Hp 5120 ei series User manual

HP A5120 EI Switch Series

Security

Configuration Guide

Abstract

This document describes the software features for the HP A Series products and guides you through the

software configuration procedures. These configuration guides also provide configuration examples to

help you apply software features to different network scenarios.

This documentation is intended for network planners, field technical support and servicing engineers, and

network administrators working with the HP A Series products.

Part number: 5998-1800

Software version: Release 2208

Document version: 5W100-20110530

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or use

of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

iii

Contents

AAA configuration··························································································································································· 1

AAA overview ···································································································································································1

RADIUS······································································································································································2

HWTACACS·····························································································································································7

Domain-based user management ···························································································································9

RADIUS server feature of the device ··················································································································· 10

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 11

AAA configuration considerations and task list·········································································································· 14

Configuring AAA schemes············································································································································ 16

Configuring local users········································································································································· 16

Configuring RADIUS schemes······························································································································ 20

Configuring HWTACACS schemes····················································································································· 30

Configuring AAA methods for ISP domains················································································································ 36

Configuration prerequisites ·································································································································· 36

Creating an ISP domain ······································································································································· 36

Configuring ISP domain attributes······················································································································· 36

Configuring AAA authentication methods for an ISP domain·········································································· 37

Configuring AAA authorization methods for an ISP domain ··········································································· 39

Configuring AAA accounting methods for an ISP domain ··············································································· 40

Tearing down user connections forcibly······················································································································ 42

Configuring a network device as a RADIUS server ··································································································· 42

RADIUS server functions configuration task list·································································································· 42

Configuring a RADIUS user·································································································································· 42

Specifying a RADIUS client ·································································································································· 43

Displaying and maintaining AAA ································································································································ 44

AAA configuration examples········································································································································ 44

AAA for Telnet users by an HWTACACS server ······························································································· 44

AAA for Telnet users by separate servers··········································································································· 45

Authentication/Authorization for SSH/Telnet users by a RADIUS server ······················································· 47

AAA for 802.1X users by a RADIUS server······································································································· 50

Level switching authentication for Telnet users by an HWTACACS server····················································· 56

RADIUS authentication and authorization for Telnet users by a network device ··········································· 59

Troubleshooting AAA ···················································································································································· 61

Troubleshooting RADIUS ······································································································································ 61

Troubleshooting HWTACACS······························································································································ 62

802.1X fundamentals····················································································································································63

802.1X architecture······················································································································································· 63

Controlled/uncontrolled port and pot authorization status ······················································································· 63

802.1X-related protocols ·············································································································································· 64

Packet format ························································································································································· 64

EAP over RADIUS ·················································································································································· 66

Initiating 802.1X authentication··································································································································· 66

802.1X client as the initiator ······························································································································· 66

Access device as the initiator······························································································································· 66

802.1X authentication procedures ······························································································································ 67

A comparison of EAP relay and EAP termination······························································································ 67

EAP relay································································································································································ 68

EAP termination ····················································································································································· 69

802.1X configuration····················································································································································71

HP implementation of 802.1X ······································································································································ 71

Access control methods ········································································································································ 71

Using 802.1X authentication with other features ······························································································ 71

Configuring 802.1X ······················································································································································ 74

802.1X configuration task list······························································································································ 74

Enabling 802.1X··················································································································································· 75

Specifying EAP relay or EAP termination ··········································································································· 75

Setting the port authorization state······················································································································ 76

Specifying an access control method·················································································································· 77

Setting the maximum number of concurrent 802.1X users on a port······························································ 77

Setting the maximum number of authentication request attempts ···································································· 78

Setting the 802.1X authentication timeout timers ······························································································ 78

Configuring the online user handshake function ······························································································· 78

Configuring the authentication trigger function ································································································· 79

Specifying a mandatory authentication domain on a port··············································································· 80

Enabling the quiet timer········································································································································ 81

Enabling the periodic online user re-authentication function············································································ 81

Configuring an 802.1X guest VLAN··················································································································· 82

Configuring an Auth-Fail VLAN ··························································································································· 83

Displaying and maintaining 802.1X ··························································································································· 84

802.1X configuration examples··································································································································· 84

802.1X authentication configuration example ·································································································· 84

802.1X with guest VLAN and VLAN assignment configuration example······················································· 86

802.1X with ACL assignment configuration example······················································································· 89

