H3C S5120-HI Series User manual

H3C S5120-HI Switch Series

Security Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com

Software version: Release 52xx

Document version: 6W101-20140523

No part of this manual may be reproduced or transmitted in any form or by any means without prior

written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, , H3CS, H3CIE, H3CNE, Aolynk, , H3Care, , IRF, NetPilot, Netflow,

SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of

Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners

Notice

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C S5120-HI documentation set includes 11 configuration guides, which describe the software

features for the H3C S5120-HI Switch Series, and guide you through the software configuration

procedures. These configuration guides also provide configuration examples to help you apply software

features to different network scenarios.

The Security Configuration Guide describes security fundamentals and configuration. It covers the

authentication features (including AAA, 802.1X, MAC authentication, portal authentication, and so on)

and attack protection features (including IP source guard, ARP attack protection, and so on).

This preface includes:

•Audience

•Added and modified features

•Conventions

•About the H3C S5120-HI documentation set

•Obtaining documentation

•Technical support

•Documentation feedback

Audience

This documentation is intended for:

•Network planners

•Field technical support and servicing engineers

•Network administrators working with the S5120-HI series

Added and modified features

This documentation set is for Release 52xx. The following describes the feature changes between

releases:

•Release 5206 has the following feature changes over Release 5203:

Confi

g

uration

g

uide Added and modified features

AAA Added feature: Specifying multiple secondary HWTACACS servers

MAC authentication Added feature: Enabling MAC authentication multi-VLAN mode

IP source guard Added feature: 802.1X-based dynamic IPv4 source guard binding entries.

ARP attack protection Added feature: ARP Detection logging function.

•Release 5203 has the following feature changes over Release 5101:

Confi

g

uration

g

uide Added and modified features

AAA

Added features:

•Setting a DSCP value for an ISP domain.

•Setting the DSCP value for RADIUS protocol packets.

•Configuring status detection for RADIUS authentication/authorization

servers

•RADIUS/HWTACACS authentication, authorization, and accounting

support ciphertext shared key configuration.

•Setting ciphertext shared keys for secure RADIUS communication.

Modified feature: Configuring a password for the local user.

Removed feature: Setting the password display mode for all local users.

802.1X

Added features:

•Configuring 802.1X critical VLAN.

•Specifying supported domain name delimiters.

•Configuring a port to send EAPOL frames untagged.

•Setting the maximum number of authentication request attempts.

•Configuring an 802.1X VLAN group.

EAD fast deployment N/A

MAC authentication

Added features:

•Configuring a MAC authentication critical VLAN.

•Configuring MAC authentication delay.

Portal N/A

Triple authentication N/A

Port security N/A

User profile N/A

Password control Modified features: Clearing all users from the password control blacklist.

HABP N/A

Public Key N/A

PKI Added feature: Setting a ciphertext password for certificate revocation.

IPsec IPsec is a newly added feature.

SSH2.0

Added features:

•Configuring the service type as SCP for SSH users.

•Configuring the device as an SCP client.

•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the SSH

server.

•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the Stelnet

client.

•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the SFTP

client.

SSL N/A

TCP attack protection N/A

IP source guard N/A

ARP attack protection Added feature: Configuring a user validity check rule.

Confi

g

uration

g

uide Added and modified features

ND attack defense N/A

SAVI Added feature: Setting the deletion delay time for SAVI.

Black list N/A

FIPS FIPS is a newly added feature.

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention Descri

p

tion

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }

Braces enclose a set of required syntax choices separated by vertical bars, from which

you select one.

[ x | y | ... ]

Square brackets enclose a set of optional syntax choices separated by vertical bars, from

which you select one or none.

{ x | y | ... } *

Asterisk marked braces enclose a set of required syntax choices separated by vertical

bars, from which you select at least one.

[ x | y | ... ] *

Asterisk marked square brackets enclose optional syntax choices separated by vertical

bars, from which you select one choice, multiple choices, or none.

&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can

be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Descri

p

tion

Boldface Window names, button names, field names, and menu items are in Boldface. For

example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Convention Descri

p

tion

< > Button names are inside angle brackets. For example, click <OK>.

[ ] Window names, menu items, data table and field names are inside square brackets. For

example, pop up the [New User] window.

/ Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

Symbols

Convention Descri

p

tion

WARNING An alert that calls attention to important information that if not understood or followed can

result in personal injury.

CAUTION An alert that calls attention to important information that if not understood or followed can

result in data loss, data corruption, or damage to hardware or software.

IMPORTANT An alert that calls attention to essential information.

NOTE An alert that contains additional or supplementary information.

TIP An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports

Layer 2 forwarding and other Layer 2 features.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C S5120-HI documentation set

The H3C S5120-HI documentation set includes:

Cate

g

or

y

Documents Pur

p

oses

Product description

and specifications

Marketing brochure Describe product specifications and benefits.

