HPE FlexFabric 5940 SERIES User manual
HPE FlexFabric 5940 Switch Series
Security Configuration Guide
Part number: 5200-1030a
Software version: Release 2508 and later verison
Document version: 6W101-20161101
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® andAcrobat® are trademarks ofAdobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring AAA ·····························································································1
Overview····························································································································································1
RADIUS······················································································································································2
HWTACACS···············································································································································6
LDAP··························································································································································9
AAA implementation on the device··········································································································12
AAA for MPLS L3VPNs····························································································································14
Protocols and standards ··························································································································14
RADIUS attributes····································································································································14
FIPS compliance··············································································································································19
AAA configuration considerations and task list································································································19
Configuring AAA schemes·······························································································································20
Configuring local users·····························································································································20
Configuring RADIUS schemes·················································································································24
Configuring HWTACACS schemes··········································································································36
Configuring LDAP schemes·····················································································································42
Configuring AAA methods for ISP domains·····································································································46
Configuration prerequisites······················································································································47
Creating an ISP domain···························································································································47
Configuring ISP domain attributes ···········································································································48
Configuring authentication methods for an ISP domain···········································································49
Configuring authorization methods for an ISP domain·············································································50
Configuring accounting methods for an ISP domain················································································51
Configuring the RADIUS session-control feature·····························································································53
Configuring the RADIUS DAE server feature ··································································································53
Changing the DSCP priority for RADIUS packets····························································································54
Configuring the RADIUS attribute translation feature ······················································································54
Setting the maximum number of concurrent login users··················································································56
Configuring a NAS-ID profile····························································································································56
Configuring the device ID·································································································································57
Displaying and maintaining AAA······················································································································57
AAA configuration examples····························································································································57
AAA for SSH users by an HWTACACS server························································································57
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users·····················59
Authentication and authorization for SSH users by a RADIUS server·····················································60
Authentication for SSH users by an LDAP server····················································································64
Troubleshooting RADIUS·································································································································68
RADIUS authentication failure ·················································································································68
RADIUS packet delivery failure················································································································68
RADIUS accounting error·························································································································69
Troubleshooting HWTACACS··························································································································69
Troubleshooting LDAP·····································································································································69
LDAP authentication failure······················································································································69
802.1X overview ···························································································71
802.1X architecture··········································································································································71
Controlled/uncontrolled port and port authorization status ··············································································71
802.1X-related protocols··································································································································72
Packet formats·········································································································································72
EAP over RADIUS ···································································································································73
802.1X authentication initiation························································································································74
802.1X client as the initiator·····················································································································74
Access device as the initiator···················································································································74
802.1X authentication procedures ···················································································································75
Comparing EAP relay and EAP termination·····························································································75
EAP relay·················································································································································76
EAP termination·······································································································································77
ii
Configuring 802.1X·······················································································79
Access control methods···································································································································79
802.1X VLAN manipulation······························································································································79
Authorization VLAN··································································································································79
Guest VLAN·············································································································································81
Auth-Fail VLAN ········································································································································82
Critical VLAN············································································································································83
Critical voice VLAN ··································································································································85
Using 802.1X authentication with other features ·····························································································86
ACL assignment·······································································································································86
User profile assignment ···························································································································86
EAD assistant···········································································································································86
Redirect URL assignment························································································································87
Configuration prerequisites······························································································································87
802.1X configuration task list···························································································································87
Enabling 802.1X···············································································································································88
Enabling EAP relay or EAP termination···········································································································88
Setting the port authorization state ··················································································································89
Specifying an access control method ··············································································································89
Setting the maximum number of concurrent 802.1X users on a port·······························································90
Setting the maximum number of authentication request attempts···································································90
Setting the 802.1X authentication timeout timers ····························································································90
Configuring online user handshake ·················································································································91
Configuration guidelines···························································································································91
