Hpe Flexnetwork 10500 series User manual

HPE FlexNetwork 10500 Switch Series

Security Configuration Guide

art number: 5200-1910a

Software

version: 10500-CMW710-R7557P01

Document version: 6W101-20171020

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard

Enterprise products and services are set forth in the express warranty statements accompanying such

products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett

Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or

copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s

standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard

Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise

website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the

United States and other countries.

Microsoft® and Windows® are trademarks of the Microsoft group of companies.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

Configuring AAA····························································································1

Overview····························································································································································1

RADIUS······················································································································································2

HWTACACS···············································································································································6

LDAP··························································································································································9

AAA implementation on the device··········································································································12

AAA for MPLS L3VPNs····························································································································14

RADIUS server feature of the device·······································································································14

Protocols and standards ··························································································································15

RADIUS attributes····································································································································15

FIPS compliance··············································································································································19

AAA configuration considerations and task list································································································20

Configuring AAA schemes·······························································································································21

Configuring local users·····························································································································21

Configuring RADIUS schemes·················································································································28

Configuring HWTACACS schemes··········································································································39

Configuring LDAP schemes·····················································································································46

Configuring AAA methods for ISP domains·····································································································50

Configuration prerequisites······················································································································50

Creating an ISP domain···························································································································51

Configuring ISP domain attributes ···········································································································51

Configuring authentication methods for an ISP domain···········································································53

Configuring authorization methods for an ISP domain·············································································54

Configuring accounting methods for an ISP domain················································································55

Configuring the RADIUS session-control feature·····························································································57

Configuring the RADIUS DAS feature··············································································································57

Changing the DSCP priority for RADIUS packets····························································································58

Configuring the RADIUS attribute translation feature ······················································································58

Setting the maximum number of concurrent login users··················································································60

Configuring a NAS-ID profile····························································································································60

Configuring the device ID·································································································································60

Configuring the RADIUS server feature···········································································································61

Restrictions and guidelines······················································································································61

Configuration task list·······························································································································61

Specifying RADIUS clients·······················································································································61

Activating the RADIUS server configuration ····························································································62

Displaying and maintaining RADIUS users and clients············································································62

Displaying and maintaining AAA······················································································································62

AAA configuration examples····························································································································62

AAA for SSH users by an HWTACACS server························································································62

Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users·····················64

Authentication and authorization for SSH users by a RADIUS server·····················································66

Authentication for SSH users by an LDAP server····················································································69

AAA for 802.1X users by a RADIUS server·····························································································72

Local guest configuration and management example··············································································76

Authentication and authorization of 802.1X users by the device as a RADIUS server····························78

Troubleshooting RADIUS·································································································································81

RADIUS authentication failure ·················································································································81

RADIUS packet delivery failure················································································································81

RADIUS accounting error·························································································································82

Troubleshooting HWTACACS··························································································································82

Troubleshooting LDAP·····································································································································82

LDAP authentication failure······················································································································82

802.1X overview··························································································84

802.1X architecture··········································································································································84

Controlled/uncontrolled port and port authorization status ··············································································84

802.1X-related protocols··································································································································85

Packet formats·········································································································································85

EAP over RADIUS ···································································································································86

802.1X authentication initiation························································································································87

802.1X client as the initiator·····················································································································87

Access device as the initiator···················································································································87

802.1X authentication procedures ···················································································································88

Comparing EAP relay and EAP termination·····························································································88

EAP relay·················································································································································89

EAP termination·······································································································································90

Configuring 802.1X······················································································92

Access control methods···································································································································92

802.1X VLAN manipulation······························································································································92

Authorization VLAN··································································································································92

Guest VLAN·············································································································································94

Auth-Fail VLAN ········································································································································96

Critical VLAN············································································································································97

Critical voice VLAN ··································································································································98

802.1X VSI manipulation··································································································································99

802.1X support for VXLANs·····················································································································99

Authorization VSI ···································································································································100

Guest VSI···············································································································································100

Auth-Fail VSI··········································································································································100

Critical VSI ·············································································································································101

Using 802.1X authentication with other features····························································································101

ACL assignment·····································································································································101

EAD assistant·········································································································································102

Redirect URL assignment······················································································································103

802.1X configuration restrictions and guidelines····························································································103

Configuration prerequisites····························································································································103

802.1X configuration task list·························································································································104

Enabling 802.1X·············································································································································104

Enabling EAP relay or EAP termination·········································································································105

Setting the port authorization state ················································································································106

Specifying an access control method·············································································································106

Setting the maximum number of concurrent 802.1X users on a port·····························································106

Setting the maximum number of authentication request attempts·································································107

Setting the 802.1X authentication timeout timers ··························································································107

Configuring online user handshake················································································································108

Configuration restrictions and guidelines·······························································································108

Configuration procedure·························································································································108

Configuring the authentication trigger feature································································································109

Configuration restrictions and guidelines·······························································································109

Configuration procedure·························································································································109

Specifying a mandatory authentication domain on a port··············································································109

Setting the quiet timer····································································································································110

Configuring 802.1X reauthentication··············································································································110

Configuration restrictions and guidelines·······························································································110

Configuring 802.1X periodic reauthentication························································································111

Configuring 802.1X manual reauthentication·························································································111

Enabling the keep-online feature ···········································································································111

Configuring an 802.1X guest VLAN···············································································································112

Configuration restrictions and guidelines·······························································································112

