Professional Documents
Culture Documents
HPE FlexFabric 5945 Switch Series Security Configuration Guide-Release 655x
HPE FlexFabric 5945 Switch Series Security Configuration Guide-Release 655x
i
Specifying the HWTACACS authorization servers ···································································· 41
Specifying the HWTACACS accounting servers ······································································· 42
Specifying the shared keys for secure HWTACACS communication ············································· 43
Specifying an MPLS L3VPN instance for the scheme ································································ 43
Setting HWTACACS timers ································································································· 44
Specifying the source IP address for outgoing HWTACACS packets ············································ 45
Setting the username format and traffic statistics units ······························································ 46
Configuring HWTACACS stop-accounting packet buffering ························································ 47
Display and maintenance commands for HWTACACS ······························································ 47
Configuring LDAP ···················································································································· 48
LDAP tasks at a glance ······································································································ 48
Creating an LDAP server ···································································································· 48
Configuring the IP address of the LDAP server ········································································ 48
Specifying the LDAP version ································································································ 48
Setting the LDAP server timeout period ·················································································· 49
Configuring administrator attributes ······················································································· 49
Configuring LDAP user attributes ·························································································· 50
Configuring an LDAP attribute map ······················································································· 51
Creating an LDAP scheme ·································································································· 51
Specifying the LDAP authentication server·············································································· 51
Specifying the LDAP authorization server ··············································································· 51
Specifying an LDAP attribute map for LDAP authorization ·························································· 52
Display and maintenance commands for LDAP········································································ 52
Creating an ISP domain ············································································································ 52
About ISP domains ············································································································ 52
Restrictions and guidelines for ISP domain configuration ··························································· 53
Creating an ISP domain ······································································································ 53
Specifying the default ISP domain ························································································· 53
Specifying an ISP domain for users that are assigned to nonexistent domains································ 53
Configuring ISP domain attributes ······························································································· 54
Setting ISP domain status ··································································································· 54
Configuring authorization attributes for an ISP domain ······························································ 54
Including the idle timeout period in the user online duration to be sent to the server ························· 55
Configuring AAA methods for an ISP domain ················································································· 55
Configuring authentication methods for an ISP domain ······························································ 55
Configuring authorization methods for an ISP domain ······························································· 56
Configuring accounting methods for an ISP domain ·································································· 57
Display and maintenance commands for ISP domains ······························································ 59
Setting the maximum number of concurrent login users···································································· 59
Configuring a NAS-ID ··············································································································· 59
Configuring the device ID··········································································································· 60
Configuring the connection recording policy ··················································································· 60
About the connection recording policy ···················································································· 60
Restrictions and guidelines ·································································································· 60
Procedure ························································································································ 60
Display and maintenance commands for the connection recording policy ······································ 61
Configuring the AAA test feature ································································································· 61
AAA configuration examples······································································································· 63
Example: Configuring AAA for SSH users by an HWTACACS server············································ 63
Example: Configuring local authentication, HWTACACS authorization, and RADIUS accounting for SSH
users ······························································································································ 65
Example: Configuring authentication and authorization for SSH users by a RADIUS server ··············· 67
Example: Configuring authentication for SSH users by an LDAP server ········································ 70
Example: Configuring AAA for 802.1X users by a RADIUS server ················································ 73
Troubleshooting AAA ················································································································ 78
RADIUS authentication failure ······························································································ 78
RADIUS packet delivery failure ···························································································· 79
RADIUS accounting error ···································································································· 79
Troubleshooting HWTACACS ······························································································ 80
LDAP authentication failure ································································································· 80
Appendixes ···························································································································· 80
Appendix A Commonly used RADIUS attributes······································································· 80
ii
Appendix B Descriptions for commonly used standard RADIUS attributes ····································· 82
Appendix C RADIUS subattributes (vendor ID 25506) ······························································· 84
802.1X overview ············································································ 88
About the 802.1X protocol·········································································································· 88
802.1X architecture············································································································ 88
Controlled/uncontrolled port and port authorization status ·························································· 88
Packet exchange methods ·································································································· 89
Packet formats·················································································································· 90
802.1X authentication procedures ························································································· 92
802.1X authentication initiation ····························································································· 94
Access control methods ············································································································ 95
802.1X VLAN manipulation ········································································································ 95
Authorization VLAN ··········································································································· 95
Guest VLAN ····················································································································· 98
Auth-Fail VLAN ················································································································· 99
Critical VLAN ·················································································································· 100
Critical voice VLAN ·········································································································· 102
802.1X VSI manipulation ········································································································· 102
802.1X support for VXLANs ······························································································· 102
Authorization VSI ············································································································ 103
Guest VSI ······················································································································ 103
Auth-Fail VSI ·················································································································· 104
Critical VSI ····················································································································· 104
ACL assignment ···················································································································· 105
User profile assignment ··········································································································· 106
Redirect URL assignment ········································································································ 106
Periodic 802.1X reauthentication ······························································································· 106
EAD assistant ······················································································································· 107
Configuring 802.1X ······································································· 108
Restrictions and guidelines: 802.1X configuration ········································································· 108
802.1X tasks at a glance ········································································································· 108
Prerequisites for 802.1X ·········································································································· 109
Enabling 802.1X ···················································································································· 110
Enabling EAP relay or EAP termination ······················································································ 110
Setting the port authorization state····························································································· 111
Specifying an access control method ························································································· 111
Specifying a mandatory authentication domain on a port ································································ 111
Setting the 802.1X authentication timeout timers ·········································································· 112
Configuring 802.1X reauthentication ·························································································· 113
Setting the quiet timer ············································································································· 114
Configuring an 802.1X guest VLAN···························································································· 114
Enabling 802.1X guest VLAN assignment delay ··········································································· 115
Configuring an 802.1X Auth-Fail VLAN ······················································································· 116
Configuring an 802.1X critical VLAN ·························································································· 117
Enabling the 802.1X critical voice VLAN feature ··········································································· 117
Configuring an 802.1X guest VSI······························································································· 118
Enabling 802.1X guest VSI assignment delay ·············································································· 118
Configuring an 802.1X Auth-Fail VSI ·························································································· 119
Configuring an 802.1X critical VSI ····························································································· 119
Configuring 802.1X unauthenticated user aging ············································································ 120
Sending EAP-Success packets on assignment of users to the 802.1X Auth-Fail VLAN or VSI ················ 121
Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN or VSI···················· 121
Enabling 802.1X online user synchronization ··············································································· 122
Configuring the authentication trigger feature ··············································································· 122
Setting the maximum number of concurrent 802.1X users on a port ·················································· 123
Setting the maximum number of authentication request attempts ····················································· 123
Configuring online user handshake ···························································································· 124
Configuring 802.1X offline detection ··························································································· 125
Specifying supported domain name delimiters ·············································································· 126
Removing the VLAN tags of 802.1X protocol packets sent out of a port ············································· 126
iii
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ··············· 127
Enabling 802.1X user IP freezing ······························································································ 127
Configuring 802.1X MAC address binding ··················································································· 128
Configuring the EAD assistant feature ························································································ 128
Setting the maximum size of EAP-TLS fragments sent to the server ················································· 129
Logging off 802.1X users ········································································································· 130
Enabling 802.1X user logging ··································································································· 130
Display and maintenance commands for 802.1X ·········································································· 130
802.1X authentication configuration examples ·············································································· 131
Example: Configuring basic 802.1X authentication ································································· 131
Example: Configuring 802.1X guest VLAN and authorization VLAN············································ 133
Example: Configuring 802.1X with ACL assignment ································································ 136
Example: Configuring 802.1X guest VSI and authorization VSI ················································· 138
Example: Configuring 802.1X with EAD assistant (with DHCP relay agent) ·································· 140
Example: Configuring 802.1X with EAD assistant (with DHCP server) ········································ 143
Troubleshooting 802.1X ·········································································································· 145
EAD assistant URL redirection failure ·················································································· 145
Configuring MAC authentication ······················································ 146
About MAC authentication ······································································································· 146
User account policies ······································································································· 146
Authentication methods ···································································································· 147
VLAN assignment············································································································ 147
VSI manipulation ············································································································· 152
ACL assignment·············································································································· 154
User profile assignment ···································································································· 154
Redirect URL assignment ································································································· 154
Blackhole MAC attribute assignment ··················································································· 155
Periodic MAC reauthentication ··························································································· 155
Restrictions and guidelines: MAC authentication configuration ························································· 156
MAC authentication tasks at a glance ························································································· 156
Prerequisites for MAC authentication ························································································· 157
Enabling MAC authentication···································································································· 157
Specifying a MAC authentication method ···················································································· 158
Specifying a MAC authentication domain ···················································································· 158
Configuring the user account format··························································································· 159
Configuring MAC authentication timers ······················································································· 159
Configuring periodic MAC reauthentication ·················································································· 160
Configuring a MAC authentication guest VLAN ············································································· 161
Configuring a MAC authentication critical VLAN ··········································································· 162
Enabling the MAC authentication critical voice VLAN feature ··························································· 163
Configuring a MAC authentication guest VSI ················································································ 163
Configuring a MAC authentication critical VSI ·············································································· 164
Configuring user aging for unauthenticated MAC authentication users ··············································· 164
Configuring MAC authentication offline detection ·········································································· 165
Enabling online user synchronization for MAC authentication ·························································· 166
Setting the maximum number of concurrent MAC authentication users on a port ································· 167
Enabling MAC authentication multi-VLAN mode on a port ······························································· 167
Configuring MAC authentication delay ························································································ 168
Including user IP addresses in MAC authentication requests ··························································· 169
Enabling parallel processing of MAC authentication and 802.1X authentication ··································· 170
Logging off MAC authentication users ························································································ 171
Enabling MAC authentication user logging ·················································································· 171
Display and maintenance commands for MAC authentication ·························································· 171
MAC authentication configuration examples ················································································ 172
Example: Configuring local MAC authentication ····································································· 172
Example: Configuring RADIUS-based MAC authentication ······················································· 175
Example: Configuring ACL assignment for MAC authentication ················································· 177
Example: Configuring MAC authentication authorization VSI assignment ···································· 180
Configuring portal authentication ····················································· 183
About portal authentication······································································································· 183
iv
Advantages of portal authentication ····················································································· 183
Extended portal functions ·································································································· 183
Portal system ················································································································· 183
Portal authentication using a remote portal server ·································································· 184
Local portal service ·········································································································· 185
Portal authentication modes ······························································································ 185
Portal authentication process ····························································································· 186
Portal support for EAP ······································································································ 188
Portal filtering rules ·········································································································· 188
Restrictions and guidelines: Portal configuration ··········································································· 189
Portal authentication tasks at a glance ························································································ 189
Prerequisites for portal authentication ························································································· 190
Configuring a remote portal authentication server ········································································· 191
Configuring a portal Web server ································································································ 192
Portal Web server tasks at a glance ···················································································· 192
Configure basic parameters for a portal Web server ································································ 192
Enabling the captive-bypass feature ···················································································· 192
Configuring a match rule for URL redirection ········································································· 193
Specifying the HTTPS redirect listening port number ····································································· 193
Configuring local portal service features ······················································································ 194
About the local portal service ····························································································· 194
Restrictions and guidelines for configuring local portal service features ······································· 194
Customizing authentication pages ······················································································· 194
Configuring a local portal Web service ················································································· 196
Enabling portal authentication on an interface ·············································································· 197
Specifying a portal Web server on an interface ············································································· 198
Configuring a portal preauthentication domain ·············································································· 198
Specifying a preauthentication IP address pool ············································································ 199
Specifying a portal authentication domain ··················································································· 200
About portal authentication domains ···················································································· 200
Restrictions and guidelines for specifying a portal authentication domain····································· 200
Specifying a portal authentication domain on an interface ························································ 200
Controlling portal user access ··································································································· 201
Configuring a portal-free rule ····························································································· 201
Configuring an authentication source subnet ········································································· 202
Configuring an authentication destination subnet···································································· 202
Configuring support of Web proxy for portal authentication ······················································· 203
Checking the issuing of category-2 portal filtering rules ···························································· 204
Setting the maximum number of portal users ········································································· 204
Enabling strict-checking on portal authorization information ······················································ 205
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ····················· 205
Enabling portal roaming ···································································································· 206
Configuring the portal fail-permit feature ··············································································· 206
Configuring portal detection features ·························································································· 207
Configuring online detection of portal users ··········································································· 207
Configuring portal authentication server detection ·································································· 208
Configuring portal Web server detection ··············································································· 208
Configuring portal user synchronization ················································································ 209
Configuring portal packet attributes ···························································································· 210
Configuring the BAS-IP or BAS-IPv6 attribute ········································································ 210
Specifying the device ID ··································································································· 211
Configuring attributes for RADIUS packets ·················································································· 211
Specifying a format for the NAS-Port-Id attribute ···································································· 211
Configuring the NAS-Port-Type attribute··············································································· 212
Applying a NAS-ID profile to an interface ·············································································· 212
Logging out online portal users ································································································· 213
Enabling portal user login/logout logging ····················································································· 213
Disabling the Rule ARP or ND entry feature for portal clients ··························································· 214
Configuring Web redirect ········································································································· 214
Display and maintenance commands for portal ············································································ 214
Portal configuration examples ··································································································· 215
Example: Configuring direct portal authentication ··································································· 215
v
Example: Configuring re-DHCP portal authentication ······························································ 221
Example: Configuring cross-subnet portal authentication ························································· 225
Example: Configuring extended direct portal authentication ······················································ 229
Example: Configuring extended re-DHCP portal authentication ················································· 232
Example: Configuring extended cross-subnet portal authentication ············································ 237
Example: Configuring portal server detection and portal user synchronization ······························ 240
Example: Configuring cross-subnet portal authentication for MPLS L3VPNs ································ 246
Example: Configuring direct portal authentication with a preauthentication domain ························ 248
Example: Configuring re-DHCP portal authentication with a preauthentication domain ··················· 250
Example: Configuring direct portal authentication using a local portal Web service ························ 253
Troubleshooting portal ············································································································ 256
No portal authentication page is pushed for users ·································································· 256
Cannot log out portal users on the access device ··································································· 256
Cannot log out portal users on the RADIUS server ································································· 257
Users logged out by the access device still exist on the portal authentication server ······················ 257
Re-DHCP portal authenticated users cannot log in successfully ················································ 258
Configuring Web authentication ······················································· 259
About Web authentication ········································································································ 259
Advantages of Web authentication ······················································································ 259
Web authentication system ································································································ 259
Web authentication process ······························································································· 260
Web authentication support for VLAN assignment ·································································· 260
Web authentication support for authorization ACLs ································································· 261
Restrictions and guidelines: Web authentication configuration ························································· 261
Web authentication task at a glance ··························································································· 262
Prerequisites for Web authentication ·························································································· 262
Configuring a Web authentication server ····················································································· 263
Configuring a local portal service ······························································································· 263
Specifying the HTTPS redirect listening port number ····································································· 263
Enabling Web authentication ···································································································· 264
Specifying a Web authentication domain ····················································································· 264
Setting the redirection wait time ································································································ 265
Configuring a Web authentication-free subnet ·············································································· 265
Setting the maximum number of Web authentication users ····························································· 266
Configuring online Web authentication user detection ···································································· 266
Configuring an Auth-Fail VLAN ································································································· 266
Configuring Web authentication to support Web proxy ··································································· 267
Display and maintenance commands for Web authentication ·························································· 268
Web authentication configuration examples ················································································· 268
Example: Configuring Web authentication by using the local authentication method ······················ 268
Example: Configuring Web authentication by using the RADIUS authentication method ················· 270
Troubleshooting Web authentication ·························································································· 272
Failure to come online (local authentication interface using the default ISP domain ······················· 272
Configuring port security ································································ 273
About port security ················································································································· 273
Major functions ··············································································································· 273
Port security features ······································································································· 273
Port security modes ········································································································· 273
Restrictions and guidelines: Port security configuration ·································································· 276
Port security tasks at a glance ·································································································· 276
Enabling port security ············································································································· 277
Setting the port security mode ·································································································· 277
Setting port security's limit on the number of secure MAC addresses on a port···································· 278
Configuring secure MAC addresses ··························································································· 279
About secure MAC addresses ···························································································· 279
Prerequisites ·················································································································· 280
Adding secure MAC addresses ·························································································· 280
Enabling inactivity aging for secure MAC addresses ······························································· 280
Enabling the dynamic secure MAC feature············································································ 281
Configuring NTK ···················································································································· 281
vi
Configuring intrusion protection ································································································· 282
Ignoring authorization information from the server ········································································· 282
Configuring MAC move ··········································································································· 283
Enabling the authorization-fail-offline feature ················································································ 284
Setting port security's limit on the number of MAC addresses for specific VLANs on a port ···················· 284
Enabling open authentication mode ··························································································· 285
Applying a NAS-ID profile to port security ···················································································· 286
Enabling the escape critical VSI feature for 802.1X and MAC authentication users ······························ 287
Enabling SNMP notifications for port security ··············································································· 288
Enabling port security user logging ···························································································· 288
Display and maintenance commands for port security ···································································· 289
Port security configuration examples ·························································································· 289
Example: Configuring port security in autoLearn mode ···························································· 289
Example: Configuring port security in userLoginWithOUI mode ················································· 291
Example: Configuring port security in macAddressElseUserLoginSecure mode ···························· 294
Troubleshooting port security···································································································· 298
Cannot set the port security mode ······················································································· 298
Cannot configure secure MAC addresses ············································································· 299
Configuring user profiles ································································ 300
About user profiles ················································································································· 300
Prerequisites for user profile ····································································································· 300
Configuring a user profile ········································································································· 300
Display and maintenance commands for user profiles ···································································· 300
User profile configuration examples ··························································································· 301
Example: Configuring user profiles and QoS policies ······························································ 301
Configuring password control ·························································· 305
About password control ··········································································································· 305
Password setting ············································································································· 305
Password updating and expiration ······················································································ 306
User login control ············································································································ 307
Password not displayed in any form ···················································································· 308
Logging ························································································································· 308
FIPS compliance···················································································································· 308
Restrictions and guidelines: Password control configuration ···························································· 308
Password control tasks at a glance ···························································································· 309
Enabling password control ······································································································· 309
Setting global password control parameters ················································································· 310
Setting user group password control parameters ·········································································· 312
Setting local user password control parameters ············································································ 312
Setting super password control parameters ················································································· 313
Display and maintenance commands for password control ····························································· 314
Password control configuration examples ···················································································· 314
Example: Configuring password control················································································ 314
Configuring keychains ··································································· 318
About keychains ···················································································································· 318
Restrictions and guidelines: Keychain configuration ······································································ 318
Configuring a keychain ············································································································ 318
Display and maintenance commands for keychain ········································································ 319
Keychain configuration example ································································································ 319
Example: Configuring keychains ························································································· 319
Managing public keys ···································································· 325
About public key management ·································································································· 325
Asymmetric key algorithm overview ····················································································· 325
Usage of asymmetric key algorithms ··················································································· 325
FIPS compliance···················································································································· 325
Public key management tasks at a glance ··················································································· 325
Creating a local key pair ·········································································································· 326
Distributing a local host public key ····························································································· 327
vii
About distribution of local host public keys ············································································ 327
Exporting a host public key ································································································ 327
Displaying a host public key ······························································································· 328
Configuring a peer host public key ····························································································· 328
About peer host public key configuration ·············································································· 328
Restrictions and guidelines for peer host public key configuration ·············································· 329
Importing a peer host public key from a public key file ····························································· 329
Entering a peer host public key ·························································································· 329
Destroying a local key pair ······································································································· 330
Display and maintenance commands for public keys ····································································· 330
Examples of public key management ························································································· 330
Example: Entering a peer host public key ············································································· 330
Example: Importing a public key from a public key file ····························································· 332
Configuring PKI ··········································································· 335
About PKI ····························································································································· 335
PKI terminology ·············································································································· 335
PKI architecture ·············································································································· 336
Retrieval, usage, and maintenance of a digital certificate ························································· 337
PKI applications ·············································································································· 337
Support for MPLS L3VPN ································································································· 337
FIPS compliance···················································································································· 338
PKI tasks at a glance ·············································································································· 338
Configuring a PKI entity ··········································································································· 339
Configuring a PKI domain ········································································································ 340
About PKI domain ··········································································································· 340
PKI domain tasks at a glance ····························································································· 340
Creating a PKI domain ····································································································· 340
Specifying the trusted CA ·································································································· 341
Specifying the PKI entity name ··························································································· 341
Specifying the certificate request reception authority ······························································· 341
Specifying the certificate request URL·················································································· 341
Setting the SCEP polling interval and maximum polling attempts ··············································· 342
Specifying the LDAP server ······························································································· 342
Specifying the fingerprint for root CA certificate verification ······················································· 342
Specifying the key pair for certificate request ········································································· 342
Specifying the intended purpose for the certificate ·································································· 343
Specifying the source IP address for PKI protocol packets ······················································· 343
Specifying the storage path for certificates and CRLs ···································································· 344
Requesting a certificate ··········································································································· 344
About certificate request configuration ················································································· 344
Restrictions and guidelines for certificate request configuration ················································· 345
Prerequisites for certificate request configuration ··································································· 345
Enabling the automatic online certificate request mode ···························································· 345
Manually submitting an online certificate request ···································································· 346
Manually submitting a certificate request in offline mode ·························································· 346
Aborting a certificate request ···································································································· 347
Obtaining certificates ·············································································································· 347
Verifying PKI certificates ·········································································································· 348
About certification verification ····························································································· 348
Restrictions and guidelines for certificate verification ······························································· 349
Verifying certificates with CRL checking ··············································································· 349
Verifying certificates without CRL checking ··········································································· 350
Exporting certificates ·············································································································· 350
Removing a certificate············································································································· 351
Configuring a certificate-based access control policy ····································································· 352
About certificate-based access control policies ······································································ 352
Procedure ······················································································································ 352
Display and maintenance commands for PKI ··············································································· 353
PKI configuration examples ······································································································ 353
Example: Requesting a certificate from an RSA Keon CA server ··············································· 353
Example: Requesting a certificate from a Windows Server 2003 CA server·································· 356
viii
Example: Requesting a certificate from an OpenCA server ······················································· 359
Example: Configuring IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
··································································································································· 363
Example: Configuring a certificate-based access control policy ················································· 365
Example: Importing and exporting certificates ········································································ 367
Troubleshooting PKI configuration ····························································································· 372
Failed to obtain the CA certificate ······················································································· 372
Failed to obtain local certificates ························································································· 373
Failed to request local certificates ······················································································· 373
Failed to obtain CRLs ······································································································· 374
Failed to import the CA certificate ······················································································· 375
Failed to import the local certificate ····················································································· 375
Failed to export certificates ································································································ 376
Failed to set the storage path ····························································································· 376
Configuring IPsec ········································································· 378
About IPsec ·························································································································· 378
IPsec framework ············································································································· 378
IPsec security services ····································································································· 378
Benefits of IPsec ············································································································· 378
Security protocols ············································································································ 378
Encapsulation modes ······································································································· 379
Security association ········································································································· 380
Authentication and encryption ···························································································· 380
IPsec-protected traffic ······································································································ 381
ACL-based IPsec ············································································································ 381
IPv6 routing protocol-based IPsec ······················································································· 382
IPsec policy and IPsec profile ···························································································· 382
IPsec RRI ······················································································································ 383
Protocols and standards ··································································································· 384
FIPS compliance···················································································································· 384
Restrictions and guidelines: IPsec configuration ··········································································· 384
Implementing ACL-based IPsec ································································································ 384
ACL-based IPsec tasks at a glance ····················································································· 384
Configuring an ACL ········································································································· 385
Configuring an IPsec transform set ····················································································· 388
Configuring a manual IPsec policy ······················································································ 390
Configuring an IKE-based IPsec policy················································································· 391
Applying an IPsec policy to an interface ··············································································· 394
Enabling ACL checking for de-encapsulated packets ······························································ 395
Configuring IPsec anti-replay ····························································································· 395
Configuring IPsec anti-replay redundancy ············································································· 396
Binding a source interface to an IPsec policy ········································································· 397
Enabling QoS pre-classify ································································································· 397
Configuring the DF bit of IPsec packets ················································································ 398
Configuring IPsec RRI ······································································································ 399
Configuring IPsec for IPv6 routing protocols ················································································ 400
IPsec protection for IPv6 routing protocols tasks at a glance ····················································· 400
Configuring a manual IPsec profile ······················································································ 400
Applying the IPsec profile to an IPv6 routing protocol ······························································ 401
Configuring the global IPsec SA lifetime and idle timeout ································································ 401
Configuring IPsec fragmentation ······························································································· 402
Setting the maximum number of IPsec tunnels ············································································· 402
Enabling logging for IPsec packets ···························································································· 402
Configuring SNMP notifications for IPsec ···················································································· 403
Display and maintenance commands for IPsec ············································································ 403
IPsec configuration examples ··································································································· 404
Example: Configuring a manual mode IPsec tunnel for IPv4 packets ·········································· 404
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ············································ 407
Example: Configuring IPsec for RIPng ················································································· 409
Example: Configuring IPsec RRI ························································································· 413
ix
Configuring IKE ··········································································· 417
About IKE ····························································································································· 417
Benefits of IKE ················································································································ 417
Relationship between IPsec and IKE ··················································································· 417
IKE negotiation process ···································································································· 417
IKE security mechanism ··································································································· 419
Protocols and standards ··································································································· 419
FIPS compliance···················································································································· 420
IKE tasks at a glance ·············································································································· 420
Prerequisites for IKE configuration ····························································································· 420
Configuring an IKE profile ········································································································ 421
Creating an IKE profile ····································································································· 421
Configuring peer IDs for the IKE profile ················································································ 421
Specifying the IKE keychain or PKI domain ··········································································· 421
Configuring the IKE phase 1 negotiation mode ······································································ 422
Specifying IKE proposals for the IKE profile ·········································································· 422
Configuring the local ID for the IKE profile············································································· 423
Specifying an inside VPN instance for the IKE profile ······························································ 423
Configuring optional features for the IKE profile ····································································· 423
Configuring an IKE proposal ····································································································· 424
Configuring an IKE keychain ···································································································· 425
Configuring the global identity information ··················································································· 426
Configuring the IKE keepalive feature ························································································· 427
Configuring the IKE NAT keepalive feature ·················································································· 427
Configuring global IKE DPD ····································································································· 428
Enabling invalid SPI recovery ··································································································· 428
Setting the maximum number of IKE SAs ···················································································· 429
Configuring SNMP notifications for IKE ······················································································· 429
Display and maintenance commands for IKE ··············································································· 430
IKE configuration examples ······································································································ 430
Example: Configuring main-mode IKE with preshared key authentication ···································· 430
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ············································ 433
Troubleshooting IKE ··············································································································· 435
IKE negotiation failed because no matching IKE proposals were found ······································· 435
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·············· 436
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 437
IPsec SA negotiation failed due to invalid identity information ··················································· 437
Configuring IKEv2 ········································································ 440
About IKEv2 ························································································································· 440
IKEv2 negotiation process ································································································· 440
New features in IKEv2 ······································································································ 441
Protocols and standards ··································································································· 441
IKEv2 tasks at a glance ··········································································································· 441
Prerequisites for IKEv2 configuration·························································································· 442
Configuring an IKEv2 profile ····································································································· 442
Creating an IKEv2 profile ·································································································· 442
Specifying the local and remote identity authentication methods ················································ 443
Configuring the IKEv2 keychain or PKI domain ······································································ 443
Configuring the local ID for the IKEv2 profile ········································································· 443
Configuring peer IDs for the IKEv2 profile ············································································· 444
Specifying a VPN instance for the IKEv2 profile ····································································· 444
Specifying an inside VPN instance for the IKEv2 profile ··························································· 445
Configuring optional features for the IKEv2 profile ·································································· 445
Configuring an IKEv2 policy ····································································································· 446
Configuring an IKEv2 proposal·································································································· 447
Configuring an IKEv2 keychain ································································································· 448
Configure global IKEv2 parameters···························································································· 449
Enabling the cookie challenging feature ··············································································· 449
Configuring the IKEv2 DPD feature ····················································································· 449
Configuring the IKEv2 NAT keepalive feature ········································································ 450
x
Display and maintenance commands for IKEv2 ············································································ 450
Troubleshooting IKEv2 ············································································································ 451
IKEv2 negotiation failed because no matching IKEv2 proposals were found ································· 451
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 451
IPsec tunnel establishment failed ························································································ 452
Configuring SSH ·········································································· 453
About SSH ··························································································································· 453
SSH applications ············································································································· 453
How SSH works ·············································································································· 453
SSH authentication methods ······························································································ 454
SSH support for Suite B ···································································································· 455
FIPS compliance···················································································································· 456
Configuring the device as an SSH server ···················································································· 456
SSH server tasks at a glance ····························································································· 456
Generating local key pairs ································································································· 457
Specifying the SSH service port ························································································· 457
Enabling the Stelnet server ································································································ 458
Enabling the SFTP server ································································································· 458
Enabling the SCP server ··································································································· 458
Enabling NETCONF over SSH ··························································································· 459
Configuring the user lines for SSH login ··············································································· 459
Configuring a client's host public key ··················································································· 459
Configuring an SSH user ·································································································· 461
Configuring the SSH management parameters ······································································ 462
Specifying a PKI domain for the SSH server·········································································· 464
Disconnecting SSH sessions ····························································································· 464
Configuring the device as an Stelnet client ·················································································· 465
Stelnet client tasks at a glance ··························································································· 465
Generating local key pairs ································································································· 465
Specifying the source IP address for outgoing SSH packets ····················································· 465
Establishing a connection to an Stelnet server ······································································· 466
Deleting server public keys saved in the public key file on the Stelnet client ································· 468
Establishing a connection to an Stelnet server based on Suite B ··············································· 468
Configuring the device as an SFTP client ···················································································· 468
SFTP client tasks at a glance ····························································································· 468
Generating local key pairs ································································································· 469
Specifying the source IP address for outgoing SFTP packets ···················································· 469
Establishing a connection to an SFTP server········································································· 470
Deleting server public keys saved in the public key file on the SFTP client ··································· 471
Establishing a connection to an SFTP server based on Suite B ················································· 472
Working with SFTP directories ··························································································· 472
Working with SFTP files ···································································································· 473
Displaying help information ································································································ 474
Terminating the connection with the SFTP server ··································································· 474
Configuring the device as an SCP client ····················································································· 474
SCP client tasks at a glance ······························································································ 474
Generating local key pairs ································································································· 475
Specifying the source IP address for outgoing SCP packets ····················································· 475
Establishing a connection to an SCP server ·········································································· 476
Deleting server public keys saved in the public key file on the SCP client ···································· 477
Establishing a connection to an SCP server based on Suite B ·················································· 478
Specifying algorithms for SSH2 ································································································· 478
About algorithms for SSH2 ································································································ 478
Specifying key exchange algorithms for SSH2 ······································································· 478
Specifying public key algorithms for SSH2 ············································································ 479
Specifying encryption algorithms for SSH2············································································ 479
Specifying MAC algorithms for SSH2 ··················································································· 479
Display and maintenance commands for SSH ·············································································· 480
Stelnet configuration examples ································································································· 480
Example: Configuring the device as an Stelnet server (password authentication) ·························· 481
Example: Configuring the device as an Stelnet server (publickey authentication) ·························· 483
xi
Example: Configuring the device as an Stelnet client (password authentication) ··························· 489
Example: Configuring the device as an Stelnet client (publickey authentication) ···························· 492
Example: Configuring Stelnet based on 128-bit Suite B algorithms ············································· 495
SFTP configuration examples ··································································································· 499
Example: Configuring the device as an SFTP server (password authentication) ···························· 499
Example: Configuring the device as an SFTP client (publickey authentication) ····························· 501
Example: Configuring SFTP based on 192-bit Suite B algorithms ·············································· 504
SCP configuration examples ···································································································· 508
Example: Configuring SCP with password authentication ························································· 508
Example: Configuring SCP based on Suite B algorithms ·························································· 510
NETCONF over SSH configuration examples ·············································································· 517
Example: Configuring NETCONF over SSH with password authentication ··································· 517
Configuring SSL ··········································································· 519
About SSL ···························································································································· 519
SSL security services ······································································································· 519
SSL protocol stack··········································································································· 519
SSL protocol versions ······································································································ 520
FIPS compliance···················································································································· 520
Restrictions and guidelines: SSL configuration ············································································· 520
SSL tasks at a glance ············································································································· 520
Configuring the SSL server ································································································ 520
Configuring the SSL client ································································································· 521
Configuring an SSL server policy······························································································· 521
Configuring an SSL client policy ································································································ 522
Disabling SSL protocol versions for the SSL server ······································································· 523
Disabling SSL session renegotiation ·························································································· 523
Display and maintenance commands for SSL ·············································································· 524
Configuring attack detection and prevention ······································· 525
About attack detection and prevention ························································································ 525
Attacks that the device can prevent···························································································· 525
Single-packet attacks ······································································································· 525
Scanning attacks ············································································································· 526
Flood attacks ·················································································································· 527
TCP fragment attack ········································································································ 528
Login DoS attack ············································································································· 528
Login dictionary attack ······································································································ 528
Blacklist feature ····················································································································· 529
IP blacklist ····················································································································· 529
Attack detection and prevention tasks at a glance ········································································· 529
Configuring and applying an attack defense policy ········································································ 529
Creating an attack defense policy ······················································································· 529
Configuring a single-packet attack defense policy··································································· 530
Configuring a scanning attack defense policy ········································································ 531
Configuring a flood attack defense policy ·············································································· 532
Configuring attack detection exemption ················································································ 536
Applying an attack defense policy to an interface ··································································· 537
Applying an attack defense policy to the device ····································································· 537
Enabling log non-aggregation for single-packet attack events ·························································· 538
Configuring TCP fragment attack prevention ················································································ 538
Configuring the IP blacklist feature····························································································· 539
Configuring login attack prevention ···························································································· 540
Enabling the login delay ·········································································································· 540
Display and maintenance commands for attack detection and prevention ·········································· 540
Attack detection and prevention configuration examples ································································· 546
Example: Configuring attack detection and prevention on the device ·········································· 546
Example: Configuring IP blacklist ························································································ 549
Configuring TCP attack prevention ··················································· 551
About TCP attack prevention ···································································································· 551
Configuring Naptha attack prevention ························································································· 551
xii
Configuring IP source guard ··························································· 552
About IPSG ·························································································································· 552
IPSG operating mechanism ······························································································· 552
Static IPSG bindings ········································································································ 552
Dynamic IPSG bindings ···································································································· 553
Restrictions and guidelines: IPSG configuration ············································································ 553
IPSG tasks at a glance ············································································································ 553
Configuring the IPv4SG feature································································································· 554
Enabling IPv4SG on an interface ························································································ 554
Configuring a static IPv4SG binding ···················································································· 554
Configuring the IPv6SG feature································································································· 555
Enabling IPv6SG on an interface ························································································ 555
Configuring a static IPv6SG binding ···················································································· 556
Display and maintenance commands for IPSG ············································································· 557
IPSG configuration examples ··································································································· 557
Example: Configuring static IPv4SG ···················································································· 557
Example: Configuring DHCP snooping-based dynamic IPv4SG ················································ 558
Example: Configuring DHCP relay agent-based dynamic IPv4SG ·············································· 559
Example: Configuring static IPv6SG ···················································································· 560
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings ······················ 561
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings ························· 562
Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG ··········································· 563
Configuring ARP attack protection ··················································· 565
About ARP attack protection····································································································· 565
ARP attack protection tasks at a glance ······················································································ 565
Configuring unresolvable IP attack protection ··············································································· 565
About unresolvable IP attack protection················································································ 565
Configuring ARP source suppression··················································································· 566
Configuring ARP blackhole routing ······················································································ 566
Display and maintenance commands for unresolvable IP attack protection ·································· 567
Example: Configuring unresolvable IP attack protection ··························································· 567
Configuring ARP packet rate limit ······························································································ 568
Configuring source MAC-based ARP attack detection ···································································· 569
Display and maintenance commands for source MAC-based ARP attack detection ······················· 570
Example: Configuring source MAC-based ARP attack detection ················································ 570
Configuring ARP packet source MAC consistency check ································································ 571
About ARP packet source MAC consistency check ································································· 571
Procedure ······················································································································ 571
Configuring ARP active acknowledgement ·················································································· 571
Configuring authorized ARP ····································································································· 572
About authorized ARP ······································································································ 572
Procedure ······················································································································ 572
Example: Configuring authorized ARP on a DHCP server ························································ 572
Example: Configuring authorized ARP on a DHCP relay agent ·················································· 573
Configuring ARP attack detection ······························································································ 574
About ARP attack detection ······························································································· 574
Configuring user validity check ··························································································· 575
Configuring ARP packet validity check ················································································· 576
Configuring ARP restricted forwarding ················································································· 577
Ignoring ingress ports of ARP packets during user validity check ··············································· 578
Enabling ARP attack detection logging ················································································· 578
Display and maintenance commands for ARP attack detection ················································· 578
Example: Configuring user validity check ·············································································· 579
Example: Configuring user validity check and ARP packet validity check ····································· 580
Example: Configuring ARP restricted forwarding ···································································· 581
Configuring ARP scanning and fixed ARP ··················································································· 583
Configuring ARP gateway protection ·························································································· 584
About ARP gateway protection ··························································································· 584
Restrictions and guidelines ································································································ 584
Procedure ······················································································································ 584
xiii
Example: Configuring ARP gateway protection ······································································ 585
Configuring ARP filtering ········································································································· 585
ARP filtering ··················································································································· 585
Restrictions and guidelines ································································································ 585
Procedure ······················································································································ 586
Example: Configuring ARP filtering······················································································ 586
Configuring ARP sender IP address checking ·············································································· 587
About ARP sender IP address checking ··············································································· 587
Restrictions and guidelines ································································································ 587
Procedure ······················································································································ 587
Example: Configuring ARP sender IP address checking ·························································· 587
Configuring ND attack defense ························································ 590
About ND attack defense ········································································································· 590
ND attack defense tasks at a glance ·························································································· 590
Enabling source MAC consistency check for ND messages ···························································· 591
Configuring ND attack detection ································································································ 591
About ND attack detection ································································································· 591
Restrictions and guidelines ································································································ 592
Procedure ······················································································································ 592
Enabling ND attack detection logging ·················································································· 592
Display and maintenance commands for ND attack detection ··················································· 593
Configuring RA guard ············································································································· 593
About RA guard ·············································································································· 593
Specifying the role of the attached device ············································································· 593
Configuring and applying an RA guard policy ········································································ 594
Enabling the RA guard logging feature ················································································· 595
Display and maintenance commands for RA guard ································································· 595
Example: Configuring RA guard ························································································· 595
Configuring IPv6 destination guard ···························································································· 597
About IPv6 destination guard ····························································································· 597
Restrictions and guidelines: IPv6 destination guard configuration ·············································· 598
Enabling/disabling IPv6 destination guard globally ·································································· 598
Enabling/disabling IPv6 destination guard on an interface ························································ 598
Display and maintenance commands for IPv6 destination guard ················································ 598
Configuring uRPF ········································································· 600
About uRPF ·························································································································· 600
uRPF application scenario ································································································· 600
uRPF check modes ········································································································· 600
Network application ········································································································· 600
Restrictions and guidelines: uRPF configuration ··········································································· 601
Enabling uRPF globally ··········································································································· 601
Enabling uRPF on an interface ································································································· 601
Display and maintenance commands for uRPF ············································································ 602
Configuring MFF ·········································································· 603
About MFF ··························································································································· 603
MFF network model ········································································································· 603
Port roles ······················································································································· 603
Processing of ARP packets in MFF ····················································································· 604
MFF default gateway ········································································································ 604
Protocols and standards ··································································································· 604
MFF tasks at a glance ············································································································· 604
Enabling MFF ······················································································································· 605
Configuring a network port ······································································································· 605
Enabling periodic gateway probe ······························································································· 606
Specifying the IP addresses of servers ······················································································· 606
Display and maintenance commands for MFF ·············································································· 606
MFF configuration examples ···································································································· 607
Example: Configuring MFF in a tree network ········································································· 607
Example: Configuring MFF in a ring network ········································································· 608
xiv
Configuring crypto engines ····························································· 610
About crypto engines ·············································································································· 610
Display and maintenance commands for crypto engines································································· 610
Configuring FIPS ·········································································· 611
About FIPS ··························································································································· 611
FIPS security levels ········································································································· 611
FIPS functionality ············································································································ 611
FIPS self-tests ················································································································ 611
Restrictions and guidelines: FIPS ······························································································ 612
Entering FIPS mode ··············································································································· 613
About entering FIPS mode ································································································ 613
Restrictions and guidelines ································································································ 614
Using the automatic reboot method to enter FIPS mode ·························································· 614
Using the manual reboot method to enter FIPS mode ····························································· 614
Manually triggering self-tests ···································································································· 615
Exiting FIPS mode ················································································································· 616
Display and maintenance commands for FIPS ············································································· 617
FIPS configuration examples ···································································································· 617
Example: Entering FIPS mode through automatic reboot ························································· 617
Example: Entering FIPS mode through manual reboot ···························································· 618
Example: Exiting FIPS mode through automatic reboot ··························································· 620
Example: Exiting FIPS mode through manual reboot······························································· 620
Configuring MACsec ····································································· 622
About MACsec ······················································································································ 622
Basic concepts ··············································································································· 622
MACsec services ············································································································ 622
MACsec application modes ······························································································· 623
MACsec operating mechanism ··························································································· 624
Protocols and standards ··································································································· 625
Restrictions: Hardware compatibility with MACsec ········································································ 625
MACsec tasks at a glance········································································································ 626
Enabling MKA ······················································································································· 626
Enabling MACsec desire ········································································································· 627
Specifying the cipher suite for MACsec encryption ········································································ 627
Configuring a preshared key····································································································· 627
Configuring the MKA key server priority ······················································································ 628
Setting the MKA life time ········································································································· 629
Configuring MACsec protection parameters ················································································· 629
About MACsec protection parameters ·················································································· 629
Restrictions and guidelines for MACsec protection parameter configuration ································· 629
Configuring MACsec protection parameters in interface view ···················································· 629
Configuring MACsec protection parameters by MKA policy ······················································ 630
Enabling MKA session logging ·································································································· 631
Display and maintenance commands for MACsec ········································································· 632
MACsec configuration examples ······························································································· 632
Example: Configuring client-oriented MACsec ······································································· 632
Example: Configuring device-oriented MACsec······································································ 635
Troubleshooting MACsec········································································································· 638
Cannot establish MKA sessions between MACsec devices ······················································ 638
Document conventions and icons ···················································· 640
Conventions ························································································································· 640
Network topology icons ··········································································································· 641
Support and other resources ·························································· 642
Accessing Hewlett Packard Enterprise Support ············································································ 642
Accessing updates ················································································································· 642
Websites ······················································································································· 642
Customer self repair········································································································· 643
xv
Remote support ·············································································································· 643
Documentation feedback ·································································································· 643
Index ························································································· 644
xvi
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
Internet
Network
HWTACACS server
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including HWTACACS, LDAP, and RADIUS. RADIUS is most
often used.
You can use different servers to implement different security functions. For example, you can use an
HWTACACS server for authentication and authorization, and use a RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
1
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
2
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
Host RADIUS client RADIUS server
3) Access-Accept/Reject
4) Accounting-Request (start)
5) Accounting-Response
7) Teardown request
8) Accounting-Request (stop)
9) Accounting-Response
10) Notification of access termination
3
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
• The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
4
• The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
{ Type—Type of the attribute.
{ Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
{ Value—Value of the attribute. Its format and content depend on the Type subfield.
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)
allows a vendor to define extended attributes. The extended attributes can implement functions that
the standard RADIUS protocol does not provide.
A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following
parts:
• Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a
code compliant to RFC 1700.
• Vendor-Type—Type of the subattribute.
• Vendor-Length—Length of the subattribute.
• Vendor-Data—Contents of the subattribute.
The device supports RADIUS subattributes with a vendor ID of 25506. For more information, see
"Appendix C RADIUS subattributes (vendor ID 25506)."
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server
model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client,
the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After
passing authentication and obtaining authorized rights, a user logs in to the device and performs
operations. The HWTACACS server records the operations that each user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS have many features in common, such as using a client/server model,
using shared keys for data encryption, and providing flexibility and scalability. Table 2 lists the
primary differences between HWTACACS and RADIUS.
Table 2 Primary differences between HWTACACS and RADIUS
HWTACACS RADIUS
Uses TCP, which provides reliable network
Uses UDP, which provides high transport efficiency.
transmission.
5
HWTACACS RADIUS
Encrypts the entire packet except for the Encrypts only the user password field in an
HWTACACS header. authentication packet.
Protocol packets are complicated and authorization
Protocol packets are simple and the authorization
is independent of authentication. Authentication and
process is combined with the authentication
authorization can be deployed on different
process.
HWTACACS servers.
Supports authorization of configuration commands.
Does not support authorization of configuration
Access to commands depends on both the user's
commands. Access to commands solely depends on
roles and authorization. A user can use only
the user's roles. For more information about user
commands that are permitted by the user roles and
roles, see Fundamentals Configuration Guide.
authorized by the HWTACACS server.
6
Figure 6 Basic HWTACACS packet exchange process for a Telnet user
Host HWTACACS client HWTACACS server
2) Start-authentication packet
7
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response
to indicate that the user has passed authentication.
12. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13. If the authorization succeeds, the HWTACACS server sends back an authorization response,
indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and
permits the user to log in.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.
LDAP
The Lightweight Directory Access Protocol (LDAP) provides standard multiplatform directory service.
LDAP was developed on the basis of the X.500 protocol. It improves the following functions of X.500:
• Read/write interactive access.
• Browse.
• Search.
LDAP is suitable for storing data that does not often change. The protocol is used to store user
information. For example, LDAP server software Active Directory Server is used in Microsoft
Windows operating systems. The software stores the user information and user group information
for user login authentication and authorization.
LDAP directory service
LDAP uses directories to maintain the organization information, personnel information, and resource
information. The directories are organized in a tree structure and include entries. An entry is a set of
attributes with distinguished names (DNs). The attributes are used to store information such as
usernames, passwords, emails, computer names, and phone numbers.
LDAP uses a client/server model, and all directory information is stored in the LDAP server.
Commonly used LDAP server products include Microsoft Active Directory Server, IBM Tivoli
Directory Server, and Sun ONE Directory Server.
LDAP authentication and authorization
AAA can use LDAP to provide authentication and authorization services for users. LDAP defines a
set of operations to implement its functions. The main operations for authentication and authorization
are the bind operation and search operation.
• The bind operation allows an LDAP client to perform the following operations:
{ Establish a connection with the LDAP server.
{ Obtain the access rights to the LDAP server.
{ Check the validity of user information.
• The search operation constructs search conditions and obtains the directory resource
information of the LDAP server.
In LDAP authentication, the client completes the following tasks:
8
1. Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is
created, the client establishes a connection to the server and obtains the right to search.
2. Constructs search conditions by using the username in the authentication information of a user.
The specified root directory of the server is searched and a user DN list is generated.
3. Binds with the LDAP server by using each user DN and password. If a binding is created, the
user is considered legal.
In LDAP authorization, the client performs the same tasks as in LDAP authentication. When the
client constructs search conditions, it obtains both authorization information and the user DN list.
Basic LDAP authentication process
The following example illustrates the basic LDAP authentication process for a Telnet user.
Figure 7 Basic LDAP authentication process for a Telnet user
9
8. The LDAP server processes the request, and sends a response to notify the LDAP client of the
bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN
as the parameter to send a user DN bind request to the LDAP server. This process continues
until a DN is bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the
LDAP client notifies the user of the login failure and denies the user's access request.
9. The LDAP client saves the user DN that has been bound and exchanges authorization packets
with the authorization server.
If LDAP authorization is used, see the authorization process shown in Figure 8.
If another method is expected for authorization, the authorization process of that method applies.
10. After successful authorization, the LDAP client notifies the user of the successful login.
Basic LDAP authorization process
The following example illustrates the basic LDAP authorization process for a Telnet user.
Figure 8 Basic LDAP authorization process for a Telnet user
10
6. The LDAP client sends an authorization search request with the username of the Telnet user to
the LDAP server. If the user uses the same LDAP server for authentication and authorization,
the client sends the request with the saved user DN of the Telnet user to the LDAP server.
7. After receiving the request, the LDAP server searches for the user information by the base DN,
search scope, filtering conditions, and LDAP attributes. If a match is found, the LDAP server
sends a response to notify the LDAP client of the successful search.
8. After successful authorization, the LDAP client notifies the user of the successful login.
AAA manages users in the same ISP domain based on the users' access types. The device supports
the following user access types:
• LAN—LAN users must pass 802.1X or MAC authentication to come online.
• Login—Login users include SSH, Telnet, FTP, and terminal users that log in to the device.
Terminal users can access through a console port.
• Portal—Portal users must pass portal authentication to access the network.
• HTTP/HTTPS—Users log in to the device through HTTP or HTTPS.
The device also provides authentication modules (such as 802.1X) for implementation of user
authentication management policies. If you configure these authentication modules, the ISP
domains for users of the access types depend on the configuration of the authentication modules.
11
• No authentication—This method trusts all users and does not perform authentication. For
security purposes, do not use this method.
• Local authentication—The NAS authenticates users by itself, based on the locally configured
user information including the usernames, passwords, and attributes. Local authentication
allows high speed and low cost, but the amount of information that can be stored is limited by
the size of the storage space.
• Remote authentication—The NAS works with a remote server to authenticate users. The NAS
communicates with the remote server through the RADIUS, LDAP, or HWTACACS protocol.
The server manages user information in a centralized manner. Remote authentication provides
high capacity, reliable, and centralized authentication services for multiple NASs. You can
configure backup methods to be used when the remote server is not available.
Authorization methods
The device supports the following authorization methods:
• No authorization—The NAS performs no authorization exchange. The following default
authorization information applies after users pass authentication:
{ Login users obtain the level-0 user role. For more information about the level-0 user role,
see RBAC configuration in Fundamentals Configuration Guide.
{ The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS.
However, the users do not have permission to access the root directory.
{ Non-login users can access the network.
• Local authorization—The NAS performs authorization according to the user attributes locally
configured for users.
• Remote authorization—The NAS works with a remote server to authorize users. RADIUS
authorization is bound with RADIUS authentication. RADIUS authorization can work only after
RADIUS authentication is successful, and the authorization information is included in the
Access-Accept packet. HWTACACS or LDAP authorization is separate from authentication,
and the authorization information is included in the authorization response after successful
authentication. You can configure backup methods to be used when the remote server is not
available.
Accounting methods
The device supports the following accounting methods:
• No accounting—The NAS does not perform accounting for the users.
• Local accounting—Local accounting is implemented on the NAS. It counts and controls the
number of concurrent users that use the same local user account, but does not provide
statistics for charging.
• Remote accounting—The NAS works with a RADIUS server or HWTACACS server for
accounting. You can configure backup methods to be used when the remote server is not
available.
12
• User role authentication—Authenticates each user that wants to obtain another user role
without logging out or getting disconnected. For more information about user role authentication,
see Fundamentals Configuration Guide.
VPN 1
CE
VPN 3
RADIUS
Host MPLS backbone
server
PE
PE CE
VPN 2 P
HWTACACS
CE
Host server
This feature can also help an MCE to implement portal authentication for VPNs. For more
information about MCE, see MPLS L3VPN configuration in MPLS Configuration Guide. For more
information about portal authentication, see "Configuring portal authentication."
13
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
14
• Service type—Services that the user can use. Local authentication checks the service types of
a local user. If none of the service types is available, the user cannot pass authentication.
• User state—Whether or not a local user can request network services. There are two user
states: active and blocked. A user in active state can request network services, but a user in
blocked state cannot.
• Upper limit of concurrent logins using the same user name—Maximum number of users
that can concurrently access the device by using the same user name. When the number
reaches the upper limit, no more local users can access the device by using the user name.
• User group—Each local user belongs to a local user group and has all attributes of the group.
The attributes include the password control attributes and authorization attributes. For more
information about local user group, see "Configuring user group attributes."
• Binding attributes—Binding attributes control the scope of users, and are checked during
local authentication of a user. If the attributes of a user do not match the binding attributes
configured for the local user account, the user cannot pass authentication.
• Authorization attributes—Authorization attributes indicate the user's rights after it passes
local authentication.
Configure the authorization attributes based on the service type of local users.
You can configure an authorization attribute in user group view or local user view. The setting of
an authorization attribute in local user view takes precedence over the attribute setting in user
group view.
{ The attribute configured in user group view takes effect on all local users in the user group.
{ The attribute configured in local user view takes effect only on the local user.
• Password control attributes—Password control attributes help control password security for
local users. Password control attributes include password aging time, minimum password
length, password composition checking, password complexity checking, and login attempt limit.
You can configure a password control attribute in system view, user group view, or local user
view. A password control attribute with a smaller effective range has a higher priority. For more
information about password management and global password configuration, see "Configuring
password control."
• Validity period—Time period in which a network access user is considered valid for
authentication.
15
If password control is globally enabled for device management users by using the
password-control enable command, the device neither displays local user passwords nor
retains them in the running configuration. When you globally disable password control for device
management users, local user passwords are automatically restored to the running configuration. To
display the running configuration, use the display current-configuration command.
You can configure authorization attributes and password control attributes in local user view or user
group view. The setting in local user view takes precedence over the setting in user group view.
Procedure
1. Enter system view.
system-view
2. Add a device management user and enter device management user view.
local-user user-name class manage
3. Configure a password for the device management user.
In non-FIPS mode:
password [ { hash | simple } string ]
A non-password-protected user passes authentication if the user provides the correct
username and passes attribute checks. To enhance security, configure a password for each
device management user.
In FIPS mode:
password
Only password-protected users can pass authentication. You must set the password in
interactive mode for a device management user.
4. Assign services to the device management user.
In non-FIPS mode:
service-type { ftp | { http | https | ssh | telnet | terminal } * }
In FIPS mode:
service-type { https | ssh | terminal } *
By default, no services are authorized to a device management user.
5. (Optional.) Set the status of the device management user.
state { active | block }
By default, a device management user is in active state and can request network services.
6. (Optional.) Set the upper limit of concurrent logins using the device management username.
access-limit max-user-number
By default, the number of concurrent logins is not limited for a device management user.
This command takes effect only when local accounting is configured for device management
users. This command does not apply to FTP, SFTP, or SCP users that do not support
accounting.
7. (Optional.) Configure the interface binding attribute for the device management user.
bind-attribute location interface interface-type interface-number
By default, no interface binding attribute is configured for a device management user.
8. (Optional.) Configure authorization attributes for the device management user.
authorization-attribute { idle-cut minutes | user-role role-name |
work-directory directory-name } *
The following default settings apply:
{ The working directory for FTP, SFTP, and SCP users is the root directory of the NAS.
However, the users do not have permission to access the root directory.
16
{ The network-operator user role is assigned to local users that are created by a
network-admin or level-15 user.
9. (Optional.) Configure password control attributes for the device management user. Choose the
following tasks as needed:
{ Set the password aging time.
password-control aging aging-time
{ Set the minimum password length.
password-control length length
{ Configure the password composition policy.
password-control composition type-number type-number [ type-length
type-length ]
{ Configure the password complexity checking policy.
password-control complexity { same-character | user-name } check
{ Configure the maximum login attempts and the action to take if there is a login failure.
password-control login-attempt login-times [ exceed { lock |
lock-time time | unlock } ]
By default, a device management user uses password control attributes of the user group to
which the user belongs.
10. (Optional.) Assign the device management user to a user group.
group group-name
By default, a device management user belongs to user group system.
17
3. (Optional.) Configure a password for the network access user.
password { cipher | simple } string
4. (Optional.) Configure a description for the network access user.
description text
By default, no description is configured for a local user.
5. Assign services to the network access user.
service-type { lan-access | portal }
By default, no services are authorized to a network access user.
6. (Optional.) Set the status of the network access user.
state { active | block }
By default, a network access user is in active state and can request network services.
7. (Optional.) Set the upper limit of concurrent logins using the network access username.
access-limit max-user-number
By default, the number of concurrent logins is not limited for a network access user.
8. (Optional.) Configure binding attributes for the network access user.
bind-attribute { ip ip-address | location interface interface-type
interface-number | mac mac-address | vlan vlan-id } *
By default, no binding attributes are configured for a network access user.
9. (Optional.) Configure authorization attributes for the network access user.
authorization-attribute { acl acl-number | idle-cut minutes | ip-pool
ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes |
user-profile profile-name | vlan vlan-id } *
By default, a network access user does not have authorization attributes.
10. (Optional.) Configure password control attributes for the network access user. Choose the
following tasks as needed:
{ Set the minimum password length.
password-control length length
{ Configure the password composition policy.
password-control composition type-number type-number [ type-length
type-length ]
{ Configure the password complexity checking policy.
password-control complexity { same-character | user-name } check
By default, a network access user uses password control attributes of the user group to which
the user belongs.
11. (Optional.) Assign the network access user to a user group.
group group-name
By default, a network access user belongs to user group system.
12. (Optional.) specify the validity period for the local user.
validity-datetime { from start-date start-time to expiration-date
expiration-time | from start-date start-time | to expiration-date
expiration-time }
By default, the validity period for a network access user does not expire.
18
Configuring user group attributes
About user group attributes
User groups simplify local user configuration and management. A user group contains a group of
local users and has a set of local user attributes. You can configure local user attributes for a user
group to implement centralized user attributes management for the local users in the group. Local
user attributes that are manageable include authorization attributes.
Procedure
1. Enter system view.
system-view
2. Create a user group and enter user group view.
user-group group-name
By default, a system-defined user group exists. The group name is system.
3. Configure authorization attributes for the user group.
authorization-attribute { acl acl-number | idle-cut minutes | ip-pool
ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes |
user-profile profile-name | vlan vlan-id | work-directory
directory-name } *
By default, no authorization attributes are configured for a user group.
4. (Optional.) Configure password control attributes for the user group. Choose the following tasks
as needed:
{ Set the password aging time.
password-control aging aging-time
{ Set the minimum password length.
password-control length length
{ Configure the password composition policy.
password-control composition type-number type-number [ type-length
type-length ]
{ Configure the password complexity checking policy.
password-control complexity { same-character | user-name } check
{ Configure the maximum login attempts and the action to take for login failures.
password-control login-attempt login-times [ exceed { lock |
lock-time time | unlock } ]
By default, a user group uses the global password control settings. For more information, see
"Configuring password control."
19
local-user auto-delete enable
By default, the local user auto-delete feature is disabled.
Task Command
display local-user [ class { manage | network }
| idle-cut { disable | enable } | service-type
Display the local user { ftp | http | https | lan-access | portal | ssh |
configuration and online user
statistics.
telnet | terminal } | state { active | block } |
user-name user-name class { manage | network } |
vlan vlan-id ]
Display user group
display user-group { all | name group-name }
configuration.
Configuring RADIUS
RADIUS tasks at a glance
To configure RADIUS, perform the following tasks:
1. Configuring an EAP profile
To perform EAP-based RADIUS server status detection, you must configure an EAP profile and
specify the EAP profile in a test profile.
2. Configuring a test profile for RADIUS server status detection
To detect the status of a RADIUS server, you must configure a test profile and configure the
RADIUS server to use the test profile in a RADIUS scheme.
3. Creating a RADIUS scheme
4. Specifying RADIUS authentication servers
5. Specifying the RADIUS accounting servers
6. Specifying the shared keys for secure RADIUS communication
Perform this task if no shared keys are specified when configuring RADIUS authentication or
accounting servers.
7. Specifying the MPLS L3VPN instance for a RADIUS scheme
Perform this task if no MPLS L3VPN instances are specified when configuring RADIUS
authentication or accounting servers.
8. (Optional.) Setting the status of RADIUS servers
9. (Optional.) Setting RADIUS timers
10. (Optional.) Configuring parameters for RADIUS packets
{ Specifying the source IP address for outgoing RADIUS packets
{ Setting the username format and traffic statistics units
{ Setting the maximum number of RADIUS request transmission attempts
{ Setting the maximum number of real-time accounting attempts
{ Setting the DSCP priority for RADIUS packets
20
11. (Optional.) Configuring parameters for RADIUS attributes
{ Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
{ Interpreting the RADIUS class attribute as CAR parameters
{ Configuring the MAC address format for RADIUS attribute 31
{ Setting the data measurement unit for the Remanent_Volume attribute
{ Configuring the RADIUS attribute translation feature
12. (Optional.) Configuring extended RADIUS features
{ Configuring RADIUS stop-accounting packet buffering
{ Enabling forcibly sending stop-accounting packets
{ Enabling the RADIUS server load sharing feature
{ Specifying a RADIUS server selection mode for reauthentication
{ Configuring the RADIUS accounting-on feature
{ Configuring the RADIUS session-control feature
{ Configuring the RADIUS DAS feature
{ Enabling SNMP notifications for RADIUS
{ Disabling the RADIUS service
21
Configuring a test profile for RADIUS server status detection
About test profiles for RADIUS server status detection
To detect the reachability or availability of a RADIUS authentication server, specify a test profile for
the RADIUS server when you specify the server in a RADIUS scheme. With the test profile, the
device refreshes the RADIUS server status at each detection interval according to the detection
result. If the server is unreachable or unavailable, the device sets the status of the server to blocked.
If the server is reachable or available, the device sets the status of the server to active.
The device supports the following RADIUS server status detection methods:
• Simple detection—For a RADIUS server, the device simulates an authentication request with
the username and password specified in the test profile used by the server. The authentication
request is sent to the RADIUS server within each detection interval. The device determines that
the RADIUS server is reachable if the device receives a response from the server within the
interval.
• EAP-based detection—For a RADIUS server, the device simulates an EAP authentication
with the username and password specified in the test profile used by the server. The simulated
EAP authentication starts at the beginning of each detection interval. If the EAP authentication
completes within a detection interval, the device determines that the RADIUS server is
available.
Simulating a complete EAP authentication process, EAP-based detection provides more reliable
detection results than simple detection. As a best practice, configure EAP-based detection on a
network environment where EAP authentication is configured.
Restrictions and guidelines
You can configure multiple test profiles in the system.
The device starts detecting the status of a RADIUS authentication server only if an existing test
profile is specified for the server.
If you specify a nonexistent EAP profile in a test profile, the device performs simple detection for the
RADIUS servers that use the test profile. After the EAP profile is configured, the device will start
EAP-based detection at the next detection interval.
The device stops detecting the status of a RADIUS server when one of the following operations is
performed:
• The RADIUS server is removed from the RADIUS scheme.
• The test profile configuration for the RADIUS server is removed in RADIUS scheme view.
• The test profile specified for the RADIUS server is deleted.
• The RADIUS server is manually set to the blocked state.
• The RADIUS scheme that contains the RADIUS server is deleted.
Procedure
1. Enter system view.
system-view
2. Configure a test profile for detecting the status of RADIUS authentication servers.
radius-server test-profile profile-name username name [ password
{ cipher | simple } string ] [ interval interval ] [ eap-profile
eap-profile-name ]
22
Creating a RADIUS scheme
Restrictions and guidelines
You can configure a maximum of 16 RADIUS schemes. A RADIUS scheme can be used by multiple
ISP domains.
Procedure
1. Enter system view.
system-view
2. Create a RADIUS scheme and enter RADIUS scheme view.
radius scheme radius-scheme-name
23
test-profile profile-name | vpn-instance vpn-instance-name | weight
weight-value ] *
By default, no secondary RADIUS authentication servers are specified.
The weight keyword takes effect only when the RADIUS server load sharing feature is
enabled for the RADIUS scheme.
24
Specifying the shared keys for secure RADIUS
communication
About the shared keys for secure RADIUS communication
The RADIUS client and server use the MD5 algorithm and shared keys to generate the Authenticator
value for packet authentication and user password encryption. The client and server must use the
same key for each type of communication.
A key configured in this task is for all servers of the same type (accounting or authentication) in the
scheme. The key has a lower priority than a key configured individually for a RADIUS server.
Restrictions and guidelines
The shared key configured on the device must be the same as the shared key configured on the
RADIUS server.
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Specify a shared key for secure RADIUS communication.
key { accounting | authentication } { cipher | simple } string
By default, no shared key is specified for secure RADIUS communication.
25
• When the primary server is in active state, the device first tries to communicate with the primary
server. If the primary server is unreachable, the device searches for an active secondary server
in the order the servers are configured.
• When one or more servers are in active state, the device tries to communicate with these active
servers only, even if the servers are unavailable.
• When all servers are in blocked state, the device only tries to communicate with the primary
server.
• If a server is unreachable, the device performs the following operations:
{ Changes the server status to blocked.
{ Starts a quiet timer for the server.
{ Tries to communicate with the next secondary server in active state that has the highest
priority.
• When the quiet timer of a server expires or you manually set the server to the active state, the
status of the server changes back to active. The device does not check the server again during
the authentication or accounting process.
• The search process continues until the device finds an available secondary server or has
checked all secondary servers in active state. If no server is reachable, the device considers the
authentication or accounting attempt a failure.
• When you remove a server in use, communication with the server times out. The device looks
for a server in active state by first checking the primary server, and then checking secondary
servers in the order they are configured.
• When a RADIUS server's status changes automatically, the device changes this server's status
accordingly in all RADIUS schemes in which this server is specified.
• When a RADIUS server is manually set to blocked, server detection is disabled for the server,
regardless of whether a test profile has been specified for the server. When the RADIUS server
is set to active state, server detection is enabled for the server on which an existing test profile
is specified.
By default, the device sets the status of all RADIUS servers to active. However, in some situations,
you must change the status of a server. For example, if a server fails, you can change the status of
the server to blocked to avoid communication attempts to the server.
Restrictions and guidelines
The configured server status cannot be saved to any configuration file, and can only be viewed by
using the display radius scheme command.
After the device restarts, all servers are restored to the active state.
The device selects a reachable server for the authentication or accounting of a new user according
to the server selection rules in this section if the RADIUS server load sharing feature is disabled.
However, these rules are inapplicable to the reauthentication of online users if the RADIUS server
selection mode for reauthentication is set to inherit by using the reauthentication
server-select inherit command.
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Set the RADIUS server status. Choose the following tasks as needed:
{ Set the status of the primary RADIUS authentication server.
state primary authentication { active | block }
{ Set the status of the primary RADIUS accounting server.
26
state primary accounting { active | block }
{ Set the status of a secondary RADIUS authentication server.
state secondary authentication [ { host-name | ipv4-address | ipv6
ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
{ active | block }
{ Set the status of a secondary RADIUS accounting server.
state secondary accounting [ { host-name | ipv4-address | ipv6
ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]
{ active | block }
By default, a RADIUS server is in active state.
27
timer response-timeout seconds
The default setting is 3 seconds.
{ Set the quiet timer for the servers.
timer quiet minutes
The default setting is 5 minutes.
{ Set the real-time accounting timer.
timer realtime-accounting interval [ second ]
The default setting is 12 minutes.
28
radius nas-ip { interface interface-type interface-number |
{ ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] }
By default, the source IP address of an outgoing RADIUS packet is the primary IPv4 address or
the IPv6 address of the outbound interface.
Specifying a source interface or source IP address for a RADIUS scheme
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Specify a source interface or source IP address for outgoing RADIUS packets.
nas-ip { ipv4-address | interface interface-type interface-number |
ipv6 ipv6-address }
By default, the source IP address of an outgoing RADIUS packet is that specified by using the
radius nas-ip command in system view. If the radius nas-ip command is not used, the
source IP address is the primary IP address of the outbound interface.
29
Setting the maximum number of RADIUS request
transmission attempts
About setting the maximum number of RADIUS request transmission attempts
RADIUS uses UDP packets to transfer data. Because UDP communication is not reliable, RADIUS
uses a retransmission mechanism to improve reliability. A RADIUS request is retransmitted if the
NAS does not receive a server response for the request within the response timeout timer. For more
information about the RADIUS server response timeout timer, see "Setting the status of RADIUS
servers."
You can set the maximum number for the NAS to retransmit a RADIUS request to the same server.
When the maximum number is reached, the NAS tries to communicate with other RADIUS servers in
active state. If no other servers are in active state at the time, the NAS considers the authentication
or accounting attempt a failure.
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Set the maximum number of RADIUS request transmission attempts.
retry retries
By default, the maximum number is 3 for RADIUS request transmission attempts.
30
system-view
2. Set the DSCP priority for RADIUS packets.
radius [ ipv6 ] dscp dscp-value
By default, the DSCP priority is 0 for RADIUS packets.
31
Configuring the MAC address format for RADIUS attribute 31
Restrictions and guidelines
RADIUS servers of different types might have different requirements for the MAC address format in
RADIUS attribute 31. Configure the MAC address format for RADIUS attribute 31 to meet the
requirements of the RADIUS servers.
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Configure the MAC address format for RADIUS attribute 31.
attribute 31 mac-format section { six | three } separator
separator-character { lowercase | uppercase }
By default, a MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is
separated by hyphen (-) into six sections with letters in upper case.
32
• Attribute rejection—Rejects RADIUS attributes based on RADIUS attribute rejection rules.
When the RADIUS attribute translation feature is enabled, the device processes RADIUS packets as
follows:
• For the sent RADIUS packets:
{ Deletes the rejected attributes from the packets.
{ Uses the destination RADIUS attributes to replace the attributes that match RADIUS
attribute conversion rules in the packets.
• For the received RADIUS packets:
{ Ignores the rejected attributes in the packets.
{ Interprets the attributes that match RADIUS attribute conversion rules as the destination
RADIUS attributes.
To identify proprietary RADIUS attributes, you can define the attributes as extended RADIUS
attributes, and then convert the extended RADIUS attributes to device-supported attributes.
Restrictions and guidelines for RADIUS attribute translation configuration
Configure either conversion rules or rejection rules for a RADIUS attribute.
Configure either direction-based rules or packet type-based rules for a RADIUS attribute.
For direction-based translation of a RADIUS attribute, you can configure a rule for each direction
(inbound or outbound). For packet type-based translation of a RADIUS attribute, you can configure a
rule for each RADIUS packet type (RADIUS Access-Accept, RADIUS Access-Request, or RADIUS
accounting).
Configuring the RADIUS attribute translation feature for a RADIUS scheme
1. Enter system view.
system-view
2. (Optional.) Define an extended RADIUS attribute.
radius attribute extended attribute-name [ vendor vendor-id ] code
attribute-code type { binary | date | integer | interface-id | ip | ipv6 |
ipv6-prefix | octets | string }
3. Enter RADIUS scheme view.
radius scheme radius-scheme-name
4. Enable the RADIUS attribute translation feature.
attribute translate
By default, this feature is disabled.
5. Configure a RADIUS attribute conversion rule or a RADIUS attribute reject rule. Choose the
following tasks as needed:
{ Configure a RADIUS attribute conversion rule.
attribute convert src-attr-name to dest-attr-name { { access-accept
| access-request | accounting } * | { received | sent } * }
By default, no RADIUS attribute conversion rules are configured.
{ Configure a RADIUS attribute rejection rule.
attribute reject attr-name { { access-accept | access-request |
accounting } * | { received | sent } * }
By default, no RADIUS attribute rejection rules are configured.
Configuring the RADIUS attribute translation feature for a RADIUS DAS
1. Enter system view.
system-view
33
2. (Optional.) Define an extended RADIUS attribute.
radius attribute extended attribute-name [ vendor vendor-id ] code
attribute-code type { binary | date | integer | interface-id | ip | ipv6 |
ipv6-prefix | octets | string }
3. Enter RADIUS DAS view.
radius dynamic-author server
4. Enable the RADIUS attribute translation feature.
attribute translate
By default, this feature is disabled.
5. Configure a RADIUS attribute conversion rule or a RADIUS attribute rejection rule. Choose the
following tasks as needed:
{ Configure a RADIUS attribute conversion rule.
attribute convert src-attr-name to dest-attr-name { { coa-ack |
coa-request } * | { received | sent } * }
By default, no RADIUS attribute conversion rules are configured.
{ Configure a RADIUS attribute rejection rule.
attribute reject attr-name { { coa-ack | coa-request } * | { received |
sent } * }
By default, no RADIUS attribute rejection rules are configured.
34
Enabling forcibly sending stop-accounting packets
About forcibly sending stop-accounting packets
Typically, if the device does not send a start-accounting packet to the RADIUS server for an
authenticated user, it does not send a stop-accounting packet when the user goes offline. If the
server has generated a user entry for the user without start-accounting packets, it does not release
the user entry when the user goes offline. This feature forces the device to send stop-accounting
packets to the RADIUS server when the user goes offline for timely releasing the user entry on the
server.
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Enable the device to send stop-accounting packets when users for which no start-accounting
packets are sent go offline.
stop-accounting-packet send-force
By default, forcibly sending stop-accounting packets is disabled. The device does not send
stop-accounting packets when users for which no start-accounting packets are sent go offline.
35
Specifying a RADIUS server selection mode for
reauthentication
About the RADIUS server selection mode for reauthentication
Use this feature to configure the RADIUS server selection mechanism in reauthentication. The
following RADIUS server selection modes are available:
• Inherit—The device uses the RADIUS server that performed authentication for a user to
reauthenticate that user. This mode reduces the amount of time used in reauthentication.
However, if the RADIUS server is unreachable, the reauthentication will fail.
• Reselect—The device searches for a reachable RADIUS server to reauthenticate a user. This
mode requires more time than the inherit mode. However, this mode ensures that the device
uses the optimal reachable RADIUS server for reauthentication. The following factors affect the
RADIUS server selection:
{ Server configuration in the RADIUS scheme, including the configuration order.
{ Enabling status of the RADIUS server load sharing feature.
{ Status of the RADIUS servers in the RADIUS scheme.
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Specify a RADIUS server selection mode for reauthentication.
reauthentication server-select { inherit | reselect }
By default, the inherit mode is used.
36
Procedure
1. Enter system view.
system-view
2. Enter RADIUS scheme view.
radius scheme radius-scheme-name
3. Enable accounting-on.
accounting-on enable [ interval interval | send send-times ] *
By default, the accounting-on feature is disabled.
4. (Optional.) Enable extended accounting-on.
accounting-on extended
By default, extended accounting-on is disabled.
37
3. Sends DAE responses to the DAC.
DAE defines the following types of packets:
• Disconnect Messages (DMs)—The DAC sends DM requests to the DAS to log off specific
online users.
• Change of Authorization Messages (CoA Messages)—The DAC sends CoA requests to the
DAS to change the authorization information of specific online users.
Procedure
1. Enter system view.
system-view
2. Enable the RADIUS DAS feature and enter RADIUS DAS view.
radius dynamic-author server
By default, the RADIUS DAS feature is disabled.
3. Specify a RADIUS DAC.
client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple }
string | vpn-instance vpn-instance-name ] *
By default, no RADIUS DACs are specified.
4. (Optional.) Specify the RADIUS DAS port.
port port-number
By default, the RADIUS DAS port is 3799.
38
By default, all SNMP notifications are disabled for RADIUS.
3. Set the version of RADIUS server status change MIB nodes.
radius trap-version { v1 | v2 } [ accounting-server-down |
accounting-server-up | authentication-server-down |
authentication-server-up ] *
By default, the device sends notifications about RADIUS server status change MIB nodes over
SNMPv1.
The command is supported only in Release 6555 and later.
39
By default, the RADIUS service is enabled.
To re-enable the RADIUS service, use the radius enable command.
Task Command
Display the RADIUS scheme
display radius scheme [ radius-scheme-name ]
configuration.
Display authentication and accounting
display radius server-load statistics
load statistics for all RADIUS servers.
Configuring HWTACACS
HWTACACS tasks at a glance
To configure HWTACACS, perform the following tasks:
1. Creating an HWTACACS scheme
2. Specifying the HWTACACS authentication servers
3. Specifying the HWTACACS authorization servers
4. Specifying the HWTACACS accounting servers
5. Specifying the shared keys for secure HWTACACS communication
Perform this task if no shared keys are specified when configuring HWTACACS servers.
6. Specifying an MPLS L3VPN instance for the scheme
Perform this task if no MPLS L3VPN instances are specified when configuring HWTACACS
servers.
7. (Optional.) Setting HWTACACS timers
8. (Optional.) Configuring parameters for HWTACACS packets
{ Specifying the source IP address for outgoing HWTACACS packets
{ Setting the username format and traffic statistics units
9. (Optional.) Configuring HWTACACS stop-accounting packet buffering
40
Creating an HWTACACS scheme
Restrictions and guidelines
You can configure a maximum of 16 HWTACACS schemes. An HWTACACS scheme can be used
by multiple ISP domains.
Procedure
1. Enter system view.
system-view
2. Create an HWTACACS scheme and enter HWTACACS scheme view.
hwtacacs scheme hwtacacs-scheme-name
41
for the secondary servers in the order they are configured. The first secondary server in active state
is used for communication.
Restrictions and guidelines
If redundancy is not required, specify only the primary server.
An HWTACACS server can function as the primary authorization server of one scheme and as the
secondary authorization server of another scheme at the same time.
Two HWTACACS authorization servers in a scheme, primary or secondary, cannot have the same
combination of VPN instance, host name, IP address, and port number.
Procedure
1. Enter system view.
system-view
2. Enter HWTACACS scheme view.
hwtacacs scheme hwtacacs-scheme-name
3. Specify the primary HWTACACS authorization server.
primary authorization { host-name | ipv4-address | ipv6 ipv6-address }
[ port-number | key { cipher | simple } string | single-connection |
vpn-instance vpn-instance-name ] *
By default, no primary HWTACACS authorization server is specified.
4. (Optional.) Specify a secondary HWTACACS authorization server.
secondary authorization { host-name | ipv4-address | ipv6 ipv6-address }
[ port-number | key { cipher | simple } string | single-connection |
vpn-instance vpn-instance-name ] *
By default, no secondary HWTACACS authorization servers are specified.
42
primary accounting { host-name | ipv4-address | ipv6 ipv6-address }
[ port-number | key { cipher | simple } string | single-connection |
vpn-instance vpn-instance-name ] *
By default, no primary HWTACACS accounting server is specified.
4. (Optional.) Specify a secondary HWTACACS accounting server.
secondary accounting { host-name | ipv4-address | ipv6 ipv6-address }
[ port-number | key { cipher | simple } string | single-connection |
vpn-instance vpn-instance-name ] *
By default, no secondary HWTACACS accounting servers are specified.
43
vpn-instance vpn-instance-name
By default, an HWTACACS scheme belongs to the public network.
44
3. Set the HWTACACS timers. Choose the following tasks as needed:
{ Set the HWTACACS server response timeout timer.
timer response-timeout seconds
By default, the HWTACACS server response timeout timer is 5 seconds.
{ Set the real-time accounting interval.
timer realtime-accounting minutes
By default, the real-time accounting interval is 12 minutes.
{ Set the server quiet timer.
timer quiet minutes
By default, the server quiet timer is 5 minutes.
45
hwtacacs nas-ip { interface interface-type interface-number |
{ ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] }
By default, the source IP address of an HWTACACS packet sent to the server is the primary
IPv4 address or the IPv6 address of the outbound interface.
Specifying a source interface or source IP address for an HWTACACS scheme
1. Enter system view.
system-view
2. Enter HWTACACS scheme view.
hwtacacs scheme hwtacacs-scheme-name
3. Specify a source interface or source IP address for outgoing HWTACACS packets.
nas-ip { ipv4-address | interface interface-type interface-number |
ipv6 ipv6-address }
By default, the source IP address of an outgoing HWTACACS packet is that configured by
using the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command
is not used, the source IP address is the primary IP address of the outbound interface.
46
Configuring HWTACACS stop-accounting packet buffering
About HWTACACS stop-accounting packet buffering
The device sends HWTACACS stop-accounting requests when it receives connection teardown
requests from hosts or connection teardown commands from an administrator. However, the device
might fail to receive a response for a stop-accounting request in a single transmission. Enable the
device to buffer HWTACACS stop-accounting requests that have not received responses from the
accounting server. The device will resend the requests until responses are received.
To limit the transmission times, set a maximum number of attempts that can be made for transmitting
individual HWTACACS stop-accounting requests. When the maximum attempts are made for a
request, the device discards the buffered request.
Procedure
1. Enter system view.
system-view
2. Enter HWTACACS scheme view.
hwtacacs scheme hwtacacs-scheme-name
3. Enable buffering of HWTACACS stop-accounting requests to which no responses have been
received.
stop-accounting-buffer enable
By default, the buffering feature is enabled.
4. (Optional.) Set the maximum number of transmission attempts for individual HWTACACS
stop-accounting requests.
retry stop-accounting retries
The default setting is 100.
Task Command
Display the configuration or server display hwtacacs scheme
statistics of HWTACACS schemes. [ hwtacacs-scheme-name [ statistics ] ]
Display information about buffered
HWTACACS stop-accounting requests display stop-accounting-buffer
to which no responses have been hwtacacs-scheme hwtacacs-scheme-name
received.
47
Configuring LDAP
LDAP tasks at a glance
To configure LDAP, perform the following tasks:
1. Configuring an LDAP server
a. Creating an LDAP server
b. Configuring the IP address of the LDAP server
c. (Optional.) Specifying the LDAP version
d. (Optional.) Setting the LDAP server timeout period
e. Configuring administrator attributes
f. Configuring LDAP user attributes
2. (Optional.) Configuring an LDAP attribute map
3. Creating an LDAP scheme
4. Specifying the LDAP authentication server
5. (Optional.) Specifying the LDAP authorization server
6. (Optional.) Specifying an LDAP attribute map for LDAP authorization
48
A Microsoft LDAP server supports only LDAPv3.
The LDAP version specified on the device must be consistent with the version specified on the LDAP
server.
Procedure
1. Enter system view.
system-view
2. Enter LDAP server view.
ldap server server-name
3. Specify the LDAP version.
protocol-version { v2 | v3 }
By default, LDAPv3 is used.
49
login-password { cipher | simple } string
By default, no administrator password is specified.
50
Configuring an LDAP attribute map
About LDAP attribute maps
Configure an LDAP attribute map to define a list of LDAP-AAA attribute mapping entries. To apply the
LDAP attribute map, specify the name of the LDAP attribute map in the LDAP scheme used for
authorization.
The LDAP attribute map feature enables the device to convert LDAP attributes obtained from an
LDAP authorization server to device-recognizable AAA attributes based on the mapping entries.
Because the device ignores unrecognized LDAP attributes, configure the mapping entries to include
important LDAP attributes that should not be ignored.
An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be
mapped to the same AAA attribute.
Procedure
1. Enter system view.
system-view
2. Create an LDAP attribute map and enter LDAP attribute map view.
ldap attribute-map map-name
3. Configure a mapping entry.
map ldap-attribute ldap-attribute-name [ prefix prefix-value
delimiter delimiter-value ] aaa-attribute { user-group | user-profile }
51
system-view
2. Enter LDAP scheme view.
ldap scheme ldap-scheme-name
3. Specify the LDAP authorization server.
authorization-server server-name
By default, no LDAP authorization server is specified.
Task Command
display ldap scheme
Display the configuration of LDAP schemes.
[ ldap-scheme-name ]
52
Each ISP domain has a set of system-defined AAA methods, which are local authentication, local
authorization, and local accounting. If you do not configure any AAA methods for an ISP domain, the
device uses the system-defined AAA methods for users in the domain.
The device chooses an authentication domain for each user in the following order:
1. The authentication domain specified for the access module.
2. The ISP domain in the username.
3. The default ISP domain of the device.
If the chosen domain does not exist on the device, the device searches for the ISP domain that
accommodates users assigned to nonexistent domains. (Support for the authentication domain
configuration depends on the access module.) If no such ISP domain is configured, user
authentication fails.
53
Configuring ISP domain attributes
Setting ISP domain status
About the ISP domain status
By placing the ISP domain in active or blocked state, you allow or deny network service requests
from users in the domain.
Procedure
1. Enter system view.
system-view
2. Enter ISP domain view.
domain isp-name
3. Set the status of the ISP domain.
state { active | block }
By default, an ISP domain is in active state, and users in the domain can request network
services.
54
max-access-number max-access-number | ip-pool ipv4-pool-name |
ipv6-pool ipv6-pool-name | mld max-access-number max-access-number |
url url-string | user-group user-group-name | user-profile
profile-name }
The default settings are as follows:
{ An IPv4 user can concurrently join a maximum of four IGMP multicast groups.
{ An IPv6 user can concurrently join a maximum of four MLD multicast groups.
{ No other authorization attributes exist.
55
1. Determine the access type or service type to be configured. With AAA, you can configure an
authentication method for each access type and service type.
2. Determine whether to configure the default authentication method for all access types or
service types. The default authentication method applies to all access users. However, the
method has a lower priority than the authentication method that is specified for an access type
or service type.
Procedure
1. Enter system view.
system-view
2. Enter ISP domain view.
domain isp-name
3. (Optional.) Specify default authentication methods for all types of users.
authentication default { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme
ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ]
[ none ] }
By default, the default authentication method is local.
4. Specify authentication methods for a user type or a service.
{ Specify authentication methods for LAN users.
authentication lan-access { ldap-scheme ldap-scheme-name [ local ]
[ none ] | local [ none ] | none | radius-scheme radius-scheme-name
[ local ] [ none ] }
By default, the default authentication methods are used for LAN users.
{ Specify authentication methods for login users.
authentication login { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme
ldap-scheme-name [ local ] [ none ] | local [ none ] | none |
radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
By default, the default authentication methods are used for login users.
{ Specify authentication methods for portal users.
authentication portal { ldap-scheme ldap-scheme-name [ local ]
[ none ] | local [ none ] | none | radius-scheme radius-scheme-name
[ local ] [ none ] }
By default, the default authentication methods are used for portal users.
{ Specify authentication methods for obtaining a temporary user role.
authentication super { hwtacacs-scheme hwtacacs-scheme-name |
radius-scheme radius-scheme-name } *
By default, the default authentication methods are used for obtaining a temporary user role.
56
The none keyword is not supported in FIPS mode.
Prerequisites
Before configuring authorization methods, complete the following tasks:
1. Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type.
2. Determine whether to configure the default authorization method for all access types or service
types. The default authorization method applies to all access users. However, the method has a
lower priority than the authorization method that is specified for an access type or service type.
Procedure
1. Enter system view.
system-view
2. Enter ISP domain view.
domain isp-name
3. (Optional.) Specify default authorization methods for all types of users.
authorization default { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ]
| none | radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
By default, the authorization method is local.
4. Specify authorization methods for a user type or a service.
{ Specify command authorization methods.
authorization command { hwtacacs-scheme hwtacacs-scheme-name
[ local ] [ none ] | local [ none ] | none }
By default, the default authorization methods are used for command authorization.
{ Specify authorization methods for LAN users.
authorization lan-access { local [ none ] | none | radius-scheme
radius-scheme-name [ local ] [ none ] }
By default, the default authorization methods are used for LAN users.
{ Specify authorization methods for login users.
authorization login { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ]
| none | radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
By default, the default authorization methods are used for login users.
{ Specify authorization methods for portal users.
authorization portal { local [ none ] | none | radius-scheme
radius-scheme-name [ local ] [ none ] }
By default, the default authorization methods are used for portal users.
57
The none keyword is not supported in FIPS mode.
Prerequisites
Before configuring accounting methods, complete the following tasks:
1. Determine the access type or service type to be configured. With AAA, you can configure an
accounting method for each access type and service type.
2. Determine whether to configure the default accounting method for all access types or service
types. The default accounting method applies to all access users. However, the method has a
lower priority than the accounting method that is specified for an access type or service type.
