Hp 5920 User manual

HP 5920 & 5900 Switch Series

Security

Configuration Guide

Part number: 5998-2898

Software version: Release2207

Document version: 6W100-20121130

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or use

of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

i

Contents

Configuring AAA ························································································································································· 1

Overview············································································································································································1

RADIUS······································································································································································2

HWTACACS ·····························································································································································7

LDAP ··········································································································································································9

AAA implementation on the device····················································································································· 11

AAA for MPLS L3VPNs ········································································································································· 13

Protocols and standards ······································································································································· 13

RADIUS attributes ·················································································································································· 13

AAA configuration considerations and task list·········································································································· 16

Configuring AAA schemes············································································································································ 17

Configuring local users········································································································································· 18

Configuring RADIUS schemes······························································································································ 21

Configuring HWTACACS schemes····················································································································· 29

Configuring LDAP schemes ·································································································································· 35

Configuring AAA methods for ISP domains················································································································ 38

Configuration prerequisites ·································································································································· 39

Creating an ISP domain ······································································································································· 39

Configuring ISP domain attributes······················································································································· 39

Configuring authentication methods for an ISP domain ··················································································· 40

Configuring authorization methods for an ISP domain····················································································· 41

Configuring accounting methods for an ISP domain························································································· 42

Displaying and maintaining AAA ································································································································ 43

AAA for SSH users by an HWTACACS server··········································································································· 43

Network requirements··········································································································································· 43

Configuration procedure ······································································································································ 44

Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users··································· 45

Network requirements··········································································································································· 45

Configuration procedure ······································································································································ 45

Authentication and authorization for SSH users by a RADIUS server······································································ 46

Network requirements··········································································································································· 46

Configuration procedure ······································································································································ 47

Authentication for SSH users by an LDAP server········································································································ 50

Network requirements··········································································································································· 50

Configuration procedure ······································································································································ 50

Troubleshooting RADIUS ··············································································································································· 54

RADIUS authentication failure······························································································································ 54

RADIUS packet delivery failure···························································································································· 54

RADIUS accounting error ····································································································································· 55

Troubleshooting HWTACACS ······································································································································ 55

Troubleshooting LDAP···················································································································································· 55

802.1X overview ·······················································································································································57

802.1X architecture······················································································································································· 57

Controlled/uncontrolled port and port authorization status······················································································ 57

802.1X-related protocols ·············································································································································· 58

Packet formats························································································································································ 59

EAP over RADIUS ·················································································································································· 60

Initiating 802.1X authentication··································································································································· 60

ii

802.1X client as the initiator································································································································ 60

Access device as the initiator······························································································································· 61

802.1X authentication procedures ······························································································································ 61

A comparison of EAP relay and EAP termination······························································································ 61

EAP relay································································································································································ 62

EAP termination ····················································································································································· 63

Configuring 802.1X ··················································································································································65

HP implementation of 802.1X ······································································································································ 65

Configuration prerequisites··········································································································································· 65

802.1X configuration task list······································································································································· 65

Enabling 802.1X···························································································································································· 66

Enabling EAP relay or EAP termination······················································································································· 66

Setting the port authorization state ······························································································································ 67

Specifying an access control method ·························································································································· 67

Setting the maximum number of concurrent 802.1X users on a port······································································· 67

Setting the maximum number of authentication request attempts ············································································· 68

Setting the 802.1X authentication timeout timers······································································································· 68

Configuring the online user handshake function ········································································································ 69

Configuring the authentication trigger function ·········································································································· 69

Configuration guidelines ······································································································································ 69

Configuration procedure ······································································································································ 70

Specifying a mandatory authentication domain on a port························································································ 70

Configuring the quiet timer ··········································································································································· 70

Enabling the periodic online user re-authentication function····················································································· 71

Displaying and maintaining 802.1X ··························································································································· 71

802.1X authentication configuration example ··········································································································· 71

Network requirements··········································································································································· 71

Configuration procedure ······································································································································ 72

Verifying the configuration··································································································································· 73

Configuring MAC authentication······························································································································74

Overview········································································································································································· 74

User account policies············································································································································ 74

Authentication approaches ·································································································································· 74

