H3C S5120-HI Series User manual
H3C S5120-HI Switch Series
Security Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 52xx
Document version: 6W101-20140523
Copyright © 2013-2014, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , H3CS, H3CIE, H3CNE, Aolynk, , H3Care, , IRF, NetPilot, Netflow,
SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of
Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S5120-HI documentation set includes 11 configuration guides, which describe the software
features for the H3C S5120-HI Switch Series, and guide you through the software configuration
procedures. These configuration guides also provide configuration examples to help you apply software
features to different network scenarios.
The Security Configuration Guide describes security fundamentals and configuration. It covers the
authentication features (including AAA, 802.1X, MAC authentication, portal authentication, and so on)
and attack protection features (including IP source guard, ARP attack protection, and so on).
This preface includes:
•Audience
•Added and modified features
•Conventions
•About the H3C S5120-HI documentation set
•Obtaining documentation
•Technical support
•Documentation feedback
Audience
This documentation is intended for:
•Network planners
•Field technical support and servicing engineers
•Network administrators working with the S5120-HI series
Added and modified features
This documentation set is for Release 52xx. The following describes the feature changes between
releases:
•Release 5206 has the following feature changes over Release 5203:
Confi
g
uration
g
uide Added and modified features
AAA Added feature: Specifying multiple secondary HWTACACS servers
MAC authentication Added feature: Enabling MAC authentication multi-VLAN mode
IP source guard Added feature: 802.1X-based dynamic IPv4 source guard binding entries.
ARP attack protection Added feature: ARP Detection logging function.
•Release 5203 has the following feature changes over Release 5101:
Confi
g
uration
g
uide Added and modified features
AAA
Added features:
•Setting a DSCP value for an ISP domain.
•Setting the DSCP value for RADIUS protocol packets.
•Configuring status detection for RADIUS authentication/authorization
servers
•RADIUS/HWTACACS authentication, authorization, and accounting
support ciphertext shared key configuration.
•Setting ciphertext shared keys for secure RADIUS communication.
Modified feature: Configuring a password for the local user.
Removed feature: Setting the password display mode for all local users.
802.1X
Added features:
•Configuring 802.1X critical VLAN.
•Specifying supported domain name delimiters.
•Configuring a port to send EAPOL frames untagged.
•Setting the maximum number of authentication request attempts.
•Configuring an 802.1X VLAN group.
EAD fast deployment N/A
MAC authentication
Added features:
•Configuring a MAC authentication critical VLAN.
•Configuring MAC authentication delay.
Portal N/A
Triple authentication N/A
Port security N/A
User profile N/A
Password control Modified features: Clearing all users from the password control blacklist.
HABP N/A
Public Key N/A
PKI Added feature: Setting a ciphertext password for certificate revocation.
IPsec IPsec is a newly added feature.
SSH2.0
Added features:
•Configuring the service type as SCP for SSH users.
•Configuring the device as an SCP client.
•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the SSH
server.
•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the Stelnet
client.
•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the SFTP
client.
SSL N/A
TCP attack protection N/A
IP source guard N/A
ARP attack protection Added feature: Configuring a user validity check rule.
Confi
g
uration
g
uide Added and modified features
ND attack defense N/A
SAVI Added feature: Setting the deletion delay time for SAVI.
Black list N/A
FIPS FIPS is a newly added feature.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Descri
p
tion
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Descri
p
tion
Boldface Window names, button names, field names, and menu items are in Boldface. For
example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Convention Descri
p
tion
< > Button names are inside angle brackets. For example, click <OK>.
[ ] Window names, menu items, data table and field names are inside square brackets. For
example, pop up the [New User] window.
/ Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
Symbols
Convention Descri
p
tion
WARNING An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT An alert that calls attention to essential information.
NOTE An alert that contains additional or supplementary information.
TIP An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
About the H3C S5120-HI documentation set
The H3C S5120-HI documentation set includes:
Cate
g
or
y
Documents Pur
p
oses
Product description
and specifications
Marketing brochure Describe product specifications and benefits.
Technology white papers Provide an in-depth description of software features
and technologies.
Hardware
specifications and
installation
Compliance and safety manual
CE DOCs
Provide regulatory information and the safety
instructions that must be followed during installation.
