Hp A5830 series User manual

HP A5830 Switch Series

Security

Configuration Guide

Abstract

This document describes the software features for the HP A Series products and guides you through the

software configuration procedures. These configuration guides also provide configuration examples to

help you apply software features to different network scenarios.

This documentation is intended for network planners, field technical support and servicing engineers,

and network administrators working with the HP A Series products.

Part number: 5998-2067

Software version: Release 1109

Document version: 6W100-20110715

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or use

of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

iii

Contents

Configuring AAA ························································································································································· 1

RADIUS······································································································································································2

HWTACACS·····························································································································································7

Domain-based user management ···························································································································9

RADIUS server feature of the switch···················································································································· 10

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 11

AAA configuration considerations and task list·········································································································· 14

Configuring AAA schemes············································································································································ 16

Configuring local users········································································································································· 16

Configuring RADIUS schemes······························································································································ 20

Configuring HWTACACS schemes····················································································································· 31

Configuring AAA methods for ISP domains················································································································ 36

Configuration prerequisites ·································································································································· 36

Creating an ISP domain ······································································································································· 36

Configuring ISP domain attributes······················································································································· 37

Configuring AAA authentication methods for an ISP domain·········································································· 38

Configuring AAA authorization methods for an ISP domain ··········································································· 39

Configuring AAA accounting methods for an ISP domain ··············································································· 41

Tearing down user connections···································································································································· 42

Configuring a NAS ID-VLAN binding·························································································································· 42

Configuring a switch as a RADIUS server··················································································································· 43

RADIUS server functions configuration task list·································································································· 43

Configuring a RADIUS user·································································································································· 43

Specifying a RADIUS client ·································································································································· 44

Displaying and maintaining AAA ································································································································ 44

AAA configuration examples········································································································································ 44

AAA for Telnet users by an HWTACACS server ······························································································· 44

AAA for Telnet users by separate servers··········································································································· 46

Authentication/authorization for SSH/Telnet users by a RADIUS server························································ 47

AAA for 802.1X users by a RADIUS server······································································································· 50

Level switching authentication for Telnet users by an HWTACACS server····················································· 56

RADIUS authentication and authorization for Telnet users by a switch ·························································· 59

Troubleshooting AAA ···················································································································································· 61

Troubleshooting RADIUS ······································································································································ 61

Troubleshooting HWTACACS······························································································································ 62

802.1X fundamentals ················································································································································63

802.1X architecture······················································································································································· 63

Controlled/uncontrolled port and port authorization status······················································································ 63

802.1X-related protocols ·············································································································································· 64

Packet formats························································································································································ 64

EAP over RADIUS ·················································································································································· 65

Initiating 802.1X authentication··································································································································· 66

802.1X client as the initiator ······························································································································· 66

Access device as the initiator······························································································································· 66

802.1X authentication procedures ······························································································································ 66

A comparison of EAP relay and EAP termination······························································································ 67

EAP relay································································································································································ 67

EAP termination ····················································································································································· 70

Configuring 802.1X ··················································································································································71

HP implementation of 802.1X ······································································································································ 71

Access control methods ········································································································································ 71

Using 802.1X authentication with other features ······························································································ 71

802.1X configuration task list······························································································································ 74

Enabling 802.1X··················································································································································· 74

Enabling EAP relay or EAP termination ·············································································································· 75

Setting the port authorization state······················································································································ 75

Specifying an access control method·················································································································· 76

Setting the maximum number of concurrent 802.1X users on a port······························································ 76

Setting the maximum number of authentication request attempts ···································································· 77

Setting the 802.1X authentication timeout timers ······························································································ 77

Configuring the online user handshake function ······························································································· 78

Configuring the authentication trigger function ································································································· 78

Specifying a mandatory authentication domain on a port··············································································· 79

Configuring the quiet timer ·································································································································· 80

Enabling the periodic online user re-authentication function············································································ 80

Configuring an 802.1X guest VLAN··················································································································· 81

Configuring an Auth-Fail VLAN ··························································································································· 82

Specifying supported domain name delimiters·································································································· 83

Displaying and maintaining 802.1X ··························································································································· 83

802.1X configuration examples··································································································································· 83

802.1X authentication configuration example ·································································································· 83

802.1X with guest VLAN and VLAN assignment configuration example······················································· 86

802.1X with ACL assignment configuration example······················································································· 89

