Hp Pavilion a6600 User manual

HP A6600 Routers

Security

Configuration Guide

Abstract

This document describes the software features for the HP A Series products and guides you through the

software configuration procedures. These configuration guides also provide configuration examples to

help you apply software features to different network scenarios.

This documentation is intended for network planners, field technical support and servicing engineers,

and network administrators working with the HP A Series products.

Part number: 5998-1515

Software version: A6600-CMW520-R2603

Document version: 6PW101-20110630

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or use

of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

iii

Contents

Configuring AAA ························································································································································· 1

RADIUS······································································································································································2

HWTACACS·····························································································································································7

Domain-based user management ···························································································································9

AAA across MPLS L3VPNs··································································································································· 10

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 11

AAA configuration considerations and task list·········································································································· 14

Configuring AAA schemes············································································································································ 16

Configuring local users········································································································································· 16

Configuring RADIUS schemes······························································································································ 21

Configuring HWTACACS schemes····················································································································· 33

Configuring AAA methods for ISP domains················································································································ 40

Configuration prerequisites ·································································································································· 40

Creating an ISP domain ······································································································································· 40

Configuring ISP domain attributes······················································································································· 41

Configuring AAA authentication methods for an ISP domain·········································································· 41

Configuring AAA authorization methods for an ISP domain ··········································································· 43

Configuring AAA accounting methods for an ISP domain ··············································································· 45

Tearing down user connections forcibly······················································································································ 47

Configuring a NAS ID-VLAN binding·························································································································· 47

Specifying the device ID used in stateful failover mode ···························································································· 48

Configuring a router as a RADIUS server ··················································································································· 48

RADIUS server functions configuration task list·································································································· 48

Configuring a RADIUS user·································································································································· 48

Specifying a RADIUS client ·································································································································· 49

Displaying and maintaining AAA ································································································································ 50

AAA configuration examples········································································································································ 50

Authentication/authorization for Telnet/SSH users by a RADIUS server························································ 50

Local authentication/authorization for Telnet/FTP users··················································································· 54

AAA for PPP users by an HWTACACS server ··································································································· 55

Level switching authentication for Telnet users by a RADIUS server································································ 57

AAA for portal users by a RADIUS server ·········································································································· 62

Troubleshooting AAA ···················································································································································· 70

Troubleshooting RADIUS ······································································································································ 70

Troubleshooting HWTACACS······························································································································ 71

802.1X fundamentals ················································································································································72

Architecture of 802.1X·················································································································································· 72

Controlled/uncontrolled port and authorized/unauthorized port············································································ 72

Control direction ···························································································································································· 73

EAP over LAN································································································································································· 73

EAPOL packet format············································································································································ 73

EAP packet format················································································································································· 74

EAP over RADIUS··························································································································································· 74

EAP-Message ························································································································································· 74

Message-Authenticator ········································································································································· 75

Initiating 802.1X authentication··································································································································· 75

802.1X client as the initiator ······························································································································· 75

Access device as the initiator······························································································································· 75

Authentication procedure·············································································································································· 76

EAP relay································································································································································ 76

EAP termination ····················································································································································· 78

Configuring 802.1X ··················································································································································79

HP implementation of 802.1X ······································································································································ 79

Access control methods ········································································································································ 79

Using 802.1X authentication with other features ······························································································ 79

802.1X configuration task list······························································································································ 82

Enabling 802.1X··················································································································································· 83

Specifying an EAP message handling method ·································································································· 83

Setting the port authorization state······················································································································ 84

Specifying an access control method·················································································································· 84

Setting the maximum number of concurrent 802.1X users on a port······························································ 85

Setting the maximum number of authentication request attempts ···································································· 85

Setting the 802.1X timers····································································································································· 85

Configuring the online user handshake function ······························································································· 87

Enabling the proxy detection function················································································································· 87

Enabling the multicast trigger function················································································································ 88

Enabling the unicast trigger function··················································································································· 88

Specifying a mandatory authentication domain on a port··············································································· 89

Enabling the quiet timer········································································································································ 89

Enabling the periodic online user re-authentication function············································································ 90

Configuring an 802.1X guest VLAN··················································································································· 90

Configuring an Auth-Fail VLAN ··························································································································· 91

Displaying and maintaining 802.1X ··························································································································· 92

802.1X configuration examples··································································································································· 92

802.1X authentication configuration example ·································································································· 92

802.1X with guest VLAN and VLAN assignment configuration example······················································· 94

802.1X with ACL assignment configuration example······················································································· 97

Configuring EAD fast deployment ····························································································································99

