Hp 5120 si series User manual

HP 5120 SI Switch Series

Security

Configuration Guide

Part number: 5998-1815

Software version: Release 1513

Document version: 6W100-20130830

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or

use of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained

herein.

Contents

AAA configuration ······················································································································································· 1

AAA overview ···································································································································································1

RADIUS······································································································································································2

HWTACACS ·····························································································································································8

Domain-based user management ························································································································ 10

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 11

FIPS compliance ····························································································································································· 14

AAA configuration considerations and task list·········································································································· 14

Configuring AAA schemes············································································································································ 16

Configuring local users········································································································································· 16

Configuring RADIUS schemes······························································································································ 20

Configuring HWTACACS schemes····················································································································· 31

Configuring AAA methods for ISP domains················································································································ 36

Configuration prerequisites ·································································································································· 37

Creating an ISP domain ······································································································································· 37

Configuring ISP domain attributes······················································································································· 37

Configuring AAA authentication methods for an ISP domain·········································································· 38

Configuring AAA authorization methods for an ISP domain ··········································································· 40

Configuring AAA accounting methods for an ISP domain ··············································································· 42

Tearing down user connections forcibly······················································································································ 43

Configuring a NAS ID-VLAN binding·························································································································· 43

Displaying and maintaining AAA ································································································································ 44

AAA configuration examples········································································································································ 44

AAA for Telnet users by an HWTACACS server ······························································································· 44

AAA for Telnet users by separate servers··········································································································· 46

Authentication/Authorization for SSH/Telnet users by a RADIUS server ······················································· 47

Level switching authentication for Telnet users by an HWTACACS server····················································· 51

Troubleshooting AAA ···················································································································································· 55

Troubleshooting RADIUS······································································································································· 55

Troubleshooting HWTACACS······························································································································ 56

802.1X fundamentals ················································································································································57

Architecture of 802.1X·················································································································································· 57

Controlled/uncontrolled port and pot authorization status ······················································································· 57

802.1X-related protocols ·············································································································································· 58

Packet format ························································································································································· 58

EAP over RADIUS ·················································································································································· 60

Initiating 802.1X authentication··································································································································· 60

802.1X client as the initiator································································································································ 60

Access device as the initiator······························································································································· 60

802.1X authentication procedures ······························································································································ 61

A comparison of EAP relay and EAP termination······························································································ 61

EAP relay································································································································································ 62

EAP termination ····················································································································································· 63

802.1X configuration ················································································································································65

HP implementation of 802.1X ······································································································································ 65

Access control methods ········································································································································ 65

Using 802.1X authentication with other features ······························································································ 65

Configuring 802.1X ······················································································································································ 70

802.1X configuration task list······························································································································ 70

Enabling 802.1X··················································································································································· 71

Specifying EAP relay or EAP termination ··········································································································· 72

Setting the port authorization state······················································································································ 72

Specifying an access control method·················································································································· 73

Setting the maximum number of concurrent 802.1X users on a port······························································ 73

Setting the maximum number of authentication request attempts ···································································· 74

Setting the 802.1X authentication timeout timers ······························································································ 74

Configuring the online user handshake function································································································ 75

Configuring the authentication trigger function ································································································· 76

Specifying a mandatory authentication domain on a port··············································································· 76

Enabling the quiet timer········································································································································ 77

Enabling the periodic online user re-authentication function············································································ 77

Configuring an 802.1X guest VLAN··················································································································· 78

Configuring an Auth-Fail VLAN ··························································································································· 79

Configuring an 802.1X critical VLAN ················································································································ 80

Specifying supported domain name delimiters·································································································· 81

Displaying and maintaining 802.1X ··························································································································· 81

802.1X configuration examples··································································································································· 82

802.1X authentication configuration example ·································································································· 82

802.1X with guest VLAN and VLAN assignment configuration example······················································· 84

802.1X with ACL assignment configuration example······················································································· 87

EAD fast deployment configuration ··························································································································89

EAD fast deployment overview····································································································································· 89

EAD fast deployment implementation ················································································································· 89

Configuring EAD fast deployment································································································································ 89

Configuration procedure ······································································································································ 90

