Hp 3600 v2 series User manual

HP 3600 v2 Switch Series

Security

Configuration Guide

Part number: 5998-2355

Software version: Release 2101

Document version: 6W101-20130930

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or

use of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained

herein.

Contents

AAA configuration ······················································································································································· 1

AAA overview ···································································································································································1

RADIUS······································································································································································2

HWTACACS ·····························································································································································7

Domain-based user management ···························································································································9

RADIUS server feature of the switch···················································································································· 10

AAA across MPLS L3VPNs ··································································································································· 11

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 12

AAA configuration considerations and task list·········································································································· 15

Configuring AAA schemes············································································································································ 16

Configuring local users········································································································································· 16

Configuring RADIUS schemes······························································································································ 20

Configuring HWTACACS schemes····················································································································· 33

Configuring AAA methods for ISP domains················································································································ 39

Configuration prerequisites ·································································································································· 39

Creating an ISP domain ······································································································································· 39

Configuring ISP domain attributes······················································································································· 40

Configuring AAA authentication methods for an ISP domain·········································································· 41

Configuring AAA authorization methods for an ISP domain ··········································································· 42

Configuring AAA accounting methods for an ISP domain ··············································································· 44

Tearing down user connections···································································································································· 45

Configuring a NAS ID-VLAN binding·························································································································· 46

Specifying the device ID used in stateful failover mode ···························································································· 46

Configuring a switch as a RADIUS server··················································································································· 47

RADIUS server functions configuration task list ·································································································· 47

Configuring a RADIUS user·································································································································· 47

Specifying a RADIUS client ·································································································································· 48

Displaying and maintaining AAA ································································································································ 48

AAA configuration examples········································································································································ 49

AAA for Telnet users by an HWTACACS server ······························································································· 49

AAA for Telnet users by separate servers··········································································································· 50

Authentication/authorization for SSH/Telnet users by a RADIUS server························································ 51

AAA for portal users by a RADIUS server ·········································································································· 55

AAA for 802.1X users by a RADIUS server······································································································· 64

Level switching authentication for Telnet users by an HWTACACS server····················································· 70

RADIUS authentication and authorization for Telnet users by a switch··························································· 73

Troubleshooting AAA ···················································································································································· 75

Troubleshooting RADIUS······································································································································· 75

Troubleshooting HWTACACS······························································································································ 76

802.1X fundamentals ················································································································································77

802.1X architecture······················································································································································· 77

Controlled/uncontrolled port and port authorization status······················································································ 77

802.1X-related protocols ·············································································································································· 78

Packet formats························································································································································ 79

EAP over RADIUS ·················································································································································· 80

Initiating 802.1X authentication··································································································································· 80

802.1X client as the initiator································································································································ 80

Access device as the initiator······························································································································· 81

802.1X authentication procedures······························································································································· 81

A comparison of EAP relay and EAP termination······························································································ 82

EAP relay································································································································································ 82

EAP termination ····················································································································································· 84

802.1X configuration ················································································································································85

HP implementation of 802.1X ······································································································································ 85

Access control methods ········································································································································ 85

Using 802.1X authentication with other features ······························································································ 85

Configuring 802.1X ······················································································································································ 88

802.1X configuration task list······························································································································ 88

Enabling 802.1X··················································································································································· 89

Enabling EAP relay or EAP termination ·············································································································· 89

Setting the port authorization state······················································································································ 90

Specifying an access control method·················································································································· 91

Setting the maximum number of concurrent 802.1X users on a port······························································ 91

Setting the maximum number of authentication request attempts ···································································· 91

Setting the 802.1X authentication timeout timers ······························································································ 92

Configuring the online user handshake function································································································ 92

Configuring the authentication trigger function ································································································· 93

Specifying a mandatory authentication domain on a port··············································································· 94

Configuring the quiet timer··································································································································· 94

Enabling the periodic online user re-authentication function············································································ 95

Configuring an 802.1X guest VLAN··················································································································· 95

Configuring an Auth-Fail VLAN ··························································································································· 97

Specifying supported domain name delimiters·································································································· 98

Displaying and maintaining 802.1X ··························································································································· 98

802.1X configuration examples··································································································································· 98

802.1X authentication configuration example ·································································································· 98

