HP FlexFabric 5700 series User manual
HP FlexFabric 5700 Switch Series
Security
Configuration Guide
Part number: 5998-6696
Software version: Release 2416
Document version: 6W100-20150130
Legal and notice information
© Copyright 2015 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
i
Contents
Configuring AAA ························································································································································· 1
Overview············································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································7
LDAP ··········································································································································································9
AAA implementation on the device····················································································································· 11
Protocols and standards ······································································································································· 13
RADIUS attributes ·················································································································································· 13
FIPS compliance ····························································································································································· 16
AAA configuration considerations and task list·········································································································· 16
Configuring AAA schemes············································································································································ 18
Configuring local users········································································································································· 18
Configuring RADIUS schemes······························································································································ 22
Configuring HWTACACS schemes····················································································································· 32
Configuring LDAP schemes ·································································································································· 38
Configuring AAA methods for ISP domains················································································································ 41
Configuration prerequisites ·································································································································· 42
Creating an ISP domain ······································································································································· 42
Configuring ISP domain attributes······················································································································· 42
Configuring authentication methods for an ISP domain ··················································································· 43
Configuring authorization methods for an ISP domain····················································································· 44
Configuring accounting methods for an ISP domain························································································· 45
Enabling the session-control feature ····························································································································· 46
Setting the maximum number of concurrent login users ···························································································· 47
Configuring a NAS-ID profile ······································································································································· 47
Displaying and maintaining AAA ································································································································ 48
AAA configuration examples········································································································································ 48
AAA for SSH users by an HWTACACS server·································································································· 48
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users·························· 49
Authentication and authorization for SSH users by a RADIUS server ····························································· 51
Authentication for SSH users by an LDAP server ······························································································· 54
Troubleshooting RADIUS ··············································································································································· 59
RADIUS authentication failure······························································································································ 59
RADIUS packet delivery failure···························································································································· 59
RADIUS accounting error ····································································································································· 60
Troubleshooting HWTACACS ······································································································································ 60
Troubleshooting LDAP···················································································································································· 60
802.1X overview ·······················································································································································62
802.1X architecture······················································································································································· 62
Controlled/uncontrolled port and port authorization status······················································································ 62
802.1X-related protocols ·············································································································································· 63
Packet formats························································································································································ 63
EAP over RADIUS ·················································································································································· 64
802.1X authentication initiation··································································································································· 65
802.1X client as the initiator································································································································ 65
Access device as the initiator······························································································································· 65
802.1X authentication procedures ······························································································································ 66
Comparing EAP relay and EAP termination······································································································· 67
ii
EAP relay································································································································································ 67
EAP termination ····················································································································································· 69
Configuring 802.1X ··················································································································································71
Access control methods ················································································································································· 71
802.1X VLAN manipulation ········································································································································· 71
Authorization VLAN ·············································································································································· 71
Guest VLAN ··························································································································································· 73
Auth-Fail VLAN ······················································································································································ 74
Critical VLAN························································································································································· 76
Using 802.1X authentication with other features ······································································································· 77
ACL assignment ····················································································································································· 77
User profile assignment ········································································································································ 78
EAD assistant ························································································································································· 78
Configuration prerequisites··········································································································································· 79
802.1X configuration task list······································································································································· 79
Enabling 802.1X···························································································································································· 79
Enabling EAP relay or EAP termination ······················································································································· 80
Setting the port authorization state ······························································································································ 81
Specifying an access control method ·························································································································· 81
Setting the maximum number of concurrent 802.1X users on a port······································································· 81
Setting the maximum number of authentication request attempts ············································································· 82
Setting the 802.1X authentication timeout timers······································································································· 82
Configuring the online user handshake feature·········································································································· 83
Configuration guidelines ······································································································································ 83
Configuration procedure ······································································································································ 83
Configuring the authentication trigger feature············································································································ 83
Configuration guidelines ······································································································································ 84
Configuration procedure ······································································································································ 84
Specifying a mandatory authentication domain on a port························································································ 84
Configuring the quiet timer ··········································································································································· 85
Enabling the periodic online user reauthentication feature······················································································· 85
Configuring an 802.1X guest VLAN ··························································································································· 86
Configuration guidelines ······································································································································ 86
Configuration prerequisites ·································································································································· 86
Configuration procedure ······································································································································ 87
Configuring an 802.1X Auth-Fail VLAN······················································································································ 87
Configuration guidelines ······································································································································ 87