Displaying and maintaining EAD fast deployment····································································································· 91

EAD fast deployment configuration example·············································································································· 91

Troubleshooting EAD fast deployment························································································································· 93

Web browser users cannot be correctly redirected ·························································································· 93

MAC authentication configuration····························································································································95

MAC authentication overview ······································································································································ 95

User account policies············································································································································ 95

Authentication approaches ·································································································································· 95

MAC authentication timers··································································································································· 96

Using MAC authentication with other features ··········································································································· 96

VLAN assignment ·················································································································································· 96

ACL assignment ····················································································································································· 97

Guest VLAN ··························································································································································· 97

Critical VLAN························································································································································· 97

MAC authentication configuration task list ················································································································· 97

Basic configuration for MAC authentication··············································································································· 98

Specifying an authentication domain for MAC authentication users ······································································· 99

Configuring a MAC authentication guest VLAN ······································································································100

Configuring a MAC authentication critical VLAN····································································································101

iii

Displaying and maintaining MAC authentication ····································································································101

MAC authentication configuration examples············································································································102

Local MAC authentication configuration example···························································································102

RADIUS-based MAC authentication configuration example···········································································103

ACL assignment configuration example············································································································105

Portal configuration················································································································································· 108

Overview·······································································································································································108

Extended portal functions ···································································································································108

Portal system components···································································································································108

Portal system using the local portal server········································································································110

Portal authentication modes ·······························································································································111

Portal support for EAP·········································································································································111

Layer 2 portal authentication process ···············································································································112

Layer 3 portal authentication process ···············································································································113

Portal configuration task list ········································································································································116

Configuration prerequisites·········································································································································117

Specifying the portal server ········································································································································118

Specifying the local portal server for Layer 2 portal authentication······························································118

Specifying a portal server for Layer 3 portal authentication ··········································································118

Configuring the local portal server ····························································································································119

Customizing authentication pages ····················································································································119

Configuring the local portal server····················································································································122

Enabling portal authentication····································································································································123

Enabling Layer 2 portal authentication ·············································································································123

Enabling Layer 3 portal authentication ·············································································································123

Controlling access of portal users ······························································································································124

Configuring a portal-free rule·····························································································································124

Configuring an authentication source subnet···································································································125

Setting the maximum number of online portal users························································································126

Specifying an authentication domain for portal users·····················································································126

Configuring Layer 2 portal authentication to support web proxy··································································127

Enabling support for portal user moving ··········································································································127

Specifying an Auth-Fail VLAN for portal authentication ··························································································128

Configuring RADIUS related attributes ······················································································································128

Specifying NAS-Port-Type for an interface ·······································································································129

Specifying a NAS ID profile for an interface ···································································································129

Specifying a source IP address for outgoing portal packets ···················································································130

Specifying an auto redirection URL for authenticated portal users·········································································130

Configuring portal detection functions·······················································································································131

Configuring online Layer 2 portal user detection ····························································································131

Configuring the portal server detection function······························································································131

Configuring portal user information synchronization······················································································133

Logging off portal users···············································································································································134

Displaying and maintaining portal ····························································································································134

Portal configuration examples ····································································································································135

Configuring direct portal authentication···········································································································135

Configuring cross-subnet portal authentication ································································································142

Configuring direct portal authentication with extended functions··································································144

Configuring cross-subnet portal authentication with extended functions·······················································146

Configuring portal server detection and portal user information synchronization·······································148

Configuring Layer 2 portal authentication········································································································156

Troubleshooting portal·················································································································································159

Inconsistent keys on the access device and the portal server·········································································159

Incorrect server port number on the access device··························································································160

Triple authentication configuration ························································································································ 161

Introduction to triple authentication····························································································································161

Triple authentication mechanism ·······················································································································161

Extended functions ··············································································································································162

Triple authentication configuration task list ···············································································································163

Triple authentication configuration examples ···········································································································163

Triple authentication basic function configuration example ···········································································163

Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············166

Port security configuration ······································································································································ 171

Port security overview ··················································································································································171

Port security features ···········································································································································172

Port security modes ·············································································································································172

Support for guest VLAN and Auth-Fail VLAN···································································································174