Installation quick start Guides you through initial installation and setup
procedures to help you quickly set up your device.
Installation guide Provides a complete guide to switch installation and
specifications.
LSPM1FAN and LSPM1FANB
Installation Manual
Describes the appearances, specifications,
installation, and removal of the pluggable fan
modules available for the products.
PSR150-A [ PSR150-D ] Power
Modules User Manual
Describe the specifications, installation, and
replacement of hot swappable 150W power
modules.
Cate
g
or
y
Documents Pur
p
oses
RPS Ordering Information for
H3C Low-End Ethernet Switches
Helps you order RPSs for switches that can work with
an RPS.
User manuals for RPSs Describe the specifications, installation, and
replacement of RPSs.
User manuals for interface
cards
Describe the specifications, installation, and
replacement of expansion interface cards.
H3C Low End Series Ethernet
Switches Pluggable Modules
Manual
Describes the specifications of pluggable transceiver
modules.
Pluggable SFP[SFP+][XFP]
Transceiver Modules Installation
Guide
Describe the installation, and replacement of
SFP/SFP+/XFP transceiver modules.
Software
configuration
Configuration guides Describe software features and configuration
procedures.
Command references Provide a quick reference to all available
commands.
Operations and
maintenance Release notes
Provide information about the product release,
including the version history, hardware and software
compatibility matrix, version upgrade information,
technical support information, and software
upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
servi[email protected]
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
i
Contents
Configuring AAA ························································································································································· 1
AAA overview ···································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································7
Domain-based user management ···························································································································9
RADIUS server feature of the switch···················································································································· 10
Protocols and standards ······································································································································· 11
RADIUS attributes ·················································································································································· 11
FIPS compliance ····························································································································································· 14
AAA configuration considerations and task list·········································································································· 14
Configuring AAA schemes············································································································································ 16
Configuring local users········································································································································· 16
Configuring RADIUS schemes······························································································································ 20
Configuring HWTACACS schemes····················································································································· 32
Configuring AAA methods for ISP domains················································································································ 38
Configuration prerequisites ·································································································································· 38
Creating an ISP domain ······································································································································· 38
Configuring ISP domain attributes······················································································································· 39
Configuring AAA authentication methods for an ISP domain·········································································· 40
Configuring AAA authorization methods for an ISP domain ··········································································· 42
Configuring AAA accounting methods for an ISP domain ··············································································· 43
Tearing down user connections···································································································································· 45
Configuring a NAS ID-VLAN binding·························································································································· 45
Configuring a switch as a RADIUS server··················································································································· 45
RADIUS server functions configuration task list ·································································································· 45
Configuring a RADIUS user·································································································································· 46
Specifying a RADIUS client ·································································································································· 46
Displaying and maintaining AAA ································································································································ 47
AAA configuration examples········································································································································ 47
AAA for Telnet users by an HWTACACS server ······························································································· 47
AAA for Telnet users by separate servers··········································································································· 48
Authentication/authorization for SSH/Telnet users by a RADIUS server························································ 50
AAA for 802.1X users by a RADIUS server ······································································································· 53
Level switching authentication for Telnet users by an HWTACACS server····················································· 60
RADIUS authentication and authorization for Telnet users by a switch··························································· 63
Troubleshooting AAA ···················································································································································· 65
Troubleshooting RADIUS······································································································································· 65
Troubleshooting HWTACACS······························································································································ 66
802.1X overview ·······················································································································································67
802.1X architecture······················································································································································· 67
Controlled/uncontrolled port and port authorization status······················································································ 67
802.1X-related protocols ·············································································································································· 68
Packet formats························································································································································ 69
EAP over RADIUS ·················································································································································· 70
Initiating 802.1X authentication··································································································································· 70
802.1X client as the initiator································································································································ 70
Access device as the initiator······························································································································· 71
802.1X authentication procedures ······························································································································ 71
ii
A comparison of EAP relay and EAP termination······························································································ 72
EAP relay································································································································································ 72
EAP termination ····················································································································································· 75
Configuring 802.1X ··················································································································································76
H3C implementation of 802.1X··································································································································· 76
Access control methods ········································································································································ 76
Using 802.1X authentication with other features ······························································································ 76
Configuration prerequisites··········································································································································· 81
802.1X configuration task list······································································································································· 82
Enabling 802.1X···························································································································································· 82
Configuration guidelines ······································································································································ 82
Configuration procedure ······································································································································ 83
Enabling EAP relay or EAP termination ······················································································································· 83
Setting the port authorization state ······························································································································ 84
Specifying an access control method ·························································································································· 84
Setting the maximum number of concurrent 802.1X users on a port······································································· 85
Setting the maximum number of authentication request attempts ············································································· 85
Setting the 802.1X authentication timeout timers······································································································· 86
Configuring the online user handshake function ········································································································ 86
Configuration guidelines ······································································································································ 86
Configuration procedure ······································································································································ 87
Configuring the authentication trigger function ·········································································································· 87
Configuration guidelines ······································································································································ 87
Configuration procedure ······································································································································ 88
Specifying a mandatory authentication domain on a port························································································ 88
Configuring the quiet timer ··········································································································································· 88
Enabling the periodic online user re-authentication function····················································································· 89
Configuration guidelines ······································································································································ 89
Configuration procedure ······································································································································ 89
Configuring a port to send EAPOL frames untagged································································································· 90
