Hpe Flexnetwork hsr6600 User manual

HPE FlexNetwork HSR6600 Routers

Comware 7 Security Configuration Guide

Part number: 5200-3483

Software version: HSR6602-CMW710-R7607

Document version: 6W100-20170412

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard

Enterprise products and services are set forth in the express warranty statements accompanying such

products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett

Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or

copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s

standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard

Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise

website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the

United States and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries.

Adobe® andAcrobat® are trademarks ofAdobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

Configuring AAA ··············································································1

Overview··································································································································1

RADIUS ····························································································································2

HWTACACS ······················································································································6

LDAP································································································································9

AAA implementation on the device························································································12

AAA for MPLS L3VPNs ······································································································14

Protocols and standards ·····································································································14

RADIUS attributes·············································································································14

FIPS compliance······················································································································17

AAA configuration considerations and task list ···············································································17

Configuring AAA schemes ·········································································································19

Configuring local users·······································································································19

Configuring RADIUS schemes ·····························································································26

Configuring HWTACACS schemes························································································36

Configuring LDAP schemes·································································································43

Configuring AAA methods for ISP domains····················································································47

Configuration prerequisites··································································································47

Creating an ISP domain······································································································47

Configuring ISP domain attributes·························································································48

Configuring authentication methods for an ISP domain······························································50

Configuring authorization methods for an ISP domain ·······························································52

Configuring accounting methods for an ISP domain··································································54

Configuring the RADIUS session-control feature·············································································56

Configuring the RADIUS DAS feature···························································································56

Changing the DSCP priority for RADIUS packets············································································57

Setting the maximum number of concurrent login users····································································57

Configuring a NAS-ID profile ······································································································58

Configuring the device ID···········································································································58

Displaying and maintaining AAA··································································································58

AAA configuration examples·······································································································59

Authentication and authorization for SSH users by a RADIUS server············································59

Local authentication and authorization for SSH users································································62

AAA for SSH users by an HWTACACS server·········································································63

Authentication for SSH users by an LDAP server ·····································································65

Authentication and authorization for SSL VPN users by an LDAP server·······································70

AAA for PPP users by an HWTACACS server·········································································75

Local guest configuration and management example································································76

Troubleshooting RADIUS···········································································································78

RADIUS authentication failure······························································································78

RADIUS packet delivery failure ····························································································79

RADIUS accounting error····································································································79

Troubleshooting HWTACACS·····································································································80

Troubleshooting LDAP··············································································································80

LDAP authentication failure ·································································································80

Configuring portal authentication ·······················································82

Overview································································································································82

Extended portal functions····································································································82

Portal system components ··································································································82

Portal system using the local portal Web server·······································································84

Interaction between portal system components········································································84

Portal authentication modes ································································································85

Portal support for EAP········································································································85

Portal authentication process·······························································································86

Portal filtering rules············································································································88

Restrictions and guidelines ········································································································88

Portal configuration task list········································································································89

Configuration prerequisites ········································································································90

Configuring a portal authentication server ·····················································································90

Configuring a portal Web server··································································································91

Enabling portal authentication·····································································································92

Configuration restrictions and guidelines ················································································93

Configuration procedure ·····································································································93

Specifying a portal Web server ···································································································93

Controlling portal user access·····································································································94

Configuring a portal-free rule ·······························································································94

Configuring an authentication source subnet···········································································95

Configuring an authentication destination subnet······································································96

Setting the maximum number of portal users···········································································97

Specifying a portal authentication domain···············································································97

Specifying a preauthentication domain···················································································98

Specifying a preauthentication IP address pool for portal users ···················································99

Enabling strict-checking on portal authorization information······················································ 100

Enabling portal authentication only for DHCP users································································ 100

Enabling outgoing packets filtering on a portal-enabled interface ··············································· 100

Configure support of dual stack for portal authentication·························································· 101

Configuring portal detection features·························································································· 101

Configuring online detection of portal users··········································································· 101

Configuring portal authentication server detection ·································································· 102

Configuring portal Web server detection··············································································· 103

Configuring portal user synchronization················································································ 104

Configuring the portal fail-permit feature ····················································································· 105

Configuring the BAS-IP or BAS-IPv6 attribute ·············································································· 105

Specifying a format for the NAS-Port-Id attribute··········································································· 106

Specifying the device ID·········································································································· 106

Enabling portal roaming··········································································································· 107

Logging out online portal users ································································································· 107

Disabling traffic accounting for portal users·················································································· 108

Configuring Web redirect········································································································· 108

Applying a NAS-ID profile to an interface ···················································································· 108

Configuring the local portal Web server feature ············································································ 109

Customizing authentication pages······················································································· 109

Configuring a local portal Web server ·················································································· 111

Enabling ARP or ND entry conversion for portal clients···························································· 112

Configuring HTTPS redirect ····································································································· 112

Configuring portal safe-redirect································································································· 113

Configuring the captive-bypass feature······················································································· 114

Excluding an attribute from portal protocol packets········································································ 115

Enabling portal logging············································································································ 115

Configuring portal support for third-party authentication·································································· 116

Editing buttons and pages for third-party authentication··························································· 116

Configuring a third-party authentication server······································································· 117

