HP MSR2000 Series User manual
HP MSR2000/3000/4000 Router Series
Security
Configuration Guide (V7)
Part number: 5998-3996
Software version: CMW710-R0007P02
Document version: 6PW100-20130927
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
i
Contents
Configuring AAA ························································································································································· 1
Overview············································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································7
AAA implementation on the device························································································································9
AAA for MPLS L3VPNs ········································································································································· 11
Protocols and standards ······································································································································· 11
RADIUS attributes ·················································································································································· 12
FIPS compliance ····························································································································································· 15
AAA configuration considerations and task list·········································································································· 15
Configuring AAA schemes············································································································································ 16
Configuring local users········································································································································· 16
Configuring RADIUS schemes······························································································································ 21
Configuring HWTACACS schemes····················································································································· 29
Configuring AAA methods for ISP domains················································································································ 35
Configuration prerequisites ·································································································································· 35
Creating an ISP domain ······································································································································· 35
Configuring ISP domain attributes······················································································································· 35
Configuring authentication methods for an ISP domain ··················································································· 36
Configuring authorization methods for an ISP domain····················································································· 37
Configuring accounting methods for an ISP domain························································································· 38
Enabling the session-control feature ····························································································································· 40
Setting the maximum number of concurrent login users ···························································································· 40
Displaying and maintaining AAA ································································································································ 40
Authentication and authorization for SSH users by a RADIUS server······································································ 41
Network requirements··········································································································································· 41
Configuration procedure ······································································································································ 41
Verifying the configuration··································································································································· 44
Local authentication and authorization for SSH users ······························································································· 44
Network requirements··········································································································································· 44
Configuration procedure ······································································································································ 44
Verifying the configuration··································································································································· 45
AAA for SSH users by an HWTACACS server··········································································································· 45
Network requirements··········································································································································· 45
Configuration procedure ······································································································································ 46
Verifying the configuration··································································································································· 47
Troubleshooting RADIUS ··············································································································································· 47
RADIUS authentication failure······························································································································ 47
RADIUS packet delivery failure···························································································································· 48
RADIUS accounting error ····································································································································· 48
Troubleshooting HWTACACS ······································································································································ 49
802.1X overview ·······················································································································································50
802.1X architecture······················································································································································· 50
Controlled/uncontrolled port and port authorization status······················································································ 50
802.1X-related protocols ·············································································································································· 51
Packet formats························································································································································ 52
EAP over RADIUS ·················································································································································· 53
Initiating 802.1X authentication··································································································································· 53
ii
802.1X client as the initiator································································································································ 53
Access device as the initiator······························································································································· 54
802.1X authentication procedures ······························································································································ 54
A comparison of EAP relay and EAP termination······························································································ 55
EAP relay································································································································································ 55
EAP termination ····················································································································································· 57
Configuring 802.1X ··················································································································································59
HP implementation of 802.1X ······································································································································ 59
Configuration prerequisites··········································································································································· 59
802.1X configuration task list······································································································································· 59
Enabling 802.1X···························································································································································· 60
Enabling EAP relay or EAP termination ······················································································································· 60
Setting the port authorization state ······························································································································ 61
Specifying an access control method ·························································································································· 61
Setting the maximum number of concurrent 802.1X users on a port······································································· 61
Setting the maximum number of authentication request attempts ············································································· 62
Setting the 802.1X authentication timeout timers······································································································· 62
Configuring the online user handshake function ········································································································ 63
Configuring the authentication trigger function ·········································································································· 63
Configuration guidelines ······································································································································ 63
Configuration procedure ······································································································································ 64
Specifying a mandatory authentication domain on a port························································································ 64
Configuring the quiet timer ··········································································································································· 64
Enabling the periodic online user re-authentication function····················································································· 65
Displaying and maintaining 802.1X ··························································································································· 65
802.1X authentication configuration example ··········································································································· 66
Network requirements··········································································································································· 66
Configuration procedure ······································································································································ 66
Verifying the configuration··································································································································· 68
Configuring MAC authentication······························································································································69
Overview········································································································································································· 69
User account policies············································································································································ 69
Authentication methods········································································································································· 69
Configuration prerequisites··········································································································································· 70
Configuration task list ···················································································································································· 70
Enabling MAC authentication ······································································································································ 70
Specifying a MAC authentication domain·················································································································· 71
