HPE FlexNetwork 5510 HI Series User manual
HPE FlexNetwork 5510 HI Switch Series
Security Configuration Guide
P
art number: 5200-0019b
Software
version: Release 11xx
Document version: 6W102-20171020
© Copyright 2015, 2017 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® andAcrobat® are trademarks ofAdobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring AAA ··············································································1
Overview··································································································································1
RADIUS ····························································································································2
HWTACACS ······················································································································6
LDAP································································································································9
AAA implementation on the device························································································11
AAA for MPLS L3VPNs ······································································································13
Protocols and standards ·····································································································13
RADIUS attributes············································································································· 14
FIPS compliance······················································································································16
AAA configuration considerations and task list ··············································································· 17
Configuring AAA schemes ········································································································· 18
Configuring local users·······································································································18
Configuring RADIUS schemes ·····························································································22
Configuring HWTACACS schemes························································································33
Configuring LDAP schemes·································································································40
Configuring AAA methods for ISP domains····················································································43
Configuration prerequisites··································································································43
Creating an ISP domain······································································································43
Configuring ISP domain attributes·························································································44
Configuring authentication methods for an ISP domain······························································44
Configuring authorization methods for an ISP domain ·······························································45
Configuring accounting methods for an ISP domain··································································47
Enabling the session-control feature ····························································································48
Setting the maximum number of concurrent login users····································································48
Configuring a NAS-ID profile ······································································································ 48
Displaying and maintaining AAA·································································································· 49
AAA configuration examples······································································································· 49
AAA for SSH users by an HWTACACS server·········································································49
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users·················50
Authentication and authorization for SSH users by a RADIUS server············································52
Authentication for SSH users by an LDAP server ·····································································56
Troubleshooting RADIUS···········································································································61
RADIUS authentication failure······························································································ 61
RADIUS packet delivery failure ····························································································61
RADIUS accounting error···································································································· 62
Troubleshooting HWTACACS····································································································· 62
Troubleshooting LDAP··············································································································62
LDAP authentication failure ·································································································62
802.1X overview ············································································64
802.1X architecture ·················································································································· 64
Controlled/uncontrolled port and port authorization status·································································64
802.1X-related protocols············································································································65
Packet formats·················································································································· 65
EAP over RADIUS·············································································································66
802.1X authentication initiation ··································································································· 67
802.1X client as the initiator································································································· 67
Access device as the initiator·······························································································67
802.1X authentication procedures ·······························································································68
Comparing EAP relay and EAP termination·············································································68
EAP relay ························································································································69
EAP termination················································································································ 70
Configuring 802.1X·········································································72
Access control methods ············································································································ 72
802.1X VLAN manipulation ········································································································72
ii
Authorization VLAN ··········································································································· 72
Guest VLAN····················································································································· 74
Auth-Fail VLAN·················································································································75
Critical VLAN···················································································································· 76
Critical voice VLAN············································································································78
Using 802.1X authentication with other features ·············································································79
ACL assignment················································································································ 79
User profile assignment······································································································79
EAD assistant··················································································································· 79
Configuration prerequisites ········································································································80
802.1X configuration task list······································································································ 80
Enabling 802.1X ······················································································································ 80
Enabling EAP relay or EAP termination ························································································81
Setting the port authorization state······························································································· 82
Specifying an access control method ···························································································82
Setting the maximum number of concurrent 802.1X users on a port····················································82
Setting the maximum number of authentication request attempts ·······················································83
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users·················83
Setting the 802.1X authentication timeout timers ············································································83
Configuring the online user handshake feature···············································································84
Configuration guidelines ····································································································· 84
Configuration procedure ····································································································· 85
Configuring the authentication trigger feature·················································································85
Configuration guidelines ····································································································· 85
Configuration procedure ····································································································· 85
Specifying a mandatory authentication domain on a port ··································································86
Configuring the quiet timer·········································································································86
Enabling the periodic online user reauthentication feature·································································87
Configuring an 802.1X guest VLAN······························································································87
Configuration guidelines ····································································································· 87
Configuration prerequisites··································································································88