Configuration procedure···························································································································91
Configuring the authentication trigger feature··································································································92
Configuration guidelines···························································································································92
Configuration procedure···························································································································92
Specifying a mandatory authentication domain on a port················································································92
Setting the quiet timer······································································································································93
Configuring 802.1X reauthentication················································································································93
Overview··················································································································································93
Configuration restrictions and guidelines·································································································94
Configuring 802.1X periodic reauthentication··························································································94
Configuring 802.1X manual reauthentication···························································································94
Enabling the keep-online feature ·············································································································95
Configuring an 802.1X guest VLAN·················································································································95
Configuration guidelines···························································································································95
Configuration prerequisites······················································································································96
Configuration procedure···························································································································96
Enabling 802.1X guest VLAN assignment delay ·····························································································96
Configuring an 802.1X Auth-Fail VLAN ···········································································································97
Configuration guidelines···························································································································97
Configuration prerequisites······················································································································97
Configuration procedure···························································································································98
Configuring an 802.1X critical VLAN················································································································98
Configuration guidelines···························································································································98
Configuration prerequisites······················································································································98
Configuration procedure···························································································································98
Enabling the 802.1X critical voice VLAN··········································································································99
Configuration restrictions and guidelines·································································································99
Configuration prerequisites······················································································································99
Configuration procedure···························································································································99
Specifying supported domain name delimiters ································································································99
Enabling 802.1X user IP freezing ··················································································································100
Sending 802.1X protocol packets out of a port without VLAN tags ·······························································100
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users···················101
Configuring the EAD assistant feature···········································································································101
Displaying and maintaining 802.1X················································································································102
802.1X authentication configuration examples ······························································································102
Basic 802.1X authentication configuration example ··············································································102
iii
802.1X guest VLAN and authorization VLAN configuration example ····················································104
802.1X with ACL assignment configuration example·············································································107
802.1X with EAD assistant configuration example (with DHCP relay agent)·········································108
802.1X with EAD assistant configuration example (with DHCP server)·················································111
Troubleshooting 802.1X·································································································································113
EAD assistant URL redirection failure····································································································113
Configuring MAC authentication ·································································115
Overview························································································································································115
User account policies·····························································································································115
Authentication methods··························································································································115
VLAN assignment ··································································································································116
ACL assignment·····································································································································118
User profile assignment ·························································································································118
Redirect URL assignment······················································································································119
Configuration prerequisites····························································································································119
Configuration task list·····································································································································119
Enabling MAC authentication·························································································································119
Specifying a MAC authentication domain ······································································································120
Configuring the user account format··············································································································120
Configuring MAC authentication timers ·········································································································121
Setting the maximum number of concurrent MAC authentication users on a port·········································121
Enabling MAC authentication multi-VLAN mode on a port ············································································122
Configuring MAC authentication delay···········································································································122
Enabling parallel processing of MAC authentication and 802.1X authentication···········································123
Configuration restrictions and guidelines·······························································································123
Configuration procedure·························································································································123
Configuring a MAC authentication guest VLAN·····························································································124
Configuring a MAC authentication critical VLAN····························································································125
Enabling the MAC authentication critical voice VLAN····················································································125
Configuration prerequisites····················································································································125
Configuration procedure·························································································································126
Configuring periodic MAC reauthentication ···································································································126
Overview················································································································································126
Configuration restrictions and guidelines·······························································································126
Configuration procedure·························································································································127
Enabling MAC authentication offline detection ······························································································127
Displaying and maintaining MAC authentication····························································································128
MAC authentication configuration examples··································································································128
Local MAC authentication configuration example··················································································128
RADIUS-based MAC authentication configuration example··································································130
ACL assignment configuration example·································································································132
Configuring portal authentication ································································136
Overview························································································································································136
Extended portal functions·······················································································································136
Portal system components·····················································································································136
Portal system using the local portal Web server····················································································138
Interaction between portal system components·····················································································138