Procedure
1. Enter system view.
system-view
2. Enter ISP domain view.
domain isp-name
3. (Optional.) Specify default accounting methods for all types of users.
accounting default { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ]
| none | radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
By default, the accounting method is local.
4. Specify accounting methods for a user type.
{ Specify the command accounting method.
accounting command hwtacacs-scheme hwtacacs-scheme-name
By default, the default accounting methods are used for command accounting.
{ Specify accounting methods for LAN users.
accounting lan-access { broadcast radius-scheme
radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ]
[ none ] | local [ none ] | none | radius-scheme radius-scheme-name
[ local ] [ none ] }
By default, the default accounting methods are used for LAN users.
{ Specify accounting methods for login users.
accounting login { hwtacacs-scheme hwtacacs-scheme-name
[ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ]
| none | radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
By default, the default accounting methods are used for login users.
{ Specify accounting methods for portal users.
accounting portal { broadcast radius-scheme radius-scheme-name1
radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] |
none | radius-scheme radius-scheme-name [ local ] [ none ] }
By default, the default accounting methods are used for portal users.
5. (Optional.) Configure extended accounting policies.
{ Configure access control for users that encounter accounting-start failures.
accounting start-fail { offline | online }
By default, the device allows users that encounter accounting-start failures to stay online.
{ Configure access control for users that have failed all their accounting-update attempts.
accounting update-fail { [ max-times max-times ] offline | online }
58
By default, the device allows users that have failed all their accounting-update attempts to
stay online.
{ Configure access control for users that have used up their data or time accounting quotas.
accounting quota-out { offline | online }
By default, the device logs off users that have used up their accounting quotas.
Task Command
Display configuration information about an ISP
display domain [ isp-name ]
domain or all ISP domains.
Configuring a NAS-ID
About NAS-IDs
During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of
RADIUS packets so that the RADIUS server can identify the access location of users.
Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device so that the device
can send different NAS-Identifier attribute strings in RADIUS requests from different VLANs.
Restrictions and guidelines
You can apply a NAS-ID profile to portal- or port security-enabled interfaces. For more information,
see "Configuring portal authentication" and "Configuring port security."
You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.
A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID.
If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.
59
Procedure
1. Enter system view.
system-view
2. Create a NAS-ID profile and enter NAS-ID profile view.
aaa nas-id profile profile-name
3. Configure a NAS-ID and VLAN binding in the profile.
nas-id nas-identifier bind vlan vlan-id
Procedure
1. Enter system view.
system-view
2. Create a connection recording policy and enter its view.
aaa connection-recording policy
3. Specify the accounting method for the connection recording policy.
accounting hwtacacs-scheme hwtacacs-scheme-name
60
Display and maintenance commands for the connection
recording policy
Execute display commands in any view.
Task Command
Display the connection recording policy display aaa connection-recording
configuration. policy
61
Table 3 Attributes that RADIUS requests carry by default
62
radius attribute-test-group attr-test-group-name
You can create multiple RADIUS attribute test groups.
c. Include an attribute in RADIUS requests.
include { accounting | authentication } { name attribute-name |
[ vendor vendor-id ] code attribute-code } type { binary | date |
integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string }
value attribute-value
Use this command to add attributes that RADIUS requests do not carry by default to the
RADIUS requests.
For an attribute that RADIUS requests carry by default, you can use this command to
change its attribute value.
d. Exclude an attribute from RADIUS requests.
exclude { accounting | authentication } name attribute-name
Use this command to exclude an attribute that RADIUS requests carry by default from the
RADIUS requests sent during an AAA test to help troubleshoot authentication or accounting
failures.
e. Return to system view.
quit
f. Return to user view.
quit
2. Perform an AAA test in user view.
test-aaa user user-name password password radius-scheme
radius-scheme-name [ radius-server { ipv4-address | ipv6
ipv6-address } port-number [ vpn-instance vpn-instance-name ] ] [ chap
| pap ] [ attribute-test-group attr-test-group-name ] [ trace ]
63
Figure 11 Network diagram
# Set the shared keys to expert in plaintext form for secure HWTACACS communication.
[Switch-hwtacacs-hwtac] key authentication simple expert
[Switch-hwtacacs-hwtac] key authorization simple expert
[Switch-hwtacacs-hwtac] key accounting simple expert
# Exclude domain names from the usernames sent to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Create an ISP domain named bbb and configure the domain to use the HWTACACS scheme for
authentication, authorization, and accounting of login users.
[Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
[Switch-isp-bbb] quit
# Enable scheme authentication for user lines VTY 0 through VTY 63.
64
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable the default user role feature to assign authenticated SSH users the default user role
network-operator.
[Switch] role default-role enable
65
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Set the password to 123456TESTplat&! in plaintext form for the local user. In FIPS mode, you
must set the password in interactive mode.
[Switch-luser-manage-hello] password simple 123456TESTplat&!
[Switch-luser-manage-hello] quit
# Create an ISP domain named bbb and configure the login users to use local authentication,
HWTACACS authorization, and RADIUS accounting.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login radius-scheme rd
[Switch-isp-bbb] quit
# Enable the default user role feature to assign authenticated SSH users the default user role
network-operator.
[Switch] role default-role enable
66
Example: Configuring authentication and authorization for
SSH users by a RADIUS server
Network configuration
As shown in Figure 13, configure the switch to meet the following requirements:
• Use the RADIUS server for SSH user authentication and authorization.
• Include domain names in the usernames sent to the RADIUS server.
• Assign the default user role network-operator to SSH users after they pass authentication.
The RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101). Add an account with
username hello@bbb on the RADIUS server.
The RADIUS server and the switch use expert as the shared key for secure RADIUS communication.
The ports for authentication and accounting are 1812 and 1813, respectively.
Figure 13 Network diagram
67
Figure 14 Adding the switch as an access device
NOTE:
The IP address range must contain the IP address of the switch.
68
Figure 15 Adding an account for device management
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable the default user role feature to assign authenticated SSH users the default user role
network-operator.
[Switch] role default-role enable
# Set the shared key to expert in plaintext form for secure communication with the server.
[Switch-radius-rad] key authentication simple expert
69
[Switch-radius-rad] user-name-format with-domain
[Switch-radius-rad] quit
# Create an ISP domain named bbb and configure authentication, authorization, and accounting
methods for login users.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] accounting login none
[Switch-isp-bbb] quit
70
e. Enter logon name aaa and click Next.
Figure 17 Adding user aaa
a. In the dialog box, enter password ldap!123456, select options as needed, and click Next.
Figure 18 Setting the user's password
a. Click OK.
2. Add user aaa to group Users:
a. From the navigation tree, click Users under the ldap.com node.
b. In the right pane, right-click user aaa and select Properties.
c. In the dialog box, click the Member Of tab and click Add.
71
Figure 19 Modifying user properties
a. In the Select Groups dialog box, enter Users in the Enter the object names to select field,
and click OK.
User aaa is added to group Users.
Figure 20 Adding user aaa to group Users
72
# Create local RSA and DSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Create an ISP domain named bbb and configure authentication, authorization, and accounting
methods for login users.
[Switch] domain bbb
[Switch-isp-bbb] authentication login ldap-scheme ldap-shm1
[Switch-isp-bbb] authorization login none
[Switch-isp-bbb] accounting login none
[Switch-isp-bbb] quit
73
• Use MAC-based access control on Twenty-FiveGigE 1/0/1 to authenticate all 802.1X users on
the port separately.
• Include domain names in the usernames sent to the RADIUS server.
In this example, the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101). On
the RADIUS server, perform the following tasks:
• Add a service that charges 120 dollars for up to 120 hours per month and assigns authenticated
users to VLAN 4.
• Configure a user with name dot1x@bbb and assign the service to the user.
Set the shared keys to expert for secure RADIUS communication. Set the ports for authentication
and accounting to 1812 and 1813, respectively.
Figure 21 Network diagram
74
Figure 22 Adding the switch as an access device
3. Add a service:
Click the Service tab, and select User Access Manager > Service Configuration from the
navigation tree. Then, click Add to configure a service as follows:
75
a. Add a service named Dot1x auth, and set the service suffix to bbb, the authentication
domain for the 802.1X user. With the service suffix configured, you must configure the
access device to send usernames that include domain names to the RADIUS server.
b. Select UserAcct from the Charging Plan list.
c. Select Deploy VLAN and set the ID of the VLAN to be assigned to 4.
d. Configure other parameters as needed.
e. Click OK.
Figure 24 Adding a service
4. Add a user:
Click the User tab, and select Access User View > All Access Users from the navigation tree
to enter the All Access Users page. Then, click Add to configure a user as follows:
a. Select the user or add a user named hello.
b. Specify the account name as dot1x and configure the password.
c. Select Dot1x auth in the Access Service area.
d. Configure other parameters as needed and click OK.
76
Figure 25 Adding an access user account
77
# Configure the access control method. By default, an 802.1X-enabled port uses the
MAC-based access control.
[Switch-Twenty-FiveGigE1/0/1] dot1x port-method macbased
IMPORTANT:
Make sure the client can update its IP address to access the resources in the authorized VLAN
after passing authentication.
2. On the switch, verify that the server assigns the port connecting the client to VLAN 4 after the
user passes authentication. (Details not shown.)
3. Display 802.1X connection information on the switch.
[Switch] display dot1x connection
Troubleshooting AAA
RADIUS authentication failure
Symptom
User authentication always fails.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
• The username is not in the userid@isp-name format, or the ISP domain is not correctly
configured on the NAS.
• The user is not configured on the RADIUS server.
• The password entered by the user is incorrect.
• The RADIUS server and the NAS are configured with different shared keys.
Solution
To resolve the problem:
1. Verify the following items:
{ The NAS and the RADIUS server can ping each other.
{ The username is in the userid@isp-name format and the ISP domain is correctly configured
on the NAS.
78
{ The user is configured on the RADIUS server.
{ The correct password is entered.
{ The same shared key is configured on both the RADIUS server and the NAS.
2. If the problem persists, contact Hewlett Packard Enterprise Support.
79
Troubleshooting HWTACACS
Similar to RADIUS troubleshooting. See "RADIUS authentication failure," "RADIUS packet delivery
failure," and "RADIUS accounting error."
Appendixes
Appendix A Commonly used RADIUS attributes
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
80
Table 4 Commonly used RADIUS attributes
81
No. Attribute No. Attribute
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
82
No. Attribute Description
Maximum idle time permitted for the user before termination of the
28 Idle-Timeout
session.
User identification that the NAS sends to the server. For the LAN
31 Calling-Station-Id access service provided by an HPE device, this attribute includes the
MAC address of the user.
32 NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.
Type of the Accounting-Request packet. Possible values include:
• 1—Start.
• 2—Stop.
• 3—Interim-Update.
• 4—Reset-Charge.
40 Acct-Status-Type • 7—Accounting-On. (Defined in the 3rd Generation Partnership
Project.)
• 8—Accounting-Off. (Defined in the 3rd Generation Partnership
Project.)
• 9 to 14—Reserved for tunnel accounting.
• 15—Reserved for failed.
Authentication method used by the user. Possible values include:
• 1—RADIUS.
45 Acct-Authentic
• 2—Local.
• 3—Remote.
CHAP challenge generated by the NAS for MD5 calculation during
60 CHAP-Challenge
CHAP authentication.
Type of the physical port of the NAS that is authenticating the user.
Possible values include:
• 15—Ethernet.
• 16—Any type of ADSL.
• 17—Cable. (With cable for cable TV.)
61 NAS-Port-Type
• 19—WLAN-IEEE 802.11.
• 201—VLAN.
• 202—ATM.
If the port is an ATM or Ethernet one and VLANs are implemented on it,
the value of this attribute is 201.
Tunneling protocols used.
64 Tunnel-Type The value 13 represents VLAN. If the value is 13, the device interprets
the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID
attributes as attributes to assign VLANs.
Transport medium type to use for creating a tunnel.
65 Tunnel-Medium-Type For VLAN assignment, the value must be 6 to indicate the 802 media
plus Ethernet.
Used to encapsulate EAP packets to allow RADIUS to support EAP
79 EAP-Message
authentication.
Used for authentication and verification of authentication packets to
80 Message-Authenticator prevent spoofing Access-Requests. This attribute is present when EAP
authentication is used.
Group ID for a tunnel session. To assign VLANs, the NAS conveys
81 Tunnel-Private-Group-ID
VLAN IDs by using this attribute.
87 NAS-Port-Id String for describing the port of the NAS that is authenticating the user.
83
No. Attribute Description
Server-assigned IPv6 address for the NAS to assign to the host. The
168 Framed-IPv6-Address
address must be unique.
84
No. Subattribute Description
accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A
space is required between the IP address and the MAC address.
Information that must be sent from the server to the client
61 User_Notify
transparently.
Hash value assigned after an 802.1X user passes authentication,
which is a 32-byte string. This attribute is stored in the user list on
62 User_HeartBeat the NAS and verifies the handshake packets from the 802.1X
user. This attribute only exists in Access-Accept and
Accounting-Request packets.
IP address of the multicast group that the user's host joins as a
receiver. This subattribute can appear multiple times in a
98 Multicast_Receive_Group
multicast packet to indicate that the user belongs to multiple
multicast groups.
IPv6 address of the multicast group that the user's host joins as a
receiver. This subattribute can appear multiple times in a
100 IP6_Multicast_Receive_Group
multicast packet to indicate that the user belongs to multiple
multicast groups.
Maximum number of MLD multicast groups that the user can join
101 MLD-Access-Limit
concurrently.
102 local-name L2TP local tunnel name.
Maximum number of IGMP multicast groups that the user can join
103 IGMP-Access-Limit
concurrently.
104 VPN-Instance MPLS L3VPN instance to which a user belongs.
105 ANCP-Profile ANCP profile name.
135 Client-Primary-DNS IP address of the primary DNS server.
136 Client-Secondary-DNS IP address of the secondary DNS server.
User groups assigned after the user passes authentication.
140 User_Group Typically, a user can belong to only one user group. An SSL VPN
user can belong to multiple user groups that are separated by
semicolons.
Bytes of IPv6 packets in the inbound direction. The measurement
144 Acct_IPv6_Input_Octets
unit depends on the configuration on the device.
Bytes of IPv6 packets in the outbound direction. The
145 Acct_IPv6_Output_Octets
measurement unit depends on the configuration on the device.
Number of IPv6 packets in the inbound direction. The
146 Acct_IPv6_Input_Packets
measurement unit depends on the configuration on the device.
Number of IPv6 packets in the outbound direction. The
147 Acct_IPv6_Output_Packets
measurement unit depends on the configuration on the device.
Bytes of IPv6 packets in the inbound direction. The measurement
148 Acct_IPv6_Input_Gigawords
unit is 4G bytes.
Bytes of IPv6 packets in the outbound direction. The
149 Acct_IPv6_Output_Gigawords
measurement unit is 4G bytes.
155 User-Roles List of space-separated user roles.
User-defined attribute pair. Available attribute pairs include:
• Server-assigned voice VLAN in the format of
210 Av-Pair device-traffic-class=voice.
• Server-assigned user role in the format of shell:role=xxx.
• Server-assigned ACL in the format of url-redirect-acl=xxx.
85
No. Subattribute Description
• Server-assigned Web redirect URL in the format of
url-redirect=xxx.
• Server-deployed command to reboot a port, in the format of
subscriber:command=bounce-host-port.
• Server-assigned port shutdown duration in the format of
bounce:seconds=xxx.
• Server-deployed command to shut down a port, in the format
of subscriber:command=disable-host-port.
• Server-assigned VSI in the format of vxlan:vsi-name=xxx.
• VSI-based ACL resource assignment capability in the format
of ACL:match-by-vsiindex=x. Value 1 of x indicates that this
feature is supported, and the other values of x are reserved.
• Server-assigned blackhole MAC address attribute in the
format of mac:block-mac=xxx.
• Server-assigned MAC authentication offline detect timer (in
seconds) in the format of mac-authentication:
offline-detect-time=xxx. Value 0 of xxx indicates that MAC
authentication offline detection is disabled.
• Server-assigned MAC authentication offline detection flag in
the format of mac-authentication: offline-detect-check=x. x
has the following values:
{ 0—The device does not search for the ARP snooping
entry or ND snooping entry of the MAC address.
{ 1—The device searches for the ARP snooping entry or
ND snooping entry of the MAC address.
230 NAS-Port-Name Interface through which the user is connected to the NAS.
Accounting details. The server sends Access-Accept packets with
subattributes 246 and 250 in the following situations:
• 1—The subscriber charge is overdue. The subscriber is
allowed to access network resources in the whitelist. If the
subscriber accesses other network resources, the device
246 Auth_Detail_Result
redirects it to the URL specified by subattribute 250.
• 2—The broadband lease of the subscriber expires. The
device redirects the subscriber to the URL specified by
subattribute 250 when the subscriber requests to access
webpages for the first time.
Committed burst size from the user to the NAS, in bits. The total
length cannot exceed 4 bytes for this field.
247 Input-Committed-Burst-Size
This subattribute must be assigned together with the
Input-Average-Rate attribute.
Committed burst size from the NAS to the user, in bits. The total
length cannot exceed 4 bytes for this field.
248 Output-Committed-Burst-Size
This subattribute must be assigned together with the
Output-Average-Rate attribute.
Authentication type. The value can be:
• 1—Intranet access authentication.
249 authentication-type • 2—Internet access authentication.
If the packet does not contain this subattribute, common
authentication applies.
250 WEB-URL Redirect URL for users.
251 Subscriber-ID Family plan ID.
252 Subscriber-Profile QoS policy name for the family plan of the subscriber.
86
No. Subattribute Description
255 Product_ID Product name.
87
802.1X overview
About the 802.1X protocol
802.1X is a port-based network access control protocol widely used on Ethernet networks. The
protocol controls network access by authenticating the devices connected to 802.1X-enabled LAN
ports.
802.1X architecture
802.1X operates in the client/server model. As shown in Figure 26, 802.1X authentication includes
the following entities:
• Client (supplicant)—A user terminal seeking access to the LAN. The terminal must have
802.1X software to authenticate to the access device.
• Access device (authenticator)—Authenticates the client to control access to the LAN. In a
typical 802.1X environment, the access device uses an authentication server to perform
authentication.
• Authentication server—Provides authentication services for the access device. The
authentication server first authenticates 802.1X clients by using the data sent from the access
device. Then, the server returns the authentication results to the access device to make access
decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use
the access device as the authentication server.
Figure 26 802.1X architecture
88
Figure 27 Authorization state of a controlled port
In EAP relay mode, the client must use the same authentication method as the RADIUS server. On
the access device, you only need to use the dot1x authentication-method eap command
to enable EAP relay.
EAP termination
As shown in Figure 29, the access device performs the following operations in EAP termination
mode:
1. Terminates the EAP packets received from the client.
2. Encapsulates the client authentication information in standard RADIUS packets.
3. Uses PAP or CHAP to authenticate to the RADIUS server.
89
Figure 29 EAP termination
Packet exchange
Benefits Limitations
method
• Supports various EAP The RADIUS server must support the
authentication methods. EAP-Message and
EAP relay • The configuration and Message-Authenticator attributes, and
processing are simple on the the EAP authentication method used by
access device. the client.
• Supports only the following EAP
authentication methods:
{ MD5-Challenge EAP
Works with any RADIUS server authentication.
EAP termination that supports PAP or CHAP { The username and password
authentication. EAP authentication initiated by
an iNode 802.1X client.
• The processing is complex on the
access device.
Packet formats
EAP packet format
Figure 30 shows the EAP packet format.
Figure 30 EAP packet format
• Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or
Failure (4).
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the Code,
Identifier, Length, and Data fields.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP
packet. The Data field contains the request type (or the response type) and the type data. Type
1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.
EAPOL packet format
Figure 31 shows the EAPOL packet format.
90
Figure 31 EAPOL packet format
0 7 15
Packet body
N
• PAE Ethernet type—Protocol type. It takes the value 0x888E for EAPOL.
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
• Type—Type of the EAPOL packet. Table 6 lists the types of EAPOL packets supported by
implementation of 802.1X on the device.
Table 6 Types of EAPOL packets
• Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or
EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet
body field contains an EAP packet.
EAP over RADIUS
RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP
authentication. For the RADIUS packet format, see "Configuring AAA."
• EAP-Message.
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 32. The
Type field takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than
253 bytes, RADIUS encapsulates it in multiple EAP-Message attributes.
Figure 32 EAP-Message attribute format
• Message-Authenticator.
As shown in Figure 33, RADIUS includes the Message-Authenticator attribute in all packets that
have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if
the calculated packet integrity checksum is different from the Message-Authenticator attribute
value. The Message-Authenticator prevents EAP authentication packets from being tampered
with during EAP authentication.
91
Figure 33 Message-Authenticator attribute format
EAPOL EAPOR
(1) EAPOL-Start
(2) EAP-Request/Identity
Port authorized
(11) EAP-Request/Identity
(12) EAP-Response/Identity
...
(13) EAPOL-Logoff
Port unauthorized
(14) EAP-Failure
92
4. The access device relays the EAP-Response/Identity packet in a RADIUS Access-Request
packet to the authentication server.
5. The authentication server uses the identity information in the RADIUS Access-Request to
search its user database. If a matching entry is found, the server uses a randomly generated
challenge (EAP-Request/MD5-Challenge) to encrypt the password in the entry. Then, the
server sends the challenge in a RADIUS Access-Challenge packet to the access device.
6. The access device transmits the EAP-Request/MD5-Challenge packet to the client.
7. The client uses the received challenge to encrypt the password, and sends the encrypted
password in an EAP-Response/MD5-Challenge packet to the access device.
8. The access device relays the EAP-Response/MD5-Challenge packet in a RADIUS
Access-Request packet to the authentication server.
9. The authentication server compares the received encrypted password with the encrypted
password it generated at step 5. If the two passwords are identical, the server considers the
client valid and sends a RADIUS Access-Accept packet to the access device.
10. Upon receiving the RADIUS Access-Accept packet, the access device performs the following
operations:
a. Sends an EAP-Success packet to the client.
b. Sets the controlled port in authorized state.
The client can access the network.
11. After the client comes online, the access device periodically sends handshake requests to
check whether the client is still online. By default, if two consecutive handshake attempts fail,
the device logs off the client.
12. Upon receiving a handshake request, the client returns a response. If the client fails to return a
response after a number of consecutive handshake attempts (two by default), the access
device logs off the client. This handshake mechanism enables timely release of the network
resources used by 802.1X users that have abnormally gone offline.
13. The client can also send an EAPOL-Logoff packet to ask the access device for a logoff.
14. In response to the EAPOL-Logoff packet, the access device changes the status of the
controlled port from authorized to unauthorized. Then, the access device sends an EAP-Failure
packet to the client.
EAP termination
Figure 35 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that
CHAP authentication is used.
93
Figure 35 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the access device rather than the authentication server generates an MD5
challenge for password encryption. The access device then sends the MD5 challenge together with
the username and encrypted password in a standard RADIUS packet to the RADIUS server.
94
• Unicast trigger mode—Upon receiving a frame from an unknown MAC address, the access
device sends an EAP-Request/Identity packet out of the receiving port to the MAC address.
The device retransmits the packet if no response has been received within the identity request
timeout interval. This process continues until the maximum number of request attempts set by
using the dot1x retry command is reached.
The username request timeout timer sets both the identity request interval for the multicast trigger
and the identity request timeout interval for the unicast trigger.
IMPORTANT:
Only remote servers can assign tagged authorization VLANs.
95
IMPORTANT:
For a VLAN represented by its VLAN name to be assigned successfully, you must make sure the
VLAN has been created on the device.
To assign VLAN IDs with suffixes, make sure the access port is a hybrid or trunk port that performs
port-based access control.
To ensure a successful assignment, the authorization VLANs assigned by the remote server cannot
be any of the following types:
• Dynamically learned VLANs.
• Reserved VLANs.
• Super VLANs.
• Private VLANs.
If the server assigns a group of VLANs, the access device selects a VLAN as described in Table 7.
Table 7 Authorization VLAN selection from a group of VLANs
96
IMPORTANT:
Local VLAN authorization does not support assignment of tagged VLANs.
For more information about local user configuration, see "Configuring AAA."
Authorization VLAN manipulation for an 802.1X-enabled port
Table 8 describes how the access device handles VLANs (except for the VLANs specified with
suffixes) on an 802.1X-enabled port.
Table 8 VLAN manipulation
IMPORTANT:
• For users attached to an access port, make sure the authorization VLAN assigned by the server
has the untagged attribute. VLAN assignment will fail if the server issues a VLAN that has the
tagged attribute.
• When you assign VLANs to users attached to a trunk port or a MAC-based VLAN disabled hybrid
port, make sure there is only one untagged VLAN. If a different untagged VLAN is assigned to a
subsequent user, the user cannot pass authentication.
• As a best practice to enhance network security, do not use the port hybrid vlan command
to assign a hybrid port to an authorization VLAN as a tagged member.
Whether the authorization VLAN of an authenticated user takes effect on the 802.1X-enabled port
depends on the port link type and VLAN tagging mode.
• If the port is an access or trunk port, the authorization VLAN always takes effect.
• If the port is a hybrid port, the device compares the VLAN tagging mode assigned by the server
with the VLAN tagging mode configured on the port for the authorization VLAN.
{ If the VLAN tagging modes are the same one (tagged or untagged), the authorization VLAN
takes effect.
{ If the VLAN tagging modes are different, the configuration on the port takes effect instead of
the assigned information.
Authorization VLAN assignment does not affect the VLAN configuration on the 802.1X-enabled port.
After the user is logged off, the original VLAN configuration on the port is restored.
97
For an 802.1X authenticated user to access the network on a hybrid port when no authorization
VLANs are assigned to the user, perform one of the following tasks:
• If the port receives tagged authentication packets from the user in a VLAN, use the port
hybrid vlan command to configure the port as a tagged member in the VLAN.
• If the port receives untagged authentication packets from the user in a VLAN, use the port
hybrid vlan command to configure the port as an untagged member in the VLAN.
On a port with periodic online user reauthentication enabled, the MAC-based VLAN feature does not
take effect on a user that has been online since before this feature was enabled. The access device
creates a MAC-to-VLAN mapping for the user when the following requirements are met:
• The user passes reauthentication.
• The authorization VLAN for the user is changed.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.
Guest VLAN
The 802.1X guest VLAN on a port accommodates users that have not performed 802.1X
authentication. Users in the guest VLAN can access a limited set of network resources, such as a
software server, to download antivirus software and system patches. Once a user in the guest VLAN
passes 802.1X authentication, it is removed from the guest VLAN and can access authorized
network resources.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
Port-based access control
If an 802.1X Auth-Fail VLAN is available, the device assigns the port to the
Auth-Fail VLAN. All users on this port can access only resources in the
A user in the 802.1X guest Auth-Fail VLAN.
VLAN fails 802.1X
If no Auth-Fail VLAN is configured, the port is still in the 802.1X guest VLAN.
authentication.
All users on the port are in the guest VLAN.
For information about the 802.1X Auth-Fail VLAN, see "Auth-Fail VLAN."
The device removes the port from the 802.1X guest VLAN and assigns the
port to the authorization VLAN of the user.
If the authentication server does not assign an authorization VLAN, the initial
A user in the 802.1X guest PVID of the port applies. The user and all subsequent 802.1X users are
VLAN passes 802.1X assigned to the initial port VLAN.
authentication. After the user logs off, the port is assigned to the guest VLAN again.
NOTE:
The initial PVID of an 802.1X-enabled port refers to the PVID used by the
port before the port is assigned to any 802.1X VLANs.
IMPORTANT:
When the port receives a packet with a VLAN tag, the packet will be forwarded within the tagged
98
VLAN if the VLAN is not the guest VLAN.
A user in the 802.1X guest The device remaps the MAC address of the user to the authorization VLAN.
VLAN passes 802.1X If the authentication server does not assign an authorization VLAN, the
authentication. device remaps the MAC address of the user to the initial PVID on the port.
Auth-Fail VLAN
The 802.1X Auth-Fail VLAN on a port accommodates users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy. For example, the VLAN
accommodates users that have entered a wrong password. Users in the Auth-Fail VLAN can access
a limited set of network resources, such as a software server, to download antivirus software and
system patches.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
Port-based access control
The device assigns the port to the authorization VLAN of the user, and it
removes the port from the Auth-Fail VLAN.
A user in the 802.1X If the authentication server does not assign an authorization VLAN, the initial
Auth-Fail VLAN passes PVID of the port applies. The user and all subsequent 802.1X users are
802.1X authentication. assigned to the initial PVID.
After the user logs off, the port is assigned to the guest VLAN. If no guest
VLAN is configured, the port is assigned to the initial PVID of the port.
99
MAC-based access control
A user in the 802.1X The device remaps the MAC address of the user to the authorization VLAN.
Auth-Fail VLAN passes If the authentication server does not assign an authorization VLAN, the
802.1X authentication. device remaps the MAC address of the user to the initial PVID on the port.
Critical VLAN
The 802.1X critical VLAN on a port accommodates 802.1X users that have failed authentication
because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VLAN
can access a limited set of network resources depending on the configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through
RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is
not assigned to the critical VLAN. For more information about the authentication methods, see
"Configuring AAA."
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.
Port-based access control
A user in the 802.1X critical VLAN fails If an 802.1X Auth-Fail VLAN has been configured, the port is
authentication for any reason other than assigned to the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is
unreachable servers. configured, the port is assigned to the initial PVID of the port.
100
Authentication status VLAN manipulation
A user in the 802.1X guest VLAN fails
The device assigns the port to the 802.1X critical VLAN, and all
authentication because all the RADIUS
802.1X users on this port are in this VLAN.
servers are unreachable.
A user in the 802.1X Auth-Fail VLAN fails The port is still in the 802.1X Auth-Fail VLAN. All 802.1X users
authentication because all the RADIUS on this port can access only resources in the 802.1X Auth-Fail
servers are unreachable. VLAN.
IMPORTANT:
When a reachable RADIUS server is detected, the device removes the port from the critical VLAN.
The port sends a multicast EAP-Request/Identity to all 802.1X users on the port to trigger
authentication.
A user accesses the port and fails 802.1X The device maps the MAC address of the user to the 802.1X
authentication because all the RADIUS critical VLAN. The user can access only resources in the
servers are unreachable. 802.1X critical VLAN.
IMPORTANT:
When a reachable RADIUS server is detected, the device removes 802.1X users from the critical
VLAN on the port. The port sends a unicast EAP-Request/Identity to these users to trigger
authentication.
101
Critical voice VLAN
The 802.1X critical voice VLAN on a port accommodates 802.1X voice users that have failed
authentication because none of the RADIUS servers in their ISP domain are reachable.
The critical voice VLAN feature takes effect when 802.1X authentication is performed only through
RADIUS servers. If an 802.1X voice user fails local authentication after RADIUS authentication, the
voice user is not assigned to the critical voice VLAN. For more information about the authentication
methods, see "Configuring AAA."
When a reachable RADIUS server is detected, the device performs operations on a port based on its
802.1X access control method.
Port-based access control
When a reachable RADIUS server is detected, the device removes the port from the critical voice
VLAN. The port sends a multicast EAP-Request/Identity packet to all 802.1X voice users on the port
to trigger authentication.
MAC-based access control
When a reachable RADIUS server is detected, the device removes 802.1X voice users from the
critical voice VLAN. The port sends a unicast EAP-Request/Identity packet to each 802.1X voice
user that was assigned to the critical voice VLAN to trigger authentication.
102
Figure 36 VXLAN network diagram for 802.1X authentication
Authorization VSI
An authorization VSI is associated with a VXLAN that has network resources inaccessible to
unauthenticated users.
802.1X supports remote VSI authorization. When a user passes remote 802.1X authentication, the
remote server assigns the authorization VSI information of the user to the user's access port. Upon
receiving the authorization VSI information, the VTEP performs the following operations:
• Dynamically creates an Ethernet service instance based on the user's access port, VLAN, and
MAC address.
• Maps the Ethernet service instance to the authorization VSI.
The user then can access resources in the VXLAN associated with the authorization VSI.
If the VTEP does not receive authorization VSI information for the user from the remote server, the
user cannot access resources in any VXLAN after passing authentication.
For information about dynamic creation of Ethernet service instances, see VXLAN configuration
Guide.
Guest VSI
The 802.1X guest VSI on a port accommodates users that have not performed 802.1X
authentication. You can deploy a limited set of network resources in the VXLAN that is associated
with the guest VSI. For example, deploy a software server for users to download anti-virus software
and system patches. Once a user in the guest VSI passes 802.1X authentication, the user is
removed from the guest VSI and can access authorized network resources.
The access device handles VSIs on an 802.1X-enabled port, as shown in Table 9:
103
Table 9 VSI manipulation when a guest VSI is configured
If an 802.1X Auth-Fail VSI is available on the port, the VTEP remaps the
A user in the 802.1X guest user's MAC address and access VLAN to the Auth-Fail VSI. The user can
VSI fails 802.1X access only resources in the VXLAN associated with the Auth-Fail VSI.
authentication. If no 802.1X Auth-Fail VSI is configured on the port, the user is removed from
the 802.1X guest VSI.
Auth-Fail VSI
The 802.1X Auth-Fail VSI on a port accommodates users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy. For example, the VSI
accommodates users with wrong passwords entered. Users in the Auth-Fail VSI can access a
limited set of network resources in the VXLAN associated with this VSI. You can deploy a software
server in the Auth-Fail VSI for users to download antivirus software and system patches.
The access device handles VSIs on an 802.1X-enabled port, as shown in Table 10:
Table 10 VSI manipulation when an Auth-Fail VSI is configured
Critical VSI
The 802.1X critical VSI on a port accommodates 802.1X users that have failed authentication
because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VSI can
access a limited set of network resources in the VXLAN associated with this VSI.
The critical VSI feature takes effect when 802.1X authentication is performed only through RADIUS
servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not
assigned to the critical VSI. For more information about the authentication methods, see
"Configuring AAA."
104
The access device handles VSIs on an 802.1X-enabled port, as shown in Table 11:
Table 11 VSI manipulation when a critical VSI is configured
A user accesses the port and fails 802.1X The VTEP maps the user's MAC address and access VLAN
authentication because all the RADIUS to the 802.1X critical VSI on the port. The user can access
servers are unreachable. only resources in the VXLAN associated with the critical VSI.
A user in the 802.1X critical VSI passes The VTEP remaps the user's MAC address and access
802.1X authentication. VLAN to the authorization VSI.
A user in the 802.1X guest VSI fails The VTEP maps the user's MAC address and access VLAN
authentication because all the RADIUS to the 802.1X critical VSI on the port. The user can access
servers are unreachable. only resources in the VXLAN associated with the critical VSI.
ACL assignment
You can specify an ACL for an 802.1X user on the authentication server to control the user's access
to network resources. After the user passes 802.1X authentication, the authentication server assigns
the ACL to the access port of the user. The ACL will filter traffic for this user by permitting or rejecting
matching traffic. The authentication server can be the local access device or a RADIUS server. In
either case, you must configure the ACL on the access device.
To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
• Specify another authorization ACL on the authentication server.
The supported authorization ACLs include the following types:
• Basic ACLs, which are numbered in the range of 2000 to 2999.
• Advanced ACLs, which are numbered in the range of 3000 to 3999.
• Layer 2 ACLs, which are numbered in the range of 4000 to 4999.
For an authorization ACL to take effect, the following requirements must be met:
• The ACL exists with rules.
105
• The rules contain only match criteria that are specified by using the dscp, source,
destination, type, source-port, and destination-port keywords.
• If the source-port or destination-port criterion exists, make sure only one source port
or one destination port is specified.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
106
If no session timeout timer is assigned by the server, whether the device performs periodic 802.1X
reauthentication depends on the periodic reauthentication configuration on the device. Support for
the assignment of Session-Timeout and Termination-Action attributes depends on the server model.
With the RADIUS DAS feature enabled, the device immediately reauthenticates a user upon
receiving a CoA message that carries the reauthentication attribute from a RADIUS authentication
server. In this case, reauthentication will be performed regardless of whether 802.1X periodic
reauthentication is enabled on the device. For more information about RADIUS DAS configuration,
see "Configuring AAA."
By default, the device logs off online 802.1X users if no server is reachable for 802.1X
reauthentication. The keep-online feature keeps authenticated 802.1X users online when no server
is reachable for 802.1X reauthentication.
The VLANs assigned to an online user before and after reauthentication can be the same or
different.
EAD assistant
Endpoint Admission Defense (EAD) is an Hewlett Packard Enterprise integrated endpoint access
control solution to improve the threat defensive capability of a network. The solution enables the
security client, security policy server, access device, and third-party server to operate together. If a
terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X
authentication.
The EAD assistant feature enables the access device to redirect the HTTP or HTTPS requests of a
user to a redirect URL for downloading and installing an EAD client. This feature eliminates the
administrative task to deploy EAD clients.
EAD assistant is implemented by the following functionality:
• Free IP.
A free IP is a freely accessible network segment, which has a limited set of network resources
such as software and DHCP servers. To ensure security strategy compliance, an
unauthenticated user can access only this segment to perform operations. For example, the
user can download EAD client from a software server or obtain a dynamic IP address from a
DHCP server.
• Redirect URL.
If an unauthenticated 802.1X user is using a Web browser to access the network, EAD
assistant redirects the network access requests of the user to a specific URL. For example, you
can use this feature to redirect the user to the EAD client software download page.
The EAD assistant feature creates an ACL-based EAD rule automatically to open access to the
redirect URL for each redirected user.
EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user
passes authentication, the rule is removed. If users fail to download EAD client or fail to pass
authentication before the timer expires, they must reconnect to the network to access the free IP.
107
Configuring 802.1X
Restrictions and guidelines: 802.1X configuration
You can configure the port security feature to perform 802.1X. Port security combines and extends
802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different
authentication methods for different users on a port. For more information about the port security
feature, see "Configuring port security."
When you configure 802.1X VLANs or VSIs, follow these restrictions and guidelines:
• If the server assigns both an authorization VSI and authorization VLAN to a user, the device
uses only the authorization VLAN.
• On a port, the guest VLAN, Auth-Fail VLAN, and critical VLAN settings are mutually exclusive
with the guest VSI, Auth-Fail VSI, and critical VSI settings.
• To ensure a successful authentication, you must configure the authentication server to assign
authorization VLANs or VSIs to the 802.1X users attached to a port in the following situations:
{ If the port is configured with the guest VLAN, Auth-Fail VLAN, or critical VLAN, you must
configure VLAN authorization for the 802.1X users.
{ If the port is configured with the guest VSI, Auth-Fail VSI, or critical VSI, you must configure
VSI authorization for the 802.1X users.
{ If both 802.1X and MAC authentication are configured on the port, be careful with the VSI
settings of the two authentication features.
− You must configure VSI authorization for the 802.1X users if the port has a guest or
critical VSI for MAC authentication.
− Likewise, you must configure VSI authorization for the MAC authentication users if the
port has an Auth-Fail, guest, or critical VSI for 802.1X authentication.
• Do not change the link type of a port when the 802.1X guest VLAN, Auth-Fail VLAN, or critical
VLAN on the port has users.
When you configure 802.1X settings on an interface, follow these restrictions and guidelines:
• 802.1X is supported only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
• When you add a Layer 2 Ethernet interface to an aggregation group, its existing 802.1X settings
are automatically removed. After a Layer 2 Ethernet interface is added to an aggregation group,
you cannot configure 802.1X on it.
• Do not delete a Layer 2 aggregate interface if the interface has online 802.1X users.
108
{ (Optional.) Setting the quiet timer
3. (Optional.) Configuring 802.1X VLAN assignment
{ Configuring an 802.1X guest VLAN
{ Enabling 802.1X guest VLAN assignment delay
{ Configuring an 802.1X Auth-Fail VLAN
{ Configuring an 802.1X critical VLAN
{ Enabling the 802.1X critical voice VLAN feature
4. (Optional.) Configuring 802.1X VSI assignment
{ Configuring an 802.1X guest VSI
{ Enabling 802.1X guest VSI assignment delay
{ Configuring an 802.1X Auth-Fail VSI
{ Configuring an 802.1X critical VSI
5. (Optional.) Setting the upper limit for 802.1X parameters
{ Setting the maximum number of concurrent 802.1X users on a port
{ Setting the maximum number of authentication request attempts
{ Setting the maximum number of 802.1X authentication attempts for MAC authenticated
users
6. (Optional.) Configuring other 802.1X features
{ Configuring 802.1X unauthenticated user aging
{ Sending EAP-Success packets on assignment of users to the 802.1X Auth-Fail VLAN or
VSI
{ Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN or VSI
{ Enabling 802.1X online user synchronization
{ Configuring the authentication trigger feature
Perform this task when 802.1X clients cannot initiate authentication.
{ Configuring online user handshake
{ Configuring 802.1X offline detection
{ Specifying supported domain name delimiters
{ Removing the VLAN tags of 802.1X protocol packets sent out of a port
{ Enabling 802.1X user IP freezing
{ Configuring 802.1X MAC address binding
{ Configuring the EAD assistant feature
{ Setting the maximum size of EAP-TLS fragments sent to the server
Use this feature to reduce the size of authentication packets sent to the server when the
device uses EAP-TLS authentication method in EAP relay mode.
{ Logging off 802.1X users
{ Enabling 802.1X user logging
109
Enabling 802.1X
Restrictions and guidelines
For 802.1X to take effect on a port, you must enable it both globally and on the port.
Do not enable 802.1X on a port that is in a service loopback group.
If the PVID is a voice VLAN, the 802.1X feature cannot take effect on the port. For more information
about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable 802.1X globally.
dot1x
By default, 802.1X is disabled globally.
3. Enter interface view.
interface interface-type interface-number
4. Enable 802.1X on a port.
dot1x
By default, 802.1X is disabled on a port.
110
By default, the access device performs EAP termination and uses CHAP to communicate with
the RADIUS server.
111
the network through the port. The implementation of a mandatory authentication domain enhances
the flexibility of 802.1X access control deployment.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify a mandatory 802.1X authentication domain on the port.
dot1x mandatory-domain domain-name
By default, no mandatory 802.1X authentication domain is specified.
112
Configuring 802.1X reauthentication
Restrictions and guidelines
The device selects a periodic reauthentication timer for 802.1X reauthentication in the following
order:
1. Server-assigned reauthentication timer.
2. Port-specific reauthentication timer.
3. Global reauthentication timer.
4. Default reauthentication timer.
After you perform a manual reauthentication, the device reauthenticates all online 802.1X users on a
port regardless of the server-assigned reauthentication attribute and the periodic reauthentication
feature on the port.
Modification to the mandatory authentication domain or EAP message handling method setting does
not affect the reauthentication of online 802.1X users. The modified setting takes effect only on
802.1X users that come online after the modification.
If periodic reauthentication is triggered for a user while that user is waiting for online synchronization,
the system performs online synchronization and does not perform reauthentication for the user.
Procedure
1. Enter system view.
system-view
2. Set the periodic reauthentication timer.
{ Set a global periodic reauthentication timer.
dot1x timer reauth-period reauth-period-value
The default setting is 3600 seconds.
{ Execute the following commands in sequence to set a port-specific periodic
reauthentication timer:
interface interface-type interface-number
dot1x timer reauth-period reauth-period-value
quit
By default, no periodic reauthentication timer is set on a port. The port uses the global
802.1X periodic reauthentication timer.
3. Enter interface view.
interface interface-type interface-number
4. Enable periodic online user reauthentication.
dot1x re-authenticate
By default, the feature is disabled.
5. (Optional.) Manually reauthenticate all online 802.1X users on the port.
dot1x re-authenticate manual
6. (Optional.) Enable the keep-online feature for 802.1X users.
dot1x re-authenticate server-unreachable keep-online
By default, this feature is disabled. The device logs off online 802.1X users if no authentication
server is reachable for 802.1X reauthentication.
Use the keep-online feature according to the actual network condition. In a fast-recovery
network, you can use the keep-online feature to prevent 802.1X users from coming online and
going offline frequently.
113
Setting the quiet timer
About the quiet timer
The quiet timer enables the access device to wait a period of time before it can process any
authentication request from a client that has failed an 802.1X authentication.
Restrictions and guidelines
You can edit the quiet timer, depending on the network conditions.
• In a vulnerable network, set the quiet timer to a high value.
• In a high-performance network with quick authentication response, set the quiet timer to a low
value.
Procedure
1. Enter system view.
system-view
2. Enable the quiet timer.
dot1x quiet-period
By default, the timer is disabled.
3. Set the quiet timer.
dot1x timer quiet-period quiet-period-value
The default is 60 seconds.
114
Prerequisites
Before you configure an 802.1X guest VLAN, complete the following tasks:
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the 802.1X guest VLAN as an untagged member.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the 802.1X guest VLAN on the port.
dot1x guest-vlan guest-vlan-id
By default, no 802.1X guest VLAN exists on a port.
115
Configuring an 802.1X Auth-Fail VLAN
Restrictions and guidelines
• Assign different IDs to the port VLAN, the voice VLAN, and the 802.1X Auth-Fail VLAN on a port.
The assignment makes sure the port can correctly process VLAN-tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on
different ports can be different.
• When you configure multiple security features on a port, follow the guidelines in Table 13.
Table 13 Relationships of the 802.1X Auth-Fail VLAN with other features
Prerequisites
Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks:
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the Auth-Fail VLAN as an untagged member.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the 802.1X Auth-Fail VLAN on the port.
dot1x auth-fail vlan authfail-vlan-id
By default, no 802.1X Auth-Fail VLAN exists on a port.
116
Configuring an 802.1X critical VLAN
Restrictions and guidelines
• Assign different IDs to the PVID, the voice VLAN, and the 802.1X critical VLAN on a port. The
assignment makes sure the port can correctly process VLAN-tagged incoming traffic.
• You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on
different ports can be different.
• You cannot specify a VLAN as both a super VLAN and an 802.1X critical VLAN. For information
about super VLANs, see Layer 2—LAN Switching Configuration Guide.
Prerequisites
Before you configure an 802.1X critical VLAN, complete the following tasks:
• Create the VLAN to be specified as a critical VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the 802.1X critical VLAN as an untagged member.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the 802.1X critical VLAN on the port.
dot1x critical vlan critical-vlan-id
By default, no 802.1X critical VLAN exists on a port.
117
3. Enable the 802.1X critical voice VLAN feature on a port.
dot1x critical-voice-vlan
By default, the 802.1X critical voice VLAN feature is disabled on a port.
118
information about the parallel processing of MAC authentication and 802.1X authentication feature,
see "Configuring MAC authentication."
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable 802.1X guest VSI assignment delay on the port.
dot1x guest-vsi-delay { eapol | new-mac }
By default, 802.1X guest VSI assignment delay is disabled on a port.
119
• Enable MAC-based traffic match mode for dynamic Ethernet service instances on the port.
For more information, see VXLAN Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the 802.1X critical VSI on the port.
dot1x critical vsi critical-vsi-name
By default, no 802.1X critical VSI exists on a port.
120
dot1x unauthenticated-user aging enable
By default, 802.1X unauthenticated user aging is enabled.
121
By default, the device sends an EAP-Failure packet to an 802.1X client when its client user is
assigned to the critical VLAN or VSI on a port.
IMPORTANT:
This feature takes effect only when the device uses an IMC RADIUS server to authenticate 802.1X
users.
To ensure that the RADIUS server maintains the same online 802.1X user information as the device
after the server state changes from unreachable to reachable, use this feature.
This feature synchronizes online 802.1X user information between the device and the RADIUS
server when the RADIUS server state is detected having changed from unreachable to reachable.
When synchronizing online 802.1X user information on a port with the RADIUS server, the device
initiates 802.1X authentication in turn for each authenticated online 802.1X user to the RADIUS
server.
If synchronization fails for an online user, the device logs off that user unless the failure occurs
because the server has become unreachable again.
Restrictions and guidelines
The amount of time required to complete online user synchronization increases as the number of
online users grows. This might result in an increased delay for new 802.1X users and users in the
critical VLAN or VSI to authenticate or reauthenticate to the RADIUS server and come online.
To have this feature take effect, you must use it in conjunction with the RADIUS server status
detection feature, which is configurable with the radius-server test-profile command.
When you configure this feature, make sure the detection interval is shorter than the RADIUS server
quiet timer configured by using the timer quiet command in RADIUS scheme view. The server
state changes to active on expiration of the quiet timer regardless of its actual reachability. Setting a
shorter detection interval than the quiet timer prevents the RADIUS server status detection feature
from falsely reporting the server reachability.
For more information about the RADIUS server status detection feature, see "Configuring AAA."
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable 802.1X online user synchronization.
dot1x server-recovery online-user-sync
By default, 802.1X online user synchronization is disabled.
122
This feature provides the multicast trigger and unicast trigger (see 802.1X authentication initiation in
"802.1X overview").
Restrictions and guidelines
• Enable the multicast trigger on a port when the clients attached to the port cannot send
EAPOL-Start packets to initiate 802.1X authentication.
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and
these clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.
• As a best practice, do not use the unicast trigger on a port that performs port-based access
control. If you do so, users on the port might fail to come online correctly.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set the username request timeout timer.
dot1x timer tx-period tx-period-value
The default is 30 seconds.
3. Enter interface view.
interface interface-type interface-number
4. Enable an authentication trigger.
dot1x { multicast-trigger | unicast-trigger }
By default, the multicast trigger is enabled, and the unicast trigger is disabled.
123
tx-period-value command or the dot1x timer supp-timeout supp-timeout-value
command. The access device stops retransmitting the request if it has made the maximum number
of request transmission attempts but still receives no response.
Procedure
1. Enter system view.
system-view
2. Set the maximum number of attempts for sending an authentication request.
dot1x retry retries
The default setting is 2.
124
By default, the feature is enabled.
5. (Optional.) Enable the online user handshake security feature.
dot1x handshake secure
By default, the feature is disabled.
6. (Optional.) Enable the 802.1X online user handshake reply feature.
dot1x handshake reply enable
By default, the device does not reply to 802.1X clients' EAP-Response/Identity packets during
the online handshake process.
125
Specifying supported domain name delimiters
About supported domain name delimiters
By default, the access device supports the at sign (@) as the delimiter. You can also configure the
access device to accommodate 802.1X users that use other domain name delimiters. The
configurable delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/).
Usernames that include domain names can use the format of username@domain-name,
domain-name\username, username.domain-name, or username/domain-name.
If an 802.1X username string contains multiple configured delimiters, the rightmost delimiter is the
domain name delimiter. For example, if you configure the backslash (\), dot (.), and forward slash (/)
as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash
(\). The username is @abc and the domain name is 121.123/22.
Restrictions and guidelines
If a username string contains none of the delimiters, the access device authenticates the user in the
mandatory or default ISP domain.
If you configure the access device to send usernames with domain names to the RADIUS server,
make sure the domain delimiter can be recognized by the RADIUS server. For username format
configuration, see the user-name-format command in Security Command Reference.
Procedure
1. Enter system view.
system-view
2. Specify a set of domain name delimiters for 802.1X users.
dot1x domain-delimiter string
By default, only the at sign (@) delimiter is supported.
126
3. Remove the VLAN tags of all 802.1X protocol packets sent out of the port to 802.1X clients.
dot1x eapol untag
By default, whether the device removes the VLAN tags of all 802.1X protocol packets sent out
of a port to 802.1X clients depends on the configuration in the VLAN module.
127
dot1x user-ip freeze
By default, 802.1X user IP freezing is disabled.
128
• If you use free IP and Auth-Fail VLAN features together, make sure the resources in the
Auth-Fail VLAN are on the free IP segments.
• The server that provides the redirect URL must be on the free IP accessible to unauthenticated
users.
Procedure
1. Enter system view.
system-view
2. Enable the EAD assistant feature.
dot1x ead-assistant enable
By default, this feature is disabled.
3. Configure a free IP.
dot1x ead-assistant free-ip ip-address { mask-length | mask-address }
Repeat this command to configure multiple free IPs.
4. (Optional.) Configure the redirect URL if users will use Web browsers to access the network.
dot1x ead-assistant url url-string
By default, no redirect URL exists.
To redirect the HTTPS requests of 802.1X users, specify the HTTPS redirect listening port on
the device. For more information, see HTTP redirect in Layer 3—IP Services Configuration
Guide.
5. (Optional.) Set the EAD rule timer.
dot1x timer ead-timeout ead-timeout-value
The default setting is 30 minutes.
To avoid using up ACL resources when a large number of EAD users exist, you can shorten the
EAD rule timer.
129
2. Enable 802.1X EAP-TLS fragmentation and set the maximum EAP-TLS fragment size.
dot1x eap-tls-fragment to-server eap-tls-max-length
By default, EAP-TLS messages are not fragmented.
Task Command
Display 802.1X session information, display dot1x [ sessions | statistics ]
statistics, or configuration information of [ interface interface-type
specified or all ports. interface-number ]
display dot1x connection [ open ] [ interface
interface-type interface-number | slot
Display online 802.1X user information.
slot-number | user-mac mac-address |
user-name name-string ]
130
Task Command
display dot1x mac-address { auth-fail-vlan |
auth-fail-vsi | critical-vlan |
Display the MAC addresses of 802.1X
critical-vsi | guest-vlan | guest-vsi }
users in a type of 802.1X VLAN or VSI.
[ interface interface-type
interface-number ]
reset dot1x guest-vlan interface
Remove users from the 802.1X guest
interface-type interface-number
VLAN on a port.
[ mac-address mac-address ]
reset dot1x guest-vsi interface
Remove users from the 802.1X guest
interface-type interface-number
VSI on a port.
[ mac-address mac-address ]
reset dot1x statistics [ interface
Clear 802.1X statistics.
interface-type interface-number ]
Procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
131
1. Configure the RADIUS servers and add user accounts for the 802.1X users. Make sure the
RADIUS servers can provide authentication, authorization, and accounting services. (Details
not shown.)
2. Assign an IP address to each interface. (Details not shown.)
3. Configure user accounts for the 802.1X users on the access device:
# Add a local network access user with username localuser and password localpass in
plaintext. (Make sure the username and password are the same as those configured on the
RADIUS servers.)
<Device> system-view
[Device] local-user localuser class network
[Device-luser-network-localuser] password simple localpass
# Set the service type to lan-access.
[Device-luser-network-localuser] service-type lan-access
[Device-luser-network-localuser] quit
4. Configure a RADIUS scheme on the access device:
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2
[Device-radius-radius1] secondary accounting 10.1.1.2
# Specify the shared key between the access device and the authentication server.
[Device-radius-radius1] key authentication simple name
# Specify the shared key between the access device and the accounting server.
[Device-radius-radius1] key accounting simple money
# Exclude the ISP domain names from the usernames sent to the RADIUS servers.
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
NOTE:
The access device must use the same username format as the RADIUS server. If the RADIUS
server includes the ISP domain name in the username, so must the access device.
132
# Enable MAC-based access control on the port. By default, the port uses MAC-based access
control.
[Device-Twenty-FiveGigE1/0/1] dot1x port-method macbased
# Specify ISP domain bbb as the mandatory domain.
[Device-Twenty-FiveGigE1/0/1] dot1x mandatory-domain bbb
[Device-Twenty-FiveGigE1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
7. Configure the 802.1X client. If an iNode client is used, do not select the Carry version info
option in the client configuration. (Details not shown.)
Verifying the configuration
# Verify the 802.1X configuration on Twenty-FiveGigE 1/0/1.
[Device] display dot1x interface twenty-fivegige 1/0/1
# Display the user connection information after an 802.1X user passes authentication.
[Device] display dot1x connection
133
Figure 38 Network diagram
Procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
1. Configure the RADIUS server to provide authentication, authorization, and accounting services.
Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
(Details not shown.)
2. Create VLANs, and assign ports to the VLANs on the access device.
<Device> system-view
[Device] vlan 1
[Device-vlan1] port twenty-fivegige 1/0/2
[Device-vlan1] quit
[Device] vlan 10
[Device-vlan10] port twenty-fivegige 1/0/1
[Device-vlan10] quit
[Device] vlan 2
[Device-vlan2] port twenty-fivegige 1/0/4
[Device-vlan2] quit
[Device] vlan 5
[Device-vlan5] port twenty-fivegige 1/0/3
[Device-vlan5] quit
3. Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the
authentication port to 1812.
134
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port
to 1813.
[Device-radius-2000] primary accounting 10.11.1.1 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
4. Configure an ISP domain on the access device:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
5. Configure 802.1X on the access device:
# Enable 802.1X on Twenty-FiveGigE 1/0/2.
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] dot1x
# Implement port-based access control on the port.
[Device-Twenty-FiveGigE1/0/2] dot1x port-method portbased
# Set the port authorization mode to auto. By default, the port uses the auto mode.
[Device-Twenty-FiveGigE1/0/2] dot1x port-control auto
# Specify VLAN 10 as the 802.1X guest VLAN on Twenty-FiveGigE 1/0/2.
[Device-Twenty-FiveGigE1/0/2] dot1x guest-vlan 10
[Device-Twenty-FiveGigE1/0/2] quit
# Enable 802.1X globally.
[Device] dot1x
6. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the
access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.)
Verifying the configuration
# Verify the 802.1X guest VLAN configuration on Twenty-FiveGigE 1/0/2.
[Device] display dot1x interface twenty-fivegige 1/0/2
# Verify that Twenty-FiveGigE 1/0/2 is assigned to VLAN 10 before any user passes authentication
on the port.
[Device] display vlan 10
# After a user passes authentication, display information on Twenty-FiveGigE 1/0/2. Verify that
Twenty-FiveGigE 1/0/2 is assigned to VLAN 5.
[Device] display interface twenty-fivegige 1/0/2
135
Example: Configuring 802.1X with ACL assignment
Network configuration
As shown in Figure 39, the host that connects to Twenty-FiveGigE 1/0/1 must pass 802.1X
authentication to access the Internet.
Perform 802.1X authentication on Twenty-FiveGigE 1/0/1. Use the RADIUS server at 10.1.1.1 as the
authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting
server.
Configure ACL assignment on Twenty-FiveGigE 1/0/1 to deny access of 802.1X users to the FTP
server from 8:00 to 18:00 on weekdays.
Figure 39 Network diagram
Procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
1. Configure the RADIUS servers to provide authentication, authorization, and accounting
services. Add user accounts and specify the ACL (ACL 3000 in this example) for the users.
(Details not shown.)
2. Assign an IP address to each interface, as shown in Figure 39. (Details not shown.)
3. Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
<Device> system-view
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
136
[Device-radius-2000] quit
4. Configure an ISP domain on the access device:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
5. Configure a time range named ftp from 8:00 to 18:00 on weekdays on the access device.
[Device] time-range ftp 8:00 to 18:00 working-day
6. Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 during the
specified time range on the access device.
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0 time-range ftp
[Device-acl-ipv4-adv-3000] quit
7. Configure 802.1X on the access device:
# Enable 802.1X on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] dot1x
[Device-Twenty-FiveGigE1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
8. Configure the 802.1X client. Make sure the client is able to update its IP address after the
access port is assigned to the 802.1X guest VLAN or an authorization VLAN. (Details not
shown.)
Verifying the configuration
# Use the user account to pass authentication. (Details not shown.)
# Verify that the user cannot ping the FTP server at any time from 8:00 to 18:00 on any weekday.
C:\>ping 10.0.0.1
The output shows that ACL 3000 is active on the user, and the user cannot access the FTP server.
137
Example: Configuring 802.1X guest VSI and authorization
VSI
Network configuration
As shown in Figure 40:
• The device acts as both a VXLAN VTEP and a network access device. It uses the RADIUS
server to perform authentication, authorization, and accounting for 802.1X users that connect to
Twenty-FiveGigE 1/0/2.
• Twenty-FiveGigE 1/0/2 uses MAC-based access control and is configured with the 802.1X
guest VSI. VXLAN 10 is created on the guest VSI. Users in the guest VSI can access the
update server in VXLAN 10 and download the 802.1X client software.
• The RADIUS server assigns an authorization VSI to the host. The VSI is associated with
VXLAN 5 on the device. After passing authentication, the host can access the Internet.
Figure 40 Network diagram
Update server RADIUS server
VXLAN 10
VLAN 1
VXLAN 5
WGE1/0/2
Device
(VTEP)
Internet
Host
WGE1/0/2 is moved to VXLAN 10
on the guest VSI
VXLAN 10
User passes authentication
Host Host
Procedure
For information about the RADIUS commands used on the access device in this example, see
Security Command Reference.
1. Configure the RADIUS server to provide authentication, authorization, and accounting services.
Configure user accounts and authorization VSI (VSI vpn5 in this example) for the users.
(Details not shown.)
If an ADCAM server is used for authentication and authorization, configure VSIs on the server.
The server will assign these VSIs to the device. You do not need to configure VSIs on the
device.
2. Enable L2VPN on the access device.
<Device> system-view
138
[Device] l2vpn enable
3. Create VSIs and the corresponding VXLANs on the access device.
[Device] vsi vpn10
[Device-vsi-vpn10] vxlan 10
[Device-vsi-vpn10-vxlan-10] quit
[Device-vsi-vpn10] quit
[Device] vsi vpn5
[Device-vsi-vpn5] vxlan 5
[Device-vsi-vpn5-vxlan-5] quit
[Device-vsi-vpn5] quit
4. Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the
authentication port to 1812.
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port
to 1813.
[Device-radius-2000] primary accounting 10.11.1.1 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the authentication and
accounting servers.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5. Configure an ISP domain on the access device:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6. Configure 802.1X on the access device:
# Enable 802.1X on Twenty-FiveGigE 1/0/2.
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] dot1x
# Set the port authorization mode to auto. By default, the port uses the auto mode.
[Device-Twenty-FiveGigE1/0/2] dot1x port-control auto
# Enable MAC-based traffic matching for dynamic Ethernet service instances on
Twenty-FiveGigE 1/0/2.
[Device-Twenty-FiveGigE1/0/2] mac-based ac
# Enable 802.1X unicast trigger on Twenty-FiveGigE 1/0/2.
139
[Device-Twenty-FiveGigE1/0/2] dot1x unicast-trigger
# Specify VSI vpn10 as the 802.1X guest VSI on Twenty-FiveGigE 1/0/2.
[Device-Twenty-FiveGigE1/0/2] dot1x guest-vsi vpn10
[Device-Twenty-FiveGigE1/0/2] quit
# Enable 802.1X globally.
[Device] dot1x
7. Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the
access port is assigned to the guest VSI or an authorization VSI. (Details not shown.)
Verifying the configuration
# Verify that Twenty-FiveGigE 1/0/2 is assigned to VSI vpn10 if no responses are received from the
client after 802.1X authentication is triggered.
[Device] display l2vpn forwarding ac verbose
# Verify that Twenty-FiveGigE 1/0/2 is assigned to VSI vpn5 after a user passes authentication on
the port.
[Device] display l2vpn forwarding ac verbose
140
Figure 41 Network diagram
Procedure
1. Make sure the DHCP server, the Web server, and the authentication servers have been
configured correctly. (Details not shown.)
2. Configure an IP address for each interface. (Details not shown.)
3. Configure DHCP relay:
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select relay
# Specify the DHCP server 192.168.2.2 on the relay agent interface VLAN-interface 2.
[Device-Vlan-interface2] dhcp relay server-address 192.168.2.2
[Device-Vlan-interface2] quit
4. Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
141
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5. Configure an ISP domain:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6. Configure 802.1X:
# Configure the free IP.
[Device] dot1x ead-assistant free-ip 192.168.2.0 24
# Configure the redirect URL for client software download.
[Device] dot1x ead-assistant url http://192.168.2.3
# Enable the EAD assistant feature.
[Device] dot1x ead-assistant enable
# Enable 802.1X on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] dot1x
[Device-Twenty-FiveGigE1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
# Verify that you can ping an IP address on the free IP subnet from a host.
C:\>ping 192.168.2.3
The output shows that you can access the free IP subnet before passing 802.1X authentication.
# Verify that you are redirected to the Web server when you enter in your Web browser an IP address
not on the free IP. (Details not shown.)
142
Example: Configuring 802.1X with EAD assistant (with DHCP
server)
Network configuration
As shown in Figure 42:
• The intranet 192.168.1.0/24 is attached to Twenty-FiveGigE 1/0/1 of the access device.
• The hosts use DHCP to obtain IP addresses.
• A Web server is deployed on the 192.168.2.0/24 subnet for users to download client software.
Deploy an EAD solution for the intranet to meet the following requirements:
• Allow unauthenticated users and users that have failed 802.1X authentication to access
192.168.2.0/24. The users can download software.
• If these users use a Web browser to access a network other than 192.168.2.0/24, redirect them
to the Web server for 802.1X client downloading.
• Allow authenticated 802.1X users to access the network.
Figure 42 Network diagram
Procedure
1. Make sure the Web server and the authentication servers have been configured correctly.
(Details not shown.)
2. Configure an IP address for each interface. (Details not shown.)
3. Configure the DHCP server:
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Enable the DHCP server on VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select server
[Device-Vlan-interface2] quit
# Create DHCP address pool 0.
143
[Device] dhcp server ip-pool 0
# Specify subnet 192.168.1.0/24 in DHCP address pool 0.
[Device-dhcp-pool-0] network 192.168.1.0 mask 255.255.255.0
# Specify the gateway address 192.168.1.1 in DHCP address pool 0.
[Device-dhcp-pool-0] gateway-list 192.168.1.1
[Device-dhcp-pool-0] quit
4. Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5. Configure an ISP domain:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6. Configure 802.1X:
# Configure the free IP.
[Device] dot1x ead-assistant free-ip 192.168.2.0 24
# Configure the redirect URL for client software download.
[Device] dot1x ead-assistant url http://192.168.2.3
# Enable the EAD assistant feature.
[Device] dot1x ead-assistant enable
# Enable 802.1X on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] dot1x
[Device-Twenty-FiveGigE1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
144
Verifying the configuration
# Verify the 802.1X configuration.
[Device] display dot1x
# Verify that you can ping an IP address on the free IP subnet from a host.
C:\>ping 192.168.2.3
The output shows that you can access the free IP subnet before passing 802.1X authentication.
# Verify that you are redirected to the Web server when you enter in your Web browser an IP address
not on the free IP. (Details not shown.)
Troubleshooting 802.1X
EAD assistant URL redirection failure
Symptom
Unauthenticated users are not redirected to the specified redirect URL after they enter external
website addresses in their Web browsers.
Analysis
Redirection will not happen for one of the following reasons:
• The address is in the string format. The operating system of the host regards the string as a
website name and tries to resolve the string. If the resolution fails, the operating system sends
an ARP request, but the target address is not in the dotted decimal notation. The redirection
feature does redirect this kind of ARP request.
• The address is within a free IP segment. No redirection will take place, even if no host is present
with the address.
• The redirect URL is not in a free IP segment.
• No server is using the redirect URL, or the server with the URL does not provide Web services.
Solution
To resolve the issue:
1. Enter a dotted decimal IP address that is not in any free IP segments.
2. Verify that the access device and the server are configured correctly.
3. If the issue persists, contact Hewlett Packard Enterprise Support.
145
Configuring MAC authentication
About MAC authentication
MAC authentication controls network access by authenticating source MAC addresses on a port.
The feature does not require client software, and users do not have to enter a username and
password for network access. The device initiates a MAC authentication process when it detects an
unknown source MAC address on a MAC authentication-enabled port. If the MAC address passes
authentication, the user can access authorized network resources. If the authentication fails, the
device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer.
The device drops all subsequent packets from the MAC address within the quiet time. The quiet
mechanism avoids repeated authentication during a short time.
Device
Local user account
abc
Host User account
MAC: 1-1-1
RADIUS user account
Fixed account
Username/Password abc
Username:abc
Password:123 (abc/123)
146
Authentication methods
You can perform MAC authentication on the access device (local authentication) or through a
RADIUS server.
For more information about configuring local authentication and RADIUS authentication, see
"Configuring AAA."
RADIUS authentication
If MAC-based accounts are used, the access device sends the source MAC address of a packet as
the username and password to the RADIUS server for authentication. If a password is configured for
MAC-based accounts, the access device sends the configured password as the password to the
RADIUS server.
If a shared account is used, the access device sends the shared account username and password to
the RADIUS server for authentication.
The access device and the RADIUS server use Password Authentication Protocol (PAP) or
Challenge Handshake Authentication Protocol (CHAP) for communication.
Local authentication
If MAC-based accounts are used, the access device uses the source MAC address of a packet as
the username and password to search the local account database for a match. If a password is
configured for MAC-based accounts, the device uses the configured password to search the local
account database for a match.
If a shared account is used, the access device uses the shared account username and password to
search the local account database for a match.
VLAN assignment
Authorization VLAN
The authorization VLAN controls the access of a MAC authentication user to authorized network
resources. The device supports authorization VLANs assigned locally or by a remote server.
IMPORTANT:
Only remote servers can assign tagged authorization VLANs.
147
The t and u suffixes require the device to assign the access port to the VLAN as a tagged or
untagged member, respectively. For example, 2u indicates assigning the port to VLAN 2 as an
untagged member.
If a VLAN name or VLAN group name is assigned, the device converts the information into a VLAN
ID before VLAN assignment.
IMPORTANT:
For a VLAN represented by its VLAN name to be assigned successfully, you must make sure the
VLAN has been created on the device.
To assign VLAN IDs with suffixes, make sure the access port is a hybrid or trunk port.
IMPORTANT:
To ensure a successful assignment, the authorization VLANs assigned by the remote server cannot
be any of the following types:
• Dynamically learned VLANs.
• Reserved VLANs.
• Super VLANs.
• Private VLANs.
If the server assigns a group of VLANs, the access device selects a VLAN as described in Table 14.
Table 14 Authorization VLAN selection from a group of VLANs
148
Local VLAN authorization
To perform local VLAN authorization for a user, specify the VLAN ID in the authorization attribute list
of the local user account for that user. For each local user, you can specify only one authorization
VLAN ID. The port through which the user accesses the device is assigned to the VLAN as an
untagged member.
IMPORTANT:
Local VLAN authorization does not support assignment of tagged VLANs.
For more information about local user configuration, see "Configuring AAA."
Authorization VLAN manipulation for a MAC authentication-enabled port
Table 15 describes the way the network access device handles authorization VLANs (except for the
VLANs specified with suffixes) for MAC authenticated users on a port.
Table 15 VLAN manipulation
IMPORTANT:
• For users attached to an access port, make sure the authorization VLAN assigned by the server
has the untagged attribute. VLAN assignment will fail if the server issues a VLAN that has the
tagged attribute.
• When you assign VLANs to users attached to a trunk port or a MAC-based VLAN disabled hybrid
port, make sure there is only one untagged VLAN. If a different untagged VLAN is assigned to a
subsequent user, the user cannot pass authentication.
• As a best practice to enhance network security, do not use the port hybrid vlan command
to assign a hybrid port to an authorization VLAN as a tagged member.
Whether the authorization VLAN of an authenticated user takes effect on the MAC
authentication-enabled port depends on the port link type and VLAN tagging mode.
• If the port is an access or trunk port, the authorization VLAN always takes effect.
• If the port is a hybrid port, the device compares the VLAN tagging mode assigned by the server
with the VLAN tagging mode configured on the port for the authorization VLAN.
{ If the VLAN tagging modes are the same one (tagged or untagged), the authorization VLAN
takes effect.
{ If the VLAN tagging modes are different, the configuration on the port takes effect instead of
the assigned information.
Authorization VLAN assignment does not affect the VLAN configuration on the MAC
authentication-enabled port. After the user is logged off, the original VLAN configuration on the port
is restored.
For a MAC authenticated user to access the network on a hybrid port when no authorization VLANs
are assigned to the user, perform either of the following tasks:
149
• If the port receives tagged authentication packets from the user in a VLAN, use the port
hybrid vlan command to configure the port as a tagged member in the VLAN.
• If the port receives untagged authentication packets from the user in a VLAN, use the port
hybrid vlan command to configure the port as an untagged member in the VLAN.
Guest VLAN
The MAC authentication guest VLAN on a port accommodates users that have failed MAC
authentication for any reason other than server unreachable. For example, the VLAN
accommodates users with invalid passwords entered.
You can deploy a limited set of network resources in the MAC authentication guest VLAN. For
example, a software server for downloading software and system patches.
A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After
the assignment, do not reconfigure the port as a tagged member in the VLAN.
The device reauthenticates users in the MAC authentication guest VLAN at a specific interval. Table
16 shows the way that the network access device handles guest VLANs for MAC authentication
users.
Table 16 VLAN manipulation
Critical VLAN
The MAC authentication critical VLAN on a port accommodates users that have failed MAC
authentication because no RADIUS authentication servers are reachable. Users in a MAC
authentication critical VLAN can access only network resources in the critical VLAN.
The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS
servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user
is not assigned to the critical VLAN. For more information about the authentication methods, see
"Configuring AAA."
Table 17 shows the way that the network access device handles critical VLANs for MAC
authentication users.
Table 17 VLAN manipulation
150
Authentication status VLAN manipulation
A user in the MAC authentication guest VLAN The user remains in the MAC authentication guest VLAN.
fails authentication because all the RADIUS
servers are unreachable.
151
VSI manipulation
MAC authentication support for VXLANs
As shown in Figure 45, when the device acts as both a VXLAN VTEP and a NAS, users' service
information cannot be identified by VLANs. To resolve this issue, you must configure the RADIUS
server to assign VSIs to MAC authenticated users. The NAS will map a user's traffic to the VXLAN
that is associated with the user's authorization VSI. The mapping criteria include the user's access
VLAN, access port, and MAC address.
For information about VSIs and VXLANs, see VXLAN Configuration Guide.
Figure 45 VXLAN network diagram for MAC authentication
Authorization VSI
An authorization VSI is associated with a VXLAN that has network resources inaccessible to
unauthenticated users.
MAC authentication supports remote VSI authorization. If the VTEP does not receive authorization
VSI information for a MAC authentication user from the remote server, the user cannot access
resources in any VXLAN after passing authentication. If the VTEP receives authorization VSI
information for the user from the remote server, it performs the following operations:
• Dynamically creates an Ethernet service instance according to the user's access port, VLAN,
and MAC address.
• Maps the Ethernet service instance to the authorization VSI.
The user then can access resources in the VXLAN associated with the authorization VSI.
For information about dynamic creation of Ethernet service instances, see VXLAN configuration
Guide.
152
Guest VSI
The MAC authentication guest VSI on a port accommodates users that have failed MAC
authentication for any reason other than server unreachable. For example, the VSI accommodates
users with invalid passwords entered.
You can deploy a limited set of network resources in the VXLAN that is associated with the MAC
authentication guest VSI. For example, a software server for downloading software and system
patches.
Table 19 shows the way that the VTEP handles guest VSIs for MAC authentication users.
Table 19 VSI manipulation
Critical VSI
The MAC authentication critical VSI on a port accommodates users that have failed MAC
authentication because no RADIUS authentication servers are reachable. Users in a MAC
authentication critical VSI can access only network resources in the VXLAN associated with this VSI.
The critical VSI feature takes effect when MAC authentication is performed only through RADIUS
servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user
is not assigned to the critical VSI. For more information about the authentication methods, see
"Configuring AAA."
Table 20 shows the way that the VTEP handles critical VSIs for MAC authentication users.
Table 20 VSI manipulation
A user in the MAC authentication critical VSI If a guest VSI has been configured, the VTEP maps the
fails MAC authentication for any reason other user's MAC address and access VLAN to the guest VSI.
than server unreachable. If no guest VSI is configured, the VTEP logs off the user.
A user in the MAC authentication guest VSI The user remains in the MAC authentication guest VSI.
fails authentication because all the RADIUS
servers are unreachable.
153
Authentication status VSI manipulation
ACL assignment
You can specify an authorization ACL in the user account for a MAC authentication user on the
authentication server to control the user's access to network resources. After the user passes MAC
authentication, the authentication server (local or remote) assigns the authorization ACL to the
access port of the user. The ACL will filter traffic for this user by permitting or denying matching traffic.
You must configure ACL rules for the authorization ACL on the access device for the ACL
assignment feature.
To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
• Specify another authorization ACL on the authentication server.
The supported authorization ACLs include the following types:
• Basic ACLs, which are numbered in the range of 2000 to 2999.
• Advanced ACLs, which are numbered in the range of 3000 to 3999.
• Layer 2 ACLs, which are numbered in the range of 4000 to 4999.
For an authorization ACL to take effect, the following requirements must be met:
• The ACL exists with rules.
• The rules contain only match criteria that are specified by using the dscp, source,
destination, type, source-port, and destination-port keywords.
• If the source-port or destination-port criterion exists, make sure only one source port
or one destination port is specified.
For more information about ACLs, see ACL and QoS Configuration Guide.
154
records the MAC address of the user and uses a DM (Disconnect Message) to log off the user. When
the user initiates MAC authentication again, it will pass the authentication and come online
successfully.
To redirect the HTTPS requests of MAC authentication users, specify the HTTPS redirect listening
port on the device. For more information, see HTTP redirect in Layer 3—IP Services Configuration
Guide.
155
By default, the device logs off online MAC authentication users if no server is reachable for MAC
reauthentication. The keep-online feature keeps authenticated MAC authentication users online
when no server is reachable for MAC reauthentication.
The VLANs assigned to an online user before and after reauthentication can be the same or
different.
156
1. Enabling MAC authentication
2. Configure basic MAC authentication features
{ Specifying a MAC authentication method
{ Specifying a MAC authentication domain
{ Configuring the user account format
{ (Optional.) Configuring MAC authentication timers
{ (Optional.) Configuring periodic MAC reauthentication
3. (Optional.) Configuring MAC authentication VLAN assignment
{ Configuring a MAC authentication guest VLAN
{ Configuring a MAC authentication critical VLAN
{ Enabling the MAC authentication critical voice VLAN feature
4. (Optional.) Configuring MAC authentication VSI assignment
{ Configuring a MAC authentication guest VSI
{ Configuring a MAC authentication critical VSI
5. (Optional.) Configuring other MAC authentication features
{ Configuring user aging for unauthenticated MAC authentication users
{ Configuring MAC authentication offline detection
{ Enabling online user synchronization for MAC authentication
{ Setting the maximum number of concurrent MAC authentication users on a port
{ Enabling MAC authentication multi-VLAN mode on a port
Perform this task to not reauthenticate online users when VLAN changes occur on a port.
{ Configuring MAC authentication delay
{ Including user IP addresses in MAC authentication requests
{ Enabling parallel processing of MAC authentication and 802.1X authentication
{ Logging off MAC authentication users
{ Enabling MAC authentication user logging
157
The following MAC authentication enabling operations cannnot take effect if you perform them when
the device has run out of ACL resources:
• Enable MAC authentication on a Layer 2 Ethernet interface or Layer 2 aggregate interface.
• Enable MAC authentication globally.
Procedure
1. Enter system view.
system-view
2. Enable MAC authentication globally.
mac-authentication
By default, MAC authentication is disabled globally.
3. Enter interface view.
interface interface-type interface-number
4. Enable MAC authentication on the port.
mac-authentication
By default, MAC authentication is disabled on a port.
158
MAC authentication chooses an authentication domain for users on a port in this order: the
port-specific domain, the global domain, and the default domain. For more information about
authentication domains, see "Configuring AAA."
Procedure
1. Enter system view.
system-view
2. Specify an authentication domain for MAC authentication users.
{ In system view:
mac-authentication domain domain-name
{ In interface view:
interface interface-type interface-number
mac-authentication domain domain-name
By default, the system default authentication domain is used for MAC authentication users.
159
Restrictions and guidelines
To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value
that is lower than or equal to the product of the following values:
• The maximum number of RADIUS packet transmission attempts set by using the retry
command in RADIUS scheme view.
• The RADIUS server response timeout timer set by using the timer response-timeout
command in RADIUS scheme view.
For information about setting the maximum number of RADIUS packet transmission attempts and
the RADIUS server response timeout timer, see "Configuring AAA."
Procedure
1. Enter system view.
system-view
2. Configure MAC authentication timers.
mac-authentication timer { offline-detect offline-detect-value |
quiet quiet-value | server-timeout server-timeout-value }
By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server
timeout timer is 100 seconds.
160
3. Enter interface view.
interface interface-type interface-number
4. Enable periodic MAC reauthentication.
mac-authentication re-authenticate
By default, periodic MAC reauthentication is disabled on a port.
5. (Optional.) Enable the keep-online feature for MAC authenticated users on the port.
mac-authentication re-authenticate server-unreachable keep-online
By default, the keep-online feature is disabled. The device logs off online MAC authentication
users if no server is reachable for MAC reauthentication.
In a fast-recovery network, you can use the keep-online feature to prevent MAC authentication
users from coming online and going offline frequently.
Prerequisites
Before you configure the MAC authentication guest VLAN on a port, complete the following tasks:
• Create the VLAN to be specified as the MAC authentication guest VLAN.
• Configure the port as a hybrid port, and configure the VLAN as an untagged member on the
port.
• Enable MAC-based VLAN on the port.
For information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify the MAC authentication guest VLAN on the port.
mac-authentication guest-vlan guest-vlan-id
By default, no MAC authentication guest VLAN is specified on a port.
161
You can configure only one MAC authentication guest VLAN on a port. The MAC authentication
guest VLANs on different ports can be different.
4. Set the authentication interval for users in the MAC authentication guest VLAN.
mac-authentication guest-vlan auth-period period-value
The default setting is 30 seconds.
Prerequisites
Before you configure the MAC authentication critical VLAN on a port, complete the following tasks:
• Create the VLAN to be specified as the MAC authentication critical VLAN.
• Configure the port as a hybrid port, and configure the VLAN as an untagged member on the
port.
• Enable MAC-based VLAN on the port.
For information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify the MAC authentication critical VLAN on the port.
mac-authentication critical vlan critical-vlan-id
By default, no MAC authentication critical VLAN is specified on a port.
You can configure only one MAC authentication critical VLAN on a port. The MAC
authentication critical VLANs on different ports can be different.
162
Enabling the MAC authentication critical voice
VLAN feature
Prerequisites
Before you enable the MAC authentication critical voice VLAN feature on a port, complete the
following tasks:
• Enable LLDP both globally and on the port.
The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN
Switching Configuration Guide.
• Enable voice VLAN on the port.
For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the MAC authentication critical voice VLAN feature on a port.
mac-authentication critical-voice-vlan
By default, the MAC authentication critical voice VLAN feature is disabled on a port.
163
By default, no MAC authentication guest VSI exists on a port.
4. (Optional.) Set the authentication interval for users in the MAC authentication guest VSI.
mac-authentication guest-vsi auth-period period-value
The default setting is 30 seconds.
164
Restrictions and guidelines
As a best practice, use this feature on a port only if you want to have its unauthenticated users to be
authenticated and come online on a different port.
Procedure
1. Enter system view.
system-view
2. Set the user aging timer for a type of MAC authentication VLAN or VSI.
mac-authentication timer user-aging { critical-vlan | critical-vsi
| guest-vlan | guest-vsi } aging-time-value
By default, the user aging timer is 1000 seconds for all applicable types of MAC authentication
VLANs and VSIs.
3. Enter interface view.
interface interface-type interface-number
4. Enable user aging for unauthenticated MAC authentication users.
mac-authentication unauthenticated-user aging enable
By default, user aging is enabled for unauthenticated MAC authentication users.
165
3. Port-based offline detection settings.
Restrictions and guidelines
For the user-specific offline detection feature to take effect on a user, make sure the MAC
authentication offline detection feature is enabled on the user's access port.
The user-specific offline detection settings take effect on the online users immediately after they are
configured.
If you enable MAC authentication offline detection on a Layer 2 aggregate interface, delay exists for
the device to log off an idle user.
Procedure
1. Enter system view.
system-view
2. (Optional.) Configure MAC authentication offline detection for a user.
mac-authentication offline-detect mac-address mac-address { ignore
| timer offline-detect-value [ check-arp-or-nd-snooping ] }
By default, offline detection settings configured on access ports take effect and the offline
detect timer set in system view is used.
3. Enter interface view.
interface interface-type interface-number
4. Enable MAC authentication offline detection.
mac-authentication offline-detect enable
By default, MAC authentication offline detection is enabled on a port.
IMPORTANT:
This feature takes effect only when the device uses an IMC RADIUS server to authenticate MAC
authentication users.
To ensure that the RADIUS server maintains the same online MAC authentication user information
as the device after the server state changes from unreachable to reachable, use this feature.
This feature synchronizes online MAC authentication user information between the device and the
RADIUS server when the RADIUS server state is detected having changed from unreachable to
reachable.
When synchronizing online MAC authentication user information on a port with the RADIUS server,
the device initiates MAC authentication in turn for each authenticated online MAC authentication
user to the RADIUS server.
If synchronization fails for an online user, the device logs off that user unless the failure occurs
because the server has become unreachable again.
Restrictions and guidelines
The amount of time required to complete online user synchronization increases as the number of
online users grows. This might result in an increased delay for new MAC authentication users and
users in the critical VLAN or VSI to authenticate or reauthenticate to the RADIUS server and come
online.
166
To have this feature take effect, you must use it in conjunction with the RADIUS server status
detection feature, which is configurable with the radius-server test-profile command.
When you configure this feature, make sure the detection interval is shorter than the RADIUS server
quiet timer configured by using the timer quiet command in RADIUS scheme view. The server
state changes to active on expiration of the quiet timer regardless of its actual reachability. Setting a
shorter detection interval than the quiet timer prevents the RADIUS server status detection feature
from falsely reporting the server reachability.
For more information about the RADIUS server status detection feature, see "Configuring AAA."
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable online user synchronization for MAC authentication.
mac-authentication server-recovery online-user-sync
By default, online user synchronization for MAC authentication is disabled.
167
In multi-VLAN mode, the device creates a new MAC-VLAN mapping for an online user when that
user moves from one VLAN to another. The original MAC-VLAN mapping of the user remains on the
device until it dynamically ages out.
In single-VLAN mode, the device handles the movement depending on authorization VLAN
assignment:
• If no authorization VLAN has been assigned to the online user, the device first logs off and then
reauthenticates the user in the new VLAN.
• In Release 6553, if the online user has been assigned an authorization VLAN, the device
reauthenticates the user in the new VLAN without logging it off from the original VLAN.
• In Release 6555 and later, if the online user has been assigned an authorization VLAN, the
device handles the user depending on the status of the port security MAC move feature.
{ If port security MAC move is disabled, the user cannot pass authentication and come online
from the new VLAN until after it goes offline from the original VLAN.
{ If port security MAC move is enabled, the user can pass authentication on the new VLAN
and come online without having to first go offline from the original VLAN. After the user
passes authentication on the new VLAN, the authentication session of that user is deleted
from the original VLAN.
To enable the port security MAC move feature, use the port-security mac-move permit
command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MAC authentication multi-VLAN mode.
mac-authentication host-mode multi-vlan
By default, MAC authentication operates in single-VLAN mode on a port.
168
mac-authentication timer auth-delay time
By default, MAC authentication delay is disabled.
IMPORTANT:
This feature can only operate in conjunction with an IMC server.
To avoid IP conflicts that result from changes to static IP addresses, use this feature on a port that
has MAC authentication users that use static IP addresses.
This feature adds user IP addresses to the MAC authentication requests sent to the authentication
server. When MAC authentication is triggered for a user, the device checks the user's IP address for
invalidity.
• If the IP address is valid, the device sends a MAC authentication request with the IP address
included.
• If the IP address is not a valid host IP address or the triggering packet does not contain an IP
address, the device does not initiate MAC authentication.