Configuring the user account format···························································································································· 71
Configuring MAC authentication timers ······················································································································ 72
Setting the maximum number of concurrent MAC authentication users on a port·················································· 72
Configuring MAC authentication delay······················································································································· 73
Displaying and maintaining MAC authentication ······································································································ 73
Local MAC authentication configuration example ····································································································· 74
Network requirements··········································································································································· 74
Configuration procedure ······································································································································ 74
Verifying the configuration··································································································································· 75
RADIUS-based MAC authentication configuration example ····················································································· 75
Network requirements··········································································································································· 75
Configuration procedure ······································································································································ 76
Verifying the configuration··································································································································· 77
Configuring password control···································································································································78
Overview········································································································································································· 78
Password setting···················································································································································· 78
iii
Password updating and expiration ····················································································································· 79
User login control ·················································································································································· 80
Password not displayed in any form··················································································································· 80
Logging··································································································································································· 80
FIPS compliance ····························································································································································· 81
Password control configuration task list······················································································································· 81
Enabling password control ··········································································································································· 81
Setting global password control parameters ·············································································································· 82
Setting user group password control parameters······································································································· 83
Setting local user password control parameters········································································································· 84
Setting super password control parameters ················································································································ 84
Displaying and maintaining password control ··········································································································· 85
Password control configuration example ···················································································································· 85
Managing public keys···············································································································································89
Overview········································································································································································· 89
FIPS compliance ····························································································································································· 89
Creating a local key pair ·············································································································································· 90
Configuration guidelines ······································································································································ 90
Configuration procedure ······································································································································ 90
Distributing a local host public key ······························································································································ 91
Exporting a host public key in a specific format to a file·················································································· 91
Displaying a host public key in a specific format and saving it to a file ························································ 91
Displaying a host public key································································································································ 92
Destroying a local key pair··········································································································································· 92
Configuring a peer public key······································································································································ 93
Importing a peer host public key from a public key file···················································································· 93
Entering a peer public key ··································································································································· 93
Displaying and maintaining public keys ····················································································································· 94
Example for inputting a peer public key ····················································································································· 94
Example for importing a public key from a public key file ······················································································· 96
Configuring PKI ··························································································································································99
Overview········································································································································································· 99
PKI terminology······················································································································································ 99
PKI architecture····················································································································································100
PKI operation ·······················································································································································101
PKI applications ···················································································································································101
Support for MPLS L3VPN····································································································································101
FIPS compliance ···························································································································································102
PKI configuration task list ············································································································································102
Configuring a PKI entity ··············································································································································102
Configuring a PKI domain···········································································································································103
Requesting a certificate ···············································································································································105
Configuring automatic certificate request·········································································································106
Manually requesting a certificate ······················································································································107
Aborting a certificate request ·····································································································································108
Obtaining certificates ··················································································································································108
Configuration prerequisites ································································································································108
Configuration guidelines ····································································································································108
Configuration procedure ····································································································································109
Verifying PKI certificates··············································································································································109
Verifying certificates with CRL checking ···········································································································109
Verifying certificates without CRL checking ······································································································110
Specifying the storage path for the certificates and CRLs ·······················································································110
iv
Exporting certificates ···················································································································································111
Removing a certificate ·················································································································································112
Configuring a certificate access control policy·········································································································112
Displaying and maintaining PKI ·································································································································113
PKI configuration examples·········································································································································113
Certificate request from an RSA Keon CA server ····························································································114
Certificate request from a Windows 2003 CA server ····················································································116
Certificate request from an OpenCA server·····································································································120
IKE negotiation with RSA digital signature from a Windows 2003 CA server············································123
Certificate import and export configuration example ·····················································································125
Troubleshooting PKI configuration······························································································································131
Failed to obtain the CA certificate·····················································································································131
Failed to obtain local certificates·······················································································································131
Failed to request local certificates ·····················································································································132
Failed to obtain CRLs ··········································································································································133