Setting the maximum number of 802.1X authentication attempts for MAC authentication users························· 90
Configuring a VLAN group··········································································································································· 90
Configuring an 802.1X guest VLAN ··························································································································· 91
Configuration guidelines ······································································································································ 91
Configuration prerequisites ·································································································································· 91
Configuration procedure ······································································································································ 92
Configuring an 802.1X Auth-Fail VLAN······················································································································ 92
Configuration guidelines ······································································································································ 92
Configuration prerequisites ·································································································································· 93
Configuration procedure ······································································································································ 93
Configuring an 802.1X critical VLAN ························································································································· 93
Configuration guidelines ······································································································································ 93
Configuration prerequisites ·································································································································· 93
Configuration procedure ······································································································································ 94
Specifying supported domain name delimiters··········································································································· 94
Displaying and maintaining 802.1X ··························································································································· 95
802.1X authentication configuration example ··········································································································· 95
Network requirements··········································································································································· 95
Configuration procedure ······································································································································ 95
Verifying the configuration··································································································································· 97
802.1X with guest VLAN and VLAN assignment configuration example ······························································· 97
Network requirements··········································································································································· 97
Configuration procedure ······································································································································ 98
Verifying the configuration··································································································································· 99
iii
802.1X with ACL assignment configuration example ·····························································································100
Network requirements·········································································································································100
Configuration procedure ····································································································································100
Verifying the configuration·································································································································101
Configuring EAD fast deployment ························································································································· 102
Overview·······································································································································································102
Free IP···································································································································································102
URL redirection·····················································································································································102
Configuration prerequisites·········································································································································102
Configuring a free IP ···················································································································································102
Configuring the redirect URL·······································································································································103
Setting the EAD rule timer ···········································································································································103
Displaying and maintaining EAD fast deployment···································································································104
EAD fast deployment configuration example············································································································104
Network requirements·········································································································································104
Configuration procedure ····································································································································105
Verifying the configuration·································································································································105
Troubleshooting EAD fast deployment·······················································································································106
Web browser users cannot be correctly redirected ························································································106
Configuring MAC authentication··························································································································· 107
Overview·······································································································································································107
User account policies··········································································································································107
Authentication approaches ································································································································107
MAC authentication timers·································································································································108
Using MAC authentication with other features ·········································································································108
VLAN assignment ················································································································································108
ACL assignment ···················································································································································108
Guest VLAN ·························································································································································108
Critical VLAN·······················································································································································109
Configuration task list ··················································································································································109
Basic configuration for MAC authentication·············································································································109
Configuring MAC authentication globally········································································································110
Configuring MAC authentication on a port ·····································································································110
Specifying a MAC authentication domain················································································································111
Configuring a MAC authentication guest VLAN ······································································································111
Configuring a MAC authentication critical VLAN····································································································112
Configuring MAC authentication delay·····················································································································113
Enabling MAC authentication multi-VLAN mode······································································································113
Displaying and maintaining MAC authentication ····································································································114
MAC authentication configuration examples············································································································114
Local MAC authentication configuration example···························································································114
RADIUS-based MAC authentication configuration example···········································································116
ACL assignment configuration example············································································································118
Configuring portal authentication·························································································································· 121
Overview·······································································································································································121
Extended portal functions ···································································································································121
Portal system components···································································································································121
Portal system using the local portal server········································································································123
Portal authentication modes ·······························································································································124
Layer 2 portal authentication process ···············································································································124
Portal configuration task list ········································································································································125
Configuration prerequisites·········································································································································126
Specifying the portal server ········································································································································127
iv
Configuring the local portal server ····························································································································127
Customizing authentication pages ····················································································································127
Configuring the local portal server····················································································································130
Enabling portal authentication····································································································································131
Controlling access of portal users ······························································································································132
Configuring a portal-free rule·····························································································································132
Setting the maximum number of online portal users························································································132
Specifying an authentication domain for portal users·····················································································133
Configuring portal authentication to support Web proxy···············································································133
