Hp 5120 si series User manual

HP 5120 SI Switch Series

Security

Configuration Guide

Part number: 5998-1815

Software version: Release 1513

Document version: 6W100-20130830

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or

use of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained

herein.

i

Contents

AAA configuration ······················································································································································· 1

AAA overview ···································································································································································1

RADIUS······································································································································································2

HWTACACS ·····························································································································································8

Domain-based user management ························································································································ 10

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 11

FIPS compliance ····························································································································································· 14

AAA configuration considerations and task list·········································································································· 14

Configuring AAA schemes············································································································································ 16

Configuring local users········································································································································· 16

Configuring RADIUS schemes······························································································································ 20

Configuring HWTACACS schemes····················································································································· 31

Configuring AAA methods for ISP domains················································································································ 36

Configuration prerequisites ·································································································································· 37

Creating an ISP domain ······································································································································· 37

Configuring ISP domain attributes······················································································································· 37

Configuring AAA authentication methods for an ISP domain·········································································· 38

Configuring AAA authorization methods for an ISP domain ··········································································· 40

Configuring AAA accounting methods for an ISP domain ··············································································· 42

Tearing down user connections forcibly······················································································································ 43

Configuring a NAS ID-VLAN binding·························································································································· 43

Displaying and maintaining AAA ································································································································ 44

AAA configuration examples········································································································································ 44

AAA for Telnet users by an HWTACACS server ······························································································· 44

AAA for Telnet users by separate servers··········································································································· 46

Authentication/Authorization for SSH/Telnet users by a RADIUS server ······················································· 47

Level switching authentication for Telnet users by an HWTACACS server····················································· 51

Troubleshooting AAA ···················································································································································· 55

Troubleshooting RADIUS······································································································································· 55

Troubleshooting HWTACACS······························································································································ 56

802.1X fundamentals ················································································································································57

Architecture of 802.1X·················································································································································· 57

Controlled/uncontrolled port and pot authorization status ······················································································· 57

802.1X-related protocols ·············································································································································· 58

Packet format ························································································································································· 58

EAP over RADIUS ·················································································································································· 60

Initiating 802.1X authentication··································································································································· 60

802.1X client as the initiator································································································································ 60

Access device as the initiator······························································································································· 60

802.1X authentication procedures ······························································································································ 61

A comparison of EAP relay and EAP termination······························································································ 61

EAP relay································································································································································ 62

EAP termination ····················································································································································· 63

802.1X configuration ················································································································································65

HP implementation of 802.1X ······································································································································ 65

Access control methods ········································································································································ 65

Using 802.1X authentication with other features ······························································································ 65

ii

Configuring 802.1X ······················································································································································ 70

Configuration prerequisites ·································································································································· 70

802.1X configuration task list······························································································································ 70

Enabling 802.1X··················································································································································· 71

Specifying EAP relay or EAP termination ··········································································································· 72

Setting the port authorization state······················································································································ 72

Specifying an access control method·················································································································· 73

Setting the maximum number of concurrent 802.1X users on a port······························································ 73

Setting the maximum number of authentication request attempts ···································································· 74

Setting the 802.1X authentication timeout timers ······························································································ 74

Configuring the online user handshake function································································································ 75

Configuring the authentication trigger function ································································································· 76

Specifying a mandatory authentication domain on a port··············································································· 76

Enabling the quiet timer········································································································································ 77

Enabling the periodic online user re-authentication function············································································ 77

Configuring an 802.1X guest VLAN··················································································································· 78

Configuring an Auth-Fail VLAN ··························································································································· 79

Configuring an 802.1X critical VLAN ················································································································ 80

Specifying supported domain name delimiters·································································································· 81

Displaying and maintaining 802.1X ··························································································································· 81

802.1X configuration examples··································································································································· 82

802.1X authentication configuration example ·································································································· 82

802.1X with guest VLAN and VLAN assignment configuration example······················································· 84

802.1X with ACL assignment configuration example······················································································· 87

EAD fast deployment configuration ··························································································································89

