HP 5920 User manual
HP 5920 & 5900 Switch Series
Security
Configuration Guide
Part number: 5998-5310a
Software version: Release 23xx
Document version: 6W101-20150320
Legal and notice information
© Copyright 2015 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
i
Contents
Configuring AAA ························································································································································· 1
Overview············································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································7
LDAP ··········································································································································································9
AAA implementation on the device····················································································································· 11
AAA for MPLS L3VPNs ········································································································································· 13
Protocols and standards ······································································································································· 14
RADIUS attributes ·················································································································································· 14
FIPS compliance ····························································································································································· 17
AAA configuration considerations and task list·········································································································· 17
Configuring AAA schemes············································································································································ 18
Configuring local users········································································································································· 18
Configuring RADIUS schemes······························································································································ 22
Configuring HWTACACS schemes····················································································································· 32
Configuring LDAP schemes ·································································································································· 39
Configuring AAA methods for ISP domains················································································································ 42
Configuration prerequisites ·································································································································· 42
Creating an ISP domain ······································································································································· 42
Configuring ISP domain attributes······················································································································· 43
Configuring authentication methods for an ISP domain ··················································································· 43
Configuring authorization methods for an ISP domain····················································································· 44
Configuring accounting methods for an ISP domain························································································· 45
Enabling the session-control feature ····························································································································· 46
Setting the maximum number of concurrent login users ···························································································· 47
Displaying and maintaining AAA ································································································································ 47
AAA configuration examples········································································································································ 47
AAA for SSH users by an HWTACACS server·································································································· 47
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users·························· 49
Authentication and authorization for SSH users by a RADIUS server ····························································· 51
Authentication for SSH users by an LDAP server ······························································································· 54
Troubleshooting RADIUS ··············································································································································· 59
RADIUS authentication failure······························································································································ 59
RADIUS packet delivery failure···························································································································· 59
RADIUS accounting error ····································································································································· 60
Troubleshooting HWTACACS ······································································································································ 60
Troubleshooting LDAP···················································································································································· 60
802.1X overview ·······················································································································································62
802.1X architecture······················································································································································· 62
Controlled/uncontrolled port and port authorization status······················································································ 62
802.1X-related protocols ·············································································································································· 63
Packet formats························································································································································ 63
EAP over RADIUS ·················································································································································· 64
802.1X authentication initiation··································································································································· 65
802.1X client as the initiator································································································································ 65
Access device as the initiator······························································································································· 65
802.1X authentication procedures ······························································································································ 66
Comparing EAP relay and EAP termination······································································································· 66
ii
EAP relay································································································································································ 67
EAP termination ····················································································································································· 68
Configuring 802.1X ··················································································································································70
HP implementation of 802.1X ······································································································································ 70
Configuration prerequisites··········································································································································· 70
802.1X configuration task list······································································································································· 70
Enabling 802.1X···························································································································································· 71
Enabling EAP relay or EAP termination ······················································································································· 71
Setting the port authorization state ······························································································································ 72
Specifying an access control method ·························································································································· 72
Setting the maximum number of concurrent 802.1X users on a port······································································· 72
Setting the maximum number of authentication request attempts ············································································· 73
Setting the 802.1X authentication timeout timers······································································································· 73
Configuring the online user handshake feature·········································································································· 74
Configuring the authentication trigger feature············································································································ 74
Configuration guidelines ······································································································································ 74
Configuration procedure ······································································································································ 74
Specifying a mandatory authentication domain on a port························································································ 75
Configuring the quiet timer ··········································································································································· 75
Enabling the periodic online user reauthentication feature······················································································· 76
Displaying and maintaining 802.1X ··························································································································· 76
802.1X authentication configuration example ··········································································································· 76
Network requirements··········································································································································· 76
Configuration procedure ······································································································································ 77
Verifying the configuration··································································································································· 78
Configuring MAC authentication······························································································································79
Overview········································································································································································· 79
User account policies············································································································································ 79
Authentication methods········································································································································· 79
Configuration prerequisites··········································································································································· 80
Configuration task list ···················································································································································· 80
Enabling MAC authentication ······································································································································ 80