Failed to import the CA certificate·····················································································································133
Failed to import a local certificate·····················································································································134
Failed to export certificates ································································································································134
Failed to set the storage path·····························································································································135
Configuring IPsec ···················································································································································· 136
Overview·······································································································································································136
Security protocols and encapsulation modes···································································································137
Security association·············································································································································138
Authentication and encryption···························································································································138
IPsec implementation···········································································································································139
IPsec RRI································································································································································140
Protocols and standards ·····································································································································141
IPsec tunnel establishment ···········································································································································141
Implementing ACL-based IPsec ···································································································································142
Configuring an ACL ············································································································································143
Configuring an IPsec transform set····················································································································145
Configuring a manual IPsec policy····················································································································147
Configuring an IKE-based IPsec policy ·············································································································149
Applying an IPsec policy to an interface ··········································································································153
Enabling ACL checking for de-encapsulated packets······················································································153
Configuring the IPsec anti-replay function ········································································································154
Binding a source interface to an IPsec policy ··································································································154
Enabling QoS pre-classify ··································································································································155
Enabling logging of IPsec packets·····················································································································156
Configuring the DF bit of IPsec packets ············································································································156
Configuring IPsec RRI··········································································································································157
Configuring IPsec for IPv6 routing protocols·············································································································158
Configuration task list ·········································································································································158
Configuring a manual IPsec profile···················································································································158
Configuring SNMP notifications for IPsec ·················································································································160
Displaying and maintaining IPsec ······························································································································160
IPsec configuration examples······································································································································161
Configuring a manual mode IPsec tunnel for IPv4 packets ············································································161
Configuring an IKE-based IPsec tunnel for IPv4 packets ·················································································164
Configuring an IKE-based IPsec tunnel for IPv6 packets ·················································································167
Configuring IPsec for RIPng································································································································171
Configuring IPsec RRI··········································································································································174
v
Configuring IKE······················································································································································· 179
Overview·······································································································································································179
IKE negotiation process ······································································································································179
IKE security mechanism·······································································································································180
Protocols and standards ·····································································································································181
IKE configuration prerequisites ···································································································································181
IKE configuration task list ············································································································································181
Configuring an IKE profile ··········································································································································182
Configuring an IKE proposal ······································································································································184
Configuring an IKE keychain······································································································································185
Configuring the global identity information ··············································································································186
Configuring the IKE keepalive function······················································································································187
Configuring the IKE NAT keepalive function ············································································································187
Configuring IKE DPD····················································································································································188
Enabling invalid SPI recovery ·····································································································································188
Setting the maximum number of IKE SAs···················································································································189
Configuring SNMP notifications for IKE ····················································································································189
Displaying and maintaining IKE·································································································································190
IKE configuration examples ········································································································································190
Main mode IKE with pre-shared key authentication configuration example ················································190
Aggressive mode with RSA signature authentication configuration example ··············································194
Aggressive mode with NAT traversal configuration example········································································201
Troubleshooting IKE ·····················································································································································205
IKE negotiation failed because no matching IKE proposals were found·······················································205
IKE negotiation failed due to malformed payload···························································································206
IPsec SA negotiation failed because no matching IPsec transform sets were found····································206
IPsec SA negotiation failed due to invalid identity information······································································207
Configuring SSH ····················································································································································· 210
Overview·······································································································································································210
How SSH works···················································································································································210
SSH authentication methods·······························································································································211
FIPS compliance ···························································································································································212
Configuring the device as an SSH server··················································································································212
SSH server configuration task list ······················································································································212
Generating local DSA or RSA key pairs···········································································································212
Enabling the SSH server function·······················································································································213
Enabling the SFTP server function······················································································································213
Configuring the user lines for SSH clients·········································································································214
Configuring a client's host public key···············································································································214
Configuring an SSH user····································································································································215
Setting the SSH management parameters ········································································································216
Configuring the device as an Stelnet client···············································································································217
Stelnet client configuration task list····················································································································217
Specifying a source IP address or source interface for the Stelnet client ······················································218
Establishing a connection to an Stelnet server ·································································································218
Configuring the device as an SFTP client ··················································································································220
SFTP client configuration task list·······················································································································220
Specifying a source IP address or source interface for the SFTP client ·························································220
Establishing a connection to an SFTP server ····································································································220
Working with SFTP directories···························································································································223