Portal authentication modes···················································································································139
Portal support for EAP ···························································································································139
Portal authentication process·················································································································140
Portal packet filtering rules·····················································································································142
MAC-based quick portal authentication ·································································································142
Portal configuration task list···························································································································143
Configuration prerequisites····························································································································144
Configuring a portal authentication server ·····································································································144
Configuring a portal Web server ····················································································································145
Enabling portal authentication························································································································146
Configuration restrictions and guidelines·······························································································146
Configuration procedure·························································································································147
Specifying a portal Web server······················································································································147
iv
Controlling portal user access························································································································148
Configuring a portal-free rule ·················································································································148
Configuring an authentication source subnet·························································································149
Configuring an authentication destination subnet··················································································150
Setting the maximum number of portal users ························································································150
Specifying a portal authentication domain ·····························································································151
Specifying a preauthentication domain··································································································152
Specifying a preauthentication IP address pool for portal users····························································152
Enabling strict-checking on portal authorization information··································································153
Enabling portal authentication only for DHCP users··············································································154
Enabling outgoing packets filtering on a portal-enabled interface··························································154
Configuring portal detection features·············································································································154
Configuring online detection of portal users···························································································154
Configuring portal authentication server detection·················································································155
Configuring portal Web server detection································································································156
Configuring portal user synchronization·································································································157
Configuring the portal fail-permit feature········································································································158
Configuring BAS-IP for portal packets sent to the portal authentication server·············································158
Enabling portal roaming·································································································································159
Specifying a format for the NAS-Port-ID attribute··························································································160
Specifying the device ID ································································································································160
Logging out online portal users······················································································································160
Configuring Web redirect ·······························································································································161
Applying a NAS-ID profile to an interface ······································································································161
Configuring the local portal Web server feature·····························································································162
Customizing authentication pages·········································································································162
Configuring a local portal Web server····································································································164
Enabling ARP or ND entry conversion for portal clients ················································································165
Configuring MAC-based quick portal authentication······················································································165
Configuring a MAC binding server·········································································································165
Specifying a MAC binding server on an interface··················································································166
Enabling logging for user logins and logouts ·································································································167
Displaying and maintaining portal··················································································································167
Portal configuration examples························································································································168
Configuring direct portal authentication··································································································168
Configuring re-DHCP portal authentication····························································································176
Configuring cross-subnet portal authentication······················································································179
Configuring extended direct portal authentication··················································································183
Configuring extended re-DHCP portal authentication············································································186
Configuring extended cross-subnet portal authentication······································································190
Configuring portal server detection and portal user synchronization·····················································193
Configuring direct portal authentication with a preauthentication domain··············································201
Configuring re-DHCP portal authentication with a preauthentication domain········································203
Configuring direct portal authentication using local portal Web server··················································205
Troubleshooting portal ···································································································································208
No portal authentication page is pushed for users·················································································208
Cannot log out portal users on the access device ·················································································209
Cannot log out portal users on the RADIUS server ···············································································209
Users logged out by the access device still exist on the portal authentication server····························209
Re-DHCP portal authenticated users cannot log in successfully···························································210
Configuring port security·············································································211
Overview························································································································································211
Port security features·····························································································································211
Port security modes ·······························································································································211
Configuration task list·····································································································································214
Enabling port security ····································································································································214
Setting port security's limit on the number of secure MAC addresses on a port············································215
Setting the port security mode ·······················································································································216
Configuring port security features··················································································································217
Configuring NTK·····································································································································217
Configuring intrusion protection ·············································································································218
v
Configuring secure MAC addresses ··············································································································218
Configuration prerequisites····················································································································219
Configuration procedure·························································································································219
Ignoring authorization information from the server ························································································220
Enabling MAC move ······································································································································220
Enabling the authorization-fail-offline feature·································································································221
Applying a NAS-ID profile to port security······································································································221
Enabling SNMP notifications for port security································································································222
Displaying and maintaining port security ·······································································································222
Port security configuration examples·············································································································222