Configuration prerequisites····················································································································112

Configuration procedure·························································································································113

Enabling 802.1X guest VLAN assignment delay····························································································113

Configuring an 802.1X Auth-Fail VLAN··········································································································114

Configuration restrictions and guidelines·······························································································114

Configuration prerequisites····················································································································114

Configuration procedure·························································································································114

iii

Configuring an 802.1X critical VLAN··············································································································115

Configuration restrictions and guidelines·······························································································115

Configuration prerequisites····················································································································115

Configuration procedure·························································································································115

Enabling the 802.1X critical voice VLAN········································································································116

Configuration restrictions and guidelines·······························································································116

Configuration prerequisites····················································································································116

Configuration procedure·························································································································116

Configuring an 802.1X guest VSI···················································································································116

Configuration procedure·························································································································117

Enabling 802.1X guest VSI assignment delay·······························································································117

Configuring an 802.1X Auth-Fail VSI·············································································································118

Configuration restrictions and guidelines·······························································································118

Configuration prerequisites····················································································································118

Configuration procedure·························································································································118

Configuring an 802.1X critical VSI ·················································································································118

Configuration procedure·························································································································119

Specifying supported domain name delimiters ······························································································119

Enabling 802.1X user IP freezing···················································································································119

Sending 802.1X protocol packets out of a port without VLAN tags ·······························································120

Setting the maximum number of 802.1X authentication attempts for MAC authenticated users···················120

Configuring 802.1X MAC address binding·····································································································121

Configuration restrictions and guidelines·······························································································121

Configuration procedure·························································································································121

Configuring the EAD assistant feature···········································································································122

Enabling logging for 802.1X users·················································································································123

Configuration restrictions and guidelines·······························································································123

Configuration procedure·························································································································123

Displaying and maintaining 802.1X················································································································123

802.1X authentication configuration examples ······························································································124

Basic 802.1X authentication configuration example ··············································································124

802.1X guest VLAN and authorization VLAN configuration example ····················································126

802.1X with ACL assignment configuration example·············································································128

802.1X guest VSI and authorization VSI configuration example····························································130

802.1X with EAD assistant configuration example (with DHCP relay agent)·········································132

802.1X with EAD assistant configuration example (with DHCP server)·················································134

Troubleshooting 802.1X·································································································································137

EAD assistant URL redirection failure····································································································137

Configuring MAC authentication ································································138

User account policies·····························································································································138

Authentication methods··························································································································138

VLAN assignment ··········································································································································139

Authorization VLAN································································································································139

Guest VLAN···········································································································································140

VSI manipulation············································································································································141

MAC authentication support for VXLANs·······························································································141

Authorization VSI ···································································································································141

ACL assignment·············································································································································143

Redirect URL assignment······························································································································143

General guidelines and restrictions················································································································144

Configuration task list·····································································································································145

Enabling MAC authentication·························································································································145

Specifying a MAC authentication domain ······································································································146

Configuring the user account format··············································································································146

Configuring MAC authentication timers··········································································································147

Setting the maximum number of concurrent MAC authentication users on a port·········································147

Enabling MAC authentication multi-VLAN mode on a port ············································································147

Configuring MAC authentication delay···········································································································148

Enabling parallel processing of MAC authentication and 802.1X authentication···········································148

Configuration restrictions and guidelines·······························································································149

Configuration procedure·························································································································149

Configuring a MAC authentication guest VLAN·····························································································149

Configuration prerequisites····················································································································149

Configuration restrictions and guidelines·······························································································150

Configuration procedure·························································································································150

Configuring a MAC authentication critical VLAN····························································································150

Enabling the MAC authentication critical voice VLAN····················································································151

Configuration prerequisites····················································································································151

Configuration procedure·························································································································152

Configuring a MAC authentication guest VSI·································································································152

Configuration restrictions and guidelines·······························································································152

Configuration prerequisites····················································································································152

Configuring a MAC authentication critical VSI ·······························································································153

Configuration restrictions and guidelines·······························································································153

Configuration prerequisites····················································································································153

Configuration procedure·························································································································153

Configuring periodic MAC reauthentication····································································································153

Configuration restrictions and guidelines·······························································································154

Configuration procedure·························································································································154

Including user IP addresses in MAC authentication requests········································································155

Enabling MAC authentication offline detection ······························································································156

Enabling logging for MAC authentication users·····························································································156

Configuration restrictions and guidelines·······························································································156

Configuration procedure·························································································································156

Displaying and maintaining MAC authentication····························································································156

MAC authentication configuration examples··································································································157

Local MAC authentication configuration example··················································································157

RADIUS-based MAC authentication configuration example··································································159

ACL assignment configuration example·································································································161

MAC authentication authorization VSI assignment configuration example············································164

Configuring portal authentication ·······························································167

Extended portal functions·······················································································································167

Portal system components·····················································································································167

Portal system using the local portal Web server····················································································169

Interaction between portal system components·····················································································169

Portal authentication modes···················································································································170

Portal support for EAP ···························································································································170

Portal authentication process·················································································································171

Portal filtering rules ································································································································173

MAC-based quick portal authentication ·································································································173

Portal configuration task list···························································································································174

Configuring a portal authentication server ·····································································································175

Configuring a portal Web server ····················································································································176

Enabling portal authentication························································································································177

Configuration restrictions and guidelines·······························································································177