EAD fast deployment implementation ················································································································· 99

Configuring EAD fast deployment································································································································ 99

Configuration procedure ······································································································································ 99

Displaying and maintaining EAD fast deployment···································································································100

EAD fast deployment configuration example············································································································100

Troubleshooting EAD fast deployment·······················································································································103

Users cannot be correctly redirected·················································································································103

Configuring MAC authentication··························································································································· 104

User account policies··········································································································································104

Authentication approaches ································································································································104

MAC authentication timers·································································································································105

Using MAC authentication with other features·········································································································105

VLAN assignment ················································································································································105

ACL assignment ···················································································································································105

Configuration task list··················································································································································106

Basic configuration for MAC authentication·············································································································106

Specifying MAC authentication user domain ···········································································································107

Displaying and maintaining MAC authentication····································································································108

MAC authentication configuration examples············································································································108

Local MAC authentication configuration example ··························································································108

RADIUS-based MAC authentication configuration example ··········································································110

ACL assignment configuration example ···········································································································112

Configuring portal··················································································································································· 115

Extended portal functions ···································································································································115

Portal system components···································································································································115

Portal authentication modes ·······························································································································117

Portal support for EAP·········································································································································118

Layer 2 portal authentication process ···············································································································119

Layer 3 portal authentication process ···············································································································120

Portal stateful failover··········································································································································123

Portal authentication across VPNs·····················································································································125

Configuration prerequisites·········································································································································126

Specifying the portal server ········································································································································127

Specifying a portal server for Layer 3 portal authentication ··········································································127

Enabling portal authentication····································································································································127

Enabling Layer 3 portal authentication·············································································································128

Controlling access of portal users ······························································································································128

Configuring a portal-free rule ····························································································································128

Configuring an authentication source subnet···································································································129

Setting the maximum number of online portal users························································································130

Specifying the authentication domain for portal users····················································································130

Configuring RADIUS related attributes ······················································································································131

Specifying NAS-Port-Type for an interface ·······································································································131

Specifying a NAS ID profile for an interface···································································································131

Specifying the source IP address for outgoing portal packets ················································································132

Configuring portal stateful failover·····························································································································132

Specifying auto redirection URL for authenticated portal users ··············································································134

Configuring portal detection functions·······················································································································135

Configuring online Layer 3 portal user detection ····························································································135

Configuring the portal server detection function······························································································135

Configuring portal user information synchronization······················································································137

Logging off portal users···············································································································································138

Displaying and maintaining portal ····························································································································138

Portal configuration examples ····································································································································139

Configuring direct portal authentication···········································································································139

Configuring re-DHCP portal authentication······································································································144

Configuring cross-subnet portal authentication································································································146

Configuring direct portal authentication with extended functions ·································································148

Configuring re-DHCP portal authentication with extended functions ····························································150

Configuring cross-subnet portal authentication with extended functions·······················································152

Configuring portal stateful failover····················································································································154

Configuring portal server detection and portal user information synchronization·······································163

Cross-subnet portal authentication across VPNs ······························································································169

Troubleshooting portal·················································································································································171

Inconsistent keys on the access device and the portal server·········································································171

Incorrect server port number on the access device··························································································172

Configuring port security········································································································································ 173

Port security features ···········································································································································173

Port security modes ·············································································································································174

Support for guest VLAN and Auth-Fail VLAN···································································································176

Enabling port security··················································································································································177

Setting the maximum number of secure MAC addresses ························································································178

Setting the port security mode ····································································································································178

Configuring port security features ······························································································································179

Configuring NTK ·················································································································································179

Configuring intrusion protection ························································································································180

Enabling port security traps································································································································181

Configuring secure MAC addresses ··························································································································181

Ignoring authorization information from the RADIUS server ···················································································182

Displaying and maintaining port security··················································································································183

Port security configuration examples ·························································································································183

Configuring the autoLearn mode·······················································································································183

Configuring the userLoginWithOUI mode ········································································································185

Configuring the macAddressElseUserLoginSecure mode················································································190

Troubleshooting port security······································································································································193

Cannot set the port security mode·····················································································································193

Cannot configure secure MAC addresses········································································································193

Cannot change port security mode when a user is online ·············································································194

Configuring user profiles ········································································································································ 195

Creating a user profile ················································································································································195

Creating a user profile········································································································································196

Configuring a user profile···········································································································································196

Enabling a user profile ················································································································································196

Displaying and maintaining user profile ···················································································································196

Configuring password control································································································································ 197

Configuring password control ····································································································································200