802.1X with guest VLAN and VLAN assignment configuration example·····················································101

802.1X with ACL assignment configuration example·····················································································103

EAD fast deployment configuration ······················································································································· 106

EAD fast deployment overview···································································································································106

EAD fast deployment implementation ···············································································································106

Configuring EAD fast deployment······························································································································106

Configuration procedure ····································································································································106

Displaying and maintaining EAD fast deployment···································································································108

EAD fast deployment configuration example············································································································108

Troubleshooting EAD fast deployment·······················································································································110

Web browser users cannot be correctly redirected ························································································110

MAC authentication configuration························································································································· 111

MAC authentication overview ····································································································································111

User account policies··········································································································································111

Authentication approaches ································································································································111

MAC authentication timers·································································································································112

Using MAC authentication with other features ·········································································································112

VLAN assignment ················································································································································112

ACL assignment ···················································································································································112

Guest VLAN ·························································································································································112

MAC authentication configuration task list ···············································································································113

Basic configuration for MAC authentication·············································································································113

iii

Specifying an authentication domain for MAC authentication users ·····································································114

Configuring a MAC authentication guest VLAN ······································································································115

Displaying and maintaining MAC authentication ····································································································116

MAC authentication configuration examples············································································································116

Local MAC authentication configuration example···························································································116

RADIUS-based MAC authentication configuration example···········································································118

ACL assignment configuration example············································································································120

Portal configuration················································································································································· 123

Portal overview·····························································································································································123

Introduction to portal···········································································································································123

Extended portal functions ···································································································································123

Portal system components···································································································································123

Portal system using the local portal server········································································································125

Portal authentication modes ·······························································································································126

Portal support for EAP·········································································································································127

Layer 2 portal authentication process ···············································································································128

Layer 3 portal authentication process ···············································································································129

Portal stateful failover··········································································································································133

Portal authentication across VPNs·····················································································································134

Portal configuration task list ········································································································································135

Configuration prerequisites·········································································································································136

Specifying the portal server ········································································································································136

Specifying the local portal server for Layer 2 portal authentication······························································136

Specifying a portal server for Layer 3 portal authentication ··········································································137

Configuring the local portal server ····························································································································138

Customizing authentication pages ····················································································································138

Configuring the local portal server····················································································································141

Enabling portal authentication····································································································································141

Enabling Layer 2 portal authentication ·············································································································142

Enabling Layer 3 portal authentication ·············································································································142

Controlling access of portal users ······························································································································143

Configuring a portal-free rule·····························································································································143

Configuring an authentication source subnet···································································································144

Setting the maximum number of online portal users························································································144

Specifying an authentication domain for portal users·····················································································145

Configuring Layer 3 portal authentication to support web proxy··································································145

Enabling support for portal user moving ··········································································································146

Specifying an Auth-Fail VLAN for portal authentication ··························································································147

Configuring RADIUS related attributes ······················································································································148

Specifying NAS-Port-Type for an interface ·······································································································148

Specifying a NAS ID profile for an interface ···································································································149

Specifying a source IP address for outgoing portal packets ···················································································149

Configuring portal stateful failover·····························································································································150

Specifying an auto redirection URL for authenticated portal users·········································································152

Configuring portal detection functions·······················································································································152

Configuring online Layer 2 portal user detection ····························································································152

Configuring the portal server detection function······························································································153

Configuring portal user information synchronization······················································································154

Logging off portal users···············································································································································155

Displaying and maintaining portal ····························································································································155

Portal configuration examples ····································································································································156

Configuring direct portal authentication···········································································································156

Configuring re-DHCP portal authentication······································································································161

Configuring cross-subnet portal authentication ································································································163

Configuring direct portal authentication with extended functions··································································165

Configuring re-DHCP portal authentication with extended functions ····························································167

Configuring cross-subnet portal authentication with extended functions·······················································169

Configuring portal stateful failover····················································································································171

Configuring portal server detection and portal user information synchronization·······································179

Configuring Layer 2 portal authentication········································································································185

Troubleshooting portal·················································································································································188

Inconsistent keys on the access device and the portal server·········································································188

Incorrect server port number on the access device··························································································189

Triple authentication configuration ························································································································ 190

Triple authentication overview····································································································································190

Triple authentication mechanism ·······················································································································190

