Hpe Flexfabric 7900 series User manual

HPE FlexFabric 7900 Switch Series

Security

Configuration Guide

Part number: 5998-8250R

Software version: Release 213x

Document version: 6W101-20151113

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard

Enterprise products and services are set forth in the express warranty statements accompanying such

products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett

Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or

copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s

standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard

Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise

website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the

United States and other countries.

Microsoft® and Windows® are trademarks of the Microsoft group of companies.

Adobe® andAcrobat® are trademarks ofAdobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

Configuring AAA ·····························································································1

Overview····························································································································································1

RADIUS······················································································································································2

HWTACACS···············································································································································6

AAA implementation on the device············································································································9

Protocols and standards ··························································································································10

RADIUS attributes····································································································································11

FIPS compliance··············································································································································14

AAA configuration considerations and task list································································································14

Configuring AAA schemes·······························································································································15

Configuring local users·····························································································································15

Configuring RADIUS schemes·················································································································18

Configuring HWTACACS schemes··········································································································27

Configuring AAA methods for ISP domains·····································································································33

Configuration prerequisites······················································································································33

Creating an ISP domain···························································································································33

Setting the ISP domain status··················································································································34

Configuring authentication methods for an ISP domain···········································································34

Configuring authorization methods for an ISP domain·············································································35

Configuring accounting methods for an ISP domain················································································36

Enabling the session-control feature················································································································37

Setting the maximum number of concurrent login users··················································································37

Displaying and maintaining AAA······················································································································37

AAA configuration examples····························································································································38

AAA for SSH users by an HWTACACS server························································································38

Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users·····················39

Authentication and authorization for SSH users by a RADIUS server·····················································41

Troubleshooting RADIUS·································································································································44

RADIUS authentication failure ·················································································································44

RADIUS packet delivery failure················································································································45

RADIUS accounting error·························································································································45

Troubleshooting HWTACACS··························································································································45

Configuring password control ·······································································46

Password setting······································································································································46

Password updating and expiration···········································································································47

User login control·····································································································································48

Password not displayed in any form ········································································································48

Logging ····················································································································································48

Password control configuration task list···········································································································49

Enabling password control·······························································································································49

Setting global password control parameters····································································································50

Setting user group password control parameters ····························································································51

Setting local user password control parameters······························································································51

Setting super password control parameters ····································································································52

Displaying and maintaining password control··································································································53

Password control configuration example ·········································································································53

Network requirements······························································································································53

Configuration procedure···························································································································54

Verifying the configuration························································································································55

Managing public keys ···················································································57

Creating a local key pair ··································································································································57

Configuration guidelines···························································································································57

Configuration procedure···························································································································58

Distributing a local host public key···················································································································58

Exporting a host public key in a specific format to a file···········································································59

Displaying a host public key in a specific format and saving it to a file····················································59

Displaying a host public key·····················································································································59

Destroying a local key pair·······························································································································60

Configuring a peer public key ··························································································································60

Importing a peer host public key from a public key file ············································································61

Entering a peer public key························································································································61

Displaying and maintaining public keys ···········································································································61

Examples of public key management ··············································································································61

Example for entering a peer public key····································································································61

Example for importing a public key from a public key file ········································································63

Configuring PKI·····························································································66

PKI terminology········································································································································66

PKI architecture········································································································································67

PKI operation ···········································································································································67

PKI applications ·······································································································································68

Support for MPLS L3VPN························································································································68

Feature and software version compatibility······································································································69

PKI configuration task list·································································································································69

Configuring a PKI entity ···································································································································69

Configuring a PKI domain································································································································70

Requesting a certificate ···································································································································72

Configuration guidelines···························································································································72

Configuring automatic certificate request·································································································73

Manually requesting a certificate··············································································································73

Aborting a certificate request ···························································································································74

Obtaining certificates ·······································································································································74

Configuration prerequisites······················································································································74

Configuration guidelines···························································································································74

Configuration procedure···························································································································75

Verifying PKI certificates··································································································································75

Verifying certificates with CRL checking··································································································75

Verifying certificates without CRL checking·····························································································76

Specifying the storage path for the certificates and CRLs···············································································76

Exporting certificates········································································································································77

Removing a certificate ·····································································································································77

Configuring a certificate-based access control policy······················································································78