Configuring EAD fast deployment ····························································································································91

EAD fast deployment implementation ················································································································· 91

Configuration procedure ······································································································································ 91

Displaying and maintaining EAD fast deployment····································································································· 92

EAD fast deployment configuration example·············································································································· 93

Troubleshooting EAD fast deployment························································································································· 95

Web browser users cannot be correctly redirected ·························································································· 95

Configuring MAC authentication······························································································································96

User account policies············································································································································ 96

Authentication approaches ·································································································································· 96

MAC authentication timers··································································································································· 97

Using MAC authentication with other features··········································································································· 97

VLAN assignment ·················································································································································· 97

ACL assignment ····················································································································································· 97

Guest VLAN ··························································································································································· 97

MAC authentication configuration task list ················································································································· 98

Basic configuration for MAC authentication··············································································································· 98

Specifying an authentication domain for MAC authentication users ······································································· 99

Configuring a MAC authentication guest VLAN ······································································································100

Displaying and maintaining MAC authentication····································································································101

MAC authentication configuration examples············································································································101

Local MAC authentication configuration example ··························································································101

RADIUS-based MAC authentication configuration example ··········································································103

ACL assignment configuration example ···········································································································105

Configuring port security········································································································································ 107

Port security features ···········································································································································107

Port security modes ·············································································································································107

Support for guest VLAN and Auth-Fail VLAN···································································································110

Port security configuration task list ·····························································································································110

Enabling port security··················································································································································111

Setting port security’s limit on the number of MAC addresses on a port ······························································111

Setting the port security mode ····································································································································112

Configuring port security features ······························································································································113

Configuring NTK ·················································································································································113

Configuring intrusion protection ························································································································113

Enabling port security traps································································································································114

Configuring secure MAC addresses ··························································································································114

Ignoring authorization information from the server··································································································115

Displaying and maintaining port security··················································································································116

Port security configuration examples ·························································································································116

Configuring the autoLearn mode·······················································································································116

Configuring the userLoginWithOUI mode ········································································································119

Configuring the macAddressElseUserLoginSecure mode················································································123

Troubleshooting port security······································································································································126

Cannot set the port security mode·····················································································································126

Cannot configure secure MAC addresses········································································································126

Cannot change port security mode when a user is online ·············································································126

Configuring password control································································································································ 128

Password control configuration task list·····················································································································130

Enabling password control·································································································································131

Setting global password control parameters····································································································131

Setting user group password control parameters ····························································································132

Setting local user password control parameters ······························································································133

Setting super password control parameters ·····································································································133

Setting a local user password in interactive mode··························································································134

Displaying and maintaining password control·········································································································134

Password control configuration example ··················································································································135

Configuring public keys·········································································································································· 138

Public key configuration task list ································································································································138

Configuring a local asymmetric key pair on the local device·················································································139

Creating a local asymmetric key pair···············································································································139

Displaying or exporting the local host public key ···························································································139

Destroying a local asymmetric key pair············································································································141

Specifying the peer public key on the local device ·································································································141

Displaying and maintaining public keys ···················································································································142

Public key configuration examples·····························································································································142

Manually specifying the peer public key on the local device ········································································142

Importing a public key from a public key file ··································································································144

Configuring PKI ······················································································································································· 147

PKI terms·······························································································································································147

PKI architecture····················································································································································148

PKI applications···················································································································································149

PKI operation ·······················································································································································149

PKI configuration task list ············································································································································149

Configuring an entity DN············································································································································150

Configuring a PKI domain ··········································································································································151

Submitting a PKI certificate request····························································································································153

Submitting a certificate request in auto mode··································································································153

Submitting a certificate request in manual mode·····························································································153

Retrieving a certificate manually ································································································································154

Configuring PKI certificate verification ······················································································································155

Configuring CRL-checking-enabled PKI certificate verification ·······································································155

Configuring CRL-checking-disabled PKI certificate verification ······································································156

Destroying a local RSA key pair ································································································································156

Deleting a certificate····················································································································································156

Configuring an access control policy ························································································································157

Displaying and maintaining PKI·································································································································157

PKI configuration examples·········································································································································158

Requesting a certificate from a CA server running RSA Keon ·······································································158

Requesting a certificate from a CA server running Windows®2003 Server™············································161

Configuring a certificate attribute-based access control policy ·····································································164

Troubleshooting PKI ·····················································································································································166

Failed to retrieve a CA certificate······················································································································166