Configuration prerequisites··········································································································································· 75

Configuration task list ···················································································································································· 75

Enabling MAC authentication ······································································································································ 75

Specifying a MAC authentication domain·················································································································· 76

Configuring the user account format···························································································································· 76

Configuring MAC authentication timers ······················································································································ 76

Setting the maximum number of concurrent MAC authentication users on a port·················································· 77

Displaying and maintaining MAC authentication ······································································································ 77

Local MAC authentication configuration example ····································································································· 78

Network requirements··········································································································································· 78

Configuration procedure ······································································································································ 78

Verifying the configuration··································································································································· 79

RADIUS-based MAC authentication configuration example ····················································································· 79

Network requirements··········································································································································· 79

Configuration procedure ······································································································································ 80

Verifying the configuration··································································································································· 81

Configuring port security···········································································································································82

Overview········································································································································································· 82

Port security features ············································································································································· 82

Port security modes ··············································································································································· 82

iii

Configuration task list ···················································································································································· 85

Enabling port security ···················································································································································· 85

Setting port security's limit on the number of secure MAC addresses on a port ···················································· 86

Setting the port security mode ······································································································································ 86

Configuring port security features ································································································································ 87

Configuring NTK ··················································································································································· 87

Configuring intrusion protection ·························································································································· 88

Configuring secure MAC addresses ···························································································································· 88

Configuration prerequisites ·································································································································· 89

Configuration procedure ······································································································································ 89

Ignoring authorization information from the server···································································································· 90

Displaying and maintaining port security···················································································································· 90

autoLearn configuration example································································································································· 90

Network requirements··········································································································································· 90

Configuration procedure ······································································································································ 91

Verifying the configuration··································································································································· 91

userLoginWithOUI configuration example·················································································································· 92

Network requirements··········································································································································· 92

Configuration procedure ······································································································································ 93

Verifying the configuration··································································································································· 94

macAddressElseUserLoginSecure configuration example ························································································· 95

Network requirements··········································································································································· 95

Configuration procedure ······································································································································ 96

Verifying the configuration··································································································································· 96

Troubleshooting port security········································································································································ 98

Cannot set the port security mode······················································································································· 98

Cannot configure secure MAC addresses ·········································································································· 99

Configuring password control································································································································ 100

Overview·······································································································································································100

Password setting··················································································································································100

Password updating and expiration ···················································································································101

User login control ················································································································································102

Password not displayed in any form·················································································································102

Logging·································································································································································102

Password control configuration task list·····················································································································103

Enabling password control ·········································································································································103

Setting global password control parameters····································································································104

Setting user group password control parameters ····························································································104

Setting local user password control parameters ······························································································105

Setting super password control parameters ·····································································································106

Displaying and maintaining password control·········································································································106

Password control configuration example ··················································································································106

Managing public keys············································································································································ 109

Overview·······································································································································································109

Creating a local key pair ············································································································································109

Configuration guidelines ····································································································································109

Configuration procedure ····································································································································110

Distributing a local host public key ····························································································································110

Exporting a host public key in a specific format to a file················································································111

Displaying a host public key in a specific format and saving it to a file ······················································111

Displaying a host public key······························································································································111

Destroying a local key pair·········································································································································112

Configuring a peer public key····································································································································112

iv

Importing a peer host public key from a public key file··················································································112

Entering a peer public key ·································································································································113

Displaying and maintaining public keys ···················································································································113

Example for inputting a peer public key ···················································································································113

Example for importing a public key from a public key file ·····················································································115

Configuring PKI ······················································································································································· 118

Overview·······································································································································································118

PKI terminology····················································································································································118

PKI architecture····················································································································································119

PKI operation ·······················································································································································119

PKI applications ···················································································································································120

PKI across VPNs ··················································································································································120

PKI configuration task list ············································································································································120

Configuring a PKI entity ··············································································································································121

Configuring a PKI domain···········································································································································122

Requesting a certificate ···············································································································································124

Configuring automatic certificate request·········································································································125

Manually requesting a certificate ······················································································································125

Aborting a certificate request ·····································································································································126

Obtaining certificates ··················································································································································127

