HP VSR1000 User manual
HP VSR1000 Virtual Services Router
Security
Configuration Guide
Part number: 5998-6033
Software version: VSR1000_HP-CMW710-R0202-X64
Document version: 6W100-20140418
Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
i
Contents
Configuring AAA ························································································································································· 1
Overview············································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································7
LDAP ··········································································································································································9
AAA implementation on the device····················································································································· 11
AAA for MPLS L3VPNs ········································································································································· 13
Protocols and standards ······································································································································· 14
RADIUS attributes ·················································································································································· 14
FIPS compliance ····························································································································································· 17
AAA configuration considerations and task list·········································································································· 17
Configuring AAA schemes············································································································································ 18
Configuring local users········································································································································· 18
Configuring RADIUS schemes······························································································································ 23
Configuring HWTACACS schemes····················································································································· 33
Configuring LDAP schemes ·································································································································· 40
Configuring AAA methods for ISP domains················································································································ 43
Configuration prerequisites ·································································································································· 43
Creating an ISP domain ······································································································································· 43
Configuring ISP domain attributes······················································································································· 44
Configuring authentication methods for an ISP domain ··················································································· 45
Configuring authorization methods for an ISP domain····················································································· 46
Configuring accounting methods for an ISP domain························································································· 47
Enabling the session-control feature ····························································································································· 49
Configuring the RADIUS DAE server function ············································································································· 49
Changing the DSCP priority for RADIUS packets······································································································· 50
Setting the maximum number of concurrent login users ···························································································· 50
Displaying and maintaining AAA ································································································································ 50
AAA configuration examples········································································································································ 51
Authentication and authorization for SSH users by a RADIUS server ····························································· 51
Local authentication and authorization for SSH users······················································································· 54
AAA for SSH users by an HWTACACS server·································································································· 55
Authentication for SSH users by an LDAP server ······························································································· 57
Troubleshooting RADIUS ··············································································································································· 60
RADIUS authentication failure······························································································································ 60
RADIUS packet delivery failure···························································································································· 61
RADIUS accounting error ····································································································································· 61
Troubleshooting HWTACACS ······································································································································ 62
Troubleshooting LDAP···················································································································································· 62
Configuring portal authentication·····························································································································64
Overview········································································································································································· 64
Extended portal functions ····································································································································· 64
Portal system components····································································································································· 64
Interaction between portal system components·································································································· 66
Portal authentication modes ································································································································· 66
Portal authentication process ······························································································································· 67
Portal configuration task list ·········································································································································· 69
Configuration prerequisites··········································································································································· 69
ii
Configuring a portal authentication server·················································································································· 70
Configuring a portal Web server································································································································· 71
Enabling portal authentication on an interface··········································································································· 71
Configuration restrictions and guidelines ··········································································································· 71
Configuration procedure ······································································································································ 72
Referencing a portal Web server for an interface······································································································ 72
Controlling portal user access ······································································································································ 73
Configuring a portal-free rule······························································································································· 73
Configuring an authentication source subnet····································································································· 73
Configuring an authentication destination subnet ····························································································· 74
Setting the maximum number of portal users ····································································································· 75
Specifying a portal authentication domain ········································································································ 75
Configuring portal detection functions························································································································· 76
Configuring online detection of portal users ······································································································ 76
Configuring portal authentication server detection···························································································· 77
Configuring portal Web server detection··········································································································· 78
Configuring portal user synchronization············································································································· 79
Configuring the portal fail-permit function··················································································································· 80
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server···································· 80
Logging out portal users················································································································································ 81
Displaying and maintaining portal ······························································································································ 81
Portal configuration examples ······································································································································ 82
Configuring direct portal authentication············································································································· 82
Configuring re-DHCP portal authentication········································································································ 87
Configuring cross-subnet portal authentication ·································································································· 90
Configuring extended direct portal authentication···························································································· 93
Configuring extended re-DHCP portal authentication······················································································· 97
Configuring extended cross-subnet portal authentication ···············································································100
Configuring portal server detection and portal user synchronization ···························································104
Troubleshooting portal·················································································································································109
No portal authentication page is pushed for users ·························································································109
Cannot log out portal users on the access device ···························································································109
Cannot log out portal users on the RADIUS server··························································································110
Users logged out by the access device still exist on the portal authentication server··································110
Re-DHCP portal authenticated users cannot log in successfully······································································110
Configuring password control································································································································ 112
Overview·······································································································································································112
Password setting··················································································································································112
Password updating and expiration ···················································································································113
User login control ················································································································································114
Password not displayed in any form·················································································································114
Logging·································································································································································114
FIPS compliance ···························································································································································115
Password control configuration task list·····················································································································115
Enabling password control ·········································································································································115
Setting global password control parameters ············································································································116
Setting user group password control parameters·····································································································117
Setting local user password control parameters·······································································································118
