HP 5500 HI Series User manual

HP 5500 HI Switch Series
Security
Configuration Guide
Part number: 5998-2383
Software version: Release 5203 and Release 5206
Document version: 6W102-20140228

Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.

i
Contents
Configuring AAA ························································································································································· 1
AAA overview ···································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································7
Domain-based user management ···························································································································9
RADIUS server feature of the switch···················································································································· 10
AAA for MPLS L3VPNs ········································································································································· 11
Protocols and standards ······································································································································· 11
RADIUS attributes ·················································································································································· 12
FIPS compliance ····························································································································································· 15
AAA configuration considerations and task list·········································································································· 15
Configuring AAA schemes············································································································································ 16
Configuring local users········································································································································· 16
Configuring RADIUS schemes······························································································································ 21
Configuring HWTACACS schemes····················································································································· 34
Configuring AAA methods for ISP domains················································································································ 41
Configuration prerequisites ·································································································································· 41
Creating an ISP domain ······································································································································· 41
Configuring ISP domain attributes······················································································································· 41
Configuring AAA authentication methods for an ISP domain·········································································· 43
Configuring AAA authorization methods for an ISP domain ··········································································· 44
Configuring AAA accounting methods for an ISP domain ··············································································· 46
Tearing down user connections···································································································································· 47
Configuring a NAS ID-VLAN binding·························································································································· 47
Specifying the device ID used in stateful failover mode ···························································································· 48
Configuring a switch as a RADIUS server··················································································································· 48
RADIUS server functions configuration task list·································································································· 48
Configuring a RADIUS user·································································································································· 48
Specifying a RADIUS client ·································································································································· 49
Displaying and maintaining AAA ································································································································ 50
AAA configuration examples········································································································································ 50
AAA for Telnet users by an HWTACACS server ······························································································· 50
AAA for Telnet users by separate servers··········································································································· 51
Authentication/authorization for SSH/Telnet users by a RADIUS server························································ 53
Level switching authentication for Telnet users by an HWTACACS server····················································· 56
RADIUS authentication and authorization for Telnet users by a switch··························································· 60
Troubleshooting AAA ···················································································································································· 62
Troubleshooting RADIUS······································································································································· 62
Troubleshooting HWTACACS······························································································································ 63
802.1X overview ·······················································································································································64
802.1X architecture······················································································································································· 64
Controlled/uncontrolled port and port authorization status······················································································ 64
802.1X-related protocols ·············································································································································· 65
Packet formats························································································································································ 65
EAP over RADIUS ·················································································································································· 67
Initiating 802.1X authentication··································································································································· 67
802.1X client as the initiator································································································································ 67
Access device as the initiator······························································································································· 67
802.1X authentication procedures ······························································································································ 68
A comparison of EAP relay and EAP termination······························································································ 68
EAP relay································································································································································ 69
EAP termination ····················································································································································· 70
Configuring 802.1X ··················································································································································72
HP implementation of 802.1X ······································································································································ 72
Access control methods ········································································································································ 72
Using 802.1X authentication with other features ······························································································ 72
Configuration prerequisites··········································································································································· 77
802.1X configuration task list······································································································································· 78
Enabling 802.1X···························································································································································· 78
Configuration guidelines ······································································································································ 78
Configuration procedure ······································································································································ 79
Enabling EAP relay or EAP termination ······················································································································· 79
Setting the port authorization state ······························································································································ 80
Specifying an access control method ·························································································································· 80
Setting the maximum number of concurrent 802.1X users on a port······································································· 81
Setting the maximum number of authentication request attempts ············································································· 81
Setting the 802.1X authentication timeout timers······································································································· 82
Configuring the online user handshake function ········································································································ 82
Configuration guidelines ······································································································································ 82
Configuration procedure ······································································································································ 83
Configuring the authentication trigger function ·········································································································· 83
Configuration guidelines ······································································································································ 83
Configuration procedure ······································································································································ 84
Specifying a mandatory authentication domain on a port························································································ 84
Configuring the quiet timer ··········································································································································· 84
Enabling the periodic online user re-authentication function····················································································· 85
Configuration guidelines ······································································································································ 85
Configuration procedure ······································································································································ 85
Configuring a port to send EAPOL frames untagged································································································· 86
Setting the maximum number of 802.1X authentication attempts for MAC authentication users························· 86
Configuring a VLAN group··········································································································································· 86
Configuring an 802.1X guest VLAN ··························································································································· 87
Configuration guidelines ······································································································································ 87
Configuration prerequisites ·································································································································· 88
Configuration procedure ······································································································································ 88
Configuring an 802.1X Auth-Fail VLAN······················································································································ 88
Configuration guidelines ······································································································································ 88
Configuration prerequisites ·································································································································· 89
Configuration procedure ······································································································································ 89
Configuring an 802.1X critical VLAN ························································································································· 89
Configuration guidelines ······································································································································ 89
Configuration prerequisites ·································································································································· 90
Configuration procedure ······································································································································ 90
Specifying supported domain name delimiters··········································································································· 90
Displaying and maintaining 802.1X ··························································································································· 91
802.1X authentication configuration example ··········································································································· 91
Network requirements··········································································································································· 91
Configuration procedure ······································································································································ 92
Verifying the configuration··································································································································· 93
802.1X with guest VLAN and VLAN assignment configuration example ······························································· 94
Network requirements··········································································································································· 94
Configuration procedure ······································································································································ 95
Verifying the configuration··································································································································· 96
802.1X with ACL assignment configuration example ······························································································· 96
Network requirements··········································································································································· 96
Configuration procedure ······································································································································ 97
Verifying the configuration··································································································································· 97
Configuring EAD fast deployment ····························································································································99
Overview········································································································································································· 99
Free IP····································································································································································· 99
URL redirection······················································································································································· 99
Configuration prerequisites··········································································································································· 99
Configuring a free IP ····················································································································································· 99
Configuring the redirect URL·······································································································································100
Setting the EAD rule timer ···········································································································································100
Displaying and maintaining EAD fast deployment···································································································100
EAD fast deployment configuration example············································································································101
Network requirements·········································································································································101
Configuration procedure ····································································································································102
Verifying the configuration·································································································································102
Troubleshooting EAD fast deployment·······················································································································103
Web browser users cannot be correctly redirected ························································································103
Configuring MAC authentication··························································································································· 104
Overview·······································································································································································104
User account policies··········································································································································104
Authentication approaches ································································································································104
MAC authentication timers·································································································································105
Using MAC authentication with other features ·········································································································105
VLAN assignment ················································································································································105
ACL assignment ···················································································································································105
Guest VLAN ·························································································································································105
Critical VLAN·······················································································································································106
Configuration task list ··················································································································································106
Basic configuration for MAC authentication·············································································································106
Configuring MAC authentication globally········································································································107
Configuring MAC authentication on a port ·····································································································107
Specifying a MAC authentication domain················································································································108
Configuring a MAC authentication guest VLAN ······································································································108
Configuring a MAC authentication critical VLAN····································································································109
Configuring MAC authentication delay·····················································································································110
Enabling MAC authentication multi-VLAN mode······································································································110
Displaying and maintaining MAC authentication ····································································································111
MAC authentication configuration examples············································································································111
Local MAC authentication configuration example···························································································111
RADIUS-based MAC authentication configuration example···········································································113
ACL assignment configuration example············································································································115
Configuring portal authentication·························································································································· 118
Overview·······································································································································································118
Extended portal functions ···································································································································118
Portal system components···································································································································118
Portal system using the local portal server········································································································120
Portal authentication modes ·······························································································································121
Portal support for EAP·········································································································································122
Layer 2 portal authentication process ···············································································································123
Layer 3 portal authentication process ···············································································································124
Portal stateful failover··········································································································································127
Portal authentication across VPNs·····················································································································129
Portal configuration task list ········································································································································129
Configuration prerequisites·········································································································································130
Specifying the portal server ········································································································································131
Specifying the local portal server for Layer 2 portal authentication······························································131
Specifying a portal server for Layer 3 portal authentication ··········································································132
Configuring the local portal server ····························································································································132
Customizing authentication pages ····················································································································132
Configuring the local portal server····················································································································135
Enabling portal authentication····································································································································136
Enabling Layer 2 portal authentication ·············································································································136
Enabling Layer 3 portal authentication ·············································································································136
Controlling access of portal users ······························································································································137
Configuring a portal-free rule·····························································································································137
Configuring an authentication source subnet···································································································138
Setting the maximum number of online portal users························································································139
Specifying an authentication domain for portal users·····················································································139
Configuring Layer 2 portal authentication to support Web proxy·································································140
Enabling support for portal user moving ··········································································································140
Specifying an Auth-Fail VLAN for portal authentication ··························································································141
Configuring RADIUS related attributes ······················································································································142
Specifying NAS-Port-Type for an interface ·······································································································142
Specifying a NAS ID profile for an interface ···································································································142
Specifying a source IP address for outgoing portal packets ···················································································143
Configuring portal stateful failover·····························································································································143
Specifying an auto redirection URL for authenticated portal users·········································································145
Configuring portal detection functions·······················································································································146
Configuring online Layer 2 portal user detection ····························································································146
Configuring the portal server detection function······························································································146
Configuring portal user information synchronization······················································································148
Logging off portal users···············································································································································148
Displaying and maintaining portal ····························································································································149
Portal configuration examples ····································································································································150
Configuring direct portal authentication···········································································································150
Configuring re-DHCP portal authentication······································································································154
Configuring cross-subnet portal authentication ································································································156
Configuring direct portal authentication with extended functions··································································158
Configuring re-DHCP portal authentication with extended functions ····························································160
Configuring cross-subnet portal authentication with extended functions·······················································162
Configuring portal stateful failover····················································································································164
Configuring portal server detection and portal user information synchronization·······································172
Cross-subnet portal authentication across VPNs ······························································································177
Configuring Layer 2 portal authentication········································································································179
Troubleshooting portal·················································································································································183
Inconsistent keys on the access device and the portal server·········································································183
Incorrect server port number on the access device··························································································183
Configuring triple authentication ··························································································································· 185
Overview·······································································································································································185
Triple authentication mechanism ·······················································································································185
Using triple authentication with other features ·································································································186
Configuring triple authentication································································································································186
Triple authentication configuration examples ···········································································································187
Triple authentication basic function configuration example ···········································································187
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············189
Configuring port security········································································································································ 195
Overview·······································································································································································195
Port security features ···········································································································································195
Port security modes ·············································································································································195
Working with guest VLAN and Auth-Fail VLAN ······························································································198
Configuration task list ··················································································································································198
Enabling port security ··················································································································································199
Setting port security's limit on the number of MAC addresses on a port·······························································199
Setting the port security mode ····································································································································200
Configuration prerequisites ································································································································200
Configuration procedure ····································································································································200
Configuring port security features ······························································································································201
Configuring NTK ·················································································································································201
Configuring intrusion protection ························································································································201
Enabling port security traps································································································································202
Configuring secure MAC addresses ··························································································································202
Configuration prerequisites ································································································································203
Configuration procedure ····································································································································203
Ignoring authorization information ····························································································································204
Displaying and maintaining port security··················································································································204
Port security configuration examples ·························································································································205
Configuring the autoLearn mode·······················································································································205
Configuring the userLoginWithOUI mode ········································································································207
Configuring the macAddressElseUserLoginSecure mode················································································212
Troubleshooting port security······································································································································214
Cannot set the port security mode·····················································································································214
Cannot configure secure MAC addresses ········································································································215
Cannot change port security mode when a user is online··············································································215
Configuring a user profile ······································································································································ 217
Overview·······································································································································································217
User profile configuration task list······························································································································217
Creating a user profile ················································································································································217
Applying a QoS policy ···············································································································································218
Enabling a user profile ················································································································································218
Displaying and maintaining user profiles··················································································································219
Configuring password control································································································································ 220
Overview·······································································································································································220
FIPS compliance ···························································································································································222
Password control configuration task list·····················································································································223
Configuring password control ····································································································································223
Enabling password control·································································································································223
Setting global password control parameters····································································································224
Setting user group password control parameters ····························································································225
Setting local user password control parameters ······························································································226
Setting super password control parameters ·····································································································227
Setting a local user password in interactive mode ··························································································227
Displaying and maintaining password control ·········································································································227
Password control configuration example ··················································································································228
Configuring HABP··················································································································································· 231
Overview·······································································································································································231
Configuring HABP························································································································································232
Configuring the HABP server ·····························································································································232
Configuring an HABP client ·······························································································································232
Displaying and maintaining HABP·····························································································································233
HABP configuration example······································································································································233
Managing public keys············································································································································ 236
Overview·······································································································································································236
FIPS compliance ···························································································································································236
Configuration task list ··················································································································································237
Creating a local asymmetric key pair························································································································237
Displaying or exporting the local host public key ····································································································238
Destroying a local asymmetric key pair ····················································································································239
Specifying the peer public key on the local device··································································································239
Displaying and maintaining public keys ···················································································································240
Public key configuration examples·····························································································································241
Manually specifying the peer public key on the local device ········································································241
Importing a peer public key from a public key file··························································································243
Configuring PKI ······················································································································································· 246
Overview·······································································································································································246
PKI terms·······························································································································································246
PKI architecture····················································································································································247
PKI operation ·······················································································································································247
PKI applications ···················································································································································248
PKI configuration task list ············································································································································248
Configuring an entity DN············································································································································249
Configuring a PKI domain···········································································································································250
Configuration guidelines ····································································································································251
Configuration procedure ····································································································································251
Submitting a PKI certificate request····························································································································251
Submitting a certificate request in auto mode··································································································252
Submitting a certificate request in manual mode·····························································································252
Retrieving a certificate manually ································································································································253
Configuration guidelines ····································································································································253
Configuration procedure ····································································································································254
Configuring PKI certificate verification ······················································································································254
Configuration guidelines ····································································································································254
Configuring CRL-checking-enabled PKI certificate verification ·······································································254
Configuring CRL-checking-disabled PKI certificate verification ······································································255
Destroying a local RSA key pair ································································································································255
Deleting a certificate····················································································································································256
Configuring an access control policy ························································································································256
Displaying and maintaining PKI ·································································································································256
PKI configuration examples·········································································································································257
Certificate request from an RSA Keon CA server ····························································································257
Certificate request from a Windows 2003 CA server ····················································································260
Certificate attribute access control policy configuration example ·································································263
Troubleshooting PKI ·····················································································································································265
Failed to retrieve a CA certificate······················································································································265
Failed to request a local certificate ···················································································································265
Failed to retrieve CRLs ········································································································································266
Configuring IPsec ···················································································································································· 267
Overview·······································································································································································267
Basic concepts ·····················································································································································267
IPsec for IPv6 routing protocols··························································································································270
Protocols and standards ·····································································································································270
FIPS compliance ···························································································································································270
Configuring IPsec ·························································································································································270
Implementing ACL-based IPsec ···································································································································270
Feature restrictions··············································································································································270
ACL-based IPsec configuration task list ·············································································································271
Configuring ACLs ················································································································································271
Configuring an IPsec proposal ··························································································································273
Configuring an IPsec policy ·······························································································································274
Applying an IPsec policy group to an interface·······························································································278
Configuring the IPsec session idle timeout········································································································278
Enabling ACL checking of de-encapsulated IPsec packets ·············································································279
Configuring the IPsec anti-replay function ········································································································279
Configuring packet information pre-extraction ································································································280
Configuring IPsec for IPv6 routing protocols·············································································································280
Displaying and maintaining IPsec ······························································································································281
IPsec configuration examples······································································································································281
IKE-based IPsec tunnel for IPv4 packets configuration example·····································································281
IPsec for RIPng configuration example··············································································································284
Configuring IKE······················································································································································· 288
FIPS compliance ···························································································································································288
Overview·······································································································································································288
IKE security mechanism·······································································································································288
IKE operation ·······················································································································································289
IKE functions·························································································································································289
Relationship between IKE and IPsec··················································································································290
Protocols and standards ·····································································································································290
IKE configuration task list ············································································································································290
Configuring a name for the local security gateway·································································································291
Configuring an IKE proposal ······································································································································291
Configuring an IKE peer··············································································································································292
Setting keepalive timers···············································································································································294
Setting the NAT keepalive timer·································································································································294
Configuring a DPD detector········································································································································295
Disabling next payload field checking ······················································································································295
Displaying and maintaining IKE·································································································································296
IKE configuration example ··········································································································································296
Troubleshooting IKE ·····················································································································································299
Invalid user ID······················································································································································299
Proposal mismatch ··············································································································································299
Failing to establish an IPsec tunnel····················································································································300
ACL configuration error ······································································································································300
Configuring SSH2.0 ··············································································································································· 301
Overview·······································································································································································301
SSH operation ·····················································································································································301
SSH connection across VPNs·····························································································································303
FIPS compliance ···························································································································································304
Configuring the switch as an SSH server ··················································································································304
SSH server configuration task list ······················································································································304
Generating DSA or RSA key pairs ····················································································································304
Enabling the SSH server function·······················································································································305
Configuring the user interfaces for SSH clients································································································305
Configuring a client public key··························································································································306
Configuring an SSH user····································································································································307
Setting the SSH management parameters ········································································································308
Setting the DSCP value for packets sent by the SSH server············································································309
Configuring the switch as an SSH client ···················································································································309
SSH client configuration task list························································································································309
Specifying a source IP address/interface for the SSH client ··········································································310
Configuring whether first-time authentication is supported·············································································310
Establishing a connection between the SSH client and server ·······································································311
Setting the DSCP value for packets sent by the SSH client·············································································312
Displaying and maintaining SSH ·······························································································································312
SSH server configuration examples ···························································································································313
When the switch acts as a server for password authentication ·····································································313
When the switch acts as a server for publickey authentication ·····································································315
SSH client configuration examples·····························································································································320
When the switch acts as a client for password authentication ················································································320
When the switch acts as a client for publickey authentication ················································································323
Configuring SFTP····················································································································································· 326
Overview·······································································································································································326
FIPS compliance ···························································································································································326
Configuring the switch as an SFTP server ·················································································································326
Enabling the SFTP server ····································································································································326
Configuring the SFTP connection idle timeout period ·····················································································327
Configuring the switch as an SFTP client···················································································································327
Specifying a source IP address or interface for the SFTP client······································································327
Establishing a connection to the SFTP server····································································································327
Working with SFTP directories···························································································································328
Working with SFTP files······································································································································329
Displaying help information ·······························································································································330
Terminating the connection to the remote SFTP server ····················································································330
Setting the DSCP value for packets sent by the SFTP client ············································································330
SFTP client configuration example ·····························································································································331
SFTP server configuration example ····························································································································334
Configuring SCP······················································································································································ 337
Overview·······································································································································································337
FIPS compliance ···························································································································································337
Configuring the switch as an SCP server ··················································································································337
Configuring the switch as the SCP client···················································································································338
SCP client configuration example······················································································································339
SCP server configuration example ····················································································································340
Configuring SSL······················································································································································· 342
Overview·······································································································································································342
SSL security mechanism ······································································································································342
SSL protocol stack ···············································································································································342
FIPS compliance ···························································································································································343
Configuration task list ··················································································································································343
Configuring an SSL server policy ·······························································································································343
SSL server policy configuration example ··········································································································345
Configuring an SSL client policy ································································································································347
Displaying and maintaining SSL·································································································································347
Troubleshooting SSL·····················································································································································348
Configuring TCP attack protection························································································································· 349
Overview·······································································································································································349

Enabling the SYN Cookie feature ······························································································································349
Displaying and maintaining TCP attack protection ··································································································349
Configuring IP source guard ·································································································································· 351
Overview·······································································································································································351
Static IP source guard entries·····························································································································351
Dynamic IP source guard binding entries·········································································································352
Configuration task list ··················································································································································352
Configuring the IPv4 source guard function··············································································································353
Configuring IPv4 source guard on a port·········································································································353
Configuring a static IPv4 source guard entry···································································································354
Setting the maximum number of IPv4 source guard binding entries ·····························································355
Configuring the IPv6 source guard function··············································································································356
Configuring IPv6 source guard on a port·········································································································356
Configuring a static IPv6 source guard entry···································································································357
Setting the maximum number of IPv6 source guard entries············································································358
Displaying and maintaining IP source guard············································································································358
IP source guard configuration examples ···················································································································359
Static IPv4 source guard configuration example ·····························································································359
Dynamic IPv4 source guard using DHCP snooping configuration example·················································361
Dynamic IPv4 source guard using DHCP relay configuration example ························································362
Static IPv6 source guard configuration example ·····························································································363
Dynamic IPv6 source guard using DHCPv6 snooping configuration example·············································364
Dynamic IPv6 source guard using ND snooping configuration example ·····················································365
Global static IP source guard configuration example ·····················································································366
Troubleshooting IP source guard ································································································································368
Configuring ARP attack protection························································································································· 369
Overview·······································································································································································369
ARP attack protection configuration task list ·············································································································369
Configuring ARP defense against IP packet attacks·································································································370
Configuring ARP source suppression ················································································································370
Enabling ARP black hole routing ·······················································································································371
Displaying and maintaining ARP defense against IP packet attacks·····························································371
Configuration example ·······································································································································371
Configuring ARP packet rate limit ······························································································································372
Introduction ··························································································································································372
Configuration procedure ····································································································································372
Configuring source MAC address based ARP attack detection ·············································································373
Configuration procedure ····································································································································373
Displaying and maintaining source MAC address based ARP attack detection··········································374
Configuration example ·······································································································································374
Configuring ARP packet source MAC address consistency check ·········································································376
Introduction ··························································································································································376
Configuration procedure ····································································································································376
Configuring ARP active acknowledgement ···············································································································376
Introduction ··························································································································································376
Configuration procedure ····································································································································376
Configuring ARP detection··········································································································································377
Introduction ··························································································································································377
Configuring user validity check ·························································································································377
Configuring ARP packet validity check·············································································································378
Configuring ARP restricted forwarding ·············································································································379
Configuring the ARP detection logging function······························································································379
Displaying and maintaining ARP detection ······································································································380

User validity check configuration example·······································································································380
User validity check and ARP packet validity check configuration example··················································381
ARP restricted forwarding configuration example ···························································································383
Configuring ARP automatic scanning and fixed ARP·······························································································384
Configuration guidelines ····································································································································385
Configuration procedure ····································································································································385
Configuring ARP gateway protection ························································································································385
Configuration guidelines ····································································································································385
Configuration procedure ····································································································································386
Configuration example ·······································································································································386
Configuring ARP filtering·············································································································································387
Configuration guidelines ····································································································································387
Configuration procedure ····································································································································387
Configuration example ·······································································································································387
Configuring ND attack defense ····························································································································· 389
Overview·······································································································································································389
Enabling source MAC consistency check for ND packets·······················································································390
Configuring the ND detection function······················································································································390
Introduction to ND detection ······························································································································390
Configuration guidelines ····································································································································391
Configuration procedure ····································································································································391
Displaying and maintaining ND detection ·······································································································391
ND detection configuration example·························································································································392
Network requirements·········································································································································392
Configuration procedure ····································································································································392
Configuring URPF···················································································································································· 394
Overview·······································································································································································394
URPF check modes ··············································································································································394
How URPF works ·················································································································································394
Network application ···········································································································································397
Configuring URPF·························································································································································397
URPF configuration example·······································································································································397
Configuring MFF ····················································································································································· 399
Overview·······································································································································································399
Basic concepts ·····················································································································································400
Operation modes ················································································································································400
Working mechanism···········································································································································401
Protocols and standards ·····································································································································401
Configuring MFF ··························································································································································401
Configuration prerequisites ································································································································401
Enabling MFF·······················································································································································402
Configuring a network port································································································································402
Enabling periodic gateway probe ····················································································································402
Specifying the IP addresses of servers ··············································································································402
Displaying and maintaining MFF ·······························································································································403
MFF configuration examples·······································································································································403
Auto-mode MFF configuration example in a tree network··············································································403
Auto-mode MFF configuration example in a ring network ·············································································405
Manual-mode MFF configuration example in a tree network·········································································407
Manual-mode MFF configuration example in a ring network ········································································408
Configuring SAVI ···················································································································································· 410
Overview·······································································································································································410

Configuring global SAVI ·············································································································································410
SAVI configuration in DHCPv6-only address assignment scenario ········································································411
Network requirements·········································································································································411
Configuration considerations ·····························································································································411
Packet check principles·······································································································································412
Configuration procedure ····································································································································412
SAVI configuration in SLAAC-only address assignment scenario···········································································413
Network requirements·········································································································································413
Configuration considerations ·····························································································································413
Packet check principles·······································································································································414
Configuration procedure ····································································································································414
SAVI configuration in DHCPv6+SLAAC address assignment scenario··································································415
Network requirements·········································································································································415
Configuration considerations ·····························································································································415
Packet check principles·······································································································································416
Configuration procedure ····································································································································416
Configuring blacklist··············································································································································· 418
Overview·······································································································································································418
Configuring the blacklist feature·································································································································418
Displaying and maintaining the blacklist ··················································································································418
Blacklist configuration example··································································································································419
Network requirements·········································································································································419
Configuration procedure ····································································································································419
Verifying the configuration·································································································································419
Configuring FIPS······················································································································································ 421
Overview·······································································································································································421
FIPS self-tests ·································································································································································421
Power-up self-test ·················································································································································421
Conditional self-tests············································································································································421
Triggering a self-test ············································································································································421
Configuration procedure·············································································································································422
Enabling the FIPS mode······································································································································422
Triggering a self-test ············································································································································423
Displaying and maintaining FIPS ·······························································································································423
FIPS configuration example·········································································································································423
Network requirements·········································································································································423
Configuration procedure ····································································································································423
Verifying the configuration·································································································································424
Support and other resources ·································································································································· 426
Contacting HP ······························································································································································426
Subscription service ············································································································································426
Related information······················································································································································426
Documents····························································································································································426
Websites·······························································································································································426
Conventions ··································································································································································427
Index ········································································································································································ 429

Configuring AAA
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It can provide the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the switch can be granted read and print permissions to the files on the switch.
• Accounting—Records all user network service usage information, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS), which is
also referred to as the access device. The server maintains user information centrally. In an AAA network,
a NAS is a server for users but a client for the AAA servers. See Figure 1.
Figure 1 Network diagram
When a user tries to log in to the NAS, use network resources, or access other networks, the NAS
authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and
accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and
a remote server exchange user information between them.
In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose
different servers for different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and the RADIUS server for accounting.
You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, configure an
authentication server. If network usage information is needed, you must also configure an accounting
server.
AAA can be implemented through multiple protocols. The switch supports using RADIUS and
HWTACACS. RADIUS is often used in practice.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access and has since been extended to support other
access methods, such as Ethernet and ADSL. RADIUS provides access authentication and authorization
services, and its accounting function collects and records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates
users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server components
• Users—Stores user information, such as usernames, passwords, applied protocols, and IP addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
A RADIUS client and the RADIUS server use the shared key to authenticate RADIUS packets and encrypt
user passwords that are exchanged between them. The keys are never transmitted over the network. This
security mechanism improves the security of RADIUS communication and prevents user passwords from
being intercepted on insecure networks.
A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the
client of another AAA server to provide authentication proxy services.
Basic RADIUS message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user’s username and password to the
RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request
(Access-Request) to the RADIUS server, with the user password encrypted by using the
Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept message containing the user’s authorization information. If
the authentication fails, the server returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it
permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a
stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops
accounting for the user.
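The exchange in steps 2 and 3 above, as an added example that is not from the HP guide: a toy client hides User-Password with MD5 and the shared key, a toy server recovers the password and answers, and the client accepts the verdict only after checking the Identifier and the Response Authenticator on the reply. The shared key, the single user entry, the NAS address and the identifier value are constructed for the example; the hiding and Response Authenticator computations follow RFC 2865, and the function names are the example's own.

```python
"""Toy RADIUS Access-Request / Access-Accept exchange in one process
(constructed example, no UDP socket): password hiding with MD5 and the
shared key, then Response Authenticator verification (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

SHARED_KEY = b"example-shared-key"      # constructed; held by both sides, never sent
USER_DB = {b"alice": b"correct horse"}  # constructed stand-in for the server's Users database


def hide_password(password: bytes, request_auth: bytes, key: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, XOR each chunk with
    MD5(key + previous chunk); the first 'previous chunk' is the Request
    Authenticator. Only this field is hidden; the rest of the packet is clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(key + prev).digest()
        chunk = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += chunk
        prev = chunk                      # chaining uses the hidden chunk
    return out


def unhide_password(hidden: bytes, request_auth: bytes, key: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(key + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ s for c, s in zip(chunk, stream))
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1) Value(<=253) triples; Length covers all three."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += max(alen, 2)                 # never loop forever on a zero Length
    return attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, key):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + key).digest()


def client_access_request(username, password, ident, request_auth) -> bytes:
    """Step 2: the NAS builds an Access-Request carrying the hidden password."""
    body = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, request_auth, SHARED_KEY)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),   # constructed NAS address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(packet: bytes) -> bytes:
    """Step 3: the server checks the credentials and authenticates its reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    hidden = attrs.get(USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and hidden is not None
          and USER_DB.get(attrs.get(USER_NAME)) == unhide_password(hidden, request_auth, SHARED_KEY))
    if ok:
        reply_code, body = ACCESS_ACCEPT, encode_attrs([(REPLY_MESSAGE, b"welcome")])
    else:
        reply_code, body = ACCESS_REJECT, b""
    auth = response_authenticator(reply_code, ident, body, request_auth, SHARED_KEY)
    return struct.pack("!BBH", reply_code, ident, 20 + len(body)) + auth + body


def client_check_reply(reply: bytes, ident: int, request_auth: bytes) -> str:
    """Before step 4: accept the verdict only if the Identifier matches an
    outstanding request and the Response Authenticator shows the reply came
    from a holder of the shared key (constant-time comparison)."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident:
        return "unmatched"
    expected = response_authenticator(code, rid, reply[20:length], request_auth, SHARED_KEY)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def run_exchange(username: bytes, password: bytes) -> str:
    ident, request_auth = 7, os.urandom(16)   # fresh, unpredictable Request Authenticator
    reply = server_handle(client_access_request(username, password, ident, request_auth))
    return client_check_reply(reply, ident, request_auth)


if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse"), run_exchange(b"alice", b"guess"))
```

The client treats a reply whose authenticator does not verify exactly like a reply with the wrong Identifier: it is discarded rather than acted on, which is what makes the shared key the anchor of RADIUS message authentication as the text describes.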
RADIUS packet format
RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS
server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism,
the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet
format.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible
values and their meanings.
Table 1 Main values of the Code field
Code | Packet type | Description
1 | Access-Request | From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2 | Access-Accept | From the server to the client. If all the attribute values carried in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.
3 | Access-Reject | From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the authentication fails and the server sends an Access-Reject response.
4 | Accounting-Request | From the client to the server. A packet of this type carries user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.
5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.
•The Identifier field (1 byte long) is used to match request and response packets and to detect
duplicate request packets. A response packet carries the same identifier as the request it answers.
•The Length field (2 bytes long) indicates the length of the entire packet, including the Code,
Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered
padding and are ignored at the receiver. If the length of a received packet is less than this length,
the packet is dropped. The value of this field is in the range of 20 to 4096.
•The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to
encrypt user passwords. There are two types of authenticators: request authenticator and response
authenticator.
•The Attributes field (variable in length) carries the specific authentication, authorization, and
accounting information that defines the configuration details of the request or response. This field
may contain multiple attributes, each with three sub-fields:
◦ Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS
attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list
of the attributes. For more information about commonly used standard RADIUS attributes, see
"Commonly used standard RADIUS attributes."
◦ Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value
fields.
◦ Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and
Length fields.
Table 2 Commonly used RADIUS attributes
No. Attribute No. Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined
by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard
RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the type-length-value (TLV) format in RADIUS packets
for extension of applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists
of the following parts:
•Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes
contain a code that complies with RFC 1700. For more information about the proprietary RADIUS
sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."
•Vendor-Type—Indicates the type of the sub-attribute.
•Vendor-Length—Indicates the length of the sub-attribute.
•Vendor-Data—Indicates the contents of the sub-attribute.
Figure 5 Segment of a RADIUS packet containing an extended attribute
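A receiver-side parser for the packet layout described under "RADIUS packet format" above and for the Attribute 26 sub-attribute layout in Figure 5, added here as an example that is not part of the HP guide. It applies the rules the text states for the Length field (20 to 4096, drop a datagram shorter than Length, ignore bytes beyond it), walks the Type/Length/Value attributes, and splits a Vendor-Specific value into Vendor-ID plus Vendor-Type/Vendor-Length/Vendor-Data sub-attributes. The sample datagram, the Vendor-ID 0x1234, the sub-attribute contents and the class and function names are constructed for the example.

```python
"""Parser for the RADIUS packet format and Vendor-Specific (26) sub-attributes
(constructed example). Length checks follow the rules stated in the text."""
import struct
from dataclasses import dataclass, field

VENDOR_SPECIFIC = 26
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}


class RadiusParseError(ValueError):
    """Raised for datagrams that must be dropped or that are malformed."""


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes
    attributes: list = field(default_factory=list)   # (type, value) pairs in wire order
    vsas: list = field(default_factory=list)         # (vendor_id, vendor_type, vendor_data)

    @property
    def code_name(self) -> str:
        return CODE_NAMES.get(self.code, "unknown(%d)" % self.code)


def parse_vsa(value: bytes) -> list:
    """Split a Vendor-Specific value into (vendor_id, vendor_type, vendor_data)
    tuples. Vendor-ID is 4 bytes whose most significant byte must be 0."""
    if len(value) < 4:
        raise RadiusParseError("Vendor-Specific value shorter than Vendor-ID")
    if value[0] != 0:
        raise RadiusParseError("Vendor-ID most significant byte is not 0")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, i = [], 4
    while i < len(value):
        if i + 2 > len(value):
            raise RadiusParseError("truncated sub-attribute header")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise RadiusParseError("bad Vendor-Length %d" % vlen)
        subs.append((vendor_id, vtype, value[i + 2:i + vlen]))
        i += vlen
    return subs


def parse_packet(datagram: bytes) -> RadiusPacket:
    """Apply the header rules, then walk the attributes up to Length."""
    if len(datagram) < 20:
        raise RadiusParseError("shorter than the 20-byte fixed header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= 4096:
        raise RadiusParseError("Length %d outside 20..4096" % length)
    if len(datagram) < length:
        raise RadiusParseError("datagram shorter than its Length field; dropped")
    pkt = RadiusPacket(code, ident, datagram[4:20])
    body = datagram[20:length]            # bytes past Length are padding and ignored
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise RadiusParseError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise RadiusParseError("bad attribute Length %d" % alen)
        value = body[i + 2:i + alen]
        pkt.attributes.append((atype, value))
        if atype == VENDOR_SPECIFIC:
            pkt.vsas.extend(parse_vsa(value))
        i += alen
    return pkt


def accepts(datagram: bytes) -> bool:
    """True when the datagram passes every check above, False when it is dropped."""
    try:
        parse_packet(datagram)
        return True
    except RadiusParseError:
        return False


def sample_datagram() -> bytes:
    """Constructed Access-Request: User-Name "alice", NAS-Port 3, and one
    Vendor-Specific attribute (made-up Vendor-ID 0x1234) carrying a single
    sub-attribute (Vendor-Type 1, Vendor-Data "demo"), plus 2 padding bytes."""
    user_name = bytes([1, 7]) + b"alice"
    nas_port = bytes([5, 6]) + struct.pack("!I", 3)
    sub = bytes([1, 6]) + b"demo"                       # Vendor-Type, Vendor-Length, Vendor-Data
    vsa_value = struct.pack("!I", 0x1234) + sub          # Vendor-ID (high byte 0) + sub-attribute
    vsa = bytes([VENDOR_SPECIFIC, 2 + len(vsa_value)]) + vsa_value
    body = user_name + nas_port + vsa
    header = struct.pack("!BBH", 1, 42, 20 + len(body)) + b"\x00" * 16   # zero authenticator for the sample
    return header + body + b"\xff\xff"                   # trailing bytes beyond Length


if __name__ == "__main__":
    p = parse_packet(sample_datagram())
    print(p.code_name, p.identifier, p.attributes, p.vsas)
```

A datagram that fails any header check is rejected before its attributes are touched, so a malformed or truncated packet never reaches attribute handling; the trailing padding in the sample shows that bytes beyond Length are simply not parsed.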
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information
exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up
Network (VPDN) users, and terminal users. In a typical HWTACACS scenario, some terminal users log
in to the NAS for operations. Working as the HWTACACS client, the NAS sends the usernames and
passwords of the users to the HWTACACS server for authentication. After passing authentication and
being authorized, the users log in to the switch and perform operations, and the HWTACACS server
records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They
have many features in common, such as using a client/server model, using shared keys for user
information security, and providing flexibility and extensibility.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS | RADIUS
Uses TCP, providing more reliable network transmission. | Uses UDP, providing higher transport efficiency.
Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet.
Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple and the authorization process is combined with the authentication process.
Supports authorization of configuration commands. Which commands a user can use depends on both the user level and the AAA authorization. A user can use only commands that are at, or lower than, the user level and authorized by the HWTACACS server. | Does not support authorization of configuration commands. Which commands a user can use solely depends on the level of the user. A user can use all the commands at, or lower than, the user level.
Basic HWTACACS message exchange process
The following example describes how HWTACACS performs user authentication, authorization, and
accounting for a Telnet user.