HPE FlexNetwork MSR Series User manual
HPE FlexNetwork MSR Router Series
Comware 7 Security Configuration Guide
Part number: 5200-2403
Software version: MSR-CMW710-R0411
Document version: 6W101-20161114
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring AAA ··············································································1
Overview····································································································································1
RADIUS ······························································································································2
HWTACACS ························································································································6
LDAP··································································································································9
AAA implementation on the device ························································································· 12
AAA for MPLS L3VPNs ········································································································ 14
Protocols and standards······································································································· 14
RADIUS attributes··············································································································· 15
FIPS compliance························································································································ 17
AAA configuration considerations and task list················································································· 18
Configuring AAA schemes··········································································································· 19
Configuring local users········································································································· 19
Configuring RADIUS schemes······························································································· 26
Configuring HWTACACS schemes························································································· 36
Configuring LDAP schemes ·································································································· 42
Configuring AAA methods for ISP domains····················································································· 46
Configuration prerequisites···································································································· 47
Creating an ISP domain········································································································ 47
Configuring ISP domain attributes ·························································································· 48
Configuring authentication methods for an ISP domain·······························································50
Configuring authorization methods for an ISP domain ································································51
Configuring accounting methods for an ISP domain···································································53
Configuring the session-control feature ·························································································· 55
Configuring the RADIUS DAE server feature··················································································· 55
Changing the DSCP priority for RADIUS packets ············································································· 56
Setting the maximum number of concurrent login users·····································································56
Configuring and applying an ITA policy ·························································································· 57
Configuring a NAS-ID profile ········································································································ 58
Configuring the device ID ············································································································ 58
Displaying and maintaining AAA ··································································································· 58
AAA configuration examples ········································································································ 59
Authentication and authorization for SSH users by a RADIUS server ············································59
Local authentication and authorization for SSH users·································································62
AAA for SSH users by an HWTACACS server·········································································· 63
Authentication for SSH users by an LDAP server ······································································ 65
AAA for PPP users by an HWTACACS server ··········································································70
ITA configuration example for IPoE users ················································································ 71
Local guest configuration and management example ·································································75
Troubleshooting RADIUS ············································································································ 77
RADIUS authentication failure ······························································································· 77
RADIUS packet delivery failure······························································································ 77
RADIUS accounting error······································································································ 78
Troubleshooting HWTACACS······································································································· 78
Troubleshooting LDAP················································································································ 78
LDAP authentication failure··································································································· 78
802.1X overview ············································································80
802.1X architecture ···················································································································· 80
Controlled/uncontrolled port and port authorization status·································································· 80
802.1X-related protocols ············································································································· 81
Packet formats···················································································································· 81
EAP over RADIUS··············································································································· 82
802.1X authentication initiation ····································································································· 83
802.1X client as the initiator ·································································································· 83
Access device as the initiator································································································· 84
802.1X authentication procedures ································································································· 84
ii
Comparing EAP relay and EAP termination·············································································· 85
EAP relay ·························································································································· 85
EAP termination·················································································································· 87
Configuring 802.1X·········································································89
Access control methods ·············································································································· 89
802.1X VLAN manipulation·········································································································· 89
Authorization VLAN ············································································································· 89
Guest VLAN······················································································································· 91
Auth-Fail VLAN··················································································································· 92
Critical VLAN······················································································································ 92
Using 802.1X authentication with other features··············································································· 94
ACL assignment·················································································································· 94
EAD assistant····················································································································· 94
SmartOn···························································································································· 95
Compatibility information ············································································································· 96
Feature and hardware compatibility ························································································ 96
Command and hardware compatibility····················································································· 96
Configuration prerequisites ·········································································································· 96
802.1X configuration task list········································································································ 97
Enabling 802.1X ························································································································ 97
Enabling EAP relay or EAP termination·························································································· 97
Setting the port authorization state ································································································ 98
Specifying an access control method····························································································· 99
Setting the maximum number of concurrent 802.1X users on a port····················································· 99
Setting the maximum number of authentication request attempts ······················································ 100
Setting the 802.1X authentication timeout timers············································································ 100
Configuring online user handshake······························································································ 100
Configuration guidelines ····································································································· 101
Configuration procedure ····································································································· 101
Configuring the authentication trigger feature ················································································ 101
Configuration guidelines ····································································································· 102
Configuration procedure ····································································································· 102
Specifying a mandatory authentication domain on a port ································································· 102
Setting the quiet timer··············································································································· 103
Enabling the periodic online user reauthentication feature································································ 103
Configuring an 802.1X guest VLAN ····························································································· 104
Configuration guidelines ····································································································· 104
Configuration procedure ····································································································· 104
Configuring an 802.1X Auth-Fail VLAN························································································· 104
Configuration guidelines ····································································································· 104