Setting super password control parameters ··············································································································119
Displaying and maintaining password control ·········································································································119
Password control configuration example ··················································································································120
Network requirements·········································································································································120
Configuration procedure ····································································································································120
Verifying the configuration·································································································································121
iii
Managing public keys············································································································································ 123
Overview·······································································································································································123
FIPS compliance ···························································································································································123
Creating a local key pair ············································································································································123
Configuration guidelines ····································································································································123
Configuration procedure ····································································································································124
Distributing a local host public key ····························································································································125
Exporting a host public key in a specific format to a file················································································125
Displaying a host public key in a specific format and saving it to a file ······················································125
Displaying a host public key······························································································································126
Destroying a local key pair·········································································································································126
Configuring a peer public key····································································································································126
Importing a peer host public key from a public key file··················································································127
Entering a peer public key ·································································································································127
Displaying and maintaining public keys ···················································································································127
Examples of public key management ························································································································128
Example for entering a peer public key············································································································128
Example for importing a public key from a public key file·············································································130
Configuring PKI ······················································································································································· 133
Overview·······································································································································································133
PKI terminology····················································································································································133
PKI architecture····················································································································································134
PKI operation ·······················································································································································134
PKI applications ···················································································································································135
Support for MPLS L3VPN····································································································································135
FIPS compliance ···························································································································································136
PKI configuration task list ············································································································································136
Configuring a PKI entity ··············································································································································136
Configuring a PKI domain···········································································································································137
Requesting a certificate ···············································································································································139
Configuring automatic certificate request·········································································································139
Manually requesting a certificate ······················································································································140
Aborting a certificate request ·····································································································································141
Obtaining certificates ··················································································································································142
Configuration prerequisites ································································································································142
Configuration guidelines ····································································································································142
Configuration procedure ····································································································································142
Verifying PKI certificates··············································································································································143
Verifying certificates with CRL checking ···········································································································143
Verifying certificates without CRL checking ······································································································144
Specifying the storage path for the certificates and CRLs ·······················································································144
Exporting certificates ···················································································································································145
Removing a certificate ·················································································································································145
Configuring a certificate access control policy·········································································································146
Displaying and maintaining PKI ·································································································································147
PKI configuration examples·········································································································································147
Certificate request from an RSA Keon CA server ····························································································148
Certificate request from a Windows 2003 CA server ····················································································150
Certificate request from an OpenCA server·····································································································153
IKE negotiation with RSA digital signature from a Windows 2003 CA server············································157
Certificate import and export configuration example ·····················································································159
Troubleshooting PKI configuration······························································································································164
Failed to obtain the CA certificate·····················································································································165
Failed to obtain local certificates·······················································································································165
iv
Failed to request local certificates ·····················································································································166
Failed to obtain CRLs ··········································································································································167
Failed to import the CA certificate·····················································································································167
Failed to import a local certificate·····················································································································168
Failed to export certificates ································································································································168
Failed to set the storage path·····························································································································169
Configuring IPsec ···················································································································································· 170
Overview·······································································································································································170
Security protocols and encapsulation modes···································································································170
Security association·············································································································································172
Authentication and encryption···························································································································172
IPsec implementation···········································································································································173
IPsec RRI································································································································································174
Protocols and standards ·····································································································································175
FIPS compliance ···························································································································································175
IPsec tunnel establishment ···········································································································································176
Implementing ACL-based IPsec ···································································································································176
Configuring an ACL ············································································································································177
Configuring an IPsec transform set····················································································································179
Configuring a manual IPsec policy····················································································································181
Configuring an IKE-based IPsec policy ·············································································································183
Applying an IPsec policy to an interface ··········································································································187
Enabling ACL checking for de-encapsulated packets······················································································187
Configuring the IPsec anti-replay function ········································································································188
Binding a source interface to an IPsec policy ··································································································188
Enabling QoS pre-classify ··································································································································189
Enabling logging of IPsec packets·····················································································································190
Configuring the DF bit of IPsec packets ············································································································190
Configuring IPsec RRI··········································································································································191
Configuring IPsec for IPv6 routing protocols·············································································································192
Configuration task list ·········································································································································192
Configuring a manual IPsec profile···················································································································192
Configuring SNMP notifications for IPsec ·················································································································193