Port security configuration task list ·····························································································································175

Enabling port security ··················································································································································175

Setting the maximum number of secure MAC addresses ························································································176

Setting the port security mode ····································································································································176

Configuring port security features ······························································································································178

Configuring NTK ·················································································································································178

Configuring intrusion protection ························································································································178

Configuring port security traps ··························································································································179

Configuring secure MAC addresses ··························································································································179

Ignoring authorization information from the server··································································································180

Displaying and maintaining port security··················································································································181

Port security configuration examples ·························································································································181

Configuring the autoLearn mode·······················································································································181

Configuring the userLoginWithOUI mode ········································································································183

Configuring the macAddressElseUserLoginSecure mode················································································187

Troubleshooting port security······································································································································190

Cannot set the port security mode·····················································································································190

Cannot configure secure MAC addresses ········································································································190

Cannot change port security mode when a user is online··············································································191

User profile configuration······································································································································· 192

User profile overview···················································································································································192

User profile configuration task list······························································································································192

Creating a user profile ················································································································································193

Creating a user profile········································································································································193

Configuring a user profile···········································································································································193

Enabling a user profile ················································································································································194

Displaying and maintaining user profile ···················································································································194

Password control configuration······························································································································ 195

Password control overview ·········································································································································195

Password control configuration task list·····················································································································198

Configuring password control ····································································································································198

Enabling password control·································································································································198

Setting global password control parameters····································································································199

Setting user group password control parameters ····························································································200

Setting local user password control parameters ······························································································201

Setting super password control parameters ·····································································································201

Setting a local user password in interactive mode ··························································································202

Displaying and maintaining password control ·········································································································202

Password control configuration example ··················································································································203

HABP configuration················································································································································· 206

Introduction to HABP····················································································································································206

Configuring HABP························································································································································207

Configuring the HABP server ·····························································································································207

Configuring an HABP client ·······························································································································207

Displaying and maintaining HABP·····························································································································208

HABP configuration example······································································································································208

Network requirements·········································································································································208

Public key configuration ········································································································································· 211

Asymmetric key algorithm overview ··························································································································211

Basic concepts ·····················································································································································211

Key algorithm types·············································································································································211

Asymmetric key algorithm applications ············································································································212

Configuring the local asymmetric key pair ···············································································································212

Creating an asymmetric key pair ······················································································································212

Displaying or exporting the local RSA or DSA host public key······································································213

Destroying an asymmetric key pair ···················································································································213

Configuring a remote host's public key·····················································································································214

Displaying and maintaining public keys ···················································································································215

Public key configuration examples·····························································································································215

Configuring a remote host's public key manually ···························································································215

Importing a remote host's public key from a public key file···········································································217

PKI configuration····················································································································································· 220

Introduction to PKI ························································································································································220

PKI overview ························································································································································220

PKI terms·······························································································································································220

Architecture of PKI···············································································································································221

Applications of PKI··············································································································································222

Operation of PKI··················································································································································222

PKI configuration task list ············································································································································223

Configuring an entity DN············································································································································223

Configuring a PKI domain···········································································································································224

Submitting a PKI certificate request····························································································································226

Submitting a certificate request in auto mode··································································································226

Submitting a certificate request in manual mode·····························································································227

Retrieving a certificate manually ································································································································228

Configuring PKI certificate verification ······················································································································228

Destroying a local RSA key pair ································································································································230

Deleting a certificate····················································································································································230

Configuring an access control policy ························································································································230

Displaying and maintaining PKI ·································································································································231

PKI configuration examples·········································································································································231

Requesting a certificate from a CA running RSA Keon···················································································231

Requesting a certificate from a CA running Windows 2003 Server ····························································235

Configuring a certificate attribute-based access control policy······································································238

Troubleshooting PKI ·····················································································································································239

Failed to retrieve a CA certificate······················································································································239

Failed to request a local certificate ···················································································································240

Failed to retrieve CRLs ········································································································································241

SSH2.0 configuration ············································································································································· 242

SSH2.0 overview ·························································································································································242

Introduction to SSH2.0 ·······································································································································242

SSH operation ·····················································································································································242

Configuring the device as an SSH server··················································································································245