Configuration procedure ····································································································· 104
Configuring an 802.1X critical VLAN···························································································· 105
Configuration guidelines ····································································································· 105
Configuration procedure ····································································································· 105
Specifying supported domain name delimiters··············································································· 105
Configuring the EAD assistant feature·························································································· 106
Configuring 802.1X SmartOn······································································································ 106
Displaying and maintaining 802.1X······························································································ 107
802.1X authentication configuration examples··············································································· 108
Basic 802.1X authentication configuration example ································································· 108
802.1X guest VLAN and authorization VLAN configuration example············································ 110
802.1X with ACL assignment configuration example ································································ 112
802.1X with EAD assistant configuration example (with DHCP relay agent)·································· 114
802.1X with EAD assistant configuration example (with DHCP server) ········································ 117
802.1X SmartOn configuration example················································································· 119
Troubleshooting 802.1X ············································································································ 120
EAD assistant for Web browser users ··················································································· 120
Configuring MAC authentication ······················································ 122
Overview································································································································ 122
User account policies········································································································· 122
iii
Authentication methods······································································································ 122
VLAN assignment·············································································································· 123
ACL assignment················································································································ 123
Periodic MAC reauthentication····························································································· 124
Compatibility information ··········································································································· 124
Feature and hardware compatibility ······················································································ 124
Command and hardware compatibility··················································································· 124
Configuration prerequisites ········································································································ 125
Configuration task list················································································································ 125
Enabling MAC authentication ····································································································· 125
Specifying a MAC authentication domain······················································································ 126
Configuring the user account format ···························································································· 126
Configuring MAC authentication timers························································································· 127
Setting the maximum number of concurrent MAC authentication users on a port·································· 127
Configuring MAC authentication delay·························································································· 128
Enabling MAC authentication multi-VLAN mode on a port································································ 128
Configuring the keep-online feature····························································································· 129
Including user IP addresses in MAC authentication requests···························································· 129
Displaying and maintaining MAC authentication············································································· 130
MAC authentication configuration examples·················································································· 130
Local MAC authentication configuration example····································································· 130
RADIUS-based MAC authentication configuration example······················································· 132
ACL assignment configuration example················································································· 134
Configuring portal authentication ····················································· 137
Overview································································································································ 137
Extended portal functions···································································································· 137
Portal system components·································································································· 137
Portal system using the local portal Web server ······································································ 139
Interaction between portal system components······································································· 139
Portal authentication modes ································································································ 140
Portal support for EAP········································································································ 141
Portal authentication process······························································································· 141
Portal packet filtering rules·································································································· 143
BYOD support ·················································································································· 144
MAC-based quick portal authentication·················································································· 144
Compatibility information ··········································································································· 145
Feature and hardware compatibility ······················································································ 145
Command and hardware compatibility··················································································· 145
Portal configuration task list ······································································································· 146
Configuration prerequisites ········································································································ 147
Configuring a portal authentication server····················································································· 147
Configuring a portal Web server·································································································· 148
Enabling portal authentication····································································································· 149
Configuration restrictions and guidelines················································································ 150
Configuration procedure ····································································································· 150
Specifying a portal Web server ··································································································· 151
Controlling portal user access····································································································· 152
Configuring a portal-free rule······························································································· 152
Configuring an authentication source subnet ·········································································· 153
Configuring an authentication destination subnet····································································· 154
Setting the maximum number of portal users·········································································· 154
Specifying a portal authentication domain ·············································································· 155
Specifying a preauthentication domain ·················································································· 156
Specifying a preauthentication IP address pool for portal users·················································· 157
Enabling strict-checking on portal authorization information······················································· 158
Enabling portal authentication only for DHCP users ································································· 159
Enabling outgoing packets filtering on a portal-enabled interface················································ 159
Configuring portal detection features···························································································· 160
Configuring online detection of portal users············································································ 160
Configuring portal authentication server detection···································································· 161
Configuring portal Web server detection ················································································ 162
iv
Configuring portal user synchronization················································································· 163
Configuring the portal fail-permit feature······················································································· 163
Configuring BAS-IP for portal packets sent to the portal authentication server ····································· 164
Specifying a format for the NAS-Port-ID attribute ··········································································· 165
Specifying the device ID············································································································ 166
Enabling portal roaming ············································································································ 166
Logging out online portal users··································································································· 166
Disabling traffic accounting for portal users ··················································································· 167
Configuring Web redirect··········································································································· 167
Applying a NAS-ID profile to an interface······················································································ 168
Configuring the local portal Web server feature·············································································· 169
Customizing authentication pages ························································································ 169
Configuring a local portal Web server···················································································· 171
Enabling validity check on wireless clients·············································································· 172
Automatically logging out wireless portal users ······································································· 173
Enabling ARP or ND entry conversion for portal clients····························································· 173
Configuring HTTPS redirect ······································································································· 174
Configuring MAC-based quick portal authentication········································································ 174