Enabling password control·································································································································200

Setting global password control parameters····································································································201

Setting user group password control parameters ····························································································202

Setting local user password control parameters ······························································································202

Setting super password control parameters ·····································································································203

Setting a local user password in interactive mode··························································································203

Displaying and maintaining password control·········································································································204

Password control configuration example ··················································································································204

Configuring RSH ····················································································································································· 207

RSH configuration example ········································································································································208

Configuring public keys·········································································································································· 211

Asymmetric key algorithm overview ··························································································································211

Basic concepts ·····················································································································································211

Key algorithm types ············································································································································211

Asymmetric key algorithm applications ············································································································212

vii

Configuring the local asymmetric key pair ···············································································································212

Creating a local asymmetric key pair···············································································································212

Displaying or exporting the local RSA or DSA host public key ·····································································212

Destroying an asymmetric key pair···················································································································213

Configuring a remote host's public key·····················································································································213

Displaying and maintaining public keys ···················································································································214

Public key configuration examples·····························································································································215

Configuring a remote host's public key manually ···························································································215

Importing a remote host's public key from a public key file···········································································216

Configuring PKI ······················································································································································· 219

PKI terms·······························································································································································219

PKI architecture····················································································································································220

PKI applications···················································································································································220

Operation·····························································································································································221

Configuring an entity DN············································································································································222

Configuring a PKI domain ··········································································································································223

Submitting a PKI certificate request····························································································································225

Submitting a certificate request in auto mode··································································································225

Submitting a certificate request in manual mode·····························································································225

Retrieving a certificate manually ································································································································226

Configuring PKI certificate verification ······················································································································227

Configuring CRL-checking-enabled PKI certificate verification ·······································································227

Configuring CRL-checking-disabled PKI certificate verification ······································································228

Destroying a local RSA or DSA key pair···················································································································228

Deleting a certificate····················································································································································229

Configuring an access control policy ························································································································229

Displaying and maintaining PKI·································································································································230

PKI configuration examples·········································································································································230

Requesting a certificate from a CA server running RSA Keon ·······································································230

Requesting a certificate from a CA server running Windows 2003 Server ·················································234

Applying RSA digital signature in IKE negotiation ··························································································237

Configuring a certificate attribute-based access control policy ·····································································240

Troubleshooting PKI ·····················································································································································241

Failed to retrieve a CA certificate······················································································································241

Failed to request a local certificate ···················································································································242

Failed to retrieve CRLs ········································································································································242

Configuring IPsec···················································································································································· 243

Implementation ····················································································································································243

IPsec tunnel interface···········································································································································245

IPsec for IPv6 routing protocols··························································································································247

IPsec RRI ·······························································································································································247

Configuring IPsec ·························································································································································248

Implementing ACL-based IPsec···································································································································248

Configuration task list ·········································································································································248

Configuring ACLs ················································································································································249

Configuring an IPsec proposal ··························································································································252

Configuring an IPsec policy ·······························································································································253

Applying an IPsec policy group to an interface·······························································································259

Enabling the encryption engine ·························································································································259

Enabling ACL checking of de-encapsulated IPsec packets ·············································································260

Configuring the IPsec anti-replay function ········································································································260

viii

Configuring packet information pre-extraction ································································································261

Enabling invalid SPI recovery ····························································································································261

Configuring IPsec RRI··········································································································································262

Implementing tunnel interface-based IPsec ················································································································263

Configuration task list ·········································································································································263

Configuring an IPsec profile·······························································································································264

Configuring an IPsec tunnel interface ···············································································································265

Enabling packet information pre-extraction on the IPsec tunnel interface·····················································268

Applying a QoS policy to an IPsec tunnel interface························································································268

Configuring IPsec for IPv6 routing protocols·············································································································269

Displaying and maintaining IPsec······························································································································269

IPsec configuration examples ·····································································································································270

Establishing an IPsec tunnel in manual mode example···················································································270

Establishing an IPsec tunnel through IKE negotiation example ······································································272

Configuring IPsec with IPsec tunnel interfaces example··················································································275

Configuring IPsec for RIPng example ················································································································279

Configuring IPsec RRI example ··························································································································283

Configuring IKE······················································································································································· 286

Security mechanism·············································································································································286

Functions·······························································································································································287

Relationship between IKE and IPsec··················································································································288

Configuring a name for the local security gateway·································································································289

Configuring an IKE proposal ······································································································································289

Configuring an IKE peer ·············································································································································290

Setting keepalive timers···············································································································································292

Setting the NAT keepalive timer·································································································································293