Displaying and maintaining IPsec ······························································································································194
IPsec configuration examples······································································································································195
Configuring a manual mode IPsec tunnel for IPv4 packets ············································································195
Configuring an IKE-based IPsec tunnel for IPv4 packets ·················································································198
Configuring an IKE-based IPsec tunnel for IPv6 packets ·················································································201
Configuring IPsec for RIPng································································································································205
Configuring IPsec RRI··········································································································································208
Configuring IKE······················································································································································· 213
Overview·······································································································································································213
IKE negotiation process ······································································································································213
IKE security mechanism·······································································································································214
Protocols and standards ·····································································································································215
FIPS compliance ···························································································································································215
IKE configuration prerequisites ···································································································································215
IKE configuration task list ············································································································································215
Configuring an IKE profile ··········································································································································216
Configuring an IKE proposal ······································································································································218
Configuring an IKE keychain······································································································································219
Configuring the global identity information ··············································································································220
Configuring the IKE keepalive function······················································································································221
v
Configuring the IKE NAT keepalive function ············································································································221
Configuring IKE DPD····················································································································································222
Enabling invalid SPI recovery ·····································································································································223
Setting the maximum number of IKE SAs···················································································································223
Configuring SNMP notifications for IKE ····················································································································223
Displaying and maintaining IKE·································································································································224
IKE configuration examples ········································································································································224
Main mode IKE with pre-shared key authentication configuration example ················································224
Aggressive mode with RSA signature authentication configuration example ··············································229
Aggressive mode with NAT traversal configuration example········································································236
Troubleshooting IKE ·····················································································································································240
IKE negotiation failed because no matching IKE proposals were found·······················································240
IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly·····················240
IPsec SA negotiation failed because no matching IPsec transform sets were found····································241
IPsec SA negotiation failed due to invalid identity information······································································242
Configuring SSH ····················································································································································· 245
Overview·······································································································································································245
How SSH works···················································································································································245
SSH authentication methods·······························································································································246
FIPS compliance ···························································································································································247
Configuring the device as an SSH server··················································································································247
SSH server configuration task list ······················································································································247
Generating local DSA or RSA key pairs···········································································································248
Enabling the SSH server function·······················································································································249
Enabling the SFTP server function······················································································································249
Configuring the user lines for SSH clients·········································································································249
Configuring a client's host public key···············································································································250
Configuring an SSH user····································································································································251
Setting the SSH management parameters ········································································································252
Configuring the device as an Stelnet client···············································································································253
Stelnet client configuration task list····················································································································253
Specifying a source IP address for SSH packets ·····························································································254
Establishing a connection to an Stelnet server ·································································································254
Configuring the device as an SFTP client ··················································································································256
SFTP client configuration task list·······················································································································256
Specifying a source IP address for SFTP packets·····························································································256
Establishing a connection to an SFTP server ····································································································256
Working with SFTP directories···························································································································258
Working with SFTP files······································································································································258
Displaying help information ·······························································································································258
Terminating the connection with the SFTP server ·····························································································259
Configuring the device as an SCP client ···················································································································259
Displaying and maintaining SSH ·······························································································································261
Stelnet configuration examples···································································································································261
Password authentication enabled Stelnet server configuration example ······················································261
Publickey authentication enabled Stelnet server configuration example·······················································263
Password authentication enabled Stelnet client configuration example························································269
Publickey authentication enabled Stelnet client configuration example························································272
SFTP configuration examples ······································································································································274
Password authentication enabled SFTP server configuration example··························································274
Publickey authentication enabled SFTP client configuration example ···························································276
SCP file transfer with password authentication·········································································································279
vi
Configuring SSL······················································································································································· 282
Overview·······································································································································································282
SSL security mechanism ······································································································································282
SSL protocol stack ···············································································································································282
FIPS compliance ···························································································································································283
SSL configuration task list············································································································································283
Configuring an SSL server policy ·······························································································································283
Configuring an SSL client policy ································································································································285
Displaying and maintaining SSL·································································································································286
Configuring ASPF···················································································································································· 287
Overview·······································································································································································287
ASPF basic concepts ···········································································································································287
ASPF inspections··················································································································································288
ASPF configuration task list·········································································································································290
Configuring an ASPF policy········································································································································290
Applying an ASPF policy to an interface ··················································································································290
Displaying and maintaining ASPF······························································································································291
ASPF configuration examples ·····································································································································291
ASPF FTP application inspection configuration example ················································································291
ASPF TCP application inspection configuration example ···············································································293
ASPF H.323 application inspection configuration example ··········································································294
Configuring APR······················································································································································ 296
Overview·······································································································································································296
PBAR ·····································································································································································296
