HPE FlexNetwork 7500 Series User manual
HPE FlexNetwork 7500 Switch Series
Security Configuration Guide
Part number: 5998-7485R
Software version: 7500-CMW710-R7178
Document version: 6W100-20160129
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® andAcrobat® are trademarks ofAdobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring AAA ·····························································································1
Overview····························································································································································1
RADIUS······················································································································································2
HWTACACS···············································································································································7
LDAP··························································································································································9
AAA implementation on the device··········································································································11
AAA for MPLS L3VPNs····························································································································13
Protocols and standards ··························································································································13
RADIUS attributes····································································································································14
FIPS compliance··············································································································································17
AAA configuration considerations and task list································································································17
Configuring AAA schemes·······························································································································18
Configuring local users·····························································································································18
Configuring RADIUS schemes·················································································································23
Configuring HWTACACS schemes··········································································································33
Configuring LDAP schemes·····················································································································39
Configuring AAA methods for ISP domains·····································································································42
Configuration prerequisites······················································································································42
Creating an ISP domain···························································································································43
Configuring ISP domain attributes ···········································································································43
Configuring authentication methods for an ISP domain···········································································44
Configuring authorization methods for an ISP domain·············································································45
Configuring accounting methods for an ISP domain················································································46
Enabling the session-control feature················································································································47
Configuring the RADIUS DAE server feature ··································································································48
Setting the maximum number of concurrent login users··················································································48
Configuring a NAS-ID profile····························································································································49
Displaying and maintaining AAA······················································································································49
AAA configuration examples····························································································································49
AAA for SSH users by an HWTACACS server························································································49
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users·····················51
Authentication and authorization for SSH users by a RADIUS server·····················································53
Authentication for SSH users by an LDAP server····················································································56
AAA for 802.1X users by a RADIUS server·····························································································61
Troubleshooting RADIUS·································································································································65
RADIUS authentication failure ·················································································································65
RADIUS packet delivery failure················································································································66
RADIUS accounting error·························································································································66
Troubleshooting HWTACACS··························································································································66
Troubleshooting LDAP·····································································································································67
802.1X overview ···························································································68
802.1X architecture··········································································································································68
Controlled/uncontrolled port and port authorization status ··············································································68
802.1X-related protocols··································································································································69
Packet formats·········································································································································69
EAP over RADIUS ···································································································································70
802.1X authentication initiation························································································································71
802.1X client as the initiator·····················································································································71
Access device as the initiator···················································································································71
802.1X authentication procedures ···················································································································72
Comparing EAP relay and EAP termination·····························································································72
EAP relay·················································································································································73
EAP termination·······································································································································74
Configuring 802.1X·······················································································76
Access control methods···································································································································76
ii
802.1X VLAN manipulation······························································································································76
Authorization VLAN··································································································································76
Guest VLAN·············································································································································78
Auth-Fail VLAN ········································································································································79
Critical VLAN············································································································································80
Using 802.1X authentication with other features ·····························································································82
ACL assignment·······································································································································82
EAD assistant···········································································································································82
Redirect URL assignment························································································································83
SmartOn···················································································································································83
Configuration prerequisites······························································································································84
802.1X configuration task list···························································································································84
Enabling 802.1X···············································································································································85
Enabling EAP relay or EAP termination···········································································································86
Setting the port authorization state ··················································································································86
Specifying an access control method ··············································································································87
Setting the maximum number of concurrent 802.1X users on a port·······························································87
Setting the maximum number of authentication request attempts···································································87
Setting the 802.1X authentication timeout timers ····························································································88
Configuring the online user handshake feature ·······························································································88
Configuration guidelines···························································································································89
Configuration procedure···························································································································89
Configuring the authentication trigger feature··································································································89
Configuration guidelines···························································································································89
Configuration procedure···························································································································90
Specifying a mandatory authentication domain on a port················································································90
Configuring the quiet timer·······························································································································90
Enabling the periodic online user reauthentication feature··············································································91
Manually reauthenticating all online 802.1X users on a port ···········································································92
Sending 802.1X protocol packets out of a port without VLAN tags ·································································92
Configuring an 802.1X guest VLAN·················································································································93
Configuration guidelines···························································································································93
Configuration prerequisites······················································································································93
Configuration procedure···························································································································93
Configuring an 802.1X Auth-Fail VLAN ···········································································································94
Configuration guidelines···························································································································94
Configuration prerequisites······················································································································94
Configuration procedure···························································································································94