Configuration prerequisites ·································································································································· 87
Configuration procedure ······································································································································ 88
Configuring an 802.1X critical VLAN ························································································································· 88
Configuration guidelines ······································································································································ 88
Configuration prerequisites ·································································································································· 88
Configuration procedure ······································································································································ 88
Specifying supported domain name delimiters··········································································································· 89
Configuring the EAD assistant feature ························································································································· 89
Displaying and maintaining 802.1X ··························································································································· 90
802.1X authentication configuration examples·········································································································· 90
Basic 802.1X authentication configuration example ························································································ 90
802.1X guest VLAN and authorization VLAN configuration example ··························································· 93
802.1X with ACL assignment configuration example······················································································· 95
802.1X with EAD assistant configuration example ··························································································· 97
Troubleshooting 802.1X EAD assistant for Web browser users·············································································100
iii
Configuring MAC authentication··························································································································· 101
Overview·······································································································································································101
User account policies··········································································································································101
Authentication methods·······································································································································101
VLAN assignment ················································································································································102
ACL assignment ···················································································································································104
User profile assignment ······································································································································104
Periodic MAC reauthentication··························································································································104
Configuration prerequisites·········································································································································104
Configuration task list ··················································································································································105
Enabling MAC authentication ····································································································································105
Specifying a MAC authentication domain················································································································106
Configuring the user account format··························································································································106
Setting MAC authentication timers·····························································································································107
Setting the maximum number of concurrent MAC authentication users on a port················································107
Enabling MAC authentication multi-VLAN mode on a port·····················································································108
Configuring MAC authentication delay·····················································································································108
Configuring a MAC authentication guest VLAN ······································································································109
Configuring a MAC authentication critical VLAN····································································································109
Configuring the keep-online feature···························································································································110
Displaying and maintaining MAC authentication ····································································································111
MAC authentication configuration examples············································································································111
Local MAC authentication configuration example···························································································111
RADIUS-based MAC authentication configuration example···········································································113
ACL assignment configuration example············································································································115
Configuring portal authentication·························································································································· 118
Overview·······································································································································································118
Extended portal functions ···································································································································118
Portal system components···································································································································118
Interaction between portal system components································································································120
Portal authentication modes ·······························································································································120
Portal authentication process ·····························································································································121
Portal configuration task list ········································································································································123
Configuration prerequisites·········································································································································123
Configuring a portal authentication server················································································································124
Configuring a portal Web server·······························································································································125
Enabling portal authentication on an interface·········································································································125
Configuration restrictions and guidelines ·········································································································125
Configuration procedure ····································································································································126
Referencing a portal Web server for an interface····································································································126
Controlling portal user access ····································································································································126
Configuring a portal-free rule·····························································································································126
Configuring an authentication source subnet···································································································127
Configuring an authentication destination subnet ···························································································128
Setting the maximum number of portal users ···································································································129
Specifying a portal authentication domain ······································································································129
Configuring portal detection features ························································································································130
Configuring online detection of portal users ····································································································130
Configuring portal authentication server detection··························································································131
Configuring portal Web server detection·········································································································132
Configuring portal user synchronization···········································································································133
Configuring the portal fail-permit feature ··················································································································134
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server··································134
Applying a NAS-ID profile to an interface················································································································135
iv
Enabling portal roaming ·············································································································································136
Logging out portal users··············································································································································136
Displaying and maintaining portal ····························································································································136
Portal configuration examples ····································································································································137
Configuring direct portal authentication···········································································································137
Configuring re-DHCP portal authentication······································································································145
Configuring cross-subnet portal authentication ································································································149
Configuring extended direct portal authentication··························································································152
Configuring extended re-DHCP portal authentication·····················································································155
Configuring extended cross-subnet portal authentication ···············································································159
Configuring portal server detection and portal user synchronization ···························································162
Troubleshooting portal·················································································································································170
No portal authentication page is pushed for users ·························································································170
Cannot log out portal users on the access device ···························································································170
Cannot log out portal users on the RADIUS server··························································································171
Users logged out by the access device still exist on the portal authentication server··································171
Re-DHCP portal authenticated users cannot log in successfully······································································172
Configuring port security········································································································································ 173
Overview·······································································································································································173
