concurrent users on the port. For a port operating in a security mode that performs MAC authentication, 802.1X authentication, or both, the maximum number of concurrent users on the port equals this limit or the limit of the authentication mode in use, whichever is smaller.
• Controlling the number of secure MAC addresses on the port in autoLearn mode.
Step Command Remarks
3. Enter interface view.
interface interface-type interface-number
N/A
4. Set the port security mode.
port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
By default, a port operates in noRestrictions mode.
A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a specific period of time. The period can be configured with the port-security timer disableport command.

To configure the intrusion protection feature:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
Type    Address sources    Can be saved and survive a device reboot?    Aging mechanism

NOTE:
When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and it cannot add or learn any more secure MAC addresses. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.

Configuration prerequisites
• Enable port security.
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface interface-type interface-number
N/A
3. Ignore the authorization information received from the authentication server.
port-security authorization ignore
By default, a port uses the authorization information received from the authentication server.

Enabling MAC move

MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an authenticated 802.
Port security configuration examples

autoLearn configuration example

Network requirements

As shown in Figure 59, configure port GigabitEthernet 2/1/1 on the device to meet the following requirements:
• Accept up to 64 users without authentication.
• Be permitted to learn and add MAC addresses as sticky MAC addresses. The secure MAC aging timer is 30 minutes.
• Stop learning MAC addresses after the number of secure MAC addresses reaches 64.
  Disableport timeout : 30 s
  MAC move : Denied
  OUI value list :
GigabitEthernet2/1/1 is link-up
  Port mode : autoLearn
  NeedToKnow mode : Disabled
  Intrusion protection mode : DisablePortTemporarily
  Max secure MAC addresses : 64
  Current secure MAC addresses : 5
  Authorization : Permitted
The output shows the following information:
• The port security's limit on the number of secure MAC addresses on the port is 64.
• The port security mode is autoLearn.
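The autoLearn behaviour described in this chapter (learn sticky MAC addresses up to the limit, switch to secure mode at the limit, apply the intrusion protection action to any other source MAC, and age secure entries out) can be modelled in a few dozen lines. The following Python class is an added illustration, not the device's implementation and not from the guide. It takes the limit, the intrusion protection action and the disableport timeout as parameters, so the values of the example above (64 addresses, disableport-temporarily with a 30-second timeout, 30-minute aging) can be replayed against a constructed sequence of frames; the fixed 3-minute blockmac interval is the one the chapter states. Two simplifications are this example's own assumptions: time is passed in by the caller in seconds, and the port learns again once aged-out entries bring the count below the limit.

```python
BLOCKMAC_SECONDS = 180   # the guide: a blocked MAC is restored after a fixed 3 minutes

INTRUSION_ACTIONS = ("blockmac", "disableport", "disableport-temporarily")


class SecurePort:
    """Model of one port in autoLearn mode with intrusion protection (example code).

    Assumptions of this example, not statements of the guide: the caller supplies
    'now' in seconds, and the port resumes learning when aged-out entries bring
    the secure MAC count back below the limit.
    """

    def __init__(self, max_secure, intrusion_action, disableport_timeout=20,
                 aging_seconds=30 * 60, static_macs=()):
        if intrusion_action not in INTRUSION_ACTIONS:
            raise ValueError("unknown intrusion protection action: %r" % intrusion_action)
        self.max_secure = max_secure
        self.action = intrusion_action
        self.disableport_timeout = disableport_timeout
        self.aging_seconds = aging_seconds
        self.static_macs = set(static_macs)   # mac-address static entries also pass
        self.secure = {}                      # mac -> time learned (sticky entries)
        self.blocked = {}                     # mac -> time the block expires
        self.down_until = None                # None = up; inf = down until undo shutdown

    def _age(self, now):
        """Drop secure entries older than the aging timer and expired MAC blocks."""
        self.secure = {m: t for m, t in self.secure.items() if now - t < self.aging_seconds}
        self.blocked = {m: t for m, t in self.blocked.items() if t > now}

    def mode(self, now=0.0):
        """'secure' once the limit is reached, 'autoLearn' otherwise."""
        self._age(now)
        return "secure" if len(self.secure) >= self.max_secure else "autoLearn"

    def is_up(self, now):
        return self.down_until is None or now >= self.down_until

    def undo_shutdown(self):
        """Operator brings the port back up after the disableport action."""
        self.down_until = None

    def receive(self, src_mac, now):
        """Process one frame; returns what happened to it."""
        self._age(now)
        if not self.is_up(now):
            return "dropped-port-down"
        if self.down_until is not None:          # temporary disable has expired
            self.down_until = None
        if src_mac in self.blocked:
            return "dropped-mac-blocked"
        if src_mac in self.secure or src_mac in self.static_macs:
            return "forwarded"
        if len(self.secure) < self.max_secure:   # still in autoLearn mode
            self.secure[src_mac] = now
            return "learned"
        # Secure mode and an unknown source MAC: apply the intrusion protection action.
        if self.action == "blockmac":
            self.blocked[src_mac] = now + BLOCKMAC_SECONDS
            return "dropped-mac-blocked"
        if self.action == "disableport":
            self.down_until = float("inf")
        else:
            self.down_until = now + self.disableport_timeout
        return "dropped-port-disabled"


def replay(port, frames):
    """Feed constructed (mac, time) pairs through the port; returns the list of outcomes."""
    return [port.receive(mac, t) for mac, t in frames]
```

The useful thing to notice when replaying frames is the difference between the three actions for the rest of the users on the port: blockmac penalises only the offending MAC, while both disableport variants cut off every already-learned user as well, which is why the example configuration pairs disableport-temporarily with a short timeout.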
userLoginWithOUI configuration example

Network requirements

As shown in Figure 60, a client is connected to the device through port GigabitEthernet 2/1/1. The device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
• The RADIUS server at 192.168.1.2 functions as the primary authentication server and the secondary accounting server. The RADIUS server at 192.168.1.
[Device-radius-radsun] quit
# Configure ISP domain sun.
[Device] domain sun
[Device-isp-sun] authentication lan-access radius-scheme radsun
[Device-isp-sun] authorization lan-access radius-scheme radsun
[Device-isp-sun] accounting lan-access radius-scheme radsun
[Device-isp-sun] access-limit enable 30
[Device-isp-sun] quit
2. Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
3.
  State: Active
  VPN : Not configured
  Accounting-On function : Disabled
    retransmission times : 50
    retransmission interval(seconds) : 3
  Timeout Interval(seconds) : 5
  Retransmission Times : 5
  Retransmission Times for Accounting Update : 5
  Server Quiet Period(minutes) : 5
  Realtime Accounting Interval(minutes) : 15
  NAS IP Address : Not configured
  VPN : Not configured
  User Name Format : without-domain
  Data flow unit : Million Byte
  Packet unit : one
  Attribute 25 : standard
# Verify the ISP
  Port mode : userLoginWithOUI
  NeedToKnow mode : Disabled
  Intrusion protection mode : NoAction
  Max secure MAC addresses : 64
  Current secure MAC addresses : 1
  Authorization : Permitted
# Display information about the online 802.1X user to verify 802.1X configuration.
[Device] display dot1x
# Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs to pass authentication.
system-view
[Device] port-security enable
# Use MAC-based accounts for MAC authentication. Each MAC address is in the hexadecimal notation with hyphens, and letters are in upper case.
[Device] mac-authentication user-name-format mac-address with-hyphen uppercase
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
  Authentication domain : sun
  Max MAC-auth users : 1024 per slot
  Online MAC-auth users : 3
Silent MAC users:
  MAC address    VLAN ID    From port    Port index
GigabitEthernet2/1/1 is link-up
  MAC authentication : Enabled
  Authentication domain : Not configured
  Auth-delay timer : Disabled
  Re-auth server-unreachable : Logoff
  Guest VLAN : Not configured
  Critical VLAN : Not configured
  Max online users : 256
  Authentication attempts : successful 3, failed 7
  Current online users : 0
  MAC address    Auth
  Port role : Authenticator
  Authorization mode : Auto
  Port access control : MAC-based
  Multicast trigger : Enabled
  Mandatory auth domain : Not configured
  Guest VLAN : Not configured
  Auth-Fail VLAN : Not configured
  Critical VLAN : Not configured
  Re-auth server-unreachable : Logoff
  Max online users : 256
  SmartOn : Disabled
  EAPOL packets: Tx 16331, Rx 102
  Sent EAP Request/Identity packets : 16316
    EAP Request/Challenge packets: 6
    EAP Success packets: 4
    EAP Failure packets: 5
  Received EAPOL Star
Cannot configure secure MAC addresses

Symptom
Cannot configure secure MAC addresses.

Analysis
No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.

Solution
To resolve the problem:
1. Set the port security mode to autoLearn.
Configuring password control

Overview

Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. This feature applies only to device management users. For more information about local users, see "Configuring AAA.
Password complexity checking policy

A less complicated password, such as one that contains the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to ensure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password does not comply with the policy, the configuration fails.
Password history

With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters. The four characters must be different from one another.
Maximum account idle time

You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid.

Password not displayed in any form

For security purposes, nothing is displayed when a user enters a password.

Logging

The system logs all successful password changing events and user adding events to the password control blacklist.
Enabling the global password control feature is the prerequisite for all password control configurations to take effect. A specific password control function then takes effect only after you also enable that function. After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. However, the configuration for network access user passwords can be displayed.
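The checks described above (minimum length, composition by character type, the same-character and user-name complexity checks, and the four-character history rule) are straightforward to express as a policy object, which is also a convenient way to test a candidate password offline before configuring it on a device. The following Python code is an added illustration, not the device's implementation and not from the guide. Two points are this example's interpretation rather than statements of the guide: "repeated characters" is read as three or more identical consecutive characters, and the user-name check rejects the username in either direction; the policy values in the test (16 characters, two character types, lock after two failed logins) are constructed to match the configuration example later in this chapter.

```python
import re

CHARACTER_TYPES = ("upper", "lower", "digit", "special")


class PasswordPolicy:
    """Offline model of the password control checks described in this chapter (example code)."""

    def __init__(self, min_length=10, type_number=1, type_length=1,
                 check_same_character=True, check_user_name=True, history_min_diff=4):
        self.min_length = min_length
        self.type_number = type_number          # how many character types are required
        self.type_length = type_length          # minimum characters per counted type
        self.check_same_character = check_same_character
        self.check_user_name = check_user_name
        self.history_min_diff = history_min_diff  # the guide: at least four distinct new characters

    @staticmethod
    def _type_counts(password):
        counts = dict.fromkeys(CHARACTER_TYPES, 0)
        for ch in password:
            if ch.isupper():
                counts["upper"] += 1
            elif ch.islower():
                counts["lower"] += 1
            elif ch.isdigit():
                counts["digit"] += 1
            else:
                counts["special"] += 1
        return counts

    def violations(self, username, new_password, current_password=None, history=()):
        """Return the list of rules the candidate password breaks (empty means acceptable)."""
        problems = []
        if len(new_password) < self.min_length:
            problems.append("length")
        types_present = sum(1 for n in self._type_counts(new_password).values()
                            if n >= self.type_length)
        if types_present < self.type_number:
            problems.append("composition")
        # Assumption of this example: 'same-character' means 3+ identical consecutive characters.
        if self.check_same_character and re.search(r"(.)\1\1", new_password):
            problems.append("same-character")
        # Assumption of this example: the username is rejected forwards and reversed, case-insensitively.
        if self.check_user_name and username:
            lowered, user = new_password.lower(), username.lower()
            if user in lowered or user[::-1] in lowered:
                problems.append("user-name")
        # History rule: at least four characters that do not occur in the old password,
        # and those four must differ from one another (hence a set difference).
        previous = ([current_password] if current_password else []) + list(history)
        if any(len(set(new_password) - set(old)) < self.history_min_diff for old in previous):
            problems.append("history")
        return problems


class LoginAttemptLimiter:
    """Model of 'login-attempt N exceed lock': lock the account after N consecutive failures."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()       # the password control blacklist in this model

    def record(self, username, success):
        """Record one login attempt; returns True if the account is (now) locked."""
        if username in self.locked:
            return True
        if success:
            self.failures[username] = 0
            return False
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
        return username in self.locked
```

The return value is a list of rule names rather than a boolean so that a caller can report every broken rule at once, which is what an administrator wants when a device rejects a password without saying which policy it tripped.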
Step Command Remarks
5. Configure the password composition policy.
password-control composition type-number type-number [ type-length type-length ]
• In non-FIPS mode, a default password must contain at least one character type and at least one character for each type.
• In FIPS mode, a default
6. Configure the password complexity checking policy.
password-control complexity { same-character | user-name } check
By default, the system does not perform password complexity checking.
7.
Step Command Remarks
5. Configure the password composition policy for the user group.
password-control composition type-number type-number [ type-length type-length ]
By default, the password composition policy of the user group equals the global password composition policy.
6. Configure the password complexity checking policy for the user group.
Step Command Remarks
6. Configure the password complexity checking policy for the local user.
password-control complexity { same-character | user-name } check
By default, the settings equal those for the user group to which the local user belongs. If no password complexity checking policy is configured for the user group, the global settings apply to the local user.
7. Configure the login attempt limit.
Task Command
Display information about users in the password control blacklist.
display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ]
Delete users from the password control blacklist.
reset password-control blacklist [ user-name name ]
Clear history password records.
# Disable a user account permanently if a user fails two consecutive login attempts on the user account.
[Sysname] password-control login-attempt 2 exceed lock
# Set all passwords to expire after 30 days.
[Sysname] password-control aging 30
# Globally set the minimum password length to 16 characters.
[Sysname] password-control length 16
# Set the minimum password update interval to 36 hours.
Updating user information. Please wait ... ...
[Sysname-luser-manage-test] quit

Verifying the configuration
# Display the global password control configuration.
Managing public keys

Overview

This chapter describes public key management for the following asymmetric key algorithms:
• Rivest-Shamir-Adleman Algorithm (RSA).
• Digital Signature Algorithm (DSA).
• Elliptic Curve Digital Signature Algorithm (ECDSA).
Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 62.
Creating a local key pair

Configuration guidelines

When you create a local key pair, follow these guidelines:
• The key algorithm must be the same as required by the security application.
• The key modulus length must be appropriate (see Table 11). The longer the key modulus length, the higher the security, but the longer the key generation time.
• If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Create local DSA, ECDSA, or RSA key pairs.
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
By default, no local key pairs exist.

Distributing a local host public key

You must distribute a local host public key to a peer device so the peer device can perform the following operations:
• Use the public key to encrypt information sent to the local device.
• Authenticate the digital signature signed by the local device.
Step Command
1. Enter system view.
system-view
2. Display local host public keys in a specific format.
• Display RSA host public keys:
  ◦ In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 }
  ◦ In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 }
• Display DSA host public keys: public-key local export dsa [ name key-name ] { openssh | ssh2 }

Displaying a host public key

Display a host public key and copy it to an unformatted file.
Configuring a peer public key

To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the public key of the peer device on the local device.

Table 12 Peer public key configuration methods
Method Prerequisites Remarks
Import the peer public key from a public key file (recommended)
3. Save the host public key in a file on the peer device.
4. Get the file from the peer device, for example, by using FTP or TFTP in binary mode.
Displaying and maintaining public keys

Execute display commands in any view.
Task Command
Display local public keys.
display public-key local { dsa | ecdsa | rsa } public [ name key-name ]
Display peer public keys.
display public-key peer [ brief | name publickey-name ] [ name key-name ]

Public key management examples

Example for entering a peer public key

Network requirements

As shown in Figure 63, to prevent illegal access, Device B authenticates Device A through a digital signature.
=============================================
Key name: hostkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2011/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
=====================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001

Example for importing a public key from a public key file

Network requirements

As shown in Figure 64, Device B authenticates Device A through a digital signature.
CB47440AF6BB25ACA50203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2011/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
AC41C80A15953FB22AA30203010001
# Export the RSA host public key to the file devicea.pub.
[DeviceB] display public-key peer name devicea
=============================================
Key name: devicea
Key type: RSA
Key modulus: 1024
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
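The Key code shown by display public-key is the DER encoding of the public key (a SubjectPublicKeyInfo structure: an algorithm identifier followed by the RSA modulus and public exponent), so the "Key modulus: 1024" line above and the modulus-length guideline given under "Creating a local key pair" can both be checked directly from the hex. The following Python parser is an added illustration, not from the guide and not the device's code. It decodes the two key codes printed in this chapter (hostkey and serverkey, copied verbatim from the display output above), reports the modulus length and exponent, and compares two key codes by their SHA-256 digest, which is the check an administrator performs when entering or importing a peer public key on Device B: the key shown on Device B must match the one exported from Device A. The verbatim comparison is this example's suggestion; the guide itself only says to copy the key.

```python
import hashlib
import hmac

# Key codes copied from the display output in this chapter (hostkey and serverkey).
HOSTKEY_HEX = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B"
    "8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E"
    "45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257"
    "6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788"
    "CB47440AF6BB25ACA50203010001"
)
SERVERKEY_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC"
    "1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE"
    "E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A"
    "AC41C80A15953FB22AA30203010001"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def der_read(buf, pos):
    """Read one DER TLV at pos; returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def normalize_key_code(text):
    """Strip the whitespace/line breaks of a pasted Key code and upper-case it."""
    return "".join(text.split()).upper()


def parse_rsa_public_key(key_code):
    """Return (modulus, exponent) from a SubjectPublicKeyInfo key code; ValueError if malformed."""
    der = bytes.fromhex(normalize_key_code(key_code))
    tag, spki, end = der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, algorithm, pos = der_read(spki, 0)          # AlgorithmIdentifier
    oid_tag, oid, _ = der_read(algorithm, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = der_read(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsa_key, _ = der_read(bit_string[1:], 0)    # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, pos = der_read(rsa_key, 0)
    e_tag, e_bytes, _ = der_read(rsa_key, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("unexpected RSAPublicKey layout")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_modulus_bits(key_code):
    """The 'Key modulus' value the device displays, computed from the key code itself."""
    modulus, _ = parse_rsa_public_key(key_code)
    return modulus.bit_length()


def key_fingerprint(key_code):
    """SHA-256 of the DER bytes, a compact value to compare out of band."""
    return hashlib.sha256(bytes.fromhex(normalize_key_code(key_code))).hexdigest()


def keys_match(key_code_a, key_code_b):
    """True when two pasted key codes encode exactly the same public key."""
    return hmac.compare_digest(key_fingerprint(key_code_a), key_fingerprint(key_code_b))
```

The same idea applies to the root-certificate fingerprint used in the PKI chapter: a digest of the DER bytes, checked against a value obtained out of band, is what makes "enter the key on the peer" a verification step rather than an act of trust.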
Configuring PKI

Overview

Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key.
A certificate must be revoked when, for example, the username changes, the private key is compromised, or the user is no longer certified by the CA. The CA periodically publishes a CRL that contains the serial numbers of all revoked certificates. CRLs provide an effective method to verify the validity of certificates.

CA policy

A CA policy is a set of criteria that a CA follows to process certificate requests, issue and revoke certificates, and publish CRLs.
PKI operation

The following workflow describes how a PKI entity requests a local certificate from a CA, and how an RA is involved in entity enrollment:
1. A PKI entity submits a certificate request to the RA.
2. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA.
3. The CA verifies the digital signature, approves the request, and issues a certificate.
4.
Figure 66 PKI support for MPLS L3VPN

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Security strength

By default, the device provides low encryption. To obtain high encryption, you must install the Strong Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and higher encryption performance.
Configuring a PKI entity

A CA identifies a certificate applicant by the identity information. A valid PKI entity must include at least one of the following identity categories:
• Distinguished name (DN) of the entity, which further includes the common name, country code, locality, organization, unit in the organization, and state. If you configure the DN for an entity, a common name is required.
• FQDN of the entity.
• IP address of the entity.
The fingerprint of a CA root certificate is the hash value of the root certificate content. Each CA root certificate has a unique hash value. You can specify the fingerprint used for verifying the root certificate in the PKI domain.
Step Command Remarks
8. Specify the LDAP server.
ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
9. Specify the fingerprint for root certificate verification.
• In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string
• In FIPS mode: root-certificate fingerprint sha1 string
10. Specify the key pair for certificate request.
• Specify an RSA key pair:
Requesting a certificate

To request a certificate, a PKI entity must provide its identity information and public key to a CA. A certificate request can be submitted to a CA in offline or online mode.
• Offline mode—A certificate request is submitted by using an out-of-band method, such as phone, disk, or email. You can use this mode as required or if you fail to request a certificate in online mode. To submit a certificate request in offline mode:
a.
3. Set the certificate request mode to auto.
certificate request mode auto [ password { cipher | simple } password ]
By default, the manual request mode applies. In auto request mode, set a password for certificate revocation if the CA policy requires one.

Manually requesting a certificate
IMPORTANT: Before you manually request a certificate, make sure the system time of the device is synchronized with the CA server.
6. Submit a certificate request, or generate a certificate request in PKCS#10 format.
pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]
This command is not saved in the configuration file. Executing the command triggers the PKI entity to automatically generate a key pair according to the key name, algorithm, and length defined in the PKI domain if the key pair specified in the PKI domain does not exist.
To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA server administrator if necessary.
Configuration guidelines
• If a CA certificate already exists locally, you cannot obtain it again in online mode. To obtain a new one, use pki delete-certificate to remove the CA certificate and local certificates, and then obtain the CA certificate.
2. CRL repository in the certificate to be verified.
3. CRL repository in the CA certificate, or the CRL repository in the upper-level CA certificate if the CA certificate is the certificate to be verified.
If no CRL repository is found after this selection process, the device obtains the CRL through SCEP. To use SCEP to obtain the CRL, the CA certificate and the local certificates must already have been obtained.
4. Return to system view.
quit
5. Obtain the CA certificate.
See "Obtaining certificates."
6. Verify the validity of the certificates.
pki validate-certificate domain domain-name { ca | local }
This command is not saved in the configuration file.

Specifying the storage path for the certificates and CRLs
CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs.
2. Export certificates. Configure at least one command.
• Export certificates in DER format: pki export domain domain-name der { all | ca | local } filename filename
• Export certificates in PKCS12 format: pki export domain domain-name p12 { all | local } passphrase p12passwordstring filename filename
• Export certificates in PEM format (low encryption): pki export domain domain-name pem { { all | local } [ des-cbc pempasswordstring ] | ca } [ filename filename ]
A certificate access control policy is a set of certificate access control rules (permit or deny statements), each associated with a certificate attribute group. A certificate attribute group contains multiple attribute rules, each defining a matching criterion for the issuer name, subject name, or alternative subject names of the certificate. A certificate matches a statement only if it matches all attribute rules in the certificate attribute group used in the statement.
Display certificate request status: display pki certificate request-status [ domain domain-name ]
Display locally stored CRLs: display pki crl domain domain-name
Display certificate attribute group information: display pki certificate attribute-group [ group-name ]
Display certificate access control policy information:
Configuring the device
1. Synchronize the system time of the device with the CA server, so that the device can correctly request certificates or obtain CRLs.
2. Create an entity named aaa with the common name Device.
system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name Device
[Device-pki-entity-aaa] quit
3. Configure a PKI domain:
# Create a PKI domain named torsa and enter its view.
[Device] pki domain torsa
# Specify the name of the trusted CA as myca.
[Device] pki request-certificate domain torsa password 1111 Start to request the general certificate ... …… Request certificate of domain torsa successfully Verifying the configuration # After obtaining the local certificate, display information about the certificate.
75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C
To display detailed information about the CA certificate, use the display pki certificate domain command.

Certificate request from a Windows 2003 CA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server. A Windows 2003 server acts as the CA server.
Figure 68 Network diagram
Configuring the CA server
1. Install the certificate service component:
a.
Configuring the device
1. Synchronize the system time of the device with the CA server, so that the device can correctly request a certificate.
2. Create an entity named aaa with the common name test.
system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name test
[Device-pki-entity-aaa] quit
3. Configure a PKI domain:
# Create a PKI domain named winserver and enter its view.
[Device] pki domain winserver
# Specify the name of the trusted CA as myca.
Request certificate of domain winserver successfully Verifying the configuration # After obtaining the local certificate, display information about the certificate.
Signature Algorithm: sha1WithRSAEncryption
81029589 7BFA1CBD 20023136 B068840B …
To display detailed information about the CA certificate, use the display pki certificate domain command.

Certificate request from an OpenCA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server.
Figure 69 Network diagram
Configuring the CA server
The configuration is not shown. For information about how to configure an OpenCA server, see related manuals.
# Specify the PKI entity name as aaa.
[Device-pki-domain-openca] certificate request entity aaa
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[Device-pki-domain-openca] public-key rsa general name abc length 1024
[Device-pki-domain-openca] quit
4. Generate a local RSA key pair.
[Device] public-key local create rsa name abc
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
c3:90:a5:d3:fd:ee:ff:c6:28:c6:32:fb:04:6e:9c: d6:5a:4f:aa:bb:50:c4:10:5c:eb:97:1d:a7:9e:7d: 53:d5:31:ff:99:ab:b6:41:f7:6d:71:61:58:97:84: 37:98:c7:7c:79:02:ac:a6:85:f3:21:4d:3c:8e:63: 8d:f8:71:7d:28:a1:15:23:99:ed:f9:a1:c3:be:74: 0d:f7:64:cf:0a:dd:39:49:d7:3f:25:35:18:f4:1c: 59:46:2b:ec:0d:21:1d:00:05:8a:bf:ee:ac:61:03: 6c:1f:35:b5:b4:cd:86:9f:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Rep
8f:d4:3e:4f:51:c1:34:e6:c1:1e:71:b5:0d:85:86:a5:ed:63: 1e:08:7f:d2:50:ac:a0:a3:9e:88:48:10:0b:4a:7d:ed:c1:03: 9f:87:97:a3:5e:7d:75:1d:ac:7b:6f:bb:43:4d:12:17:9a:76: b0:bf:2f:6a:cc:4b:cd:3d:a1:dd:e0:dc:5a:f3:7c:fb:c3:29: b0:12:49:5c:12:4c:51:6e:62:43:8b:73:b9:26:2a:f9:3d:a4: 81:99:31:89 To display detailed information about the CA certificate, use the display pki certificate domain command.
[DeviceB] interface gigabitethernet 2/1/1
[DeviceB-GigabitEthernet2/1/1] ipv6 address 2001::9/64
[DeviceB-GigabitEthernet2/1/1] natpt enable
[DeviceB-GigabitEthernet2/1/1] quit
# Assign an IPv4 address to interface GigabitEthernet 2/1/2, and enable NAT-PT for the interface.
[DeviceB] interface gigabitethernet 2/1/2
[DeviceB-GigabitEthernet2/1/2] ip address 192.168.1.1 255.255.255.0
[DeviceB-GigabitEthernet2/1/2] natpt enable
[DeviceB-GigabitEthernet2/1/2] quit
# Specify the NAT-PT prefix.
[DeviceA-pki-domain-torsa] public-key rsa general name abc length 1024
[DeviceA-pki-domain-torsa] quit
4. Generate a local RSA key pair:
[DeviceA] public-key local create rsa name abc
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
5.
Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C 2B Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: URI:http://192.168.1.2:447/myca.
Figure 71 Network diagram
Configuring the CA server
In this example, a Windows 2003 server acts as the CA server. For information about how to configure such a server, see "Certificate request from a Windows 2003 CA server."
Configuring Device A
# Configure a PKI entity.
system-view
[DeviceA] pki entity en
[DeviceA-pki-entity-en] ip 2.2.2.1
[DeviceA-pki-entity-en] common-name devicea
[DeviceA-pki-entity-en] quit
# Configure a PKI domain.
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceA] pki retrieve-certificate domain 1 ca
# Submit a certificate request manually.
.....................................++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceB] pki retrieve-certificate domain 1 ca
# Submit a certificate request manually.
[DeviceB] pki request-certificate domain 1
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[Device-ssl-server-policy-abc] client-verify enable
[Device-ssl-server-policy-abc] quit
2. Configure the certificate attribute group:
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first rule defines that the subject DN contains the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1.
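The matching logic behind a certificate access control policy (the "all attribute rules in the group must match, first matching statement wins" evaluation described under the policy overview, applied to the mygroup1 rules just configured), as an added Python example that is not code from the guide or from the device. The certificate field container, the rule and policy classes, and the sample certificates are this example's own constructions; the choice to deny a certificate that matches no statement is an assumption stated in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertView:
    """The certificate fields a policy can test. Constructed for the example; a real
    implementation would fill these from the parsed X.509 issuer, subject, and the
    issuer/subject alternative name extensions."""
    subject_dn: str
    issuer_dn: str
    subject_fqdn: Optional[str] = None
    subject_ip: Optional[str] = None
    issuer_fqdn: Optional[str] = None
    issuer_ip: Optional[str] = None
    alt_subject_fqdns: List[str] = field(default_factory=list)
    alt_subject_ips: List[str] = field(default_factory=list)


def _same_ip(a: str, b: str) -> bool:
    # Compare as addresses, not strings, so "2001:0db8::1" and "2001:db8::1" agree.
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


@dataclass
class AttributeRule:
    """One attribute statement: field (subject-name, issuer-name, alt-subject-name),
    kind (dn, fqdn, ip), operator (ctn, nctn, equ, nequ) and the value to test."""
    field_name: str
    kind: str
    operator: str
    value: str

    def __post_init__(self):
        if self.field_name not in ("subject-name", "issuer-name", "alt-subject-name"):
            raise ValueError("unknown field " + self.field_name)
        if self.kind not in ("dn", "fqdn", "ip"):
            raise ValueError("unknown attribute kind " + self.kind)
        if self.operator not in ("ctn", "nctn", "equ", "nequ"):
            raise ValueError("unknown operator " + self.operator)
        if self.field_name == "alt-subject-name" and self.kind == "dn":
            raise ValueError("alternative subject name has no DN form")
        if self.kind == "ip" and self.operator in ("ctn", "nctn"):
            raise ValueError("ip attributes support only equ/nequ")

    def _candidates(self, cert: CertView) -> List[str]:
        table = {
            ("subject-name", "dn"): [cert.subject_dn],
            ("subject-name", "fqdn"): [cert.subject_fqdn],
            ("subject-name", "ip"): [cert.subject_ip],
            ("issuer-name", "dn"): [cert.issuer_dn],
            ("issuer-name", "fqdn"): [cert.issuer_fqdn],
            ("issuer-name", "ip"): [cert.issuer_ip],
            ("alt-subject-name", "fqdn"): cert.alt_subject_fqdns,
            ("alt-subject-name", "ip"): cert.alt_subject_ips,
        }
        return [v for v in table[(self.field_name, self.kind)] if v is not None]

    def matches(self, cert: CertView) -> bool:
        values = self._candidates(cert)
        if self.kind == "ip":
            hit = any(_same_ip(v, self.value) for v in values)
        elif self.operator in ("ctn", "nctn"):
            hit = any(self.value in v for v in values)   # substring match
        else:
            hit = any(v == self.value for v in values)   # exact match
        return hit if self.operator in ("ctn", "equ") else not hit


@dataclass
class PolicyRule:
    """One statement of an access control policy: permit or deny an attribute group."""
    action: str
    group: List[AttributeRule]


def group_matches(group: List[AttributeRule], cert: CertView) -> bool:
    """A certificate matches a group only if it matches every attribute rule in it."""
    return all(r.matches(cert) for r in group)


def evaluate_policy(rules: List[PolicyRule], cert: CertView) -> str:
    """Walk the statements in order; the first matching statement decides.
    Assumption made here: a certificate matching no statement is denied."""
    for rule in rules:
        if group_matches(rule.group, cert):
            return rule.action
    return "deny"


# The group from the configuration above, as data: subject DN contains "aabbcc"
# and the issuer IP address equals 10.0.0.1.
MYGROUP1 = [
    AttributeRule("subject-name", "dn", "ctn", "aabbcc"),
    AttributeRule("issuer-name", "ip", "equ", "10.0.0.1"),
]
MYACL = [PolicyRule("permit", MYGROUP1)]
```

Because every rule in a group must match, a group is an AND of its attribute rules; to express an OR, put each alternative in its own group and reference each group from its own permit statement. Put deny statements that blacklist a known-bad name before the permit statements, since the first match decides.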
• Encrypt the private key in the local certificates using 3DES_CBC with the password 111111 when you export the local certificates from Device A.
• Save the certificates on Device A in PEM format into the PKI domain importdomain on Device B.
Figure 73 Network diagram
Configuration procedure
1. Export the certificate on Device A to specified files:
# Export the CA certificate to a file named pkicachain.pem in PEM format.
-----END ENCRYPTED PRIVATE KEY-----
# Display the local certificate file pkilocal.pem-encryption.
more pkicachain.
Certificate: Data: Version: 3 (0x2) Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63: ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:
1.3.6.1.5.5.7.48.12 - URI:http://titan:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.
Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.
Troubleshooting PKI configuration
This section describes common PKI problems and how to troubleshoot them.
Failed to obtain the CA certificate
Symptom
The CA certificate cannot be obtained.
Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No trusted CA is specified.
• The URL of the registration server is not correct or not specified.
• The system time of the device is not synchronized with the CA server.
Solution
1. Make sure the network connection is physically proper.
2. Obtain or import the CA certificate.
3. Configure the correct LDAP server.
4. Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificates to be obtained.
5. Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity.
6. Obtain CRLs.
7.
9. Synchronize the system time of the device with the CA server.
Failed to obtain CRLs
Symptom
CRLs cannot be obtained.
Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No CA certificate has been obtained before you try to obtain CRLs.
• The URL of the CRL repository is not configured, and the proper URL cannot be obtained from the CA certificate or local certificates in the PKI domain.
2. Make sure the format of the imported file is proper.
Failed to import a local certificate
Symptom
A local certificate cannot be imported.
Analysis
• The PKI domain has no CA certificate, and the certificate file to be imported does not contain the CA certificate chain.
• CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained.
• The specified format does not match the actual format of the imported file.
• Neither the device nor the certificate file contains the key pair that matches the certificate.
5. Clear up the disk space of the device.
Failed to set the storage path
Symptom
The storage path for certificates or CRLs cannot be set.
Analysis
• The specified storage path does not exist.
• The specified storage path is illegal.
• The disk space is full.
Solution
1. Use mkdir to create the path.
2. Specify the correct storage path for certificates or CRLs.
3. Clear up the disk space of the device.
Configuring IPsec
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, and MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways).
tampering, but it cannot prevent eavesdropping. Therefore, it is suitable for transmitting non-confidential data. AH supports authentication algorithms HMAC-MD5 and HMAC-SHA1. • ESP (protocol 50) defines the encapsulation of the ESP header and trailer in an IP packet, as shown in Figure 76. ESP can provide data encryption, data origin authentication, data integrity, and anti-replay services.
Figure 76 Security protocol encapsulations in different modes
Transport mode:
  AH:     IP | AH | Data
  ESP:    IP | ESP | Data | ESP-T
  AH-ESP: IP | AH | ESP | Data | ESP-T
Tunnel mode (the first IP header is the new outer header):
  AH:     IP | AH | IP | Data
  ESP:    IP | ESP | IP | Data | ESP-T
  AH-ESP: IP | AH | ESP | IP | Data | ESP-T

Security association
A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA comprises the following parameters for data protection:
• Security protocols (AH, ESP, or both).
Authentication and encryption Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid.
ACL-based IPsec To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent by the interface match the permit rule of the ACL, the packets are protected by the outbound IPsec SA and encapsulated with IPsec.
Figure 77 IPsec VPN
IPsec Reverse Route Injection (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks, or static routes destined for peer IPsec tunnel gateways, to a routing table. As shown in Figure 77, you can enable IPsec RRI on the gateway at the enterprise center. After an IPsec tunnel is established, the gateway automatically adds a static route to the routing table, which can be looked up.
higher encryption performance. For more information about obtaining the Strong Cryptography feature license, see the release notes or contact your HP sales representative. Support for features, commands, and parameters differs with the cryptography capability. IPsec tunnel establishment CAUTION: Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively.
Tasks at a glance
(Optional.) Enabling ACL checking for de-encapsulated packets
(Optional.) Configuring the IPsec anti-replay function
(Optional.) Binding a source interface to an IPsec policy
(Optional.) Enabling QoS pre-classify
(Optional.) Enabling logging of IPsec packets
(Optional.) Configuring the DF bit of IPsec packets
(Optional.) Configuring IPsec RRI
(Optional.) Configuring SNMP notifications for IPsec

Configuring an ACL
IPsec uses ACLs to identify the traffic to be protected.
out as normal packets. If they match a permit statement at the receiving end, they will be dropped by IPsec. The following example shows how an improper statement causes unexpected packet dropping. Only the ACL-related configurations are presented.
Assume Router A connects subnet 1.1.2.0/24 and Router B connects subnet 3.3.3.0/24, and the IPsec policy configurations on Router A and Router B are as follows:
• IPsec configurations on Router A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.
B are mirror images of the rules on Router A. In this way, SAs can be created successfully for the traffic between Host A and Host C and for the traffic between Network 1 and Network 2.
Figure 78 Mirror image ACLs
If the ACL rules on IPsec peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer.
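A pre-deployment check for the two ACL conditions discussed above, as an added Python example that is not code from the guide or from the device: it reports whether two peers' IPsec ACLs are exact mirror images, lists the rules that have no mirror on the peer (the improper-statement case, where the peer sends that traffic in the clear and the receiver drops it), and tests the coverage requirement for non-mirrored rules. Rules are reduced to source and destination prefixes (ports and protocol are ignored, an assumption made to keep the example short); the page's second requirement for non-mirrored rules is cut off in this copy of the guide and is therefore not modelled. The subnets are constructed after the page's example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    """A 'rule permit ip source S wildcard destination D wildcard' ACL rule reduced to
    the source and destination prefixes (ports and protocol ignored: assumption)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def rule(src: str, dst: str) -> Flow:
    """Build a Flow from prefix strings, e.g. rule("1.1.2.0/24", "3.3.3.0/24")."""
    return Flow(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def mirror(flow: Flow) -> Flow:
    """The rule the peer must carry for the reverse direction of the same traffic."""
    return Flow(flow.dst, flow.src)


def is_mirror_image(local: List[Flow], remote: List[Flow]) -> bool:
    """True when every local rule has an exact mirror on the peer and vice versa,
    the configuration the guide recommends."""
    return {mirror(f) for f in local} == set(remote)


def stranded_flows(local: List[Flow], remote: List[Flow]) -> List[Flow]:
    """Local permit rules with no mirror on the peer. Return traffic for these flows
    leaves the peer unprotected (no remote rule matches it) and, because it matches a
    permit rule here, is dropped by IPsec on arrival."""
    remote_set = set(remote)
    return [f for f in local if mirror(f) not in remote_set]


def sas_can_negotiate(local: Flow, remote: Flow) -> bool:
    """Coverage requirement for non-mirrored rules: the range of one rule must be
    covered by its counterpart on the other peer, in either direction."""
    m = mirror(local)
    return (m.src.subnet_of(remote.src) and m.dst.subnet_of(remote.dst)) or \
           (remote.src.subnet_of(m.src) and remote.dst.subnet_of(m.dst))
```

Run it against the two routers' ACLs before applying the policies: an empty stranded_flows() result on both sides means every protected flow has a counterpart, and sas_can_negotiate() tells you whether a wider aggregate rule on the hub can still pair with a narrower rule on a spoke.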
To configure an IPsec transform set:
1. Enter system view.
system-view
2. Create an IPsec transform set and enter its view.
ipsec transform-set transform-set-name
By default, no IPsec transform set exists.
3. (Optional.) Specify the security protocol for the IPsec transform set.
protocol { ah | ah-esp | esp }
By default, the IPsec transform set uses ESP as the security protocol.
• (Low encryption.
6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
• In non-FIPS mode:
• In FIPS mode:
By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder.
4. Specify an ACL for the IPsec policy.
security acl [ ipv6 ] { acl-number | name acl-name }
By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL.
5. Specify an IPsec transform set for the IPsec policy.
transform-set transform-set-name
By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set.
By default, the remote IP address of the IPsec tunnel is not specified.
6.
8. Configure keys for the IPsec SA.
• Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for AH: sa string-key { inbound | outbound } ah { cipher | simple } key-value
• Configure a key in character
• An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped. • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder.
7. Specify the local IP address of the IPsec tunnel.
local-address { ipv4-address | ipv6 ipv6-address }
By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.
8.
2. Create an IPsec policy template and enter its view.
ipsec { ipv6-policy-template | policy-template } template-name seq-number
By default, no IPsec policy template exists.
3. (Optional.) Configure a description for the IPsec policy template.
description text
By default, no description is configured.
4. (Optional.) Specify an ACL for the IPsec policy template.
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
5.
13. (Optional.) Enable the global IPsec SA idle timeout function, and set the global SA idle timeout.
ipsec sa idle-time seconds
By default, the global IPsec SA idle timeout function is disabled.
14. Create an IPsec policy by referencing the IPsec policy template.
ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
By default, no IPsec policy exists.
Enabling ACL checking for de-encapsulated packets
This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL, to defeat attacks that use forged packets.
To enable ACL checking for de-encapsulated packets:
1. Enter system view.
system-view
2. Enable ACL checking for de-encapsulated packets.
3. Set the size of the IPsec anti-replay window.
ipsec anti-replay window width
The default size is 64.

Binding a source interface to an IPsec policy
For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.
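What an IPsec receiver does with the authentication algorithm from the "Authentication and encryption" overview and the anti-replay window from the step above, as an added Python example (not code from the guide or from HP): a sender builds an ESP packet with an HMAC-SHA-1-96 ICV, and the receiver runs the sliding-window replay check, verifies the ICV, and advances the window only for authenticated packets. Encryption of the payload is left out (the payload is treated as opaque ciphertext, an assumption), and the key, SPI and payloads are constructed for the example.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12                        # HMAC-SHA-1-96: 160-bit HMAC-SHA1 tag truncated to 96 bits
ESP_HEADER = struct.Struct("!II")   # SPI, sequence number (RFC 4303 layout)


def esp_icv(auth_key: bytes, authenticated: bytes) -> bytes:
    """ICV over the ESP header and the (already encrypted) payload."""
    return hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """Sender side: header || payload || ICV. The payload is opaque ciphertext here."""
    body = ESP_HEADER.pack(spi, seq) + encrypted_payload
    return body + esp_icv(auth_key, body)


class AntiReplayWindow:
    """Sliding window over 32-bit sequence numbers, RFC 4303 style. Bit i of the
    bitmap records whether sequence number (top - i) has already been accepted."""

    def __init__(self, width: int = 64):
        if width < 32 or width % 32:
            raise ValueError("window width must be a multiple of 32, at least 32")
        self.width = width
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Sequence 0 is never valid; numbers above the top are new; numbers inside
        the window must not have been seen; numbers below the window are too old."""
        if seq == 0:
            return False
        if seq > self.top:
            return True
        behind = self.top - seq
        if behind >= self.width:
            return False
        return not (self.bitmap >> behind) & 1

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def inbound_esp(auth_key: bytes, window: AntiReplayWindow, packet: bytes):
    """Receiver side. Returns (accepted, reason, payload). Order matters: the cheap
    replay check runs first, the ICV is verified second, and the window advances only
    for authenticated packets, so a forged sequence number cannot move the window."""
    if len(packet) < ESP_HEADER.size + ICV_LEN:
        return False, "short", b""
    spi, seq = ESP_HEADER.unpack_from(packet)
    if not window.check(seq):
        return False, "replay", b""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(auth_key, body)):
        return False, "bad-icv", b""
    window.update(seq)
    return True, "ok", body[ESP_HEADER.size:]


# Constructed demo key and SPI; a real SA key comes from the manual configuration or IKE.
DEMO_KEY = bytes(range(20))
DEMO_SPI = 12345
```

The width argument corresponds to the ipsec anti-replay window command: a packet that arrives more than width sequence numbers behind the newest accepted one is rejected even though it is genuine, which is why the guide lets you widen the window on links with heavy reordering (QoS queues, load sharing).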
1. Enter system view.
system-view
2. Enter IPsec policy view or IPsec policy template view.
• To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ]
• To enter IPsec policy template view:
3. Enable QoS pre-classify.
qos pre-classify
By default, QoS pre-classify is disabled.
• If the DF bit is set, the devices on the path cannot fragment the IPsec packets. Therefore, make sure the path MTU is larger than the IPsec packets. Otherwise, the IPsec packets will be discarded. If the path MTU is smaller than the IPsec packets, clear the DF bit.
To configure the DF bit of IPsec packets on an interface:
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3.
2. Enter IPsec policy view or IPsec policy template view.
• To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number isakmp
• To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number
3. Enable IPsec RRI.
reverse-route dynamic
By default, IPsec RRI is disabled. IPsec RRI is supported in both tunnel mode and transport mode.
4. (Optional.)
consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
• The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the key at one end is entered as a string of characters, the key on the other end must also be entered as a string of characters.
To configure a manual IPsec profile:
1. Enter system view.
system-view
By default, no IPsec profile exists.
2.
Configuring SNMP notifications for IPsec After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
Task Command Clear IPsec SAs. reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile policy-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ] Clear IPsec statistics.
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
# Specify the ESP encryption and authentication algorithms.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy entry with the name use1 and the sequence number 10.
[RouterB] ipsec policy use1 10 manual
# Apply ACL 3101.
[RouterB-ipsec-policy-manual-use1-10] security acl 3101
# Apply IPsec transform set tran1.
[Inbound ESP SA]
SPI: 54321 (0x0000d431)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 12345 (0x00003039)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA

Configuring an IKE-based IPsec tunnel for IPv4 packets
Network requirements
As shown in Figure 81, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[RouterA] ike keychain keychain1
# Specify the plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 2.2.3.1.
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
-------------------------------
IPsec policy: map1
Sequence number: 10
Mode: isakmp
-------------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Path MTU: 1443
Tunnel:
    local address: 2.2.3.1
    remote address: 2.2.2.1
Flow:
    sour addr: 2.2.3.1/0.0.0.0  port: 0  protocol: IP
    dest addr: 2.2.2.1/0.0.0.
Figure 82 Network diagram
Configuration procedure
1. Configure Router A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure an ACL to identify data flows from subnet 333::/64 to subnet 555::/64.
system-view
[RouterA] acl ipv6 number 3101
[RouterA-acl-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B. The command uses the direct next hop address (111::2) as an example.
# Apply IPv6 ACL 3101.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 111::1 and 222::1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1
# Apply the IKE profile profile1.
# Create an IKE-based IPsec policy entry with the name use1 and the sequence number 10.
[RouterB] ipsec ipv6-policy use1 10 isakmp
# Apply IPv6 ACL 3101.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2300/797
Max received sequence-number: 1
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: active
[Outbound ESP SAs]
SPI: 3840956402 (0xe4f057f2)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2312/797
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
Status: active
Co
system-view
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ripng 1 enable
[RouterA-GigabitEthernet2/1/1] quit
# Create and configure the IPsec transform set named tran1.
[RouterB-ipsec-profile-profile001] sa spi outbound esp 123456
[RouterB-ipsec-profile-profile001] sa spi inbound esp 123456
[RouterB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
[RouterB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
[RouterB-ipsec-profile-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[RouterB] ripng 1
[RouterB-ripng-1] enable ipsec-profile profile001
[RouterB-ripng-1] quit
3.
Checkzero : Enabled
Default Cost : 0
Maximum number of balanced paths : 8
Update time : 30 sec(s)
Suppress time : 120 sec(s)
Timeout time : 180 sec(s)
Garbage-Collect time : 120 sec(s)
Number of periodic updates sent : 186
Number of trigger updates sent : 1
IPsec profile name: profile001
# Use the display ipsec sa command to display the established IPsec SAs.
Figure 84 Network diagram
Configuration procedure
1. Assign IPv4 addresses to the interfaces on the routers according to Figure 84. (Details not shown.)
2. Configure Router A:
# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm. (DES appears here only because this example uses it; for a production tunnel, use AES as in the earlier examples.)
# Create an IKE keychain named key1 and specify the plaintext 123 as the pre-shared key to be used with the remote peer at 2.2.2.2.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[RouterA-ike-keychain-key1] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/1/1.
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ipsec apply policy map1
[RouterA-GigabitEthernet2/1/1] quit
3.
Make sure Router B has a route to the peer private network, with the outgoing interface as GigabitEthernet 2/1/1.
4. Configure Router C and Router D in the same way Router B is configured.
Verifying the configuration
1. Verify that IPsec RRI can automatically create a static route from Router A to Router B:
# Initiate a connection from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B.
Status: active
# Verify that IPsec RRI has created a static route to reach Router B.
[RouterA] display ip routing-table verbose
2. Verify that Router A can automatically create static routes to Router C and Router D in the same way that you verify the IPsec RRI function by using Router A and Router B. (Details not shown.
Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec. IKE provides the following benefits for IPsec: • Automatically negotiates IPsec parameters. • Performs DH exchanges to calculate shared keys, making sure each SA has a key that is independent of other keys.
Figure 86 IKE exchange process in main mode As shown in Figure 86, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number. The two peers use the exchanged data to generate key data and use the encryption key and authentication key to ensure the security of IP packets.
the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node.
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared keys from the exchanged material is computationally infeasible, a third party cannot obtain the keys even after intercepting all of the keying material.
PFS
The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
IKE configuration task list
Tasks at a glance Remarks
(Optional.) Configuring an IKE profile: N/A
(Optional.) Configuring an IKE proposal: Required when the IKE profile needs to reference IKE proposals.
(Optional.) Configuring an IKE keychain: Required when pre-shared authentication is used in IKE negotiation phase 1.
(Optional.) Configuring the global identity information: N/A
(Optional.) Configuring the IKE keepalive function: N/A
(Optional.
7. Specify a local interface or IP address for the IKE profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that references the IPsec policy. 8. Specify an inside VPN instance. This setting determines where the device should forward received IPsec protected data.
Step Command Remarks
7. Configure the local ID.
local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy or IPsec policy template is applied as the local ID.
8. (Optional.
matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found mismatching, the two peers use their default IKE proposals to establish the IKE SA. Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings. To configure an IKE proposal: Step Command Remarks 1. Enter system view. system-view N/A 2.
1. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication. 2. You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface that references the IPsec policy. 3. You can specify a priority number for the IKE keychain. To determine the priority of an IKE keychain: a.
Step Command Remarks
2. Configure the global identity to be used by the local end.
ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
By default, the IP address of the interface to which the IPsec policy or IPsec policy template is applied is used as the IKE identity. By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication.
3. (Optional.
Configuring the IKE NAT keepalive function If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel in a period of time, the NAT sessions are aged and deleted, disabling the tunnel from transmitting data to the intended end. To prevent NAT sessions from being aged, configure the NAT keepalive function on the IKE gateway behind the NAT device to send NAT keepalive packets to its peer periodically to keep the NAT session alive.
Step Command Remarks
2. Enable sending IKE DPD messages.
ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
By default, IKE DPD is disabled.
Enabling invalid SPI recovery
An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered.
Configuring SNMP notifications for IKE After you enable SNMP notifications for IKE, the IKE module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
IKE configuration examples
Main mode IKE with pre-shared key authentication configuration example
Network requirements
As shown in Figure 87, configure an IPsec tunnel that uses IKE negotiation between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure Device A and Device B to use the default IKE proposal for the IKE negotiation to set up the IPsec SAs.
[DeviceA] ike keychain keychain1
# Specify plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 2.2.2.2.
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceA] ike profile profile1
# Specify IKE keychain keychain1.
# Specify the encryption and authentication algorithms.
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[DeviceB] ike keychain keychain1
# Specify plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 1.1.1.1.
[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.
[DeviceB] display ike proposal
Priority Authentication Authentication Encryption  Diffie-Hellman Duration
         method         algorithm      algorithm   group          (seconds)
---------------------------------------------------------------------------
default  PRE-SHARED-KEY SHA1           AES-CBC-128 Group 1
# Display the IKE SA on Device A.
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
-----------------------------------------------------------------
1 2.2.2.
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
UDP encapsulation used for NAT traversal: N
Status: active
# Display the IKE SA and IPsec SAs on Device B. (Details not shown.
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ike-profile-profile1] match remote identity fqdn www.routerb.com
[DeviceA-ike-profile-profile1] quit
# Create an IKE proposal named 10.
[DeviceA] ike proposal 10
# Specify the authentication algorithm as HMAC-SHA1.
[DeviceA-ike-proposal-10] authentication-algorithm sha
# Specify the RSA authentication method.
[DeviceA-ike-proposal-10] authentication-method rsa-signature
[DeviceA-ike-proposal-10] quit
# Create an IKE-based IPsec policy entry with the name map1 and the sequence number 10.
[DeviceB] pki domain domain2
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[DeviceB-pki-domain-domain2] certificate request mode auto password simple 123
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
[DeviceB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
# Specify the trusted CA 8088.
# Configure a static route to the subnet where Host A resides.
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1
Verifying the configuration
# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec protected.
# Display the IKE proposal configuration on Device A and Device B.
# Display the IPsec SA information on Device A.
Max received sequence-number:
UDP encapsulation used for NAT traversal: N
Status: active
# Display the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device B.
[DeviceB] display ike sa
[DeviceB] display pki certificate domain domain2 ca
[DeviceB] display pki certificate domain domain2 local
[DeviceB] display ipsec sa
Aggressive mode with NAT traversal configuration example
This configuration example is not available when the device is operating in FIPS mode.
[DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceA-ipsec-transform-set-transform1] quit
# Create an IKE keychain named keychain1.
[DeviceA] ike keychain keychain1
# Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 2.2.2.2.
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
[DeviceA-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-transform1] quit
# Create IKE keychain keychain1.
[DeviceB] ike keychain keychain1
# Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 1.1.1.1.
[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.
----------------------------------------------
Connection ID: 13
Outside VPN:
Inside VPN:
Profile: profile1
Transmitting entity: Initiator
----------------------------------------------
Local IP: 1.1.1.1
Local ID type: FQDN
Local ID: www.devicea.com
Remote IP: 2.2.2.2
Remote ID type: IPV4_ADDR
Remote ID: 2.2.2.
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for nat traversal: Y
Status: active
[Outbound ESP SAs]
SPI: 3516214669 (0xd1952d8d)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/2313
Max received sequence-number:
UDP
IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly
Symptom
1. The IKE SA is in Unknown state.
display ike sa
Connection-ID Remote Flag DOI
-----------------------------------------------------------------
1 192.168.222.5 Unknown IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
2. The following IKE event debugging or packet debugging message appeared:
IKE event debugging message:
Notification PAYLOAD_MALFORMED is received.
Solution 1. Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. 2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec SA negotiation failed due to invalid identity information Symptom 1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet. 2.
# Verify that the IPsec policy is referencing an IKE profile.
[Sysname] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: GigabitEthernet2/1/1
-------------------------------------------

-----------------------------
Sequence number: 1
Mode: isakmp
-----------------------------
Description:
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address: 192.168.222.
Sequence number: 1
Mode: isakmp
-----------------------------
Description:
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address:
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
Solution
1. If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.
2.
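The two symptoms above (an IKE SA stuck in Unknown state, and an IPsec policy entry whose references do not match the peer) can be triaged from the display output itself. The following is an added example, not from the HP guide: Python that parses constructed copies of display ike sa and display ipsec policy output in the format shown above and reports which troubleshooting branch applies.

```python
"""Triage of the two IKE/IPsec symptoms described above.

Added example, not from the HP guide. It parses constructed copies of the
'display ike sa' and 'display ipsec policy' output shown in the text and
reports which troubleshooting branch applies.
"""
import re

# Constructed sample: connection 1 is stuck in Unknown state (symptom 1 above).
IKE_SA_OUTPUT = """\
    Connection-ID   Remote                Flag         DOI
  ------------------------------------------------------------------
    1               192.168.222.5         Unknown      IPSEC
    2               192.168.222.9         RD           IPSEC
  Flags:
  RD--READY RL--REPLACED FD-FADING
"""

# Constructed sample: an IKE-based entry that references an IKE profile but
# has no transform set, so IPsec SA negotiation cannot succeed.
IPSEC_POLICY_OUTPUT = """\
  -------------------------------------------
  IPsec Policy: policy1
  Interface: GigabitEthernet2/1/1
  -------------------------------------------

    -----------------------------
    Sequence number: 1
    Mode: isakmp
    -----------------------------
    Description:
    Security data flow: 3000
    Selector mode: aggregation
    Local address: 192.168.222.5
    Remote address: 192.168.222.9
    Transform set:
    IKE profile: profile1
    SA duration(time based):
    SA duration(traffic based):
    SA idle time:
"""

# Data rows: numeric connection ID, remote address, flag, DOI.
SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_ike_sa(text):
    """Return (connection_id, remote, flag, doi) tuples from display ike sa."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def stalled_ike_sas(text):
    """IKE SAs whose flag is not RD (READY), e.g. the Unknown state that the
    text attributes to an IKE proposal or keychain not being referenced."""
    return [row for row in parse_ike_sa(text) if row[2] != "RD"]


def parse_ipsec_policy(text):
    """Return one dict of 'field: value' pairs per 'Sequence number' block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line or line.startswith("-"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Sequence number":
            current = {key: value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def policy_issues(entry):
    """Checks that follow the two Solution lists on the page."""
    issues = []
    if not entry.get("Transform set"):
        issues.append("no IPsec transform set referenced")
    if entry.get("Mode") == "isakmp" and entry.get("IKE profile"):
        issues.append("entry references IKE profile %s; if the peer matched no "
                      "IKE profile, remove the reference" % entry["IKE profile"])
    return issues


def triage():
    """Run both checks over the constructed samples."""
    report = ["IKE SA %d to %s is in %s state" % (cid, remote, flag)
              for cid, remote, flag, _ in stalled_ike_sas(IKE_SA_OUTPUT)]
    for entry in parse_ipsec_policy(IPSEC_POLICY_OUTPUT):
        for issue in policy_issues(entry):
            report.append("policy1 seq %s: %s" % (entry["Sequence number"], issue))
    return report


if __name__ == "__main__":
    print("\n".join(triage()))
```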
Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
Stages Description
Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties determine to use the following algorithms:
• Key exchange algorithm for generating session keys.
• Encryption algorithm for encrypting data.
• Public key algorithm for digital signature and authentication.
• HMAC algorithm for protecting data integrity.
NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
• Publickey authentication—The server authenticates a client through the digital signature. In a publickey authentication, a client sends the server a publickey authentication request that contains the following information:
  { Username.
  { Public key of the client.
  { Publickey algorithm (or the digital certificate that carries the public key information).
Tasks at a glance Remarks
(Required.) Configuring the user lines for Stelnet clients: N/A
(Required.) Configuring a client's host public key: Required if the authentication method is publickey, password-publickey, or any.
Configuring the PKI domain for verifying the client certificate: See "Configuring PKI." Required if the following conditions exist:
• Publickey authentication is configured for users.
• The clients send the public keys to the server through digital certificates for validity check.
Configuration procedure
To generate local DSA or RSA key pairs on the SSH server:
Step Command Remarks
1. Enter system view. system-view N/A
2. Generate local DSA or RSA key pairs. public-key local create { dsa | rsa } By default, no DSA or RSA key pairs exist.
Enabling the SSH server function
The SSH server function on the device allows clients to communicate with the device through SSH.
Step 3. Set the login authentication mode to scheme. Command Remarks By default, the authentication mode is password. authentication-mode scheme For more information about this command, see Fundamentals Command Reference. Configuring a client's host public key In publickey authentication, the server compares the SSH username and the client's host public key received from the client with those locally saved. If they are consistent, the server checks the digital signature that the client sends.
Step Command Remarks
4. Return to system view. peer-public-key end N/A
Importing a client's host public key from the public key file
Step Command
1. Enter system view. system-view
2. Import a client's host public key from the public key file. public-key peer keyname import sshkey filename
Configuring an SSH user
To configure an SSH user that uses publickey authentication, perform the procedure in this section.
• For all authentication methods except password authentication, you must specify the client's host public key or digital certificate.
  { For a client that sends the user's public key information directly to the server, you must specify the client's host public key on the server. The specified public key must already exist. For more information about public keys, see "Configuring a client's host public key.
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable the SSH server to support SSH1 clients. ssh server compatible-ssh1x enable By default, the SSH server supports SSH1 clients. This command is not available in FIPS mode.
3. Set the RSA server key pair update interval. ssh server rekey-interval hours By default, the RSA server key pair is not updated.
4. Set the SSH user authentication timeout period.
• Improving the manageability of Stelnet clients in authentication service.
To specify the source IP address for SSH packets:
Step Command Remarks
1. Enter system view. system-view N/A
• Specify the source IPv4 address for SSH packets. By default, the source IP address for SSH packets is not configured. The IPv4 SSH packets use the primary IP address of the output interface specified in the routing entry as their source address.
Tasks at a glance (Optional.) Displaying help information (Optional.) Terminating the connection with the SFTP server Specifying the source IP address for SFTP packets HP recommends that you specify the IP address of the loopback or dialer interface as the source address for SFTP packets for the following purposes: • Ensuring the communication between the SFTP client and the Stelnet server. • Improving the manageability of SFTP clients in authentication service.
Task Command Remarks
Change the name of a directory on the SFTP server. rename oldname newname Available in SFTP client view.
Create a new directory on the SFTP server. mkdir remote-path Available in SFTP client view.
Delete one or more directories from the SFTP server. rmdir remote-path Available in SFTP client view.
Task Command Remarks
Change the name of a file on the SFTP server. rename old-name new-name Available in SFTP client view.
Configuring the device as an SCP client This section describes how to configure the device as an SCP client to establish a connection with an SCP server and transfer files with the server. When you try to access an SCP server, the device must use the server's host public key to authenticate the server. If the server's host public key is not configured on the device, the device will prompt you to confirm whether you want to continue with the access.
To transfer files with an IPv6 SCP server: Task Command Remarks • (Low encryption.
Task Command
Display the source IP address or source interface information configured for the SFTP client. display sftp client source
Display the source IP address or source interface information configured for the Stelnet client. display ssh client source
Display SSH server status information or session information on an SSH server. display ssh server { session | status }
Display SSH user information on the SSH server.
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
a. Launch PuTTY.exe to enter the interface shown in Figure 91. b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server. Figure 91 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the system prompts you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.
Figure 92 Network diagram (Stelnet client: Host 192.168.1.56/24; Stelnet server: Router GE2/1/1 192.168.1.40/24)
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58. The configuration procedure is as follows:
1.
Figure 94 Generating process c. Click Save public key to save the public key after the key pair is generated. A file saving window appears. d. Enter a file name (key.pub in this example), and click Save.
e. Click Save private key to save the private key. A confirmation dialog box appears.
f. Click Yes. A file saving window appears.
g. Enter a file name (private.ppk in this example), and click Save.
h. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
# Create an SSH user client002 with the authentication method publickey, and assign the public key clientkey to the user. [Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey # Create a local device management user client002 with the service type ssh and the user role network-admin.
Figure 97 Specifying the preferred SSH version e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 98 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
Figure 98 Specifying the private key file g. Click Open to connect to the server. If the connection is successfully established, the system prompts you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements As shown in Figure 99: • You can log in to Router B through the Stelnet client that runs on Router A.
# Generate the RSA key pairs.
system-view
[RouterB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
system-view
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ip address 192.168.1.56 255.255.255.0
[RouterA-GigabitEthernet2/1/1] quit
[RouterA] quit
Before establishing a connection to the server, you can configure the server's host public key on the client to authenticate the server.
# Establish an SSH connection to the server, and specify the host public key of the server.
ssh2 192.168.1.40 publickey key1
Username: client001
client001@192.168.1.40's password:
After you enter the correct password, you log in to Router B successfully.
{ If you do not configure the server's host public key on the client, when you access the server, the system will prompt you to confirm whether to continue with the access.
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Export the DSA host public key to the file key.pub.
[RouterA] public-key local export dsa ssh2 key.pub
[RouterA] quit
# Transmit the public key file key.
[RouterB-line-vty0-63] quit
# Import the peer public key from the file key.pub, and name it clientkey.
[RouterB] public-key peer clientkey import sshkey key.pub
# Create an SSH user client002 with the authentication method publickey, and assign the public key clientkey to the user.
[RouterB] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey
# Create a local device management user client002 with the service type ssh and the user role network-admin.
Figure 101 Network diagram
Configuration procedure
1. Configure the SFTP server:
# Generate the RSA key pairs.
system-view
[Router] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
[Router-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/
[Router-luser-manage-client002] quit
# Create an SSH user client002 with the authentication method password and service type sftp. By default, password authentication is used if no SSH user is created.
[Router] ssh user client002 service-type sftp authentication-type password
2. Establish a connection to the SFTP server:
The device supports different types of SFTP client software.
• After login, you are assigned the user role network-admin to execute file management and transfer operations. • Router B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm. Figure 103 Network diagram Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate the RSA key pairs on the client before configuring the SFTP server. 1.
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...
-rwxrwxrwx 1 1 1 301 Dec 18 14:12 012.pub
-rwxrwxrwx 1 1 1 301 Dec 18 14:12 013
z
sftp> delete z
Removing /z
sftp> dir -l
-rwxrwxrwx 1 1 1 301 Dec 18 14:11 010.pub
-rwxrwxrwx 1 1 1 301 Dec 18 14:12 011.pub
-rwxrwxrwx 1 1 1 301 Dec 18 14:12 012.pub
# Add a directory named new1 and verify the result.
sftp> mkdir new1
sftp> dir -l
-rwxrwxrwx 1 1 1 301 Dec 18 14:11 010.pub
-rwxrwxrwx 1 1 1 301 Dec 18 14:12 011.pub
-rwxrwxrwx 1 1 1 301 Dec 18 14:12 012.
Network requirements
As shown in Figure 104:
• You can log in to Router B through the SCP client that runs on Router A.
• After login, you are assigned the user role network-admin and can securely transfer files with Router B.
• Router B uses the password authentication method.
• The client's username and password are saved on Router B.
Figure 104 Network diagram (SCP client: Router A GE2/1/1 192.168.0.2/24; SCP server: Router B GE2/1/1 192.168.0.1/24)
Configuration procedure
1.
[RouterB] interface gigabitethernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ip address 192.168.0.1 255.255.255.0
[RouterB-GigabitEthernet2/1/1] quit
# Create a local device management user named client001 with the plaintext password aabbcc, the service type ssh, and the user role network-admin.
Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: • Privacy—SSL uses a symmetric encryption algorithm to encrypt data.
Figure 106 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
NOTE: SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). When the device acts as the SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0. When the SSL server receives SSL 2.0 Client Hello message from a client supporting both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication. To configure an SSL server policy: Step Command Remarks 1. Enter system view. system-view N/A 2. Create an SSL server policy and enter its view.
Step Command Remarks
6. Enable the SSL server to authenticate SSL clients through digital certificates. client-verify enable By default, the SSL server does not authenticate SSL clients through digital certificates.
When authenticating a client by using the digital certificate, the SSL server performs the following operations:
• Verifies the certificate chain presented by the client.
• Checks that the certificates in the certificate chain (except the root CA certificate) are not revoked.
Step Command Remarks • Low encryption: prefer-cipher { exp_rsa_des_cbc_sha | rsa_des_cbc_sha } • High encryption (in non-FIPS mode): prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } 4. Specify the preferred cipher suite for the SSL client policy.
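The note above says that the device, acting as SSL server, speaks SSL 3.0 and TLS 1.0 and, on receiving an SSL 2.0-format Client Hello from a client that also supports SSL 3.0/TLS 1.0, tells the client to use one of those versions. The following is an added example, not HP code: Python that builds both Client Hello layouts from constructed data, tells them apart by their record framing, and applies a decision rule that illustrates the note (the rejection branch for SSL 2.0-only clients is an assumption, not something the guide states).

```python
"""Distinguishing an SSL 2.0-format Client Hello from an SSL 3.0/TLS one and
deciding what the device does as SSL server, as the note above describes.
Added example, not HP code: both messages are constructed here and the
decision rule is an illustration of the note, not the device's implementation."""
import struct

SSL2_CLIENT_HELLO = 0x01   # SSL 2.0 CLIENT-HELLO message type
HANDSHAKE_RECORD = 0x16    # SSL 3.0/TLS record content type "handshake"


def build_sslv2_hello(max_version, cipher_specs):
    """SSL 2.0 record with CLIENT-HELLO; max_version is the highest the client speaks."""
    body = struct.pack(">BHHHH", SSL2_CLIENT_HELLO, max_version,
                       len(cipher_specs) * 3, 0, 16)     # spec len, sid len, challenge len
    body += b"".join(struct.pack(">I", c)[1:] for c in cipher_specs)  # 3-byte specs
    body += b"\x00" * 16                                  # challenge (constructed)
    return struct.pack(">H", 0x8000 | len(body)) + body   # 2-byte header, high bit set


def build_sslv3_hello(version, cipher_suites):
    """SSL 3.0/TLS record (content type 22) carrying a minimal ClientHello."""
    hello = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, sid len
    hello += struct.pack(">H", len(cipher_suites) * 2)
    hello += b"".join(struct.pack(">H", c) for c in cipher_suites)
    hello += b"\x01\x00"                                          # one compression: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack(">BHH", HANDSHAKE_RECORD, version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'format', 'version', 'ciphers'} for either hello layout."""
    if len(data) >= 46 and data[0] == HANDSHAKE_RECORD and data[5] == 0x01:
        version = (data[9], data[10])                     # client_version inside ClientHello
        pos = 44 + data[43]                               # skip 32-byte random and session id
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        suites = [struct.unpack(">H", data[i:i + 2])[0]
                  for i in range(pos + 2, pos + 2 + n, 2)]
        return {"format": "sslv3", "version": version, "ciphers": suites}
    if len(data) >= 11 and data[0] & 0x80 and data[2] == SSL2_CLIENT_HELLO:
        version = (data[3], data[4])
        spec_len = struct.unpack(">H", data[5:7])[0]
        specs = [int.from_bytes(data[i:i + 3], "big")
                 for i in range(11, 11 + spec_len, 3)]
        return {"format": "sslv2", "version": version, "ciphers": specs}
    raise ValueError("not a Client Hello")


def server_response(hello):
    """The device as SSL server talks SSL 3.0 or TLS 1.0 only (note above)."""
    if hello["version"] < (3, 0):
        # Assumption for illustration: no common version, so the handshake cannot proceed.
        return "reject: client offers SSL 2.0 only"
    if hello["format"] == "sslv2":
        return "ask client to use SSL 3.0/TLS 1.0"   # the note's behaviour for dual-capable clients
    return "negotiate SSL 3.0" if hello["version"] == (3, 0) else "negotiate TLS 1.0"
```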
Configuring ASPF Overview Advanced Stateful Packet Filter (ASPF) is proposed to address the issues that a packet-filter firewall cannot solve. An ASPF provides the following main functions: • Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection.
ASPF inspections This section introduces the basic idea of ASPF inspection on application layer and transport layer protocols. Application layer protocol inspection As shown in Figure 107, ACLs on the edge device deny incoming packets to the internal network. The ASPF application layer protocol inspection allows return packets from the external network to the internal network.
Figure 108 FTP inspection As shown in Figure 108, FTP connections are established and removed as follows: 1. The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server. 2. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client. 3. When data transmission times out or ends, the data connection is removed. ASPF implements FTP inspection during the FTP connection lifetime: 4.
addresses and source/destination port numbers as the outgoing packets (but reversed). Otherwise, the return packets are blocked. Therefore, for multi-channel application layer protocols like FTP, the deployment of TCP inspection without application layer inspection leads to failure of establishing a data connection. ASPF configuration task list Tasks at a glance (Required.) Configuring an ASPF policy (Required.
You can apply both ASPF and packet filtering on the same device. For example, you can apply a packet filtering policy to the inbound direction of the external interface and apply an ASPF policy to the outbound direction of the external interface. This combination denies unsolicited access from the external network to the internal network and allows return packets from the external network to the internal network.
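The FTP case described above (Figure 108) and the packet-filter-plus-ASPF deployment, as an added example that is not part of the HP guide: a minimal stateful inspector in Python. It models packets as 5-tuples with a payload, creates sessions for traffic leaving the internal network, and admits traffic from the external network only if it is return traffic for a session or an active-mode FTP data channel announced by a PORT command on an inspected control connection (the relation table). The addresses, the Packet model and the Inspector class are constructed for this example; the same scenario is run with and without FTP inspection to show why TCP inspection alone breaks the data connection.

```python
"""Added example (not from the HP guide): a minimal stateful inspector that
shows why FTP, a multi-channel protocol, needs application layer inspection
in addition to transport layer (TCP) inspection.

Assumptions made for this example: packets are modelled as 5-tuples with a
payload; packets leaving the internal network create sessions; packets
entering from the external network are allowed only if they match an existing
session in reverse, or a data channel announced by an FTP PORT command on an
inspected control connection (the relation table)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""


PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(payload):
    """Parse an FTP PORT command (RFC 959: h1,h2,h3,h4,p1,p2) into (ip, port) or None."""
    m = PORT_RE.match(payload.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Inspector:
    def __init__(self, ftp_inspection):
        self.ftp_inspection = ftp_inspection
        self.sessions = set()   # 5-tuples in the direction internal -> external
        self.relation = set()   # expected data connections, external -> internal

    @staticmethod
    def _key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    def outbound(self, p):
        """Internal -> external: always allowed; creates state."""
        self.sessions.add(self._key(p))
        if self.ftp_inspection and p.proto == "tcp" and p.dst_port == 21:
            announced = parse_port_command(p.payload)
            # Only open a pinhole toward the client that owns the control
            # connection; a PORT naming another host is an FTP bounce attempt.
            if announced and announced[0] == p.src_ip:
                ip, port = announced
                self.relation.add((p.dst_ip, 20, ip, port, "tcp"))
        return True

    def inbound(self, p):
        """External -> internal: only return traffic or an expected data channel."""
        k = self._key(p)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if reverse in self.sessions:
            return True
        if k in self.relation:
            self.relation.discard(k)        # promote the expected channel to a session
            self.sessions.add(reverse)
            return True
        return False


CLIENT, SERVER = "192.168.1.10", "203.0.113.5"   # constructed addresses


def ftp_active_transfer(ftp_inspection):
    """Return True if the server's active-mode data connection gets through."""
    fw = Inspector(ftp_inspection)
    fw.outbound(Packet(CLIENT, 1333, SERVER, 21))                # control connection
    assert fw.inbound(Packet(SERVER, 21, CLIENT, 1333))          # server replies are return traffic
    fw.outbound(Packet(CLIENT, 1333, SERVER, 21, payload=b"PORT 192,168,1,10,6,64\r\n"))
    return fw.inbound(Packet(SERVER, 20, CLIENT, 1600))         # 6*256+64 = 1600


def ftp_bounce_blocked():
    """A PORT command naming a third host must not open a pinhole to that host."""
    fw = Inspector(True)
    fw.outbound(Packet(CLIENT, 1333, SERVER, 21, payload=b"PORT 192,168,1,99,6,64\r\n"))
    return not fw.inbound(Packet(SERVER, 20, "192.168.1.99", 1600))


def unsolicited_blocked():
    """Unsolicited external connections are dropped regardless of FTP inspection."""
    return not Inspector(True).inbound(Packet(SERVER, 4444, CLIENT, 22))


if __name__ == "__main__":
    print("with FTP inspection:", ftp_active_transfer(True))    # True
    print("TCP inspection only:", ftp_active_transfer(False))   # False
```

The bounce check in outbound() is the detail worth copying: a pinhole must only be opened toward the client that owns the control connection, otherwise the inspector itself becomes an open relay into the internal network.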
Figure 109 Network diagram Configuration procedure # Configure ACL 3111 to deny all IP packets. system-view [RouterA] acl number 3111 [RouterA-acl-adv-3111] rule deny ip [RouterA-acl-adv-3111] quit # Create ASPF policy 1 for FTP inspection. [RouterA] aspf-policy 1 [RouterA-aspf-policy-1] detect ftp [RouterA-aspf-policy-1] quit # Apply ACL 3111 to deny all incoming IP packets on interface GigabitEthernet 2/1/1.
ASPF TCP application inspection configuration example Network requirements Local users on the internal network need to access the external network. To protect the internal network against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A. Router A can then drop faked ICMP error messages and non-SYN packets that are the first packets over TCP connections. Figure 110 Network diagram Configuration procedure # Configure ACL 3111 to deny all IP packets.
Enable TCP SYN packet check
Detect these protocols:
Router A can recognize faked ICMP error messages from external networks, and drop the non-SYN packets that are the first packets to establish TCP connections.
ASPF H.323 application inspection configuration example
Network requirements
Figure 111 displays a typical H.323 application network. Gateway B on the external network needs to access the H.323 Gatekeeper and, with the assistance of the Gatekeeper, to establish a connection with H.323 Gateway A.
Verifying the configuration
# Display ASPF sessions on Router A.
[RouterA] display aspf session ipv4
Initiator:
  Source      IP/port: 1.1.1.111/33184
  Destination IP/port: 192.168.1.3/32828
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: UDP(17)
Initiator:
  Source      IP/port: 1.1.1.111/1719
  Destination IP/port: 192.168.1.2/1719
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: UDP(17)
Initiator:
  Source      IP/port: 1.1.1.111/3521
  Destination IP/port: 192.168.1.
Configuring APR Overview The application recognition (APR) feature enables QoS and ASPF to recognize application protocols of packets sent on ports that are not well known. APR separately counts the number of packets or bytes that an interface has received or sent based on application protocols. It also calculates the transmission rates of the interface at the same time. APR uses the following methods to recognize an application protocol: • Port-based application recognition (PBAR).
If a packet is recognized as the packet of an application protocol in an application group, the packet is considered to be the packet of the application group. Features such as QoS and ASPF can handle packets belonging to the same group in bulk. The following types of application groups are available: • Pre-defined—The pre-defined application groups exist on the device by default, and you cannot modify or delete these application groups.
2. Create an application group and enter application group view: app-group group-name. By default, pre-defined application groups exist on the device. You cannot modify or delete the pre-defined application groups.
3. (Optional.) Configure a description for the user-defined application group: description group-description. By default, the description is "User-defined application group."
By default, a user-defined application group does not contain any application protocol.
4.
Displaying and maintaining APR
Execute display commands in any view and reset commands in user view.
• Display information about application protocols: display application [ name application-name | pre-defined | user-defined ]
• Display information about application groups: display app-group [ name group-name | pre-defined | user-defined ]
• Display statistics for the specified application protocols.
# Map HTTP to TCP and port 8080. [Router] port-mapping application http port 8080 protocol tcp # Create a traffic class named classifier_1, and match group1 to the class. [Router] traffic classifier classifier_1 [Router-classifier-classifier_1] if-match app-group group1 [Router-classifier-classifier_1] quit # Create a traffic behavior named bdeny, and configure the action as deny.
Managing sessions In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview Session management is a common module that provides basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based features. Session management can be applied for the following purposes: • Fast matching between packets and sessions. • Management of transport layer protocol states.
• Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states. • Supports port mapping for application layer protocols (see "Configuring PBAR"), enabling application layer protocols to use customized ports. • Sets aging time for sessions based on application layer protocols. • Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets.
2. Set the session aging time for different protocol states: session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
The default aging time for sessions in different protocol states is as follows:
• TCP SYN-SENT and SYN-RCV: 30 seconds.
• TCP ESTABLISHED: 3600 seconds.
• FIN_WAIT: 30 seconds.
• UDP-OPEN: 30 seconds.
• UDP-READY: 60 seconds.
• ICMP-REQUEST: 60 seconds.
• ICMP-REPLY: 30 seconds.
2. Set the session aging time for different application layer protocols: session aging-time application { dns | ftp | gtp | h225 | h245 | ils | mgcp | nbt | pptp | ras | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp } time-value
By default, the session aging time is as follows:
• DNS: 60 seconds.
• FTP: 3600 seconds.
• GTP: 60 seconds.
• H.225: 3600 seconds.
• H.245: 3600 seconds.
• RAS: 300 seconds.
• RTSP: 3600 seconds.
• SIP: 3600 seconds.
• TFTP: 60 seconds.
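The transport layer state tracking this chapter describes, together with the TCP SYN packet check and the faked-ICMP-error detection of the ASPF chapter, as an added example that is not part of the HP guide: a small session table in Python. The first packet of a TCP session must be a SYN; each session ages out after the per-state time (the defaults from the table above); and an ICMP error packet is accepted only if the original packet quoted in its payload maps to an existing session. Packets are plain tuples, time is passed in explicitly, and the TCP state transitions are simplified; all of that is constructed for the example.

```python
"""Added example (not from the HP guide): a session table that models the
transport layer state tracking this chapter describes: the first packet of a
TCP session must be a SYN (TCP SYN packet check), each session ages out after
the per-state time (defaults taken from this chapter), and ICMP error packets
are mapped back to the session of the original packet carried in their payload
so that faked ICMP errors can be dropped.

Packets are plain tuples and time is passed in explicitly; the TCP state
transitions are simplified (SYN -> SYN/ACK -> ACK; FIN or RST -> FIN state)."""

DEFAULT_STATE_AGING = {          # seconds, from this chapter's defaults
    "syn": 30, "tcp-est": 3600, "fin": 30,
    "udp-open": 30, "udp-ready": 60,
    "icmp-request": 60, "icmp-reply": 30,
}


class SessionTable:
    def __init__(self, syn_check=True, aging=None):
        self.syn_check = syn_check
        self.aging = dict(aging or DEFAULT_STATE_AGING)
        self.table = {}          # 5-tuple (initiator orientation) -> {"state", "last"}

    def _find(self, key):
        """Return (stored_key, entry, is_reverse) for a packet 5-tuple."""
        if key in self.table:
            return key, self.table[key], False
        rev = (key[2], key[3], key[0], key[1], key[4])
        if rev in self.table:
            return rev, self.table[rev], True
        return None, None, False

    def expire(self, now):
        """Drop sessions idle for longer than their state's aging time; return count."""
        dead = [k for k, s in self.table.items() if now - s["last"] > self.aging[s["state"]]]
        for k in dead:
            del self.table[k]
        return len(dead)

    def tcp(self, src, sport, dst, dport, flags, now):
        """Return True if the TCP packet is accepted; flags is a set of 'syn','ack','fin','rst'."""
        self.expire(now)
        key = (src, sport, dst, dport, "tcp")
        _, s, reverse = self._find(key)
        if s is None:
            if self.syn_check and flags != {"syn"}:
                return False                     # non-SYN first packet: dropped
            self.table[key] = {"state": "syn", "last": now}
            return True
        if s["state"] == "syn" and not reverse and flags == {"ack"}:
            s["state"] = "tcp-est"               # handshake completed by the initiator
        if flags & {"fin", "rst"}:
            s["state"] = "fin"
        s["last"] = now
        return True

    def udp(self, src, sport, dst, dport, now):
        self.expire(now)
        key = (src, sport, dst, dport, "udp")
        _, s, reverse = self._find(key)
        if s is None:
            self.table[key] = {"state": "udp-open", "last": now}
        else:
            if reverse:
                s["state"] = "udp-ready"         # a reply was seen
            s["last"] = now
        return True

    def icmp_error(self, embedded, now):
        """Accept an ICMP error only if the packet quoted in it belongs to a session."""
        self.expire(now)
        _, s, _ = self._find(embedded)
        return s is not None


def syn_check_demo():
    """Returns (syn_accepted, ack_first_accepted, ack_first_with_syn_check_off)."""
    t = SessionTable()
    a = t.tcp("10.0.0.5", 40000, "203.0.113.9", 80, {"syn"}, now=0)
    b = t.tcp("10.0.0.6", 40001, "203.0.113.9", 80, {"ack"}, now=0)
    c = SessionTable(syn_check=False).tcp("10.0.0.6", 40001, "203.0.113.9", 80, {"ack"}, now=0)
    return a, b, c


def aging_demo():
    """A half-open session ages out after 30 s; an established one survives."""
    t = SessionTable()
    t.tcp("10.0.0.5", 40000, "203.0.113.9", 80, {"syn"}, now=0)
    t.tcp("10.0.0.7", 40002, "203.0.113.9", 443, {"syn"}, now=0)
    t.tcp("203.0.113.9", 443, "10.0.0.7", 40002, {"syn", "ack"}, now=1)
    t.tcp("10.0.0.7", 40002, "203.0.113.9", 443, {"ack"}, now=2)
    expired = t.expire(now=40)
    return expired, len(t.table), t.table[("10.0.0.7", 40002, "203.0.113.9", 443, "tcp")]["state"]


def icmp_error_demo():
    """A real 'port unreachable' for our DNS query is accepted; a faked one is not."""
    t = SessionTable()
    t.udp("10.0.0.5", 53000, "203.0.113.53", 53, now=0)
    real = t.icmp_error(("10.0.0.5", 53000, "203.0.113.53", 53, "udp"), now=1)
    fake = t.icmp_error(("10.0.0.5", 53000, "198.51.100.1", 53, "udp"), now=1)
    return real, fake
```

The short SYN-state timer is what makes the table resistant to SYN floods: half-open entries are gone after 30 seconds while established sessions keep the long 3600 second timer, which is also why the aging times should only be raised with care.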
• Time-based logging—The device outputs session logs at an interval. • Traffic-based logging—The device outputs a session log when the traffic amount of a session reaches a threshold. After outputting a session log, the device resets the traffic counter for the session. The traffic-based thresholds can be byte-based and packet-based. If you set both thresholds, the last configuration takes effect.
• Display session statistics (MSR4000): display session statistics [ slot slot-number ]
• Display relation table entries (MSR2000/MSR3000): display session relation-table { ipv4 | ipv6 }
• Display relation table entries (MSR4000): display session relation-table { ipv4 | ipv6 } [ slot slot-number ]
• Clear IPv4 session table entries (MSR2000/MSR3000).
Configuring connection limits In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview The connection limit feature enables the device to monitor and limit the number of established connections.
1. Enter system view: system-view
2. Create a connection limit policy and enter its view: connection-limit { ipv6-policy | policy } policy-id. By default, no connection limit policy exists.
Configuring the connection limit policy
To use a connection limit policy, you must add limit rules to the policy. Each rule defines a range of connections and the criteria for limiting them. Connections in the range are limited based on the criteria.
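A limit rule with an upper and a lower threshold, the hysteresis the limit command uses in the configuration example later in this chapter (refuse new connections once the count reaches the upper limit, accept again only after it drops below the lower limit), as an added example that is not part of the HP guide. The per-source, per-destination and aggregate counting scopes, the rule and policy classes, and the addresses are assumptions made for this example.

```python
"""Added example (not from the HP guide): a connection limit policy whose rules
carry an upper and a lower threshold, the hysteresis the limit command uses
(new connections are refused once the count reaches the upper limit and are
accepted again only after it falls below the lower limit). The per-source /
per-destination / aggregate counting scope and the rule model are assumptions
made for the example; the addresses are constructed."""
import ipaddress


class LimitRule:
    def __init__(self, network, upper, lower, scope="aggregate"):
        assert lower <= upper and scope in ("aggregate", "source", "destination")
        self.network = ipaddress.ip_network(network)
        self.upper, self.lower, self.scope = upper, lower, scope
        self.counts = {}        # counting key -> active connections
        self.blocked = set()    # counting keys currently refusing new connections

    def matches(self, src, dst):
        addr = dst if self.scope == "destination" else src
        return ipaddress.ip_address(addr) in self.network

    def _key(self, src, dst):
        return {"source": src, "destination": dst}.get(self.scope, "*")

    def can_admit(self, src, dst):
        k = self._key(src, dst)
        if k in self.blocked:
            return False
        if self.counts.get(k, 0) >= self.upper:
            self.blocked.add(k)          # upper limit reached: start refusing
            return False
        return True

    def add(self, src, dst):
        k = self._key(src, dst)
        self.counts[k] = self.counts.get(k, 0) + 1

    def release(self, src, dst):
        k = self._key(src, dst)
        self.counts[k] = max(0, self.counts.get(k, 0) - 1)
        if k in self.blocked and self.counts[k] < self.lower:
            self.blocked.discard(k)      # fell below the lower limit: accept again


class ConnectionLimitPolicy:
    def __init__(self, rules):
        self.rules = list(rules)

    def new_connection(self, src, dst):
        """Admit a connection only if every rule that matches it has room."""
        matching = [r for r in self.rules if r.matches(src, dst)]
        if not all(r.can_admit(src, dst) for r in matching):
            return False
        for r in matching:
            r.add(src, dst)
        return True

    def close_connection(self, src, dst):
        for r in self.rules:
            if r.matches(src, dst):
                r.release(src, dst)


def hysteresis_demo():
    """Per-source rule: up to 5 connections, re-admit only below 3."""
    policy = ConnectionLimitPolicy([LimitRule("192.168.0.0/24", upper=5, lower=3, scope="source")])
    host, server = "192.168.0.10", "203.0.113.80"
    opened = sum(policy.new_connection(host, server) for _ in range(7))   # only 5 succeed
    refused_at_5 = not policy.new_connection(host, server)
    policy.close_connection(host, server)                                 # count 4: still blocked
    refused_at_4 = not policy.new_connection(host, server)
    policy.close_connection(host, server)                                 # count 3: still blocked
    refused_at_3 = not policy.new_connection(host, server)
    policy.close_connection(host, server)                                 # count 2 (< 3): unblocked
    admitted_at_2 = policy.new_connection(host, server)
    other_host_ok = policy.new_connection("192.168.0.11", server)         # separate per-source count
    outside_scope = policy.new_connection("10.9.9.9", server)             # no rule matches: unlimited
    return opened, refused_at_5, refused_at_4, refused_at_3, admitted_at_2, other_host_ok, outside_scope
```

The gap between the two thresholds is what keeps a host that sits at the limit from flapping between admitted and refused on every closed connection; without it, an attacker holding the count at the upper limit can starve legitimate new connections one at a time.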
the inbound interface, the global policy, and the policy on the outbound interface. Once any of these upper limits is reached, the device refuses new connections.
To apply a connection limit policy to an interface:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
By default, no connection limit policy is applied to an interface.
• Clear the connection limit statistics globally or on an interface (MSR2000/MSR3000): reset connection-limit statistics { global | interface interface-type interface-number }
• Clear the connection limit statistics globally or on an interface (MSR4000): reset connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]
Connection limit configuration example
Network requirements
As shown in Figure 114, a company has five public IP addresses: 202.38.
[Router-acl-adv-3001] quit # Create connection limit policy 1. [Router] connection-limit policy 1 # Configure connection limit rule 1 to permit up to 100000 connections from all the hosts matching ACL 3000. When the number of connections exceeds 100000, new connections cannot be established until the number drops below 95000. [Router-connlmt-1] limit 1 acl 3000 amount 100000 95000 # Configure connection limit rule 2 to permit up to 10000 connections to the servers matching ACL 3001.
GigabitEthernet2/1/1
Troubleshooting
ACLs in the connection limit rules with overlapping segments
Symptom
A connection limit policy has two rules. One rule sets the upper limit to 10 for the connections from each host on segment 192.168.0.0/24, and the other sets the upper limit to 100 for the connections from 192.168.0.100/24.
system-view
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 192.168.0.0 0.0.0.
Configuring object groups Overview An object group is a group of objects that can be referenced by an ACL, object policy, or object group to identify packets. Object groups are divided into the following types: • IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet. • IPv6 address object group—A group of IPv6 address objects used to match the IPv6 address in a packet.
4. Configure an IPv6 address object: [ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address { mask-length | mask } | range ipv6-address1 ipv6-address2 | group-object object-group-name }. By default, no object exists.
Configuring a port object group
1. Enter system view: system-view
2. Configure a port object group and enter its view.
• Display information about all IPv6 address object groups: display object-group ipv6 address
• Display information about all port object groups: display object-group port
• Display information about all service object groups: display object-group service
• Display information about the default IPv4 address object group: display object-group ip address default
• Display information about the default IPv6 address object group.
Configuring IP source guard In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops all packets that do not match the table. The IP source guard binding table can include the following binding entries: • IP-interface. • MAC-interface. • IP-MAC-interface.
IP source guard can use static IPv4 binding entries on an interface to implement the following functions: • Filter incoming IPv4 packets on the interface. • Cooperate with the ARP detection feature to check user validity. IP source guard can use static IPv6 binding entries on an interface to implement the following functions: • Filter incoming IPv6 packets on the interface. • Cooperate with the ND detection feature to check user validity.
Tasks at a glance:
• (Required.) Enabling IPv4 source guard on an interface
• (Optional.) Configuring a static IPv4 source guard binding entry on an interface
To configure IPv6 source guard, perform the following tasks:
• (Required.) Enabling IPv6 source guard on an interface
• (Optional.
• You can configure the same static IPv4 source guard binding entry on different interfaces.
• The maximum number of static IPv4 source guard binding entries on a Layer 2 interface varies by hardware:
  ◦ MSR routers installed with the Layer 2 switching module HMIM-24GSW/24GSWP or HMIM-8GSW: 384
To configure a static IPv4 source guard binding entry on an interface:
1. Enter system view: system-view
2. Enter interface view.
Configuring a static IPv6 source guard binding entry on an interface When you configure a static IPv6 source guard binding entry on an interface, follow these guidelines: • To configure a static IPv6 binding entry for the ND detection function, the vlan vlan-id option must be specified, and ND detection must be enabled for the specified VLAN. • You can configure the same static IPv6 source guard binding entry on different interfaces.
• Display IPv6 source guard binding entries (MSR4000): display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
IP source guard configuration examples
Static IPv4 source guard configuration example
Network requirements
As shown in Figure 116, all hosts use static IP addresses.
[DeviceA-GigabitEthernet2/1/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [DeviceA-GigabitEthernet2/1/1] quit 2. Configure Device B: # Configure an IP address for each interface. (Details not shown.) # Enable IPv4 source guard on GigabitEthernet 2/1/2. system-view [DeviceB] interface gigabitethernet 2/1/2 [DeviceB-GigabitEthernet2/1/2] ip verify source ip-address mac-address [DeviceB-GigabitEthernet2/1/2] quit # Enable IPv4 source guard on GigabitEthernet 2/1/1.
Figure 117 Network diagram Configuration procedure 1. Configure the DHCP server. For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide. 2. Configure the device: # Configure IP addresses for the interfaces. (Details not shown.) # Enable DHCP snooping. system-view [Device] dhcp snooping enable # Configure GigabitEthernet 2/1/2 as a trusted interface.
Figure 118 Network diagram Configuration procedure # Enable IPv6 source guard on GigabitEthernet 2/1/1. system-view [Device] interface gigabitethernet 2/1/1 [Device-GigabitEthernet2/1/1] ipv6 verify source ip-address mac-address # On GigabitEthernet 2/1/1, configure a static IPv6 source guard binding entry for the host.
[Device] ipv6 dhcp snooping enable # Configure GigabitEthernet 2/1/2 as a trusted interface. [Device] interface gigabitethernet 2/1/2 [Device-GigabitEthernet2/1/2] ipv6 dhcp snooping trust [Device-GigabitEthernet2/1/2] quit 2. Enable IPv6 source guard: # Enable IPv6 source guard on GigabitEthernet 2/1/1 and verify the source IP address and MAC address for dynamic IPv6 source guard.
Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
• The device keeps trying to resolve target IP addresses, overloading its CPU. To protect the device from such unresolvable IP attacks, you can configure the following features: • ARP source suppression—Stops resolving packets from a host if the upper limit on unresolvable IP packets from the host is reached within an interval of 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.
Figure 120 Network diagram (a gateway device connecting the IP network to VLAN 10 and VLAN 20, the R&D and Office segments, which contain Host A through Host D)
Configuration considerations
If the attack packets have the same source address, configure the ARP source suppression function as follows:
1. Enable ARP source suppression.
2. Set the threshold to 100.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.
Configuration procedure
To configure source MAC-based ARP attack detection:
1. Enter system view: system-view
2. Enable source MAC-based ARP attack detection and specify the handling method: arp source-mac { filter | monitor }. By default, this feature is disabled.
3. Configure the threshold.
Figure 121 Network diagram (a gateway device between the IP network and a LAN segment containing a server with MAC address 0012-3f86-e94c and Host A through Host D)
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:
1. Enable source MAC-based ARP attack detection and specify the handling method as filter.
2. Set the threshold.
3.
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
To enable ARP packet source MAC address consistency check:
1. Enter system view: system-view
2. Enable ARP packet source MAC address consistency check.
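Source MAC-based ARP attack detection (the previous section) and the source MAC consistency check (this section), as one added example that is not part of the HP guide: a Python detector that counts ARP packets per source MAC within a detection interval, raises an alert when the threshold is exceeded, drops or merely logs depending on filter or monitor mode, skips excluded MAC addresses, and rejects frames whose Ethernet source MAC differs from the ARP sender MAC. The interval length, the ArpFrame model, the MAC addresses and the flood traffic are all constructed for this example.

```python
"""Added example (not from the HP guide): source MAC-based ARP attack
detection (count ARP packets per source MAC within a detection interval, act
when the threshold is exceeded, in filter or monitor mode, with a list of
excluded MAC addresses) together with the ARP packet source MAC consistency
check (Ethernet source MAC must equal the sender MAC in the ARP body).
The interval length, the frame model and the sample traffic are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str       # source MAC address in the Ethernet header
    sender_mac: str    # sender hardware address in the ARP message body
    sender_ip: str
    target_ip: str


def source_mac_consistent(frame):
    """ARP packet source MAC consistency check."""
    return frame.eth_src.lower() == frame.sender_mac.lower()


class SourceMacArpDetector:
    def __init__(self, threshold, interval, mode="filter", exclude=()):
        assert mode in ("filter", "monitor")
        self.threshold, self.interval, self.mode = threshold, interval, mode
        self.exclude = {m.lower() for m in exclude}
        self.windows = defaultdict(deque)   # MAC -> timestamps within the interval
        self.alerts = []                    # (MAC, time) entries for the log

    def process(self, frame, now):
        """Return 'forward' or 'drop' for an ARP frame received at time now."""
        if not source_mac_consistent(frame):
            return "drop"
        mac = frame.eth_src.lower()
        if mac in self.exclude:
            return "forward"                # excluded gateways/servers are not inspected
        window = self.windows[mac]
        window.append(now)
        while window and now - window[0] >= self.interval:
            window.popleft()                # slide the detection window
        if len(window) > self.threshold:
            self.alerts.append((mac, now))
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def flood(detector, mac, count, start=0.0, spacing=0.01):
    """Send count ARP requests from mac, 10 ms apart; return how many were dropped."""
    dropped = 0
    for i in range(count):
        f = ArpFrame(mac, mac, "10.1.1.50", "10.1.1.1")
        if detector.process(f, start + i * spacing) == "drop":
            dropped += 1
    return dropped


def demo():
    """Returns (dropped in filter mode, dropped in monitor mode, alerts in monitor mode,
    dropped for an excluded MAC, action for an inconsistent frame)."""
    filt = SourceMacArpDetector(threshold=30, interval=5, mode="filter")
    mon = SourceMacArpDetector(threshold=30, interval=5, mode="monitor")
    excl = SourceMacArpDetector(threshold=30, interval=5, mode="filter",
                                exclude=["0012-3f86-e94c"])
    attacker = "000f-e349-1234"
    bad = ArpFrame("000f-e349-1234", "000f-e349-9999", "10.1.1.50", "10.1.1.1")
    return (flood(filt, attacker, 40), flood(mon, attacker, 40), len(mon.alerts),
            flood(excl, "0012-3f86-e94c", 40), filt.process(bad, 100.0))
```

Monitor mode is the right first deployment: it produces the same alerts as filter mode without dropping anything, so a threshold that is too low for a busy server shows up in the log before it causes an outage. Excluding a MAC is a trust decision, so keep that list to addresses you can verify on the switch port.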
2. Enter Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, or Layer 3 aggregate subinterface view: interface interface-type interface-number
3. Enable authorized ARP on the interface: arp authorized enable. By default, authorized ARP is disabled.
Configuration example (on a DHCP server)
Network requirements
As shown in Figure 122, configure authorized ARP on GigabitEthernet 2/1/1 of Device A (a DHCP server) to ensure user validity.
Type: S-Static   D-Dynamic   O-Openflow   M-Multiport   I-Invalid
IP address      MAC address      VLAN   Interface   Aging   Type
10.1.1.2        0012-3f86-e94c   N/A    GE2/1/1     20      D
The output shows that IP address 10.1.1.2 has been assigned to Device B. Device B must use the IP address and MAC address in the authorized ARP entry to communicate with Device A. Otherwise, the communication fails. Thus user validity is ensured.
[DeviceB-GigabitEthernet2/1/1] quit [DeviceB] interface gigabitethernet 2/1/2 [DeviceB-GigabitEthernet2/1/2] ip address 10.10.1.1 24 # Enable DHCP relay agent on GigabitEthernet 2/1/2. [DeviceB-GigabitEthernet2/1/2] dhcp select relay # Add the DHCP server 10.1.1.1 to DHCP server group 1. [DeviceB-GigabitEthernet2/1/2] dhcp relay server-address 10.1.1.1 # Enable authorized ARP.
Configuring user validity check Upon receiving an ARP packet from an ARP untrusted interface, the device matches the sender IP and MAC addresses against the following entries: • Static IP source guard binding entries. • DHCP snooping entries. If a match is found, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded. Static IP source guard binding entries are created by using the ip source binding command.
• ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
To configure ARP packet validity check:
1. Enter system view: system-view
2. Enter VLAN view: vlan vlan-id
3. Enable ARP detection: arp detection enable. By default, ARP detection is disabled.
4. Return to system view: quit
5.
• Display the VLANs enabled with ARP detection: display arp detection
• Display the ARP detection statistics: display arp detection statistics [ interface interface-type interface-number ]
• Clear the ARP detection statistics.
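The IP source guard binding table of the previous chapter and the two ARP detection checks described above (user validity against the bindings, packet validity with the src-mac, dst-mac and ip rules), as one added example that is not part of the HP guide. One binding table in Python is filled from static entries and DHCP-snooping-style entries and is consulted both by an IP source guard filter with the ip-address / mac-address match options and by an ARP detection function for untrusted interfaces. The addresses and frames are constructed, and the dst-mac rule as coded (the target MAC of a reply must equal the Ethernet destination MAC and be neither all-zero nor all-one) is an assumption, since this page spells out only the ip rule.

```python
"""Added example (not from the HP guide): one binding table shared by IP
source guard and ARP detection. Static entries (ip source binding) and DHCP
snooping entries both land in the table. IP source guard filters IP packets
on an interface by the match options chosen (ip-address, mac-address, or
both); ARP detection on an untrusted interface first runs the packet validity
checks (src-mac, dst-mac, ip) and then the user validity check of the sender
IP/MAC against the table. Addresses and frames are constructed; the dst-mac
rule (target MAC of a reply must match the Ethernet destination MAC and be
neither all-zero nor all-one) is assumed, since this page only spells out the
ip rule."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


class BindingTable:
    def __init__(self):
        self.entries = set()

    def add_static(self, ip, mac, vlan, interface):         # ip source binding ...
        self.entries.add(Binding(ip, mac.lower(), vlan, interface))

    def add_dhcp_snooping(self, ip, mac, vlan, interface):  # learned by DHCP snooping
        self.entries.add(Binding(ip, mac.lower(), vlan, interface))

    def match(self, interface, vlan, ip=None, mac=None):
        """True if some entry on this interface/VLAN matches the given fields."""
        return any(b.interface == interface and b.vlan == vlan
                   and (ip is None or b.ip == ip)
                   and (mac is None or b.mac == mac.lower())
                   for b in self.entries)


def ip_source_guard(table, interface, vlan, src_ip, src_mac, check=("ip-address", "mac-address")):
    """ip verify source { ip-address | mac-address | ip-address mac-address }."""
    return table.match(interface, vlan,
                       ip=src_ip if "ip-address" in check else None,
                       mac=src_mac if "mac-address" in check else None)


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str
    eth_dst: str
    op: str           # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def invalid_ip(ip):
    """All-one or multicast addresses are invalid in ARP sender/target fields."""
    a = ipaddress.ip_address(ip)
    return a.is_multicast or a == ipaddress.ip_address("255.255.255.255")


def arp_detection(table, frame, interface, vlan, trusted=False,
                  validate=("src-mac", "dst-mac", "ip")):
    """Return True if the ARP frame is forwarded (arp detection validate ...)."""
    if trusted:
        return True                                   # trusted interfaces are not checked
    if "src-mac" in validate and frame.eth_src.lower() != frame.sender_mac.lower():
        return False
    if "dst-mac" in validate and frame.op == "reply":
        tmac = frame.target_mac.lower()
        if tmac != frame.eth_dst.lower() or tmac in ("0000-0000-0000", "ffff-ffff-ffff"):
            return False
    if "ip" in validate:
        if invalid_ip(frame.sender_ip) or (frame.op == "reply" and invalid_ip(frame.target_ip)):
            return False
    # user validity check: sender IP/MAC must match a binding on this interface
    return table.match(interface, vlan, ip=frame.sender_ip, mac=frame.sender_mac)


def build_table():
    t = BindingTable()
    t.add_static("192.168.0.1", "0001-0203-0406", 1, "GE2/1/1")
    t.add_dhcp_snooping("10.1.1.2", "0012-3f86-e94c", 10, "GE2/1/1")
    return t


def source_guard_demo():
    t = build_table()
    return (ip_source_guard(t, "GE2/1/1", 1, "192.168.0.1", "0001-0203-0406"),   # bound host
            ip_source_guard(t, "GE2/1/1", 1, "192.168.0.1", "0001-0203-9999"),   # spoofed MAC
            ip_source_guard(t, "GE2/1/2", 1, "192.168.0.1", "0001-0203-0406"),   # wrong interface
            ip_source_guard(t, "GE2/1/1", 1, "192.168.0.1", "0001-0203-9999", check=("ip-address",)))


def arp_detection_demo():
    t = build_table()
    gw = "000f-e349-0001"
    ok = ArpFrame("0012-3f86-e94c", gw, "reply", "0012-3f86-e94c", "10.1.1.2", gw, "10.1.1.1")
    spoof = ArpFrame("0012-3f86-e94c", gw, "reply", "0012-3f86-e94c", "10.1.1.99", gw, "10.1.1.1")
    inconsistent = ArpFrame("0012-3f86-e94c", gw, "reply", "0012-3f86-aaaa", "10.1.1.2", gw, "10.1.1.1")
    bad_ip = ArpFrame("0012-3f86-e94c", "ffff-ffff-ffff", "request", "0012-3f86-e94c", "224.0.0.1",
                      "0000-0000-0000", "10.1.1.1")
    return (arp_detection(t, ok, "GE2/1/1", 10),
            arp_detection(t, spoof, "GE2/1/1", 10),
            arp_detection(t, inconsistent, "GE2/1/1", 10),
            arp_detection(t, bad_ip, "GE2/1/1", 10),
            arp_detection(t, spoof, "GE2/1/3", 10, trusted=True))
```

The last line of source_guard_demo shows why ip-address alone is weaker than ip-address mac-address: with only the IP checked, a host that spoofs a neighbour's MAC still passes. The last line of arp_detection_demo is the reminder that trusted interfaces bypass every check, so the uplink should be the only trusted port.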
[SwitchB-GigabitEthernet2/1/3] dhcp snooping trust [SwitchB-GigabitEthernet2/1/3] quit # Enable recording of client information in DHCP snooping entries on GigabitEthernet 2/1/1. [SwitchB] interface gigabitethernet 2/1/1 [SwitchB-GigabitEthernet2/1/1] dhcp snooping binding record [SwitchB-GigabitEthernet2/1/1] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface.
Figure 125 Network diagram Configuration procedure 1. Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of the VLAN-interface. (Details not shown.) 2. Configure the DHCP server on Switch A, and configure DHCP address pool 0. system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 3. Configure Host A (DHCP client) and Host B. (Details not shown.) 4.
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac # Configure port isolation.
• To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
Configuration procedure
To configure ARP scanning and fixed ARP:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable ARP scanning: arp scan [ start-ip-address to end-ip-address ]
4.
3. Enable ARP gateway protection for the specified gateway: arp filter source ip-address. By default, ARP gateway protection is disabled.
Configuration example
Network requirements
As shown in Figure 126, Host B launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks.
Figure 126 Network diagram
Configuration procedure
# Configure ARP gateway protection on Switch B.
NOTE: • This feature is available on only the routers installed with Layer 2 switching modules. • The term "switch" in this section refers to the router installed with Layer 2 switching modules. Configuration guidelines Follow these guidelines when you configure ARP filtering: • You can configure a maximum of eight permitted entries on an interface. • Do not configure both the arp filter source and arp filter binding commands on an interface.
Figure 127 Network diagram Configuration procedure # Configure ARP filtering on Switch B. system-view [SwitchB] interface gigabitethernet 2/1/1 [SwitchB-GigabitEthernet2/1/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-GigabitEthernet2/1/1] quit [SwitchB] interface gigabitethernet 2/1/2 [SwitchB-GigabitEthernet2/1/2] arp filter binding 10.1.1.3 000f-e349-1234 Verifying the configuration # Verify that GigabitEthernet 2/1/1 permits ARP packets from Host A, and discards other ARP packets.
Configuring uRPF In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator.
allow-default-route), uRPF permits packets that only match the default route. By default, uRPF discards packets that can only match a default route. Typically, you do not need to configure the allow-default-route keyword on a PE device because it has no default route pointing to the customer edge (CE) device. If you enable uRPF on a CE that has a default route pointing to the PE, select the allow-default-route keyword. Link layer check—Strict uRPF check can further perform link layer check on a packet.
Figure 129 uRPF work flow
The work flow makes the following decisions in order (the text of the remaining steps is not shown):
1. uRPF checks address validity.
2. uRPF checks whether the source address matches a unicast route: if yes, proceeds to step 3; if no, proceeds to step 7. (A non-unicast source address matches a non-unicast route.)
3. uRPF checks whether the matching route is to the host itself: if no, proceeds to step 4.
4. uRPF checks whether the allow-default-route keyword is configured to allow using the default route: if yes, proceeds to step 5; if no, proceeds to step 7.
Network application
Figure 130 Network diagram (ISP A peers with ISP B and ISP C using loose uRPF, and connects a User network using strict uRPF)
• Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs.
• Configure ACLs for special packets or users.
Configuring uRPF
When you configure uRPF, follow these guidelines:
• uRPF checks only incoming packets on an interface.
3. Enable uRPF on the interface: ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }. By default, uRPF is disabled.
Displaying and maintaining uRPF
Execute display commands in any view.
• Display uRPF configuration (MSR2000/MSR3000): display ip urpf [ interface interface-type interface-number ]
• Display uRPF configuration (MSR4000).
system-view [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ip address 1.1.1.1 255.255.255.0 # Configure strict uRPF check on GigabitEthernet 2/1/1 and allow use of the default route for uRPF check.
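The uRPF decision described in this chapter, as an added example that is not part of the HP guide: a Python function run against a small forwarding table. Strict check requires the receiving interface to be the output interface of the route that matches the source address; loose check only requires such a route to exist; a source that matches only the default route fails unless allow-default-route is set; a source whose route points to the device itself (InLoop) is accepted only when received on InLoop; and a packet that fails is still permitted if the optional ACL permits it. Multicast destinations are exempted, following the first decision of the work flow, which is an assumption since the page does not state the outcome. Because ipaddress handles IPv4 and IPv6 alike, the same function covers the IPv6 uRPF chapter that follows. The FIB, the ACL stand-in and all addresses are constructed for this example.

```python
"""Added example (not from the HP guide): the uRPF decision of this chapter run
against a small forwarding table. Strict check: the receiving interface must be
the output interface of the route matching the source address; loose check: a
matching route merely has to exist. A source that matches only the default
route fails unless allow-default-route is set. A source whose route points to
the device itself (InLoop) is accepted only when received on InLoop. A failed
packet is still permitted if the optional ACL permits it. Multicast
destinations are exempt here (the first decision of the work flow; treating
them as passed is an assumption). ipaddress handles IPv4 and IPv6 alike, so the
same function covers the IPv6 uRPF chapter; FIB, ACL and addresses are constructed."""
import ipaddress


class Fib:
    def __init__(self, routes):          # [(prefix, output interface), ...]
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Longest-prefix match; returns (network, interface) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a.version == net.version and a in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return best


def acl_permits(acl, src):
    """acl: list of permitted source prefixes (constructed stand-in for an IP ACL)."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in acl or [])


def urpf_check(fib, src, dst, in_iface, mode="strict", allow_default_route=False, acl=None):
    """Return (permit, reason) for a packet with src/dst received on in_iface."""
    assert mode in ("strict", "loose")
    if ipaddress.ip_address(dst).is_multicast:
        return True, "multicast destination: not checked"
    s = ipaddress.ip_address(src)
    if s.is_multicast or s == ipaddress.ip_address("255.255.255.255"):
        return False, "non-unicast source address"          # address validity
    route = fib.lookup(src)
    if route is None:
        verdict, reason = False, "no route to source"
    else:
        net, out_iface = route
        if net.prefixlen == 0 and not allow_default_route:
            verdict, reason = False, "source matches only the default route"
        elif out_iface.startswith("InLoop"):
            verdict = in_iface.startswith("InLoop")        # own address must originate locally
            reason = "route to the device itself"
        elif mode == "loose" or out_iface == in_iface:
            verdict, reason = True, f"route via {out_iface} ({mode})"
        else:
            verdict, reason = False, f"strict: route via {out_iface}, received on {in_iface}"
    if not verdict and acl_permits(acl, src):
        return True, reason + "; permitted by ACL"
    return verdict, reason


FIB = Fib([
    ("0.0.0.0/0", "GE2/1/2"),          # default route toward the ISP
    ("192.168.0.0/16", "GE2/1/1"),     # customer network
    ("10.0.0.0/8", "GE2/1/3"),         # second customer network
    ("1.1.1.1/32", "InLoop0"),         # the device's own address
    ("::/0", "GE2/1/2"),
    ("1010::/64", "GE2/1/1"),
])


def demo():
    """Maps a description of each packet to whether uRPF permits it."""
    return {
        "strict, genuine customer packet": urpf_check(FIB, "192.168.1.5", "8.8.8.8", "GE2/1/1")[0],
        "strict, 192.168/16 source arriving on the 10/8 port": urpf_check(FIB, "192.168.1.5", "8.8.8.8", "GE2/1/3")[0],
        "loose, same packet": urpf_check(FIB, "192.168.1.5", "8.8.8.8", "GE2/1/3", mode="loose")[0],
        "default-route source, not allowed": urpf_check(FIB, "203.0.113.7", "192.168.1.5", "GE2/1/2")[0],
        "default-route source, allowed": urpf_check(FIB, "203.0.113.7", "192.168.1.5", "GE2/1/2", allow_default_route=True)[0],
        "spoofed own address from a customer port": urpf_check(FIB, "1.1.1.1", "192.168.1.5", "GE2/1/1")[0],
        "unrouted source, ACL exception": urpf_check(FIB, "172.16.0.9", "8.8.8.8", "GE2/1/1", acl=["172.16.0.0/16"])[0],
        "multicast destination": urpf_check(FIB, "198.51.100.1", "224.0.0.5", "GE2/1/1")[0],
        "IPv6 strict, genuine": urpf_check(FIB, "1010::1", "2001:db8::1", "GE2/1/1")[0],
        "IPv6 strict, spoofed from the ISP port": urpf_check(FIB, "1010::1", "2001:db8::1", "GE2/1/2")[0],
    }
```

The "default-route source, allowed" case is the CE scenario from the overview: with allow-default-route set, strict mode still insists that the packet arrive on the interface the default route points to (the PE-facing port), so the keyword relaxes the route requirement without turning the check off.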
Configuring IPv6 uRPF In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator.
route (by using allow-default-route), IPv6 uRPF permits packets that only match the default route. By default, IPv6 uRPF discards packets that can only match a default route. Typically, you do not need to configure the allow-default-route keyword on a PE device because it has no default route pointing to the CE device. If you enable IPv6 uRPF on a CE that has a default route pointing to the PE, select the allow-default-route keyword.
Figure 133 IPv6 uRPF work flow (flow chart; decision nodes in order: multicast destination address? → look up the FIB table by source address → matching FIB entry found? → InLoop interface found? → InLoop receiving interface? → do interfaces match? → default route found? → loose check? → default route allowed? → permitted by ACL? → discards the packet)
3. (continued) If no, proceeds to step 4. If yes, the output interface of the matching route is an InLoop interface.
4. IPv6 uRPF checks whether the receiving interface matches the output interface of the matching FIB entry: if yes, proceeds to step 5. If no, IPv6 uRPF checks whether the check mode is loose: if yes, proceeds to step 5; if no, proceeds to step 6.
5. IPv6 uRPF checks whether the matching route is a default route.
6. (Details not shown.)
Configuring IPv6 uRPF When you configure IPv6 uRPF, follow these restrictions and guidelines: • IPv6 uRPF checks only incoming packets on an interface. • You can use the display ipv6 interface command to display statistics about packets discarded by IPv6 uRPF (displayed as "Drops" and "Suppressed drops"). • Do not configure the allow-default-route keyword for loose IPv6 uRPF check. Otherwise, IPv6 uRPF might fail to work. To enable IPv6 uRPF on an interface: Step Command Remarks 1.
# Define IPv6 ACL 2010 to permit traffic from network 1010::/64. system-view [RouterB] acl ipv6 number 2010 [RouterB-acl-basic-2010] rule permit source 1010:: 64 [RouterB-acl-basic-2010] quit # Specify the IPv6 address of GigabitEthernet 2/1/1. [RouterB] interface gigabitethernet 2/1/1 [RouterB-GigabitEthernet2/1/1] ipv6 address 1000::2/64 # Configure strict uRPF check on GigabitEthernet 2/1/1. [RouterB-GigabitEthernet2/1/1] ipv6 urpf strict acl 2010 2.
Configuring crypto engines In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card.
2. Disable or enable hardware crypto engines:
• To disable hardware crypto engines: crypto-engine accelerator disable
• To enable hardware crypto engines: undo crypto-engine accelerator disable
Displaying and maintaining crypto engines
Execute display commands in any view and reset commands in user view.
• Display information about crypto engines: display crypto-engine
• Display statistics for crypto engines (MSR2000/MSR3000).
Configuring FIPS Overview Federal Information Processing Standards (FIPS) are developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS 140-2 specifies the requirements for cryptographic modules and defines four levels of security, named "Level 1" to "Level 4", from low to high. The device supports Level 2. Unless otherwise noted, in this document the term "FIPS" refers to FIPS 140-2.
• Other commands used for configuration preparation to enter FIPS mode.
Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks:
e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
f. Save the current configuration file.
g.
1. Enable the password control function globally.
2. Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
3. Set the minimum length of user passwords to 15 characters.
4. Add a local user account for device management, including the following items:
  ◦ A username.
  ◦ A password that complies with the password control policies as described in step 2 and step 3.
  ◦ A user role of network-admin.
• The keys must contain at least 15 characters and all four character types: uppercase letters, lowercase letters, digits, and special characters. This requirement applies to the following keys:
   ◦ AAA server's shared key.
   ◦ IKE pre-shared key.
   ◦ SNMPv3 authentication key.
The password for a device management local user and the password for switching user roles depend on the password control policies.
Step Command Remarks
1. Enter system view. system-view N/A
2. Disable FIPS mode. undo fips mode enable By default, FIPS mode is disabled.
FIPS self-tests
To ensure the correct operation of cryptographic modules, FIPS provides self-test mechanisms, including the power-up self-test and conditional self-tests. You can also trigger a self-test manually. If the power-up self-test fails, the card on which the self-test process runs reboots.
Conditional self-tests
A conditional self-test runs when an asymmetric cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:
• Pair-wise consistency test—This test runs when a DSA/RSA asymmetric key pair is generated. For an RSA key pair, it uses the public key to encrypt a plaintext and the private key to decrypt the ciphertext; if the decryption recovers the plaintext, the test succeeds, otherwise it fails. A DSA key cannot encrypt, so for a signature-only key pair the equivalent check signs with the private key and verifies the signature with the public key.
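The pair-wise consistency test described above, written out as an added example (this is not Comware code and not the device's implementation). It builds a toy RSA key pair from two small constructed primes so it runs without libraries; a real module performs the same checks on the full-size key it has just generated. The plaintext and message values are arbitrary, and the sign/verify form is included because a DSA key cannot encrypt.

```python
# Pair-wise consistency test for a freshly generated key pair.
# Added example, not Comware code. The primes are constructed and far too
# small for real use; the point is the check, not the key.
import hashlib

def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def pairwise_encrypt_decrypt(pub, priv, plaintext=0x2A4B5C):
    """Encrypt with the public key, decrypt with the private key, compare."""
    n, e = pub
    _, d = priv
    recovered = pow(pow(plaintext, e, n), d, n)
    return recovered == plaintext

def pairwise_sign_verify(pub, priv, message=b"pair-wise consistency"):
    """Sign a hash with the private key, verify it with the public key
    (the form that also applies to signature-only keys such as DSA)."""
    n, e = pub
    _, d = priv
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    signature = pow(digest, d, n)
    return pow(signature, e, n) == digest

def conditional_self_test(pub, priv):
    """Run right after key generation: the key pair is usable only if both pass."""
    return pairwise_encrypt_decrypt(pub, priv) and pairwise_sign_verify(pub, priv)

# Constructed small primes (illustration only).
PUB, PRIV = rsa_keypair(1000003, 1000033)

if __name__ == "__main__":
    print("generated key pair consistent:", conditional_self_test(PUB, PRIV))
    n, d = PRIV
    print("corrupted private exponent consistent:", conditional_self_test(PUB, (n, d + 1)))
```

A key pair that fails either check must be discarded rather than used; the corrupted-exponent case in the block shows the test catching a private key that does not match its public key.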
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:y
The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Enter username(1-55 characters):root
Enter password(15-63 characters):
Confirm password:
Waiting for reboot...
After reboot, the device will enter FIPS mode.
Entering FIPS mode through manual reboot
Network requirements
Use the manual reboot method to enter FIPS mode, and use a console/AUX/Async port to log in to the device in FIPS mode.
Configuration procedure
# Enable the password control function globally.
system-view
[Sysname] password-control enable
# Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
Verifying the configuration After the device reboots, enter the username test and the password 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters. For more information about the requirements for the password, see the system output.
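The password and key rules this chapter states for FIPS mode (at least 15 characters, all four character types with at least one character of each, a new password that differs from the old one, and the 15-63 character range shown in the login prompt) collected into one check, as an added example that is not Comware code. The set of characters counted as "special" is an assumption (ASCII punctuation); the device's own set may differ. The same function serves for the AAA shared key, IKE pre-shared key and SNMPv3 authentication key, which have no "previous value" rule.

```python
# FIPS-mode password and key policy check. Added example, not Comware code.
import string

MIN_LEN = 15
MAX_LEN = 63                        # from the "Enter password(15-63 characters)" prompt
SPECIALS = set(string.punctuation)  # assumption: what counts as a special character

def character_types(pw):
    """Which of the four required character types the value contains."""
    return {
        "uppercase": any(c in string.ascii_uppercase for c in pw),
        "lowercase": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }

def check_fips_password(pw, previous=None):
    """Return the list of policy violations; an empty list means acceptable.
    Pass previous= when changing a password, which must differ from the old one."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} not in {MIN_LEN}-{MAX_LEN}")
    missing = [t for t, present in character_types(pw).items() if not present]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))
    if previous is not None and pw == previous:
        problems.append("new password must differ from the previous password")
    return problems

if __name__ == "__main__":
    for candidate in ("12345zxcvb!@#$%ZXCVB", "Short1!", "password1234567"):
        print(repr(candidate), check_fips_password(candidate) or "OK")
```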
Use the manual reboot method to exit FIPS mode.
Configuration procedure
# Disable FIPS mode.
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for non-FIPS mode, and then reboot automatically. Continue? [Y/N]:n
Change the configuration to meet non-FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter non-FIPS mode.
Configuring attack detection and prevention In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, blacklisting, and client verification.
Single-packet attack Description
• Large ICMP packet—An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation errors and crash the protocol stack.
• Large ICMPv6 packet—An attacker sends large ICMPv6 packets to crash the victim. Large ICMPv6 packets can cause memory allocation errors and crash the protocol stack.
• IP options—An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology.
Scanning attacks
Scanning is a pre-intrusion activity used to prepare for an intrusion into a network. Scanning lets the attacker find a way into the target network while disguising the attacker's identity. Attackers use scanning tools to probe a network, find vulnerable hosts, and discover the services running on those hosts, and then use that information to launch attacks. The device can detect and prevent IP sweep and port scan attacks.
A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the bandwidth and resources of the DNS server, which prevents the server from processing and replying to legitimate DNS queries.
• HTTP flood attack. Upon receiving an HTTP GET request, the HTTP server performs complex operations including character string searching, database traversal, data reassembly, and format conversion. These operations consume a large amount of system resources.
Figure 136 Safe reset mode application
• SYN cookie—Enables bidirectional TCP proxy for TCP clients and servers. As shown in Figure 137, if packets from clients and servers pass through the TCP proxy device, either safe reset or SYN cookie can be used.
Figure 137 Safe reset/SYN cookie mode application
TCP proxy in safe reset mode
As shown in Figure 138, the safe reset mode functions as follows:
1.
Figure 138 TCP proxy in safe reset mode (message sequence between the TCP client, the TCP proxy, and the TCP server):
(1) SYN
(2) SYN ACK (invalid sequence number)
(3) RST
(4) SYN (retransmitting)
(5) SYN (forwarding)
(6) SYN ACK
(7) ACK
(8) ACK (forwarding)
TCP proxy in SYN cookie mode
As shown in Figure 139, SYN cookie mode requires two TCP connections to be established using the following steps:
1. After receiving a SYN packet from a client to a protected server, the TCP proxy sends back a SYN ACK packet with the window size 0.
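The safe reset exchange of Figure 138 as a small state machine with both sides modelled, added here as an example; it is not Comware code and not the router's implementation. A genuine TCP stack that receives a SYN ACK whose acknowledgment number is not its ISN+1 answers with a RST carrying that acknowledgment number as its sequence number and then retransmits its SYN; a SYN flood from forged sources never does either, so nothing is forwarded for it. The packet record, the per-source "pending, reset seen, trusted" states and the addresses are assumptions for the illustration.

```python
# Safe reset mode of the TCP proxy. Added example, not Comware code.
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0

class SafeResetProxy:
    """Answers the first SYN from an unverified source with a SYN ACK whose
    acknowledgment number is deliberately wrong (step 2). A real stack sends
    RST (step 3) and retransmits its SYN (step 4); that SYN is forwarded to
    the server (step 5) and the source is trusted from then on."""

    def __init__(self):
        self.pending = {}      # (src, dst) -> {"bad_ack": int, "rst_seen": bool}
        self.trusted = set()   # sources that completed the check
        self.forwarded = []    # packets passed through to the protected server

    def handle(self, pkt):
        """Process one client packet; return the reply sent to the client, if any."""
        if pkt.src in self.trusted:
            self.forwarded.append(pkt)          # verified source: transparent forwarding
            return None
        key = (pkt.src, pkt.dst)
        state = self.pending.get(key)
        if pkt.flags == "SYN":
            if state and state["rst_seen"]:     # step 4: retransmitted SYN after the RST
                self.trusted.add(pkt.src)
                del self.pending[key]
                self.forwarded.append(pkt)      # step 5: SYN forwarded to the server
                return None
            # step 2: acknowledgment number that can never equal seq+1
            bad_ack = (pkt.seq + 1 + random.randrange(1, 1 << 31)) & MASK32
            self.pending[key] = {"bad_ack": bad_ack, "rst_seen": False}
            return Pkt(pkt.dst, pkt.src, "SYN-ACK", seq=random.randrange(1 << 32), ack=bad_ack)
        if pkt.flags == "RST" and state and pkt.seq == state["bad_ack"]:
            state["rst_seen"] = True            # step 3: the reset a real stack sends
            return None
        return None                             # anything else from an unverified source is dropped

def genuine_client(proxy, src, dst):
    """Client with a real TCP stack: RST on the bad SYN ACK, then SYN again."""
    isn = random.randrange(1 << 32)
    reply = proxy.handle(Pkt(src, dst, "SYN", seq=isn))
    if reply and reply.flags == "SYN-ACK" and reply.ack != ((isn + 1) & MASK32):
        proxy.handle(Pkt(src, dst, "RST", seq=reply.ack))   # step 3
        proxy.handle(Pkt(src, dst, "SYN", seq=isn))         # step 4, retransmission
    return src in proxy.trusted

def spoofed_syn_flood(proxy, dst, count):
    """SYN flood from forged sources: every SYN gets a SYN ACK, nobody answers it."""
    for i in range(count):
        proxy.handle(Pkt(f"198.51.100.{i % 250 + 1}", dst, "SYN", seq=random.randrange(1 << 32)))

if __name__ == "__main__":
    proxy = SafeResetProxy()
    print("genuine client trusted:", genuine_client(proxy, "192.0.2.10", "10.1.1.1"))
    spoofed_syn_flood(proxy, "10.1.1.1", 500)
    print("trusted sources:", proxy.trusted, "forwarded:", len(proxy.forwarded))
```

Note that a spoofed source that simply repeats its SYN is still not trusted: the proxy requires the RST for the bogus acknowledgment number before it accepts the retransmitted SYN, which is what separates a real stack from a packet generator.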
DNS client verification The DNS client verification function protects DNS servers against DNS flood attacks. It is configured on the device where packets from the DNS clients to the DNS servers pass through. The device with DNS client verification function configured is called a DNS client authenticator. As shown in Figure 140, the DNS client verification functions as follows: 1.
packet. The HTTP Redirect packet contains a redirect URI and requires the client to terminate the TCP connection. 3. After receiving the HTTP Redirect packet, the client terminates the TCP connection and then establishes a new TCP connection with the authenticator. 4. When the authenticator receives the HTTP Get packet, it performs the second redirection verification. The authenticator verifies the following information: { The client has passed the first redirection verification.
Attack detection and prevention configuration task list
Tasks at a glance
(Required.) Configuring an attack defense policy:
• (Required.) Creating an attack defense policy
• (Required.) Perform at least one of the following tasks to configure attack detection:
   ◦ Configuring a single-packet attack defense policy
   ◦ Configuring a scanning attack defense policy
   ◦ Configuring a flood attack defense policy
• (Optional.) Configuring attack detection exemption
(Required.
To configure a single-packet attack defense policy:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter attack defense policy view.
Step Command Remarks
5. (Optional.) Specify the actions against single-packet attacks of a specific level. signature level { high | info | low | medium } action { { drop | logging } * | none } The default action is logging for single-packet attacks of the informational and low levels.
6. (Optional.) Enable signature detection for single-packet attacks of a specific level. signature level { high | info | low | medium } detect
below the silence threshold (three-fourths of the trigger threshold), the device considers that the attack is over and returns to the attack detection state.
You can configure flood attack detection and prevention for a specific IP address. For non-specific IP addresses, the device uses the global attack prevention settings.
Configuring a SYN flood attack defense policy
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter attack defense policy view. attack-defense policy policy-name N/A
3.
Configuring a SYN-ACK flood attack defense policy
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter attack defense policy view. attack-defense policy policy-name N/A
3. Enable SYN-ACK flood attack detection for non-specific IP addresses. syn-ack-flood detect non-specific By default, SYN-ACK flood attack detection is disabled for non-specific IP addresses.
4. Set the global trigger threshold for SYN-ACK flood attack prevention.
Step Command Remarks
2. Enter attack defense policy view. attack-defense policy policy-name N/A
3. Enable RST flood attack detection for non-specific IP addresses. rst-flood detect non-specific By default, RST flood attack detection is disabled for non-specific IP addresses.
4. Set the global trigger threshold for RST flood attack prevention. rst-flood threshold threshold-value By default, the global trigger threshold is 1000 for RST flood attack prevention.
5.
Step Command Remarks
4. Set the global trigger threshold for ICMPv6 flood attack prevention. icmpv6-flood threshold threshold-value By default, the global trigger threshold is 1000 for ICMPv6 flood attack prevention.
5. Specify global actions against ICMPv6 flood attacks. icmpv6-flood action { drop | logging } * By default, no global action is specified for ICMPv6 flood attacks.
Step Command Remarks
5. (Optional.) Specify the global ports to be protected against DNS flood attacks. dns-flood port port-list By default, DNS flood attack prevention protects port 53.
6. Specify global actions against DNS flood attacks. dns-flood action { client-verify | drop | logging } * By default, no global action is specified for DNS flood attacks.
7. Configure IP-specific DNS flood attack detection.
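The threshold behaviour that the flood procedures above share, namely a trigger threshold that starts prevention, a silence threshold at three-fourths of it that ends prevention, a default global threshold of 1000 packets per second, and global settings that apply to any destination without an IP-specific entry, run over a constructed rate series as an added example (not Comware code). Whether a rate exactly equal to the trigger threshold starts prevention is not stated in the text; the block assumes "strictly above". The action names mirror the command keywords but the classes and the rate samples are assumptions for the illustration.

```python
# Flood attack detection with trigger and silence thresholds. Added example,
# not Comware code. Rates are per-second packet counts toward one destination.
from dataclasses import dataclass, field

SILENCE_RATIO = 0.75          # silence threshold is three-fourths of the trigger threshold
DEFAULT_THRESHOLD = 1000      # default global trigger threshold, packets per second

@dataclass
class FloodDetector:
    flood_type: str
    threshold: int = DEFAULT_THRESHOLD
    actions: tuple = ()       # e.g. ("logging", "drop") or ("logging", "client-verify")
    under_attack: bool = False
    events: list = field(default_factory=list)

    @property
    def silence_threshold(self):
        return self.threshold * SILENCE_RATIO

    def observe(self, second, pps):
        """Feed one second of packet rate; return the actions applied to that traffic."""
        if not self.under_attack:
            if pps > self.threshold:               # assumption: strictly above starts prevention
                self.under_attack = True
                self.events.append((second, "attack-start", pps))
                return self.actions
            return ()
        if pps < self.silence_threshold:           # below three-fourths: attack considered over
            self.under_attack = False
            self.events.append((second, "attack-end", pps))
            return ()
        return self.actions                        # between the two thresholds: prevention continues

class FloodPolicy:
    """Global (non-specific) settings plus optional IP-specific entries."""

    def __init__(self, flood_type, threshold=DEFAULT_THRESHOLD, actions=()):
        self.flood_type = flood_type
        self.global_settings = (threshold, actions)
        self.detectors = {}   # destination IP -> FloodDetector

    def protect_ip(self, ip, threshold, actions):
        """IP-specific detection and prevention, overriding the global settings."""
        self.detectors[ip] = FloodDetector(self.flood_type, threshold, actions)

    def detector_for(self, ip):
        """Non-specific destinations get a detector built from the global settings."""
        if ip not in self.detectors:
            threshold, actions = self.global_settings
            self.detectors[ip] = FloodDetector(self.flood_type, threshold, actions)
        return self.detectors[ip]

def run(policy, ip, rates):
    """Return, per second, the actions the policy applied to traffic toward ip."""
    det = policy.detector_for(ip)
    return [det.observe(sec, pps) for sec, pps in enumerate(rates)]

# Constructed SYN rate (pps), one sample per second.
RATES = [200, 900, 1500, 1200, 800, 700, 300]

if __name__ == "__main__":
    policy = FloodPolicy("syn-flood", actions=("logging",))
    policy.protect_ip("10.1.1.2", threshold=500, actions=("logging", "client-verify"))
    for ip in ("10.1.1.1", "10.1.1.2"):
        print(ip, run(policy, ip, RATES), policy.detector_for(ip).events)
```

The 800 pps sample is the instructive one: it is below the trigger threshold but above the silence threshold, so prevention continues; the device only returns to the detection state at 700 pps. Without that hysteresis an attacker hovering just under the trigger rate would flap the device between states every second.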
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter attack defense policy view. attack-defense policy policy-name N/A
3. Configure attack detection exemption. exempt acl [ ipv6 ] { acl-number | name acl-name } By default, the attack defense policy applies to all incoming packets.
Applying an attack defense policy to a Layer 3 interface
An attack defense policy does not take effect unless you apply it to a Layer 3 interface.
Enabling non-aggregated log output for single-packet attack events
Aggregated log output collects all logs generated in a period and sends one log for each group of events that share the following attributes:
• Interface where the attack is detected.
• Attack type.
• Attack defense action.
• Source and destination IP addresses.
• VPN instance.
HP recommends that you leave non-aggregated log output disabled, because a large number of logs will consume the display resources of the console.
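The aggregation described above, run over a handful of constructed attack events, as an added example that is not Comware code: events sharing the listed attributes within one period collapse into one record with a count, so seven single-packet hits become three log lines. The 60-second period, the field names and the sample events are assumptions for the illustration.

```python
# Aggregated versus non-aggregated log output for single-packet attack events.
# Added example, not Comware code. Events are constructed.
KEY_FIELDS = ("interface", "attack_type", "action", "src", "dst", "vpn")

def aggregate(events, period=60):
    """Return one record per (period, key fields) group, in first-seen order,
    carrying the count and the first and last event times."""
    groups = {}
    for ev in events:
        key = (ev["time"] // period,) + tuple(ev[f] for f in KEY_FIELDS)
        rec = groups.get(key)
        if rec is None:
            rec = {f: ev[f] for f in KEY_FIELDS}
            rec.update(first=ev["time"], last=ev["time"], count=0)
            groups[key] = rec
        rec["count"] += 1
        rec["last"] = max(rec["last"], ev["time"])
    return list(groups.values())

def event(t, attack, src, action="L", iface="GE2/1/1", dst="10.1.1.1", vpn="-"):
    """One non-aggregated log event (constructed)."""
    return {"time": t, "interface": iface, "attack_type": attack, "action": action,
            "src": src, "dst": dst, "vpn": vpn}

SAMPLE = (
    [event(t, "smurf", "192.168.1.4") for t in (1, 5, 9, 30, 58)]   # five identical hits, one period
    + [event(12, "tcp-land", "5.5.5.5", action="L,D")]               # different type and source
    + [event(75, "smurf", "192.168.1.4")]                            # same attacker, next period
)

if __name__ == "__main__":
    print("non-aggregated logs:", len(SAMPLE))
    for rec in aggregate(SAMPLE):
        print(f"{rec['interface']} {rec['attack_type']} {rec['src']}->{rec['dst']} "
              f"action={rec['action']} count={rec['count']} t={rec['first']}..{rec['last']}")
```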
Step Command Remarks
2. (Optional.) Specify an IP address to be protected by the TCP client verification function. client-verify tcp protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] By default, the TCP client verification function does not protect any IP address.
3. Enter Layer 3 interface view. interface interface-type interface-number N/A
4. Enable TCP client verification on the interface.
   • To set the safe reset mode:
Configuring HTTP client verification Configure HTTP client verification on the interface that connects to the external network. The HTTP client verification protects internal HTTP servers against HTTP flood attacks. IP addresses protected by HTTP client verification can be manually added or automatically learned: • You can manually add protected IP addresses. The device performs client verification when it receives the first HTTP Get packet destined for a protected IP address.
Step Command Remarks
2. (Optional.) Enable the global blacklist function. blacklist global enable By default, the global blacklist function is disabled.
3. (Optional.) Add an IPv4 blacklist entry. blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ timeout minutes ] By default, no IPv4 blacklist entry exists.
4. (Optional.) Add an IPv6 blacklist entry.
Task Command
Display information about IPv6 scanning attackers (MSR4000). display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ slot slot-number ] [ count ]
Display information about IPv4 scanning attack victims (MSR2000/MSR3000). display attack-defense scan victim ip [ interface interface-type interface-number | local ] [ count ]
Display information about IPv4 scanning attack victims (MSR4000).
Task Command
Display information about IPv6 addresses protected by flood attack detection and prevention (MSR4000). display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]
Display IPv4 blacklist entries (MSR2000/MSR3000).
Task Command
Clear blacklist statistics. reset blacklist statistics
Clear protected IP statistics for client verification. reset client-verify { dns | http | tcp } protected { ip | ipv6 } statistics
Clear the trusted IP list for client verification.
# Enable the global blacklist function.
system-view
[Router] blacklist global enable
# Create attack defense policy a1.
[Router] attack-defense policy a1
# Configure signature detection for smurf attacks, and specify the prevention action as logging.
[Router-attack-defense-policy-a1] signature detect smurf action logging
# Configure low-level scanning attack detection. Specify the prevention actions as logging and block-source, and set the aging time to 10 minutes for the blacklist entries.
Signature name        Defense   Level   Actions
Tiny fragment         Disabled  low     L
IP option abnormal    Disabled  medium  L,D
Smurf                 Enabled   medium  L
Traceroute            Disabled  low     L
Ping of death         Disabled  medium  L,D
Large ICMP            Disabled  info    L        Max length 4000 bytes
Large ICMPv6          Disabled  info    L        Max length 4000 bytes
TCP invalid flags     Disabled  medium  L,D
TCP null flag         Disabled  medium  L,D
TCP all flags         Disabled  medium  L,D
TCP SYN-FIN flags     Disabled  medium  L,D
TCP FIN only flag     Disabled  medium  L,D
TCP Land              Disabled  medium  L,D
Scan attack defense configuration:
 Defense : Enabled
 Level   : low
 Actions : L,BS(10)
Flood attack defense configuration:
 Flood type      Global thres(pps)  Global actions  Service ports  Non-specific
 SYN flood       1000(default)      -               -              Disabled
 ACK flood       1000(default)      -               -              Disabled
 SYN-ACK flood   1000(default)      -               -              Disabled
 RST flood       1000(default)      -               -              Disabled
 FIN flood       1000(default)      -               -              Disabled
 UDP flood       1000(default)      -               -              Disabled
 ICMP flood      1000(default)      -               -              Disabled
 ICMPv6 flood    1
TCP null flag                   Disabled  medium  L,D
TCP all flags                   Disabled  medium  L,D
TCP SYN-FIN flags               Disabled  medium  L,D
TCP FIN only flag               Disabled  medium  L,D
TCP Land                        Disabled  medium  L,D
Winnuke                         Disabled  medium  L,D
UDP Bomb                        Disabled  medium  L,D
UDP Snork                       Disabled  medium  L,D
UDP Fraggle                     Disabled  medium  L,D
IP option record route          Disabled  info    L
IP option internet timestamp    Disabled  info    L
IP option security              Disabled  info    L
IP option loose source routing  Disabled  info    L
IP
 SYN-ACK flood   1000(default)      -               -              Disabled
 RST flood       1000(default)      -               -              Disabled
 FIN flood       1000(default)      -               -              Disabled
 UDP flood       1000(default)      -               -              Disabled
 ICMP flood      1000(default)      -               -              Disabled
 ICMPv6 flood    1000(default)      -               -              Disabled
 DNS flood       1000(default)      -               53             Disabled
 HTTP flood      1000(default)      -               80             Disabled
Flood attack defense for protected IP addresses:
 Address         VPN instance  Flood type  Thres(pps)  Actions  Ports
 10.1.1.
Configuration procedure
# Configure IP addresses for the interfaces on Router. (Details not shown.)
# Enable the global blacklist function.
system-view
[Router] blacklist global enable
# Add a blacklist entry for Host D.
[Router] blacklist ip 5.5.5.5
# Add a blacklist entry for Host C and set the aging time to 50 minutes for the entry.
[Router] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
# Verify that the blacklist entries are successfully added.
[Router-attack-defense-policy-a1] syn-flood action logging client-verify
[Router-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to interface GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] attack-defense apply policy a1
[Router-GigabitEthernet2/1/1] quit
# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 2/1/1.
[Router-attack-defense-policy-a1] dns-flood action logging client-verify
[Router-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to interface GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] attack-defense apply policy a1
[Router-GigabitEthernet2/1/1] quit
# Enable DNS client verification on interface GigabitEthernet 2/1/1.
[Router-attack-defense-policy-a1] http-flood action logging client-verify
[Router-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to interface GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] attack-defense apply policy a1
[Router-GigabitEthernet2/1/1] quit
# Enable HTTP client verification on interface GigabitEthernet 2/1/1.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.
• Represents a mesh access point.