Configuration prerequisites ································································································································127

Configuration guidelines ····································································································································127

Configuration procedure ····································································································································127

Verifying PKI certificates··············································································································································128

Verifying certificates with CRL checking ···········································································································128

Verifying certificates without CRL checking ······································································································129

Specifying the storage path for the certificates and CRLs ·······················································································129

Exporting certificates ···················································································································································129

Removing a certificate ·················································································································································130

Configuring a certificate access control policy·········································································································131

Displaying and maintaining PKI ·································································································································132

PKI configuration examples·········································································································································132

Certificate request from an RSA Keon CA server ····························································································132

Certificate request from a Windows 2003 CA server····················································································135

Certificate request from an OpenCA server·····································································································138

Certificate import and export configuration example ·····················································································141

Troubleshooting PKI configuration······························································································································146

Failed to obtain the CA certificate·····················································································································147

Failed to obtain local certificates·······················································································································147

Failed to request local certificates ·····················································································································148

Failed to obtain CRLs ··········································································································································149

Failed to import the CA certificate·····················································································································149

Failed to import a local certificate·····················································································································150

Failed to export certificates ································································································································150

Failed to set the storage path·····························································································································151

Configuring SSH ····················································································································································· 152

Overview·······································································································································································152

How SSH works···················································································································································152

SSH authentication methods·······························································································································153

Configuring the device as an SSH server··················································································································154

SSH server configuration task list ······················································································································154

Generating local DSA or RSA key pairs···········································································································154

Enabling the SSH server function·······················································································································155

v

Enabling the SFTP server function······················································································································155

Configuring the user interfaces for SSH clients································································································155

Configuring a client's host public key···············································································································156

Configuring an SSH user····································································································································157

Setting the SSH management parameters ········································································································158

Configuring the device as an Stelnet client···············································································································159

Stelnet client configuration task list····················································································································159

Specifying a source IP address or source interface for the Stelnet client ······················································159

Establishing a connection to an Stelnet server ·································································································160

Configuring the device as an SFTP client ··················································································································161

SFTP client configuration task list·······················································································································161

Specifying a source IP address or source interface for the SFTP client ·························································161

Establishing a connection to an SFTP server ····································································································162

Working with SFTP directories···························································································································163

Working with SFTP files······································································································································163

Displaying help information ·······························································································································164

Terminating the connection with the SFTP server ·····························································································164

Configuring the device as an SCP client ···················································································································164

Displaying and maintaining SSH ······················································································································165

Stelnet configuration examples···································································································································166

Password authentication enabled Stelnet server configuration example ······················································166

Publickey authentication enabled Stelnet server configuration example·······················································168

Password authentication enabled Stelnet client configuration example························································174

Publickey authentication enabled Stelnet client configuration example························································177

SFTP configuration examples······································································································································179

Password authentication enabled SFTP server configuration example··························································179

Publickey authentication enabled SFTP client configuration example ···························································181

SCP file transfer with password authentication·········································································································184

Network requirements·········································································································································184

Configuration procedure ····································································································································185

Configuring SSL······················································································································································· 187

Overview·······································································································································································187

SSL security mechanism ······································································································································187

SSL protocol stack ···············································································································································187

SSL configuration task list············································································································································188

Configuring an SSL server policy ·······························································································································188

Configuring an SSL client policy ································································································································189

Displaying and maintaining SSL·································································································································190

Configuring IP source guard ·································································································································· 191

Overview·······································································································································································191

Static IP source guard entries·····························································································································191

Dynamic IPv4 source binding entries················································································································192

IP source guard configuration task list ·······················································································································192

Configuring the IPv4 source guard function··············································································································192

Enabling IPv4 source guard on an interface····································································································192

Configuring a static IPv4 source guard entry on an interface········································································193

Configuring the IPv6 source guard function··············································································································194

Enabling IPv6 source guard on an interface····································································································194

Configuring a static IPv6 source guard entry on an interface········································································194

Displaying and maintaining IP source guard············································································································194

Static IPv4 source guard configuration example ······································································································195

Dynamic IPv4 source guard using DHCP snooping configuration example··························································197