Port security features ···········································································································································173
Port security modes ·············································································································································173
Configuration task list ··················································································································································176
Enabling port security ··················································································································································177
Setting port security's limit on the number of secure MAC addresses on a port ··················································177
Setting the port security mode ····································································································································178
Configuring port security features ······························································································································179
Configuring NTK ·················································································································································179
Configuring intrusion protection ························································································································179
Configuring secure MAC addresses ··························································································································180
Configuration prerequisites ································································································································181
Configuration procedure ····································································································································181
Ignoring authorization information from the server··································································································182
Enabling MAC move ···················································································································································182
Applying NAS-ID profile to port security ···················································································································183
Enabling the authorization-fail-offline feature ···········································································································184
Displaying and maintaining port security··················································································································184
Port security configuration examples ·························································································································184
autoLearn configuration example ······················································································································184
userLoginWithOUI configuration example ·······································································································186
macAddressElseUserLoginSecure configuration example···············································································189
Troubleshooting port security······································································································································193
Cannot set the port security mode·····················································································································193
Cannot configure secure MAC addresses ········································································································193
Configuring password control································································································································ 194
Overview·······································································································································································194
Password setting··················································································································································194
Password updating and expiration ···················································································································195
User login control ················································································································································196
Password not displayed in any form·················································································································197
Logging·································································································································································197
FIPS compliance ···························································································································································197
Password control configuration task list·····················································································································197
Enabling password control ·········································································································································198
v
Setting global password control parameters ············································································································198
Setting user group password control parameters·····································································································199
Setting local user password control parameters·······································································································200
Setting super password control parameters ··············································································································201
Displaying and maintaining password control ·········································································································202
Password control configuration example ··················································································································202
Network requirements·········································································································································202
Configuration procedure ····································································································································203
Verifying the configuration·································································································································204
Managing public keys············································································································································ 206
Overview·······································································································································································206
FIPS compliance ···························································································································································206
Creating a local key pair ············································································································································207
Configuration guidelines ····································································································································207
Configuration procedure ····································································································································207
Distributing a local host public key ····························································································································208
Exporting a host public key································································································································208
Displaying a host public key······························································································································209
Destroying a local key pair·········································································································································209
Configuring a peer host public key····························································································································210
Importing a peer host public key from a public key file··················································································210
Entering a peer host public key ·························································································································210
Displaying and maintaining public keys ···················································································································211
Examples of public key management ························································································································211
Example for entering a peer host public key····································································································211
Example for importing a public key from a public key file·············································································213
Configuring PKI ······················································································································································· 216
Overview·······································································································································································216
PKI terminology····················································································································································216
PKI architecture····················································································································································217
PKI operation ·······················································································································································218
PKI applications ···················································································································································218
FIPS compliance ···························································································································································218
PKI configuration task list ············································································································································218
Configuring a PKI entity ··············································································································································219
Configuring a PKI domain···········································································································································220
Requesting a certificate ···············································································································································222
Configuration guidelines ····································································································································222
Configuring automatic certificate request·········································································································223
Manually requesting a certificate ······················································································································223
Aborting a certificate request ·····································································································································224
Obtaining certificates ··················································································································································224
Configuration prerequisites ································································································································224
Configuration guidelines ····································································································································225
Configuration procedure ····································································································································225
Verifying PKI certificates··············································································································································225
Verifying certificates with CRL checking ···········································································································226
Verifying certificates without CRL checking ······································································································226
Specifying the storage path for the certificates and CRLs ·······················································································227
Exporting certificates ···················································································································································227