Configuring a remote MAC binding server·············································································· 174
Configuring a local MAC binding server················································································· 175
Specifying a MAC binding server on an interface····································································· 176
Specifying a MAC binding server on a service template···························································· 176
Configuring NAS-Port-Type········································································································ 176
Configuring portal safe-redirect··································································································· 177
Setting the interval at which an AP reports traffic statistics to the AC·················································· 179
Excluding an attribute from portal protocol packets········································································· 179
Enabling portal logging·············································································································· 179
Configuring portal support for third-party authentication··································································· 180
Editing buttons and pages for third-party authentication···························································· 180
Configuring a third-party authentication server········································································ 181
Specifying an authentication domain for third-party authentication ·············································· 182
Configuring portal temporary pass······························································································· 182
Displaying and maintaining portal································································································ 183
Portal configuration examples (wired application)··········································································· 185
Configuring direct portal authentication·················································································· 185
Configuring re-DHCP portal authentication············································································· 194
Configuring cross-subnet portal authentication········································································ 198
Configuring extended direct portal authentication ···································································· 201
Configuring extended re-DHCP portal authentication ······························································· 204
Configuring extended cross-subnet portal authentication ·························································· 208
Configuring portal server detection and portal user synchronization ············································ 212
Configuring cross-subnet portal authentication for MPLS L3VPNs ·············································· 221
Configuring direct portal authentication with a preauthentication domain······································ 223
Configuring re-DHCP portal authentication with a preauthentication domain································· 225
Configuring direct portal authentication using the local portal Web server····································· 228
Portal configuration examples (wireless application) ······································································· 231
Configuring direct portal authentication·················································································· 231
Verifying the configuration··································································································· 239
Configuring MAC-based quick portal authentication································································· 240
Troubleshooting portal ·············································································································· 248
No portal authentication page is pushed for users···································································· 248
Cannot log out portal users on the access device···································································· 248
Cannot log out portal users on the RADIUS server ·································································· 249
Users logged out by the access device still exist on the portal authentication server······················· 249
Re-DHCP portal authenticated users cannot log in successfully ················································· 249
Configuring port security································································ 251
Overview································································································································ 251
Port security features········································································································· 251
Port security modes··········································································································· 252
Feature and hardware compatibility····························································································· 254
Configuration task list················································································································ 254
v
Enabling port security ··············································································································· 255
Setting port security's limit on the number of secure MAC addresses on a port ···································· 255
Setting the port security mode ···································································································· 256
Configuring port security features································································································ 257
Configuring NTK ··············································································································· 257
Configuring intrusion protection···························································································· 258
Configuring secure MAC addresses····························································································· 258
Configuration prerequisites·································································································· 259
Configuration procedure ····································································································· 259
Ignoring authorization information from the server·········································································· 260
Enabling MAC move················································································································· 260
Enabling the authorization-fail-offline feature················································································· 261
Applying a NAS-ID profile to port security ····················································································· 261
Enabling SNMP notifications for port security ················································································ 262
Displaying and maintaining port security······················································································· 262
Port security configuration examples···························································································· 262
autoLearn configuration example·························································································· 262
userLoginWithOUI configuration example ·············································································· 265
macAddressElseUserLoginSecure configuration example························································· 268
Troubleshooting port security ····································································································· 272
Cannot set the port security mode ························································································ 272
Cannot configure secure MAC addresses ·············································································· 272
Configuring user profiles································································ 273
Overview································································································································ 273
Command and hardware compatibility·························································································· 273
Configuration restrictions and guidelines ······················································································ 273
Configuring a user profile··········································································································· 273
Displaying and maintaining user profiles······················································································· 274
Configuring password control·························································· 275
Overview································································································································ 275
Password setting··············································································································· 275
Password updating and expiration························································································ 276
User login control ·············································································································· 277
Password not displayed in any form······················································································ 277
Logging··························································································································· 277
FIPS compliance······················································································································ 278
Password control configuration task list························································································ 278
Enabling password control········································································································· 278
Setting global password control parameters·················································································· 279
Setting user group password control parameters············································································ 280
Setting local user password control parameters ············································································· 281
Setting super password control parameters··················································································· 281
Displaying and maintaining password control ················································································ 282
Password control configuration example······················································································· 282
Network requirements········································································································ 282
Configuration procedure ····································································································· 283
Verifying the configuration··································································································· 284
Configuring keychains··································································· 286
Overview································································································································ 286
Configuration procedure············································································································ 286
Displaying and maintaining keychain ··························································································· 286
Keychain configuration example ································································································· 287
Network requirements········································································································ 287
Configuration procedure ····································································································· 287
Verifying the configuration··································································································· 288
Managing public keys···································································· 292
Overview································································································································ 292