Specifying a MAC authentication domain·················································································································· 81
Configuring the user account format···························································································································· 81
Configuring MAC authentication timers ······················································································································ 82
Setting the maximum number of concurrent MAC authentication users on a port·················································· 82
Configuring MAC authentication delay······················································································································· 83
Displaying and maintaining MAC authentication ······································································································ 83
MAC authentication configuration examples·············································································································· 84
Local MAC authentication configuration example····························································································· 84
RADIUS-based MAC authentication configuration example············································································· 85
Configuring portal authentication·····························································································································88
Overview········································································································································································· 88
Extended portal functions ····································································································································· 88
Portal system components····································································································································· 89
Interaction between portal system components·································································································· 90
Portal authentication modes ································································································································· 90
Portal authentication process ······························································································································· 91
Portal configuration task list ·········································································································································· 93
Configuration prerequisites··········································································································································· 94
Configuring a portal authentication server·················································································································· 94
Configuring a portal Web server································································································································· 95
Enabling portal authentication on an interface··········································································································· 95
iii
Configuration restrictions and guidelines ··········································································································· 96
Configuration procedure ······································································································································ 96
Referencing a portal Web server for an interface······································································································ 96
Controlling portal user access ······································································································································ 97
Configuring a portal-free rule······························································································································· 97
Configuring an authentication source subnet····································································································· 98
Configuring an authentication destination subnet ····························································································· 99
Setting the maximum number of portal users ···································································································100
Specifying a portal authentication domain ······································································································100
Configuring portal detection functions·······················································································································101
Configuring online detection of portal users ····································································································101
Configuring portal authentication server detection··························································································102
Configuring portal Web server detection·········································································································103
Configuring portal user synchronization···········································································································103
Configuring the portal fail-permit function·················································································································104
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server··································105
Enabling portal roaming ·············································································································································106
Logging out portal users··············································································································································106
Displaying and maintaining portal ····························································································································106
Portal configuration examples ····································································································································107
Configuring direct portal authentication···········································································································107
Configuring re-DHCP portal authentication······································································································115
Configuring cross-subnet portal authentication ································································································119
Configuring extended direct portal authentication··························································································122
Configuring extended re-DHCP portal authentication·····················································································125
Configuring extended cross-subnet portal authentication ···············································································128
Configuring portal server detection and portal user synchronization ···························································132
Configuring cross-subnet portal authentication for MPLS L3VPNs ·································································140
Troubleshooting portal·················································································································································142
No portal authentication page is pushed for users ·························································································142
Cannot log out portal users on the access device ···························································································142
Cannot log out portal users on the RADIUS server··························································································143
Users logged out by the access device still exist on the portal authentication server··································143
Re-DHCP portal authenticated users cannot log in successfully······································································144
Configuring port security········································································································································ 145
Overview·······································································································································································145
Port security features ···········································································································································145
Port security modes ·············································································································································145
Configuration task list ··················································································································································148
Enabling port security ··················································································································································149
Setting port security's limit on the number of secure MAC addresses on a port ··················································149
Setting the port security mode ····································································································································150
Configuring port security features ······························································································································151
Configuring NTK ·················································································································································151
Configuring intrusion protection ························································································································151
Configuring secure MAC addresses ··························································································································152
Configuration prerequisites ································································································································153
Configuration procedure ····································································································································153
Ignoring authorization information from the server··································································································153
Enabling MAC move ···················································································································································154
Displaying and maintaining port security··················································································································154
Port security configuration examples ·························································································································155
autoLearn configuration example ······················································································································155
userLoginWithOUI configuration example ·······································································································156
iv
macAddressElseUserLoginSecure configuration example···············································································159
Troubleshooting port security······································································································································162
Cannot set the port security mode·····················································································································162
Cannot configure secure MAC addresses ········································································································163
Configuring password control································································································································ 164
Overview·······································································································································································164
Password setting··················································································································································164
Password updating and expiration ···················································································································165