Enabling support for portal user moving ··········································································································134
Specifying an Auth-Fail VLAN for portal authentication ··························································································134
Specifying an auto redirection URL for authenticated portal users·········································································135
Configuring portal detection functions·······················································································································135
Logging off portal users···············································································································································136
Displaying and maintaining portal ····························································································································136
Portal configuration examples ····································································································································137
Network requirements·········································································································································137
Configuration procedures···································································································································137
Verifying the configuration·································································································································139
Troubleshooting portal·················································································································································140
Inconsistent keys on the access device and the portal server·········································································140
Incorrect server port number on the access device··························································································141
Configuring triple authentication ··························································································································· 142
Overview·······································································································································································142
Triple authentication mechanism ·······················································································································142
Using triple authentication with other features ·································································································143
Configuring triple authentication································································································································143
Triple authentication configuration examples ···········································································································144
Triple authentication basic function configuration example ···········································································144
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············146
Configuring port security········································································································································ 152
Overview·······································································································································································152
Port security features ···········································································································································152
Port security modes ·············································································································································152
Working with guest VLAN and Auth-Fail VLAN ······························································································155
Configuration task list ··················································································································································155
Enabling port security ··················································································································································156
Setting port security's limit on the number of MAC addresses on a port·······························································156
Setting the port security mode ····································································································································157
Configuration prerequisites ································································································································157
Configuration procedure ····································································································································157
Configuring port security features ······························································································································158
Configuring NTK ·················································································································································158
Configuring intrusion protection ························································································································158
Enabling port security traps································································································································159
Configuring secure MAC addresses ··························································································································159
Configuration prerequisites ································································································································160
Configuration procedure ····································································································································160
Ignoring authorization information ····························································································································161
Displaying and maintaining port security··················································································································162
Port security configuration examples ·························································································································162
Configuring the autoLearn mode·······················································································································162
Configuring the userLoginWithOUI mode ········································································································164
v
Configuring the macAddressElseUserLoginSecure mode················································································169
Troubleshooting port security······································································································································171
Cannot set the port security mode·····················································································································171
Cannot configure secure MAC addresses ········································································································172
Cannot change port security mode when a user is online··············································································172
Configuring a user profile ······································································································································ 174
Overview·······································································································································································174
User profile configuration task list······························································································································174
Creating a user profile ················································································································································174
Applying a QoS policy ···············································································································································175
Enabling a user profile ················································································································································175
Displaying and maintaining user profiles··················································································································176
Configuring password control································································································································ 177
Overview·······································································································································································177
FIPS compliance ···························································································································································179
Password control configuration task list·····················································································································180
Configuring password control ····································································································································180
Enabling password control·································································································································180
Setting global password control parameters····································································································181
Setting user group password control parameters ····························································································183
Setting local user password control parameters ······························································································183
Setting super password control parameters ·····································································································184
Setting a local user password in interactive mode ··························································································184
Displaying and maintaining password control ·········································································································185
Password control configuration example ··················································································································185
Configuring HABP··················································································································································· 188
Overview·······································································································································································188
Configuring HABP························································································································································189
Configuring the HABP server ·····························································································································189
Configuring an HABP client ·······························································································································189
Displaying and maintaining HABP·····························································································································190
HABP configuration example······································································································································190
Managing public keys············································································································································ 193
Overview·······································································································································································193
FIPS compliance ···························································································································································193
Configuration task list ··················································································································································194
Creating a local asymmetric key pair························································································································194
Displaying or exporting the local host public key ····································································································195
Destroying a local asymmetric key pair ····················································································································196
Specifying the peer public key on the local device··································································································196
Displaying and maintaining public keys ···················································································································198
Public key configuration examples·····························································································································198