• If the packet is a DHCP packet with a source IP address of 0.0.0.0, the device sends a MAC
authentication request without including the IP address. In this case, the IMC server does not
examine the user IP address when it performs authentication.
Upon receipt of the authentication request that includes a user's IP address, the IMC server
compares the user's IP and MAC addresses with its local IP-MAC mappings.
• If an exact match is found or if no match is found, the user passes MAC authentication. In the
latter case, the server creates an IP-MAC mapping for the user.
• If a mapping is found for the MAC address but the IP addresses do not match, the user fails the
MAC authentication.
IMPORTANT:
If the user host is configured with IPv6, the device might receive packets that contain an IPv6
link-local address, which starts with fe80. MAC authentication failure will occur if this address is used
in MAC authentication. To avoid MAC authentication failure, configure a basic ACL to exclude the
IPv6 IP addresses that start with fe80.
169
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Include user IP addresses in MAC authentication requests.
mac-authentication carry user-ip [ exclude-ip acl acl-number ]
By default, a MAC authentication request does not include the user IP address.
170
interface interface-type interface-number
3. Enable parallel processing of MAC authentication and 802.1X authentication on the port.
mac-authentication parallel-with-dot1x
By default, this feature is disabled.
Task Command
display mac-authentication [ interface
Display MAC authentication information.
interface-type interface-number ]
171
Task Command
display mac-authentication connection
[ open ] [ interface interface-type
Display MAC authentication connections. interface-number | slot slot-number |
user-mac mac-address | user-name
user-name ]
display mac-authentication
Display the MAC addresses of MAC mac-address { critical-vlan |
authentication users in a type of MAC critical-vsi | guest-vlan | guest-vsi }
authentication VLAN or VSI. [ interface interface-type
interface-number ]
reset mac-authentication statistics
Clear MAC authentication statistics. [ interface interface-type
interface-number ]
reset mac-authentication critical
Remove users from the MAC authentication vlan interface interface-type
critical VLAN on a port. interface-number [ mac-address
mac-address ]
reset mac-authentication
Remove users from the MAC authentication critical-voice-vlan interface
critical voice VLAN on a port. interface-type interface-number
[ mac-address mac-address ]
reset mac-authentication guest-vlan
Remove users from the MAC authentication interface interface-type
guest VLAN on a port. interface-number [ mac-address
mac-address ]
reset mac-authentication critical vsi
Remove users from the MAC authentication interface interface-type
critical VSI on a port. interface-number [ mac-address
mac-address ]
reset mac-authentication guest-vsi
Remove users from the MAC authentication interface interface-type
guest VSI on a port. interface-number [ mac-address
mac-address ]
172
• Use the MAC address of each user as both the username and password for authentication. The
MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.
Figure 46 Network diagram
Procedure
# Add a network access local user. In this example, configure both the username and password as
Host A's MAC address 00-e0-fc-12-34-56.
<Device> system-view
[Device] local-user 00-e0-fc-12-34-56 class network
[Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
# Configure ISP domain bbb to perform local authentication for LAN users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit
# Use the MAC address of each user as both the username and password for MAC authentication.
The MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
173
Password : Not configured
Offline detect period : 180 s
Quiet period : 180 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for critical VSI : 1000 s
User aging period for guest VLAN : 1000 s
User aging period for guest VSI : 1000 s
Authentication domain : bbb
Online MAC-auth wired users : 1
Twenty-FiveGigE1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Enabled
The output shows that Host A has passed MAC authentication and has come online. Host B failed
MAC authentication and its MAC address is marked as a silent MAC address.
174
Example: Configuring RADIUS-based MAC authentication
Network configuration
As shown in Figure 47, the device uses RADIUS servers to perform authentication, authorization,
and accounting for users. The RADIUS servers use the CHAP authentication method.
To control user access to the Internet by MAC authentication, perform the following tasks:
• Enable MAC authentication globally and on Twenty-FiveGigE 1/0/1.
• Configure the device to use CHAP for MAC authentication.
• Configure the device to detect whether a user has gone offline every 180 seconds.
• Configure the device to deny a user for 180 seconds if the user fails MAC authentication.
• Configure all users to belong to ISP domain bbb.
• Use a shared user account for all users, with username aaa and password 123456.
Figure 47 Network diagram
RADIUS servers
Auth:10.1.1.1
Acct:10.1.1.2
WGE1/0/1
IP network
Host Device
Procedure
Make sure the RADIUS servers and the access device can reach each other.
1. Configure the RADIUS servers to provide authentication, authorization, and accounting
services. Create a shared account with username aaa and password 123456 for MAC
authentication users. (Details not shown.)
2. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Specify CHAP as the authentication method for MAC authentication.
[Device] mac-authentication authentication-method chap
# Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and
accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
175
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Enable MAC authentication on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-authentication
[Device-Twenty-FiveGigE1/0/1] quit
# Specify the MAC authentication domain as ISP domain bbb.
[Device] mac-authentication domain bbb
# Set MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Specify username aaa and password 123456 in plain text for the account shared by MAC
authentication users.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456
# Enable MAC authentication globally.
[Device] mac-authentication
Twenty-FiveGigE1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
176
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Enabled
RADIUS servers
Auth:10.1.1.1
Acct:10.1.1.2
WGE1/0/1
Internet
Procedure
Make sure the RADIUS servers and the access device can reach each other.
1. Configure the RADIUS servers:
177
# Configure the RADIUS servers to provide authentication, authorization, and accounting
services. (Details not shown.)
# Add a user account with 00-e0-fc-12-34-56 as both the username and password on each
RADIUS server. (Details not shown.)
# Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
2. Configure ACL 3000 to deny packets destined for 10.0.0.1 on the device.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Device-acl-ipv4-adv-3000] quit
3. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and
accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain bbb
# Use the MAC address of each user as both the username and password for MAC
authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters
are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-authentication
[Device-Twenty-FiveGigE1/0/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
178
Quiet period : 60 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for critical VSI : 1000 s
User aging period for guest VLAN : 1000 s
User aging period for guest VSI : 1000 s
Authentication domain : bbb
Online MAC-auth wired users : 1
Twenty-FiveGigE1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Enabled
# Verify that you cannot ping the FTP server from the host.
C:\>ping 10.0.0.1
179
Request timed out.
The output shows that ACL 3000 has been assigned to Twenty-FiveGigE 1/0/1 to deny access to the
FTP server.
WGE1/0/1
Internet
Device
Host VXLAN
(VTEP)
Procedure
Make sure the RADIUS servers and the access device can reach each other.
1. Configure the RADIUS servers:
# Configure the RADIUS servers to provide authentication, authorization, and accounting
services. (Details not shown.)
# Add a user account with d4-85-64-be-c6-3e as both the username and password on each
RADIUS server. (Details not shown.)
# Specify VSI bbb as the authorization VSI for the user account. (Details not shown.)
NOTE:
If an ADCAM server is used for authentication and authorization, configure VSIs on the server.
The server will assign these VSIs to the device. You do not need to configure VSIs on the
device.
180
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme bbb
[Device-radius-bbb] primary authentication 10.1.1.1
[Device-radius-bbb] primary accounting 10.1.1.2
[Device-radius-bbb] key authentication simple bbb
[Device-radius-bbb] key accounting simple bbb
[Device-radius-bbb] user-name-format without-domain
[Device-radius-bbb] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and
accounting.
[Device] domain 2000
[Device-isp-2000] authentication lan-access radius-scheme bbb
[Device-isp-2000] authorization lan-access radius-scheme bbb
[Device-isp-2000] accounting lan-access radius-scheme bbb
[Device-isp-2000] quit
# Enable MAC authentication on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-authentication
# Enable the MAC match mode for dynamic Ethernet service instances on Twenty-FiveGigE
1/0/1.
[Device-Twenty-FiveGigE1/0/1] mac-based ac
[Device-Twenty-FiveGigE1/0/1] quit
# Enable L2VPN.
[Device] l2vpn enable
# Create a VSI named bbb and the associated VXLAN.
[Device] vsi bbb
[Device-vsi-bbb] vxlan 5
[Device-vsi-bbb-vxlan-5] quit
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain 2000
# Use the MAC address of each user as both the username and password for MAC
authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters
are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication globally.
[Device] mac-authentication
181
IPv4 address: 192.168.1.1
IPv6 address: 2000:0:0:0:1:2345:6789:abcd
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization VSI: bbb
Authorization ACL ID: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Termination action: N/A
Session timeout period: N/A
Offline detection: 300 sec (server-assigned)
Online from: 2016/06/13 09:06:37
Online duration: 0h 0m 35s
182
Configuring portal authentication
About portal authentication
Portal authentication controls user access to networks. Portal authenticates a user by the username
and password the user enters on a portal authentication page. Typically, portal authentication is
deployed on the access layer and vital data entries.
In a portal-enabled network, users can actively initiate portal authentication by visiting the
authentication website provided by the portal Web server. Or, they are redirected to the portal
authentication page for authentication when they visit other websites.
The device supports Portal 1.0, Portal 2.0, and Portal 3.0.
Portal system
A typical portal system consists of these basic components: authentication client, access device,
portal authentication server, portal Web server, AAA server, and security policy server.
183
Figure 50 Portal system
Portal authentication
server
Authentication client
AAA server
Authentication client
Security policy
server
Authentication client
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal
client. Security check for the user host is implemented through the interaction between the portal
client and the security policy server. Only the iNode client is supported.
Access device
An access device provides access services. It has the following functions:
• Redirects all HTTP or HTTPS requests of unauthenticated users to the portal Web server.
• Interacts with the portal authentication server and the AAA server to complete authentication,
authorization, and accounting.
• Allows users that pass portal authentication to access authorized network resources.
Portal server
A portal server collectively refers to a portal authentication server and portal Web server.
The portal Web server pushes the Web authentication page to authentication clients and forwards
user authentication information (username and password) to the portal authentication server. The
portal authentication server receives authentication requests from authentication clients and
interacts with the access device to authenticate users. The portal Web server is typically integrated
with the portal authentication server and it can also be an independent server.
AAA server
The AAA server interacts with the access device to implement authentication, authorization,
accounting for portal users. In a portal system, a RADIUS server can perform authentication,
authorization, accounting for portal users, and an LDAP server can perform authentication for portal
users.
Security policy server
The security policy server interacts with the portal client and the access device for security check and
authorization for users. Only hosts that run portal clients can interact with the security policy server.
184
Web authentication page provided by the portal Web server. The user can also visit the
authentication website to log in. The user must log in through the iNode client for extended
portal functions.
2. The user enters the authentication information on the authentication page/dialog box and
submits the information. The portal Web server forwards the information to the portal
authentication server. The portal authentication server processes the information and forwards
it to the access device.
3. The access device interacts with the AAA server to implement authentication, authorization,
accounting for the user.
4. If security policies are not imposed on the user, the access device allows the authenticated user
to access networks.
If security policies are imposed on the user, the portal client, the access device, and the security
policy server interact to check the user host. If the user passes the security check, the security
policy server authorizes the user to access resources based on the check result.
185
websites. After passing authentication, the user can access other network resources. The process of
direct authentication is simpler than that of re-DHCP authentication.
Re-DHCP authentication
Before a user passes authentication, DHCP allocates an IP address (a private IP address) to the
user. The user can access only the portal Web server and predefined authentication-free websites.
After the user passes authentication, DHCP reallocates an IP address (a public IP address) to the
user. The user then can access other network resources. No public IP address is allocated to users
who fail authentication. Re-DHCP authentication saves public IP addresses. For example, an ISP
can allocate public IP addresses to broadband users only when they access networks beyond the
residential community network.
Only the iNode client supports re-DHCP authentication. IPv6 portal authentication does not support
the re-DHCP authentication mode.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding
devices to exist between the authentication client and the access device.
In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP
address uniquely identifies the user. After a user passes authentication, the access device generates
an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
Because no Layer 3 forwarding device exists between authentication clients and the access device
in direct authentication and re-DHCP authentication, the access device can learn the user MAC
addresses. The access device can enhance its capability of controlling packet forwarding by using
the learned MAC addresses.
186
{ If the packet does not match any portal-free rule, the access device redirects the packet to
the portal Web server. The portal Web server pushes the Web authentication page to the
user for him to enter his username and password.
2. The portal Web server submits the user authentication information to the portal authentication
server.
3. The portal authentication server and the access device exchange CHAP messages. This step
is skipped for PAP authentication. The portal authentication server decides the method (CHAP
or PAP) to use.
4. The portal authentication server adds the username and password into an authentication
request packet and sends it to the access device. Meanwhile, the portal authentication server
starts a timer to wait for an authentication reply packet.
5. The access device and the RADIUS server exchange RADIUS packets.
6. The access device sends an authentication reply packet to the portal authentication server to
notify authentication success or failure.
7. The portal authentication server sends an authentication success or failure packet to the client.
8. If the authentication is successful, the portal authentication server sends an authentication
reply acknowledgment packet to the access device.
If the client is an iNode client, the authentication process includes step 9 and step 10 for extended
portal functions. Otherwise the authentication process is complete.
9. The client and the security policy server exchange security check information. The security
policy server detects whether or not the user host installs anti-virus software, virus definition
files, unauthorized software, and operating system patches.
10. The security policy server authorizes the user to access certain network resources based on
the check result. The access device saves the authorization information and uses it to control
access of the user.
Re-DHCP authentication process (with CHAP/PAP authentication)
Figure 53 Re-DHCP authentication process
187
Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication
process.
1. After receiving the authentication success packet, the client obtains a public IP address through
DHCP. The client then notifies the portal authentication server that it has a public IP address.
2. The portal authentication server notifies the access device that the client has obtained a public
IP address.
3. The access device detects the IP change of the client through DHCP and then notifies the
portal authentication server that it has detected an IP change of the client IP.
4. After receiving the IP change notification packets sent by the client and the access device, the
portal authentication server notifies the client of login success.
5. The portal authentication server sends an IP change acknowledgment packet to the access
device.
Step 13 and step 14 are for extended portal functions.
6. The client and the security policy server exchanges security check information. The security
policy server detects whether or not the user host installs anti-virus software, virus definition
files, unauthorized software, and operating system patches.
7. The security policy server authorizes the user to access certain network resources based on
the check result. The access device saves the authorization information and uses it to control
access of the user.
As shown in Figure 54, the authentication client and the portal authentication server exchange EAP
authentication packets. The portal authentication server and the access device exchange portal
authentication packets that carry the EAP-Message attributes. The access device and the RADIUS
server exchange RADIUS packets that carry the EAP-Message attributes. The RADIUS server that
supports the EAP server function processes the EAP packets encapsulated in the EAP-Message
attributes, and provides the EAP authentication result.
The access device does not process but only transports EAP-Message attributes between the portal
authentication server and the RADIUS server. Therefore, the access device requires no additional
configuration to support EAP authentication.
188
• Category 1—The rule permits user packets that are destined for the portal Web server and
packets that match the portal-free rules to pass through.
• Category 2—For an authenticated user with no ACL authorized, the rule allows the user to
access any destination network resources. For an authenticated user with an ACL authorized,
the rule allows users to access resources permitted by the ACL. The device adds the rule when
a user comes online and deletes the rule when the user goes offline.
The device supports the following types of authorization ACLs:
{ Basic ACLs (ACL 2000 to ACL 2999).
{ Advanced ACLs (ACL 3000 to ACL 3999).
{ Layer 2 ACLs (ACL 4000 to ACL 4999).
For an authorization ACL to take effect, make sure the following requirements are met:
{ The ACL exists and has ACL rules.
{ The ACL rules contain only the dscp, source, destination, type, source-port,
and destination-port settings, and the source-port and destination-port
keywords each can specify only one port number.
For more information about ACL rules, see ACL commands in ACL and QoS Command
Reference.
• Category 3—The rule redirects all HTTP or HTTPS requests from unauthenticated users to the
portal Web server.
• Category 4—For direct authentication and cross-subnet authentication, the rule forbids any
user packets to pass through. For re-DHCP authentication, the device forbids user packets with
private source addresses to pass.
After receiving a user packet, the device compares the packet against the filtering rules from
category 1 to category 4. Once the packet matches a rule, the matching process completes.
189
4. Enabling portal authentication and specifying a portal Web server
{ Enabling portal authentication on an interface
{ Specifying a portal Web server on an interface
5. (Optional.) Configure parameters for preauthentication portal users
{ Configuring a portal preauthentication domain
{ Specifying a preauthentication IP address pool
6. (Optional.) Specifying a portal authentication domain
7. (Optional.) Controlling portal user access
{ Configuring a portal-free rule
{ Configuring an authentication source subnet
{ Configuring an authentication destination subnet
{ Configuring support of Web proxy for portal authentication
{ Checking the issuing of category-2 portal filtering rules
{ Setting the maximum number of portal users
{ Enabling strict-checking on portal authorization information
{ Allowing only users with DHCP-assigned IP addresses to pass portal authentication
{ Enabling portal roaming
{ Configuring the portal fail-permit feature
8. (Optional.) Configuring portal detection features
{ Configuring online detection of portal users
{ Configuring portal authentication server detection
{ Configuring portal Web server detection
{ Configuring portal user synchronization
9. (Optional.) Configuring attributes for portal packets and RADIUS packets
{ Configuring portal packet attributes
You can configure the BAS-IP or BAS-IPv6 attribute for portal packets and specify the
device ID.
{ Configuring attributes for RADIUS packets
You can configure the NAS-Port-Id and NAS-Port-Type attributes and apply a NAS-ID
profile to an interface.
10. (Optional.) Configuring online and offline related features for portal users
{ Logging out online portal users
{ Enabling portal user login/logout logging
11. (Optional.) Configuring extended portal authentication features
{ Disabling the Rule ARP or ND entry feature for portal clients
{ Configuring Web redirect
190
• To use the re-DHCP portal authentication mode, make sure the DHCP relay agent is enabled
on the access device, and the DHCP server is installed and configured correctly.
• The portal client, access device, and servers can reach each other.
• To use the remote RADIUS server, configure usernames and passwords on the RADIUS server,
and configure the RADIUS client on the access device. For information about RADIUS client
configuration, see "Configuring AAA."
• To implement extended portal functions, install and configure CAMS EAD or IMC EAD. Make
sure the ACLs configured on the access device correspond to the isolation ACL and the
security ACL on the security policy server. For installation and configuration about the security
policy server, see CAMS EAD Security Policy Component User Manual or IMC EAD Security
Policy Help.
191
The specified server type must be the same as the type of the portal authentication server
actually used.
192
system-view
2. Enter portal Web server view.
portal web-server server-name
3. Enable the captive-pass feature.
captive-bypass enable
By default, the captive-bypass feature is disabled.
193
http-redirect https-port port-number
By default, no HTTPS redirect listening port number is specified.
For more information about how to specify the HTTPS redirect listening port number, see HTTP
redirect in Layer 3—IP Services Configuration Guide.
194
Main authentication page File name
Logon success page logonSuccess.htm
Logon failure page logonFail.htm
Online page
online.htm
Pushed after the user gets online for online notification
System busy page
busy.htm
Pushed when the system is busy or the user is in the logon process
Logoff success page logoffSuccess.htm
195
• Zip files can be transferred to the device through FTP or TFTP and must be saved in the root
directory of the device.
Examples of zip files on the device:
<Sysname> dir
Directory of flash:
1 -rw- 1405 Feb 28 2008 15:53:20 ssid1.zip
0 -rw- 1405 Feb 28 2008 15:53:31 ssid2.zip
2 -rw- 1405 Feb 28 2008 15:53:39 ssid3.zip
3 -rw- 1405 Feb 28 2008 15:53:44 ssid4.zip
2540 KB total (1319 KB free)
196
portal local-web-server { http | https ssl-server-policy policy-name
[ tcp-port port-number ] }
3. Specify the default authentication page file for the local portal Web service.
default-logon-page filename
By default, no default authentication page file is provided.
4. (Optional.) Configure the HTTP or HTTPS listening TCP port for the local portal Web service.
tcp-port port-number
By default, the HTTP service listening port number is 80 and the HTTPS service listening port
number is the TCP port number set by the portal local-web-server command.
197
Specifying a portal Web server on an interface
About specifying a portal Web server on an interface
With a portal Web server specified on an interface, the device redirects the HTTP requests of portal
users on the interface to the portal Web server.
You can specify both an IPv4 portal Web server and an IPv6 portal Web server on an interface.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 interface view.
interface interface-type interface-number
3. Specify a portal Web server on the interface.
portal [ ipv6 ] apply web-server server-name [ fail-permit ]
By default, no portal Web servers are specified on an interface.
198
• If the traffic of preauthentication users does not match any rule in the ACL, the device pushes
the authentication page to the users. The users can access the network resources after passing
authentication.
• If the ACL contains rules that specify a source address, users might not be able to get online.
Do not specify a source IPv4, IPv6 or MAC address when you configure a rule in the ACL.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify a portal preauthentication domain.
portal [ ipv6 ] pre-auth domain domain-name
199
2. Enter Layer 3 interface view.
interface interface-type interface-number
3. Specify a preauthentication IP address pool on the interface.
portal [ ipv6 ] pre-auth ip-pool pool-name
By default, no preauthentication IP address pool is specified on an interface.
200
Controlling portal user access
Configuring a portal-free rule
About portal-free rules
A portal-free rule allows specified users to access specified external websites without portal
authentication.
The matching items for a portal-free rule include the host name, source/destination IP address,
TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a
portal-free rule will not trigger portal authentication, so users sending the packets can directly access
the specified external websites.
Restrictions and guidelines for configuring a portal-free rule
If you specify both a VLAN and an interface, the interface must belong to the VLAN. If the interface
does not belong to the VLAN, the portal-free rule does not take effect.
You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the
system prompts that the rule already exists.
Regardless of whether portal authentication is enabled or not, you can only add or remove a
portal-free rule. You cannot modify it.
Configuring an IP-based portal-free rule
1. Enter system view.
system-view
2. Configure an IP-based portal-free rule.
IPv4:
portal free-rule rule-number { destination ip { ipv4-address
{ mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ]
| source ip { ipv4-address { mask-length | mask } | any } [ tcp
tcp-port-number | udp udp-port-number ] } * [ interface interface-type
interface-number ]
IPv6:
portal free-rule rule-number { destination ipv6 { ipv6-address
prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] |
source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number |
udp udp-port-number ] } * [ interface interface-type interface-number ]
Configuring a source-based portal-free rule
1. Enter system view.
system-view
2. Configure a source-based portal-free rule.
portal free-rule rule-number source { interface interface-type
interface-number | mac mac-address | vlan vlan-id } *
The vlan vlan-id option takes effect only on portal users that access the network through
VLAN interfaces.
Configuring a destination-based portal-free rule
1. Enter system view.
system-view
2. Configure a destination-based portal-free rule.
201
portal free-rule rule-number destination host-name
Before you configure destination-based portal-free rules, make sure a DNS server is deployed
on the network.
202
You can configure multiple authentication destination subnets. If the destination subnets overlap, the
subnet with the largest address scope (with the smallest mask or prefix) takes effect.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 interface view.
interface interface-type interface-number
3. Configure a portal authentication destination subnet.
IPv4:
portal free-all except destination ipv4-network-address { mask-length
| mask }
IPv6:
portal ipv6 free-all except destination ipv6-network-address
prefix-length
By default, users accessing any subnets must pass portal authentication.
203
Checking the issuing of category-2 portal filtering rules
About checking the issuing of category-2 portal filtering rules
Category-2 portal filtering rules permit authenticated users to access authorized network resources.
By default, the device allows an authenticated user to come online as long as a member device has
issued a category-2 portal filtering rule for the user. Users coming online from global interfaces might
fail to access network resources because some member ports might not have category-2 rules for
the users. To resolve this issue, enable the device to check the issuing of category-2 portal filtering
rules. Then, the device allows users to come online only when all member devices have issued
category-2 portal filtering rules for the users.
As a best practice, perform this task when portal authentication is enabled on a global interface.
Procedure
1. Enter system view.
system-view
2. Enable the device to check the issuing of category-2 portal filtering rules.
portal user-rule assign-check enable
By default, the device does not check the issuing of category-2 portal filtering rules.
204
If you set the maximum number smaller than the current number of portal users on an interface,
this configuration still takes effect. The online users are not affected but the system forbids new
portal users to log in from the interface.
205
By default, both users with IP addresses obtained through DHCP and users with static IP
addresses can pass authentication to come online.
206
portal [ ipv6 ] fail-permit server server-name
By default, portal fail-permit is disabled for a portal authentication server.
4. Enable portal fail-permit for a portal Web server.
portal [ ipv6 ] apply web-server server-name [ fail-permit ]
By default, portal fail-permit is disabled for a portal Web server.
207
Configuring portal authentication server detection
About portal authentication server detection
During portal authentication, if the communication between the access device and portal
authentication server is broken, new portal users are not able to log in. Online portal users are not
able to log out normally.
To address this problem, the access device needs to be able to detect the reachability changes of the
portal server quickly and take corresponding actions to deal with the changes.
The portal authentication server detection feature enables the device to periodically detect portal
packets sent by a portal authentication server to determine the reachability of the server. If the device
receives a portal packet within a detection timeout (timeout timeout) and the portal packet is
valid, the device considers the portal authentication server to be reachable. Otherwise, the device
considers the portal authentication server to be unreachable.
Portal packets include user login packets, user logout packets, and heartbeat packets. Heartbeat
packets are periodically sent by a server. By detecting heartbeat packets, the device can detect the
server's actual status more quickly than by detecting other portal packets.
Restrictions and guidelines
The portal authentication server detection feature takes effect only when the device has a
portal-enabled interface.
Only the IMC portal authentication server supports sending heartbeat packets. To test server
reachability by detecting heartbeat packets, you must enable the server heartbeat feature on the
IMC portal authentication server.
You can configure the device to take one or more of the following actions when the server
reachability status changes:
• Sending a log message, which contains the name, the current state, and the original state of the
portal authentication server.
• Enabling portal fail-permit. When the portal authentication server is unreachable, the portal
fail-permit feature on an interface allows users on the interface to have network access. When
the server recovers, it resumes portal authentication on the interface. For more information, see
"Configuring the portal fail-permit feature."
• Make sure the detection timeout configured on the device is greater than the server heartbeat
interval configured on the portal authentication server.
Procedure
1. Enter system view.
system-view
2. Enter portal authentication server view.
portal server server-name
3. Configure portal authentication server detection.
server-detect [ timeout timeout ] log
By default, portal authentication server detection is disabled.
208
With the portal Web server detection feature, the access device simulates a Web access process to
initiate a TCP connection to the portal Web server. If the TCP connection can be established
successfully, the access device considers the detection successful, and the portal Web server is
reachable. Otherwise, it considers the detection to have failed. Portal authentication status on
interfaces of the access device does not affect the portal Web server detection feature.
You can configure the following detection parameters:
• Detection interval—Interval at which the device detects the server reachability.
• Maximum number of consecutive failures—If the number of consecutive detection failures
reaches this value, the access device considers that the portal Web server is unreachable.
You can configure the device to take one or more of the following actions when the server
reachability status changes:
• Sending a log message, which contains the name, the current state, and the original state of the
portal Web server.
• Enabling portal fail-permit. When the portal Web server is unreachable, the portal fail-permit
feature on an interface allows users on the interface to have network access. When the server
recovers, it resumes portal authentication on the interface. For more information, see
"Configuring the portal fail-permit feature."
Restrictions and guidelines
The portal Web server detection feature takes effect only when the URL of the portal Web server is
specified and the device has a portal-enabled interface.
Procedure
1. Enter system view.
system-view
2. Enter portal Web server view.
portal web-server server-name
3. Configure portal Web server detection.
server-detect [ interval interval ] [ retry retries ] log
By default, portal Web server detection is disabled.
209
Restrictions and guidelines
Portal user synchronization requires a portal authentication server to support the portal user
heartbeat function. Only the IMC portal authentication server supports the portal user heartbeat
function. To implement the portal user synchronization feature, you also need to configure the user
heartbeat function on the portal authentication server. Make sure the user heartbeat interval
configured on the portal authentication server is not greater than the synchronization detection
timeout configured on the access device.
Deleting a portal authentication server on the access device also deletes the user synchronization
configuration for the portal authentication server.
Procedure
1. Enter system view.
system-view
2. Enter portal authentication server view.
portal server server-name
3. Configure portal user synchronization.
user-sync timeout timeout
By default, portal user synchronization is disabled.
210
IPv4:
portal bas-ip ipv4-address
By default, the BAS-IP attribute of an IPv4 portal reply packet is the source IPv4 address of the
packet. The BAS-IP attribute of an IPv4 portal notification packet is the IPv4 address of the
packet's output interface.
IPv6:
portal bas-ipv6 ipv6-address
By default, the BAS-IPv6 attribute of an IPv6 portal reply packet is the source IPv6 address of
the packet. The BAS-IPv6 attribute of an IPv6 portal notification packet is the IPv6 address of
the packet's output interface.
211
Configuring the NAS-Port-Type attribute
About the NAS-Port-Type attribute
The NAS-Port-Type attribute in a RADIUS request represents the type of a user's access interface.
The access device might not be able to correctly obtain the type of users' access interfaces when
multiple network devices exist between the access device and the portal client. For the access
device to send the correct access interface type to the RADIUS server, perform this task to configure
the NAS-Port-Type attribute.
Restrictions and guidelines
This configuration takes effect only on portal users that newly come online.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the NAS-Port-Type attribute carried in outgoing RADIUS requests on the interface.
portal nas-port-type { 802.11 | adsl-cap | adsl-dmt | async | cable
| ethernet | g.3-fax | hdlc | idsl | isdn-async-v110 | isdn-async-v120
| isdn-sync | piafs | sdsl | sync | virtual | wireless-other | x.25
| x.75 | xdsl }
By default, the NAS-Port-Type carried in outgoing RADIUS requests is Ethernet (attribute value
15).
212
For more information about this command, see Security Command Reference. Portal access
matches only the inner VLAN ID of QinQ packets. For more information about QinQ, see Layer
2—LAN Switching Configuration Guide.
4. Specify the NAS-ID profile on the interface.
a. Return to system view.
quit
b. Enter Layer 3 interface view.
interface interface-type interface-number
c. Specify the NAS-ID profile on the interface.
portal nas-id-profile profile-name
213
Disabling the Rule ARP or ND entry feature for
portal clients
About the Rule ARP or ND entry feature for portal clients
When the Rule ARP or ND entry feature is enabled for portal clients, ARP or ND entries for portal
clients are Rule entries after the clients come online. The Rule entries will not age out and will be
deleted immediately after the portal clients go offline. If a portal client goes offline and then tries to
get online before the ARP or ND entry is relearned for the client, the client will fail the authentication.
To avoid such authentication failure, disable this feature. Then, ARP or ND entries for portal clients
are dynamic entries after the clients come online and are deleted only when they age out.
Restrictions and guidelines
Enabling or disabling of this feature does not affect existing Rule/dynamic ARP or ND entries.
Procedure
1. Enter system view.
system-view
2. Disable the Rule ARP or ND entry feature for portal clients.
undo portal refresh { arp | nd } enable
By default, the Rule ARP or ND entry feature is enabled for portal clients.
214
Task Command
Display portal configuration and portal display portal interface interface-type
running state. interface-number
Display packet statistics for portal display portal packet statistics
authentication servers. [ server server-name ]
display portal rule { all | dynamic |
Display portal rules. static } interface interface-type
interface-number [ slot slot-number ]
Display portal authentication server
display portal server [ server-name ]
information.
215
Figure 55 Network diagram
216
Figure 56 Portal server configuration
217
a. Select User Access Manager > Portal Service Management > Device from the
navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 58.
c. Enter the device name NAS.
d. Enter the IP address of the switch's interface connected to the host.
e. Enter the key, which must be the same as that configured on the switch.
f. Set whether to enable IP address reallocation.
This example uses direct portal authentication, and therefore select No from the Reallocate
IP list.
g. Select whether to support server heartbeat and user heartbeat functions.
In this example, select No for both Support Server Heartbeat and Support User
Heartbeat.
h. Click OK.
Figure 58 Adding a portal device
218
Figure 60 Adding a port group
5. Select User Access Manager > Service Parameters > Validate System Configuration from
the navigation tree to make the configurations take effect.
Configuring the switch
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the
keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[Switch] domain default enable dm1
3. Configure portal authentication:
219
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Specify the HTTPS redirect listening port number.
[Switch] http-redirect https-port 8888
# Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] portal enable method direct
# Specify portal Web server newpt on VLAN-interface 100.
[Switch–Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100 to the portal
authentication server.
[Switch–Vlan-interface100] portal bas-ip 2.2.2.1
[Switch–Vlan-interface100] quit
220
IPv6:
Portal status: Disabled
Portal authentication method: Disabled
Portal web server: Not configured
Portal mac-trigger-server: Not configured
Authentication domain: Not configured
Pre-auth domain: Not configured
User-dhcp-only: Disabled
Pre-auth IP pool: Not configured
Max Portal users: Not configured
Bas-ipv6: Not configured
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Prefix length
A user can perform portal authentication by using the iNode client or through a Web browser. Before
passing the authentication, the user can access only the authentication page
http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the
authentication page. After passing the authentication, the user can access other network resources.
# After the user passes authentication, use the following command to display information about the
portal user.
[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0015-e9a6-7cfe 2.2.2.2 100 Vlan-interface100
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: N/A
Inbound CAR: N/A
Outbound CAR: N/A
221
Configure re-DHCP portal authentication. Before passing the authentication, the host is assigned a
private IP address. After passing the authentication, the host gets a public IP address and can
access network resources.
Figure 61 Network diagram
Portal Server
192.168.0.111/24
Vlan-int100
20.20.20.1/24 Vlan-int2
10.0.0.1/24 sub 192.168.0.100/24
RADIUS server
192.168.0.113/24
222
[Switch-radius-rs1] primary accounting 192.168.0.113
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[Switch] domain default enable dm1
3. Configure DHCP relay and authorized ARP:
# Configure DHCP relay.
[Switch] dhcp enable
[Switch] dhcp relay client-information record
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] ip address 20.20.20.1 255.255.255.0
[Switch–Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
[Switch-Vlan-interface100] dhcp select relay
[Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112
# Enable authorized ARP.
[Switch-Vlan-interface100] arp authorized enable
[Switch-Vlan-interface100] quit
4. Configure portal authentication:
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Specify the HTTPS redirect listening port number.
[Switch] http-redirect https-port 8888
# Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] portal enable method redhcp
223
# Specify portal Web server newpt on VLAN-interface 100.
[Switch–Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the
portal authentication server.
[Switch–Vlan-interface100] portal bas-ip 20.20.20.1
[Switch–Vlan-interface100] quit
224
-- -- --
Layer3 source network:
IP address Prefix length
Before passing the authentication, a user that uses the iNode client can access only the
authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be
redirected to the authentication page. After passing the authentication, the user can access other
network resources.
# After the user passes authentication, use the following command to display information about the
portal user.
[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0015-e9a6-7cfe 20.20.20.2 100 Vlan-interface100
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: N/A
Inbound CAR: N/A
Outbound CAR: N/A
225
Figure 62 Network diagram
226
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[SwitchA] domain default enable dm1
3. Configure portal authentication:
# Configure a portal authentication server.
[SwitchA] portal server newpt
[SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
[SwitchA-portal-server-newpt] port 50100
[SwitchA-portal-server-newpt] quit
# Configure a portal Web server.
[SwitchA] portal web-server newpt
[SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[SwitchA-portal-websvr-newpt] quit
# Specify the HTTPS redirect listening port number.
[SwitchA] http-redirect https-port 8888
# Enable cross-subnet portal authentication on VLAN-interface 4.
[SwitchA] interface vlan-interface 4
[SwitchA–Vlan-interface4] portal enable method layer3
# Specify portal Web server newpt on VLAN-interface 4.
[SwitchA–Vlan-interface4] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 4 to the
portal authentication server.
[SwitchA–Vlan-interface4] portal bas-ip 20.20.20.1
[SwitchA–Vlan-interface4] quit
227
-- -- --
Layer3 source network:
IP address Mask
A user can perform portal authentication by using the iNode client or through a Web browser. Before
passing the authentication, the user can access only the authentication page
http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the
authentication page. After passing the authentication, the user can access other network resources.
# After the user passes authentication, use the following command to display information about the
portal user.
[SwitchA] display portal user interface vlan-interface 4
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0015-e9a6-7cfe 8.8.8.2 4 Vlan-interface4
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: N/A
Inbound CAR: N/A
Outbound CAR: N/A
228
Example: Configuring extended direct portal authentication
Network configuration
As shown in Figure 63, the host is directly connected to the switch (the access device). The host is
assigned a public IP address either manually or through DHCP. A portal server acts as both a portal
authentication server and a portal Web server. A RADIUS server acts as the
authentication/accounting server.
Configure extended direct portal authentication. If the host fails security check after passing identity
authentication, it can access only subnet 192.168.0.0/24. After passing security check, the host can
access other network resources.
Figure 63 Network diagram
Portal server
192.168.0.111/24
Vlan-int100 Vlan-int2
2.2.2.1/24 192.168.0.100/24
229
# Specify a session-control client with IP address 192.168.0.112 and shared key 12345 in
plaintext form.
[Switch] radius session-control client ip 192.168.0.112 key simple 12345
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[Switch] domain default enable dm1
3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[Switch] acl advanced 3000
[Switch-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-ipv4-adv-3000] rule deny ip
[Switch-acl-ipv4-adv-3000] quit
[Switch] acl advanced 3001
[Switch-acl-ipv4-adv-3001] rule permit ip
[Switch-acl-ipv4-adv-3001] quit
NOTE:
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the
security policy server.
230
[Switch–Vlan-interface100] quit
231
IP address Prefix length
Before passing portal authentication, a user that uses the iNode client can access only the
authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be
redirected to the authentication page.
• The user can access the resources permitted by ACL 3000 after passing only identity
authentication.
• The user can access network resources permitted by ACL 3001 after passing both identity
authentication and security check.
# After the user passes identity authentication and security check, use the following command to
display information about the portal user.
[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0015-e9a6-7cfe 2.2.2.2 100 Vlan-interface100
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: 3001
Inbound CAR: N/A
Outbound CAR: N/A
232
Figure 64 Network diagram
233
[Switch-radius-rs1] key accounting simple radius
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] user-name-format without-domain
# Enable RADIUS session control.
[Switch] radius session-control enable
# Specify a session-control client with IP address 192.168.0.113 and shared key 12345 in
plaintext form.
[Switch] radius session-control client ip 192.168.0.113 key simple 12345
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[Switch] domain default enable dm1
3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[Switch] acl advanced 3000
[Switch-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-ipv4-adv-3000] rule deny ip
[Switch-acl-ipv4-adv-3000] quit
[Switch] acl advanced 3001
[Switch-acl-ipv4-adv-3001] rule permit ip
[Switch-acl-ipv4-adv-3001] quit
NOTE:
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the
security policy server.
234
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Specify the HTTPS redirect listening port number.
[Switch] http-redirect https-port 8888
# Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] portal enable method redhcp
# Specify portal Web server newpt on VLAN-interface 100.
[Switch–Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the
portal authentication server.
[Switch–Vlan-interface100] portal bas-ip 20.20.20.1
[Switch–Vlan-interface100] quit
235
Portal authentication method: Disabled
Portal web server: Not configured
Portal mac-trigger-server: Not configured
Authentication domain: Not configured
Pre-auth domain: Not configured
User-dhcp-only: Disabled
Pre-auth IP pool: Not configured
Max Portal users: Not configured
Bas-ipv6: Not configured
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Prefix length
Before passing portal authentication, a user that uses the iNode client can access only the
authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be
redirected to the authentication page.
• The user can access the resources permitted by ACL 3000 after passing only identity
authentication.
• The user can access network resources permitted by ACL 3001 after passing both identity
authentication and security check.
# After the user passes identity authentication and security check, use the following command to
display information about the portal user.
[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0015-e9a6-7cfe 20.20.20.2 100 Vlan-interface100
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: 3001
Inbound CAR: N/A
Outbound CAR: N/A
236
Example: Configuring extended cross-subnet portal
authentication
Network configuration
As shown in Figure 65, Switch A supports portal authentication. The host accesses Switch A through
Switch B. A portal server acts as both a portal authentication server and a portal Web server. A
RADIUS server acts as the authentication/accounting server.
Configure Switch A for extended cross-subnet portal authentication. Before passing portal
authentication, the host can access only the portal server. After passing portal identity authentication,
the host accepts security check. If the host fails the security check it can access only the subnet
192.168.0.0/24. After passing the security check, the host can access other network resources.
Figure 65 Network diagram
237
[SwitchA-radius-rs1] key authentication simple radius
[SwitchA-radius-rs1] user-name-format without-domain
# Enable RADIUS session control.
[SwitchA] radius session-control enable
# Specify a session-control client with IP address 192.168.0.112 and shared key 12345 in
plaintext form.
[SwitchA] radius session-control client ip 192.168.0.112 key simple 12345
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[SwitchA] domain dm1
# Configure AAA methods for the ISP domain.
[SwitchA-isp-dm1] authentication portal radius-scheme rs1
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[SwitchA] domain default enable dm1
3. Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
[SwitchA] acl advanced 3000
[SwitchA-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3000] rule deny ip
[SwitchA-acl-ipv4-adv-3000] quit
[SwitchA] acl advanced 3001
[SwitchA-acl-ipv4-adv-3001] rule permit ip
[SwitchA-acl-ipv4-adv-3001] quit
NOTE:
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the
security policy server.
238
[SwitchA–Vlan-interface4] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 4 to the
portal authentication server.
[SwitchA–Vlan-interface4] portal bas-ip 20.20.20.1
[SwitchA–Vlan-interface4] quit
239
Layer3 source network:
IP address Prefix length
Before passing portal authentication, a user that uses the iNode client can access only the
authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be
redirected to the authentication page.
• The user can access the resources permitted by ACL 3000 after passing only identity
authentication.
• The user can access network resources permitted by ACL 3001 after passing both identity
authentication and security check.
# After the user passes identity authentication and security check, use the following command to
display information about the portal user.
[SwitchA] display portal user interface vlan-interface 4
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0015-e9a6-7cfe 8.8.8.2 4 Vlan-interface4
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: 3001
Inbound CAR: N/A
Outbound CAR: N/A
240
Figure 66 Network diagram
241
Figure 67 Portal authentication server configuration
242
a. Select User Access Manager > Portal Service Management > Device from the
navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 69.
c. Enter the device name NAS.
d. Enter the IP address of the switch's interface connected to the host.
e. Enter the key, which must be the same as that configured on the switch.
f. Set whether to enable IP address reallocation.
This example uses direct portal authentication, and therefore select No from the Reallocate
IP list.
g. Select whether to support server heartbeat and user heartbeat functions.
In this example, select Yes for both Support Server Heartbeat and Support User
Heartbeat.
h. Click OK.
Figure 69 Adding a portal device
243
Figure 71 Adding a port group
5. Select User Access Manager > Service Parameters > Validate System Configuration from
the navigation tree to make the configurations take effect.
Configuring the switch
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the
keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[Switch] domain default enable dm1
3. Configure portal authentication:
244
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
# Configure reachability detection of the portal authentication server: set the server detection
interval to 40 seconds, and send log messages upon reachability status changes.
[Switch-portal-server-newpt] server-detect timeout 40 log
NOTE:
The value of timeout must be greater than or equal to the portal server heartbeat interval.
# Configure portal user synchronization with the portal authentication server, and set the
synchronization detection interval to 600 seconds.
[Switch-portal-server-newpt] user-sync timeout 600
[Switch-portal-server-newpt] quit
NOTE:
The value of timeout must be greater than or equal to the portal user heartbeat interval.
245
The Up status of the portal authentication server indicates that the portal authentication server is
reachable. If the access device detects that the portal authentication server is unreachable, the
Status field in the command output displays Down. The access device generates a server
unreachable log "Portal server newpt turns down from up." and disables portal authentication on the
access interface, so the host can access the external network without authentication.
246
[SwitchA-radius-rs1] primary accounting 192.168.0.111
[SwitchA-radius-rs1] key accounting simple radius
[SwitchA-radius-rs1] key authentication simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[SwitchA-radius-rs1] user-name-format without-domain
# Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must
be the same as that of the portal device specified on the portal authentication server to avoid
authentication failures.
[SwitchA-radius-rs1] nas-ip 3.3.0.3
[SwitchA-radius-rs1] quit
# Enable RADIUS session control.
[SwitchA] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[SwitchA] domain dm1
# Configure AAA methods for the ISP domain.
[SwitchA-isp-dm1] authentication portal radius-scheme rs1
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[SwitchA] domain default enable dm1
3. Configure portal authentication:
# Configure a portal authentication server.
[SwitchA] portal server newpt
[SwitchA-portal-server-newpt] ip 192.168.0.111 vpn-instance vpn3 key simple portal
[SwitchA-portal-server-newpt] port 50100
[SwitchA-portal-server-newpt] quit
# Configure a portal Web server.
[SwitchA] portal web-server newpt
[SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[SwitchA-portal-websvr-newpt] vpn-instance vpn3
[SwitchA-portal-websvr-newpt] quit
# Specify the HTTPS redirect listening port number.
[SwitchA] http-redirect https-port 8888
# Enable cross-subnet portal authentication on VLAN-interface 3.
[SwitchA] interface vlan-interface 3
[SwitchA–Vlan-interface3] portal enable method layer3
# Specify portal Web server newpt on VLAN-interface 3.
[SwitchA–Vlan-interface3] portal apply web-server newpt
# Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal
authentication server.
[SwitchA–Vlan-interface3] portal bas-ip 3.3.0.3
[SwitchA–Vlan-interface3] quit
247
Verifying the configuration
# Verify the portal configuration by executing the display portal interface command.
(Details not shown.)
# After the user passes authentication, execute the display portal user command to display
the portal user information.
[SwitchA] display portal user all
Total portal users: 1
Username: abc
Portal server: newpt
State: Online
VPN instance: vpn3
MAC IP VLAN Interface
000d-88f7-c268 3.3.0.1 3 Vlan-interface3
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: N/A
Inbound CAR: N/A
Outbound CAR: N/A
248
Prerequisites
• Configure IP addresses for the host, switch, and servers as shown in Figure 73 and make sure
they can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
Procedure
1. Configure a preauthentication IP address pool:
# Configure DHCP address pool pre to assign IP addresses and other configuration
parameters to clients on subnet 2.2.2.0/24.
<Switch> system-view
[Switch] dhcp server ip-pool pre
[Switch-dhcp-pool-pre] gateway-list 2.2.2.1
[Switch-dhcp-pool-pre] network 2.2.2.0 24
[Switch-dhcp-pool-pre] quit
# Enable the DHCP server on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] dhcp select server
[Switch–Vlan-interface100] quit
2. Configure a portal preauthentication domain:
# Create an ISP domain named abc.
[Switch] domain abc
# Specify user attribute ACL 3010 in the ISP domain.
[Switch-isp-abc] authorization-attribute acl 3010
[Switch-isp-abc] quit
# In ACL 3010, configure a rule to permit access to the subnet 192.168.0.0/24.
[Switch] acl advanced 3010
[Switch-acl-ipv4-adv-3010] rule 1 permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-ipv4-adv-3010] quit
# Specify ISP domain abc as the portal authentication domain on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] portal pre-auth domain abc
[Switch–Vlan-interface100] quit
3. Configure portal authentication:
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Specify the HTTPS redirect listening port number.
[Switch] http-redirect https-port 8888
# Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] portal enable method direct
249
# Specify portal Web server newpt on VLAN-interface 100.
[Switch–Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100 to the portal
authentication server.
[Switch–Vlan-interface100] portal bas-ip 2.2.2.1
[Switch–Vlan-interface100] quit
250
Figure 74 Network diagram
251
[Switch-isp-abc] authorization-attribute acl 3010
[Switch-isp-abc] quit
# In ACL 3010, configure a rule to permit access to the subnet 192.168.0.0/24.
[Switch] acl advanced 3010
[Switch-acl-ipv4-adv-3010] rule 1 permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-ipv4-adv-3010] quit
# Specify ISP domain abc as the portal authentication domain on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] portal pre-auth domain abc
[Switch–Vlan-interface100] quit
2. Configure DHCP relay and authorized ARP.
# Configure DHCP relay.
[Switch] dhcp enable
[Switch] dhcp relay client-information record
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] ip address 20.20.20.1 255.255.255.0
[Switch–Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
[Switch-Vlan-interface100] dhcp select relay
[Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112
# Enable authorized ARP.
[Switch-Vlan-interface100] arp authorized enable
[Switch-Vlan-interface100] quit
3. Configure portal authentication:
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Specify the HTTPS redirect listening port number.
[Switch] http-redirect https-port 8888
# Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method redhcp
# Specify portal Web server newpt on VLAN-interface 100.
[Switch–Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the
portal authentication server.
[Switch–Vlan-interface100] portal bas-ip 20.20.20.1
[Switch–Vlan-interface100] quit
252
[Switch] display portal user pre-auth interface vlan-interface 100
MAC IP VLAN Interface
0015-e9a6-7cfe 10.10.10.4 100 Vlan-interface100
State: Online
VPN instance: --
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: 3010
Inbound CAR: N/A
Outbound CAR: N/A
Prerequisites
• Configure IP addresses for the host, switch, and server as shown in Figure 75 and make sure
they can reach each other.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
• Customize the authentication pages, compress them to a file, and upload the file to the root
directory of the storage medium of the switch.
Procedure
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the
keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication simple radius
253
[Switch-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable
2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the
ISP domain name at login, the authentication and accounting methods of the default domain
are used for the user.
[Switch] domain default enable dm1
3. Configure portal authentication:
# Configure a portal Web server named newpt and specify http://2.2.2.1:2331/portal as the
URL of the portal Web server. The IP address in the URL must be the IP address of a Layer 3
interface reachable to portal clients or a loopback interface (except 127.0.0.1) on the device.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://2.2.2.1:2331/portal
[Switch-portal-websvr-newpt] quit
# Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch–Vlan-interface100] portal enable method direct
# Specify portal Web server newpt on VLAN-interface 100.
[Switch–Vlan-interface100] portal apply web-server newpt
[Switch–Vlan-interface100] quit
# Create an HTTP-based local portal Web service and enter its view.
[Switch] portal local-web-server http
# Specify file abc.zip as the default authentication page file for the local portal Web service.
(Make sure the file exist under the root directory of the switch.)
[Switch–portal-local-websvr-http] default-logon-page abc.zip
# Set the HTTP listening port number to 2331 for the local portal Web service.
[Switch–portal-local-webserver-http] tcp-port 2331
[Switch–portal-local-websvr-http] quit
254
Portal status: Enabled
Portal authentication method: Direct
Portal web server: newpt
Portal mac-trigger-server: Not configured
Authentication domain: Not configured
Pre-auth domain: Not configured
User-dhcp-only: Disabled
Pre-auth IP pool: Not configured
Max Portal users: Not configured
Bas-ip: Not configured
User detection: Not configured
Action for server detection:
Server type Server name Action
-- -- --
Layer3 source network:
IP address Mask
A user can perform portal authentication through a Web page. Before passing the authentication, the
user can access only the authentication page http://2.2.2.1:2331/portal and all Web requests will be
redirected to the authentication page. After passing the authentication, the user can access other
network resources.
# After the user passes authentication, use the following command to display information about the
portal user.
[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
Portal server: newpt
255
State: Online
VPN instance: --
MAC IP VLAN Interface
0015-e9a6-7cfe 2.2.2.2 100 Vlan-interface100
Authorization information:
IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Troubleshooting portal
No portal authentication page is pushed for users
Symptom
When a user is redirected to the IMC portal authentication server, no portal authentication page or
error message is prompted for the user. The login page is blank.
Analysis
The key configured on the portal access device and that configured on the portal authentication
server are inconsistent. As a result, packet verification fails, and the portal authentication server
refuses to push the authentication page.
Solution
Use the display portal server command on the access device to check whether a key is
configured for the portal authentication server.
• If no key is configured, configure the right key.
• If a key is configured, use the ip or ipv6 command in the portal authentication server view to
correct the key, or correct the key configured for the access device on the portal authentication
server.
256
message. As a result, the portal authentication server can definitely receive the logout ACK message
and log out the user.
Solution
1. Use the display portal server command to display the listening port of the portal
authentication server configured on the access device.
2. Use the portal server command in system view to change the listening port number to the
actual listening port of the portal authentication server.
Users logged out by the access device still exist on the portal
authentication server
Symptom
After you log out a portal user on the access device, the user still exists on the portal authentication
server.
Analysis
When you execute the portal delete-user command on the access device to log out a user,
the access device sends an unsolicited logout notification to the portal authentication server. If the
BAS-IP or BAS-IPv6 address carried in the logout notification is different from the portal device IP
address specified on the portal authentication server, the portal authentication server discards the
logout notification. When sending of the logout notifications times out, the access device logs out the
user. However, the portal authentication server does not receive the logout notification successfully,
and therefore it regards the user is still online.
Solution
Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication.
Make sure the attribute value is the same as the portal device IP address specified on the portal
authentication server.
257
Re-DHCP portal authenticated users cannot log in
successfully
Symptom
The device performs re-DHCP portal authentication for users. A user enters the correct username
and password, and the client successfully obtains the private and public IP addresses. However, the
authentication result for the user is failure.
Analysis
When the access device detects that the client IP address is changed, it sends an unsolicited portal
packet to notify of the IP change to the portal authentication server. The portal authentication server
notifies of the authentication success only after it receives the IP change notification from both the
access device and the client.
If the BAS-IP or BAS-IPv6 address carried in the portal notification packet is different from the portal
device IP address specified on the portal authentication server, the portal authentication server
discards the portal notification packet. As a result, the portal authentication server considers that the
user has failed the authentication.
Solution
Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication.
Make sure the attribute value is the same as the portal device IP address specified on the portal
authentication server.
258
Configuring Web authentication
About Web authentication
Web authentication is deployed on Layer 2 Ethernet interfaces of the access device to control user
access to networks. The access device redirects unauthenticated users to the specified website. The
users can access the resources on the website without authentication. If the users want to access
other network resources, they must pass authentication.
Authentication client
An authentication client is a Web browser that runs HTTP or HTTPS.
Access device
An access device has the following functions:
• Redirects all user HTTP or HTTPS requests that do not match authentication-free rules to the
Web authentication page before authentication.
• Interacts with the AAA server to complete authentication, authorization, and accounting. For
more information about AAA, see "Configuring AAA."
• Allows users that pass authentication to access authorized network resources.
Local portal Web server
The access device acts as the local portal Web server. The local portal Web server pushes the Web
authentication page to authentication clients and obtains user authentication information (username
and password).
AAA server
An AAA server interacts with the access device to implement user authentication, authorization, and
accounting. A RADIUS server can perform authentication, authorization, and accounting for Web
authentication users. An LDAP server can perform authentication for Web authentication users.
259
Web authentication process
Figure 77 Web authentication process
260
Auth-Fail VLAN
An Auth-Fail VLAN is a VLAN assigned to users who fail authentication. The Auth-Fail VLAN
provides network resources such as the patch server, virus definitions server, client software server,
and anti-virus software server to the users. The users can use these resources to upgrade their client
software or other programs.
Web authentication supports Auth-Fail VLAN on an interface that performs MAC-based access
control. If a user on the interface fails authentication, the access devices creates a MAC VLAN entry
based on the MAC address of the user and adds the user to the Auth-Fail VLAN. Then, the user can
access the portal-free IP resources in the Auth-Fail VLAN. All HTTP or HTTPS requests to
non-portal-free IP resources will be redirected to the authentication page. If the user still fails
authentication, the interface remains in the Auth-Fail VLAN. If the user passes authentication, the
access device removes the interface from the Auth-Fail VLAN and assigns the interface to a VLAN
as follows:
• If the authentication server assigns an authorization VLAN to the user, the access device
assigns the interface to the authorization VLAN.
• If the authentication server does not assign an authorization VLAN to the user, the access
device assigns the interface to the default VLAN.
261
• If the RADIUS server assigns an authorization VLAN to the users, make sure the following
conditions are met:
{ The link between Device A and Device B is a trunk link.
{ The PVIDs of Port A1 and Port B are the same as the authorization VLAN ID.
• If the RADIUS server does not assign an authorization VLAN to the users, make sure the PVIDs
of Port A1 and Port B are the same.
Figure 78 Web authentication for non-directly connected users
262
• Configure user accounts on the RADIUS server and configure the RADIUS client information on
the access device.
To use the local authentication method, you must configure local users on the access device.
For more information about RADIUS clients and local users, see "Configuring AAA."
263
command, see IP performance optimization commands in Layer 3—IP Services Command
Reference.
If you perform this task multiple times, the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Specify the HTTPS redirect listening port number.
http-redirect https-port port-number
By default, no HTTPS redirect listening port number is specified.
For more information about how to specify the HTTPS redirect listening port number, see HTTP
redirect in Layer 3—IP Services Configuration Guide.
264
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify an authentication domain for Web authentication users on the interface.
web-auth domain domain-name
By default, no authentication domain is specified for Web authentication users.
265
Setting the maximum number of Web
authentication users
Restrictions and guidelines
If the maximum number of online Web authentication users you set is less than that of the current
online Web authentication users, the limit can be set successfully and does not impact the online
Web authentication users. However, the system does not allow new Web authentication users to log
in until the number drops down below the limit.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum number of Web authentication users on the interface.
web-auth max-user max-number
By default, the maximum number of Web authentication users is 1024.
266
Because MAC-based VLAN takes effect only on Hybrid ports, Auth-Fail VLAN also takes effect only
on Hybrid ports.
If a VLAN is specified as the super VLAN, do not configure the VLAN as an Auth-Fail VLAN of an
interface. If a VLAN is specified as an Auth-Fail VLAN of an interface, do not configure the VLAN as
a super VLAN.
Do not delete the VLAN that has been configured as an Auth-Fail VLAN. To delete this VLAN, first
cancel the Auth-Fail VLAN configuration by using undo web-auth auth-fail vlan command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure an Auth-Fail VLAN.
web-auth auth-fail vlan authfail-vlan-id
By default, no Auth-Fail VLAN is configured on an interface.
267
Display and maintenance commands for Web
authentication
Execute display commands in any view.
Task Command
Display Web authentication configuration display web-auth [ interface
information on interfaces. interface-type interface-number ]
Display Web authentication-free subnets. display web-auth free-ip
Display Web authentication server
display web-auth server [ server-name ]
information.
Vlan-int100
2.2.2.1/24
Internet
GE1/0/1
Host Device
2.2.2.2/24
Procedure
1. Customize the authentication pages, compress them to a file, and upload the file to the root
directory of the storage medium of the device. In this example, the file is abc.zip. (Details not
shown.)
2. Assign IP addresses to the host and the device as shown in Figure 79, and make sure the host
and the device can reach each other.
3. Configure a local user:
# Create a local network access user named localuser.
<Device>system-view
268
[Device] local-user localuser class network
# Set the password to localpass in plaintext form for user localuser.
[Device-luser-network-localuser] password simple localpass
# Authorize the user to use LAN access services.
[Device-luser-network-localuser] service-type lan-access
[Device-luser-network-localuser] quit
4. Configure an ISP domain:
# Create an ISP domain named local.
[Device] domain local
# Configure the ISP domain to perform local authentication, authorization, and accounting for
LAN access users.
[Device-isp-local] authentication lan-access local
[Device-isp-local] authorization lan-access local
[Device-isp-local] accounting lan-access local
[Device-isp-local] quit
5. Configure a local portal Web service:
# Create an HTTP-based local portal Web service and enter its view.
[Device] portal local-web-server http
# Specify file abc.zip as the default authentication page file for the local portal Web service.
(This file must exist in the root directory of the device.)
[Device-portal-local-websvr-http] default-logon-page abc.zip
# Specify the HTTP listening port number as 80 for the portal Web service.
[Device–portal-local-websvr-http] tcp-port 80
[Device-portal-local-websvr-http] quit
6. Configure Web authentication:
# Create a Web authentication server named user.
[Device] web-auth server user
# Configure the redirection URL for the Web authentication server as http://20.20.0.1/portal/.
[Device-web-auth-server-user] url http://20.20.0.1/portal/
# Specify 20.20.0.1 as the IP address and 80 as the port number for the Web authentication
server.
[Device-web-auth-server-user] ip 20.20.0.1 port 80
[Device-web-auth-server-user] quit
# Specify ISP domain local as the Web authentication domain.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] web-auth domain local
# Enable Web authentication by using Web authentication server user.
[Device-Twenty-FiveGigE1/0/1] web-auth enable apply server user
[Device-Twenty-FiveGigE1/0/1] quit
269
Access interface: Twenty-FiveGigE1/0/1
Initial VLAN: 100
Authorization VLAN: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A
Procedure
1. Configure the RADIUS server properly to provide authentication and accounting functions for
users. In this example, the username is configured as user1 on the RADIUS server. (Details not
shown.)
2. Customize the authentication pages, compress them to a file, and upload the file to the root
directory of the storage medium of the switch. In this example, the file is abc.zip.
3. Create VLANs, assign IP addresses to the VLAN interfaces, and assign interfaces to the
VLANs. Make sure the host, the RADIUS server, and the device can reach each other. (Details
not shown.)
4. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1.
<Device> system-view
[Device] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the
keys for communication with the servers.
[Device-radius-rs1] primary authentication 192.168.0.112
[Device-radius-rs1] primary accounting 192.168.0.112
270
[Device-radius-rs1] key authentication simple radius
[Device-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Device-radius-rs1] user-name-format without-domain
[Device-radius-rs1] quit
5. Configure an authentication domain:
# Create an ISP domain named dm1.
[Device] domain dm1
# Configure AAA methods for the ISP domain
[Device-isp-dm1] authentication lan-access radius-scheme rs1
[Device-isp-dm1] authorization lan-access radius-scheme rs1
[Device-isp-dm1] accounting lan-access radius-scheme rs1
[Device-isp-dm1] quit
6. Configure a local portal Web service:
# Create an HTTP-based local portal Web service.
[Device] portal local-web-server http
# Specify the file abc.zip as the default authentication page file for the local portal Web service.
(This file must exist in the directly root directory of the storage medium.)
[Device-portal-local-websvr-http] default-logon-page abc.zip
# Specify 80 as the port number listened by the local portal Web service.
[Device–portal-local-websvr-http] tcp-port 80
[Device-portal-local-websvr-http] quit
7. Configure Web authentication:
# Create Web authentication server named user.
[Device] web-auth server user
# Specify http://20.20.0.1/portal/ as the redirection URL for the Web authentication server.
[Device-web-auth-server-user] url http://20.20.0.1/portal/
# Specify the IP address of the Web authentication server as 20.20.0.1 (the IP address of
Loopback 0) and the port number as 80.
[Device-web-auth-server-user] ip 20.20.0.1 port 80
[Device-web-auth-server-user] quit
# Specify domain dml as the Web authentication domain.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] web-auth domain dm1
# Enable Web authentication by using Web authentication server user.
[Device-Twenty-FiveGigE1/0/1] web-auth enable apply server user
[Device-Twenty-FiveGigE1/0/1] quit
271
Authorization ACL ID: N/A
Authorization user profile: N/A
272
Configuring port security
About port security
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network
access control. The feature applies to ports that use different authentication methods for users.
Major functions
Port security provides the following functions:
• Prevents unauthorized access to a network by checking the source MAC address of inbound
traffic.
• Prevents access to unauthorized devices or hosts by checking the destination MAC address of
outbound traffic.
• Controls MAC address learning and authentication on a port to make sure the port learns only
source trusted MAC addresses.
273
Table 25 Port security modes
userLogin N/A
274
MAC address learning is disabled on a port in secure mode. You configure MAC addresses by
using the mac-address static and mac-address dynamic commands. For more
information about configuring MAC address table entries, see Layer 2—LAN Switching
Configuration Guide.
A port in secure mode allows only frames sourced from the following MAC addresses to pass:
{ Secure MAC addresses.
{ MAC addresses configured by using the mac-address dynamic and mac-address
static commands.
Performing 802.1X authentication
• userLogin.
A port in this mode performs 802.1X authentication and implements port-based access control.
The port can service multiple 802.1X users. Once an 802.1X user passes authentication on the
port, any subsequent 802.1X users can access the network through the port without
authentication.
• userLoginSecure.
A port in this mode performs 802.1X authentication and implements MAC-based access control.
The port services only one user passing 802.1X authentication.
• userLoginSecureExt.
This mode is similar to the userLoginSecure mode except that this mode supports multiple
online 802.1X users.
• userLoginWithOUI.
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode
also permits frames from one user whose MAC address contains a specific OUI.
In this mode, the port performs OUI check at first. If the OUI check fails, the port performs
802.1X authentication. The port permits frames that pass OUI check or 802.1X authentication.
NOTE:
An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In
MAC addresses, the first three octets are the OUI.
275
• macAddressOrUserLoginSecureExt.
This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode
supports multiple 802.1X and MAC authentication users.
• macAddressElseUserLoginSecure.
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with
MAC authentication having a higher priority as the Else keyword implies. The mode allows one
802.1X authentication user and multiple MAC authentication users to log in.
In this mode, the port performs MAC authentication upon receiving non-802.1X frames. Upon
receiving 802.1X frames, the port performs MAC authentication and then, if the authentication
fails, 802.1X authentication.
• macAddressElseUserLoginSecureExt.
This mode is similar to the macAddressElseUserLoginSecure mode except that this mode
supports multiple 802.1X and MAC authentication users as the Ext keyword implies.
276
3. (Optional.) Enabling SNMP notifications for port security
4. (Optional.) Enabling port security user logging
277
• userlogin-secure-or-mac.
• userlogin-secure-or-mac-ext.
• userlogin-withoui.
During authentication, the HTTP or HTTPS requests of a user are redirected to the Web interface
specified by the server-assigned URL attribute. After the user passes the Web authentication, the
RADIUS server records the MAC address of the user and uses a DM (Disconnect Message) to log
off the user. When the user initiates 802.1X or MAC authentication again, it will pass the
authentication and come online successfully.
To redirect the HTTPS requests of port security users, specify the HTTPS redirect listening port on
the device. For more information, see HTTP redirect in Layer 3—IP Services Configuration Guide.
Prerequisites
Before you set a port security mode for a port, complete the following tasks:
• Disable 802.1X and MAC authentication.
• Verify that the port does not belong to any service loopback group.
• If you are configuring the autoLearn mode, set port security's limit on the number of secure
MAC addresses. You cannot change the setting when the port is operating in autoLearn mode.
Procedure
1. Enter system view.
system-view
2. Set an OUI value for user authentication.
port-security oui index index-value mac-address oui-value
By default, no OUI values are configured for user authentication.
This command is required only for the userlogin-withoui mode.
You can set multiple OUIs, but when the port security mode is userlogin-withoui, the port
allows one 802.1X user and only one user that matches one of the specified OUIs.
3. Enter interface view.
interface interface-type interface-number
4. Set the port security mode.
port-security port-mode { autolearn | mac-authentication |
mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure
| userlogin | userlogin-secure | userlogin-secure-ext |
userlogin-secure-or-mac | userlogin-secure-or-mac-ext |
userlogin-withoui }
By default, a port operates in noRestrictions mode.
278
{ The limit of concurrent users allowed by the authentication mode in use.
• Controlling the number of secure MAC addresses on the port in autoLearn mode.
You can also set the maximum number of secure MAC addresses that port security allows for
specific VLANs or each VLAN on a port.
Port security's limit on the number of secure MAC addresses on a port is independent of the MAC
learning limit described in MAC address table configuration. For more information about MAC
address table configuration, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum number of secure MAC addresses allowed on a port.
port-security max-mac-count max-count[ vlan [ vlan-id-list ] ]
By default, port security does not limit the number of secure MAC addresses on a port.
279
Can be saved and
Type Address sources Aging mechanism survive a device
reboot?
disabled. configured, the aging timer restarts
once traffic data is detected from
the sticky MAC addresses.
• Converted from sticky
MAC addresses. No.
• Automatically learned All dynamic secure
Dynamic Same as sticky MAC addresses.
after the dynamic MAC addresses are
secure MAC feature is lost at reboot.
enabled.
When the maximum number of secure MAC address entries is reached, the port changes to secure
mode. In secure mode, the port cannot add or learn any more secure MAC addresses. The port
allows only frames sourced from secure MAC addresses or MAC addresses configured by using the
mac-address dynamic or mac-address static command to pass through.
Prerequisites
Before you configure secure MAC addresses, complete the following tasks:
• Set port security's limit on the number of MAC addresses on the port. Perform this task before
you enable autoLearn mode.
• Set the port security mode to autoLearn.
• Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN.
Make sure the VLAN already exists.
280
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable inactivity aging for secure MAC addresses.
port-security mac-address aging-type inactivity
By default, the inactivity aging feature is disabled for secure MAC addresses.
Configuring NTK
About the NTK feature
The NTK feature checks the destination MAC addresses in outbound frames to allow a port to send
only legitimate frames.
The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with an authenticated destination MAC address.
• ntk-withbroadcasts—Forwards only broadcast and unicast frames with an authenticated
destination MAC address.
• ntk-withmulticasts—Forwards only broadcast, multicast, and unicast frames with an
authenticated destination MAC address.
• ntkauto—Forwards only broadcast, multicast, and unicast frames with an authenticated
destination MAC address, and only when the port has online users.
Restrictions and guidelines
The NTK feature drops any unicast frame with an unknown destination MAC address.
Not all port security modes support triggering the NTK feature. For more information, see Table 25.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the NTK feature.
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts |
ntkauto | ntkonly }
By default, NTK is disabled on a port and all frames are allowed to be sent.
281
Configuring intrusion protection
About intrusion protection
Intrusion protection enables a device to take one of the following actions on a port in response to
illegal frames:
• blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list,
and then discards frames sourced from blocked MAC addresses for a period set by the block
timer. A blocked MAC address will be unblocked when the block timer expires.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a period of time. The period can be configured
with the port-security timer disableport command.
Restrictions and guidelines
On a port operating in either macAddressElseUserLoginSecure mode or
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication fail for the same frame.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the intrusion protection feature.
port-security intrusion-mode { blockmac | disableport |
disableport-temporarily }
By default, intrusion protection is disabled.
4. Return to system view.
quit
5. (Optional.) Set the silence timeout period during which a port remains disabled.
port-security timer disableport time-value
By default, the port silence timeout period is 20 seconds.
6. (Optional.) Set the block timer for blocked MAC addresses.
port-security timer blockmac time-value
By default, the block timer is 180 seconds.
282
port-security authorization ignore
By default, a port uses the authorization information received from the authentication server.
283
Enabling the authorization-fail-offline feature
About the authorization-fail-offline feature
IMPORTANT:
The authorization-fail-offline feature takes effect only on port security users that have failed ACL or
user profile authorization.
The authorization-fail-offline feature logs off port security users that have failed authorization.
A user fails authorization in the following situations:
• The device or server fails to assign the specified authorization attribute to the user.
• The device or server assigns authorization information that does not exist on the device to the
user.
This feature does not apply to users that have failed VLAN authorization. The device logs off these
users directly.
You can also enable the quiet timer feature for 802.1X or MAC authentication users that are logged
off by the authorization-fail-offline feature. The device adds these users to the 802.1X or MAC
authentication quiet queue. Within the quiet timer, the device does not process packets from these
users or authenticate them. If you do not enable the quiet timer feature, the device immediately
authenticates these users upon receiving packets from them.
Prerequisites
For the quiet timer feature to take effect, complete the following tasks:
• For 802.1X users, use the dot1x quiet-period command to enable the quiet timer and
use the dot1x timer quiet-period command to set the timer.
• For MAC authentication users, use the mac-authentication timer quiet command to
set the quiet timer for MAC authentication.
Procedure
1. Enter system view.
system-view
2. Enable the authorization-fail-offline feature.
port-security authorization-fail offline [ quiet-period ]
By default, this feature is disabled, and the device does not log off users that have failed
authorization.
284
This feature limits the number of MAC addresses that port security allows to access a port through
specific VLANs. Use this feature to prevent resource contentions among MAC addresses and
ensure reliable performance for each access user on the port. When the number of MAC addresses
in a VLAN on the port reaches the upper limit, the device denies any subsequent MAC addresses in
the VLAN on the port.
Restrictions and guidelines
On a port, the maximum number of MAC addresses in a VLAN cannot be smaller than the number of
existing MAC addresses in the VLAN. If the specified maximum number is smaller, the setting does
not take effect.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set port security's limit on the number of MAC addresses for specific VLANs on the port.
port-security mac-limit max-number per-vlan vlan-id-list
The default setting is 2147483647.
285
system-view
2. Enable global open authentication mode.
port-security authentication open global
By default, global open authentication mode is disabled.
3. Enter interface view.
interface interface-type interface-number
4. Enable open authentication mode on the port.
port-security authentication open
By default, open authentication mode is disabled on a port.
286
Enabling the escape critical VSI feature for
802.1X and MAC authentication users
About the escape critical VSI feature
The escape critical VSI feature operates on VXLAN networks. It enables 802.1X and MAC
authentication users to escape the authentication failure that occurs because the RADIUS server is
malfunctioning.
You can enable this feature temporarily to prevent 802.1X and MAC authentication service
interruption while you are troubleshooting a malfunctioning RADIUS server.
After the escape critical VSI feature is enabled on a port, the device performs the following
operations when 802.1X or MAC authentication is triggered for a user:
1. Dynamically creates an Ethernet service instance that matches the user's access VLAN and
MAC address on the access port.
2. Maps the Ethernet service instance to the 802.1X or MAC authentication critical VSI on the port.
The user can then come online without authentication and access resources in the VXLAN
associated with the critical VSI.
The escape critical VSI feature does not affect 802.1X or MAC authentication users that have been
online before this feature is enabled.
Restrictions and guidelines
For the escape critical VSI feature to work correctly on a port, make sure the port does not have the
following settings:
• Web authentication.
• Guest, Auth-Fail, or critical VLAN for 802.1X authentication.
• Guest or critical VLAN for MAC authentication.
You can enable or disable this feature globally on all ports or on a per-port basis.
If the mac-authentication critical vsi critical-vsi-name url-user-logoff
command is used in conjunction with this feature, MAC authentication users that have been
assigned authorization URLs on the port will be logged off. For more information, see "Configuring
MAC authentication."
When you disable the escape critical VSI both globally and on a port, the device logs off the users in
the critical VSIs for 802.1X and MAC authentication on that port. The users must perform
authentication to come online again on that port.
The escape critical VSI feature does not take effect on a new 802.1X or MAC authentication user if
any of the following conditions exists:
• The 802.1X client and the device use different EAP message handling methods.
• 802.1X MAC address binding is enabled on the user's access port, but the MAC address of the
802.1X user is not bound to that port.
• The user's MAC address is an all-zero, all-F, or multicast MAC address.
Prerequisites
Before you enable the escape critical VSI feature on a port, configure an 802.1X critical VSI and a
MAC authentication critical VSI on that port. For more information about critical VSI configuration,
see "Configuring 802.1X" and "Configuring MAC authentication."
Procedure
1. Enter system view.
system-view
287
2. Enable the escape critical VSI feature.
{ Enable the global escape critical VSI feature.
port-security global escape critical-vsi
{ Execute the following commands in sequence to enable the escape critical VSI feature on a
port:
interface interface-type interface-number
port-security escape critical-vsi
By default, the escape critical VSI feature is disabled.
288
Display and maintenance commands for port
security
Execute display commands in any view:
Task Command
Display the port security configuration, display port-security [ interface
operation information, and statistics. interface-type interface-number ]
display port-security mac-address block
Display information about blocked MAC
[ interface interface-type
addresses.
interface-number ] [ vlan vlan-id ] [ count ]
display port-security mac-address security
Display information about secure MAC
[ interface interface-type
addresses.
interface-number ] [ vlan vlan-id ] [ count ]
Procedure
# Enable port security.
<Device> system-view
[Device] port-security enable
# Set port security's limit on the number of secure MAC addresses to 64 on Twenty-FiveGigE 1/0/1.
289
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] port-security max-mac-count 64
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[Device-Twenty-FiveGigE1/0/1] port-security intrusion-mode disableport-temporarily
[Device-Twenty-FiveGigE1/0/1] quit
[Device] port-security timer disableport 30
Twenty-FiveGigE1/0/1 is link-up
Port mode : autoLearn
NeedToKnow mode : Disabled
Intrusion protection mode : DisablePortTemporarily
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 64
Current secure MAC addresses : 0
Authorization : Permitted
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
The port allows for MAC address learning, and you can view the number of learned MAC addresses
in the Current secure MAC addresses field.
290
# Display additional information about the learned MAC addresses.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] display this
#
interface Twenty-FiveGigE1/0/1
port-security max-mac-count 64
port-security port-mode autolearn
port-security mac-address security sticky 0002-0000-0015 vlan 1
port-security mac-address security sticky 0002-0000-0014 vlan 1
port-security mac-address security sticky 0002-0000-0013 vlan 1
port-security mac-address security sticky 0002-0000-0012 vlan 1
port-security mac-address security sticky 0002-0000-0011 vlan 1
#
[Device-Twenty-FiveGigE1/0/1] quit
# Verify that the port security mode changes to secure after the number of MAC addresses learned
by the port reaches 64.
[Device] display port-security interface twenty-fivegige 1/0/1
# Verify that the port will be disabled for 30 seconds after it receives a frame with an unknown MAC
address. (Details not shown.)
# After the port is re-enabled, delete several secure MAC addresses.
[Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1
[Device] undo port-security mac-address security sticky 0002-0000-0014 vlan 1
…
# Verify that the port security mode of the port changes to autoLearn, and the port can learn MAC
addresses again. (Details not shown.)
291
Figure 82 Network diagram
Procedure
The following configuration steps cover some AAA/RADIUS configuration commands. For more
information about the commands, see Security Command Reference.
Make sure the host and the RADIUS server can reach each other.
1. Configure AAA:
# Configure a RADIUS scheme named radsun.
<Device> system-view
[Device] radius scheme radsun
[Device-radius-radsun] primary authentication 192.168.1.2
[Device-radius-radsun] primary accounting 192.168.1.3
[Device-radius-radsun] secondary authentication 192.168.1.3
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication simple name
[Device-radius-radsun] key accounting simple money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# Configure ISP domain sun.
[Device] domain sun
[Device-isp-sun] authentication lan-access radius-scheme radsun
[Device-isp-sun] authorization lan-access radius-scheme radsun
[Device-isp-sun] accounting lan-access radius-scheme radsun
[Device-isp-sun] quit
2. Configure 802.1X:
# Set the 802.1X authentication method to CHAP. By default, the authentication method for
802.1X is CHAP.
[Device] dot1x authentication-method chap
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users on
Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] dot1x mandatory-domain sun
[Device-Twenty-FiveGigE1/0/1] quit
3. Configure port security:
# Enable port security.
[Device] port-security enable
292
# Add five OUI values. (You can add up to 16 OUI values. The port permits only one user
matching one of the OUIs to pass authentication.)
[Device] port-security oui index 1 mac-address 1234-0100-1111
[Device] port-security oui index 2 mac-address 1234-0200-1111
[Device] port-security oui index 3 mac-address 1234-0300-1111
[Device] port-security oui index 4 mac-address 1234-0400-1111
[Device] port-security oui index 5 mac-address 1234-0500-1111
# Set the port security mode to userLoginWithOUI.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] port-security port-mode userlogin-withoui
[Device-Twenty-FiveGigE1/0/1] quit
Twenty-FiveGigE1/0/1 is link-up
Port mode : userLoginWithOUI
NeedToKnow mode : Disabled
Intrusion protection mode : NoAction
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : Not configured
Current secure MAC addresses : 1
Authorization :Permitted
293
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
# Display information about the online 802.1X user to verify 802.1X configuration.
[Device] display dot1x
# Verify that the port also allows one user whose MAC address has an OUI among the specified
OUIs to pass authentication.
[Device] display mac-address interface twenty-fivegige 1/0/1
MAC Address VLAN ID State Port/NickName Aging
1234-0300-0011 1 Learned WGE1/0/1 Y
Procedure
Make sure the host and the RADIUS server can reach each other.
1. Configure RADIUS authentication/accounting and ISP domain settings. (See "Example:
Configuring port security in userLoginWithOUI mode.")
2. Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
294
# Use MAC-based accounts for MAC authentication. Each MAC address must be in the
hexadecimal notation with hyphens, and letters are in upper case.
[Device] mac-authentication user-name-format mac-address with-hyphen uppercase
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. By default, the authentication method for
802.1X is CHAP.
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-Twenty-FiveGigE1/0/1] port-security port-mode mac-else-userlogin-secure
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users.
[Device-Twenty-FiveGigE1/0/1] dot1x mandatory-domain sun
# Set the NTK mode of the port to ntkonly.
[Device-Twenty-FiveGigE1/0/1] port-security ntk-mode ntkonly
[Device-Twenty-FiveGigE1/0/1] quit
Twenty-FiveGigE1/0/1 is link-up
Port mode : macAddressElseUserLoginSecure
NeedToKnow mode : NeedToKnowOnly
Intrusion protection mode : NoAction
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 64
295
Current secure MAC addresses : 0
Authorization : Permitted
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
# After users pass authentication, display MAC authentication information. Verify that
Twenty-FiveGigE 1/0/1 allows multiple MAC authentication users to be authenticated.
[Device] display mac-authentication interface twenty-fivegige 1/0/1
Global MAC authentication parameters:
MAC authentication : Enabled
Authentication method : PAP
User name format : MAC address in uppercase(XX-XX-XX-XX-XX-XX)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 180 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for critical VSI : 1000 s
User aging period for guest VLAN : 1000 s
User aging period for guest VSI : 1000 s
Authentication domain : sun
Online MAC-auth wired users : 3
Twenty-FiveGigE1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Enabled
296
Critical VSI : Not configured
Max online users : 4294967295
Auto-tag feature : Disabled
VLAN tag configuration ignoring : Disabled
Authentication attempts : successful 3, failed 7
Current online users : 3
MAC address Auth state
1234-0300-0011 Authenticated
1234-0300-0012 Authenticated
1234-0300-0013 Authenticated
# Display 802.1X authentication information. Verify that Twenty-FiveGigE 1/0/1 allows only one
802.1X user to be authenticated.
[Device] display dot1x interface twenty-fivegige 1/0/1
Global 802.1X parameters:
802.1X authentication : Enabled
CHAP authentication : Enabled
Max-tx period : 30 s
Handshake period : 15 s
Offline detect period : 300 s
Quiet timer : Disabled
Quiet period : 60 s
Supp timeout : 30 s
Server timeout : 100 s
Reauth period : 3600 s
Max auth requests : 2
User aging period for Auth-Fail VLAN : 1000 s
User aging period for Auth-Fail VSI : 1000 s
User aging period for critical VLAN : 1000 s
User aging period for critical VSI : 1000 s
User aging period for guest VLAN : 1000 s
User aging period for guest VSI : 1000 s
EAD assistant function : Disabled
EAD timeout : 30 min
Domain delimiter : @
Online 802.1X wired users : 1
Twenty-FiveGigE1/0/1 is link-up
802.1X authentication : Enabled
Handshake : Enabled
Handshake reply : Disabled
Handshake security : Disabled
Unicast trigger : Disabled
Periodic reauth : Disabled
Port role : Authenticator
Authorization mode : Auto
Port access control : MAC-based
Multicast trigger : Enabled
Mandatory auth domain : sun
297
Guest VLAN : Not configured
Auth-Fail VLAN : Not configured
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Add Guest VLAN delay : Disabled
Re-auth server-unreachable : Logoff
Max online users : 4294967295
User IP freezing : Disabled
Reauth period : 60 s
Send Packets Without Tag : Disabled
Max Attempts Fail Number : 0
Guest VSI : Not configured
Auth-Fail VSI : Not configured
Critical VSI : Not configured
Add Guest VSI delay : Disabled
User aging : Enabled
Server-recovery online-user-sync : Enabled
# Verify that frames with an unknown destination MAC address, multicast address, or broadcast
address are discarded. (Details not shown.)
298
[Device-Twenty-FiveGigE1/0/1] undo port-security port-mode
2. Set a new port security mode for the port, for example, autoLearn.
[Device-Twenty-FiveGigE1/0/1] port-security port-mode autolearn
3. If the issue persists, contact Hewlett Packard Enterprise Support.
299
Configuring user profiles
About user profiles
A user profile defines a set of parameters, such as a QoS policy, for a user or a class of users. A user
profile can be reused when a user connected to the network on a different interface.
The user profile application allows flexible traffic policing on a per-user basis. Each time a user
passes authentication, the server sends the device the name of the user profile specified for the user.
The device applies the parameters in the user profile to the user.
User profiles are typically used for resource allocation per user. For example, the interface-based
traffic policing limits the total amount of bandwidth available to a group of users. However,
user-profile-based traffic policing can limit the amount of bandwidth available to a single user.
Task Command
Display configuration and online display user-profile [ name profile-name ] [ slot
user information for the specified
user profile or all user profiles. slot-number ]
300
User profile configuration examples
Example: Configuring user profiles and QoS policies
Network requirements
As shown in Figure 84, the device performs local 802.1X authentication on the users in domain user
for authentication and authorization efficiency.
Configure user profiles and QoS policies on the device to meet the following requirements:
• User A cannot access the Internet during 8: 30 and 12:00 every day even if User A passes
802.1X authentication.
• User B has an upload speed of 2 Mbps after passing 802.1X authentication.
• User C has a download speed of 4 Mbps after passing 802.1X authentication.
Figure 84 Network diagram
Configuration procedure
1. Configure a QoS policy for User A:
# Create a periodic time range from 8:30 to 12:00 every day.
<Device> system-view
[Device] time-range for_usera 8:30 to 12:00 daily
# Create IPv4 basic ACL 2000, and configure a rule to match all packets during the time range
for_usera.
[Device] acl basic 2000
[Device-acl-basic-2000] rule permit time-range for_usera
[Device-acl-basic-2000] quit
# Create a traffic class named for_usera, and use ACL 2000 as the match criterion.
[Device] traffic classifier for_usera
[Device-classifier-for_usera] if-match acl 2000
[Device-classifier-for_usera] quit
# Create a traffic behavior named for_usera, and configure the deny action.
[Device] traffic behavior for_usera
[Device-behavior-for_usera] filter deny
[Device-behavior-for_usera] quit
# Create a QoS policy named for_usera, and associate traffic class for_usera and traffic
behavior for_usera in the QoS policy.
[Device] qos policy for_usera
[Device-qospolicy-for_usera] classifier for_usera behavior for_usera
[Device-qospolicy-for_usera] quit
301
2. Create a user profile for User A and apply the QoS policy to the user profile:
# Create a user profile named usera.
[Device] user-profile usera
# Apply QoS policy for_usera to the inbound direction of user profile usera.
[[Device-user-profile-usera] qos apply policy for_usera inbound
[Device-user-profile-usera] quit
3. Configure a QoS policy for limiting the traffic rate for User B:
# Create a traffic class named class to match all packets.
[Device] traffic classifier class
[Device-classifier-class] if-match any
[Device-classifier-class] quit
# Create a traffic behavior named for_userb, and configure a traffic policing action (CIR 2000
kbps).
[Device] traffic behavior for_userb
[Device-behavior-for_userb] car cir 2000
[Device-behavior-for_userb] quit
# Create a QoS policy named for_userb, and associate traffic class class and traffic behavior
for_userb in the QoS policy.