Displaying and maintaining PKI ·······················································································································79

PKI configuration examples ·····························································································································79

Requesting a certificate from an RSA Keon CA server············································································79

Requesting a certificate from a Windows Server 2003 CA server···························································82

Requesting a certificate from an OpenCA server·····················································································85

Certificate import and export configuration example················································································88

Troubleshooting PKI configuration···················································································································93

Failed to obtain the CA certificate············································································································94

Failed to obtain local certificates··············································································································94

Failed to request local certificates············································································································95

Failed to obtain CRLs·······························································································································95

Failed to import the CA certificate············································································································96

Failed to import a local certificate·············································································································97

Failed to export certificates······················································································································97

Failed to set the storage path···················································································································98

Configuring SSL····························································································99

SSL security services·······························································································································99

iii

SSL protocol stack···································································································································99

Feature and software version compatibility····································································································100

SSL configuration task list······························································································································100

Configuring an SSL server policy···················································································································100

Configuring an SSL client policy ····················································································································102

Displaying and maintaining SSL ····················································································································103

Configuring IPsec························································································104

Security protocols and encapsulation modes·························································································104

Security association·······························································································································106

Authentication and encryption················································································································106

IPsec implementation·····························································································································107

Protocols and standards ························································································································107

IPsec tunnel establishment····························································································································108

Implementing ACL-based IPsec ····················································································································108

Feature restrictions and guidelines········································································································108

ACL-based IPsec configuration task list·································································································108

Configuring an ACL································································································································109

Configuring an IPsec transform set········································································································110

Configuring a manual IPsec policy·········································································································111

Configuring an IKE-based IPsec policy··································································································112

Applying an IPsec policy to an interface ································································································114

Enabling ACL checking for de-encapsulated packets············································································115

Configuring the IPsec anti-replay function ·····························································································115

Binding a source interface to an IPsec policy ························································································116

Enabling QoS pre-classify······················································································································116

Enabling logging of IPsec packets·········································································································117

Configuring the DF bit of IPsec packets·································································································117

Configuring SNMP notifications for IPsec······································································································118

Displaying and maintaining IPsec··················································································································118

IPsec configuration examples························································································································119

Configuring a manual mode IPsec tunnel for IPv4 packets ···································································119

Configuring an IKE-based IPsec tunnel for IPv4 packets ······································································121

Configuring IKE···························································································125

IKE negotiation process·························································································································125

IKE security mechanism·························································································································126

Protocols and standards ························································································································127

IKE configuration prerequisites······················································································································127

IKE configuration task list·······························································································································127

Configuring an IKE profile······························································································································128

Configuring an IKE proposal··························································································································129

Configuring an IKE keychain··························································································································131

Configuring the global identity information·····································································································131

Configuring the IKE keepalive function··········································································································132

Configuring the IKE NAT keepalive function··································································································132

Configuring IKE DPD ·····································································································································133

Enabling invalid SPI recovery ························································································································133

Setting the maximum number of IKE SAs······································································································134

Configuring SNMP notifications for IKE ·········································································································134

Displaying and maintaining IKE ·····················································································································135

Main mode IKE with pre-shared key authentication configuration example ··················································135

Network requirements····························································································································135

Configuration procedure·························································································································135

Verifying the configuration······················································································································138

Troubleshooting IKE ······································································································································138

IKE negotiation failed because no matching IKE proposals were found················································138

IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly···············138

IPsec SA negotiation failed because no matching IPsec transform sets were found ····························139

IPsec SA negotiation failed due to invalid identity information·······························································140

Configuring SSH·························································································143

How SSH works·····································································································································143

SSH authentication methods··················································································································144

Configuring the device as an SSH server······································································································145

SSH server configuration task list··········································································································145

Generating local DSA or RSA key pairs·································································································146

Enabling the Stelnet server····················································································································147

Enabling the SFTP server······················································································································147

Enabling the SCP server························································································································147

Configuring NETCONF over SSH··········································································································147

Configuring user lines for SSH login······································································································148

Configuring a client's host public key·····································································································148

Configuring an SSH user ·······················································································································149

Configuring the SSH management parameters·····················································································150

Configuring the device as an Stelnet client····································································································151

Stelnet client configuration task list········································································································151

Specifying a source IP address for SSH packets···················································································151