User login control ················································································································································166
Password not displayed in any form·················································································································166
Logging·································································································································································167
FIPS compliance ···························································································································································167
Password control configuration task list·····················································································································167
Enabling password control ·········································································································································167
Setting global password control parameters ············································································································168
Setting user group password control parameters·····································································································169
Setting local user password control parameters·······································································································170
Setting super password control parameters ··············································································································171
Displaying and maintaining password control ·········································································································171
Password control configuration example ··················································································································172
Network requirements·········································································································································172
Configuration procedure ····································································································································172
Verifying the configuration·································································································································173
Managing public keys············································································································································ 175
Overview·······································································································································································175
FIPS compliance ···························································································································································175
Creating a local key pair ············································································································································176
Configuration guidelines ····································································································································176
Configuration procedure ····································································································································177
Distributing a local host public key ····························································································································177
Exporting a host public key to a file··················································································································177
Exporting a host public key and saving it to a file ··························································································178
Displaying a host public key······························································································································178
Destroying a local key pair·········································································································································179
Configuring a peer host public key····························································································································179
Importing a peer host public key from a public key file··················································································180
Entering a peer host public key ·························································································································180
Displaying and maintaining public keys ···················································································································180
Examples of public key management ························································································································180
Example for entering a peer host public key····································································································180
Example for importing a public key from a public key file·············································································182
Configuring PKI ······················································································································································· 185
Overview·······································································································································································185
PKI terminology····················································································································································185
PKI architecture····················································································································································186
PKI operation ·······················································································································································186
PKI applications ···················································································································································187
Support for MPLS L3VPN····································································································································187
FIPS compliance ···························································································································································188
PKI configuration task list ············································································································································188
Configuring a PKI entity ··············································································································································188
Configuring a PKI domain···········································································································································189
Requesting a certificate ···············································································································································192
v
Configuration guidelines ····································································································································192
Configuring automatic certificate request·········································································································192
Manually requesting a certificate ······················································································································193
Aborting a certificate request ·····································································································································194
Obtaining certificates ··················································································································································194
Configuration prerequisites ································································································································194
Configuration guidelines ····································································································································194
Configuration procedure ····································································································································195
Verifying PKI certificates··············································································································································195
Verifying certificates with CRL checking ···········································································································195
Verifying certificates without CRL checking ······································································································196
Specifying the storage path for the certificates and CRLs ·······················································································196
Exporting certificates ···················································································································································197
Removing a certificate ·················································································································································197
Configuring a certificate access control policy·········································································································198
Displaying and maintaining PKI ·································································································································199
PKI configuration examples·········································································································································199
Requesting a certificate from an RSA Keon CA server····················································································200
Requesting a certificate from a Windows Server 2003 CA server ·······························································202
Requesting a certificate from an OpenCA server ····························································································206
Certificate import and export configuration example ·····················································································209
Troubleshooting PKI configuration······························································································································214
Failed to obtain the CA certificate·····················································································································214
Failed to obtain local certificates·······················································································································215
Failed to request local certificates ·····················································································································216
Failed to obtain CRLs ··········································································································································216
Failed to import the CA certificate·····················································································································217
Failed to import a local certificate·····················································································································217
Failed to export certificates ································································································································218
Failed to set the storage path·····························································································································218
Configuring IPsec ···················································································································································· 220
Overview·······································································································································································220
Security protocols and encapsulation modes···································································································221
Security association·············································································································································222
Authentication and encryption···························································································································223