Configuration procedure ····································································································· 88
Enabling 802.1X guest VLAN assignment delay ·············································································88
Configuring an 802.1X Auth-Fail VLAN·························································································89
Configuration guidelines ····································································································· 89
Configuration prerequisites··································································································90
Configuration procedure ····································································································· 90
Configuring an 802.1X critical VLAN ····························································································90
Configuration guidelines ····································································································· 90
Configuration prerequisites··································································································90
Configuring the 802.1X critical VLAN on a port ········································································91
Sending EAP-Success packets to users in the 802.1X critical VLAN ············································91
Enabling the 802.1X critical voice VLAN ·······················································································91
Configuration restrictions and guidelines ················································································91
Configuration prerequisites··································································································92
Configuration procedure ····································································································· 92
Specifying supported domain name delimiters················································································92
Configuring the EAD assistant feature·························································································· 93
Displaying and maintaining 802.1X······························································································ 93
802.1X authentication configuration examples················································································94
Basic 802.1X authentication configuration example ··································································94
802.1X guest VLAN and authorization VLAN configuration example·············································96
802.1X with ACL assignment configuration example·································································98
802.1X with EAD assistant configuration example ·································································· 100
Troubleshooting 802.1X ·········································································································· 102
EAD assistant for Web browser users·················································································· 102
Configuring MAC authentication······················································ 103
Overview······························································································································ 103
User account policies······································································································· 103
Authentication methods ···································································································· 103
VLAN assignment············································································································ 104
iii
ACL assignment·············································································································· 105
User profile assignment···································································································· 106
Periodic MAC reauthentication ··························································································· 106
Configuration prerequisites ······································································································ 106
Configuration task list·············································································································· 107
Enabling MAC authentication···································································································· 107
Specifying a MAC authentication domain ···················································································· 108
Configuring the user account format··························································································· 108
Configuring MAC authentication timers······················································································· 108
Setting the maximum number of concurrent MAC authentication users on a port ································· 109
Enabling MAC authentication multi-VLAN mode on a port······························································· 109
Configuring MAC authentication delay························································································ 110
Enabling parallel processing of MAC authentication and 802.1X authentication··································· 110
Configuration restrictions and guidelines ·············································································· 111
Configuration procedure ··································································································· 111
Configuring a MAC authentication guest VLAN············································································· 111
Configuring a MAC authentication critical VLAN ··········································································· 112
Enabling the MAC authentication critical voice VLAN····································································· 113
Configuration prerequisites································································································ 113
Configuration procedure ··································································································· 114
Configuring the keep-online feature ··························································································· 114
Enabling MAC authentication offline detection·············································································· 114
Displaying and maintaining MAC authentication ··········································································· 115
MAC authentication configuration examples ················································································ 115
Local MAC authentication configuration example ··································································· 115
RADIUS-based MAC authentication configuration example ······················································ 117
ACL assignment configuration example ··············································································· 119
Configuring portal authentication ····················································· 123
Overview······························································································································ 123
Extended portal functions·································································································· 123
Portal system components ································································································ 123
Portal system using the local portal Web server····································································· 125
Interaction between portal system components······································································ 125
Portal authentication modes ······························································································ 126
Portal authentication process····························································································· 127
Portal configuration task list······································································································ 129
Configuration prerequisites ······································································································ 129
Configuring a portal authentication server ··················································································· 130
Configuring a portal Web server································································································ 130
Enabling portal authentication on an interface·············································································· 131
Configuration restrictions and guidelines ·············································································· 131
Configuration procedure ··································································································· 131
Referencing a portal Web server for an interface ·········································································· 132
Controlling portal user access··································································································· 132
Configuring a portal-free rule ····························································································· 132
Configuring an authentication source subnet········································································· 133
Configuring an authentication destination subnet···································································· 134
Setting the maximum number of portal users········································································· 135
Specifying a portal authentication domain············································································· 135
Configuring portal detection features·························································································· 136
Configuring online detection of portal users··········································································· 136
Configuring portal authentication server detection ·································································· 137
Configuring portal Web server detection··············································································· 138
Configuring portal user synchronization················································································ 138
Configuring the portal fail-permit feature ····················································································· 139
Configuring BAS-IP for portal packets sent to the portal authentication server····································· 140
Applying a NAS-ID profile to an interface ···················································································· 141
Enabling portal roaming··········································································································· 141
Logging out portal users·········································································································· 142
Configuring the local portal Web server feature ············································································ 142