Establishing a connection to an Stelnet server······················································································152

Configuring the device as an SFTP client······································································································153

SFTP client configuration task list··········································································································153

Specifying the source IP address for SFTP packets··············································································153

Establishing a connection to an SFTP server························································································153

Working with SFTP directories···············································································································154

Working with SFTP files·························································································································154

Displaying help information····················································································································155

Terminating the connection with the SFTP server·················································································155

Configuring the device as an SCP client········································································································155

Displaying and maintaining SSH····················································································································156

Stelnet configuration examples······················································································································156

Password authentication enabled Stelnet server configuration example···············································157

Publickey authentication enabled Stelnet server configuration example···············································159

Password authentication enabled Stelnet client configuration example ················································165

Publickey authentication enabled Stelnet client configuration example·················································168

SFTP configuration examples························································································································170

Password authentication enabled SFTP server configuration example·················································170

Publickey authentication enabled SFTP client configuration example···················································172

SCP file transfer with password authentication······························································································175

Network requirements····························································································································176

Configuration procedure·························································································································176

Configuring IP source guard·······································································178

Static IPSG bindings······························································································································178

Dynamic IPSG bindings·························································································································179

IPSG configuration task list····························································································································179

Configuring the IPv4SG feature·····················································································································179

Enabling IPv4SG on an interface···········································································································179

Configuring a static IPv4SG binding ······································································································180

Displaying and maintaining IPSG ··················································································································181

IPSG configuration examples ························································································································181

Static IPv4SG configuration example·····································································································181

Dynamic IPv4SG using DHCP snooping configuration example···························································182

Dynamic IPv4SG using DHCP relay configuration example··································································183

Configuring ARP attack protection······························································185

ARP attack protection configuration task list··································································································185

Configuring unresolvable IP attack protection ·······························································································185

Configuring ARP source suppression····································································································186

Configuring ARP blackhole routing········································································································186

Displaying and maintaining unresolvable IP attack protection·······························································186

Configuration example···························································································································187

Configuring ARP packet rate limit··················································································································188

Configuration guidelines·························································································································188

Configuration procedure·························································································································188

Configuring source MAC-based ARP attack detection ··················································································189

Configuration procedure·························································································································189

Displaying and maintaining source MAC-based ARP attack detection··················································189

Configuration example···························································································································190

Configuring ARP packet source MAC consistency check··············································································191

Configuring ARP active acknowledgement····································································································191

Configuring authorized ARP ··························································································································192

Configuration procedure·························································································································192

Configuring ARP detection·····························································································································192

Configuring user validity check ··············································································································192

Configuring ARP packet validity check ··································································································193

Configuring ARP restricted forwarding···································································································194

Enabling ARP detection logging·············································································································194

Displaying and maintaining ARP detection····························································································195

User validity check and ARP packet validity check configuration example············································195

Configuring ARP scanning and fixed ARP·····································································································196

Configuration restrictions and guidelines·······························································································197

Configuration procedure·························································································································197

Configuring ARP gateway protection·············································································································197

Configuration guidelines·························································································································197

Configuration procedure·························································································································198

Configuration example···························································································································198

Configuring ARP filtering································································································································199

Configuration guidelines·························································································································199

Configuration procedure·························································································································199

Configuration example···························································································································199

Configuring uRPF ·······················································································201

uRPF check modes································································································································201

uRPF operation······································································································································201

Network application································································································································204

Configuring uRPF ··········································································································································204

Displaying and maintaining uRPF··················································································································204

uRPF configuration example··························································································································205

Configuring FIPS·························································································206

Configuration restrictions and guidelines·······································································································206

Configuring FIPS mode··································································································································207

Entering FIPS mode·······························································································································207

Configuration changes in FIPS mode ····································································································208

Exiting FIPS mode ·································································································································208

FIPS self-tests················································································································································209

Power-up self-tests ································································································································209

Conditional self-tests······························································································································210

Triggering self-tests································································································································210

Displaying and maintaining FIPS···················································································································210

FIPS configuration examples·························································································································211

Entering FIPS mode through automatic reboot······················································································211

Entering FIPS mode through manual reboot··························································································212

Exiting FIPS mode through automatic reboot ························································································213

Exiting FIPS mode through manual reboot····························································································214

Configuring attack detection and prevention···············································215

Enabling TCP fragment attack prevention ·····································································································215

Document conventions and icons·······························································216

Conventions···················································································································································216

Network topology icons··································································································································217

Support and other resources ······································································218

Accessing Hewlett Packard Enterprise Support ····························································································218

Accessing updates·········································································································································218

Websites ················································································································································219

Customer self repair·······························································································································219

Remote support······································································································································219

Documentation feedback ·······················································································································219

Index···········································································································220

Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. This feature specifies the following security functions:

•Authentication—Identifies users and verifies their validity.