Specifying an authentication domain for third-party authentication ············································· 118

Configuring portal temporary pass····························································································· 119

Configure the portal authentication monitoring feature···································································· 119

Displaying and maintaining portal······························································································ 120

Portal configuration examples··································································································· 122

Configuring direct portal authentication ················································································ 122

Configuring re-DHCP portal authentication············································································ 127

Configuring cross-subnet portal authentication······································································· 131

Configuring extended direct portal authentication ··································································· 134

Configuring extended re-DHCP portal authentication ······························································ 137

Configuring extended cross-subnet portal authentication ························································· 141

Configuring portal server detection and portal user synchronization ··········································· 145

Configuring cross-subnet portal authentication for MPLS L3VPNs ············································· 151

Configuring direct portal authentication with a preauthentication domain ····································· 153

Configuring re-DHCP portal authentication with a preauthentication domain································· 155

Configuring direct portal authentication using the local portal Web server···································· 157

iii

Troubleshooting portal ············································································································ 160

No portal authentication page is pushed for users ·································································· 160

Cannot log out portal users on the access device··································································· 160

Cannot log out portal users on the RADIUS server ································································· 161

Users logged out by the access device still exist on the portal authentication server ······················ 161

Re-DHCP portal authenticated users cannot log in successfully ················································ 162

Configuring user profiles································································ 163

Overview······························································································································ 163

Configuration restrictions and guidelines····················································································· 163

Configuring a user profile········································································································· 163

Displaying and maintaining user profiles ····················································································· 164

Configuring password control·························································· 165

Overview······························································································································ 165

Password setting············································································································· 165

Password updating and expiration ······················································································ 166

User login control ············································································································ 167

Password not displayed in any form ···················································································· 167

Logging························································································································· 167

FIPS compliance···················································································································· 168

Password control configuration task list ······················································································ 168

Enabling password control······································································································· 168

Setting global password control parameters················································································· 169

Setting user group password control parameters ·········································································· 170

Setting local user password control parameters············································································ 171

Setting super password control parameters ················································································· 171

Displaying and maintaining password control··············································································· 172

Password control configuration example····················································································· 172

Network requirements ······································································································ 172

Configuration procedure ··································································································· 173

Verifying the configuration································································································· 174

Configuring keychains··································································· 176

Overview······························································································································ 176

Configuration procedure·········································································································· 176

Displaying and maintaining keychain·························································································· 176

Keychain configuration example································································································ 177

Network requirements ······································································································ 177

Configuration procedure ··································································································· 177

Verifying the configuration································································································· 178

Managing public keys···································································· 182

Overview······························································································································ 182

FIPS compliance···················································································································· 182

Public key configuration task list································································································ 182

Creating a local key pair·········································································································· 183

Distributing a local host public key····························································································· 184

Exporting a host public key································································································ 184

Displaying a host public key······························································································· 185

Destroying a local key pair······································································································· 185

Configuring a peer host public key····························································································· 185

Importing a peer host public key from a public key file ····························································· 186

Entering a peer host public key ·························································································· 186

Displaying and maintaining public keys······················································································· 186

Examples of public key management ························································································· 187

Example for entering a peer host public key·········································································· 187

Example for importing a public key from a public key file·························································· 189

Configuring PKI ··········································································· 192

Overview······························································································································ 192

PKI terminology ·············································································································· 192

PKI architecture ·············································································································· 193

PKI operation ················································································································· 193

PKI applications·············································································································· 194

Support for MPLS L3VPN ································································································· 194

FIPS compliance···················································································································· 195

PKI configuration task list········································································································· 195

Configuring a PKI entity··········································································································· 195

Configuring a PKI domain········································································································ 196

Requesting a certificate··········································································································· 198

Configuration guidelines ··································································································· 199

Configuring automatic certificate request·············································································· 199

Manually requesting a certificate························································································· 200

Aborting a certificate request···································································································· 200

Obtaining certificates ·············································································································· 201

Configuration prerequisites································································································ 201

Configuration guidelines ··································································································· 201

Configuration procedure ··································································································· 201

Verifying PKI certificates·········································································································· 202

Verifying certificates with CRL checking ··············································································· 202

Verifying certificates without CRL checking··········································································· 203

Specifying the storage path for the certificates and CRLs ······························································· 203

Exporting certificates ·············································································································· 204

Removing a certificate············································································································· 204

Configuring a certificate-based access control policy ····································································· 205

Displaying and maintaining PKI································································································· 206

PKI configuration examples······································································································ 206

Requesting a certificate from an RSA Keon CA server ···························································· 206

Requesting a certificate from a Windows Server 2003 CA server··············································· 209

Requesting a certificate from an OpenCA server···································································· 212

IKE negotiation with RSA digital signature from a Windows Server 2003 CA server······················· 215

Certificate import and export configuration example································································ 218

Troubleshooting PKI configuration····························································································· 223

Failed to obtain the CA certificate ······················································································· 223

Failed to obtain local certificates························································································· 224

Failed to request local certificates ······················································································· 224

Failed to obtain CRLs······································································································· 225

Failed to import the CA certificate ······················································································· 226

Failed to import a local certificate························································································ 226

Failed to export certificates································································································ 227

Failed to set the storage path····························································································· 227