EAD fast deployment configuration ·····························································································································91

EAD fast deployment overview····································································································································· 91

EAD fast deployment implementation ················································································································· 91

Configuring EAD fast deployment································································································································ 91

Configuration procedure ······································································································································ 91

Displaying and maintaining EAD fast deployment····································································································· 92

EAD fast deployment configuration example·············································································································· 93

Troubleshooting EAD fast deployment························································································································· 95

Web browser users cannot be correctly redirected ·························································································· 95

MAC authentication configuration·······························································································································96

MAC authentication overview ······································································································································ 96

User account policies············································································································································ 96

Authentication approaches ·································································································································· 96

MAC authentication timers··································································································································· 97

Using MAC authentication with other features ··········································································································· 97

VLAN assignment·················································································································································· 97

ACL assignment····················································································································································· 97

Guest VLAN ··························································································································································· 97

MAC authentication configuration task list ················································································································· 98

Basic configuration for MAC authentication··············································································································· 98

Specifying an authentication domain for MAC authentication users ······································································· 99

Configuring a MAC authentication guest VLAN ······································································································100

Displaying and maintaining MAC authentication ····································································································101

MAC authentication configuration examples············································································································101

Local MAC authentication configuration example ··························································································101

RADIUS-based MAC authentication configuration example ··········································································103

ACL assignment configuration example ···········································································································105

Portal configuration ···················································································································································· 108

Portal overview·····························································································································································108

Introduction to portal···········································································································································108

Extended portal functions ···································································································································108

Portal system components···································································································································108

Portal system using the local portal server········································································································110

Portal authentication modes ·······························································································································111

Layer 2 portal authentication process ···············································································································111

Portal configuration task list ········································································································································112

Configuration prerequisites·········································································································································113

Specifying the local portal server for Layer 2 portal authentication······························································114

Configuring the local portal server ····························································································································114

Customizing authentication pages ····················································································································114

Configuring the local portal server····················································································································117

Enabling Layer 2 portal authentication······················································································································118

Controlling access of portal users ······························································································································119

Configuring a portal-free rule ····························································································································119

Setting the maximum number of online portal users························································································119

Specifying an authentication domain for portal users·····················································································120

Adding a web proxy server port number ·········································································································120

Enabling support for portal user moving ··········································································································121

Specifying the Auth-Fail VLAN for portal authentication ·························································································122

Specifying the auto redirection URL for authenticated portal users ········································································122

Configuring portal detection functions·······················································································································123

Logging off portal users···············································································································································123

Displaying and maintaining portal ····························································································································123

Portal configuration examples ····································································································································124

Configuring Layer 2 portal authentication········································································································124

Troubleshooting portal·················································································································································128

Inconsistent keys on the access device and the portal server·········································································128

Incorrect server port number on the access device ·························································································128

Triple authentication configuration ··························································································································· 130

Triple authentication overview····································································································································130

Triple authentication mechanism ·······················································································································130

Using triple authentication with other features·································································································131

Configuring triple authentication································································································································131

Triple authentication configuration examples ···········································································································132

Triple authentication basic function configuration example ···········································································132

Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············135

Port security configuration·········································································································································· 140

Port security overview··················································································································································140

Port security features ···········································································································································140

Port security modes ·············································································································································140

Support for guest VLAN and Auth-Fail VLAN···································································································143

Port security configuration task list ·····························································································································143

Enabling port security··················································································································································144

Setting the maximum number of secure MAC addresses ························································································144

Setting the port security mode ····································································································································145

Configuration prerequisites································································································································145

Configuring port security features ······························································································································146

Configuring NTK ·················································································································································146

Configuring intrusion protection ························································································································147

Configuring port security traps ··························································································································147

Configuring secure MAC addresses ··························································································································148

Ignoring authorization information from the server··································································································149

Displaying and maintaining port security··················································································································149

Port security configuration examples ·························································································································150

Configuring the autoLearn mode·······················································································································150

Configuring the userLoginWithOUI mode ········································································································152

Configuring the macAddressElseUserLoginSecure mode················································································156

Troubleshooting port security······································································································································159

Cannot set the port security mode·····················································································································159

Cannot configure secure MAC addresses········································································································160

Cannot change port security mode when a user is online ·············································································160

User profile configuration ·········································································································································· 161

User profile overview···················································································································································161