Dynamic IPv4 source guard using DHCP relay configuration example·································································198

vi

Static IPv6 source guard configuration example ······································································································199

Configuring ARP attack protection························································································································· 200

ARP attack protection configuration task list ·············································································································200

Configuring unresolvable IP attack protection ··········································································································200

Configuring ARP source suppression ················································································································201

Enabling ARP black hole routing ·······················································································································201

Displaying and maintaining unresolvable IP attack protection ······································································201

Configuration example ·······································································································································201

Configuring ARP packet rate limit ······························································································································202

Configuration guidelines ····································································································································203

Configuration procedure ····································································································································203

Configuring source MAC based ARP attack detection····························································································203

Configuration procedure ····································································································································203

Displaying and maintaining source MAC address based ARP attack detection··········································204

Configuration example ·······································································································································204

Configuring ARP packet source MAC consistency check························································································206

Configuring ARP active acknowledgement ···············································································································206

Configuring ARP detection··········································································································································206

Configuring user validity check ·························································································································206

Configuring ARP packet validity check·············································································································207

Configuring ARP restricted forwarding ·············································································································208

Displaying and maintaining ARP detection ······································································································208

User validity check and ARP packet validity check configuration example··················································209

Configuring ARP automatic scanning and fixed ARP·······························································································210

Configuration guidelines ····································································································································210

Configuration procedure ····································································································································210

Configuring ARP gateway protection ························································································································211

Configuration guidelines ····································································································································211

Configuration procedure ····································································································································211

Configuration example ·······································································································································211

Configuring ARP filtering·············································································································································212

Configuration guidelines ····································································································································212

Configuration procedure ····································································································································212

Configuration example ·······································································································································213

Configuring uRPF····················································································································································· 214

Overview·······································································································································································214

uRPF check modes ···············································································································································214

uRPF operation·····················································································································································214

Network application ···········································································································································217

Configuring uRPF··························································································································································217

Displaying and maintaining uRPF ······························································································································217

uRPF configuration example········································································································································218

Support and other resources ·································································································································· 219

Contacting HP ······························································································································································219

Subscription service ············································································································································219

Related information······················································································································································219

Documents····························································································································································219

Websites·······························································································································································219

Conventions ··································································································································································220

Index ········································································································································································ 222

1

Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. It specifies the following security functions:

•Authentication—Identifies users and verifies their validity.

•Authorization—Grants different users different rights and controls their access to resources and

services. For example, you can use this function to grant a user who has successfully logged in to the

device read and print permissions to the files on the device, and prevent a guest from reading or

printing the files.

•Accounting—Records network usage details of users, including the service type, start time, and

traffic. This function enables time-based and traffic-based charging and user behavior auditing.

AAA usually uses a client/server model. The client runs on the access device, or the network access

server (NAS), which authenticates user identities and controls user access. The server maintains user

information centrally. See Figure 1.

Figure 1 AAA network diagram

A user who wants to access networks or resources beyond the NAS sends its identity information to the

NAS, which transparently passes the user information to the servers. The servers perform user

authentication, authorization, and accounting and return the result to the NAS. Based on the result, the

NAS determines whether to permit or deny the access request.

AAA has various implementations, including RADIUS, HWTACACS, and LDAP, of which RADIUS is most

often used.

The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different

servers to implement different security functions. For example, you can use the HWTACACS server for

authentication and authorization, and use the RADIUS server for accounting.

You can choose the three security functions provided by AAA as needed. For example, if your company

only wants employees to be authenticated before they access specific resources, you only need to deploy

an authentication server. If network usage information is needed, you must also configure an accounting

server.

Remote user NAS RADIUS server

HWTACACS server

Internet

Network

2

The device performs dynamic password authentication.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that

uses a client/server model. It can protect networks against unauthorized access and is often used in

network environments that require both high security and remote user access.

The RADIUS authorization process is combined with the RADIUS authentication process, and user

authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for

authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods,

RADIUS has been extended to support additional access methods, such as Ethernet and ADSL.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

The RADIUS server runs on the computer or workstation at the network center and maintains information

related to user authentication and network service access. It receives authentication, authorization, and

accounting requests from RADIUS clients, performs user authentication, authorization, or accounting,

and returns user access control information (for example, rejecting or accepting the user access request)

to the clients. In addition, the RADIUS server can act as the client of another RADIUS server to provide

authentication proxy services.