•Authorization—Grants different users different rights, and controls the users' access to

resources and services. For example, you can permit office users to read and print files and

prevent guests from accessing files on the device.

•Accounting—Records network usage details of users, including the service type, start time,

and traffic. This function enables time-based and traffic-based charging and user behavior

auditing.

AAA uses a client/server model. The client runs on the access device, or the network access server

(NAS), which authenticates user identities and controls user access. The server maintains user

information centrally. See Figure 1.

Figure 1 AAA network diagram

To access networks or resources beyond the NAS, a user sends its identity information to the NAS.

The NAS transparently passes the user information toAAA servers and waits for the authentication,

authorization, and accounting result. Based on the result, the NAS determines whether to permit or

deny the access request.

AAAhas various implementations, including RADIUSand HWTACACS. RADIUS is most often used.

The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different

servers to implement different security functions. For example, you can use the HWTACACS server

for authentication and authorization, and use the RADIUS server for accounting.

You can choose the security functions provided by AAA as needed. For example, if your company

wants employees to be authenticated before they access specific resources, you would deploy an

authentication server. If network usage information is needed, you would also configure an

accounting server.

The device performs dynamic password authentication.

Remote user NAS RADIUS server

HWTACACS server

Internet

Network

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction

protocol that uses a client/server model. The protocol can protect networks against unauthorized

access and is often used in network environments that require both high security and remote user

access.

The RADIUS authorization process is combined with the RADIUS authentication process, and user

authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812

for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access, and has been extended to support

additional access methods, such as Ethernet andADSL.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

The RADIUS server runs on the computer or workstation at the network center and maintains

information related to user authentication and network service access.

The RADIUS server operates using the following process:

1. Receives authentication, authorization, and accounting requests from RADIUS clients.

2. Performs user authentication, authorization, or accounting.

3. Returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

The RADIUS server can also act as the client of another RADIUS server to provide authentication

proxy services.

The RADIUS server maintains the following databases:

•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP

addresses.

•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•Dictionary—Stores RADIUS protocol attributes and their values.

Figure 2 RADIUS server databases

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys,

which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called

Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,

and some other information. The receiver of the packetverifies the signature and accepts the packet

only when the signature is correct. This mechanism ensures the security of information exchanged

between the RADIUS client and server.

The shared keys are also used to encrypt user passwords that are included in RADIUS packets.

User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.

Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS uses the following workflow:

1. The host sends a connection request that includes the user's username and password to the

RADIUS client.

2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.

The request includes the user's password, which has been processed by the MD5 algorithm

and shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds,

the server sends back an Access-Accept packet that contains the user's authorization

information. If the authentication fails, the server returns an Access-Reject packet.

4. The RADIUS client permits or denies the user according to the authentication result. If the result

permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)

packet to the RADIUS server.

5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection.

8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the

RADIUS server.

9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting

for the user.

10. The RADIUS client notifies the user of the termination.

RADIUS packet format

RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure

smooth packet exchange between the RADIUS server and the client. These mechanisms include the

timer mechanism, the retransmission mechanism, and the backup server mechanism.

Figure 4 RADIUS packet format

Descriptions of the fields are as follows:

•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main

values and their meanings.

Table 1 Main values of the Code field

Cod

e Packet type Description

1 Access-Request

From the client to the server. A packet of this type includes user information

for the server to authenticate the user. It must contain the User-Name

attribute and can optionally contain the attributes of NAS-IP-Address,

User-Password, and NAS-Port.

2 Access-Accept From the server to the client. If all attribute values included in the

Access-Request are acceptable, the authentication succeeds, and the

server sends an Access-Accept response.

3 Access-Reject From the server to the client. If any attribute value included in the

Access-Request is unacceptable, the authentication fails, and the server

sends an Access-Reject response.