User profile configuration task list······························································································································161

Creating a user profile ················································································································································161

Creating a user profile········································································································································161

Configuring a user profile···········································································································································162

Enabling a user profile ················································································································································162

Displaying and maintaining user profile ···················································································································163

Password control configuration································································································································· 164

Password control overview ·········································································································································164

Password control configuration task list·····················································································································166

Configuring password control ····································································································································167

Enabling password control·································································································································167

Setting global password control parameters····································································································167

Setting user group password control parameters ····························································································168

Setting local user password control parameters ······························································································169

Setting super password control parameters ·····································································································170

Setting a local user password in interactive mode··························································································170

Displaying and maintaining password control ·········································································································170

Password control configuration example ··················································································································171

HABP configuration ···················································································································································· 174

HABP overview·····························································································································································174

Configuring HABP························································································································································175

Configuring the HABP server ·····························································································································175

Configuring an HABP client ·······························································································································175

Displaying and maintaining HABP·····························································································································176

HABP configuration example······································································································································176

Network requirements·········································································································································176

Public key configuration············································································································································· 179

Asymmetric key algorithm overview ··························································································································179

Basic concepts ·····················································································································································179

vii

Key algorithm types ············································································································································179

Asymmetric key algorithm applications ············································································································179

Configuring the local asymmetric key pair ···············································································································180

Creating an asymmetric key pair ······················································································································180

Displaying or exporting the local RSA or DSA host public key ·····································································180

Destroying an asymmetric key pair···················································································································181

Configuring a peer public key····································································································································181

Displaying and maintaining public keys ···················································································································182

Public key configuration examples·····························································································································182

Configuring a peer public key manually ··········································································································182

Importing a peer public key from a public key file··························································································184

PKI configuration························································································································································· 187

PKI overview ·································································································································································187

PKI terms·······························································································································································187

PKI architecture····················································································································································188

PKI applications···················································································································································188

How does PKI work·············································································································································189

PKI configuration task list ············································································································································189

Configuring an entity DN············································································································································190

Configuring a PKI domain ··········································································································································191

Submitting a PKI certificate request····························································································································192

Submitting a certificate request in auto mode··································································································193

Submitting a certificate request in manual mode·····························································································193

Retrieving a certificate manually ································································································································194

Configuring PKI certificate verification ······················································································································195

Destroying a local RSA key pair ································································································································196

Deleting a certificate····················································································································································196

Configuring an access control policy ························································································································197

Displaying and maintaining PKI ·································································································································197

PKI configuration examples·········································································································································198

Requesting a certificate from a CA running RSA Keon···················································································198

Requesting a certificate from a CA running Windows 2003 Server ····························································201

Configuring a certificate attribute-based access control policy ·····································································204

Troubleshooting PKI ·····················································································································································206

Failed to retrieve a CA certificate ·····················································································································206

Failed to request a local certificate ···················································································································206

Failed to retrieve CRLs ········································································································································207

SSH2.0 configuration················································································································································· 208

SSH2.0 overview ·························································································································································208

Introduction to SSH2.0 ·······································································································································208

How does SSH work···········································································································································208

Configuring the device as an SSH server ·················································································································210

SSH server configuration task list ······················································································································210

Generating a DSA or RSA key pair ··················································································································211

Enabling the SSH server function ······················································································································211

Configuring the user interfaces for SSH clients································································································212

Configuring a client public key··························································································································212

Configuring an SSH user····································································································································213

Setting the SSH management parameters ········································································································214

Configuring the device as an SSH client···················································································································215

SSH client configuration task list························································································································215

Specifying a source IP address/interface for the SSH client ··········································································215

Configuring whether first-time authentication is supported·············································································216

Establishing a connection between the SSH client and server ·······································································217

viii

Displaying and maintaining SSH ·······························································································································217

SSH server configuration examples ···························································································································218

When switch acts as server for password authentication···············································································218

When switch acts as server for publickey authentication ···············································································220

SSH client configuration examples·····························································································································225

When switch acts as client for password authentication ················································································225

When switch acts as client for publickey authentication ················································································228

SFTP configuration ······················································································································································ 231

SFTP overview·······························································································································································231

Configuring the device as an SFTP server·················································································································231

Enabling the SFTP server ····································································································································231

Configuring the SFTP connection idle timeout period ·····················································································231