Customizing authentication pages······················································································· 142
iv
Configuring a local portal Web server ·················································································· 144
Displaying and maintaining portal······························································································ 145
Portal configuration examples··································································································· 145
Configuring direct portal authentication ················································································ 145
Configuring re-DHCP portal authentication············································································ 153
Configuring cross-subnet portal authentication······································································· 156
Configuring extended direct portal authentication ··································································· 159
Configuring extended re-DHCP portal authentication ······························································ 162
Configuring extended cross-subnet portal authentication ························································· 166
Configuring portal server detection and portal user synchronization ··········································· 169
Configuring cross-subnet portal authentication for MPLS L3VPNs ············································· 177
Configuring direct portal authentication using local portal Web server········································· 179
Troubleshooting portal ············································································································ 182
No portal authentication page is pushed for users ·································································· 182
Cannot log out portal users on the access device··································································· 182
Cannot log out portal users on the RADIUS server ································································· 183
Users logged out by the access device still exist on the portal authentication server ······················ 183
Re-DHCP portal authenticated users cannot log in successfully ················································ 184
Configuring port security································································ 185
Overview······························································································································ 185
Port security features ······································································································· 185
Port security modes········································································································· 185
Configuration task list·············································································································· 188
Enabling port security ············································································································· 188
Setting port security's limit on the number of secure MAC addresses on a port···································· 189
Setting the port security mode ·································································································· 189
Configuring port security features······························································································ 190
Configuring NTK ············································································································· 190
Configuring intrusion protection ·························································································· 191
Configuring secure MAC addresses··························································································· 191
Configuration prerequisites································································································ 192
Configuration procedure ··································································································· 192
Ignoring authorization information from the server········································································· 193
Enabling MAC move··············································································································· 193
Applying a NAS-ID profile to port security···················································································· 194
Enabling the authorization-fail-offline feature················································································ 194
Enabling SNMP notifications for port security··············································································· 195
Displaying and maintaining port security ····················································································· 195
Port security configuration examples·························································································· 196
autoLearn configuration example························································································ 196
userLoginWithOUI configuration example············································································· 198
macAddressElseUserLoginSecure configuration example························································ 201
Troubleshooting port security···································································································· 204
Cannot set the port security mode······················································································· 204
Cannot configure secure MAC addresses············································································· 205
Configuring password control·························································· 206
Overview······························································································································ 206
Password setting············································································································· 206
Password updating and expiration ······················································································ 207
User login control ············································································································ 208
Password not displayed in any form ···················································································· 208
Logging························································································································· 208
FIPS compliance···················································································································· 209
Password control configuration task list ······················································································ 209
Enabling password control······································································································· 209
Setting global password control parameters················································································· 210
Setting user group password control parameters ·········································································· 211
Setting local user password control parameters············································································ 212
Setting super password control parameters················································································· 212
Displaying and maintaining password control··············································································· 213
v
Password control configuration example····················································································· 213
Network requirements ······································································································ 213
Configuration procedure ··································································································· 214
Verifying the configuration································································································· 215
Managing public keys···································································· 217
Overview······························································································································ 217
FIPS compliance···················································································································· 217
Creating a local key pair·········································································································· 217
Distributing a local host public key····························································································· 219
Exporting a host public key································································································ 219
Displaying a host public key······························································································· 219
Destroying a local key pair······································································································· 220
Configuring a peer host public key····························································································· 220
Importing a peer host public key from a public key file····························································· 220
Entering a peer host public key ·························································································· 221
Displaying and maintaining public keys······················································································· 221
Examples of public key management ························································································· 221
Example for entering a peer host public key·········································································· 221
Example for importing a public key from a public key file·························································· 223
Configuring PKI ··········································································· 226
Overview······························································································································ 226
PKI terminology ·············································································································· 226
PKI architecture ·············································································································· 227
PKI operation ················································································································· 227
PKI applications·············································································································· 228
Support for MPLS L3VPN ································································································· 228
FIPS compliance···················································································································· 229
PKI configuration task list········································································································· 229