Configuration procedure·························································································································178

Specifying a portal Web server······················································································································178

Controlling portal user access························································································································179

Configuring a portal-free rule ·················································································································179

Configuring an authentication source subnet·························································································180

Configuring an authentication destination subnet··················································································181

Setting the maximum number of portal users ························································································181

Specifying a portal authentication domain ·····························································································182

Specifying a preauthentication domain··································································································183

Specifying a preauthentication IP address pool for portal users····························································184

Configuring support of Web proxy for portal authentication···································································184

Enabling strict-checking on portal authorization information··································································185

Allowing only users with DHCP-assigned IP addresses to pass portal authentication··························186

Enabling outgoing packets filtering on a portal-enabled interface··························································186

Configuring portal detection features·············································································································186

Configuring online detection of portal users···························································································186

Configuring portal authentication server detection·················································································187

Configuring portal Web server detection································································································188

Configuring portal user synchronization·································································································189

Configuring the portal fail-permit feature········································································································190

Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server···························190

Enabling portal roaming·································································································································191

Specifying a format for the NAS-Port-Id attribute···························································································192

Logging out online portal users······················································································································192

Configuring Web redirect ·······························································································································192

Applying a NAS-ID profile to an interface ······································································································193

Configuring the local portal Web server feature·····························································································193

Customizing authentication pages·········································································································194

Configuring a local portal Web server····································································································196

Configuring the Rule ARP or ND entry feature for portal clients····································································196

Configuring HTTPS redirect···························································································································197

Configuring MAC-based quick portal authentication······················································································197

Configuring a MAC binding server·········································································································197

Specifying a MAC binding server on an interface··················································································198

Enabling logging for user logins and logouts ·································································································199

Displaying and maintaining portal··················································································································199

Portal configuration examples························································································································200

Configuring direct portal authentication··································································································200

Configuring re-DHCP portal authentication····························································································205

Configuring cross-subnet portal authentication······················································································209

Configuring extended direct portal authentication··················································································212

Configuring extended re-DHCP portal authentication············································································215

Configuring extended cross-subnet portal authentication······································································219

Configuring portal server detection and portal user synchronization·····················································223

Configuring cross-subnet portal authentication for MPLS L3VPNs························································228

Configuring direct portal authentication with a preauthentication domain··············································230

Configuring re-DHCP portal authentication with a preauthentication domain········································232

Configuring direct portal authentication using local portal Web server··················································234

Troubleshooting portal ···································································································································237

No portal authentication page is pushed for users·················································································237

Cannot log out portal users on the access device ·················································································238

Cannot log out portal users on the RADIUS server ···············································································238

Users logged out by the access device still exist on the portal authentication server····························238

Re-DHCP portal authenticated users cannot log in successfully···························································239

Configuring port security············································································240

Port security features·····························································································································240

Port security modes ·······························································································································240

General guidelines and restrictions················································································································243

Enabling port security·····································································································································244

Setting port security's limit on the number of secure MAC addresses on a port············································244

Setting the port security mode ·······················································································································245

Configuring port security features··················································································································246

Configuring NTK·····································································································································246

Configuring intrusion protection ·············································································································247

Configuring secure MAC addresses ··············································································································248

Configuration prerequisites····················································································································248

Configuration procedure·························································································································249

Setting port security's limit on the number of MAC addresses for specific VLANs on a port·························249

Configuration restrictions and guidelines·······························································································250

Configuration procedure·························································································································250

Ignoring authorization information from the server·························································································250

Enabling MAC move ······································································································································250

Enabling the authorization-fail-offline feature·································································································251

Configuration prerequisites····················································································································251

Configuration procedure·························································································································251

Enabling open authentication mode···············································································································251

Configuration restrictions and guidelines·······························································································252

Configuration procedure·························································································································252

Configuring free VLANs for port security········································································································252

Applying a NAS-ID profile to port security······································································································253

Enabling SNMP notifications for port security································································································253

Enabling logging for port security users·········································································································254

Configuration restrictions and guidelines·······························································································254

Configuration procedure·························································································································254

Displaying and maintaining port security········································································································254

Port security configuration examples·············································································································255

autoLearn configuration example···········································································································255

userLoginWithOUI configuration example······························································································257

macAddressElseUserLoginSecure configuration example····································································259

Troubleshooting port security·························································································································263

Cannot set the port security mode·········································································································263

Cannot configure secure MAC addresses ·····························································································264

Configuring password control ····································································265

Password setting····································································································································265

Password updating and expiration·········································································································266

User login control···································································································································267

Password not displayed in any form ······································································································268

Logging ··················································································································································268

Password control configuration task list·········································································································268

Enabling password control·····························································································································269

Setting global password control parameters··································································································269

Setting user group password control parameters ··························································································270

Setting local user password control parameters····························································································271

Setting super password control parameters···································································································272

Displaying and maintaining password control································································································273

Password control configuration example ·······································································································273

Network requirements····························································································································273

Configuration procedure·························································································································274

Verifying the configuration······················································································································275

Configuring keychains ···············································································276

Configuration procedure·································································································································276

vii

Displaying and maintaining keychain·············································································································277

Keychain configuration example····················································································································277

Network requirements····························································································································277

Configuration procedure·························································································································278

Verifying the configuration······················································································································279

Managing public keys················································································283

Creating a local key pair·································································································································283

Distributing a local host public key·················································································································285

Exporting a host public key····················································································································285