The RADIUS server maintains the following databases: Users, Clients, and Dictionary.

Figure 2 RADIUS server databases

•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP

addresses.

•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•Dictionary—Stores RADIUS protocol attributes and their values.

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys, which

are pre-configured on the client and server. A RADIUS packet has a 16-byte field called Authenticator.

This field carries a signature generated by using the MD5 algorithm, the shared key, and some other

information. The receiver of the packet verifies the signature and accepts the packet only when the

signature is correct. This mechanism ensures the security of information exchanged between the RADIUS

client and server.

The shared keys are also used to encrypt user passwords carried in RADIUS packets.

User authentication mechanisms

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.

3

Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS operates in the following manner:

1. The host sends a connection request that carries the user's username and password to the RADIUS

client.

2. The RADIUS client encrypts the user password by using the MD5 algorithm, the shared key, and

some other information, encapsulates the username and the encrypted password to an

authentication request (Access-Request), and sends the request to the RADIUS server.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, the

server sends back an Access-Accept packet that contains the user's authorization information. If

the authentication fails, the server returns an Access-Reject packet.

4. The RADIUS client permits or denies the user according to the authentication result. If it permits the

user, it sends a start-accounting request (Accounting-Request) packet to the RADIUS server.

5. The RADIUS server returns an acknowledgement (Accounting-Response) packet and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection.

8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS

server.

9. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for

the user.

10. The RADIUS client notifies the user of the termination.

4

RADIUS packet format

RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server

and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission

mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values

and their meanings.

Table 1 Main values of the Code field

Code Packet t

yp

e Descri

p

tion

1 Access-Request

From the client to the server. A packet of this type carries user information for

the server to authenticate the user. It must contain the User-Name attribute

and can optionally contain the attributes of NAS-IP-Address, User-Password,

and NAS-Port.

2 Access-Accept

From the server to the client. If all attribute values carried in the

Access-Request are acceptable, the authentication succeeds, and the server

sends an Access-Accept response.

3 Access-Reject

From the server to the client. If any attribute value carried in the

Access-Request is unacceptable, the authentication fails, and the server sends

an Access-Reject response.

4 Accounting-Request

From the client to the server. A packet of this type carries user information for

the server to start or stop accounting for the user. The Acct-Status-Type

attribute in the packet indicates whether to start or stop accounting.

5 Accounting-Response

From the server to the client. The server sends a packet of this type to notify the

client that it has received the Accounting-Request and has successfully

recorded the accounting information.

•The Identifier field (1 byte long) is used to match response packets with request packets and to detect

duplicate request packets. The request and response packets of the same exchange process for the

same purpose (such as authentication or accounting) have the same identifier.

•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code,

Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered

padding and are ignored at the receiver. If the length of a received packet is less than this length,

the packet is dropped.

5

•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and

to encrypt user passwords. There are two types of authenticators: request authenticator and

response authenticator.

•The Attributes field (variable in length) carries specific authentication, authorization, and

accounting information. This field can contain multiple attributes, each with three sub-fields:

{Type—Type of the attribute.

{Length—Length of the attribute in bytes, including the Type, Length, and Value sub-fields.

{Value—Value of the attribute. Its format and content depend on the Type sub-field.

Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC

2868. For more information, see "Commonly used standard RADIUS attributes."

Table 2 Commonly used RADIUS attributes

No. Attribute No.