Failed to request a local certificate ···················································································································166

Failed to retrieve CRLs ········································································································································167

Configuring SSH2.0 ··············································································································································· 168

SSH operation ·····················································································································································168

Configuring the switch as an SSH server ··················································································································170

SSH server configuration task list ······················································································································170

Generating a DSA or RSA key pair ··················································································································171

Enabling the SSH server function ······················································································································171

Configuring the user interfaces for SSH clients································································································171

Configuring a client public key··························································································································172

Configuring an SSH user····································································································································173

Setting the SSH management parameters ········································································································174

Configuring the switch as an SSH client ···················································································································175

SSH client configuration task list························································································································175

Specifying a source ip address/interface for the SSH client··········································································175

Configuring whether first-time authentication is supported·············································································175

Establishing a connection between the SSH client and server·······································································176

Displaying and maintaining SSH ·······························································································································177

SSH server configuration examples ···························································································································177

When the switch acts as a server for password authentication ·····································································177

When the switch acts as a server for publickey authentication ·····································································179

SSH client configuration examples·····························································································································184

When the switch acts as client for password authentication··········································································184

When the switch acts as client for publickey authentication ··········································································187

Configuring SFTP····················································································································································· 190

Configuring the switch as an SFTP server ·················································································································190

Enabling the SFTP server ····································································································································190

Configuring the SFTP connection idle timeout period ·····················································································190

Configuring the switch as an SFTP client···················································································································191

Specifying a source IP address or interface for the SFTP client······································································191

Establishing a connection to the SFTP server····································································································191

Working with SFTP directories···························································································································191

Working with SFTP files······································································································································192

vii

Displaying help information ·······························································································································193

Terminating the connection to the remote SFTP server ····················································································193

SFTP client configuration example ·····························································································································193

SFTP server configuration example ····························································································································197

Configuring SSL······················································································································································· 200

SSL security mechanism ······································································································································200

SSL protocol stack ···············································································································································200

SSL configuration task list············································································································································201

Configuring an SSL server policy ·······························································································································201

SSL server policy configuration example··········································································································202

Configuring an SSL client policy ································································································································204

Displaying and maintaining SSL ································································································································205

Troubleshooting SSL·····················································································································································205

SSL handshake failure·········································································································································205

Configuring TCP attack protection························································································································· 207

Enabling the SYN Cookie feature ······························································································································207

Displaying and maintaining TCP attack protection··································································································207

Configuring IP source guard ·································································································································· 208

Static IP source guard binding entries ··············································································································208

Dynamic IP source guard binding entries·········································································································209

IP source guard configuration task list ·······················································································································209

Configuring the IPv4 source guard function··············································································································209

Configuring IPv4 source guard on a port·········································································································209

Configuring a static IPv4 source guard binding entry ····················································································210

Setting the maximum number of IPv4 source guard binding entries ·····························································211

Configuring the IPv6 source guard function··············································································································211

Configuring IPv6 source guard on a port·········································································································211

Configuring a static IPv6 source guard binding entry ····················································································212

Setting the maximum number of IPv6 source guard binding entries ·····························································213

Displaying and maintaining IP source guard············································································································213

IP source guard configuration examples ···················································································································214

Static IPv4 source guard binding entry configuration example ·····································································214

Dynamic IPv4 source guard binding by DHCP snooping configuration example ·······································216

Dynamic IPv4 source guard binding by DHCP relay configuration example ··············································217

Static IPv6 source guard binding entry configuration example ·····································································219

Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example···································219

Dynamic IPv6 source guard binding by ND snooping configuration example············································221

Troubleshooting IP source guard ································································································································222

Cannot configure static binding entries or dynamic binding function···························································222

Configuring ARP attack protection························································································································· 223

ARP attack protection configuration task list ·············································································································223

Configuring ARP defense against IP packet attacks·································································································224

Configuring ARP source suppression ················································································································224

Enabling ARP black hole routing ·······················································································································225

Displaying and maintaining ARP defense against IP packet attacks·····························································225

ARP defense against IP packet attack configuration example········································································225

Configuring ARP packet rate limit ······························································································································226

Configuring source MAC address-based ARP attack detection··············································································227

Displaying and maintaining source MAC address-based ARP attack detection··········································227

viii

Source MAC address-based ARP attack detection configuration example ··················································228

Configuring ARP packet source MAC address consistency check ·········································································229