Displaying a host public key···················································································································285

Destroying a local key pair·····························································································································286

Configuring a peer host public key·················································································································286

Importing a peer host public key from a public key file ··········································································286

Entering a peer host public key··············································································································287

Displaying and maintaining public keys ·········································································································287

Examples of public key management ············································································································287

Example for entering a peer host public key··························································································287

Example for importing a public key from a public key file ······································································289

Configuring PKI ·························································································292

PKI terminology······································································································································292

PKI architecture······································································································································293

PKI operation ·········································································································································293

PKI applications ·····································································································································294

Support for MPLS L3VPN······················································································································294

PKI configuration task list·······························································································································295

Configuring a PKI entity ·································································································································295

Configuring a PKI domain······························································································································296

Requesting a certificate··································································································································298

Configuration guidelines·························································································································298

Configuring automatic certificate request·······························································································299

Manually requesting a certificate············································································································299

Aborting a certificate request ·························································································································300

Obtaining certificates······································································································································300

Configuration prerequisites····················································································································300

Configuration guidelines·························································································································301

Configuration procedure·························································································································301

Verifying PKI certificates································································································································301

Verifying certificates with CRL checking································································································302

Verifying certificates without CRL checking···························································································302

Specifying the storage path for the certificates and CRLs·············································································303

Exporting certificates······································································································································303

Removing a certificate····································································································································304

Configuring a certificate-based access control policy····················································································304

Displaying and maintaining PKI ·····················································································································305

PKI configuration examples ···························································································································306

Requesting a certificate from an RSA Keon CA server··········································································306

Requesting a certificate from a Windows Server 2003 CA server·························································309

Requesting a certificate from an OpenCA server···················································································312

IKE negotiation with RSA digital signature from a Windows Server 2003 CA server ····························315

Certificate-based access control policy configuration example······························································318

Certificate import and export configuration example··············································································319

Troubleshooting PKI configuration·················································································································325

Failed to obtain the CA certificate··········································································································325

Failed to obtain local certificates············································································································325

Failed to request local certificates··········································································································326

Failed to obtain CRLs·····························································································································327

viii

Failed to import the CA certificate··········································································································327

Failed to import a local certificate···········································································································328

Failed to export certificates····················································································································328

Failed to set the storage path·················································································································329

Configuring IPsec ······················································································330

Security protocols and encapsulation modes·························································································330

Security association·······························································································································332

Authentication and encryption················································································································332

IPsec implementation·····························································································································333

IPsec RRI···············································································································································334

Protocols and standards ························································································································335

IPsec tunnel establishment····························································································································335

Implementing ACL-based IPsec·····················································································································335

Feature restrictions and guidelines········································································································335

ACL-based IPsec configuration task list·································································································335

Configuring an ACL································································································································336

Configuring an IPsec transform set········································································································337

Configuring a manual IPsec policy·········································································································339

Configuring an IKE-based IPsec policy··································································································341

Applying an IPsec policy to an interface ································································································344

Enabling ACL checking for de-encapsulated packets············································································345

Configuring IPsec anti-replay·················································································································345

Configuring IPsec anti-replay redundancy·····························································································346

Binding a source interface to an IPsec policy ························································································346

Enabling QoS pre-classify······················································································································347

Enabling logging of IPsec packets·········································································································348

Configuring the DF bit of IPsec packets·································································································348

Configuring IPsec RRI····························································································································349

Configuring IPsec for IPv6 routing protocols··································································································350

Configuration task list·····························································································································350

Configuring a manual IPsec profile········································································································350

Configuring SNMP notifications for IPsec······································································································351

Configuring IPsec fragmentation····················································································································352

Setting the maximum number of IPsec tunnels ·····························································································352

Displaying and maintaining IPsec··················································································································352

IPsec configuration examples························································································································353

Configuring IPsec for RIPng···················································································································353

Configuring IKE ·························································································357

IKE negotiation process·························································································································357

IKE security mechanism·························································································································358

Protocols and standards ························································································································359

IKE configuration prerequisites······················································································································359

IKE configuration task list·······························································································································359

Configuring an IKE profile······························································································································360

Configuring an IKE proposal··························································································································362

Configuring an IKE keychain··························································································································363

Configuring the global identity information·····································································································364

Configuring the IKE keepalive feature ···········································································································365

Configuring the IKE NAT keepalive feature ···································································································365

Configuring IKE DPD ·····································································································································366

Enabling invalid SPI recovery ························································································································366

Setting the maximum number of IKE SAs······································································································367

Configuring an IKE IPv4 address pool···········································································································367

Configuring SNMP notifications for IKE ·········································································································368

Displaying and maintaining IKE ·····················································································································368

IKE configuration examples ···························································································································369

Main mode IKE with pre-shared key authentication configuration example···········································369

Aggressive mode with RSA signature authentication configuration example········································371

Troubleshooting IKE·······································································································································375

IKE negotiation failed because no matching IKE proposals were found················································375

IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly··················376

IPsec SA negotiation failed because no matching IPsec transform sets were found ····························376

IPsec SA negotiation failed due to invalid identity information·······························································377

Configuring IKEv2······················································································380

IKEv2 negotiation process ·····················································································································380

New features in IKEv2····························································································································381

Protocols and standards ························································································································381

IKEv2 configuration task list···························································································································381

Configuring an IKEv2 profile ··························································································································382