Using triple authentication with other features·································································································191

Configuring triple authentication································································································································192

Triple authentication configuration examples ···········································································································192

Triple authentication basic function configuration example ···········································································192

Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············195

Port security configuration ······································································································································ 200

Port security overview ··················································································································································200

Port security features ···········································································································································200

Port security modes ·············································································································································200

Working with guest VLAN and Auth-Fail VLAN ······························································································203

Port security configuration task list ·····························································································································203

Enabling port security ··················································································································································204

Setting port security’s limit on the number of MAC addresses on a port·······························································204

Setting the port security mode ····································································································································205

Configuring port security features ······························································································································206

Configuring NTK ·················································································································································206

Configuring intrusion protection ························································································································206

Enabling port security traps································································································································207

Configuring secure MAC addresses ··························································································································208

Ignoring authorization information from the server··································································································209

Displaying and maintaining port security··················································································································210

Port security configuration examples ·························································································································210

Configuring the autoLearn mode·······················································································································210

Configuring the userLoginWithOUI mode ········································································································213

Configuring the macAddressElseUserLoginSecure mode················································································217

Troubleshooting port security······································································································································220

Cannot set the port security mode·····················································································································220

Cannot configure secure MAC addresses ········································································································220

Cannot change port security mode when a user is online··············································································220

User profile configuration······································································································································· 222

User profile overview···················································································································································222

User profile configuration task list······························································································································222

Creating a user profile ················································································································································222

Creating a user profile········································································································································223

Configuring a user profile ···········································································································································223

Configuration guidelines ····································································································································223

Enabling a user profile ················································································································································224

Displaying and maintaining user profiles··················································································································224

HABP configuration················································································································································· 225

HABP overview·····························································································································································225

Configuring HABP························································································································································226

Configuring the HABP server ·····························································································································226

Configuring an HABP client ·······························································································································226

Displaying and maintaining HABP·····························································································································227

HABP configuration example······································································································································227

Public key configuration ········································································································································· 230

Overview·······································································································································································230

Public key configuration task list·································································································································230

Configuring a local asymmetric key pair on the local device·················································································231

Creating a local asymmetric key pair ···············································································································231

Displaying or exporting the local host public key ···························································································232

Destroying a local asymmetric key pair············································································································233

Specifying the peer public key on the local device··································································································233

Displaying and maintaining public keys ···················································································································234

Public key configuration examples·····························································································································235

Manually specifying the peer public key on the local device ········································································235

Importing a peer public key from a public key file··························································································236

PKI configuration····················································································································································· 240

Introduction to PKI ························································································································································240

PKI overview ························································································································································240

PKI terms·······························································································································································240

PKI architecture····················································································································································241

PKI applications ···················································································································································242

PKI operation ·······················································································································································242

PKI configuration task list ············································································································································242

Configuring an entity DN············································································································································243

Configuring a PKI domain···········································································································································244

Submitting a PKI certificate request····························································································································246

Submitting a certificate request in auto mode··································································································246

Submitting a certificate request in manual mode·····························································································246

Retrieving a certificate manually ································································································································247

Configuring PKI certificate verification ······················································································································248

Configuring CRL-checking-enabled PKI certificate verification ·······································································248

Configuring CRL-checking-disabled PKI certificate verification ······································································249

Destroying a local RSA key pair ································································································································249

Deleting a certificate····················································································································································250

Configuring an access control policy ························································································································250

Displaying and maintaining PKI ·································································································································251

PKI configuration examples·········································································································································251

Requesting a certificate from a CA server running RSA Keon ·······································································251

Requesting a certificate from a CA server running Windows 2003 Server ·················································254

Configuring a certificate attribute-based access control policy······································································257

Troubleshooting PKI ·····················································································································································259

Failed to retrieve a CA certificate······················································································································259

Failed to request a local certificate ···················································································································259

Failed to retrieve CRLs ········································································································································260

IPsec configuration·················································································································································· 261

IPsec overview ······························································································································································261

IPsec implementation···········································································································································261

Basic concepts ·····················································································································································262

IPsec for IPv6 routing protocols··························································································································264

Configuring IPsec for IPv6 routing protocols·············································································································264

Configuring an IPsec proposal ··························································································································264

Configuring an IPsec policy ·······························································································································265