Configuring a PKI entity··········································································································· 229
Configuring a PKI domain········································································································ 230
Requesting a certificate··········································································································· 232
Configuration guidelines ··································································································· 232
Configuring automatic certificate request·············································································· 233
Manually requesting a certificate························································································· 233
Aborting a certificate request···································································································· 234
Obtaining certificates ·············································································································· 234
Configuration prerequisites································································································ 234
Configuration guidelines ··································································································· 234
Configuration procedure ··································································································· 235
Verifying PKI certificates·········································································································· 235
Verifying certificates with CRL checking ··············································································· 235
Verifying certificates without CRL checking··········································································· 236
Specifying the storage path for the certificates and CRLs ······························································· 236
Exporting certificates ·············································································································· 237
Removing a certificate············································································································· 237
Configuring a certificate-based access control policy ····································································· 238
Displaying and maintaining PKI································································································· 239
PKI configuration examples······································································································ 239
Requesting a certificate from an RSA Keon CA server ···························································· 239
Requesting a certificate from a Windows Server 2003 CA server··············································· 242
Requesting a certificate from an OpenCA server···································································· 245
Certificate import and export configuration example································································ 248
Troubleshooting PKI configuration····························································································· 253
Failed to obtain the CA certificate ······················································································· 254
Failed to obtain local certificates························································································· 254
Failed to request local certificates ······················································································· 255
Failed to obtain CRLs······································································································· 255
Failed to import the CA certificate ······················································································· 256
Failed to import a local certificate························································································ 257
Failed to export certificates································································································ 257
vi
Failed to set the storage path····························································································· 258
Configuring IPsec········································································· 259
Overview······························································································································ 259
Security protocols and encapsulation modes········································································· 260
Security association········································································································· 261
Authentication and encryption ···························································································· 262
IPsec implementation······································································································· 262
Protocols and standards ··································································································· 263
FIPS compliance···················································································································· 263
IPsec tunnel establishment ······································································································ 263
Implementing ACL-based IPsec································································································ 264
Feature restrictions and guidelines······················································································ 264
ACL-based IPsec configuration task list················································································ 264
Configuring an ACL ········································································································· 265
Configuring an IPsec transform set ····················································································· 265
Configuring a manual IPsec policy ······················································································ 267
Configuring an IKE-based IPsec policy················································································· 269
Applying an IPsec policy to an interface ··············································································· 273
Enabling ACL checking for de-encapsulated packets ······························································ 273
Configuring IPsec anti-replay ····························································································· 274
Configuring IPsec anti-replay redundancy············································································· 274
Binding a source interface to an IPsec policy········································································· 275
Enabling QoS pre-classify ································································································· 276
Enabling logging of IPsec packets······················································································· 276
Configuring the DF bit of IPsec packets················································································ 276
Configuring IPsec for IPv6 routing protocols ················································································ 277
Configuration task list······································································································· 277
Configuring a manual IPsec profile······················································································ 278
Configuring SNMP notifications for IPsec ···················································································· 279
Displaying and maintaining IPsec······························································································ 280
IPsec configuration examples··································································································· 280
Configuring a manual mode IPsec tunnel for IPv4 packets ······················································· 280
Configuring an IKE-based IPsec tunnel for IPv4 packets·························································· 283
Configuring IPsec for RIPng ······························································································ 285
Configuring IKE ··········································································· 290
Overview······························································································································ 290
IKE negotiation process···································································································· 290
IKE security mechanism ··································································································· 291
Protocols and standards ··································································································· 292
FIPS compliance···················································································································· 292
IKE configuration prerequisites ································································································· 292
IKE configuration task list········································································································· 292
Configuring an IKE profile········································································································ 293
Configuring an IKE proposal····································································································· 295
Configuring an IKE keychain ···································································································· 296
Configuring the global identity information··················································································· 297
Configuring the IKE keepalive feature························································································· 298
Configuring the IKE NAT keepalive feature·················································································· 298
Configuring IKE DPD·············································································································· 298
Enabling invalid SPI recovery ··································································································· 299
Setting the maximum number of IKE SAs···················································································· 300
Configuring SNMP notifications for IKE······················································································· 300
Displaying and maintaining IKE································································································· 301
IKE configuration examples······································································································ 301
Main mode IKE with pre-shared key authentication configuration example··································· 301
Verifying the configuration································································································· 304