4 Accounting-Request

From the client to the server. A packet of this type includes user information

for the server to start or stop accounting for the user. The Acct-Status-Type

attribute in the packet indicates whether to start or stop accounting.

5 Accounting-Respons

From the server to the client. The server sends a packet of this type to

notify the client that it has received the Accounting-Request and has

successfully recorded the accounting information.

•The Identifier field (1 byte long) is used to match response packets with request packets and to

detect duplicate request packets. The request and response packets of the same exchange

process for the same purpose (such as authentication or accounting) have the same identifier.

•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the

Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are

considered padding and are ignored by the receiver. If the length of a received packet is less

than this length, the packet is dropped.

•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS

server and to encrypt user passwords. There are two types of authenticators: request

authenticator and response authenticator.

•The Attributes field (variable in length) includes authentication, authorization, and accounting

information. This field can contain multiple attributes, each with the following subfields:

{Type—Type of the attribute.

{Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.

{Value—Value of the attribute. Its format and content depend on the Type subfield.

Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC

2868. For more information, see "Commonly used standard RADIUS attributes."

Table 2 Commonly used RADIUS attributes

No. Attribute No. Attribute

1 User-Name 45 Acct-Authentic

2 User-Password 46 Acct-Session-Time

3 CHAP-Password 47 Acct-Input-Packets

4 NAS-IP-Address 48 Acct-Output-Packets

5 NAS-Port 49 Acct-Terminate-Cause

6 Service-Type 50 Acct-Multi-Session-Id

7 Framed-Protocol 51 Acct-Link-Count

8 Framed-IP-Address 52 Acct-Input-Gigawords

9 Framed-IP-Netmask 53 Acct-Output-Gigawords

10 Framed-Routing 54 (unassigned)

11 Filter-ID 55 Event-Timestamp

12 Framed-MTU 56-59 (unassigned)

13 Framed-Compression 60 CHAP-Challenge

14 Login-IP-Host 61 NAS-Port-Type

15 Login-Service 62 Port-Limit

16 Login-TCP-Port 63 Login-LAT-Port

17 (unassigned) 64 Tunnel-Type

18 Reply-Message 65 Tunnel-Medium-Type

19 Callback-Number 66 Tunnel-Client-Endpoint

20 Callback-ID 67 Tunnel-Server-Endpoint

21 (unassigned) 68 Acct-Tunnel-Connection

22 Framed-Route 69 Tunnel-Password

23 Framed-IPX-Network 70 ARAP-Password

24 State 71 ARAP-Features

25 Class 72 ARAP-Zone-Access

26 Vendor-Specific 73 ARAP-Security

27 Session-Timeout 74 ARAP-Security-Data

28 Idle-Timeout 75 Password-Retry

29 Termination-Action 76 Prompt

30 Called-Station-Id 77 Connect-Info

31 Calling-Station-Id 78 Configuration-Token

32 NAS-Identifier 79 EAP-Message

No. Attribute No. Attribute

33 Proxy-State 80 Message-Authenticator

34 Login-LAT-Service 81 Tunnel-Private-Group-id

35 Login-LAT-Node 82 Tunnel-Assignment-id

36 Login-LAT-Group 83 Tunnel-Preference

37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response

38 Framed-AppleTalk-Network 85 Acct-Interim-Interval

39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost

40 Acct-Status-Type 87 NAS-Port-Id

41 Acct-Delay-Time 88 Framed-Pool

42 Acct-Input-Octets 89 (unassigned)

43 Acct-Output-Octets 90 Tunnel-Client-Auth-id

44 Acct-Session-Id 91 Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)

allows a vendor to define extended attributes. The extended attributes implement functions that the

standard RADIUS protocol does not provide.

Avendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended

functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following

parts:

•Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a

code compliant to RFC 1700.

•Vendor-Type—Type of the subattribute.

•Vendor-Length—Length of the subattribute.

•Vendor-Data—Contents of the subattribute.

For more information about the proprietary RADIUS subattributes of HPE, see "HPE proprietary

RADIUS subattributes."

Figure 5 Format of attribute 26

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security

protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server

model for information exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical

HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client,

the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After

passing authentication and obtaining authorized rights, a user logs in to the device and performs

operations. The HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model,

using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the

primary differences between HWTACACS and RADIUS.