Group-based application recognition ···············································································································296
Configuring PBAR ························································································································································297
Configuring application groups ·································································································································297
Enabling application statistics on an interface ·········································································································298
Displaying and maintaining APR································································································································299
APR configuration example·········································································································································299
Network requirements·········································································································································299
Configuration procedure ····································································································································299
Verifying the configuration·································································································································300
Managing sessions ················································································································································· 301
Overview·······································································································································································301
Session management operation·························································································································301
Session management functions ··························································································································301
Session management task list ·····································································································································302
Setting the session aging time for different protocol states ·····················································································302
Setting the session aging time for different application layer protocols ································································303
Specifying persistent sessions ·····································································································································304
Configuring session logging ·······································································································································304
Displaying and maintaining session management···································································································305
Configuring connection limits································································································································· 307
Connection limit configuration task list ······················································································································307
Creating a connection limit policy ·····························································································································307
Configuring the connection limit policy ·····················································································································308
Applying the connection limit policy··························································································································308
Displaying and maintaining connection limits ··········································································································309
Connection limit configuration example····················································································································310
Troubleshooting connection limits ACLs in the connection limit rules with overlapping segments······················312
vii
Configuring ARP attack protection························································································································· 313
ARP attack protection configuration task list ·············································································································313
Configuring ARP source suppression ·························································································································313
Displaying and maintaining ARP source suppression ·····················································································314
Configuration example ·······································································································································314
Configuring source MAC-based ARP attack detection ····························································································315
Configuration procedure ····································································································································315
Displaying and maintaining source MAC-based ARP attack detection·························································316
Configuration example ·······································································································································316
Configuring ARP packet source MAC consistency check························································································317
Configuring ARP active acknowledgement ···············································································································317
Configuring authorized ARP ·······································································································································318
Configuration procedure ····································································································································318
Configuration example (on a DHCP server)·····································································································318
Configuration example (on a DHCP relay agent)····························································································319
Configuring ARP automatic scanning and fixed ARP·······························································································321
Configuration guidelines ····································································································································321
Configuration procedure ····································································································································321
Configuring uRPF····················································································································································· 322
Overview·······································································································································································322
uRPF check modes ···············································································································································322
Features ································································································································································322
uRPF operation·····················································································································································323
Network application ···········································································································································326
Configuring uRPF··························································································································································326
Displaying and maintaining uRPF ······························································································································327
uRPF configuration example········································································································································327
Configuring IPv6 uRPF ············································································································································ 329
Overview·······································································································································································329
IPv6 uRPF check modes·······································································································································329
Features ································································································································································329
IPv6 uRPF operation ············································································································································330
Network application ···········································································································································332
Configuring IPv6 uRPF ·················································································································································333
Displaying and maintaining IPv6 uRPF······················································································································333
IPv6 uRPF configuration example ·······························································································································334
Configuring crypto engines···································································································································· 335
Overview·······································································································································································335
Displaying and maintaining crypto engines ·············································································································335
Configuring FIPS······················································································································································ 336
Overview·······································································································································································336
Configuration restrictions and guidelines··················································································································336
Configuring FIPS mode················································································································································337
Entering FIPS mode ·············································································································································337
Configuration changes in FIPS mode ················································································································338
Exiting FIPS mode················································································································································338
FIPS self-tests ·································································································································································339
Power-up self-tests················································································································································340
Conditional self-tests············································································································································340
Triggering self-tests ··············································································································································340
Displaying and maintaining FIPS ·······························································································································341
FIPS configuration examples·······································································································································341
viii
Entering FIPS mode through automatic reboot·································································································341
Entering FIPS mode through manual reboot·····································································································342
Exiting FIPS mode through automatic reboot ···································································································343
Exiting FIPS mode through manual reboot ·······································································································344
Support and other resources ·································································································································· 346
Contacting HP ······························································································································································346
Subscription service ············································································································································346
Related information······················································································································································346
Documents····························································································································································346
Websites·······························································································································································346
Conventions ··································································································································································347
Index ········································································································································································ 349
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights, and controls the user's access to resources
and services. For example, you can permit office users to read and print files and prevent guests
from accessing files on the device.