[Device] qos policy for_userb
[Device-qospolicy-for_userb] classifier class behavior for_userb
[Device-qospolicy-for_userb] quit
4. Create a user profile for User B and apply the QoS policy to the user profile:
# Create a user profile named userb.
[Device] user-profile userb
# Apply QoS policy for_userb to the inbound direction of user profile userb.
[Device-user-profile-userb] qos apply policy for_userb inbound
[Device-user-profile-userb] quit
5. Configure a QoS policy for limiting the traffic rate for User C:
# Create a traffic behavior named for_userc, and configure a traffic policing action (CIR 4000
kbps).
[Device] traffic behavior for_userc
[Device-behavior-for_userc] car cir 4000
[Device-behavior-for_userc] quit
# Create a QoS policy named for_userc, and associate traffic class class and traffic behavior
for_userc in the QoS policy.
[Device] qos policy for_userc
[Device-qospolicy-for_userc] classifier class behavior for_userc
[Device-qospolicy-for_userc] quit
6. Create a user profile for User C and apply the QoS policy to the user profile:
# Create a user profile named userc.
[Device] user-profile userc
# Apply QoS policy for_userc to the outbound direction of user profile userc.
[Device-user-profile-userc] qos apply policy for_userc outbound
[Device-user-profile-userc] quit
7. Configure local users:
# Create a local user named usera.
[Device] local-user usera class network
302
New local user added.
# Set the password to a12345 for user usera.
[Device-luser-network-usera] password simple a12345
# Authorize user usera to use the LAN access service.
[Device-luser-network-usera] service-type lan-access
# Specify user profile usera as the authorization user profile for user usera.
[Device-luser-network-usera] authorization-attribute user-profile usera
[Device-luser-network-usera] quit
# Create a local user named userb.
[Device] local-user userb class network
New local user added.
# Set the password to b12345 for user userb.
[Device-luser-network-userb] password simple b12345
# Authorize user userb to use the LAN access service.
[Device-luser-network-userb] service-type lan-access
# Specify user profile userb as the authorization user profile for user userb.
[Device-luser-network-userb] authorization-attribute user-profile userb
[Device-luser-network-userb] quit
# Create a local user named userc.
[Device] local-user userc class network
New local user added.
# Set the password to c12345 for user userc.
[Device-luser-network-userc] password simple c12345
# Authorize user userc to use the LAN access service.
[Device-luser-network-userc] service-type lan-access
# Specify user profile userc as the authorization user profile for user userc.
[Device-luser-network-userc] authorization-attribute user-profile userc
[Device-luser-network-userc] quit
8. Configure the authentication, authorization, and accounting methods for local users:
[Device] domain user
[Device-isp-user] authentication lan-access local
[Device-isp-user] authorization lan-access local
[Device-isp-user] accounting login none
[Device-isp-user] quit
9. Configure 802.1X:
# Enable 802.1X on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] dot1x
# Enable MAC-based access control on the port. By default, a port uses MAC-based access
control.
[Device-Twenty-FiveGigE1/0/1] dot1x port-method macbased
[Device-Twenty-FiveGigE1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
303
# Display user profile information.
<Device> display user-profile
User-Profile: usera
Inbound:
Policy: for_usera
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Twenty-FiveGigE1/0/1
MAC address : 6805-ca06-557b
Service VLAN : 1
User-Profile: userb
Inbound:
Policy: for_userb
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Twenty-FiveGigE1/0/1
MAC address : 80c1-6ee0-2664
Service VLAN : 1
User-Profile: userc
Outbound:
Policy: for_userc
slot 1:
User -:
Authentication type: 802.1X
Network attributes:
Interface : Twenty-FiveGigE1/0/1
MAC address : 6805-ca05-3efa
Service VLAN : 1
304
Configuring password control
About password control
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for local users.
• Control user login status based on predefined policies.
For more information about local users, see "Configuring AAA." For information about super
passwords, see RBAC in Fundamentals Configuration Guide.
Password setting
Minimum password length
You can define the minimum length of user passwords. The system rejects the setting of a password
that is shorter than the configured minimum length.
Password composition policy
A password can be a combination of characters from the following types:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 27. For more information about special characters, see CLI in
Fundamentals Configuration Guide.
Table 27 Special Characters
Asterisk * At sign @
305
Character name Symbol Character name Symbol
Slash / Tilde ~
Depending on the system's security requirements, you can set the minimum number of character
types a password must contain and the minimum number of characters for each type, as shown
in Table 28.
Table 28 Password composition policy
When a user sets or changes a password, the system checks if the password meets the combination
requirement. If it does not, the operation fails.
Password complexity checking policy
A less complicated password is more likely to be cracked, such as a password containing the
username or repeated characters. For higher security, you can configure a password complexity
checking policy to ensure that all user passwords are relatively complicated. When a user configures
a password, the system checks the complexity of the password. If the password is
complexity-incompliant, the configuration will fail.
You can apply the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the
username is abc, a password such as abc982 or 2cba is not complex enough.
• A minimum of three identical consecutive characters is not allowed. For example, password
a111 is not complex enough.
306
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less
than the specified notification period. If so, the system notifies the user when the password will expire
and provides a choice for the user to change the password.
• If the user sets a new valid password, the system records the new password and the setup time.
• If the user does not or fails to change the password, the system allows the user to log in by
using the current password until the password expires.
Telnet users, SSH users, and console users can change their own passwords. FTP users must have
their passwords changed by the administrator.
Login with an expired password
You can allow a user to log in a certain number of times within a period of time after the password
expires. For example, if you set the maximum number of logins with an expired password to 3 and
the time period to 15 days, a user can log in three times within 15 days after the password expires.
Password history
This feature allows the system to store passwords that a user has used.
When a network access user changes the password, the system compares the new password with
the current password and those stored in the password history records. The new password must be
different from the current one and those stored in the history records by a minimum of four different
characters. Otherwise, the system will display an error message, and the new password is not
successfully set.
The local passwords and super passwords for device management users are stored in hash form
and cannot be converted to plain texts. When a device management user changes a local password
or super password, follow these rules:
• If the new password is set by using the hash method, the system will not compare the new
password with the current one and those stored in the history password records.
• If the new password in set in plain text, the system compares the new password with the current
password and those stored in the password history records. A new password must be different
from those stored in the history password records. If the current password is required, the new
password must also be different from the current one by a minimum of four different characters.
Otherwise, the system will display an error message, and the new password is not successfully
set.
You can set the maximum number of history password records for the system to maintain for each
user. When the number of history password records exceeds the setting, the most recent record
overwrites the earliest one.
Current login passwords are not stored in the password history for device management users.
Device management users have their passwords saved in cipher text, which cannot be recovered to
plaintext passwords.
307
• Nonexistent users (users not configured on the device).
• Users logging in to the device through console ports.
If a user fails to log in, the system adds the user account and the user's IP address to the password
control blacklist. When the user fails the maximum number of consecutive attempts, login attempt
limit limits the user and user account in any of the following ways:
• Locks the user account and the user's IP address permanently. No users can use this account
to log in to the device from this IP address unless the account is manually removed from the
password control blacklist.
• Allows the user to continue using the user account. The user's IP address and user account are
removed from the password control blacklist when the user uses this account to successfully
log in to the device.
• Locks the user account and the user's IP address for a period of time.
The user can use the account to log in from the IP address when either of the following
conditions exists:
{ The locking timer expires.
{ The account is manually removed from the password control blacklist before the locking
timer expires.
NOTE:
This account is locked only for the user at the locked IP address. A user from an unlocked IP
address can still use this account, and the user at the locked IP address can use other unlocked user
accounts.
Logging
The system generates a log each time a user changes its password successfully or is added to the
password control blacklist because of login failures.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
308
The password control features can be configured in several different views, and different views
support different features. The settings configured in different views or for different objects have the
following application ranges:
• Settings for super passwords apply only to super passwords.
• Settings in local user view apply only to the password of the local user.
• Settings in user group view apply to the passwords of the local users in the user group if you do
not configure password policies for these users in local user view.
• Global settings in system view apply to the passwords of the local users in all user groups if you
do not configure password policies for these users in both local user view and user group view.
For local user passwords, the settings with a smaller application scope have higher priority.
309
system-view
2. Enable the global password control feature.
In non-FIPS mode:
password-control enable [ network-class ]
By default, the global password control feature is disabled for device management and network
access users.
In FIPS mode:
password-control enable [ network-class ]
By default, the global password control feature is enabled for device management users and
cannot be disabled. The global password control feature is disabled for network access users.
3. (Optional.) Enable a specific password control feature.
password-control { aging | composition | history | length } enable
By default, all four password control features are enabled.
310
password-control length length
The default length is 15 characters.
{ Configure the password composition policy.
In non-FIPS mode:
password-control composition type-number type-number
[ type-length type-length ]
By default, a password must contain a minimum of one character type and a minimum of
one character for each type.
In FIPS mode:
password-control composition type-number type-number
[ type-length type-length ]
By default, a password must contain a minimum of four character types and a minimum of
one character for each type.
{ Configure the password complexity checking policy.
password-control complexity { same-character | user-name } check
By default, the system does not perform password complexity checking.
{ Set the maximum number of history password records for each user.
password-control history max-record-number
The default setting is 4.
3. Configure password updating and expiration.
{ Set the minimum password update interval.
password-control update interval interval
The default setting is 24 hours.
{ Set the password aging time.
password-control aging aging-time
The default setting is 90 days.
{ Set the number of days during which a user is notified of the pending password expiration.
password-control alert-before-expire alert-time
The default setting is 7 days.
{ Set the maximum number of days and maximum number of times that a user can log in after
the password expires.
password-control expired-user-login delay delay times times
By default, a user can log in three times within 30 days after the password expires.
4. Configure user login control.
{ Configure the login attempt limit.
password-control login-attempt login-times [ exceed { lock |
lock-time time | unlock } ]
By default, the maximum number of login attempts is 3 and a user failing to log in after the
specified number of attempts must wait for 1 minute before trying again.
{ Set the maximum account idle time.
password-control login idle-time idle-time
The default setting is 90 days.
If a user account is idle for this period of time, the account becomes invalid and can no
longer be used to log in to the device. To disable the account idle time restriction, set the idle
time value to 0.
{ Set the user authentication timeout time.
311
password-control authentication-timeout timeout
The default setting is 600 seconds.
This command takes effect only on Telnet and terminal users.
{ Disable password change at first login.
undo password-control change-password first-login enable
By default, the password change at first login feature is enabled.
In FIPS mode, the password change at first login feature cannot be disabled.
312
For information about local user configuration, see "Configuring AAA."
3. Configure the password aging time for the local user.
password-control aging aging-time
By default, the setting equals that for the user group to which the local user belongs. If no aging
time is configured for the user group, the global setting applies to the local user.
This command is available only for device management users.
4. Configure the minimum password length for the local user.
password-control length length
By default, the setting equals that for the user group to which the local user belongs. If no
minimum password length is configured for the user group, the global setting applies to the
local user.
5. Configure the password composition policy for the local user.
password-control composition type-number type-number [ type-length
type-length ]
By default, the settings equal those for the user group to which the local user belongs. If no
password composition policy is configured for the user group, the global settings apply to the
local user.
6. Configure the password complexity checking policy for the local user.
password-control complexity { same-character | user-name } check
By default, the settings equal those for the user group to which the local user belongs. If no
password complexity checking policy is configured for the user group, the global settings apply
to the local user.
7. Configure the login attempt limit.
password-control login-attempt login-times [ exceed { lock | lock-time
time | unlock } ]
By default, the settings equal those for the user group to which the local user belongs. If no
login-attempt policy is configured for the user group, the global settings apply to the local user.
This command is available only for device management users.
313
password-control super composition type-number type-number
[ type-length type-length ]
By default, a super password must contain a minimum of one character type and a minimum of
one character for each type.
In FIPS mode:
password-control super composition type-number type-number
[ type-length type-length ]
By default, a super password must contain a minimum of four character types and a minimum of
one character for each type.
Task Command
Display password control configuration. display password-control [ super ]
display password-control blacklist
Display information about users in the
[ user-name user-name | ip ipv4-address
password control blacklist.
| ipv6 ipv6-address]
Delete users from the password control reset password-control blacklist
blacklist. [ user-name user-name ]
reset password-control history-record
[ user-name user-name | super [ role
Clear history password records.
role-name ] | network-class [ user-name
user-name ] ]
NOTE:
The reset password-control history-record command can delete the history password
records of one or all users even when the password history feature is disabled.
314
• The maximum account idle time is 30 days.
• A password cannot contain the username or the reverse of the username.
• A minimum of three identical consecutive characters is not allowed in a password.
Configure a super password control policy for user role network-operator to meet the following
requirements:
• A super password must contain a minimum of 24 characters.
• A super password must contain a minimum of four character types and a minimum of five
characters for each type.
Configure a password control policy for local Telnet user test to meet the following requirements:
• The password must contain a minimum of 24 characters.
• The password must contain a minimum of four character types and a minimum of five
characters for each type.
• The password for the local user expires after 20 days.
Procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Allow a maximum of two consecutive login failures on a user account, and lock the user account
and the user's IP address permanently if the limit is reached.
[Sysname] password-control login-attempt 2 exceed lock
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Refuse any password that contains the username or the reverse of the username.
[Sysname] password-control complexity user-name check
# Globally specify that all passwords must each contain a minimum of four character types and a
minimum of four characters for each type.
[Sysname] password-control composition type-number 4 type-length 4
# Specify that a super password must contain a minimum of four character types and a minimum of
five characters for each type.
[Sysname] password-control super composition type-number 4 type-length 5
315
# Create a device management user named test.
[Sysname] local-user test class manage
# Specify that the password of the local user must contain a minimum of four character types and a
minimum of five characters for each type.
[Sysname-luser-manage-test] password-control composition type-number 4 type-length 5
# Set the password for the local user to expire after 20 days.
[Sysname-luser-manage-test] password-control aging 20
316
Total 1 local users matched.
317
Configuring keychains
About keychains
A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication
by periodically changing the key and authentication algorithm without service interruption.
A keychain operates in absolute time mode. In this mode, each time point during a key's lifetime is
the UTC time and is not affected by the system's time zone or daylight saving time.
Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving
lifetime. When the system time is within the lifetime of a key in a keychain, an application uses the
key to authenticate incoming and outgoing packets. The keys in the keychain take effect one by one
according to the sequence of the configured lifetimes. In this way, the authentication algorithms and
keys are dynamically changed to implement dynamic authentication.
Configuring a keychain
1. Enter system view.
system-view
2. Create a keychain and enter keychain view.
keychain keychain-name mode absolute
3. (Optional.) Configure TCP authentication.
{ Set the kind value in the TCP Enhanced Authentication Option.
tcp-kind kind-value
By default, the kind value is 254.
{ Set an algorithm ID for a TCP authentication algorithm.
tcp-algorithm-id { hmac-md5 | md5 } algorithm-id
By default, the algorithm ID is 3 for the MD5 authentication algorithm and 5 for the
HMAC-MD5 authentication algorithm.
When the local device uses TCP to communicate with a peer device from another vendor, make
sure both devices have the same kind value and algorithm ID settings. If they do not, modify the
settings on the local device.
4. (Optional.) Set a tolerance time for accept keys in the keychain.
accept-tolerance { value | infinite }
By default, no tolerance time is configured for accept keys in a keychain.
If authentication information is changed, information mismatch occurs on the local and peer
devices, and the service might be interrupted. Use this command to ensure continuous packet
authentication.
318
5. Create a key and enter key view.
key key-id
6. Configure the key.
{ Specify an authentication algorithm for the key.
authentication-algorithm { hmac-md5 | hmac-sha-256 | md5 }
By default, no authentication algorithm is specified for a key.
{ Configure a key string for the key.
key-string { cipher | plain } string
By default, no key string is configured.
{ Set the sending lifetime in UTC mode for the key.
send-lifetime utc start-time start-date { duration { duration-value
| infinite } | to end-time end-date }
By default, the sending lifetime is not configured for a key.
{ Set the receiving lifetime in UTC mode for the key.
accept-lifetime utc start-time start-date { duration
{ duration-value | infinite } | to end-time end-date }
By default, the receiving lifetime is not configured for a key.
{ (Optional.) Specify the key as the default send key.
default-send-key
You can specify only one key as the default send key in a keychain.
Task Command
display keychain [ name keychain-name [ key
Display keychain information.
key-id ] ]
Procedure
1. Configure Switch A:
319
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
<SwitchA> system-view
[SwitchA] ospf 1 router-id 1.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[SwitchA] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[SwitchA-keychain-abc] key 1
[SwitchA-keychain-abc-key-1] authentication-algorithm md5
[SwitchA-keychain-abc-key-1] key-string plain 123456
[SwitchA-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00
2015/02/06
[SwitchA-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00
2015/02/06
[SwitchA-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[SwitchA-keychain-abc] key 2
[SwitchA-keychain-abc-key-2] authentication-algorithm hmac-md5
[SwitchA-keychain-abc-key-2] key-string plain pwd123
[SwitchA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00
2015/02/06
[SwitchA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00
2015/02/06
[SwitchA-keychain-abc-key-2] quit
[SwitchA-keychain-abc] quit
# Configure VLAN-interface 100 to use keychain abc for authentication.
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ospf authentication-mode keychain abc
[SwitchA-Vlan-interface100] quit
2. Configure Switch B:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
[SwitchB] ospf 1 router-id 2.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[SwitchB] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[SwitchB-keychain-abc] key 1
[SwitchB-keychain-abc-key-1] authentication-algorithm md5
320
[SwitchB-keychain-abc-key-1] key-string plain 123456
[SwitchB-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00
2015/02/06
[SwitchB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00
2015/02/06
[SwitchB-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[SwitchB-keychain-abc] key 2
[SwitchB-keychain-abc-key-2] authentication-algorithm hmac-md5
[SwitchB-keychain-abc-key-2] key-string plain pwd123
[SwitchB-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00
2015/02/06
[SwitchB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00
2015/02/06
[SwitchB-keychain-abc-key-2] quit
[SwitchB-keychain-abc] quit
# Configure VLAN-interface 100 to use keychain abc for authentication.
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ospf authentication-mode keychain abc
[SwitchB-Vlan-interface100] quit
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Active
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
321
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Inactive
# Display keychain information on Switch B. The output shows that key 1 is the valid key.
[SwitchB]display keychain
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Active
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Inactive
2. When the system time is within the lifetime from 11:00:00 to 12:00:00 on the day 2015/02/06,
verify the status of the keys in keychain abc.
# Display keychain information on Switch A. The output shows that key 2 becomes the valid
key.
[SwitchA]display keychain
322
Active send key ID : 2
Active accept key IDs: 2
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Active
# Display keychain information on Switch B. The output shows that key 2 becomes the valid
key.
[SwitchB]display keychain
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Active
323
324
Managing public keys
About public key management
This chapter describes public key management for the following asymmetric key algorithms:
• Revest-Shamir-Adleman Algorithm (RSA).
• Digital Signature Algorithm (DSA).
• Elliptic Curve Digital Signature Algorithm (ECDSA).
A key owner can distribute the public key in plain text on the network but must keep the private key in
privacy. It is mathematically infeasible to calculate the private key even if an attacker knows the
algorithm and the public key.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
325
1. Creating a local key pair
2. Distributing a local host public key
Choose one of the following tasks:
{ Exporting a host public key
{ Displaying a host public key
To enable the peer device to authenticate the local device, you must distribute the local device's
public key to the peer device.
3. Configuring a peer host public key
Choose one of the following tasks:
{ Importing a peer host public key from a public key file
{ Entering a peer host public key
To encrypt information sent to a peer device or authenticate the digital signature of the peer
device, you must configure the peer device's public key on the local device.
4. (Optional.) Destroying a local key pair
326
Type Generated key pairs Modulus/key length
DSA key modulus length:
• In non-FIPS mode: 512 to 2048 bits,
1024 bits by default.
DSA One host key pair.
To ensure security, use a minimum
of 768 bits.
• In FIPS mode: 2048 bits.
ECDSA key length:
• In non-FIPS mode: 192, 256, 384, or
ECDSA One host key pair.
521 bits.
• In FIPS mode: 256, 384, or 521 bits.
Procedure
1. Enter system view.
system-view
2. Create a local key pair.
In non-FIPS mode:
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1
| secp521r1 ] | rsa } [ name key-name ]
In FIPS mode:
public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 |
secp521r1 ] | rsa } [ name key-name ]
327
• If you do not specify a file name, the command exports the key to the monitor screen. You must
manually save the exported key to a file.
Procedure
1. Enter system view.
system-view
2. Export a local host public key.
{ Export an RSA host public key:
In non-FIPS mode:
public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 }
[ filename ]
In FIPS mode:
public-key local export rsa [ name key-name ] { openssh | ssh2 }
[ filename ]
{ Export an ECDSA host public key.
public-key local export ecdsa [ name key-name ] { openssh | ssh2 }
[ filename ]
{ Export a DSA host public key.
public-key local export dsa [ name key-name ] { openssh | ssh2 }
[ filename ]
328
Restrictions and guidelines for peer host public key
configuration
When you configure a peer host public key, follow these restrictions and guidelines:
• When you manually enter the peer host public key, make sure the entered key is in the correct
format. To obtain the peer host public key in the correct format, use the display
public-key local public command to display the public key on the peer device and
record the key. The format of the public key displayed in any other way might be incorrect. If the
key is not in the correct format, the system discards the key and displays an error message.
• Always import rather than enter the peer host public key if you are not sure whether the device
supports the format of the recorded peer host public key.
329
Destroying a local key pair
About destroying a local key pair
To ensure security, destroy the local key pair and generate a new key pair in any of the following
situations:
• The local key has leaked. An intrusion event might occur.
• The storage media of the device is replaced.
• The local certificate has expired. For more information about local certificates, see "Configuring
PKI."
Procedure
1. Enter system view.
system-view
2. Destroy a local key pair.
public-key local destroy { dsa | ecdsa | rsa } [ name key-name ]
Task Command
display public-key local { dsa | ecdsa | rsa }
Display local public keys.
public [ name key-name ]
display public-key peer [ brief | name
Display peer host public keys.
publickey-name ]
Device A Device B
330
Procedure
1. Configure Device A:
# Create local RSA key pairs with the default names on Device A, and use the default key
modulus length (1024 bits).
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...
Create the key pair successfully.
# Display all local RSA public keys.
[DeviceA] display public-key local rsa public
=============================================
Key name: hostkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2011/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2011/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
AC41C80A15953FB22AA30203010001
2. Configure Device B:
# Enter the host public key of Device A in public key view. The key must be literally the same as
displayed on Device A.
<DeviceB> system-view
[DeviceB] public-key peer devicea
Enter public key view. Return to system view with "peer-public-key end" command.
[DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081
8902818100DA3B90F59237347B
[DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700
27AC8F04A827B30C2CAF79242E
[DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744
1D288EC54A5D31EFAE4F681257
[DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F
94EB1F2D561BF66EA27DFD4788
[DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001
331
# Save the public key and return to system view.
[DeviceB-pkey-public-key-devicea] peer-public-key end
=============================================
Key name: devicea
Key type: RSA
Key modulus: 1024
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
Procedure
1. Configure Device A:
# Create local RSA key pairs with the default names on Device A, and use the default key
modulus length (1024 bits).
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...
Create the key pair successfully.
# Display all local RSA public keys.
[DeviceA] display public-key local rsa public
=============================================
332
Key name: hostkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2011/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
CB47440AF6BB25ACA50203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 16:48:31 2011/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
AC41C80A15953FB22AA30203010001
# Export the RSA host public key to file devicea.pub.
[DeviceA] public-key local export rsa ssh2 devicea.pub
# Enable the FTP server, create an FTP user with username ftp and password 123, and
configure the FTP user role as network-admin.
[DeviceA] ftp server enable
[DeviceA] local-user ftp
[DeviceA-luser-manage-ftp] password simple 123
[DeviceA-luser-manage-ftp] service-type ftp
[DeviceA-luser-manage-ftp] authorization-attribute user-role network-admin
[DeviceA-luser-manage-ftp] quit
2. Configure Device B:
# Use FTP in binary mode to get public key file devicea.pub from Device A.
<DeviceB> ftp 10.1.1.1
Connected to 10.1.1.1 (10.1.1.1).
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 TYPE is now 8-bit binary
ftp> get devicea.pub
227 Entering Passive Mode (10,1,1,1,118,252)
150 Accepted data connection
226 File successfully transferred
301 bytes received in 0.003 seconds (98.0 kbyte/s)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
333
221 Logout.
# Import the host public key from key file devicea.pub.
<DeviceB> system-view
[DeviceB] public-key peer devicea import sshkey devicea.pub
334
Configuring PKI
About PKI
Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for
securing network services.
PKI uses digital certificates to distribute and employ public keys, and provides network
communication and e-commerce with security services such as user authentication, data
confidentiality, and data integrity. For more information about public keys, see "Managing public
keys."
PKI terminology
Digital certificate
A digital certificate is an electronic document signed by a CA that binds a public key with the identity
of its owner.
A digital certificate includes the following information:
• Issuer name (name of the CA that issued the certificate).
• Subject name (name of the individual or group to which the certificate is issued).
• Identity information of the subject.
• Subject's public key.
• Signature of the CA.
• Validity period.
A digital certificate must comply with the international standards of ITU-T X.509, of which X.509 v3 is
the most commonly used.
This chapter covers the following types of certificates:
• CA certificate—Certificate of a CA. Multiple CAs in a PKI system form a CA tree, with the root
CA at the top. The root CA generates a self-signed certificate, and each lower level CA holds a
CA certificate issued by the CA immediately above it. The chain of these certificates forms a
chain of trust.
• Registration authority (RA) certificate—Certificate issued by a CA to an RA. RAs act as
proxies for CAs to process enrollment requests in a PKI system.
• Local certificate—Digital certificate issued by a CA to a local PKI entity, which contains the
entity's public key.
• Peer certificate—CA-signed digital certificate of a peer, which contains the peer's public key.
Fingerprint of root CA certificate
Each root CA certificate has a unique fingerprint, which is the hash value of the certificate content.
The fingerprint of a root CA certificate can be used to authenticate the validity of the root CA.
Certificate revocation list
A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked. A
CRL is created and signed by the CA that originally issued the certificates.
The CA publishes CRLs periodically to revoke certificates. Entities that are associated with the
revoked certificates should not be trusted.
The CA must revoke a certificate when any of the following conditions occurs:
335
• The certificate subject name is changed.
• The private key is compromised.
• The association between the subject and CA is changed. For example, when an employee
terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke
certificates, and to publish CRLs. Typically, a CA advertises its policy in a certification practice
statement (CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and
email. Make sure you understand the CA policy before you select a trusted CA for certificate request
because different CAs might use different policies.
PKI architecture
A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in Figure
89.
Figure 89 PKI architecture
PKI entity
A PKI entity is an end user using PKI certificates. The PKI entity can be an operator, an organization,
a device like a router or a switch, or a process running on a computer. PKI entities use SCEP to
communicate with the CA or RA.
CA
Certification authority that grants and manages certificates. A CA issues certificates, defines the
certificate validity periods, and revokes certificates by publishing CRLs.
RA
Registration authority, which offloads the CA by processing certificate enrollment requests. The RA
accepts certificate requests, verifies user identity, and determines whether to ask the CA to issue
certificates.
The RA is optional in a PKI system. In cases when there is security concern over exposing the CA to
direct network access, it is advisable to delegate some of the tasks to an RA. Then, the CA can
concentrate on its primary tasks of signing certificates and CRLs.
Certificate/CRL repository
A certificate distribution point that stores certificates and CRLs, and distributes these certificates and
CRLs to PKI entities. It also provides the query function. A PKI repository can be a directory server
using the LDAP or HTTP protocol, of which LDAP is commonly used.
336
Retrieval, usage, and maintenance of a digital certificate
The following workflow describes the retrieval, usage, and maintenance of a digital certificate. This
example uses a CA which has an RA to process certificate enrollment requests.
1. A PKI entity generates an asymmetric key pair and submits a certificate request to the RA.
The certificate request contains the public key and its identity information.
2. The RA verifies the identity of the entity and sends a digital signature containing the identity
information and the public key to the CA.
3. The CA verifies the digital signature, approves the request, and issues a certificate.
4. After receiving the certificate from the CA, the RA sends the certificate to the certificate
repository and notifies the PKI entity that the certificate has been issued.
5. The PKI entity obtains the certificate from the certificate repository.
6. To establish a secure connection for communication, two PKI entities exchange local
certificates to authenticate each other. The connection can be established only if both entities
verify that the peer's certificate is valid.
7. You can remove the local certificate of a PKI entity and request a new one when any of the
following conditions occur:
{ The local certificate is about to expire.
{ The certificate's private key is compromised.
PKI applications
The PKI technology can meet security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Hewlett Packard Enterprise's PKI system can provide certificate
management for IPsec and SSL.
The following are some application examples.
VPN
A VPN is a private data communication network built on the public communication infrastructure. A
VPN can use network layer security protocols (for example, IPsec) in conjunction with PKI-based
encryption and digital signature technologies for confidentiality.
Secure emails
PKI can address the email requirements for confidentiality, integrity, authentication, and
non-repudiation. A common secure email protocol is Secure/Multipurpose Internet Mail Extensions
(S/MIME), which is based on PKI and allows for transfer of encrypted mails with signature.
Web security
PKI can be used in the SSL handshake phase to verify the identities of the communicating parties by
digital certificates.
337
3. The CA server verifies the request and issues the certificate.
4. The PE device that connects to the CA server transmits the certificate to the PKI entity.
For information about MPLS L3VPN, see MPLS Configuration Guide.
Figure 90 PKI support for MPLS L3VPN
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
338
Configuring a PKI entity
About PKI entities
A certificate applicant uses an entity to provide its identity information to a CA. A valid PKI entity must
include one or more of following identity categories:
• Distinguished name (DN) of the entity, which further includes the common name, country code,
locality, organization, unit in the organization, and state. If you configure the DN for an entity, a
common name is required.
• FQDN of the entity.
• IP address of the entity.
Restrictions and guidelines
Follow these restrictions and guidelines when you configure a PKI entity:
• Whether the identity categories are required or optional depends on the CA policy. Follow the
CA policy to configure the entity settings. For example, if the CA policy requires the entity DN,
but you configure only the IP address, the CA rejects the certificate request from the entity.
• The SCEP add-on on the Windows 2000 CA server has restrictions on the data length of a
certificate request. If a request from a PKI entity exceeds the data length limit, the CA server
does not respond to the certificate request. In this case, you can use an out-of-band means to
submit the request. Other types of CA servers, such as RSA servers and OpenCA servers, do
not have such restrictions.
Procedure
1. Enter system view.
system-view
2. Create a PKI entity and enter its view.
pki entity entity-name
3. Set a common name for the entity.
common-name common-name-sting
By default, the common name is not set.
4. Set the country code of the entity.
country country-code-string
By default, the country code is not set.
5. Set the locality of the entity.
locality locality-name
By default, the locality is not set.
6. Set the organization of the entity.
organization org-name
By default, the organization is not set.
7. Set the unit of the entity in the organization.
organization-unit org-unit-name
By default, the unit is not set.
8. Set the state where the entity resides.
state state-name
By default, the state is not set.
9. Set the FQDN of the entity.
339
fqdn fqdn-name-string
By default, the FQDN is not set.
10. Configure the IP address of the entity.
ip { ip-address | interface interface-type interface-number }
By default, the IP address is not configured.
340
Specifying the trusted CA
About specifying the trusted CA
The PKI domain must have a CA certificate before you can request a local certificate. To obtain a CA
certificate, the trusted CA name must be specified. The trusted CA name uniquely identifies the CA to
be used if multiple CAs exist on the CA server.
Procedure
1. Enter system view.
system-view
2. Enter PKI domain view.
pki domain domain-name
3. Specify the trusted CA name.
ca identifier name
By default, no trusted CA name is specified.
341
Setting the SCEP polling interval and maximum polling
attempts
1. Enter system view.
system-view
2. Enter PKI domain view.
pki domain domain-name
3. Set the SCEP polling interval and maximum number of polling attempts.
certificate request polling { count count | interval interval }
By default, the device polls the CA server for the certificate request status every 20 minutes.
The maximum number of polling attempts is 50.
342
2. Enter PKI domain view.
pki domain domain-name
3. Specify the key pair for certificate request.
{ Specify an RSA key pair.
public-key rsa { { encryption name encryption-key-name [ length
key-length ] | signature name signature-key-name [ length
key-length ] } * | general name key-name [ length key-length ] }
{ Specify an ECDSA key pair.
In non-FIPS mode:
public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 |
secp521r1 ]
In FIPS mode:
public-key ecdsa name key-name [ secp256r1 | secp384r1 | secp521r1 ]
{ Specify a DSA key pair.
public-key dsa name key-name [ length key-length ]
By default, no key pair is specified.
343
Procedure
1. Enter system view.
system-view
2. Enter PKI domain view.
pki domain domain-name
3. Specify a source IP address for the PKI protocol packets.
IPv4:
source ip { ip-address | interface interface-type interface-number }
IPv6:
source ipv6 { ipv6-address | interface interface-type
interface-number }
By default, the source IP address of PKI protocol packets is the IP address of their outgoing
interface.
Requesting a certificate
About certificate request configuration
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.
• Offline mode—A certificate request is submitted by using an out-of-band method, such as
phone, disk, or email.
• Online mode—A certificate request can be automatically or manually submitted to a CA
through the Simple Certificate Enrollment Protocol (SCEP).
344
Restrictions and guidelines for certificate request
configuration
When you request a local certificate in a PKI domain, follow these restrictions and guidelines:
• To prevent an existing local certificate from becoming invalid, do not perform the following
tasks:
{ Create a key pair with the same name as the key pair contained in the certificate.
To create a key pair, use the public-key local create command.
{ Destroy the key pair contained in the certificate.
To destroy a key pair, use the public-key local destroy command.
• To manually request a new certificate in a PKI domain that already has a local certificate, use
the following procedure:
a. Use the pki delete-certificate command to delete the existing local certificate.
b. Use the public-key local create command to generate a new key pair.
c. Manually submit a certificate request.
• A PKI domain can have local certificates using only one type of cryptographic algorithms (DSA,
ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one local certificate. If
RSA is used, a PKI domain can have one local certificate for signature, and one local certificate
for encryption.
345
certificate request mode auto [ password { cipher | simple } string ]
By default, the manual request mode applies.
If the CA policy requires a password for certificate revocation, specify the password in this
command.
346
quit
5. Obtain the CA certificate.
See "Obtaining certificates."
This step is required if the PKI domain does not have a CA certificate. The CA certificate is used
to verify the authenticity and validity of the obtained local certificate.
6. Print the certificate request in PKCS10 format on the terminal or save the certificate request to
a PKCS10 file.
pki request-certificate domain domain-name pkcs10 [ filename
filename ]
This command is not saved in the configuration file.
7. Transfer certificate request information to the CA by using an out-of-band method.
8. Transfer the issued local certificate from the CA to the local device by using an out-of-band
method.
9. Import the local certificate to the PKI domain.
pki import domain domain-name { der local filename filename | p12 local
filename filename | pem local } [ filename filename ] }
Obtaining certificates
About certificate obtaining
You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from
a CA and save them locally for higher lookup efficiency. To do so, use either the offline mode or the
online mode:
• In offline mode, obtain the certificates by an out-of-band means like FTP, disk, or email, and
then import them locally. Use this mode when the CRL repository is not specified, the CA server
does not support SCEP, or the CA server generates the key pair for the certificates.
• In online mode, you can obtain the CA certificate through SCEP and obtain local certificates or
peer certificates through LDAP.
Restrictions and guidelines
Follow these restrictions and guidelines when obtain certificates from a CA
347
• If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to
obtain a new CA certificate, use the pki delete-certificate command to delete the
existing CA certificate and local certificates first.
• If local or peer certificates already exist, you can obtain new local or peer certificates to
overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for
signature and the other for encryption.
• If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be
obtained has been revoked, the certificate cannot be obtained.
• The device compares the validity period of a certificate with the local system time to determine
whether the certificate is valid. Make sure the system time of the device is synchronized with the
CA server.
Prerequisites
• Before you obtain local or peer certificates in online mode, make sure an LDAP server is
correctly configured in the PKI domain.
• Before you import certificates in offline mode, complete the following tasks:
{ Use FTP or TFTP to upload the certificate files to the storage media of the device.
If FTP or TFTP is not available, display and copy the contents of a certificate to a file on the
device. Make sure the certificate is in PEM format because only certificates in PEM format
can be imported.
{ Before you import a local certificate or peer certificate, obtain the CA certificate chain that
signs the certificate.
This step is required only if the CA certificate chain is neither available in the PKI domain nor
contained in the certificate to be imported.
{ Before you import a local certificate that contains an encrypted key pair, contact the CA
administrator to obtain the password required for importing the certificate.
Procedure
1. Enter system view.
system-view
2. Obtain certificates.
{ Import certificates in offline mode.
pki import domain domain-name { der { ca | local | peer } filename
filename | p12 local filename filename | pem { ca | local | peer }
[ filename filename ] }
{ Obtain certificates in online mode.
pki retrieve-certificate domain domain-name { ca | local | peer
entity-name }
This command is not saved in the configuration file.
348
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL
repository in the following order:
1. CRL repository specified in the PKI domain by using the crl url command.
2. CRL repository in the certificate that is being verified.
3. CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the
certificate being verified is a CA certificate
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP.
In this scenario, the CA certificate and the local certificates must have been obtained.
A certificate fails CRL checking in the following situations:
• A CRL cannot be obtained during CRL checking of the certificate.
• CRL checking verifies that the certificate has been revoked.
349
The PKI domain must have a CA certificate before you can verify certificates in it.
7. (Optional.) Obtain the CRL and save it locally.
pki retrieve-crl domain domain-name
To verify a non-root CA certificate and local certificates, the device automatically retrieves the
CRL if the PKI domain has no CRL.
The newly obtained CRL overwrites the old one, if any.
The obtained CRL is issued by a CA in the CA certificate chain stored in the PKI domain.
8. Manually verify the validity of the certificates.
pki validate-certificate domain domain-name { ca | local }
Exporting certificates
About exporting certificates
You can export the CA certificate and the local certificates in a PKI domain to certificate files. The
exported certificate files can then be imported back to the device or other PKI applications.
Restrictions and guidelines
To export all certificates in PKCS12 format, the PKI domain must have a minimum of one local
certificate. If the PKI domain does not have any local certificates, the certificates in the PKI domain
cannot be exported.
If you do not specify a file name when you export a certificate in PEM format, this command displays
the certificate content on the terminal.
When you export a local certificate with RSA key pairs to a file, the certificate file name might be
different from the file name specified in the command. The actual certificate file name depends on
the purpose of the key pair contained in the certificate. For more information about the file naming
rule, see the pki export command in Security Command Reference.
Procedure
1. Enter system view.
350
system-view
2. Export certificates.
{ Export certificates in DER format.
pki export domain domain-name der { all | ca | local } filename
filename
{ Export certificates in PKCS12 format.
pki export domain domain-name p12 { all | local } passphrase p12-key
filename filename
{ Export certificates in PEM format.
pki export domain domain-name pem { { all | local } [ { 3des-cbc |
aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc } pem-key ] | ca }
[ filename filename ]
Removing a certificate
About certificate removal
You can remove certificates from a PKI domain in the following situations:
• Remove a CA certificate, local certificate, or peer certificate if the certificate has expired or is
about to expire.
• Remove a local certificate if the certificate's private key is compromised, or if you want to
request a new local certificate to replace the existing one.
Restrictions and guidelines
After you remove the CA certificate, the system automatically removes the local certificates, peer
certificates, and CRLs from the domain.
To remove a local certificate and request a new certificate, perform the following tasks:
1. Remove the local certificate.
2. Use the public-key local destroy command to destroy the existing local key pair.
3. Use the public-key local create command to generate a new key pair.
4. Request a new certificate.
For more information about the public-key local destroy and public-key local
create commands, see Security Command Reference.
Procedure
1. Enter system view.
system-view
2. Remove a certificate.
pki delete-certificate domain domain-name { ca | local | peer [ serial
serial-num ] }
If you use the peer keyword without specifying a serial number, this command removes all
peer certificates.
351
Configuring a certificate-based access control
policy
About certificate-based access control policies
Certificate-based access control policies allow you to authorize access to a device (for example, an
HTTPS server) based on the attributes of an authenticated client's certificate.
Access control rules and certificate attribute groups
A certificate-based access control policy is a set of access control rules (permit or deny statements),
each associated with a certificate attribute group. A certificate attribute group contains multiple
attribute rules, each defining a matching criterion for an attribute in the certificate issuer name,
subject name, or alternative subject name field.
Certificate matching mechanism
If a certificate matches all attribute rules in a certificate attribute group associated with an access
control rule, the system determines that the certificate matches the access control rule. In this
scenario, the match process stops, and the system performs the access control action defined in the
access control rule.
The following conditions describe how a certificate-based access control policy verifies the validity of
a certificate:
• If a certificate matches a permit statement, the certificate passes the verification.
• If a certificate matches a deny statement or does not match any statements in the policy, the
certificate is regarded invalid.
• If a statement is associated with a non-existing attribute group, or the attribute group does not
have attribute rules, the certificate matches the statement.
• If the certificate-based access control policy specified for a security application (for example,
HTTPS) does not exist, all certificates in the application pass the verification.
Procedure
1. Enter system view.
system-view
2. Create a certificate attribute group and enter its view.
pki certificate attribute-group group-name
3. Configure an attribute rule for issuer name, subject name, or alternative subject name.
attribute id { alt-subject-name { fqdn | ip } | { issuer-name |
subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ}
attribute-value
By default, not attribute rules are configured.
4. Return to system view.
quit
5. Create a certificate-based access control policy and enter its view.
pki certificate access-control-policy policy-name
By default, no certificate-based access control policies exist.
6. Create a certificate access control rule.
rule [ id ] { deny | permit } group-name
352
By default, no certificate access control rules are configured, and all certificates can pass the
verification.
You can create multiple certificate access control rules for a certificate-based access control
policy.
Task Command
Display certificate-based access control display pki certificate
policy information. access-control-policy [ policy-name ]
Display certificate attribute group display pki certificate attribute-group
information. [ group-name ]
display pki certificate domain domain-name
Display the contents of a certificate.
{ ca | local | peer [ serial serial-num ] }
display pki certificate request-status
Display certificate request status.
[ domain domain-name ]
Display locally stored CRLs in a PKI
display pki crl domain domain-name
domain.
353
Configuring the RSA Keon CA server
1. Create a CA server named myca:
In this example, you must configure these basic attributes on the CA server:
{ Nickname—Name of the trusted CA.
{ Subject DN—DN attributes of the CA, including the common name (CN), organization unit
(OU), organization (O), and country (C).
You can use the default values for other attributes.
2. Configure extended attributes:
Configure parameters in the Jurisdiction Configuration section on the management page of
the CA server:
{ Select the correct extension profiles.
{ Enable the SCEP autovetting function to enable the CA server to automatically approve
certificate requests without manual intervention.
{ Specify the IP address list for SCEP autovetting.
Configuring the device
1. Synchronize the system time of the device with the CA server for the device to correctly request
certificates or obtain CRLs. (Details not shown.)
2. Create an entity named aaa and set the common name to Device.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name Device
[Device-pki-entity-aaa] quit
3. Configure a PKI domain:
# Create a PKI domain named torsa and enter its view.
[Device] pki domain torsa
# Specify the name of the trusted CA. The setting must be the same as CA name configured on
the CA server. This example uses myca.
[Device-pki-domain-torsa] ca identifier myca
# Configure the URL of the CA server. The URL format is http://host:port/Issuing
Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated
on the CA server.
[Device-pki-domain-torsa] certificate request url
http://1.1.2.22:446/80f6214aa8865301d07929ae481c7ceed99f95bd
# Configure the device to send certificate requests to ca.
[Device-pki-domain-torsa] certificate request from ca
# Set the PKI entity name to aaa.
[Device-pki-domain-torsa] certificate request entity aaa
# Specify the URL of the CRL repository.
[Device-pki-domain-torsa] crl url ldap://1.1.2.22:389/CN=myca
# Specify a 1024-bit general-purpose RSA key pair named abc for certificate request.
[Device-pki-domain-torsa] public-key rsa general name abc length 1024
[Device-pki-domain-torsa] quit
4. Generate the RSA key pair.
[Device] public-key local create rsa name abc
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
354
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
5. Request a local certificate:
# Obtain the CA certificate and save it locally.
[Device] pki retrieve-certificate domain torsa ca
The trusted CA's finger print is:
MD5 fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Submit a certificate request manually and set the certificate revocation password to 1111.
The certificate revocation password is required when an RSA Keon CA server is used.
[Device] pki request-certificate domain torsa password 1111
Start to request general certificate ...
……
Request certificate of domain torsa successfully
355
X509v3 CRL Distribution Points:
Full Name:
DirName: CN = myca
To display detailed information about the CA certificate, use the display pki certificate
domain command.
356
c. Click Properties, and then select Follow the settings in the certificate template, if
applicable. Otherwise, automatically issue the certificate.
4. Modify the Internet information services attributes:
a. Select Control Panel > Administrative Tools > Internet Information Services (IIS)
Manager from the start menu.
b. Select Web Sites from the navigation tree.
c. Right-click Default Web Site and select Properties > Home Directory.
d. Specify the path for certificate service in the Local path field.
e. Specify a unique TCP port number for the default website to avoid conflict with existing
services. This example uses port 8080.
Configuring the device
1. Synchronize the device's system time with the CA server for the device to correctly request
certificates. (Details not shown.)
2. Create an entity named aaa and set the common name to test.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name test
[Device-pki-entity-aaa] quit
3. Configure a PKI domain:
# Create a PKI domain named winserver and enter its view.
[Device] pki domain winserver
# Set the name of the trusted CA to myca.
[Device-pki-domain-winserver] ca identifier myca
# Configure the certificate request URL. The URL format is
http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port
number of the CA server.
[Device-pki-domain-winserver] certificate request url
http://4.4.4.1:8080/certsrv/mscep/mscep.dll
# Configure the device to send certificate requests to ra.
[Device-pki-domain-winserver] certificate request from ra
# Set the PKI entity name to aaa.
[Device-pki-domain-winserver] certificate request entity aaa
# Configure a 1024-bit general-purpose RSA key pair named abc for certificate request.
[Device-pki-domain-winserver] public-key rsa general name abc length 1024
[Device-pki-domain-winserver] quit
4. Generate RSA key pair abc.
[Device] public-key local create rsa name abc
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
5. Request a local certificate:
# Obtain the CA certificate and save it locally.
357
[Device] pki retrieve-certificate domain winserver ca
The trusted CA's finger print is:
MD5 fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Submit a certificate request manually.
[Device] pki request-certificate domain winserver
Start to request general certificate ...
…
Request certificate of domain winserver successfully
358
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Key Identifier:
C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34
X509v3 Authority Key Identifier:
keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9B
Full Name:
URI:file://\\g07904c\CertEnroll\sec.crl
1.3.6.1.4.1.311.20.2:
.0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
Signature Algorithm: sha1WithRSAEncryption
76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d:
6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5:
36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2:
14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e:
29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec:
cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99:
31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc:
0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb:
46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:
bf:53:c6:c4:85:95:fb:32:70:e6:1b:f3:e4:10:ed:7f:93:27:
90:6b:30:e7:81:36:bb:e2:ec:f2:dd:2b:bb:b9:03:1c:54:0a:
00:3f:14:88:de:b8:92:63:1e:f5:b3:c2:cf:0a:d5:f4:80:47:
6f:fa:7e:2d:e3:a7:38:46:f6:9e:c7:57:9d:7f:82:c7:46:06:
7d:7c:39:c4:94:41:bd:9e:5c:97:86:c8:48:de:35:1e:80:14:
02:09:ad:08
To display detailed information about the CA certificate, use the display pki certificate
domain command.
359
Figure 93 Network diagram
360
.....................................++++++
Create the key pair successfully.
5. Request a local certificate:
# Obtain the CA certificate and save it locally.
[Device] pki retrieve-certificate domain openca ca
The trusted CA's finger print is:
MD5 fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA
SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Submit a certificate request manually.
[Device] pki request-certificate domain openca
Start to request general certificate ...
…
Request certificate of domain openca successfully
361
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, Microsoft
Smartcardlogin
Netscape Comment:
User Certificate of OpenCA Labs
X509v3 Subject Key Identifier:
24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B
X509v3 Authority Key Identifier:
keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B
Full Name:
URI:http://192.168.222.218/pki/pub/crl/cacrl.crl
To display detailed information about the CA certificate, use the display pki certificate
domain command.
362
Example: Configuring IKE negotiation with RSA digital
signature from a Windows Server 2003 CA server
Network configuration
As shown in Figure 94, an IPsec tunnel is required to be established between Device A and Device B.
The IPsec tunnel protects the traffic between Host A on subnet 10.1.1.0/24 and Host B on subnet
1.1.1.0/24.
Device A and Device B use IKE to set up SAs, and the IKE proposal uses RSA digital signature for
identity authentication.
Device A and Device B use the same CA.
Figure 94 Network diagram
363
[DeviceA-pki-domain-1] certificate request entity en
[DeviceA-pki-domain-1] ldap-server host 1.1.1.102
# Configure a 1024-bit general-purpose RSA key pair named abc for certificate request.
[DeviceA-pki-domain-1] public-key rsa general name abc length 1024
[DeviceA-pki-domain-1] quit
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] authentication-method rsa-signature
[DeviceA-ike-proposal-1] quit
# Specify the PKI domain used in IKE negotiation for IKE profile peer.
[DeviceA] ike profile peer
[DeviceA-ike-profile-peer] certificate domain 1
Configuring Device B
# Configure a PKI entity.
<DeviceB> system-view
[DeviceB] pki entity en
[DeviceB-pki-entity-en] ip 3.3.3.1
[DeviceB-pki-entity-en] common-name deviceb
[DeviceB-pki-entity-en] quit
# Configure a 1024-bit general-purpose RSA key pair named abc for certificate request.
[DeviceB-pki-domain-1] public-key rsa general name abc length 1024
364
[DeviceB-pki-domain-1] quit
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method rsa-signature
[DeviceB-ike-proposal-1] quit
# Specify the PKI domain used in IKE negotiation for IKE profile peer.
[DeviceB] ike profile peer
[DeviceB-ike-profile-peer] certificate domain 1
The configurations are for IKE negotiation with RSA digital signature. For information about how to
configure IPsec SAs to be set up, see "Configuring IPsec."
365
Figure 95 Network diagram
Procedure
1. Create PKI domain domain1 to be used by SSL. (Details not shown.)
2. Request an SSL server certificate for the device from the CA server. (Details not shown.)
3. Configure the HTTPS server:
# Configure an SSL server policy named abc.
<Device> system-view
[Device] ssl server-policy abc
[Device-ssl-server-policy-abc] pki-domain domain1
[Device-ssl-server-policy-abc] client-verify enable
[Device-ssl-server-policy-abc] quit
# Apply SSL server policy abc to the HTTPS server.
[Device] ip https ssl-server-policy abc
# Enable the HTTPS server.
[Device] ip https enable
4. Configure certificate attribute groups:
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first
rule defines that the DN in the subject DN contains the string of aabbcc. The second rule
defines that the IP address of the certificate issuer is 10.0.0.1.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute group named mygroup2 and add two attribute rules. The first
rule defines that the FQDN in the alternative subject name does not contain the string of apple.
The second rule defines that the DN of the certificate issuer name contains the string of
aabbcc.
[Device] pki certificate attribute-group mygroup2
[Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn
apple
[Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup2] quit
5. Configure a certificate-based access control policy:
# Create a certificate-based access control policy named myacp.
[Device] pki certificate access-control-policy myacp
# Define a statement to deny the certificates that match the attribute rules in certificate attribute
group mygroup1.
[Device-pki-cert-acp-myacp] rule 1 deny mygroup1
366
# Define a statement to permit the certificates that match the attribute rules in certificate
attribute group mygroup2.
[Device-pki-cert-acp-myacp] rule 2 permit mygroup2
[Device-pki-cert-acp-myacp] quit
# Apply certificate-based access control policy myacp to the HTTPS server.
[Device] ip https certificate access-control-policy myacp
Procedure
1. Export the certificates on Device A:
# Export the CA certificate to a .pem file.
<DeviceA> system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC
to encrypt the private key with the password 111111.
367
[DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename
pkilocal.pem
Now, Device A has three certificate files in PEM format:
{ A CA certificate file named pkicachain.pem.
{ A local certificate file named pkilocal.pem-signature, which contains the private key for
signature.
{ A local certificate file named pkilocal.pem-encryption, which contains the private key for
encryption.
# Display local certificate file pkilocal.pem-signature.
[DeviceA] quit
<DeviceA> more pkilocal.pem-signature
Bag Attributes
friendlyName:
localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subsign 11
issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgILAJgsebpejZc5UwAwDQYJKoZIhvcNAQELBQAwZjELMAkG
…
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZtjSjfslJCoCAggA
…
-----END ENCRYPTED PRIVATE KEY-----
# Display local certificate file pkilocal.pem-encryption.
<DeviceA> more pkilocal.pem-encryption
Bag Attributes
friendlyName:
localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11
issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1
-----BEGIN CERTIFICATE-----
MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD
…
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI7H0mb4O7/GACAggA
…
-----END ENCRYPTED PRIVATE KEY-----
368
2. Download certificate files pkicachain.pem, pkilocal.pem-signature, and
pkilocal.pem-encryption from Device A to the host through FTP. (Details not shown.)
3. Upload certificate files pkicachain.pem, pkilocal.pem-signature, and
pkilocal.pem-encryption from the host to Device B through FTP. (Details not shown.)
4. Import the certificate files to Device B:
# Disable CRL checking. (You can configure CRL checking as required. This example assumes
CRL checking is not required.)
<DeviceB> system-view
[DeviceB] pki domain importdomain
[DeviceB-pki-domain-importdomain] undo crl check enable
# Specify RSA key pair sign for signature and RSA key pair encr for encryption.
[DeviceB-pki-domain-importdomain] public-key rsa signature name sign encryption name
encr
[DeviceB-pki-domain-importdomain] quit
# Import CA certificate file pkicachain.pem in PEM format to the PKI domain.
[DeviceB] pki import domain importdomain pem ca filename pkicachain.pem
# Import local certificate file pkilocal.pem-signature in PEM format to the PKI domain. The
certificate file contains a key pair.
[DeviceB] pki import domain importdomain pem local filename pkilocal.pem-signature
Please input the password:******
# Import local certificate file pkilocal.pem-encryption in PEM format to the PKI domain. The
certificate file contains a key pair.
[DeviceB] pki import domain importdomain pem local filename pkilocal.pem-encryption
Please input the password:******
# Display the imported local certificate information on Device B.
[DeviceB] display pki certificate domain importdomain local
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
98:2c:79:ba:5e:8d:97:39:53:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
Validity
Not Before: May 26 05:56:49 2011 GMT
Not After : Nov 22 05:56:49 2012 GMT
Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63:
ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:f5:00:
ee:a3:aa:03:cb:b3:49:c4:f8:ae:55:ee:43:93:69:
6c:bf:0d:8c:f4:4e:ca:69:e5:3f:37:5c:83:ea:83:
ad:16:b8:99:37:cb:86:10:6b:a0:4d:03:95:06:42:
ef:ef:0d:4e:53:08:0a:c9:29:dd:94:28:02:6e:e2:
9b:87:c1:38:2d:a4:90:a2:13:5f:a4:e3:24:d3:2c:
bf:98:db:a7:c2:36:e2:86:90:55:c7:8c:c5:ea:12:
369
01:31:69:bf:e3:91:71:ec:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, Microsoft
Smartcardlogin
Netscape Comment:
User Certificate of OpenCA Labs
X509v3 Subject Key Identifier:
AA:45:54:29:5A:50:2B:89:AB:06:E5:BD:0D:07:8C:D9:79:35:B1:F5
X509v3 Authority Key Identifier:
keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
Full Name:
URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
370
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:7c:67:01:5c:b3:5a:12:0f:2f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
Validity
Not Before: May 26 05:58:26 2011 GMT
Not After : Nov 22 05:58:26 2012 GMT
Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:db:26:13:d3:d1:a4:af:11:f3:6d:37:cf:d0:d4:
48:50:4e:0f:7d:54:76:ed:50:28:c6:71:d4:48:ae:
4d:e7:3d:23:78:70:63:18:33:f6:94:98:aa:fa:f6:
62:ed:8a:50:c6:fd:2e:f4:20:0c:14:f7:54:88:36:
2f:e6:e2:88:3f:c2:88:1d:bf:8d:9f:45:6c:5a:f5:
94:71:f3:10:e9:ec:81:00:28:60:a9:02:bb:35:8b:
bf:85:75:6f:24:ab:26:de:47:6c:ba:1d:ee:0d:35:
75:58:10:e5:e8:55:d1:43:ae:85:f8:ff:75:81:03:
8c:2e:00:d1:e9:a4:5b:18:39
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Key Encipherment, Data Encipherment
Netscape Comment:
VPN Server of OpenCA Labs
X509v3 Subject Key Identifier:
CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB
X509v3 Authority Key Identifier:
keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
371
X509v3 CRL Distribution Points:
Full Name:
URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
To display detailed information about the CA certificate, use the display pki certificate
domain command.
372
4. Synchronize the system time of the device with the CA server.
5. Specify the correct source IP address that the CA server can accept. For the correct settings,
contact the CA administrator.
6. Verify the fingerprint of the CA certificate on the CA server.
7. If the problem persists, contact Hewlett Packard Enterprise Support.
373
• The certificate request reception authority is incorrect or is not specified.
• Required PKI entity parameters are not configured or are incorrectly configured.
• No key pair is specified in the PKI domain for certificate request, or the key pair is changed
during a certificate request process.
• Exclusive certificate request applications are running in the PKI domain.
• The CA server does not accept the source IP address specified in the PKI domain, or no source
IP address is specified.
• The system time of the device is not synchronized with the CA server.
Solution
1. Fix the network connection problems, if any.
2. Obtain or import the CA certificate.
3. Use the ping command to verify that the registration server is reachable.
4. Use the certificate request from command to specify the correct certificate request
reception authority.
5. Configure the PKI entity parameters as required by the registration policy on the CA or RA.
6. Specify the key pair for certificate request, or remove the existing key pair, specify a new key
pair, and submit a local certificate request again.
7. Use the pki abort-certificate-request domain command to abort the certificate
request.
8. Specify the correct source IP address that the CA server can accept. For the correct settings,
contact the CA administrator.
9. Synchronize the system time of the device with the CA server.
10. If the problem persists, contact Hewlett Packard Enterprise Support.
374
Solution
1. Fix the network connection problems, if any.
2. Obtain or import the CA certificate.
3. If the URL of the CRL repository cannot be obtained, verify that the following conditions exist:
{ The URL for certificate request is valid.
{ A local certificate has been successfully obtained.
{ The local certificate contains a public key that matches the locally stored key pair.
4. Make sure the LDAP server address is contained in the CRL repository URL, or is configured in
the PKI domain.
5. Make sure the CA server support publishing CRLs.
6. Specify a correct source IP address that the CA server can accept. For the correct settings,
contact the CA administrator.
7. If the problem persists, contact Hewlett Packard Enterprise Support.
375
Solution
1. Obtain or import the CA certificate.
2. Use the undo crl check enable command to disable CRL checking, or obtain the correct
CRL before you import certificates.
3. Make sure the format of the file to be imported is correct.
4. Make sure the certificate file contains the private key.
5. Make sure the certificate is not revoked.
6. Make sure the certificate is valid.
7. Configure the correct system time for the device.
8. If the problem persists, contact Hewlett Packard Enterprise Support.
376
4. If the problem persists, contact Hewlett Packard Enterprise Support.
377
Configuring IPsec
About IPsec
IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based
security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure
channel established between two endpoints (such as two security gateways). Such a secure channel
is usually called an IPsec tunnel.
IPsec framework
IPsec is a security framework that has the following protocols and algorithms:
• Authentication Header (AH).
• Encapsulating Security Payload (ESP).
• Internet Key Exchange (IKE).
• Algorithms for authentication and encryption.
AH and ESP are security protocols that provide security services. IKE performs automatic key
exchange. For more information about IKE, see "Configuring IKE."
Benefits of IPsec
IPsec delivers the following benefits:
• Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec security association (SA) setup
and maintenance.
• Good compatibility. You can apply IPsec to all IP-based application systems and services
without modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for
flexibility and greatly enhances IP security.
Security protocols
IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets
and the security services that they can provide.
• AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown
in Figure 99. AH can provide data origin authentication, data integrity, and anti-replay services
378
to prevent data tampering, but it cannot prevent eavesdropping. Therefore, it is suitable for
transmitting non-confidential data. The authentication algorithms supported by AH include
HMAC-MD5 and HMAC-SHA1.
• ESP (protocol 50) defines the encapsulation of the ESP header and trailer in an IP packet, as
shown in Figure 99. ESP can provide data encryption, data origin authentication, data integrity,
and anti-replay services. Unlike AH, ESP can guarantee data confidentiality because it can
encrypt the data before encapsulating the data to IP packets. ESP-supported encryption
algorithms include DES, 3DES, and AES, and authentication algorithms include HMAC-MD5
and HMAC-SHA1.
Both AH and ESP provide authentication services, but the authentication service provided by AH is
stronger. In practice, you can choose either or both security protocols. When both AH and ESP are
used, an IP packet is encapsulated first by ESP and then by AH.
Encapsulation modes
IPsec supports the following encapsulation modes: transport mode and tunnel mode.
Transport mode
The security protocols protect the upper layer data of an IP packet. Only the transport layer data is
used to calculate the security protocol headers. The calculated security protocol headers and the
encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the
transport mode when end-to-end security protection is required (the secured transmission start and
end points are the actual start and end points of the data). The transport mode is typically used for
protecting host-to-host communications, as shown in Figure 97.
Figure 97 IPsec protection in transport mode
IPsec tunnel
Host A Host B
Data flow
Tunnel mode
The security protocols protect the entire IP packet. The entire IP packet is used to calculate the
security protocol headers. The calculated security protocol headers and the encrypted data (only for
ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has
two IP headers. The inner IP header is the original IP header. The outer IP header is added by the
network device that provides the IPsec service. You must use the tunnel mode when the secured
transmission start and end points are not the actual start and end points of the data packets (for
example, when two gateways provide IPsec but the data start and end points are two hosts behind
the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications,
as shown in Figure 98.
Figure 98 IPsec protection in tunnel mode
IPsec tunnel
Figure 99 shows how the security protocols encapsulate an IP packet in different encapsulation
modes.
379
Figure 99 Security protocol encapsulations in different modes
Mode
Transport Tunnel
Protocol
AH IP AH Data IP AH IP Data
Security association
A security association (SA) is an agreement negotiated between two communicating parties called
IPsec peers. An SA includes the following parameters for data protection:
• Security protocols (AH, ESP, or both).
• Encapsulation mode (transport mode or tunnel mode).
• Authentication algorithm (HMAC-MD5 or HMAC-SHA1).
• Encryption algorithm (DES, 3DES, or AES).
• Shared keys and their lifetimes.
An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional
communication. If two peers want to use both AH and ESP to protect data flows between them, they
construct an independent SA for each protocol in each direction.
An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI),
destination IP address, and security protocol identifier. An SPI is a 32-bit number. It is transmitted in
the AH/ESP header.
An SA can be set up manually or through IKE.
• Manual mode—Configure all parameters for the SA through commands. This configuration
mode is complex and does not support some advanced features (such as periodic key update),
but it can implement IPsec without IKE. This mode is mainly used in small and static networks
or when the number of IPsec peers in the network is small.
• IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This
configuration mode is simple and has good expansibility. As a best practice, set up SAs through
IKE negotiations in medium- and large-scale dynamic networks.
A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two
types:
• Time-based lifetime—Defines how long the SA can be valid after it is created.
• Traffic-based lifetime—Defines the maximum traffic that the SA can process.
If both lifetime timers are configured for an SA, the SA becomes invalid when either of the lifetime
timers expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after
its creation.
380
identical, the receiver considers the packet intact and the sender's identity valid. IPsec uses the
Hash-based Message Authentication Code (HMAC) based authentication algorithms, including
HMAC-MD5 and HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure.
Encryption algorithms
IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same
keys. The following encryption algorithms are available for IPsec on the device:
• DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest
algorithm.
• 3DES—Encrypts plaintext data with three 56-bit DES keys. The key length totals up to 168 bits.
It provides moderate security strength and is slower than DES.
• AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest
security strength and is slower than 3DES.
IPsec-protected traffic
IPsec tunnels can protect the following types of traffic:
• Packets that match specific ACLs.
• Packets routed to a tunnel interface.
• Packets of IPv6 routing protocols.
Two peers use security policies (IPsec policies or IPsec profiles) to protect packets between them. A
security policy defines the range of packets to be protected by IPsec and the security parameters
used for the protection. For more information about IPsec policies and IPsec profiles, see "IPsec
policy and IPsec profile."
The following information describes how IPsec protects packets:
• When an IPsec peer identifies the packets to be protected according to the security policy, it
sets up an IPsec tunnel and sends the packet to the remote peer through the tunnel. The IPsec
tunnel can be manually configured beforehand, or it can be set up through IKE negotiation
triggered by the packet. The IPsec tunnels are actually the IPsec SAs. The inbound packets are
protected by the inbound SA, and the outbound packets are protected by the outbound SA.
• When the remote IPsec peer receives the packet, it drops, de-encapsulates, or directly
forwards the packet according to the configured security policy.
ACL-based IPsec
To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, specify
the ACL in an IPsec policy, and then apply the IPsec policy to an interface. You can apply an IPsec
policy to physical interfaces such as serial interfaces and Ethernet interfaces, or virtual interfaces
such as tunnel interfaces and virtual template interfaces.
ACL-based IPsec works as follows:
• When packets sent by the interface match a permit rule of the ACL, the packets are protected
by the outbound IPsec SA and encapsulated with IPsec.
• When the interface receives an IPsec packet destined for the local device, it searches for the
inbound IPsec SA according to the SPI in the IPsec packet header for de-encapsulation. If the
de-encapsulated packet matches a permit rule of the ACL, the device processes the packet. If
the de-encapsulated packet does not match any permit rule of the ACL, the device drops the
packet.
The device supports the following data flow protection modes:
• Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL
rule is protected by one IPsec tunnel that is established solely for it.
381
• Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an
ACL. This mode is only used to communicate with old-version devices.
• Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data
flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it.
This mode consumes more system resources when multiple data flows exist between two
subnets to be protected.
382
• Manual IPsec profile—A manual IPsec profile is used to protect IPv6 routing protocols. It
specifies the IPsec transform set used for protecting data flows, and the SPIs and keys used by
the SAs.
• IKE-based IPsec profile—An IKE-based IPsec profile is applied to tunnel interfaces to protect
tunneled traffic. It specifies the IPsec transform sets used for protecting data flows, and the IKE
profile used for IKE negotiation.
IPsec RRI
IPsec Reverse Route Injection (RRI) enables an IPsec tunnel gateway to automatically add and
delete static routes destined for the protected private networks. It automatically adds the static routes
when the IPsec SAs are established and deletes the static routes when the IPsec SAs are deleted.
This greatly reduces the static route configuration work load on the gateway and increases the
scalability of the IPsec VPN.
IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a
headquarters gateway).
As shown in Figure 100, the traffic between the enterprise center and the branches are protected by
IPsec. The gateway at the enterprise center is configured with static routes to route traffic to the
IPsec-protected interfaces. It is difficult to add or modify static routes on the gateway at the
enterprise center if the IPsec VPN has a large number of branches or if the network structure
changes.
Figure 100 IPsec VPN
After you can enable IPsec RRI on the gateway, the gateway automatically adds a static route to the
routing table each time an IPsec tunnel is established. The destination IP address is the protected
private network, and the next hop is the remote IP address of the IPsec tunnel. Traffic destined for
the peer end is routed to the IPsec tunnel interface and thereby protected by IPsec.
You can advertise the static routes created by IPsec RRI in the internal network, and the internal
network device can use them to forward traffic in the IPsec VPN.
You can set preferences for the static routes created by IPsec RRI to implement flexible route
management. For example, you can set the same preference for multiple routes to the same
destination to implement load sharing, or you can set different preferences to implement route
backup.
You can also set tags for the static routes created by IPsec RRI to implement flexible route control
through routing policies.
383
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
384
{ Setting the maximum number of IPsec tunnels
6. (Optional.) Configuring logging and SNMP notification for IPsec.
{ Enabling logging for IPsec packets
{ Configuring SNMP notifications for IPsec
Configuring an ACL
IPsec uses ACLs to identify the traffic to be protected.
Keywords in ACL rules
An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement
identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not
protected by IPsec. IPsec compares a packet against the ACL rules and processes the packet
according to the first rule it matches.
• Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose
there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This
rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
• In the outbound direction, if a permit statement is matched, IPsec considers that the packet
requires protection and continues to process it. If a deny statement is matched or no match is
found, IPsec considers that the packet does not require protection and delivers it to the next
module.
• In the inbound direction:
{ Non-IPsec packets that match a permit statement are dropped.
{ IPsec packets destined for the device itself are de-encapsulated. By default, the
de-encapsulated packets are compared against the ACL rules. Only those that match a
permit statement are processed. Other packets are dropped. If ACL checking for
de-encapsulated IPsec packets is disabled, the de-encapsulated packets are not compared
against the ACL rules and are directly processed by other modules.
When defining ACL rules for IPsec, follow these guidelines:
• Permit only data flows that need to be protected and use the any keyword with caution. With
the any keyword specified in a permit statement, all outbound traffic matching the permit
statement will be protected by IPsec. All inbound IPsec packets matching the permit statement
will be received and processed, but all inbound non-IPsec packets will be dropped. This will
cause all the inbound traffic that does not need IPsec protection to be dropped.
• Avoid statement conflicts in the scope of IPsec policy entries. When creating a deny statement,
be careful with its match scope and match order relative to permit statements. The policy
entries in an IPsec policy have different match priorities. ACL rule conflicts between them are
prone to cause mistreatment of packets. For example, when configuring a permit statement for
an IPsec policy entry to protect an outbound traffic flow, you must avoid the situation that the
traffic flow matches a deny statement in a higher priority IPsec policy entry. Otherwise, the
packets will be sent out as normal packets. If they match a permit statement at the receiving
end, they will be dropped by IPsec.
The following example shows how an improper statement causes unexpected packet dropping. Only
the ACL-related configuration is presented.
Assume Router A is connected to subnet 1.1.2.0/24 and Router B is connected to subnet 3.3.3.0/24,
and the IPsec policy configuration on Router A and Router B is as follows:
• IPsec configuration on Router A:
acl advanced 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl advanced 3001
385
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testa 1 isakmp <---IPsec policy entry with a higher priority
security acl 3000
ike-profile aa
transform-set 1
#
ipsec policy testa 2 isakmp <---IPsec policy entry with a lower priority
security acl 3001
ike-profile bb
transform-set 1
• IPsec configuration on Router B:
acl advanced 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testb 1 isakmp
security acl 3001
ike-profile aa
transform-set 1
On Router A, apply the IPsec policy testa to the outbound interface of Router A. The IPsec policy
contains two policy entries, testa 1 and testa 2. The ACLs used by the two policy entries each
contain a rule that matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one used in the policy entry
testa 1 is a deny statement and the one used in the policy entry testa 2 is a permit statement.
Because testa 1 is matched prior to testa 2, traffic from 1.1.2.0/24 to 3.3.3.0/24 will match the deny
statement and be sent as normal traffic. When the traffic arrives at Router B, the traffic matches rule
0 (a permit statement) in ACL 3001 used in the applied IPsec policy testb. Because non-IPsec traffic
that matches a permit statement must be dropped on the inbound interface, Router B drops the
traffic.
To make sure subnet 1.1.2.0/24 can access subnet 3.3.3.0/24, you can delete the deny rule in ACL
3000 on Router A.
Mirror image ACLs
To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly
between two IPsec peers, create mirror image ACLs on the IPsec peers. As shown in Figure 101,
ACL rules on Router B are mirror images of the rules on Router A. In this way, SAs can be created
successfully for the traffic between Host A and Host C and for the traffic between Network 1 and
Network 2.
386
Figure 101 Mirror image ACLs
If the ACL rules on IPsec peers do not form mirror images of each other, SAs can be set up only
when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the
other peer. As shown in Figure 102, the range specified by the ACL rule configured on Router A
is covered by its counterpart on Router B.
• The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA
initiator, the negotiation request might be rejected because the matching traffic is beyond the
scope of the responder. As shown in Figure 102, the SA negotiation initiated by Host A to Host C
is accepted but the SA negotiations from Host C to Host A, from Host C to Host B, and from
Host D to Host A are rejected.
Figure 102 Non-mirror image ACLs
In addition, you must specify VPN1 as the inside VPN instance in the IKE profile.
#
ike profile vpn1
387
keychain vpn1
match remote identity address 8.8.8.1 255.255.255.255
inside-vpn vpn-instance vpn1
#
Type Algorithms
aes-ctr-128
aes-ctr-192
aes-ctr-256
Encryption algorithm
camellia-cbc-128
camellia-cbc-192
camellia-cbc-256
388
gmac-128
gmac-192
gmac-256
gcm-128
gcm-192
gcm-256
Authentication algorithm aes-xcbc-mac
dh-group19
PFS algorithm
dh-group20
Procedure
1. Enter system view.
system-view
2. Create an IPsec transform set and enter its view.
ipsec transform-set transform-set-name
3. Specify the security protocol for the IPsec transform set.
protocol { ah | ah-esp | esp }
By default, the ESP security protocol is used.
4. Specify the encryption algorithms for ESP. Skip this step if the protocol ah command is
configured.
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 |
aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 |
camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc |
gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
By default, no encryption algorithm is specified for ESP.
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 |
aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256
| gcm-128 | gcm-192 | gcm-256 } *
By default, no encryption algorithm is specified for ESP.
5. Specify the authentication algorithms for ESP. Skip this step if the protocol ah command is
configured.
In non-FIPS mode:
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 |
sha384 | sha512 } *
By default, no authentication algorithm is specified for ESP.
The aes-xcbc-mac algorithm is available only for IKEv2.
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
By default, no authentication algorithm is specified for ESP.
6. Specify the authentication algorithms for AH. Skip this step if the protocol esp command is
configured.
In non-FIPS mode:
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 |
sha384 | sha512 } *
389
By default, no authentication algorithm is specified for AH.
The aes-xcbc-mac algorithm is available only for IKEv2.
In FIPS mode:
ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
By default, no authentication algorithm is specified for AH.
7. Specify the packet encapsulation mode.
encapsulation-mode { transport | tunnel }
By default, the security protocol encapsulates IP packets in tunnel mode.
8. (Optional.) Enable the PFS feature.
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 |
dh-group19 | dh-group20 }
In FIPS mode:
pfs { dh-group14 | dh-group19 | dh-group20 }
By default, the PFS feature is disabled.
For more information about PFS, see "Configuring IKE."
9. (Optional.) Enable the Extended Sequence Number (ESN) feature.
esn enable [ both ]
By default, the ESN feature is disabled.
390
2. Create a manual IPsec policy entry and enter its view.
ipsec { ipv6-policy | policy } policy-name seq-number manual
3. (Optional.) Configure a description for the IPsec policy.
description text
By default, no description is configured.
4. Specify an ACL for the IPsec policy.
security acl [ ipv6 ] { acl-number | name acl-name }
By default, no ACL is specified for an IPsec policy.
You can specify only one ACL for an IPsec policy.
5. Specify an IPsec transform set for the IPsec policy.
transform-set transform-set-name
By default, no IPsec transform set is specified for an IPsec policy.
You can specify only one IPsec transform set for a manual IPsec policy.
6. Specify the remote IP address of the IPsec tunnel.
remote-address { ipv4-address | ipv6 ipv6-address }
By default, the remote IP address of the IPsec tunnel is not specified.
7. Configure an SPI for the inbound IPsec SA.
sa spi inbound { ah | esp } spi-number
By default, no SPI is configured for the inbound IPsec SA.
8. Configure an SPI for the outbound IPsec SA.
sa spi outbound { ah | esp } spi-number
By default, no SPI is configured for the outbound IPsec SA.
9. Configure keys for the IPsec SA.
{ Configure an authentication key in hexadecimal format for AH.
sa hex-key authentication { inbound | outbound } ah { cipher | simple }
string
{ Configure an authentication key in character format for AH.
sa string-key { inbound | outbound } ah { cipher | simple } string
{ Configure a key in character format for ESP.
sa string-key { inbound | outbound } esp { cipher | simple } string
{ Configure an authentication key in hexadecimal format for ESP.
sa hex-key authentication { inbound | outbound } esp { cipher |
simple }
{ Configure an encryption key in hexadecimal format for ESP.
sa hex-key encryption { inbound | outbound } esp { cipher | simple }
string
By default, no keys are configured for the IPsec SA.
Configure keys correctly for the security protocol (AH, ESP, or both) you have specified in the
IPsec transform set used by the IPsec policy.
391
To configure an IKE-based IPsec policy, use one of the following methods:
• Directly configure it by configuring the parameters in IPsec policy view.
• Configure it by using an existing IPsec policy template with the parameters to be negotiated
configured.
A device using an IPsec policy that is configured in this way cannot initiate an SA negotiation,
but it can respond to a negotiation request. The parameters not defined in the template are
determined by the initiator. For example, in an IPsec policy template, the ACL is optional. If you
do not specify an ACL, the IPsec protection range has no limit. So the device accepts all ACL
settings of the negotiation initiator.
When the remote end's information (such as the IP address) is unknown, this method allows the
remote end to initiate negotiations with the local end.
The configurable parameters for an IPsec policy template are the same as those when you directly
configure an IKE-based IPsec policy. The difference is that more parameters are optional for an
IPsec policy template. Except the IPsec transform sets and the IKE profile, all other parameters are
optional.
Restrictions and guidelines for IKE-based IPsec policy configuration
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security
protocols, security algorithms, and encapsulation mode.
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
An IKE-based IPsec policy can use a maximum of six IPsec transform sets. During an IKE
negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel.
If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional
on the responder. The remote IP address specified on the local end must be the same as the local IP
address specified on the remote end.
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires
when either lifetime expires.
If you specify both an IKEv1 profile and an IKEv2 profile for an IPsec policy, the IKEv2 profile is used
preferentially. For more information about IKEv1 and IKEv2 profiles, see "Configuring IKE" and
"Configuring IKEv2."
Directly configuring an IKE-based IPsec policy
1. Enter system view.
system-view
2. Create an IKE-based IPsec policy entry and enter its view.
ipsec { ipv6-policy | policy } policy-name seq-number isakmp
3. (Optional.) Configure a description for the IPsec policy.
description text
By default, no description is configured.
4. Specify an ACL for the IPsec policy.
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation |
per-host ]
By default, no ACL is specified for an IPsec policy.
You can specify only one ACL for an IPsec policy.
5. Specify IPsec transform sets for the IPsec policy.
transform-set transform-set-name&<1-6>
By default, no IPsec transform sets are specified for an IPsec policy.
392
6. Specify an IKE profile or IKEv2 profile for the IPsec policy.
{ Specify an IKE profile.
ike-profile profile-name
By default, no IKE profile is specified for an IPsec policy.
{ Specify an IKEv2 profile.
ikev2-profile profile-name
By default, no IKEv2 profile is specified for an IPsec policy.
7. Specify the local IP address of the IPsec tunnel.
local-address { ipv4-address | ipv6 ipv6-address }
By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the
interface to which the IPsec policy is applied. The local IPv6 address of the IPsec tunnel is the
first IPv6 address of the interface to which the IPsec policy is applied.
The local IP address specified by this command must be the same as the IP address used as
the local IKE identity.
In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to
which the IPsec-applied interface belongs.
8. Specify the remote IP address of the IPsec tunnel.
remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
By default, the remote IP address of the IPsec tunnel is not specified.
9. (Optional.) Set the lifetime or idle timeout for the IPsec SA.
{ Set the IPsec SA lifetime.
sa duration { time-based seconds | traffic-based kilobytes }
By default, the global SA lifetime is used.
{ Set the IPsec SA idle timeout.
sa idle-time seconds
By default, the global IPsec SA idle timeout is used.
10. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.
tfc enable
By default, the TFC padding feature is disabled.
Configuring an IKE-based IPsec policy by using an IPsec policy template
1. Enter system view.
system-view
2. Create an IPsec policy template and enter its view.
ipsec { ipv6-policy-template | policy-template } template-name
seq-number
3. (Optional.) Configure a description for the IPsec policy template.
description text
By default, no description is configured.
4. (Optional.) Specify an ACL for the IPsec policy template.
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation |
per-host ]
By default, no ACL is specified for an IPsec policy template.
You can specify only one ACL for an IPsec policy template.
5. Specify IPsec transform sets for the IPsec policy template.
transform-set transform-set-name&<1-6>
393
By default, no IPsec transform sets are specified for an IPsec policy template.
6. Specify an IKE profile or IKEv2 profile for the IPsec policy template.
{ Specify an IKE profile.
ike-profile profile-name
By default, no IKE profile is specified for an IPsec policy template.
Make sure the specified IKE profile is not used by another IPsec policy or IPsec policy
template.
{ Specify an IKEv2 profile.
ikev2-profile profile-name
By default, no IKEv2 profile is specified for an IPsec policy template.
7. Specify the local IP address of the IPsec tunnel.
local-address { ipv4-address | ipv6 ipv6-address }
The default local IPv4 address and IPv6 address is the primary IPv4 address and first IPv6
address of the interface where the IPsec policy is applied.
The local IP address specified by this command must be the same as the IP address used as
the local IKE identity.
In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to
which the IPsec-applied interface belongs.
8. Specify the remote IP address of the IPsec tunnel.
remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
By default, the remote IP address of the IPsec tunnel is not specified.
9. (Optional.) Set the lifetime and idle timeout for the IPsec SA.
{ Set the IPsec SA lifetime.
sa duration { time-based seconds | traffic-based kilobytes }
By default, the global SA lifetime is used.
{ Set the IPsec SA idle timeout.
sa idle-time seconds
By default, the global IPsec SA idle timeout is used.
10. (Optional.) Enable the Traffic Flow Confidentiality (TFC) padding feature.
tfc enable
By default, the TFC padding feature is disabled.
11. Return to system view.
quit
12. Create an IPsec policy by using the IPsec policy template.
ipsec { ipv6-policy | policy } policy-name seq-number isakmp template
template-name
394
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply an IPsec policy to the interface.
ipsec apply { ipv6-policy | policy } policy-name
By default, no IPsec policy is applied to an interface.
On one interface, you can apply only one IPv4 IPsec policy and one IPv6 IPsec policy.
4. Specify a traffic processing slot for the interface.
service slot slot-number
By default, no traffic processing slot is specified for an interface. Traffic on an interface is
processed on the slot at which the traffic arrives.
This step is required when the following conditions are met:
{ An IKE-based IPsec policy is applied to a global logical interface, such as VLAN interface.
{ The IPsec anti-replay feature is globally enabled.
395
Restrictions and guidelines
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only
IKE-based IPsec SAs support anti-replay.
Set the anti-replay window size as small as possible to reduce the impact on system performance.
IPsec anti-replay requires that packets on the same interface be processed on the same slot. To
perform IPsec anti-replay on a multichassis IRF fabric for a global interface, use the service
command in interface view to specify a service processing slot for that interface. Global interfaces
(such as VLAN or tunnel interfaces) are virtual interfaces that might have physical ports across the
IRF member devices. For more information about the service command, see VLAN commands in
Layer 2—LAN Switching Command Reference or tunneling commands in Layer 3—IP Services
Command Reference.
Failure to detect anti-replay attacks might result in denial of services. If you want to disable IPsec
anti-replay, make sure you understand the impact of the operation on network security.
Procedure
1. Enter system view.
system-view
2. Enable IPsec anti-replay.
ipsec anti-replay check
By default, IPsec anti-replay is enabled.
3. Set the size of the IPsec anti-replay window.
ipsec anti-replay window width
The default size is 64.
396
4. Set the anti-replay window synchronization interval for inbound packets and the sequence
number synchronization interval for outbound packets.
redundancy replay-interval inbound inbound-interval outbound
outbound-interval
By default, the active device synchronizes the anti-replay window every time it receives 1000
packets and synchronizes the sequence number every time it sends 100000 packets.
397
IPsec traffic classification rules are determined by the rules of the specified ACL. For more
information about QoS policy and classification, see ACL and QoS Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter IPsec policy view or IPsec policy template view.
{ Enter IPsec policy view.
ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp |
manual ]
{ Enter IPsec policy template view.
ipsec { ipv6-policy-template | policy-template } template-name
seq-number
3. Enable QoS pre-classify.
qos pre-classify
By default, QoS pre-classify is disabled.
398
Configuring the DF bit of IPsec packets globally
1. Enter system view.
system-view
2. Configure the DF bit of IPsec packets globally.
ipsec global-df-bit { clear | copy | set }
By default, IPsec copies the DF bit in the original IP header to the new IP header.
399
Configuring IPsec for IPv6 routing protocols
IPsec protection for IPv6 routing protocols tasks at a glance
To configure IPsec protection for IPv6 routing protocols, perform the following tasks:
1. Configuring an IPsec transform set
2. Configuring a manual IPsec profile
3. Applying the IPsec profile to an IPv6 routing protocol
4. (Optional.) Configuring IPsec fragmentation
5. (Optional.) Setting the maximum number of IPsec tunnels
6. (Optional.) Enabling logging for IPsec packets
7. (Optional.) Configuring SNMP notifications for IPsec
400
transform-set transform-set-name
By default, no IPsec transform set is specified in an IPsec profile.
The specified IPsec transform set must use the transport mode.
5. Configure an SPI for an SA.
sa spi { inbound | outbound } { ah | esp } spi-number
By default, no SPI is configured for an SA.
6. Configure keys for the IPsec SA.
{ Configure an authentication key in hexadecimal format for AH.
sa hex-key authentication { inbound | outbound } ah { cipher | simple }
string
{ Configure an authentication key in character format for AH.
sa string-key { inbound | outbound } ah { cipher | simple } string
{ Configure a key in character format for ESP.
sa string-key { inbound | outbound } esp { cipher | simple } string
{ Configure an authentication key in hexadecimal format for ESP.
sa hex-key authentication { inbound | outbound } esp { cipher |
simple }
{ Configure an encryption key in hexadecimal format for ESP.
sa hex-key encryption { inbound | outbound } esp { cipher | simple }
string
By default, no keys are configured for the IPsec SA.
Configure a key for the security protocol (AH, ESP, or both) you have specified.
401
By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is
1843200 kilobytes.
{ Set the global SA idle timeout.
ipsec sa idle-time seconds
By default, the global IPsec SA idle timeout feature is disabled.
402
includes the source and destination IP addresses, SPI value, and sequence number of a discarded
IPsec packet, and the reason for the discard.
Procedure
1. Enter system view.
system-view
2. Enable logging for IPsec packets.
ipsec logging packet enable
By default, logging for IPsec packets is disabled.
Task Command
display ipsec { ipv6-policy | policy }
Display IPsec policy information.
[ policy-name [ seq-number ] ]
display ipsec { ipv6-policy-template |
Display IPsec policy template information. policy-template } [ template-name
[ seq-number ] ]
Display IPsec profile information. display ipsec profile [ profile-name ]
403
Task Command
display ipsec sa [ brief | count |
interface interface-type
interface-number | { ipv6-policy |
Display IPsec SA information.
policy } policy-name [ seq-number ] |
profile profile-name | remote [ ipv6 ]
ip-address ]
display ipsec statistics [ tunnel-id
Display IPsec statistics.
tunnel-id ]
display ipsec transform-set
Display IPsec transform set information.