Troubleshooting IKE··············································································································· 304
IKE negotiation failed because no matching IKE proposals were found······································· 304
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·············· 304
IPsec SA negotiation failed because no matching IPsec transform sets were found······················· 305
vii
IPsec SA negotiation failed due to invalid identity information ··················································· 305
Configuring IKEv2 ········································································ 309
Overview······························································································································ 309
IKEv2 negotiation process································································································· 309
New features in IKEv2······································································································ 310
Protocols and standards ··································································································· 310
Feature and software version compatibility·················································································· 310
IKEv2 configuration task list ····································································································· 311
Configuring an IKEv2 profile····································································································· 311
Configuring an IKEv2 policy ····································································································· 314
Configuring an IKEv2 proposal·································································································· 314
Configuring an IKEv2 keychain ································································································· 316
Configure global IKEv2 parameters···························································································· 317
Enabling the cookie challenging feature ··············································································· 317
Configuring the IKEv2 DPD feature ····················································································· 317
Configuring the IKEv2 NAT keepalive feature········································································ 317
Displaying and maintaining IKEv2······························································································ 318
IKEv2 configuration examples··································································································· 318
IKEv2 with pre-shared key authentication configuration example ··············································· 318
IKEv2 with RSA signature authentication configuration example················································ 321
Troubleshooting IKEv2············································································································ 326
IKEv2 negotiation failed because no matching IKEv2 proposals were found································· 326
IPsec SA negotiation failed because no matching IPsec transform sets were found······················· 326
IPsec tunnel establishment failed························································································ 326
Configuring SSH·········································································· 328
Overview······························································································································ 328
How SSH works·············································································································· 328
SSH authentication methods······························································································ 329
SSH support for Suite B···································································································· 330
Feature and software version compatibility·················································································· 331
FIPS compliance···················································································································· 331
Configuring the device as an SSH server···················································································· 331
SSH server configuration task list ······················································································· 331
Generating local key pairs································································································· 332
Enabling the Stelnet server································································································ 332
Enabling the SFTP server ································································································· 333
Enabling the SCP server··································································································· 333
Configuring NETCONF over SSH ······················································································· 333
Configuring user lines for SSH login ···················································································· 334
Configuring a client's host public key ··················································································· 334
Configuring an SSH user ·································································································· 335
Configuring the SSH management parameters······································································ 336
Specifying a PKI domain for the SSH server·········································································· 337
Configuring the device as an Stelnet client ·················································································· 338
Stelnet client configuration task list······················································································ 338
Specifying the source IP address for SSH packets ································································· 338
Establishing a connection to an Stelnet server······································································· 339
Establishing a connection to an Stelnet server based on Suite B ··············································· 342
Configuring the device as an SFTP client···················································································· 342
SFTP client configuration task list ······················································································· 342
Specifying the source IP address for SFTP packets································································ 342
Establishing a connection to an SFTP server········································································· 343
Establishing a connection to an SFTP server based on Suite B················································· 346
Working with SFTP directories ··························································································· 347
Working with SFTP files···································································································· 347
Displaying help information································································································ 347
Terminating the connection with the SFTP server··································································· 348
Configuring the device as an SCP client ····················································································· 348
Establishing a connection to an SCP server·········································································· 348
Establishing a connection to an SCP server based on Suite B ·················································· 351
viii
Specifying algorithms for SSH2································································································· 351
Specifying key exchange algorithms for SSH2······································································· 352
Specifying public key algorithms for SSH2············································································ 352
Specifying encryption algorithms for SSH2············································································ 352
Specifying MAC algorithms for SSH2··················································································· 353
Displaying and maintaining SSH ······························································································· 353
Stelnet configuration examples ································································································· 353
Password authentication enabled Stelnet server configuration example ······································ 354
Publickey authentication enabled Stelnet server configuration example······································· 356
Password authentication enabled Stelnet client configuration example ······································· 362
Publickey authentication enabled Stelnet client configuration example········································ 365
Stelnet configuration example based on 128-bit Suite B algorithms············································ 367
SFTP configuration examples··································································································· 371
Password authentication enabled SFTP server configuration example········································ 372
Publickey authentication enabled SFTP client configuration example ········································· 374
SFTP configuration example based on 192-bit Suite B algorithms·············································· 377
SCP configuration examples ···································································································· 381
SCP file transfer with password authentication······································································· 381
SCP configuration example based on Suite B algorithms························································· 383
NETCONF over SSH configuration example with password authentication········································· 390
Network requirements ······································································································ 390
Configuration procedure ··································································································· 391
Verifying the configuration································································································· 392
Configuring SSL··········································································· 393
Overview······························································································································ 393
SSL security services······································································································· 393
SSL protocol stack··········································································································· 393