Removing a certificate ·················································································································································228
Configuring a certificate-based access control policy ·····························································································228
Displaying and maintaining PKI ·································································································································229
vi
PKI configuration examples·········································································································································230
Requesting a certificate from an RSA Keon CA server····················································································230
Requesting a certificate from a Windows Server 2003 CA server ·······························································233
Requesting a certificate from an OpenCA server ····························································································236
Certificate import and export configuration example ·····················································································240
Troubleshooting PKI configuration······························································································································245
Failed to obtain the CA certificate·····················································································································245
Failed to obtain local certificates·······················································································································245
Failed to request local certificates ·····················································································································246
Failed to obtain CRLs ··········································································································································247
Failed to import the CA certificate·····················································································································248
Failed to import a local certificate·····················································································································248
Failed to export certificates ································································································································249
Failed to set the storage path·····························································································································249
Configuring IPsec ···················································································································································· 250
Overview·······································································································································································250
Security protocols and encapsulation modes···································································································251
Security association·············································································································································252
Authentication and encryption···························································································································253
IPsec implementation···········································································································································253
Protocols and standards ·····································································································································254
FIPS compliance ···························································································································································254
IPsec tunnel establishment ···········································································································································254
Implementing ACL-based IPsec ···································································································································255
Feature restrictions and guidelines ····················································································································255
ACL-based IPsec configuration task list ·············································································································255
Configuring an ACL ············································································································································256
Configuring an IPsec transform set····················································································································257
Configuring a manual IPsec policy····················································································································258
Configuring an IKE-based IPsec policy ·············································································································260
Applying an IPsec policy to an interface ··········································································································264
Enabling ACL checking for de-encapsulated packets······················································································264
Configuring the IPsec anti-replay function ········································································································265
Configuring IPsec anti-replay redundancy········································································································266
Binding a source interface to an IPsec policy ··································································································266
Enabling QoS pre-classify ··································································································································267
Enabling logging of IPsec packets·····················································································································268
Configuring the DF bit of IPsec packets ············································································································268
Configuring IPsec for IPv6 routing protocols·············································································································269
Configuration task list ·········································································································································269
Configuring a manual IPsec profile···················································································································269
Configuring SNMP notifications for IPsec ·················································································································270
Displaying and maintaining IPsec ······························································································································271
IPsec configuration examples······································································································································272
Configuring a manual mode IPsec tunnel for IPv4 packets ············································································272
Configuring an IKE-based IPsec tunnel for IPv4 packets ·················································································274
Configuring IPsec for RIPng································································································································277
Configuring IKE······················································································································································· 281
Overview·······································································································································································281
IKE negotiation process ······································································································································281
IKE security mechanism·······································································································································282
Protocols and standards ·····································································································································283
FIPS compliance ···························································································································································283
vii
IKE configuration prerequisites ···································································································································283
IKE configuration task list ············································································································································283
Configuring an IKE profile ··········································································································································284
Configuring an IKE proposal ······································································································································286
Configuring an IKE keychain······································································································································287
Configuring the global identity information ··············································································································288
Configuring the IKE keepalive function······················································································································289
Configuring the IKE NAT keepalive function ············································································································289
Configuring IKE DPD····················································································································································290
Enabling invalid SPI recovery ·····································································································································291
Setting the maximum number of IKE SAs···················································································································291
Configuring SNMP notifications for IKE ····················································································································291
Displaying and maintaining IKE·································································································································292
IKE configuration examples ········································································································································292
Main mode IKE with pre-shared key authentication configuration example ················································292
Verifying the configuration·································································································································295
Troubleshooting IKE ·····················································································································································295
IKE negotiation failed because no matching IKE proposals were found·······················································295
IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly·····················296
IPsec SA negotiation failed because no matching IPsec transform sets were found····································296
IPsec SA negotiation failed due to invalid identity information······································································297
Configuring SSH ····················································································································································· 300
Overview·······································································································································································300
How SSH works···················································································································································300
SSH authentication methods·······························································································································301
FIPS compliance ···························································································································································302
Configuring the device as an SSH server··················································································································303
SSH server configuration task list ······················································································································303
Generating local key pairs·································································································································303
Enabling the Stelnet server ·································································································································304