Configuring ARP active acknowledgement ···············································································································229

Configuring ARP detection··········································································································································229

Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1x

security entries ·····················································································································································230

Configuring ARP detection based on specified objects ··················································································231

Configuring ARP restricted forwarding ·············································································································232

Displaying and maintaining ARP detection ······································································································232

ARP detection configuration example 1 ···········································································································232

ARP detection configuration example 2 ···········································································································234

ARP restricted forwarding configuration example···························································································235

Configuring ARP automatic scanning and fixed ARP ······························································································237

Configuring ND attack defense ····························································································································· 239

Enabling source MAC consistency check for ND packets·······················································································240

Configuring the ND detection function······················································································································240

Configuring ND detection··································································································································241

Displaying and maintaining ND detection·······································································································241

ND detection configuration example·························································································································241

Configuring URPF···················································································································································· 244

URPF check modes ··············································································································································244

How URPF works ·················································································································································244

Network application ···········································································································································247

URPF configuration·······················································································································································247

URPF configuration examples ·····································································································································247

Support and other resources ·································································································································· 249

Contacting HP ······························································································································································249

Subscription service ············································································································································249

Related information······················································································································································249

Documents····························································································································································249

Websites ······························································································································································249

Conventions ··································································································································································250

Index ········································································································································································ 252

Configuring AAA

AAA provides a uniform framework for implementing network access management. It can provide the

following security functions:

•Authentication—Identifies users and determines whether a user is valid.

•Authorization—Grants different users different rights and controls their access to resources and

services. For example, a user who has successfully logged in to the switch can be granted read

and print permissions to the files on the switch.

•Accounting—Records all user network service usage information, including the service type, start

time, and traffic. The accounting function not only provides the information required for charging

but also allows for network security surveillance.

AAA usually uses a client/server model. The client runs on the NAS, which is also referred to as the

access device. The server maintains user information centrally. In an AAA network, a NAS is a server for

users but a client for the AAA servers. See Figure 1.

Figure 1 Network diagram for AAA

When a user tries to log in to the NAS, use network resources, or access other networks, the NAS

authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and

accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and a

remote server exchange user information between them.

In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose

different servers for different security functions. For example, use the HWTACACS server for

authentication and authorization, and use the RADIUS server for accounting.

You can choose the three security functions provided by AAA as required. For example, if your

company only wants employees to be authenticated before they access specific resources, you only

need to configure an authentication server. If network usage information is needed, you must also

configure an accounting server.

AAA can be implemented through multiple protocols. The switch supports using RADIUS and

HWTACACS. RADIUS is often used in practice.

RADIUS

RADIUS is a distributed information interaction protocol that uses a client/server model. It can protect

networks against unauthorized access and is often used in network environments where both high

security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port

1813 for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods,

RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS

provides access authentication and authorization services, and its accounting function collects and

records network resource usage information.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

designated RADIUS servers and acts on the responses (for example, it rejects or accepts user access

requests).

The RADIUS server runs on the computer or workstation at the network center and maintains information

related to user authentication and network service access. It listens to connection requests, authenticates

users, and returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary. See

Figure 2.

Figure 2 RADIUS server components

•Users—Stores user information, such as usernames, passwords, applied protocols, and IP

addresses.

•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•Dictionary—Stores RADIUS protocol attributes and their values.

Security and authentication mechanisms

RADIUS uses a shared key that is never transmitted over the network to authenticate information

exchanged between a RADIUS client and the RADIUS server. This enhances information exchange

security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS

encrypts passwords before transmitting them.

A RADIUS server supports multiple user authentication methods, such as PAP and CHAP of the PPP

protocol. A RADIUS server can also act as the client of another AAA server to provide authentication

proxy services.

Basic RADIUS message exchange process

Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS message exchange process

RADIUS client RADIUS server

1) Username and password

3) Access-Accept/Reject

2) Access-Request

4) Accounting-Request (start)

5) Accounting-Response

7) Accounting-Request (stop)

8) Accounting-Response

9) Notification of access termination

Host

6) The host accesses the resources

RADIUS operates in the following manner:

1. The host initiates a connection request that carries the user’s username and password to the

RADIUS client.

2. Having received the username and password, the RADIUS client sends an authentication request

(Access-Request) to the RADIUS server, with the user password encrypted by using the MD5

algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, the

server sends back an Access-Accept message containing the user’s authorization information. If the

authentication fails, the server returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If it

permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection, and the RADIUS client sends a

stop-accounting request (Accounting-Request) to the RADIUS server.