[ transform-set-name ]
display ipsec tunnel { brief | count |
Display IPsec tunnel information.
tunnel-id tunnel-id }
reset ipsec sa [ { ipv6-policy | policy }
policy-name [ seq-number ] | profile
policy-name | remote { ipv4-address |
Clear IPsec SAs.
ipv6 ipv6-address } | spi
{ ipv4-address | ipv6 ipv6-address }
{ ah | esp } spi-num ]
reset ipsec statistics [ tunnel-id
Clear IPsec statistics.
tunnel-id ]
Procedure
1. Configure Switch A:
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
404
[SwitchA-Vlan-interface1] quit
# Configure an IPv4 advanced ACL to identify the data flows between Switch A and Switch B.
[SwitchA] acl advanced 3101
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy entry. Specify the policy name as map1 and set the sequence
number to 10.
[SwitchA] ipsec policy map1 10 manual
# Specify ACL 3101.
[SwitchA-ipsec-policy-manual-map1-10] security acl 3101
# Specify IPsec transform set tran1.
[SwitchA-ipsec-policy-manual-map1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.3.1.
[SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
# Configure inbound and outbound SPIs for ESP.
[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
# Configure the inbound and outbound SA keys for ESP.
[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
[SwitchA-ipsec-policy-manual-map1-10] quit
# Apply IPsec policy map1 to VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
2. Configure Switch B:
# Configure an IP address for VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure an IPv4 advanced ACL to identify the data flows between Switch B and Switch A.
[SwitchB] acl advanced 3101
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
405
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy entry. Specify the policy name as use1 and set the sequence
number to 10.
[SwitchB] ipsec policy use1 10 manual
# Specify ACL 3101.
[SwitchB-ipsec-policy-manual-use1-10] security acl 3101
# Specify IPsec transform set tran1.
[SwitchB-ipsec-policy-manual-use1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.2.1.
[SwitchB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
# Configure the inbound and outbound SPIs for ESP.
[SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
# Configure the inbound and outbound SA keys for ESP.
[SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
[SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-policy-manual-use1-10] quit
# Apply IPsec policy use1 to VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: manual
-----------------------------
Tunnel id: 549
Encapsulation mode: tunnel
Path MTU: 1443
Tunnel:
local address: 2.2.2.1
remote address: 2.2.3.1
406
Flow:
as defined in ACL 3101
[Inbound ESP SA]
SPI: 54321 (0x0000d431)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 12345 (0x00003039)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
Procedure
1. Configure Switch A:
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Configure an IPv4 advanced ACL to identify data flows from Switch A to Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
407
[SwitchA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the preshared key to be used with the
remote peer at 2.2.3.1.
[SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key
simple 12345zxcvb!@#$%ZXCVB
[SwitchA-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[SwitchA] ike profile profile1
[SwitchA-ike-profile-profile1] keychain keychain1
[SwitchA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[SwitchA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the
sequence number to 10.
[SwitchA] ipsec policy map1 10 isakmp
# Apply ACL 3101.
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
# Apply IPsec transform set tran1.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.
[SwitchA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1
[SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
# Apply IKE profile profile1.
[SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to VLAN interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
2. Configure Switch B:
# Configure an IP address for VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure an IPv4 advanced ACL to identify data flows from Switch B to Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
408
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchB] ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the preshared key to be used with the
remote peer at 2.2.2.1.
[SwitchB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key
simple 12345zxcvb!@#$%ZXCVB
[SwitchB-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[SwitchB] ike profile profile1
[SwitchB-ike-profile-profile1] keychain keychain1
[SwitchB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0
[SwitchB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the
sequence number to 10.
[SwitchB] ipsec policy use1 10 isakmp
# Apply ACL 3101.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Apply IPsec transform set tran1.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.
[SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
# Apply IKE profile profile1.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply IPsec policy use1 to VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
409
Requirements analysis
To meet the network configuration requirements, perform the following tasks:
1. Configure basic RIPng.
For more information about RIPng configurations, see Layer 3—IP Routing Configuration
Guide.
2. Configure an IPsec profile.
{ The IPsec profiles on all the switches must have IPsec transform sets that use the same
security protocol, authentication and encryption algorithms, and encapsulation mode.
{ The SPI and key configured for the inbound SA and those for the outbound SA must be the
same on each switch.
{ The SPI and key configured for the SAs on all the switches must be the same.
3. Apply the IPsec profile to a RIPng process or to an interface.
Procedure
1. Configure Switch A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<SwitchA> system-view
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ripng 1 enable
[SwitchA-Vlan-interface100] quit
# Create and configure the IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode transport
[SwitchA-ipsec-transform-set-tran1] protocol esp
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[SwitchA] ipsec profile profile001 manual
[SwitchA-ipsec-profile-manual-profile001] transform-set tran1
[SwitchA-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[SwitchA-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[SwitchA-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[SwitchA-ipsec-profile-manual-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[SwitchA] ripng 1
[SwitchA-ripng-1] enable ipsec-profile profile001
[SwitchA-ripng-1] quit
2. Configure Switch B:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<SwitchB> system-view
[SwitchB] ripng 1
410
[SwitchB-ripng-1] quit
[SwitchB] interface vlan-interface 200
[SwitchB-Vlan-interface200] ripng 1 enable
[SwitchB-Vlan-interface200] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Create and configure the IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode transport
[SwitchB-ipsec-transform-set-tran1] protocol esp
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[SwitchB] ipsec profile profile001 manual
[SwitchB-ipsec-profile-manual-profile001] transform-set tran1
[SwitchB-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[SwitchB-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[SwitchB-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[SwitchB-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-profile-manual-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[SwitchB] ripng 1
[SwitchB-ripng-1] enable ipsec-profile profile001
[SwitchB-ripng-1] quit
3. Configure Switch C:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<SwitchC> system-view
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit
# Create and configure the IPsec transform set named tran1.
[SwitchC] ipsec transform-set tran1
[SwitchC-ipsec-transform-set-tran1] encapsulation-mode transport
[SwitchC-ipsec-transform-set-tran1] protocol esp
[SwitchC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[SwitchC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchC-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[SwitchC] ipsec profile profile001 manual
[SwitchC-ipsec-profile-manual-profile001] transform-set tran1
[SwitchC-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[SwitchC-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[SwitchC-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
411
[SwitchC-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[SwitchC-ipsec-profile-manual-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[SwitchC] ripng 1
[SwitchC-ripng-1] enable ipsec-profile profile001
[SwitchC-ripng-1] quit
-----------------------------
IPsec profile: profile001
Mode: Manual
-----------------------------
Encapsulation mode: transport
[Inbound ESP SA]
SPI: 123456 (0x3039)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 123456 (0x3039)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-AES-CBC-128ESP-AUTH-SHA1
No duration limit for this SA
412
Example: Configuring IPsec RRI
Network configuration
As shown in Figure 107, branches access the enterprise center through an IPsec VPN.
Configure the IPsec VPN as follows:
• Configure an IPsec tunnel between Switch A and each branch gateway (Switch B, Switch C,
and Switch D) to protect traffic between subnets 4.4.4.0/24 and 5.5.5.0/24.
• Configure the tunnels to use security protocol ESP, encryption algorithm DES, and
authentication algorithm SHA1-HMAC-96. Use IKE for IPsec SA negotiation.
• Configure IKE proposal to use the preshared key authentication method, encryption algorithm
3DES, and authentication algorithm HMAC-SHA1.
• Configure IPsec RRI on Switch A to automatically create static routes to the branches based on
the established IPsec SAs.
Figure 107 Network diagram
Procedure
1. Assign IPv4 addresses to the interfaces on the switches according to Figure 107. (Details not
shown.)
2. Configure Switch A:
# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES
as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.
<SwitchA> system-view
[SwitchA] ipsec transform-set tran1
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchA-ipsec-transform-set-tran1] protocol esp
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create and configure the IKE profile named profile1.
[SwitchA] ike profile profile1
[SwitchA-ike-profile-profile1] keychain key1
[SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[SwitchA-ike-profile-profile1] quit
413
# Create an IPsec policy template named temp1. Specify IPsec transform set tran1 and IKE
profile profile1 for the IPsec policy template.
[SwitchA] ipsec policy-template temp1 1
[SwitchA-ipsec-policy-template-temp1-1] transform-set tran1
[SwitchA-ipsec-policy-template-temp1-1] ike-profile profile1
# Enable IPsec RRI, set the preference to 100 and the tag to 1000 for the static routes created
by IPsec RRI.
[SwitchA-ipsec-policy-template-temp1-1] reverse-route dynamic
[SwitchA-ipsec-policy-template-temp1-1] reverse-route preference 100
[SwitchA-ipsec-policy-template-temp1-1] reverse-route tag 1000
[SwitchA-ipsec-policy-template-temp1-1] quit
# Create an IKE-based IPsec policy entry by using IPsec policy template temp1. Specify the
policy name as map1 and set the sequence number to 10.
[SwitchA] ipsec policy map1 10 isakmp template temp1
# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm,
HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.
[SwitchA] ike proposal 1
[SwitchA-ike-proposal-1] encryption-algorithm 3des-cbc
[SwitchA-ike-proposal-1] authentication-algorithm sha
[SwitchA-ike-proposal-1] authentication-method pre-share
[SwitchA-ike-proposal-1] quit
# Create an IKE keychain named key1 and specify 123 in plain text as the preshared key to be
used with the remote peer at 2.2.2.2.
[SwitchA] ike keychain key1
[SwitchA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[SwitchA-ike-keychain-key1] quit
# Apply IPsec policy map1 to VLAN-interface 100.
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ipsec apply policy map1
[SwitchA-Vlan-interface100] quit
3. Configure Switch B:
# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES
as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.
[SwitchB] ipsec transform-set tran1
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchB-ipsec-transform-set-tran1] protocol esp
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Configure IPv4 advanced ACL 3000 to identify traffic from subnet 5.5.5.0/24 to subnet
4.4.4.0/24.
[SwitchB] acl advanced 3000
[SwitchB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination
4.4.4.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3000] quit
# Create and configure the IKE profile named profile1.
[SwitchB] ike profile profile1
[SwitchB-ike-profile-profile1] keychain key1
[SwitchB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
414
[SwitchB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry named map1 and configure the following settings for
the policy entry:
{ Set the sequence number to 10.
{ Specify transform set tran1 and ACL 3000.
{ Specify the remote IP address for the tunnel as 1.1.1.1.
{ Specify IKE profile profile1.
[SwitchB] ipsec policy map1 10 isakmp
[SwitchB-ipsec-policy-isakmp-map1-10] transform-set tran1
[SwitchB-ipsec-policy-isakmp-map1-10] security acl 3000
[SwitchB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[SwitchB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-map1-10] quit
# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm,
HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.
[SwitchB] ike proposal 1
[SwitchB-ike-proposal-1] encryption-algorithm 3des-cbc
[SwitchB-ike-proposal-1] authentication-algorithm sha
[SwitchB-ike-proposal-1] authentication-method pre-share
[SwitchB-ike-proposal-1] quit
# Create an IKE keychain named key1 and specify 123 in plain text as the preshared key to be
used with the remote peer at 1.1.1.1.
[SwitchB] ike keychain key1
[SwitchB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[SwitchB-ike-keychain-key1] quit
# Apply IPsec policy map1 to VLAN-interface 100.
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ipsec apply policy map1
[SwitchB-Vlan-interface100] quit
Make sure Switch B has a route to the peer private network, with the outgoing interface as
VLAN-interface 100.
4. Configure Switch C and Switch D in the same way Switch B is configured.
Verifying the configuration
1. Verify that IPsec RRI can automatically create a static route from Switch A to Switch B:
# Initiate a connection from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered
to establish IPsec SAs between Switch A and Switch B. (Details not shown.)
# Verify that IPsec SAs are established on Switch A.
[SwitchA] display ipsec sa
-------------------------------
Interface: Vlan-interface100
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: Template
-----------------------------
415
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1463
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
Flow:
sour addr: 4.4.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 5.5.5.0/255.255.255.0 port: 0 protocol: ip
416
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1.
About IKE
Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key
negotiation and SA establishment services for IPsec.
Benefits of IKE
IKE provides the following benefits for IPsec:
• Automatically negotiates IPsec parameters.
• Performs DH exchanges to calculate shared keys, making sure each SA has a key that is
independent of other keys.
• Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
making sure IPsec can provide the anti-replay service by using the sequence number.
417
IKE exchange process in main mode
As shown in Figure 109, the main mode of IKE negotiation in phase 1 involves three pairs of
messages:
• SA exchange—Used for negotiating the IKE security policy.
• Key exchange—Used for exchanging the DH public value and other values, such as the
random number. The two peers use the exchanged data to generate key data and use the
encryption key and authentication key to ensure the security of IP packets.
• ID and authentication data exchange—Used for identity authentication.
Figure 109 IKE exchange process in main mode
418
Figure 110 IKE exchange process in aggressive mode
419
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
420
Configuring an IKE profile
Creating an IKE profile
About IKE profile
Perform this task to create an IKE profile.
An IKE profile is intended to provide a set of parameters for IKE negotiation.
Procedure
1. Enter system view.
system-view
2. Create an IKE profile and enter its view.
ike profile profile-name
421
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Specify the keychain for preshared key authentication or the PKI domain used to request a
certificate for digital signature authentication.
{ Specify the keychain.
keychain keychain-name
{ Specify the PKI domain.
certificate domain domain-name
By default, no IKE keychain or PKI domain is specified in an IKE profile.
422
Configuring the local ID for the IKE profile
Restrictions and guidelines
For digital signature authentication, the device can use an ID of any type. If the local ID is an IP
address that is different from the IP address in the local certificate, the device uses the FQDN (the
device name configured by using the sysname command) instead.
For preshared key authentication, the device can use an ID of any type other than the DN.
Procedure
1. Enter system view.
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Configure the local ID.
local-identity { address { ipv4-address | ipv6 ipv6-address } | dn |
fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID
configured in system view. If the local ID is not configured in system view, the IKE profile uses
the IP address of the interface to which the IPsec policy or IPsec policy template is applied as
the local ID.
423
By default, IKE DPD is not configured for an IKE profile and an IKE profile uses the DPD
settings configured in system view. If IKE DPD is not configured in system view either, the
device does not perform dead IKE peer detection.
The IKE DPD settings configured in the IKE profile view take precedence over those
configured in system view.
{ Specify the local interface or IP address to which the IKE profile can be applied.
match local address { interface-type interface-number |
{ ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] }
By default, an IKE profile can be applied to any local interface or IP address.
An IKE profile configured with this command has a higher priority over those not configured
with this command.
{ Specify a priority for the IKE profile.
priority priority
By default, the priority of an IKE profile is 100.
The device selects a local IKE profile for IKE negotiation as follows:
− First, it selects an IKE profile with the match local address command configured.
− If a tie exists, it selects the IKE profile with a smaller priority number.
− If a tie still exists, it selects the IKE profile configured earlier.
424
3. Configure a description for the IKE proposal.
description
By default, an IKE proposal does not have a description.
4. Specify an encryption algorithm for the IKE proposal.
In non-FIPS mode:
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 |
aes-cbc-256 | des-cbc }
By default, the 56-bit DES encryption algorithm in CBC mode is used .
In FIPS mode:
encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
By default, the 128-bit AES encryption algorithm in CBC mode is used.
5. Specify an authentication method for the IKE proposal.
authentication-method{ dsa-signature | ecdsa-signature | pre-share |
rsa-signature }
By default, the preshared key authentication method is used.
6. Specify an authentication algorithm for the IKE proposal.
In non-FIPS mode:
authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }
By default, the HMAC-SHA1 authentication algorithm is used.
In FIPS mode:
authentication-algorithm { sha | sha256 | sha384 | sha512 }
By default, the HMAC-SHA256 authentication algorithm is used.
7. Specify a DH group for key negotiation in phase 1.
In non-FIPS mode:
dh{ group1 | group14 | group19 | group2 | group20 | group24 | group5 }
DH group 1 (the 768-bit DH group) is used by default.
In FIPS mode:
dh{ group14 | group19 | group20 | group24 }
DH group 14 (the 2048-bit DH group) is used by default.
8. (Optional.) Set the IKE SA lifetime for the IKE proposal.
sa duration seconds
By default, the IKE SA lifetime is 86400 seconds.
425
a. The device examines the existence of the match local address command. An IKE
keychain with the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller
priority number has a higher priority.
c. If a tie still exists, the device prefers an IKE keychain configured earlier.
Procedure
1. Enter system view.
system-view
2. Create an IKE keychain and enter its view.
ike keychain keychain-name [ vpn-instance vpn-instance-name ]
3. Configure a preshared key.
In non-FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6
ipv6-address [ prefix-length ] } | hostname host-name } key { cipher |
simple } string
In FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6
ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher
string ]
By default, no preshared key is configured.
4. (Optional.) Specify a local interface or IP address to which the IKE keychain can be applied.
match local address { interface-type interface-number | { ipv4-address
| ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
By default, an IKE keychain can be applied to any local interface or IP address.
5. (Optional.) Specify a priority for the IKE keychain.
priority priority
The default priority is 100.
426
ike signature-identity from-certificate
By default, the local end uses the identity information specified by local-identity or ike
identity for signature authentication.
Configure this command when the aggressive mode and signature authentication are used and
the device interconnects with a Comware 5-based peer device. Comware 5 supports only DN
for signature authentication.
427
Configuring global IKE DPD
About IKE DPD
DPD detects dead peers. It can operate in periodic mode or on-demand mode.
• Periodic DPD—Sends a DPD message at regular intervals. It features an earlier detection of
dead peers, but consumes more bandwidth and CPU.
• On-demand DPD—Sends a DPD message based on traffic. When the device has traffic to
send and is not aware of the liveness of the peer, it sends a DPD message to query the status of
the peer. If the device has no traffic to send, it never sends DPD messages. As a best practice,
use the on-demand mode.
The IKE DPD works as follows:
1. The local device sends a DPD message to the peer, and waits for a response from the peer.
2. If the peer does not respond within the retry interval specified by the retry seconds parameter,
the local device resends the message.
3. If still no response is received within the retry interval, the local end sends the DPD message
again. The system allows a maximum of two retries.
4. If the local device receives no response after two retries, the device considers the peer to be
dead, and deletes the IKE SA along with the IPsec SAs it negotiated.
5. If the local device receives a response from the peer during the detection process, the peer is
considered alive. The local device performs a DPD detection again when the triggering interval
is reached or it has traffic to send, depending on the DPD mode.
Restrictions and guidelines
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE
profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection
is not triggered during a DPD retry.
Procedure
1. Enter system view.
system-view
2. Enable sending IKE DPD messages.
ike dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, IKE DPD is disabled.
428
Restrictions and guidelines
Use caution when you enable the invalid SPI recovery feature because using this feature can result
in a DoS attack. Attackers can make a great number of invalid SPI notifications to the same peer.
Procedure
1. Enter system view.
system-view
2. Enable invalid SPI recovery.
ike invalid-spi-recovery enable
By default, the invalid SPI recovery is disabled.
429
By default, SNMP notifications for IKE are disabled.
3. Enable SNMP notifications for the specified failure or event types.
snmp-agent trap enable ike [ attr-not-support | auth-failure |
cert-type-unsupport | cert-unavailable | decrypt-failure |
encrypt-failure | invalid-cert-auth | invalid-cookie | invalid-id |
invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure |
proposal-add | proposal–delete | tunnel-start | tunnel-stop |
unsupport-exch-type ] *
By default, SNMP notifications for all failure and event types are disabled.
Task Command
Display configuration information about all IKE
display ike proposal
proposals.
430
Procedure
1. Make sure Switch A and Switch B can reach each other.
2. Configure Switch A:
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-vlan-interface1] ip address 1.1.1.1 255.255.0.0
[SwitchA-vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify the traffic from Switch A to Switch B.
[SwitchA] acl advanced 3101
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the preshared key to be used with the
remote peer at 2.2.2.2.
[SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.0.0 key
simple 12345zxcvb!@#$%ZXCVB
[SwitchA-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[SwitchA] ike profile profile1
# Specify IKE keychain keychain1.
[SwitchA-ike-profile-profile1] keychain keychain1
# Configure a peer ID with the identity type as IP address and the value as 2.2.2.2/16.
[SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
[SwitchA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the
sequence number to 10.
[SwitchA] ipsec policy map1 10 isakmp
# Specify the remote IP address 2.2.2.2 for the IPsec tunnel.
[SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
# Specify ACL 3101 to identify the traffic to be protected.
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
# Specify IPsec transform set tran1 for the IPsec policy.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify IKE profile profile1 for the IPsec policy.
[SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
431
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
3. Configure Switch B:
# Configure an IP address for VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface Vlan-interface1
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.0.0
[SwitchB-Vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify the traffic from Switch B to Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[SwitchB-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchB]ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the preshared key to be used with the
remote peer at 1.1.1.1.
[SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.0.0 key
simple 12345zxcvb!@#$%ZXCVB
[SwitchB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[SwitchB] ike profile profile1
# Specify IKE keychain keychain1
[SwitchB-ike-profile-profile1] keychain keychain1
# Configure a peer ID with the identity type as IP address and the value as 1.1.1.1/16.
[SwitchB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0
[SwitchB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the
sequence number to 10.
[SwitchB] ipsec policy use1 10 isakmp
# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
# Specify ACL 3101 to identify the traffic to be protected.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Specify IPsec transform set tran1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
432
# Specify IKE profile profile1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply IPsec policy use1 to VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
Procedure
1. Configure Switch A:
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Configure an IPv4 advanced ACL to identify the data flows from Switch A to Switch B.
[SwitchA] acl advanced 3101
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
433
# Create an IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the preshared key to be used with the
remote peer at 2.2.3.1.
[SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key
simple 12345zxcvb!@#$%ZXCVB
[SwitchA-ike-keychain-keychain1] quit
# Create and configure an IKE profile named profile1.
[SwitchA] ike profile profile1
[SwitchA-ike-profile-profile1] keychain keychain1
[SwitchA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[SwitchA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the
sequence number to 10.
[SwitchA] ipsec policy map1 10 isakmp
# Specify ACL 3101.
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
# Specify IPsec transform set tran1.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.
[SwitchA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1
[SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
# Specify IKE profile profile1.
[SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
2. Configure Switch B:
# Configure an IP address for VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure an IPv4 advanced ACL to identify the data flows from Switch B to Switch A.
[SwitchB] acl advanced 3101
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
434
[SwitchB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[SwitchB] ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the preshared key to be used with the
remote peer at 2.2.2.1.
[SwitchB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key
simple 12345zxcvb!@#$%ZXCVB
[SwitchB-ike-keychain-keychain1] quit
# Create and configure an IKE profile named profile1.
[SwitchB] ike profile profile1
[SwitchB-ike-profile-profile1] keychain keychain1
[SwitchB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0
[SwitchB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the
sequence number to 10.
[SwitchB] ipsec policy use1 10 isakmp
# Specify ACL 3101.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Specify IPsec transform set tran1.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.
[SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
# Specify IKE profile profile1.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply IPsec policy use1 to VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipsec apply policy use1
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals
were found
Symptom
1. The IKE SA is in Unknown state.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 192.168.222.5 Unknown IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
435
2. When IKE event debugging and packet debugging are enabled, the following messages
appear:
IKE event debugging message:
The attributes are unacceptable.
IKE packet debugging message:
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IKE proposal settings are incorrect.
Solution
1. Examine the IKE proposal configuration to see whether the two ends have matching IKE
proposals.
2. Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals.
Analysis
• If the following debugging information appeared, the matched IKE profile is not using the
matched IKE proposal:
Failed to find proposal 1 in profile profile1.
• If the following debugging information appeared, the matched IKE profile is not using the
matched IKE keychain:
Failed to find keychain keychain1 in profile profile1.
Solution
• Verify that the matched IKE proposal (IKE proposal 1 in this debugging message example) is
specified for the IKE profile (IKE profile 1 in the example).
• Verify that the matched IKE keychain (IKE keychain 1 in this debugging message example) is
specified for the IKE profile (IKE profile 1 in the example).
436
IPsec SA negotiation failed because no matching IPsec
transform sets were found
Symptom
1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE
SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA
has not been negotiated yet.
2. The following IKE debugging message appeared:
The attributes are unacceptable.
Or:
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IPsec policy settings are incorrect.
Solution
1. Examine the IPsec configuration to see whether the two ends have matching IPsec transform
sets.
2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.
Analysis
Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows:
1. Use the display ike sa verbose command to verify that matching IKE profiles were found
in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is using
an IKE profile, the IPsec SA negotiation fails.
# Identify whether matching IKE profiles were found in IKE negotiation phase 1. The following
output shows that no matching IKE profile was found:
<Sysname> display ike sa verbose
-----------------------------------------------
Connection ID: 3
Outside VPN:
Inside VPN:
Profile:
Transmitting entity: Responder
-----------------------------------------------
Local IP: 192.168.222.5
Local ID type: IPV4_ADDR
437
Local ID: 192.168.222.5
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
-----------------------------
Sequence number: 1
Mode: ISAKMP
-----------------------------
Description:
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address: 192.168.222.71
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
2. Verify that the ACL specified for the IPsec policy is correctly configured. If the flow range
defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec
proposal matching will fail.
For example, if the initiator's ACL defines a flow from one network segment to another but the
responder's ACL defines a flow from one host to another host, IPsec proposal matching will fail.
# On the initiator:
[Sysname] display acl 3000
Advanced IPv4 ACL 3000, 1 rule,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
# On the responder:
[Sysname] display acl 3000
438
Advanced IPv4 ACL 3000, 1 rule,
ACL's step is 5
rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
3. Verify that the IPsec policy has a remote address and an IPsec transform set configured and
that the IPsec transform set has all necessary settings configured.
If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation
will fail:
[Sysname] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: Twenty-FiveGigE1/0/1
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: ISAKMP
-----------------------------
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address:
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
Solution
1. If the IPsec policy specifies an IKE profile but no matching IKE profiles was found in IKE
negotiation, perform one of the following tasks on the responder:
{ Remove the specified IKE profile from the IPsec policy.
{ Modify the specified IKE profile to match the IKE profile of the initiator.
2. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's
ACL, modify the responder's ACL so the ACL defines a flow range equal to or greater than that
of the initiator's ACL.
For example:
[Sysname] display acl 3000
Advanced IPv4 ACL 3000, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
3. Configure the missing settings (for example, the remote address).
439
Configuring IKEv2
About IKEv2
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. The same as IKEv1,
IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable
identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger
protection against attacks and higher key exchange ability and needs fewer message exchanges
than IKEv1.
440
New features in IKEv2
DH guessing
In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to
use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the
responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is
finished. If the guess is wrong, the responder responds with an INVALID_KE_PAYLOAD message
that contains the DH group that it wants to use. The initiator then uses the DH group selected by the
responder to reinitiate the IKE_SA_INIT exchange. The DH guessing mechanism allows for more
flexible DH group configuration and enables the initiator to adapt to different responders.
Cookie challenging
Messages for the IKE_SA_INIT exchange are in plain text. An IKEv1 responder cannot confirm the
validity of the initiators and must maintain half-open IKE SAs, which makes the responder
susceptible to DoS attacks. An attacker can send a large number of IKE_SA_INIT requests with
forged source IP addresses to the responder, exhausting the responder's system resources.
IKEv2 introduces the cookie challenging mechanism to prevent such DoS attacks. When an IKEv2
responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging
mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If
the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder
considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the
responder terminates the negotiation.
The cookie challenging mechanism automatically stops working when the number of half-open IKE
SAs drops below the threshold.
IKEv2 SA rekeying
For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the
lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If
two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the
SA rekeying. This mechanism reduces the possibility that two peers will simultaneously initiate a
rekeying. Simultaneous rekeying results in redundant SAs and SA status inconsistency on the two
peers.
IKEv2 message retransmission
Unlike IKEv1 messages, IKEv2 messages appear in request/response pairs. IKEv2 uses the
Message ID field in the message header to identify the request/response pair. If an initiator sends a
request but receives no response with the same Message ID value within a specific period of time,
the initiator retransmits the request.
It is always the IKEv2 initiator that initiates the retransmission, and the retransmitted message must
use the same Message ID value.
441
1. Configuring an IKEv2 profile
a. Creating an IKEv2 profile
b. Specifying the local and remote identity authentication methods
c. Configuring the IKEv2 keychain or PKI domain
d. Configuring the local ID for the IKEv2 profile
e. Configuring peer IDs for the IKEv2 profile
f. Specifying a VPN instance for the IKEv2 profile
g. Specifying an inside VPN instance for the IKEv2 profile
h. Configuring optional features for the IKEv2 profile
2. Configuring an IKEv2 policy
3. Configuring an IKEv2 proposal
If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.
4. Configuring an IKEv2 keychain
This task is required when either end or both ends use the preshared key authentication
method.
5. (Optional.) Enabling the cookie challenging feature
The cookie challenging feature takes effect only on IKEv2 responders.
6. (Optional.) Configuring the IKEv2 DPD feature
7. (Optional.) Configuring the IKEv2 NAT keepalive feature
442
Specifying the local and remote identity authentication
methods
Restrictions and guidelines
The local and remote identity authentication methods must both be specified and they can be
different. You can specify only one local identity authentication method and multiple remote identity
authentication methods.
Procedure
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Specify the local and remote identity authentication methods.
authentication-method { local | remote } { dsa-signature |
ecdsa-signature | pre-share | rsa-signature }
By default, no local or remote identity authentication method is configured.
443
Procedure
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Configure the local ID.
identity local { address { ipv4-address | ipv6 ipv6-address } | dn |
email email-string | fqdn fqdn-name | key-id key-id-string }
By default, no local ID is configured, and the device uses the IP address of the interface where
the IPsec policy applies as the local ID.
444
Specifying an inside VPN instance for the IKEv2 profile
About specifying an inside VPN instance for an IKEv2 profile
The inside VPN instance determines where the device should forward received IPsec packets after it
de-encapsulates the packets. If you specify an inside VPN instance, the device looks for a route in
the specified VPN instance to forward the packets. If you do not specify an inside VPN instance, the
internal and external networks are in the same VPN instance. The device looks for a route in this
VPN instance to forward the packets.
Procedure
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Specify an inside VPN instance.
inside-vrf vrf-name
By default, no inside VPN instance is specified for an IKEv2 profile. The internal and external
networks are in the same VPN instance. The device forwards protected data to this VPN
instance.
445
By default, the IKEv2 SA lifetime is 86400 seconds.
The local and remote ends can use different IKEv2 SA lifetimes and they do not negotiate
the lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the
lifetime expires.
{ Set the IKEv2 NAT keepalive interval.
nat-keepalive seconds
By default, the global IKEv2 NAT keepalive setting is used.
Configure this command when the device is behind a NAT gateway. The device sends NAT
keepalive packets regularly to its peer to prevent the NAT session from being aged because
of no matching traffic.
{ Enable the configuration exchange feature.
config-exchange { request | set { accept | send } }
By default, all configuration exchange options are disabled.
This feature applies to scenarios where the headquarters and branches communicate
through virtual tunnels. It enables exchanges of IP address request and set messages
between the IPsec gateway at a branch and the IPsec gateway at the headquarters.
Table 31 Parameter descriptions
Parameter Description
Enables the IPsec gateway at a branch to submit IP address request messages to
request
the IPsec gateway at the headquarters.
set Enables the IPsec gateway at a branch to accept the IP addresses pushed by the
accept IPsec gateway at the headquarters.
446
ikev2 policy policy-name
By default, an IKEv2 policy named default exists.
3. Specify the local interface or address used for IKEv2 policy matching.
match local address { interface-type interface-number | ipv4-address |
ipv6 ipv6-address }
By default, no local interface or address is used for IKEv2 policy matching, and the policy
matches any local interface or address.
4. Specify a VPN instance for IKEv2 policy matching.
match vrf { name vrf-name | any }
By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches
all local addresses in the public network.
5. Specify an IKEv2 proposal for the IKEv2 policy.
proposal proposal-name
By default, no IKEv2 proposal is specified for an IKEv2 policy.
6. Specify a priority for the IKEv2 policy.
priority priority
By default, the priority of an IKEv2 policy is 100.
447
{ DH groups 14 and 19.
3. Specify the encryption algorithms.
In non-FIPS mode:
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 |
aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 |
camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
In FIPS mode:
encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 |
aes-ctr-192 | aes-ctr-256 } *
By default, an IKEv2 proposal does not have any encryption algorithms.
4. Specify the integrity protection algorithms.
In non-FIPS mode:
integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 }
*
In FIPS mode:
integrity { sha1 | sha256 | sha384 | sha512 } *
By default, an IKEv2 proposal does not have any integrity protection algorithms.
5. Specify the DH groups.
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *
In FIPS mode:
dh { group14 | group19 | group20 } *
By default, an IKEv2 proposal does not have any DH groups.
6. Specify the PRF algorithms.
In non-FIPS mode:
prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
In FIPS mode:
prf { sha1 | sha256 | sha384 | sha512 } *
By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.
448
3. Create an IKEv2 peer and enter its view.
peer name
4. Configure a host name for the peer:
hostname name
By default, no host name is configured for an IKEv2 peer.
5. Configure a host IP address or address range for the peer:
address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address
[ prefix-length ] }
By default, no host IP address or address range is configured for an IKEv2 peer.
You must configure different host IP addresses/address ranges for different peers.
6. Configure an ID for the peer:
identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn
fqdn-name | email email-string | key-id key-id-string }
By default, no identity information is configured for an IKEv2 peer.
7. Configure a preshared key for the peer.
pre-shared-key [ local | remote ] { ciphertext | plaintext } string
By default, an IKEv2 peer does not have a preshared key.
449
Restrictions and guidelines
If you configure IKEv2 DPD in both IKEv2 profile view and system view, the IKEv2 DPD settings in
IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD
settings in system view apply.
Procedure
1. Enter system view.
system-view
2. Configure global IKEv2 DPD.
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, global DPD is disabled.
Task Command
display ikev2 policy [ policy-name |
Display the IKEv2 policy configuration.
default ]
display ikev2 profile
Display the IKEv2 profile configuration.
[ profile-name ]
display ikev2 proposal [ name |
Display the IKEv2 proposal configuration.
default ]
display ikev2 sa [ count | [ { local |
remote } { ipv4-address | ipv6
Display the IKEv2 SA information. ipv6-address } [ vpn-instance
vpn-instance-name ] ] [ verbose
[ tunnel tunnel-id ] ] ]
Display IKEv2 statistics. display ikev2 statistics
450
Task Command
reset ikev2 sa [ [ { local | remote }
{ ipv4-address | ipv6
Delete IKEv2 SAs and the child SAs negotiated
ipv6-address } [ vpn-instance
through the IKEv2 SAs.
vpn-instance-name ] ] | tunnel
tunnel-id ] [ fast ]
Clear IKEv2 statistics. reset ikev2 statistics
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2
proposals were found
Symptom
The IKEv2 SA is in IN-NEGO status.
<Sysname> display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
5 123.234.234.124/500 123.234.234.123/500 IN-NEGO
Status:
IN-NEGO: Negotiating, EST: Established, DEL:Deleting
Analysis
Certain IKEv2 proposal settings are incorrect.
Solution
1. Examine the IKEv2 proposal configuration to see whether the two ends have matching IKEv2
proposals.
2. Modify the IKEv2 proposal configuration to make sure the two ends have matching IKEv2
proposals.
451
IPsec tunnel establishment failed
Symptom
The ACLs and IKEv2 proposals are correctly configured on both ends. The two ends cannot
establish an IPsec tunnel or cannot communicate through the established IPsec tunnel.
Analysis
The IKEv2 SA or IPsec SAs on either end are lost. The reason might be that the network is unstable
and the device reboots.
Solution
1. Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends.
If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset
ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the
next step.
2. Use the display ipsec sa command to examine whether IPsec SAs exist on both ends. If
the IPsec SAs on one end are lost, delete the IPsec SAs on the other end by using the reset
ipsec sa command and trigger new negotiation.
452
Configuring SSH
About SSH
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can
implement secure remote access and file transfer over an insecure network.
SSH uses the typical client-server model to establish a channel for secure data transfer based on
TCP.
SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which
are not compatible. SSH2 is better than SSH1 in performance and security.
SSH applications
The device supports the following SSH applications:
• Secure Telnet—Stelnet provides secure and reliable network terminal access services.
Through Stelnet, a user can securely log in to a remote server. Stelnet can protect devices
against attacks, such as IP spoofing and plain text password interception. The device can act
as an Stelnet server or an Stelnet client.
• Secure File Transfer Protocol—Based on SSH2, SFTP uses SSH connections to provide
secure file transfer. The device can act as an SFTP server, allowing a remote user to log in to
the SFTP server for secure file management and transfer. The device can also act as an SFTP
client, enabling a user to log in from the device to a remote device for secure file transfer.
• Secure Copy—Based on SSH2, SCP offers a secure method to copy files. The device can act
as an SCP server, allowing a user to log in to the device for file upload and download. The
device can also act as an SCP client, enabling a user to log in from the device to a remote
device for secure file transfer.
• NETCONF over SSH—Based on SSH2, it enables users to securely log in to the device
through SSH and perform NETCONF operations on the device through the
NETCONF-over-SSH connections. The device can act only as a NETCONF-over-SSH server.
For more information about NETCONF, see Network Management and Monitoring
Configuration Guide.
When acting as an SSH server or client, the device supports the following SSH versions:
• When acting as an Stelnet, SFTP, or SCP server, the device supports both SSH2 and SSH1 in
non-FIPS mode and only SSH2 in FIPS mode.
• When acting as an SSH client, the device supports only SSH2.
• When acting as a NETCONF-over-SSH server, the device supports only SSH2.
Stages Description
The SSH server listens to connection requests on port 22. After a client
Connection establishment initiates a connection request, the server and the client establish a
TCP connection.
Version negotiation The two parties determine a version to use.
453
Stages Description
SSH supports multiple algorithms. Based on the local algorithms, the
two parties negotiate the following algorithms:
• Key exchange algorithm for generating session keys.
Algorithm negotiation
• Encryption algorithm for encrypting data.
• Public key algorithm for the digital signature and authentication.
• HMAC algorithm for protecting data integrity.
The two parties use the DH exchange algorithm to dynamically
generate the session keys and session ID.
Key exchange • The session keys are used for protecting data transfer.
• The session ID is used for identifying the SSH connection.
In this stage, the client also authenticates the server.
The SSH server authenticates the client in response to the client's
Authentication
authentication request.
After passing the authentication, the client sends a session request to
Session request the server to request the establishment of a session (or request the
Stelnet, SFTP, SCP, or NETCONF service).
After the server grants the request, the client and the server start to
communicate with each other in the session.
In this stage, you can paste commands in text format and execute
them at the CLI. The text pasted at one time must be no more than
Interaction 2000 bytes. As a best practice to ensure the correct execution of
commands, paste commands that are in the same view.
To execute commands of more than 2000 bytes, save the commands
in a configuration file, upload the file to the server through SFTP, and
use it to restart the server.
454
Keyboard-interactive authentication
In keyboard-interactive authentication, the remote authentication server and user exchanges
information for authentication as follows:
1. The remote authentication server sends a prompt to the SSH server in an authentication
response.
2. The prompt indicates the information required to be provided by the user.
3. The SSH server transparently transmits the prompt to the client terminal.
4. The user enters the required information as prompted.
This process repeats multiple times if the remote authentication server requires more interactive
information. The remote authentication server returns an authentication success message after the
user provides all required interactive information.
If the remote authentication server does not require interactive information, the keyboard-interactive
authentication process is the same as the password authentication.
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey
authentication process is as follows:
1. The client sends the server a publickey authentication request that includes the username,
public key, and public key algorithm name.
If the digital certificate of the client is required in authentication, the client also encapsulates the
digital certificate in the authentication request. The digital certificate carries the public key
information of the client.
2. The server verifies the client's public key.
{ If the public key is invalid, the server informs the client of the authentication failure.
{ If the public key is valid, the server requests the digital signature of the client. After receiving
the signature, the server uses the public key to verify the signature and informs the client of
the authentication result.
When acting as an SSH server, the device supports using the public key algorithms DSA, ECDSA,
and RSA to verify digital signatures.
When acting as an SSH client, the device supports using the public key algorithms DSA, ECDSA,
and RSA to generate digital signatures.
For more information about public key configuration, see "Managing public keys."
Password-publickey authentication
The server requires SSH2 clients to pass both password authentication and publickey authentication.
However, an SSH1 client only needs to pass either authentication.
Any authentication
The server requires clients to pass keyboard-interactive authentication, password authentication, or
publickey authentication. Success with any one authentication method is sufficient to connect to the
server.
455
Table 33 Suite B algorithms
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more
information about FIPS mode, see "Configuring FIPS."
456
Generating local key pairs
About local key pairs
The DSA, ECDSA, or RSA key pairs on the SSH server are required for generating the session keys
and session ID in the key exchange stage. They can also be used by a client to authenticate the
server. When a client authenticates the server, it compares the public key received from the server
with the server's public key that the client saved locally. If the keys are consistent, the client uses the
locally saved server's public key to decrypt the digital signature received from the server. If the
decryption succeeds, the server passes the authentication.
To support SSH clients that use different types of key pairs, generate DSA, ECDSA, and RSA key
pairs on the SSH server.
• RSA key pairs—The SSH server generates a server key pair and a host key pair for RSA. The
RSA server key pair is only used in SSH1 to encrypt the session key for secure transmission of
the session key. It is not used in SSH2, because no session key transmission is required in
SSH2.
• DSA key pair—The SSH server generates only one DSA host key pair. SSH1 does not support
the DSA algorithm.
• ECDSA key pair—The SSH server generates only one ECDSA host key pair.
Restrictions and guidelines
Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the
key pairs.
If the device does not have RSA key pairs with default names, it automatically generates one RSA
server key pair and one RSA host key pair when SSH starts. Both key pairs use their default names.
The SSH application starts when you execute an SSH server command on the device.
The key modulus length must be less than 2048 bits when you generate the DSA key pair on the
SSH server.
When you generate an ECDSA key pair, you can generate only a secp256r1 or secp384r1 ECDSA
key pair.
The SSH server operating in FIPS mode supports only ECDSA and RSA key pairs. Do not generate
a DSA key pair on the SSH server in FIPS mode.
Procedure
1. Enter system view.
system-view
2. Generate local key pairs.
public-key local create { dsa | ecdsa { secp256r1 | secp384r1 } | rsa }
457
Procedure
1. Enter system view.
system-view
2. Specify the SSH service port.
ssh server port port-number
By default, the SSH service port is 22.
458
scp server enable
By default, the SCP server is disabled.
459
For publickey authentication, password-publickey authentication, or any authentication, you must
perform the following tasks:
1. Configure the client's DSA, ECDSA, or RSA host public key on the server.
2. Specify the associated host private key on the client to generate the digital signature.
If the device acts as an SSH client, specify the public key algorithm on the client. The algorithm
determines the associated host private key for generating the digital signature.
Client public key configuration methods
You can configure the client host public key by using the following methods:
• Manually enter the content of a client's host public key on the server.
a. Display the host public key on the client and record the key.
b. Type the client's host public key character by character on the server, or use the copy and
paste method.
The manually entered key must be in DER format without being converted. For the displayed
key to meet the requirement when the client is an HPE device, use the display
public-key local public command. The format of the public key displayed in any other
way (for example, by using the public-key local export command) might be incorrect.
If the key is not in correct format, the system discards the key.
• Import the client host public key from a public key file.
c. Save the client public key file to the server. For example, transfer the client public key file to
the server in binary mode through FTP or TFTP.
d. Import the client public key from the locally saved public key file.
During the import process, the server automatically converts the host public key to a string
in PKCS format.
Restrictions and guidelines
As a best practice, configure no more than 20 SSH client's host public keys on an SSH server.
Import the client's host public key as a best practice.
Entering a client's host public key
1. Enter system view.
system-view
2. Enter public key view.
public-key peer keyname
3. Configure a client's host public key.
Enter the content of the client's host public key character by character, or use the copy and
paste method.
When you enter the content of a client's host public key, you can use spaces and carriage
returns between characters but the system does not save them. For more information, see
"Managing public keys."
4. Exit public key view and save the key.
peer-public-key end
Importing a client's host public key from the public key file
1. Enter system view.
system-view
2. Import a client's public key from the public key file.
public-key peer keyname import sshkey filename
460
Configuring an SSH user
About the SSH user
Configure an SSH user and a local user depending on the authentication method.
• If the authentication method is publickey, you must create an SSH user and a local user on the
SSH server. The two users must have the same username, so that the SSH user can be
assigned the correct working directory and user role.
• If the authentication method is password, you must perform one of the following tasks:
{ For local authentication, configure a local user on the SSH server.
{ For remote authentication, configure an SSH user on a remote authentication server, for
example, a RADIUS server.
You do not need to create an SSH user by using the ssh user command. However, if you
want to display all SSH users, including the password-only SSH users, for centralized
management, you can use this command to create them. If such an SSH user has been created,
make sure you have specified the correct service type and authentication method.
• If the authentication method is keyboard-interactive, password-publickey, or any, you must
create an SSH user on the SSH server and perform one of the following tasks:
{ For local authentication, configure a local user on the SSH server.
{ For remote authentication, configure an SSH user on a remote authentication server, for
example, a RADIUS server.
In either case, the local user or the SSH user configured on the remote authentication server
must have the same username as the SSH user.
For information about configuring local users and remote authentication, see "Configuring AAA."
Restrictions and guidelines
If you change the authentication parameters for a logged-in SSH user, the change takes effect on the
user at the next login.
When the device operates as an SSH server in FIPS mode, the device does not support
authentication method any or publickey.
For an SFTP or SCP user, the working directory depends on the authentication method.
• If the authentication method is publickey or password-publickey, the working folder is
specified by the authorization-attribute command in the associated local user view.
• If the authentication method is keyboard-interactive or password, the working directory is
authorized by AAA.
For an SSH user, the user role also depends on the authentication method.
• If the authentication method is publickey or password-publickey, the user role is specified by
the authorization-attribute command in the associated local user view.
• If the authentication method is keyboard-interactive or password, the user role is authorized
by AAA.
For all authentication methods except keyboard-interactive authentication and password
authentication, you must specify a client's host public key or digital certificate.
• For a client that sends the user's public key information directly to the server, specify the client's
host public key on the server. The specified public key must already exist. For more information
about public keys, see "Configuring a client's host public key." If you specify multiple client
public keys, the device verifies the user identity by using the public keys in the order they are
specified. The user is valid if the user passes one public key check.
• For a client that sends the user's public key information to the server through a digital certificate,
specify the PKI domain on the server. This PKI domain verifies the client's digital certificate. For
successful verification, the specified PKI domain must have the correct CA certificate. To
461
specify the PKI domain, use the ssh user or ssh server pki-domain command. For
more information about configuring a PKI domain, see "Configuring PKI."
Procedure
1. Enter system view.
system-view
2. Create an SSH user, and specify the service type and authentication method.
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet }
authentication-type { keyboard-interactive | password | { any |
password-publickey | publickey } [ assign { pki-domain domain-name |
publickey keyname&<1-6> } ] }
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet }
authentication-type { keyboard-interactive | password |
password-publickey [ assign { pki-domain domain-name | publickey
keyname&<1-6> } ] }
An SSH server supports up to 1024 SSH users.
462
Setting the SSH user authentication timeout timer
1. Enter system view.
system-view
2. Set the SSH user authentication timeout timer.
ssh server authentication-timeout time-out-value
The default setting is 60 seconds.
Perform this task to prevent malicious occupation of TCP connections. If a user does not finish
the authentication when the timeout timer expires, the connection cannot be established.
Setting the maximum number of SSH authentication attempts
1. Enter system view.
system-view
2. Set the maximum number of SSH authentication attempts.
ssh server authentication-retries retries
The default setting is 3.
Perform this task to prevent malicious hacking of usernames and passwords. If the
authentication method is any, the total number of publickey authentication attempts and
password authentication attempts cannot exceed the upper limit.
Specifying an SSH login control ACL
1. Enter system view.
system-view
2. Specify an SSH login control ACL.
IPv4:
ssh server acl { advanced-acl-number | basic-acl-number | mac
mac-acl-number }
IPv6:
ssh server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number }
| mac mac-acl-number }
This feature uses an ACL to filter SSH clients that initiate SSH connections to the server. By
default, no ACLs are specified and all SSH users can initiate SSH connections to the server.
Enabling logging for SSH login attempts that are denied by the SSH login control ACL
1. Enter system view.
system-view
2. Enable logging for SSH login attempts that are denied by the SSH login control ACL.
ssh server acl-deny-log enable
By default, logging is disabled for login attempts that are denied by the SSH login control ACL.
This command enables SSH to generate log messages for SSH login attempts that are denied
by the SSH login control ACL and send the messages to the information center.
Setting the DSCP value in the packets that the SSH server sends to SSH clients
1. Enter system view.
system-view
2. Set the DSCP value in the packets that the SSH server sends to the SSH clients.
IPv4:
ssh server dscp dscp-value
IPv6:
463
ssh server ipv6 dscp dscp-value
By default, the DSCP value of SSH packets is 48.
The DSCP value of a packet defines the priority of the packet and affects the transmission
priority of the packet. A bigger DSCP value represents a higher priority.
Setting the SFTP connection idle timeout timer
1. Enter system view.
system-view
2. Set the SFTP connection idle timeout timer.
sftp server idle-timeout time-out-value
By default, the SFTP connection idle timeout is 10 minutes.
When the SFTP connection idle timeout timer expires, the system automatically tears the
connection down and releases the connection resources.
Setting the maximum number of online SSH users
1. Enter system view.
system-view
2. Set the maximum number of online SSH users.
aaa session-limit ssh max-sessions
The default setting is 32.
When the number of online SSH users reaches the upper limit, the system denies new SSH
connection requests. Changing the upper limit does not affect online SSH users.
For more information about this command, see AAA commands in Security Command
Reference.
464
Procedure
Execute the following command in user view to disconnect SSH sessions:
free ssh { user-ip { ip-address | ipv6 ipv6-address } [ port port-number ] |
user-pid pid-number | username username }
465
• Improving the manageability of Stelnet clients in authentication service.
Procedure
1. Enter system view.
system-view
2. Specify the source address for outgoing SSH packets.
IPv4:
ssh client source { interface interface-type interface-number | ip
ip-address }
By default, an IPv4 Stelnet client uses the primary IPv4 address of the output interface in the
matching route as the source address of the outgoing SSH packets.
IPv6:
ssh client ipv6 source { interface interface-type interface-number |
ipv6 ipv6-address }
By default, an IPv6 Stelnet client automatically selects a source IPv6 address for outgoing SSH
packets in compliance with RFC 3484.
466
| des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type
interface-number | ip ip-address } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ]
[ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa |
{ x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain
domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc |
aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm }
| prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex
{ dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr |
aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96
| sha2-256 | sha2-512 } ] * [ escape character | { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type
interface-number | ip ip-address } ] *
Establishing a connection to an IPv6 Stelnet server
Execute the following command in user view to establish a connection to an IPv6 Stelnet server:
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i
interface-type interface-number ] [ identity-key { dsa |
ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa |
{ x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain
domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc |
aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr
| aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 |
ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc |
aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm
| des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type
interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i
interface-type interface-number ] [ identity-key { ecdsa-sha2-nistp256 |
ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 |
x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress
zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm |
aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac
{ sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 |
ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc |
aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ escape character | { public-key keyname | server-pki-domain
domain-name } | source { interface interface-type interface-number | ipv6
ipv6-address } ] *
467
Deleting server public keys saved in the public key file on the
Stelnet client
About deleting server public keys saved in the public key file on the Stelnet client
When the Stelnet client switches to FIPS mode but the locally saved server public key does not
comply with FIPS, the client cannot connect to the server. To connect to the server, delete the server
public key saved on the client and make sure a FIPS-compliant public key has been generated on
the server.
Procedure
1. Enter system view.
system-view
2. Delete server public keys saved in the public key file on the Stelnet client.
delete ssh client server-public-key [ server-ip ip-address ]
468
9. (Optional.) Terminating the connection with the SFTP server
469
Establishing a connection to an SFTP server
About establishing a connection to an SFTP server
Perform this task to enable the SFTP client feature on the device and establish a connection to the
SFTP server. You can specify the public key algorithm and the preferred encryption, HMAC, and key
exchange algorithms to be used during the connection.
To access the server, a client must use the server's host public key to authenticate the server. As a
best practice, configure the server's host public key on the device in an insecure network. If the
server's host public key is not configured on the client, the client will notify you to confirm whether to
continue with the access.
• If you choose to continue, the client accesses the server and downloads the server's host public
key. The downloaded public key will be used to authenticate the server in subsequent
accesses.
If the server public key is not specified when you connect to the server, the device saves the
server public key to the public key file. It does not save the server public key to the configuration
file.
• If you choose to not continue, the connection cannot be established.
Restrictions and guidelines for establishing a connection to an SFTP server
An SFTP client cannot establish connections to both IPv4 and IPv6 SFTP servers.
Establishing a connection to an IPv4 SFTP server
Execute the following command in user view to establish a connection to an IPv4 SFTP server:
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ]
[ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa |
{ x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain
domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc |
aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr
| aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 |
ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc |
aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm
| des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain
domain-name } | source { interface interface-type interface-number | ip
ip-address } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ]
[ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa |
{ x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain
domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc |
aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm }
| prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex
{ dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr |
aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96
| sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain
domain-name } | source { interface interface-type interface-number | ip
ip-address } ] *
470
Establishing a connection to an IPv6 SFTP server
Execute the following command in user view to establish a connection to an IPv6 SFTP server:
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i
interface-type interface-number ] [ identity-key { dsa |
ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa |
{ x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain
domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc |
aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr
| aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 |
ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc |
aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm
| des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain
domain-name } | source { interface interface-type interface-number | ipv6
ipv6-address } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i
interface-type interface-number ] [ identity-key { ecdsa-sha2-nistp256 |
ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 |
x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress
zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm |
aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac
{ sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 |
ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc |
aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } |
source { interface interface-type interface-number | ipv6 ipv6-address } ]
*
Deleting server public keys saved in the public key file on the
SFTP client
About deleting server public keys saved in the public key file on the SFTP client
When the SFTP client switches to FIPS mode but the locally saved server public key does not
comply with FIPS, the client cannot connect to the server. To connect to the server, delete the server
public key saved on the client and make sure a FIPS-compliant public key has been generated on
the server.
Procedure
1. Enter system view.
system-view
2. Delete server public keys saved in the public key file on the SFTP client.
delete ssh client server-public-key [ server-ip ip-address ]
471
Establishing a connection to an SFTP server based on Suite
B
Execute the following command in user view to establish a connection to an SFTP server based on
Suite B:
IPv4:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b
[ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain
domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface
interface-type interface-number | ip ip-address } ] *
IPv6:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i
interface-type interface-number ] suite-b [ 128-bit | 192-bit ] pki-domain
domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ]
[ dscp dscp-value | escape character | source { interface interface-type
interface-number | ipv6 ipv6-address } ] *
472
2. Change the name of a directory on the SFTP server.
rename oldname newname
Creating a new directory on the SFTP server
1. Enter SFTP client view.
For more information, see "Establishing a connection to an SFTP server."
2. Create a new directory on the SFTP server.
mkdir remote-path
Deleting directories on the SFTP server
1. Enter SFTP client view.
For more information, see "Establishing a connection to an SFTP server."
2. Delete one or more directories from the SFTP server.
rmdir remote-path
473
For more information, see "Establishing a connection to an SFTP server."
2. Delete a file from the SFTP server.
{ delete remote-file
{ remove remote-file
The delete command has the same function as the remove command.
474
Generating local key pairs
About generating local key pairs
You must generate local key pairs on SCP clients when the SCP server uses the publickey,
password-publickey, or any authentication method.
Restrictions and guidelines
Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the
key pairs.
The key modulus length must be less than 2048 bits when you generate a DSA key pair.
When you generate an ECDSA key pair, you can generate only a secp256r1 or secp384r1
ECDSA key pair.
The SCP client operating in FIPS mode supports only ECDSA and RSA key pairs.
Procedure
1. Enter system view.
system-view
2. Generate local key pairs.
public-key local create { dsa | ecdsa { secp256r1 | secp384r1 } | rsa }
475
Establishing a connection to an SCP server
About establishing a connection to an SCP server
Perform this task to enable the SCP client feature on the device, establish a connection to the SCP
server, and transfer files with the server. You can specify the public key algorithm and the preferred
encryption, HMAC, and key exchange algorithms to be used during the connection.
To access the server, a client must use the server's host public key to authenticate the server. As a
best practice, configure the server's host public key on the device in an insecure network. If the
server's host public key is not configured on the client, the client will notify you to confirm whether to
continue with the access.
• If you choose to continue, the client accesses the server and downloads the server's host public
key. The downloaded public key will be used to authenticate the server in subsequent
accesses.
If the server public key is not specified when you connect to the server, the device saves the
server public key to the public key file. It does not save the server public key to the configuration
file.
• If you choose to not continue, the connection cannot be established.
Restrictions and guidelines for establishing a connection to an SCP server
An SCP client cannot establish connections to both IPv4 and IPv6 SCP servers.
Establishing a connection to an IPv4 SCP server
Execute the following command in user view to connect to an IPv4 SCP server, and transfer files with
the server:
In non-FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get }
source-file-name [ destination-file-name ] [ identity-key { dsa |
ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa |
{ x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain
domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc |
aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr
| aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 |
ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc |
aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm
| des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } |
source { interface interface-type interface-number | ip ip-address } ] *
[ user username [ password password [ no-more-input ] ] ]
In FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get }
source-file-name [ destination-file-name ] [ identity-key
{ ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa |
{ x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain
domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc |
aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm }
| prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex
{ dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr |
aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96
| sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain
476
domain-name } | source { interface interface-type interface-number | ip
ip-address } ] * [ user username [ password password [ no-more-input ] ] ]
The no-more-input keyword is supported only in Release 6555 and later.
Establishing a connection to an IPv6 SCP server
Execute the following command in user view to connect to an IPv6 SCP server, and transfer files with
the server.
In non-FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i
interface-type interface-number ] { put | get } source-file-name
[ destination-file-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 |
ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 |
x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress
zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm
| aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } |
prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 |
ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc
| aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc |
aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1
| sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type
interface-number | ipv6 ipv6-address } ] * [ user username [ password
password [ no-more-input ] ] ]
In FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i
interface-type interface-number ] { put | get } source-file-name
[ destination-file-name ] [ identity-key { ecdsa-sha2-nistp256 |
ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 |
x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress
zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm |
aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac
{ sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 |
ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc |
aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } |
source { interface interface-type interface-number | ipv6 ipv6-address } ]
* [ user username [ password password [ no-more-input ] ] ]
The no-more-input keyword is supported only in Release 6555 and later.
Deleting server public keys saved in the public key file on the
SCP client
About deleting server public keys saved in the public key file on the SCP client
When the SCP client switches to FIPS mode but the locally saved server public key does not comply
with FIPS, the client cannot connect to the server. To connect to the server, delete the server public
key saved on the client and make sure a FIPS-compliant public key has been generated on the
server.
Procedure
1. Enter system view.
477
system-view
2. Delete server public keys saved in the public key file on the SCP client.
delete ssh client server-public-key [ server-ip ip-address ]
478
In FIPS mode:
ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 |
ecdh-sha2-nistp384 } *
By default, SSH2 uses the ecdh-sha2-nistp256, ecdh-sha2-nistp384, and
dh-group14-sha1 key exchange algorithms in descending order of priority for algorithm
negotiation.
479
2. Specify MAC algorithms for SSH2.
In non-FIPS mode:
ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 }
*
By default, SSH2 uses the sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96
MAC algorithms in descending order of priority for algorithm negotiation.
In FIPS mode:
ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *
By default, SSH2 uses the sha2-256, sha2-512, sha1, and sha1-96 MAC algorithms in
descending order of priority for algorithm negotiation.
Task Command
display public-key local { dsa | ecdsa |
Display the public keys of the local key pairs.
rsa } public [ name publickey-name ]
display public-key peer [ brief | name
Display information about peer public keys.
publickey-name ]
Display the source IP address configuration of
display scp client source
the SCP client.
Display the source IP address configuration of
display sftp client source
the SFTP client.
Display server public key information saved in display ssh client server-public-key
the public key file on the SSH client. [ server-ip ip-address ]
Display the source IP address configuration of
display ssh client source
the Stelnet client.
Display SSH server status or sessions. display ssh server { session | status }
Display SSH user information on the SSH display ssh user-information
server. [ username ]
Display algorithms used by SSH2 in the
display ssh2 algorithm
algorithm negotiation stage.
For more information about the display public-key local and display public-key
peer commands, see public key management commands in Security Command Reference.
480
Example: Configuring the device as an Stelnet server
(password authentication)
Network configuration
As shown in Figure 114:
• The switch acts as the Stelnet server and uses password authentication to authenticate the
Stelnet client. The username and password of the client are saved on the switch.
• The host acts as the Stelnet client, using Stelnet client software (SSH2). After the user on the
host logs in to the switch through Stelnet, the user can configure and manage the switch as a
network administrator.
Figure 114 Network diagram
Stelnet client Stelnet server
Vlan-int2
192.168.1.56/24 192.168.1.40/24
Host Switch
Procedure
1. Configure the Stelnet server:
# Generate RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+.
Create the key pair successfully.
# Generate an ECDSA key pair.
[Switch] public-key local create ecdsa secp256r1
Generating Keys...
.
481
Create the key pair successfully.
# Enable the Stelnet server.
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the
destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Create a local device management user named client001.
[Switch] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[Switch-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[Switch-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[Switch-luser-manage-client001] authorization-attribute user-role network-admin
[Switch-luser-manage-client001] quit
# Create an SSH user named client001. Specify the service type as stelnet and the
authentication method as password for the user.
[Switch] ssh user client001 service-type stelnet authentication-type password
2. Establish a connection to the Stelnet server:
There are different types of Stelnet client software, such as PuTTY and OpenSSH. This
example uses an Stelnet client that runs PuTTY version 0.58.
To establish a connection to the Stelnet server:
a. Launch PuTTY.exe to enter the interface shown in Figure 115.
b. In the Host Name (or IP address) field, enter IP address 192.168.1.40 of the Stelnet
server.
c. Click Open.
482
Figure 115 Specifying the host name (or IP address)
a. Enter username client001 and password aabbcc to log in to the Stelnet server.
Host Switch
Procedure
In the server configuration, the client's host public key is required. Use the client software to generate
RSA key pairs on the client before configuring the Stelnet server.
483
There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example
uses an Stelnet client that runs PuTTY version 0.58.
The configuration procedure is as follows:
1. Generate RSA key pairs on the Stelnet client:
a. Run PuTTYGen.exe on the client, select SSH-2 RSA and click Generate.
Figure 117 Generating a key pair on the client
a. Continue moving the mouse during the key generating process, but do not place the mouse
over the green progress bar shown in Figure 118. Otherwise, the progress bar stops moving
and the key pair generating progress stops.
484
Figure 118 Generating process
a. After the key pair is generated, click Save public key to save the public key.
A file saving window appears.
Figure 119 Saving a key pair on the client
485
b. On the page shown in Figure 119, click Save private key to save the private key.
A confirmation dialog box appears.
c. Click Yes.
A file saving window appears.
d. Enter a file name (private.ppk in this example), and click Save.
e. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[Switch] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this IP address as the
destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
486
# Import the client's public key from the public key file key.pub and name it switchkey.
[Switch] public-key peer switchkey import sshkey key.pub
# Create an SSH user named client002. Specify the authentication method as publickey for
the user, and assign the public key switchkey to the user.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign
publickey switchkey
# Create a local device management user named client002.
[Switch] local-user client002 class manage
# Authorize local user client002 to use the SSH service.
[Switch-luser-manage-client002] service-type ssh
# Assign the network-admin user role to local user client002.
[Switch-luser-manage-client002] authorization-attribute user-role network-admin
[Switch-luser-manage-client002] quit
3. Specify the private key file and establish a connection to the Stelnet server:
a. Launch PuTTY.exe on the Stelnet client to enter the interface shown in Figure 120.
b. In the Host Name (or IP address) field, enter IP address 192.168.1.40 of the Stelnet
server.
Figure 120 Specifying the host name (or IP address)
487
Figure 121 Setting the preferred SSH version
a. From the navigation tree, select Connection > SSH > Auth.
The window shown in Figure 122 appears.
b. Click Browse… to open the file selection window, and then select the private key file
(private.ppk in this example).
c. Click Open.
488
Figure 122 Specifying the private key file
Procedure
1. Configure the Stelnet server:
# Generate RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
489
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the
destination address of the SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Create a local device management user named client001.
[SwitchB] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[SwitchB-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[SwitchB-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Create an SSH user named client001. Specify the service type as stelnet and the
authentication method as password for the user.
[SwitchB] ssh user client001 service-type stelnet authentication-type password
490
2. Establish a connection to the Stelnet server:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
Before establishing a connection to the server, you can configure the server's host public key
on the client to authenticate the server.
{ To configure the server's host public key on the client, perform the following tasks:
# Use the display public-key local dsa public command on the server to display the
server's host public key. (Details not shown.)
# Enter public key view of the client and copy the host public key of the server to the client.
[SwitchA] public-key peer key1
Enter public key view. Return to system view with "peer-public-key end" command.
[SwitchA-pkey-public-key-key1]308201B73082012C06072A8648CE3804013082011F028181
0
0D757262C4584C44C211F18BD96E5F0
[SwitchA-pkey-public-key-key1]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CEC
E
65BE6C265854889DC1EDBD13EC8B274
[SwitchA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B
0
6FD60FE01941DDD77FE6B12893DA76E
[SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B
3
68950387811C7DA33021500C773218C
[SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009
E
14EC474BAF2932E69D3B1F18517AD95
[SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0
2
492B3959EC6499625BC4FA5082E22C5
[SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2
E
88317C1BD8171D41ECB83E210C03CC9
[SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C
C
9B09EEF0381840002818000AF995917
[SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5
D
F257523777D033BEE77FC378145F2AD
[SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7
1
01F7C62621216D5A572C379A32AC290
[SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465
E
8716261214A5A3B493E866991113B2D
[SwitchA-pkey-public-key-key1]485348
[SwitchA-pkey-public-key-key1] peer-public-key end
491
[SwitchA] quit
# Establish an SSH connection to the server, and specify the host public key of the server.
<SwitchA> ssh2 192.168.1.40 public-key key1
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<SwitchB>
After you enter username client001 and password aabbcc, you can successfully log in to
Switch B.
{ If the client does not have the server's host public key, enter username client001, and then
enter y to access the server and download the server's host public key.
<SwitchA> ssh2 192.168.1.40
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<SwitchB>
After you enter password aabbcc, you can access Switch B successfully. At the next
connection attempt, the client authenticates the server by using the saved server's host
public key on the client.
492
• Switch A acts as the Stelnet client. After the user on Switch A logs in to Switch B through Stelnet,
the user can configure and manage Switch B as a network administrator.
Figure 124 Network diagram
Procedure
In the server configuration, the client's host public key is required. Generate a DSA key pair on the
client before configuring the Stelnet server.
1. Configure the Stelnet client:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
# Generate a DSA key pair.
[SwitchA] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Export the DSA host public key to a public key file named key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key modulus is (512 ~ 4096)
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
493
[SwitchB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the
destination address for SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Import the peer public key from the public key file key.pub, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey key.pub
# Create an SSH user named client002. Specify the authentication method as publickey for
the user. Assign the public key switchkey to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey
assign publickey switchkey
# Create a local device management user named client002.
[SwitchB] local-user client002 class manage
# Authorize local user client002 to use the SSH service.
[SwitchB-luser-manage-client002] service-type ssh
# Assign the network-admin user role to local user client002.
[SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client002] quit
3. Establish an SSH connection to the Stelnet server.
<SwitchA> ssh2 192.168.1.40 identity-key dsa
Username: client002
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter a character ~ and a dot to abort.
494
******************************************************************************
* Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<SwitchB>
After you enter username client002 and then enter y to continue accessing the server, you can
log in to the server successfully.
Procedure
1. Generate the client's certificate and the server's certificate. (Details not shown.)
You must first configure the certificates of the server and the client because they are required
for identity authentication between the two parties.
In this example, the server's certificate file is ssh-server-ecdsa256.p12 and the client's
certificate file is ssh-client-ecdsa256.p12.
2. Configure the Stelnet client:
You can modify the pkix version of the client software OpenSSH to support Suite B. This
example uses an HPE switch as an Stelnet client.
# Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file
ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP. (Details not shown.)
# Create a PKI domain named server256 for verifying the server's certificate and enter its view.
<SwitchA> system-view
[SwitchA] pki domain server256
# Disable CRL checking.
[SwitchA-pki-domain-server256] undo crl check enable
[SwitchA-pki-domain-server256] quit
# Import local certificate file ssh-server-ecdsa256.p12 to PKI domain server256.
[SwitchA] pki import domain server256 p12 local filename ssh-server-ecdsa256.p12
495
The system is going to save the key pair. You must specify a key pair name, which is
a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A
to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: server256]:
# Display information about local certificates in PKI domain server256.
[SwitchA] display pki certificate domain server256 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 21 08:39:51 2015 GMT
Not After : Aug 20 08:39:51 2016 GMT
Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=SSH Server secp256
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52:
6d:47:8c:3d:3d:96:75:88:2f:9a:ba:a2:a7:f9:ef:
0a:a9:20:b7:b6:6a:90:0e:f8:c6:de:15:a2:23:81:
3c:9e:a2:b7:83:87:b9:ad:28:c8:2a:5e:58:11:8e:
c7:61:4a:52:51
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
496
[SwitchA-pki-domain-client256] quit
# Import local certificate file ssh-client-ecdsa256.p12 to PKI domain client256.
[SwitchA] pki import domain client256 p12 local filename ssh-client-ecdsa256.p12
The system is going to save the key pair. You must specify a key pair name, which is
a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A
to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: client256]:
# Display information about local certificates in PKI domain client256.
[SwitchA] display pki certificate domain client256 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 21 08:41:09 2015 GMT
Not After : Aug 20 08:41:09 2016 GMT
Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=SSH Client secp256
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:da:e2:26:45:87:7a:63:20:e7:ca:7f:82:19:f5:
96:88:3e:25:46:f8:2f:9a:4c:70:61:35:db:e4:39:
b8:38:c4:60:4a:65:28:49:14:32:3c:cc:6d:cd:34:
29:83:84:74:a7:2d:0e:75:1c:c2:52:58:1e:22:16:
12:d0:b4:8a:92
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
497
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
3. Configure the Stelnet server:
# Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file
ssh-client-ecdsa256.p12 to the Stelnet server through FTP or TFTP. (Details not shown.)
# Create a PKI domain named client256 for verifying the client's certificate and import the file of
the client's certificate to this domain. (Details not shown.)
# Create a PKI domain named server256 for the server's certificate and import the file of the
server's certificate to this domain. (Details not shown.)
# Specify Suite B algorithms for algorithm negotiation.
<SwitchB> system-view
[SwitchB] ssh2 algorithm key-exchange ecdh-sha2-nistp256
[SwitchB] ssh2 algorithm cipher aes128-gcm
[SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp384
# Specify server256 as the PKI domain of the server's certificate.
[SwitchB] ssh server pki-domain server256
# Enable the Stelnet server.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Create a local device management user named client001. Authorize the user to use the SSH
service and assign the network-admin user role to the user.
[SwitchB] local-user client001 class manage
[SwitchB-luser-manage-client001] service-type ssh
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Create an SSH user named client001. Specify the publickey authentication method for the
user and specify client256 as the PKI domain for verifying the client's certificate.
[SwitchB] ssh user client001 service-type stelnet authentication-type publickey
assign pki-domain client256
4. Establish an SSH connection to the Stelnet server based on the 128-bit Suite B algorithms:
# Establish an SSH connection to the server at 192.168.1.40.
<SwitchA> ssh2 192.168.1.40 suite-b 128-bit pki-domain client256 server-pki-domain
server256
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
Enter a character ~ and a dot to abort.
498
******************************************************************************
* Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<SwitchB>
Procedure
1. Configure the SFTP server:
# Generate RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
499
[Switch] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[Switch] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the SFTP server.
[Switch] sftp server enable
# Assign an IP address to VLAN-interface 2. The client uses this address as the destination for
SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0
[Switch-Vlan-interface2] quit
# Create a local device management user named client002.
[Switch] local-user client002 class manage
# Set the password to aabbcc in plain text for local user client002.
[Switch-luser-manage-client002] password simple aabbcc
# Authorize local user client002 to use the SSH service.
[Switch-luser-manage-client002] service-type ssh
# Assign the network-admin user role and working directory flash:/ to local user client002.
[Switch-luser-manage-client002] authorization-attribute user-role network-admin
work-directory flash:/
[Switch-luser-manage-client002] quit
# Create an SSH user named client002. Specify the authentication method as password and
service type as sftp for the user.
[Switch] ssh user client002 service-type sftp authentication-type password
2. Establish a connection between the SFTP client and the SFTP server:
This example uses an SFTP client that runs PSFTP of PuTTy version 0.58. PSFTP supports
only password authentication.
To establish a connection to the SFTP server:
a. Run the psftp.exe to launch the client interface shown in Figure 127, and enter the following
command:
open 192.168.1.45
b. Enter username client002 and password aabbcc to log in to the SFTP server.
500
Figure 127 SFTP client interface
Procedure
In the server configuration, the client's host public key is required. Generate RSA key pairs on the
client before configuring the SFTP server.
1. Configure the SFTP client:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
# Generate RSA key pairs.
501
[SwitchA] public-key local create rsa
The range of public key size is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Export the host public key to a public key file named pubkey.
[SwitchA] public-key local export rsa ssh2 pubkey
[SwitchA] quit
# Transmit the public key file pubkey to the server through FTP or TFTP. (Details not shown.)
2. Configure the SFTP server:
# Generate RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the SFTP server.
[SwitchB] sftp server enable
502
# Assign an IP address to VLAN-interface 2. The SSH client uses this address as the
destination for SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Import the peer public key from the public key file pubkey, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey pubkey
# Create an SSH user named client001. Specify the service type as sftp and the authentication
method as publickey for the user. Assign the public key switchkey to the user.
[SwitchB] ssh user client001 service-type sftp authentication-type publickey assign
publickey switchkey
# Create a local device management user named client001.
[SwitchB] local-user client001 class manage
# Authorize local user client001 to use the SSH service.
[SwitchB-luser-manage-client001] service-type ssh
# Assign the network-admin user role and working directory flash:/ to local user client001.
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
work-directory flash:/
[SwitchB-luser-manage-client001] quit
3. Establish a connection to the SFTP server:
# Establish a connection to the SFTP server and enter SFTP client view.
<SwitchA> sftp 192.168.0.1 identity-key rsa
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp>
# Display files under the current directory of the server, delete file z, and verify the result.
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
sftp> delete z
Removing /z
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
# Add a directory named new1 and verify the result.
sftp> mkdir new1
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
503
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1
# Change the name of directory new1 to new2 and verify the result.
sftp> rename new1 new2
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
# Download file pubkey2 from the server and save it as a local file named public.
sftp> get pubkey2 public
Fetching / pubkey2 to public
/pubkey2 100% 225 1.4KB/s 00:00
# Upload the local file pu to the server, save it as puk, and verify the result.
sftp> put pu puk
Uploading pu to / puk
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk
sftp>
# Exit SFTP client view.
sftp> quit
<SwitchA>
504
Figure 129 Network diagram
Procedure
1. Generate the client's certificate and the server's certificate. (Details not shown.)
You must first configure the certificates of the server and the client because they are required
for identity authentication between the two parties.
In this example, the server's certificate file is ssh-server-ecdsa384.p12 and the client's
certificate file is ssh-client-ecdsa384.p12.
2. Configure the SFTP client:
You can modify the pkix version of the client software OpenSSH to support Suite B. This
example uses an HPE switch as an SFTP client.
# Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file
ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.)
# Create a PKI domain named server384 for verifying the server's certificate and enter its view.
<SwitchA> system-view
[SwitchA] pki domain server384
# Disable CRL checking.
[SwitchA-pki-domain-server384] undo crl check enable
[SwitchA-pki-domain-server384] quit
# Import local certificate file ssh-server-ecdsa384.p12 to PKI domain server384.
[SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12
The system is going to save the key pair. You must specify a key pair name, which is
a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A
to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: server384]:
# Display information about local certificates in PKI domain server384.
[SwitchA] display pki certificate domain server384 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 20 10:08:41 2015 GMT
Not After : Aug 19 10:08:41 2016 GMT
Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=ssh server
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:4a:33:e5:99:8d:49:45:a7:a3:24:7b:32:6a:ed:
b6:36:e1:4d:cc:8c:05:22:f4:3a:7c:5d:b7:be:d1:
e6:9e:f0:ce:95:39:ca:fd:a0:86:cd:54:ab:49:60:
505
10:be:67:9f:90:3a:18:e2:7d:d9:5f:72:27:09:e7:
bf:7e:64:0a:59:bb:b3:7d:ae:88:14:94:45:b9:34:
d2:f3:93:e1:ba:b4:50:15:eb:e5:45:24:31:10:c7:
07:01:f9:dc:a5:6f:81
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
10:16:64:2C:DA:C1:D1:29:CD:C0:74:40:A9:70:BD:62:8A:BB:F4:D5
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
506
Public-Key: (384 bit)
pub:
04:85:7c:8b:f4:7a:36:bf:74:f6:7c:72:f9:08:69:
d0:b9:ac:89:98:17:c9:fc:89:94:43:da:9a:a6:89:
41:d3:72:24:9b:9a:29:a8:d1:ba:b4:e5:77:ba:fc:
df:ae:c6:dd:46:72:ab:bc:d1:7f:18:7d:54:88:f6:
b4:06:54:7e:e7:4d:49:b4:07:dc:30:54:4b:b6:5b:
01:10:51:6b:0c:6d:a3:b1:4b:c9:d9:6c:d6:be:13:
91:70:31:2a:92:00:76
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BD:5F:8E:4F:7B:FE:74:03:5A:D1:94:DB:CA:A7:82:D6:F7:78:A1:B0
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
507
# Assign an IP address to VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Create a local device management user named client001. Authorize the user to use the SSH
service and assign the network-admin user role to the user.
[SwitchB] local-user client001 class manage
[SwitchB-luser-manage-client001] service-type ssh
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Create an SSH user named client001. Specify the publickey authentication method for the
user and specify client384 as the PKI domain for verifying the client's certificate.
[SwitchB] ssh user client001 service-type sftp authentication-type publickey assign
pki-domain client384
4. Establish an SFTP connection to the SFTP server based on the 192-bit Suite B algorithms:
# Establish an SFTP connection to the server at 192.168.0.1.
<SwitchA> sftp 192.168.0.1 suite-b 192-bit pki-domain client384 server-pki-domain
server384
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
sftp>
508
Procedure
1. Configure the SCP server:
# Generate RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+.
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the SCP server.
[SwitchB] scp server enable
# Configure an IP address for VLAN-interface 2. The client uses this address as the destination
for SCP connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Create a local device management user named client001.
[SwitchB] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[SwitchB-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[SwitchB-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
509
# Create an SSH user named client001. Specify the service type as scp and the authentication
method as password for the user.
[SwitchB] ssh user client001 service-type scp authentication-type password
2. Configure an IP address for VLAN-interface 2 on the SCP client.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
3. Connect to the SCP server, download file remote.bin from the server, and save it as a local file
named local.bin.
<SwitchA> scp 192.168.0.1 get remote.bin local.bin
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
client001@192.168.0.1’s password:
remote.bin 100% 2875 2.8KB/s 00:00
Procedure
1. Generate the client's certificates and the server's certificates. (Details not shown.)
You must first configure the certificates of the server and the client because they are required
for identity authentication between the two parties.
In this example, the server's certificate files are ssh-server-ecdsa256.p12 and
ssh-server-ecdsa384.p12. The client's certificate files are ssh-client-ecdsa256.p12 and
ssh-client-ecdsa384.p12.
2. Configure the SCP client:
You can modify the pkix version of the client software OpenSSH to support Suite B. This
example uses an HPE switch as an SCP client.
# Upload the server's certificate files (ssh-server-ecdsa256.p12 and
ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and
ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP. (Details not shown.)
510
# Create a PKI domain named server256 for verifying the server's certificate ecdsa256 and
enter its view.
<SwitchA> system-view
[SwitchA] pki domain server256
# Disable CRL checking.
[SwitchA-pki-domain-server256] undo crl check enable
[SwitchA-pki-domain-server256] quit
# Import local certificate file ssh-server-ecdsa256.p12 to PKI domain server256.
[SwitchA] pki import domain server256 p12 local filename ssh-server-ecdsa256.p12
The system is going to save the key pair. You must specify a key pair name, which is
a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A
to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: server256]:
# Display information about local certificates in PKI domain server256.
[SwitchA] display pki certificate domain server256 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 21 08:39:51 2015 GMT
Not After : Aug 20 08:39:51 2016 GMT
Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=SSH Server secp256
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52:
6d:47:8c:3d:3d:96:75:88:2f:9a:ba:a2:a7:f9:ef:
0a:a9:20:b7:b6:6a:90:0e:f8:c6:de:15:a2:23:81:
3c:9e:a2:b7:83:87:b9:ad:28:c8:2a:5e:58:11:8e:
c7:61:4a:52:51
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
511
00:d2:52:18:7f:58:3f:cc:7e:8b:d3:42:65:00:cb:63:f8:02:
30:01:a2:f6:a1:51:04:1c:61:78:f6:6b:7e:f9:f9:42:8d:7c:
a7:bb:47:7c:2a:85:67:0d:81:12:0b:02:98:bc:06:1f:c1:3c:
9b:c2:1b:4c:44:38:5a:14:b2:48:63:02:2b
# Create a PKI domain named client256 for the client's certificate ecdsa256 and enter its view.
[SwitchA] pki domain client256
# Disable CRL checking.
[SwitchA-pki-domain-client256] undo crl check enable
[SwitchA-pki-domain-client256] quit
# Import local certificate file ssh-client-ecdsa256.p12 to PKI domain client256.
[SwitchA] pki import domain client256 p12 local filename ssh-client-ecdsa256.p12
The system is going to save the key pair. You must specify a key pair name, which is
a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A
to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: client256]:
# Display information about local certificates in PKI domain client256.
[SwitchA] display pki certificate domain client256 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 21 08:41:09 2015 GMT
Not After : Aug 20 08:41:09 2016 GMT
Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=SSH Client secp256
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:da:e2:26:45:87:7a:63:20:e7:ca:7f:82:19:f5:
96:88:3e:25:46:f8:2f:9a:4c:70:61:35:db:e4:39:
b8:38:c4:60:4a:65:28:49:14:32:3c:cc:6d:cd:34:
29:83:84:74:a7:2d:0e:75:1c:c2:52:58:1e:22:16:
12:d0:b4:8a:92
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
512
Signature Algorithm: ecdsa-with-SHA256
30:66:02:31:00:9a:6d:fd:7d:ab:ae:54:9a:81:71:e6:bb:ad:
5a:2e:dc:1d:b3:8a:bf:ce:ee:71:4e:8f:d9:93:7f:a3:48:a1:
5c:17:cb:22:fa:8f:b3:e5:76:89:06:9f:96:47:dc:34:87:02:
31:00:e3:af:2a:8f:d6:8d:1f:3a:2b:ae:2f:97:b3:52:63:b6:
18:67:70:2c:93:2a:41:c0:e7:fa:93:20:09:4d:f4:bf:d0:11:
66:0f:48:56:01:1e:c3:be:37:4e:49:19:cf:c6
# Create a PKI domain named server384 for verifying the server's certificate ecdsa384 and
enter its view.
[SwitchA] pki domain server384
# Disable CRL checking.
[SwitchA-pki-domain-server384] undo crl check enable
[SwitchA-pki-domain-server384] quit
# Import local certificate file ssh-server-ecdsa384.p12 to PKI domain server384.
[SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12
The system is going to save the key pair. You must specify a key pair name, which is
a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A
to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: server384]:
# Display information about local certificates in PKI domain server384.
[SwitchA] display pki certificate domain server384 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 20 10:08:41 2015 GMT
Not After : Aug 19 10:08:41 2016 GMT
Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=ssh server
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:4a:33:e5:99:8d:49:45:a7:a3:24:7b:32:6a:ed:
b6:36:e1:4d:cc:8c:05:22:f4:3a:7c:5d:b7:be:d1:
e6:9e:f0:ce:95:39:ca:fd:a0:86:cd:54:ab:49:60:
10:be:67:9f:90:3a:18:e2:7d:d9:5f:72:27:09:e7:
bf:7e:64:0a:59:bb:b3:7d:ae:88:14:94:45:b9:34:
d2:f3:93:e1:ba:b4:50:15:eb:e5:45:24:31:10:c7:
07:01:f9:dc:a5:6f:81
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
513
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
10:16:64:2C:DA:C1:D1:29:CD:C0:74:40:A9:70:BD:62:8A:BB:F4:D5
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
514
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BD:5F:8E:4F:7B:FE:74:03:5A:D1:94:DB:CA:A7:82:D6:F7:78:A1:B0
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
515
[SwitchB-line-vty0-63] quit
# Create a local device management user named client001. Authorize the user to use the SSH
service and assign the network-admin user role to the user.
[SwitchB] local-user client001 class manage
[SwitchB-luser-manage-client001] service-type ssh
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Create a local device management user named client002. Authorize the user to use the SSH
service and assign the network-admin user role to the user.
[SwitchB] local-user client002 class manage
[SwitchB-luser-manage-client002] service-type ssh
[SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client002] quit
4. Establish an SCP connection to the SCP server:
{ Based on the 128-bit Suite B algorithms:
# Specify server256 as the PKI domain of the server's certificate.
[SwitchB]ssh server pki-domain server256
# Create an SSH user client001. Specify the publickey authentication method for the user
and specify client256 as the PKI domain for verifying the client's certificate.
[SwitchB] ssh user client001 service-type scp authentication-type publickey assign
pki-domain client256
# Establish an SCP connection to the SCP server at 192.168.0.1 based on the 128-bit Suite
B algorithms.
<SwitchA> scp 192.168.0.1 get src.cfg suite-b 128-bit pki-domain client256
server-pki
-domain server256
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
src.cfg 100% 4814 4.7KB/s 00:00
<SwitchA>
{ Based on the 192-bit Suite B algorithms:
# Specify server384 as the PKI domain of the server's certificate.
[SwitchB] ssh server pki-domain server384
# Create an SSH user client002. Specify the publickey authentication method for the user
and specify client384 as the PKI domain for verifying the client's certificate.
[Switch] ssh user client002 service-type scp authentication-type publickey assign
pki-domain client384
# Establish an SCP connection to the SCP server at 192.168.0.1 based on the 192-bit Suite
B algorithms.
<SwitchA> scp 192.168.0.1 get src.cfg suite-b 192-bit pki-domain client384
server-pki
-domain server384
Username: client002
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
src.cfg 100% 4814 4.7KB/s 00:00
<SwitchA>
516
NETCONF over SSH configuration examples
Unless otherwise noted, devices in the configuration examples are in non-FIPS mode.