Working with SFTP files······································································································································223
Displaying help information ·······························································································································223
Terminating the connection with the SFTP server ·····························································································224
Configuring the device as an SCP client ···················································································································224
vi
Displaying and maintaining SSH ·······························································································································226
Stelnet configuration examples···································································································································226
Password authentication enabled Stelnet server configuration example ······················································226
Publickey authentication enabled Stelnet server configuration example·······················································228
Password authentication enabled Stelnet client configuration example························································233
Publickey authentication enabled Stelnet client configuration example························································236
SFTP configuration examples ······································································································································238
Password authentication enabled SFTP server configuration example··························································238
Publickey authentication enabled SFTP client configuration example ···························································240
SCP file transfer with password authentication·········································································································243
Configuring ASPF···················································································································································· 246
Overview·······································································································································································246
ASPF basic concepts ···········································································································································246
ASPF inspections··················································································································································247
ASPF configuration task list·········································································································································249
Configuring an ASPF policy········································································································································249
Applying an ASPF policy to an interface ··················································································································249
Displaying and maintaining ASPF······························································································································250
ASPF configuration examples ·····································································································································250
ASPF FTP application inspection configuration example ················································································250
ASPF TCP application inspection configuration example ···············································································252
ASPF H.323 application inspection configuration example ··········································································253
Configuring APR······················································································································································ 255
Overview·······································································································································································255
PBAR ·····································································································································································255
Group-based application recognition ···············································································································255
Configuring PBAR ························································································································································256
Configuring application groups ·································································································································256
Enabling application statistics on an interface ·········································································································257
Displaying and maintaining APR································································································································258
APR configuration example·········································································································································258
Network requirements·········································································································································258
Configuration procedure ····································································································································259
Verifying the configuration·································································································································259
Managing sessions ················································································································································· 260
Overview·······································································································································································260
Session management operation·························································································································260
Session management functions ··························································································································260
Session management task list ·····································································································································261
Setting the session aging time for different protocol states ·····················································································261
Setting the session aging time for different application layer protocols ································································262
Specifying persistent sessions ·····································································································································263
Setting the maximum number of sessions ··················································································································263
Configuring session logging ·······································································································································263
Displaying and maintaining session management···································································································264
Configuring connection limits································································································································· 266
Connection limit configuration task list ······················································································································266
Creating a connection limit policy ·····························································································································266
Configuring the connection limit policy ·····················································································································267
Applying the connection limit policy··························································································································267
Displaying and maintaining connection limits ··········································································································268
Connection limit configuration example····················································································································269
vii
Troubleshooting connection limits ······························································································································271
ACLs in the connection limit rules with overlapping segments ·······································································271
Configuring ARP attack protection························································································································· 272
ARP attack protection configuration task list ·············································································································272
Configuring unresolvable IP attack protection ··········································································································273
Configuring ARP source suppression ················································································································273
Enabling ARP blackhole routing ························································································································273
Displaying and maintaining unresolvable IP attack protection ······································································273
Configuration example ·······································································································································274
Configuring ARP packet rate limit ······························································································································275
Configuration guidelines ····································································································································275
Configuration procedure ····································································································································275
Configuring source MAC-based ARP attack detection ····························································································276
Configuration procedure ····································································································································276
Displaying and maintaining source MAC-based ARP attack detection·························································276
Configuration example ·······································································································································277
Configuring ARP packet source MAC consistency check························································································278
Configuring ARP active acknowledgement ···············································································································278
Configuring authorized ARP ·······································································································································278
Configuration procedure ····································································································································279
Configuration example (on a DHCP server)·····································································································279
Configuration example (on a DHCP relay agent)····························································································280
Configuring ARP detection··········································································································································281
Configuring user validity check ·························································································································282
Configuring ARP packet validity check·············································································································282
Configuring ARP restricted forwarding ·············································································································283
Displaying and maintaining ARP detection ······································································································284
User validity check configuration example·······································································································284
User validity check and ARP packet validity check configuration example··················································285
Configuring ARP automatic scanning and fixed ARP·······························································································287
Configuration guidelines ····································································································································287