Manually specifying the peer public key on the local device ········································································198
Importing a peer public key from a public key file··························································································200
Configuring PKI ······················································································································································· 203
Overview·······································································································································································203
PKI terms·······························································································································································203
PKI architecture····················································································································································204
PKI operation ·······················································································································································204
PKI applications ···················································································································································205
PKI configuration task list ············································································································································205
Configuring an entity DN············································································································································206
vi
Configuring a PKI domain···········································································································································207
Configuration guidelines ····································································································································208
Configuration procedure ····································································································································208
Submitting a PKI certificate request····························································································································208
Submitting a certificate request in auto mode··································································································209
Submitting a certificate request in manual mode·····························································································209
Retrieving a certificate manually ································································································································210
Configuration guidelines ····································································································································210
Configuration procedure ····································································································································211
Configuring PKI certificate verification ······················································································································211
Configuration guidelines ····································································································································211
Configuring CRL-checking-enabled PKI certificate verification ·······································································211
Configuring CRL-checking-disabled PKI certificate verification ······································································212
Destroying a local RSA key pair ································································································································212
Deleting a certificate····················································································································································213
Configuring an access control policy ························································································································213
Displaying and maintaining PKI ·································································································································213
PKI configuration examples·········································································································································214
Certificate request from an RSA Keon CA server ····························································································214
Certificate request from a Windows 2003 CA server ····················································································217
Certificate attribute access control policy configuration example ·································································220
Troubleshooting PKI ·····················································································································································222
Failed to retrieve a CA certificate······················································································································222
Failed to request a local certificate ···················································································································222
Failed to retrieve CRLs ········································································································································223
Configuring IPsec ···················································································································································· 224
Overview·······································································································································································224
Basic concepts ·····················································································································································224
Protocols and standards ·····································································································································227
Configuring IPsec ·························································································································································227
Implementing ACL-based IPsec ···································································································································227
Feature Restrictions··············································································································································227
ACL-based IPsec configuration task list ·············································································································227
Configuring ACLs ················································································································································228
Configuring an IPsec proposal ··························································································································229
Configuring an IPsec policy ·······························································································································230
Applying an IPsec policy group to an interface·······························································································233
Configuring the IPsec session idle timeout········································································································234
Enabling ACL checking of de-encapsulated IPsec packets ·············································································234
Configuring the IPsec anti-replay function ········································································································235
Configuring packet information pre-extraction ································································································235
Displaying and maintaining IPsec······························································································································236
IPsec configuration examples······································································································································236
IKE-based IPsec tunnel for IPv4 packets configuration example·····································································236
Configuring IKE······················································································································································· 239
Overview·······································································································································································239
IKE security mechanism·······································································································································239
IKE operation ·······················································································································································239
IKE functions·························································································································································240
Relationship between IKE and IPsec··················································································································241
Protocols and standards ·····································································································································241
IKE configuration task list ············································································································································241
Configuring a name for the local security gateway·································································································242
vii
Configuring an IKE proposal ······································································································································242
Configuring an IKE peer··············································································································································243
Setting keepalive timers···············································································································································245
Setting the NAT keepalive timer·································································································································245
Configuring a DPD detector········································································································································246
Disabling next payload field checking ······················································································································246
Displaying and maintaining IKE·································································································································247
IKE configuration example ··········································································································································247
Troubleshooting IKE ·····················································································································································250
Invalid user ID······················································································································································250
Proposal mismatch ··············································································································································250
Failing to establish an IPsec tunnel····················································································································251
ACL configuration error ······································································································································251
Configuring SSH2.0 ··············································································································································· 252
Overview·······································································································································································252
SSH operation ·····················································································································································252
FIPS compliance ···························································································································································254
Configuring the switch as an SSH server ··················································································································255
SSH server configuration task list ······················································································································255
Generating DSA or RSA key pairs ····················································································································255
Enabling the SSH server function·······················································································································256