Configuring IPsec········································································· 229

Overview······························································································································ 229

Security protocols and encapsulation modes········································································· 229

Security association········································································································· 231

Authentication and encryption ···························································································· 231

IPsec implementation······································································································· 232

IPsec RRI······················································································································ 234

Protocols and standards ··································································································· 235

FIPS compliance···················································································································· 235

IPsec tunnel establishment ······································································································ 236

Implementing ACL-based IPsec································································································ 236

Configuring an ACL ········································································································· 237

Configuring an IPsec transform set ····················································································· 240

Configuring a manual IPsec policy ······················································································ 242

Configuring an IKE-based IPsec policy················································································· 244

Applying an IPsec policy to an interface ··············································································· 248

Enabling ACL checking for de-encapsulated packets ······························································ 249

Configuring IPsec anti-replay ····························································································· 249

Configuring IPsec anti-replay redundancy············································································· 250

Binding a source interface to an IPsec policy········································································· 250

Enabling QoS pre-classify ································································································· 251

Enabling logging for IPsec packets······················································································ 252

Configuring the DF bit of IPsec packets················································································ 252

Configuring IPsec RRI······································································································ 253

Configuring IPsec for IPv6 routing protocols ················································································ 254

Configuration task list······································································································· 254

Configuring a manual IPsec profile······················································································ 254

Configuring IPsec for tunnels···································································································· 255

Configuration task list······································································································· 255

Configuring an IKE-based IPsec profile················································································ 256

Applying an IKE-based IPsec profile to a tunnel interface························································· 257

Configuring SNMP notifications for IPsec···················································································· 257

Configuring IPsec fragmentation ······························································································· 258

Setting the maximum number of IPsec tunnels············································································· 258

Enabling logging for IPsec negotiation························································································ 258

Displaying and maintaining IPsec······························································································ 259

IPsec configuration examples··································································································· 259

Configuring a manual mode IPsec tunnel for IPv4 packets ······················································· 259

Configuring an IKE-based IPsec tunnel for IPv4 packets·························································· 262

Configuring an IKE-based IPsec tunnel for IPv6 packets·························································· 266

Configuring IPsec for RIPng ······························································································ 270

Configuring IPsec RRI······································································································ 273

Configuring IKE ··········································································· 278

Overview······························································································································ 278

IKE negotiation process···································································································· 278

IKE security mechanism ··································································································· 280

Protocols and standards ··································································································· 280

FIPS compliance···················································································································· 281

IKE configuration prerequisites ································································································· 281

IKE configuration task list········································································································· 281

Configuring an IKE profile········································································································ 281

Configuring an IKE proposal····································································································· 284

Configuring an IKE keychain ···································································································· 285

Configuring the global identity information ··················································································· 286

Configuring the IKE keepalive feature························································································· 287

Configuring the IKE NAT keepalive feature·················································································· 287

Configuring IKE DPD·············································································································· 287

Enabling invalid SPI recovery ··································································································· 288

Setting the maximum number of IKE SAs···················································································· 289

Configuring an IKE IPv4 address pool ························································································ 289

Configuring SNMP notifications for IKE······················································································· 289

Enabling logging for IKE negotiation··························································································· 290

Displaying and maintaining IKE································································································· 290

IKE configuration examples······································································································ 291

Main mode IKE with pre-shared key authentication configuration example··································· 291

Aggressive mode with RSA signature authentication configuration example································· 295

Aggressive mode with NAT traversal configuration example ····················································· 302

IKE remote extended authentication configuration example······················································ 306

IKE local extended authentication and address pool authorization configuration example ··············· 309

Troubleshooting IKE··············································································································· 313

IKE negotiation failed because no matching IKE proposals were found······································· 313

IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·············· 314

IPsec SA negotiation failed because no matching IPsec transform sets were found······················· 315

IPsec SA negotiation failed due to invalid identity information ··················································· 315

Configuring IKEv2 ········································································ 318

Overview······························································································································ 318

IKEv2 negotiation process································································································· 318

New features in IKEv2······································································································ 319

Protocols and standards ··································································································· 319

IKEv2 configuration task list ····································································································· 319

Configuring an IKEv2 profile····································································································· 320

Configuring an IKEv2 policy ····································································································· 323

Configuring an IKEv2 proposal·································································································· 324

Configuring an IKEv2 keychain ································································································· 325

Configure global IKEv2 parameters···························································································· 326

Enabling the cookie challenging feature ··············································································· 326

Configuring the IKEv2 DPD feature ····················································································· 326

Configuring the IKEv2 NAT keepalive feature········································································ 327

Configuring IKEv2 address pools························································································ 327

Displaying and maintaining IKEv2······························································································ 327

IKEv2 configuration examples··································································································· 328

IKEv2 with pre-shared key authentication configuration example ··············································· 328

IKEv2 with RSA signature authentication configuration example················································ 333

IKEv2 with NAT traversal configuration example ···································································· 341

Troubleshooting IKEv2············································································································ 346

IKEv2 negotiation failed because no matching IKEv2 proposals were found································· 346

IPsec SA negotiation failed because no matching IPsec transform sets were found······················· 346

IPsec tunnel establishment failed························································································ 347

Configuring group domain VPN······················································· 348