8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting

for the user.

9. The user stops access to network resources.

RADIUS packet format

RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS

server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism,

the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet

format.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

1. The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible

values and their meanings.

Table 1 Main values of the Code field

Code Packet type Description

1 Access-Request

From the client to the server. A packet of this type carries user

information for the server to authenticate the user. It must

contain the User-Name attribute and can optionally contain the

attributes of NAS-IP-Address, User-Password, and NAS-Port.

2 Access-Accept

From the server to the client. If all attribute values carried in the

Access-Request are acceptable, the authentication succeeds,

and the server sends an Access-Accept response.

3 Access-Reject

From the server to the client. If any attribute value carried in

the Access-Request is unacceptable, the authentication fails,

and the server sends an Access-Reject response.

4 Accounting-Request

From the client to the server. A packet of this type carries user

information for the server to start or stop accounting for the

user. The Acct-Status-Type attribute in the packet indicates

whether to start or stop accounting.

5 Accounting-Response

From the server to the client. The server sends a packet of this

type to notify the client that it has received the Accounting-

Request and has successfully recorded the accounting

information.

2. The Identifier field (1 byte long) is used to match request and response packets and to detect

duplicate request packets. Request and response packets of the same type have the same identifier.

3. The Length field (2 bytes long) indicates the length of the entire packet, including the Code,

Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered

padding and are ignored at the receiver. If the length of a received packet is less than this length,

the packet is dropped. The value of this field ranges from 20 to 4096.

4. The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and

to encrypt user passwords. There are two types of authenticators: request authenticator and

response authenticator.

5. The Attributes field, variable in length, carries the specific authentication, authorization, and

accounting information that defines the configuration details of the request or response. This field

may contain multiple attributes, each with these sub-fields: Type, Length, and Value.

•Type (1 byte long) indicates the type of the attribute. It ranges from 1 to 255. See Table 2 for

commonly used RADIUS attributes, which are defined in RFC 2865, RFC 2866, RFC 2867, and

RFC 2868. For more information about commonly used standard RADIUS attributes, see

"Commonly used standard RADIUS attributes."

•Length(1 byte long) indicates the length of the attribute in bytes, including the Type, Length, and

Value fields.

•Value (up to 253 bytes) is the value of the attribute. Its format and content depend on the Type and

Length fields.

Table 2 Commonly used RADIUS attributes

Number Attribute Number Attribute

1 User-Name 45 Acct-Authentic

2 User-Password 46 Acct-Session-Time

3 CHAP-Password 47 Acct-Input-Packets

4 NAS-IP-Address 48 Acct-Output-Packets

5 NAS-Port 49 Acct-Terminate-Cause

6 Service-Type 50 Acct-Multi-Session-Id

7 Framed-Protocol 51 Acct-Link-Count

8 Framed-IP-Address 52 Acct-Input-Gigawords

9 Framed-IP-Netmask 53 Acct-Output-Gigawords

10 Framed-Routing 54 (unassigned)

11 Filter-ID 55 Event-Timestamp

12 Framed-MTU 56-59 (unassigned)

13 Framed-Compression 60 CHAP-Challenge

14 Login-IP-Host 61 NAS-Port-Type

15 Login-Service 62 Port-Limit

16 Login-TCP-Port 63 Login-LAT-Port

17 (unassigned) 64 Tunnel-Type

18 Reply-Message 65 Tunnel-Medium-Type

19 Callback-Number 66 Tunnel-Client-Endpoint

20 Callback-ID 67 Tunnel-Server-Endpoint

21 (unassigned) 68 Acct-Tunnel-Connection

22 Framed-Route 69 Tunnel-Password

23 Framed-IPX-Network 70 ARAP-Password

24 State 71 ARAP-Features

25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security

Number Attribute Number Attribute

27 Session-Timeout 74 ARAP-Security-Data

28 Idle-Timeout 75 Password-Retry

29 Termination-Action 76 Prompt

30 Called-Station-Id 77 Connect-Info

31 Calling-Station-Id 78 Configuration-Token

32 NAS-Identifier 79 EAP-Message

33 Proxy-State 80 Message-Authenticator

34 Login-LAT-Service 81 Tunnel-Private-Group-id

35 Login-LAT-Node 82 Tunnel-Assignment-id

36 Login-LAT-Group 83 Tunnel-Preference

37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response

38 Framed-AppleTalk-Network 85 Acct-Interim-Interval

39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost

40 Acct-Status-Type 87 NAS-Port-Id

41 Acct-Delay-Time 88 Framed-Pool

42 Acct-Input-Octets 89 (unassigned)

43 Acct-Output-Octets 90 Tunnel-Client-Auth-id

44 Acct-Session-Id 91 Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vender-Specific), an attribute defined

by RFC 2865, allows a vender to define extended attributes to implement functions that the standard

RADIUS protocol does not provide.