•Accounting—Records network usage details of users, including the service type, start time, and
traffic. This function enables time-based and traffic-based charging and user behavior auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server (NAS),
which authenticates user identities and controls user access. The server maintains user information
centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The
NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny
the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often
used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company wants
employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an accounting
server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. The protocol can protect networks against unauthorized access and is often
used in network environments that require both high security and remote user access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for
authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support additional
access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy
services.
The RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server databases
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys, which
are pre-configured on the client and server. A RADIUS packet has a 16-byte field called Authenticator.
This field includes a signature generated by using the MD5 algorithm, the shared key, and some other
information. The receiver of the packet verifies the signature and accepts the packet only when the
signature is correct. This mechanism ensures the security of information exchanged between the RADIUS
client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
3
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The
request includes the user's password, which has been processed by the MD5 algorithm and
shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept packet that contains the user's authorization information. If
the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) packet to
the RADIUS server.
5. The RADIUS server returns an acknowledgement (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS
server.
4
9. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for
the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth
packet exchange between the RADIUS server and the client. These mechanisms include the timer
mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values
and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and the
server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the server
sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or stop
accounting.
5 Accounting-Respons
e
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to detect
duplicate request packets. The request and response packets of the same exchange process for the
same purpose (such as authentication or accounting) have the same identifier.
5
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code,
Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered
padding and are ignored by the receiver. If the length of a received packet is less than this length,
the packet is dropped.
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and
to encrypt user passwords. There are two types of authenticators: request authenticator and
response authenticator.
•The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with three sub-fields:
{Type—Type of the attribute.
{Length—Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
{Value—Value of the attribute. Its format and content depend on the Type sub-field.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. Attribute No.
Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
6
No. Attribute No.
Attribute
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a
vendor to define extended attributes. The extended attributes implement functions that the standard
RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a sub-attribute encapsulated in attribute 26 consists of the following
parts:
•Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a code
compliant to RFC 1700. The vendor ID of HP is 25506.
•Vendor-Type—Type of the sub-attribute.
•Vendor-Length—Length of the sub-attribute.
•Vendor-Data—Contents of the sub-attribute.
For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS
sub-attributes."
7
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for
information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the
NAS sends users' usernames and passwords to the HWTACACS sever for authentication. After passing
authentication and obtaining authorized rights, a user logs in to the device and performs operations. The
HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model, using
shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the primary
differences between HWTACACS and RADIUS.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, which provides reliable network
transmission. Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the HWTACACS
header.
Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization is
independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication process.
Supports authorization of configuration commands.
Access to commands depends on both the user's roles
and authorization. A user can use only commands that
are permitted by the user roles and authorized by the
HWTACACS server.
Does not support authorization of configuration
commands. Access to commands solely depends on
the user's roles. For more information about user roles,
see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a
Telnet user.
8
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
HWTACACS operates using the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it
receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a
continue-authentication packet that includes the username.
7. The HWTACACS server sends back an authentication response to request the login password.
8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.
Host HWTACACS client HWTACACS server
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
9) The user enters the password
11) Response indicating successful authentication
12) User authorization request packet
13) Response indicating successful authorization
14) The user logs in successfully
15) Start-accounting request
16) Response indicating the start of accounting
17) The user logs off
18) Stop-accounting request
19) Stop-accounting response
10) Continue-authentication packet with the password
9
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to
indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13. If the authorization succeeds, the HWTACACS server sends back an authorization response,
indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and
permits the user to log in.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.