Configuring a DPD detector········································································································································293

Disabling next payload field check····························································································································293

Displaying and maintaining IKE·································································································································294

IKE configuration examples ········································································································································294

Main mode IKE with pre-shared key authentication configuration example ················································294

Aggressive mode IKE with NAT traversal configuration example ·································································299

Troubleshooting IKE ·····················································································································································303

Invalid user ID······················································································································································303

Proposal mismatch ··············································································································································303

Failure to establish an IPsec tunnel····················································································································304

ACL configuration error······································································································································304

Configuring SSH2.0 ··············································································································································· 305

SSH connection across VPNs·····························································································································308

Configuring the router as an SSH server···················································································································308

Configuration task list ·········································································································································308

Generating a DSA or RSA key pair ··················································································································309

Enabling the SSH server function ······················································································································309

Configuring user interfaces for SSH clients ······································································································310

Configuring a client public key··························································································································310

Configuring an SSH user····································································································································311

Setting SSH management parameters ··············································································································312

Configuring the router as an SSH client ····················································································································313

Configuration task list ·········································································································································313

Specifying a source IP address or interface for the SSH client ······································································313

Configuring first-time authentication support····································································································314

Establishing connection between the SSH client and server ··········································································315

Displaying and maintaining SSH ·······························································································································315

SSH server configuration examples ···························································································································316

Configuring the router to act as password authentication server ··································································316

Configuring the router to act as public key authentication server ·································································318

SSH client configuration examples·····························································································································323

Configuring router to act as password authentication client··········································································323

Configuring router to act as public key authentication client ·········································································326

Configuring SFTP····················································································································································· 329

Configuring the router as an SFTP server ··················································································································329

Enabling the SFTP server ····································································································································329

Configuring the SFTP connection idle timeout period ·····················································································330

Configuring the router an SFTP client ························································································································330

Specifying a source IP address or interface for the SFTP client······································································330

Establishing a connection to the SFTP server····································································································331

Working with SFTP directories···························································································································331

Working with SFTP files······································································································································332

Displaying help information ·······························································································································333

Terminating the remote SFTP server connection·······························································································333

SFTP client configuration example ·····························································································································333

SFTP server configuration example ····························································································································337

Configuring SSL······················································································································································· 340

SSL security mechanism ······································································································································340

SSL protocol stack ···············································································································································341

Configuring SSL server policy·····································································································································341

Configuring an SSL client policy ································································································································343

Displaying and maintaining SSL ································································································································343

Troubleshooting SSL·····················································································································································344

SSL handshake failure·········································································································································344

Configuring a firewall············································································································································· 345

Packet filtering firewall········································································································································345

ASPF ·····································································································································································346

Configuring a packet filtering firewall·······················································································································348

Configuration task list ·········································································································································348

Enabling the firewall function·····························································································································348

Configuring the firewall default filtering action ·······························································································349

Configuring packet filtering on an interface ····································································································349

Displaying and maintaining a packet filtering firewall ···················································································350

Packet filtering firewall configuration example································································································351

Configuring an ASPF ···················································································································································352

Configuration task list ·········································································································································352

Configuring an ASPF policy·······························································································································353

Applying an ASPF policy to an interface··········································································································353

Configuring port mapping ·································································································································353

Displaying and maintaining ASPF·····················································································································354

ASPF configuration example······························································································································354

Configuring ALG····················································································································································· 356

Enabling ALG ·······························································································································································358

ALG configuration examples ······································································································································358

FTP ALG configuration example ························································································································358

SIP/H.323 ALG configuration example ···········································································································359

NBT ALG configuration example·······················································································································360

Configuring session management·························································································································· 361

Session management principle··························································································································361

Setting protocol state-based session aging times·····························································································362

Configuring application layer protocol type-based session aging times ······················································363

Configuring session early aging························································································································363

Setting the maximum number of sessions allowed to be established ····························································364

Enabling checksum verification··························································································································364

Specifying the persistent session rule ················································································································365

Clearing sessions manually································································································································365

Configuring session logging ·······································································································································365

Enabling session logging····································································································································365

Setting session logging thresholds·····················································································································366

Configuring session log export··························································································································366

Displaying and maintaining session management···································································································368

Configuring connection limit ·································································································································· 370

Creating a connection limit policy ·····························································································································370

Configuring the connection limit policy·····················································································································370

Configuring an IP address-based connection limit rule···················································································370

Applying the connection limit policy··························································································································371

Displaying and maintaining connection limiting ······································································································371

Connection limit configuration example····················································································································371