Enabling the SFTP server ····································································································································304
Enabling the SCP server ·····································································································································305
Configuring NETCONF over SSH ·····················································································································305
Configuring user lines for SSH login·················································································································305
Configuring a client's host public key···············································································································306
Configuring an SSH user····································································································································307
Configuring the SSH management parameters ·······························································································308
Configuring the device as an Stelnet client···············································································································310
Stelnet client configuration task list····················································································································310
Specifying the source IP address for SSH packets···························································································310
Establishing a connection to an Stelnet server ·································································································310
Configuring the device as an SFTP client ··················································································································312
SFTP client configuration task list·······················································································································312
Specifying the source IP address for SFTP packets··························································································312
Establishing a connection to an SFTP server ····································································································312
Working with SFTP directories···························································································································314
Working with SFTP files······································································································································314
Displaying help information ·······························································································································314
Terminating the connection with the SFTP server ·····························································································315
Configuring the device as an SCP client ···················································································································315
Displaying and maintaining SSH ·······························································································································317
Stelnet configuration examples···································································································································317
Password authentication enabled Stelnet server configuration example ······················································317
Publickey authentication enabled Stelnet server configuration example·······················································320
viii
Password authentication enabled Stelnet client configuration example························································325
Publickey authentication enabled Stelnet client configuration example························································329
SFTP configuration examples ······································································································································331
Password authentication enabled SFTP server configuration example··························································331
Publickey authentication enabled SFTP client configuration example ···························································334
SCP file transfer with password authentication·········································································································337
Network requirements·········································································································································337
Configuration procedure ····································································································································337
NETCONF over SSH configuration example with password authentication ························································339
Network requirements·········································································································································339
Configuration procedure ····································································································································339
Verifying the configuration·································································································································341
Configuring SSL······················································································································································· 342
Overview·······································································································································································342
SSL security services············································································································································342
SSL protocol stack ···············································································································································342
FIPS compliance ···························································································································································343
SSL configuration task list············································································································································343
Configuring an SSL server policy ·······························································································································343
Configuring an SSL client policy ································································································································344
Displaying and maintaining SSL·································································································································345
Configuring IP source guard ·································································································································· 346
Overview·······································································································································································346
Static IPSG bindings············································································································································347
Dynamic IPSG bindings······································································································································347
IPSG configuration task list ·········································································································································348
Configuring the IPv4SG feature··································································································································348
Enabling IPv4SG on an interface ······················································································································348
Configuring a static IPv4SG binding ················································································································349
Configuring the IPv6SG feature··································································································································349
Enabling IPv6SG on an interface ······················································································································349
Configuring a static IPv6SG binding ················································································································350
Displaying and maintaining IPSG ······························································································································350
IPSG configuration examples······································································································································351
Static IPv4SG configuration example················································································································351
Dynamic IPv4SG using DHCP snooping configuration example ···································································352
Dynamic IPv4SG using DHCP relay configuration example ··········································································353
Static IPv6SG configuration example················································································································354
Dynamic IPv6SG using DHCPv6 snooping configuration example·······························································355
Configuring ARP attack protection························································································································· 357
ARP attack protection configuration task list ·············································································································357
Configuring unresolvable IP attack protection ··········································································································357
Configuring ARP source suppression ················································································································358
Configuring ARP blackhole routing ···················································································································358
Displaying and maintaining unresolvable IP attack protection ······································································358
Configuration example ·······································································································································359
Configuring ARP packet rate limit ······························································································································360
Configuration guidelines ····································································································································360
Configuration procedure ····································································································································360
Configuring source MAC-based ARP attack detection ····························································································361
Configuration procedure ····································································································································361
Displaying and maintaining source MAC-based ARP attack detection·························································361
Configuration example ·······································································································································362
ix
Configuring ARP packet source MAC consistency check························································································363
Configuring ARP active acknowledgement ···············································································································363
Configuring authorized ARP ·······································································································································364
Configuration procedure ····································································································································364
Configuring ARP detection··········································································································································364
Configuring user validity check ·························································································································364
Configuring ARP packet validity check·············································································································365
Configuring ARP restricted forwarding ·············································································································366
Displaying and maintaining ARP detection ······································································································366
User validity check and ARP packet validity check configuration example··················································367
ARP restricted forwarding configuration example ···························································································368
Configuring ARP scanning and fixed ARP ················································································································370