Displaying and maintaining IPsec······························································································································267

IPsec for RIPng configuration example·······················································································································267

SSH2.0 configuration ············································································································································· 272

SSH2.0 overview ·························································································································································272

Introduction to SSH2.0 ·······································································································································272

SSH operation ·····················································································································································272

SSH connection across VPNs·····························································································································275

Configuring the switch as an SSH server ··················································································································275

SSH server configuration task list ······················································································································275

Generating a DSA or RSA key pair ··················································································································275

Enabling the SSH server function·······················································································································276

Configuring the user interfaces for SSH clients································································································276

Configuring a client public key··························································································································277

Configuring an SSH user····································································································································278

Setting the SSH management parameters ········································································································279

Configuring the switch as an SSH client ···················································································································280

SSH client configuration task list························································································································280

Specifying a source ip address/interface for the SSH client··········································································280

Configuring whether first-time authentication is supported ·············································································281

Establishing a connection between the SSH client and server ·······································································281

Displaying and maintaining SSH ·······························································································································282

SSH server configuration examples ···························································································································283

When the switch acts as a server for password authentication ·····································································283

When the switch acts as a server for publickey authentication ·····································································285

SSH client configuration examples·····························································································································290

When switch acts as client for password authentication ················································································290

When switch acts as client for publickey authentication ················································································293

SFTP configuration ·················································································································································· 296

SFTP overview·······························································································································································296

Configuring the switch as an SFTP server ·················································································································296

Enabling the SFTP server ····································································································································296

Configuring the SFTP connection idle timeout period ·····················································································296

Configuring the switch an SFTP client························································································································297

Specifying a source ip address or interface for the SFTP client ·····································································297

Establishing a connection to the SFTP server····································································································297

Working with SFTP directories···························································································································298

Working with SFTP files······································································································································298

Displaying help information ·······························································································································299

Terminating the connection to the remote SFTP server ····················································································299

vii

SFTP client configuration example ·····························································································································300

SFTP server configuration example ····························································································································303

SSL configuration ···················································································································································· 306

SSL overview·································································································································································306

SSL security mechanism ······································································································································306

SSL protocol stack ···············································································································································307

SSL configuration task list············································································································································307

Configuring an SSL server policy ·······························································································································307

SSL server policy configuration example ··········································································································309

Configuring an SSL client policy ································································································································310

Displaying and maintaining SSL·································································································································311

Troubleshooting SSL·····················································································································································312

SSL handshake failure·········································································································································312

TCP attack protection configuration······················································································································· 313

TCP attack protection overview ··································································································································313

Enabling the SYN Cookie feature ······························································································································313

Displaying and maintaining TCP attack protection ··································································································314

IP source guard configuration ································································································································ 315

IP source guard overview············································································································································315

Static IP source guard binding entries···············································································································315

Dynamic IP source guard binding entries·········································································································316

IP source guard configuration task list ·······················································································································316

Configuring the IPv4 source guard function··············································································································316

Configuring IPv4 source guard on a port·········································································································316

Configuring a static IPv4 source guard binding entry·····················································································317

Setting the maximum number of IPv4 source guard binding entries ·····························································318

Configuring the IPv6 source guard function··············································································································318

Configuring IPv6 source guard on a port·········································································································319

Configuring a static IPv6 source guard binding entry·····················································································319

Setting the maximum number of IPv6 source guard binding entries ·····························································320

Displaying and maintaining IP source guard············································································································320

IP source guard configuration examples ···················································································································321

Static IPv4 source guard binding entry configuration example ·····································································321

Dynamic IPv4 source guard binding by DHCP snooping configuration example ·······································323

Dynamic IPv4 source guard binding by DHCP relay configuration example···············································324

Static IPv6 source guard binding entry configuration example ·····································································325

Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example ···································326

Dynamic IPv6 source guard binding by ND snooping configuration example············································328

Troubleshooting IP source guard ································································································································329

Neither static binding entries nor the dynamic binding function can be configured···································329

ARP attack protection configuration ······················································································································ 330

ARP attack protection overview··································································································································330

ARP attack protection configuration task list ·············································································································330

Configuring ARP defense against IP packet attacks·································································································331

Introduction ··························································································································································331

Configuring ARP source suppression ················································································································331