EAD fast deployment overview····································································································································· 89

EAD fast deployment implementation ················································································································· 89

Configuring EAD fast deployment································································································································ 89

Configuration prerequisites ·································································································································· 89

Configuration procedure ······································································································································ 90

Displaying and maintaining EAD fast deployment····································································································· 91

EAD fast deployment configuration example·············································································································· 91

Troubleshooting EAD fast deployment························································································································· 93

Web browser users cannot be correctly redirected ·························································································· 93

MAC authentication configuration····························································································································95

MAC authentication overview ······································································································································ 95

User account policies············································································································································ 95

Authentication approaches ·································································································································· 95

MAC authentication timers··································································································································· 96

Using MAC authentication with other features ··········································································································· 96

VLAN assignment ·················································································································································· 96

ACL assignment ····················································································································································· 97

Guest VLAN ··························································································································································· 97

Critical VLAN························································································································································· 97

MAC authentication configuration task list ················································································································· 97

Basic configuration for MAC authentication··············································································································· 98

Configuration prerequisites ·································································································································· 98

Configuration procedure ······································································································································ 98

Specifying an authentication domain for MAC authentication users ······································································· 99

Configuring a MAC authentication guest VLAN ······································································································100

Configuration prerequisites ································································································································100

Configuration procedure ····································································································································100

Configuring a MAC authentication critical VLAN····································································································101

iii

Configuration prerequisites ································································································································101

Configuration procedure ····································································································································101

Displaying and maintaining MAC authentication ····································································································101

MAC authentication configuration examples············································································································102

Local MAC authentication configuration example···························································································102

RADIUS-based MAC authentication configuration example···········································································103

ACL assignment configuration example············································································································105

Portal configuration················································································································································· 108

Overview·······································································································································································108

Extended portal functions ···································································································································108

Portal system components···································································································································108

Portal system using the local portal server········································································································110

Portal authentication modes ·······························································································································111

Portal support for EAP·········································································································································111

Layer 2 portal authentication process ···············································································································112

Layer 3 portal authentication process ···············································································································113

Portal configuration task list ········································································································································116

Configuration prerequisites·········································································································································117

Specifying the portal server ········································································································································118

Specifying the local portal server for Layer 2 portal authentication······························································118

Specifying a portal server for Layer 3 portal authentication ··········································································118

Configuring the local portal server ····························································································································119

Customizing authentication pages ····················································································································119

Configuring the local portal server····················································································································122

Enabling portal authentication····································································································································123

Enabling Layer 2 portal authentication ·············································································································123

Enabling Layer 3 portal authentication ·············································································································123

Controlling access of portal users ······························································································································124

Configuring a portal-free rule·····························································································································124

Configuring an authentication source subnet···································································································125

Setting the maximum number of online portal users························································································126

Specifying an authentication domain for portal users·····················································································126

Configuring Layer 2 portal authentication to support web proxy··································································127

Enabling support for portal user moving ··········································································································127

Specifying an Auth-Fail VLAN for portal authentication ··························································································128

Configuring RADIUS related attributes ······················································································································128

Specifying NAS-Port-Type for an interface ·······································································································129

Specifying a NAS ID profile for an interface ···································································································129

Specifying a source IP address for outgoing portal packets ···················································································130

Specifying an auto redirection URL for authenticated portal users·········································································130

Configuring portal detection functions·······················································································································131

Configuring online Layer 2 portal user detection ····························································································131

Configuring the portal server detection function······························································································131

Configuring portal user information synchronization······················································································133

Logging off portal users···············································································································································134

Displaying and maintaining portal ····························································································································134

Portal configuration examples ····································································································································135

Configuring direct portal authentication···········································································································135

Configuring cross-subnet portal authentication ································································································142

Configuring direct portal authentication with extended functions··································································144

Configuring cross-subnet portal authentication with extended functions·······················································146

Configuring portal server detection and portal user information synchronization·······································148

Configuring Layer 2 portal authentication········································································································156

Troubleshooting portal·················································································································································159

iv

Inconsistent keys on the access device and the portal server·········································································159