Configuration restrictions and guidelines ·········································································································370
Configuration procedure ····································································································································371
Configuring ARP gateway protection ························································································································371
Configuration guidelines ····································································································································371
Configuration procedure ····································································································································371
Configuration example ·······································································································································372
Configuring ARP filtering·············································································································································372
Configuration guidelines ····································································································································373
Configuration procedure ····································································································································373
Configuration example ·······································································································································373
Configuring MFF ····················································································································································· 375
Overview·······································································································································································375
Basic concepts ·····················································································································································376
MFF operation modes·········································································································································376
MFF working mechanism····································································································································377
Protocols and standards ·····································································································································377
Configuring MFF ··························································································································································377
Enabling MFF·······················································································································································377
Configuring a network port································································································································377
Enabling periodic gateway probe ····················································································································378
Specifying the IP addresses of servers ··············································································································378
Displaying and maintaining MFF ·······························································································································379
MFF configuration examples·······································································································································379
Manual-mode MFF configuration example in a tree network·········································································379
Manual-mode MFF configuration example in a ring network ········································································380
Configuring crypto engines···································································································································· 383
Overview·······································································································································································383
Displaying and maintaining crypto engines ·············································································································383
Configuring FIPS······················································································································································ 384
Overview·······································································································································································384
Configuration restrictions and guidelines··················································································································384
Configuring FIPS mode················································································································································385
Entering FIPS mode ·············································································································································385
Configuration changes in FIPS mode ················································································································386
Exiting FIPS mode················································································································································387
FIPS self-tests ·································································································································································388
Power-up self-tests················································································································································388
Conditional self-tests············································································································································389
Triggering self-tests ··············································································································································389
Displaying and maintaining FIPS ·······························································································································389
FIPS configuration examples·······································································································································390
x
Entering FIPS mode through automatic reboot·································································································390
Entering FIPS mode through manual reboot·····································································································391
Exiting FIPS mode through automatic reboot ···································································································392
Exiting FIPS mode through manual reboot ·······································································································393
Configuring user profiles ········································································································································ 395
Overview·······································································································································································395
Configuration task list ··················································································································································395
Configuration restrictions and guidelines··················································································································395
Creating a user profile ················································································································································395
Configuring parameters for a user profile·················································································································396
Configuring QoS parameters for traffic management ····················································································396
Displaying and maintaining user profiles··················································································································396
User profile configuration examples ··························································································································396
Local 802.1X authentication/authorization with QoS policy configuration example·································396
Configuring attack detection and prevention········································································································ 401
Overview·······································································································································································401
Configuring TCP fragment attack prevention············································································································401
Configuring ND attack defense ····························································································································· 402
Overview·······································································································································································402
Configuring source MAC consistency check for ND packets ·················································································402
Support and other resources ·································································································································· 403
Contacting HP ······························································································································································403
Subscription service ············································································································································403
Related information······················································································································································403
Documents····························································································································································403
Websites·······························································································································································403
Conventions ··································································································································································404
Index ········································································································································································ 406
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights, and controls the users' access to resources
and services. For example, you can permit office users to read and print files and prevent guests
from accessing files on the device.
•Accounting—Records network usage details of users, including the service type, start time, and
traffic. This function enables time-based and traffic-based charging and user behavior auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server (NAS),
which authenticates user identities and controls user access. The server maintains user information
centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The
NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny
the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often
used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company wants
employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an accounting
server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. The protocol can protect networks against unauthorized access and is often
used in network environments that require both high security and remote user access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for
authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support additional
access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication proxy
services.
The RADIUS server maintains the following databases:
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys, which
are preconfigured on the client and server. A RADIUS packet has a 16-byte field called Authenticator.
This field includes a signature generated by using the MD5 algorithm, the shared key, and some other
information. The receiver of the packet verifies the signature and accepts the packet only when the
signature is correct. This mechanism ensures the security of information exchanged between the RADIUS
client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
3
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The
request includes the user's password, which has been processed by the MD5 algorithm and
shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept packet that contains the user's authorization information. If
the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) packet to
the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS
server.