LDAP
The Lightweight Directory Access Protocol (LDAP) provides standard multi-platform directory service.
LDAP was developed on the basis of the X.500 protocol. It improves the following functions of X.500:
•Read/write interactive access
•Browse
•Search
LDAP is suitable for storing data that does not often change. The protocol is used to store user information.
For example, LDAP server software Active Directory Server is used in Microsoft Windows operating
systems. The software stores the user information and user group information for user login authentication
and authorization. The device does not support LDAP authorization in this release.
LDAP directory service
LDAP uses directories to maintain the organization information, personnel information, and resource
information. The directories are organized in a tree structure and include entries. An entry is a set of
attributes with distinguished names (DNs). The attributes are used to store information such as usernames,
passwords, emails, computer names, and phone numbers.
LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly
used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun
ONE Directory Server.
LDAP authentication and authorization
AAA can use LDAP to provide authentication and authorization services for users. LDAP defines a set of
operations to implement its functions. The main operations for authentication and authorization are the
bind operation and search operation:
•The bind operation allows an LDAP client to perform the following tasks:
{Establish a connection with the LDAP server.
10
{Obtain the access rights to the LDAP server.
{Check the validity of user information.
•The search operation constructs search conditions and obtains the directory resource information of
the LDAP server.
In LDAP authentication, the client completes the following tasks:
1. Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created,
the client establishes a connection to the server and obtains the right to search.
2. Constructs search conditions by using the username in the authentication information of a user. The
specified root directory of the server is searched and a user DN list is generated.
3. Binds with the LDAP server by using each user DN and password. If a binding is created, the user
is considered legal.
In LDAP authorization, the client performs the same tasks as in LDAP authentication. When the client
constructs search conditions, it obtains both authorization information and the user DN list.
•If the authorization information meets the authorization requirements, the authorization process
ends.
•If the authorization information does not meet the authorization requirements, the client sends an
administrator bind request to the LDAP server. This operation obtains the right to search for
authorization information about users on the user DN list.
Basic LDAP packet exchange process
The following example illustrates the basic packet exchange process during LDAP authentication and
authorization for a Telnet user.
Figure 7 Basic packet exchange process for LDAP authentication of a Telnet user
The basic packet exchange process is as follows:
1. A Telnet user initiates a connection request and sends the username and password to the LDAP
client.
3) Administrator bind request
4) Bind response
5) User DN search request
6) Search response
7) User DN bind request
8) Bind response
Host LDAP client LDAP server
9) Authorization
10) The user logs in successfully
1) The user logs in by Telnet
2) Establish a TCP connection
Other manuals for VSR1000
5
Table of contents
Other HP Network Router manuals
HP
HP 6400/8400 User manual
HP
HP 6125XLG User manual
HP
HP PS1810-8G User manual
HP
HP StorageWorks MPX200 User manual
HP
HP 5800 User instructions
HP
HP N1200 - StorageWorks Network Storage Router User manual
HP
HP HP 2530 User manual
HP
HP FlexNetwork HSR6800 User manual
HP
HP FlexNetwork MSR 954 User manual
HP
HP 3600 v2 Series User manual
HP
HP StorageWorks MPX200 User manual
HP
HP 5900 User manual
HP
HP StorageWorks M2402 User manual
HP
HP Compaq Presario,Presario 650 User manual
HP
HP A5120 EI Series Installation manual
HP
HP MSR SERIES User manual
HP
HP VSR1000 User manual
HP
HP Officejet Pro 7500 Series Installation manual
HP
HP 5120 SI Series User manual
HP
HP StorageWorks SR2122 User manual
Popular Network Router manuals by other brands
Linksys
Linksys Instant PowerLine PLEBR10 Brochure & specs
Rane
Rane MONGOOSE installation manual
DEC
DEC DECserver 200 Hardware installation
NETGEAR
NETGEAR MR814 - 802.11b Cable/DSL Wireless Router installation guide
Iskratel
Iskratel SI2000 Ganymede 822+ user guide
Billion
Billion BiPAC 8700VAX(L)-1600 user manual