autoLearn configuration example···········································································································222
userLoginWithOUI configuration example······························································································225
macAddressElseUserLoginSecure configuration example····································································227
Troubleshooting port security·························································································································231
Cannot set the port security mode·········································································································231
Cannot configure secure MAC addresses ·····························································································231
Configuring user profiles·············································································233
Overview························································································································································233
User profile configuration task list··················································································································233
Configuration restrictions and guidelines·······································································································233
Configuring a user profile·······························································································································233
Displaying and maintaining user profiles ·······································································································234
User profile configuration example ················································································································234
Network requirements····························································································································234
Configuration procedure·························································································································234
Verifying the configuration······················································································································237
Configuring password control ·····································································239
Overview························································································································································239
Password setting····································································································································239
Password updating and expiration·········································································································240
User login control···································································································································241
Password not displayed in any form ······································································································242
Logging ··················································································································································242
FIPS compliance············································································································································242
Password control configuration task list·········································································································242
Enabling password control·····························································································································243
Setting global password control parameters··································································································243
Setting user group password control parameters ··························································································244
Setting local user password control parameters····························································································245
Setting super password control parameters ··································································································246
Displaying and maintaining password control································································································246
Password control configuration example ·······································································································247
Network requirements····························································································································247
Configuration procedure·························································································································247
Verifying the configuration······················································································································249
Configuring keychains·················································································250
Overview························································································································································250
Configuration procedure ································································································································250
Displaying and maintaining keychain·············································································································251
Keychain configuration example····················································································································251
Network requirements····························································································································251
Configuration procedure·························································································································251
Verifying the configuration······················································································································253
Managing public keys ·················································································256
Overview························································································································································256
FIPS compliance············································································································································256
Creating a local key pair ································································································································256
Distributing a local host public key·················································································································258
vi
Exporting a host public key····················································································································258
Displaying a host public key···················································································································258
Destroying a local key pair·····························································································································259
Configuring a peer host public key·················································································································259
Importing a peer host public key from a public key file ··········································································259
Entering a peer host public key··············································································································260
Displaying and maintaining public keys ·········································································································260
Examples of public key management ············································································································260
Example for entering a peer host public key··························································································260
Example for importing a public key from a public key file ······································································262
Configuring PKI···························································································265
Overview························································································································································265
PKI terminology······································································································································265
PKI architecture······································································································································266
PKI operation ·········································································································································266
PKI applications ·····································································································································267
FIPS compliance············································································································································267
PKI configuration task list·······························································································································267
Configuring a PKI entity ·································································································································268
Configuring a PKI domain······························································································································268
Requesting a certificate ·································································································································270
Configuration guidelines·························································································································271
Configuring automatic certificate request·······························································································271
Manually requesting a certificate············································································································272
Aborting a certificate request ·························································································································272
Obtaining certificates ·····································································································································272
Configuration prerequisites····················································································································273
Configuration guidelines·························································································································273
Configuration procedure·························································································································273
Verifying PKI certificates································································································································274
Verifying certificates with CRL checking································································································274
Verifying certificates without CRL checking···························································································275
Specifying the storage path for the certificates and CRLs·············································································275