Configuring an 802.1X critical VLAN················································································································95
Configuration guidelines···························································································································95
Configuration prerequisites······················································································································95
Configuration procedure···························································································································95
Enabling the 802.1X critical voice VLAN··········································································································96
Configuration prerequisites······················································································································96
Configuration procedure···························································································································96
Sending EAP-Success packets for 802.1X users assignment to the 802.1X critical VLAN·····························96
Specifying supported domain name delimiters ································································································97
Enabling 802.1X guest VLAN assignment delay ·····························································································97
Configuring the EAD assistant feature·············································································································98
Configuring 802.1X SmartOn···························································································································99
Displaying and maintaining 802.1X··················································································································99
802.1X authentication configuration examples ······························································································100
Basic 802.1X authentication configuration example ··············································································100
802.1X guest VLAN and authorization VLAN configuration example ····················································102
802.1X with ACL assignment configuration example·············································································104
802.1X with EAD assistant configuration example (with DHCP relay agent)·········································106
802.1X with EAD assistant configuration example (with DHCP server)·················································109
802.1X SmartOn configuration example································································································111
Troubleshooting 802.1X EAD assistant for Web browser users····································································112
Configuring MAC authentication ·································································114
Overview························································································································································114
iii
User account policies·····························································································································114
Authentication methods··························································································································114
VLAN assignment ··································································································································115
ACL assignment·····································································································································116
Redirect URL assignment······················································································································117
Periodic MAC reauthentication···············································································································117
Configuration prerequisites····························································································································117
General guidelines and restrictions················································································································117
Configuration task list·····································································································································118
Enabling MAC authentication·························································································································118
Specifying a MAC authentication domain ······································································································118
Configuring the user account format··············································································································119
Setting MAC authentication timers·················································································································119
Enabling MAC authentication offline detection ······························································································120
Setting the maximum number of concurrent MAC authentication users on a port·········································120
Enabling MAC authentication multi-VLAN mode on a port ············································································120
Configuring MAC authentication delay···········································································································121
Configuring a MAC authentication guest VLAN·····························································································121
Configuration prerequisites····················································································································121
Configuration restrictions and guidelines·······························································································122
Configuration procedure·························································································································122
Configuring a MAC authentication critical VLAN····························································································123
Enabling the MAC authentication critical voice VLAN····················································································123
Configuration prerequisites····················································································································124
Configuration procedure·························································································································124
Configuring the keep-online feature···············································································································124
Including user IP addresses in MAC authentication requests········································································124
Enabling parallel processing of MAC authentication and 802.1X authentication···········································125
Configuration restrictions and guidelines·······························································································125
Configuration procedure·························································································································126
Displaying and maintaining MAC authentication····························································································126
MAC authentication configuration examples··································································································127
Local MAC authentication configuration example··················································································127
RADIUS-based MAC authentication configuration example··································································129
ACL assignment configuration example·································································································131
Configuring portal authentication ································································134
Overview························································································································································134
Extended portal functions·······················································································································134
Portal system components·····················································································································134
Interaction between portal system components·····················································································136
Portal authentication modes···················································································································136
Portal support for EAP ···························································································································137
Portal authentication process·················································································································137
Portal configuration task list···························································································································139
Configuration prerequisites····························································································································140
Configuring a portal authentication server ·····································································································141
Configuring a portal Web server ····················································································································141
Enabling portal authentication on an interface·······························································································142
Configuration restrictions and guidelines·······························································································142
Configuration procedure·························································································································142
Specifying a portal Web server on an interface ·····························································································143
Controlling portal user access························································································································143
Configuring a portal-free rule ·················································································································143
Configuring an authentication source subnet·························································································144
Configuring an authentication destination subnet··················································································145
Setting the maximum number of portal users ························································································146
Specifying a portal authentication domain ·····························································································146
Enabling outgoing packets filtering on a portal-enabled interface··························································147
Configuring portal detection features·············································································································147
Configuring online detection of portal users···························································································147
Configuring portal authentication server detection·················································································148
iv
Configuring portal Web server detection································································································149
Configuring portal user synchronization·································································································150
Configuring the portal fail-permit feature········································································································150
Configuring BAS-IP for portal packets sent to the portal authentication server·············································151
Applying a NAS-ID profile to an interface ······································································································152
Configuring the local portal Web server feature·····························································································152
Customizing authentication pages·········································································································153
Configuring a local portal Web server····································································································155
Enabling portal roaming·································································································································155
Logging out online portal users······················································································································156
Displaying and maintaining portal··················································································································156
Portal configuration examples························································································································157
Configuring direct portal authentication··································································································157
Configuring re-DHCP portal authentication····························································································162