IPsec implementation···········································································································································223
Protocols and standards ·····································································································································224
IPsec tunnel establishment ···········································································································································224
Implementing ACL-based IPsec ···································································································································225
Feature restrictions and guidelines ····················································································································225
ACL-based IPsec configuration task list ·············································································································225
Configuring an ACL ············································································································································226
Configuring an IPsec transform set····················································································································227
Configuring a manual IPsec policy····················································································································228
Configuring an IKE-based IPsec policy ·············································································································230
Applying an IPsec policy to an interface ··········································································································234
Enabling ACL checking for de-encapsulated packets······················································································234
Configuring the IPsec anti-replay function ········································································································235
Binding a source interface to an IPsec policy ··································································································236
Enabling QoS pre-classify ··································································································································236
Enabling logging of IPsec packets·····················································································································237
Configuring the DF bit of IPsec packets ············································································································237
Configuring IPsec for IPv6 routing protocols·············································································································238
Configuration task list ·········································································································································238
vi
Configuring a manual IPsec profile···················································································································238
Configuring SNMP notifications for IPsec ·················································································································240
Displaying and maintaining IPsec ······························································································································240
IPsec configuration examples······································································································································241
Configuring a manual mode IPsec tunnel for IPv4 packets ············································································241
Configuring an IKE-based IPsec tunnel for IPv4 packets ·················································································243
Configuring IPsec for RIPng································································································································246
Configuring IKE······················································································································································· 250
Overview·······································································································································································250
IKE negotiation process ······································································································································250
IKE security mechanism·······································································································································251
Protocols and standards ·····································································································································252
FIPS compliance ···························································································································································252
IKE configuration prerequisites ···································································································································252
IKE configuration task list ············································································································································252
Configuring an IKE profile ··········································································································································253
Configuring an IKE proposal ······································································································································255
Configuring an IKE keychain······································································································································256
Configuring the global identity information ··············································································································257
Configuring the IKE keepalive function······················································································································258
Configuring the IKE NAT keepalive function ············································································································259
Configuring IKE DPD····················································································································································259
Enabling invalid SPI recovery ·····································································································································260
Setting the maximum number of IKE SAs···················································································································260
Configuring SNMP notifications for IKE ····················································································································261
Displaying and maintaining IKE·································································································································261
IKE configuration examples ········································································································································262
Main mode IKE with pre-shared key authentication configuration example ················································262
Verifying the configuration·································································································································264
Troubleshooting IKE ·····················································································································································264
IKE negotiation failed because no matching IKE proposals were found·······················································264
IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly·····················265
IPsec SA negotiation failed because no matching IPsec transform sets were found····································266
IPsec SA negotiation failed due to invalid identity information······································································266
Configuring SSH ····················································································································································· 269
Overview·······································································································································································269
How SSH works···················································································································································269
SSH authentication methods·······························································································································270
FIPS compliance ···························································································································································271
Configuring the device as an SSH server··················································································································272
SSH server configuration task list ······················································································································272
Generating local key pairs·································································································································272
Enabling the SSH server function·······················································································································273
Enabling the SFTP server function······················································································································274
Configuring NETCONF over SSH ·····················································································································274
Configuring the user lines for SSH login···········································································································274
Configuring a client's host public key···············································································································275
Configuring an SSH user····································································································································276
Setting the SSH management parameters ········································································································277
Configuring the device as an Stelnet client···············································································································278
Stelnet client configuration task list····················································································································278
Specifying the source IP address for SSH packets···························································································279
Establishing a connection to an Stelnet server ·································································································279
vii
Configuring the device as an SFTP client ··················································································································281
SFTP client configuration task list·······················································································································281
Specifying the source IP address for SFTP packets··························································································281
Establishing a connection to an SFTP server ····································································································281
Working with SFTP directories···························································································································283
Working with SFTP files······································································································································283
Displaying help information ·······························································································································283
Terminating the connection with the SFTP server ·····························································································284
Configuring the device as an SCP client ···················································································································284