Incorrect server port number on the access device··························································································160

Triple authentication configuration ························································································································ 161

Introduction to triple authentication····························································································································161

Overview······························································································································································161

Triple authentication mechanism ·······················································································································161

Extended functions ··············································································································································162

Triple authentication configuration task list ···············································································································163

Triple authentication configuration examples ···········································································································163

Triple authentication basic function configuration example ···········································································163

Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············166

Port security configuration ······································································································································ 171

Port security overview ··················································································································································171

Port security features ···········································································································································172

Port security modes ·············································································································································172

Support for guest VLAN and Auth-Fail VLAN···································································································174

Port security configuration task list ·····························································································································175

Enabling port security ··················································································································································175

Configuration prerequisites ································································································································175

Configuration procedure ····································································································································175

Setting the maximum number of secure MAC addresses ························································································176

Setting the port security mode ····································································································································176

Configuration prerequisites ································································································································176

Configuration procedure ····································································································································177

Configuring port security features ······························································································································178

Configuring NTK ·················································································································································178

Configuring intrusion protection ························································································································178

Configuring port security traps ··························································································································179

Configuring secure MAC addresses ··························································································································179

Configuration prerequisites ································································································································180

Configuration procedure ····································································································································180

Ignoring authorization information from the server··································································································180

Displaying and maintaining port security··················································································································181

Port security configuration examples ·························································································································181

Configuring the autoLearn mode·······················································································································181

Configuring the userLoginWithOUI mode ········································································································183

Configuring the macAddressElseUserLoginSecure mode················································································187

Troubleshooting port security······································································································································190

Cannot set the port security mode·····················································································································190

Cannot configure secure MAC addresses ········································································································190

Cannot change port security mode when a user is online··············································································191

User profile configuration······································································································································· 192

User profile overview···················································································································································192

User profile configuration task list······························································································································192

Creating a user profile ················································································································································193

Configuration prerequisites ································································································································193

Creating a user profile········································································································································193

Configuring a user profile···········································································································································193

Enabling a user profile ················································································································································194

Displaying and maintaining user profile ···················································································································194

Password control configuration······························································································································ 195

Password control overview ·········································································································································195

v

FIPS compliance ···························································································································································197

Password control configuration task list·····················································································································198

Configuring password control ····································································································································198

Enabling password control·································································································································198

Setting global password control parameters····································································································199

Setting user group password control parameters ····························································································200

Setting local user password control parameters ······························································································201

Setting super password control parameters ·····································································································201

Setting a local user password in interactive mode ··························································································202

Displaying and maintaining password control ·········································································································202

Password control configuration example ··················································································································203

HABP configuration················································································································································· 206

Introduction to HABP····················································································································································206

Configuring HABP························································································································································207

Configuring the HABP server ·····························································································································207

Configuring an HABP client ·······························································································································207

Displaying and maintaining HABP·····························································································································208

HABP configuration example······································································································································208

Network requirements·········································································································································208

Configuration procedure ····································································································································209

Public key configuration ········································································································································· 211

Asymmetric key algorithm overview ··························································································································211

Basic concepts ·····················································································································································211

Key algorithm types·············································································································································211

Asymmetric key algorithm applications ············································································································212

FIPS compliance ···························································································································································212

Configuring the local asymmetric key pair ···············································································································212

Creating an asymmetric key pair ······················································································································212

Displaying or exporting the local RSA or DSA host public key······································································213

Destroying an asymmetric key pair ···················································································································213

Configuring a remote host's public key·····················································································································214

Displaying and maintaining public keys ···················································································································215

Public key configuration examples·····························································································································215

Configuring a remote host's public key manually ···························································································215

Importing a remote host's public key from a public key file···········································································217

PKI configuration····················································································································································· 220

Introduction to PKI ························································································································································220

PKI overview ························································································································································220

PKI terms·······························································································································································220

Architecture of PKI···············································································································································221

Applications of PKI··············································································································································222

Operation of PKI··················································································································································222

PKI configuration task list ············································································································································223