Configuring cross-subnet portal authentication······················································································165
Configuring extended direct portal authentication··················································································168
Configuring extended re-DHCP portal authentication············································································171
Configuring extended cross-subnet portal authentication······································································175
Configuring portal server detection and portal user synchronization·····················································178
Configuring cross-subnet portal authentication for MPLS L3VPNs························································184
Configuring direct portal authentication using the local portal Web server············································186
Troubleshooting portal ···································································································································189
No portal authentication page is pushed for users·················································································189
Cannot log out portal users on the access device ·················································································189
Cannot log out portal users on the RADIUS server ···············································································190
Users logged out by the access device still exist on the portal authentication server····························190
Re-DHCP portal authenticated users cannot log in successfully···························································190
Configuring port security·············································································192
Overview························································································································································192
Port security features·····························································································································192
Port security modes ·······························································································································192
Configuration task list·····································································································································195
Enabling port security ····································································································································195
Setting port security's limit on the number of secure MAC addresses on a port············································196
Setting the port security mode ·······················································································································196
Configuring port security features··················································································································197
Configuring NTK·····································································································································197
Configuring intrusion protection ·············································································································198
Configuring secure MAC addresses ··············································································································199
Configuration prerequisites····················································································································199
Configuration procedure·························································································································200
Ignoring authorization information from the server ························································································200
Enabling MAC move ······································································································································201
Enabling the authorization-fail-offline feature·································································································201
Applying a NAS-ID profile to port security······································································································201
Displaying and maintaining port security ·······································································································202
Port security configuration examples·············································································································202
autoLearn configuration example···········································································································202
userLoginWithOUI configuration example······························································································204
macAddressElseUserLoginSecure configuration example····································································207
Troubleshooting port security·························································································································211
Cannot set the port security mode·········································································································211
Cannot configure secure MAC addresses ·····························································································211
Configuring password control ·····································································212
Overview························································································································································212
Password setting····································································································································212
Password updating and expiration·········································································································213
User login control···································································································································214
Password not displayed in any form ······································································································214
Logging ··················································································································································214
v
FIPS compliance············································································································································215
Password control configuration task list·········································································································215
Enabling password control·····························································································································215
Setting global password control parameters··································································································216
Setting user group password control parameters ··························································································217
Setting local user password control parameters····························································································218
Setting super password control parameters ··································································································218
Displaying and maintaining password control································································································219
Password control configuration example ·······································································································219
Network requirements····························································································································219
Configuration procedure·························································································································220
Verifying the configuration······················································································································221
Managing public keys ·················································································223
Overview························································································································································223
FIPS compliance············································································································································223
Creating a local key pair ································································································································223
Distributing a local host public key·················································································································225
Exporting a host public key····················································································································225
Displaying a host public key···················································································································225
Destroying a local key pair·····························································································································226
Configuring a peer host public key·················································································································226
Importing a peer host public key from a public key file ··········································································226
Entering a peer host public key··············································································································227
Displaying and maintaining public keys ·········································································································227
Examples of public key management ············································································································227
Example for entering a peer host public key··························································································227
Example for importing a public key from a public key file ······································································229
Configuring SSL··························································································232
Overview························································································································································232
SSL security services·····························································································································232
SSL protocol stack·································································································································232
FIPS compliance············································································································································233
SSL configuration task list······························································································································233
Configuring an SSL server policy···················································································································233
Configuring an SSL client policy ····················································································································235
Displaying and maintaining SSL ····················································································································237
SSL server policy configuration example·······································································································237
Configuring PKI···························································································240
Overview························································································································································240
PKI terminology······································································································································240
PKI architecture······································································································································241
PKI operation ·········································································································································241
PKI applications ·····································································································································242
Support for MPLS L3VPN······················································································································242
FIPS compliance············································································································································243
PKI configuration task list·······························································································································243
Configuring a PKI entity ·································································································································243
Configuring a PKI domain······························································································································244
Requesting a certificate ·································································································································246
Configuration guidelines·························································································································246