Table 3 Primary differences between HWTACACS and RADIUS

HWTACACS RADIUS

Uses TCP, which provides reliable network

transmission. Uses UDP, which provides high transport efficiency.

Encrypts the entire packet except for the

HWTACACS header. Encrypts only the user password field in an

authentication packet.

Protocol packets are complicated and authorization

is independent of authentication. Authentication and

authorization can be deployed on different

HWTACACS servers.

Protocol packets are simple and the authorization

process is combined with the authentication

process.

Supports authorization of configuration commands.

Access to commands depends on both the user's

roles and authorization. A user can use only

commands that are permitted by the user roles and

authorized by the HWTACACS server.

Does not support authorization of configuration

commands. Access to commands solely depends on

the user's roles. For more information about user

roles, see Fundamentals Configuration Guide.

Basic HWTACACS packet exchange process

Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for

a Telnet user.

Figure 6 Basic HWTACACS packet exchange process for a Telnet user

HWTACACS operates using the following workflow:

1. A Telnet user sends an access request to the HWTACACS client.

2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it

receives the request.

3. The HWTACACS server sends back an authentication response to request the username.

4. Upon receiving the response, the HWTACACS client asks the user for the username.

5. The user enters the username.

6. After receiving the username from the user, the HWTACACS client sends the server a

continue-authentication packet that includes the username.

7. The HWTACACS server sends back an authentication response to request the login password.

8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.

9. The user enters the password.

Host HWTACACS client HWTACACS server

1) The user tries to log in

2) Start-authentication packet

3) Authentication response requesting the username

4) Request for username

5) The user enters the username

6) Continue-authentication packet with the username

7) Authentication response requesting the password

8) Request for password

9) The user enters the password

11) Response indicating successful authentication

12) User authorization request packet

13) Response indicating successful authorization

14) The user logs in successfully

15) Start-accounting request

16) Response indicating the start of accounting

17) The user logs off

18) Stop-accounting request

19) Stop-accounting response

10) Continue-authentication packet with the password

10. After receiving the login password, the HWTACACS client sends the HWTACACS server a

continue-authentication packet that includes the login password.

11. If the authentication succeeds, the HWTACACS server sends back an authentication response

to indicate that the user has passed authentication.

12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.

13. If the authorization succeeds, the HWTACACS server sends back an authorization response,

indicating that the user is now authorized.

14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and

permits the user to log in.

15. The HWTACACS client sends a start-accounting request to the HWTACACS server.

16. The HWTACACS server sends back an accounting response, indicating that it has received the

start-accounting request.

17. The user logs off.

18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19. The HWTACACS server sends back a stop-accounting response, indicating that the

stop-accounting request has been received.

AAA implementation on the device

This section describes AAA user management and methods.

User management based on ISP domains and user access types

AAA manages users based on the users' ISP domains and access types.

On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a

user belongs based on the username entered by the user at login.

Figure 7 Determining the ISP domain for a user by username



AAAmanages users in the same ISP domain based on the users' access types. The device supports

AAA for login users. Login users include SSH, Telnet, FTP, and terminal users who log in to the

device. Terminal users can access through a console port.

AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for

different types of users in an ISP domain. The NAS determines the ISPdomain and access type of a

user, and uses the methods configured for the access type in the domain to control the user's

access.

AAA also supports configuring a set of default methods for an ISP domain. These default methods

are applied to users for whom noAAA methods are configured.

The device supports the following authentication methods:

•No authentication—This method trusts all users and does not perform authentication. For

security purposes, do not use this method.

•Local authentication—The NAS authenticates users by itself, based on the locally configured

user information including the usernames, passwords, and attributes. Local authentication

allows high speed and low cost, but the amount of information that can be stored is limited by

the size of the storage space.

•Remote authentication—The NAS works with a RADIUS or HWTACACS server to

authenticate users. The server manages user information in a centralized manner. Remote

authentication provides high capacity, reliable, and centralized authentication services for

multiple NASs. You can configure backup methods to be used when the remote server is not

available.

The device supports the following authorization methods:

•No authorization—The NAS performs no authorization exchange. After passing

authentication, users can access the network, except FTP, SFTP, and SCP users. When an FTP,

SFTP, or SCP user passes authentication, the working directory is set to the root directory of the

NAS, but the user cannot access this directory.

