HP 5120 SI Switch Series
Security
Configuration Guide
Part number: 5998-1815
Software version: Release 1513
Document version: 6W100-20130830

Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.

Contents
AAA configuration ······················································································································································· 1
AAA overview ···································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································8
Domain-based user management ························································································································ 10
Protocols and standards ······································································································································· 11
RADIUS attributes ·················································································································································· 11
FIPS compliance ····························································································································································· 14
AAA configuration considerations and task list·········································································································· 14
Configuring AAA schemes············································································································································ 16
Configuring local users········································································································································· 16
Configuring RADIUS schemes······························································································································ 20
Configuring HWTACACS schemes····················································································································· 31
Configuring AAA methods for ISP domains················································································································ 36
Configuration prerequisites ·································································································································· 37
Creating an ISP domain ······································································································································· 37
Configuring ISP domain attributes······················································································································· 37
Configuring AAA authentication methods for an ISP domain·········································································· 38
Configuring AAA authorization methods for an ISP domain ··········································································· 40
Configuring AAA accounting methods for an ISP domain ··············································································· 42
Tearing down user connections forcibly······················································································································ 43
Configuring a NAS ID-VLAN binding·························································································································· 43
Displaying and maintaining AAA ································································································································ 44
AAA configuration examples········································································································································ 44
AAA for Telnet users by an HWTACACS server ······························································································· 44
AAA for Telnet users by separate servers··········································································································· 46
Authentication/Authorization for SSH/Telnet users by a RADIUS server ······················································· 47
Level switching authentication for Telnet users by an HWTACACS server····················································· 51
Troubleshooting AAA ···················································································································································· 55
Troubleshooting RADIUS······································································································································· 55
Troubleshooting HWTACACS······························································································································ 56
802.1X fundamentals ················································································································································57
Architecture of 802.1X·················································································································································· 57
Controlled/uncontrolled port and port authorization status ······················································································· 57
802.1X-related protocols ·············································································································································· 58
Packet format ························································································································································· 58
EAP over RADIUS ·················································································································································· 60
Initiating 802.1X authentication··································································································································· 60
802.1X client as the initiator································································································································ 60
Access device as the initiator······························································································································· 60
802.1X authentication procedures ······························································································································ 61
A comparison of EAP relay and EAP termination······························································································ 61
EAP relay································································································································································ 62
EAP termination ····················································································································································· 63
802.1X configuration ················································································································································65
HP implementation of 802.1X ······································································································································ 65
Access control methods ········································································································································ 65
Using 802.1X authentication with other features ······························································································ 65
Configuring 802.1X ······················································································································································ 70
Configuration prerequisites ·································································································································· 70
802.1X configuration task list······························································································································ 70
Enabling 802.1X··················································································································································· 71
Specifying EAP relay or EAP termination ··········································································································· 72
Setting the port authorization state······················································································································ 72
Specifying an access control method·················································································································· 73
Setting the maximum number of concurrent 802.1X users on a port······························································ 73
Setting the maximum number of authentication request attempts ···································································· 74
Setting the 802.1X authentication timeout timers ······························································································ 74
Configuring the online user handshake function································································································ 75
Configuring the authentication trigger function ································································································· 76
Specifying a mandatory authentication domain on a port··············································································· 76
Enabling the quiet timer········································································································································ 77
Enabling the periodic online user re-authentication function············································································ 77
Configuring an 802.1X guest VLAN··················································································································· 78
Configuring an Auth-Fail VLAN ··························································································································· 79
Configuring an 802.1X critical VLAN ················································································································ 80
Specifying supported domain name delimiters·································································································· 81
Displaying and maintaining 802.1X ··························································································································· 81
802.1X configuration examples··································································································································· 82
802.1X authentication configuration example ·································································································· 82
802.1X with guest VLAN and VLAN assignment configuration example······················································· 84
802.1X with ACL assignment configuration example······················································································· 87
EAD fast deployment configuration ··························································································································89
EAD fast deployment overview····································································································································· 89
EAD fast deployment implementation ················································································································· 89
Configuring EAD fast deployment································································································································ 89
Configuration prerequisites ·································································································································· 89
Configuration procedure ······································································································································ 90
Displaying and maintaining EAD fast deployment····································································································· 91
EAD fast deployment configuration example·············································································································· 91
Troubleshooting EAD fast deployment························································································································· 93
Web browser users cannot be correctly redirected ·························································································· 93
MAC authentication configuration····························································································································95
MAC authentication overview ······································································································································ 95
User account policies············································································································································ 95
Authentication approaches ·································································································································· 95
MAC authentication timers··································································································································· 96
Using MAC authentication with other features ··········································································································· 96
VLAN assignment ·················································································································································· 96
ACL assignment ····················································································································································· 97
Guest VLAN ··························································································································································· 97
Critical VLAN························································································································································· 97
MAC authentication configuration task list ················································································································· 97
Basic configuration for MAC authentication··············································································································· 98
Configuration prerequisites ·································································································································· 98
Configuration procedure ······································································································································ 98
Specifying an authentication domain for MAC authentication users ······································································· 99
Configuring a MAC authentication guest VLAN ······································································································100
Configuration prerequisites ································································································································100
Configuration procedure ····································································································································100
Configuring a MAC authentication critical VLAN····································································································101
Configuration prerequisites ································································································································101
Configuration procedure ····································································································································101
Displaying and maintaining MAC authentication ····································································································101
MAC authentication configuration examples············································································································102
Local MAC authentication configuration example···························································································102
RADIUS-based MAC authentication configuration example···········································································103
ACL assignment configuration example············································································································105
Portal configuration················································································································································· 108
Overview·······································································································································································108
Extended portal functions ···································································································································108
Portal system components···································································································································108
Portal system using the local portal server········································································································110
Portal authentication modes ·······························································································································111
Portal support for EAP·········································································································································111
Layer 2 portal authentication process ···············································································································112
Layer 3 portal authentication process ···············································································································113
Portal configuration task list ········································································································································116
Configuration prerequisites·········································································································································117
Specifying the portal server ········································································································································118
Specifying the local portal server for Layer 2 portal authentication······························································118
Specifying a portal server for Layer 3 portal authentication ··········································································118
Configuring the local portal server ····························································································································119
Customizing authentication pages ····················································································································119
Configuring the local portal server····················································································································122
Enabling portal authentication····································································································································123
Enabling Layer 2 portal authentication ·············································································································123
Enabling Layer 3 portal authentication ·············································································································123
Controlling access of portal users ······························································································································124
Configuring a portal-free rule·····························································································································124
Configuring an authentication source subnet···································································································125
Setting the maximum number of online portal users························································································126
Specifying an authentication domain for portal users·····················································································126
Configuring Layer 2 portal authentication to support web proxy··································································127
Enabling support for portal user moving ··········································································································127
Specifying an Auth-Fail VLAN for portal authentication ··························································································128
Configuring RADIUS related attributes ······················································································································128
Specifying NAS-Port-Type for an interface ·······································································································129
Specifying a NAS ID profile for an interface ···································································································129
Specifying a source IP address for outgoing portal packets ···················································································130
Specifying an auto redirection URL for authenticated portal users·········································································130
Configuring portal detection functions·······················································································································131
Configuring online Layer 2 portal user detection ····························································································131
Configuring the portal server detection function······························································································131
Configuring portal user information synchronization······················································································133
Logging off portal users···············································································································································134
Displaying and maintaining portal ····························································································································134
Portal configuration examples ····································································································································135
Configuring direct portal authentication···········································································································135
Configuring cross-subnet portal authentication ································································································142
Configuring direct portal authentication with extended functions··································································144
Configuring cross-subnet portal authentication with extended functions·······················································146
Configuring portal server detection and portal user information synchronization·······································148
Configuring Layer 2 portal authentication········································································································156
Troubleshooting portal·················································································································································159
Inconsistent keys on the access device and the portal server·········································································159
Incorrect server port number on the access device··························································································160
Triple authentication configuration ························································································································ 161
Introduction to triple authentication····························································································································161
Overview······························································································································································161
Triple authentication mechanism ·······················································································································161
Extended functions ··············································································································································162
Triple authentication configuration task list ···············································································································163
Triple authentication configuration examples ···········································································································163
Triple authentication basic function configuration example ···········································································163
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············166
Port security configuration ······································································································································ 171
Port security overview ··················································································································································171
Port security features ···········································································································································172
Port security modes ·············································································································································172
Support for guest VLAN and Auth-Fail VLAN···································································································174
Port security configuration task list ·····························································································································175
Enabling port security ··················································································································································175
Configuration prerequisites ································································································································175
Configuration procedure ····································································································································175
Setting the maximum number of secure MAC addresses ························································································176
Setting the port security mode ····································································································································176
Configuration prerequisites ································································································································176
Configuration procedure ····································································································································177
Configuring port security features ······························································································································178
Configuring NTK ·················································································································································178
Configuring intrusion protection ························································································································178
Configuring port security traps ··························································································································179
Configuring secure MAC addresses ··························································································································179
Configuration prerequisites ································································································································180
Configuration procedure ····································································································································180
Ignoring authorization information from the server··································································································180
Displaying and maintaining port security··················································································································181
Port security configuration examples ·························································································································181
Configuring the autoLearn mode·······················································································································181
Configuring the userLoginWithOUI mode ········································································································183
Configuring the macAddressElseUserLoginSecure mode················································································187
Troubleshooting port security······································································································································190
Cannot set the port security mode·····················································································································190
Cannot configure secure MAC addresses ········································································································190
Cannot change port security mode when a user is online··············································································191
User profile configuration······································································································································· 192
User profile overview···················································································································································192
User profile configuration task list······························································································································192
Creating a user profile ················································································································································193
Configuration prerequisites ································································································································193
Creating a user profile········································································································································193
Configuring a user profile···········································································································································193
Enabling a user profile ················································································································································194
Displaying and maintaining user profile ···················································································································194
Password control configuration······························································································································ 195
Password control overview ·········································································································································195
FIPS compliance ···························································································································································197
Password control configuration task list·····················································································································198
Configuring password control ····································································································································198
Enabling password control·································································································································198
Setting global password control parameters····································································································199
Setting user group password control parameters ····························································································200
Setting local user password control parameters ······························································································201
Setting super password control parameters ·····································································································201
Setting a local user password in interactive mode ··························································································202
Displaying and maintaining password control ·········································································································202
Password control configuration example ··················································································································203
HABP configuration················································································································································· 206
Introduction to HABP····················································································································································206
Configuring HABP························································································································································207
Configuring the HABP server ·····························································································································207
Configuring an HABP client ·······························································································································207
Displaying and maintaining HABP·····························································································································208
HABP configuration example······································································································································208
Network requirements·········································································································································208
Configuration procedure ····································································································································209
Public key configuration ········································································································································· 211
Asymmetric key algorithm overview ··························································································································211
Basic concepts ·····················································································································································211
Key algorithm types·············································································································································211
Asymmetric key algorithm applications ············································································································212
FIPS compliance ···························································································································································212
Configuring the local asymmetric key pair ···············································································································212
Creating an asymmetric key pair ······················································································································212
Displaying or exporting the local RSA or DSA host public key······································································213
Destroying an asymmetric key pair ···················································································································213
Configuring a remote host's public key·····················································································································214
Displaying and maintaining public keys ···················································································································215
Public key configuration examples·····························································································································215
Configuring a remote host's public key manually ···························································································215
Importing a remote host's public key from a public key file···········································································217
PKI configuration····················································································································································· 220
Introduction to PKI ························································································································································220
PKI overview ························································································································································220
PKI terms·······························································································································································220
Architecture of PKI···············································································································································221
Applications of PKI··············································································································································222
Operation of PKI··················································································································································222
PKI configuration task list ············································································································································223
Configuring an entity DN············································································································································223
Configuring a PKI domain···········································································································································224
Submitting a PKI certificate request····························································································································226
Submitting a certificate request in auto mode··································································································226
Submitting a certificate request in manual mode·····························································································227
Retrieving a certificate manually ································································································································228
Configuring PKI certificate verification ······················································································································228
Destroying a local RSA key pair ································································································································230
Deleting a certificate····················································································································································230
Configuring an access control policy ························································································································230
Displaying and maintaining PKI ·································································································································231
PKI configuration examples·········································································································································231
Requesting a certificate from a CA running RSA Keon···················································································231
Requesting a certificate from a CA running Windows 2003 Server ····························································235
Configuring a certificate attribute-based access control policy······································································238
Troubleshooting PKI ·····················································································································································239
Failed to retrieve a CA certificate······················································································································239
Failed to request a local certificate ···················································································································240
Failed to retrieve CRLs ········································································································································241
SSH2.0 configuration ············································································································································· 242
SSH2.0 overview ·························································································································································242
Introduction to SSH2.0 ·······································································································································242
SSH operation ·····················································································································································242
FIPS compliance ···························································································································································245
Configuring the device as an SSH server··················································································································245
SSH server configuration task list ······················································································································245
Generating a DSA or RSA key pair ··················································································································245
Enabling the SSH server function·······················································································································246
Configuring the user interfaces for SSH clients································································································246
Configuring a client public key··························································································································247
Configuring an SSH user····································································································································248
Setting the SSH management parameters ········································································································249
Configuring the device as an SSH client···················································································································250
SSH client configuration task list························································································································250
Specifying a source IP address/interface for the SSH client ··········································································250
Configuring whether first-time authentication is supported·············································································250
Establishing a connection between the SSH client and server ·······································································251
Displaying and maintaining SSH ·······························································································································252
SSH server configuration examples ···························································································································253
When switch acts as server for password authentication···············································································253
When switch acts as server for publickey authentication ···············································································255
SSH client configuration examples·····························································································································260
When switch acts as client for password authentication ················································································260
When switch acts as client for publickey authentication ················································································263
SFTP configuration ·················································································································································· 266
SFTP overview·······························································································································································266
Configuring the device as an SFTP server·················································································································266
Configuration prerequisites ································································································································266
Enabling the SFTP server ····································································································································266
Configuring the SFTP connection idle timeout period ·····················································································267
Configuring the device as an SFTP client ················································································································267
Specifying a source IP address or interface for the SFTP client······································································267
Establishing a connection to the SFTP server····································································································267
Working with SFTP directories···························································································································268
Working with SFTP files······································································································································269
Displaying help information ·······························································································································269
Terminating the connection to the remote SFTP server ····················································································269
SFTP client configuration example ·····························································································································270
SFTP server configuration example ····························································································································273
SCP configuration ··················································································································································· 276
SCP overview································································································································································276
Configuring the switch as an SCP server ··················································································································276
Configuring the switch as the SCP client···················································································································277
SCP client configuration example······················································································································277
SCP server configuration example ····················································································································278
SSL configuration ···················································································································································· 280
SSL overview·································································································································································280
SSL security mechanism ······································································································································280
SSL protocol stack ···············································································································································281
FIPS compliance ···························································································································································282
SSL configuration task list············································································································································282
Configuring an SSL server policy ·······························································································································282
Configuration prerequisites ································································································································282
Configuration procedure ····································································································································282
SSL server policy configuration example ··········································································································283
Configuring an SSL client policy ································································································································285
Configuration prerequisites ································································································································285
Configuration procedure ····································································································································285
Displaying and maintaining SSL·································································································································286
Troubleshooting SSL·····················································································································································286
SSL handshake failure·········································································································································286
TCP attack protection configuration······················································································································· 288
TCP attack protection overview ··································································································································288
Enabling the SYN Cookie feature ······························································································································288
Enabling protection against Naptha attacks·············································································································289
Displaying and maintaining TCP attack protection ··································································································289
IP source guard configuration ································································································································ 290
IP source guard overview············································································································································290
IP source guard entries ················································································································································290
Configuring IPv4 source guard···································································································································291
Configuring static IPv4 source guard················································································································291
Configuring dynamic IPv4 source guard ··········································································································292
Setting the maximum number of IPv4 source guard entries············································································293
Configuring IPv6 source guard···································································································································293
Configuring static IPv6 source guard················································································································293
Configuring dynamic IPv6 source guard ··········································································································294
Setting the maximum number of IPv6 source guard entries············································································295
Displaying and maintaining IP source guard············································································································295
IP source guard configuration examples ···················································································································296
Static IPv4 source guard configuration example ·····························································································296
Dynamic IPv4 source guard using DHCP snooping configuration example·················································297
Dynamic IPv4 source guard using DHCP relay configuration example ························································299
Static IPv6 source guard configuration example ·····························································································300
Dynamic IPv6 source guard using DHCPv6 snooping configuration example·············································300
Dynamic IPv6 source guard using ND snooping configuration example ·····················································302
Troubleshooting IP source guard ································································································································303
Neither static nor dynamic IP source guard can be configured·····································································303
ARP attack protection configuration ······················································································································ 304
ARP attack protection overview··································································································································304
ARP attack protection configuration task list ·············································································································304
Configuring ARP packet rate limit ······························································································································305
Configuring ARP packet rate limit ·····················································································································305
Configuring source MAC address based ARP attack detection ·············································································306
Introduction ··························································································································································306
Configuration procedure ····································································································································306
Displaying and maintaining source MAC address based ARP attack detection··········································307
Configuring ARP packet source MAC address consistency check ·········································································307
Introduction ··························································································································································307
Configuration procedure ····································································································································307
Configuring ARP active acknowledgement ···············································································································307
Introduction ··························································································································································307
Configuration procedure ····································································································································307
Configuring ARP detection··········································································································································308
Introduction ··························································································································································308
Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses ···············································································308
Configuring ARP detection based on specified objects ··················································································309
Configuring ARP restricted forwarding ·············································································································310
Displaying and maintaining ARP detection ······································································································310
ARP detection configuration example I·············································································································311
ARP detection configuration example II ············································································································312
ARP restricted forwarding configuration example ···························································································313
Configuring ARP gateway protection ························································································································315
Introduction ··························································································································································315
Configuration procedure ····································································································································315
ARP gateway protection configuration example······························································································316
Configuring ARP filtering·············································································································································317
Introduction ··························································································································································317
Configuration procedure ····································································································································317
ARP filtering configuration example··················································································································317
ND attack defense configuration ··························································································································· 319
Introduction to ND attack defense······························································································································319
Enabling source MAC consistency check for ND packets·······················································································320
Configuring the ND detection function······················································································································320
Introduction to ND detection ······························································································································320
Configuring ND detection ··································································································································321
Displaying and maintaining ND detection ·······································································································322
ND detection configuration example·························································································································322
SAVI configuration·················································································································································· 325
SAVI overview ······························································································································································325
Global SAVI configuration··········································································································································325
SAVI configuration in DHCPv6-only address assignment scenario ········································································326
SAVI configuration in SLAAC-only address assignment scenario···········································································328
SAVI configuration in DHCPv6+SLAAC address assignment scenario··································································330
System-guard configuration···································································································································· 333
Configuring system-guard ···········································································································································333
Displaying system-guard··············································································································································334
System-guard configuration example·························································································································334
Network requirements·········································································································································334
Configuration procedure ····································································································································334
Configuring FIPS······················································································································································ 335
Overview·······································································································································································335
FIPS self-tests ·································································································································································335
Power-up self-test ·················································································································································335
Conditional self-tests············································································································································335
Triggering a self-test ············································································································································335
Configuration procedure·············································································································································336

Enabling the FIPS mode······································································································································336
Triggering a self-test ············································································································································337
Displaying and maintaining FIPS ·······························································································································337
FIPS configuration example·········································································································································337
Network requirements·········································································································································337
Configuration procedure ····································································································································337
Verifying the configuration·································································································································338
Configuring IPsec ···················································································································································· 340
Overview·······································································································································································340
Basic concepts ·····················································································································································340
Protocols and standards ·····································································································································343
Configuring IPsec ·························································································································································343
Implementing ACL-based IPsec ···································································································································343
Feature Restrictions··············································································································································343
ACL-based IPsec configuration task list ·············································································································343
Configuring ACLs ················································································································································344
Configuring an IPsec proposal ··························································································································345
Configuring an IPsec policy ·······························································································································346
Applying an IPsec policy group to an interface·······························································································349
Configuring the IPsec session idle timeout········································································································350
Enabling ACL checking of de-encapsulated IPsec packets ·············································································350
Configuring the IPsec anti-replay function ········································································································351
Configuring packet information pre-extraction ································································································351
Displaying and maintaining IPsec ······························································································································352
IPsec configuration examples······································································································································352
IKE-based IPsec tunnel for IPv4 packets configuration example·····································································352
Configuring IKE······················································································································································· 355
Overview·······································································································································································355
IKE security mechanism·······································································································································355
IKE operation ·······················································································································································355
IKE functions·························································································································································356
Relationship between IKE and IPsec··················································································································357
Protocols and standards ·····································································································································357
IKE configuration task list ············································································································································357
Configuring a name for the local security gateway·································································································358
Configuring an IKE proposal ······································································································································358
Configuring an IKE peer··············································································································································359
Setting keepalive timers···············································································································································361
Setting the NAT keepalive timer·································································································································361
Configuring a DPD detector········································································································································362
Disabling next payload field checking ······················································································································362
Displaying and maintaining IKE·································································································································363
IKE configuration example ··········································································································································363
Troubleshooting IKE ·····················································································································································366
Invalid user ID······················································································································································366
Proposal mismatch ··············································································································································366
Failing to establish an IPsec tunnel····················································································································367
ACL configuration error ······································································································································367
Support and other resources ·································································································································· 368
Contacting HP ······························································································································································368
Subscription service ············································································································································368
Related information······················································································································································368
Documents····························································································································································368

Websites·······························································································································································368
Conventions ··································································································································································369
Index ········································································································································································ 371

AAA configuration
This chapter includes these sections:
• AAA overview
• AAA configuration considerations and task list
• Displaying and maintaining AAA
• AAA configuration examples
• Troubleshooting AAA
AAA overview
This section covers these topics:
• RADIUS
• HWTACACS
• Domain-based user management
• Protocols and standards
• RADIUS attributes
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and
services. For example, a user who has successfully logged in to the device can be granted read and
print permissions to the files on the device.
• Accounting—Records all network service usage information of users, including the service type,
start time, and traffic. The accounting function not only provides the information required for
charging, but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS) and the
server maintains user information centrally. In an AAA network, a NAS is a server for users but a client
for the AAA servers, as shown in Figure 1.

Figure 1 Network diagram for AAA
When a user tries to log in to the NAS, use network resources, or access other networks, the NAS
authenticates the user. The NAS can transparently pass the user's authentication, authorization, and
accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and
a remote server exchange user information between them.
In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose
different servers for different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and the RADIUS server for accounting.
You can use AAA to provide only one or two security functions, if desired. For example, if your company
only wants employees to be authenticated before they access specific resources, you only need to
configure an authentication server. If network usage information is expected to be recorded, you also
need to configure an accounting server.
AAA can be implemented through multiple protocols. The device supports using RADIUS and
HWTACACS for AAA. RADIUS is often used in practice.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. RADIUS can protect networks against unauthorized access and is often used
in network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services, and its accounting function collects
and records network resource usage information.
Client/Server Model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, it rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates

users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary, as
shown in Figure 2.
Figure 2 RADIUS server components
• Users—Stores user information such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Security and Authentication Mechanisms
Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared
key, which is never transmitted over the network. This enhances the information exchange security. In
addition, to prevent user passwords from being intercepted in non-secure networks, RADIUS encrypts
passwords before transmitting them.
A RADIUS server supports multiple user authentication methods, such as the Password Authentication
Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Moreover, a RADIUS
server can act as the client of another AAA server to provide authentication proxy services.
RADIUS Basic Message Exchange Process
Figure 3 illustrates the interaction between the host, the RADIUS client, and the RADIUS server.

Figure 3 RADIUS basic message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request carrying the username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request
(Access-Request) to the RADIUS server, with the user password encrypted by using the
Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, it
sends back an Access-Accept message containing the user's authorization information. If the
authentication fails, it returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it
permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a
stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops
accounting for the user.
9. The user stops access to network resources.
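The following Python is an added illustration, not code from this guide or from HP. It implements the two MD5-based mechanisms the exchange above relies on: the RFC 2865 User-Password hiding that step 2 describes as "encrypted by using MD5 and the shared key", and the Response Authenticator with which the RADIUS client checks that an Access-Accept or Access-Reject really came from a holder of the shared key (the role of the Authenticator field in the packet format). The shared key, Request Authenticator, passwords and attribute bytes are constructed values.

```python
import hashlib
import secrets

# Added example, not code from the HP guide. Implements RFC 2865 section 5.2
# (User-Password hiding) and section 3 (Response Authenticator). The shared key,
# Request Authenticator and passwords used below are constructed sample values.

BLOCK = 16          # MD5 digest size; passwords are hidden 16 bytes at a time


def hide_password(password: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """Client side: pad the password with NULs to a multiple of 16 bytes, then
    XOR each block with MD5(shared_key + previous ciphertext block). The Request
    Authenticator stands in for the 'previous block' of the first block."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(shared_key + prev).digest()
        cipher = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += cipher
        prev = cipher
    return bytes(hidden)


def reveal_password(hidden: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """Server side: each mask depends on the previous *ciphertext* block, which
    the server already holds, so it recomputes every mask from the shared key
    alone. Trailing NUL padding is stripped."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        mask = hashlib.md5(shared_key + prev).digest()
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, length: int,
                           request_auth: bytes, attributes: bytes,
                           shared_key: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + shared_key).
    The server puts this in the Authenticator field of its reply; the client
    recomputes it and discards a reply that does not match (wrong key, altered
    packet, or a reply not produced by the real server)."""
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + shared_key).digest()


def build_reply(code: int, identifier: int, request_auth: bytes,
                attributes: bytes, shared_key: bytes) -> bytes:
    """Server side: assemble a reply datagram carrying the Response Authenticator."""
    length = 20 + len(attributes)
    auth = response_authenticator(code, identifier, length, request_auth, attributes, shared_key)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + auth + attributes


def reply_is_authentic(reply: bytes, request_auth: bytes, shared_key: bytes) -> bool:
    """Client side: verify a complete reply datagram against the Request Authenticator
    of the outstanding request. Uses a constant-time comparison."""
    if len(reply) < 20:
        return False
    code, identifier = reply[0], reply[1]
    length = int.from_bytes(reply[2:4], "big")
    if length < 20 or len(reply) < length:
        return False
    expected = response_authenticator(code, identifier, length, request_auth,
                                      reply[20:length], shared_key)
    return secrets.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    key = b"constructed-shared-key"
    req_auth = secrets.token_bytes(BLOCK)           # fresh per request in a real client
    hidden = hide_password(b"hunter2", key, req_auth)
    print(reveal_password(hidden, key, req_auth))   # the original password
    reply = build_reply(2, 1, req_auth, b"", key)   # Access-Accept without attributes
    print(reply_is_authentic(reply, req_auth, key)) # True
```

Note that the hiding scheme is a stream of MD5 masks, not an authenticated cipher: it protects the password from a casual observer on an untrusted path, but the Request Authenticator must be fresh and unpredictable for each request, and the overall security still rests on the strength and secrecy of the shared key.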
RADIUS Packet Format
RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS
server and the client through a series of mechanisms, including: the timer management mechanism, the
retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet
format.

Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible
values and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type carries user
information for the server to authenticate the user. It must contain
the User-Name attribute and can optionally contain the attributes
of NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all the attribute values carried in
the Access-Request are acceptable, the authentication succeeds,
and the server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value carried in the
Access-Request is unacceptable, the authentication fails and the
server sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type carries user
information for the server to start or stop accounting for the user.
The Acct-Status-Type attribute in the packet indicates whether to
start or stop accounting.
5 Accounting-Response
From the server to the client. The server sends a packet of this
type to notify the client that it has received the
Accounting-Request and has correctly recorded the accounting
information.
• The Identifier field (1 byte long) is used to match request packets and response packets and to detect
retransmitted request packets. Request and response packets of the same type have the same
identifier.
• The Length field (2 bytes long) indicates the length of the entire packet, including the Code,
Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered
padding and are neglected upon reception. If the length of a received packet is less than this length,
the packet is dropped. The value of this field is in the range 20 to 4096.
• The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to
encrypt user passwords. There are two types of authenticators: request authenticator and response
authenticator.

• The Attribute field, with a variable length, carries the specific authentication, authorization, and
accounting information that defines the configuration details of the request or response. This field
contains multiple attributes, and each attribute is represented in triplets of Type, Length, and Value.
  • Type—One byte, in the range 1 to 255. It indicates the type of the attribute. Commonly used
  attributes for RADIUS authentication, authorization and accounting are listed in Table 2.
  • Length—One byte for indicating the length of the attribute (including the Type, Length, and
  Value fields), in bytes.
  • Value—Attribute value, up to 253 bytes. Its format and content depend on the Type and Length
  fields.
Table 2 RADIUS attributes
No. Attribute No. Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data

28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
NOTE:
• The attribute types listed in Table 2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
• For more information about commonly used standard RADIUS attributes, see "Commonly used
standard RADIUS attributes."
Extended RADIUS Attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), defined by RFC 2865,
allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol
does not provide.
A vendor can encapsulate multiple type-length-value (TLV) sub-attributes in RADIUS packets for extension
in applications. As shown in Figure 5, a sub-attribute that can be encapsulated in Attribute 26 consists
of the following parts:
• Vendor-ID—ID of the vendor (4 bytes long). Its most significant byte is 0; the other three bytes
contain a code that is compliant with RFC 1700. For more information about the proprietary RADIUS
sub-attributes of HP, see "Proprietary RADIUS sub-attributes of HP."
• Vendor-Type—Type of the sub-attribute.
• Vendor-Length—Length of the sub-attribute.
• Vendor-Data—Contents of the sub-attribute.

Figure 5 Segment of a RADIUS packet containing an extended attribute
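The following Python is an added example, not code from this guide or from HP. It builds and parses RADIUS packets with the field layout described above (Code, Identifier, Length, Authenticator, TLV attributes), applies the receive rules the Length field description gives (drop packets shorter than Length, ignore bytes beyond it, accept only 20 to 4096), and splits an Attribute 26 value into the Vendor-ID, Vendor-Type, Vendor-Length and Vendor-Data parts of Figure 5. The vendor ID 99999, the sub-attribute type and all sample bytes are constructed.

```python
import struct

# Added example, not code from the HP guide: a small RADIUS packet codec for the
# layout described in the text. Vendor ID, sub-attribute type and sample values
# are constructed.

HEADER_LEN = 20                     # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MIN_LENGTH, MAX_LENGTH = 20, 4096   # valid range of the Length field
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
MAX_VALUE_LEN = 253                 # one-byte Length covers Type + Length + Value


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) | Length (1 byte, includes Type and Length) | Value."""
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute Type must be 1..255")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("attribute Value is limited to 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vsa(vendor_id: int, vendor_type: int, vendor_data: bytes) -> bytes:
    """Attribute 26 carrying one sub-attribute: Vendor-ID (4 bytes, high byte 0),
    Vendor-Type, Vendor-Length (covers type, length and data), Vendor-Data."""
    if vendor_id >> 24:
        raise ValueError("most significant byte of Vendor-ID must be 0")
    if len(vendor_data) > MAX_VALUE_LEN - 6:
        raise ValueError("sub-attribute does not fit in one Attribute 26")
    sub = bytes([vendor_type, len(vendor_data) + 2]) + vendor_data
    return encode_attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: list) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("Authenticator must be 16 bytes")
    body = b"".join(attributes)
    length = HEADER_LEN + len(body)
    if length > MAX_LENGTH:
        raise ValueError("packet exceeds 4096 bytes")
    return struct.pack("!BBH", code, identifier, length) + authenticator + body


def parse_packet(datagram: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Raises ValueError where a receiver following the text would drop the packet.
    Bytes past Length are padding and ignored; an attribute whose Length would
    run past the packet Length is rejected instead of being read out of bounds."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("drop: shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError("drop: Length field out of range 20..4096")
    if len(datagram) < length:
        raise ValueError("drop: datagram shorter than its Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = datagram[pos], datagram[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute Length inconsistent with packet Length")
        attrs.append((attr_type, datagram[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, datagram[4:HEADER_LEN], attrs


def would_drop(datagram: bytes) -> bool:
    """True when a receiver applying the rules above discards the datagram."""
    try:
        parse_packet(datagram)
    except ValueError:
        return True
    return False


def parse_vsa(value: bytes):
    """Split an Attribute 26 value into (vendor_id, [(vendor_type, vendor_data), ...]).
    Assumes the TLV sub-attribute layout of Figure 5, which RFC 2865 recommends
    but does not require of every vendor."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("most significant byte of Vendor-ID must be 0")
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("Vendor-Length inconsistent with attribute length")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


if __name__ == "__main__":
    req_auth = bytes(range(16))                      # constructed Request Authenticator
    pkt = build_packet(1, 7, req_auth, [             # constructed Access-Request
        encode_attribute(ATTR_USER_NAME, b"nemo"),
        encode_vsa(99999, 1, b"\x00\x00\x00\x03")])  # constructed vendor ID and sub-attribute
    code, ident, auth, attrs = parse_packet(pkt + b"\x00" * 3)   # trailing padding ignored
    print(code, ident, attrs, parse_vsa(attrs[1][1]))
```

The bounds checks in parse_packet and parse_vsa are the part worth copying: both the outer attribute Length and the inner Vendor-Length are attacker-controlled bytes, and a parser that trusts them reads past the datagram.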
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information
exchange between the NAS and the HWTACACS server.
HWTACACS mainly provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up
Network (VPDN) users, and terminal users. In a typical HWTACACS application, some terminal users
need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the
username and password of a user to the HWTACACS server for authentication. After passing
authentication and being authorized, the user logs in to the device and performs operations, and the
HWTACACS server records the operations that the user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They
have many features in common, like using a client/server model, using shared keys for user information
security, and providing flexibility and extensibility. HWTACACS and RADIUS do have differences, as
listed in Table 3.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS: Uses TCP, providing more reliable network transmission.
RADIUS: Uses UDP, providing higher transport efficiency.

HWTACACS: Encrypts the entire packet except for the HWTACACS header.
RADIUS: Encrypts only the user password field in an authentication packet.

HWTACACS: Protocol packets are complicated and authorization is independent of authentication.
Authentication and authorization can be deployed on different HWTACACS servers.
RADIUS: Protocol packets are simple and the authorization process is combined with the
authentication process.

HWTACACS: Supports authorization of configuration commands. Which commands a user can use
depends on both the user level and AAA authorization. A user can use only commands that are
not only of, or lower than, the user level but also authorized by the HWTACACS server.
RADIUS: Does not support authorization of configuration commands. Which commands a user
can use depends on the level of the user, and a user can use all the commands of, or lower
than, the user level.
HWTACACS basic message exchange process
The following takes a Telnet user as an example to describe how HWTACACS performs user
authentication, authorization, and accounting.