Configuring automatic certificate request·······························································································247
Manually requesting a certificate············································································································247
Aborting a certificate request ·························································································································248
Obtaining certificates ·····································································································································248
Configuration prerequisites····················································································································248
Configuration guidelines·························································································································248
Configuration procedure·························································································································249
Verifying PKI certificates································································································································249
Verifying certificates with CRL checking································································································249
vi
Verifying certificates without CRL checking···························································································250
Specifying the storage path for the certificates and CRLs·············································································251
Exporting certificates······································································································································251
Removing a certificate ···································································································································252
Configuring a certificate-based access control policy····················································································252
Displaying and maintaining PKI ·····················································································································253
PKI configuration examples ···························································································································253
Requesting a certificate from an RSA Keon CA server··········································································254
Requesting a certificate from a Windows Server 2003 CA server·························································256
Requesting a certificate from an OpenCA server···················································································260
Certificate-based access control policy configuration example······························································263
Certificate import and export configuration example··············································································264
Troubleshooting PKI configuration·················································································································269
Failed to obtain the CA certificate··········································································································270
Failed to obtain local certificates············································································································270
Failed to request local certificates··········································································································271
Failed to obtain CRLs·····························································································································272
Failed to import the CA certificate··········································································································272
Failed to import the local certificate········································································································273
Failed to export certificates····················································································································273
Failed to set the storage path·················································································································274
Configuring SSH·························································································275
Overview························································································································································275
How SSH works·····································································································································275
SSH authentication methods··················································································································276
SSH support for Suite B·························································································································277
Protocols and standards ························································································································277
FIPS compliance············································································································································278
Configuring the device as an SSH server······································································································278
SSH server configuration task list··········································································································278
Generating local key pairs······················································································································278
Enabling the Stelnet server····················································································································279
Enabling the SFTP server······················································································································279
Enabling the SCP server························································································································280
Enabling NETCONF over SSH ··············································································································280
Configuring the user lines for SSH login································································································280
Configuring a client's host public key·····································································································281
Configuring an SSH user ·······················································································································282
Configuring the SSH management parameters·····················································································283
Specifying a PKI domain for the SSH server ·························································································284
Configuring the device as an Stelnet client····································································································284
Stelnet client configuration task list········································································································284
Specifying the source IP address for SSH packets················································································285
Establishing a connection to an Stelnet server······················································································285
Establishing a connection to an Stelnet server based on Suite B··························································288
Configuring the device as an SFTP client······································································································288
SFTP client configuration task list··········································································································288
Specifying the source IP address for SFTP packets··············································································288
Establishing a connection to an SFTP server························································································289
Establishing a connection to an SFTP server based on Suite B····························································291
Working with SFTP directories···············································································································292
Working with SFTP files·························································································································292
Displaying help information····················································································································293
Terminating the connection with the SFTP server·················································································293
Configuring the device as an SCP client········································································································293
Establishing a connection to an SCP server··························································································293
Establishing a connection to an SCP server based on Suite B······························································296
Specifying algorithms for SSH2 ·····················································································································296
Specifying key exchange algorithms for SSH2······················································································296
Specifying public key algorithms for SSH2 ····························································································297
Specifying encryption algorithms for SSH2····························································································297
vii
Specifying MAC algorithms for SSH2 ····································································································298
Displaying and maintaining SSH····················································································································298
Stelnet configuration examples······················································································································298
Password authentication enabled Stelnet server configuration example···············································298
Publickey authentication enabled Stelnet server configuration example···············································301
Password authentication enabled Stelnet client configuration example ················································306
Publickey authentication enabled Stelnet client configuration example·················································309
Stelnet configuration example based on 128-bit Suite B algorithms······················································311
SFTP configuration examples························································································································315
Password authentication enabled SFTP server configuration example·················································316
Publickey authentication enabled SFTP client configuration example···················································318
SFTP configuration example based on 192-bit Suite B algorithms························································321
SCP configuration examples··························································································································325
SCP configuration example with password authentication ····································································325
SCP configuration example based on Suite B algorithms······································································327
NETCONF over SSH configuration example with password authentication··················································334
Network requirements····························································································································334
Configuration procedure·························································································································334
Verifying the configuration······················································································································336
Configuring IP source guard·······································································337
Overview························································································································································337
Static IPSG bindings······························································································································337
Dynamic IPSG bindings·························································································································338
IPSG configuration task list····························································································································338
Configuring the IPv4SG feature·····················································································································339
Enabling IPv4SG on an interface···········································································································339
Configuring a static IPv4SG binding ······································································································339
Configuring the IPv6SG feature·····················································································································340
Enabling IPv6SG on an interface···········································································································340