Exporting certificates······································································································································276
Removing a certificate ···································································································································276
Configuring a certificate-based access control policy····················································································277
Displaying and maintaining PKI ·····················································································································278
PKI configuration examples ···························································································································278
Requesting a certificate from an RSA Keon CA server··········································································278
Requesting a certificate from a Windows Server 2003 CA server·························································281
Requesting a certificate from an OpenCA server···················································································284
Certificate-based access control policy configuration example······························································287
Certificate import and export configuration example··············································································289
Troubleshooting PKI configuration·················································································································294
Failed to obtain the CA certificate··········································································································294
Failed to obtain local certificates············································································································295
Failed to request local certificates··········································································································295
Failed to obtain CRLs·····························································································································296
Failed to import the CA certificate··········································································································297
Failed to import a local certificate···········································································································297
Failed to export certificates····················································································································298
Failed to set the storage path·················································································································298
Configuring IPsec························································································299
Overview························································································································································299
Security protocols and encapsulation modes·························································································299
Security association·······························································································································301
Authentication and encryption················································································································301
IPsec implementation·····························································································································302
Protocols and standards ························································································································303
FIPS compliance············································································································································303
vii
IPsec tunnel establishment····························································································································303
Implementing ACL-based IPsec ····················································································································303
Configuring an ACL································································································································304
Configuring an IPsec transform set········································································································305
Configuring a manual IPsec policy·········································································································307
Configuring an IKE-based IPsec policy··································································································308
Applying an IPsec policy to an interface ································································································312
Enabling ACL checking for de-encapsulated packets············································································312
Configuring IPsec anti-replay·················································································································313
Configuring IPsec anti-replay redundancy·····························································································313
Binding a source interface to an IPsec policy ························································································314
Enabling QoS pre-classify······················································································································315
Enabling logging of IPsec packets·········································································································315
Configuring the DF bit of IPsec packets·································································································315
Configuring IPsec for IPv6 routing protocols··································································································316
Configuration task list·····························································································································316
Configuring a manual IPsec profile········································································································317
Configuring SNMP notifications for IPsec······································································································318
Configuring IPsec fragmentation····················································································································318
Setting the maximum number of IPsec tunnels ·····························································································319
Displaying and maintaining IPsec··················································································································319
IPsec configuration examples························································································································320
Configuring a manual mode IPsec tunnel for IPv4 packets ···································································320
Configuring IPsec for RIPng···················································································································322
Configuring IKE···························································································326
Overview························································································································································326
IKE negotiation process·························································································································326
IKE security mechanism·························································································································327
Protocols and standards ························································································································328
FIPS compliance············································································································································328
IKE configuration prerequisites······················································································································328
IKE configuration task list·······························································································································328
Configuring an IKE profile······························································································································329
Configuring an IKE proposal··························································································································331
Configuring an IKE keychain··························································································································332
Configuring the global identity information·····································································································333
Configuring the IKE keepalive feature ···········································································································333
Configuring the IKE NAT keepalive feature···································································································334
Configuring IKE DPD ·····································································································································334
Enabling invalid SPI recovery ························································································································335
Setting the maximum number of IKE SAs······································································································335
Configuring SNMP notifications for IKE ·········································································································336
Displaying and maintaining IKE ·····················································································································336
IKE configuration examples ···························································································································337
Configuring an IKE-based IPsec tunnel for IPv4 packets ······································································337
Main mode IKE with pre-shared key authentication configuration example···········································339
Troubleshooting IKE ······································································································································342
IKE negotiation failed because no matching IKE proposals were found················································342
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly··················343
IPsec SA negotiation failed because no matching IPsec transform sets were found ····························343
IPsec SA negotiation failed due to invalid identity information·······························································344
Configuring IKEv2·······················································································347
Overview························································································································································347
IKEv2 negotiation process ·····················································································································347
New features in IKEv2····························································································································348
Protocols and standards ························································································································348
IKEv2 configuration task list···························································································································348