When the device acts as a NETCONF-over-SSH server operating in FIPS mode, only ECDSA and
RSA key pairs are supported. Do not generate a DSA key pair on the NETCONF-over-SSH server.
Procedure
# Generate RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key modulus is (512 ~ 4096).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
517
...+.................+..........+...+.
Create the key pair successfully.
# Configure an IP address for VLAN-interface 2. The client uses this address as the destination for
NETCONF-over-SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
# Set the password to aabbcc in plain text for local user client001.
[Switch-luser-manage-client001] password simple aabbcc
# Create an SSH user named client001. Specify the service type as NETCONF and the
authentication method as password for the user.
[Switch] ssh user client001 service-type netconf authentication-type password
518
Configuring SSL
About SSL
Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for
TCP-based application layer protocols such as HTTP. SSL has been widely used in applications
such as e-business and online banking to provide secure data transmission over the Internet.
519
Figure 134 SSL protocol stack
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.
520
Configuring the SSL client
Configuring an SSL client policy
521
client-verify { enable | optional }
By default, SSL client authentication is disabled. The SSL server does not perform digital
certificate-based authentication on SSL clients.
When authenticating a client by using the digital certificate, the SSL server verifies the
certificate chain presented by the client. It also verifies that the certificates in the certificate
chain (except the root CA certificate) are not revoked.
7. (Optional.) Enable the SSL server to send the complete certificate chain to the client during SSL
negotiation.
certificate-chain-sending enable
By default, the SSL server sends the server certificate rather than the complete certificate chain
to the client during negotiation.
522
ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 |
ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |
ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha |
rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha |
rsa_aes_256_cbc_sha256 }
The default preferred cipher suite in FIPS mode is rsa_aes_128_cbc_sha.
5. Specify the SSL protocol version for the SSL client policy.
In non-FIPS mode:
version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
In FIPS mode:
version { tls1.0 | tls1.1 | tls1.2 }
By default, an SSL client policy uses TLS 1.0.
6. Enable the SSL client to authenticate servers through digital certificates.
server-verify enable
By default, SSL server authentication is enabled.
523
Restrictions and guidelines
Disable SSL session renegotiation only when explicitly required.
Procedure
1. Enter system view.
system-view
2. Disable SSL session renegotiation.
ssl renegotiation disable
By default, SSL session renegotiation is enabled.
Task Command
display ssl client-policy
Display SSL client policy information.
[ policy-name ]
display ssl server-policy
Display SSL server policy information.
[ policy-name ]
524
Configuring attack detection and
prevention
About attack detection and prevention
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets,
and to take prevention actions to protect a private network. Prevention actions include logging,
packet dropping, blacklisting, and client verification.
Single-packet attacks
Single-packet attacks are also known as malformed packet attacks. An attacker typically launches
single-packet attacks by using the following methods:
• An attacker sends defective packets to a device, which causes the device to malfunction or
crash.
• An attacker sends normal packets to a device, which interrupts connections or probes network
topologies.
• An attacker sends a large number of forged packets to a target device, which consumes
network bandwidth and causes denial of service (DoS).
Table 34 lists the single-packet attack types that the device can detect and prevent.
Table 34 Types of single-packet attacks
525
Single-packet attack Description
Scanning attacks
Scanning is a preintrusion activity used to prepare for intrusion into a network. The scanning allows
the attacker to find a way into the target network and to disguise the attacker's identity.
Attackers use scanning tools to probe a network, find vulnerable hosts, and discover services that
are running on the hosts. Attackers can use the information to launch attacks.
The device can detect and prevent the IP sweep and port scan attacks. If an attacker performs port
scanning from multiple hosts to the target host, distributed port scan attacks occur.
526
Flood attacks
An attacker launches a flood attack by sending a large number of forged requests to the victim in a
short period of time. The victim is too busy responding to these forged requests to provide services
for legal users, and a DoS attack occurs.
The device can detect and prevent the following types of flood attacks.
SYN flood attack
A SYN flood attacker exploits the TCP three-way handshake characteristics and makes the victim
unresponsive to legal users. An attacker sends a large number of SYN packets with forged source
addresses to a server. This causes the server to open a large number of half-open connections and
respond to the requests. However, the server will never receive the expected ACK packets. The
server is unable to accept new incoming connection requests because all of its resources are bound
to half-open connections.
ACK flood attack
An ACK packet is a TCP packet only with the ACK flag set. Upon receiving an ACK packet from a
client, the server must search half-open connections for a match.
An ACK flood attacker sends a large number of ACK packets to the server. This causes the server to
be busy searching for half-open connections, and the server is unable to process packets for normal
services.
SYN-ACK flood attack
Upon receiving a SYN-ACK packet, the server must search for the matching SYN packet it has sent.
A SYN-ACK flood attacker sends a large number of SYN-ACK packets to the server. This causes the
server to be busy searching for SYN packets, and the server is unable to process packets for normal
services.
FIN flood attack
FIN packets are used to shut down TCP connections.
A FIN flood attacker sends a large number of forged FIN packets to a server. The victim might shut
down correct connections, or be unable to provide services because it is busy searching for
matching connections.
RST flood attack
RST packets are used to abort TCP connections when TCP connection errors occur.
An RST flood attacker sends a large number of forged RST packets to a server. The victim might
shut down correct connections, or be unable to provide services because it is busy searching for
matching connections.
DNS flood attack
The DNS server processes and replies all DNS queries that it receives.
A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the
bandwidth and resources of the DNS server, which prevents the server from processing and replying
legal DNS queries.
HTTP flood attack
Upon receiving an HTTP GET request, the HTTP server performs complex operations, including
character string searching, database traversal, data reassembly, and format switching. These
operations consume a large amount of system resources.
An HTTP flood attacker sends a large number of HTTP GET requests that exceed the processing
capacity of the HTTP server, which causes the server to crash.
527
ICMP flood attack
An ICMP flood attacker sends ICMP request packets, such as ping packets, to a host at a fast rate.
Because the target host is busy replying to these requests, it is unable to provide services.
ICMPv6 flood attack
An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast
rate. Because the target host is busy replying to these requests, it is unable to provide services.
UDP flood attack
A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large
amount of the target host's bandwidth, so the host cannot provide other services.
528
Blacklist feature
IP blacklist
The IP blacklist feature is an attack prevention method that filters packets by source IP addresses in
blacklist entries. Compared with ACL-based packet filtering, IP blacklist filtering is simpler and
provides effective screening at a faster speed.
529
Procedure
1. Enter system view.
system-view
2. Create an attack defense policy and enter its view.
attack-defense policy policy-name
530
signature detect ip-option { option-code | internet-timestamp |
loose-source-routing | record-route | route-alert | security |
stream-id | strict-source-routing } [ action { { drop | logging } * |
none } ]
{ Configure signature detection for IP abnormal option attacks, and specify the actions
against the attacks.
signature detect ipv6-ext-header-abnormal [ action { { drop |
logging } * | none } ]
By default, signature detection is not configured for single-packet attacks.
4. (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets.
signature { large-icmp | large-icmpv6 } max-length length
By default, the maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.
5. (Optional.) Specify the actions against single-packet attacks of a specific level.
signature level { high | info | low | medium } action { { drop | logging }
* | none }
The default action is logging for single-packet attacks of the informational and low levels.
The default actions are logging and drop for single-packet attacks of the medium and high
levels.
6. (Optional.) Enable signature detection for single-packet attacks of a specific level.
signature level { high | info | low | medium } detect
By default, signature detection is disabled for all levels of single-packet attacks.
531
Configuring a flood attack defense policy
About flood attack detection and prevention
Apply a flood attack defense policy to the interface that is connected to the external network to
protect internal servers.
Flood attack detection monitors the rate at which connections are initiated to the internal servers.
With flood attack detection enabled, the device is in attack detection state. When the packet sending
rate to an IP address reaches the threshold, the device enters prevention state and takes the
specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the
device returns to the attack detection state.
Restrictions and guidelines for flood attack detection and prevention
If a device has multiple service cards, the global trigger threshold you set takes effect on each
service card. The global trigger threshold of the device is the product of multiplying the value you set
by the service card quantity.
You can configure flood attack detection and prevention for a specific IP address. For non-specific IP
addresses, the device uses the global attack prevention settings.
Configuring a SYN flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global SYN flood attack detection.
syn-flood detect non-specific
By default, global SYN flood attack detection is disabled.
4. Set the global trigger threshold for SYN flood attack prevention.
syn-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against SYN flood attacks.
syn-flood action { drop | logging } *
By default, no global action is specified for SYN flood attacks.
6. Configure IP address-specific SYN flood attack detection.
syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] [ threshold threshold-value ] [ action { { drop |
logging } * | none } ]
By default, IP address-specific SYN flood attack detection is not configured.
Configuring an ACK flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global ACK flood attack detection.
ack-flood detect non-specific
By default, global ACK flood attack detection is disabled.
4. Set the global trigger threshold for ACK flood attack prevention.
532
ack-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against ACK flood attacks.
ack-flood action { drop | logging } *
By default, no global action is specified for ACK flood attacks.
6. Configure IP address-specific ACK flood attack detection.
ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] [ threshold threshold-value ] [ action { { drop |
logging } * | none } ]
By default, IP address-specific ACK flood attack detection is not configured.
Configuring a SYN-ACK flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global SYN-ACK flood attack detection.
syn-ack-flood detect non-specific
By default, global SYN-ACK flood attack detection is disabled.
4. Set the global trigger threshold for SYN-ACK flood attack prevention.
syn-ack-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against SYN-ACK flood attacks.
syn-ack-flood action { drop | logging }*
By default, no global action is specified for SYN-ACK flood attacks.
6. Configure IP address-specific SYN-ACK flood attack detection.
syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address }
[ vpn-instance vpn-instance-name ] [ threshold threshold-value ]
[ action { { drop | logging } * | none } ]
By default, IP address-specific SYN-ACK flood attack detection is not configured.
Configuring a FIN flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global FIN flood attack detection.
fin-flood detect non-specific
By default, global FIN flood attack detection is disabled.
4. Set the global trigger threshold for FIN flood attack prevention.
fin-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against FIN flood attacks.
fin-flood action { drop | logging } *
By default, no global action is specified for FIN flood attacks.
6. Configure IP address-specific FIN flood attack detection.
533
fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] [ threshold threshold-value ] [ action { { drop |
logging } * | none } ]
By default, IP address-specific FIN flood attack detection is not configured.
Configuring an RST flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global RST flood attack detection.
rst-flood detect non-specific
By default, global RST flood attack detection is disabled.
4. Set the global trigger threshold for RST flood attack prevention.
rst-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against RST flood attacks.
rst-flood action { drop | logging } *
By default, no global action is specified for RST flood attacks.
6. Configure IP address-specific RST flood attack detection.
rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] [ threshold threshold-value ] [ action { { drop |
logging } * | none } ]
By default, IP address-specific RST flood attack detection is not configured.
Configuring an ICMP flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global ICMP flood attack detection.
icmp-flood detect non-specific
By default, global ICMP flood attack detection is disabled.
4. Set the global trigger threshold for ICMP flood attack prevention.
icmp-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against ICMP flood attacks.
icmp-flood action { drop | logging } *
By default, no global action is specified for ICMP flood attacks.
6. Configure IP address-specific ICMP flood attack detection.
icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ]
[ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific ICMP flood attack detection is not configured.
Configuring an ICMPv6 flood attack defense policy
1. Enter system view.
system-view
534
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global ICMPv6 flood attack detection.
icmpv6-flood detect non-specific
By default, global ICMPv6 flood attack detection is disabled.
4. Set the global trigger threshold for ICMPv6 flood attack prevention.
icmpv6-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against ICMPv6 flood attacks.
icmpv6-flood action { drop | logging } *
By default, no global action is specified for ICMPv6 flood attacks.
6. Configure IP address-specific ICMPv6 flood attack detection.
icmpv6-flood detect ipv6 ipv6-address [ vpn-instance
vpn-instance-name ] [ threshold threshold-value ] [ action { { drop |
logging } * | none } ]
By default, IP address-specific ICMPv6 flood attack detection is not configured.
Configuring a UDP flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global UDP flood attack detection.
udp-flood detect non-specific
By default, global UDP flood attack detection is disabled.
4. Set the global trigger threshold for UDP flood attack prevention.
udp-flood threshold threshold-value
The default setting is 1000.
5. Specify global actions against UDP flood attacks.
udp-flood action { drop | logging } *
By default, no global action is specified for UDP flood attacks.
6. Configure IP address-specific UDP flood attack detection.
udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] [ threshold threshold-value ] [ action { { drop |
logging } * | none } ]
By default, IP address-specific UDP flood attack detection is not configured.
Configuring a DNS flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global DNS flood attack detection.
dns-flood detect non-specific
By default, global DNS flood attack detection is disabled.
4. Set the global trigger threshold for DNS flood attack prevention.
535
dns-flood threshold threshold-value
The default setting is 1000.
5. (Optional.) Specify the global ports to be protected against DNS flood attacks.
dns-flood port port-list
By default, DNS flood attack prevention protects port 53.
6. Specify global actions against DNS flood attacks.
dns-flood action { drop | logging } *
By default, no global action is specified for DNS flood attacks.
7. Configure IP address-specific DNS flood attack detection.
dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] [ port port-list ] [ threshold threshold-value ]
[ action { { drop | logging } * | none } ]
By default, IP address-specific DNS flood attack detection is not configured.
Configuring an HTTP flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global HTTP flood attack detection.
http-flood detect non-specific
By default, global HTTP flood attack detection is disabled.
4. Set the global trigger threshold for HTTP flood attack prevention.
http-flood threshold threshold-value
The default setting is 1000.
5. (Optional.) Specify the global ports to be protected against HTTP flood attacks.
http-flood port port-list
By default, HTTP flood attack prevention protects port 80.
6. Specify global actions against HTTP flood attacks.
http-flood action { drop | logging } *
By default, no global action is specified for HTTP flood attacks.
7. Configure IP address-specific HTTP flood attack detection.
http-flood detect { ip ipv4-address | ipv6 ipv6-address }
[ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold
threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific HTTP flood attack detection is not configured.
536
Restrictions and guidelines
If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit
rules take effect:
• Source IP address.
• Destination IP address.
• Source port.
• Destination port.
• Protocol.
• L3VPN instance.
• The fragment keyword for matching non-first fragments.
Procedure
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Configure attack detection exemption.
exempt acl [ ipv6 ] { acl-number | name acl-name }
By default, attack detection exemption is not configured.
537
A switch uses hardware to implement packet forwarding and uses software to process packets if the
packets are destined for the switch. The software does not provide any attack defense features, so
you must apply an attack defense policy to the switch to prevent attacks aimed at the switch.
If a device and its interfaces have attack defense policies applied, a packet destined for the device is
processed as follows:
1. The policy applied to the receiving interface processes the packet.
2. If the packet is not dropped by the receiving interface, the policy applied to the device
processes the packet.
Procedure
1. Enter system view.
system-view
2. Apply an attack defense policy to the device.
attack-defense local apply policy policy-name
By default, no attack defense policy is applied to the device.
538
Restrictions and guidelines
TCP fragment attack prevention takes precedence over single-packet attack prevention. When both
are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by
the single-packet attack defense policy.
Procedure
1. Enter system view.
system-view
2. Enable TCP fragment attack prevention.
attack-defense tcp fragment enable
By default, TCP fragment attack prevention is enabled.
539
Configuring login attack prevention
About login attack prevention
The login attack prevention feature detects a login DoS attack if a user fails the maximum number of
successive login attempts. The feature triggers the blacklist feature to add the user's IP to the
blacklist. Following login attempts from the user is blocked for the block period. For login attack
prevention to take effect, you must enable the global blacklist feature.
This feature can effectively prevent login DoS attacks.
Procedure
1. Enter system view.
system-view
2. Enable login attack prevention.
attack-defense login enable
By default, login attack prevention is disabled.
3. Set the maximum number of successive login failures.
attack-defense login max-attempt max-attempt
The default value is three.
4. Set the block period during which a login attempt is blocked.
attack-defense login block-timeout minutes
The default value is 60 minutes.
5. Enable the global blacklist feature.
blacklist global enable
By default, the global blacklist feature is disabled.
540
Task Command
541
Task Command
542
Task Command
543
Task Command
544
Task Command
display blacklist ip
[ source-ip-address [ vpn-instance
Display manually added IPv4 blacklist entries.
vpn-instance-name ] [ ds-lite-peer
ds-lite-peer-address ] | count ]
545
Attack detection and prevention configuration
examples
Example: Configuring attack detection and prevention on the
device
Network configuration
Configure attack detection and prevention on the switch (the gateway) to protect against network
attacks from the user side or the network side.
• To prevent TCP flag attacks and low level scanning attacks that aim at the switch, enable TCP
flag attack prevention and scanning attack prevention. Configure the device to output logs if it
detects such attacks.
• To prevent the SYN flood attacks that aim at the external interface of the switch, enable IP
address-specific SYN flood attack detection for 192.168.2.1/24. When the device receives 5000
or more SYN packets sent to the protected IP address per second, it outputs logs and drops the
packets.
• To prevent the SYN flood attacks that aim at the internal interface of the switch, enable global
SYN flood attack detection. When the device receives 2000 or more SYN packets that are
destined to the switch but not to the protected IP address per second, it outputs logs.
Figure 135 Network diagram
Procedure
# Create attack defense policy a1.
[Switch] attack-defense policy a1
# Enable signature detection for TCP single packet attacks and specify logging as the attack
prevention action. A TCP packet is identified as an attack packet if it has all flags set, only FIN flag
set, invalid flags, no TCP flags set, or both SYN and FIN flags set.
[Switch-attack-defense-policy-a1] signature detect tcp-all-flags action logging
[Switch-attack-defense-policy-a1] signature detect tcp-fin-only action logging
[Switch-attack-defense-policy-a1] signature detect tcp-invalid-flags action logging
[Switch-attack-defense-policy-a1] signature detect tcp-null-flag action logging
[Switch-attack-defense-policy-a1] signature detect tcp-syn-fin action logging
# Enable low level scanning attack detection and specify logging as the attack prevention action.
[Switch-attack-defense-policy-a1] scan detect level low action logging
# Enable SYN flood attack detection for 192.168.2.1. Set the threshold for triggering SYN flood
attack prevention to 5000 and specify logging and drop as the attack prevention actions.
546
[Switch-attack-defense-policy-a1] syn-flood detect ip 192.168.2.1 threshold 5000 action
logging drop
# Enable global SYN flood attack detection, set the global threshold for triggering SYN flood attack
prevention to 2000, and specify logging as the global attack prevention action.
[Switch-attack-defense-policy-a1] syn-flood detect non-specific
[Switch-attack-defense-policy-a1] syn-flood threshold 2000
[Switch-attack-defense-policy-a1] syn-flood action logging
[Switch-attack-defense-policy-a1] quit
547
IP option internet timestamp Disabled info L
IP option security Disabled info L
IP option loose source routing Disabled info L
IP option stream ID Disabled info L
IP option strict source routing Disabled info L
IP option route alert Disabled info L
ICMP echo request Disabled info L
ICMP echo reply Disabled info L
ICMP source quench Disabled info L
ICMP destination unreachable Disabled info L
ICMP redirect Disabled info L
ICMP time exceeded Disabled info L
ICMP parameter problem Disabled info L
ICMP timestamp request Disabled info L
ICMP timestamp reply Disabled info L
ICMP information request Disabled info L
ICMP information reply Disabled info L
ICMP address mask request Disabled info L
ICMP address mask reply Disabled info L
ICMPv6 echo request Disabled info L
ICMPv6 echo reply Disabled info L
ICMPv6 group membership query Disabled info L
ICMPv6 group membership report Disabled info L
ICMPv6 group membership reduction Disabled info L
ICMPv6 destination unreachable Disabled info L
ICMPv6 time exceeded Disabled info L
ICMPv6 parameter problem Disabled info L
ICMPv6 packet too big Disabled info L
548
Address VPN instance Flood type Thres(pps) Actions Ports
192.168.2.1 -- SYN-FLOOD 5000 L,D -
If the device receives TCP flag attack packets or scanning attack packets that are destined for the
device, the device outputs logs. If the device receives TCP SYN flood attack packets that are
destined for the protected IP address, the device outputs logs and drops the attack packets. If the
device receives TCP SYN flood attack packets that are destined for the device but not to the
protected IP address, the device outputs logs.
# Display the attack detection and prevention statistics.
[Swtich] display attack-defense statistics local
Attack policy name: a1
Slot 1:
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 4 0
Flood attack defense statistics:
AttackType AttackTimes Dropped
No flood attacks detected.
Signature attack defense statistics:
AttackType AttackTimes Dropped
TCP invalid flags 116 0
TCP null flag 709 0
TCP all flags 251 0
TCP SYN-FIN flags 46 0
TCP FIN only flag 130 0
Procedure
# Configure IP addresses for the interfaces on the router. (Details not shown.)
# Enable the global blacklist feature.
<Router> system-view
[Router] blacklist global enable
549
[Router] blacklist ip 5.5.5.5
# Add an IPv4 blacklist entry for Host C and set the blacklist entry aging time to 50 minutes.
[Router] blacklist ip 192.168.1.4 timeout 50
# Verify that the router drops packets from Host D. (Details not shown.)
# Execute the undo blacklist ip 5.5.5.5 command and verify that the router forwards
packets from Host D. (Details not shown.)
# Verify that the router drops packets from Host C for 50 minutes and forwards packets from Host C
after 50 minutes. (Details not shown.)
550
Configuring TCP attack prevention
About TCP attack prevention
TCP attack prevention can detect and prevent attacks that exploit the TCP connection establishment
process.
551
Configuring IP source guard
About IPSG
IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to filter out
illegitimate packets. This feature is typically configured on user-side interfaces.
IP network
552
Dynamic IPSG bindings
IPSG automatically obtains user information from other modules to generate dynamic bindings. A
dynamic IPSG binding can contain MAC address, IPv4 or IPv6 address, VLAN tag, ingress interface,
and binding type. The binding type identifies the source module for the binding, such as DHCP
snooping, DHCPv6 snooping, DHCP relay agent, or DHCPv6 relay agent.
For example, DHCP-based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP
addresses through DHCP. IPSG is configured on the DHCP server, the DHCP snooping device, or
the DHCP relay agent. It generates dynamic bindings based on the client bindings on the DHCP
server, the DHCP snooping entries, or the DHCP relay entries. IPSG allows only packets from the
DHCP clients to pass through.
Dynamic IPv4SG
Dynamic bindings generated based on different source modules are for different usages:
For more information about 802.1X, see "Configuring 802.1X." For information about ARP snooping,
DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services Configuration Guide.
Dynamic IPv6SG
Dynamic IPv6SG bindings generated based on different source modules are for different usages:
For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide. For
more information about ND snooping, see IPv6 basics configuration in Layer 3—IP Services
Configuration Guide. For more information about DHCPv6 server, see Layer 3—IP Services
Configuration Guide.
553
1. Enabling IPv4SG on an interface
2. (Optional.) Configuring a static IPv4SG binding
To configure IPv6SG, perform the following tasks:
3. Enabling IPv6SG on an interface
4. (Optional.) Configuring a static IPv6SG binding
554
Restrictions and guidelines
Global static bindings take effect on all interfaces on the device.
To configure a static IPv4SG binding for the ARP attack detection feature, make sure the following
conditions are met:
• The ip-address ip-address option, the mac-address mac-address option, and the
vlan vlan-id option must be specified.
• ARP attack detection must be enabled for the specified VLAN.
Configuring a global static IPv4SG binding
1. Enter system view.
system-view
2. Configure a global static IPv4SG binding.
ip source binding ip-address ip-address mac-address mac-address
Configuring a static IPv4SG binding on an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following interface types are supported:
{ Layer 2 Ethernet interface.
{ Layer 3 Ethernet interface.
{ Layer 3 Ethernet subinterface.
{ Layer 3 aggregate interface.
{ Layer 3 aggregate subinterface.
{ VLAN interface.
3. Configure a static IPv4SG binding.
ip source binding { ip-address ip-address | ip-address ip-address
mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
You can configure the same static IPv4SG binding on different interfaces.
555
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
The following interface types are supported:
{ Layer 2 Ethernet interface.
{ Layer 3 Ethernet interface.
{ Layer 3 Ethernet subinterface.
{ Layer 3 aggregate interface.
{ Layer 3 aggregate subinterface.
{ VLAN interface.
3. Enable the IPv6SG feature.
ipv6 verify source { ip-address | ip-address mac-address |
mac-address }
By default, the IPv6SG feature is disabled on an interface.
556
{ VLAN interface.
3. Configure a static IPv6SG binding.
ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address
mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
You can configure the same static IPv6SG binding on different interfaces.
Task Command
display ip source binding [ static | [ vpn-instance
vpn-instance-name ] [ arp-snooping-vlan |
arp-snooping-vsi | dhcp-relay | dhcp-server |
Display IPv4SG bindings. dhcp-snooping | dot1x ] ] [ ip-address ip-address ]
[ mac-address mac-address ] [ vlan vlan-id ]
[ interface interface-type interface-number ] [ slot
slot-number ]
display ipv6 source binding [ static | [ vpn-instance
vpn-instance-name ] [ dhcpv6-relay | dhcpv6-server |
dhcpv6-snooping | dot1x | nd-snooping-vlan ] ]
Display IPv6SG address
[ ip-address ipv6-address ] [ mac-address
bindings.
mac-address ] [ vlan vlan-id ] [ interface
interface-type interface-number ] [ slot
slot-number ]
display ipv6 source binding pd [ vpn-instance
vpn-instance-name ] [ prefix prefix/prefix-length ]
Display IPv6SG prefix
[ mac-address mac-address ] [ vlan vlan-id ]
bindings.
[ interface interface-type interface-number ] [ slot
slot-number ]
557
Figure 138 Network diagram
Procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable IPv4SG on Twenty-FiveGigE 1/0/2.
<DeviceA> system-view
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] ip verify source ip-address mac-address
[DeviceA-Twenty-FiveGigE1/0/2] quit
558
Figure 139 Network diagram
Procedure
1. Configure the DHCP server.
For information about DHCP server configuration, see Layer 3—IP Services Configuration
Guide.
2. Configure the device:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp snooping enable
# Configure Twenty-FiveGigE 1/0/2 as a trusted interface.
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] dhcp snooping trust
[Device-Twenty-FiveGigE1/0/2] quit
# Enable IPv4SG on Twenty-FiveGigE 1/0/1 and verify the source IP address and MAC
address for dynamic IPSG.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] ip verify source ip-address mac-address
# Enable recording of client information in DHCP snooping entries on Twenty-FiveGigE 1/0/1.
[Device-Twenty-FiveGigE1/0/1] dhcp snooping binding record
[Device-Twenty-FiveGigE1/0/1] quit
559
Figure 140 Network diagram
Procedure
1. Configure dynamic IPv4SG:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable IPv4SG on VLAN-interface 100 and verify the source IP address and MAC address for
dynamic IPSG.
<Switch> system-view
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip verify source ip-address mac-address
[Switch-Vlan-interface100] quit
2. Configure the DHCP relay agent:
# Enable the DHCP service.
[Switch] dhcp enable
# Enable recording DHCP relay entries.
[Switch] dhcp relay client-information record
# Configure VLAN-interface 100 to operate in DHCP relay mode.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] dhcp select relay
# Specify the IP address of the DHCP server.
[Switch-Vlan-interface100] dhcp relay server-address 10.1.1.1
[Switch-Vlan-interface100] quit
560
Figure 141 Network diagram
WGE1/0/1
Internet
Host Device
IP: 2001::1
MAC: 0001-0202-0202
Procedure
# Enable IPv6SG on Twenty-FiveGigE 1/0/1.
<Device> system-view
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] ipv6 verify source ip-address mac-address
Procedure
1. Configure DHCPv6 snooping:
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
561
# Configure Twenty-FiveGigE 1/0/2 as a trusted interface.
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] ipv6 dhcp snooping trust
[Device-Twenty-FiveGigE1/0/2] quit
2. Enable IPv6SG:
# Enable IPv6SG on Twenty-FiveGigE 1/0/1 and verify the source IP address and MAC
address for dynamic IPv6SG.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] ipv6 verify source ip-address mac-address
# Enable recording of client information in DHCPv6 snooping entries on Twenty-FiveGigE
1/0/1.
[Device-Twenty-FiveGigE1/0/1] ipv6 dhcp snooping binding record
[Device-Twenty-FiveGigE1/0/1] quit
Procedure
1. Configure DHCPv6 snooping.
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Configure Twenty-FiveGigE 1/0/2 as a trusted interface.
[Device] interface twenty-fivegige 1/0/2
562
[Device-Twenty-FiveGigE1/0/2] ipv6 dhcp snooping trust
[Device-Twenty-FiveGigE1/0/2] quit
# Enable recording DHCPv6 snooping prefix entries on Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] ipv6 dhcp snooping pd binding record
2. Enable IPv6SG.
# Enable IPv6SG on Twenty-FiveGigE 1/0/1 and verify the source IP address and MAC
address for dynamic IPv6SG.
[Device-Twenty-FiveGigE1/0/1] ipv6 verify source ip-address mac-address
[Device-Twenty-FiveGigE1/0/1] quit
Procedure
1. Configure the DHCPv6 relay agent:
# Create VLAN 2 and VLAN 3, assign interfaces to the VLANs, and specify IP addresses for
VLAN-interface 2 and VLAN-interface 3. (Details not shown.)
# Enable the DHCPv6 relay agent on VLAN-interface 3.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ipv6 dhcp select relay
563
# Enable recording of DHCPv6 relay entries on the interface.
[Switch-Vlan-interface3] ipv6 dhcp relay client-information record
# Specify the DHCPv6 server address 2::2 on the relay agent.
[Switch-Vlan-interface3] ipv6 dhcp relay server-address 2::2
[Switch-Vlan-interface3] quit
2. Enable IPv6SG on VLAN-interface 3 and verify the source IP address and MAC address for
dynamic IPv6SG.
<Switch> system-view
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ipv6 verify source ip-address mac-address
[Switch-Vlan-interface3] quit
564
Configuring ARP attack protection
About ARP attack protection
The device can provide multiple features to detect and prevent ARP attacks and viruses in the LAN.
An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Sends a large number of unresolvable IP packets to have the receiving device busy with
resolving IP addresses until its CPU is overloaded. Unresolvable IP packets refer to IP packets
for which ARP cannot find corresponding MAC addresses.
• Sends a large number of ARP packets to overload the CPU of the receiving device.
• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain
incorrect ARP entries.
565
• The device keeps trying to resolve the destination IP addresses, overloading its CPU.
To protect the device from such IP attacks, you can configure the following features:
• ARP source suppression—Stops resolving packets from an IP address if the number of
unresolvable IP packets from the IP address exceeds the upper limit within 5 seconds. The
device continues ARP resolution when the interval elapses. This feature is applicable if the
attack packets have the same source addresses.
• ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address.
The device drops all matching packets until the blackhole route is deleted. A blackhole route is
deleted when its aging timer is reached or the route becomes reachable.
After a blackhole route is created for an unresolved IP address, the device immediately starts
the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the
device continues probing according to the probe settings. If the IP address resolution succeeds
in a probe, the device converts the blackhole route to a normal route. If an ARP blackhole route
ages out before the device finishes all probes, the device deletes the blackhole route and does
not perform the remaining probes.
This feature is applicable regardless of whether the attack packets have the same source
addresses.
566
arp resolving-route probe-interval interval
The default setting is 1 second.
Task Command
Display ARP source suppression configuration
display arp source-suppression
information.
IP network
Gateway
Device
VLAN 10 VLAN 20
Procedure
• If the attack packets have the same source address, configure ARP source suppression:
# Enable ARP source suppression.
<Device> system-view
[Device] arp source-suppression enable
# Configure the device to process a maximum of 100 unresolvable packets per source IP
address within 5 seconds.
567
[Device] arp source-suppression limit 100
• If the attack packets have different source addresses, configure ARP blackhole routing:
# Enable ARP blackhole routing.
[Device] arp resolving-route enable
568
6. Enable ARP packet rate limit.
arp rate-limit [ pps ]
By default, ARP packet rate limit is enabled.
569
Display and maintenance commands for source MAC-based
ARP attack detection
Execute display commands in any view.
Task Command
display arp source-mac { interface
Display ARP attack entries detected by source
interface-type interface-number [ slot
MAC-based ARP attack detection.
slot-number ] | slot slot-number }
IP network
Procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<Device> system-view
[Device] arp source-mac filter
570
[Device] arp source-mac aging-time 60
Procedure
1. Enter system view.
system-view
2. Enable ARP packet source MAC address consistency check.
arp valid-check enable
By default, ARP packet source MAC address consistency check is disabled.
571
Configuring authorized ARP
About authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP
server or dynamic client entries on the DHCP relay agent. For more information about DHCP server
and DHCP relay agent, see Layer 3—IP Services Configuration Guide.
Use this feature to prevent user spoofing and to allow only authorized clients to access network
resources.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
Supported interface types include Layer 3 Ethernet interface, Layer 3 Ethernet subinterface,
Layer 3 aggregate interface, Layer 3 aggregate subinterface, and VLAN interface.
3. Enable authorized ARP on the interface.
arp authorized enable
By default, authorized ARP is disabled.
Procedure
1. Configure Device A:
# Specify the IP address for Twenty-FiveGigE 1/0/1.
<DeviceA> system-view
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] ip address 10.1.1.1 24
[DeviceA-Twenty-FiveGigE1/0/1] quit
# Configure DHCP.
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
[DeviceA-dhcp-pool-1] quit
# Enter Layer 3 Ethernet interface view.
572
[DeviceA] interface twenty-fivegige 1/0/1
# Enable authorized ARP.
[DeviceA-Twenty-FiveGigE1/0/1] arp authorized enable
[DeviceA-Twenty-FiveGigE1/0/1] quit
2. Configure Device B:
<DeviceB> system-view
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] ip address dhcp-alloc
[DeviceB-Twenty-FiveGigE1/0/1] quit
The output shows that IP address 10.1.1.2 has been assigned to Device B.
Device B must use the IP address and MAC address in the authorized ARP entry to communicate
with Device A. Otherwise, the communication fails. Thus user validity is ensured.
WGE1/0/1 WGE1/0/2
10.1.1.2/24 10.10.1.1/24
Device B
Device A Device C
Procedure
1. Configure Device A:
# Specify the IP address for Twenty-FiveGigE 1/0/1.
<DeviceA> system-view
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] ip address 10.1.1.1 24
[DeviceA-Twenty-FiveGigE1/0/1] quit
# Configure DHCP.
[DeviceA] dhcp enable
573
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0
[DeviceA-dhcp-pool-1] gateway-list 10.10.1.1
[DeviceA-dhcp-pool-1] quit
[DeviceA] ip route-static 10.10.1.0 24 10.1.1.2
2. Configure Device B:
# Enable DHCP.
<DeviceB> system-view
[DeviceB] dhcp enable
# Specify the IP addresses of Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] ip address 10.1.1.2 24
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on Twenty-FiveGigE 1/0/2.
[DeviceB-Twenty-FiveGigE1/0/2] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[DeviceB-Twenty-FiveGigE1/0/2] dhcp relay server-address 10.1.1.1
# Enable authorized ARP.
[DeviceB-Twenty-FiveGigE1/0/2] arp authorized enable
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Enable recording of relay entries on the relay agent.
[DeviceB] dhcp relay client-information record
3. Configure Device C:
<DeviceC> system-view
[DeviceC] ip route-static 10.1.1.0 24 10.10.1.1
[DeviceC] interface twenty-fivegige 1/0/2
[DeviceC-Twenty-FiveGigE1/0/2] ip address dhcp-alloc
[DeviceC-Twenty-FiveGigE1/0/2] quit
The output shows that Device A assigned the IP address 10.10.1.2 to Device C.
Device C must use the IP address and MAC address in the authorized ARP entry to communicate
with Device B. Otherwise, the communication fails. Thus the user validity is ensured.
574
ARP attack detection provides the following features:
• User validity check.
• ARP packet validity check.
• ARP restricted forwarding.
• ARP packet ingress port ignoring during user validity check
• ARP attack detection logging.
If both ARP packet validity check and user validity check are enabled, the former one applies first,
and then the latter applies.
Do not configure ARP attack detection together with ARP snooping. Otherwise, ARP snooping
entries cannot be generated.
575
2. (Optional.) Configure a user validity check rule.
arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any }
mac { mac-address [ mask ] | any } [ vlan vlan-id ]
By default, no user validity check rules are configured.
3. Enter VLAN view.
vlan vlan-id
4. Enable ARP attack detection.
arp detection enable
By default, ARP attack detection is disabled. The device does not perform ARP user validity
check.
5. (Optional.) Configure an interface that does not require ARP user validity check as a trusted
interface.
a. Return to system view.
quit
b. Enter interface view.
interface interface-type interface-number
Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate
interface.
c. Configure the interface as a trusted interface excluded from ARP attack detection.
arp detection trust
By default, an interface is untrusted.
576
arp detection enable
By default, ARP attack detection is disabled. The device does not perform ARP packet validity
check.
4. Enable ARP packet validity check.
a. Return to system view.
quit
b. Enable ARP packet validity check and specify the objects to be checked.
arp detection validate { dst-mac | ip | src-mac } *
By default, ARP packet validity check is disabled.
5. (Optional.) Configure the interface that does not require ARP packet validity check as a trusted
interface.
a. Enter interface view.
interface interface-type interface-number
Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate
interface.
b. Configure the interface as a trusted interface excluded from ARP attack detection.
arp detection trust
By default, an interface is untrusted.
577
Ignoring ingress ports of ARP packets during user validity
check
About ignoring ingress ports of ARP packets during user validity check
ARP attack detection performs user validity check on ARP packets from ARP untrusted interfaces.
The sender IP and sender MAC in the received ARP packet are compared with the entries used for
user validity check. In addition, user validity check compares the ingress port of the ARP packet with
the port in the entries. If no matching port is found, the ARP packet is discarded. For more
information about user validity check, see "Configuring user validity check."
Procedure
1. Enter system view.
system-view
2. Ignore ingress ports of ARP packets during user validity check.
arp detection port-match-ignore
By default, ingress ports of ARP packets are checked during user invalidity.
Task Command
Display the VLANs enabled with
display arp detection
ARP attack detection.
578
Task Command
reset arp detection statistics attack-source
Clear ARP attack source statistics.
[ slot slot-number ]
Clear statistics for packets reset arp detection statistics packet-drop
dropped by ARP attack detection. [ interface interface-type interface-number ]
Procedure
1. Add all interfaces on Device B to VLAN 10, and specify the IP address of VLAN-interface 10 on
Device A. (Details not shown.)
2. Configure the DHCP server on Device A, and configure DHCP address pool 0.
<DeviceA> system-view
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 0
[DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for
ARP attack detection. (Details not shown.)
4. Configure Device B:
# Enable 802.1X.
<DeviceB> system-view
[DeviceB] dot1x
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] dot1x
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] dot1x
579
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Add a local user test.
[DeviceB] local-user test
[DeviceB-luser-test] service-type lan-access
[DeviceB-luser-test] password simple test
[DeviceB-luser-test] quit
# Enable ARP attack detection for VLAN 10 to check user validity based on 802.1X entries.
[DeviceB] vlan 10
[DeviceB-vlan10] arp detection enable
# Configure the upstream interface as an ARP trusted interface. By default, an interface is an
untrusted interface.
[DeviceB-vlan10] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] arp detection trust
[DeviceB-Twenty-FiveGigE1/0/3] quit
Procedure
1. Add all interfaces on Device B to VLAN 10, and specify the IP address of VLAN-interface 10 on
Device A. (Details not shown.)
2. Configure the DHCP server on Device A, and configure DHCP address pool 0.
<DeviceA> system-view
580
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 0
[DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A (DHCP client) and Host B. (Details not shown.)
4. Configure Device B:
# Enable DHCP snooping.
<DeviceB> system-view
[DeviceB] dhcp snooping enable
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] dhcp snooping trust
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Enable recording of client information in DHCP snooping entries on Twenty-FiveGigE 1/0/1.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] dhcp snooping binding record
[DeviceB-Twenty-FiveGigE1/0/1] quit
# Enable ARP attack detection for VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] arp detection enable
# Configure the upstream interface as a trusted interface. By default, an interface is an
untrusted interface.
[DeviceB-vlan10] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] arp detection trust
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Configure a static IP source guard binding entry on interface Twenty-FiveGigE 1/0/2 for user
validity check.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] ip source binding ip-address 10.1.1.6 mac-address
0001-0203-0607 vlan 10
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP
packets.
[DeviceB] arp detection validate dst-mac ip src-mac
581
Figure 151 Network diagram
Procedure
1. Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of VLAN-interface
10 on Device A. (Details not shown.)
2. Configure the DHCP server on Device A, and configure DHCP address pool 0.
<DeviceA> system-view
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 0
[DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A (DHCP client) and Host B. (Details not shown.)
4. Configure Device B:
# Enable DHCP snooping, and configure Twenty-FiveGigE 1/0/3 as a DHCP trusted interface.
<DeviceB> system-view
[DeviceB] dhcp snooping enable
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] dhcp snooping trust
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Enable ARP attack detection for user validity check.
[DeviceB] vlan 10
[DeviceB-vlan10] arp detection enable
# Configure Twenty-FiveGigE 1/0/3 as an ARP trusted interface.
[DeviceB-vlan10] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] arp detection trust
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Configure a static IP source guard entry on interface Twenty-FiveGigE 1/0/2.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] ip source binding ip-address 10.1.1.6 mac-address
0001-0203-0607 vlan 10
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP
packets.
582
[DeviceB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[DeviceB] port-isolate group 1
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port-isolate enable group 1
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port-isolate enable group 1
[DeviceB-Twenty-FiveGigE1/0/2] quit
After the configurations are completed, Device B first checks the validity of ARP packets
received on Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2. If the ARP packets are
confirmed valid, Device B performs user validity check by using the static IP source guard
bindings and finally DHCP snooping entries. However, ARP broadcast requests sent from Host
A can pass the check on Device B and reach Host B. Port isolation fails.
# Enable ARP restricted forwarding.
[DeviceB] vlan 10
[DeviceB-vlan10] arp restricted-forwarding enable
[DeviceB-vlan10] quit
583
To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address
[ vpn-instance-name ] command. You can also use the reset arp all command to delete
all ARP entries or the reset arp static command to delete all static ARP entries.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Trigger an ARP scanning.
arp scan [ start-ip-address to end-ip-address ] [ send-rate pps ]
4. Return to system view.
quit
5. Convert existing dynamic ARP entries to static ARP entries.
arp fixup
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.
3. Enable ARP gateway protection for the specified gateway.
arp filter source ip-address
By default, ARP gateway protection is disabled.
584
Example: Configuring ARP gateway protection
Network configuration
As shown in Figure 152, Host B launches gateway spoofing attacks to Device B. As a result, traffic
that Device B intends to send to Device A is sent to Host B.
Configure Device B to block such attacks.
Figure 152 Network diagram
Procedure
# Configure ARP gateway protection on Device B.
<DeviceB> system-view
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] arp filter source 10.1.1.1
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] arp filter source 10.1.1.1
585
Do not configure both the arp filter source and arp filter binding commands on an
interface.
If ARP filtering works with ARP attack detection, MFF, ARP snooping, and ARP fast-reply, ARP
filtering applies first.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
Supported interface types include Ethernet interface and Layer 2 aggregate interface.
3. Enable ARP filtering and configure a permitted entry.
arp filter binding ip-address mac-address
By default, ARP filtering is disabled.
Procedure
# Configure ARP filtering on Device B.
<DeviceB> system-view
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
586
Verifying the configuration
# Verify that Twenty-FiveGigE 1/0/1 permits ARP packets from Host A and discards other ARP
packets.
# Verify that Twenty-FiveGigE 1/0/2 permits ARP packets from Host B and discards other ARP
packets.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable the ARP sender IP address checking feature and specify the IP address range.
arp sender-ip-range start-ip-address end-ip-address
By default, the ARP sender IP address checking feature is disabled.
587
Figure 154 Network diagram
VLAN 2
Host
VLAN 4
Host
Procedure
IMPORTANT:
By default, interfaces on the device are disabled (in ADM or Administratively Down state). To have
an interface operate, you must use the undo shutdown command to enable that interface.
# Create VLAN 2, and assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to the VLAN.
[Device] vlan 2
[Device-vlan2] port twenty-fivegige 1/0/1 twenty-fivegige 1/0/2
[Device-vlan2] quit
# Create VLAN 3, and assign Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to the VLAN.
[Device] vlan 3
[Device-vlan3] port twenty-fivegige 1/0/3 twenty-fivegige 1/0/4
[Device-vlan3] quit
# Create VLAN 4, and assign Twenty-FiveGigE 1/0/5 and Twenty-FiveGigE 1/0/6 to the VLAN.
[Device] vlan 4
[Device-vlan4] port twenty-fivegige 1/0/5 twenty-fivegige 1/0/6
[Device-vlan4] quit
# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 4 with the super VLAN.
[Device] vlan 10
[Device-vlan10] supervlan
[Device-vlan10] subvlan 2 3 4
[Device-vlan10] quit
588
# Enable the ARP sender IP address checking feature in VLAN 2 and specify the IP address range
10.1.1.1 to 10.1.1.10.
[Device] vlan 2
[Device-vlan2] arp sender-ip-range 10.1.1.1 10.1.1.10
589
Configuring ND attack defense
About ND attack defense
IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND
attacks.
The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network
attacks. As shown in Figure 155, an attacker can send the following forged ICMPv6 messages to
perform ND attacks:
• Forged NS/NA/RS messages with an IPv6 address of a victim host. The gateway and other
hosts update the ND entry for the victim with incorrect address information. As a result, all
packets intended for the victim are sent to the attacking terminal.
• Forged RA messages with the IPv6 address of a victim gateway. As a result, all hosts attached
to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.
Figure 155 ND attack diagram
Device
Host A Host C
IP_C
MAC_C
Forged ND Forged ND
messages messages
Host B
IP_B
MAC_B
590
Enabling source MAC consistency check for ND
messages
About source MAC consistency check
The source MAC consistency check feature is typically configured on gateways to prevent ND
attacks.
This feature checks the source MAC address and the source link-layer address for consistency for
each arriving ND message.
• If the source MAC address and the source link-layer address are not the same, the device
drops the packet.
• If the addresses are the same, the device continues learning ND entries.
The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the
information center. The information center can then output log messages from different source
modules to different destinations. For more information about the information center, see Network
Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable source MAC consistency check for ND messages.
ipv6 nd mac-check enable
By default, source MAC consistency check is disabled for ND messages.
3. (Optional.) Enable the ND logging feature.
ipv6 nd check log enable
By default, the ND logging feature is disabled.
As a best practice, disable the ND logging feature to avoid excessive ND logs.
591
• If no match is found, the device verifies the user as illegal, and it discards the ND message.
ND attack detection uses static IPv6 source guard binding entries and DHCPv6 snooping entries for
user validity check.
Static IPv6 source guard binding entries are created by using the ipv6 source binding
command. For information about IPv6 source guard, see "Configuring IP source guard." For
information about DHCPv6 snooping, see Layer 3–IP Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable ND attack detection.
ipv6 nd detection enable
By default, ND attack detection is disabled.
4. (Optional.) Configure the interface as ND trusted interface:
a. Return to system view.
quit
b. Enter Layer 2 Ethernet or aggregate interface view.
interface interface-type interface-number
c. Configure the interface as ND trusted interface.
ipv6 nd detection trust
By default, all interfaces are ND untrusted interfaces.
592
• Total number of dropped ND packets.
Procedure
1. Enter system view.
system-view
2. Enable ND attack detection logging.
ipv6 nd detection log enable
By default, ND attack detection logging is disabled.
Task Command
display ipv6 nd detection statistics
Display statistics for ND messages
[ interface interface-type
dropped by ND attack detection.
interface-number ]
reset ipv6 nd detection statistics
Clear ND attack detection statistics. [ interface interface-type
interface-number ]
Configuring RA guard
About RA guard
RA guard allows Layer 2 access devices to analyze and block unwanted and forged RA messages.
Upon receiving an RA message, the device makes the forwarding or dropping decision based on the
role of the attached device or the RA guard policy.
1. If the role of the device attached to the receiving interface is router, the device forwards the RA
message. If the role is host, the device drops the RA message.
2. If no attached device role is set, the device uses the RA guard policy applied to the VLAN of the
receiving interface to match the RA message.
{ If the policy does not contain match criteria, the policy will not take effect and the device
forwards the RA message.
{ If the RA message content matches every criterion in the policy, the device forwards the
message. Otherwise, the device drops the message.
593
{ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
{ Enter aggregate interface view.
interface bridge-aggregation interface-number
3. Specify the role of the device attached to the interface.
ipv6 nd raguard role { host | router }
By default, the role of the device attached to the interface is not specified.
594
Enabling the RA guard logging feature
About RA guard logging
This feature allows a device to generate logs when it detects forged RA messages. The log
information helps administrators locate and solve problems. Each log records the following
information:
• Name of the interface that received the forged RA message.
• Source IP address of the forged RA message.
• Number of RA messages dropped on the interface.
The RA guard logging feature sends the log messages to the information center. The information
center can then output log messages from different source modules to different destinations. For
more information about the information center, see Network Management and Monitoring
Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable the RA guard logging feature.
ipv6 nd raguard log enable
By default, the RA guard logging feature is disabled.
Task Command
display ipv6 nd raguard policy
Display the RA guard policy configuration.
[ policy-name ]
display ipv6 nd raguard statistics
Display RA guard statistics. [ interface interface-type
interface-number ]
reset ipv6 nd raguard statistics
Clear RA guard statistics. [ interface interface-type
interface-number ]
595
• Specify router as the role of the Device A. All RA messages received on Twenty-FiveGigE 1/0/3
are forwarded.
Figure 156 Network diagram
Procedure
# Create an RA guard policy named policy1.
<DeviceB> system-view
[DeviceB] ipv6 nd raguard policy policy1
# Set the maximum router preference to high for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match router-preference maximum high
# Set the maximum advertised hop limit to 120 for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match hop-limit maximum 120
# Set the minimum advertised hop limit to 100 for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match hop-limit minimum 100
[DeviceB-raguard-policy-policy1] quit
596
[DeviceB] vlan 10
[DeviceB-vlan10] ipv6 nd raguard apply policy policy1
[DeviceB-vlan10] quit
597
For more information about DHCPv6 relay entries, see DHCPv6 relay agent configuration in Layer
3—IP Services Configuration Guide. For more information about IP source guard entries, see
"Configuring IP source guard."
Task Command
display ipv6 destination-guard [ interface
Display IPv6 destination guard status.
interface-type interface-number ]
598
599
Configuring uRPF
About uRPF
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing
attacks, such as DoS and DDoS attacks.
As shown in Figure 157, an attacker on Router A sends the server (Router B) requests with a forged
source IP address 2.2.2.1 at a high rate. Router B sends response packets to IP address 2.2.2.1
(Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects
Router C by mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers
simultaneously to block connections or even break down the network.
uRPF can prevent these source address spoofing attacks. It checks whether an interface that
receives a packet is the output interface of the FIB entry that matches the source address of the
packet. If not, uRPF considers it a spoofing attack and discards the packet.
Network application
As shown in Figure 158, strict uRPF check is configured between an ISP network and a customer
network. Loose uRPF check is configured between ISPs.
600
Figure 158 Network diagram
ISP B
uRPF (loose)
ISP A
ISP C
uRPF (strict)
User
601
3. Enable uRPF.
ip urpf { loose | strict }
By default, uRPF is disabled.
Task Command
display ip urpf [ interface
Display uRPF configuration. interface-type interface-number ] [ slot
slot-number ]
602
Configuring MFF
About MFF
MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between
hosts in the same broadcast domain.
An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or
server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic
monitoring and attack prevention.
MFF works with any of the following features to implement traffic filtering and Layer 2 isolation on the
EANs:
• ARP snooping (see Layer 3—IP Services Configuration Guide).
• IP source guard (see "Configuring IP source guard").
• ARP detection (see "Configuring ARP attack protection").
• VLAN mapping (see Layer 2—LAN Switching Configuration Guide).
Port roles
Two types of ports, user port and network port, exist in an MFF-enabled VLAN.
User port
An MFF user port is directly connected to a host and processes the following packets differently:
• Allows multicast packets to pass.
• Delivers ARP packets to the CPU.
603
• Processes unicast packets as follows:
{ If gateways' MAC addresses have been learned, the user port allows only the unicast
packets with the gateways' MAC addresses as the destination MAC addresses to pass.
{ If no gateways' MAC addresses have been learned, the user port discards all received
unicast packets.
Network port
An MFF network port is connected to any of the following networking devices:
• An access switch.
• A distribution switch.
• A gateway.
• A server.
A network port processes the following packets differently:
• Allows multicast packets to pass.
• Delivers ARP packets to the CPU.
• Denies broadcast packets other than DHCP and ARP packets.
604
1. Enabling MFF
2. Configuring a network port
3. (Optional.) Enabling periodic gateway probe
4. Specifying the IP addresses of servers
If servers exist in the network, you must perform this task to ensure communication between the
servers and hosts.
Enabling MFF
Restrictions and guidelines
• An MFF-enabled device and a host cannot ping each other.
• When MFF works with static IP source guard bindings, you must configure VLAN IDs in the
static bindings. Otherwise, IP packets allowed by IP source guard are permitted even if their
destination MAC addresses are not the MAC address of the gateway.
• MFF is not supported in a network where VRRP load balancing mode is configured.
Prerequisites
For MFF to take effect, make sure ARP snooping is enabled on the VLAN where MFF is enabled.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable MFF.
mac-forced-forwarding default-gateway gateway-ip
By default, MFF is disabled.
605
Enabling periodic gateway probe
About periodic gateway probe
You can configure the MFF device to detect gateways every 30 seconds for the change of MAC
addresses by sending forged ARP packets. The ARP packets use 0.0.0.0 as the sender IP address
and bridge MAC address as the sender MAC address.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable periodic gateway probe.
mac-forced-forwarding gateway probe
By default, this feature is disabled.
606
Task Command
display mac-forced-forwarding
Display MFF port configuration.
interface
display mac-forced-forwarding vlan
Display the MFF configuration for a VLAN.
vlan-id
Procedure
1. Configure the IP addresses of the hosts and the gateway, as shown in Figure 160.
2. Configure Switch A:
# Configure MFF on VLAN 100.
[SwitchA] vlan 100
[SwitchA-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchA-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
[SwitchA-vlan100] arp snooping enable
[SwitchA-vlan100] quit
# Configure Twenty-FiveGigE 1/0/1 as a network port.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] mac-forced-forwarding network-port
3. Configure Switch B:
607
# Configure MFF on VLAN 100.
[SwitchB] vlan 100
[SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
[SwitchB-vlan100] arp snooping enable
[SwitchB-vlan100] quit
# Configure Twenty-FiveGigE 1/0/2 as a network port.
[SwitchB] interface twenty-fivegige 1/0/2 1/0/6
[SwitchB-Twenty-FiveGigE1/0/2] mac-forced-forwarding network-port
Procedure
1. Configure the IP addresses of the hosts and the gateway, as in shown in Figure 161.
2. Configure Switch A:
# Enable STP globally to make sure STP is enabled on interfaces.
[SwitchA] stp global enable
# Configure MFF on VLAN 100.
[SwitchA] vlan 100
[SwitchA-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchA-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
[SwitchA-vlan100] arp snooping enable
608
[SwitchA-vlan100] quit
# Configure Twenty-FiveGigE 1/0/2 and Twenty-FiveGigE 1/0/3 as network ports.
[SwitchA] interface twenty-fivegige 1/0/2
[SwitchA-Twenty-FiveGigE1/0/2] mac-forced-forwarding network-port
[SwitchA-Twenty-FiveGigE1/0/2] quit
[SwitchA] interface twenty-fivegige 1/0/3
[SwitchA-Twenty-FiveGigE1/0/3] mac-forced-forwarding network-port
3. Configure Switch B:
# Enable STP globally to make sure STP is enabled on interfaces.
[SwitchB] stp global enable
# Configure MFF on VLAN 100.
[SwitchB] vlan 100
[SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
[SwitchB-vlan100] arp snooping enable
[SwitchB-vlan100] quit
# Configure Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/3 as network ports.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] mac-forced-forwarding network-port
[SwitchB-Twenty-FiveGigE1/0/1] quit
[SwitchB] interface twenty-fivegige 1/0/3
[SwitchB-Twenty-FiveGigE1/0/3] mac-forced-forwarding network-port
4. Enable STP on Switch C globally to make sure STP is enabled on interfaces.
<SwitchC> system-view
[SwitchC] stp global enable
609
Configuring crypto engines
About crypto engines
Crypto engines encrypt and decrypt data for service modules.
The device supports only one software crypto engine, which is a set of software encryption
algorithms. The software crypto engine is always enabled.
When a service module requires data encryption/decryption, it sends the desired data to the crypto
engine. After the crypto engine completes data encryption/decryption, it sends the data back to the
service module.
Task Command
Display crypto engine information. display crypto-engine
display crypto-engine statistics
Display crypto engine statistics. [ engine-id engine-id slot
slot-number ]
reset crypto-engine statistics
Clear crypto engine statistics. [ engine-id engine-id slot
slot-number ]
610
Configuring FIPS
About FIPS
Federal Information Processing Standards (FIPS) was developed by the National Institute of
Standards and Technology (NIST) of the United States. FIPS specifies the requirements for
cryptographic modules.
FIPS functionality
In FIPS mode, the device has strict security requirements. It performs self-tests on cryptography
modules to verify that the modules are operating correctly.
A FIPS device also meets the functionality requirements defined in Network Device Protection Profile
(NDPP) of Common Criteria (CC).
FIPS self-tests
To ensure correct operation of cryptography modules, FIPS provides self-test mechanisms, including
power-up self-tests and conditional self-tests.
If a power-up self-test fails, the device where the self-test process exists reboots. If a conditional
self-test fails, the system outputs a self-test failure message.
NOTE:
If a self-test fails, contact Hewlett Packard Enterprise Support.
Power-up self-tests
The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms.
The device supports the following types of power-up self-tests:
• Known-answer test (KAT)
A cryptographic algorithm is run on data for which the correct output is already known. The
calculated output is compared with the known answer. If they are not identical, the KAT test
fails.
• Pairwise conditional test (PWCT)
{ Signature and authentication test—The test is run when a DSA, RSA, or ECDSA
asymmetrical key pair is generated. The system uses the private key to sign the specific
data, and then uses the public key to authenticate the signed data. If the authentication is
successful, the test succeeds.
{ Encryption and decryption test—The test is run when an RSA asymmetrical key pair is
generated. The system uses the public key to encrypt a plain text string, and then uses the
private key to decrypt the encrypted text. If the decryption result is the same as the original
plain text string, the test succeeds.
611
The power-up self-test examines the cryptographic algorithms listed in Table 35.
Table 35 Power-up self-tests list
Type Operations
Tests the following algorithms:
• SHA1, SHA224, SHA256, SHA384, and SHA512.
• HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
and HMAC-SHA512.
• AES.
KAT
• RSA (signature and authentication).
• ECDH.
• DRBG.
• GCM.
• GMAC.
Tests the following algorithms:
• RSA (signature and authentication).
PWCT • RSA (encryption and decryption).
• DSA (signature and authentication).
• ECDSA (signature and authentication).
Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number
generator module is invoked. Conditional self-tests include the following types:
• PWCT signature and authentication—This test is run when a DSA or RSA asymmetrical key
pair is generated. The system uses the private key to sign the specific data, and then uses the
public key to authenticate the signed data. If the authentication is successful, the test succeeds.
• Continuous random number generator test—Runs when a random number is generated.
The system compares the generated random number with the previously generated random
number. If the two numbers are the same, the test fails. This test also runs when a DSA or RSA
asymmetrical key pair is generated.
612
2. Save the current configuration file.
3. Specify the current configuration file as the startup configuration file.
4. Reboot the device. The new configuration takes effect after the reboot. During this process, do
not exit the system or perform other operations.
If a device enters FIPS or non-FIPS mode through automatic reboot, configuration rollback fails. To
support configuration rollback, you must execute the save command after the device enters FIPS or
non-FIPS mode.
IRF compatibility
All devices in an IRF fabric must be operating in the same mode, whether in FIPS mode or non-FIPS
mode.
To enable FIPS mode for an IRF fabric, you must reboot the entire IRF fabric.
Feature changes in FIPS mode
After the system enters FIPS mode, the following feature changes occur:
• The user login authentication mode can only be scheme.
• The FTP/TFTP server and client are disabled.
• The Telnet server and client are disabled.
• The HTTP server is disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSL server supports only TLS1.0, TLS1.1, and TLS1.2.
• The SSH server does not support SSHv1 clients or DSA key pairs.
• The generated RSA and DSA key pairs must have a modulus length of 2048 bits.
When the device acts as a server to authenticate a client through the public key, the key pair for
the client must also have a modulus length of 2048 bits.
• The generated ECDSA key pairs must have a modulus length of more than 256 bits.
When the device acts as a server to authenticate a client through the public key, the key pair for
the client must also have a modulus length of more than 256 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
• The password control feature cannot be disabled globally. The undo password-control
enable command does not take effect.
• An AAA shared key, IKE pre-shared key, or SNMPv3 authentication key must have at least 15
characters and must contain uppercase and lowercase letters, digits, and special characters.
• The password for a device management local user and password for switching user roles must
comply with the password control policies. By default, the password must have at least 15
characters and must contain uppercase and lowercase letters, digits, and special characters.
613
• Manual reboot—You must complete the required configuration tasks and reboot the device
manually.
614
b. Configure password control policies.
− Set the number of character types a password must contain to 4.
− Set the minimum number of characters for each type to one character.
− Set the minimum length for a user password to 15 characters.
For more information about the password control feature, see password control in Security
Configuration Guide.
3. Configure a local user.
{ Create a device management local user.
{ Specify a password that complies with the password control policies.
{ Assign the terminal service to the user.
{ Assign the network-admin user role to the user.
Procedure
1. Enter system view.
system-view
2. Enable FIPS mode.
fips mode enable
By default, the FIPS mode is disabled.
3. After the reboot method choice prompt appears, enter N.
The system enables FIPS mode and waits for you to complete the FIPS mode configuration
tasks. Before rebooting the device to enter FIPS mode, do not execute any commands except
for save and commands used to prepare for entering FIPS mode. If you execute any other
commands, the commands might not take effect.
4. Save the running configuration and specify the configuration file as the startup configuration
file.
5. Delete the .mdb startup configuration file.
When loading a .mdb configuration file, the device loads all settings in the file. The settings that
are not supported in FIPS mode might affect device operation.
6. Reboot the device.
The device reboots, loads the startup configuration file, and enters FIPS mode. To log in to the
device, you must enter the configured username and password. After login, you are identified
as the FIPS mode crypto officer.
615
Exiting FIPS mode
About exiting FIPS mode
After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode.
For the device to exit FIPS mode, you can use one of the following reboot methods:
• Automatic reboot—The system automatically creates a default non-FIPS configuration file
named non-fips-startup.cfg, specifies the file as the startup configuration file, and reboots to
enter non-FIPS mode. You can log in to the device without providing username or password.
• Manual reboot—You must manually complete the configuration tasks for entering non-FIPS
mode, and then reboot the device. To log in to the device after the reboot, you must enter user
information as required by the authentication mode settings.
The following are the default authentication mode settings:
{ VTY line—Password authentication.
{ AUX line—Authentication is disabled.
You can modify the authentication settings as needed.
Using the automatic reboot method to exit FIPS mode
1. Enter system view.
system-view
2. Disable FIPS mode.
undo fips mode enable
By default, the FIPS mode is disabled.
3. Select the automatic reboot method.
Using the manual reboot method to exit FIPS mode
1. Enter system view.
system-view
2. Disable FIPS mode.
undo fips mode enable
By default, the FIPS mode is disabled.
3. Select the manual reboot method.
4. Configure login authentication settings.
{ If you logged in to the device through SSH, perform the following tasks without
disconnecting the current user line:
− Set the authentication mode to scheme for VTY lines.
− Specify the username and password. If you do not specify the username or password,
the device uses the current username and password.
{ If you logged in to the device through a console port, configure login authentication settings
for the current type of user lines as described in the following table:
Current login
Login authentication requirements
method
Set the authentication to scheme and specify the username and
Scheme password. If you do not specify the username or password, the device
uses the current username and password.
Set the authentication to password and specify the password. If you do
Password
not specify the password, the device uses the current password.
616
Current login
Login authentication requirements
method
None Set the authentication to none.
5. Save the running configuration and specify the file as the startup configuration file.
6. Delete the .mdb startup configuration file.
7. Reboot the device.
Task Command
Display the version number of the device algorithm
display crypto version
base.
617
Press ENTER to get started.
login: root
Password:
First login or password reset. For security reason, you need to change your password. Please
enter your password.
old password:
new password:
confirm:
Updating user information. Please wait ... ...
…
<Sysname>
<Sysname>
# Set the number of character types a password must contain to 4, and set the minimum number of
characters for each type to one character.
[Sysname] password-control composition type-number 4 type-length 1
# Add a local user account for device management, including a username of test, a password of
12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB
618
[Sysname-luser-manage-test] authorization-attribute user-role network-admin
[Sysname-luser-manage-test] service-type terminal
[Sysname-luser-manage-test] quit
# Enable FIPS mode, and choose the manual reboot method to enter FIPS mode.
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:n
Change the configuration to meet FIPS mode requirements, save the configuration to the
next-startup configuration file, and then reboot to enter FIPS mode.
# Save the current configuration to the root directory of the storage medium, and specify it as the
startup configuration file.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
[Sysname] quit
619
Example: Exiting FIPS mode through automatic reboot
Network configuration
After logging in to the device in FIPS mode through a console port, use the automatic reboot method
to exit FIPS mode.
Procedure
# Disable FIPS mode.
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for non-FIPS mode and then reboot
automatically. Continue? [Y/N]:y
Waiting for reboot... After reboot, the device will enter non-FIPS mode.
# Save the current configuration to the root directory of the storage medium, and specify it as the
startup configuration file.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
[Sysname] quit
620
# Reboot the device.
<Sysname> reboot
621
Configuring MACsec
About MACsec
Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec
provides services such as data encryption, frame integrity check, and data origin validation for
frames on the MAC sublayer of the Data Link Layer. MACsec usually cooperates with 802.1X
authentication to use the keys generated from MACsec Key Agreement (MKA) negotiation for
authenticated users' data encryption and integrity check. This collaboration can prevent ports from
processing packets from unauthenticated users or tampered packets.
Basic concepts
CA
Connectivity association (CA) is a group of participants that use the same key and key algorithm.
The encryption key used by the CA participants is called a connectivity association key (CAK). The
following types of CAKs are available:
• Pairwise CAK—Used by CAs that have two participants.
• Group CAK—Used by CAs that have more than two participants.
The pairwise CAK is used most often because MACsec is typically applied to point-to-point
networks.
A CAK can be an encryption key generated during 802.1X authentication or a user-configured
preshared key. The user-configured preshared key takes precedence over the 802.1X-generated
key.
SA
Secure association (SA) is an agreement negotiated by CA participants. The agreement includes a
cipher suite and keys for integrity check.
A secure channel can contain more than one SA. Each SA uses a unique secure association key
(SAK). The SAK is generated from the CAK, and MACsec uses the SAK to encrypt data transmitted
along the secure channel.
MACsec Key Agreement (MKA) limits the number of packets that can be encrypted by an SAK.
When the limit is exceeded, the SAK will be refreshed. For example, when packets with the minimum
size are sent on a 10-Gbps link, an SAK rekey occurs about every 300 seconds.
MKA life time
The participants at the two ends of a secure session exchange MKA protocol packets to keep the
session alive.
MKA life time sets the session keepalive timer for participants. The timer starts on a participant when
the participant receives the first MKA protocol packet from its peer. If the participant does not receive
any subsequent MKA protocol packets from that peer before the timer expires, the participant
determines that the session is insecure and then removes the session.
MACsec services
Data encryption
MACsec enables a port to encrypt outbound frames and decrypt MACsec-encrypted inbound frames.
The keys for encryption and decryption are negotiated by MKA.
622
Integrity check
MACsec performs integrity check when the device receives a MACsec-encrypted frame. The
integrity check uses the following process:
• Uses a key negotiated by MKA to calculate an integrity check value (ICV) for the frame.
• Compares the calculated ICV with the ICV in the frame trailer.
{ If the ICVs are the same, the device verifies the frame as legal.
{ If the ICVs are different, the device determines whether to drop the frame based on the
validation mode. The device supports the following validation modes:
− check—Performs validation only, and does not drop illegal frames.
− strict—Performs validation, and drops illegal frames.
Replay protection
When MACsec frames are transmitted over the network, frame disorder might occur. MACsec replay
protection allows the device to accept the out-of-order packets within the replay protection window
size and drop other out-of-order packets.
NOTE:
In client-oriented mode, an MKA-enabled port on the access device must perform port-based
802.1X access control. The authentication method must be EAP relay.
Device-oriented mode
As shown in Figure 163, MACsec secures data transmission between devices. In this mode, the
same preshared key must be configured on the MACsec ports that connect the devices. The devices
use the configured preshared key as the CAK.
623
Figure 163 Device-oriented mode
802.1X
.......
MKA
MACsec
624
3. The client and the access device use the SAK to encrypt packets, and they send and receive
the encrypted packets in secure channels.
4. When the access device receives a logoff request from the client or the MKA life time expires, it
immediately removes the associated secure session from the port. The remove operation
prevents an unauthorized client from using the secure session established by the previous
authorized client to access the network.
In client-oriented mode, the MKA life time is 6 seconds and is not user configurable.
Operating mechanism for device-oriented mode
As shown in Figure 165, the devices use the configured preshared key to start session negotiation.
Figure 165 MACsec interactive process in device-oriented mode
Device A Device B
EAPOL
Session
negotiation
EAPOL-MKA: key name, SAK
Secured frames
Secure
communication
625
Hardware MACsec-capable ports
• The 24 × SFP+ ports on the LSWM124XG2Q (JH181A)
interface module.
HPE FlexFabric 5945 2-slot Switch (JQ075A) • The 24 × 10GBASE-T ports on the LSWM124XGT2Q
HPE FlexFabric 5945 4-slot Switch (JQ076A) (JH182A) interface module.
• The 8 × QSFP28 ports on the LSWM18CQMSEC
(JH957A) interface module.
You cannot use a MACsec-enabled port as an IRF physical interface. All ports on the
LSWM18CQMSEC (JH957A) interface module cannot be used as IRF physical interfaces
regardless of whether MACsec is enabled on these ports.
An interface module is not hot swappable if it has MACsec-capable ports with MACsec enabled.
You cannot enable MKA on a MACsec-incapable port.
Enabling MKA
About MKA
MKA establishes and manages MACsec secure channels on a port. It also negotiates keys used by
MACsec.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MKA.
mka enable
By default, MKA is disabled on the port.
626
Enabling MACsec desire
About MACsec desire
The MACsec desire feature expects MACsec protection for outbound frames. The key server
determines whether MACsec protects the outbound frames.
MACsec protects the outbound frames of a port when the following requirements are met:
• The key server is MACsec capable.
• Both the local participant and its peer are MACsec capable.
• A minimum of one participant is enabled with MACsec desire.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MACsec desire.
macsec desire
By default, the port does not expect MACsec protection for outbound frames.
627
• The connected MACsec ports are configured with the same CAK name (CKN) and CAK.
• Only the ports are configured with the same CKN in the network.
A user-configured preshared key has higher priority than the 802.1X-generated CAK. To ensure a
successful MKA session establishment, do not configure a preshared key in client-oriented mode.
Different cipher suites for MACsec encryption have different requirements for the CKN and CAK
configuration.
• The GCM-AES-128 cipher suite requires that the CKN and CAK each must be 32 characters
long. If the configured CKN or CAK is not 32 characters long, the system performs the following
operations when it runs the cipher suite:
{ Automatically increases the length of the CKN or CAK by zero padding if the CKN or CAK
contains less than 32 characters.
{ Uses only the first 32 characters if the CKN or CAK contains more than 32 characters.
• The GCM-AES-256 cipher suite requires that the CKN and CAK each must be 64 characters
long. If the configured CKN or CAK contains less than 64 characters, the system automatically
increases the length of the CKN or CAK by zero padding when it runs the cipher suite.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set a preshared key.
mka psk ckn name cak { cipher | simple } string
By default, no MKA preshared key exists.
628
Setting the MKA life time
Restrictions and guidelines
This task is applicable only in device-oriented mode.
Make sure the participants at the two ends of a secure session have the same MKA life time.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the MKA life time.
mka timer mka-life seconds
By default, the MKA life time is 6 seconds.
629
3. Set the MACsec confidentiality offset.
macsec confidentiality-offset offset-value
The default setting is 0, and the entire frame needs to be encrypted.
MACsec uses the confidentiality offset propagated by the key server.
4. Configure MACsec replay protection:
a. Enable MACsec replay protection.
macsec replay-protection enable
By default, MACsec replay protection is enabled on the port.
b. Set the MACsec replay protection window size.
macsec replay-protection window-size size-value
The default setting is 0. The device accepts only frames that arrive in the correct order.
Out-of-order or duplicated frames will be dropped.
The configured replay protection window size takes effect only when MACsec replay
protection is enabled.
5. Set a MACsec validation mode.
macsec validation mode { check | strict }
The default setting is check.
To avoid data loss, use the display macsec command to verify that MKA negotiation with
the peer device has succeeded before you change the mode to strict.
Parameter Description
check Verifies incoming frames but does not drop illegal frames.
630
The settings for parameters in the system-defined policy are the same as the default settings for
the parameters on a port.
You cannot delete or modify the system-defined MKA policy.
You can create multiple MKA policies.
3. Set the MACsec confidentiality offset.
confidentiality-offset offset-value
The default setting is 0, and the entire frame needs to be encrypted.
MACsec uses the confidentiality offset propagated by the key server.
4. Configure MACsec replay protection:
a. Enable MACsec replay protection.
replay-protection enable
By default, MACsec replay protection is enabled.
b. Set the replay protection window size.
replay-protection window-size size-value
The default replay protection window size is 0. The device accepts only frames that arrive in
the correct order. Out-of-order or duplicated frames will be dropped.
5. Set a MACsec validation mode.
validation mode { check | strict }
The default setting is check.
Parameter Description
check Verifies incoming frames but does not drop illegal frames.
631
system-view
2. Enable MKA session logging.
macsec mka-session log enable
By default, MKA session logging is disabled.
Task Command
display macsec [ interface
Display MACsec information on ports. interface-type interface-number ]
[ verbose ]
display mka { default-policy | policy
Display MKA policy information.
[ name policy-name ] }
display mka session [ interface
Display MKA session information. interface-type interface-number |
local-sci sci-id ] [ verbose ]
display mka statistics [ interface
Display MKA statistics on ports.
interface-type interface-number ]
reset mka session [ interface
Reset MKA sessions on ports.
interface-type interface-number ]
reset mka statistics [ interface
Clear MKA statistics on ports.
interface-type interface-number ]
632
Figure 166 Network diagram
Procedure
1. Configure IP addresses for the Ethernet ports. (Details not shown.)
2. Configure the RADIUS server to provide authentication, authorization, and accounting services.
Add a user account for the host. (Details not shown.)
3. Configure AAA:
# Enter system view.
<Device> system-view
# Configure RADIUS scheme radius1.
[Device] radius scheme radius1
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
[Device-radius-radius1] key authentication simple name
[Device-radius-radius1] key accounting simple name
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
# Configure authentication domain bbb for 802.1X users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access radius-scheme radius1
[Device-isp-bbb] authorization lan-access radius-scheme radius1
[Device-isp-bbb] accounting lan-access radius-scheme radius1
[Device-isp-bbb] quit
4. Configure 802.1X:
# Enable 802.1X on Ten-GigabitEthernet 1/1/1.
[Device] interface ten-gigabitethernet 1/1/1
[Device-Ten-GigabitEthernet1/1/1] dot1x
# Implement port-based access control on Ten-GigabitEthernet 1/1/1.
[Device-Ten-GigabitEthernet1/1/1] dot1x port-method portbased
# Specify bbb as the mandatory authentication domain for 802.1X users on
Ten-GigabitEthernet 1/1/1.
[Device-Ten-GigabitEthernet1/1/1] dot1x mandatory-domain bbb
[Device-Ten-GigabitEthernet1/1/1] quit
# Enable 802.1X globally, and sets the device to relay EAP packets.
[Device] dot1x
[Device] dot1x authentication-method eap
633
5. Configure MACsec:
# Create an MKA policy named pls.
[Device] mka policy pls
# Set the MACsec confidentiality offset to 30 bytes.
[Device-mka-policy-pls] confidentiality-offset 30
# Enable MACsec replay protection.
[Device-mka-policy-pls] replay-protection enable
# Set the MACsec replay protection window size to 100.
[Device-mka-policy-pls] replay-protection window-size 100
# Set the MACsec validation mode to strict.
[Device-mka-policy-pls] validation mode strict
[Device-mka-policy-pls] quit
# Apply the MKA policy to Ten-GigabitEthernet 1/1/1.
[Device] interface ten-gigabitethernet 1/1/1
[Device-Ten-GigabitEthernet1/1/1] mka apply policy pls
# Configure MACsec desire and enable MKA on Ten-GigabitEthernet 1/1/1.
[Device-Ten-GigabitEthernet1/1/1] macsec desire
[Device-Ten-GigabitEthernet1/1/1] mka enable
[Device-Ten-GigabitEthernet1/1/1] quit
# Display MKA session information on Ten-GigabitEthernet 1/1/1 after a user logs in.
[Device] display mka session interface ten-gigabitethernet 1/1/1 verbose
Interface Ten-GigabitEthernet1/1/1
Tx-SCI : 00E00100000A0006
Priority : 0
634
Capability: 3
CKN for participant: 1234
Key server : Yes
MI (MN) : A1E0D2897596817209CD2307 (2509)
Live peers : 1
Potential peers : 0
Principal actor : Yes
MKA session status : Secured
Confidentiality offset: 30 bytes
Current SAK status : Rx & Tx
Current SAK AN : 0
Current SAK KI (KN) : A1E0D2897596817209CD230700000002 (2)
Previous SAK status : N/A
Previous SAK AN : N/A
Previous SAK KI (KN) : N/A
Live peer list:
MI MN Priority Capability Rx-SCI
B2CAF896C9BFE2ABFB135E63 2512 0 3 00E0020000000106
Device A Device B
Procedure
1. Configure Device A:
# Enter system view.
<DeviceA> system-view
# Enter Ten-GigabitEthernet 1/1/1 interface view.
[DeviceA] interface ten-gigabitethernet 1/1/1
# Enable MACsec desire on Ten-GigabitEthernet 1/1/1.
[DeviceA-Ten-GigabitEthernet1/1/1] macsec desire
# Set the MKA key server priority to 5.
[DeviceA-Ten-GigabitEthernet1/1/1] mka priority 5
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceA-Ten-GigabitEthernet1/1/1] mka psk ckn E9AC cak simple 09DB3EF1
635
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceA-Ten-GigabitEthernet1/1/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceA-Ten-GigabitEthernet1/1/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceA-Ten-GigabitEthernet1/1/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceA-Ten-GigabitEthernet1/1/1] macsec validation mode strict
# Enable MKA on Ten-GigabitEthernet 1/1/1.
[DeviceA-Ten-GigabitEthernet1/1/1] mka enable
[DeviceA-Ten-GigabitEthernet1/1/1] quit
2. Configure Device B:
# Enter system view.
<DeviceB> system-view
# Enter Ten-GigabitEthernet 1/1/1 interface view.
[DeviceB] interface ten-gigabitethernet 1/1/1
# Enable MACsec desire on Ten-GigabitEthernet 1/1/1.
[DeviceB-Ten-GigabitEthernet1/1/1] macsec desire
# Set the MKA key server priority to 10.
[DeviceB-Ten-GigabitEthernet1/1/1] mka priority 10
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceB-Ten-GigabitEthernet1/1/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceB-Ten-GigabitEthernet1/1/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceB-Ten-GigabitEthernet1/1/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceB-Ten-GigabitEthernet1/1/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceB-Ten-GigabitEthernet1/1/1] macsec validation mode strict
# Enable MKA on Ten-GigabitEthernet 1/1/1.
[DeviceB-Ten-GigabitEthernet1/1/1] mka enable
[DeviceB-Ten-GigabitEthernet1/1/1] quit
636
Transmit secure channel:
SCI : 00E00100000A0006
Elapsed time: 00h:05m:00s
Current SA : AN 0 PN 1
Receive secure channels:
SCI : 00E0020000000106
Elapsed time: 00h:03m:18s
Current SA : AN 0 LPN 1
Previous SA : AN N/A LPN N/A
637
Receive secure channels:
SCI : 00E00100000A0006
Elapsed time: 00h:03m:21s
Current SA : AN 0 LPN 1
Previous SA : AN N/A LPN N/A
Troubleshooting MACsec
Cannot establish MKA sessions between MACsec devices
Symptom
The devices cannot establish MKA sessions when the following conditions exist:
• The link connecting the devices is up.
• The ports at the ends of the link are MACsec capable.
Analysis
The symptom might occur for the following reasons:
• The ports at the link are not enabled with MKA.
• A port at the link is not configured with a preshared key or configured with a preshared key
different from the peer.
Solution
To resolve the issue:
1. Enter interface view.
638
2. Use the display this command to check the MACsec configuration:
{ If MKA is not enabled on the port, execute the mka enable command.
{ If a preshared key is not configured or the preshared key is different from the peer, use the
mka psk command to configure a preshared key. Make sure the preshared key is the same
as the preshared key on the peer.
3. If the issue persists, contact Hewlett Packard Enterprise Support.
639
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.
Square brackets enclose a set of optional syntax choices separated by vertical bars,
[ x | y | ... ]
from which you select one or none.
Asterisk marked braces enclose a set of required syntax choices separated by vertical
{ x | y | ... } *
bars, from which you select at least one.
Asterisk marked square brackets enclose optional syntax choices separated by vertical
[ x | y | ... ] *
bars, from which you select one choice, multiple choices, or none.
The argument or keyword and argument combination before the ampersand (&) sign
&<1-n>
can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description
Window names, button names, field names, and menu items are in Boldface. For
Boldface
example, the New User window opens; click OK.
Multi-level menus are separated by angle brackets. For example, File > Create >
>
Folder.
Symbols
Convention Description
An alert that calls attention to important information that if not understood or followed
WARNING! can result in personal injury.
An alert that calls attention to important information that if not understood or followed
CAUTION: can result in data loss, data corruption, or damage to hardware or software.
640
Network topology icons
Convention Description
641
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:
www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support
Center website:
www.hpe.com/support/hpesc
Information to collect
• Technical support registration number (if applicable)
• Product name, model or version, and serial number
• Operating system name and version
• Firmware version
• Error messages
• Product-specific reports and logs
• Add-on products or components
• Third-party products or components
Accessing updates
• Some software products provide a mechanism for accessing software updates through the
product interface. Review your product documentation to identify the recommended software
update method.
• To download product updates, go to either of the following:
{ Hewlett Packard Enterprise Support Center Get connected with updates page:
www.hpe.com/support/e-updates
{ Software Depot website:
www.hpe.com/support/softwaredepot
• To view and update your entitlements, and to link your contracts, Care Packs, and warranties
with your profile, go to the Hewlett Packard Enterprise Support Center More Information on
Access to Support Materials page:
www.hpe.com/support/AccessToSupportMaterials
IMPORTANT:
Access to some updates might require product entitlement when accessed through the Hewlett
Packard Enterprise Support Center. You must have an HP Passport set up with relevant
entitlements.
Websites
Website Link
Networking websites
642
Hewlett Packard Enterprise Information Library for
www.hpe.com/networking/resourcefinder
Networking
Hewlett Packard Enterprise Networking website www.hpe.com/info/networking
Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support
Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking
Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty
General websites
Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs
Hewlett Packard Enterprise Support Center www.hpe.com/support/hpesc
Hewlett Packard Enterprise Support Services Central ssc.hpe.com/portal/site/ssc/
Contact Hewlett Packard Enterprise Worldwide www.hpe.com/assistance
Subscription Service/Support Alerts www.hpe.com/support/e-updates
Software Depot www.hpe.com/support/softwaredepot
Customer Self Repair (not applicable to all devices) www.hpe.com/support/selfrepair
Insight Remote Support (not applicable to all devices) www.hpe.com/info/insightremotesupport/docs
Remote support
Remote support is available with supported devices as part of your warranty, Care Pack Service, or
contractual support agreement. It provides intelligent event diagnosis, and automatic, secure
submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast
and accurate resolution based on your product’s service level. Hewlett Packard Enterprise strongly
recommends that you register your device for remote support.
For more information and device support details, go to the following website:
www.hpe.com/info/insightremotesupport/docs
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help
us improve the documentation, send any errors, suggestions, or comments to Documentation
Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,
part number, edition, and publication date located on the front cover of the document. For online help
content, include the product name, product version, help edition, and publication date located on the
legal notices page.