Configuring the device an SFTP client ·······················································································································232

Specifying a source IP address or interface for the SFTP client······································································232

Establishing a connection to the SFTP server····································································································232

Working with SFTP directories···························································································································233

Working with SFTP files······································································································································233

Displaying help information ·······························································································································234

Terminating the connection to the remote SFTP server ····················································································234

SFTP client configuration example ·····························································································································235

SFTP server configuration example ····························································································································238

SSL configuration ························································································································································ 241

SSL overview·································································································································································241

SSL security mechanism ······································································································································241

SSL protocol stack ···············································································································································242

SSL configuration task list············································································································································242

Configuring an SSL server policy ·······························································································································242

SSL server policy configuration example··········································································································243

Configuring an SSL client policy ································································································································245

Displaying and maintaining SSL ································································································································246

Troubleshooting SSL·····················································································································································246

SSL handshake failure·········································································································································246

TCP attack protection configuration·························································································································· 248

TCP attack protection overview ··································································································································248

Enabling the SYN cookie feature ·······························································································································248

Displaying and maintaining TCP attack protection··································································································248

IP source guard configuration ··································································································································· 249

IP source guard overview············································································································································249

Introduction to IP source guard··························································································································249

IP source guard binding ·····································································································································249

Configuring IPv4 source guard binding ····················································································································251

Configuring a static IPv4 source guard binding entry ····················································································252

Configuring the dynamic IPv4 source guard binding function·······································································252

Configuring IPv6 source guard binding ····················································································································253

Configuring a static IPv6 source guard binding entry ····················································································253

Configuring the dynamic IPv6 source guard binding function·······································································254

Displaying and maintaining IP source guard············································································································255

IP source guard configuration examples ···················································································································256

Static IPv4 source guard binding entry configuration example ·····································································256

Global static binding excluded port configuration example ··········································································257

Dynamic IPv4 source guard binding by DHCP snooping configuration example ·······································259

Dynamic IPv4 source guard binding by DHCP relay configuration example ··············································260

Static IPv6 source guard binding entry configuration example ·····································································261

Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example···································262

Dynamic IPv6 source guard binding by ND snooping configuration example ···········································263

Troubleshooting IP source guard ································································································································264

Neither static binding entries nor the dynamic binding function can be configured ··································264

ARP attack protection configuration ························································································································· 265

ARP attack protection overview··································································································································265

ARP attack protection configuration task list ·············································································································265

Configuring ARP defense against IP packet attacks·································································································266

Introduction ··························································································································································266

Configuring ARP source suppression ················································································································266

Enabling ARP black hole routing·······················································································································267

Displaying and maintaining ARP defense against IP packet attacks·····························································267

Configuring ARP packet rate limit ······························································································································267

Configuring ARP packet rate limit ·····················································································································267

Configuring source MAC address based ARP attack detection ·············································································268

Displaying and maintaining source MAC address based ARP attack detection ·········································269

Configuring ARP packet source MAC address consistency check ·········································································269

Configuring ARP active acknowledgement ···············································································································270

Configuring ARP detection··········································································································································270

Enabling ARP detection based on static IP source guard binding Entries/DHCP snooping entries/802.1X

security entries/OUI MAC addresses ···············································································································271

Configuring ARP detection based on specified objects ··················································································272

Configuring ARP restricted forwarding ·············································································································273

Displaying and maintaining ARP detection ······································································································273

ARP detection configuration example I ·············································································································273

ARP detection configuration example II ············································································································275

ARP restricted forwarding configuration example ···························································································276

Configuring ARP automatic scanning and fixed ARP ······························································································278

Configuring ARP gateway protection ························································································································279

ARP gateway protection configuration example······························································································280

Configuring ARP filtering·············································································································································280

ARP filtering configuration example··················································································································281

ND attack defense configuration ······························································································································ 283

Introduction to ND attack defense······························································································································283

Enabling source MAC consistency check for ND packets·······················································································284

Configuring the ND detection function······················································································································284

Introduction to ND detection ······························································································································284

Configuring ND detection ··································································································································285

Displaying and maintaining ND detection·······································································································285

ND detection configuration example·························································································································286

Support and other resources ····································································································································· 288

Contacting HP ······························································································································································288

Subscription service ············································································································································288

Related information······················································································································································288

Documents····························································································································································288

Websites ······························································································································································288

Conventions ··································································································································································289

Index············································································································································································· 291

AAA configuration

AAA overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. It provides the following security functions:

Authentication—Identifies users and determines whether a user is valid.