Configuring the user interfaces for SSH clients································································································256
Configuring a client public key··························································································································256
Configuring an SSH user····································································································································257
Setting the SSH management parameters ········································································································259
Setting the DSCP value for packets sent by the SSH server············································································260
Configuring the switch as an SSH client ···················································································································260
SSH client configuration task list························································································································260
Specifying a source IP address/interface for the SSH client ··········································································261
Configuring whether first-time authentication is supported·············································································261
Establishing a connection between the SSH client and server ·······································································262
Setting the DSCP value for packets sent by the SSH client ·············································································262
Displaying and maintaining SSH ·······························································································································263
SSH server configuration examples ···························································································································263
When the switch acts as a server for password authentication ·····································································264
When the switch acts as a server for publickey authentication ·····································································266
SSH client configuration examples·····························································································································271
When switch acts as client for password authentication ················································································271
When switch acts as client for publickey authentication ················································································274
Configuring SFTP····················································································································································· 277
Overview·······································································································································································277
FIPS compliance ···························································································································································277
Configuring the switch as an SFTP server ·················································································································277
Enabling the SFTP server ····································································································································277
Configuring the SFTP connection idle timeout period ·····················································································278
Configuring the switch as an SFTP client···················································································································278
Specifying a source IP address or interface for the SFTP client······································································278
Establishing a connection to the SFTP server····································································································278
Working with SFTP directories···························································································································279
Working with SFTP files······································································································································280
Displaying help information ·······························································································································280
Terminating the connection to the remote SFTP server ····················································································281
Setting the DSCP value for packets sent by the SFTP client ············································································281
viii
SFTP client configuration example ·····························································································································281
SFTP server configuration example ····························································································································285
Configuring SCP······················································································································································ 288
Overview·······································································································································································288
FIPS compliance ···························································································································································288
Configuring the switch as an SCP server ··················································································································288
Configuring the switch as the SCP client···················································································································289
SCP client configuration example······················································································································290
SCP server configuration example ····················································································································291
Configuring SSL······················································································································································· 293
Overview·······································································································································································293
SSL security mechanism ······································································································································293
SSL protocol stack ···············································································································································293
FIPS compliance ···························································································································································294
Configuration task list ··················································································································································294
Configuring an SSL server policy ·······························································································································294
SSL server policy configuration example ··········································································································296
Configuring an SSL client policy ································································································································298
Displaying and maintaining SSL·································································································································299
Troubleshooting SSL·····················································································································································299
Configuring TCP attack protection························································································································· 300
Overview·······································································································································································300
Enabling the SYN Cookie feature ······························································································································300
Displaying and maintaining TCP attack protection ··································································································300
Configuring IP source guard ·································································································································· 301
Overview·······································································································································································301
Static IP source guard entries·····························································································································301
Dynamic IP source guard binding entries·········································································································302
Configuration task list ··················································································································································302
Configuring the IPv4 source guard function··············································································································303
Configuring IPv4 source guard on a port·········································································································303
Configuring a static IPv4 source guard entry···································································································304
Setting the maximum number of IPv4 source guard entries············································································305
Configuring the IPv6 source guard function··············································································································306
Configuring IPv6 source guard on a port·········································································································306
Configuring a static IPv6 source guard entry···································································································307
Setting the maximum number of IPv6 source guard entries············································································308
Displaying and maintaining IP source guard············································································································308
IP source guard configuration examples ···················································································································309
Static IPv4 source guard configuration example ·····························································································309
Dynamic IPv4 source guard using DHCP snooping configuration example·················································311
Dynamic IPv4 source guard using DHCP relay configuration example ························································312
Static IPv6 source guard configuration example ·····························································································313
Dynamic IPv6 source guard using DHCPv6 snooping configuration example·············································314
Dynamic IPv6 source guard using ND snooping configuration example ·····················································315
Global static IP source guard configuration example ·····················································································316
Troubleshooting IP source guard ································································································································318
Configuring ARP attack protection························································································································· 319
Overview·······································································································································································319
ARP attack protection configuration task list ·············································································································319
Configuring ARP defense against IP packet attacks·································································································320
Configuring ARP source suppression ················································································································320
ix
Enabling ARP black hole routing ·······················································································································321
Displaying and maintaining ARP defense against IP packet attacks·····························································321
Configuration example ·······································································································································321
Configuring ARP packet rate limit ······························································································································322
Introduction ··························································································································································322