SSH server configuration task list ······················································································································245

Generating a DSA or RSA key pair ··················································································································245

Enabling the SSH server function·······················································································································246

Configuring the user interfaces for SSH clients································································································246

Configuring a client public key··························································································································247

Configuring an SSH user····································································································································248

Setting the SSH management parameters ········································································································249

Configuring the device as an SSH client···················································································································250

SSH client configuration task list························································································································250

Specifying a source IP address/interface for the SSH client ··········································································250

Configuring whether first-time authentication is supported·············································································250

Establishing a connection between the SSH client and server ·······································································251

Displaying and maintaining SSH ·······························································································································252

SSH server configuration examples ···························································································································253

When switch acts as server for password authentication···············································································253

When switch acts as server for publickey authentication ···············································································255

SSH client configuration examples·····························································································································260

When switch acts as client for password authentication ················································································260

When switch acts as client for publickey authentication ················································································263

SFTP configuration ·················································································································································· 266

SFTP overview·······························································································································································266

Configuring the device as an SFTP server·················································································································266

Enabling the SFTP server ····································································································································266

Configuring the SFTP connection idle timeout period ·····················································································267

Configuring the device an SFTP client ·······················································································································267

Specifying a source IP address or interface for the SFTP client······································································267

Establishing a connection to the SFTP server····································································································267

Working with SFTP directories···························································································································268

Working with SFTP files······································································································································269

Displaying help information ·······························································································································269

Terminating the connection to the remote SFTP server ····················································································269

SFTP client configuration example ·····························································································································270

SFTP server configuration example ····························································································································273

SCP configuration ··················································································································································· 276

SCP overview································································································································································276

Configuring the switch as an SCP server ··················································································································276

Configuring the switch as the SCP client···················································································································277

vii

SCP client configuration example······················································································································277

SCP server configuration example ····················································································································278

SSL configuration ···················································································································································· 280

SSL overview·································································································································································280

SSL security mechanism ······································································································································280

SSL protocol stack ···············································································································································281

SSL configuration task list············································································································································282

Configuring an SSL server policy ·······························································································································282

SSL server policy configuration example ··········································································································283

Configuring an SSL client policy ································································································································285

Displaying and maintaining SSL·································································································································286

Troubleshooting SSL·····················································································································································286

SSL handshake failure·········································································································································286

TCP attack protection configuration······················································································································· 288

TCP attack protection overview ··································································································································288

Enabling the SYN Cookie feature ······························································································································288

Enabling protection against Naptha attacks·············································································································289

Displaying and maintaining TCP attack protection ··································································································289

IP source guard configuration ································································································································ 290

IP source guard overview············································································································································290

IP source guard entries ················································································································································290

Configuring IPv4 source guard···································································································································291

Configuring static IPv4 source guard················································································································291

Configuring dynamic IPv4 source guard ··········································································································292

Setting the maximum number of IPv4 source guard entries············································································293

Configuring IPv6 source guard···································································································································293

Configuring static IPv6 source guard················································································································293

Configuring dynamic IPv6 source guard ··········································································································294

Setting the maximum number of IPv6 source guard entries············································································295

Displaying and maintaining IP source guard············································································································295

IP source guard configuration examples ···················································································································296

Static IPv4 source guard configuration example ·····························································································296

Dynamic IPv4 source guard using DHCP snooping configuration example·················································297

Dynamic IPv4 source guard using DHCP relay configuration example ························································299

Static IPv6 source guard configuration example ·····························································································300

Dynamic IPv6 source guard using DHCPv6 snooping configuration example·············································300

Dynamic IPv6 source guard using ND snooping configuration example ·····················································302

Troubleshooting IP source guard ································································································································303

Neither static nor dynamic IP source guard can be configured·····································································303

ARP attack protection configuration ······················································································································ 304

ARP attack protection overview··································································································································304

ARP attack protection configuration task list ·············································································································304

Configuring ARP packet rate limit ······························································································································305

Configuring ARP packet rate limit ·····················································································································305

Configuring source MAC address based ARP attack detection ·············································································306

Introduction ··························································································································································306

viii

Displaying and maintaining source MAC address based ARP attack detection··········································307