Authorization—Grants different users different rights and controls their access to resources and

services. For example, a user who has successfully logged in to the device can be granted read and

print permissions to the files on the device.

Accounting—Records all user network service usage information, including the service type, start

time, and traffic. The accounting function not only provides the information required for charging,

but also allows for network security surveillance.

AAA usually uses a client/server model. The client runs on the network access server (NAS) and the

server maintains user information centrally. In an AAA network, a NAS is a server for users but a client

for the AAA servers, as shown in Figure 1.

Figure 1 Network diagram for AAA

Remote user NAS RADIUS server

HWTACACS server

Internet

Network

When a user tries to log in to the NAS, use network resources, or access other networks, the NAS

authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and

accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and a

remote server exchange user information between them.

In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose

different servers for different security functions. For example, you can use the HWTACACS server for

authentication and authorization, and the RADIUS server for accounting.

You can choose the three security functions provided by AAA as required. For example, if your company

only wants employees to be authenticated before they access specific resources, you only need to

configure an authentication server. If network usage information is needed, you must also configure an

accounting server.

AAA can be implemented through multiple protocols. The device supports using RADIUS and

HWTACACS for AAA. RADIUS is often used in practice.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that

uses a client/server model. RADIUS can protect networks against unauthorized access and is often used

in network environments where both high security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813

for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods,

RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.

RADIUS provides access authentication and authorization services, and its accounting function collects

and records network resource usage information.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

designated RADIUS servers and acts on the responses (for example, rejects or accepts user access

requests).

The RADIUS server runs on the computer or workstation at the network center and maintains information

related to user authentication and network service access. It listens to connection requests, authenticates

users, and returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary

Figure 2 RADIUS server components

RADIUS servers

Users Clients Dictionary

Users—Stores user information, such as usernames, passwords, applied protocols, and IP addresses.

Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

Dictionary—Stores RADIUS protocol attributes and their values.

Security and authentication mechanisms

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared

key, which is never transmitted over the network. This enhances information exchange security. In

addition, to prevent user passwords from being intercepted in non-secure networks, RADIUS encrypts

passwords before transmitting them.

A RADIUS server supports multiple user authentication methods, such as the Password Authentication

Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Moreover, a RADIUS

server can act as the client of another AAA server to provide authentication proxy services.

RADIUS basic message exchange process

Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.

Figure 3 RADIUS basic message exchange process

RADIUS client RADIUS server

1) Username and password

3) Access-Accept/Reject

2) Access-Request

4) Accounting-Request (start)

5) Accounting-Response

7) Accounting-Request (stop)

8) Accounting-Response

9) Notification of access termination

Host

6) The host accesses the resources

RADIUS operates in the following manner:

1. The host initiates a connection request carrying the username and password to the RADIUS client.

2. Having received the username and password, the RADIUS client sends an authentication request

(Access-Request) to the RADIUS server, with the user password encrypted by using the Message-

Digest 5 (MD5) algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, it

sends back an Access-Accept message containing the user’s authorization information. If the

authentication fails, it returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If it

permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a

stop-accounting request (Accounting-Request) to the RADIUS server.

8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting

for the user.

9. The user stops access to network resources.

RADIUS packet format

RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS server

and the client through a series of mechanisms, including the timer management mechanism, the

retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.

Figure 4 RADIUS packet format

Code

Attribute

Identifier

Length

Authenticator (16bytes)

7 15 31

Descriptions of the fields are as follows:

1. The Code field (1 byte long) indicates the type of the RADIUS packet.

Table 1 Main values of the Code field

Code

Packet type

Description

Access-Request

From the client to the server. A packet of this type carries user

information for the server to authenticate the user. It must

contain the User-Name attribute and can optionally contain the

attributes of NAS-IP-Address, User-Password, and NAS-Port.

Access-Accept

From the server to the client. If all the attribute values carried in

the Access-Request are acceptable, the authentication

succeeds, and the server sends an Access-Accept response.

Access-Reject

From the server to the client. If any attribute value carried in

the Access-Request is unacceptable, the authentication fails

and the server sends an Access-Reject response.