Configuring a static IPv6SG binding ······································································································340
Displaying and maintaining IPSG ··················································································································341
IPSG configuration examples ························································································································342
Static IPv4SG configuration example·····································································································342
Dynamic IPv4SG using DHCP snooping configuration example···························································343
Dynamic IPv4SG using DHCP relay configuration example··································································344
Static IPv6SG configuration example·····································································································345
Dynamic IPv6SG using DHCPv6 snooping configuration example ·······················································346
Configuring ARP attack protection······························································347
ARP attack protection configuration task list··································································································347
Configuring unresolvable IP attack protection ·······························································································347
Configuring ARP source suppression····································································································348
Configuring ARP blackhole routing········································································································348
Displaying and maintaining unresolvable IP attack protection·······························································348
Configuration example···························································································································349
Configuring ARP packet rate limit··················································································································350
Configuration guidelines·························································································································350
Configuration procedure·························································································································350
Configuring source MAC-based ARP attack detection ··················································································351
Configuration procedure·························································································································351
Displaying and maintaining source MAC-based ARP attack detection··················································351
Configuration example···························································································································352
Configuring ARP packet source MAC consistency check··············································································353
Configuring ARP active acknowledgement····································································································353
Configuring authorized ARP ··························································································································354
Configuration procedure·························································································································354
Configuration example (on a DHCP server)···························································································354
Configuration example (on a DHCP relay agent)···················································································355
Configuring ARP detection·····························································································································356
Configuring user validity check ··············································································································357
Configuring ARP packet validity check ··································································································358
viii
Configuring ARP restricted forwarding···································································································358
Enabling ARP detection logging·············································································································359
Displaying and maintaining ARP detection····························································································359
User validity check configuration example·····························································································359
User validity check and ARP packet validity check configuration example············································361
Configuring ARP scanning and fixed ARP·····································································································362
Configuration restrictions and guidelines·······························································································362
Configuration procedure·························································································································363
Configuring ARP gateway protection·············································································································363
Configuration guidelines·························································································································363
Configuration procedure·························································································································363
Configuration example···························································································································364
Configuring ARP filtering································································································································364
Configuration guidelines·························································································································364
Configuration procedure·························································································································365
Configuration example···························································································································365
Configuring the checking of sender IP addresses for ARP packets ······························································366
Configuring uRPF ·······················································································367
Overview························································································································································367
uRPF check modes································································································································367
Features·················································································································································367
uRPF operation······································································································································368
Network application································································································································369
Configuration procedure ································································································································370
Displaying and maintaining uRPF··················································································································370
uRPF configuration example··························································································································370
Configuring IPv6 uRPF···············································································372
Overview························································································································································372
IPv6 uRPF check modes························································································································372
Features·················································································································································372
IPv6 uRPF operation······························································································································373
Network application································································································································374
Configuration procedure ································································································································375
Displaying and maintaining IPv6 uRPF··········································································································375
IPv6 uRPF configuration example ·················································································································375
Configuring FIPS·························································································377
Overview························································································································································377
Configuration restrictions and guidelines·······································································································377
Configuring FIPS mode··································································································································378
Entering FIPS mode·······························································································································378
Configuration changes in FIPS mode ····································································································379
Exiting FIPS mode ·································································································································380
FIPS self-tests················································································································································380
Power-up self-tests ································································································································381
Conditional self-tests······························································································································381
Triggering self-tests································································································································382
Displaying and maintaining FIPS···················································································································382
FIPS configuration examples·························································································································382
Entering FIPS mode through automatic reboot······················································································382
Entering FIPS mode through manual reboot··························································································383
Exiting FIPS mode through automatic reboot ························································································385
Exiting FIPS mode through manual reboot····························································································385
Configuring attack detection and prevention···············································387
Overview························································································································································387
Attacks that the device can prevent···············································································································387
Single-packet attacks·····························································································································387
Scanning attacks····································································································································388
Flood attacks··········································································································································389
ix
TCP fragment attack······························································································································390
Login DoS attack····································································································································390
Login dictionary attack ···························································································································390
Blacklist feature··············································································································································390
Attack detection and prevention configuration task list··················································································391
Configuring an attack defense policy·············································································································391
Creating an attack defense policy··········································································································391
Configuring a single-packet attack defense policy·················································································391