Configuring an IKEv2 policy···························································································································385

Configuring an IKEv2 proposal ······················································································································386

Configuring an IKEv2 keychain······················································································································387

Configure global IKEv2 parameters···············································································································388

Enabling the cookie challenging feature ································································································388

Configuring the IKEv2 DPD feature ·······································································································388

Configuring the IKEv2 NAT keepalive feature························································································389

Configuring IKEv2 address pools···········································································································389

Displaying and maintaining IKEv2··················································································································389

IKEv2 configuration examples ·······················································································································390

IKEv2 with pre-shared key authentication configuration example··························································390

IKEv2 with RSA signature authentication configuration example ··························································393

Troubleshooting IKEv2···································································································································397

IKEv2 negotiation failed because no matching IKEv2 proposals were found········································397

IPsec SA negotiation failed because no matching IPsec transform sets were found ····························398

IPsec tunnel establishment failed···········································································································398

Configuring SSH························································································399

How SSH works·····································································································································399

SSH authentication methods··················································································································400

SSH support for Suite B·························································································································401

Configuring the device as an SSH server······································································································402

SSH server configuration task list··········································································································402

Generating local key pairs······················································································································402

Enabling the Stelnet server····················································································································403

Enabling the SFTP server······················································································································403

Enabling the SCP server························································································································404

Enabling NETCONF over SSH ··············································································································404

Configuring the user lines for SSH login································································································404

Configuring a client's host public key·····································································································405

Configuring an SSH user ·······················································································································406

Configuring the SSH management parameters·····················································································407

Specifying a PKI domain for the SSH server ·························································································408

Specifying the SSH service port·············································································································408

Disconnecting SSH sessions·················································································································409

Configuring the device as an Stelnet client····································································································409

Stelnet client configuration task list········································································································409

Generating local key pairs······················································································································409

Specifying the source IP address for SSH packets················································································410

Establishing a connection to an Stelnet server······················································································410

Deleting server public keys saved in the public key file on the Stelnet client·········································412

Establishing a connection to an Stelnet server based on Suite B··························································413

Configuring the device as an SFTP client······································································································413

SFTP client configuration task list··········································································································413

Generating local key pairs······················································································································414

Specifying the source IP address for SFTP packets··············································································414

Establishing a connection to an SFTP server························································································414

Deleting server public keys saved in the public key file on the SFTP client···········································416

Establishing a connection to an SFTP server based on Suite B····························································417

Working with SFTP directories···············································································································417

Working with SFTP files·························································································································418

Displaying help information····················································································································418

Terminating the connection with the SFTP server·················································································418

Configuring the device as an SCP client········································································································418

SCP client configuration task list············································································································418

Generating local key pairs······················································································································419

Establishing a connection to an SCP server··························································································419

Deleting server public keys saved in the public key file on the SCP client············································421

Establishing a connection to an SCP server based on Suite B······························································422

Specifying algorithms for SSH2 ·····················································································································422

Specifying key exchange algorithms for SSH2······················································································422

Specifying public key algorithms for SSH2 ····························································································423

Specifying encryption algorithms for SSH2····························································································423

Specifying MAC algorithms for SSH2 ····································································································424

Displaying and maintaining SSH····················································································································424

Stelnet configuration examples······················································································································425

Password authentication enabled Stelnet server configuration example···············································425

Publickey authentication enabled Stelnet server configuration example···············································427

Password authentication enabled Stelnet client configuration example ················································433

Publickey authentication enabled Stelnet client configuration example·················································436

Stelnet configuration example based on 128-bit Suite B algorithms······················································438

SFTP configuration examples························································································································442

Password authentication enabled SFTP server configuration example·················································442

Publickey authentication enabled SFTP client configuration example···················································445

SFTP configuration example based on 192-bit Suite B algorithms························································448

SCP configuration examples··························································································································452

SCP configuration example with password authentication ····································································452

SCP configuration example based on Suite B algorithms······································································454

NETCONF over SSH configuration example with password authentication··················································460

Network requirements····························································································································460

Configuration procedure·························································································································461

Verifying the configuration······················································································································462

Configuring SSL ························································································463

SSL security services·····························································································································463

SSL protocol stack·································································································································463

SSL configuration task list······························································································································464

Configuring an SSL server policy···················································································································464

Configuring an SSL client policy ····················································································································467

Displaying and maintaining SSL ····················································································································469

SSL server policy configuration example·······································································································469

Configuring attack detection and prevention··············································472

Attacks that the device can prevent···············································································································472

Single-packet attacks·····························································································································472

Scanning attacks····································································································································473

Flood attacks··········································································································································474

TCP fragment attack······························································································································475

Login DoS attack····································································································································475

Login dictionary attack ···························································································································475

Blacklist feature··············································································································································475

IP blacklist··············································································································································475

User blacklist··········································································································································476

Attack detection and prevention configuration task list··················································································476

Configuring an attack defense policy·············································································································476

Creating an attack defense policy··········································································································476

Configuring a single-packet attack defense policy·················································································477

Configuring a scanning attack defense policy························································································479

Configuring a flood attack defense policy ······························································································479

Configuring attack detection exemption·································································································484

Applying an attack defense policy to an interface··················································································484

Applying an attack defense policy to the device ····················································································485

Enabling log non-aggregation for single-packet attack events·······························································485

Configuring TCP fragment attack prevention·································································································485