Attribute

1 User-Name 45 Acct-Authentic

2 User-Password 46 Acct-Session-Time

3 CHAP-Password 47 Acct-Input-Packets

4 NAS-IP-Address 48 Acct-Output-Packets

5 NAS-Port 49 Acct-Terminate-Cause

6 Service-Type 50 Acct-Multi-Session-Id

7 Framed-Protocol 51 Acct-Link-Count

8 Framed-IP-Address 52 Acct-Input-Gigawords

9 Framed-IP-Netmask 53 Acct-Output-Gigawords

10 Framed-Routing 54 (unassigned)

11 Filter-ID 55 Event-Timestamp

12 Framed-MTU 56-59 (unassigned)

13 Framed-Compression 60 CHAP-Challenge

14 Login-IP-Host 61 NAS-Port-Type

15 Login-Service 62 Port-Limit

16 Login-TCP-Port 63 Login-LAT-Port

17 (unassigned) 64 Tunnel-Type

18 Reply-Message 65 Tunnel-Medium-Type

19 Callback-Number 66 Tunnel-Client-Endpoint

20 Callback-ID 67 Tunnel-Server-Endpoint

21 (unassigned) 68 Acct-Tunnel-Connection

22 Framed-Route 69 Tunnel-Password

23 Framed-IPX-Network 70 ARAP-Password

24 State 71 ARAP-Features

25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security

6

No. Attribute No.

Attribute

27 Session-Timeout 74 ARAP-Security-Data

28 Idle-Timeout 75 Password-Retry

29 Termination-Action 76 Prompt

30 Called-Station-Id 77 Connect-Info

31 Calling-Station-Id 78 Configuration-Token

32 NAS-Identifier 79 EAP-Message

33 Proxy-State 80 Message-Authenticator

34 Login-LAT-Service 81 Tunnel-Private-Group-id

35 Login-LAT-Node 82 Tunnel-Assignment-id

36 Login-LAT-Group 83 Tunnel-Preference

37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response

38 Framed-AppleTalk-Network 85 Acct-Interim-Interval

39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost

40 Acct-Status-Type 87 NAS-Port-Id

41 Acct-Delay-Time 88 Framed-Pool

42 Acct-Input-Octets 89 (unassigned)

43 Acct-Output-Octets 90 Tunnel-Client-Auth-id

44 Acct-Session-Id 91 Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined

in RFC 2865, allows a vendor to define extended attributes to implement functions that the standard

RADIUS protocol does not provide.

A vendor can encapsulate multiple sub-attributes in the TLV format in attribute 26 to provide extended

functions. As shown in Figure 5, a sub-attribute encapsulated in attribute 26 consists of the following

parts:

•Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code

compliant to RFC 1700.

•Vendor-Type—Type of the sub-attribute.

•Vendor-Length—Length of the sub-attribute.

•Vendor-Data—Contents of the sub-attribute.

For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS

sub-attributes."

7

Figure 5 Format of attribute 26

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol

based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information

exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical

HWTACACS scenario, some terminal users need to log in to the NAS for operations. Working as the

HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS sever for

authentication. After passing authentication and getting authorized rights, a user logs in to the device

and performs operations. The HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model, using

shared keys for data encryption, and providing flexibility and scalability. Table 3 lists their primary

differences.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, providing more reliable network

transmission. Uses UDP, providing higher transport efficiency.

Encrypts the entire packet except for the HWTACACS

header.

Encrypts only the user password field in an

authentication packet.

Protocol packets are complicated and authorization is

independent of authentication. Authentication and

authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple and the authorization

process is combined with the authentication process.

Supports authorization of configuration commands.

Commands a user can use depend on both the user's

roles and authorization. A user can use only

commands that are permitted by the user roles and

authorized by the HWTACACS server.

Does not support authorization of configuration

commands. Commands a user can use solely depend

on the user's roles. For more information about user

roles, see the chapter on RBAC in Fundamentals

Configuration Guide.

Basic HWTACACS packet exchange process

Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a

Telnet user.

8

Figure 6 Basic HWTACACS packet exchange process for a Telnet user

HWTACACS operates in the following manner:

1. A Telnet user sends an access request to the HWTACACS client.

2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the

HWTACACS server.

3. The HWTACACS server sends back an authentication response to request the username.

4. Upon receiving the response, the HWTACACS client asks the user for the username.

5. The user enters the username.

6. After receiving the username from the user, the HWTACACS client sends the server a

continue-authentication packet that carries the username.