Technology white papers Provide an in-depth description of software features

and technologies.

Hardware

specifications and

installation

Compliance and safety manual

CE DOCs

Provide regulatory information and the safety

instructions that must be followed during installation.

Installation quick start Guides you through initial installation and setup

procedures to help you quickly set up your device.

Installation guide Provides a complete guide to switch installation and

specifications.

LSPM1FAN and LSPM1FANB

Installation Manual

Describes the appearances, specifications,

installation, and removal of the pluggable fan

modules available for the products.

PSR150-A [ PSR150-D ] Power

Modules User Manual

Describe the specifications, installation, and

replacement of hot swappable 150W power

modules.

Cate

g

or

y

Documents Pur

p

oses

RPS Ordering Information for

H3C Low-End Ethernet Switches

Helps you order RPSs for switches that can work with

an RPS.

User manuals for RPSs Describe the specifications, installation, and

replacement of RPSs.

User manuals for interface

cards

Describe the specifications, installation, and

replacement of expansion interface cards.

H3C Low End Series Ethernet

Switches Pluggable Modules

Manual

Describes the specifications of pluggable transceiver

modules.

Pluggable SFP[SFP+][XFP]

Transceiver Modules Installation

Guide

Describe the installation, and replacement of

SFP/SFP+/XFP transceiver modules.

Software

configuration

Configuration guides Describe software features and configuration

procedures.

Command references Provide a quick reference to all available

commands.

Operations and

maintenance Release notes

Provide information about the product release,

including the version history, hardware and software

compatibility matrix, version upgrade information,

technical support information, and software

upgrading.

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web

at http://www.h3c.com.

Click the links on the top navigation bar to obtain different categories of product documentation:

[Technical Support & Documents > Technical Documents] – Provides hardware installation, software

upgrading, and software feature configuration and maintenance documentation.

[Products & Solutions] – Provides information about products and technologies, as well as solutions.

[Technical Support & Documents > Software Download] – Provides the documentation released with the

software version.

Technical support

servi[email protected]

http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to info@h3c.com.

We appreciate your comments.

i

Contents

Configuring AAA ························································································································································· 1

AAA overview ···································································································································································1

RADIUS······································································································································································2

HWTACACS ·····························································································································································7

Domain-based user management ···························································································································9

RADIUS server feature of the switch···················································································································· 10

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 11

FIPS compliance ····························································································································································· 14

AAA configuration considerations and task list·········································································································· 14

Configuring AAA schemes············································································································································ 16

Configuring local users········································································································································· 16

Configuring RADIUS schemes······························································································································ 20

Configuring HWTACACS schemes····················································································································· 32

Configuring AAA methods for ISP domains················································································································ 38

Configuration prerequisites ·································································································································· 38

Creating an ISP domain ······································································································································· 38

Configuring ISP domain attributes······················································································································· 39

Configuring AAA authentication methods for an ISP domain·········································································· 40

Configuring AAA authorization methods for an ISP domain ··········································································· 42

Configuring AAA accounting methods for an ISP domain ··············································································· 43

Tearing down user connections···································································································································· 45

Configuring a NAS ID-VLAN binding·························································································································· 45

Configuring a switch as a RADIUS server··················································································································· 45

RADIUS server functions configuration task list ·································································································· 45

Configuring a RADIUS user·································································································································· 46

Specifying a RADIUS client ·································································································································· 46

Displaying and maintaining AAA ································································································································ 47

AAA configuration examples········································································································································ 47

AAA for Telnet users by an HWTACACS server ······························································································· 47

AAA for Telnet users by separate servers··········································································································· 48

Authentication/authorization for SSH/Telnet users by a RADIUS server························································ 50

AAA for 802.1X users by a RADIUS server ······································································································· 53

Level switching authentication for Telnet users by an HWTACACS server····················································· 60

RADIUS authentication and authorization for Telnet users by a switch··························································· 63

Troubleshooting AAA ···················································································································································· 65

Troubleshooting RADIUS······································································································································· 65

Troubleshooting HWTACACS······························································································································ 66

802.1X overview ·······················································································································································67

802.1X architecture······················································································································································· 67

Controlled/uncontrolled port and port authorization status······················································································ 67

802.1X-related protocols ·············································································································································· 68

Packet formats························································································································································ 69

EAP over RADIUS ·················································································································································· 70

Initiating 802.1X authentication··································································································································· 70

802.1X client as the initiator································································································································ 70

Access device as the initiator······························································································································· 71

802.1X authentication procedures ······························································································································ 71

ii

A comparison of EAP relay and EAP termination······························································································ 72

EAP relay································································································································································ 72

EAP termination ····················································································································································· 75

Configuring 802.1X ··················································································································································76

H3C implementation of 802.1X··································································································································· 76

Access control methods ········································································································································ 76

Using 802.1X authentication with other features ······························································································ 76