FIPS compliance······················································································································ 292
vi
Creating a local key pair············································································································ 292
Distributing a local host public key······························································································· 294
Exporting a host public key·································································································· 294
Displaying a host public key ································································································ 294
Destroying a local key pair········································································································· 295
Configuring a peer host public key······························································································· 295
Importing a peer host public key from a public key file ······························································ 295
Entering a peer host public key···························································································· 296
Displaying and maintaining public keys ························································································ 296
Examples of public key management··························································································· 296
Example for entering a peer host public key ··········································································· 296
Example for importing a public key from a public key file··························································· 298
Configuring PKI ··········································································· 301
Overview································································································································ 301
PKI terminology ················································································································ 301
PKI architecture ················································································································ 302
PKI operation ··················································································································· 302
PKI applications················································································································ 303
Support for MPLS L3VPN ··································································································· 303
FIPS compliance······················································································································ 304
PKI configuration task list ·········································································································· 304
Configuring a PKI entity············································································································· 304
Configuring a PKI domain·········································································································· 305
Requesting a certificate············································································································· 307
Configuration guidelines ····································································································· 308
Configuring automatic certificate request ··············································································· 308
Manually requesting a certificate ·························································································· 309
Aborting a certificate request······································································································ 309
Obtaining certificates ················································································································ 309
Configuration prerequisites·································································································· 310
Configuration guidelines ····································································································· 310
Configuration procedure ····································································································· 310
Verifying PKI certificates············································································································ 311
Verifying certificates with CRL checking················································································· 311
Verifying certificates without CRL checking ············································································ 312
Specifying the storage path for the certificates and CRLs ································································ 312
Exporting certificates ················································································································ 312
Removing a certificate··············································································································· 313
Configuring a certificate-based access control policy ······································································ 314
Displaying and maintaining PKI ·································································································· 315
PKI configuration examples········································································································ 315
Requesting a certificate from an RSA Keon CA server ····························································· 315
Requesting a certificate from a Windows Server 2003 CA server················································ 318
Requesting a certificate from an OpenCA server····································································· 321
IKE negotiation with RSA digital signature from a Windows Server 2003 CA server ······················· 324
Certificate-based access control policy configuration example ··················································· 327
Certificate import and export configuration example································································· 328
Troubleshooting PKI configuration······························································································· 334
Failed to obtain the CA certificate························································································· 334
Failed to obtain local certificates··························································································· 334
Failed to request local certificates························································································· 335
Failed to obtain CRLs········································································································· 336
Failed to import the CA certificate························································································· 336
Failed to import a local certificate ························································································· 337
Failed to export certificates·································································································· 337
Failed to set the storage path ······························································································ 338
Configuring IPsec········································································· 339
Overview································································································································ 339
Security protocols and encapsulation modes·········································································· 339
Security association··········································································································· 341
vii
Authentication and encryption······························································································ 341
IPsec implementation········································································································· 342
IPsec RRI ························································································································ 344
Protocols and standards····································································································· 345
FIPS compliance······················································································································ 345
IPsec tunnel establishment ········································································································ 345
Implementing ACL-based IPsec·································································································· 346
Configuring an ACL ··········································································································· 347
Configuring an IPsec transform set······················································································· 350
Configuring a manual IPsec policy························································································ 352
Configuring an IKE-based IPsec policy·················································································· 354
Applying an IPsec policy to an interface················································································· 357
Enabling ACL checking for de-encapsulated packets ······························································· 358
Configuring IPsec anti-replay······························································································· 358
Configuring IPsec anti-replay redundancy·············································································· 359
Binding a source interface to an IPsec policy·········································································· 360
Enabling QoS pre-classify··································································································· 360
Enabling logging of IPsec packets ························································································ 361
Configuring the DF bit of IPsec packets················································································· 361
Configuring IPsec RRI········································································································ 362
Configuring IPsec for IPv6 routing protocols·················································································· 363
Configuration task list········································································································· 363
Configuring a manual IPsec profile ······················································································· 363
Configuring IPsec for tunnels······································································································ 365
Configuration task list········································································································· 365
Configuring an IKE-based IPsec profile ················································································· 365
Applying an IKE-based IPsec profile to a tunnel interface·························································· 366
Configuring SNMP notifications for IPsec······················································································ 367
Configuring IPsec fragmentation································································································· 367
Setting the maximum number of IPsec tunnels ·············································································· 368
Enabling logging for IPsec negotiation·························································································· 368
Displaying and maintaining IPsec································································································ 368
IPsec configuration examples····································································································· 369
Configuring a manual mode IPsec tunnel for IPv4 packets························································ 369
Configuring an IKE-based IPsec tunnel for IPv4 packets··························································· 372
Configuring an IKE-based IPsec tunnel for IPv6 packets··························································· 376
Configuring IPsec for RIPng································································································ 379