A vendor can encapsulate multiple sub-attributes in the TLV format in RADIUS packets for extension of

applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists of the following

parts:

•Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes

contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS

sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."

•Vendor-Type—Indicates the type of the sub-attribute.

•Vendor-Length—Indicates the length of the sub-attribute.

•Vendor-Data—Indicates the contents of the sub-attribute.

Figure 5 Segment of a RADIUS packet containing an extended attribute

HWTACACS

HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it

uses a client/server model for information exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for PPP users, VPDN users, and terminal users. In a typical

HWTACACS scenario, some terminal users must log in to the NAS for operations. Working as the

HWTACACS client, the NAS sends the usernames and passwords of the users to the HWTACACS sever

for authentication. After passing authentication and being authorized, the users log in to the switch and

perform operations, and the HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They

have many features in common, such as using a client/server model, using shared keys for user

information security, and providing flexibility and extensibility. Table 3 lists their differences.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, providing more reliable network

transmission. Uses UDP, providing higher transport efficiency.

Encrypts the entire packet except for the

HWTACACS header.

Encrypts only the user password field in an

authentication packet.

Protocol packets are complicated, and authorization

is independent of authentication. Authentication and

authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple, and the authorization

process is combined with the authentication process.

Supports authorization of configuration commands.

The commands that a user can use are determined

by both the user level and the AAA authorization. A

user can use only commands that are at, or lower

than, the user level and authorized by the

HWTACACS server.

Does not support authorization of configuration

commands. The commands that a user can use are

solely determined by the level of the user. A user can

use all commands at, or lower than, the user level.

Basic HWTACACS message exchange process

The following example describes how HWTACACS performs user authentication, authorization, and

accounting for a Telnet user. See Figure 6.

Figure 6 Basic HWTACACS message exchange process for a Telnet user

Host HWTACACS client HWTACACS server

1) The user logs in

2) Start-authentication packet

3) Authentication response requesting the username

4) Request for username

5) The user inputs the username

6) Authentication continuance packet with the

username

7) Authentication response requesting the login

password

8) Request for password

9) The user inputs the password

11) Authentication response indicating successful

authentication

12) User authorization request packet

13) Authorization response indicating successful

authorization

14) The user logs in successfully

15) Start-accounting request

16) Accounting response indicating the start of

accounting

17) The user logs off

18) Stop-accounting request

19) Stop-accounting response

10) Authentication continuance packet with the

The process is as follows:

1. A Telnet user sends an access request to the HWTACACS client.

2. After receiving the request, the HWTACACS client sends a start-authentication packet to the

HWTACACS server.

3. The HWTACACS server sends back an authentication response to request the username.

4. After receiving the response, the HWTACACS client asks the user for the username.

5. The user enters the username.

6. After receiving the username, the HWTACACS client sends the server a continue-authentication

packet that carries the username.

7. The HWTACACS server sends back an authentication response, requesting the login password.

8. After receiving the response, the HWTACACS client asks the user for the login password.

9. The user enters the password.

10. After receiving the login password, the HWTACACS client sends the HWTACACS server a

continue-authentication packet that carries the login password.

11. The HWTACACS server sends back an authentication response to indicate that the user has passed

authentication.

12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.

13. The HWTACACS server sends back the authorization response, indicating that the user is now

authorized.

14. Knowing that the user is now authorized, the HWTACACS client pushes its configuration interface

to the user.

15. The HWTACACS client sends a start-accounting request to the HWTACACS server.

16. The HWTACACS server sends back an accounting response, indicating that it has received the

start-accounting request.

17. The user logs off.

18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19. The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting

request has been received.

Domain-based user management

A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A

NAS determines the ISP domain that a user belongs to by the username entered by the user at login, as

shown in Figure 7.