7. The HWTACACS server sends back an authentication response, requesting the login password.

8. Upon receipt of the response, the HWTACACS client asks the user for the login password.

Host HWTACACS client HWTACACS server

1) The user tries to log in

2) Start-authentication packet

3) Authentication response requesting the username

4) Request for username

5) The user enters the username

6) Continue-authentication packet with the username

7) Authentication response requesting the password

8) Request for password

9) The user enters the password

11) Response indicating successful authentication

12) User authorization request packet

13) Response indicating successful authorization

14) The user logs in successfully

15) Start-accounting request

16) Response indicating the start of accounting

17) The user logs off

18) Stop-accounting request

19) Stop-accounting response

10) Continue-authentication packet with the password

9

9. The user enters the password.

10. After receiving the login password, the HWTACACS client sends the HWTACACS server a

continue-authentication packet that carries the login password.

11. If the authentication succeeds, the HWTACACS server sends back an authentication response to

indicate that the user has passed authentication.

12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.

13. If the authorization succeeds, the HWTACACS server sends back an authorization response,

indicating that the user is now authorized.

14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and

permits the user to log in.

15. The HWTACACS client sends a start-accounting request to the HWTACACS server.

16. The HWTACACS server sends back an accounting response, indicating that it has received the

start-accounting request.

17. The user logs off.

18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19. The HWTACACS server sends back a stop-accounting response, indicating that the

stop-accounting request has been received.

LDAP

The Lightweight Directory Access Protocol (LDAP) provides standard multi-platform directory service. It is

developed on the basis of the X.500 protocol, and improves the read/write interactive access, browse,

and search functions of X.500. It is suitable for storing data that does not often change.

LDAP is typically used to store user information. For example, LDAP server software Active Directory

Server is used in Microsoft Windows operating systems to store the user information and user group

information for user login authentication and authorization.

LDAP directory service

LDAP uses directories to maintain the organization information, personnel information, and resource

information. The directories are organized in a tree structure and comprise entries. An entry is a set of

attributes with distinguished names (DNs). The attributes are used to store information such as usernames,

passwords, emails, computer names, and phone numbers.

LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly

used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun

ONE Directory Server.

LDAP authentication and authorization

AAA can use LDAP to provide user authentication and authorization services. LDAP defines a set of

operations to implement its functions. The main operations for authentication and authorization are the

bind operation and search operation:

•The bind operation allows an LDAP client to establish a connection with the LDAP server, obtain the

access rights to the LDAP server, and check the validity of user information.

•The search operation constructs search conditions and obtains the directory resource information of

the LDAP server.

The basic LDAP authentication process is as follows:

10

1. An LDAP client uses the LDAP server administrator DN to bind with the LDAP server, establishes a

connection to the server, and obtains the search rights.

2. The LDAP client uses the username in the authentication information of a user to construct search

conditions, searches for the user in the specified root directory of the server, and obtains a user DN

list.

3. The LDAP client uses each user DN in the obtained user DN list and the user's password to bind

with the LDAP server. If a binding succeeds, the user is a legal user.

The LDAP authorization process is similar to the LDAP authentication process. The difference is that the

client gets the authorization information as well as the user DN list at step 2. If the authorization

information satisfies the authorization need, the authorization process ends. Otherwise, the client uses

the LDAP server administrator DN to bind with the LDAP server again, constructs search conditions by

using the user DN list, and searches for other required authorization information.

Basic LDAP packet exchange process

The following example illustrates how the basic packet exchange process goes on during LDAP

authentication and authorization for a Telnet user.

Figure 7 Basic packet exchange process for LDAP authentication of a Telnet user

The basic packet exchange process is as follows:

1. A Telnet user initiates a connection request and sends the username and password to the LDAP

client.

2. Upon receiving the request, the LDAP client establishes a TCP connection with the LDAP server.

3. The LDAP client uses the administrator DN and password to send an administrator bind request to

the LDAP server to obtain the search right.

4. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an

acknowledgement to the LDAP client.

5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP

server.

3) Administrator bind request

4) Bind response

5) User DN search request

6) Search response

7) User DN bind request

8) Bind response

Host LDAP client LDAP server

9) Authorization

10) The user logs in successfully

1) The user logs in by Telnet

2) Establish a TCP connection

11

6. After receiving the request, the LDAP server searches for the user DN by the base DN, search

scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the

LDAP client of the successful search. There might be one or more user DNs found.