Troubleshooting connection limiting···························································································································373

Connection limit rules with overlapping segments···························································································373

Connection limit rules with overlapping protocol types ··················································································373

Configuring web filtering ······································································································································· 374

URL address filtering ···········································································································································374

IP address-supported URL address filtering·······································································································374

URL parameter filtering ·······································································································································375

Java blocking·······················································································································································375

ActiveX blocking··················································································································································376

Configuring URL address filtering······················································································································376

Configuring IP address-supported URL address filtering ·················································································377

Configuring URL parameter filtering··················································································································377

Configuring Java blocking ·································································································································378

Configuring ActiveX blocking ····························································································································378

Displaying and maintaining web filtering ·················································································································379

Web filtering configuration examples ·······················································································································379

URL address filtering configuration example····································································································379

URL parameter filtering configuration example································································································381

Java blocking configuration example ···············································································································382

Troubleshooting web filtering ·····································································································································383

Failure to add filtering entry or suffix keyword due to upper limit·································································383

Invalid characters are present in the configured parameter···········································································383

Invalid use of wildcard ·······································································································································384

Invalid blocking suffix ·········································································································································385

ACL configuration failed·····································································································································385

Unable to access the HTTP server by IP address ·····························································································385

Configuring attack detection and protection ········································································································ 386

Types of network attacks the device can defend against ···············································································386

Blacklist function ··················································································································································388

Traffic statistics function ······································································································································388

TCP proxy·····························································································································································389

Configuring attack protection functions for an interface ·························································································392

Creating an attack protection policy·················································································································392

Configuring an attack protection policy ···········································································································392

Applying an attack protection policy to an interface······················································································396

Configuring TCP proxy················································································································································396

Configuring the blacklist function·······························································································································396

Enabling traffic statistics on an interface···················································································································397

Displaying and maintaining attack detection and protection ·················································································398

Attack detection and protection configuration examples ························································································399

Configuring attack protection functions on interfaces ·····················································································399

Configuring the blacklist function ······················································································································400

Configuring traffic statistics ································································································································401

Configuring TCP proxy ·······································································································································403

Configuring TCP and ICMP attack protection······································································································· 405

Enabling the SYN cookie feature ·······························································································································405

Enabling Naptha attack protection····························································································································406

Displaying and maintaining TCP and ICMP attack protection················································································406

Configuring IP source guard ·································································································································· 407

Binding entry types··············································································································································407

Configuring IPv4 source guard binding ····················································································································408

Configuring a static IPv4 source guard binding entry ····················································································408

Configuring the dynamic IPv4 source guard binding function·······································································409

Displaying and maintaining IP source guard············································································································409

IP source guard configuration examples ···················································································································410

Static IPv4 source guard binding entry configuration example ·····································································410

Dynamic IPv4 source guard binding by DHCP snooping configuration example ·······································411

Dynamic IPv4 source guard binding by DHCP relay configuration example ··············································413

Troubleshooting IP source guard ································································································································414

Binding entries and function cannot be configured·························································································414

Configuring ARP attack protection························································································································· 415

Configuring ARP defense against IP packet attacks·································································································416

Configuring ARP source suppression ················································································································416

Enabling ARP black hole routing ·······················································································································416

Displaying and maintaining ARP defense against IP packet attacks·····························································416

ARP defense against IP packet attack configuration example········································································417

Configuring ARP packet rate limit ······························································································································418

Configuring ARP packet source MAC address consistency check ·········································································418

Configuring ARP active acknowledgement ···············································································································419

Configuring authorized ARP ·······································································································································419

xii

Authorized ARP on DHCP server configuration example ···············································································420

Authorized ARP on DHCP relay agent configuration example ······································································421

Configuring ARP detection··········································································································································423

Configuring ARP detection based on specified objects ··················································································423

Enabling ARP detection based on static IP source guard binding entries/DHCP snooping

entries/802.1x security entries/OUI MAC addresses····················································································424

Configuring ARP restricted forwarding ·············································································································425

Displaying and maintaining ARP detection ······································································································426

ARP detection with DHCP snooping configuration example ··········································································426

ARP detection with 802.1X support configuration example ··········································································428

ARP restricted forwarding configuration example···························································································429

Configuring ARP automatic scanning and fixed ARP ······························································································431

Configuring ARP gateway protection ························································································································432

ARP gateway protection configuration example······························································································432

Configuring ARP filtering·············································································································································433

ARP filtering configuration example··················································································································434

Configuring ND attack defense ····························································································································· 435