Configuring ARP packet source MAC address consistency check ·········································································307

Configuring ARP active acknowledgement ···············································································································307

Configuring ARP detection··········································································································································308

Enabling ARP detection based on static IP source guard binding Entries/DHCP snooping entries/802.1X

security entries/OUI MAC addresses ···············································································································308

Configuring ARP detection based on specified objects ··················································································309

Configuring ARP restricted forwarding ·············································································································310

Displaying and maintaining ARP detection ······································································································310

ARP detection configuration example I·············································································································311

ARP detection configuration example II ············································································································312

ARP restricted forwarding configuration example ···························································································313

Configuring ARP gateway protection ························································································································315

ARP gateway protection configuration example······························································································316

Configuring ARP filtering·············································································································································317

ARP filtering configuration example··················································································································317

ND attack defense configuration ··························································································································· 319

Introduction to ND attack defense······························································································································319

Enabling source MAC consistency check for ND packets·······················································································320

Configuring the ND detection function······················································································································320

Introduction to ND detection ······························································································································320

Configuring ND detection ··································································································································321

Displaying and maintaining ND detection ·······································································································322

ND detection configuration example·························································································································322

SAVI configuration·················································································································································· 325

SAVI overview ······························································································································································325

Global SAVI configuration··········································································································································325

SAVI configuration in DHCPv6-only address assignment scenario ········································································326

SAVI configuration in SLAAC-only address assignment scenario···········································································328

SAVI configuration in DHCPv6+SLAAC address assignment scenario··································································330

System-guard configuration···································································································································· 333

Configuring system-guard ···········································································································································333

Displaying system-guard··············································································································································334

System-guard configuration example·························································································································334

Configuring FIPS······················································································································································ 335

FIPS self-tests ·································································································································································335

Power-up self-test ·················································································································································335

Conditional self-tests············································································································································335

Triggering a self-test ············································································································································335

Configuration procedure·············································································································································336

Enabling the FIPS mode······································································································································336

Displaying and maintaining FIPS ·······························································································································337

FIPS configuration example·········································································································································337

Verifying the configuration·································································································································338

Configuring IPsec ···················································································································································· 340

Implementing ACL-based IPsec ···································································································································343

Feature Restrictions··············································································································································343

ACL-based IPsec configuration task list ·············································································································343

Configuring ACLs ················································································································································344

Configuring an IPsec proposal ··························································································································345

Configuring an IPsec policy ·······························································································································346

Applying an IPsec policy group to an interface·······························································································349

Configuring the IPsec session idle timeout········································································································350

Enabling ACL checking of de-encapsulated IPsec packets ·············································································350

Configuring the IPsec anti-replay function ········································································································351

Configuring packet information pre-extraction ································································································351

Displaying and maintaining IPsec ······························································································································352

IPsec configuration examples······································································································································352

IKE-based IPsec tunnel for IPv4 packets configuration example·····································································352

Configuring IKE······················································································································································· 355

IKE security mechanism·······································································································································355

IKE operation ·······················································································································································355

IKE functions·························································································································································356

Relationship between IKE and IPsec··················································································································357

IKE configuration task list ············································································································································357

Configuring a name for the local security gateway·································································································358

Configuring an IKE proposal ······································································································································358

Configuring an IKE peer··············································································································································359

Setting keepalive timers···············································································································································361

Setting the NAT keepalive timer·································································································································361

Configuring a DPD detector········································································································································362

Disabling next payload field checking ······················································································································362

Displaying and maintaining IKE·································································································································363

IKE configuration example ··········································································································································363

Troubleshooting IKE ·····················································································································································366

Invalid user ID······················································································································································366

Proposal mismatch ··············································································································································366

Failing to establish an IPsec tunnel····················································································································367

ACL configuration error ······································································································································367

Support and other resources ·································································································································· 368

Contacting HP ······························································································································································368

Subscription service ············································································································································368

Related information······················································································································································368

Documents····························································································································································368

Websites·······························································································································································368

Conventions ··································································································································································369

Index ········································································································································································ 371

AAA configuration

This chapter includes these sections:

•AAA overview

•AAA configuration considerations and task list

•Displaying and maintaining AAA

•AAA configuration examples

•Troubleshooting AAA

AAA overview

This section covers these topics:

•RADIUS

•HWTACACS

•Domain-based user management

•Protocols and standards

•RADIUS attributes

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. It provides the following security functions:

•Authentication—Identifies users and determines whether a user is valid.