643
Index
Numerics authorization VSI, 103
basic configuration, 131
3DES
concurrent port users max, 123
IPsec encryption algorithm, 381
configuration, 108, 108
802
configuration restrictions, 108
MACsec configuration, 622, 626, 632
controlled/uncontrolled port, 88
802.1X, 88, See also under 802
critical VLAN, 100
AAA RADIUS server 802.1X user, 73
critical VLAN (MAC-based access control), 101
access control method, 111
critical VLAN (port-based access control), 100
architecture, 88
critical VLAN configuration, 117
authentication, 92
critical VLAN configuration restrictions, 117
authentication (access device initiated), 94
critical VLAN/VSI user EAP-Success packet, 121
authentication (client initiated), 94
critical voice VLAN, 102
authentication configuration, 131
critical voice VLAN (MAC-based access
authentication guest VSI+authorization VSI control), 102
configuration (MAC-based), 138
critical voice VLAN (port-based access
authentication initiation, 94 control), 102
authentication request attempts max, 123 critical voice VLAN enable, 117
authentication timeout timer, 112 critical voice VLAN enable restrictions, 117
authentication timeout timer restrictions, 112 critical VSI, 104
authentication trigger, 122 critical VSI configuration, 119
authentication trigger configuration critical VSI configuration restrictions, 119
restrictions, 123
display, 130
authentication+ACL assignment, 105
EAD assistant configuration, 128
authentication+ACL assignment
EAD assistant configuration restrictions, 128
configuration, 136
EAP over RADIUS, 91
authentication+EAD assistant configuration
(DHCP relay agent), 140 EAP packet format, 90
authentication+EAD assistant configuration EAP relay, 89
(DHCP server), 143 EAP relay authentication, 92
authentication+EAD assistant feature, 107 EAP relay enable, 110
authentication+redirect URL assignment, 106 EAP relay enable restrictions, 110
authentication+user profile assignment, 106 EAP relay/termination, 90
Auth-Fail VLAN, 99 EAP termination, 89
Auth-Fail VLAN (MAC-based access EAP termination enable, 110
control), 100 EAP termination enable restrictions, 110
Auth-Fail VLAN (port-based access EAP termination mode authentication, 93
control), 99 EAPOL packet format, 90
Auth-Fail VLAN configuration, 116 enable, 110
Auth-Fail VLAN configuration restrictions, 116 enable restrictions, 110
Auth-Fail VLAN/VSI user EAP-Success guest VLAN, 98
packet, 121 guest VLAN (MAC-based access control), 99
Auth-Fail VSI, 104 guest VLAN (port-based access control), 98
Auth-Fail VSI configuration, 119 guest VLAN assignment delay, 115
Auth-Fail VSI configuration restrictions, 119 guest VLAN configuration, 114, 133
authorization VLAN, 95 guest VLAN configuration restrictions, 114
authorization VLAN configuration, 133 guest VSI, 103
authorization VLAN port manipulation, 97 guest VSI assignment delay, 118
644
guest VSI configuration, 118 VSI manipulation, 102
guest VSI configuration restrictions, 118 VXLAN support, 102
local VLAN authorization, 96 802.1X authentication
logging off user, 130 periodic reauthentication, 106
MAC address binding, 128 port security client
MAC address binding configuration macAddressElseUserLoginSecure
restrictions, 128 configuration, 294
MAC authentication delay, 168 port security client userLoginWithOUI
MAC authentication+802.1X authentication configuration, 291
parallel processing, 170 port security configuration, 273, 276, 289
MAC user authentication attempts max, 127 port security MAC address autoLearn, 289
MAC-based access control, 95 port security MAC move, 283
maintain, 130 port security open authentication, 285
mandatory port authentication domain, 111 A
offline detection configuration, 125
AAA
online user handshake, 124
AAA test, 61
online user handshake configuration
Appendix A, RADIUS commonly used
restrictions, 124
attributes, 80
online user synchronization enable, 122
Appendix C, RADIUS subattributes (vendor ID
overview, 88 25506), 84
packet exchange method, 89 concurrent login user max, 59
packet format, 90 configuration, 1, 14, 63
port authorization state, 111 connection recording policy, 61
port authorization status, 88 connection recording policy configuration, 60
port security authentication control mode, 273 default ISP domain specifying, 53
port security MAC+802.1X authentication, 275 device ID configuration, 60
port security mode, 277 device management user attribute, 15
port-based access control, 95 displaying local users/user groups, 20
protocol packet VLAN tag removal, 126 EAP profile, 21
protocol packet VLAN tag removal FIPS compliance, 14
restrictions, 126
HWTACACS, 40
quiet timer, 114
HWTACACS accounting server, 42
quiet timer restrictions, 114
HWTACACS authentication server, 41
reauthentication, 113
HWTACACS authorization server, 41
reauthentication restrictions, 113
HWTACACS display, 47
remote VLAN authorization, 95
HWTACACS implementation, 5
server-side EAP-TLS fragment maximum
HWTACACS maintain, 47
size, 129
HWTACACS outgoing packet source IP
supported domain name delimiter, 126
address, 45
supported domain name delimiter
HWTACACS scheme creation, 41
restrictions, 126
HWTACACS scheme VPN instance, 43
troubleshooting, 145
HWTACACS server SSH user, 63
troubleshooting EAD assistant URL
redirection failure, 145 HWTACACS shared keys, 43
unauthenticated user aging, 120 HWTACACS stop-accounting packet
buffering, 47
user IP freezing enable, 127
HWTACACS timer set, 44
user logging configuration restrictions, 130
HWTACACS traffic statistics units, 46
user logging enable, 130
HWTACACS username format, 46
user profile configuration, 301
HWTACACS/RADIUS differences, 5
user profile+QoS policy configuration, 301
ISP domain accounting method, 57
VLAN manipulation, 95
645
ISP domain accounting method configuration RADIUS scheme creation, 23
restrictions, 57 RADIUS scheme VPN instance, 25
ISP domain attribute configuration, 54 RADIUS server 802.1X user, 73
ISP domain authentication method, 55 RADIUS server SSH user
ISP domain authentication method authentication+authorization, 67
configuration restrictions, 55 RADIUS server status, 25
ISP domain authorization method, 56 RADIUS service disable, 39
ISP domain authorization method RADIUS session-control, 37
configuration restrictions, 56 RADIUS session-control configuration
ISP domain configuration restrictions, 53 restrictions, 37
ISP domain creation, 52, 53 RADIUS shared keys, 25
ISP domain display, 59 RADIUS SNMP notification, 38
ISP domain idle timeout period include in user RADIUS stop-accounting packet buffering, 34
online duration, 55 RADIUS stop-accounting packet forcibly
ISP domain method, 55 sending, 35
ISP domain specifying for users that are RADIUS timer configuration restrictions, 27
assigned to nonexistent domains, 53 RADIUS timer set, 27
LDAP, 48 RADIUS traffic statistics units, 29
LDAP administrator attribute, 49 RADIUS username format, 29
LDAP attribute map, 51 SSH user local authentication+HWTACACS
LDAP attribute map for authorization, 52 authorization+RADIUS accounting, 65
LDAP authentication server, 51 troubleshoot AAA, 78
LDAP authorization server, 51 troubleshoot HWTACACS, 80
LDAP display, 52 troubleshoot LDAP authentication failure, 80
LDAP implementation, 8 troubleshoot RADIUS accounting error, 79
LDAP scheme creation, 51 troubleshoot RADIUS authentication failure, 78
LDAP server creation, 48 troubleshoot RADIUS packet delivery failure, 79
LDAP server IP address, 48 troubleshooting, 78
LDAP server SSH user authentication, 70 user group attribute, 19
LDAP user attribute, 50 user management by ISP domains, 11
LDAP versions, 48 user management by user access types, 11
local user auto-delete, 19 user profile configuration, 301
local user configuration, 14 VPN implementation, 13
methods, 11 Web authentication AAA server, 259
NAS-ID configuration, 59 access control
network access user attribute, 17 cross-subnet portal authentication
protocols and standards, 13 configuration, 225
RADIUS accounting server, 24 direct portal authentication configuration, 215
RADIUS accounting-on configuration, 36 direct portal authentication configuration (local
RADIUS attribute translation, 32 portal Web service), 253
RADIUS authentication server, 23 extended cross-subnet portal authentication
RADIUS configuration, 20 configuration, 237
RADIUS DAE server (DAS), 37 extended direct portal authentication
configuration, 229
RADIUS display, 40
extended re-DHCP portal authentication
RADIUS implementation, 2
configuration, 232
RADIUS maintain, 40
portal authentication configuration, 183, 189, 215
RADIUS packet DSCP priority, 30
portal authentication server detection+user
RADIUS real-time accounting attempts synchronization configuration, 240
max, 30
re-DHCP portal authentication configuration, 221
RADIUS request transmission attempts
Web authentication configuration, 259, 262, 268
max, 30
646
Web authentication configuration (local Address Resolution Protocol. Use ARP
authentication server), 268 uRPF configuration, 600
Web authentication configuration (RADIUS address pool
authentication server), 270 portal user preauthentication IP address pool, 199
access control policy AES
PKI certificate-based access control IPsec encryption algorithm, 381
policy, 365
aging
accessing
802.1X unauthenticated user aging, 120
portal authentication device access, 184
MAC authentication unauthenticated user
account idle time (password control), 308 aging, 164
accounting port security secure MAC address inactivity
AAA configuration, 1, 14, 63 aging, 280
AAA connection recording policy AH
configuration, 60 IPsec security protocol 51, 378
AAA device ID configuration, 60 alert protocol (SSL), 519
AAA ISP domain accounting method, 57 algorithm
AAA RADIUS accounting server, 24 IPsec authentication, 380
AAA RADIUS accounting-on, 36 IPsec encryption (3DES), 381
AAA SSH user local IPsec encryption (AES), 381
authentication+HWTACACS
IPsec encryption (DES), 381
authorization+RADIUS accounting, 65
IPsec IKE DH algorithm, 419
ACK flood attack, 532
keychain configuration, 318, 318, 319, 319
ACL
SSH algorithm renegotiation+key
802.1X authentication guest
re-exchange, 462
VSI+authorization VSI configuration
(MAC-based), 138 SSH negotiation, 454
802.1X authentication+ACL assignment, 105 SSH SCP configuration (Suite B algorithm), 510
802.1X authentication+ACL assignment SSH Secure Telnet configuration (128-bit Suite B
configuration, 136 algorithm), 495
attack D&P detection exemption, 536 SSH SFTP configuration (192-bit Suite B
algorithm), 504
IPsec ACL, 385
SSH2, 478
IPsec ACL de-encapsulated packet
check, 395 SSH2 encryption, 479
IPsec ACL rule keywords, 385 SSH2 key exchange, 478
IPsec ACL-based implementation, 381 SSH2 MAC, 479
IPsec implementation (ACL-based), 384 SSH2 public key, 479
IPsec mirror image ACLs, 386 allowing
IPsec MPLS L3VPN protection, 387 only DHCP users to pass portal authorization, 205
IPsec non-mirror image ACLs, 386 only DHCP users to pass portal authorization
(interface), 205
MAC authentication ACL
assignment, 154, 177 anti-replay
MAC authentication authorization VSI IPsec anti-replay redundancy, 396
assignment, 180 IPsec configuration, 395
SSH login control ACL attempts denied any authentication (SSH), 454
logging, 463 Appendix A
SSH management parameters, 462 AAA RADIUS commonly used attributes, 80
SSH user connection control ACL, 463 Appendix C
active AAA RADIUS subattributes (vendor ID 25506), 84
ARP active acknowledgement, 571 application
adding uRPF network, 600
port security secure MAC address, 280 applying
address attack D&P policy application (device), 537, 537
647
attack D&P policy application (interface), 537 source MAC-based detection display, 570
IPsec policy to interface, 394 unresolvable IP attack, 565, 567
IPv6 ND attack defense RA guard policy, 594 unresolvable IP attack blackhole routing, 566
port security NAS-ID profile, 286 unresolvable IP attack blackhole routing
portal authentication interface NAS ID restrictions, 566
profile, 212 unresolvable IP attack protection display, 567
architecture unresolvable IP attack source suppression, 566
802.1X, 88 user validity check, 575
PKI, 336 user validity check configuration, 579
ARP user validity check configuration restrictions, 575
attack protection. See ARP attack protection user validity check ingress port, 578
MFF configuration, 603, 604, 607 assigning
MFF configuration (in ring network), 608 802.1X authentication+ACL assignment, 105
MFF configuration (in tree network), 607 802.1X authentication+user profile
MFFARP packet processing, 604 assignment, 106
portal authentication client Rule ARP entry 802.1X guest VSI assignment delay, 118
feature, 214 MAC authentication ACL, 177
ARP attack protection MAC authentication authorization VSI, 180
active acknowledgement, 571 associating
ARP attack detection display, 578 IPsec SA, 380
ARP attack detection maintain, 578 MACsec connectivity association (CA), 622
authorized ARP configuration, 572 MACsec connectivity association key (CAK), 622
authorized ARP configuration (DHCP relay MACsec secure association (SA), 622
agent), 573 MACsec secure association key (SAK), 622
authorized ARP configuration (DHCP attack
server), 572 ARP attack protection configuration, 565
configuration, 565 TCP attack prevention configuration, 551
configuration (user+packet validity attack D&P
check), 580
blacklist, 529
detection configuration, 574
configuration, 525, 529, 546
detection logging enable, 578
configuration (device application), 546
filtering configuration, 585, 586
defense policy configuration, 529
filtering configuration restrictions, 585
defense policy configuration (ACK flood
gateway protection, 584, 585 attack), 532
gateway protection restrictions, 584 defense policy configuration (DNS flood
packet rate limit configuration, 568 attack), 535
packet rate limit configuration restrictions, 568 defense policy configuration (FIN flood
packet source MAC consistency check, 571 attack), 533
packet validity check configuration, 576 defense policy configuration (flood attack), 532
restricted forwarding, 577 defense policy configuration (HTTP flood
restricted forwarding configuration, 581 attack), 536
restricted forwarding restrictions, 577 defense policy configuration (ICMP flood
scanning+fixed ARP configuration, 583 attack), 534
scanning+fixed ARP configuration defense policy configuration (ICMPv6 flood
restrictions, 583 attack), 534
sender IP address checking defense policy configuration (RST flood
configuration, 587, 587 attack), 534
sender IP address checking restrictions, 587 defense policy configuration (scanning
attack), 531
source MAC-based attack detection, 569, 570
defense policy configuration (single-packet
source MAC-based attack detection
attack), 530
restrictions, 569
648
defense policy configuration (SYN flood AAA RADIUS attribute translation, 32
attack), 532 AAA RADIUS attribute translation (DAS), 33
defense policy configuration (SYN-ACK flood AAA RADIUS attribute translation (single
attack), 533 scheme), 33
defense policy configuration (UDP flood AAA RADIUS common standard attributes, 82
attack), 535 AAA RADIUS configuration, 20
defense policy configuration restrictions (flood AAA RADIUS extended attributes, 5
attack), 532
AAA RADIUS Login-Service attribute check
defense policy creation, 529 method, 31
detection exemption configuration, 536 AAA RADIUS Remanent_Volume attribute data
detection exemption configuration measurement unit, 32
restrictions, 537 AAA user group attribute, 19
device-preventable attacks, 525 MAC authentication blackhole attribute
display, 540 assignment, 155
flood attack, 527 portal authentication NAS-Port-Id attribute
IP blacklist, 529 format, 211
IP blacklist configuration, 539, 549 portal packet attributes configuration, 210
log non-aggregation enable, 538 RADIUS NAS-Port-Type, 212
log non-aggregation enable restrictions, 538 RADIUS packet attributes configuration, 211
login attack prevention configuration, 540 authenticating
login delay, 540 802.1X access device initiated authentication, 94
login dictionary attack, 528 802.1X authentication, 92
login DoS attack, 528 802.1X authentication request attempts max, 123
maintain, 540 802.1X authentication trigger, 122
policy application (device), 537 802.1X client-initiated, 94
policy application (interface), 537 802.1X EAP over RADIUS, 91
scanning attack, 526 802.1X EAP relay authentication, 92
single-packet attack, 525 802.1X EAP relay enable, 110
TCP fragment attack, 528 802.1X EAP termination enable, 110
TCP fragment attack prevention 802.1X EAP termination mode authentication, 93
configuration, 538 802.1X initiation, 94
TCP fragment attack prevention configuration 802.1X MAC user authentication attempts
restrictions, 539 max, 127
attack detection and prevention. See attack D&P 802.1X mandatory port authentication
attacking domain, 111
detection and prevention. See attack D&P 802.1X overview, 88
attribute 802.1X reauthentication, 113
AAA device management user attribute, 15 802.1X timeout timer, 112
AAA HWTACACS, 40 802.1X unauthenticated user aging, 120
AAA ISP domain attribute, 54 802.1X VLAN manipulation, 95
AAA ISP domain authorization attribute, 54 802.1X VSI manipulation, 102
AAA ISP domain idle timeout period include in AAA configuration, 1, 14, 63
user online duration, 55 AAA ISP domain authentication method, 55
AAA LDAP, 48 AAA LDAP authentication, 8
AAA LDAP administrator attribute, 49 AAA LDAP process, 9
AAA LDAP attribute map, 51 AAA LDAP server SSH user authentication, 70
AAA LDAP attribute map for authorization, 52 AAA RADIUS server SSH user
AAA LDAP user attribute, 50 authentication+authorization, 67
AAA local user, 14 AAA RADIUS user authentication methods, 3
AAA network access user attribute, 17 AAA SSH user local authentication+HWTACACS
AAA RADIUS attribute 31 MAC address authorization+RADIUS accounting, 65
format, 32
649
cross-subnet portal authentication SSH Secure Telnet client configuration (publickey
configuration for MPLS L3VPN, 246 authentication), 492
IKE-based IPsec tunnel for IPv4 packets, 407 SSH Secure Telnet server configuration
IPsec, 380 (password authentication), 481
IPsec authentication algorithms, 380 SSH Secure Telnet server configuration
IPsec Authentication Header. Use AH (publickey authentication), 483
IPsec configuration, 378, 404 SSH server configuration, 456
IPsec Encapsulating Security Payload. SSH SFTP client configuration (publickey
Use ESP authentication), 501
IPsec IKE configuration (main SSH SFTP server configuration (password
mode+preshared key authentication), 430 authentication), 499
IPsec IKE DSA signature authentication, 419 SSH user authentication timeout timer, 463
IPsec IKE preshared key authentication, 419 SSL services, 519
IPsec IKE RSA signature authentication, 419 user profile configuration, 300, 301
IPsec RIPng configuration, 409 user profile configuration (single user), 300
IPsec RRI configuration, 399, 413 user profile+QoS policy configuration, 301
IPsec tunnel configuration for IPv4 packets Authentication, Authorization, and Accounting.
(IKE-based), 433 Use AAA
IPsec tunnel for IPv4 packets (manual), 404 Auth-Fail VLAN
keychain configuration, 318, 318, 319, 319 802.1X authentication, 99
MAC authentication, 146, 156, 172 802.1X authentication (MAC-based access
control), 100
MAC authentication (local), 172
802.1X authentication (port-based access
MAC authentication (RADIUS-based), 175
control), 99
MAC authentication unauthenticated user
802.1X Auth-Fail VLAN user EAP-Success
aging, 164
packet, 121
MAC authentication VLAN assignment, 147
802.1X configuration, 116
MAC local authentication method, 147
Web authentication Auth-Fail VLAN, 261, 266
MAC RADIUS authentication method, 147
Auth-Fail VSI
password control configuration, 305, 309, 314
802.1X authentication, 104
periodic 802.1X reauthentication, 106
802.1X Auth-Fail VSI user EAP-Success
periodic MAC reauthentication, 155, 160 packet, 121
port security authentication modes, 273 802.1X configuration, 119
port security client authorization VLAN
macAddressElseUserLoginSecure
802.1X configuration, 133
configuration, 294
MAC authentication, 147
port security client userLoginWithOUI
configuration, 291 MAC authentication port manipulation, 149
port security configuration, 273, 276, 289 port manipulation, 97
port security escape critical VSI, 287 Web authentication authorization VLAN, 260
port security MAC address autoLearn authorization VSI
configuration, 289 802.1X authentication guest VSI+authorization
port security open authentication mode, 285 VSI configuration (MAC-based), 138
portal authentication client, 184 MAC authentication, 152
portal preauthentication domain, 198 authorized ARP
portal server, 184 configuration, 572
SSH authentication attempt max number, 463 configuration (DHCP relay agent), 573
SSH configuration, 453 configuration (DHCP server), 572
SSH methods, 454 authorizing
SSH SCP+password authentication, 508 802.1X authorization VLAN, 95
SSH Secure Telnet client configuration 802.1X authorization VSI, 103
(password authentication), 489 802.1X port authorization state, 111
802.1X port authorization status, 88
650
802.1X port authorized-force state, 111 blacklisting
802.1X port auto state, 111 attack D&P, 529
802.1X port unauthorized-force state, 111 attack D&P IP blacklist, 529
AAA configuration, 1, 14, 63 attack D&P IP blacklist configuration, 539, 549
AAA ISP domain authorization method, 56 broadcast
AAA LDAP authorization, 8 port security NTK configuration, 281
AAA LDAP process, 10 buffering
AAA RADIUS server SSH user AAA HWTACACS stop-accounting packet
authentication+authorization, 67 buffering, 47
AAA RADIUS session-control, 37 AAA RADIUS stop-accounting packet
AAA SSH user local buffering, 34
authentication+HWTACACS C
authorization+RADIUS accounting, 65
MAC authentication authorization VLAN, 147 CA
MAC authentication authorization VLAN port PKI architecture, 336
manipulation, 149 PKI CA policy, 336
MAC authentication authorization VSI, 152 PKI certificate, 335
MAC authentication local VLAN PKI certificate export, 350
authorization, 149 PKI certificate obtain, 347
MAC authentication remote VLAN PKI certificate removal, 351
authorization, 147 PKI certificate request, 344
port security authorization-fail-offline PKI certificate request abort, 347
feature, 284 PKI certificate verification, 348
port security server authorization information PKI CRL, 335
ignore, 282
PKI domain configuration, 340
portal authorization strict-checking mode, 205
PKI entity configuration, 339
auto
PKI online certificate request (manual), 346
FIPS mode (automatic reboot), 613
PKI online certificate request mode
FIPS mode entry (automatic reboot), 617 (automatic), 345
FIPS mode exit (automatic reboot), 616, 620 PKI OpenCA server certificate request, 359
PKI online certificate request mode PKI RSA Keon CA server certificate request, 353
(automatic), 345
PKI storage path, 344
port security MAC address autoLearn
configuration, 289 PKI Windows 2003 CA server certificate
request, 356
B PKI Windows 2003 CA server IKE
BAS-IP negotiation+RSA digital signature, 363
portal authentication BAS-IP, 210 troubleshooting PKI CA certificate import
failure, 375
benefit
troubleshooting PKI CA certificate obtain
IKE, 417
failure, 372
IPsec, 378
CAR
binding
AAA RADIUS class attribute as CAR
IPsec source interface to policy, 397 parameter, 31
IPSG dynamic binding, 553 certificate
IPSG static binding, 552 authority. Use CA
IPv4SG static binding configuration, 554 PKI certificate verification (CRL checking), 349
IPv6SG static binding configuration, 556 PKI certificate verification (w/o CRL
blackhole checking), 350
ARP attack protection blackhole routing PKI certificate-based access control policy, 365
(unresolvable IP attack), 566 revocation list. Use CRL
MAC authentication blackhole attribute challenging
assignment, 155
IPsec IKEv2 cookie challenge, 449
651
changing MACsec operation (client-oriented), 624
SFTP directory name, 472 portal authentication, 184
SFTP file name, 473 portal authentication system, 183
SFTP working directory, 472 SSL client policy configuration, 522
SSL change cipher spec protocol, 519 Web authentication, 259
CHAP Web authentication system components, 259
MAC authentication method, 158 command
CHAP/PAP authentication AAA command accounting method, 11
direct/cross-subnet portal authentication AAA command authorization method, 11
process, 186 comparing
re-DHCP portal authentication process, 187 802.1X EAP relay/termination, 90
checking complexity checking (password control), 306
ARP sender IP address checking, 587, 587 composition checking (password control), 305
category-2 portal filtering rule issuing, 204 conditional self-test, 612
IPsec ACL de-encapsulated packet configuration rollback guidelines, 612
check, 395 configuring
MACsec integrity check, 622, 623 802.1X, 108, 108
PKI certificate verification (CRL 802.1X authentication, 131
checking), 349
802.1X authentication guest VSI+authorization
PKI certificate verification (w/o CRL VSI (MAC-based), 138
checking), 350
802.1X authentication trigger, 122
portal authorization strict-checking mode, 205
802.1X authentication+ACL assignment, 136
uRPF loose check mode, 600
802.1X authentication+EAD assistant (DHCP
uRPF strict check mode, 600 relay agent), 140
cipher suite 802.1X authentication+EAD assistant (DHCP
MACsec encryption cipher suite, 627 server), 143
class 802.1X Auth-Fail VLAN, 99, 116
AAA RADIUS class attribute as CAR 802.1X Auth-Fail VSI, 119
parameter, 31 802.1X authorization VLAN, 133
classifying 802.1X basics, 131
IPsec QoS pre-classify enable, 397 802.1X critical VLAN, 100, 117
clearing 802.1X critical VSI, 119
IPsec packet DF bit clear, 398 802.1X EAD assistant, 128
client 802.1X guest VLAN, 98, 114, 133
802.1X authentication, 92 802.1X guest VSI, 118
802.1X authentication (access device 802.1X MAC address binding, 128
initiated), 94
802.1X offline detection, 125
802.1X authentication (client-initiated), 94
802.1X online user handshake, 124
802.1X authentication client timeout timer, 112
802.1X reauthentication, 113
802.1X authentication configuration, 131
802.1X unauthenticated user aging, 120
802.1X authentication initiation, 94
AAA, 1, 14, 63
802.1X authentication+ACL assignment
AAA connection recording policy, 60
configuration, 136
AAA device ID, 60
802.1X authentication+EAD assistant
configuration (DHCP relay agent), 140 AAA device management user attributes, 15
802.1X authentication+EAD assistant AAA EAP profile, 21
configuration (DHCP server), 143 AAA HWTACACS, 40
802.1X authorization VLAN configuration, 133 AAA HWTACACS server SSH user, 63
802.1X basic configuration, 131 AAA HWTACACS stop-accounting packet
802.1X configuration, 108, 108 buffering, 47
802.1X guest VLAN configuration, 133 AAA ISP domain accounting method, 57
MACsec (client-oriented), 632 AAA ISP domain attribute, 54
652
AAA ISP domain authentication method, 55 ARP attack protection (user+packet validity
AAA ISP domain authorization attribute, 54 check), 580
AAA ISP domain authorization method, 56 ARP attack protection blackhole routing
AAA ISP domain method, 55 (unresolvable IP attack), 566
AAA LDAP, 48 ARP attack protection restricted forwarding, 581
AAA LDAP administrator attributes, 49 ARP attack protection source suppression
(unresolvable IP attack), 566
AAA LDAP attribute map, 51
ARP attack protection user validity check, 579
AAA LDAP server IP address, 48
ARP filtering, 585, 586
AAA LDAP server SSH user
authentication, 70 ARP gateway protection, 584, 585
AAA LDAP user attributes, 50 ARP packet rate limit, 568
AAA local user, 14 ARP packet source MAC consistency check, 571
AAA local user auto-delete, 19 ARP scanning+fixed ARP, 583
AAA NAS-ID, 59 ARP sender IP address checking, 587, 587
AAA network access user attributes, 17 attack D&P, 525, 529, 546
AAA RADIUS, 20 attack D&P (device application), 546
AAA RADIUS accounting-on, 36 attack D&P defense policy, 529
AAA RADIUS attribute 31 MAC address attack D&P defense policy (ACK flood
format, 32 attack), 532
AAA RADIUS attribute translation, 32 attack D&P defense policy (DNS flood
attack), 535
AAA RADIUS attribute translation (DAS), 33
attack D&P defense policy (FIN flood attack), 533
AAA RADIUS attribute translation (single
scheme), 33 attack D&P defense policy (flood attack), 532
AAA RADIUS DAE server (DAS), 37 attack D&P defense policy (HTTP flood
attack), 536
AAA RADIUS Login-Service attribute check
method, 31 attack D&P defense policy (ICMP flood
attack), 534
AAA RADIUS server 802.1X user, 73
attack D&P defense policy (ICMPv6 flood
AAA RADIUS server SSH user
attack), 534
authentication+authorization, 67
attack D&P defense policy (RST flood
AAA RADIUS server status detection test
attack), 534
profile, 22
attack D&P defense policy (scanning attack), 531
AAA RADIUS session-control, 37
attack D&P defense policy (single-packet
AAA RADIUS stop-accounting packet
attack), 530
buffering, 34
attack D&P defense policy (SYN flood
AAA SSH user local
attack), 532
authentication+HWTACACS
authorization+RADIUS accounting, 65 attack D&P defense policy (SYN-ACK flood
attack), 533
AAA test, 61
attack D&P defense policy (UDP flood
AAA user group attributes, 19
attack), 535
ARP active acknowledgement, 571
attack D&P detection exemption, 536
ARP attack detection, 574
attack D&P IP blacklist, 539, 549
ARP attack detection (source
attack D&P login attack prevention, 540
MAC-based), 569, 570
attack D&P policy application (interface), 537
ARP attack detection packet validity
check, 576 attack D&P TCP fragment attack prevention, 538
ARP attack detection restricted authorized ARP, 572
forwarding, 577 authorized ARP (DHCP relay agent), 573
ARP attack detection user validity check, 575 authorized ARP (DHCP server), 572
ARP attack protection, 565 cross-subnet portal authentication, 225
ARP attack protection (unresolvable IP cross-subnet portal authentication configuration
attack), 565, 567 for MPLS L3VPN, 246
crypto engine, 610
653
destination-based portal-free rule, 201 IPsec IKEv2 profile, 442
DHCP relay agent-based dynamic IPsec IKEv2 profile local ID, 443
IPv4SG, 559 IPsec IKEv2 profile peer ID, 444
DHCP snooping-based dynamic IPv4SG, 558 IPsec IKEv2 proposal, 447
DHCPv6 relay agent-based dynamic IPsec IPv6 routing protocol profile (manual), 400
IPv6SG, 563 IPsec packet DF bit, 398
DHCPv6 snooping-based dynamic IPv6SG IPsec policy (IKE-based), 391
address bindings, 561
IPsec policy (IKE-based/direct), 392
DHCPv6 snooping-based dynamic IPv6SG
IPsec policy (IKE-based/template), 393
prefix bindings, 562
IPsec policy (manual), 390
direct portal authentication, 215
IPsec RIPng, 409
direct portal authentication (local portal Web
service), 253 IPsec RRI, 399, 413
direct portal authentication+preauthentication IPsec SNMP notification, 403
domain, 248 IPsec transform set, 388
extended cross-subnet portal IPsec tunnel for IPv4 packets (IKE-based), 433
authentication, 237 IPsec tunnel for IPv4 packets (manual), 404
extended direct portal authentication, 229 IPSG, 552, 553, 557
extended re-DHCP portal authentication, 232 IPv4SG, 554
FIPS, 611, 617 IPv4SG static binding, 554
global IPsec IKE DPD, 428 IPv4SG static binding (global), 555
global IPsec SA lifetime and idle timeout, 401 IPv4SG static binding (on interface), 555
IKE phase 1 negotiation mode, 422 IPv6 destination guard, 597
IKE profile optional features, 423 IPv6 ND attack defense, 590
IKE-based IPsec tunnel for IPv4 packets, 407 IPv6 ND attack defense RA guard, 593, 595
IKEv2 profile optional features, 445 IPv6 ND attack defense RA guard policy, 594
IP-based portal-free rule, 201 IPv6 ND attack detection, 591
IPsec, 378, 404 IPv6SG, 555
IPsec ACL, 385 IPv6SG static binding, 556
IPsec anti-replay, 395 IPv6SG static binding (global), 556
IPsec anti-replay redundancy, 396 IPv6SG static binding (on interface), 556
IPsec for IPv6 routing protocols, 400 keychain, 318, 318, 319, 319
IPsec fragmentation, 402 local portal authentication service, 194
IPsec IKE, 417, 430 local portal service, 263
IPsec IKE (main mode+preshared key MAC authentication, 146, 156, 172
authentication), 430 MAC authentication (local), 172
IPsec IKE global identity information, 426 MAC authentication (RADIUS-based), 175
IPsec IKE keepalive, 427 MAC authentication ACL assignment, 177
IPsec IKE keychain, 425 MAC authentication authorization VSI
IPsec IKE NAT keepalive, 427 assignment, 180
IPsec IKE profile, 421 MAC authentication critical VLAN, 162
IPsec IKE profile local ID, 423 MAC authentication critical VSI, 164
IPsec IKE profile peer ID, 421 MAC authentication delay, 168
IPsec IKE proposal, 424 MAC authentication guest VLAN, 161
IPsec IKE SNMP notification, 429 MAC authentication guest VSI, 163
IPsec IKEv2, 440 MAC authentication offline detection, 165
IPsec IKEv2 DPD, 449 MAC authentication timer, 159
IPsec IKEv2 global parameters, 449 MAC authentication unauthenticated user
IPsec IKEv2 keychain, 448 aging, 164
IPsec IKEv2 NAT keepalive, 450 MAC authentication user account format, 159
IPsec IKEv2 policy, 446 MACsec, 622, 626, 632
MACsec (client-oriented), 632
654
MACsec (device-oriented), 635 portal authentication server BAS-IP
MACsec MKA key server priority, 628 (interface), 210
MACsec preshared key, 627 portal authentication server detection, 208
MACsec protection parameters, 629 portal authentication server detection+user
MACsec protection parameters (interface synchronization, 240
view), 629 portal authentication source subnet, 202
MACsec protection parameters (MKA portal authentication user online detection, 207
policy), 630 portal authentication user synchronization, 209
MFF, 603, 604, 607 portal authentication Web proxy support, 203
MFF (in ring network), 608 portal authentication Web redirect, 214
MFF (in tree network), 607 portal authentication Web server detection, 208
MFF network port, 605 portal packet attributes, 210
NAS-Port-Type attribute, 212 portal preauthentication domain, 198
NETCONF-over-SSH, 517 portal Web server basic parameters, 192
NETCONF-over-SSH client user line, 459 RADIUS packet attributes, 211
NETCONF-over-SSH+password re-DHCP portal authentication, 221
authentication, 517 re-DHCP portal authentication+preauthentication
password control, 305, 309, 314 domain configuration, 250
peer host public key, 328 remote portal authentication server, 191
periodic MAC reauthentication, 160 remote portal authentication Web server, 192
PKI, 335, 338, 353 Secure Telnet client user line, 459
PKI certificate import/export, 367 source-based portal-free rule, 201
PKI certificate request abort, 347 SSH, 453
PKI certificate-based access control SSH client host public key, 459
policy, 352, 365 SSH device as Secure Telnet client, 465
PKI domain, 340 SSH device as server, 456
PKI entity, 339 SSH device as SFTP client, 468
PKI online certificate request (manual), 346 SSH management parameters, 462
PKI OpenCA server certificate request, 359 SSH SCP, 508
PKI RSA Keon CA server certificate SSH SCP (Suite B algorithm), 510
request, 353 SSH SCP client device, 474
PKI Windows 2003 CA server certificate SSH SCP+password authentication, 508
request, 356
SSH Secure Telnet, 480
PKI Windows 2003 CA server IKE
SSH Secure Telnet (128-bit Suite B
negotiation+RSA digital signature, 363
algorithm), 495
port security, 273, 276, 289
SSH Secure Telnet client (password
port security client authentication), 489
macAddressElseUserLoginSecure, 294
SSH Secure Telnet client (publickey
port security client userLoginWithOUI, 291 authentication), 492
port security intrusion protection, 282 SSH Secure Telnet server (password
port security MAC address autoLearn, 289 authentication), 481
port security NTK feature, 281 SSH Secure Telnet server (publickey
port security secure MAC addresses, 279 authentication), 483
portal authentication, 183, 189, 215 SSH SFTP, 499
portal authentication destination subnet, 202 SSH SFTP (192-bit Suite B algorithm), 504
portal authentication detection features, 207 SSH SFTP client (publickey authentication), 501
portal authentication fail-permit, 206 SSH SFTP server (password authentication), 499
portal authentication local portal Web service SSH user, 461
parameter, 196 SSH2 algorithms (encryption), 479
portal authentication portal-free rule, 201 SSH2 algorithms (key exchange), 478
portal authentication server BAS-IP, 210 SSH2 algorithms (MAC), 479
655
SSH2 algorithms (public key), 479 local key pair, 326
SSL, 519, 520 PKI domain, 340
SSL client, 521 security LDAP server, 48
SSL client policy, 522 SFTP new directory, 473
SSL server, 520 critical VLAN
SSL server policy, 521 802.1X authentication, 100
static IPv4SG, 557 802.1X authentication (MAC-based access
static IPv6SG, 560 control), 101
TCP attack prevention, 551 802.1X authentication (port-based access
TCP attack prevention (Naptha attack), 551 control), 100
uRPF, 600 802.1X configuration, 117
user profile, 300, 301 802.1X critical VLAN user EAP-Success
packet, 121
user profile (single user), 300
MAC authentication, 150
user profile+QoS policy, 301
MAC authentication configuration, 162
Web authentication, 259, 262, 268
critical voice VLAN
Web authentication (local authentication
server), 268 802.1X authentication, 102
Web authentication (RADIUS authentication 802.1X authentication (MAC-based access
server), 270 control), 102
Web authentication Auth-Fail VLAN, 266 802.1X authentication (port-based access
control), 102
Web authentication proxy support, 267
802.1X enable, 117
Web authentication server, 263
MAC authentication, 151
Web authentication user online detection, 266
MAC authentication enable, 163
Web authentication-free subnet, 265
critical VSI
connecting
802.1X authentication, 104
MACsec connectivity association (CA), 622
802.1X configuration, 119
MACsec connectivity association key
(CAK), 622 802.1X critical VSI user EAP-Success
packet, 121
SSH session disconnect, 464
MAC authentication, 153
connectivity association (CA)
MAC authentication configuration, 164
MACsec, 622
CRL
connectivity association key (CAK)
PKI, 335
MACsec, 622
PKI architecture, 336
consistency check (ARP attack protection), 571
PKI CA policy, 336
controlling
PKI certificate export, 350
802.1X controlled/uncontrolled port, 88
PKI certificate removal, 351
AAA RADIUS session-control, 37
PKI certificate-based access control policy, 352
port security MAC address learning, 274
PKI storage path, 344
portal authentication user access, 201
troubleshooting PKI CRL obtain failure, 374
cookie
cross-subnet
IPsec IKEv2 cookie challenge, 441, 449
extended cross-subnet portal authentication
copying
configuration, 237
IPsec packet DF bit copy, 398
portal authentication configuration, 225
creating
portal authentication configuration for MPLS
AAA HWTACACS scheme, 41 L3VPN, 246
AAA ISP domain, 52, 53 portal authentication mode, 186
AAA LDAP scheme, 51 crypto engine
AAA RADIUS scheme, 23 configuration, 610
attack D&P defense policy, 529 display, 610
IPsec IKE profile, 421 maintain, 610
IPsec IKEv2 profile, 442
656
cryptography SFTP file, 473
FIPS self-test, 611 SSH SCP server public key, 477
customizing SSH Secure Telnet server public key, 468
portal authentication local portal Web service SSH SFTP server public key, 471
page customization, 185 delimiter (802.1X domain name), 126
portal authentication pages, 194, 194, 194 DES
D IPsec encryption algorithm, 381
desire
DAE
MACsec enable, 627
AAA RADIUS attribute translation (DAS), 33
destination
AAA RADIUS DAE server (DAS), 37
portal authentication destination subnet, 202
data
portal authentication portal-free rule, 201
MACsec configuration, 622, 626, 632
destroying
MACsec configuration (client-oriented), 632
local key pair, 330
MACsec configuration (device-oriented), 635
detecting
SSL configuration, 519, 520
AAA RADIUS server status detection test
data encryption
profile, 22
PKI configuration, 335, 338, 353
ARP attack detection (source
default MAC-based), 569, 570
MFF default gateway, 604 ARP attack detection configuration, 574
defending attack D&P detection exemption, 536
attack D&P defense policy, 529 IPv6 ND attack detection configuration, 591
attack D&P defense policy (flood attack), 532 MAC authentication offline detection
attack D&P defense policy (ICMP flood configuration, 165
attack), 534 portal authentication detection, 207
attack D&P defense policy (ICMPv6 flood portal authentication server, 208
attack), 534
portal authentication server detection+user
attack D&P defense policy (scanning synchronization configuration, 240
attack), 531
portal authentication user online detection, 207
attack D&P defense policy (single-packet
portal authentication user synchronization, 209
attack), 530
portal authentication Web server, 208
attack D&P defense policy (UDP flood
attack), 535 Web authentication user online detection, 266
attack D&P defense policy configuration (ACK device
flood attack), 532 802.1X authentication, 92
attack D&P defense policy configuration (DNS 802.1X authentication configuration, 131
flood attack), 535 802.1X authentication initiation, 94
attack D&P defense policy configuration (FIN 802.1X authentication+ACL assignment
flood attack), 533 configuration, 136
attack D&P defense policy configuration 802.1X authentication+EAD assistant
(HTTP flood attack), 536 configuration (DHCP relay agent), 140
attack D&P defense policy configuration (RST 802.1X authentication+EAD assistant
flood attack), 534 configuration (DHCP server), 143
attack D&P defense policy configuration (SYN 802.1X authorization VLAN configuration, 133
flood attack), 532 802.1X basic configuration, 131
attack D&P defense policy configuration 802.1X configuration, 108, 108
(SYN-ACK flood attack), 533 802.1X EAD assistant, 128
attack D&P policy application (device), 537 802.1X guest VLAN configuration, 133
attack D&P policy application (interface), 537 802.1X server-side EAP-TLS fragment maximum
delaying size, 129
MAC authentication delay, 168 AAA configuration, 1, 14, 63
deleting AAA device ID configuration, 60
SFTP directory, 473
657
AAA device management user, 14 extended direct portal authentication
AAA EAP profile, 21 configuration, 229
AAA HWTACACS, 40 extended re-DHCP portal authentication
AAA HWTACACS accounting server, 42 configuration, 232
AAA HWTACACS authentication server, 41 IPsec RIPng configuration, 409
AAA HWTACACS authorization server, 41 IPv6 ND attack defense device role, 593
AAA HWTACACS implementation, 5 keychain configuration, 318, 319, 319
AAA HWTACACS scheme VPN instance, 43 logging off 802.1X user, 130
AAA HWTACACS server SSH user, 63 logging off MAC authentication user, 171
AAA HWTACACS shared keys, 43 MAC authentication, 156, 172
AAA LDAP, 48 MAC authentication (local), 172
AAA LDAP attribute map for authorization, 52 MAC authentication (RADIUS-based), 175
AAA LDAP authentication server, 51 MAC authentication ACL assignment, 177
AAA LDAP authorization server, 51 MAC authentication authorization VSI
assignment, 180
AAA LDAP implementation, 8
MAC authentication configuration, 146
AAA LDAP server SSH user
authentication, 70 MACsec (device-oriented), 635
AAA LDAP server timeout period, 49 MACsec operation (device-oriented), 624
AAA local user, 14 MFF server IP address, 606
AAA RADIUS accounting server, 24 NETCONF-over-SSH configuration, 517
AAA RADIUS authentication server, 23 NETCONF-over-SSH+password authentication
configuration, 517
AAA RADIUS configuration, 20
password control configuration, 305, 309, 314
AAA RADIUS implementation, 2
password control parameters (global), 310
AAA RADIUS scheme VPN instance, 25
password control parameters (local user), 312
AAA RADIUS server 802.1X user, 73
password control parameters (super), 313
AAA RADIUS server SSH user
authentication+authorization, 67 password control parameters (user group), 312
AAA RADIUS server status, 25 password setting, 305
AAA RADIUS shared keys, 25 port security server authorization information
ignore, 282
AAA SSH user local
authentication+HWTACACS portal authentication AAA server, 184
authorization+RADIUS accounting, 65 portal authentication access device ID, 211
AAA VPN implementation, 13 portal authentication client, 184
attack D&P configuration, 525, 529, 546 portal authentication device access, 184
attack D&P configuration (device portal authentication policy server, 184
application), 546 portal authentication server detection+user
attack D&P defense policy, 529 synchronization configuration, 240
attack D&P device-preventable attacks, 525 portal server, 184
attack D&P IP blacklist configuration, 549 re-DHCP portal authentication configuration, 221
attack D&P policy application (device), 537 re-DHCP portal authentication+preauthentication
authorized ARP configuration (DHCP domain configuration, 250
server), 572 SSH SCP client, 474
cross-subnet portal authentication SSH SCP configuration, 508
configuration, 225 SSH SCP server enable, 458
crypto engine configuration, 610 SSH SCP+password authentication, 508
direct portal authentication configuration, 215 SSH Secure Telnet client, 465
direct portal authentication configuration (local SSH Secure Telnet client configuration (password
portal Web service), 253 authentication), 489
direct portal authentication+preauthentication SSH Secure Telnet client configuration (publickey
domain configuration, 248 authentication), 492
extended cross-subnet portal authentication SSH Secure Telnet configuration, 480
configuration, 237
658
SSH Secure Telnet configuration (128-bit portal authentication re-DHCP process
Suite B algorithm), 495 (CHAP/PAP authentication), 187
SSH Secure Telnet server configuration portal preauthentication domain, 198
(password authentication), 481 re-DHCP portal authentication configuration, 221
SSH Secure Telnet server configuration re-DHCP portal authentication+preauthentication
(publickey authentication), 483 domain configuration, 250
SSH Secure Telnet server connection relay agent-based dynamic IPv4SG
establishment, 466 configuration, 559
SSH Secure Telnet server enable, 458 troubleshooting portal authentication users
SSH server configuration, 456 cannot log in (re-DHCP), 258
SSH SFTP client, 468 DHCP snooping
SSH SFTP client configuration (publickey DHCP snooping-based dynamic IPv4SG
authentication), 501 configuration, 558
SSH SFTP configuration, 499 DHCPv6
SSH SFTP configuration (192-bit Suite B relay agent-based dynamic IPv6SG
algorithm), 504 configuration, 563
SSH SFTP server configuration (password snooping-based dynamic IPv6SG address
authentication), 499 binding configuration, 561
SSH SFTP server enable, 458 snooping-based dynamic IPv6SG prefix binding
SSL client configuration, 521 configuration, 562
SSL server configuration, 520 dictionary
SSL server policy configuration, 521 attack D&P login delay, 540
user profile configuration, 300 attack D&P login dictionary attack, 528
user profile configuration (single user), 300 digital certificate
user profile+QoS policy configuration, 301 PKI CA certificate, 335
Web authentication device access, 259 PKI CA policy, 336
DF bit PKI certificate export, 350
IPsec packet DF bit clear, 398 PKI certificate import/export configuration, 367
IPsec packet DF bit copy, 398 PKI certificate obtain, 347
IPsec packet DF bit set, 398 PKI certificate removal, 351
DH PKI certificate request, 344
IPsec IKEv2 DH guessing, 441 PKI certificate request abort, 347
DH algorithm PKI certificate verification, 348
IPsec IKE, 419 PKI certificate-based access control policy, 352
IPsec PFS, 419 PKI configuration, 335, 338, 353
DHCP PKI CRL, 335
802.1X authentication+EAD assistant PKI domain configuration, 340
configuration (DHCP relay agent), 140 PKI entity configuration, 339
802.1X authentication+EAD assistant PKI local certificate, 335
configuration (DHCP server), 143 PKI online certificate request (manual), 346
allowing only DHCP users to pass portal PKI online certificate request mode
authentication, 205 (automatic), 345
authorized ARP configuration, 572 PKI OpenCA server certificate request, 359
authorized ARP configuration (DHCP relay PKI peer certificate, 335
agent), 573 PKI RA certificate, 335
authorized ARP configuration (DHCP PKI RSA Keon CA server certificate request, 353
server), 572
PKI storage path, 344
extended re-DHCP portal authentication
PKI verification (CRL checking), 349
configuration, 232
PKI verification (w/o CRL checking), 350
portal authentication mode (re-DHCP), 186
PKI Windows 2003 CA server certificate
portal authentication modes, 185
request, 356
portal authentication process, 186
Digital Signature Algorithm. Use DSA
659
direct portal authentication mode, 185 portal authentication, 214
directing public key, 330
portal authentication Web redirect, 214 SFTP directory file, 472, 473
directory SFTP working directory, 472
AAA LDAP directory service, 8 SSH, 480
SFTP directory deletion, 473 SSH SFTP help information, 474
SFTP directory file display, 472, 473 SSL, 524
SFTP directory name change, 472 uRPF, 602
SFTP new directory creation, 473 user profile, 300
SFTP working directory change, 472 Web authentication, 268
SFTP working directory display, 472 distributing
SSH SFTP, 472 local host public key, 327
disabling DNS
AAA RADIUS service, 39 attack D&P defense policy (DNS flood
IPv6 destination guard (globally), 598 attack), 535
IPv6 destination guard (on an interface), 598 domain
SSL session renegotiation, 523 802.1X mandatory port authentication
disconnecting domain, 111
SSH session, 464 802.1X supported domain name delimiter, 126
displaying AAA ISP domain accounting method, 57
802.1X, 130 AAA ISP domain attribute, 54
AAA connection recording policy, 61 AAA ISP domain authentication method, 55
AAA HWTACACS, 47 AAA ISP domain authorization attribute, 54
AAA ISP domain, 59 AAA ISP domain authorization method, 56
AAA LDAP, 52 AAA ISP domain idle timeout period include in
user online duration, 55
AAA local users/user groups, 20
AAA ISP domain status, 54
AAA RADIUS, 40
MAC authentication, 158
ARP attack detection, 578
PKI domain configuration, 340
ARP attack detection (source
MAC-based), 570 portal authentication domain, 200
ARP attack protection (unresolvable IP SSH server PKI domain, 464
attack), 567 Web authentication domain, 264
attack D&P, 540 Don't Fragment bit. See DF bit
crypto engine, 610 DoS
FIPS, 617 attack D&P login attack prevention, 540
host public key, 328 attack D&P login DoS attack, 528
IPsec, 403 downloading
IPsec IKE, 430 SFTP file+local save, 473
IPsec IKEv2, 450 DPD
IPSG, 557 global IPsec IKE DPD, 428
IPv4SG, 557 IPsec IKEv2 DPD, 449
IPv6 ND attack defense RA guard, 595 DSA
IPv6SG, 557 host public key display, 328
keychain, 319 host public key export, 327
MAC authentication, 171 IPsec IKE signature authentication, 419
MACsec, 632 public key management, 325
MFF, 606 SSH client host public key configuration, 459
ND attack detection, 593 SSH Secure Telnet client configuration (publickey
password control, 314 authentication), 492
PKI, 353 DSCP
port security, 289 AAA RADIUS packet DSCP priority setting, 30
660
SSH server packet DSCP value, 463 Elliptic Curve Digital Signature Algorithm. Use ECDSA
dst-mac validity check (ARP attack detection), 576 email (PKI secure), 337
dynamic enable
DHCP relay agent-based IPv4SG captive-bypass feature, 192
configuration, 559 enabling
DHCP snooping-based dynamic IPv4SG 802.1X, 110
configuration, 558 802.1X critical voice VLAN, 117
DHCPv6 relay agent-based dynamic IPv6SG 802.1X EAP relay, 110
configuration, 563
802.1X EAP termination, 110
DHCPv6 snooping-based dynamic IPv6SG
802.1X guest VLAN assignment delay, 115
address binding configuration, 561
802.1X guest VSI assignment delay, 118
DHCPv6 snooping-based dynamic IPv6SG
prefix binding configuration, 562 802.1X online user synchronization, 122
IPSG dynamic binding, 553 802.1X user IP freezing, 127
port security dynamic secure MAC, 281 802.1X user logging, 130
port security secure MAC address, 279 AAA RADIUS server load sharing, 35
AAA RADIUS SNMP notification, 38
E
AAA RADIUS stop-accounting packet forcibly
EAD sending, 35
802.1X authentication+EAD assistant, 107 ARP attack detection logging, 578
802.1X authentication+EAD assistant attack D&P log non-aggregation, 538
configuration (DHCP relay agent), 140 attack D&P login delay, 540
802.1X authentication+EAD assistant IPsec ACL de-encapsulated packet check, 395
configuration (DHCP server), 143 IPsec IKE invalid SPI recovery, 428
802.1X EAD assistant configuration, 128 IPsec IKEv2 cookie challenge, 449
troubleshooting 802.1X EAD assistant URL IPsec packet logging, 402
redirection failure, 145
IPsec QoS pre-classify, 397
EAP
IPv4SG on interface, 554
802.1X Auth-Fail VLAN/VSI user
IPv6 destination guard (globally), 598
EAP-Success packet, 121
IPv6 destination guard (on an interface), 598
802.1X critical VLAN/VSI user EAP-Success
packet, 121 IPv6 ND attack defense RA guard logging, 595
802.1X EAP over RADIUS, 91 IPv6 ND attack defense source MAC consistency
check, 591
802.1X EAP relay enable, 110
IPv6SG on interface, 555
802.1X EAP termination enable, 110
logging for portal user login/logout, 213
802.1X EAP termination mode
authentication, 93 MAC authentication, 157
802.1X packet format, 90 MAC authentication critical voice VLAN, 163
802.1X relay, 89 MAC authentication multi-VLAN mode, 167
802.1X relay authentication, 92 MAC authentication online user
synchronization, 166
802.1X relay/termination, 90
MAC authentication user logging, 171
802.1X server-side EAP-TLS fragment
maximum size, 129 MAC authentication+802.1X authentication
parallel processing, 170
802.1X termination, 89
MACsec desire, 627
portal support, 188
MACsec MKA, 626
EAPOL
MACsec MKA session logging, 631
802.1X authentication (access device
initiated), 94 MFF, 605
802.1X authentication (client-initiated), 94 MFF periodic gateway probe, 606
802.1X packet format, 90 ND attack detection logging, 592
ECDSA NETCONF-over-SSH, 459
public key management, 325 password control, 309
661
PKI online certificate request mode IPsec encryption algorithm (DES), 381
(automatic), 345 IPsec RIPng configuration, 409
port security, 277 IPsec RRI configuration, 399, 413
port security authorization-fail-offline, 284 IPsec tunnel configuration for IPv4 packets
port security dynamic secure MAC, 281 (IKE-based), 433
port security escape critical VSI, 287 IPsec tunnel for IPv4 packets (manual), 404
port security MAC move, 283 MACsec data encryption, 622, 622
port security open authentication mode, 285 public key management, 325, 330
port security secure MAC address inactivity SSH configuration, 453
aging, 280 SSH server configuration, 456
port security SNMP notification, 288 SSL services, 519
port security user logging, 288 encryption
portal authentication (interface), 197 MACsec encryption cipher suite, 627
portal authentication client Rule ARP entry entering
feature, 214 FIPS mode (automatic reboot), 613, 617
portal authentication client Rule ND entry FIPS mode (manual reboot), 613, 618
feature, 214
peer host public key, 329, 330
portal authentication roaming, 206
SSH client host public key, 460
portal authorization strict-checking mode, 205
escape critical VSI
portal authorization strict-checking mode
port security escape feature enable, 287
(interface), 205
ESP
SSH algorithm renegotiation+key
re-exchange, 462 IPsec security protocol 50, 378
SSH login control ACL attempts denied establishing
logging, 463 IPv4 Secure Telnet server connection, 466
SSH SCP server, 458 IPv4 SFTP server connection, 470
SSH Secure Telnet server, 458 IPv6 Secure Telnet server connection, 467
SSH server support for SSH1 clients, 462 IPv6 SFTP server connection, 471
SSH SFTP server, 458 SSH IPv4 SCP server connection, 476
uRPF (global), 601 SSH IPv6 SCP server connection, 477
uRPF (interface), 601 SSH SCP server connection, 476
Web authentication, 264 SSH SCP server connection (Suite B), 478
encapsulating SSH Secure Telnet server connection, 466
IKE-based IPsec tunnel for IPv4 packets, 407 SSH Secure Telnet server connection (Suite
IPsec ACL de-encapsulated packet B), 468
check, 395 SSH SFTP server connection, 470
IPsec anti-replay, 395 SSH SFTP server connection (Suite B), 472
IPsec configuration, 378, 404 Ethernet
IPsec RIPng configuration, 409 802.1X overview, 88
IPsec RRI configuration, 399, 413 ARP attack protection configuration, 565
IPsec transport mode, 379 exempting
IPsec tunnel configuration for IPv4 packets attack D&P detection exemption, 536
(IKE-based), 433 exiting
IPsec tunnel for IPv4 packets (manual), 404 FIPS mode (automatic reboot), 616, 620
IPsec tunnel mode, 379 FIPS mode (manual reboot), 616, 620
encrypting exporting
crypto engine configuration, 610 host public key, 327
IKE-based IPsec tunnel for IPv4 packets, 407 PKI certificate, 350
IPsec, 380 PKI certificate import/export configuration, 367
IPsec configuration, 378, 404 troubleshooting PKI certificate export failure, 376
IPsec encryption algorithm (3DES), 381 extending
IPsec encryption algorithm (AES), 381
662
extended cross-subnet portal authentication SSL, 520
configuration, 237 FIPS functionality, 611
extended direct portal authentication fixed ARP
configuration, 229 ARP scanning+fixed ARP configuration, 583
extended re-DHCP portal authentication flood attack
configuration, 232
attack D&P defense policy, 532
F attack D&P defense policy (ACK flood
fail attack), 532
portal fail-permit feature, 206 attack D&P defense policy (DNS flood
attack), 535
failing
attack D&P defense policy (FIN flood attack), 533
portal authentication fail-permit feature, 206
attack D&P defense policy (HTTP flood
Federal Information Processing Standard.
attack), 536
Use FIPS
attack D&P defense policy (ICMP flood
file
attack), 534
portal authentication file name rules, 194
attack D&P defense policy (ICMPv6 flood
SFTP directory file display, 472, 473 attack), 534
SFTP file deletion, 473 attack D&P defense policy (RST flood
SFTP file download+local save, 473 attack), 534
SFTP file name change, 473 attack D&P defense policy (SYN flood
SFTP local file upload, 473 attack), 532
SSH SCP+password authentication, 508 attack D&P defense policy (SYN-ACK flood
SSH SFTP, 473 attack), 533
filtering attack D&P defense policy (UDP flood
ARP packet filtering configuration, 585, 586 attack), 535
attack D&P blacklist, 529 attack D&P device-preventable attacks, 527
attack D&P IP blacklist, 529 forcibly sending
FIN flood attack, 533 AAA RADIUS stop-accounting packet forcibly
sending, 35
fingerprint
format
root CA certificate, 335
802.1X EAP packet format, 90
FIPS
802.1X EAPOL packet format, 90
configuration, 611, 617
802.1X packet, 90
configuration restrictions, 612
AAA HWTACACS username, 46
display, 617
AAA RADIUS attribute 31 MAC address
mode entry, 613 format, 32
mode entry (automatic reboot), 617 AAA RADIUS packet format, 4
mode entry (manual reboot), 618 AAA RADIUS username, 29
mode exit, 616 MAC authentication user account, 159
mode exit (automatic reboot), 620 portal authentication NAS-Port-Id attribute
mode exit (manual reboot), 620 format, 211
mode system changes, 613 forwarding
self-test, 611 ARP attack detection restricted forwarding, 577
self-test trigger, 615 ARP attack protection restricted forwarding
FIPS compliance configuration, 581
AAA, 14 DHCP relay agent-based dynamic IPv4SG
IPsec, 384 configuration, 559
IPsec IKE, 420 DHCP snooping-based dynamic IPv4SG
password control, 308 configuration, 558
PKI, 338 DHCPv6 relay agent-based dynamic IPv6SG
public key, 325 configuration, 563
SSH, 456 DHCPv6 snooping-based dynamic IPv6SG
address binding configuration, 561
663
DHCPv6 snooping-based dynamic IPv6SG generating
prefix binding configuration, 562 Secure Telnet client local key pair, 465
IPSG configuration, 552, 553, 557 SSH SCP client local key pair, 475
IPv6 ND attack defense configuration, 590 SSH server local key pair, 457
IPv6 ND attack defense RA guard SSH SFTP client local key pair, 469
configuration, 593, 595 global
static IPv4SG configuration, 557 IPsec IKE global identity information, 426
static IPv6SG configuration, 560 global parameter
fragment IPsec IKEv2 global parameters, 449
IPsec packet DF bit, 398 group
fragmenting MACsec group CAK, 622
attack D&P TCP fragment attack guest VLAN
prevention, 538
802.1X authentication, 98
IPsec packet fragmentation, 402
802.1X authentication (MAC-based access
frame control), 99
port security configuration, 273, 276 802.1X authentication (port-based access
framework control), 98
IPsec, 378 802.1X configuration, 114, 133
freezing 802.1X guest VLAN assignment delay, 115
802.1X user IP freezing enable, 127 MAC authentication, 150
FTP MAC authentication configuration, 161
AAA RADIUS Login-Service attribute check guest VSI
method, 31 802.1X authentication, 103
local host public key distribution, 327 802.1X authentication guest VSI+authorization
SFTP server public key deletion, 471 VSI configuration (MAC-based), 138
SSH SCP server connection 802.1X configuration, 118
establishment, 476 MAC authentication, 153
SSH SFTP client configuration (publickey MAC authentication configuration, 163
authentication), 501
SSH SFTP client device, 468 H
SSH SFTP configuration, 499 handshaking
SSH SFTP configuration (192-bit Suite B 802.1X online user handshake, 124
algorithm), 504 SSL handshake protocol, 519
SSH SFTP directories, 472 hardware
SSH SFTP files, 473 crypto engine configuration, 610
SSH SFTP outgoing packet source IP history
address, 469 password history, 307
SSH SFTP server configuration (password host
authentication), 499
local host public key distribution, 327
SSH SFTP server connection
establishment, 470 peer host public key configuration, 328
SSH SFTP server connection termination, 474 peer host public key entry, 329, 330
Fully Qualified Domain Name. Use FQDN peer host public key import from file, 329
function public key display, 328
portal authentication extended functions, 183 public key export, 327
SSH client host public key configuration, 459
G HTTP
gateway attack D&P defense policy (HTTP flood
ARP gateway protection, 584, 585 attack), 536
IPsec RRI, 383 portal URL redirection match rules, 193
MFF default gateway, 604 SSL configuration, 519, 520
MFF periodic gateway probe, 606 HTTP redirect
664
HTTPS redirect listening port number identity
specifying, 193, 263 IPsec IKE global identity information, 426
HTTPS ignoring
portal URL redirection match rules, 193 ARP attack detection user validity check ingress
HW Terminal Access Controller Access Control port, 578
System. Use HWTACACS port security server authorization information, 282
HWTACACS IKE, 417, See also ISAKMP
AAA configuration, 1, 14, 63 benefit, 417
AAA for SSH user, 63 configuration, 417, 430
AAA implementation, 5 configuration (main mode+preshared key
AAA local user configuration, 14 authentication), 430
AAA VPN implementation, 13 DH algorithm, 419
accounting server, 42 display, 430
authentication server, 41 FIPS compliance, 420
authorization server, 41 global DPD configuration, 428
configuration, 40 global identity information, 426
connection recording policy, 61 identity authentication, 419
display, 47 IKE-based IPsec tunnel for IPv4 packets, 407
HWTACACS/RADIUS differences, 5 invalid SPI recovery, 428
maintain, 47 IPsec negotiation mode, 380
outgoing packet source interface (all IPsec policy (IKE-based/direct), 392
schemes), 45 IPsec policy (IKE-based/template), 393
outgoing packet source interface (single IPsec policy configuration (IKE-based), 391
scheme), 46 IPsec SA, 380
outgoing packet source IP address, 45 IPsec tunnel configuration for IPv4 packets
outgoing packet source IP address (all (IKE-based), 433
schemes), 45 keepalive configuration, 427
outgoing packet source IP address (single keychain configuration, 425
scheme), 46
maintain, 430
packet exchange process, 6
NAT keepalive configuration, 427
protocols and standards, 13
negotiation, 417
scheme creation, 41
PFS, 419
scheme VPN instance, 43
prerequisites, 420
shared keys, 43
profile configuration, 421
SSH user local authentication+HWTACACS
profile creation, 421, 442
authorization+RADIUS accounting, 65
proposal configuration, 424
stop-accounting packet buffering, 47
protocols and standards, 419
timer set), 44
SA max, 429
traffic statistics units, 46
security mechanism, 419
troubleshooting, 80
SNMP notification, 429
username format, 46
troubleshoot, 435
Hypertext Transfer Protocol. Use HTTP
troubleshoot negotiation failure (no proposal
I match), 435
ICMP troubleshoot negotiation failure (no proposal or
attack D&P defense policy (ICMP flood keychain specified correctly), 436
attack), 534 IKE and IPsec
attack D&P defense policy (ICMPv6 flood relationship, 417
attack), 534 IKE profile
ID IKE keychain configuration, 421
AAA device ID configuration, 60 IKE phase 1 negotiation mode configuration, 422
portal authentication access device ID, 211 IKE proposals configuration, 422
665
inside VPN instance configuration, 423 troubleshooting PKI CA certificate import
local ID configuration, 423 failure, 375
optional features configuration, 423 troubleshooting PKI local certificate import
peer ID configuration, 421 failure, 375
PKI domain configuration, 421 including
IKEv2, 440, See also ISAKMP AAA ISP domain idle timeout period in user online
duration, 55
configuration, 440
MAC authentication request user IP address, 169
cookie challenge, 441, 449
initiating
DH guessing, 441
802.1X authentication, 92, 94
display, 450
injecting
DPD configuration, 449
IPsec RRI, 383
global parameter configuration, 449
IPsec RRI configuration, 399
keychain configuration, 448
Internet
maintain, 450
Internet Key Exchange. Use IKE
message retransmission, 441
Internet Key Exchange version 2. Use IKEv2
NAT keepalive, 450
SSL configuration, 519, 520
negotiation, 440
interpreting
policy configuration, 446
AAA RADIUS class attribute as CAR
profile configuration, 442
parameter, 31
proposal configuration, 447
interval
protocols and standards, 441
SSH update interval for RSA server key pair, 462
SA rekeying, 441
intrusion detection/protection
troubleshoot, 451
port security blockmac mode, 282
troubleshoot negotiation failure (no proposal
port security disableport mode, 282
match), 451
port security disableport-temporarily mode, 282
IKEv2 profile
port security feature, 273
IKE keychain configuration, 443
IP
inside VPN instance configuration, 445
portal authentication portal-free rule, 201
local ID configuration, 443
security. Use IPsec
optional features configuration, 445
IP addressing
peer ID configuration, 444
802.1X user IP freezing enable, 127
PKI domain configuration, 443
AAA HWTACACS outgoing packet source
IMC
interface (all schemes), 45
AAA RADIUS session-control, 37
AAA HWTACACS outgoing packet source
implementing interface (single scheme), 46
802.1X MAC-based access control, 95 AAA HWTACACS outgoing packet source IP
802.1X port-based access control, 95 address, 45
AAA for VPNs, 13 AAA HWTACACS outgoing packet source IP
AAA HWTACACS, 5 address (all schemes), 45
AAA LDAP, 8 AAA HWTACACS outgoing packet source IP
AAA RADIUS, 2 address (single scheme), 46
IPsec (ACL-based), 384 AAA LDAP server IP address, 48
IPsec ACL-based implementation, 381 AAA RADIUS outgoing packet source interface
IPsec IPv6 routing protocol-based (all schemes), 28
implementation, 382 AAA RADIUS outgoing packet source interface
importing (single scheme), 29
peer host public key from file, 329 AAA RADIUS outgoing packet source IP
address, 28
PKI certificate import/export
configuration, 367 AAA RADIUS outgoing packet source IP address
(all schemes), 28
public key from file, 332
SSH client host public key, 460
666
AAA RADIUS outgoing packet source IP anti-replay configuration, 395
address (single scheme), 29 anti-replay redundancy, 396
ARP attack detection ip validity check, 576 authentication, 380
ARP attack protection (unresolvable IP authentication algorithms, 380
attack), 565, 567 benefit, 378
ARP attack protection configuration, 565 configuration, 378, 404
ARP attack protection configuration display, 403
(user+packet validity check), 580
encryption, 380
ARP attack protection restricted forwarding
encryption algorithms, 381
configuration, 581
FIPS compliance, 384
ARP attack protection user validity check, 579
fragmentation configuration, 402
ARP filtering configuration, 586
framework, 378
ARP gateway protection, 585
global IKE DPD, 428
ARP scanning+fixed ARP configuration, 583
global IPsec SA lifetime and idle timeout
ARP sender IP address checking, 587, 587
configuration, 401
attack D&P blacklist, 529
IKE configuration, 417, 430
attack D&P IP blacklist, 529, 539
IKE configuration (main mode+preshared key
attack D&P IP blacklist configuration, 549 authentication), 430
authorized ARP configuration (DHCP relay IKE global identity information, 426
agent), 573
IKE identity authentication, 419
authorized ARP configuration (DHCP
IKE invalid SPI recovery, 428
server), 572
IKE keepalive, 427
MAC authentication request user IP
address, 169 IKE keychain configuration, 425
MFF server IP address, 606 IKE NAT keepalive, 427
portal preauthentication domain, 198 IKE negotiation, 417
portal user preauthentication IP address IKE negotiation mode, 380
pool, 199 IKE profile configuration, 421
SSH SCP outgoing packet source IP IKE proposal, 424
address, 475 IKE SA max, 429
SSH Secure Telnet outgoing packet source IP IKE security mechanism, 419
address, 465 IKE SNMP notification, 429
SSH SFTP outgoing packet source IP IKE-based IPsec tunnel for IPv4 packets, 407
address, 469 IKEv2 configuration, 440
uRPF configuration, 600 IKEv2 cookie challenge, 449
IP source guard (IPSG) IKEv2 DPD configuration, 449
configuration, 552, 553, 557 IKEv2 global parameters, 449
configuration restrictions, 553 IKEv2 keychain configuration, 448
display, 557 IKEv2 NAT keepalive, 450
dynamic binding, 553 IKEv2 negotiation, 440
IPv4. See IPv4 source guard IKEv2 policy configuration, 446
IPv6. See IPv6 source guard IKEv2 profile configuration, 442
operating mechanism, 552 IKEv2 proposal configuration, 447
IPoE IPsec policy, 382
user profile configuration, 300 IPsec profile, 382
IPsec IPv6 routing protocol-based IPsec, 382
ACL configuration, 385 IPv6 routing protocols configuration, 400
ACL de-encapsulated packet check, 395 maintain, 403
ACL for MPLS L3VPN protection, 387 mirror image ACLs, 386
ACL rule keywords, 385 non-mirror image ACLs, 386
ACL-based implementation, 384 packet DF bit configuration, 398
ACL-based IPsec, 381 packet logging enable, 402
667
PKI configuration, 335, 338, 353 SSH SCP client device, 474
policy application to interface, 394 SSH SCP server connection
policy configuration (IKE-based), 391 establishment, 476, 476
policy configuration (IKE-based/direct), 392 SSH SCP server connection establishment (Suite
policy configuration B), 478
(IKE-based/template), 393 SSH Secure Telnet server connection
policy configuration (manual), 390 establishment, 466
policy configuration restrictions, 390 SSH Secure Telnet server connection
establishment (Suite B), 468
policy configuration restrictions
(IKE-based), 392 SSH SFTP server connection establishment, 470
protected traffic, 381 SSH SFTP server connection establishment
(Suite B), 472
protocols and standards, 384
IPv4 source guard (IPv4SG)
QoS pre-classify enable, 397
configuration, 552, 553, 554, 557
RIPng configuration, 409
DHCP relay agent-based dynamic
RRI, 383
configuration, 559
RRI configuration, 399, 413
DHCP snooping-based dynamic
SA, 380 configuration, 558
security services, 378 display, 557
SNMP notification configuration, 403 interface enable, 554
source interface policy bind, 397 interface enable restrictions, 554
transform set configuration, 388 static binding configuration, 554
troubleshoot IKE, 435 static binding configuration restrictions, 555
troubleshoot IKE negotiation failure (no static configuration, 557
proposal match), 435
IPv6
troubleshoot IKE negotiation failure (no
IPsec IPv6 routing protocol profile (manual), 400
proposal or keychain specified correctly), 436
ND attack defense. See IPv6 ND attack defense
troubleshoot IKEv2, 451
portal authentication enable (interface), 197
troubleshoot IKEv2 negotiation failure (no
proposal match), 451 portal authentication Web server (interface), 198
troubleshoot SA negotiation failure (invalid remote portal authentication server, 191
identity info), 437 Secure Telnet server connection
troubleshoot SA negotiation failure (no establishment, 467
transform set match), 437, 451 SFTP server connection establishment, 471
troubleshoot SA negotiation failure (tunnel source guard. See IPv6 source guard
failure), 452 SSH SCP client device, 474
tunnel configuration for IPv4 packets SSH SCP server connection
(IKE-based), 433 establishment, 476, 477
tunnel for IPv4 packets (manual), 404 SSH SCP server connection establishment (Suite
tunnel max, 402 B), 478
IPv4 SSH Secure Telnet server connection
IKE-based IPsec tunnel for IPv4 packets, 407 establishment, 466
IPsec tunnel configuration for IPv4 packets SSH Secure Telnet server connection
(IKE-based), 433 establishment (Suite B), 468
IPsec tunnel for IPv4 packets (manual), 404 SSH SFTP server connection establishment, 470
portal authentication enable (interface), 197 SSH SFTP server connection establishment
(Suite B), 472
portal authentication Web server
(interface), 198 IPv6 destination guard configuration
remote portal authentication server, 191 configuration restrictions, 598
Secure Telnet server connection IPv6 ND attack defense
establishment, 466 attack detection display, 593
SFTP server connection establishment, 470 attack detection maintain, 593
source guard. See IPv4 source guard configuration, 590
668
configuring ND attack detection, 591 default ISP domain specifying, 53
device role, 593 ISP domain creation, 53
device role restrictions, 593 ISP domain specifying for users that are assigned
IPv6 destination guard configuration, 597 to nonexistent domains, 53
IPv6 destination guard maintain, 598 K
IPv6 destination guard verify, 598
keepalive
RA guard configuration, 593, 595
IPsec IKE configuration, 427
RA guard display, 595
IPsec IKE NAT configuration, 427
RA guard logging enable, 595
IPsec IKEv2 NAT, 450
RA guard maintain, 595
key
RA guard policy application, 594
IPsec IKE preshared key authentication, 419
RA guard policy configuration, 594
MACsec MKA key server priority, 628
source MAC consistency check, 591
MACsec preshared key, 627
IPv6 ND attack detection
PKI configuration, 335, 338, 353
configuration restrictions, 592
SSH algorithm renegotiation+key
IPv6 routing protocol re-exchange, 462
IPsec IPv6 routing protocol-based key pair
implementation, 382
Secure Telnet client server key pair, 465
IPv6 source guard (IPv6SG)
SSH SCP client server key pair, 475
configuration, 552, 553, 555, 557
SSH server local key pair generation, 457
DHCPv6 relay agent-based dynamic
SSH SFTP client server key pair, 469
configuration, 563
keychain
DHCPv6 snooping-based dynamic address
binding configuration, 561 configuration, 318, 318, 319, 319
DHCPv6 snooping-based dynamic prefix display, 319
binding configuration, 562 IPsec IKE keychain configuration, 425
display, 557 IPsec IKEv2 keychain configuration, 448
interface enable, 555 troubleshooting IPsec IKE negotiation failure (no
interface enable restrictions, 555 keychain specified correctly), 436
static binding configuration, 556 keyword
static binding configuration restrictions, 556 IPsec ACL rule keywords, 385
static configuration, 560 L
IRF compatibility, 613 LAN
ISAKAMP 802.1X overview, 88
protocols and standards, 419, 441 MACsec configuration, 622, 626, 632
ISAKMP, 417, 440, See also IKE MACsec configuration (client-oriented), 632
IPsec IKE configuration, 417, 430 MACsec configuration (device-oriented), 635
IPsec IKE configuration (main Layer 2
mode+preshared key authentication), 430
IPv6 ND attack defense RA guard
IPsec IKEv2 configuration, 440 configuration, 593, 595
ISP MFF configuration, 603, 604, 607
AAA ISP domain accounting method, 57 MFF configuration (in ring network), 608
AAA ISP domain attribute, 54 MFF configuration (in tree network), 607
AAA ISP domain authentication method, 55 Layer 3
AAA ISP domain authorization attribute, 54 IKE-based IPsec tunnel for IPv4 packets, 407
AAA ISP domain authorization method, 56 IPsec configuration, 378, 404
AAA ISP domain creation, 52 IPsec RIPng configuration, 409
AAA ISP domain idle timeout period include in IPsec RRI configuration, 399, 413
user online duration, 55
IPsec tunnel configuration for IPv4 packets
AAA ISP domain method, 55 (IKE-based), 433
AAA ISP domain status, 54 IPsec tunnel for IPv4 packets (manual), 404
669
PKI MPLS L3VPN support, 337 host public key distribution, 327
LDAP key pair creation, 326
AAA configuration, 1, 14, 63 key pair destruction, 330
AAA implementation, 8 local portal Web service, 185
AAA local user configuration, 14 MAC authentication (local), 172
administrator attribute, 49 MAC authentication method, 147
attribute map, 51 password control parameters (local user), 312
attribute map for authorization, 52 PKI digital certificate, 335
authentication, 8 portal authentication local portal Web service
authentication process, 9 parameter configuration, 196
authentication server, 51 troubleshooting PKI certificate obtain failure, 373
authorization, 8 troubleshooting PKI certificate request
authorization process, 10 failure, 373
authorization server, 51 troubleshooting PKI local certificate import
failure, 375
configuration, 48
local portal Web service
directory service, 8
local portal Web service page customization, 185
display, 52
system components, 185
protocols and standards, 13
local VLAN
scheme creation, 51
MAC authentication local VLAN
server creation, 48
authorization, 149
server IP address, 48
log non-aggregation, 538
server SSH user authentication, 70
logging
server timeout period, 49
802.1X user logging enable, 130
troubleshooting authentication failure, 80
ARP attack detection logging enable, 578
user attribute, 50
attack D&P log non-aggregation, 538
versions, 48
attack D&P login dictionary attack, 528
life time
enabling logging for portal user login/logout, 213
MACsec MKA life time, 629
IPsec packet logging enable, 402
Lightweight Directory Access Protocol. Use LDAP
MAC authentication user logging enable, 171
limiting
MACsec MKA session logging enable, 631
ARP packet rate limit, 568
password events, 308
port security MAC address limit per port
port security user logging enable, 288
VLAN, 284
logging in
port security secure MAC addresses, 278
AAA concurrent login user max, 59
listening
attack D&P login attack prevention
HTTPS redirect listening port
configuration, 540
number, 193, 263
attack D&P login delay, 540
load sharing
attack D&P login DoS attack, 528
AAA RADIUS server load sharing, 35
password expired login, 307
local
password user first login, 307
802.1X authorization VLAN, 95
password user login attempt limit, 307
802.1X authorization VSI, 103
password user login control, 307
802.1X VLAN authorization, 96
RADIUS Login-Service attribute, 31
AAA local accounting method, 11
logging off
AAA local authentication, 11
802.1X user, 130
AAA local authentication configuration, 14
MAC authentication user, 171
AAA local authorization method, 11
logging out
AAA local user, 14
portal authentication online user logout, 213
AAA SSH user local
authentication+HWTACACS M
authorization+RADIUS accounting, 65
670
MAC port security MAC address autoLearn
802.1X MAC-based access control, 95 configuration, 289
address. See MAC addressing port security MAC address limit per port
authentication. See MAC authentication VLAN, 284
RADIUS attribute 31 format, 32 port security macAddressWithRadius, 275
security. Use MACsec port security secure MAC address, 279
SSL services, 519 port security secure MAC address add, 280
user profile configuration, 301 port security secure MAC address inactivity
aging, 280
MAC address
port security secure MAC address port limit, 278
802.1X authentication (client-initiated), 94
static IPv4SG configuration, 557
MAC addressing
static IPv6SG configuration, 560
802.1X authentication (access device
initiated), 94 troubleshooting port security secure MAC
addresses, 299
802.1X Auth-Fail VLAN (MAC-based access
control), 100 MAC authentication
802.1X critical VLAN (MAC-based access ACL assignment, 154, 177
control), 101 authentication method, 158
802.1X critical voice VLAN (MAC-based authorization VLAN, 147
access control), 102 authorization VLAN port manipulation, 149
802.1X guest VLAN (MAC-based access authorization VSI, 152
control), 99 authorization VSI assignment, 180
802.1X MAC address binding, 128 blackhole MAC attribute assignment, 155
ARP attack detection (source concurrent port users max, 167
MAC-based), 569, 570 configuration, 146, 156, 172
ARP attack protection configuration, 565 configuration restrictions, 156
ARP packet source MAC consistency critical VLAN, 150
check, 571
critical VLAN configuration, 162
ARP scanning+fixed ARP configuration, 583
critical VLAN configuration restrictions, 162
DHCP relay agent-based dynamic IPv4SG
critical voice VLAN, 151
configuration, 559
critical voice VLAN enable, 163
DHCP snooping-based dynamic IPv4SG
configuration, 558 critical VSI, 153
DHCPv6 relay agent-based dynamic IPv6SG critical VSI configuration, 164
configuration, 563 critical VSI configuration restrictions, 164
DHCPv6 snooping-based dynamic IPv6SG delay configuration, 168
address binding configuration, 561 delay configuration restrictions, 168
DHCPv6 snooping-based dynamic IPv6SG display, 171
prefix binding configuration, 562 domain specification, 158
IPSG configuration, 552, 553, 557 enable, 157
MAC authentication, 156, 172 enable restrictions, 157
MAC authentication (local), 172 guest VLAN, 150
MAC authentication (RADIUS-based), 175 guest VLAN configuration, 161
MAC authentication blackhole attribute guest VLAN configuration restrictions, 161
assignment, 155 guest VSI, 153
MAC authentication configuration, 146 guest VSI configuration, 163
MFF configuration, 603, 604, 607 guest VSI configuration restrictions, 163
MFF configuration (in ring network), 608 local authentication, 172
MFF configuration (in tree network), 607 local VLAN authorization, 149
port security client logging off user, 171
macAddressElseUserLoginSecure
configuration, 294 MAC authentication+802.1X authentication
parallel processing, 170
port security dynamic secure MAC, 281
671
MAC authentication+802.1X authentication device-oriented configuration, 635
parallel processing enable restrictions, 170 display, 632
maintain, 171 hardware compatibility restrictions, 625
methods, 147 integrity check, 623
multi-VLAN mode configuration, 167 MACsec encryption cipher suite, 627
offline detection configuration, 165 maintain, 632
online user synchronization enable, 166 MKA enable, 626
periodic reauthentication, 155, 160 MKA key server priority configuration, 628
periodic reauthentication restrictions, 160 MKA key server priority configuration
port security authentication control mode, 273 restrictions, 628
port security client MKA life time configuration, 629
macAddressElseUserLoginSecure MKA session logging enable, 631
configuration, 294 MKA session logging enable restrictions, 631
port security client userLoginWithOUI operation (client-oriented), 624
configuration, 291
operation (device-oriented), 624
port security configuration, 273, 276, 289
preshared key configuration, 627
port security MAC address autoLearn
preshared key configuration restrictions, 627
configuration, 289
protection parameter configuration, 629
port security MAC move, 283
protection parameter configuration
port security MAC+802.1X authentication, 275
restrictions, 629
port security mode, 277
protection parameter configuration restrictions
port security open authentication, 285 (MKA policy), 630
RADIUS-based, 175 protocols and standards, 625
redirect URL assignment, 154 replay protection, 623
remote VLAN authorization, 147 services, 622
request user IP address, 169 troubleshoot, 638
request user IP address inclusion troubleshoot device cannot establish MKA
restrictions, 169 session, 638
timer configuration, 159 maintaining
unauthenticated user aging, 164 802.1X, 130
user account format, 159 AAA HWTACACS, 47
user account policies, 146 AAA RADIUS, 40
user logging configuration restrictions, 171 ARP attack detection, 578
user logging enable, 171 attack D&P, 540
user profile assignment, 154 crypto engine, 610
VLAN assignment, 147 IPsec, 403
VSI manipulation, 152 IPsec IKE, 430
VXLAN support, 152 IPsec IKEv2, 450
MAC learning IPv6 destination guard, 598
port security autoLearn MAC learning IPv6 ND attack defense RA guard, 595
control, 274
IPv6 ND attack detection, 593
port security MAC learning control modes, 273
MAC authentication, 171
port security secure MAC learning control, 274
MACsec, 632
MAC-forced forwarding. Use MFF
password control, 314
MACsec
portal authentication, 214
application mode, 623
managing
basic concepts, 622
public key, 325, 330
client-oriented configuration, 632
manipulating
configuration, 622, 626, 632
MAC authentication VSI manipulation, 152
data encryption, 622
manual
desire enable, 627
FIPS mode (manual reboot), 613
672
FIPS mode entry (manual reboot), 618 IPsec encapsulation transport, 379
FIPS mode exit (manual reboot), 616, 620 IPsec encapsulation tunnel, 379
IPsec IPv6 routing protocol profile IPsec IKE negotiation, 380
(manual), 400 IPsec IKE negotiation (time-based lifetime), 380
Media Access Control Security. Use MACsec IPsec IKE negotiation (traffic-based lifetime), 380
message IPsec IPv6 routing protocol-based
ARP attack protection configuration, 565 implementation, 382
IPsec IKEv2 message retransmission, 441 MAC authentication multi-VLAN, 167
Message Authentication Code. Use MAC MACsec application client-oriented, 623
MFF MACsec application device-oriented, 623
ARP packet processing, 604 PKI offline, 344
configuration, 603, 604, 607 PKI online, 344
configuration (in ring network), 608 port security, 277
configuration (in tree network), 607 port security authentication control, 273
default gateway, 604 port security autoLearn MAC learning control, 274
display, 606 port security intrusion protection blockmac, 282
enable, 605 port security intrusion protection disableport, 282
enable restrictions, 605 port security intrusion protection
network model, 603 disableport-temporarily, 282
network port, 604 port security MAC learning control, 273
network port configuration, 605 port security MAC learning control autoLearn, 273
periodic gateway probe enable, 606 port security MAC learning control secure, 273
port roles, 603 port security macAddressWithRadius
protocols and standards, 604 authentication, 275
server IP address, 606 port security NTK ntkonly, 281
server IP address restrictions, 606 port security NTK ntk-withbroadcasts, 281
user port, 603 port security NTK ntk-withmulticasts, 281
minimum password length, 305 port security open authentication, 285
mirroring port security secure MAC learning control, 274
IPsec mirror image ACLs, 386 port security userLogin 802.1X
authentication, 275
IPsec non-mirror image ACLs, 386
port security userLoginSecure 802.1X
MKA
authentication, 275
MACsec enable, 626
port security userLoginSecureExt 802.1X
MACsec MKA key server priority, 628 authentication, 275
MACsec MKA life time, 629 port security userLoginWithOUI 802.1X
MACsec MKA session logging enable, 631 authentication, 275
MACsec protection parameters, 629 portal authentication, 185
troubleshooting MACsec device cannot portal authentication (cross-subnet), 186
establish MKA session, 638 portal authentication (direct), 185
mode portal authentication (re-DHCP), 186
802.1X multicast trigger, 94, 122 troubleshooting port security mode cannot be
802.1X unicast trigger, 94, 122 set, 298
global IPsec IKE DPD periodic, 428 uRPF loose check, 600
IKEv2 DPD on-demand, 449 uRPF strict check, 600
IKEv2 DPD periodic, 449 MPLS L3VPN
IPsec ACL-based implementation ACL for IPsec protection, 387
aggregation, 381 cross-subnet portal authentication configuration
IPsec ACL-based implementation for MPLS L3VPN, 246
per-host, 381 PKI support, 337
IPsec ACL-based implementation multicast
standard, 381
802.1X multicast trigger mode, 94, 122
673
port security NTK configuration, 281 802.1X authentication, 92
N 802.1X authentication guest VSI+authorization
VSI configuration (MAC-based), 138
naming 802.1X authentication initiation, 94
SFTP directory name change, 472 802.1X authentication request attempts max, 123
SFTP file name change, 473 802.1X authentication server timeout timer, 112
Naptha 802.1X authentication trigger, 122
TCP attack prevention (Naptha attack), 551 802.1X authentication+ACL assignment
NAS configuration, 136
AAA configuration, 14 802.1X authentication+EAD assistant
AAA HWTACACS implementation, 5 configuration (DHCP relay agent), 140
AAA LDAP implementation, 8 802.1X authentication+EAD assistant
AAA NAS-ID configuration, 59 configuration (DHCP server), 143
AAA RADIUS implementation, 2 802.1X Auth-Fail VLAN, 99, 116
AAA VPN implementation, 13 802.1X Auth-Fail VSI, 104, 119
port security NAS-ID profile, 286 802.1X authorization state, 111
portal authentication interface NAS-ID profile 802.1X authorization VLAN configuration, 133
(RADIUS), 212 802.1X basic configuration, 131
portal authentication NAS-Port-Id attribute 802.1X concurrent port users max, 123
format, 211 802.1X critical VLAN, 100, 117
NAT 802.1X critical voice VLAN, 102, 117
IPsec IKE keepalive, 427 802.1X critical VSI, 104, 119
IPsec IKEv2 keepalive, 450 802.1X EAD assistant, 128
ND 802.1X EAP over RADIUS, 91
portal authentication client Rule ND entry 802.1X EAP relay, 89
feature, 214 802.1X EAP relay authentication, 92
ND attack defense 802.1X EAP relay enable, 110
IPv6. See IPv6 ND attack defense 802.1X EAP relay/termination, 90
ND attack detection logging 802.1X EAP termination, 89
enabling, 592 802.1X EAP termination enable, 110
need to know. Use NTK 802.1X EAP termination mode authentication, 93
negotiating 802.1X guest VLAN, 98, 114
IPsec IKE negotiation, 417 802.1X guest VLAN assignment delay, 115