Figure 7 Determine the ISP domain of a user by the username

The authentication, authorization, and accounting of a user depends on the AAA methods configured for

the domain to which the user belongs If no specific AAA methods are configured for the domain, the

default methods are used. By default, a domain uses local authentication, local authorization, and local

accounting.

AAA allows you to manage users based on their access types:

•LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the

network.

•Login users—Users who want to log in to the switch, including SSH users, Telnet users, Web users,

FTP users, and terminal users.

In addition, AAA provides the following services for login users to enhance switch security:

•Command authorization—Enables the NAS to defer to the authorization server to determine

whether a command entered by a login user is permitted for the user, ensuring that login users

execute only commands they are authorized to execute. For more information about command

authorization, see Fundamentals Configuration Guide.

•Command accounting—Allows the accounting server to record all commands executed on the

switch or all authorized commands successfully executed. For more information about command

accounting, see Fundamentals Configuration Guide.

•Level switching authentication—Allows the authentication server to authenticate users who perform

privilege level switching. As long as they pass level switching authentication, users can switch their

user privilege levels without logging out and disconnecting current connections. For more

information about user privilege level switching, see Fundamentals Configuration Guide.

You can configure different authentication, authorization, and accounting methods for different users in

a domain. See "Configuring AAA methods for ISP domains."

RADIUS server feature of the switch

Generally, the RADIUS server runs on a computer or workstation, and the RADIUS client runs on a NAS.

A network device that supports the RADIUS server feature can also serve as the RADIUS server. It works

with RADIUS clients to implement user authentication, authorization, and accounting. As shown in Figure

8, the RADIUS server and client can reside on the same switch or different switches.

Using a network device as the RADIUS server simplifies networking and reduces deployment costs.

Figure 8 Devices functioning as a RADIUS server

A network device serving as the RADIUS server can provide the following functions:

•User information management—Supports creating, modifying, and deleting user information,

including the username, password, authority, lifetime, and user description.

•RADIUS client information management—Supports creating and deleting RADIUS clients, which are

identified by IP addresses and configured with attributes such as a shared key. After being

configured with a managed client range, the RADIUS server processes only the RADIUS packets

from the clients within the management range. A shared key is used to ensure secure

communication between a RADIUS client and the RADIUS server.

•RADIUS authentication and authorization—RADIUS accounting is not supported.

Upon receiving a RADIUS packet, a device working as the RADIUS server checks whether the sending

client is under its management. If it is, the RADIUS server verifies the packet validity by using the shared

key and then checks whether there is an account with the username, whether the password is correct,

and whether the user attributes meet the requirements defined on the RADIUS server (for example,

whether the account has expired). Then, the RADIUS server assigns the corresponding authority to the

client if the authentication succeeds, or it denies the client if the authentication fails.

A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication

requests, but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure

to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as

the RADIUS server.

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, and HWTACACS:

•RFC 2865, Remote Authentication Dial In User Service (RADIUS)

•RFC 2866, RADIUS Accounting

•RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

•RFC 2868, RADIUS Attributes for Tunnel Protocol Support

•RFC 2869, RADIUS Extensions

•RFC 1492, An Access Control Protocol, Sometimes Called TACACS

RADIUS attributes

Commonly used standard RADIUS attributes

Number Attribute Descri

tion

1 User-Name Name of the user to be authenticated.

2 User-Password

User password for PAP authentication, present only in Access-Request

packets in PAP authentication mode.

3 CHAP-Password

Digest of the user password for CHAP authentication, present only in

Access-Request packets in CHAP authentication mode.

4 NAS-IP-Address

IP address for the server to identify a client. Usually, a client is

identified by the IP address of the access interface on the NAS,

namely, the NAS IP address. This attribute is present in only Access-

Request packets.

5 NAS-Port Physical port of the NAS that the user accesses.

6 Service-Type

Type of service that the user has requested or type of service to be

provided.

7 Framed-Protocol Encapsulation protocol for framed access.

8 Framed-IP-Address IP address assigned to the user.

11 Filter-ID Name of the filter list.

12 Framed-MTU

MTU for the data link between the user and NAS. For example, with

802.1X EAP authentication, NAS uses this attribute to notify the server

of the MTU for EAP packets to avoid oversized EAP packets.