Configuring the IP blacklist feature ················································································································486

Configuring the user blacklist feature·············································································································486

Configuring login attack prevention················································································································487

Enabling the login delay·································································································································487

Displaying and maintaining attack detection and prevention·········································································488

Attack detection and prevention configuration examples···············································································490

Interface-based attack detection and prevention configuration example···············································490

IP blacklist configuration example··········································································································493

User blacklist configuration example······································································································494

Configuring TCP attack prevention····························································496

Configuring Naptha attack prevention············································································································496

Configuring IP source guard······································································497

Static IPSG bindings······························································································································497

Dynamic IPSG bindings·························································································································498

Configuration restrictions and guidelines·······································································································498

IPSG configuration task list····························································································································499

Configuring the IPv4SG feature·····················································································································499

Enabling IPv4SG on an interface···········································································································499

Configuring a static IPv4SG binding ······································································································500

Excluding IPv4 packets from IPSG filtering····························································································500

Configuring the IPv6SG feature·····················································································································501

Enabling IPv6SG on an interface···········································································································501

Configuring a static IPv6SG binding ······································································································501

Displaying and maintaining IPSG···················································································································502

IPSG configuration examples ························································································································503

Static IPv4SG configuration example·····································································································503

Dynamic IPv4SG using DHCP snooping configuration example···························································504

Dynamic IPv4SG using DHCP relay agent configuration example························································505

Static IPv6SG configuration example·····································································································506

Dynamic IPv6SG using DHCPv6 snooping configuration example ·······················································507

Dynamic IPv6SG using DHCPv6 relay agent configuration example····················································508

Configuring ARP attack protection·····························································510

ARP attack protection configuration task list··································································································510

Configuring unresolvable IP attack protection ·······························································································510

Configuring ARP source suppression····································································································511

Configuring ARP blackhole routing········································································································511

Displaying and maintaining unresolvable IP attack protection·······························································511

Configuration example···························································································································511

Configuring ARP packet rate limit··················································································································512

Configuration guidelines·························································································································512

Configuration procedure·························································································································513

Configuring source MAC-based ARP attack detection ··················································································514

Configuration procedure·························································································································514

Displaying and maintaining source MAC-based ARP attack detection··················································514

Configuration example···························································································································515

Configuring ARP packet source MAC consistency check··············································································516

Configuring ARP active acknowledgement····································································································516

xii

Configuring authorized ARP···························································································································517

Configuration procedure·························································································································517

Configuration example (on a DHCP server)···························································································517

Configuration example (on a DHCP relay agent)···················································································518

Configuring ARP attack detection··················································································································519

Configuring user validity check ··············································································································520

Configuring ARP packet validity check ··································································································521

Configuring ARP restricted forwarding···································································································522

Ignoring ingress ports of ARP packets during user validity check ·························································522

Configuring ARP attack detection for a VSI···························································································523

Enabling ARP attack detection logging··································································································524

Displaying and maintaining ARP attack detection··················································································524

User validity check and ARP packet validity check configuration example············································525

Configuring ARP scanning and fixed ARP·····································································································526

Configuration restrictions and guidelines·······························································································526

Configuration procedure·························································································································526

Configuring ARP gateway protection·············································································································527

Configuration guidelines·························································································································527

Configuration procedure·························································································································527

Configuration example···························································································································527

Configuring ARP filtering································································································································528

Configuration guidelines·························································································································528

Configuration procedure·························································································································528

Configuration example···························································································································529

Configuring ARP sender IP address checking·······························································································530

Configuring ND attack defense··································································531

ND attack defense configuration task list·······································································································531

Enabling source MAC consistency check for ND messages ·········································································531

Configuring ND attack detection ····················································································································532

About ND attack detection ·····················································································································532

Configuration guidelines·························································································································532

Configuration procedure·························································································································533

Displaying and maintaining ND attack detection····················································································533

ND attack detection configuration example····························································································533

Configuring RA guard·····································································································································535

About RA guard······································································································································535

Specifying the role of the attached device ·····························································································535

Configuring an RA guard policy ·············································································································536

Enabling the RA guard logging feature··································································································536

Displaying and maintaining RA guard····································································································537

RA guard configuration example············································································································537

Configuring uRPF······················································································540

uRPF check modes································································································································540

Cooperation with default route···············································································································540

uRPF operation······································································································································541

Network application································································································································542

Enabling uRPF···············································································································································543

Displaying and maintaining uRPF··················································································································543

uRPF configuration example··························································································································543

Configuring IPv6 uRPF··············································································545

IPv6 uRPF check modes························································································································545

Cooperation with default route···············································································································545

IPv6 uRPF operation······························································································································546

Network application································································································································547

Enabling IPv6 uRPF·······································································································································548

Displaying and maintaining IPv6 uRPF··········································································································548

xiii

IPv6 uRPF configuration example ·················································································································548

Configuring MFF························································································550

Basic concepts·······································································································································551

MFF operation mode······························································································································551

MFF working mechanism·······················································································································552

Protocols and standards ························································································································552

Enabling MFF·········································································································································552

Configuring a network port·····················································································································552

Enabling periodic gateway probe···········································································································553

Specifying the IP addresses of servers··································································································553

Displaying and maintaining MFF····················································································································553

MFF configuration examples··························································································································554

Manual-mode MFF configuration example in a tree network·································································554

Manual-mode MFF configuration example in a ring network·································································555