Configuration procedure ····································································································································287
Configuring ARP gateway protection ························································································································288
Configuration guidelines ····································································································································288
Configuration procedure ····································································································································288
Configuration example ·······································································································································288
Configuring ARP filtering·············································································································································289
Configuration guidelines ····································································································································289
Configuration procedure ····································································································································290
Configuration example ·······································································································································290
Configuring crypto engines···································································································································· 291
Overview·······································································································································································291
Configuring hardware crypto engines·······················································································································291
Displaying and maintaining crypto engines ·············································································································292
Configuring portal authentication·························································································································· 293
Overview·······································································································································································293
Extended portal functions ···································································································································293
Portal system components···································································································································293
Interaction between portal system components································································································295
Portal authentication modes ·······························································································································295
Portal authentication process ·····························································································································296
Portal configuration task list ········································································································································298
Configuration prerequisites·········································································································································298
viii
Configuring a portal authentication server················································································································299
Configuring a portal Web server·······························································································································300
Enabling portal authentication on an interface·········································································································300
Configuration restrictions and guidelines ·········································································································300
Configuration procedure ····································································································································301
Referencing a portal Web server for an interface····································································································301
Controlling portal user access ····································································································································302
Configuring a portal-free rule·····························································································································302
Configuring an authentication source subnet···································································································303
Configuring an authentication destination subnet ···························································································304
Setting the maximum number of portal users ···································································································304
Specifying a portal authentication domain ······································································································305
Configuring portal detection functions·······················································································································306
Configuring online detection of portal users ····································································································306
Configuring portal authentication server detection··························································································306
Configuring portal Web server detection·········································································································307
Configuring portal user synchronization···········································································································308
Configuring the portal fail-permit function·················································································································309
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server··································309
Enabling portal roaming ·············································································································································310
Logging out portal users··············································································································································310
Displaying and maintaining portal ····························································································································311
Portal configuration examples ····································································································································311
Configuring direct portal authentication···········································································································311
Configuring re-DHCP portal authentication······································································································316
Configuring cross-subnet portal authentication ································································································319
Configuring extended direct portal authentication··························································································320
Configuring extended re-DHCP portal authentication·····················································································322
Configuring extended cross-subnet portal authentication ···············································································325
Configuring portal server detection and portal user synchronization ···························································327
Configuring cross-subnet portal authentication for MPLS L3VPNs ·································································333
Troubleshooting portal·················································································································································335
No portal authentication page is pushed for users ·························································································335
Cannot log out portal users on the access device ···························································································335
Cannot log out portal users on the RADIUS server··························································································336
Users logged out by the access device still exist on the portal authentication server··································336
Re-DHCP portal authenticated users cannot log in successfully······································································336
Configuring FIPS······················································································································································ 338
Overview·······································································································································································338
Configuration restrictions and guidelines··················································································································338
Configuring FIPS mode················································································································································339
Entering FIPS mode ·············································································································································339
Configuration changes in FIPS mode ················································································································340
Exiting FIPS mode················································································································································341
FIPS self-tests ·································································································································································342
Power-up self-tests················································································································································342
Conditional self-tests············································································································································343
Triggering self-tests ··············································································································································343
Displaying and maintaining FIPS ·······························································································································343
FIPS configuration examples·······································································································································343
Entering FIPS mode through automatic reboot·································································································343
Entering FIPS mode through manual reboot·····································································································344
Exiting FIPS mode through automatic reboot ···································································································346
Exiting FIPS mode through manual reboot ·······································································································346
ix
Support and other resources ·································································································································· 348
Contacting HP ······························································································································································348
Subscription service ············································································································································348
Related information······················································································································································348
Documents····························································································································································348
Websites·······························································································································································348
Conventions ··································································································································································349
Index ········································································································································································ 351
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights and controls their access to resources and
services. For example, you can use this function to grant a user who has successfully logged in to the
device read and print permissions to the files on the device, and prevent a guest from reading or
printing the files.