Configuration procedure ····································································································································322
Configuring source MAC address based ARP attack detection ·············································································323
Configuration procedure ····································································································································323
Displaying and maintaining source MAC address based ARP attack detection··········································324
Configuration example ·······································································································································324
Configuring ARP packet source MAC address consistency check ·········································································326
Introduction ··························································································································································326
Configuration procedure ····································································································································326
Configuring ARP active acknowledgement ···············································································································326
Introduction ··························································································································································326
Configuration procedure ····································································································································326
Configuring ARP detection··········································································································································327
Introduction ··························································································································································327
Configuring user validity check ·························································································································327
Configuring ARP packet validity check·············································································································328
Configuring ARP restricted forwarding ·············································································································329
Configuring the ARP detection logging function······························································································329
Displaying and maintaining ARP detection ······································································································330
User validity check configuration example·······································································································330
User validity check and ARP packet validity check configuration example··················································331
ARP restricted forwarding configuration example ···························································································333
Configuring ARP automatic scanning and fixed ARP·······························································································334
Configuration guidelines ····································································································································335
Configuration procedure ····································································································································335
Configuring ARP gateway protection ························································································································335
Configuration guidelines ····································································································································335
Configuration procedure ····································································································································336
Configuration example ·······································································································································336
Configuring ARP filtering·············································································································································337
Configuration guidelines ····································································································································337
Configuration procedure ····································································································································337
Configuration example ·······································································································································337
Configuring ND attack defense ····························································································································· 339
Overview·······································································································································································339
Enabling source MAC consistency check for ND packets·······················································································340
Configuring the ND detection function······················································································································340
Introduction to ND detection ······························································································································340
Configuration guidelines ····································································································································340
Configuration procedure ····································································································································341
Displaying and maintaining ND detection·······································································································341
ND detection configuration example·························································································································341
Network requirements·········································································································································341
Configuration procedure ····································································································································342
Configuring SAVI ···················································································································································· 344
Overview·······································································································································································344
Configuring global SAVI ·············································································································································344
SAVI configuration in DHCPv6-only address assignment scenario ········································································345
Network requirements·········································································································································345
x
Configuration considerations ·····························································································································345
Packet check principles·······································································································································346
Configuration procedure ····································································································································346
SAVI configuration in SLAAC-only address assignment scenario···········································································347
Network requirements·········································································································································347
Configuration considerations ·····························································································································347
Packet check principles·······································································································································348
Configuration procedure ····································································································································348
SAVI configuration in DHCPv6+SLAAC address assignment scenario··································································349
Network requirements·········································································································································349
Configuration considerations ·····························································································································349
Packet check principles·······································································································································350
Configuration procedure ····································································································································350
Configuring blacklist··············································································································································· 352
Overview·······································································································································································352
Configuring the blacklist feature·································································································································352
Displaying and maintaining the blacklist ··················································································································352
Blacklist configuration example··································································································································353
Network requirements·········································································································································353
Configuration procedure ····································································································································353
Verifying the configuration·································································································································353
Configuring FIPS······················································································································································ 355
Overview·······································································································································································355
FIPS self-tests ·································································································································································355
Power-up self-test ·················································································································································355
Conditional self-tests············································································································································355
Triggering a self-test ············································································································································355
Configuration procedure·············································································································································356
Enabling the FIPS mode······································································································································356
Triggering a self-test ············································································································································357
Displaying and maintaining FIPS ·······························································································································357
FIPS configuration example·········································································································································357
Network requirements·········································································································································357
Configuration procedure ····································································································································357
Verifying the configuration·································································································································358
Index ········································································································································································ 360
1
Configuring AAA
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It can provide the following security functions:
•Authentication—Identifies users and determines whether a user is valid.