Configuring FIPS ·······················································································557

Configuration restrictions and guidelines·······································································································557

Configuring FIPS mode··································································································································558

Entering FIPS mode·······························································································································558

Configuration changes in FIPS mode ····································································································559

Exiting FIPS mode ·································································································································560

FIPS self-tests················································································································································560

Power-up self-tests ································································································································561

Conditional self-tests······························································································································561

Triggering self-tests································································································································562

Displaying and maintaining FIPS···················································································································562

FIPS configuration examples·························································································································562

Entering FIPS mode through automatic reboot······················································································562

Entering FIPS mode through manual reboot··························································································563

Exiting FIPS mode through automatic reboot ························································································565

Exiting FIPS mode through manual reboot····························································································565

Configuring MACsec··················································································567

Basic concepts·······································································································································567

MACsec services ···································································································································567

MACsec applications······························································································································568

MACsec operating mechanism··············································································································568

Protocols and standards ························································································································570

Feature and hardware compatibility···············································································································570

General restrictions and guidelines················································································································570

MACsec configuration task list·······················································································································571

Enabling MKA ················································································································································571

Enabling MACsec desire································································································································572

Configuring a preshared key··························································································································572

Configuring the MKA key server priority ········································································································573

Configuring MACsec protection parameters in interface view ·······································································573

Configuring the MACsec confidentiality offset························································································573

Configuring MACsec replay protection···································································································574

Configuring the MACsec validation mode······························································································574

Configuring MACsec protection parameters by MKA policy ··········································································575

Configuring an MKA policy·····················································································································575

Applying an MKA policy ·························································································································575

Enabling MKA session logging·······················································································································576

Configuration restrictions and guidelines·······························································································576

Configuration procedure·························································································································576

Displaying and maintaining MACsec··············································································································576

xiv

MACsec configuration examples····················································································································577

Client-oriented MACsec configuration example (host as client)·····························································577

Client-oriented MACsec configuration example (device as client)·························································579

Device-oriented MACsec configuration example···················································································583

Troubleshooting MACsec·······························································································································586

Cannot establish MKA sessions between MACsec devices··································································586

Configuring 802.1X client···········································································588

802.1X client configuration task list················································································································588

Enabling the 802.1X client feature·················································································································588

Configuring an 802.1X client username and password ·················································································589

Configuring an 802.1X client MAC address···································································································589

Specifying an 802.1X client EAP authentication method···············································································590

Configuring an 802.1X client anonymous identifier························································································590

Specifying an SSL client policy······················································································································591

Displaying and maintaining 802.1X client ······································································································591

Configuring Web authentication·································································592

Web authentication types·······················································································································592

Advantages of Web authentication ········································································································592

Web authentication system····················································································································592

Web authentication process···················································································································593

Web authentication support for VLAN assignment ················································································593

Web authentication support for authorization ACLs···············································································594

Web authentication task list ···························································································································594

Configuring the Web authentication server····································································································595

Enabling Web authentication ·························································································································596

Specifying a Web authentication domain·······································································································596

Setting the redirection wait time·····················································································································596

Configuring a Web authentication-free subnet·······························································································597

Setting the maximum number of Web authentication users ··········································································597

Configuring online Web authentication user detection···················································································597

Configuring an Auth-Fail VLAN······················································································································598

Configuring Web authentication to support Web proxy··················································································598

Displaying and maintaining Web authentication····························································································599

Web authentication configuration examples··································································································599

Web authentication using the local authentication server······································································599

Web authentication using the RADIUS authentication server································································601

Troubleshooting Web authentication ·············································································································603

Failure to come line (Web authentication configuration correct)····························································603

Failure to come online (local authentication interface using the default ISP domain)····························604

Failure to come line (VLAN configured on interface) ·············································································604

Configuring triple authentication ································································605

Triple authentication mechanism ···········································································································605

Extended triple authentication features··································································································606

Configuration restrictions and guidelines·······································································································607

Configuring triple authentication ····················································································································607

Triple authentication configuration examples·································································································607

Triple authentication basic function configuration example····································································607

Triple authentication supporting authorization VLAN and authentication failure VLAN configuration

example··················································································································································611

Document conventions and icons······························································617

Conventions···················································································································································617

Network topology icons··································································································································618

Support and other resources ·····································································619

Accessing Hewlett Packard Enterprise Support·····························································································619

Accessing updates·········································································································································619

Websites ················································································································································620

Customer self repair·······························································································································620

Remote support······································································································································620

Documentation feedback ·······················································································································620

Index··········································································································622

Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. This feature specifies the following security functions:

•

Authentication—Identifies users and verifies their validity.

•

Authorization—Grants different users different rights, and controls the users' access to

resources and services. For example, you can permit office users to read and print files and

prevent guests from accessing files on the device.

•

Accounting—Records network usage details of users, including the service type, start time,

and traffic. This function enables time-based and traffic-based charging and user behavior

auditing.

AAA uses a client/server model. The client runs on the access device, or the network access server

(NAS), which authenticates user identities and controls user access. The server maintains user

information centrally. See Figure 1.

Figure 1 AAA network diagram

To access networks or resources beyond the NAS, a user sends its identity information to the NAS.

The NAS transparently passes the user information to AAAservers and waits for the authentication,

authorization, and accounting result. Based on the result, the NAS determines whether to permit or

deny the access request.

AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most

often used.