FIPS compliance···················································································································· 394
SSL configuration task list········································································································ 394
Configuring an SSL server policy······························································································· 394
Configuring an SSL client policy································································································ 397
Displaying and maintaining SSL································································································ 399
Configuring IP source guard··························································· 400
Overview······························································································································ 400
Static IPSG bindings········································································································ 400
Dynamic IPSG bindings···································································································· 401
IPSG configuration task list ······································································································ 401
Configuring the IPv4SG feature································································································· 402
Enabling IPv4SG on an interface ························································································ 402
Configuring a static IPv4SG binding ···················································································· 402
Configuring the IPv6SG feature································································································· 403
Enabling IPv6SG on an interface ························································································ 403
Configuring a static IPv6SG binding ···················································································· 404
Displaying and maintaining IPSG ······························································································ 405
IPSG configuration examples ··································································································· 405
Static IPv4SG configuration example··················································································· 405
Dynamic IPv4SG using DHCP snooping configuration example ················································ 406
Dynamic IPv4SG using DHCP relay agent configuration example·············································· 407
Static IPv6SG configuration example··················································································· 408
Dynamic IPv6SG using DHCPv6 snooping configuration example ············································· 409
Configuring ARP attack protection ··················································· 411
ARP attack protection configuration task list ················································································ 411
Configuring unresolvable IP attack protection··············································································· 411
Configuring ARP source suppression··················································································· 412
Configuring ARP blackhole routing······················································································ 412
Displaying and maintaining unresolvable IP attack protection···················································· 412
Configuration example······································································································ 413
Configuring ARP packet rate limit······························································································ 413
Configuration guidelines ··································································································· 414
ix
Configuration procedure ··································································································· 414
Configuring source MAC-based ARP attack detection···································································· 414
Configuration procedure ··································································································· 415
Displaying and maintaining source MAC-based ARP attack detection········································· 415
Configuration example······································································································ 415
Configuring ARP packet source MAC consistency check································································ 416
Configuring ARP active acknowledgement ·················································································· 417
Configuring authorized ARP····································································································· 417
Configuration procedure ··································································································· 417
Configuration example (on a DHCP server)··········································································· 418
Configuration example (on a DHCP relay agent)···································································· 419
Configuring ARP attack detection······························································································ 420
Configuring user validity check··························································································· 420
Configuring ARP packet validity check················································································· 421
Configuring ARP restricted forwarding ················································································· 422
Enabling ARP attack detection logging················································································· 422
Displaying and maintaining ARP attack detection··································································· 423
User validity check and ARP packet validity check configuration example···································· 423
ARP restricted forwarding configuration example ··································································· 424
Configuring ARP scanning and fixed ARP··················································································· 426
Configuration restrictions and guidelines ·············································································· 426
Configuration procedure ··································································································· 427
Configuring ARP gateway protection·························································································· 427
Configuration guidelines ··································································································· 427
Configuration procedure ··································································································· 427
Configuration example······································································································ 428
Configuring ARP filtering ········································································································· 428
Configuration guidelines ··································································································· 428
Configuration procedure ··································································································· 429
Configuration example······································································································ 429
Configuring MFF·········································································· 431
Overview······························································································································ 431
Basic concepts ··············································································································· 432
MFF operation modes ······································································································ 432
MFF working mechanism ·································································································· 433
Protocols and standards ··································································································· 433
Configuring MFF···················································································································· 433
Enabling MFF················································································································· 433
Configuring a network port ································································································ 433
Enabling periodic gateway probe ························································································ 434
Specifying the IP addresses of servers················································································· 434
Displaying and maintaining MFF ······························································································· 434
MFF configuration examples ···································································································· 435
Manual-mode MFF configuration example in a tree network ····················································· 435
Manual-mode MFF configuration example in a ring network ····················································· 436
Configuring uRPF········································································· 438
Overview······························································································································ 438
uRPF check modes ········································································································· 438
uRPF operation··············································································································· 438
Network application ········································································································· 441
Enabling uRPF······················································································································ 441
Displaying and maintaining uRPF······························································································ 441
uRPF configuration example ···································································································· 442
Configuring crypto engines····························································· 443
Overview······························································································································ 443
Displaying and maintaining crypto engines·················································································· 443
Configuring FIPS·········································································· 444
Overview······························································································································ 444
x