Overview······························································································································ 348

Group domain VPN structure ····························································································· 348

Group domain VPN establishment ······················································································ 349

Protocols and standards ··································································································· 350

FIPS compliance···················································································································· 351

Configuration restrictions and guidelines····················································································· 351

Configuring a GDOI GM ·········································································································· 351

GDOI GM configuration task list ························································································· 351

Configuring a GDOI GM group ··························································································· 351

Configuring a GDOI IPsec policy ························································································ 353

Applying a GDOI IPsec policy to an interface········································································· 354

Displaying and maintaining GDOI GM·················································································· 354

Group domain VPN configuration example ·················································································· 355

Network requirements ······································································································ 355

Configuration prerequisites and guidelines············································································ 356

Configuration procedure ··································································································· 356

Verifying the configuration································································································· 365

Configuring SSH·········································································· 372

Overview······························································································································ 372

How SSH works·············································································································· 372

SSH authentication methods······························································································ 373

FIPS compliance···················································································································· 374

Configuring the device as an SSH server···················································································· 374

SSH server configuration task list ······················································································· 374

Generating local key pairs································································································· 375

Specifying the SSH service port ························································································· 376

Enabling the Stelnet server································································································ 376

Enabling the SFTP server ································································································· 376

Enabling the SCP server··································································································· 377

Enabling NETCONF over SSH··························································································· 377

Configuring the user lines for SSH login ··············································································· 377

Configuring a client's host public key ··················································································· 378

Configuring an SSH user ·································································································· 379

Configuring the SSH management parameters······································································ 380

Configuring the device as an Stelnet client ·················································································· 381

Stelnet client configuration task list······················································································ 381

Generating local key pairs································································································· 381

Specifying the source IP address for SSH packets ································································· 382

Establishing a connection to an Stelnet server······································································· 382

Configuring the device as an SFTP client···················································································· 384

SFTP client configuration task list ······················································································· 384

Generating local key pairs································································································· 384

vii

Specifying the source IP address for SFTP packets································································ 384

Establishing a connection to an SFTP server········································································· 385

Working with SFTP directories ··························································································· 386

Working with SFTP files···································································································· 387

Displaying help information································································································ 387

Terminating the connection with the SFTP server··································································· 387

Configuring the device as an SCP client ····················································································· 387

SCP client configuration task list························································································· 387

Generating local key pairs································································································· 388

Establishing a connection to an SCP server·········································································· 388

Specifying algorithms for SSH2································································································· 390

Specifying key exchange algorithms for SSH2······································································· 390

Specifying public key algorithms for SSH2············································································ 391

Specifying encryption algorithms for SSH2············································································ 391

Specifying MAC algorithms for SSH2··················································································· 392

Displaying and maintaining SSH ······························································································· 392

Stelnet configuration examples ································································································· 392

Configuring the device as an Stelnet server (password authentication) ······································· 393

Configuring the device as an Stelnet server (publickey authentication)········································ 395

Configuring the device as an Stelnet client (password authentication)········································· 401

Configuring the device as an Stelnet client (publickey authentication)········································· 404

SFTP configuration examples··································································································· 407

Configuring the device as an SFTP server (password authentication)········································· 407

Configuring the device as an SFTP client (publickey authentication)··········································· 409

Configuring SCP with password authentication············································································· 412

Network requirements ······································································································ 412

Configuration procedure ··································································································· 413

Configuring NETCONF over SSH with password authentication······················································· 414

Network requirements ······································································································ 414

Configuration procedure ··································································································· 415

Verifying the configuration································································································· 416

Configuring SSL··········································································· 419

Overview······························································································································ 419

SSL security services······································································································· 419

SSL protocol stack··········································································································· 419

FIPS compliance···················································································································· 420

SSL configuration task list········································································································ 420

Configuring an SSL server policy······························································································· 420

Configuring an SSL client policy································································································ 422

Displaying and maintaining SSL································································································ 423

Configuring SSL VPN···································································· 424

Overview······························································································································ 424

SSL VPN operating mechanism ························································································· 424

SSL VPN networking modes······························································································ 425

SSL VPN access modes··································································································· 426

Resource access control··································································································· 429

VRF-aware SSL VPN······································································································· 430

Restrictions and guidelines: SSL VPN configuration ······································································ 431

SSL VPN configuration task list································································································· 431

Configuring an SSL VPN gateway ····························································································· 432

Configuring an SSL VPN context······························································································· 433

Configuring an SSL VPN policy group ························································································ 434

Configuring a URI ACL············································································································ 434

Configuring Web access service resources ················································································· 435

Creating Web access service resources··············································································· 435

Configuring a file policy····································································································· 436

Configuring TCP access service resources·················································································· 436

Configuring IP access service resources····················································································· 437

Specifying an EMO server for mobile clients················································································ 439

Specifying a message server for mobile clients ············································································ 439

viii

Configuring SSL VPN access control ························································································· 439

About SSL VPN access control ·························································································· 439

Restrictions and guidelines································································································ 441

Procedure······················································································································ 441

Configuring VRF-aware SSL VPN ····························································································· 442

Associating an SSL VPN context with a VPN instance····························································· 442

Specifying a VPN instance for an SSL VPN gateway ······························································ 442