Configuring IPsec RRI········································································································ 382
Configuring IPsec tunnel interface-based IPsec for IPv4 packets················································ 386
Configuring IKE ··········································································· 391
Overview································································································································ 391
IKE negotiation process······································································································ 391
IKE security mechanism ····································································································· 392
Protocols and standards····································································································· 393
FIPS compliance······················································································································ 393
IKE configuration prerequisites ··································································································· 393
IKE configuration task list ·········································································································· 393
Configuring an IKE profile·········································································································· 394
Configuring an IKE proposal······································································································· 396
Configuring an IKE keychain ······································································································ 397
Configuring the global identity information····················································································· 398
Configuring the IKE keepalive feature ·························································································· 399
Configuring the IKE NAT keepalive feature ··················································································· 399
Configuring IKE DPD················································································································ 400
Enabling invalid SPI recovery····································································································· 400
Setting the maximum number of IKE SAs ····················································································· 401
Configuring an IKE IPv4 address pool·························································································· 401
Configuring SNMP notifications for IKE ························································································ 402
Enabling logging for IKE negotiation ···························································································· 402
Displaying and maintaining IKE ·································································································· 402
IKE configuration examples········································································································ 403
viii
Main mode IKE with pre-shared key authentication configuration example ··································· 403
Aggressive mode with RSA signature authentication configuration example ································· 407
Aggressive mode with NAT traversal configuration example······················································ 414
IKE remote extended authentication configuration example······················································· 419
IKE local extended authentication and address pool authorization configuration example················ 422
Troubleshooting IKE················································································································· 426
IKE negotiation failed because no matching IKE proposals were found········································ 426
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly··············· 426
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 427
IPsec SA negotiation failed due to invalid identity information ···················································· 427
Configuring IKEv2 ········································································ 431
Overview································································································································ 431
IKEv2 negotiation process··································································································· 431
New features in IKEv2········································································································ 432
Protocols and standards····································································································· 432
IKEv2 configuration task list ······································································································· 432
Configuring an IKEv2 profile······································································································· 433
Configuring an IKEv2 policy ······································································································· 436
Configuring an IKEv2 proposal ··································································································· 437
Configuring an IKEv2 keychain··································································································· 438
Configure global IKEv2 parameters ····························································································· 439
Enabling the cookie challenging feature················································································· 439
Configuring the IKEv2 DPD feature······················································································· 439
Configuring the IKEv2 NAT keepalive feature ········································································· 440
Configuring IKEv2 address pools·························································································· 440
Displaying and maintaining IKEv2 ······························································································· 440
IKEv2 configuration examples ···································································································· 441
IKEv2 with pre-shared key authentication configuration example················································ 441
IKEv2 with RSA signature authentication configuration example················································· 446
IKEv2 with NAT traversal configuration example ····································································· 454
Troubleshooting IKEv2·············································································································· 458
IKEv2 negotiation failed because no matching IKEv2 proposals were found································· 458
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 459
IPsec tunnel establishment failed ························································································· 459
Configuring SSH·········································································· 460
Overview································································································································ 460
How SSH works················································································································ 460
SSH authentication methods ······························································································· 461
FIPS compliance······················································································································ 462
Configuring the device as an SSH server······················································································ 462
SSH server configuration task list························································································· 462
Generating local key pairs··································································································· 463
Enabling the Stelnet server ································································································· 464
Enabling the SFTP server··································································································· 464
Enabling the SCP server····································································································· 464
Enabling NETCONF over SSH····························································································· 464
Configuring the user lines for SSH login················································································· 465
Configuring a client's host public key····················································································· 465
Configuring an SSH user ···································································································· 466
Configuring the SSH management parameters ······································································· 468
Configuring the device as an Stelnet client···················································································· 469
Stelnet client configuration task list ······················································································· 469
Generating local key pairs··································································································· 469
Specifying the source IP address for SSH packets··································································· 469
Establishing a connection to an Stelnet server········································································ 470
Configuring the device as an SFTP client ····················································································· 472
SFTP client configuration task list························································································· 472
Generating local key pairs··································································································· 472
Specifying the source IP address for SFTP packets································································· 472
Establishing a connection to an SFTP server·········································································· 473
ix
Working with SFTP directories····························································································· 474
Working with SFTP files······································································································ 475
Displaying help information ································································································· 475
Terminating the connection with the SFTP server···································································· 475
Configuring the device as an SCP client······················································································· 475
SCP client configuration task list ·························································································· 475
Generating local key pairs··································································································· 476
Establishing a connection to an SCP server ··········································································· 476
Specifying algorithms for SSH2··································································································· 478
Specifying key exchange algorithms for SSH2········································································ 478
Specifying public key algorithms for SSH2 ············································································· 479
Specifying encryption algorithms for SSH2············································································· 479
Specifying MAC algorithms for SSH2 ···················································································· 480
Configuring SSH redirect··········································································································· 480
SSH redirect overview········································································································ 480
Feature and hardware compatibility ······················································································ 481
Configuration restrictions and guidelines················································································ 481