Enabling source MAC consistency check for ND packets·······················································································436

Configuring URPF···················································································································································· 437

How URPF works ·················································································································································437

Configuration procedure·············································································································································438

URPF configuration examples ·····································································································································438

Configuring FIPS ····················································································································································· 440

Configuration procedure·············································································································································440

Prerequisites ·························································································································································440

Enabling FIPS mode ············································································································································440

Settings changed by enabling FIPS mode ········································································································440

Self-tests·········································································································································································441

Power-up self-tests················································································································································441

Conditional self-tests············································································································································442

Triggered self-test·················································································································································442

Displaying and maintaining FIPS ·······························································································································442

Support and other resources ·································································································································· 443

Contacting HP ······························································································································································443

Subscription service ············································································································································443

Related information······················································································································································443

Documents····························································································································································443

Websites ······························································································································································443

Conventions ··································································································································································444

Index ········································································································································································ 446

Configuring AAA

AAA provides a uniform framework for implementing network access management. It provides the

following security functions:

•Authentication—Identifies users and determines whether a user is valid.

•Authorization—Grants different users different rights and controls their access to resources and

services. For example, a user who has successfully logged in to the router can be granted read and

print permissions to the files on the router.

•Accounting—Records all network service usage information of users, including the service type,

start time, and traffic. The accounting function not only provides the information required for

charging but also allows for network security surveillance.

AAA usually uses a client/server model. The client runs on the NAS, and the server maintains user

information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers,

as shown in Figure 1.

Figure 1 Network diagram for AAA

When a user tries to log in to the NAS, use network resources, or access other networks, the NAS

authenticates the user. The NAS can transparently pass the user's authentication, authorization, and

accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and a

remote server exchange user information between them.

In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. Choose different

servers for different security functions. For example, use the HWTACACS server for authentication and

authorization, and use the RADIUS server for accounting.

Use AAA to provide only one or two security functions, if desired. For example, if your company only

wants employees to be authenticated before they access specific resources, you only have to configure

an authentication server. If network usage information is expected to be recorded, you also have to

configure an accounting server.

AAA can be implemented through multiple protocols. The router supports using RADIUS and

HWTACACS. RADIUS is often used in practice.

RADIUS

RADIUS is a distributed information interaction protocol that uses a client/server model. It can protect

networks against unauthorized access and is often used in network environments where both high

security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port

1813 for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods,

RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.

RADIUS provides access authentication and authorization services, and its accounting function collects

and records network resource usage information.

Client/server model

The RADIUS client runs on the NASes located throughout the network. It passes user information to

designated RADIUS servers and acts on the responses (for example, it rejects or accepts user access

requests).

The RADIUS server runs on the computer or workstation at the network center and maintains information

related to user authentication and network service access. It listens to connection requests, authenticates

users, and returns user access control information to the clients (for example, by rejecting or accepting

the user access request).

In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary, as

shown in Figure 2.

Figure 2 RADIUS server components

•Users—Stores user information such as the usernames, passwords, applied protocols, and IP

addresses.

•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•Dictionary—Stores RADIUS protocol attributes and their values.

Security and authentication mechanisms

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared

key, which is never transmitted over the network. This enhances information exchange security. In

addition, to prevent user passwords from being intercepted on insecure networks, RADIUS encrypts

passwords before transmitting them.

A RADIUS server supports multiple user authentication methods, such as PAP and CHAP of PPP.

Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy

services.

RADIUS basic message exchange process

Figure 3 illustrates the interaction between the host, the RADIUS client, and the RADIUS server.

Figure 3 RADIUS basic message exchange process

RADIUS client RADIUS server

1) Username and password

3) Access-Accept/Reject

2) Access-Request

4) Accounting-Request (start)

5) Accounting-Response

7) Accounting-Request (stop)

8) Accounting-Response

9) Notification of access termination

Host

6) The host accesses the resources

RADIUS operates as follows:

1. The host initiates a connection request that carries the user's username and password to the

RADIUS client.

2. Having received the username and password, the RADIUS client sends an authentication request

(Access-Request) to the RADIUS server, with the user password encrypted by using the MD5

algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, the

server sends back an Access-Accept message containing the user's authorization information. If the

authentication fails, the server returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If the

RADIUS client permits the user, it sends a start-accounting request (Accounting-Request) to the

RADIUS server.

5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection, and the RADIUS client sends a

stop-accounting request (Accounting-Request) to the RADIUS server.

8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting

for the user.