•Local authorization—The NAS performs authorization according to the user attributes locally

configured for users.

•Remote authorization—The NAS works with a RADIUS or HWTACACS server to authorize

users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can

work only after RADIUS authentication is successful, and the authorization information is

included in theAccess-Accept packet. HWTACACS authorization is separate from

HWTACACS authentication, and the authorization information is included in the authorization

response after successful authentication. You can configure backup methods to be used when

the remote server is not available.

The device supports the following accounting methods:

•No accounting—The NAS does not perform accounting for the users.

•Local accounting—Local accounting is implemented on the NAS. It counts and controls the

number of concurrent users who use the same local user account, but does not provide

statistics for charging.

•Remote accounting—The NAS works with a RADIUS server or HWTACACS server for

accounting. You can configure backup methods to be used when the remote server is not

available.

In addition, the device provides the following login services to enhance device security:

•Command authorization—Enables the NAS to let the authorization server determine whether

a command entered by a login user is permitted. Login users can execute only commands

permitted by the authorization server. For more information about command authorization, see

Fundamentals Configuration Guide.

•Command accounting—When command authorization is disabled, command accounting

enables the accounting server to record all valid commands executed on the device. When

command authorization is enabled, command accounting enables the accounting server to

record all authorized commands. For more information about command accounting, see

Fundamentals Configuration Guide.

•User role authentication—Authenticates each user who wants to obtain a temporary user role

without logging out or getting disconnected. For more information about temporary user role

authorization, see Fundamentals Configuration Guide.

Protocols and standards

•RFC 2865, Remote Authentication Dial In User Service (RADIUS)

•RFC 2866, RADIUS Accounting

•RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

•RFC 2868, RADIUS Attributes for Tunnel Protocol Support

•RFC 2869, RADIUS Extensions

•RFC 1492, An Access Control Protocol, Sometimes Called TACACS

RADIUS attributes

Commonly used standard RADIUS attributes

No. Attribute Description

1 User-Name Name of the user to be authenticated.

2 User-Password User password for PAP authentication, only present in Access-Request

packets when PAP authentication is used.

3 CHAP-Password Digest of the user password for CHAP authentication, only present in

Access-Request packets when CHAP authentication is used.

4 NAS-IP-Address IP address for the server to use to identify the client. Typically, a client is

identified by the IP address of its access interface. This attribute is only

present in Access-Request packets.

5 NAS-Port Physical port of the NAS that the user accesses.

6 Service-Type Type of service that the user has requested or type of service to be

provided.

7 Framed-Protocol Encapsulation protocol for framed access.

8 Framed-IP-Address IP address assigned to the user.

11 Filter-ID Name of the filter list.

12 Framed-MTU MTU for the data link between the user and NAS. For example, this

attribute can be used to define the maximum size of EAP packets allowed

to be processed in 802.1X EAP authentication.

14 Login-IP-Host IP address of the NAS interface that the user accesses.

15 Login-Service Type of the service that the user uses for login.

18 Reply-Message Text to be displayed to the user, which can be used by the server to

communicate information, for example, the reason of the authentication

failure.

26 Vendor-Specific Vendor-specific proprietary attribute. A packet can contain one or more

proprietary attributes, each of which can contain one or more

subattributes.

27 Session-Timeout Maximum service duration for the user before termination of the session.

28 Idle-Timeout Maximum idle time permitted for the user before termination of the

session.

31 Calling-Station-Id User identification that the NAS sends to the server. For the LAN access

service provided by an HPE device, this attribute includes the MAC

address of the user in the format HHHH-HHHH-HHHH.

32 NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.

40 Acct-Status-Type

Type of the Accounting-Request packet. Possible values include:

•1—Start.

•2—Stop.

•3—Interim-Update.

•4—Reset-Charge.

No. Attribute Description

•7—Accounting-On. (Defined in the 3rd Generation Partnership

Project.)

•8—Accounting-Off. (Defined in the 3rd Generation Partnership

Project.)

•9 to 14—Reserved for tunnel accounting.

•15—Reserved for failed.

45 Acct-Authentic

Authentication method used by the user. Possible values include:

•1—RADIUS.

•2—Local.

•3—Remote.

60 CHAP-Challenge CHAP challenge generated by the NAS for MD5 calculation during CHAP

authentication.