7. The LDAP client uses the obtained user DN and the entered user password as parameters to send

a user DN bind request to the LDAP server, which checks whether the user password is correct.

8. The LDAP server processes the request, and sends a response to notify the LDAP client of the bind

operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the

parameter to send a user DN bind request to the LDAP server. This process goes on until a DN is

bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client

notifies the user of the login failure and denies the user's access request.

9. The LDAP client and server perform authorization exchanges. If another scheme, for example, an

HWTACACS scheme, is expected for authorization, the LDAP client exchanges authorization

packets with the HWTACACS authorization server instead.

10. After successful authorization, the LDAP client notifies the user of the successful login.

AAA implementation on the device

This section describes AAA user management and methods.

User management based on ISP domains and user access types

AAA manages users based on their ISP domains and access types.

On a NAS, each user belongs to one ISP domain. Normally, a NAS determines the ISP domain a user

belongs to by the username entered by the user at login.

Figure 8 Determining the ISP domain for a user by the username

Digital

switching

equipment

F0

Transmit

Receive

Digital

switching

equipment

F0

Receive

Transmit

Reference clock rate

F0 Reference clock rate

F0

AAA manages users in the same ISP domain based on their access types. The device supports the

following user access types:

•LAN—LAN users must pass 802.1X or MAC address authentication to get online.

•Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal

users can access through a console port.

AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for different

types of users in an ISP domain. The NAS determines the ISP domain and access type of a user, and uses

the methods configured for the access type in the domain to control the user's access.

12

AAA also supports configuring a set of default methods for an ISP domain. These default methods are

used for users for whom no specific AAA methods are configured.

The device supports the following authentication methods:

•No authentication—All users are trusted and no authentication is performed. Generally, do not use

this method.

•Local authentication—The NAS authenticates users by itself, based on the locally configured user

information including the usernames, passwords, and attributes. Local authentication allows high

speed and low cost, but the amount of information that can be stored is limited by the size of the

storage space.

•Remote authentication—The NAS cooperates with a RADIUS, HWTACACS, or LDAP server to

authenticate users. Remote authentication provides centralized information management, high

capacity, high reliability, and support for centralized authentication service for multiple NASs. You

can configure backup methods to be used when the remote server is not available.

The device supports the following authorization methods:

•No authorization—The NAS performs no authorization exchange. After passing authentication,

non-login users can access the network, FTP users can access the root directory of the NAS, and

other login users obtain only the default user role.

•Local authorization—The NAS performs authorization according to the user attributes locally

configured for users.

•Remote authorization—The NAS cooperates with a RADIUS, HWTACACS, or LDAP server to

authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization

can work only after RADIUS authentication is successful, and the authorization information is

carried in the Access-Accept packet. HWTACACS authorization is separate from HWTACACS

authentication, and the authorization information is carried in the authorization response after

successful authentication. You can configure backup methods to be used when the remote server is

not available.

The device supports the following accounting methods:

•No accounting—The NAS does not perform accounting for the users.

•Local accounting—Local accounting is implemented on the NAS. It counts and controls the number

of concurrent users who use the same local user account, but does not provide statistics for

charging.

•Remote accounting—The NAS works with a RADIUS server or HWTACACS server for accounting.

You can configure backup methods to be used when the remote server is not available.

In addition, the device provides the following services for login users to enhance device security:

•Command authorization—Enables the NAS to defer to the authorization server to determine

whether a command entered by a login user is permitted, and allows login users to execute only

authorized commands. For more information about command authorization, see Fundamentals

Configuration Guide.

•Command accounting—When command authorization is disabled, command accounting enables

the accounting server to record all valid commands executed on the device. When command

authorization is enabled, command accounting enables the accounting server to record all

authorized commands. For more information about command accounting, see Fundamentals

Configuration Guide.

•User role switching authentication—Authenticates each user who wants to switch to another user

role without logging out or getting disconnected. For more information about user role switching,

see Fundamentals Configuration Guide.

HP 5920 User manual

Popular Switch manuals by other brands