4
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting for
the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure smooth
packet exchange between the RADIUS server and the client. These mechanisms include the timer
mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values
and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and the
server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the server
sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or stop
accounting.
5 Accounting-Respons
e
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to detect
duplicate request packets. The request and response packets of the same exchange process for the
same purpose (such as authentication or accounting) have the same identifier.
5
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code,
Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered
padding and are ignored by the receiver. If the length of a received packet is less than this length,
the packet is dropped.
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and
to encrypt user passwords. There are two types of authenticators: request authenticator and
response authenticator.
•The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
{Type—Type of the attribute.
{Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
{Value—Value of the attribute. Its format and content depend on the Type subfield.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. Attribute No.
Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
6
No. Attribute No.
Attribute
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a
vendor to define extended attributes. The extended attributes implement functions that the standard
RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a sub-attribute encapsulated in attribute 26 consists of the following
parts:
•Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a code
compliant to RFC 1700.
•Vendor-Type—Type of the sub-attribute.
•Vendor-Length—Length of the sub-attribute.
•Vendor-Data—Contents of the sub-attribute.
For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS
sub-attributes."
7
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for
information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the
NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing
authentication and obtaining authorized rights, a user logs in to the device and performs operations. The
HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model, using
shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the primary
differences between HWTACACS and RADIUS.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, which provides reliable network
transmission. Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the HWTACACS
header.
Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization is
independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication process.
Supports authorization of configuration commands.
Access to commands depends on both the user's roles
and authorization. A user can use only commands that
are permitted by the user roles and authorized by the
HWTACACS server.
Does not support authorization of configuration
commands. Access to commands solely depends on
the user's roles. For more information about user roles,
see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for a
Telnet user.
8
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
HWTACACS operates using the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it
receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a
continue-authentication packet that includes the username.
7. The HWTACACS server sends back an authentication response to request the login password.
8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.
Host HWTACACS client HWTACACS server
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
9) The user enters the password
11) Response indicating successful authentication
12) User authorization request packet
13) Response indicating successful authorization
14) The user logs in successfully
15) Start-accounting request
16) Response indicating the start of accounting
17) The user logs off
18) Stop-accounting request
19) Stop-accounting response
10) Continue-authentication packet with the password
Other manuals for FlexFabric 5700 series
4
Table of contents
Other HP Switch manuals
HP
HP A7500 Series User manual
HP
HP Cisco MDS 9216 - Fabric Switch User manual
HP
HP 6125XLG User manual
HP
HP A7533A - Brocade 4Gb SAN Switch Base Service manual
HP
HP 5130 EI Switch Series User manual
HP
HP FlexFabric 5950 Series User manual
HP
HP 262586-B21 - IP Console Switch 3x1x16 KVM User instructions
HP
HP S7500E Instruction Manual
HP
HP HPE 5140 Assembly instructions
HP
HP A7340A - Surestore FC 1Gb/2Gb Switch 16B User manual
HP
HP J9311A Assembly instructions
HP
HP McDATA 4Gb SAN Switch User manual
HP
HP Aruba Instant On 1930 Assembly instructions
HP
HP FlexFabric 7900 Series Installation manual
HP
HP A7340A - Surestore FC 1Gb/2Gb Switch 16B Installation and operating manual
HP
HP SN8000B User manual
HP
HP 1405-16 Specification sheet
HP
HP 489183-B21 - InfiniBand DDR Switch User manual
HP
HP 6125XLG Installation manual
HP
HP 1810-24G User manual
Popular Switch manuals by other brands
Moeller
Moeller +ATEX-I1 installation instructions
Mine Site Technologies
Mine Site Technologies NS40 I.S. user manual
ADTRAN
ADTRAN NetVanta 1524ST Specification sheet
GarrettCom
GarrettCom Ethernet Networks and Web Management brochure
Comnet
Comnet CNFE4SMSPOE Installation and operation manual
RDL
RDL RACK-UP Series quick start guide