Accounting-Request

From the client to the server. A packet of this type carries user

information for the server to start or stop accounting for the

user. The Acct-Status-Type attribute in the packet indicates

whether to start or stop accounting.

Accounting-Response

From the server to the client. The server sends a packet of this

type to notify the client that it has received the Accounting-

Request and has correctly recorded the accounting

information.

2. The Identifier field (1 byte long) is used to match request and response packets and to detect

retransmitted request packets. Request and response packets of the same type have the same

identifier.

3. The Length field (2 bytes long) indicates the length of the entire packet, including the Code,

Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered

padding and are neglected upon reception. If the length of a received packet is less than this

length, the packet is dropped. The value of this field is in the range 20 to 4096.

4. The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to

encrypt user passwords. There are two types of authenticators: request authenticator and response

authenticator.

5. The Attribute field, with a variable length, carries the specific authentication, authorization, and

accounting information that defines the configuration details of the request or response. This field

contains multiple attributes, and each attribute is represented in triplets of Type, Length, and Value.

Type (1 byte long)—Indicates the type of the attribute. It is in the range 1 to 255. See Table 2 for

commonly used attributes for RADIUS authentication, authorization and accounting, which are

defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information about commonly

used standard RADIUS attributes, see ―Commonly used standard RADIUS attributes.―

Length (1 byte long)—Indicates the length of the attribute in bytes, including the Type, Length, and

Value fields.

Value (up to 253 bytes)—Value of the attribute. Its format and content depend on the Type and

Length fields.

Table 2 RADIUS attributes

No.

Attribute

No.

Attribute

User-Name

Acct-Authentic

User-Password

Acct-Session-Time

CHAP-Password

Acct-Input-Packets

NAS-IP-Address

Acct-Output-Packets

NAS-Port

Acct-Terminate-Cause

Service-Type

Acct-Multi-Session-Id

Framed-Protocol

Acct-Link-Count

Framed-IP-Address

Acct-Input-Gigawords

Framed-IP-Netmask

Acct-Output-Gigawords

Framed-Routing

(unassigned)

Filter-ID

Event-Timestamp

Framed-MTU

56-59

(unassigned)

Framed-Compression

CHAP-Challenge

NAS-Port-Type

Port-Limit

(unassigned)

Tunnel-Type

Reply-Message

Tunnel-Medium-Type

Callback-Number

Tunnel-Client-Endpoint

Callback-ID

Tunnel-Server-Endpoint

(unassigned)

Acct-Tunnel-Connection

Framed-Route

Tunnel-Password

Framed-IPX-Network

ARAP-Password

State

ARAP-Features

Class

ARAP-Zone-Access

Vendor-Specific

ARAP-Security

No.

Attribute

No.

Attribute

Session-Timeout

ARAP-Security-Data

Idle-Timeout

Password-Retry

Termination-Action

Prompt

Called-Station-Id

Connect-Info

Calling-Station-Id

Configuration-Token

NAS-Identifier

EAP-Message

Proxy-State

Message-Authenticator

Tunnel-Private-Group-id

Tunnel-Assignment-id

Tunnel-Preference

Framed-AppleTalk-Link

ARAP-Challenge-Response

Framed-AppleTalk-Network

Acct-Interim-Interval

Framed-AppleTalk-Zone

Acct-Tunnel-Packets-Lost

Acct-Status-Type

NAS-Port-Id

Acct-Delay-Time

Framed-Pool

Acct-Input-Octets

(unassigned)

Acct-Output-Octets

Tunnel-Client-Auth-id

Acct-Session-Id

Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vender-Specific) defined by RFC 2865

allows a vender to define extended attributes to implement functions that the standard RADIUS protocol

does not provide.

A vendor can encapsulate multiple type-length-value (TLV) sub-attributes in RADIUS packets for extension

in applications. As shown in Figure 5, a sub-attribute that can be encapsulated in Attribute 26 consists of

the following parts:

Vendor-ID (4 bytes long)—Indicates the ID of the vendor. Its most significant byte is 0; the other three

bytes contains a code that is compliant to RFC 1700. For more information about the proprietary

RADIUS sub-attributes of HP, see ―HP proprietary RADIUS sub-attributes.―

Vendor-Type—Indicates the type of the sub-attribute.

Vendor-Length—Indicates the length of the sub-attribute.

Vendor-Data—Indicates the contents of the sub-attribute.