The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different

servers to implement different security functions. For example, you can use the HWTACACS server

for authentication and authorization, and use the RADIUS server for accounting.

You can choose the security functions provided by AAA as needed. For example, if your company

wants employees to be authenticated before they access specific resources, you would deploy an

authentication server. If network usage information is needed, you would also configure an

accounting server.

The device performs dynamic password authentication.

Remote user NAS RADIUS server

HWTACACS server

Internet

Network

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction

protocol that uses a client/server model. The protocol can protect networks against unauthorized

access and is often used in network environments that require both high security and remote user

access.

The RADIUS authorization process is combined with the RADIUS authentication process, and user

authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812

for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access, and has been extended to support

additional access methods, such as Ethernet and ADSL.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

The RADIUS server runs on the computer or workstation at the network center and maintains

information related to user authentication and network service access.

The RADIUS server operates using the following process:

1. Receives authentication, authorization, and accounting requests from RADIUS clients.

2. Performs user authentication, authorization, or accounting.

3. Returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

The RADIUS server can also act as the client of another RADIUS server to provide authentication

proxy services.

The RADIUS server maintains the following databases:

•

Users—Stores user information, such as the usernames, passwords, applied protocols, and IP

addresses.

•

Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•

Dictionary—Stores RADIUS protocol attributes and their values.

Figure 2 RADIUS server databases

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys,

which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called

Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,

and some other information. The receiver of the packet verifies the signature and accepts the packet

only when the signature is correct. This mechanism ensures the security of information exchanged

between the RADIUS client and server.

The shared keys are also used to encrypt user passwords that are included in RADIUS packets.

User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.

RADIUS servers

Users Clients Dictionary

Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS uses in the following workflow:

1. The host sends a connection request that includes the user's username and password to the

RADIUS client.

2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.

The request includes the user's password, which has been processed by the MD5 algorithm

and shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds,

the server sends back an Access-Accept packet that contains the user's authorization

information. If the authentication fails, the server returns an Access-Reject packet.

4. The RADIUS client permits or denies the user according to the authentication result. If the result

permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)

packet to the RADIUS server.

5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection.

8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the

RADIUS server.

9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting

for the user.

10. The RADIUS client notifies the user of the termination.

RADIUS packet format

RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure

smooth packet exchange between the RADIUS server and the client. These mechanisms include the

timer mechanism, the retransmission mechanism, and the backup server mechanism.

RADIUS client RADIUS server

1) Username and password

3) Access-Accept/Reject

2) Access-Request

4) Accounting-Request (start)

5) Accounting-Response

8) Accounting-Request (stop)

9) Accounting-Response

10) Notification of termination

Host

6) The host access the resources

7) Teardown request

Other manuals for FlexNetwork 10500 SERIES

Table of contents

Other HPE Switch manuals

HPE

HPE OfficeConnect 1850 Series User manual

HPE

HPE FlexFabric 7900 Series Installation manual

HPE

HPE 6Gb SAS BL User manual

HPE

HPE 8325 Series Owner's manual

HPE

HPE FlexNetwork 10500 SERIES User manual

HPE

HPE FlexFabric 5940 SERIES User manual

HPE

HPE FlexNetwork 5510 HI Series User manual

HPE

HPE Aruba Instant On 1830 24G 2SFP 195W 12p... Assembly instructions

HPE

HPE OfficeConnect 1920S Series User manual

HPE

HPE FlexFabric 7900 Series Installation manual

HPE

HPE Aruba 6200F Assembly instructions

HPE

HPE FlexFabric 12900 Installation manual

HPE

HPE Aruba 6200F Assembly instructions

HPE

HPE FlexNetwork 10500 SERIES Installation manual

HPE

HPE FlexNetwork 10500 SERIES User manual

HPE

HPE FlexFabric 5930 Series Installation manual

HPE

HPE OfficeConnect 1950 Series User manual

HPE

HPE OfficeConnect 1420 Series User manual

HPE

HPE FlexFabric 7900 Series User manual

HPE

HPE Aruba 6200F Owner's manual

HPE

HPE Aruba 6300M Assembly instructions

HPE

HPE FlexNetwork 10500 SERIES User manual

HPE

HPE FlexNetwork 5510 HI Series User manual

HPE

HPE OfficeConnect 1950 12XGT 4SFP+ User manual

Popular Switch manuals by other brands

Edimax

Edimax EK-082C Specifications

GE GEH-4763 installation instructions

Projoy Electric

Projoy Electric PEDH Series user manual

Lutron Electronics

Lutron Electronics Stanza SZ-1SD installation instructions

Leader

Leader LVB440 user manual

steute

steute Ex ZS 80-3G Mounting and wiring instructions

Parasound

Parasound Zhd owner's guide

Eaton

Eaton GHG 273 operating instructions

DeviceWell

DeviceWell HDS6112 user manual

LevelOne

LevelOne IGP-1061 Quick installation guide

Equinox Systems

Equinox Systems ESP-2 MI Installation and user guide

MikroTik

MikroTik RB2011iL-IN manual

Dell

Dell PowerEdge KVM 1081AD user guide

Vantage Controls

Vantage Controls MPER-2 Installation

logika

logika WL-ZCSENPB-S0410-01 product manual

Aluratek

Aluratek AUS0202 product reference card

OfficeSource

OfficeSource OSF9500 Assembly instructions

HP HP 5120 series Configuration guide