Configuring HTTP redirection ··································································································· 443

Customizing SSL VPN webpages······························································································ 443

Configuring SSL VPN user control····························································································· 443

Enabling SSL VPN logging······································································································· 444

Enabling IMC SMS message authentication ················································································ 444

Displaying and maintaining SSL VPN························································································· 445

SSL VPN configuration examples······························································································ 445

Web access configuration example ····················································································· 445

TCP access configuration example ····················································································· 450

IP access configuration example ························································································ 455

Configuring ASPF ········································································ 459

Overview······························································································································ 459

ASPF basic concepts······································································································· 459

ASPF inspections············································································································ 460

ASPF configuration restrictions and guidelines············································································· 462

ASPF configuration task list······································································································ 462

Configuring an ASPF policy······································································································ 462

About ASPF inspection for application layer protocols····························································· 462

Procedure······················································································································ 462

Applying an ASPF policy to an interface······················································································ 463

Applying an ASPF policy to a zone pair ······················································································ 463

Enabling ICMP error message sending for packet dropping by security policies applied to zone pairs······ 464

Displaying and maintaining ASPF······························································································ 464

ASPF configuration examples··································································································· 465

ASPF FTP application inspection configuration example·························································· 465

ASPF TCP application inspection configuration example ························································· 466

ASPF H.323 application inspection configuration example ······················································· 467

ASPF application to a zone pair configuration example···························································· 469

Configuring APR·········································································· 471

Overview······························································································································ 471

PBAR ··························································································································· 471

NBAR ··························································································································· 471

Application group ············································································································ 471

APR signature database management················································································· 472

APR configuration task list ······································································································· 472

Configuring PBAR·················································································································· 473

Configuring a user-defined NBAR rule························································································ 473

Configuring application groups·································································································· 474

Enabling application statistics on an interface ·············································································· 475

Managing the APR signature database······················································································· 475

Scheduling an automatic update for the APR signature database ·············································· 476

Triggering an automatic update for the APR signature database················································ 476

Performing a manual update for the APR signature database ··················································· 477

Rolling back the APR signature database············································································· 477

Displaying and maintaining APR ······························································································· 477

APR configuration examples ···································································································· 478

PBAR configuration example ····························································································· 478

NBAR configuration example ····························································································· 479

Managing sessions······································································· 481

Overview······························································································································ 481

Session management operation ························································································· 481

Session management functions·························································································· 482

Session management task list ·································································································· 482

Setting the session aging time for different protocol states······························································ 482

Setting the session aging time for different application layer protocols or applications··························· 483

Specifying persistent sessions·································································································· 484

Enabling session statistics collection for software fast forwarding····················································· 485

Enabling top session statistics ·································································································· 485

Specifying the loose mode for session state machine ···································································· 486

Configuring session logging ····································································································· 486

Displaying and maintaining session management ········································································· 487

Configuring connection limits·························································· 491

Overview······························································································································ 491

Connection limit configuration task list························································································ 491

Creating a connection limit policy ······························································································ 491

Configuring the connection limit policy························································································ 492

Applying the connection limit policy···························································································· 493

Displaying and maintaining connection limits ··············································································· 494

Connection limit configuration example······················································································· 494

Troubleshooting connection limits······························································································ 496

ACLs in the connection limit rules with overlapping segments ··················································· 496

Configuring object groups ······························································ 498

Overview······························································································································ 498

Configuring an IPv4 address object group ··················································································· 498

Configuring an IPv6 address object group ··················································································· 498

Configuring a port object group································································································· 499

Configuring a service object group····························································································· 499

Renaming an object group······································································································· 500

Displaying and maintaining object groups···················································································· 500

Configuring object policies ····························································· 501

Overview······························································································································ 501

Object policy rules·················································································································· 501

Rule numbering ·············································································································· 501

Rule match order············································································································· 501

Object policy configuration task list ···························································································· 501

Configuration prerequisites ······································································································ 502

Creating object policies ··········································································································· 502

Creating an IPv4 object policy···························································································· 502

Creating an IPv6 object policy···························································································· 502

Configuring object policy rules ·································································································· 502

Configuring an IPv4 object policy rule ·················································································· 502

Configuring an IPv6 object policy rule ·················································································· 503

Applying object policies to zone pairs························································································· 504

Changing the rule match order·································································································· 505

Enabling rule matching acceleration··························································································· 505

Displaying and maintaining object policies··················································································· 505

Object policy configuration example··························································································· 506

Network requirements ······································································································ 506

Configuration procedure ··································································································· 506

Verifying the configuration································································································· 508

Configuring attack detection and prevention······································· 509

Overview······························································································································ 509

Attacks that the device can prevent···························································································· 509

Single-packet attacks······································································································· 509

Scanning attacks············································································································· 510

Flood attacks·················································································································· 511

TCP fragment attack········································································································ 512

Login dictionary attack······································································································ 512

Whitelist······························································································································· 512

Address object group whitelist···························································································· 512

Client verification ··················································································································· 512

TCP client verification······································································································· 512

DNS client verification ······································································································ 515

HTTP client verification····································································································· 515

Attack detection and prevention configuration task list···································································· 516

Configuring an attack defense policy·························································································· 517