Displaying and maintaining SSH ·······························································································································286
Stelnet configuration examples···································································································································286
Password authentication enabled Stelnet server configuration example ······················································286
Publickey authentication enabled Stelnet server configuration example·······················································289
Password authentication enabled Stelnet client configuration example························································294
Publickey authentication enabled Stelnet client configuration example························································297
SFTP configuration examples ······································································································································299
Password authentication enabled SFTP server configuration example··························································299
Publickey authentication enabled SFTP client configuration example ···························································301
SCP configuration examples·······································································································································304
SCP file transfer with password authentication································································································305
NETCONF over SSH configuration example with password authentication ························································306
Network requirements·········································································································································306
Configuration procedure ····································································································································307
Verifying the configuration·································································································································308
Configuring SSL······················································································································································· 309
Overview·······································································································································································309
SSL security services············································································································································309
SSL protocol stack ···············································································································································309
FIPS compliance ···························································································································································310
SSL configuration task list············································································································································310
Configuring an SSL server policy ·······························································································································310
Configuring an SSL client policy ································································································································312
Displaying and maintaining SSL·································································································································313
Configuring IP source guard ·································································································································· 314
Overview·······································································································································································314
Static IP source guard binding entries···············································································································315
Dynamic IP source guard binding entries·········································································································315
IP source guard configuration task list ·······················································································································316
Configuring the IPv4 source guard function··············································································································316
Enabling IPv4 source guard on an interface····································································································316
Configuring a static IPv4 source guard binding entry·····················································································317
Configuring the IPv6 source guard function··············································································································318
Enabling IPv6 source guard on an interface····································································································318
Configuring a static IPv6 source guard binding entry·····················································································319
Displaying and maintaining IP source guard············································································································319
IP source guard configuration examples ···················································································································320
Static IPv4 source guard configuration example ·····························································································320
Dynamic IPv4 source guard using DHCP snooping configuration example·················································322
Dynamic IPv4 source guard using DHCP relay configuration example ························································323
Static IPv6 source guard configuration example ·····························································································324
Dynamic IPv6 source guard using DHCPv6 snooping configuration example·············································324
Configuring ARP attack protection························································································································· 326
ARP attack protection configuration task list ·············································································································326
viii
Configuring unresolvable IP attack protection ··········································································································326
Configuring ARP source suppression ················································································································327
Configuring ARP blackhole routing ···················································································································327
Displaying and maintaining unresolvable IP attack protection ······································································328
Configuration example ·······································································································································328
Configuring ARP packet rate limit ······························································································································329
Configuration guidelines ····································································································································329
Configuration procedure ····································································································································329
Configuring source MAC-based ARP attack detection ····························································································330
Configuration procedure ····································································································································330
Displaying and maintaining source MAC-based ARP attack detection·························································331
Configuration example ·······································································································································331
Configuring ARP packet source MAC consistency check························································································332
Configuring ARP active acknowledgement ···············································································································332
Configuring authorized ARP ·······································································································································333
Configuration procedure ····································································································································333
Configuration example (on a DHCP server)·····································································································333
Configuration example (on a DHCP relay agent)····························································································334
Configuring ARP detection··········································································································································336
Configuring user validity check ·························································································································336
Configuring ARP packet validity check·············································································································337
Configuring ARP restricted forwarding ·············································································································338
Displaying and maintaining ARP detection ······································································································338
User validity check and ARP packet validity check configuration example··················································339
Configuring ARP scanning and fixed ARP ················································································································340
Configuration restrictions and guidelines ·········································································································340
Configuration procedure ····································································································································341
Configuring ARP gateway protection ························································································································341
Configuration guidelines ····································································································································341
Configuration procedure ····································································································································341
Configuration example ·······································································································································342
Configuring ARP filtering·············································································································································342
Configuration guidelines ····································································································································343
Configuration procedure ····································································································································343
Configuration example ·······································································································································343
Configuring MFF ····················································································································································· 345
Overview·······································································································································································345
Basic concepts ·····················································································································································346
MFF operation modes·········································································································································347
MFF working mechanism····································································································································347