61 NAS-Port-Type

Type of the physical port of the NAS that is authenticating the user.

Possible values include:

•15—Ethernet.

•16—Any type of ADSL.

•17—Cable. (With cable for cable TV.)

•19—WLAN-IEEE 802.11.

•201—VLAN.

•202—ATM.

If the port is an ATM or Ethernet one and VLANs are implemented on it,

the value of this attribute is 201.

79 EAP-Message Used to encapsulate EAP packets to allow RADIUS to support EAP

authentication.

80 Message-Authenticato

Used for authentication and verification of authentication packets to

prevent spoofing Access-Requests. This attribute is present when EAP

authentication is used.

87 NAS-Port-Id String for describing the port of the NAS that is authenticating the user.

HPE proprietary RADIUS subattributes

No. Subattribute Description

1 Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.

2 Input-Average-Rate Average rate in the direction from the user to the NAS, in bps.

3 Input-Basic-Rate Basic rate in the direction from the user to the NAS, in bps.

4 Output-Peak-Rate Peak rate in the direction from the NAS to the user, in bps.

5 Output-Average-Rate Average rate in the direction from the NAS to the user, in bps.

6 Output-Basic-Rate Basic rate in the direction from the NAS to the user, in bps.

15 Remanent_Volume Total remaining available traffic for the connection, in different units for

different server types.

20 Command

Operation for the session, used for session control. Possible values

include:

•1—Trigger-Request.

•2—Terminate-Request.

•3—SetPolicy.

•4—Result.

•5—PortalClear.

Other manuals for FlexFabric 7900 Series

Table of contents

Other HPE Switch manuals

HPE

HPE FlexFabric 5710 Series Instruction Manual

HPE

HPE FlexNetwork 5510 HI Series User manual

HPE

HPE FlexNetwork 10500 SERIES User manual

HPE

HPE 5945 Installation instructions

HPE

HPE FlexNetwork 10500 SERIES User manual

HPE

HPE FlexFabric 5930 Series Installation manual

HPE

HPE Aruba 6300M Assembly instructions

HPE

HPE Aruba Networking CX 6200 Series User manual

HPE

HPE OfficeConnect 1910 Series Safety guide

HPE

HPE FlexNetwork 10500 SERIES User manual

HPE

HPE FlexFabric 12900 Installation manual

HPE

HPE OfficeConnect 1850 Series User manual

HPE

HPE 5800 Series User manual

HPE

HPE Aruba Instant On 1830 48G 4SFP Assembly instructions

HPE

HPE 5920 series Installation manual

HPE

HPE FlexFabric 5950 Series Installation manual

HPE

HPE FlexNetwork 5130 HI SERIES Installation manual

HPE

HPE Aruba 6200F Assembly instructions

HPE

HPE FlexNetwork 7500 Switch User manual

HPE

HPE FlexFabric 5940 SERIES User manual

HPE

HPE Aruba Instant On 1960 Assembly instructions

HPE

HPE JH390A User manual

HPE

HPE Altoline 6822 48XG 6QSFP28 x86 ONIE Assembly instructions

HPE

HPE FlexFabric 12900E User manual

Popular Switch manuals by other brands

Edimax

Edimax EK-082C Specifications

GE GEH-4763 installation instructions

Projoy Electric

Projoy Electric PEDH Series user manual

Lutron Electronics

Lutron Electronics Stanza SZ-1SD installation instructions

Leader

Leader LVB440 user manual

steute

steute Ex ZS 80-3G Mounting and wiring instructions

Parasound

Parasound Zhd owner's guide

Eaton

Eaton GHG 273 operating instructions

DeviceWell

DeviceWell HDS6112 user manual

LevelOne

LevelOne IGP-1061 Quick installation guide

Equinox Systems

Equinox Systems ESP-2 MI Installation and user guide

MikroTik

MikroTik RB2011iL-IN manual

Dell

Dell PowerEdge KVM 1081AD user guide

Vantage Controls

Vantage Controls MPER-2 Installation

logika

logika WL-ZCSENPB-S0410-01 product manual

Aluratek

Aluratek AUS0202 product reference card

OfficeSource

OfficeSource OSF9500 Assembly instructions

HP HP 5120 series Configuration guide

HPE FlexFabric 7900 Series User manual

Popular Switch manuals by other brands