Figure 5 Segment of a RADIUS packet containing an extended attribute

Type Length

Vendor-ID

7 15 31

Vendor-ID (continued) Vendor-Type Vendor-Length

Vendor-Data

(Specified attribute value……)

……

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol

based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange

between the NAS and the HWTACACS server.

HWTACACS mainly provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up

Network (VPDN) users, and terminal users. In a typical HWTACACS application, some terminal users

need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the

username and password of a user to the HWTACACS sever for authentication. After passing

authentication and being authorized, the user logs in to the device and performs operations, and the

HWTACACS server records the operations that the user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They have

many features in common, like using a client/server model, using shared keys for user information

security, and providing flexibility and extensibility. Table 3 lists their differences.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS

RADIUS

Uses TCP, providing more reliable network

transmission.

Uses UDP, providing higher transport efficiency.

Encrypts the entire packet except for the

HWTACACS header.

Encrypts only the user password field in an

authentication packet.

Protocol packets are complicated and authorization

is independent of authentication. Authentication and

authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple and the authorization

process is combined with the authentication process.

Supports authorization of configuration commands.

Which commands a user can use depends on both

the user level and AAA authorization. A user can

use only commands that are not only of, or lower

than, the user level but also authorized by the

HWTACACS server.

Does not support authorization of configuration

commands. Which commands a user can use

depends on the level of the user and a user can use

all the commands of, or lower than, the user level.

HWTACACS basic message exchange process

The following takes a Telnet user as an example to describe how HWTACACS performs user

authentication, authorization, and accounting.

Figure 6 HWTACACS basic message exchange process for a Telnet user

Host HWTACACS client HWTACACS server

1) The user logs in

2) Start-authentication packet

3) Authentication response requesting the username

4) Request for username

5) The user inputs the username

6) Authentication continuance packet with the

username

7) Authentication response requesting the login

password

8) Request for password

9) The user inputs the password

11) Authentication response indicating successful

authentication

12) User authorization request packet

13) Authorization response indicating successful

authorization

14) The user logs in successfully

15) Start-accounting request

16) Accounting response indicating the start of

accounting

17) The user logs off

18) Stop-accounting request

19) Stop-accounting response

10) Authentication continuance packet with the

Here is the process:

1. A Telnet user sends an access request to the HWTACACS client.

2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the

HWTACACS server.

3. The HWTACACS server sends back an authentication response to request the username.

4. Upon receiving the response, the HWTACACS client asks the user for the username.

5. The user inputs the username.

6. After receiving the username, the HWTACACS client sends the server a continue-authentication

packet that carries the username.

7. The HWTACACS server sends back an authentication response, requesting the login password.

8. Upon receipt of the response, the HWTACACS client asks the user for the login password.

9. The user inputs the password.

10. After receiving the login password, the HWTACACS client sends the HWTACACS server a

continue-authentication packet that carries the login password.

11. The HWTACACS server sends back an authentication response to indicate that the user has passed

authentication.

12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.

13. The HWTACACS server sends back the authorization response, indicating that the user is now

authorized.

14. Knowing that the user is now authorized, the HWTACACS client pushes its configuration interface

to the user.

15. The HWTACACS client sends a start-accounting request to the HWTACACS server.

16. The HWTACACS server sends back an accounting response, indicating that it has received the

start-accounting request.

17. The user logs off.

18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19. The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting

request has been received.

Domain-based user management

A NAS manages users based on Internet service provider (ISP) domains. On a NAS, each user belongs

to one ISP domain. A NAS determines the ISP domain a user belongs to by the username entered by the

user at login, as shown in Figure 7.

Figure 7 Determine the ISP domain of a user by the username

Username carries

@domain-name?

A user enters the username in

the form of

userid@domain-name

or userid

Use domain domain-name

to authenticate the user

Use the default domain to

authenticate the user

Yes

NAS

The authentication, authorization, and accounting of a user depends on the AAA methods configured for

the domain that the user belongs to. If no specific AAA methods are configured for the domain, the

default methods are used. By default, a domain uses local authentication, local authorization, and local

accounting.

The AAA feature allows you to manage users based on their access types:

LAN users—Users on a LAN who must pass 802.1X authentication or MAC address authentication

to access the network.

Login users—Users who want to log in to the device, including SSH users, Telnet users, FTP users,

and terminal service users.