Enabling ARP black hole routing ·······················································································································332

Displaying and maintaining ARP defense against IP packet attacks·····························································332

viii

ARP defense against IP packet attack configuration example········································································332

Configuring ARP packet rate limit ······························································································································334

Configuring ARP packet rate limit ·····················································································································334

Configuring source MAC address based ARP attack detection··············································································335

Displaying and maintaining source MAC address based ARP attack detection··········································336

Source MAC address based ARP attack detection configuration example ··················································336

Configuring ARP packet source MAC address consistency check ·········································································337

Configuring ARP active acknowledgement ···············································································································337

Configuring ARP detection··········································································································································338

Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1x

security entries/OUI MAC addresses ···············································································································338

Configuring ARP detection based on specified objects ··················································································339

Configuring ARP restricted forwarding ·············································································································340

Displaying and maintaining ARP detection ······································································································340

ARP detection configuration example I ·············································································································341

ARP detection configuration example II ············································································································342

ARP restricted forwarding configuration example ···························································································343

Configuring ARP automatic scanning and fixed ARP·······························································································345

Configuring ARP gateway protection ························································································································346

ARP gateway protection configuration example······························································································347

Configuring ARP filtering·············································································································································348

ARP filtering configuration example··················································································································348

ND attack defense configuration ··························································································································· 350

Introduction to ND attack defense······························································································································350

Enabling source MAC consistency check for ND packets·······················································································351

Configuring the ND detection function······················································································································351

Introduction to ND detection ······························································································································351

Configuring ND detection ··································································································································352

Displaying and maintaining ND detection ·······································································································352

ND detection configuration example·························································································································353

URPF configuration·················································································································································· 355

URPF overview······························································································································································355

What is URPF·······················································································································································355

URPF check modes ··············································································································································355

How URPF works ·················································································································································356

Network application ···········································································································································359

Configuring URPF·························································································································································359

URPF configuration example·······································································································································359

MFF configuration ··················································································································································· 361

MFF overview ·······························································································································································361

MFF function ························································································································································361

Operation modes ················································································································································362

Working mechanism···········································································································································363

Configuring MFF ··························································································································································363

Displaying and maintaining MFF ·······························································································································365

MFF configuration examples·······································································································································365

Auto-mode MFF configuration example in a tree network··············································································365

Auto-mode MFF configuration example in a ring network ·············································································367

Manual-mode MFF configuration example in a tree network·········································································369

Manual-mode MFF configuration example in a ring network ········································································370

SAVI configuration·················································································································································· 372

SAVI overview ······························································································································································372

Global SAVI configuration··········································································································································372

SAVI configuration in DHCPv6-only address assignment scenario ········································································373

SAVI configuration in SLAAC-only address assignment scenario···········································································375

SAVI configuration in DHCPv6+SLAAC address assignment scenario··································································377

Blacklist configuration············································································································································· 380

Blacklist overview·························································································································································380

Configuring the blacklist feature·································································································································380

Displaying and maintaining the blacklist ··················································································································380

Blacklist configuration example··································································································································381

Network requirements·········································································································································381

Verifying the configuration·································································································································381

Support and other resources ·································································································································· 382

Contacting HP ······························································································································································382

Subscription service ············································································································································382

Related information······················································································································································382

Documents····························································································································································382

Websites·······························································································································································382

Conventions ··································································································································································383

Index ········································································································································································ 385

AAA configuration

AAA overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. It can provide the following security functions:

•Authentication—Identifies users and determines whether a user is valid.

•Authorization—Grants different users different rights and controls their access to resources and

services. For example, a user who has successfully logged in to the switch can be granted read and

print permissions to the files on the switch.

•Accounting—Records all user network service usage information, including the service type, start

time, and traffic. The accounting function not only provides the information required for charging,

but also allows for network security surveillance.

AAA usually uses a client/server model. The client runs on the network access server (NAS), which is

also referred to as the access device. The server maintains user information centrally. In an AAA network,

a NAS is a server for users but a client for the AAA servers. See Figure 1.

Figure 1 Network diagram

When a user tries to log in to the NAS, use network resources, or access other networks, the NAS

authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and

accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and

a remote server exchange user information between them.