•Authorization—Grants different users different rights and controls their access to resources and

services. For example, a user who has successfully logged in to the device can be granted read and

print permissions to the files on the device.

•Accounting—Records all network service usage information of users, including the service type,

start time, and traffic. The accounting function not only provides the information required for

charging, but also allows for network security surveillance.

AAA usually uses a client/server model. The client runs on the network access server (NAS) and the

server maintains user information centrally. In an AAA network, a NAS is a server for users but a client

for the AAA servers, as shown in Figure 1.

Figure 1 Network diagram for AAA

When a user tries to log in to the NAS, use network resources, or access other networks, the NAS

authenticates the user. The NAS can transparently pass the user's authentication, authorization, and

accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and

a remote server exchange user information between them.

In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose

different servers for different security functions. For example, you can use the HWTACACS server for

authentication and authorization, and the RADIUS server for accounting.

You can use AAA to provide only one or two security functions, if desired. For example, if your company

only wants employees to be authenticated before they access specific resources, you only need to

configure an authentication server. If network usage information is expected to be recorded, you also

need to configure an accounting server.

AAA can be implemented through multiple protocols. The device supports using RADIUS and

HWTACACS for AAA. RADIUS is often used in practice.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that

uses a client/server model. RADIUS can protect networks against unauthorized access and is often used

in network environments where both high security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813

for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods,

RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.

RADIUS provides access authentication and authorization services, and its accounting function collects

and records network resource usage information.

Client/Server Model

The RADIUS client runs on the NAS located throughout the network. It passes user information to

designated RADIUS servers and acts on the responses (for example, rejects or accepts user access

requests).

The RADIUS server runs on the computer or workstation at the network center and maintains information

related to user authentication and network service access. It listens to connection requests, authenticates

users, and returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary, as

shown in Figure 2.

Figure 2 RADIUS server components

•Users—Stores user information such as the usernames, passwords, applied protocols, and IP

addresses.

•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•Dictionary—Stores RADIUS protocol attributes and their values.

Security and Authentication Mechanisms

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared

key, which is never transmitted over the network. This enhances the information exchange security. In

addition, to prevent user passwords from being intercepted in non-secure networks, RADIUS encrypts

passwords before transmitting them.

A RADIUS server supports multiple user authentication methods, such as the Password Authentication

Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Moreover, a RADIUS

server can act as the client of another AAA server to provide authentication proxy services.

RADIUS Basic Message Exchange Process

Figure 3 illustrates the interaction between the host, the RADIUS client, and the RADIUS server.

Figure 3 RADIUS basic message exchange process

RADIUS operates in the following manner:

1. The host initiates a connection request carrying the username and password to the RADIUS client.

2. Having received the username and password, the RADIUS client sends an authentication request

(Access-Request) to the RADIUS server, with the user password encrypted by using the

Message-Digest 5 (MD5) algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, it

sends back an Access-Accept message containing the user's authorization information. If the

authentication fails, it returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If it

permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a

stop-accounting request (Accounting-Request) to the RADIUS server.

8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops

accounting for the user.

9. The user stops access to network resources.

RADIUS Packet Format

RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS

server and the client through a series of mechanisms, including: the timer management mechanism, the

retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet

format.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible

values and their meanings.

Table 1 Main values of the Code field

Code Packet t

e Descri

tion

1 Access-Request

From the client to the server. A packet of this type carries user

information for the server to authenticate the user. It must contain

the User-Name attribute and can optionally contain the attributes

of NAS-IP-Address, User-Password, and NAS-Port.

2 Access-Accept

From the server to the client. If all the attribute values carried in

the Access-Request are acceptable, the authentication succeeds,

and the server sends an Access-Accept response.

3 Access-Reject

From the server to the client. If any attribute value carried in the

Access-Request is unacceptable, the authentication fails and the

server sends an Access-Reject response.