9. The user stops access to network resources.

RADIUS packet format

RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS

server and the client through a series of mechanisms, including the timer management mechanism, the

retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet

format.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

1. The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible

values and their meanings.

Table 1 Main values of the Code field

Code Packet t

e Descri

tion

1 Access-Request

From the client to the server. A packet of this type carries user

information for the server to authenticate the user. It must

contain the User-Name attribute and can optionally contain the

attributes of NAS-IP-Address, User-Password, and NAS-Port.

2 Access-Accept

From the server to the client. If all the attribute values carried in

the Access-Request are acceptable, the authentication

succeeds, and the server sends an Access-Accept response.

3 Access-Reject

From the server to the client. If any attribute value carried in

the Access-Request is unacceptable, the authentication fails,

and the server sends an Access-Reject response.

4 Accounting-Request

From the client to the server. A packet of this type carries user

information for the server to start or stop accounting for the

user. The Acct-Status-Type attribute in the packet indicates

whether to start or stop accounting.

5 Accounting-Response

From the server to the client. The server sends a packet of this

type to notify the client that it has received the Accounting-

Request and has correctly recorded the accounting

information.

2. The Identifier field (1 byte long) is used to match request packets and response packets and to

detect duplicate request packets. Request and response packets of the same type have the same

identifier.

3. The Length field (2 byte long) indicates the length of the entire packet, including the Code,

Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered

padding and are neglected upon reception. If the length of a received packet is less than this

length, the packet is dropped. The value of this field ranges from 20 to 4096.

4. The Authenticator field (16 byte long) is used to authenticate replies from the RADIUS server and to

encrypt user passwords. There are two types of authenticators: request authenticator and response

authenticator.

5. The Attributes field, variable in length, carries the specific authentication, authorization, and

accounting information that defines the configuration details of the request or response. This field

may contain multiple attributes, each with three sub-fields: Type, Length, and Value.

{Type (1 byte long): Indicates the type of the attribute. It ranges from 1 to 255. Commonly used

attributes for RADIUS authentication, authorization, and accounting are listed in Table 2.

{Length (1 byte long): Indicates the length of the attribute in bytes, including the Type, Length,

and Value fields.

{Value (up to 253 bytes): Value of the attribute. Its format and content depend on the Type and

Length fields.

Table 2 RADIUS attributes

No. Attribute No. Attribute

1 User-Name 45 Acct-Authentic

2 User-Password 46 Acct-Session-Time

3 CHAP-Password 47 Acct-Input-Packets

4 NAS-IP-Address 48 Acct-Output-Packets

5 NAS-Port 49 Acct-Terminate-Cause

6 Service-Type 50 Acct-Multi-Session-Id

7 Framed-Protocol 51 Acct-Link-Count

8 Framed-IP-Address 52 Acct-Input-Gigawords

9 Framed-IP-Netmask 53 Acct-Output-Gigawords

10 Framed-Routing 54 (unassigned)

11 Filter-ID 55 Event-Timestamp

12 Framed-MTU 56-59 (unassigned)

13 Framed-Compression 60 CHAP-Challenge

14 Login-IP-Host 61 NAS-Port-Type

15 Login-Service 62 Port-Limit

16 Login-TCP-Port 63 Login-LAT-Port

17 (unassigned) 64 Tunnel-Type

18 Reply-Message 65 Tunnel-Medium-Type

19 Callback-Number 66 Tunnel-Client-Endpoint

20 Callback-ID 67 Tunnel-Server-Endpoint

21 (unassigned) 68 Acct-Tunnel-Connection

22 Framed-Route 69 Tunnel-Password

23 Framed-IPX-Network 70 ARAP-Password

No. Attribute No. Attribute

24 State 71 ARAP-Features

25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security

27 Session-Timeout 74 ARAP-Security-Data

28 Idle-Timeout 75 Password-Retry

29 Termination-Action 76 Prompt

30 Called-Station-Id 77 Connect-Info

31 Calling-Station-Id 78 Configuration-Token

32 NAS-Identifier 79 EAP-Message

33 Proxy-State 80 Message-Authenticator

34 Login-LAT-Service 81 Tunnel-Private-Group-id

35 Login-LAT-Node 82 Tunnel-Assignment-id

36 Login-LAT-Group 83 Tunnel-Preference

37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response

38 Framed-AppleTalk-Network 85 Acct-Interim-Interval

39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost

40 Acct-Status-Type 87 NAS-Port-Id

41 Acct-Delay-Time 88 Framed-Pool

42 Acct-Input-Octets 89 (unassigned)

43 Acct-Output-Octets 90 Tunnel-Client-Auth-id

44 Acct-Session-Id 91 Tunnel-Server-Auth-id

NOTE:

•The attribute types listed in Table 2 are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.