Configuration restrictions and guidelines····················································································· 444
Configuring FIPS mode··········································································································· 445
Entering FIPS mode········································································································· 445
Configuration changes in FIPS mode··················································································· 446
Exiting FIPS mode··········································································································· 447
FIPS self-tests······················································································································· 447
Power-up self-tests·········································································································· 448
Conditional self-tests········································································································ 448
Triggering self-tests ········································································································· 449
Displaying and maintaining FIPS······························································································· 449
FIPS configuration examples···································································································· 449
Entering FIPS mode through automatic reboot······································································· 449
Entering FIPS mode through manual reboot·········································································· 450
Exiting FIPS mode through automatic reboot········································································· 452
Exiting FIPS mode through manual reboot············································································ 452
Configuring user profiles································································ 454
Overview······························································································································ 454
Configuration task list·············································································································· 454
Configuration restrictions and guidelines····················································································· 454
Creating a user profile············································································································· 454
Configuring parameters for a user profile ···················································································· 455
Configuring QoS parameters for traffic management······························································· 455
Displaying and maintaining user profiles ····················································································· 455
User profile configuration examples ··························································································· 455
Local 802.1X authentication/authorization with QoS policy configuration example ························· 455
Configuring attack detection and prevention······································· 460
Overview······························································································································ 460
Configuring TCP fragment attack prevention················································································ 460
Configuring MACsec····································································· 461
Overview······························································································································ 461
Basic concepts ··············································································································· 461
MACsec services ············································································································ 461
MACsec applications········································································································ 462
MACsec operating mechanism··························································································· 462
Protocols and standards ··································································································· 464
Compatibility information ········································································································· 464
Feature and hardware compatibility····················································································· 464
Feature and software version compatibility············································································ 464
MACsec configuration task list·································································································· 465
Enabling MKA ······················································································································· 465
Enabling MACsec desire ········································································································· 465
Configuring a preshared key····································································································· 466
Configuring the MKA key server priority······················································································ 466
Configuring MACsec protection parameters in interface view··························································· 467
Configuring the MACsec confidentiality offset········································································ 467
Configuring MACsec replay protection ················································································· 468
Configuring the MACsec validation mode ············································································· 468
Configuring MACsec protection parameters by MKA policy····························································· 468
Configuring an MKA policy ································································································ 468
Applying an MKA policy···································································································· 469
Displaying and maintaining MACsec ·························································································· 469
MACsec configuration examples ······························································································· 470
Client-oriented MACsec configuration example······································································ 470
Device-oriented MACsec configuration example ···································································· 473
Troubleshooting MACsec········································································································· 476
Configuring ND attack defense························································ 477
Overview······························································································································ 477
Feature and software version compatibility·················································································· 477
xi
ND attack defense configuration task list····················································································· 477
Configuring ND attack detection································································································ 478
About ND attack detection································································································· 478
Configuration guidelines ··································································································· 478
Configuration procedure ··································································································· 478
Displaying and maintaining ND attack detection····································································· 479
ND attack detection configuration example ··········································································· 479
Configuring RA guard ············································································································· 481
About RA guard ·············································································································· 481
Specifying the role of the attached device············································································· 481
Configuring and applying an RA guard policy ········································································ 481
Enabling the RA guard logging feature················································································· 482
Displaying and maintaining RA guard ·················································································· 482
RA guard configuration example························································································· 483
Document conventions and icons ···················································· 485
Conventions ························································································································· 485
Network topology icons ··········································································································· 486
Support and other resources ·························································· 487
Accessing Hewlett Packard Enterprise Support ············································································ 487
Accessing updates················································································································· 487
Websites ······················································································································· 488
Customer self repair········································································································· 488
Remote support ·············································································································· 488
Documentation feedback ·································································································· 488
Index························································································· 490
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
•Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAAservers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet andADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
RADIUS servers
Users Clients Dictionary
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
RADIUS client RADIUS server
1) Username and password
3) Access-Accept/Reject
2) Access-Request
4) Accounting-Request (start)
5) Accounting-Response
8) Accounting-Request (stop)
9) Accounting-Response
10) Notification of termination
Host
6) The host access the resources
7) Teardown request
4
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
Cod
e
Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user information
for the server to authenticate the user. It must contain the User-Name
attribute and can optionally contain the attributes of NAS-IP-Address,
User-Password, and NAS-Port.