4 Accounting-Request

From the client to the server. A packet of this type carries user

information for the server to start or stop accounting for the user.

The Acct-Status-Type attribute in the packet indicates whether to

start or stop accounting.

5 Accounting-Response

From the server to the client. The server sends a packet of this

type to notify the client that it has received the

Accounting-Request and has correctly recorded the accounting

information.

•The Identifier field (1 byte long) is used to match request packets and response packets and to detect

retransmitted request packets. Request and response packets of the same type have the same

identifier.

•The Length field (2 bytes long) indicates the length of the entire packet, including the Code,

Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered

padding and are neglected upon reception. If the length of a received packet is less than this length,

the packet is dropped. The value of this field is in the range 20 to 4096.

•The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to

encrypt user passwords. There are two types of authenticators: request authenticator and response

authenticator.

•The Attribute field, with a variable length, carries the specific authentication, authorization, and

accounting information that defines the configuration details of the request or response. This field

contains multiple attributes, and each attribute is represented in triplets of Type, Length, and Value.

{Type—One byte, in the range 1 to 255. It indicates the type of the attribute. Commonly used

attributes for RADIUS authentication, authorization and accounting are listed in Table 2.

{Length—One byte for indicating the length of the attribute (including the Type, Length, and

Value fields), in bytes.

{Value—Attribute value, up to 253 bytes. Its format and content depend on the Type and Length

fields.

Table 2 RADIUS attributes

No. Attribute No. Attribute

1 User-Name 45 Acct-Authentic

2 User-Password 46 Acct-Session-Time

3 CHAP-Password 47 Acct-Input-Packets

4 NAS-IP-Address 48 Acct-Output-Packets

5 NAS-Port 49 Acct-Terminate-Cause

6 Service-Type 50 Acct-Multi-Session-Id

7 Framed-Protocol 51 Acct-Link-Count

8 Framed-IP-Address 52 Acct-Input-Gigawords

9 Framed-IP-Netmask 53 Acct-Output-Gigawords

10 Framed-Routing 54 (unassigned)

11 Filter-ID 55 Event-Timestamp

12 Framed-MTU 56-59 (unassigned)

13 Framed-Compression 60 CHAP-Challenge

14 Login-IP-Host 61 NAS-Port-Type

15 Login-Service 62 Port-Limit

16 Login-TCP-Port 63 Login-LAT-Port

17 (unassigned) 64 Tunnel-Type

18 Reply-Message 65 Tunnel-Medium-Type

19 Callback-Number 66 Tunnel-Client-Endpoint

20 Callback-ID 67 Tunnel-Server-Endpoint

21 (unassigned) 68 Acct-Tunnel-Connection

22 Framed-Route 69 Tunnel-Password

23 Framed-IPX-Network 70 ARAP-Password

24 State 71 ARAP-Features

25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security

27 Session-Timeout 74 ARAP-Security-Data

No. Attribute No. Attribute

28 Idle-Timeout 75 Password-Retry

29 Termination-Action 76 Prompt

30 Called-Station-Id 77 Connect-Info

31 Calling-Station-Id 78 Configuration-Token

32 NAS-Identifier 79 EAP-Message

33 Proxy-State 80 Message-Authenticator

34 Login-LAT-Service 81 Tunnel-Private-Group-id

35 Login-LAT-Node 82 Tunnel-Assignment-id

36 Login-LAT-Group 83 Tunnel-Preference

37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response

38 Framed-AppleTalk-Network 85 Acct-Interim-Interval

39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost

40 Acct-Status-Type 87 NAS-Port-Id

41 Acct-Delay-Time 88 Framed-Pool

42 Acct-Input-Octets 89 (unassigned)

43 Acct-Output-Octets 90 Tunnel-Client-Auth-id

44 Acct-Session-Id 91 Tunnel-Server-Auth-id

NOTE:

•The attribute types listed in Table 2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2868.

•For more information about commonly used standard RADIUS attributes, see "Commonly used

standard RADIUS attributes."

Extended RADIUS Attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vender-Specific) defined by RFC 2865

allows a vender to define extended attributes to implement functions that the standard RADIUS protocol

does not provide.