In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose

different servers for different security functions. For example, you can use the HWTACACS server for

authentication and authorization, and the RADIUS server for accounting.

You can choose the three security functions provided by AAA as required. For example, if your company

only wants employees to be authenticated before they access specific resources, you only need to

configure an authentication server. If network usage information is needed, you must also configure an

accounting server.

AAA can be implemented through multiple protocols. The switch supports using RADIUS and

HWTACACS. RADIUS is often used in practice.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that

uses a client/server model. It can protect networks against unauthorized access and is often used in

network environments where both high security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813

for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods,

RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS

provides access authentication and authorization services, and its accounting function collects and

records network resource usage information.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

designated RADIUS servers and acts on the responses (for example, rejects or accepts user access

requests).

The RADIUS server runs on the computer or workstation at the network center and maintains information

related to user authentication and network service access. It listens to connection requests, authenticates

users, and returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.

Figure 2 RADIUS server components

•Users: Stores user information, such as usernames, passwords, applied protocols, and IP addresses.

•Clients: Stores information about RADIUS clients, such as shared keys and IP addresses.

•Dictionary: Stores RADIUS protocol attributes and their values.

Security and authentication mechanisms

A RADIUS client and the RADIUS server use the same keys, which are therefore also called the shared

keys, to authenticate RADIUS packets and encrypt user passwords that are exchanged between them.

The keys are never transmitted over the network. This security mechanism improves the security of

RADIUS communication and prevents user passwords from being intercepted on insecure networks.

A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the

client of another AAA server to provide authentication proxy services.

Basic RADIUS message exchange process

Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS message exchange process

RADIUS client RADIUS server

1) Username and password

3) Access-Accept/Reject

2) Access-Request

4) Accounting-Request (start)

5) Accounting-Response

7) Accounting-Request (stop)

8) Accounting-Response

9) Notification of access termination

Host

6) The host accesses the resources

RADIUS operates in the following manner:

1. The host initiates a connection request that carries the user’s username and password to the

RADIUS client.

2. Having received the username and password, the RADIUS client sends an authentication request

(Access-Request) to the RADIUS server, with the user password encrypted by using the

Message-Digest 5 (MD5) algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, the

server sends back an Access-Accept message containing the user’s authorization information. If

the authentication fails, the server returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If it

permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a

stop-accounting request (Accounting-Request) to the RADIUS server.

8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops

accounting for the user.

9. The user stops access to network resources.

RADIUS packet format

RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS

server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism,

the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet

format.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

1. The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible

values and their meanings.

Table 1 Main values of the Code field

Code Packet type Description

1 Access-Request

From the client to the server. A packet of this type carries user

information for the server to authenticate the user. It must contain

the User-Name attribute and can optionally contain the attributes

of NAS-IP-Address, User-Password, and NAS-Port.

2 Access-Accept

From the server to the client. If all the attribute values carried in

the Access-Request are acceptable, the authentication succeeds,

and the server sends an Access-Accept response.

3 Access-Reject

From the server to the client. If any attribute value carried in the

Access-Request is unacceptable, the authentication fails and the

server sends an Access-Reject response.

4 Accounting-Request

From the client to the server. A packet of this type carries user

information for the server to start or stop accounting for the user.

The Acct-Status-Type attribute in the packet indicates whether to

start or stop accounting.

5 Accounting-Response

From the server to the client. The server sends a packet of this

type to notify the client that it has received the

Accounting-Request and has successfully recorded the

accounting information.

2. The Identifier field (1 byte long) is used to match request and response packets and to detect

duplicate request packets. Request and response packets of the same type have the same

identifier.

3. The Length field (2 byte long) indicates the length of the entire packet, including the Code,

Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered

padding and are ignored at the receiver. If the length of a received packet is less than this length,

the packet is dropped. The value of this field is in the range of 20 to 4096.

4. The Authenticator field (16 byte long) is used to authenticate replies from the RADIUS server and

to encrypt user passwords. There are two types of authenticators: request authenticator and

response authenticator.

5. The Attributes field, variable in length, carries the specific authentication, authorization, and

accounting information that defines the configuration details of the request or response. This field

may contain multiple attributes, each with three sub-fields: Type, Length, and Value.