Configuring an IKEv2 profile ··························································································································349
Configuring an IKEv2 policy···························································································································352
Configuring an IKEv2 proposal ······················································································································352
viii
Configuring an IKEv2 keychain······················································································································354
Configure global IKEv2 parameters···············································································································355
Enabling the cookie challenging feature ································································································355
Configuring the IKEv2 DPD feature ·······································································································355
Configuring the IKEv2 NAT keepalive feature························································································355
Displaying and maintaining IKEv2 ·················································································································356
Troubleshooting IKEv2···································································································································356
IKEv2 negotiation failed because no matching IKEv2 proposals were found········································356
IPsec SA negotiation failed because no matching IPsec transform sets were found ····························357
IPsec tunnel establishment failed···········································································································357
Configuring SSH·························································································358
Overview························································································································································358
How SSH works·····································································································································358
SSH authentication methods··················································································································359
SSH support for Suite B·························································································································360
FIPS compliance············································································································································360
Configuring the device as an SSH server······································································································361
SSH server configuration task list··········································································································361
Generating local key pairs······················································································································361
Enabling the Stelnet server····················································································································362
Enabling the SFTP server······················································································································362
Enabling the SCP server························································································································363
Enabling NETCONF over SSH ··············································································································363
Configuring the user lines for SSH login································································································363
Configuring a client's host public key·····································································································364
Configuring an SSH user ·······················································································································365
Configuring the SSH management parameters·····················································································366
Specifying a PKI domain for the SSH server ·························································································367
Configuring the device as an Stelnet client····································································································367
Stelnet client configuration task list········································································································367
Generating local key pairs······················································································································368
Specifying the source IP address for SSH packets················································································368
Establishing a connection to an Stelnet server······················································································368
Establishing a connection to an Stelnet server based on Suite B··························································370
Configuring the device as an SFTP client······································································································371
SFTP client configuration task list··········································································································371
Generating local key pairs······················································································································371
Specifying the source IP address for SFTP packets··············································································372
Establishing a connection to an SFTP server························································································372
Establishing a connection to an SFTP server based on Suite B····························································374
Working with SFTP directories···············································································································374
Working with SFTP files·························································································································375
Displaying help information····················································································································375
Terminating the connection with the SFTP server·················································································375
Configuring the device as an SCP client········································································································376
SCP client configuration task list············································································································376
Generating local key pairs······················································································································376
Establishing a connection to an SCP server··························································································376
Establishing a connection to an SCP server based on Suite B······························································378
Specifying algorithms for SSH2 ·····················································································································379
Specifying key exchange algorithms for SSH2······················································································379
Specifying public key algorithms for SSH2 ····························································································379
Specifying encryption algorithms for SSH2····························································································380
Specifying MAC algorithms for SSH2 ····································································································380
Displaying and maintaining SSH····················································································································380
Stelnet configuration examples······················································································································381
Password authentication enabled Stelnet server configuration example···············································381
Publickey authentication enabled Stelnet server configuration example···············································383
Password authentication enabled Stelnet client configuration example ················································389
Publickey authentication enabled Stelnet client configuration example·················································392
Stelnet configuration example based on 128-bit Suite B algorithms······················································394
ix
SFTP configuration examples························································································································398
Password authentication enabled SFTP server configuration example·················································398
Publickey authentication enabled SFTP client configuration example···················································401
SFTP configuration example based on 192-bit Suite B algorithms························································404
SCP configuration examples··························································································································408
SCP configuration example with password authentication ····································································408
SCP configuration example based on Suite B algorithms······································································409
NETCONF over SSH configuration example with password authentication··················································416
Network requirements····························································································································416
Verifying the configuration······················································································································418
Configuring SSL··························································································419
Overview························································································································································419
SSL security services·····························································································································419
SSL protocol stack·································································································································419
FIPS compliance············································································································································420
SSL configuration task list······························································································································420
Configuring an SSL server policy···················································································································420
Configuring an SSL client policy ····················································································································422
Displaying and maintaining SSL ····················································································································424
Configuring attack detection and prevention···············································425
Overview························································································································································425