14 Login-IP-Host IP address of the NAS interface that the user accesses.

Number Attribute Descri

tion

15 Login-Service Type of the service that the user uses for login.

18 Reply-Message

Text to be displayed to the user, which can be used by the server to

indicate, for example, the reason of the authentication failure.

26 Vendor-Specific

Vendor specific attribute. A packet can contain one or more such

proprietary attributes, each of which can contain one or more sub-

attributes.

27 Session-Timeout

Maximum duration of service to be provided to the user before

termination of the session.

28 Idle-Timeout Maximum idle time permitted for the user before termination of the

session.

31 Calling-Station-Id

User identification that the NAS sends to the server. For the LAN

access service provided by an HP device, this attribute carries the

MAC address of the user in the format HHHH-HHHH-HHHH.

32 NAS-Identifier Identification that the NAS uses for indicating itself.

40 Acct-Status-Type

Type of the Accounting-Request packet:

•1—Start

•2—Stop

•3—Interium-Update

•4—Reset-Charge

•7—Accounting-On (Defined in 3GPP, the 3rd Generation

Partnership Project)

•8—Accounting-Off (Defined in 3GPP)

•9 to 14—Reserved for tunnel accounting

•15—Reserved for failed

45 Acct-Authentic

Authentication method used by the user:

•1—RADIUS

•2—Local

•3—Remote

60 CHAP-Challenge

CHAP challenge generated by the NAS for MD5 calculation during

CHAP authentication.

61 NAS-Port-Type

Type of the physical port of the NAS that is authenticating the user:

•15—Ethernet

•16—Any type of ADSL

•17—Cable (with cable for cable TV)

•201—VLAN

•202—ATM

If the port is an ATM or Ethernet port and VLANs are implemented on

it, the value of this attribute is 201.

79 EAP-Message

Used for encapsulating EAP packets to allow the NAS to authenticate

dial-in users via EAP without having to understand the EAP protocol.

80 Message-

Authenticator

Used for authentication and checking of authentication packets to

prevent spoofing Access-Requests. This attribute is used when RADIUS

supports EAP authentication.

Other manuals for A5830 Series

Table of contents

Other HP Switch manuals

HP ProCurve 6600-48G-4XG Assembly instructions

HP storageworks 2/32 User manual

HP ProCurve Series 2810 User manual

HP ProCurve 1600M Manual

HP StorageWorks T5527A User manual

HP ProCurve 6120G/XG User manual

HP StorageWorks Edge Switch 2/32 User manual

HP GbE2c - Blc Layer 2/3 Fiber SFP Option Operating manual

HP 6125G Installation manual

HP Class MMS and MRS User manual

HP FlexFabric 5700 series User manual

HP 316095-B21 - StorageWorks Edge Switch 2/24 Technical manual

HP 1920 Gigabit Ethernet Switch Series User manual

HP 1810 series User instructions

HP A3100-8 v2 SI Installation manual

HP 10GB ETHERNET BL-C SWITCH BMD00022 Operating manual

HP Officejet Pro 7500 Series User manual

HP 10500 series User manual

HP HPE 5140 Assembly instructions

HP FlexFabric 5700 series User manual

HP HP ProCurve Series 6600 Installation guide

HP 12500 Series User manual

HP A5500 HI Series User manual

HP ProCurve 6600-24G-4XG Assembly instructions

Popular Switch manuals by other brands

Phybridge

Phybridge NVT PoLRE Series user guide

B.E.G.

B.E.G. WAVE-PIR-120/277-N installation instructions

Wisi

Wisi DY 94....98 operating instructions

ISON

ISON IS-DG305 Quick installation guide

SWiiD

SWiiD SwiidInter Installation and user guide

Edimax

Edimax EK-PS2C user manual

Belkin

Belkin 4x4 USB Peripheral Switch user manual

BEL

BEL MS64-F Installation and user guide

Linksys

Linksys SRW2024 Product data

SkyLink

SkyLink SW-318 user manual

Lutron Electronics

Lutron Electronics Switch user manual

Nematron

Nematron NF541S Series user manual

D-Link

D-Link DES-7000 Series user manual

SWEEX

SWEEX SW128 manual

Cisco

Cisco Catalyst 3120 Software guide

3Com

3Com Switch 5500G-EI PWR 48-Port Command reference guide

Inline

Inline 33293I user manual

Vivitek

Vivitek NovoConnect NC-X500 quick start guide

HP A5830 Series User manual

Popular Switch manuals by other brands