•Authorization—Grants different users different rights and controls their access to resources and
services. For example, a user who has successfully logged in to the switch can be granted read and
print permissions to the files on the switch.
•Accounting—Records all user network service usage information, including the service type, start
time, and traffic. The accounting function not only provides the information required for charging,
but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS), which is
also referred to as the access device. The server maintains user information centrally. In an AAA network,
a NAS is a server for users but a client for the AAA servers. See Figure 1.
Figure 1 Network diagram
When a user tries to log in to the NAS, use network resources, or access other networks, the NAS
authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and
accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and
a remote server exchange user information between them.
In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose
different servers for different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and the RADIUS server for accounting.
You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, configure an
authentication server. If network usage information is needed, you must also configure an accounting
server.
AAA can be implemented through multiple protocols. The switch supports using RADIUS and
HWTACACS. RADIUS is often used in practice.
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS
provides access authentication and authorization services, and its accounting function collects and
records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates
users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server components
•Users—Stores user information, such as usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
A RADIUS client and the RADIUS server use the shared key to authenticate RADIUS packets and encrypt
user passwords that are exchanged between them. The keys are never transmitted over the network. This
security mechanism improves the security of RADIUS communication and prevents user passwords from
being intercepted on insecure networks.
A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the
client of another AAA server to provide authentication proxy services.
Basic RADIUS message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
RADIUS servers
Users Clients Dictionary
3
Figure 3 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user’s username and password to the
RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request
(Access-Request) to the RADIUS server, with the user password encrypted by using the
Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept message containing the user’s authorization information. If
the authentication fails, the server returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it
permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a
stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops
accounting for the user.
RADIUS packet format
RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS
server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism,
the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet
format.
Other manuals for S5120-HI Series
4
Table of contents
Other H3C Switch manuals
H3C
H3C S5830 Series User manual
H3C
H3C S12500 Series User manual
H3C
H3C NSQ1GP24TXEA0 LPU User manual
H3C
H3C S7502 User manual
H3C
H3C S3610 Series User manual
H3C
H3C LS-3100-52P-OVS-H3 User manual
H3C
H3C H3C S7500E Series User manual
H3C
H3C S9500E Series User manual
H3C
H3C S9800 Series User manual
H3C
H3C S7500E-XS Series Installation manual
H3C
H3C H3C S5800-32F User manual
H3C
H3C S6520-EI Series User manual
H3C
H3C S3610 Series Installation instructions
H3C
H3C S5120-HI Series User manual
H3C
H3C S6520-SI Series Installation manual
H3C
H3C S6860 Series User manual
H3C
H3C S5120-EI Series Installation manual
H3C
H3C S6805 Series User manual
H3C
H3C S12500X-2L User manual
H3C
H3C S6800 Series User manual
Popular Switch manuals by other brands
HPE
HPE FlexNetwork 5130 24G 4SFP+ 1-slot HI installation guide
CyberData
CyberData 011539 Installation quick reference
Gomax
Gomax VP-5004MZ2-C user manual
Nortel
Nortel 3510-24T Technical specifications
Honeycomb Aeronautical
Honeycomb Aeronautical Alpha Flight Controls manual
Gefen
Gefen EXT-HDMI-841 user manual
Ruijie Networks
Ruijie Networks RG-S6220-48XS4QXSV1 Hardware installation and reference guide
Link electronics
Link electronics 860-XL325V Specification sheet
Rose electronics
Rose electronics Vista KVL-4PCA Product overview
Field Controls
Field Controls WMO-1 manual
NETGEAR
NETGEAR ProSAFE GS105Ev2 user manual
Gefen
Gefen 4x1 Multiview Seamless Switcher user manual
GEORGIN
GEORGIN P Series user manual
Altronix
Altronix DSHubWayLD16CD - E20I Brochure & specs
schmersal
schmersal AZM300B-I2-ST-SD2P instructions
Moxa Technologies
Moxa Technologies NPort S8000 Series quick start guide
Sea Wit
Sea Wit 9138H user guide
Belden
Belden Grass Valley Kayenne Installation & service manual