Configuration prerequisites·································································································· 481
Configuration procedure ····································································································· 482
Displaying and maintaining SSH································································································· 483
Stelnet configuration examples··································································································· 483
Password authentication enabled Stelnet server configuration example······································· 484
Publickey authentication enabled Stelnet server configuration example······································· 486
Password authentication enabled Stelnet client configuration example········································ 492
Publickey authentication enabled Stelnet client configuration example ········································ 495
SFTP configuration examples····································································································· 497
Password authentication enabled SFTP server configuration example ········································ 497
Publickey authentication enabled SFTP client configuration example ·········································· 500
SCP configuration example········································································································ 503
Network requirements········································································································ 503
Configuration procedure ····································································································· 503
NETCONF over SSH configuration example ················································································· 505
Network requirements········································································································ 505
Configuration procedure ····································································································· 505
Verifying the configuration··································································································· 506
Configuring SSL··········································································· 507
Overview································································································································ 507
SSL security services········································································································· 507
SSL protocol stack············································································································· 507
FIPS compliance······················································································································ 508
SSL configuration task list·········································································································· 508
Configuring an SSL server policy ································································································ 508
Configuring an SSL client policy·································································································· 510
Displaying and maintaining SSL·································································································· 511
SSL server policy configuration example ······················································································ 511
Configuring ASPF ········································································ 514
Overview································································································································ 514
ASPF basic concepts········································································································· 514
ASPF inspections·············································································································· 515
Command and hardware compatibility·························································································· 517
ASPF configuration task list ······································································································· 517
Configuring an ASPF policy ······································································································· 517
Applying an ASPF policy to an interface ······················································································· 518
Applying an ASPF policy to a zone pair························································································ 519
Enabling ICMP error message sending for packet dropping by security policies applied to zone pairs······ 519
Displaying and maintaining ASPF ······························································································· 520
ASPF configuration examples····································································································· 520
ASPF FTP application inspection configuration example··························································· 520
ASPF TCP application inspection configuration example ·························································· 521
ASPF H.323 application inspection configuration example ························································ 523
x
ASPF application to a zone pair configuration example····························································· 524
Configuring APR·········································································· 527
Overview································································································································ 527
PBAR······························································································································ 527
NBAR ····························································································································· 527
Application group ·············································································································· 527
APR signature database management ·················································································· 528
Command and hardware compatibility·························································································· 528
Licensing requirements ············································································································· 529
APR configuration task list········································································································· 529
Configuring PBAR···················································································································· 529
Configuring a user-defined NBAR rule·························································································· 530
Configuring application groups ··································································································· 531
Enabling application statistics on an interface················································································ 531
Managing the APR signature database ························································································ 532
Scheduling an automatic update for the APR signature database··············································· 532
Triggering an automatic update for the APR signature database ················································ 533
Performing a manual update for the APR signature database···················································· 533
Rolling back the APR signature database ·············································································· 534
Displaying and maintaining APR································································································· 534
APR configuration examples ······································································································ 535
PBAR configuration example······························································································· 535
NBAR configuration example······························································································· 536
Managing sessions······································································· 538
Overview································································································································ 538
Session management operation··························································································· 538
Session management functions ··························································································· 539
Command and hardware compatibility·························································································· 539
Session management task list ···································································································· 539
Setting the session aging time for different protocol states······························································· 540
Setting the session aging time for different application layer protocols or applications ··························· 540
Specifying persistent sessions···································································································· 542
Enabling session statistics collection···························································································· 542
Specifying the loose mode for session state machine······································································ 542
Configuring session logging ······································································································· 543
Displaying and maintaining session management ·········································································· 544
Configuring connection limits ·························································· 549
Overview································································································································ 549
Command and hardware compatibility·························································································· 549
Configuration task list················································································································ 549
Creating a connection limit policy································································································ 550
Configuring the connection limit policy·························································································· 550
Applying the connection limit policy ····························································································· 551
Displaying and maintaining connection limits················································································· 552
Connection limit configuration example ························································································ 553
Network requirements········································································································ 553
Configuration procedure ····································································································· 554
Verifying the configuration··································································································· 554
Troubleshooting connection limits ······························································································· 555
ACLs in the connection limit rules with overlapping segments···················································· 555
Configuring object groups ······························································ 556
Overview································································································································ 556
Configuring an IPv4 address object group····················································································· 556
Configuring an IPv6 address object group····················································································· 556
Configuring a port object group··································································································· 557
Configuring a service object group ······························································································ 557
Displaying and maintaining object groups····················································································· 557