Configuration prerequisites··········································································································································· 81

802.1X configuration task list······································································································································· 82

Enabling 802.1X···························································································································································· 82

Configuration guidelines ······································································································································ 82

Configuration procedure ······································································································································ 83

Enabling EAP relay or EAP termination ······················································································································· 83

Setting the port authorization state ······························································································································ 84

Specifying an access control method ·························································································································· 84

Setting the maximum number of concurrent 802.1X users on a port······································································· 85

Setting the maximum number of authentication request attempts ············································································· 85

Setting the 802.1X authentication timeout timers······································································································· 86

Configuring the online user handshake function ········································································································ 86

Configuration guidelines ······································································································································ 86

Configuration procedure ······································································································································ 87

Configuring the authentication trigger function ·········································································································· 87

Configuration guidelines ······································································································································ 87

Configuration procedure ······································································································································ 88

Specifying a mandatory authentication domain on a port························································································ 88

Configuring the quiet timer ··········································································································································· 88

Enabling the periodic online user re-authentication function····················································································· 89

Configuration guidelines ······································································································································ 89

Configuration procedure ······································································································································ 89

Configuring a port to send EAPOL frames untagged································································································· 90

Setting the maximum number of 802.1X authentication attempts for MAC authentication users························· 90

Configuring a VLAN group··········································································································································· 90

Configuring an 802.1X guest VLAN ··························································································································· 91

Configuration guidelines ······································································································································ 91

Configuration prerequisites ·································································································································· 91

Configuration procedure ······································································································································ 92

Configuring an 802.1X Auth-Fail VLAN······················································································································ 92

Configuration guidelines ······································································································································ 92

Configuration prerequisites ·································································································································· 93

Configuration procedure ······································································································································ 93

Configuring an 802.1X critical VLAN ························································································································· 93

Configuration guidelines ······································································································································ 93

Configuration prerequisites ·································································································································· 93

Configuration procedure ······································································································································ 94

Specifying supported domain name delimiters··········································································································· 94

Displaying and maintaining 802.1X ··························································································································· 95

802.1X authentication configuration example ··········································································································· 95

Network requirements··········································································································································· 95

Configuration procedure ······································································································································ 95

Verifying the configuration··································································································································· 97

802.1X with guest VLAN and VLAN assignment configuration example ······························································· 97

Network requirements··········································································································································· 97

Configuration procedure ······································································································································ 98

Verifying the configuration··································································································································· 99

iii

802.1X with ACL assignment configuration example ·····························································································100

Network requirements·········································································································································100

Configuration procedure ····································································································································100

Verifying the configuration·································································································································101

Configuring EAD fast deployment ························································································································· 102

Overview·······································································································································································102

Free IP···································································································································································102

URL redirection·····················································································································································102

Configuration prerequisites·········································································································································102

Configuring a free IP ···················································································································································102

Configuring the redirect URL·······································································································································103

Setting the EAD rule timer ···········································································································································103

Displaying and maintaining EAD fast deployment···································································································104

EAD fast deployment configuration example············································································································104

Network requirements·········································································································································104

Configuration procedure ····································································································································105

Verifying the configuration·································································································································105

Troubleshooting EAD fast deployment·······················································································································106

Web browser users cannot be correctly redirected ························································································106

Configuring MAC authentication··························································································································· 107

Overview·······································································································································································107

User account policies··········································································································································107

Authentication approaches ································································································································107

MAC authentication timers·································································································································108

Using MAC authentication with other features ·········································································································108

VLAN assignment ················································································································································108

ACL assignment ···················································································································································108

Guest VLAN ·························································································································································108

Critical VLAN·······················································································································································109

Configuration task list ··················································································································································109

Basic configuration for MAC authentication·············································································································109

Configuring MAC authentication globally········································································································110

Configuring MAC authentication on a port ·····································································································110

Specifying a MAC authentication domain················································································································111

Configuring a MAC authentication guest VLAN ······································································································111

Configuring a MAC authentication critical VLAN····································································································112

Configuring MAC authentication delay·····················································································································113

Enabling MAC authentication multi-VLAN mode······································································································113

Displaying and maintaining MAC authentication ····································································································114

MAC authentication configuration examples············································································································114

Local MAC authentication configuration example···························································································114

RADIUS-based MAC authentication configuration example···········································································116

ACL assignment configuration example············································································································118

Configuring portal authentication·························································································································· 121

Overview·······································································································································································121

Extended portal functions ···································································································································121

Portal system components···································································································································121

Portal system using the local portal server········································································································123

Portal authentication modes ·······························································································································124

Layer 2 portal authentication process ···············································································································124

Portal configuration task list ········································································································································125

Configuration prerequisites·········································································································································126

Specifying the portal server ········································································································································127

H3C S5120-HI Series User manual

Popular Switch manuals by other brands