Attacks that the device can prevent···············································································································425
Single-packet attacks·····························································································································425
Scanning attacks····································································································································426
Flood attacks··········································································································································427
TCP fragment attack······························································································································428
Login dictionary attack ···························································································································428
Attack detection and prevention configuration task list··················································································428
Configuring an attack defense policy·············································································································429
Creating an attack defense policy··········································································································429
Configuring a single-packet attack defense policy·················································································429
Configuring a scanning attack defense policy························································································430
Configuring a flood attack defense policy ······························································································431
Configuring attack detection exemption·································································································435
Applying an attack defense policy to the device ····················································································435
Enabling log non-aggregation for single-packet attack events·······························································436
Configuring TCP fragment attack prevention·································································································436
Enabling the login delay·································································································································437
Displaying and maintaining attack detection and prevention·········································································437
Attack detection and prevention configuration examples···············································································438
Attack defense policy device application configuration example ···························································438
Configuring TCP attack prevention·····························································442
Overview························································································································································442
Configuring Naptha attack prevention············································································································442
Configuring IP source guard·······································································443
Overview························································································································································443
Static IPSG bindings······························································································································443
Dynamic IPSG bindings·························································································································444
IPSG configuration task list····························································································································444
Configuring the IPv4SG feature·····················································································································445
Enabling IPv4SG on an interface···········································································································445
Configuring a static IPv4SG binding ······································································································445
Configuring the IPv6SG feature·····················································································································446
Enabling IPv6SG on an interface···········································································································446
Configuring a static IPv6SG binding ······································································································447
Displaying and maintaining IPSG ··················································································································447
IPSG configuration examples ························································································································448
Static IPv4SG configuration example·····································································································448
x
Dynamic IPv4SG using DHCP snooping configuration example···························································449
Dynamic IPv4SG using DHCP relay agent configuration example························································450
Static IPv6SG configuration example·····································································································451
Dynamic IPv6SG using DHCPv6 snooping configuration example ·······················································452
Dynamic IPv6SG using DHCPv6 relay agent configuration example····················································453
Configuring ARP attack protection······························································455
ARP attack protection configuration task list··································································································455
Configuring unresolvable IP attack protection ·······························································································455
Configuring ARP source suppression····································································································456
Configuring ARP blackhole routing········································································································456
Displaying and maintaining unresolvable IP attack protection·······························································456
Configuration example···························································································································457
Configuring ARP packet rate limit··················································································································457
Configuration guidelines·························································································································458
Configuration procedure·························································································································458
Configuring source MAC-based ARP attack detection ··················································································458
Configuration procedure·························································································································459
Displaying and maintaining source MAC-based ARP attack detection··················································459
Configuration example···························································································································460
Configuring ARP packet source MAC consistency check··············································································461
Configuring ARP active acknowledgement····································································································461
Configuring authorized ARP ··························································································································461
Configuration procedure·························································································································462
Configuration example (on a DHCP server)···························································································462
Configuration example (on a DHCP relay agent)···················································································463
Configuring ARP attack detection··················································································································464
Configuring user validity check ··············································································································465
Configuring ARP packet validity check ··································································································466
Configuring ARP restricted forwarding···································································································466
Enabling ARP attack detection logging··································································································467
Displaying and maintaining ARP attack detection··················································································467
User validity check configuration example·····························································································467
User validity check and ARP packet validity check configuration example············································469
ARP restricted forwarding configuration example··················································································470
Configuring ARP scanning and fixed ARP·····································································································472
Configuration restrictions and guidelines·······························································································472
Configuration procedure·························································································································472
Configuring ARP gateway protection·············································································································472
Configuration guidelines·························································································································473
Configuration procedure·························································································································473
Configuration example···························································································································473
Configuring ARP filtering································································································································474
Configuration guidelines·························································································································474
Configuration procedure·························································································································474
Configuration example···························································································································474
Configuring ARP sender IP address checking·······························································································475
Configuring ND attack defense···································································477
Overview························································································································································477