xi
Configuring object policies ····························································· 559
Overview································································································································ 559
Object policy rules···················································································································· 559
Rule numbering ················································································································ 559
Rule match order··············································································································· 559
Rule description················································································································ 559
Command and hardware compatibility·························································································· 559
Object policy configuration task list······························································································ 560
Configuration prerequisites ········································································································ 560
Creating object policies ············································································································· 560
Creating an IPv4 object policy······························································································ 560
Creating an IPv6 object policy······························································································ 560
Configuring object policy rules···································································································· 561
Configuring an IPv4 object policy rule···················································································· 561
Configuring an IPv6 object policy rule···················································································· 561
Applying object policies to zone pairs··························································································· 562
Changing the rule match order···································································································· 563
Enabling rule matching acceleration ···························································································· 563
Displaying and maintaining object policies ···················································································· 564
Object policy configuration example····························································································· 564
Network requirements········································································································ 564
Configuration procedure ····································································································· 565
Verifying the configuration··································································································· 567
Configuring attack detection and prevention······································· 568
Overview································································································································ 568
Command and hardware compatibility·························································································· 568
Attacks that the device can prevent ····························································································· 568
Single-packet attacks········································································································· 568
Scanning attacks··············································································································· 570
Flood attacks···················································································································· 570
Login dictionary attack········································································································ 571
Blacklist ································································································································· 571
IP blacklist ······················································································································· 571
User blacklist···················································································································· 571
Address object group blacklist ····························································································· 572
Whitelist ································································································································· 572
Address object group whitelist ····························································································· 572
Client verification ····················································································································· 572
TCP client verification ········································································································ 572
DNS client verification········································································································ 574
HTTP client verification······································································································· 575
Attack detection and prevention configuration task list····································································· 576
Configuring an attack defense policy···························································································· 577
Creating an attack defense policy························································································· 577
Configuring a single-packet attack defense policy···································································· 577
Configuring a scanning attack defense policy ········································································· 579
Configuring a flood attack defense policy··············································································· 579
Configuring attack detection exemption ················································································· 584
Applying an attack defense policy to an interface····································································· 585
Applying an attack defense policy to the device······································································· 585
Enabling log non-aggregation for single-packet attack events···················································· 586
Configuring TCP client verification······························································································· 586
Configuring DNS client verification ······························································································ 587
Configuring HTTP client verification····························································································· 588
Configuring the IP blacklist········································································································· 588
Configuring the user blacklist······································································································ 589
Configuring the address object group blacklist··············································································· 590
Configuring the address object group whitelist··············································································· 590
Enabling the login delay ············································································································ 591
Displaying and maintaining attack detection and prevention····························································· 591
xii
Attack detection and prevention configuration examples·································································· 595
Interface-based attack detection and prevention configuration example······································· 595
IP blacklist configuration example························································································· 599
User blacklist configuration example ····················································································· 599
Address object group blacklist configuration example······························································· 600
Address object group whitelist configuration example······························································· 601
Interface-based TCP client verification configuration example···················································· 602
Interface-based DNS client verification configuration example ··················································· 603
Interface-based HTTP client verification configuration example·················································· 604
Configuring IP source guard ··························································· 606
Overview································································································································ 606
Static IPSG bindings·········································································································· 606
Dynamic IPSG bindings······································································································ 607
Command and hardware compatibility·························································································· 608
IPSG configuration task list········································································································ 608
Configuring the IPv4SG feature ·································································································· 608
Enabling IPv4SG on an interface·························································································· 608
Configuring a static IPv4SG binding······················································································ 609
Configuring the IPv6SG feature ·································································································· 609
Enabling IPv6SG on an interface·························································································· 609
Configuring a static IPv6SG binding······················································································ 610
Displaying and maintaining IPSG································································································ 610
IPSG configuration examples ····································································································· 611
Static IPv4SG configuration example ···················································································· 611
Dynamic IPv4SG using DHCP snooping configuration example ················································· 612
Static IPv6SG configuration example ···················································································· 613
Dynamic IPv6SG using DHCPv6 snooping configuration example·············································· 614
Configuring ARP attack protection ··················································· 616
Command and hardware compatibility·························································································· 616
ARP attack protection configuration task list·················································································· 616
Configuring unresolvable IP attack protection················································································ 617
Configuring ARP source suppression···················································································· 617
Configuring ARP blackhole routing ······················································································· 617
Displaying and maintaining unresolvable IP attack protection ···················································· 618
Configuration example ······································································································· 618
Configuring source MAC-based ARP attack detection····································································· 619
Configuration procedure ····································································································· 619
Displaying and maintaining source MAC-based ARP attack detection ········································· 619
Configuration example ······································································································· 620