Configuring a scanning attack defense policy························································································393
Configuring a flood attack defense policy ······························································································393
Configuring attack detection exemption·································································································398
Applying an attack defense policy to an interface··················································································398
Applying an attack defense policy to the device ····················································································399
Enabling log non-aggregation for single-packet attack events·······························································399
Configuring TCP fragment attack prevention·································································································400
Configuring the IP blacklist feature ················································································································400
Configuring login attack prevention················································································································401
Enabling the login delay·································································································································401
Displaying and maintaining attack detection and prevention·········································································402
Attack detection and prevention configuration examples···············································································404
Interface-based attack detection and prevention configuration example···············································404
IP blacklist configuration example··········································································································407
Configuring MACsec···················································································409
Overview························································································································································409
Basic concepts·······································································································································409
MACsec services ···································································································································409
MACsec applications······························································································································410
MACsec operating mechanism··············································································································410
Protocols and standards ························································································································412
Feature and hardware compatibility···············································································································412
General restrictions and guidelines················································································································412
MACsec configuration task list·······················································································································413
Enabling MKA ················································································································································413
Enabling MACsec desire································································································································413
Configuring a preshared key··························································································································414
Configuring the MKA key server priority ········································································································414
Configuring MACsec protection parameters in interface view ·······································································415
Configuring the MACsec confidentiality offset························································································415
Configuring MACsec replay protection···································································································415
Configuring the MACsec validation mode······························································································416
Configuring MACsec protection parameters by MKA policy ··········································································416
Configuring an MKA policy·····················································································································416
Applying an MKA policy ·························································································································417
Displaying and maintaining MACsec ·············································································································417
Device-oriented MACsec configuration example···························································································418
Network requirements····························································································································418
Configuration procedure·························································································································418
Verifying the configuration······················································································································419
Troubleshooting MACsec·······························································································································421
Configuring MFF·························································································422
Overview························································································································································422
Basic concepts·······································································································································423
MFF operation modes····························································································································423
MFF working mechanism·······················································································································424
Protocols and standards ························································································································424
Configuring MFF ············································································································································424
Enabling MFF·········································································································································424
Configuring a network port·····················································································································425
Enabling periodic gateway probe···········································································································425
Specifying the IP addresses of servers··································································································425
x
Displaying and maintaining MFF····················································································································426
MFF configuration examples··························································································································426
Auto-mode MFF configuration example in a tree network ·····································································426
Auto-mode MFF configuration example in a ring network······································································428
Manual-mode MFF configuration example in a tree network·································································430
Manual-mode MFF configuration example in a ring network·································································431
Configuring ND attack defense···································································433
Overview························································································································································433
Configuration restrictions and guidelines·······································································································433
Configuring source MAC consistency check for ND messages·····································································433
Configuring ND attack detection ····················································································································434
About ND attack detection ·····················································································································434
Configuration guidelines·························································································································434
Configuration procedure·························································································································435
Displaying and maintaining ND attack detection····························································································435
Configuring RA guard ····································································································································435
About RA guard······································································································································435
Specifying the role of the attached device ·····························································································436
Configuring an RA guard policy ·············································································································436
Enabling the RA guard logging feature··································································································437
Displaying and maintaining RA guard············································································································437
RA guard configuration example····················································································································437
Network requirements····························································································································437
Configuration procedure·························································································································438
Verifying the configuration······················································································································439
Configuring keychains·················································································440
Overview························································································································································440
Configuration procedure ································································································································440
Displaying and maintaining keychain·············································································································441
Keychain configuration example····················································································································441
Network requirements····························································································································441
Configuration procedure·························································································································441
Verifying the configuration······················································································································443
Document conventions and icons·······························································446
Conventions···················································································································································446
Network topology icons··································································································································447
Support and other resources ······································································448
Accessing Hewlett Packard Enterprise Support ····························································································448
Accessing updates·········································································································································448
Websites ················································································································································449
Customer self repair·······························································································································449
Remote support······································································································································449
Documentation feedback ·······················································································································449
Index···········································································································451
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•Authentication—Identifies users and verifies their validity.
•Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
•Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables user behavior auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information toAAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet andADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packetverifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
4
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
•The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
Cod
e Packet type Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and
the server sends an Access-Accept response.
3 Access-Reject From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the
server sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or
stop accounting.
5 Accounting-Respons
e
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
•The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
•The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
•The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
•The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
5
{Type—Type of the attribute.
{Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
{Value—Value of the attribute. Its format and content depend on the Type subfield.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. Attribute No. Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
6
No. Attribute No. Attribute
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)
allows a vendor to define extended attributes. The extended attributes can implement functions that
the standard RADIUS protocol does not provide.
Avendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following
parts:
•Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a
code compliant to RFC 1700.
•Vendor-Type—Type of the subattribute.
•Vendor-Length—Length of the subattribute.
•Vendor-Data—Contents of the subattribute.
The device supports the RADIUS subattributes with a vendor ID of 25506. For more information, see
"Proprietary RADIUS subattributes (vendor ID 25506)Proprietary RADIUS subattributes (vendor ID
25506)."
Figure 5 Format of attribute 26
7
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server
model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically providesAAAservices for VPDN and terminal users. In a typical HWTACACS
scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS
sends users' usernames and passwords to the HWTACACS server for authentication. After passing
authentication and obtaining authorized rights, a user logs in to the device and performs operations.
The HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model,
using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the
primary differences between HWTACACS and RADIUS.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, which provides reliable network
transmission. Uses UDP, which provides high transport efficiency.
Encrypts the entire packet except for the
HWTACACS header. Encrypts only the user password field in an
authentication packet.
Protocol packets are complicated and authorization
is independent of authentication. Authentication and
authorization can be deployed on different
HWTACACS servers.
Protocol packets are simple and the authorization
process is combined with the authentication
process.
Supports authorization of configuration commands.
Access to commands depends on both the user's
roles and authorization. A user can use only
commands that are permitted by the user roles and
authorized by the HWTACACS server.
Does not support authorization of configuration
commands. Access to commands solely depends
on the user's roles. For more information about user
roles, see Fundamentals Configuration Guide.
Basic HWTACACS packet exchange process
Figure 6 describes how HWTACACS performs user authentication, authorization, and accounting for
a Telnet user.
8
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
HWTACACS operates using in the following workflow:
1. A Telnet user sends an access request to the HWTACACS client.
2. The HWTACACS client sends a start-authentication packet to the HWTACACS server when it
receives the request.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a
continue-authentication packet that includes the username.
7. The HWTACACS server sends back an authentication response to request the login password.
8. Upon receipt of the response, the HWTACACS client prompts the user for the login password.
9. The user enters the password.
Host HWTACACS client HWTACACS server
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password
9) The user enters the password
11) Response indicating successful authentication
12) User authorization request packet
13) Response indicating successful authorization
14) The user logs in successfully
15) Start-accounting request
16) Response indicating the start of accounting
17) The user logs off
18) Stop-accounting request
19) Stop-accounting response
10) Continue-authentication packet with the password
Other manuals for FlexNetwork 7500 Series
5
Table of contents
Other HPE Switch manuals
HPE
HPE H3C S9500 Series User manual
HPE
HPE 3100 v2 Series User manual
HPE
HPE FlexFabric 5800 Series User manual
HPE
HPE 1410-16G User manual
HPE
HPE StoreOnce 3100 User manual
HPE
HPE FlexNetwork 7500 Switch User manual
HPE
HPE FlexNetwork 10500 SERIES User manual
HPE
HPE 5945 Installation instructions
HPE
HPE OfficeConnect 1910 Series Safety guide
HPE
HPE OfficeConnect 1420 Series User manual
HPE
HPE FlexFabric 5940 SERIES User manual
HPE
HPE 6Gb SAS BL User manual
HPE
HPE FlexNetwork 5510 HI Series User manual
HPE
HPE FlexNetwork 5510 HI Series User manual
HPE
HPE FlexFabric 12900E User manual
HPE
HPE FlexNetwork 5130 EI Series Instruction Manual
HPE
HPE JH390A User manual
HPE
HPE FlexFabric 5930 Series Installation manual
HPE
HPE LSQM2MPUD0 User manual
HPE
HPE OfficeConnect 1820 Series User manual