Portal users—Users who must pass portal authentication to access the network.

For a user who has logged in to the device, AAA provides the following services to enhance device

security:

Command authorization—Enables the NAS to defer to the authorization server to determine whether

a command entered by a login user is permitted for the user, ensuring that login users execute only

commands they are authorized to execute. For more information about command authorization, see

the Fundamentals Configuration Guide.

Command accounting—Allows the accounting server to record all commands executed on the

device or all authorized commands successfully executed. For more information about command

accounting, see the Fundamentals Configuration Guide.

Level switching authentication—Allows the authentication server to authenticate users performing

privilege level switching. As long as passing level switching authentication, users can switch their

user privilege levels, without logging out and disconnecting current connections. For more

information about user privilege level switching, see the Fundamentals Configuration Guide.

You can configure different authentication, authorization, and accounting methods for different users in a

domain. See ―Configuring AAA methods for ISP domains.―

RADIUS server feature of the device

Generally, the RADIUS server runs on a computer or workstation, and the RADIUS client runs on a NAS

device. A network device that supports the RADIUS server feature can also serve as the RADIUS server,

working with RADIUS clients to implement user authentication, authorization, and accounting. As shown

in Figure 8, the RADIUS server and client can reside on the same device or different devices.

Using a network device as the RADIUS server simplifies networking and reduces deployment costs. This

implementation is usually deployed on networks by using the clustering feature. In such a scenario,

configure the RADIUS server feature on a management device at the distribution layer, so that the device

functions as a RADIUS server to cooperate with cluster member switches at the access layer to provide

user authentication and authorization services.

Figure 8 Devices functioning as a RADIUS server

NAS

RADIUS server

RADIUS serverNAS/

IP network

A network device serving as the RADIUS server can provide the following functions:

User information management—Supports creating, modifying, and deleting user information,

including the username, password, authority, lifetime, and user description.

RADIUS client information management—Supports creating, and deleting RADIUS clients, which are

identified by IP addresses and configured with attributes such as a shared key. After being

configured with a managed client range, the RADIUS server processes only the RADIUS packets

Other manuals for 5120 EI Series

Table of contents

Other HP Switch manuals

HP E2620 User manual

HP J3245A Operator's manual

HP HPE 5140 Assembly instructions

HP A5500 SI Switch Series User manual

HP ProCurve 6120G/XG User manual

HP 1810 series User manual

HP StorageWorks 7110 - Virtual Array User manual

HP SN3000B User manual

HP J3188A Installation and operating manual

HP 1410 series User manual

HP Aruba CX 10000-48Y6C Installation instructions

HP StorageWorks 2/140 - Director Switch Instruction Manual

HP StorageWorks 8/24 User manual

HP E4510-48G Operating manual

HP ProCurve 4202vl-72 User manual

HP JC106A User manual

HP V1905 Series User manual

HP 8/20q User manual

HP A7533A - Brocade 4Gb SAN Switch Base Service manual

HP 6125G User manual

HP A9512 Assembly instructions

HP Aruba 4100i Installation instructions

HP StorageWorks Edge Switch 2/24 Quick start guide

HP ProCurve J8708A Manual

Popular Switch manuals by other brands

Dwyer Instruments

Dwyer Instruments P2 Series manual

MikroTik

MikroTik CRS354-48P-4S+2Q+RM quick start guide

Xyplex

Xyplex Network 9000 Installing

Lindy

Lindy 39405 user manual

Digitus

Digitus DS-11900 user manual

Dungs

Dungs GW A4 Series manual

Equip

Equip 332704 manual

3Com

3Com 3C17539 installation guide

Revox

Revox M300 instruction manual

ATEN

ATEN Master View CS-1708 user manual

Luxul

Luxul XFS-1084P Quick install guide

IOGear

IOGear GCS1602CC quick start guide

Endress+Hauser

Endress+Hauser Nivotester FTL 375 N 3 Series manual

Exprezo

Exprezo EZ-108 user manual

AVGear

AVGear AVG-CSK-HD44 user manual

SMC Networks

SMC Networks Tiger Switch 10/100 SMC6704M Specifications

Topgreener

Topgreener TGWF500D installation instructions

Topworx

Topworx DXR-GO Installation, operation & maintenance manual

HP 5120 EI Series User manual

Popular Switch manuals by other brands