ND attack defense configuration task list·······································································································477
Enabling source MAC consistency check for ND messages ·········································································477
Configuring ND attack detection ····················································································································478
About ND attack detection ·····················································································································478
Configuration guidelines·························································································································479
Configuration procedure·························································································································479
Displaying and maintaining ND attack detection····················································································479
ND attack detection configuration example····························································································479
Configuring RA guard ····································································································································481
About RA guard······································································································································481
Specifying the role of the attached device ·····························································································481
Configuring an RA guard policy ·············································································································482
xi
Enabling the RA guard logging feature··································································································482
Displaying and maintaining RA guard····································································································483
RA guard configuration example············································································································483
Configuring uRPF ·······················································································486
Overview························································································································································486
uRPF check modes································································································································486
uRPF operation······································································································································486
Network application································································································································489
Enabling uRPF···············································································································································489
Displaying and maintaining uRPF··················································································································489
Global uRPF configuration example ··············································································································490
Network requirements····························································································································490
Configuration procedure·························································································································490
Configuring crypto engines·········································································491
Overview························································································································································491
Displaying and maintaining crypto engines····································································································491
Configuring FIPS·························································································492
Overview························································································································································492
Configuration restrictions and guidelines·······································································································492
Configuring FIPS mode··································································································································493
Entering FIPS mode·······························································································································493
Configuration changes in FIPS mode ····································································································494
Exiting FIPS mode ·································································································································495
FIPS self-tests················································································································································495
Power-up self-tests ································································································································496
Conditional self-tests······························································································································496
Triggering self-tests································································································································497
Displaying and maintaining FIPS···················································································································497
FIPS configuration examples·························································································································497
Entering FIPS mode through automatic reboot······················································································497
Entering FIPS mode through manual reboot··························································································498
Exiting FIPS mode through automatic reboot ························································································500
Exiting FIPS mode through manual reboot····························································································500
Document conventions and icons·······························································502
Conventions···················································································································································502
Network topology icons··································································································································503
Support and other resources ······································································504
Accessing Hewlett Packard Enterprise Support ····························································································504
Accessing updates·········································································································································504
Websites ················································································································································505
Customer self repair·······························································································································505
Remote support······································································································································505
Documentation feedback ·······················································································································505
Index···········································································································507
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
•Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information toAAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet andADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packetverifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
4
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and
the server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the
server sends an Access-Reject response.
4 Accounting-Reques
t
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or
stop accounting.
5 Accounting-Respon
se
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
•The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
{Type—Type of the attribute.
{Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
{Value—Value of the attribute. Its format and content depend on the Type subfield.
5
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. Attribute No. Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-ID
6
No. Attribute No. Attribute
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)
allows a vendor to define extended attributes. The extended attributes can implement functions that
the standard RADIUS protocol does not provide.
Avendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following
parts:
•Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a
code compliant to RFC 1700.
•Vendor-Type—Type of the subattribute.
•Vendor-Length—Length of the subattribute.
•Vendor-Data—Contents of the subattribute.
The device supports RADIUS subattributes with a vendor ID of 25506. For more information, see
"Proprietary RADIUS subattributes (vendor ID 25506)."
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server
model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client,
the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After
7
passing authentication and obtaining authorized rights, a user logs in to the device and performs
operations. The HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model,
using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the
primary differences between HWTACACS and RADIUS.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, which provides reliable network
transmission. Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the
HWTACACS header. Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization
is independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication
process.
Supports authorization of configuration commands.
Access to commands depends on both the user's
roles and authorization. A user can use only
commands that are permitted by the user roles and
authorized by the HWTACACS server.
Does not support authorization of configuration
commands. Access to commands solely depends on
the user's roles. For more information about user
roles, see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for
a Telnet user.
Other manuals for FlexFabric 5940 SERIES
5
Table of contents
Other HPE Switch manuals
HPE
HPE FlexFabric 5940 SERIES User manual
HPE
HPE FlexNetwork 10500 SERIES User manual
HPE
HPE 8325 Series Owner's manual
HPE
HPE FlexNetwork 5510 HI Series User manual
HPE
HPE OfficeConnect 1920S Series User manual
HPE
HPE FlexFabric 5710 Series User manual
HPE
HPE LSWM1FANSC User manual
HPE
HPE Aruba Instant On 1960 24G 20p Class4 4p Class6 PoE 2XGT 2SFP+ 370W... Assembly instructions
HPE
HPE FlexNetwork 10500 SERIES User manual
HPE
HPE FlexFabric 5940 SERIES Installation manual
HPE
HPE 5800 Series User manual
HPE
HPE Aruba Networking CX 6200 Series User manual
HPE
HPE Aruba 6200F Assembly instructions
HPE
HPE H3C S9500 Series User manual
HPE
HPE SN6000B Operating and maintenance manual
HPE
HPE FlexFabric 5930 Series Installation manual
HPE
HPE FlexFabric 7900 Series Installation manual
HPE
HPE FlexNetwork 5510 HI Series User manual
HPE
HPE FlexNetwork 7500 Series User manual
HPE
HPE FlexNetwork 7500 Series User manual