Configuring ARP packet source MAC consistency check································································· 621
Configuring ARP active acknowledgement···················································································· 621
Configuring authorized ARP······································································································· 622
Configuration procedure ····································································································· 622
Configuration example (on a DHCP server)············································································ 622
Configuration example (on a DHCP relay agent) ····································································· 623
Configuring ARP attack detection································································································ 624
Configuring user validity check····························································································· 625
Configuring ARP packet validity check ·················································································· 626
Configuring ARP restricted forwarding··················································································· 627
Displaying and maintaining ARP attack detection ···································································· 627
User validity check and ARP packet validity check configuration example···································· 627
ARP restricted forwarding configuration example····································································· 629
Configuring ARP scanning and fixed ARP····················································································· 630
Configuration restrictions and guidelines················································································ 631
Configuration procedure ····································································································· 631
Configuring ARP gateway protection···························································································· 631
Configuration guidelines ····································································································· 631
Configuration procedure ····································································································· 632
Configuration example ······································································································· 632
Configuring ARP filtering ··········································································································· 633
xiii
Configuration guidelines ····································································································· 633
Configuration procedure ····································································································· 633
Configuration example ······································································································· 633
Configuring uRPF········································································· 635
Overview································································································································ 635
uRPF check modes ··········································································································· 635
Features·························································································································· 635
uRPF operation················································································································· 636
Network application ··········································································································· 639
Command and hardware compatibility·························································································· 639
Enabling uRPF ························································································································ 639
Displaying and maintaining uRPF································································································ 640
uRPF configuration example for interfaces···················································································· 640
Configuring IPv6 uRPF·································································· 642
Overview································································································································ 642
IPv6 uRPF check modes ···································································································· 642
Features·························································································································· 642
IPv6 uRPF operation·········································································································· 643
Network application ··········································································································· 645
Command and hardware compatibility·························································································· 645
Enabling IPv6 uRPF ················································································································· 645
Displaying and maintaining IPv6 uRPF························································································· 646
IPv6 uRPF configuration example for interfaces············································································· 646
Configuring crypto engines····························································· 648
Overview································································································································ 648
Command and hardware compatibility·························································································· 648
Displaying and maintaining crypto engines···················································································· 648
Configuring FIPS·········································································· 650
Overview································································································································ 650
Configuration restrictions and guidelines ······················································································ 650
Configuring FIPS mode············································································································· 651
Entering FIPS mode ·········································································································· 651
Configuration changes in FIPS mode···················································································· 652
Exiting FIPS mode············································································································· 653
FIPS self-tests························································································································· 653
Power-up self-tests············································································································ 654
Conditional self-tests·········································································································· 654
Triggering self-tests ··········································································································· 654
Displaying and maintaining FIPS································································································· 655
FIPS configuration examples······································································································ 655
Entering FIPS mode through automatic reboot········································································ 655
Entering FIPS mode through manual reboot··········································································· 656
Exiting FIPS mode through automatic reboot·········································································· 657
Exiting FIPS mode through manual reboot ············································································· 658
Document conventions and icons ···················································· 660
Conventions···························································································································· 660
Network topology icons ············································································································· 661
Support and other resources··························································· 662
Accessing Hewlett Packard Enterprise Support·············································································· 662
Accessing updates··················································································································· 662
Websites ························································································································· 663
Customer self repair ·········································································································· 663
Remote support ················································································································ 663
Documentation feedback ···································································································· 663
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•
Authentication—Identifies users and verifies their validity.
•
Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
•
Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAAservers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
•
Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•
Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•
Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
RADIUS servers
Users Clients Dictionary
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
RADIUS client RADIUS server
1) Username and password
3) Access-Accept/Reject
2) Access-Request
4) Accounting-Request (start)
5) Accounting-Response
8) Accounting-Request (stop)
9) Accounting-Response
10) Notification of termination
Host
6) The host access the resources
7) Teardown request
4
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•
The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
Code
Packet type
Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. Itmust contain the
User-
Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and
the server sends an Access-Accept response.
3 Access-Reject From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the
server sends an Access-Reject response.
4 Accounting-Reque
st
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or
stop accounting.
5 Accounting-Respo
nse
From the server to the client. The serversends a packetof this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
•
The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
•
The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
•
The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
•
The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
Type—Type of the attribute.
Code
Attributes
Identifier
0
7
Length
Authenticator (16bytes)
7 15 31
Other manuals for FlexNetwork MSR Series
7
Table of contents
Other HPE Network Router manuals
HPE
HPE FlexNetwork HSR6800 series User manual
HPE
HPE FlexNetwork VSR1000 User manual
HPE
HPE FlexNetwork MSR2004-48 User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexFabric 7900 Series Installation manual
HPE
HPE FlexNetwork 6600 Installation manual
HPE
HPE FlexNetwork MSR954 Installation manual
HPE
HPE FlexFabric 7900 Series User manual
HPE
HPE FlexNetwork 5130 HI SERIES User manual
HPE
HPE FlexNetwork 10500 SERIES User manual
HPE
HPE SN2700M Instructions for use
HPE
HPE FlexNetwork HSR6800 series User manual
HPE
HPE FlexNetwork HSR6600 User manual
HPE
HPE FlexNetwork 5510 HI Series User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexNetwork MSR3012 Installation manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE MSR1000 User manual
Popular Network Router manuals by other brands
TP-Link
TP-Link TD-W8101G Quick installation guide
Nokia
Nokia G-240W-C quick start guide
Teldat
Teldat M2 installation manual
MikroTik
MikroTik RouterBOARD 751U-2HnD Quick setup guide and warranty information
ZyXEL Communications
ZyXEL Communications ZyAIR G-3000H Firmware release notes
Bkav
Bkav QCS605 user manual