A vendor can encapsulate multiple type-length-value (TLV) sub-attributes in RADIUS packets for extension

in applications. As shown in Figure 5, a sub-attribute that can be encapsulated in Attribute 26 consists

of the following parts:

•Vendor-ID—ID of the vendor (4 bytes long). Its most significant byte is 0; the other three bytes

contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS

sub-attributes of HP, see "Proprietary RADIUS sub-attributes of HP."

•Vendor-Type—Type of the sub-attribute.

•Vendor-Length—Length of the sub-attribute.

•Vendor-Data—Contents of the sub-attribute.

Figure 5 Segment of a RADIUS packet containing an extended attribute

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol

based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information

exchange between the NAS and the HWTACACS server.

HWTACACS mainly provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up

Network (VPDN) users, and terminal users. In a typical HWTACACS application, some terminal users

need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the

username and password of a user to the HWTACACS sever for authentication. After passing

authentication and being authorized, the user logs in to the device and performs operations, and the

HWTACACS server records the operations that the user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They

have many features in common, like using a client/server model, using shared keys for user information

security, and providing flexibility and extensibility. HWTACACS and RADIUS do have differences, as

listed in Table 3.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, providing more reliable network

transmission. Uses UDP, providing higher transport efficiency.

Encrypts the entire packet except for the HWTACACS

header.

Encrypts only the user password field in an

authentication packet.

Protocol packets are complicated and authorization is

independent of authentication. Authentication and

authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple and the authorization

process is combined with the authentication process.

Supports authorization of configuration commands.

Which commands a user can use depends on both the

user level and AAA authorization. A user can use only

commands that are not only of, or lower than, the user

level but also authorized by the HWTACACS server.

Does not support authorization of configuration

commands. Which commands a user can use

depends on the level of the user and a user can use all

the commands of, or lower than, the user level.

HWTACACS basic message exchange process

The following takes a Telnet user as an example to describe how HWTACACS performs user

authentication, authorization, and accounting.

Other manuals for 5120 SI Series

Table of contents

Other HP Network Router manuals

HP MSR4080 User manual

HP 6400/8400 User manual

HP IntelliJack NJ1000G User manual

HP FlexFabric 12900 series User manual

HP MSR900-W User manual

HP MSR SERIES User manual

HP ProCurve Series 2600 User manual

HP StorageWorks MPX200 Instruction Manual

HP StorageWorks M2402 User manual

HP ProCurve Secure 7102dl Assembly instructions

HP 10500 series User manual

HP J4093A User manual

HP Pavilion 501 Instruction Manual

HP 5120 EI Series User manual

HP MSR930 Series Assembly instructions

HP A5500 EI Switch Series Installation manual

HP StorageWorks MPX200 Programming manual

HP Series 200 User guide

HP MSR2000 Series User manual

HP Wireless TV Connect Specification sheet

HP FlexNetwork MSR3044 Assembly instructions

HP MSR93x Series User manual

HP Pavilion 8800 - Desktop PC User manual

HP HPE 1820 Switch Series User manual

Popular Network Router manuals by other brands

Black Box

Black Box LBS3041AE user manual

Multitech

Multitech MultiConnect rCell 100 Series user guide

Modecom

Modecom MC-420 user manual

AirLive

AirLive N450R user manual

3One data

3One data ES208G Quick installation guide

Blackmagicdesign

Blackmagicdesign Videohub Hardware Control Installation and operation manual

BLACK DECKER

BLACK DECKER KW1200E Original instructions

Planet

Planet WGSW-2620HP Quick installation guide

Planet

Planet MGSW SERIES Quick installation guide

Show Tec

Show Tec Net-8/3 manual

Multitech

Multitech RouteFinder MTASR1-100 user guide

Planet

Planet IAD-200 specification

CalAmp

CalAmp Guardian-100 user manual

Planet

Planet FGSW-2402VS user manual

Planet

Planet MGSW-2402 user manual

smart home

smart home SH - CT4R user guide

Multitech

Multitech MultiFrad FR3060 user guide

Black Box

Black Box LB8415A-US user guide

HP 5120 SI Series User manual

Popular Network Router manuals by other brands