•Accounting—Records network usage details of users, including the service type, start time, and
traffic. This function enables time-based and traffic-based charging and user behavior auditing.
Typically, AAA uses a client/server model. The client runs on the access device, or the network access
server (NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
A user who wants to access networks or resources beyond the NAS sends its identity information to the
NAS, which transparently passes the user information to the servers. The servers perform user
authentication, authorization, and accounting and return the result to the NAS. Based on the result, the
NAS determines whether to permit or deny the access request.
AAA has various implementations, including RADIUS and HWTACACS, and RADIUS is most often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company wants
employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an accounting
server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments that require both high security and remote user access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for
authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support additional
access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It receives authentication, authorization, and
accounting requests from RADIUS clients, performs user authentication, authorization, or accounting,
and returns user access control information (for example, rejecting or accepting the user access request)
to the clients. In addition, the RADIUS server can act as the client of another RADIUS server to provide
authentication proxy services.
The RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server databases
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys, which
are pre-configured on the client and server. A RADIUS packet has a 16-byte field called Authenticator.
This field includes a signature generated by using the MD5 algorithm, the shared key, and some other
information. The receiver of the packet verifies the signature and accepts the packet only when the
signature is correct. This mechanism ensures the security of information exchanged between the RADIUS
client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client encrypts the user password by using the MD5 algorithm, the shared key, and
other necessary information, encapsulates the username and the encrypted password to an
authentication request (Access-Request), and sends the request to the RADIUS server.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept packet that contains the user's authorization information. If
the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) packet to
the RADIUS server.
5. The RADIUS server returns an acknowledgement (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS
server.
9. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for
the user.
10. The RADIUS client notifies the user of the termination.
4
RADIUS packet format
RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server
and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission
mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values
and their meanings.
Table 1 Main values of the Code field
Code Packet t
yp
e Descri
p
tion
1 Access-Request
From the client to the server. A packet of this type includes user information
for the server to authenticate the user. It must contain the User-Name attribute
and can optionally contain the attributes of NAS-IP-Address, User-Password,
and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and the server
sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the server sends
an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type includes user information
for the server to start or stop accounting for the user. The Acct-Status-Type
attribute in the packet indicates whether to start or stop accounting.
5 Accounting-Response
From the server to the client. The server sends a packet of this type to notify
the client that it has received the Accounting-Request and has successfully
recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to detect
duplicate request packets. The request and response packets of the same exchange process for the
same purpose (such as authentication or accounting) have the same identifier.
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code,
Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered
padding and are ignored by the receiver. If the length of a received packet is less than this length,
the packet is dropped.
5
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and
to encrypt user passwords. There are two types of authenticators: request authenticator and
response authenticator.
•The Attributes field (variable in length) includes specific authentication, authorization, and
accounting information. This field can contain multiple attributes, each with three sub-fields:
{Type—Type of the attribute.
{Length—Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
{Value—Value of the attribute. Its format and content depend on the Type sub-field.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. Attribute No.
Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
6
No. Attribute No.
Attribute
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined
in RFC 2865, allows a vendor to define extended attributes to implement functions that the standard
RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a sub-attribute encapsulated in attribute 26 consists of the following
parts:
•Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code
compliant to RFC 1700. The vendor ID of HP is 25506.
•Vendor-Type—Type of the sub-attribute.
•Vendor-Length—Length of the sub-attribute.
•Vendor-Data—Contents of the sub-attribute.
For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS
sub-attributes."
7
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for
information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the
NAS sends users' usernames and passwords to the HWTACACS sever for authentication. After passing
authentication and obtaining authorized rights, a user logs in to the device and performs operations. The
HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model, using
shared keys for data encryption, and providing flexibility and scalability. Table 3 lists their primary
differences.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, which provides reliable network
transmission. Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the HWTACACS
header.
Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization is
independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication process.
Supports authorization of configuration commands.
Access to commands depends on both the user's roles
and authorization. A user can use only commands that
are permitted by the user roles and authorized by the
HWTACACS server.
Does not support authorization of configuration
commands. Access to commands solely depends on
the user's roles. For more information about user roles,
see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a
Telnet user.
8
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
HWTACACS operates using in the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it
receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a
continue-authentication packet that includes the username.
7. The HWTACACS server sends back an authentication response to request the login password.
8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.
Host HWTACACS client HWTACACS server
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
9) The user enters the password
11) Response indicating successful authentication
12) User authorization request packet
13) Response indicating successful authorization
14) The user logs in successfully
15) Start-accounting request
16) Response indicating the start of accounting
17) The user logs off
18) Stop-accounting request
19) Stop-accounting response
10) Continue-authentication packet with the password
9
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to
indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13. If the authorization succeeds, the HWTACACS server sends back an authorization response,
indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and
permits the user to log in.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.
AAA implementation on the device
This section describes AAA user management and methods.
User management based on ISP domains and user access types
AAA manages users based on their ISP domains and access types.
On a NAS, each user belongs to one ISP domain. Typically, a NAS determines the ISP domain a user
belongs to by the username entered by the user at login.
Figure 7 Determining the ISP domain for a user by the username
AAA manages users in the same ISP domain based on their access types. The device supports the
following user access types:
•LAN—LAN users must pass 802.1X or MAC authentication to get online.
•Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal
users can access through a console, AUX, or async port.
•Portal—Portal users must pass portal authentication to access the network.
Other manuals for MSR2000 Series
3
This manual suits for next models
2
Table of contents
Other HP Network Router manuals
HP
HP 5820X Series User manual
HP
HP MSR2000 Series User manual
HP
HP MSR4080 User manual
HP
HP VSR1000 User manual
HP
HP StorageWorks M2402 User manual
HP
HP HP 2530 User manual
HP
HP MSR930 Series Assembly instructions
HP
HP 6125XLG User manual
HP
HP FlexNetwork HSR6800 Installation manual
HP
HP 3600 v2 Series User manual
HP
HP MSR930 Series Assembly instructions
HP
HP HP ProCurve Series 6600 User manual
HP
HP StorageWorks MPX200 Programming manual
HP
HP J3138A User manual
HP
HP A5830 Series User manual
HP
HP StorageWorks 6100 - Enterprise Virtual Array User manual
HP
HP Pavilion a6600 User manual
HP
HP 5900 Installation manual
HP
HP 2100 ER User manual
HP
HP 6602 User instructions
Popular Network Router manuals by other brands
RF-Link
RF-Link XL-2000/H Installation and operating instructions
rtd
rtd IDAN-ID5915 user manual
VIA Technologies
VIA Technologies VIA16 installation guide
Niveo
Niveo NGS24TP Quick installation guide
Multitech
Multitech MultiConnect rCell 100 Series user guide
Lütze
Lütze LEOS-FM-ETH-SW-WR-LUE operating instructions
