HP MSR SERIES User manual

HPE FlexNetwork MSR Router Series
Comware 7 Security Configuration Guide
Part number: 5998-6958
Software version: CMW710-R0403L02
Document version: 6PW200-20160226

i
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.

Contents
Configuring AAA ··············································································1
Overview··································································································································1
RADIUS ····························································································································2
HWTACACS ······················································································································7
LDAP································································································································9
AAA implementation on the device························································································12
AAA for MPLS L3VPNs ······································································································14
Protocols and standards ·····································································································14
RADIUS attributes·············································································································15
Command and hardware compatibility··························································································18
FIPS compliance······················································································································18
AAA configuration considerations and task list ···············································································18
Configuring AAA schemes ·········································································································19
Configuring local users·······································································································20
Configuring RADIUS schemes ·····························································································25
Configuring HWTACACS schemes························································································36
Configuring LDAP schemes·································································································42
Configuring AAA methods for ISP domains····················································································46
Configuration prerequisites··································································································46
Creating an ISP domain······································································································46
Configuring ISP domain attributes·························································································47
Configuring authentication methods for an ISP domain······························································49
Configuring authorization methods for an ISP domain ·······························································51
Configuring accounting methods for an ISP domain··································································52
Enabling the session-control feature ····························································································54
Configuring the RADIUS DAE server feature ·················································································55
Changing the DSCP priority for RADIUS packets············································································55
Setting the maximum number of concurrent login users····································································56
Configuring and applying an ITA policy·························································································56
Configuring a NAS-ID profile ······································································································57
Configuring the Acct-Session-Id format·························································································57
Displaying and maintaining AAA··································································································58
AAA configuration examples·······································································································58
Authentication and authorization for SSH users by a RADIUS server············································58
Local authentication and authorization for SSH users································································62
AAA for SSH users by an HWTACACS server·········································································63
Authentication for SSH users by an LDAP server ·····································································65
Authentication and authorization for SSL VPN users by an LDAP server·······································70
AAA for PPP users by an HWTACACS server·········································································75
Troubleshooting RADIUS···········································································································76
RADIUS authentication failure······························································································76
RADIUS packet delivery failure ····························································································77
RADIUS accounting error····································································································77
Troubleshooting HWTACACS·····································································································78
Troubleshooting LDAP··············································································································78
802.1X overview ············································································79
802.1X architecture ··················································································································79
Controlled/uncontrolled port and port authorization status·································································79
802.1X-related protocols············································································································80
Packet formats··················································································································80
EAP over RADIUS·············································································································81
802.1X authentication initiation ···································································································82
802.1X client as the initiator·································································································82
Access device as the initiator·······························································································82
802.1X authentication procedures ·······························································································83
Comparing EAP relay and EAP termination·············································································84

EAP relay ························································································································84
EAP termination················································································································86
Configuring 802.1X·········································································88
Access control methods ············································································································88
802.1X VLAN manipulation ········································································································88
Authorization VLAN ···········································································································88
Guest VLAN·····················································································································90
Auth-Fail VLAN·················································································································91
Critical VLAN····················································································································91
Using 802.1X authentication with other features ·············································································92
ACL assignment················································································································92
EAD assistant···················································································································93
SmartOn··························································································································93
Compatibility information ···········································································································94
Feature and hardware compatibility·······················································································94
Command and hardware compatibility ···················································································94
Configuration prerequisites ········································································································95
802.1X configuration task list······································································································95
Enabling 802.1X ······················································································································95
Enabling EAP relay or EAP termination ························································································96
Setting the port authorization state·······························································································96
Specifying an access control method ···························································································97
Setting the maximum number of concurrent 802.1X users on a port····················································98
Setting the maximum number of authentication request attempts ·······················································98
Setting the 802.1X authentication timeout timers ············································································98
Configuring the online user handshake feature···············································································99
Configuration guidelines ·····································································································99
Configuration procedure ·····································································································99
Configuring the authentication trigger feature··············································································· 100
Configuration guidelines ··································································································· 100
Configuration procedure ··································································································· 100
Specifying a mandatory authentication domain on a port ································································ 100
Setting the quiet timer············································································································· 101
Enabling the periodic online user reauthentication feature······························································· 101
Configuring an 802.1X guest VLAN···························································································· 102
Configuration guidelines ··································································································· 102
Configuration procedure ··································································································· 102
Configuring an 802.1X Auth-Fail VLAN······················································································· 102
Configuration guidelines ··································································································· 102
Configuration procedure ··································································································· 103
Configuring an 802.1X critical VLAN ·························································································· 103
Configuration guidelines ··································································································· 103
Configuration procedure ··································································································· 103
Specifying supported domain name delimiters·············································································· 103
Configuring the EAD assistant feature························································································ 104
Configuring 802.1X SmartOn···································································································· 105
Displaying and maintaining 802.1X···························································································· 106
802.1X authentication configuration examples·············································································· 106
Basic 802.1X authentication configuration example ································································ 106
802.1X guest VLAN and authorization VLAN configuration example··········································· 108
802.1X with ACL assignment configuration example······························································· 111
802.1X with EAD assistant configuration example (with DHCP relay agent) ································· 112
802.1X with EAD assistant configuration example (with DHCP server)········································ 115
802.1X SmartOn configuration example ··············································································· 117
Troubleshooting 802.1X ·········································································································· 119
Web browser users cannot be redirected correctly·································································· 119
Configuring MAC authentication ······················································ 120
Overview······························································································································ 120
User account policies······································································································· 120
Authentication methods ···································································································· 120

VLAN assignment············································································································ 121
ACL assignment·············································································································· 121
Periodic MAC reauthentication ··························································································· 121
Compatibility information ········································································································· 122
Feature and hardware compatibility····················································································· 122
Command and hardware compatibility ················································································· 122
Configuration prerequisites ······································································································ 122
Configuration task list·············································································································· 123
Enabling MAC authentication···································································································· 123
Specifying a MAC authentication domain ···················································································· 123
Configuring the user account format··························································································· 124
Configuring MAC authentication timers······················································································· 124
Setting the maximum number of concurrent MAC authentication users on a port ································· 125
Configuring MAC authentication delay························································································ 125
Enabling MAC authentication multi-VLAN mode on a port······························································· 126
Configuring the keep-online feature ··························································································· 126
Displaying and maintaining MAC authentication ··········································································· 127
MAC authentication configuration examples ················································································ 127
Local MAC authentication configuration example ··································································· 127
RADIUS-based MAC authentication configuration example······················································ 129
ACL assignment configuration example ··············································································· 131
Configuring portal authentication ····················································· 134
Overview······························································································································ 134
Extended portal functions·································································································· 134
Portal system components ································································································ 134
Interaction between portal system components······································································ 136
Portal authentication modes ······························································································ 136
Portal authentication process····························································································· 137
Command and hardware compatibility························································································ 139
Portal configuration task list······································································································ 139
Configuration prerequisites ······································································································ 140
Configuring a portal authentication server ··················································································· 140
Configuring a portal Web server································································································ 141
Enabling portal authentication on an interface ·············································································· 141
Configuration restrictions and guidelines ·············································································· 142
Configuration procedure ··································································································· 142
Referencing a portal Web server for an interface ·········································································· 142
Controlling portal user access··································································································· 143
Configuring a portal-free rule ····························································································· 143
Configuring an authentication source subnet········································································· 144
Configuring an authentication destination subnet···································································· 145
Setting the maximum number of portal users········································································· 145
Specifying a portal authentication domain············································································· 146
Specifying a preauthentication domain················································································· 147
Configuring a preauthentication IP address pool for portal users················································ 148
Enabling strict-checking on portal authorization information······················································ 148
Enabling outgoing packets filtering on a portal-enabled interface ··············································· 149
Configuring portal detection features·························································································· 149
Configuring online detection of portal users··········································································· 149
Configuring portal authentication server detection ·································································· 150
Configuring portal Web server detection··············································································· 151
Configuring portal user synchronization················································································ 152
Configuring the portal fail-permit feature ····················································································· 153
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server······················ 153
Enabling portal roaming··········································································································· 154
Specifying a format for the NAS-Port-ID attribute ·········································································· 154
Logging out portal users·········································································································· 155
Configuring Web redirect········································································································· 155
Applying a NAS-ID profile to an interface ···················································································· 156
Displaying and maintaining portal······························································································ 156
Portal configuration examples··································································································· 157

Configuring direct portal authentication ················································································ 157
Configuring re-DHCP portal authentication············································································ 167
Configuring cross-subnet portal authentication······································································· 170
Configuring extended direct portal authentication ··································································· 173
Configuring extended re-DHCP portal authentication ······························································ 176
Configuring extended cross-subnet portal authentication ························································· 180
Configuring portal server detection and portal user synchronization ··········································· 184
Configuring cross-subnet portal authentication for MPLS L3VPNs ············································· 192
Configuring direct portal authentication with a preauthentication domain ····································· 194
Configuring re-DHCP portal authentication with a preauthentication domain································· 196
Troubleshooting portal ············································································································ 199
No portal authentication page is pushed for users ·································································· 199
Cannot log out portal users on the access device··································································· 199
Cannot log out portal users on the RADIUS server ································································· 200
Users logged out by the access device still exist on the portal authentication server ······················ 200
Re-DHCP portal authenticated users cannot log in successfully ················································ 200
Configuring port security································································ 202
Overview······························································································································ 202
Port security features ······································································································· 202
Port security modes········································································································· 202
Feature and hardware compatibility ··························································································· 205
Configuration task list·············································································································· 205
Enabling port security ············································································································· 205
Setting port security's limit on the number of secure MAC addresses on a port···································· 206
Setting the port security mode ·································································································· 206
Configuring port security features······························································································ 208
Configuring NTK ············································································································· 208
Configuring intrusion protection ·························································································· 208
Configuring secure MAC addresses··························································································· 209
Configuration prerequisites································································································ 210
Configuration procedure ··································································································· 210
Ignoring authorization information from the server········································································· 211
Enabling MAC move··············································································································· 211
Enabling the authorization-fail-offline feature················································································ 212
Applying a NAS-ID profile to port security···················································································· 212
Displaying and maintaining port security ····················································································· 213
Port security configuration examples·························································································· 213
autoLearn configuration example························································································ 213
userLoginWithOUI configuration example············································································· 215
macAddressElseUserLoginSecure configuration example························································ 218
Troubleshooting port security···································································································· 222
Cannot set the port security mode······················································································· 222
Cannot configure secure MAC addresses············································································· 222
Configuring user profiles································································ 223
Overview······························································································································ 223
Compatibility information ········································································································· 223
Feature and hardware compatibility····················································································· 223
Command and hardware compatibility ················································································· 223
User profile configuration task list······························································································ 223
Configuration restrictions and guidelines····················································································· 224
Configuring a user profile········································································································· 224
Displaying and maintaining user profiles ····················································································· 224
Configuring password control·························································· 225
Overview······························································································································ 225
Password setting············································································································· 225
Password updating and expiration ······················································································ 226
User login control ············································································································ 227
Password not displayed in any form ···················································································· 227
Logging························································································································· 227

FIPS compliance···················································································································· 228
Password control configuration task list ······················································································ 228
Enabling password control······································································································· 228
Setting global password control parameters················································································· 229
Setting user group password control parameters ·········································································· 230
Setting local user password control parameters············································································ 231
Setting super password control parameters ················································································· 231
Displaying and maintaining password control··············································································· 232
Password control configuration example····················································································· 232
Network requirements ······································································································ 232
Configuration procedure ··································································································· 233
Verifying the configuration································································································· 234
Managing public keys···································································· 236
Overview······························································································································ 236
FIPS compliance···················································································································· 236
Creating a local key pair·········································································································· 236
Distributing a local host public key····························································································· 237
Exporting a host public key································································································ 238
Displaying a host public key······························································································· 238
Destroying a local key pair······································································································· 238
Configuring a peer host public key····························································································· 239
Importing a peer host public key from a public key file ····························································· 239
Entering a peer host public key ·························································································· 239
Displaying and maintaining public keys······················································································· 240
Examples of public key management ························································································· 240
Example for entering a peer host public key·········································································· 240
Example for importing a public key from a public key file·························································· 242
Configuring PKI ··········································································· 245
Overview······························································································································ 245
PKI terminology ·············································································································· 245
PKI architecture ·············································································································· 246
PKI operation ················································································································· 246
PKI applications·············································································································· 247
Support for MPLS L3VPN ································································································· 247
FIPS compliance···················································································································· 248
PKI configuration task list········································································································· 248
Configuring a PKI entity··········································································································· 248
Configuring a PKI domain········································································································ 249
Requesting a certificate··········································································································· 251
Configuration guidelines ··································································································· 251
Configuring automatic certificate request·············································································· 252
Manually requesting a certificate························································································· 252
Aborting a certificate request···································································································· 253
Obtaining certificates ·············································································································· 253
Configuration prerequisites································································································ 253
Configuration guidelines ··································································································· 254
Configuration procedure ··································································································· 254
Verifying PKI certificates·········································································································· 254
Verifying certificates with CRL checking ··············································································· 254
Verifying certificates without CRL checking··········································································· 255
Specifying the storage path for the certificates and CRLs ······························································· 256
Exporting certificates ·············································································································· 256
Removing a certificate············································································································· 257
Configuring a certificate-based access control policy ····································································· 257
Displaying and maintaining PKI································································································· 258
PKI configuration examples······································································································ 259
Requesting a certificate from an RSA Keon CA server ···························································· 259
Requesting a certificate from a Windows Server 2003 CA server··············································· 261
Requesting a certificate from an OpenCA server···································································· 265
Requesting a certificate from an RSA Keon CA server in an NAT-PT network ······························ 268
IKE negotiation with RSA digital signature from a Windows Server 2003 CA server······················· 271
Certificate-based access control policy configuration example ·················································· 274
Certificate import and export configuration example································································ 275
Troubleshooting PKI configuration····························································································· 281
Failed to obtain the CA certificate ······················································································· 281
Failed to obtain local certificates························································································· 281
Failed to request local certificates ······················································································· 282
Failed to obtain CRLs······································································································· 283
Failed to import the CA certificate ······················································································· 283
Failed to import a local certificate························································································ 284
Failed to export certificates································································································ 284
Failed to set the storage path····························································································· 285
Configuring IPsec········································································· 286
Overview······························································································································ 286
Security protocols and encapsulation modes········································································· 286
Security association········································································································· 288
Authentication and encryption ···························································································· 288
IPsec implementation······································································································· 289
IPsec RRI······················································································································ 290
Protocols and standards ··································································································· 291
FIPS compliance···················································································································· 291
Security strength···················································································································· 291
IPsec tunnel establishment ······································································································ 291
Implementing ACL-based IPsec································································································ 292
Configuring an ACL ········································································································· 292
Configuring an IPsec transform set ····················································································· 295
Configuring a manual IPsec policy ······················································································ 297
Configuring an IKE-based IPsec policy················································································· 299
Applying an IPsec policy to an interface ··············································································· 303
Enabling ACL checking for de-encapsulated packets ······························································ 304
Configuring IPsec anti-replay ····························································································· 305
Configuring IPsec anti-replay redundancy············································································· 305
Binding a source interface to an IPsec policy········································································· 306
Enabling QoS pre-classify ································································································· 307
Enabling logging of IPsec packets······················································································· 307
Configuring the DF bit of IPsec packets················································································ 307
Configuring IPsec RRI······································································································ 308
Configuring IPsec for IPv6 routing protocols ················································································ 309
Configuration task list······································································································· 309
Configuring a manual IPsec profile······················································································ 309
Configuring IPsec for tunnels···································································································· 311
Configuration task list······································································································· 311
Configuring an IKE-based IPsec profile················································································ 311
Applying an IKE-based IPsec profile to a tunnel interface························································· 312
Configuring SNMP notifications for IPsec···················································································· 312
Displaying and maintaining IPsec······························································································ 313
IPsec configuration examples··································································································· 314
Configuring a manual mode IPsec tunnel for IPv4 packets ······················································· 314
Configuring an IKE-based IPsec tunnel for IPv4 packets·························································· 317
Configuring an IKE-based IPsec tunnel for IPv6 packets·························································· 320
Configuring IPsec for RIPng ······························································································ 324
Configuring IPsec RRI······································································································ 327
Configuring IKE ··········································································· 331
Overview······························································································································ 331
IKE negotiation process···································································································· 331
IKE security mechanism ··································································································· 332
Protocols and standards ··································································································· 333
FIPS compliance···················································································································· 333
IKE configuration prerequisites ································································································· 333
IKE configuration task list········································································································· 333
Configuring an IKE profile········································································································ 334
Configuring an IKE proposal····································································································· 336
Configuring an IKE keychain ···································································································· 337
Configuring the global identity information ··················································································· 338
Configuring the IKE keepalive function ······················································································· 339
Configuring the IKE NAT keepalive function················································································· 339
Configuring IKE DPD·············································································································· 339
Enabling invalid SPI recovery ··································································································· 340
Setting the maximum number of IKE SAs···················································································· 341
Configuring SNMP notifications for IKE······················································································· 341
Displaying and maintaining IKE································································································· 342
IKE configuration examples······································································································ 342
Main mode IKE with pre-shared key authentication configuration example··································· 342
Aggressive mode with RSA signature authentication configuration example································· 346
Aggressive mode with NAT traversal configuration example ····················································· 353
Troubleshooting IKE··············································································································· 357
IKE negotiation failed because no matching IKE proposals were found······································· 357
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·············· 358
IPsec SA negotiation failed because no matching IPsec transform sets were found······················· 358
IPsec SA negotiation failed due to invalid identity information ··················································· 359
Configuring IKEv2 ········································································ 362
Overview······························································································································ 362
IKEv2 negotiation process································································································· 362
New features in IKEv2······································································································ 363
Protocols and standards ··································································································· 363
IKEv2 configuration task list ····································································································· 363
Configuring an IKEv2 profile····································································································· 364
Configuring an IKEv2 policy ····································································································· 367
Configuring an IKEv2 proposal·································································································· 368
Configuring an IKEv2 keychain ································································································· 369
Configure global IKEv2 parameters···························································································· 370
Enabling the cookie challenging feature ··············································································· 370
Configuring the IKEv2 DPD feature ····················································································· 370
Configuring the IKEv2 NAT keepalive feature········································································ 371
Configuring IKEv2 address pools························································································ 371
Displaying and maintaining IKEv2······························································································ 371
IKEv2 configuration examples··································································································· 372
IKEv2 with pre-shared key authentication configuration example ··············································· 372
IKEv2 with RSA signature authentication configuration example················································ 376
IKEv2 with NAT traversal configuration example ···································································· 384
Troubleshooting IKEv2············································································································ 389
IKEv2 negotiation failed because no matching IKEv2 proposals were found································· 389
IPsec SA negotiation failed because no matching IPsec transform sets were found······················· 389
IPsec tunnel establishment failed························································································ 390
Configuring SSH·········································································· 391
Overview······························································································································ 391
How SSH works·············································································································· 391
SSH authentication methods······························································································ 392
FIPS compliance···················································································································· 393
Configuring the device as an SSH server···················································································· 393
SSH server configuration task list ······················································································· 393
Generating local DSA or RSA key pairs················································································ 394
Enabling the Stelnet server································································································ 395
Enabling the SFTP server ································································································· 395
Enabling the SCP server··································································································· 395
Enabling NETCONF over SSH··························································································· 396
Configuring the user lines for SSH login ··············································································· 396
Configuring a client's host public key ··················································································· 396
Configuring an SSH user ·································································································· 397
Configuring the SSH management parameters······································································ 399
Configuring the device as an Stelnet client ·················································································· 400
Stelnet client configuration task list······················································································ 400
Generating local DSA or RSA key pairs················································································ 400
Specifying the source IP address for SSH packets ································································· 400
Establishing a connection to an Stelnet server······································································· 401
Configuring the device as an SFTP client···················································································· 403
SFTP client configuration task list ······················································································· 403
Generating local DSA or RSA key pairs················································································ 403
Specifying the source IP address for SFTP packets································································ 403
Establishing a connection to an SFTP server········································································· 404
Working with SFTP directories ··························································································· 405
Working with SFTP files···································································································· 405
Displaying help information································································································ 406
Terminating the connection with the SFTP server··································································· 406
Configuring the device as an SCP client ····················································································· 406
SCP client configuration task list························································································· 406
Generating local DSA or RSA key pairs················································································ 406
Establishing a connection to an SCP server·········································································· 407
Displaying and maintaining SSH ······························································································· 408
Stelnet configuration examples ································································································· 408
Password authentication enabled Stelnet server configuration example ······································ 409
Publickey authentication enabled Stelnet server configuration example······································· 411
Password authentication enabled Stelnet client configuration example ······································· 417
Publickey authentication enabled Stelnet client configuration example········································ 420
SFTP configuration examples··································································································· 422
Password authentication enabled SFTP server configuration example········································ 422
Publickey authentication enabled SFTP client configuration example ········································· 424
SCP configuration example······································································································ 428
Network requirements ······································································································ 428
Configuration procedure ··································································································· 428
NETCONF over SSH configuration example················································································ 429
Network requirements ······································································································ 430
Configuration procedure ··································································································· 430
Verifying the configuration································································································· 431
Configuring SSL··········································································· 432
Overview······························································································································ 432
SSL security services······································································································· 432
SSL protocol stack··········································································································· 432
Feature and hardware compatibility ··························································································· 433
FIPS compliance···················································································································· 433
SSL configuration task list········································································································ 433
Configuring an SSL server policy······························································································· 434
Configuring an SSL client policy································································································ 435
Displaying and maintaining SSL································································································ 436
SSL server policy configuration example····················································································· 436
Configuring ASPF ········································································ 439
Overview······························································································································ 439
ASPF basic concepts······································································································· 439
ASPF inspections············································································································ 440
Command and hardware compatibility························································································ 442
ASPF configuration task list······································································································ 442
Configuring an ASPF policy······································································································ 442
Applying an ASPF policy to an interface······················································································ 443
Applying an ASPF policy to a zone pair ······················································································ 443
Displaying and maintaining ASPF······························································································ 444
ASPF configuration examples··································································································· 445
ASPF FTP application inspection configuration example·························································· 445
ASPF TCP application inspection configuration example ························································· 446
ASPF H.323 application inspection configuration example ······················································· 447
ASPF application to a zone pair configuration example···························································· 448
Configuring APR·········································································· 451
Overview······························································································································ 451
PBAR ··························································································································· 451
Group-based application recognition ··················································································· 451
Command and hardware compatibility························································································ 452
Configuring PBAR·················································································································· 452
Configuring application groups·································································································· 453
Enabling application statistics on an interface ·············································································· 453
Displaying and maintaining APR ······························································································· 454
APR configuration example······································································································ 455
Network requirements ······································································································ 455
Configuration procedure ··································································································· 455
Verifying the configuration································································································· 455
Managing sessions······································································· 456
Overview······························································································································ 456
Session management operation ························································································· 456
Session management functions·························································································· 456
Command and hardware compatibility························································································ 457
Session management task list ·································································································· 457
Setting the session aging time for different protocol states······························································ 457
Setting the session aging time for different application layer protocols··············································· 458
Specifying persistent sessions·································································································· 459
Enabling session statistics collection·························································································· 459
Configuring session logging ····································································································· 459
Displaying and maintaining session management ········································································· 460
Configuring connection limits·························································· 463
Command and hardware compatibility························································································ 463
Interface-based connection limit configuration task list ··································································· 463
Creating a connection limit policy ······························································································ 464
Configuring the connection limit policy························································································ 464
Applying the connection limit policy···························································································· 465
Displaying and maintaining connection limits ··············································································· 465
Connection limit configuration example······················································································· 466
Network requirements ······································································································ 466
Configuration procedure ··································································································· 467
Verifying the configuration································································································· 468
Troubleshooting connection limits······························································································ 468
ACLs in the connection limit rules with overlapping segments ··················································· 468
Configuring object groups ······························································ 470
Overview······························································································································ 470
Feature and hardware compatibility ··························································································· 470
Configuring an IPv4 address object group ··················································································· 470
Configuring an IPv6 address object group ··················································································· 471
Configuring a port object group································································································· 471
Configuring a service object group····························································································· 471
Displaying and maintaining object groups···················································································· 472
Configuring object policies ····························································· 473
Overview······························································································································ 473
Compatibility information ········································································································· 473
Feature and hardware compatibility····················································································· 473
Command and hardware compatibility ················································································· 473
Object policy rules·················································································································· 473
Rule numbering ·············································································································· 473
Rule match order············································································································· 474
Rule description·············································································································· 474
Object policy configuration task list ···························································································· 474
Configuration prerequisites ······································································································ 474
Creating object policies ··········································································································· 474
Creating an IPv4 object policy···························································································· 474
Creating an IPv6 object policy···························································································· 475
Configuring object policy rules ·································································································· 475
Configuring an IPv4 object policy rule ·················································································· 475
Configuring an IPv6 object policy rule ·················································································· 476
Applying object policies to zone pairs························································································· 476
Changing the rule match order·································································································· 477
Enabling rule matching acceleration··························································································· 477
Displaying and maintaining object policies··················································································· 477
Object policy configuration example··························································································· 478
Network requirements ······································································································ 478
Configuration procedure ··································································································· 479
Verifying the configuration································································································· 480
Configuring attack detection and prevention······································· 481
Overview······························································································································ 481
Command and hardware compatibility························································································ 481
Attacks that the device can prevent···························································································· 481
Single-packet attacks······································································································· 481
Scanning attacks············································································································· 483
Flood attacks·················································································································· 483
TCP fragment attacks······································································································· 484
Blacklist feature····················································································································· 484
Client verification ··················································································································· 485
TCP client verification······································································································· 485
DNS client verification ······································································································ 487
HTTP client verification····································································································· 488
Attack detection and prevention configuration task list···································································· 489
Configuring an attack defense policy·························································································· 489
Creating an attack defense policy ······················································································· 489
Configuring a single-packet attack defense policy··································································· 489
Configuring a scanning attack defense policy ········································································ 491
Configuring a flood attack defense policy·············································································· 491
Configuring attack detection exemption················································································ 496
Applying an attack defense policy to an interface ··································································· 497
Applying an attack defense policy to the device ····································································· 497
Disabling log aggregation for single-packet attack events························································· 498
Configuring TCP fragment attack prevention················································································ 498
Configuring TCP client verification····························································································· 498
Configuring DNS client verification····························································································· 499
Configuring HTTP client verification ··························································································· 500
Configuring the blacklist feature ································································································ 500
Displaying and maintaining attack detection and prevention···························································· 501
Attack detection and prevention configuration examples································································· 506
Interface-based attack detection and prevention configuration example ······································ 506
Blacklist configuration example ·························································································· 509
TCP client verification configuration example········································································· 510
DNS client verification configuration example ········································································ 511
HTTP client verification configuration example······································································· 512
Configuring IP source guard··························································· 514
Overview······························································································································ 514
Static IPSG bindings········································································································ 514
Dynamic IPSG bindings···································································································· 515
Compatibility information ········································································································· 515
Feature and hardware compatibility····················································································· 515
Command and hardware compatibility ················································································· 515
IPSG configuration task list ······································································································ 516
Configuring the IPv4SG feature································································································· 516
Enabling IPv4SG on an interface ························································································ 516
Configuring a static IPv4SG binding ···················································································· 517
Configuring the IPv6SG feature································································································· 517
Enabling IPv6SG on an interface ························································································ 517
Configuring a static IPv6SG binding ···················································································· 517
Displaying and maintaining IPSG ······························································································ 518
IPSG configuration examples ··································································································· 519
Static IPv4SG configuration example··················································································· 519
Dynamic IPv4SG using DHCP snooping configuration example ················································ 520
Dynamic IPv4SG using DHCP relay configuration example ······················································ 521
Static IPv6SG configuration example··················································································· 522
Dynamic IPv6SG using DHCPv6 snooping configuration example ············································· 522
Configuring ARP attack protection ··················································· 524
Command and hardware compatibility························································································ 524
ARP attack protection configuration task list ················································································ 524
Configuring unresolvable IP attack protection··············································································· 525
Configuring ARP source suppression··················································································· 525
Enabling ARP blackhole routing ························································································· 525
Displaying and maintaining unresolvable IP attack protection···················································· 525
Configuration example······································································································ 526
Configuring source MAC-based ARP attack detection···································································· 527
Configuration procedure ··································································································· 527
Displaying and maintaining source MAC-based ARP attack detection········································· 527
Configuration example······································································································ 528
Configuring ARP packet source MAC consistency check································································ 529
Configuring ARP active acknowledgement ·················································································· 529
Configuring authorized ARP····································································································· 529
Configuration procedure ··································································································· 530
Configuration example (on a DHCP server)··········································································· 530
Configuration example (on a DHCP relay agent)···································································· 531
Configuring ARP detection······································································································· 532
Configuring user validity check··························································································· 533
Configuring ARP packet validity check················································································· 534
Configuring ARP restricted forwarding ················································································· 534
Displaying and maintaining ARP detection············································································ 535
User validity check and ARP packet validity check configuration example···································· 535
ARP restricted forwarding configuration example ··································································· 536
Configuring ARP scanning and fixed ARP ··················································································· 538
Configuration restrictions and guidelines ·············································································· 538
Configuration procedure ··································································································· 538
Configuring ARP gateway protection·························································································· 539
Configuration guidelines ··································································································· 539
Configuration procedure ··································································································· 539
Configuration example······································································································ 539
Configuring ARP filtering ········································································································· 540
Configuration guidelines ··································································································· 540
Configuration procedure ··································································································· 540
Configuration example······································································································ 541
Configuring uRPF········································································· 542
Overview······························································································································ 542
uRPF check modes ········································································································· 542
Features························································································································ 542
uRPF operation··············································································································· 543
Network application ········································································································· 546
Command and hardware compatibility························································································ 546
Configuring uRPF ·················································································································· 546
Displaying and maintaining uRPF······························································································ 547
uRPF configuration example ···································································································· 547
Configuring IPv6 uRPF·································································· 549
Overview······························································································································ 549
IPv6 uRPF check modes··································································································· 549
Features························································································································ 549
IPv6 uRPF operation········································································································ 550
Network application ········································································································· 552
Command and hardware compatibility························································································ 552
Configuring IPv6 uRPF············································································································ 552
Displaying and maintaining IPv6 uRPF······················································································· 553
IPv6 uRPF configuration example······························································································ 553
Configuring crypto engines····························································· 555
Overview······························································································································ 555
Command and hardware compatibility························································································ 555
Configuring hardware crypto engines ························································································· 555
Displaying and maintaining crypto engines·················································································· 556
Configuring FIPS·········································································· 557
Overview······························································································································ 557
Feature and hardware compatibility ··························································································· 557
Configuration restrictions and guidelines····················································································· 557
Configuring FIPS mode··········································································································· 558
Entering FIPS mode········································································································· 558
Configuration changes in FIPS mode··················································································· 559
Exiting FIPS mode··········································································································· 560
FIPS self-tests······················································································································· 561
Power-up self-tests·········································································································· 561
Conditional self-tests········································································································ 562
Triggering self-tests ········································································································· 562
Displaying and maintaining FIPS······························································································· 562
FIPS configuration examples···································································································· 562
Entering FIPS mode through automatic reboot······································································· 562
Entering FIPS mode through manual reboot·········································································· 563
Exiting FIPS mode through automatic reboot········································································· 565
Exiting FIPS mode through manual reboot············································································ 565
Configuring DPI engine ································································· 567
Command and hardware compatibility························································································ 567
Overview······························································································································ 567
DPI engine inspection rules ······························································································· 567
DPI engine mechanism····································································································· 567
DPI engine configuration task list······························································································· 569
Configure a DPI application profile····························································································· 570
Activating DPI services············································································································ 570
Configuring action parameter profiles························································································· 571
Configuring a block source parameter profile········································································· 571
Configuring a capture parameter profile················································································ 571
Configuring a logging parameter profile················································································ 572
Configuring a redirect parameter profile················································································ 572
Configuring an email parameter profile················································································· 572
Optimizing the DPI engine ······································································································· 573
Disabling inspection suspension upon excessive CPU usage·························································· 574
Displaying and maintaining DPI engine······················································································· 574
Configuring IPS ··········································································· 576
Overview······························································································································ 576
IPS signatures················································································································ 576
Signature actions ············································································································ 576
IPS mechanism··············································································································· 577
IPS signature library management ······················································································ 578
IPS configuration task list········································································································· 579
Configuring an IPS policy········································································································· 579
Specifying a parameter profile for an IPS signature action ······························································ 580
Applying an IPS policy to a DPI application profile········································································· 580
Importing user-defined IPS signatures························································································ 580
Using a DPI application profile in an object policy rule···································································· 581
Using a DPI application profile in an IPv4 object policy rule ······················································ 581
Using a DPI application profile in an IPv6 object policy rule ······················································ 581
Applying object policies to zone pairs························································································· 581
Managing the IPS signature library ···························································································· 582
Scheduling an IPS signature automatic update······································································ 582
Triggering an immediate IPS signature update······································································· 583
Specifying the URL for IPS signature auto update ·································································· 583
Performing an IPS signature manual update ········································································· 583
Rolling back the IPS signature library··················································································· 584
Activating DPI services············································································································ 584
Displaying and maintaining IPS································································································· 584
IPS configuration examples······································································································ 585
Default IPS policy application example················································································· 585
User-defined IPS policy application example········································································· 586
IPS signature library manual update configuration example······················································ 588
IPS signature library automatic update configuration example··················································· 590
Document conventions and icons ···················································· 591
Conventions ························································································································· 591
Network topology icons ··········································································································· 592
Support and other resources ·························································· 593
Accessing Hewlett Packard Enterprise Support ············································································ 593
Accessing updates················································································································· 593
Websites ······················································································································· 594
Customer self repair········································································································· 594
Remote support ·············································································································· 594
Documentation feedback ·································································································· 594
Index························································································· 595
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to the AAA servers and waits for the
authentication, authorization, and accounting result. Based on the result, the NAS determines
whether to permit or deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
[Figure 1 labels: Remote user, NAS, RADIUS server, HWTACACS server, Internet, Network]
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
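The two uses of the shared key described above, as an added example that is not code from the HPE guide: the RFC 2865 User-Password hiding (MD5 over the shared key and the Request Authenticator) and the Response Authenticator check a client performs before accepting a server reply. The shared key and authenticator values are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not code from the HPE guide: RFC 2865 User-Password hiding
# and the Response Authenticator check described above, from the client side.
# The shared key and authenticator values used in tests are constructed.

def _xor_blocks(data, secret, request_auth, hiding):
    """Each 16-byte block is XORed with MD5(secret + previous block), the first
    block using the Request Authenticator. When hiding, the previous block is
    the ciphertext just produced; when unhiding, the ciphertext just read."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block
    return bytes(out)

def hide_password(password, secret, request_auth):
    """NUL-pad to a multiple of 16 bytes (16..128), then hide under the shared
    key and the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    return _xor_blocks(password.ljust(padded_len, b"\x00"), secret, request_auth, True)

def unhide_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the NUL padding."""
    return _xor_blocks(hidden, secret, request_auth, False).rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    """Accept a reply only if its Authenticator is correct under the shared key;
    a wrong key, a changed attribute or a bad Length field makes this fail."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

Note that this hiding is reversible by anyone holding the shared key, which is why the guide treats the key as the security anchor of the exchange.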
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request From the client to the server. A packet of this type includes user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept From the server to the client. If all attribute values included in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.
3 Access-Reject From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails, and the server sends an Access-Reject response.
4 Accounting-Request From the client to the server. A packet of this type includes user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.
5 Accounting-Response From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.
• The Identifier field (1 byte long) is used to match response packets with request packets and to detect duplicate request packets. The request and response packets of the same exchange process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered padding and are ignored by the receiver. If the length of a received packet is less than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field (variable in length) includes authentication, authorization, and accounting information. This field can contain multiple attributes, each with the following subfields:
  ◦ Type—Type of the attribute.
  ◦ Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
  ◦ Value—Value of the attribute. Its format and content depend on the Type subfield.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
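The packet layout and the Length rules described above, as an added example that is not code from the HPE guide: a parser that walks the Code, Identifier, Length and Authenticator fields and then the Type/Length/Value attributes, dropping packets the way the text says a receiver must, plus a small Access-Request builder used to feed it. The sample packet values are constructed and the Authenticator is a dummy.

```python
import struct

# Added example, not from the HPE guide: a parser for the packet layout
# described above (Code, Identifier, Length, Authenticator, then Type/Length/
# Value attributes) that applies the Length rules the text gives. The sample
# packet in the tests is constructed and carries a dummy Authenticator.

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}

def parse_radius(datagram):
    """Return header fields plus a list of (type, value) attributes.
    Raises ValueError when the packet must be dropped: shorter than the
    20-byte header, shorter than its own Length field, or an attribute whose
    Length subfield is below 2 or runs past the packet. Bytes after Length
    are padding and are ignored."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("Length field %d invalid for %d received bytes" % (length, len(datagram)))
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = datagram[pos], datagram[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute %d has bad Length %d" % (a_type, a_len))
        attrs.append((a_type, datagram[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "type": CODES.get(code, "unknown"), "identifier": ident,
            "length": length, "authenticator": datagram[4:20],
            "attributes": attrs, "padding": len(datagram) - length}

def build_access_request(ident, authenticator, user_name, hidden_password):
    """Serialize an Access-Request carrying User-Name (1) and User-Password (2)."""
    attrs = (bytes([1, 2 + len(user_name)]) + user_name
             + bytes([2, 2 + len(hidden_password)]) + hidden_password)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
```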
Table 2 Commonly used RADIUS attributes
No. Attribute No. Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token