Creating an attack defense policy ······················································································· 517

Configuring a single-packet attack defense policy··································································· 517

Configuring a scanning attack defense policy ········································································ 519

Configuring a flood attack defense policy·············································································· 519

Configuring attack detection exemption················································································ 524

Applying an attack defense policy to an interface ··································································· 524

Applying an attack defense policy to the device ····································································· 525

Applying an attack defense policy to a security zone······························································· 525

Enabling log non-aggregation for single-packet attack events ··················································· 526

Configuring TCP fragment attack prevention················································································ 526

Enabling the top attack statistics ranking feature··········································································· 526

Configuring TCP client verification····························································································· 527

Configuring DNS client verification····························································································· 527

Configuring HTTP client verification ··························································································· 528

Configuring the address object group whitelist·············································································· 529

Enabling the login delay ·········································································································· 529

Displaying and maintaining attack detection and prevention···························································· 530

Attack detection and prevention configuration examples································································· 534

Address object group whitelist configuration example······························································ 534

Interface-based TCP client verification configuration example··················································· 535

Security zone-based TCP client verification configuration example ············································ 536

Interface-based DNS client verification configuration example··················································· 537

Security zone-based DNS client verification configuration example ············································ 538

Interface-based HTTP client verification configuration example ················································· 540

Security zone-based HTTP client verification configuration example··········································· 541

Configuring ARP attack protection ··················································· 543

ARP attack protection configuration task list ················································································ 543

Configuring unresolvable IP attack protection··············································································· 543

Configuring ARP source suppression··················································································· 544

Configuring ARP blackhole routing······················································································ 544

Displaying and maintaining unresolvable IP attack protection···················································· 544

Configuration example······································································································ 545

Configuring ARP packet rate limit······························································································ 545

Configuration guidelines ··································································································· 546

Configuration procedure ··································································································· 546

Configuring source MAC-based ARP attack detection···································································· 546

Configuration procedure ··································································································· 547

Displaying and maintaining source MAC-based ARP attack detection········································· 547

Configuration example······································································································ 548

Configuring ARP packet source MAC consistency check································································ 549

Configuring ARP active acknowledgement ·················································································· 549

Configuring authorized ARP····································································································· 549

Configuration procedure ··································································································· 549

Configuration example (on a DHCP server)··········································································· 550

Configuration example (on a DHCP relay agent)···································································· 551

Configuring ARP scanning and fixed ARP ··················································································· 552

Configuration restrictions and guidelines ·············································································· 552

Configuration procedure ··································································································· 553

Configuring ND attack defense························································ 554

Overview······························································································································ 554

Configuring source MAC consistency check for ND messages························································· 554

Configuring uRPF········································································· 555

Overview······························································································································ 555

uRPF check modes ········································································································· 555

Features························································································································ 555

uRPF operation··············································································································· 556

Network application ········································································································· 559

Enabling uRPF······················································································································ 559

Displaying and maintaining uRPF······························································································ 560

uRPF configuration examples··································································································· 560

uRPF configuration example for interfaces············································································ 560

uRPF configuration example for security zones······································································ 561

Configuring IPv6 uRPF·································································· 563

Overview······························································································································ 563

IPv6 uRPF check modes··································································································· 563

Features························································································································ 563

IPv6 uRPF operation········································································································ 564

Network application ········································································································· 565

Enabling IPv6 uRPF ··············································································································· 566

Displaying and maintaining IPv6 uRPF······················································································· 566

IPv6 uRPF configuration examples···························································································· 567

IPv6 uRPF configuration example for interfaces····································································· 567

IPv6 uRPF configuration example for security zones······························································· 568

Configuring crypto engines····························································· 569

Overview······························································································································ 569

Displaying and maintaining crypto engines·················································································· 569

Configuring FIPS·········································································· 570

Overview······························································································································ 570

Configuration restrictions and guidelines····················································································· 570

Configuring FIPS mode··········································································································· 571

Entering FIPS mode········································································································· 571

Configuration changes in FIPS mode··················································································· 572

Exiting FIPS mode··········································································································· 573

FIPS self-tests······················································································································· 574

Power-up self-tests·········································································································· 574

Conditional self-tests········································································································ 574

Triggering self-tests ········································································································· 575

Displaying and maintaining FIPS······························································································· 575

FIPS configuration examples···································································································· 575

Entering FIPS mode through automatic reboot······································································· 575

Entering FIPS mode through manual reboot·········································································· 576

Exiting FIPS mode through automatic reboot········································································· 578

Exiting FIPS mode through manual reboot············································································ 578

Configuring SMA·········································································· 580

Overview······························································································································ 580

SMA components············································································································ 580

SMA processes for packets ······························································································· 581

SMA configuration procedure ··································································································· 581

Displaying and maintaining SMA······························································································· 582

SMA configuration example······································································································ 582

Document conventions and icons ···················································· 585

Conventions ························································································································· 585

Network topology icons ··········································································································· 586

Support and other resources ·························································· 587

Accessing Hewlett Packard Enterprise Support ············································································ 587

Accessing updates················································································································· 587

Websites ······················································································································· 588

Customer self repair········································································································· 588

Remote support ·············································································································· 588

xii

Documentation feedback ·································································································· 588

Index························································································· 590

Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. This feature specifies the following security functions:

•Authentication—Identifies users and verifies their validity.