Protocols and standards ·····································································································································347
Configuring MFF ··························································································································································347
Enabling MFF·······················································································································································347
Configuring a network port································································································································348
Enabling periodic gateway probe ····················································································································348
Specifying the IP addresses of servers ··············································································································348
Displaying and maintaining MFF ·······························································································································349
MFF configuration examples·······································································································································349
Manual-mode MFF configuration example in a tree network·········································································349
Manual-mode MFF configuration example in a ring network ········································································351
Configuring uRPF····················································································································································· 353
Overview·······································································································································································353
uRPF check modes ···············································································································································353
ix
uRPF operation·····················································································································································353
Network application ···········································································································································356
Configuring uRPF··························································································································································356
Displaying and maintaining uRPF ······························································································································357
uRPF configuration example········································································································································357
Configuring crypto engines···································································································································· 358
Overview·······································································································································································358
Displaying and maintaining crypto engines ·············································································································358
Configuring FIPS······················································································································································ 359
Overview·······································································································································································359
Configuration restrictions and guidelines··················································································································359
Configuring FIPS mode················································································································································360
Entering FIPS mode ·············································································································································360
Configuration changes in FIPS mode ················································································································361
Exiting FIPS mode················································································································································362
FIPS self-tests ·································································································································································363
Power-up self-tests················································································································································363
Conditional self-tests············································································································································364
Triggering self-tests ··············································································································································365
Displaying and maintaining FIPS ·······························································································································365
FIPS configuration examples·······································································································································365
Entering FIPS mode through automatic reboot·································································································365
Entering FIPS mode through manual reboot·····································································································366
Exiting FIPS mode through automatic reboot ···································································································368
Exiting FIPS mode through manual reboot ·······································································································368
Configuring attack detection and prevention········································································································ 370
Overview·······································································································································································370
Configuring TCP fragment attack prevention············································································································370
Index ········································································································································································ 371
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. AAA specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights and controls their access to resources and
services. For example, you can use this function to grant a user who has successfully logged in to the
device read and print permissions to the files on the device, and prevent a guest from reading or
printing the files.
•Accounting—Records network usage details of users, including the service type, start time, and
traffic. This function enables time-based and traffic-based charging and user behavior auditing.
Typically, AAA uses a client/server model. The client runs on the access device, or the network access
server (NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
A user who wants to access networks or resources beyond the NAS sends its identity information to the
NAS, which transparently passes the user information to the servers. The servers perform user
authentication, authorization, and accounting and return the result to the NAS. Based on the result, the
NAS determines whether to permit or deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often
used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company wants
employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an accounting
server.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments that require both high security and remote user access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for
authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support additional
access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It receives authentication, authorization, and
accounting requests from RADIUS clients, performs user authentication, authorization, or accounting,
and returns user access control information (for example, rejecting or accepting the user access request)
to the clients. In addition, the RADIUS server can act as the client of another RADIUS server to provide
authentication proxy services.
The RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server databases
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys, which
are pre-configured on the client and server. A RADIUS packet has a 16-byte field called Authenticator.
This field includes a signature generated by using the MD5 algorithm, the shared key, and some other
information. The receiver of the packet verifies the signature and accepts the packet only when the
signature is correct. This mechanism ensures the security of information exchanged between the RADIUS
client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The
request includes the user's password, which has been processed by the MD5 algorithm and
shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept packet that contains the user's authorization information. If
the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) packet to
the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS
server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting for
the user.
10. The RADIUS client notifies the user of the termination.
4
RADIUS packet format
RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server
and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission
mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values
and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and the
server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the server
sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or stop
accounting.
5 Accounting-Respons
e
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to detect
duplicate request packets. The request and response packets of the same exchange process for the
same purpose (such as authentication or accounting) have the same identifier.
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code,
Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered
padding and are ignored by the receiver. If the length of a received packet is less than this length,
the packet is dropped.
5
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and
to encrypt user passwords. There are two types of authenticators: request authenticator and
response authenticator.
•The Attributes field (variable in length) includes specific authentication, authorization, and
accounting information. This field can contain multiple attributes, each with three sub-fields:
{Type—Type of the attribute.
{Length—Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
{Value—Value of the attribute. Its format and content depend on the Type sub-field.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. Attribute No.
Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
6
No. Attribute No.
Attribute
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined
in RFC 2865, allows a vendor to define extended attributes to implement functions that the standard
RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a sub-attribute encapsulated in attribute 26 consists of the following
parts:
•Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code
compliant to RFC 1700.
•Vendor-Type—Type of the sub-attribute.
•Vendor-Length—Length of the sub-attribute.
•Vendor-Data—Contents of the sub-attribute.
For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS
sub-attributes."
7
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for
information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the
NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing
authentication and obtaining authorized rights, a user logs in to the device and performs operations. The
HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model, using
shared keys for data encryption, and providing flexibility and scalability. Table 3 lists their primary
differences.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, which provides reliable network
transmission. Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the HWTACACS
header.
Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization is
independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication process.
Supports authorization of configuration commands.
Access to commands depends on both the user's roles
and authorization. A user can use only commands that
are permitted by the user roles and authorized by the
HWTACACS server.
Does not support authorization of configuration
commands. Access to commands solely depends on
the user's roles. For more information about user roles,
see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a
Telnet user.
8
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
HWTACACS operates using in the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it
receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a
continue-authentication packet that includes the username.
7. The HWTACACS server sends back an authentication response to request the login password.
8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.
Host HWTACACS client HWTACACS server
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
9) The user enters the password
11) Response indicating successful authentication
12) User authorization request packet
13) Response indicating successful authorization
14) The user logs in successfully
15) Start-accounting request
16) Response indicating the start of accounting
17) The user logs off
18) Stop-accounting request
19) Stop-accounting response
10) Continue-authentication packet with the password
9
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to
indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13. If the authorization succeeds, the HWTACACS server sends back an authorization response,
indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and
permits the user to log in.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.
LDAP
The Lightweight Directory Access Protocol (LDAP) provides standard multi-platform directory service.
LDAP was developed on the basis of the X.500 protocol, and improves the read/write interactive access,
browse, and search functions of X.500. It is suitable for storing data that does not often change.
LDAP is typically used to store user information. For example, LDAP server software Active Directory
Server is used in Microsoft Windows operating systems to store the user information and user group
information for user login authentication and authorization.
LDAP directory service
LDAP uses directories to maintain the organization information, personnel information, and resource
information. The directories are organized in a tree structure and include entries. An entry is a set of
attributes with distinguished names (DNs). The attributes are used to store information such as usernames,
passwords, emails, computer names, and phone numbers.
LDAP uses a client/server model, and all directory information is stored in the LDAP server. Commonly
used LDAP server products include Microsoft Active Directory Server, IBM Tivoli Directory Server, and Sun
ONE Directory Server.
LDAP authentication and authorization
AAA can use LDAP to provide user authentication and authorization services. LDAP defines a set of
operations to implement its functions. The main operations for authentication and authorization are the
bind operation and search operation:
•The bind operation allows an LDAP client to perform the following operations:
{Establish a connection with the LDAP server.
{Obtain the access rights to the LDAP server.
{Check the validity of user information.
Other manuals for 5920
18
This manual suits for next models
1
Table of contents
Other HP Switch manuals
HP
HP ProCurve 3500yl-48G-PWR User manual
HP
HP ProCurve 8200zl User manual
HP
HP 316095-B21 - StorageWorks Edge Switch 2/24 Instruction Manual
HP
HP 5830 series User manual
HP
HP FlexFabric 5980 48SFP+6QSFP28 User manual
HP
HP FlexFabric 5950 Series User manual
HP
HP 378927-B21 User instructions
HP
HP 316095-B21 - StorageWorks Edge Switch 2/24 User manual
HP
HP StorageWorks 2/64 - Core Switch User manual
HP
HP 12500 Series User manual
HP
HP StoreFabric SN4000B Programming manual
HP
HP HP 830 Series Installation manual
HP
HP 5920 User manual
HP
HP 5810-48G User instructions
HP
HP 3100 v2 Series User manual
HP
HP J4902A User manual
HP
HP ProCurve J8763A Manual
HP
HP StorageWorks SN6000 User manual
HP
HP StorageWorks 2/16 - SAN Switch Instruction Manual
HP
HP ProCurve 2520-24-PoE User manual
Popular Switch manuals by other brands
Endress+Hauser
Endress+Hauser Nivotester FTL 375 N 3 Series manual
Exprezo
Exprezo EZ-108 user manual
AVGear
AVGear AVG-CSK-HD44 user manual
SMC Networks
SMC Networks Tiger Switch 10/100 SMC6704M Specifications
Topgreener
Topgreener TGWF500D installation instructions
Topworx
Topworx DXR-GO Installation, operation & maintenance manual