Configuring an entity DN············································································································································223

Configuring a PKI domain···········································································································································224

Submitting a PKI certificate request····························································································································226

Submitting a certificate request in auto mode··································································································226

Submitting a certificate request in manual mode·····························································································227

Retrieving a certificate manually ································································································································228

Configuring PKI certificate verification ······················································································································228

Destroying a local RSA key pair ································································································································230

Deleting a certificate····················································································································································230

Configuring an access control policy ························································································································230

vi

Displaying and maintaining PKI ·································································································································231

PKI configuration examples·········································································································································231

Requesting a certificate from a CA running RSA Keon···················································································231

Requesting a certificate from a CA running Windows 2003 Server ····························································235

Configuring a certificate attribute-based access control policy······································································238

Troubleshooting PKI ·····················································································································································239

Failed to retrieve a CA certificate······················································································································239

Failed to request a local certificate ···················································································································240

Failed to retrieve CRLs ········································································································································241

SSH2.0 configuration ············································································································································· 242

SSH2.0 overview ·························································································································································242

Introduction to SSH2.0 ·······································································································································242

SSH operation ·····················································································································································242

FIPS compliance ···························································································································································245

Configuring the device as an SSH server··················································································································245

SSH server configuration task list ······················································································································245

Generating a DSA or RSA key pair ··················································································································245

Enabling the SSH server function·······················································································································246

Configuring the user interfaces for SSH clients································································································246

Configuring a client public key··························································································································247

Configuring an SSH user····································································································································248

Setting the SSH management parameters ········································································································249

Configuring the device as an SSH client···················································································································250

SSH client configuration task list························································································································250

Specifying a source IP address/interface for the SSH client ··········································································250

Configuring whether first-time authentication is supported·············································································250

Establishing a connection between the SSH client and server ·······································································251

Displaying and maintaining SSH ·······························································································································252

SSH server configuration examples ···························································································································253

When switch acts as server for password authentication···············································································253

When switch acts as server for publickey authentication ···············································································255

SSH client configuration examples·····························································································································260

When switch acts as client for password authentication ················································································260

When switch acts as client for publickey authentication ················································································263

SFTP configuration ·················································································································································· 266

SFTP overview·······························································································································································266

Configuring the device as an SFTP server·················································································································266

Configuration prerequisites ································································································································266

Enabling the SFTP server ····································································································································266

Configuring the SFTP connection idle timeout period ·····················································································267

Configuring the device an SFTP client ·······················································································································267

Specifying a source IP address or interface for the SFTP client······································································267

Establishing a connection to the SFTP server····································································································267

Working with SFTP directories···························································································································268

Working with SFTP files······································································································································269

Displaying help information ·······························································································································269

Terminating the connection to the remote SFTP server ····················································································269

SFTP client configuration example ·····························································································································270

SFTP server configuration example ····························································································································273

SCP configuration ··················································································································································· 276

SCP overview································································································································································276

Configuring the switch as an SCP server ··················································································································276

Configuring the switch as the SCP client···················································································································277

vii

SCP client configuration example······················································································································277

SCP server configuration example ····················································································································278

SSL configuration ···················································································································································· 280

SSL overview·································································································································································280

SSL security mechanism ······································································································································280

SSL protocol stack ···············································································································································281

FIPS compliance ···························································································································································282

SSL configuration task list············································································································································282

Configuring an SSL server policy ·······························································································································282

Configuration prerequisites ································································································································282

Configuration procedure ····································································································································282

SSL server policy configuration example ··········································································································283

Configuring an SSL client policy ································································································································285

Configuration prerequisites ································································································································285

Configuration procedure ····································································································································285

Displaying and maintaining SSL·································································································································286

Troubleshooting SSL·····················································································································································286

SSL handshake failure·········································································································································286

TCP attack protection configuration······················································································································· 288

TCP attack protection overview ··································································································································288

Enabling the SYN Cookie feature ······························································································································288

Enabling protection against Naptha attacks·············································································································289

Displaying and maintaining TCP attack protection ··································································································289