•Authorization—Grants different users different rights, and controls the users' access to

resources and services. For example, you can permit office users to read and print files and

prevent guests from accessing files on the device.

•Accounting—Records network usage details of users, including the service type, start time,

and traffic. This function enables time-based and traffic-based charging and user behavior

auditing.

AAA uses a client/server model. The client runs on the access device, or the network access server

(NAS), which authenticates user identities and controls user access. The server maintains user

information centrally. See Figure 1.

Figure 1 AAA network diagram

To access networks or resources beyond the NAS, a user sends its identity information to the NAS.

The NAS transparently passes the user information toAAA servers and waits for the authentication,

authorization, and accounting result. Based on the result, the NAS determines whether to permit or

deny the access request.

AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most

often used.

The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different

servers to implement different security functions. For example, you can use the HWTACACS server

for authentication and authorization, and use the RADIUS server for accounting.

You can choose the security functions provided by AAA as needed. For example, if your company

wants employees to be authenticated before they access specific resources, you would deploy an

authentication server. If network usage information is needed, you would also configure an

accounting server.

The device performs dynamic password authentication.

Remote user NAS RADIUS server

HWTACACS server

Internet

Network

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction

protocol that uses a client/server model. The protocol can protect networks against unauthorized

access and is often used in network environments that require both high security and remote user

access.

The RADIUS authorization process is combined with the RADIUS authentication process, and user

authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812

for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access, and has been extended to support

additional access methods, such as Ethernet andADSL.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

The RADIUS server runs on the computer or workstation at the network center and maintains

information related to user authentication and network service access.

The RADIUS server operates using the following process:

1. Receives authentication, authorization, and accounting requests from RADIUS clients.

2. Performs user authentication, authorization, or accounting.

3. Returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

The RADIUS server can also act as the client of another RADIUS server to provide authentication

proxy services.

The RADIUS server maintains the following databases:

•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP

addresses.

•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•Dictionary—Stores RADIUS protocol attributes and their values.

Figure 2 RADIUS server databases

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys,

which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called

Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,

and some other information. The receiver of the packetverifies the signature and accepts the packet

only when the signature is correct. This mechanism ensures the security of information exchanged

between the RADIUS client and server.

The shared keys are also used to encrypt user passwords that are included in RADIUS packets.

User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.

Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS uses in the following workflow:

1. The host sends a connection request that includes the user's username and password to the

RADIUS client.

2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.

The request includes the user's password, which has been processed by the MD5 algorithm

and shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds,

the server sends back an Access-Accept packet that contains the user's authorization

information. If the authentication fails, the server returns an Access-Reject packet.

4. The RADIUS client permits or denies the user according to the authentication result. If the result

permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)

packet to the RADIUS server.

5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection.

8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the

RADIUS server.

9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting

for the user.

10. The RADIUS client notifies the user of the termination.

RADIUS packet format

RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure

smooth packet exchange between the RADIUS server and the client. These mechanisms include the

timer mechanism, the retransmission mechanism, and the backup server mechanism.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main

values and their meanings.

Table 1 Main values of the Code field

Code Packet type Description

1 Access-Request

From the client to the server. A packet of this type includes user

information for the server to authenticate the user. It must contain the

User-Name attribute and can optionally contain the attributes of

NAS-IP-Address, User-Password, and NAS-Port.

2 Access-Accept

From the server to the client. If all attribute values included in the

Access-Request are acceptable, the authentication succeeds, and

the server sends an Access-Accept response.

3 Access-Reject

From the server to the client. If any attribute value included in the

Access-Request is unacceptable, the authentication fails, and the

server sends an Access-Reject response.

4 Accounting-Reques

From the client to the server. A packet of this type includes user

information for the server to start or stop accounting for the user. The

Acct-Status-Type attribute in the packet indicates whether to start or

stop accounting.

5 Accounting-Respon

From the server to the client. The server sends a packet of this type to

notify the client that it has received the Accounting-Request and has

successfully recorded the accounting information.

•The Identifier field (1 byte long) is used to match response packets with request packets and to

detect duplicate request packets. The request and response packets of the same exchange

process for the same purpose (such as authentication or accounting) have the same identifier.

•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the

Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are

considered padding and are ignored by the receiver. If the length of a received packet is less

than this length, the packet is dropped.

•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS

server and to encrypt user passwords. There are two types of authenticators: request

authenticator and response authenticator.

•The Attributes field (variable in length) includes authentication, authorization, and accounting

information. This field can contain multiple attributes, each with the following subfields:

{Type—Type of the attribute.

{Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.

{Value—Value of the attribute. Its format and content depend on the Type subfield.

Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC

2868. For more information, see "Commonly used standard RADIUS attributes."

Table 2 Commonly used RADIUS attributes

No. Attribute No. Attribute

1 User-Name 45 Acct-Authentic

2 User-Password 46 Acct-Session-Time

3 CHAP-Password 47 Acct-Input-Packets

4 NAS-IP-Address 48 Acct-Output-Packets

5 NAS-Port 49 Acct-Terminate-Cause

6 Service-Type 50 Acct-Multi-Session-Id

7 Framed-Protocol 51 Acct-Link-Count

8 Framed-IP-Address 52 Acct-Input-Gigawords

9 Framed-IP-Netmask 53 Acct-Output-Gigawords

10 Framed-Routing 54 (unassigned)

11 Filter-ID 55 Event-Timestamp

12 Framed-MTU 56-59 (unassigned)

13 Framed-Compression 60 CHAP-Challenge

14 Login-IP-Host 61 NAS-Port-Type

15 Login-Service 62 Port-Limit

16 Login-TCP-Port 63 Login-LAT-Port

17 (unassigned) 64 Tunnel-Type

18 Reply-Message 65 Tunnel-Medium-Type

19 Callback-Number 66 Tunnel-Client-Endpoint

20 Callback-ID 67 Tunnel-Server-Endpoint

21 (unassigned) 68 Acct-Tunnel-Connection

22 Framed-Route 69 Tunnel-Password

23 Framed-IPX-Network 70 ARAP-Password

24 State 71 ARAP-Features

25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security

27 Session-Timeout 74 ARAP-Security-Data

28 Idle-Timeout 75 Password-Retry

29 Termination-Action 76 Prompt

30 Called-Station-Id 77 Connect-Info

31 Calling-Station-Id 78 Configuration-Token

32 NAS-Identifier 79 EAP-Message

33 Proxy-State 80 Message-Authenticator

34 Login-LAT-Service 81 Tunnel-Private-Group-ID

No. Attribute No. Attribute

35 Login-LAT-Node 82 Tunnel-Assignment-id

36 Login-LAT-Group 83 Tunnel-Preference

37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response

38 Framed-AppleTalk-Network 85 Acct-Interim-Interval

39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost

40 Acct-Status-Type 87 NAS-Port-Id

41 Acct-Delay-Time 88 Framed-Pool

42 Acct-Input-Octets 89 (unassigned)

43 Acct-Output-Octets 90 Tunnel-Client-Auth-id

44 Acct-Session-Id 91 Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)

allows a vendor to define extended attributes. The extended attributes can implement functions that

the standard RADIUS protocol does not provide.

Avendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended

functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following

parts:

•Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a

code compliant to RFC 1700.

•Vendor-Type—Type of the subattribute.

•Vendor-Length—Length of the subattribute.

•Vendor-Data—Contents of the subattribute.

The device supports RADIUS subattributes with a vendor ID of 25506. For more information, see

"RADIUS subattributes (vendor ID 25506)."

Figure 5 Format of attribute 26

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security

protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server

model for information exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical

HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client,

the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After

Other manuals for FlexNetwork HSR6600

Table of contents

Other HPE Network Router manuals

HPE

HPE FlexNetwork HSR6800 series User manual

HPE

HPE FlexNetwork 5130 EI Series User manual

HPE

HPE FlexFabric 7900 Series Installation manual

HPE

HPE FlexNetwork HSR6800 series Installation manual

HPE

HPE FlexFabric 7900 Series User manual

HPE

HPE FlexNetwork MSR954 Installation manual

HPE

HPE FlexNetwork MSR Series Installation manual

HPE

HPE Aruba 2930F 24G User manual

HPE

HPE FlexNetwork 5510 HI Series User manual

HPE

HPE FlexNetwork HSR6800 series Installation manual

HPE

HPE FlexNetwork 10500 SERIES User manual

HPE

HPE FlexNetwork MSR Series User manual

HPE

HPE FlexNetwork MSR954 User manual

HPE

HPE FlexNetwork MSR Series User manual

HPE

HPE FlexNetwork VSR1000 User manual

HPE

HPE FlexNetwork MSR2004-48 User manual

HPE

HPE FlexNetwork 6604 User manual

HPE

HPE 2530 User manual

HPE

HPE FlexNetwork MSR Series User manual

HPE

HPE FlexNetwork HSR6800 series User manual

HPE

HPE FlexFabric 7900 Series User manual

HPE

HPE MSR1000 User manual

HPE

HPE FlexNetwork HSR6600 User manual

HPE

HPE 6127XLG User manual

Popular Network Router manuals by other brands

Digitus

Digitus DN-95323 manual

P1 MF-230 Configuration guide

Engage Communication

Engage Communication IP-Tube E2 user guide

DeWalt

DeWalt DCW600 manual

LOYTEC

LOYTEC LIP-ME20X user manual

ATTO Technology

ATTO Technology 1500D/E Installation and operation manual

Asus

Asus RT-AC68W quick start guide

Juniper

Juniper MX204 quick start

Juniper

Juniper J4350 Getting started guide

D-Link

D-Link DSL-G2452GR-5G Quick installation guide

Cabletron Systems

Cabletron Systems SSR 2000 quick start guide

NETGEAR

NETGEAR RP614 - Web Safe Router datasheet

Positron

Positron G1002-C Quick installation guide

H3C

H3C SR6600 Series Faq

Allied Telesis

Allied Telesis AT-8000GS/48 Product information

3Com

3Com 3CNJ205 user guide

SEIKAKU TECHNICAL GROUP

SEIKAKU TECHNICAL GROUP RIO200 user manual

Cisco

Cisco RPM-XF user manual