•Type (1 byte long)—Indicates the type of the attribute. It is in the range of 1 to 255. Commonly used

RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows

a list of the attributes. For more information about commonly used standard RADIUS attributes, see

“Commonly used standard RADIUS attributes.“

•Length (1 byte long)—Indicates the length of the attribute in bytes, including the Type, Length, and

Value fields.

•Value (up to 253 bytes)—Value of the attribute. Its format and content depend on the Type and

Length fields.

Table 2 Commonly used RADIUS attributes

No. Attribute No. Attribute

1 User-Name 45 Acct-Authentic

2 User-Password 46 Acct-Session-Time

3 CHAP-Password 47 Acct-Input-Packets

4 NAS-IP-Address 48 Acct-Output-Packets

5 NAS-Port 49 Acct-Terminate-Cause

6 Service-Type 50 Acct-Multi-Session-Id

7 Framed-Protocol 51 Acct-Link-Count

8 Framed-IP-Address 52 Acct-Input-Gigawords

9 Framed-IP-Netmask 53 Acct-Output-Gigawords

10 Framed-Routing 54 (unassigned)

11 Filter-ID 55 Event-Timestamp

12 Framed-MTU 56-59 (unassigned)

13 Framed-Compression 60 CHAP-Challenge

14 Login-IP-Host 61 NAS-Port-Type

15 Login-Service 62 Port-Limit

16 Login-TCP-Port 63 Login-LAT-Port

17 (unassigned) 64 Tunnel-Type

18 Reply-Message 65 Tunnel-Medium-Type

19 Callback-Number 66 Tunnel-Client-Endpoint

20 Callback-ID 67 Tunnel-Server-Endpoint

21 (unassigned) 68 Acct-Tunnel-Connection

22 Framed-Route 69 Tunnel-Password

23 Framed-IPX-Network 70 ARAP-Password

24 State 71 ARAP-Features

25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security

No. Attribute No. Attribute

27 Session-Timeout 74 ARAP-Security-Data

28 Idle-Timeout 75 Password-Retry

29 Termination-Action 76 Prompt

30 Called-Station-Id 77 Connect-Info

31 Calling-Station-Id 78 Configuration-Token

32 NAS-Identifier 79 EAP-Message

33 Proxy-State 80 Message-Authenticator

34 Login-LAT-Service 81 Tunnel-Private-Group-id

35 Login-LAT-Node 82 Tunnel-Assignment-id

36 Login-LAT-Group 83 Tunnel-Preference

37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response

38 Framed-AppleTalk-Network 85 Acct-Interim-Interval

39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost

40 Acct-Status-Type 87 NAS-Port-Id

41 Acct-Delay-Time 88 Framed-Pool

42 Acct-Input-Octets 89 (unassigned)

43 Acct-Output-Octets 90 Tunnel-Client-Auth-id

44 Acct-Session-Id 91 Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vender-Specific), an attribute defined

by RFC 2865, allows a vender to define extended attributes to implement functions that the standard

RADIUS protocol does not provide.

A vendor can encapsulate multiple sub-attributes in the type-length-value (TLV) format in RADIUS packets

for extension of applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists

of the following parts:

•Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes

contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS

sub-attributes of HP, see “HP proprietary RADIUS sub-attributes.“

•Vendor-Type—Indicates the type of the sub-attribute.

•Vendor-Length—Indicates the length of the sub-attribute.

•Vendor-Data—Indicates the contents of the sub-attribute.

Figure 5 Segment of a RADIUS packet containing an extended attribute

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol

based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information

exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up

Network (VPDN) users, and terminal users. In a typical HWTACACS scenario, some terminal users need

to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the usernames

and passwords of the users to the HWTACACS sever for authentication. After passing authentication and

being authorized, the users log in to the switch and performs operations, and the HWTACACS server

records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They

have many features in common, such as using a client/server model, using shared keys for user

information security, and providing flexibility and extensibility. Table 3 lists their primary differences.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, providing more reliable network

transmission. Uses UDP, providing higher transport efficiency.

Encrypts the entire packet except for the HWTACACS

header.

Encrypts only the user password field in an

authentication packet.

Protocol packets are complicated and authorization is

independent of authentication. Authentication and

authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple and the authorization

process is combined with the authentication process.

Supports authorization of configuration commands.