2 Access-Accept From the server to the client. If all attribute values included
in the
Access-Request are acceptable, the authentication succeeds, and the
server sends an Access-Accept response.
3 Access-Reject From the server to the client. If any attribute value included
in the
Access-Request is unacceptable, the authentication fails, and the server
sends an Access-Reject response.
4 Accounting-Request From the client to the server. A packet of this type includes user information
for the server to start or stop accounting for the user. The Acct-Status-Type
attribute in the packet indicates whether to start or stop accounting.
5 Accounting-Respons
e
From the server to the client. The server sends a packet of this type to notify
the client that it has received the Accounting-Request and has successfully
recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
•The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
Type—Type of the attribute.
Code
Attributes
Identifier
0
7
Length
Authenticator (16bytes)
7 15 31
5
Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
Value—Value of the attribute. Its format and content depend on the Type subfield.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No.
Attribute
No.
Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
6
No.
Attribute
No.
Attribute
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)
allows a vendor to define extended attributes. The extended attributes implement functions that the
standard RADIUS protocol does not provide.
Avendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following
parts:
•Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a
code compliant to RFC 1700.
•Vendor-Type—Type of the subattribute.
•Vendor-Length—Length of the subattribute.
•Vendor-Data—Contents of the subattribute.
The device supports RADIUS subattributes with a vendor ID of 25506. For more information, see
"RADIUS subattributes (vendor ID 25506)."
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server
model for information exchange between the NAS and the HWTACACS server.
Type Length
0
Vendor-ID
7 15 31
Vendor-ID (continued) Vendor-Type Vendor-Length
Vendor-Data
(Specified attribute value……)
23
……
7
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client,
the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After
passing authentication and obtaining authorized rights, a user logs in to the device and performs
operations. The HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model,
using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the
primary differences between HWTACACS and RADIUS.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS
RADIUS
Uses TCP, which provides reliable network
transmission. Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the
HWTACACS header. Encrypts only the user
password field in an
authentication packet.
Protocol packets are complicated and authorization
is independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication
process.
Supports authorization of configuration commands.
Access to commands depends on both the user's
roles and authorization. A user can use only
commands that are permitted by the user roles and
authorized by the HWTACACS server.
Does not support authorization
of configuration
commands. Access to commands solely depends on
the user's roles. For more information about user
roles, see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for
a Telnet user.
Other manuals for FlexNetwork 5510 HI Series
12
Table of contents
Other HPE Switch manuals
HPE
HPE FlexFabric 5940 SERIES Installation manual
HPE
HPE FlexNetwork 5510 HI Series User manual
HPE
HPE Aruba 2930F User manual
HPE
HPE StoreOnce 3100 User manual
HPE
HPE FlexFabric 12900 Installation manual
HPE
HPE FlexNetwork 7500 Switch User manual
HPE
HPE FlexFabric 5940 SERIES User manual
HPE
HPE 5920 series Installation manual
HPE
HPE FlexNetwork 10500 SERIES Installation manual
HPE
HPE OfficeConnect 1420 Series User manual
HPE
HPE FlexFabric 7900 Series Installation manual
HPE
HPE JH390A User manual
HPE
HPE Aruba Instant On 1830 48G 4SFP Assembly instructions
HPE
HPE FlexFabric 7900 Series User manual
HPE
HPE FlexFabric 12900E User manual
HPE
HPE FlexFabric 5950 Series User manual
HPE
HPE FlexNetwork 5130 HI SERIES Installation manual
HPE
HPE FlexNetwork 5130 24G 4SFP+ 1-slot HI User manual
HPE
HPE FlexNetwork 10500 SERIES User manual
HPE
HPE OfficeConnect 1820 Series User manual