•For more information about commonly used standard RADIUS attributes, see "Commonly used

standard RADIUS attributes."

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined

by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard

RADIUS protocol does not provide.

A vendor can encapsulate multiple sub-attributes in the TLV format in RADIUS packets for extension of

applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists of the following

parts:

•Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes

contains a code that is compliant with RFC 1700. The vendor ID of HP is 25506. For more

information about HP proprietary RADIUS sub-attributes, see "Proprietary RADIUS sub-attributes of

HP."

•Vendor-Type—Indicates the type of the sub-attribute.

•Vendor-Length—Indicates the length of the sub-attribute.

•Vendor-Data—Indicates the contents of the sub-attribute.

Figure 5 Segment of a RADIUS packet containing an extended attribute

HWTACACS

HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it

uses a client/server model for information exchange between the NAS and the HWTACACS server.

HWTACACS mainly provides AAA services for PPP users, VPDN users, and terminal users. In a typical

HWTACACS application, some terminal users have to log in to the NAS for operations. Working as the

HWTACACS client, the NAS sends the username and password of a user to the HWTACACS sever for

authentication. After passing authentication and being authorized, the user logs in to the router and

performs operations, and the HWTACACS server records the operations that the user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They

have many features in common, like using a client/server model, using shared keys for user information

security, and providing flexibility and extensibility. HWTACACS and RADIUS do have differences, as

listed in Table 3.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, providing more reliable network

transmission. Uses UDP, providing higher transport efficiency.

Encrypts the entire packet except for the

HWTACACS header.

Encrypts only the user password field in an

authentication packet.

Protocol packets are complicated, and authorization

is independent of authentication. Authentication and

authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple, and the authorization

process is combined with the authentication process.

Supports authorization of configuration commands.

The commands that a user can use depend on both

the user level and AAA authorization. A user can

only use commands that are at, or lower than, the

user level and are authorized by the HWTACACS

server.

Does not support authorization of configuration

commands. The commands that a user can use

depend on the level of the user. A user can use all

the commands at, or lower than, the user level.

HWTACACS basic message exchange process

The following takes a Telnet user as an example to describe how HWTACACS performs user

authentication, authorization, and accounting.

Figure 6 HWTACACS basic message exchange process for a Telnet user

Host HWTACACS client HWTACACS server

1) The user logs in

2) Start-authentication packet

3) Authentication response requesting the username

4) Request for username

5) The user inputs the username

6) Authentication continuance packet with the

username

7) Authentication response requesting the login

password

8) Request for password

9) The user inputs the password

11) Authentication response indicating successful

authentication

12) User authorization request packet

13) Authorization response indicating successful

authorization

14) The user logs in successfully

15) Start-accounting request

16) Accounting response indicating the start of

accounting

17) The user logs off

18) Stop-accounting request

19) Stop-accounting response

10) Authentication continuance packet with the

The process is as follows:

1. A Telnet user sends an access request to the HWTACACS client.

2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the

HWTACACS server.

3. The HWTACACS server sends back an authentication response to request the username.

4. Upon receiving the response, the HWTACACS client asks the user for the username.

5. The user enters the username.

Other manuals for Pavilion a6600

Table of contents

Other HP Network Router manuals

Popular Network Router manuals by other brands

Cisco

Cisco 826 quick start guide

D-Link

D-Link DWM-312W Quick installation guide

Cisco

Cisco SGE2000 Administration guide

PacketFront

PacketFront CPS 200 installation guide

Mitsubishi Electric

Mitsubishi Electric AT-50A installation guide

NETGEAR

NETGEAR DG834GVv2 - ADSL2+ Modem And Wireless Router Reference manual

Siemens

Siemens RUGGEDCOM RX1100P installation guide

Intellinet

Intellinet 560405 user manual

NETGEAR

NETGEAR Nighthawk AX6 user manual

Seriallink

Seriallink SLK-R602 Series manual

H3C

H3C WA6126 manual

NETGEAR

NETGEAR RT311 Release notes

Linksys

Linksys E900 user guide

Draytek

Draytek Vigor2910 Series user guide

Centro

Centro PoE-2010-8E quick start guide

D-Link

D-Link DSL-2641B - Wireless G Router user manual

PHICOMM

PHICOMM FD-221 user manual

D-Link

D-Link DIR-516 user manual

HP Pavilion a6600 User manual

Popular Network Router manuals by other brands