IP source guard configuration ································································································································ 290

IP source guard overview············································································································································290

IP source guard entries ················································································································································290

Configuring IPv4 source guard···································································································································291

Configuring static IPv4 source guard················································································································291

Configuring dynamic IPv4 source guard ··········································································································292

Setting the maximum number of IPv4 source guard entries············································································293

Configuring IPv6 source guard···································································································································293

Configuring static IPv6 source guard················································································································293

Configuring dynamic IPv6 source guard ··········································································································294

Setting the maximum number of IPv6 source guard entries············································································295

Displaying and maintaining IP source guard············································································································295

IP source guard configuration examples ···················································································································296

Static IPv4 source guard configuration example ·····························································································296

Dynamic IPv4 source guard using DHCP snooping configuration example·················································297

Dynamic IPv4 source guard using DHCP relay configuration example ························································299

Static IPv6 source guard configuration example ·····························································································300

Dynamic IPv6 source guard using DHCPv6 snooping configuration example·············································300

Dynamic IPv6 source guard using ND snooping configuration example ·····················································302

Troubleshooting IP source guard ································································································································303

Neither static nor dynamic IP source guard can be configured·····································································303

ARP attack protection configuration ······················································································································ 304

ARP attack protection overview··································································································································304

ARP attack protection configuration task list ·············································································································304

Configuring ARP packet rate limit ······························································································································305

Configuring ARP packet rate limit ·····················································································································305

Configuring source MAC address based ARP attack detection ·············································································306

Introduction ··························································································································································306

Configuration procedure ····································································································································306

viii

Displaying and maintaining source MAC address based ARP attack detection··········································307

Configuring ARP packet source MAC address consistency check ·········································································307

Introduction ··························································································································································307

Configuration procedure ····································································································································307

Configuring ARP active acknowledgement ···············································································································307

Introduction ··························································································································································307

Configuration procedure ····································································································································307

Configuring ARP detection··········································································································································308

Introduction ··························································································································································308

Enabling ARP detection based on static IP source guard binding Entries/DHCP snooping entries/802.1X

security entries/OUI MAC addresses ···············································································································308

Configuring ARP detection based on specified objects ··················································································309

Configuring ARP restricted forwarding ·············································································································310

Displaying and maintaining ARP detection ······································································································310

ARP detection configuration example I·············································································································311

ARP detection configuration example II ············································································································312

ARP restricted forwarding configuration example ···························································································313

Configuring ARP gateway protection ························································································································315

Introduction ··························································································································································315

Configuration procedure ····································································································································315

ARP gateway protection configuration example······························································································316

Configuring ARP filtering·············································································································································317

Introduction ··························································································································································317

Configuration procedure ····································································································································317

ARP filtering configuration example··················································································································317

ND attack defense configuration ··························································································································· 319

Introduction to ND attack defense······························································································································319

Enabling source MAC consistency check for ND packets·······················································································320

Configuring the ND detection function······················································································································320

Introduction to ND detection ······························································································································320

Configuring ND detection ··································································································································321

Displaying and maintaining ND detection ·······································································································322

ND detection configuration example·························································································································322

SAVI configuration·················································································································································· 325

SAVI overview ······························································································································································325

Global SAVI configuration··········································································································································325

SAVI configuration in DHCPv6-only address assignment scenario ········································································326

SAVI configuration in SLAAC-only address assignment scenario···········································································328

SAVI configuration in DHCPv6+SLAAC address assignment scenario··································································330

System-guard configuration···································································································································· 333

Configuring system-guard ···········································································································································333

Displaying system-guard··············································································································································334

System-guard configuration example·························································································································334

Network requirements·········································································································································334

Configuration procedure ····································································································································334

Configuring FIPS······················································································································································ 335

Overview·······································································································································································335

FIPS self-tests ·································································································································································335

Power-up self-test ·················································································································································335

Conditional self-tests············································································································································335

Triggering a self-test ············································································································································335

Configuration procedure·············································································································································336

HP 5120 SI Series User manual

Popular Network Router manuals by other brands