Which commands a user can use depends on both the

user level and the AAA authorization. A user can use

only commands that are at, or lower than, the user

level and authorized by the HWTACACS server.

Does not support authorization of configuration

commands. Which commands a user can use solely

depends on the level of the user. A user can use all the

commands at, or lower than, the user level.

Basic HWTACACS message exchange process

The following takes a Telnet user as an example to describe how HWTACACS performs user

authentication, authorization, and accounting.

Figure 6 Basic HWTACACS message exchange process for a Telnet user

Host HWTACACS client HWTACACS server

1) The user logs in

2) Start-authentication packet

3) Authentication response requesting the username

4) Request for username

5) The user inputs the username

6) Authentication continuance packet with the

username

7) Authentication response requesting the login

password

8) Request for password

9) The user inputs the password

11) Authentication response indicating successful

authentication

12) User authorization request packet

13) Authorization response indicating successful

authorization

14) The user logs in successfully

15) Start-accounting request

16) Accounting response indicating the start of

accounting

17) The user logs off

18) Stop-accounting request

19) Stop-accounting response

10) Authentication continuance packet with the

Here is the process:

1. A Telnet user sends an access request to the HWTACACS client.

2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the

HWTACACS server.

3. The HWTACACS server sends back an authentication response to request the username.

4. Upon receiving the response, the HWTACACS client asks the user for the username.

5. The user enters the username.

6. After receiving the username from the user, the HWTACACS client sends the server a

continue-authentication packet that carries the username.

7. The HWTACACS server sends back an authentication response, requesting the login password.

8. Upon receipt of the response, the HWTACACS client asks the user for the login password.

9. The user enters the password.

10. After receiving the login password, the HWTACACS client sends the HWTACACS server a

continue-authentication packet that carries the login password.

11. The HWTACACS server sends back an authentication response to indicate that the user has

passed authentication.

12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.

13. The HWTACACS server sends back the authorization response, indicating that the user is now

authorized.

14. Knowing that the user is now authorized, the HWTACACS client pushes its configuration interface

to the user.

15. The HWTACACS client sends a start-accounting request to the HWTACACS server.

16. The HWTACACS server sends back an accounting response, indicating that it has received the

start-accounting request.

17. The user logs off.

18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19. The HWTACACS server sends back a stop-accounting response, indicating that the

stop-accounting request has been received.

Domain-based user management

A NAS manages users based on Internet service provider (ISP) domains. On a NAS, each user belongs

to one ISP domain. A NAS determines the ISP domain a user belongs to by the username entered by the

user at login, as shown in Figure 7.

Figure 7 Determine the ISP domain of a user by the username

The authentication, authorization, and accounting of a user depends on the AAA methods configured for

the domain that the user belongs to. If no specific AAA methods are configured for the domain, the

default methods are used. By default, a domain uses local authentication, local authorization, and local

accounting.

AAA allows you to manage users based on their access types:

•LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the

network.

•Login users—Users who want to log in to the switch, including SSH users, Telnet users, web users,

FTP users, and terminal users.

Other manuals for 3600 v2 Series

This manual suits for next models

Table of contents

Popular Network Router manuals by other brands

Siemens

Siemens RUGGEDCOM RS900 installation guide

Tenda

Tenda TEH160SK Technical specifications

QNAP

QNAP iVW-FH233 user manual

Juniper

Juniper MX960 Hardware guide

Corinex

Corinex Powerline Router user guide

Cradlepoint

Cradlepoint 5G Internet Kit quick start guide

Netis

Netis WF-2407 user manual

ei3

ei3 Amphion S14-N quick start guide

Enterasys

Enterasys 6H308-24 installation guide

Aceex

Aceex Powerline 200M user manual

Ruijie

Ruijie Reyee RG-NBR-E Series Cookbook

NetComm

NetComm 3G38WV user guide

D-Link

D-Link DI-304 user guide

D-Link

D-Link xStack DGS-3200-10 user guide

Ovislink

Ovislink AirLive Ether-FSH2400NS user manual

Sapido

Sapido WE-1510 user guide

Buffalo

Buffalo AirStation Nfiniti WZR-HP-AG300H user manual

Motorola

Motorola MR1700 quick start

HP 3600 v2 Series User manual

Popular Network Router manuals by other brands