IPsec IKE negotiation mode, 380 802.1X guest VLAN configuration, 133
IPsec IKEv2 negotiation, 440 802.1X guest VSI, 103, 118
neighbor discovery (ND) 802.1X guest VSI assignment delay, 118
IPv6 ND attack defense configuration, 590 802.1X MAC address binding, 128
IPv6 ND attack defense source MAC 802.1X MAC user authentication attempts
consistency check, 591 max, 127
NETCONF 802.1X offline detection configuration, 125
enable over SSH, 459 802.1X online user handshake, 124
enable over SSH restrictions, 459 802.1X online user synchronization, 122
Secure Telnet client user line 802.1X packet exchange method, 89
configuration, 459
802.1X packet format, 90
SSH application, 453
802.1X reauthentication, 113
SSH client user line configuration, 459
802.1X server-side EAP-TLS fragment maximum
SSH configuration, 517 size, 129
SSH+password authentication 802.1X unauthenticated user aging, 120
configuration, 517
802.1X user IP freezing enable, 127
network
802.1X user logging enable, 130
802.1X access control method, 111
802.1X VLAN manipulation, 95
802.1X architecture, 88
674
802.1X VSI manipulation, 102 ARP attack protection source suppression
AAA device ID configuration, 60 (unresolvable IP attack), 566
AAA EAP profile, 21 ARP attack protection user validity check, 579
AAA HWTACACS, 40 ARP filtering configuration, 585, 586
AAA HWTACACS implementation, 5 ARP gateway protection, 584, 585
AAA HWTACACS server SSH user, 63 ARP packet rate limit, 568
AAA ISP domain accounting method, 57 ARP packet source MAC consistency check, 571
AAA ISP domain attribute, 54 ARP scanning+fixed ARP configuration, 583
AAA ISP domain authentication method, 55 ARP sender IP address checking, 587, 587
AAA ISP domain authorization method, 56 attack D&P configuration (device
AAA ISP domain creation, 52 application), 546
AAA ISP domain method, 55 attack D&P device-preventable attacks, 525
AAA LDAP, 48 attack D&P IP blacklist configuration, 549
AAA LDAP implementation, 8 attack D&P log non-aggregation, 538
AAA LDAP server SSH user attack D&P policy application (device), 537
authentication, 70 authorized ARP configuration, 572
AAA local user, 14 authorized ARP configuration (DHCP relay
AAA NAS-ID configuration, 59 agent), 573
AAA network access user, 14 authorized ARP configuration (DHCP server), 572
AAA RADIUS configuration, 20 captive-bypass feature enabling, 192
AAA RADIUS implementation, 2 cross-subnet portal authentication
configuration, 225
AAA RADIUS server 802.1X user, 73
DHCP relay agent-based dynamic IPv4SG
AAA RADIUS server SSH user
configuration, 559
authentication+authorization, 67
DHCP snooping-based dynamic IPv4SG
AAA SSH user local
configuration, 558
authentication+HWTACACS
authorization+RADIUS accounting, 65 DHCPv6 relay agent-based dynamic IPv6SG
configuration, 563
AAA test, 61
DHCPv6 snooping-based dynamic IPv6SG
AAA VPN implementation, 13
address binding configuration, 561
allowing only DHCP users to pass portal
DHCPv6 snooping-based dynamic IPv6SG prefix
authorization, 205
binding configuration, 562
ARP active acknowledgement, 571
digital certificate retrieval, usage, and
ARP attack detection (source maintenance, 337
MAC-based), 569, 570
disabling IPv6 destination guard (globally), 598
ARP attack detection configuration, 574
disabling IPv6 destination guard (on an
ARP attack detection logging enable, 578 interface), 598
ARP attack detection packet validity enabling IPv6 destination guard (globally), 598
check, 576
enabling IPv6 destination guard (on an
ARP attack detection restricted interface), 598
forwarding, 577
FIPS mode entry (automatic reboot), 617
ARP attack detection user validity check, 575
FIPS mode entry (manual reboot), 618
ARP attack detection user validity check
FIPS mode exit (automatic reboot), 620
ingress port, 578
FIPS mode exit (manual reboot), 620
ARP attack protection (unresolvable IP
attack), 565, 567 HTTPS redirect listening port number, 193
ARP attack protection blackhole routing IKE-based IPsec tunnel for IPv4 packets, 407
(unresolvable IP attack), 566 IPsec ACL, 385
ARP attack protection configuration IPsec ACL de-encapsulated packet check, 395
(user+packet validity check), 580 IPsec ACL-based implementation, 381
ARP attack protection restricted forwarding IPsec anti-replay, 395
configuration, 581 IPsec anti-replay redundancy, 396
IPsec fragmentation, 402
675
IPsec IKE configuration (main MAC authentication ACL assignment, 154, 177
mode+preshared key authentication), 430 MAC authentication authorization VLAN, 147
IPsec IKE SNMP notification, 429 MAC authentication authorization VLAN port
IPsec implementation (ACL-based), 384 manipulation, 149
IPsec IPv6 routing protocol profile MAC authentication authorization VSI, 152
(manual), 400 MAC authentication authorization VSI
IPsec IPv6 routing protocol-based assignment, 180
implementation, 382 MAC authentication blackhole attribute
IPsec IPv6 routing protocols, 400 assignment, 155
IPsec packet DF bit, 398 MAC authentication concurrent port users
IPsec packet logging enable, 402 max, 167
IPsec policy (IKE-based/direct), 392 MAC authentication critical VLAN, 150, 162
IPsec policy (IKE-based/template), 393 MAC authentication critical voice VLAN, 151, 163
IPsec policy application to interface, 394 MAC authentication critical VSI, 153, 164
IPsec policy configuration (IKE-based), 391 MAC authentication delay, 168
IPsec policy configuration (manual), 390 MAC authentication domain, 158
IPsec QoS pre-classify enable, 397 MAC authentication guest VLAN, 150, 161
IPsec RIPng configuration, 409 MAC authentication guest VSI, 153, 163
IPsec RRI, 383 MAC authentication method, 158
IPsec RRI configuration, 399, 413 MAC authentication multi-VLAN mode, 167
IPsec SNMP notification, 403 MAC authentication offline detection
IPsec source interface policy bind, 397 configuration, 165
IPsec transform set configuration, 388 MAC authentication online user
synchronization, 166
IPsec tunnel configuration for IPv4 packets
(IKE-based), 433 MAC authentication redirect URL
assignment, 154
IPsec tunnel for IPv4 packets (manual), 404
MAC authentication request user IP address, 169
IPsec-protected traffic, 381
MAC authentication timer, 159
IPSG dynamic binding, 553
MAC authentication unauthenticated user
IPSG static binding, 552
aging, 164
IPv4SG configuration, 554
MAC authentication user account format, 159
IPv4SG interface enable, 554
MAC authentication user logging enable, 171
IPv4SG static binding configuration, 554
MAC authentication user profile assignment, 154
IPv6 destination guard configuration, 597
MAC authentication VLAN assignment, 147
IPv6 ND attack defense device role, 593
MAC authentication VSI manipulation, 152
IPv6 ND attack defense RA guard
MAC authentication+802.1X authentication
configuration, 593, 595
parallel processing, 170
IPv6 ND attack defense RA guard logging
MACsec application mode, 623
enable, 595
MACsec configuration (client-oriented), 632
IPv6 ND attack defense RA guard policy, 594
MACsec configuration (device-oriented), 635
IPv6 ND attack defense source MAC
consistency check, 591 MACsec desire enable, 627
IPv6 ND attack detection, 591 MACsec MKA enable, 626
IPv6SG configuration, 555 MACsec MKA session logging enable, 631
IPv6SG interface enable, 555 MACsec preshared key, 627
IPv6SG static binding configuration, 556 MACsec services, 622
local portal authentication service, 194 MFF configuration (in ring network), 608
local portal Web service, 185 MFF configuration (in tree network), 607
logging off 802.1X user, 130 MFF network model, 603
logging off MAC authentication user, 171 MFF network port, 604, 605
MAC authentication (local), 172 MFF periodic gateway probe, 606
MAC authentication (RADIUS-based), 175 MFF port roles, 603
NETCONF-over-SSH client user line, 459
676
NETCONF-over-SSH configuration, 517 port security NAS-ID profile, 286
NETCONF-over-SSH enable, 459 port security NTK, 281
NETCONF-over-SSH+password port security secure MAC address, 279
authentication configuration, 517 port security secure MAC address add, 280
password control parameters (global), 310 port security secure MAC address port limit, 278
password control parameters (local user), 312 port security SNMP notification, 288
password control parameters (super), 313 port security user logging enable, 288
password control parameters (user portal authentication AAA server, 184
group), 312 portal authentication BAS-IP, 210
peer host public key entry, 330 portal authentication client, 184
periodic 802.1X reauthentication, 106 portal authentication client Rule ARP entry
periodic MAC reauthentication, 155, 160 feature, 214
PKI applications, 337 portal authentication client Rule ND entry
PKI architecture, 336 feature, 214
PKI CA policy, 336 portal authentication destination subnet, 202
PKI certificate import/export portal authentication detection, 207
configuration, 367 portal authentication domain, 200
PKI certificate request, 344 portal authentication EAP support, 188
PKI certificate-based access control portal authentication enable (interface), 197
policy, 365 portal authentication fail-permit, 206
PKI CRL, 335 portal authentication filtering rules, 188
PKI digital certificate, 335 portal authentication interface NAS-ID profile, 212
PKI domain configuration, 340 portal authentication local portal Web service
PKI entity configuration, 339 parameter configuration, 196
PKI MPLS L3VPN support, 337 portal authentication NAS-Port-Id attribute
PKI OpenCA server certificate request, 359 format, 211
PKI RSA Keon CA server certificate portal authentication online user logout, 213
request, 353 portal authentication portal-free rule, 201
PKI storage path, 344 portal authentication process, 186
PKI Windows 2003 CA server certificate portal authentication server detection, 208
request, 356 portal authentication source subnet, 202
PKI Windows 2003 CA server IKE portal authentication system, 183
negotiation+RSA digital signature, 363
portal authentication system component
port security authorization-fail-offline, 284 interaction, 184
port security client portal authentication user access control, 201
macAddressElseUserLoginSecure
portal authentication user online detection, 207
configuration, 294
portal authentication user setting max, 204
port security client userLoginWithOUI
configuration, 291 portal authentication Web redirect, 214
port security dynamic secure MAC, 281 portal authentication Web server (interface), 198
port security escape critical VSI, 287 portal authentication Web server detection, 208
port security features, 273 portal packet attributes configuration, 210
port security functions, 273 portal preauthentication domain, 198
port security intrusion protection, 282 portal URL redirection match rules
configuration, 193
port security MAC address autoLearn
configuration, 289 portal user preauthentication IP address pool, 199
port security MAC address learning portal Web server basic parameters, 192
control, 274 public key import from file, 332
port security MAC address limit per port RADIUS packet attributes configuration, 211
VLAN, 284 re-DHCP portal authentication configuration, 221
port security MAC move, 283 remote portal authentication server, 191
port security mode, 273, 277 remote portal authentication Web server, 192
677
Secure Telnet client user line, 459 SSH SFTP server enable, 458
SSH client host public key configuration, 459 SSH user configuration, 461
SSH management parameters, 462 SSH2 algorithms, 478
SSH SCP client device, 474 SSH2 algorithms (encryption), 479
SSH SCP configuration, 508 SSH2 algorithms (key exchange), 478
SSH SCP configuration (Suite B SSH2 algorithms (MAC), 479
algorithm), 510 SSH2 algorithms (public key), 479
SSH SCP outgoing packet source IP SSL client configuration, 521
address, 475 SSL client policy configuration, 522
SSH SCP server connection SSL protocol stack, 519
establishment, 476
SSL server configuration, 520
SSH SCP server connection establishment
SSL server policy configuration, 521
(Suite B), 478
static IPv4SG configuration, 557
SSH SCP server enable, 458
static IPv6SG configuration, 560
SSH SCP+password authentication, 508
TCP attack prevention (Naptha attack), 551
SSH Secure Telnet client configuration
(password authentication), 489 uRPF application, 600
SSH Secure Telnet client configuration uRPF application scenario, 600
(publickey authentication), 492 uRPF check modes, 600
SSH Secure Telnet client device, 465 uRPF enable (global), 601
SSH Secure Telnet configuration, 480 uRPF enable (interface), 601
SSH Secure Telnet configuration (128-bit user profile+QoS policy configuration, 301
Suite B algorithm), 495 Web authentication Auth-Fail VLAN, 266
SSH Secure Telnet outgoing packet source IP Web authentication configuration (local
address, 465 authentication server), 268
SSH Secure Telnet server configuration Web authentication configuration (RADIUS
(password authentication), 481 authentication server), 270
SSH Secure Telnet server configuration Web authentication domain, 264
(publickey authentication), 483 Web authentication enable, 264
SSH Secure Telnet server connection Web authentication process, 260
establishment, 466 Web authentication proxy support, 267
SSH Secure Telnet server connection Web authentication server, 263
establishment (Suite B), 468
Web authentication system components, 259
SSH Secure Telnet server enable, 458
Web authentication user online detection, 266
SSH server configuration, 456
Web authentication user setting max, 266
SSH server port, 457
Web authentication-free subnet, 265
SSH SFTP client configuration (publickey
authentication), 501 network management
SSH SFTP client device, 468 802.1X authentication configuration, 131
SSH SFTP configuration, 499 802.1X configuration, 108, 108
SSH SFTP configuration (192-bit Suite B 802.1X overview, 88
algorithm), 504 AAA configuration, 1, 14, 63
SSH SFTP directories, 472 AAA HWTACACS/RADIUS differences, 5
SSH SFTP files, 473 ARP attack protection configuration, 565
SSH SFTP outgoing packet source IP attack D&P configuration, 525, 529, 546
address, 469 crypto engine configuration, 610
SSH SFTP server configuration (password FIPS configuration, 611, 617
authentication), 499 IPsec configuration, 378, 404
SSH SFTP server connection IPsec IKE configuration, 417, 430
establishment, 470 IPsec IKEv2 configuration, 440
SSH SFTP server connection establishment IPSG configuration, 552, 553, 557
(Suite B), 472
IPv6 ND attack defense configuration, 590
SSH SFTP server connection termination, 474
keychain configuration, 318, 318, 319, 319
678
MAC authentication, 156, 172 portal authentication user online detection, 207
MAC authentication configuration, 146 SSH online user max number, 464
MACsec configuration, 622, 626, 632 Web authentication user online detection, 266
MFF configuration, 603, 604, 607 OpenCA
password control configuration, 305, 309, 314 PKI CA server certificate request, 359
PKI configuration, 335, 338, 353 P
port security configuration, 273, 276, 289
packet
portal authentication
configuration, 183, 189, 189, 215 802.1X Auth-Fail VLAN/VSI user EAP-Success
packet, 121
public key management, 325, 330
802.1X critical VLAN/VSI user EAP-Success
SSH configuration, 453
packet, 121
SSL configuration, 519, 520
802.1X EAP format, 90
SSL services, 519
802.1X EAPOL format, 90
TCP attack prevention configuration, 551
802.1X format, 90
uRPF configuration, 600
802.1X packet exchange method, 89
user profile configuration, 300, 301
802.1X protocol packet VLAN tag removal, 126
Web authentication
AAA HWTACACS outgoing packet source IP
configuration, 259, 262, 268, 268
address, 45
no
AAA HWTACACS packet exchange process, 6
AAA no accounting method, 11
AAA RADIUS outgoing packet source IP
AAA no authentication, 11 address, 28
AAA no authorization, 11 AAA RADIUS packet exchange process, 3
notifying AAA RADIUS packet format, 4
AAA RADIUS SNMP notification, 38 ARP active acknowledgement, 571
IPsec IKE SNMP notification, 429 ARP ARP sender IP address checking, 587
IPsec SNMP notification, 403 ARP attack detection packet validity check, 576
port security SNMP notification, 288 ARP attack protection (unresolvable IP
NTK attack), 565, 567
ntkauto mode, 281, 281 ARP attack protection blackhole routing
ntkonly mode, 281 (unresolvable IP attack), 566
ntk-withbroadcasts mode, 281 ARP attack protection configuration (user+packet
ntk-withmulticasts mode, 281 validity check), 580
port security feature, 273 ARP attack protection source suppression
numbering (unresolvable IP attack), 566
IPsec IKE SA max, 429 ARP filtering configuration, 585, 586
IPsec tunnel max, 402 ARP packet rate limit, 568
ARP packet source MAC consistency check, 571
O
ARP sender IP address checking, 587
obtaining attack D&P blacklist, 529
PKI certificate, 347 attack D&P IP blacklist, 529, 539
offline attack D&P TCP fragment attack prevention, 538
802.1X offline detection configuration, 125 IPsec ACL de-encapsulated packet check, 395
MAC authentication offline detect, 159 IPsec anti-replay, 395
MAC authentication offline detection IPsec packet DF bit, 398
configuration, 165 IPsec packet fragmentation, 402
PKI offline mode, 344 IPsec packet logging enable, 402
port security authorization-fail-offline IPsec QoS pre-classify enable, 397
feature, 284
IPsec-protected traffic, 381
online
MFF ARP packet processing, 604
802.1X online user handshake, 124
portal authentication BAS-IP for portal
PKI online mode, 344 packets, 210
679
portal packet attributes configuration, 210 configuration, 305, 309, 314
RADIUS packet attributes configuration, 211 configuration restrictions, 308
uRPF configuration, 600 display, 314
packet filtering enable, 309
DHCP relay agent-based dynamic IPv4SG enable restrictions, 309
configuration, 559 event logging, 308
DHCP snooping-based dynamic IPv4SG expired password login, 307
configuration, 558 FIPS compliance, 308
DHCPv6 relay agent-based dynamic IPv6SG maintain, 314
configuration, 563
max user account idle time, 308
DHCPv6 snooping-based dynamic IPv6SG
parameter restrictions (global), 310
address binding configuration, 561
parameters (global), 310
DHCPv6 snooping-based dynamic IPv6SG
prefix binding configuration, 562 parameters (local user), 312
IPSG configuration, 552, 553, 557 parameters (super), 313
IPv6 ND attack defense configuration, 590 parameters (user group), 312
IPv6 ND attack defense RA guard password complexity checking, 306
configuration, 593, 595 password composition checking, 305
static IPv4SG configuration, 557 password expiration, 306, 306
static IPv6SG configuration, 560 password expiration early notification, 307
page password history, 307
portal authentication authenticated user password min length, 305
redirection, 196 password not displayed, 308
portal authentication page file password setting, 305
compression+saving rules, 195 password updating, 306, 306
portal authentication page request rules, 195 user first login, 307
portal authentication post request rules, 195 user login attempt limit, 307
pairwise CAK (MACsec), 622 user login control, 307
PAP path
MAC authentication method, 158 troubleshooting PKI storage path set failure, 376
parameter peer
AAA RADIUS class attribute as CAR host public key configuration, 328
parameter, 31 host public key entry, 329, 330
configuring SSH management host public key import from file, 329
parameters, 462
IPsec SA, 380
MACsec protection parameters, 629
IPsec-protected traffic, 381
password control parameters (global), 310
PKI digital certificate, 335
password control parameters (local user), 312
Perfect Forward Secrecy. See PFS
password control parameters (super), 313
periodic
password control parameters (user
group), 312 MFF periodic gateway probe, 606
password periodic 802.1X reauthentication, 106
SSH password authentication, 454 periodic MAC reauthentication, 155
SSH password-publickey authentication, 454 PFS (IKE), 419
PKI
SSH SCP+password authentication, 508
applications, 337
SSH Secure Telnet client configuration
(password authentication), 489 architecture, 336
SSH Secure Telnet server configuration CA digital certificate, 335
(password authentication), 481 CA policy, 336
SSH SFTP server configuration (password certificate export, 350
authentication), 499 certificate import/export configuration, 367
password control certificate obtain, 347
680
certificate removal, 351 specifying certificate request key pair, 342
certificate request, 344 specifying certificate request reception
certificate request abort, 347 authority, 341
certificate verification, 348 specifying certificate request URL, 341
certificate verification (CRL checking), 349 specifying intended purpuse for certificate, 343
certificate verification (w/o CRL specifying LDAP server, 342
checking), 350 specifying PKI entity name, 341
certificate-based access control specifying PKI protocol packets source IP
policy, 352, 365 address, 343
configuration, 335, 338, 353 specifying SCEP polling interval and maximum
CRL, 335 polling attempts, 342
digital certificate retrieval, usage, and specifying trusted CA, 341
maintenance, 337 policy
display, 353 AAA connection recording policy configuration, 60
domain configuration, 340 attack D&P defense policy, 529
entity configuration, 339 attack D&P defense policy (flood attack), 532
fingerprint of root CA certificate, 335 attack D&P defense policy (scanning attack), 531
FIPS compliance, 338 attack D&P defense policy (single-packet
local digital certificate, 335 attack), 530
MPLS L3VPN support, 337 attack D&P defense policy creation, 529
online certificate request (manual), 346 IPsec application to interface, 394
online certificate request mode IPsec configuration (manual), 390
(automatic), 345 IPsec IKEv2 configuration, 446
OpenCA server certificate request, 359 IPsec policy (IKE-based/direct), 392
peer digital certificate, 335 IPsec policy (IKE-based/template), 393
public key management, 325 IPsec policy configuration (IKE-based), 391
RA digital certificate, 335 IPsec QoS pre-classify enable, 397
RSA Keon CA server certificate request, 353 IPsec source interface policy bind, 397
SSH server PKI domain, 464 IPsec transform set configuration, 388
storage path, 344 IPv6 ND attack defense RA guard logging
submitting certificate request in offline enable, 595
mode, 346 IPv6 ND attack defense RA guard policy, 594
terminology, 335 MAC authentication user account policies, 146
troubleshoot CA certificate import failure, 375 password control configuration, 305, 309, 314
troubleshoot CA certificate obtain failure, 372 PKI CA policy, 336
troubleshoot certificate export failure, 376 PKI certificate-based access control policy, 352
troubleshoot configuration, 372 portal authentication extended functions, 183
troubleshoot CRL obtain failure, 374 portal authentication policy server, 184
troubleshoot local certificate import portal preauthentication domain, 198
failure, 375 SSL client policy configuration, 522
troubleshoot local certificate obtain SSL server policy configuration, 521
failure, 373 port
troubleshoot local certificate request 802.1X Auth-Fail VLAN, 116
failure, 373
802.1X Auth-Fail VLAN (port-based access
troubleshoot storage path set failure, 376 control), 99
Windows 2003 CA server certificate request 802.1X Auth-Fail VSI, 119
configuration, 356
802.1X authorization VLAN port manipulation, 97
Windows 2003 CA server IKE
802.1X critical VLAN, 117
negotiation+RSA digital signature, 363
802.1X critical VLAN (port-based access
PKI domain
control), 100
creation, 340
802.1X critical voice VLAN, 117
root CA certificate verification fingerprint, 342
681
802.1X critical voice VLAN (port-based 802.1X authentication guest VSI+authorization
access control), 102 VSI configuration (MAC-based), 138
802.1X critical VSI, 119 802.1X authentication+ACL assignment
802.1X guest VLAN, 114 configuration, 136
802.1X guest VLAN (port-based access 802.1X authentication+EAD assistant
control), 98 configuration (DHCP relay agent), 140
802.1X guest VSI, 118 802.1X authentication+EAD assistant
ARP attack detection user validity check configuration (DHCP server), 143
ingress port, 578 802.1X authorization state, 111
cross-subnet portal authentication 802.1X authorization status, 88
configuration, 225 802.1X authorization VLAN configuration, 133
direct portal authentication configuration, 215 802.1X basic configuration, 131
direct portal authentication configuration (local 802.1X concurrent port users max, 123
portal Web service), 253 802.1X configuration, 108, 108
extended cross-subnet portal authentication 802.1X controlled/uncontrolled port, 88
configuration, 237 802.1X guest VLAN configuration, 133
extended direct portal authentication 802.1X mandatory port authentication
configuration, 229 domain, 111
extended re-DHCP portal authentication 802.1X overview, 88
configuration, 232
authentication modes, 273
MAC authentication, 156, 172
authorization-fail-offline, 284
MAC authentication (local), 172
client macAddressElseUserLoginSecure
MAC authentication (RADIUS-based), 175 configuration, 294
MAC authentication authorization VLAN port client userLoginWithOUI configuration, 291
manipulation, 149
configuration, 273, 276, 289
MAC authentication concurrent port users
configuration restrictions, 276
max, 167
display, 289
MAC authentication configuration, 146
dynamic secure MAC, 281
MAC authentication critical VLAN, 162
enable, 277
MAC authentication critical voice VLAN, 163
enable restrictions, 277
MAC authentication critical VSI, 164
escape critical VSI, 287
MAC authentication delay, 168
escape critical VSI configuration restrictions, 287
MAC authentication guest VLAN, 161
features, 273
MAC authentication guest VSI, 163
functions, 273
MAC authentication multi-VLAN mode, 167
intrusion protection, 282
MFF network port, 604, 605
intrusion protection configuration restrictions, 282
MFF port roles, 603
intrusion protection feature, 273
MFF user port, 603
MAC address autoLearn configuration, 289
portal authentication
configuration, 183, 189, 215 MAC address learning control, 274
portal authentication interface NAS-ID MAC address limit per port VLAN, 284
profile, 212 MAC address limit per port VLAN restrictions, 285
portal authentication server detection+user MAC authentication, 275
synchronization configuration, 240 MAC move configuration restrictions, 283
re-DHCP portal authentication MAC move enable, 283
configuration, 221 MAC+802.1X authentication, 275
security. See port security mode configuration restrictions, 277
SSH server port, 457 mode set, 277
port security NAS-ID profile application, 286
802.1X access control method, 111 NAS-ID profile application restrictions, 286
802.1X authentication, 275 NTK configuration, 281
802.1X authentication configuration, 131 NTK configuration restrictions, 281
682
NTK feature, 273 enabling logging for portal user login/logout, 213
open authentication mode configuration extended cross-subnet configuration, 237
restrictions, 285 extended direct configuration, 229
open authentication mode enable, 285 extended functions, 183
secure MAC address add, 280 extended re-DHCP configuration, 232
secure MAC address configuration, 279 fail-permit configuration, 206
secure MAC address inactivity aging, 280 file name rules, 194
secure MAC address port limit, 278 filtering rules, 188
server authorization information ignore, 282 interface NAS-ID profile, 212
SNMP notification enable, 288 local portal service configuration, 194
troubleshoot, 298 local portal Web service, 185
troubleshoot mode cannot be set, 298 local portal Web service parameter
troubleshoot secure MAC addresses, 299 configuration, 196
user logging enable, 288 maintain, 214
user logging enable restrictions, 288 modes, 185
portal NAS-Port-Id attribute format, 211
user profile configuration, 300 NAS-Port-Type attribute configuration, 212
Web authentication local portal Web online user logout, 213
server, 259 page customization, 194
portal authentication page file compression+saving rules, 195
AAA server, 184 page request rules, 195
access device, 184 policy server, 184
access device ID, 211 portal authorization strict-checking mode, 205
advantages, 183 portal user preauthentication IP address pool, 199
allowing only DHCP users to pass portal-free rule configuration, 201
authentication, 205 post request rules, 195
authenticated user redirection, 196 process, 186
authentication destination subnet, 202 re-DHCP configuration, 221
authentication source subnet, 202 re-DHCP+preauthentication domain
BAS-IP, 210 configuration, 250
checking category-2 portal filtering rule remote portal Web server configuration, 192
issuing, 204 remote server configuration, 191
client, 184 roaming enable, 206
client Rule ARP entry feature enable, 214, 214 server, 184
configuration, 183, 189, 215 server detection, 208
cross-subnet configuration, 225 server detection+user synchronization
cross-subnet for MPLS L3VPN configuration, 240
configuration, 246 system, 183
detection, 207 system component interaction, 184
direct authentication+preauthentication troubleshoot, 256
domain configuration, 248
troubleshoot cannot log out users (access
direct configuration, 215 device), 256
direct configuration (local portal Web troubleshoot cannot log out users (RADIUS
service), 253 server), 257
direct/cross-subnet authentication process troubleshoot no page pushed for users, 256
(CHAP/PAP authentication), 186
troubleshoot users cannot log in (re-DHCP), 258
display, 214
troubleshoot users logged out still exist on
domain configuration, 198 server, 257
domain specification, 200 URL redirection match rules, 193
EAP support, 188 user access control, 201
enable (interface), 197 user online detection, 207
683
user setting max, 204 configuring 802.1X Auth-Fail VLAN, 116
user synchronization configuration, 209 configuring 802.1X Auth-Fail VSI, 119
Web proxy support, 203 configuring 802.1X authorization VLAN, 133
Web redirect configuration, 214 configuring 802.1X basics, 131
Web server detection configuration, 208 configuring 802.1X critical VLAN, 117
Web server specify (interface), 198 configuring 802.1X critical VSI, 119
portal filtering rule configuring 802.1X EAD assistant, 128
portal authentication category-2 portal filtering configuring 802.1X guest VLAN, 114, 133
rule issuing check, 204 configuring 802.1X guest VSI, 118
power-up self-test, 611 configuring 802.1X guest VSI+authorization VSI
prerequisites (MAC-based), 138
IPsec IKE, 420 configuring 802.1X MAC address binding, 128
preshared key (PSK) configuring 802.1X offline detection, 125
MACsec configuration, 627 configuring 802.1X online user handshake, 124
preventing configuring 802.1X protocol packet VLAN tag
attack detection and prevention. See attack removal, 126
D&P configuring 802.1X reauthentication, 113
TCP attack prevention configuration, 551 configuring 802.1X unauthenticated user
priority aging, 120
AAA RADIUS packet DSCP priority setting, 30 configuring AAA, 14
MACsec MKA key server priority, 628 configuring AAA connection recording policy, 60
procedure configuring AAA device ID, 60
adding port security secure MAC address, 280 configuring AAA device management user
allowing DHCP users to pass portal attributes, 15
authentication, 205 configuring AAA EAP profile, 21
allowing only DHCP users to pass portal configuring AAA HWTACACS, 40
authorization (interface), 205 configuring AAA HWTACACS server SSH
applying attack D&P policy application user, 63
(device), 537 configuring AAA HWTACACS stop-accounting
applying IPsec policy to interface, 394 packet buffering, 47
applying IPv6 ND attack defense RA guard configuring AAA ISP domain accounting
policy, 594 method, 57
applying port security NAS-ID profile, 286 configuring AAA ISP domain attribute, 54
applying portal authentication interface configuring AAA ISP domain authentication
NAS-ID profile, 212 method, 55
authenticating with 802.1X EAP relay, 92 configuring AAA ISP domain authorization
authenticating with 802.1X EAP termination attribute, 54
mode, 93 configuring AAA ISP domain authorization
binding IPsec source interface to policy, 397 method, 56
changing SFTP directory name, 472 configuring AAA ISP domain method, 55
changing SFTP file name, 473 configuring AAA LDAP, 48
changing SFTP working directory, 472 configuring AAA LDAP administrator
attributes, 49
checking category-2 portal filtering rule
issuing, 204 configuring AAA LDAP attribute map, 51
configuring 802.1X, 108 configuring AAA LDAP server IP address, 48
configuring 802.1X authentication trigger, 122 configuring AAA LDAP server SSH user
authentication, 70
configuring 802.1X authentication+ACL
assignment, 136 configuring AAA LDAP user attributes, 50
configuring 802.1X authentication+EAD configuring AAA local user, 14
assistant (DHCP relay agent), 140 configuring AAA local user auto-delete, 19
configuring 802.1X authentication+EAD configuring AAA NAS-ID, 59
assistant (DHCP server), 143
684
configuring AAA network access user configuring ARP filtering, 585, 586
attributes, 17 configuring ARP gateway protection, 584, 585
configuring AAA RADIUS, 20 configuring ARP packet rate limit, 568
configuring AAA RADIUS accounting-on, 36 configuring ARP packet source MAC consistency
configuring AAA RADIUS attribute 31 MAC check, 571
address format, 32 configuring ARP scanning+fixed ARP, 583
configuring AAA RADIUS attribute configuring ARP sender IP address
translation, 32 checking, 587, 587
configuring AAA RADIUS attribute translation configuring attack D&P, 529
(DAS), 33 configuring attack D&P (device application), 546
configuring AAA RADIUS attribute translation configuring attack D&P defense policy, 529
(single scheme), 33
configuring attack D&P defense policy (ACK flood
configuring AAA RADIUS DAE server attack), 532
(DAS), 37
configuring attack D&P defense policy (DNS flood
configuring AAA RADIUS Login-Service attack), 535
attribute check method, 31
configuring attack D&P defense policy (FIN flood
configuring AAA RADIUS server 802.1X attack), 533
user, 73
configuring attack D&P defense policy (flood
configuring AAA RADIUS server SSH user attack), 532
authentication+authorization, 67
configuring attack D&P defense policy (HTTP
configuring AAA RADIUS server status flood attack), 536
detection test profile, 22
configuring attack D&P defense policy (ICMP
configuring AAA RADIUS session-control, 37 flood attack), 534
configuring AAA RADIUS stop-accounting configuring attack D&P defense policy (ICMPv6
packet buffering, 34 flood attack), 534
configuring AAA SSH user local configuring attack D&P defense policy (RST flood
authentication+HWTACACS attack), 534
authorization+RADIUS accounting, 65
configuring attack D&P defense policy (scanning
configuring AAA test, 61 attack), 531
configuring AAA user group attributes, 19 configuring attack D&P defense policy
configuring ARP active (single-packet attack), 530
acknowledgement, 571 configuring attack D&P defense policy (SYN flood
configuring ARP attack detection, 574 attack), 532
configuring ARP attack detection (source configuring attack D&P defense policy (SYN-ACK
MAC-based), 569, 570 flood attack), 533
configuring ARP attack detection packet configuring attack D&P defense policy (UDP flood
validity check, 576 attack), 535
configuring ARP attack detection restricted configuring attack D&P detection exemption, 536
forwarding, 577 configuring attack D&P IP blacklist, 539, 549
configuring ARP attack detection user validity configuring attack D&P login attack
check, 575 prevention, 540
configuring ARP attack protection, 565 configuring attack D&P policy application
configuring ARP attack protection (interface), 537
(unresolvable IP attack), 565, 567 configuring attack D&P TCP fragment attack
configuring ARP attack protection prevention, 538
(user+packet validity check), 580 configuring Auth-Fail VLAN, 266
configuring ARP attack protection blackhole configuring authorized ARP (DHCP relay
routing (unresolvable IP attack), 566 agent), 573
configuring ARP attack protection restricted configuring authorized ARP (DHCP server), 572
forwarding, 581
configuring authorized ARP configuration, 572
configuring ARP attack protection source
configuring cross-subnet portal
suppression (unresolvable IP attack), 566
authentication, 225
configuring ARP attack protection user validity
check, 579
685
configuring cross-subnet portal authentication configuring IPsec IKE SA max, 429
for MPLS L3VPN, 246 configuring IPsec IKE SNMP notification, 429
configuring destination-based portal-free configuring IPsec IKEv2 DPD, 449
rule, 201 configuring IPsec IKEv2 global parameters, 449
configuring DHCP relay agent-based configuring IPsec IKEv2 keychain, 448
IPv4SG, 559
configuring IPsec IKEv2 NAT keepalive, 450
configuring DHCP snooping-based dynamic
configuring IPsec IKEv2 policy, 446
IPv4SG, 558
configuring IPsec IKEv2 profile, 442
configuring DHCPv6 relay agent-based
dynamic IPv6SG, 563 configuring IPsec IKEv2 proposal, 447
configuring DHCPv6 snooping-based configuring IPsec IPv6 routing protocol profile
dynamic IPv6SG address bindings, 561 (manual), 400
configuring DHCPv6 snooping-based configuring IPsec packet DF bit, 398
dynamic IPv6SG prefix bindings, 562 configuring IPsec policy (IKE-based), 391
configuring direct portal authentication, 215 configuring IPsec policy (IKE-based/direct), 392
configuring direct portal authentication (local configuring IPsec policy
portal Web service), 253 (IKE-based/template), 393
configuring direct portal configuring IPsec policy (manual), 390
authentication+preauthentication domain, 248 configuring IPsec RIPng, 409
configuring extended cross-subnet portal configuring IPsec RRI, 399, 413
authentication, 237 configuring IPsec SNMP notification, 403
configuring extended direct portal configuring IPsec transform set, 388
authentication, 229 configuring IPsec tunnel for IPv4 packets
configuring extended re-DHCP portal (IKE-based), 433
authentication, 232 configuring IPsec tunnel for IPv4 packets
configuring global IPsec IKE DPD, 428 (manual), 404
configuring global IPsec SA lifetime and idle configuring IPSG, 553
timeout, 401 configuring IPv4SG, 554
configuring IKE keychain or PKI configuring IPv4SG static binding, 554
domain, 421, 443
configuring IPv4SG static binding (global), 555
configuring IKE phase 1 negotiation
configuring IPv4SG static binding (on
mode, 422
interface), 555
configuring IKE profile optional features, 423
configuring IPv6 destination guard, 597
configuring IKE-based IPsec tunnel for IPv4
packets, 407 configuring IPv6 ND attack defense, 590
configuring IKEv2 profile optional configuring IPv6 ND attack defense RA
features, 445 guard, 593, 595
configuring IP-based portal-free rule, 201 configuring IPv6 ND attack defense RA guard
policy, 594
configuring IPsec ACL, 385
configuring IPv6 ND attack detection, 591
configuring IPsec anti-replay, 395
configuring IPv6SG, 555
configuring IPsec anti-replay redundancy, 396
configuring IPv6SG static binding, 556
configuring IPsec for IPv6 routing
protocols, 400 configuring IPv6SG static binding (global), 556
configuring IPsec fragmentation, 402 configuring IPv6SG static binding (on
interface), 556
configuring IPsec IKE (main mode+preshared
key authentication), 430 configuring keychain, 318, 318, 319, 319
configuring IPsec IKE global identity configuring local ID for IKE profile, 423
information, 426 configuring local ID for IKEv2 profile, 443
configuring IPsec IKE keepalive, 427 configuring local portal authentication
service, 194
configuring IPsec IKE keychain, 425
configuring MAC authentication, 156
configuring IPsec IKE NAT keepalive, 427
configuring MAC authentication (local), 172
configuring IPsec IKE profile, 421
configuring MAC authentication
configuring IPsec IKE proposal, 424
(RADIUS-based), 175
686
configuring MAC authentication ACL configuring PKI certificate-based access control
assignment, 177 policy, 352, 365
configuring MAC authentication authorization configuring PKI domain, 340
VSI assignment, 180 configuring PKI entity, 339
configuring MAC authentication critical configuring PKI online certificate request
VLAN, 162 (manual), 346
configuring MAC authentication critical configuring PKI OpenCA server certificate
VSI, 164 request, 359
configuring MAC authentication delay, 168 configuring PKI RSA Keon CA server certificate
configuring MAC authentication guest request, 353
VLAN, 161 configuring PKI Windows 2003 CA server
configuring MAC authentication guest certificate request, 356
VSI, 163 configuring PKI Windows 2003 CA server IKE
configuring MAC authentication multi-VLAN negotiation+RSA digital signature, 363
mode, 167 configuring port security, 276
configuring MAC authentication offline configuring port security client
detection, 165 macAddressElseUserLoginSecure, 294
configuring MAC authentication timer, 159 configuring port security client
configuring MAC authentication userLoginWithOUI, 291
unauthenticated user aging, 164 configuring port security intrusion protection, 282
configuring MAC authentication user account configuring port security MAC address
format, 159 autoLearn, 289
configuring MACsec, 626 configuring port security NTK, 281
configuring MACsec (client-oriented), 632 configuring port security secure MAC
configuring MACsec (device-oriented), 635 addresses, 279
configuring MACsec MKA key server configuring portal authentication, 189
priority, 628 configuring portal authentication destination
configuring MACsec preshared key, 627 subnet, 202
configuring MACsec protection configuring portal authentication detection, 207
parameters, 629 configuring portal authentication fail-permit, 206
configuring MACsec protection parameters configuring portal authentication local portal Web
(interface view), 629 service parameter, 196
configuring MACsec protection parameters configuring portal authentication portal-free
(MKA policy), 630 rule, 201
configuring MFF, 604 configuring portal authentication server
configuring MFF (in ring network), 608 BAS-IP, 210
configuring MFF (in tree network), 607 configuring portal authentication server BAS-IP
configuring MFF network port, 605 (interface), 210
configuring NAS-Port-Type attribute, 212 configuring portal authentication server
configuring NETCONF-over-SSH client user detection, 208
line, 459 configuring portal authentication server
configuring NETCONF-over-SSH+password detection+user synchronization, 240
authentication, 517 configuring portal authentication source
configuring password control, 309 subnet, 202
configuring peer host public key, 328 configuring portal authentication user online
detection, 207
configuring peer IDs for IKE profile, 421
configuring portal authentication user
configuring peer IDs for IKEv2 profile, 444
synchronization, 209
configuring periodic MAC
configuring portal authentication Web proxy
reauthentication, 160
support, 203
configuring PKI, 338
configuring portal authentication Web
configuring PKI certificate import/export, 367 redirect, 214
configuring PKI certificate request abort, 347 configuring portal authentication Web server
detection, 208
687
configuring portal packet attributes, 210 configuring SSH2 algorithms (public key), 479
configuring portal preauthentication configuring SSL, 520
domain, 198 configuring SSL client, 521
configuring portal RADIUS packet configuring SSL client policy, 522
attributes, 211 configuring SSL server, 520
configuring portal URL redirection match configuring SSL server policy, 521
rules, 193
configuring static IPv4SG, 557
configuring portal Web server basic
configuring static IPv6SG, 560
parameters, 192
configuring TCP attack prevention (Naptha
configuring re-DHCP portal
attack), 551
authentication, 221
configuring user profile (single user), 300
configuring re-DHCP portal
authentication+preauthentication domain configuring user profile+QoS policy, 301
configuration, 250 configuring Web authentication, 262
configuring remote portal authentication configuring Web authentication (local
server, 191 authentication server), 268
configuring remote portal authentication Web configuring Web authentication (RADIUS
server, 192 authentication server), 270
configuring Secure Telnet client user line, 459 configuring Web authentication proxy
configuring security password control, 314 support, 267
configuring source-based portal-free rule, 201 configuring Web authentication server, 263
configuring SSH client host public key, 459 configuring Web authentication user online
detection, 266
configuring SSH device as Secure Telnet
client, 465 configuring Web authentication-free subnet, 265
configuring SSH device as server, 456 controlling portal authentication user access, 201
configuring SSH device as SFTP client, 468 creating AAA HWTACACS scheme, 41
configuring SSH management creating AAA ISP domain, 52
parameters, 462 creating AAA ISP domain creation, 53
configuring SSH SCP (Suite B algorithm), 510 creating AAA LDAP scheme, 51
configuring SSH SCP client device, 474 creating AAA LDAP server, 48
configuring SSH SCP+password creating AAA RADIUS scheme, 23
authentication, 508 creating attack D&P defense policy, 529
configuring SSH Secure Telnet (128-bit Suite creating IPsec IKE profile, 421
B algorithm), 495 creating IPsec IKEv2 profile, 442
configuring SSH Secure Telnet client creating local key pair, 326
(password authentication), 489 creating PKI domain, 340
configuring SSH Secure Telnet client creating SFTP new directory, 473
(publickey authentication), 492
deleting SFTP directory, 473
configuring SSH Secure Telnet server
(publickey authentication), 483 deleting SFTP file, 473
configuring SSH Secure Telnet server deleting SSH SCP server public key, 477
configuration (password authentication), 481 deleting SSH Secure Telnet server public key, 468
configuring SSH SFTP (192-bit Suite B deleting SSH SFTP server public key, 471
algorithm), 504 destroying local key pair, 330
configuring SSH SFTP client (publickey disabling AAA RADIUS service, 39
authentication), 501 disabling IPv6 destination guard (globally), 598
configuring SSH SFTP server (password disabling IPv6 destination guard (on an
authentication), 499 interface), 598
configuring SSH user, 461 disabling SSL protocol version, 523
configuring SSH2 algorithms (encryption), 479 disabling SSL session renegotiation, 523
configuring SSH2 algorithms (key disconnecting SSH session, 464
exchange), 478 displaying 802.1X, 130
configuring SSH2 algorithms (MAC), 479 displaying AAA connection recording policy, 61
688
displaying AAA HWTACACS, 47 enabling 802.1X online user synchronization, 122
displaying AAA ISP domain, 59 enabling 802.1X user IP freezing, 127
displaying AAA LDAP, 52 enabling 802.1X user logging, 130
displaying AAA local users/user groups, 20 enabling AAA RADIUS server load sharing, 35
displaying AAA RADIUS, 40 enabling AAA RADIUS SNMP notification, 38
displaying ARP attack detection, 578 enabling AAA RADIUS stop-accounting packet
displaying ARP attack detection (source forcibly sending, 35
MAC-based), 570 enabling ARP attack detection logging, 578
displaying ARP attack protection enabling attack D&P log non-aggregation, 538
(unresolvable IP attack), 567 enabling attack D&P login delay, 540
displaying attack D&P, 540 enabling automatic online certificate request
displaying crypto engine, 610 mode, 345
displaying FIPS, 617 enabling IPsec ACL de-encapsulated packet
displaying host public key, 328 check, 395
displaying IPsec, 403 enabling IPsec IKE invalid SPI recovery, 428
displaying IPsec IKE, 430 enabling IPsec IKEv2 cookie challenge, 449
displaying IPsec IKEv2, 450 enabling IPsec packet logging, 402
displaying IPSG, 557 enabling IPsec QoS pre-classify, 397
displaying IPv4SG, 557 enabling IPv4SG on interface, 554
displaying IPv6 ND attack defense RA enabling IPv6 destination guard (globally), 598
guard, 595 enabling IPv6 destination guard (on an
displaying IPv6 ND attack detection, 593 interface), 598
displaying IPv6SG, 557 enabling IPv6 ND attack defense RA guard
displaying keychain, 319 logging, 595
displaying MAC authentication, 171 enabling IPv6 ND attack defense source MAC
consistency check, 591
displaying MACsec, 632
enabling IPv6SG on interface, 555
displaying MFF, 606
enabling logging for portal user login/logout, 213
displaying port security, 289
enabling MAC authentication, 157
displaying portal authentication, 214
enabling MAC authentication critical voice
displaying public key, 330
VLAN, 163
displaying security password control, 314
enabling MAC authentication online user
displaying security PKI, 353 synchronization, 166
displaying SFTP directory file, 472, 473 enabling MAC authentication user logging, 171
displaying SFTP working directory, 472 enabling MAC authentication+802.1X
displaying SSH, 480 authentication parallel processing, 170
displaying SSH SFTP help information, 474 enabling MACsec desire, 627
displaying SSL, 524 enabling MACsec MKA, 626
displaying uRPF, 602 enabling MACsec MKA session logging, 631
displaying user profile, 300 enabling MFF, 605
displaying Web authentication, 268 enabling MFF periodic gateway probe, 606
distributing local host public key, 327 enabling ND attack detection logging, 592
downloading SFTP file+local save, 473 enabling NETCONF-over-SSH, 459
enabling 802.1X, 110 enabling password control, 309
enabling 802.1X critical voice VLAN, 117 enabling port security, 277
enabling 802.1X EAP relay, 110 enabling port security
enabling 802.1X EAP termination, 110 authorization-fail-offline, 284
enabling 802.1X guest VLAN assignment enabling port security dynamic secure MAC, 281
delay, 115 enabling port security escape critical VSI, 287
enabling 802.1X guest VSI assignment enabling port security MAC move, 283
delay, 118 enabling port security open authentication
mode, 285
689
enabling port security secure MAC address establishing SSH SFTP server connection, 470
inactivity aging, 280 establishing SSH SFTP server connection (Suite
enabling port security SNMP notification, 288 B), 472
enabling port security user logging, 288 exiting FIPS mode, 616
enabling portal authentication (interface), 197 exiting FIPS mode (automatic reboot), 616, 620
enabling portal authentication client Rule ARP exiting FIPS mode (manual reboot), 616, 620
entry feature, 214 exporting host public key, 327
enabling portal authentication client Rule ND exporting PKI certificate, 350
entry feature, 214 generating SCP client local key pair, 475
enabling portal authorization strict-checking generating Secure Telnet client local key pair, 465
mode, 205
generating SFTP client local key pair, 469
enabling portal authorization strict-checking
generating SSH server local key pair, 457
mode (interface), 205
ignoring ARP attack detection user validity check
enabling security portal authentication
ingress port, 578
roaming, 206
ignoring port security server authorization
enabling SSH algorithm renegotiation+key
information, 282
re-exchange, 462
implementing IPsec (ACL-based), 384
enabling SSH login control ACL attempts
denied logging, 463 importing peer host public key from file, 329
enabling SSH SCP server, 458 importing public key from file, 332
enabling SSH Secure Telnet server, 458 importing SSH client host public key, 460
enabling SSH server support for SSH1 including AAA ISP domain idle timeout period in
clients, 462 user online duration, 55
enabling SSH SFTP server, 458 including MAC authentication request user IP
address, 169
enabling the captive-bypass feature, 192
interpreting AAA RADIUS class attribute as CAR
enabling uRPF (global), 601
parameter, 31
enabling uRPF (interface), 601
limiting port security secure MAC addresses, 278
enabling Web authentication, 264
logging off 802.1X user, 130
entering FIPS mode (automatic
logging off MAC authentication user, 171
reboot), 613, 617
logging out portal authentication online users, 213
entering FIPS mode (manual
reboot), 613, 618 maintaining 802.1X, 130
entering peer host public key, 329 maintaining AAA HWTACACS, 47
entering SSH client host public key, 460 maintaining AAA RADIUS, 40
establishing IPv4 Secure Telnet server maintaining ARP attack detection, 578
connection, 466 maintaining attack D&P, 540
establishing IPv4 SFTP server maintaining crypto engine, 610
connection, 470 maintaining IPsec, 403
establishing IPv6 Secure Telnet server maintaining IPsec IKE, 430
connection, 467 maintaining IPsec IKEv2, 450
establishing IPv6 SFTP server maintaining IPv6 destination guard, 598
connection, 471 maintaining IPv6 ND attack defense RA
establishing SSH IPv4 SCP server guard, 595
connection, 476 maintaining IPv6 ND attack detection, 593
establishing SSH IPv6 SCP server maintaining MAC authentication, 171
connection, 477
maintaining MACsec, 632
establishing SSH SCP server connection, 476
maintaining portal authentication, 214
establishing SSH SCP server connection
(Suite B), 478 maintaining security password control, 314
establishing SSH Secure Telnet server obtaining PKI certificate, 347
connection, 466 removing PKI certificate, 351
establishing SSH Secure Telnet server requesting PKI certificate request, 344
connection (Suite B), 468
690
sending 802.1X Auth-Fail VLAN/VSI user setting SSH authentication attempt max
EAP-Success packet, 121 number, 463
sending 802.1X critical VLAN/VSI user setting SSH online user max number, 464
EAP-Success packet, 121 setting SSH server packet DSCP value, 463
setting 802.1X authentication request setting SSH SFTP connection idle timeout
attempts max, 123 timer, 464
setting 802.1X authentication timeout setting SSH update interval for RSA server key
timer, 112 pair, 462
setting 802.1X concurrent port users max, 123 setting SSH user authentication timeout
setting 802.1X MAC user authentication timer, 463
attempts max, 127 setting Web authentication redirection wait
setting 802.1X port authorization state, 111 time, 265
setting 802.1X quiet timer, 114 setting Web authentication users max, 266
setting 802.1X server-side EAP-TLS fragment settingAAA RADIUS packet DSCP priority, 30
maximum size, 129 specifying 802.1X access control method, 111
setting AAA concurrent login user max, 59 specifying 802.1X mandatory port authentication
setting AAA HWTACACS timer, 44 domain, 111
setting AAA HWTACACS traffic statistics specifying 802.1X supported domain name
unit, 46 delimiter, 126
setting AAA HWTACACS username specifying AAA default ISP domain, 53
format, 46 specifying AAA HWTACACS accounting
setting AAA ISP domain status, 54 server, 42
setting AAA LDAP server timeout period, 49 specifying AAA HWTACACS authentication
setting AAA RADIUS real-time accounting server, 41
attempts max, 30 specifying AAA HWTACACS authorization
setting AAA RADIUS Remanent_Volume server, 41
attribute data measurement unit, 32 specifying AAA HWTACACS outgoing packet
setting AAA RADIUS request transmission source interface (all schemes), 45
attempts max, 30 specifying AAA HWTACACS outgoing packet
setting AAA RADIUS server status, 25 source interface (single scheme), 46
setting AAA RADIUS timer, 27 specifying AAA HWTACACS outgoing packet
setting AAA RADIUS traffic statistics unit, 29 source IP address, 45
setting AAA RADIUS username format, 29 specifying AAA HWTACACS outgoing packet
source IP address (all schemes), 45
setting IPsec tunnel max, 402
specifying AAA HWTACACS outgoing packet
setting MAC authentication concurrent port
source IP address (single scheme), 46
users max, 167
specifying AAA HWTACACS scheme VPN
setting MACsec MKA life time, 629
instance, 43
setting password control parameters
specifying AAA HWTACACS shared keys, 43
(global), 310
specifying AAA ISP domain for users that are
setting password control parameters (local
assigned to nonexistent domains, 53
user), 312
specifying AAA LDAP attribute map for
setting password control parameters
authorization, 52
(super), 313
specifying AAA LDAP authentication server, 51
setting password control parameters (user
group), 312 specifying AAA LDAP authorization server, 51
setting port security MAC addresses limit per specifying AAA LDAP version, 48
port VLAN, 284 specifying AAA RADIUS accounting server, 24
setting port security mode, 277 specifying AAA RADIUS authentication server, 23
setting portal authentication users max, 204 specifying AAA RADIUS outgoing packet source
setting portal authentication users max interface (all schemes), 28
(global), 204 specifying AAA RADIUS outgoing packet source
setting portal authentication users max interface (single scheme), 29
(interface), 204
691
specifying AAA RADIUS outgoing packet specifying SSH Secure Telnet outgoing packet
source IP address, 28 source IP address, 465
specifying AAA RADIUS outgoing packet specifying SSH server PKI domain, 464
source IP address (all schemes), 28 specifying SSH server port, 457
specifying AAA RADIUS outgoing packet specifying SSH SFTP outgoing packet source IP
source IP address (single scheme), 29 address, 469
specifying AAA RADIUS scheme VPN specifying SSH user connection control ACL, 463
instance, 25 specifying SSH2 algorithms, 478
specifying AAA RADIUS server selection specifying trusted CA, 341
mode for reauthentication, 36
specifying Web authentication domain, 264
specifying AAA RADIUS shared keys, 25
submitting PKI certificate request in offline
specifying certificate intended purpuse, 343 mode, 346
specifying certificate request key pair, 342 terminating SSH SFTP server connection, 474
specifying certificate request reception triggering FIPS self-test, 615
authority, 341
troubleshooting 802.1X EAD assistant URL
specifying certificate request URL, 341 redirection failure, 145
specifying HTTPS redirect listening port troubleshooting AAA LDAP authentication
number, 193, 263, 263 failure, 80
specifying IKE proposals for IKE profile, 422 troubleshooting AAA RADIUS accounting
specifying inside VPN instance for IKE error, 79
profile, 423 troubleshooting AAA RADIUS authentication
specifying inside VPN instance for IKEv2 failure, 78
profile, 445 troubleshooting AAA RADIUS packet delivery
specifying IPv6 ND attack defense device failure, 79
role, 593 troubleshooting IPsec IKE negotiation failure (no
specifying LDAP server, 342 proposal match), 435
specifying MAC authentication domain, 158 troubleshooting IPsec IKE negotiation failure (no
specifying MAC authentication method, 158 proposal or keychain specified correctly), 436
specifying MACsec encryption cipher troubleshooting IPsec IKEv2 negotiation failure
suite, 627 (no proposal match), 451
specifying MFF server IP address, 606 troubleshooting IPsec SA negotiation failure
specifying PKI entity name, 341 (invalid identity info), 437
specifying PKI protocol packets source IP troubleshooting IPsec SA negotiation failure (no
address, 343 transform set match), 437, 451
specifying PKI storage path, 344 troubleshooting IPsec SA negotiation failure
specifying portal authentication access device (tunnel failure), 452
ID, 211 troubleshooting MACsec device cannot establish
specifying portal authentication domain, 200 MKA session, 638
specifying portal authentication domain troubleshooting PKI CA certificate import
(interface), 200 failure, 375
specifying portal authentication NAS-Port-Id troubleshooting PKI CA certificate obtain
attribute format, 211 failure, 372
specifying portal authentication Web server troubleshooting PKI certificate export failure, 376
(interface), 198 troubleshooting PKI CRL obtain failure, 374
specifying portal user preauthentication IP troubleshooting PKI local certificate import
address pool, 199 failure, 375
specifying root CA certificate verification troubleshooting PKI local certificate obtain
fingerprint, 342 failure, 373
specifying SCEP polling interval and troubleshooting PKI local certificate request
maximum polling attempts, 342 failure, 373
specifying SSH SCP outgoing packet source troubleshooting PKI storage path set failure, 376
IP address, 475 troubleshooting port security mode cannot be
set, 298
692
troubleshooting port security secure MAC 802.1X protocol packet VLAN tag removal, 126
addresses, 299 AAA, 13
troubleshooting portal authentication cannot AAA HWTACACS, 5, 13
log out users (access device), 256 AAA LDAP, 8, 13
troubleshooting portal authentication no page AAA RADIUS, 2, 13
pushed for users, 256
IPsec, 384
troubleshooting portal authentication users
IPsec IKE, 419
cannot log in (re-DHCP), 258
IPsec IKEv2, 441
troubleshooting portal authentication users
logged out still exist on server, 257 IPsec IPv6 routing protocols configuration, 400
troubleshooting security portal authentication IPsec security protocol 50 (ESP), 378
cannot log out users (RADIUS server), 257 IPsec security protocol 51 (AH), 378
troubleshooting Web authentication failure to MACsec, 625
come online, 272 MFF, 604
uploading SFTP local file, 473 SSL configuration, 519, 520
verifying IPv6 destination guard, 598 SSL protocol stack, 519
verifying PKI certificate, 348 proxying
verifying PKI certificate verification (CRL Web authentication proxy support, 267
checking), 349 public key
verifying PKI certificate verification (w/o CRL display, 330
checking), 350 file import, 332
working with SSH SFTP directories, 472 FIPS compliance, 325
working with SSH SFTP files, 473 host public key display, 328
process host public key export, 327
AAA LDAP authentication, 9 local host public key distribution, 327
AAA LDAP authorization process, 10 local key pair creation, 326
processing local key pair creation restrictions, 326
MAC authentication+802.1X authentication local key pair destruction, 330
parallel processing, 170
management, 325, 330
profile
peer host public key configuration, 328
AAA RADIUS server status detection test
profile, 22 peer host public key entry, 329, 330
IPsec IKE configuration, 421 peer host public key import from file, 329
IPsec IKEv2 configuration, 442 SSH client host public key configuration, 459
IPsec IPv6 routing protocol profile SSH password-publickey authentication, 454
(manual), 400 SSH publickey authentication, 454
port security NAS-ID profile, 286 SSH SCP server public key deletion, 477
proposal SSH Secure Telnet server configuration
(publickey authentication), 483
IPsec IKE proposal, 424
SSH Secure Telnet server public key
IPsec IKEv2 proposal configuration, 447
deletion, 468
troubleshooting IPsec IKE negotiation failure
(no proposal match), 435 SSH SFTP client configuration (publickey
authentication), 501
troubleshooting IPsec IKE negotiation failure
(no proposal specified correctly), 436 SSH SFTP server public key deletion, 471
SSH user configuration, 461
troubleshooting IPsec IKEv2 negotiation
failure (no proposal match), 451 SSH v client configuration (publickey
protecting authentication), 492
ARP attack protection configuration, 565 Public Key Infrastructure. Use PKI
ARP gateway protection, 585 Q
MACsec replay protection, 622, 623 QoS
protocols and standards IPsec QoS pre-classify enable, 397
802.1X overview, 88 quiet
693
802.1X timer, 114 maintain, 40
MAC authentication quiet timer, 159 NAS-Port-Type attribute, 212
R outgoing packet source interface (all
schemes), 28
RA outgoing packet source interface (single
IPv6 ND attack defense device role, 593 scheme), 29
IPv6 ND attack defense RA guard outgoing packet source IP address, 28
configuration, 593, 595 outgoing packet source IP address (all
IPv6 ND attack defense RA guard logging schemes), 28
enable, 595 outgoing packet source IP address (single
IPv6 ND attack defense RA guard policy, 594 scheme), 29
PKI architecture, 336 packet DSCP priority setting, 30
PKI certificate, 335 packet exchange process, 3
RADIUS packet format, 4
802.1X authentication+redirect URL port security macAddressWithRadius, 275
assignment, 106 port security NAS-ID profile, 286
802.1X EAP over RADIUS, 91 portal authentication interface NAS-ID profile, 212
802.1X EAP relay enable, 110 portal authentication NAS-Port-Id attribute
802.1X EAP termination enable, 110 format, 211
AAA Appendix A, commonly used protocols and standards, 13
attributes, 80 real-time accounting attempts max, 30
AAA Appendix C, subattributes (vendor ID Remanent_Volume attribute data measurement
25506), 84 unit, 32
AAA configuration, 1, 14, 63 request transmission attempts max, 30
AAA implementation, 2 scheme creation, 23
AAA local user configuration, 14 scheme VPN instance specification, 25
AAA VPN implementation, 13 server 802.1X user AAA, 73
accounting server, 24 server load sharing, 35
accounting-on configuration, 36 server selection mode for reauthentication, 36
attribute MAC address format, 32 server status, 25
attribute translation, 32 server status detection test profile, 22
attribute translation (DAS), 33 service disable, 39
attribute translation (single scheme), 33 session-control, 37
authentication server, 23 shared keys, 25
class attribute as CAR parameter, 31 SNMP notification enable, 38
client/server model, 2 SSH user authentication+authorization, 67
common standard attributes, 82 SSH user local authentication+HWTACACS
configuration, 20 authorization+RADIUS accounting, 65
DAE server (DAS), 37 stop-accounting packet buffering, 34
display, 40 stop-accounting packet forcibly sending, 35
extended attributes, 5 timer set, 27
HWTACACS/RADIUS differences, 5 traffic statistics units, 29
information exchange security, 2 troubleshooting accounting error, 79
Login-Service attribute check method, 31 troubleshooting authentication failure, 78
MAC authentication (RADIUS-based), 175 troubleshooting packet delivery failure, 79
MAC authentication authorization VLAN, 147 troubleshooting security portal authentication
MAC authentication authorization VSI, 152 cannot log out users (RADIUS server), 257
MAC authentication blackhole attribute user authentication methods, 3
assignment, 155 username format, 29
MAC authentication method, 147 Web authentication configuration (RADIUS
MAC authentication redirect URL authentication server), 270
assignment, 154 RADIUS scheme
694
AAA EAP profile, 21 AAA remote authentication, 11
rate limiting AAA remote authentication configuration, 14
ARP packet rate limit, 568 AAA remote authorization method, 11
real-time Remote Authentication Dial-In User Service.
AAA HWTACACS real-time accounting Use RADIUS
timer, 44 remote server
AAA RADIUS real-time accounting attempts portal authentication configuration, 191
max, 30 remote VLAN
AAA RADIUS real-time accounting timer, 27 MAC authentication remote VLAN
reauthentication authorization, 147
AAA RADIUS RADIUS server selection removing
mode, 36 802.1X protocol packet VLAN tag, 126
rebooting PKI certificate, 351
FIPS mode (automatic reboot), 620 request
FIPS mode (manual reboot), 620 PKI certificate request abort, 347
FIPS mode entry (manual reboot), 618 requesting
record protocol (SSL), 519 PKI certificate request, 344
recovering requirements
IPsec IKE invalid SPI recovery, 428 key pairs and passwords, 612
re-DHCP resource access restriction (portal authentication), 183
portal authentication mode, 186 restrictions
portal authentication mode (CHAP/PAP 802.1X authentication timeout timer, 112
authentication), 187 802.1X authentication trigger configuration, 123
portal authentication+preauthentication 802.1X Auth-Fail VLAN configuration, 116
domain configuration, 250
802.1X Auth-Fail VSI configuration, 119
redirect
802.1X configuration, 108
HTTPS redirect listening port
802.1X critical VLAN configuration, 117
number, 193, 263
802.1X critical voice VLAN enable, 117
redirecting
802.1X critical VSI configuration, 119
portal authentication Web redirect, 214
802.1X EAD assistant configuration, 128
Web authentication redirection wait time, 265
802.1X EAP relay enable, 110
redundancy
802.1X EAP termination enable, 110
IPsec anti-replay redundancy, 396
802.1X enable, 110
registration authority. Use RA
802.1X guest VLAN configuration, 114
rekeying
802.1X guest VSI configuration, 118
IKEv2 SA rekeying, 441
802.1X MAC address binding configuration, 128
relationship
802.1X online user handshake configuration, 124
IKE and IPsec, 417
802.1X protocol packet VLAN tag removal, 126
relay agent
802.1X quiet timer, 114
802.1X authentication+EAD assistant
configuration (DHCP relay agent), 140 802.1X reauthentication, 113
authorized ARP configuration (DHCP relay 802.1X supported domain name delimiters, 126
agent), 573 802.1X user logging configuration, 130
DHCP relay agent-based dynamic IPv4SG AAA ISP domain accounting method
configuration, 559 configuration, 57
DHCPv6 relay agent-based dynamic IPv6SG AAA ISP domain authentication method
configuration, 563 configuration, 55
remote AAA ISP domain authorization method
802.1X authorization VLAN, 95 configuration, 56
802.1X authorization VSI, 103 AAA ISP domain configuration, 53
802.1X remote VLAN authorization, 95 AAA RADIUS session-control configuration, 37
AAA remote accounting method, 11 AAA RADIUS timer configuration, 27
695
ARP attack detection restricted MAC authentication request user IP address
forwarding, 577 inclusion, 169
ARP attack protection filtering MAC authentication user logging
configuration, 585 configuration, 171
ARP attack protection gateway MAC authentication+802.1X authentication
protection, 584 parallel processing enable, 170
ARP attack protection packet rate limit MACsec hardware compatibility, 625
configuration, 568 MACsec MKA key server priority
ARP attack protection restricted configuration, 628
forwarding, 577 MACsec MKA session logging enable, 631
ARP attack protection restricted forwarding MACsec preshared key configuration, 627
configuration, 581 MACsec protection parameter configuration, 629
ARP attack protection scanning+fixed ARP MACsec protection parameter configuration (MKA
configuration, 583 policy), 630
ARP attack protection source MAC-based MFF enable, 605
attack detection, 569
MFF server IP address, 606
ARP attack protection unresolvable IP attack
NETCONF-over-SSH enable, 459
blackhole routing, 566
password control configuration, 308
ARP attack protection user validity check
configuration, 575 password control enable, 309
ARP sender IP address checking, 587 password control parameters (global), 310
attack D&P defense policy configuration (flood port security configuration, 276
attack), 532 port security enable, 277
attack D&P detection exemption port security escape critical VSI
configuration, 537 configuration, 287
attack D&P log non-aggregation enable, 538 port security intrusion protection
attack D&P TCP fragment attack prevention configuration, 282
configuration, 539 port security MAC address limit per port VLAN
FIPS configuration, 612 configuration, 285
IPsec policy configuration, 390 port security MAC move configuration, 283
IPsec policy configuration (IKE-based), 392 port security mode configuration, 277
IPSG configuration, 553 port security NAS-ID profile application, 286
IPv4SG interface enable, 554 port security NTK configuration, 281
IPv4SG static binding configuration, 555 port security open authentication mode
configuration, 285
IPv6 destination guard configuration, 598
port security user logging enable, 288
IPv6 ND attack defense device role, 593
public key ocal key pair creation, 326
IPv6 ND attack detection, 592
Secure Telnet client local key pair generation, 465
IPv6SG interface enable, 555
SSH client host public key configuration, 460
IPv6SG static binding configuration, 556
SSH local key pair configuration, 457
MAC authentication configuration, 156
SSH SCP client local key pair generation, 475
MAC authentication critical VLAN
configuration, 162 SSH SCP outgoing packet source IP address
restrictions, 475
MAC authentication critical VSI
configuration, 164 SSH SCP server connection establishment, 476
MAC authentication delay configuration, 168 SSH SCP server enable, 458
MAC authentication enable, 157 SSH Secure Telnet outgoing packet source IP
address, 465
MAC authentication guest VLAN
configuration, 161 SSH Secure Telnet server connection
establishment, 466
MAC authentication guest VSI
configuration, 163 SSH server port specification, 457
MAC authentication periodic SSH SFTP client local key pair generation, 469
reauthentication, 160 SSH SFTP outgoing packet source IP
address, 469
696
SSH SFTP server connection PKI certificate export, 350
establishment, 470 PKI OpenCA server certificate request, 359
SSH SFTP server enable, 458 PKI RSA Keon CA server certificate request, 353
SSH user configuration, 461 PKI Windows 2003 CA server certificate
uRPF configuration, 601 request, 356
uRPF enable (global), 601 PKI Windows 2003 CA server IKE
reverse route injection. Use RRI negotiation+RSA digital signature, 363
Revest-Shamir-Adleman Algorithm. Use RSA public key import from file, 332
RIPng public key management, 325, 330
IPsec RIPng configuration, 409 SSH client host public key configuration, 459
roaming SSH management parameters, 462
portal authentication roaming, 206 SSH Secure Telnet server configuration
role (publickey authentication), 483
IPv6 ND attack defense device role, 593 SSH SFTP client configuration (publickey
authentication), 501
MFF port roles, 603
SSH update interval for RSA server key pair, 462
root CA certificate
RST flood attack, 534
fingerprint, 335
rule
route
IPsec ACL rule keywords, 385
IPsec RRI, 383
portal authentication file name rules, 194
IPsec RRI configuration, 399
portal authentication filtering, 188
routing
portal authentication page file
802.1X authentication configuration, 131
compression+saving rules, 195
802.1X authentication guest
portal authentication page request rules, 195
VSI+authorization VSI configuration
(MAC-based), 138 portal authentication portal-free rule, 201
802.1X authentication+ACL assignment portal authentication post request rules, 195
configuration, 136 portal URL redirection match rules
802.1X authentication+EAD assistant configuration, 193
configuration (DHCP relay agent), 140 S
802.1X authentication+EAD assistant
S/MIME (PKI secure email), 337
configuration (DHCP server), 143
SA
802.1X basic configuration, 131
IPsec IKEv2 SA rekeying, 441
802.1X configuration, 108, 108
IPsec transform set configuration, 388
802.1X guest VLAN configuration, 133
security IKE SA max, 429
IPsec IPv6 routing protocol profile
(manual), 400 troubleshooting IPsec SA negotiation failure
(invalid identity info), 437
IPsec IPv6 routing protocols
configuration, 400 troubleshooting IPsec SA negotiation failure (no
transform set match), 437, 451
MFF configuration, 603, 604, 607
troubleshooting IPsec SA negotiation failure
MFF configuration (in ring network), 608
(tunnel failure), 452
MFF configuration (in tree network), 607
saving
MFF periodic gateway probe, 606
SFTP file download+local save, 473
SSH configuration, 453
scanning attack
SSH server configuration, 456
attack D&P defense policy, 531
RRI
attack D&P device-preventable attacks, 526
IPsec RRI configuration, 399, 413
scheme
RSA
AAA HWTACACS, 40
host public key display, 328
AAA HWTACACS scheme VPN instance, 43
host public key export, 327
AAA LDAP, 48
IPsec IKE signature authentication, 419
AAA LDAP scheme creation, 51
peer host public key entry, 330
AAA RADIUS configuration, 20
697
AAA RADIUS scheme VPN instance, 25 SSH application, 453
SCP SSH outgoing packet source IP address, 465
client device configuration, 474 SSH outgoing packet source IP address
client local key pair generation, 475 restrictions, 465
client local key pair generation security
restrictions, 475 802.1X access control method, 111
configuration, 508 802.1X authentication, 92
configuration (Suite B algorithm), 510 802.1X authentication configuration, 131
IPv4 server connection establishment, 476 802.1X authentication guest VSI+authorization
IPv6 server connection establishment, 477 VSI configuration (MAC-based), 138
outgoing packet source IP address, 475 802.1X authentication initiation, 94
outgoing packet source IP address 802.1X authentication request attempts max, 123
restrictions, 475 802.1X authentication server timeout timer, 112
password authentication, 508 802.1X authentication timeout timer
server connection establishment, 476 restrictions, 112
server connection establishment (Suite 802.1X authentication trigger, 122
B), 478 802.1X authentication trigger configuration
server connection establishment restrictions, 123
restrictions, 476 802.1X authentication+ACL assignment
server enable, 458 configuration, 136
server enable restrictions, 458 802.1X authentication+EAD assistant
server public key deletion, 477 configuration (DHCP relay agent), 140
SSH application, 453 802.1X authentication+EAD assistant
configuration (DHCP server), 143
secure association (SA)
802.1X Auth-Fail VLAN, 99, 116
MACsec, 622
802.1X Auth-Fail VLAN configuration
secure association key (SAK)
restrictions, 116
MACsec, 622
802.1X Auth-Fail VLAN/VSI user EAP-Success
secure shell. Use SSH packet, 121
Secure Sockets Layer. Use SSL 802.1X Auth-Fail VSI, 104, 119
Secure Telnet 802.1X Auth-Fail VSI configuration
client configuration (password restrictions, 119
authentication), 489 802.1X authorization VLAN, 95
client configuration (publickey 802.1X authorization VLAN configuration, 133
authentication), 492
802.1X authorization VSI, 103
client device configuration, 465
802.1X basic configuration, 131
client local key pair generation, 465
802.1X concurrent port users max, 123
client local key pair generation
802.1X configuration restrictions, 108
restrictions, 465
802.1X critical VLAN, 100, 117
configuration, 480
802.1X critical VLAN configuration
configuration (128-bit Suite B algorithm), 495
restrictions, 117
IPv4 server connection establishment, 466
802.1X critical VLAN/VSI user EAP-Success
IPv6 server connection establishment, 467 packet, 121
server configuration (password 802.1X critical voice VLAN, 102, 117
authentication), 481
802.1X critical voice VLAN enable
server configuration (publickey restrictions, 117
authentication), 483
802.1X critical VSI, 104, 119
server connection establishment, 466
802.1X critical VSI configuration restrictions, 119
server connection establishment (Suite
802.1X display, 130
B), 468
802.1X EAD assistant, 128
server connection establishment
restrictions, 466 802.1X EAD assistant configuration
restrictions, 128
server public key deletion, 468
698
802.1X EAP relay enable, 110 AAA HWTACACS implementation, 5
802.1X EAP relay enable restrictions, 110 AAA HWTACACS protocols and standards, 13
802.1X EAP termination enable, 110 AAA HWTACACS scheme, 41
802.1X EAP termination enable AAA HWTACACS server SSH user, 63
restrictions, 110 AAA ISP domain accounting method, 57
802.1X enable, 110 AAA ISP domain accounting method
802.1X enable restrictions, 110 configuration restrictions, 57
802.1X guest VLAN, 98, 114 AAA ISP domain attribute, 54
802.1X guest VLAN assignment delay, 115 AAA ISP domain authentication method, 55
802.1X guest VLAN configuration, 133 AAA ISP domain authentication method
802.1X guest VLAN configuration configuration restrictions, 55
restrictions, 114 AAA ISP domain authorization method, 56
802.1X guest VSI, 103, 118 AAA ISP domain authorization method
802.1X guest VSI assignment delay, 118 configuration restrictions, 56
802.1X guest VSI configuration AAA ISP domain configuration restrictions, 53
restrictions, 118 AAA ISP domain creation, 52
802.1X MAC address binding, 128 AAA ISP domain display, 59
802.1X MAC address binding configuration AAA ISP domain method, 55
restrictions, 128 AAA LDAP, 48
802.1X MAC user authentication attempts AAA LDAP implementation, 8
max, 127 AAA LDAP protocols and standards, 13
802.1X maintain, 130 AAA LDAP server SSH user authentication, 70
802.1X mandatory port authentication AAA local user, 14
domain, 111
AAA protocols and standards, 13
802.1X offline detection configuration, 125
AAA RADIUS attribute translation, 32
802.1X online user handshake, 124
AAA RADIUS configuration, 20
802.1X online user handshake configuration
AAA RADIUS DAE server (DAS), 37
restrictions, 124
AAA RADIUS implementation, 2
802.1X online user synchronization, 122
AAA RADIUS information exchange security
802.1X overview, 88
mechanism, 2
802.1X packet exchange method, 89
AAA RADIUS packet DSCP priority, 30
802.1X port authorization state, 111
AAA RADIUS protocols and standards, 13
802.1X protocol packet VLAN tag removal
AAA RADIUS server 802.1X user, 73
restrictions, 126
AAA RADIUS server SSH user
802.1X quiet timer restrictions, 114
authentication+authorization, 67
802.1X reauthentication, 113
AAA RADIUS server status detection test
802.1X reauthentication restrictions, 113 profile, 22
802.1X server-side EAP-TLS fragment AAA RADIUS session-control, 37
maximum size, 129
AAA RADIUS session-control configuration
802.1X supported domain name delimiter, 126 restrictions, 37
802.1X supported domain name delimiter AAA RADIUS timer configuration restrictions, 27
restrictions, 126
AAA SSH user local authentication+HWTACACS
802.1X unauthenticated user aging, 120 authorization+RADIUS accounting, 65
802.1X user IP freezing enable, 127 AAA VPN implementation, 13
802.1X user logging configuration allowing only DHCP users to pass portal
restrictions, 130 authorization, 205
AAA concurrent login user max, 59 ARP active acknowledgement, 571
AAA configuration, 1, 14, 63 ARP attack detection (source
AAA connection recording policy MAC-based), 569, 570
configuration, 60 ARP attack detection configuration, 574
AAA EAP profile, 21 ARP attack detection display, 578
AAA HWTACACS, 40 ARP attack detection logging enable, 578
699
ARP attack detection maintain, 578 attack D&P defense policy configuration
ARP attack detection packet validity restrictions (flood attack), 532
check, 576 attack D&P detection exemption, 536
ARP attack detection restricted attack D&P detection exemption configuration
forwarding, 577 restrictions, 537
ARP attack detection user validity check attack D&P device-preventable attacks, 525
configuration, 575 attack D&P display, 540
ARP attack detection user validity check attack D&P IP blacklist, 529
ingress port, 578 attack D&P IP blacklist configuration, 549
ARP attack protection (unresolvable IP attack D&P log non-aggregation, 538
attack), 565, 567
attack D&P log non-aggregation enable
ARP attack protection blackhole routing restrictions, 538
(unresolvable IP attack), 566
attack D&P maintain, 540
ARP attack protection configuration, 565
attack D&P policy application (device), 537
ARP attack protection configuration
attack D&P policy application (interface), 537
(user+packet validity check), 580
attack D&P TCP fragment attack prevention
ARP attack protection filtering configuration
configuration restrictions, 539
restrictions, 585
authorized ARP configuration, 572
ARP attack protection gateway protection
restrictions, 584 authorized ARP configuration (DHCP relay
agent), 573
ARP attack protection packet rate limit
configuration restrictions, 568 authorized ARP configuration (DHCP server), 572
ARP attack protection restricted forwarding captive-bypass feature enabling, 192
configuration, 581 cross-subnet portal authentication
ARP attack protection restricted forwarding configuration, 225
restrictions, 577 crypto engine configuration, 610
ARP attack protection scanning+fixed ARP crypto engine display, 610
configuration restrictions, 583 crypto engine maintain, 610
ARP attack protection source MAC-based DHCP relay agent-based dynamic IPv4SG
attack detection restrictions, 569 configuration, 559
ARP attack protection source suppression DHCP snooping-based dynamic IPv4SG
(unresolvable IP attack), 566 configuration, 558
ARP attack protection unresolvable IP attack DHCPv6 relay agent-based dynamic IPv6SG
blackhole routing restrictions, 566 configuration, 563
ARP attack protection user validity check, 579 DHCPv6 snooping-based dynamic IPv6SG
ARP attack protection user validity check address binding configuration, 561
configuration restrictions, 575 DHCPv6 snooping-based dynamic IPv6SG prefix
ARP filtering configuration, 585, 586 binding configuration, 562
ARP gateway protection, 584, 585 digital certificate retrieval, usage, and
ARP packet rate limit, 568 maintenance, 337
ARP packet source MAC consistency direct portal authentication configuration, 215
check, 571 direct portal authentication configuration (local
ARP scanning+fixed ARP configuration, 583 portal Web service), 253
ARP sender IP address checking, 587, 587 direct portal authentication+preauthentication
domain configuration, 248
ARP sender IP address checking
restrictions, 587 disabling IPv6 destination guard (globally), 598
association. See SA disabling IPv6 destination guard (on an
interface), 598
attack D&P blacklist, 529
disabling SSL protocol version, 523
attack D&P configuration, 525, 529, 546
enabling IPv6 destination guard (globally), 598
attack D&P configuration (device
application), 546 enabling IPv6 destination guard (on an
interface), 598
attack D&P defense policy, 529
enabling logging for portal user login/logout, 213
expired password login, 307
700
extended cross-subnet portal authentication IPSG configuration restrictions, 553
configuration, 237 IPSG dynamic binding, 553
extended direct portal authentication IPSG static binding, 552
configuration, 229 IPv4SG configuration, 554
extended re-DHCP portal authentication IPv4SG interface enable, 554
configuration, 232
IPv4SG interface enable restrictions, 554
FIPS, 611
IPv4SG static binding configuration, 554
FIPS configuration, 611, 617
IPv4SG static binding configuration
FIPS configuration restrictions, 612 restrictions, 555
FIPS display, 617 IPv6 destination guard configuration, 597, 598
FIPS mode entry, 613 IPv6 destination guard maintain, 598
FIPS mode entry (automatic reboot), 617 IPv6 destination guard verify, 598
FIPS mode entry (manual reboot), 618 IPv6 ND attack defense configuration, 590
FIPS mode exit, 616 IPv6 ND attack defense device role, 593
FIPS mode exit (automatic reboot), 620 IPv6 ND attack defense device role
FIPS mode exit (manual reboot), 620 restrictions, 593
FIPS mode system changes, 613 IPv6 ND attack defense RA guard
global IPsec IKE DPD, 428 configuration, 593, 595
host public key export, 327 IPv6 ND attack defense RA guard display, 595
IP, 378, See also IPsec IPv6 ND attack defense RA guard logging
IPsec anti-replay configuration, 395 enable, 595
IPsec configuration, 378, 404 IPv6 ND attack defense RA guard maintain, 595
IPsec display, 403 IPv6 ND attack defense RA guard policy, 594
IPsec fragmentation, 402 IPv6 ND attack detection configuration
IPsec IKE configuration, 417, 430 restrictions, 592
IPsec IKE display, 430 IPv6SG configuration, 555
IPsec IKE keepalive, 427 IPv6SG interface enable, 555
IPsec IKE maintain, 430 IPv6SG interface enable restrictions, 555
IPsec IKE mechanism, 419 IPv6SG static binding configuration, 556
IPsec IKE profile configuration, 421 IPv6SG static binding configuration
restrictions, 556
IPsec IKE protocols and standards, 419
keychain configuration, 318, 318, 319, 319
IPsec IKEv2 configuration, 440
keychain display, 319
IPsec IKEv2 display, 450
local host public key distribution, 327
IPsec IKEv2 maintain, 450
local key pair creation, 326
IPsec IKEv2 policy configuration, 446
local key pair destruction, 330
IPsec IKEv2 profile configuration, 442
local portal Web service, 185
IPsec IKEv2 protocols and standards, 441
logging off 802.1X user, 130
IPsec implementation (ACL-based), 384
logging off MAC authentication user, 171
IPsec IPv6 routing protocols, 400
MAC authentication, 156, 172
IPsec maintain, 403
MAC authentication (local), 172
IPsec packet DF bit, 398
MAC authentication (RADIUS-based), 175
IPsec packet logging enable, 402
MAC authentication ACL assignment, 154, 177
IPsec policy configuration restrictions, 390
MAC authentication authorization VSI
IPsec policy configuration restrictions
assignment, 180
(IKE-based), 392
MAC authentication blackhole attribute
IPsec protocols and standards, 384
assignment, 155
IPsec QoS pre-classify enable, 397
MAC authentication concurrent port users
IPsec RRI, 383 max, 167
IPsec RRI configuration, 399 MAC authentication configuration, 146
IPsec SNMP notification, 403 MAC authentication configuration
IPSG configuration, 552, 553, 557 restrictions, 156
701
MAC authentication critical VLAN, 162 MACsec desire enable, 627
MAC authentication critical VLAN MACsec display, 632
configuration restrictions, 162 MACsec encryption cipher suite, 627
MAC authentication critical voice VLAN, 163 MACsec hardware compatibility restrictions, 625
MAC authentication critical VSI, 164 MACsec maintain, 632
MAC authentication critical VSI configuration MACsec MKA enable, 626
restrictions, 164 MACsec MKA key server priority, 628
MAC authentication delay, 168, 168 MACsec MKA key server priority configuration
MAC authentication delay configuration restrictions, 628
restrictions, 168 MACsec MKA life time, 629
MAC authentication display, 171 MACsec MKA session logging enable
MAC authentication domain, 158 restrictions, 631
MAC authentication enable, 157 MACsec preshared key, 627
MAC authentication enable restrictions, 157 MACsec preshared key configuration
MAC authentication guest VLAN, 161 restrictions, 627
MAC authentication guest VLAN configuration MACsec protection parameter configuration
restrictions, 161 restrictions, 629
MAC authentication guest VSI, 163 MACsec protection parameter configuration
MAC authentication guest VSI configuration restrictions (MKA policy), 630
restrictions, 163 MACsec protection parameters, 629
MAC authentication maintain, 171 MACsec protocols and standards, 625
MAC authentication method, 158 MACsec secure association (SA), 622
MAC authentication multi-VLAN mode, 167 MACsec secure association key (SAK), 622
MAC authentication multi-VLAN mode MACsec services, 622
configuration, 167 MFF configuration, 603, 604, 607
MAC authentication offline detection MFF configuration (in ring network), 608
configuration, 165 MFF configuration (in tree network), 607
MAC authentication online user MFF default gateway, 604
synchronization, 166
MFF display, 606
MAC authentication redirect URL
MFF enable, 605
assignment, 154
MFF enable restrictions, 605
MAC authentication request user IP
address, 169 MFF network port, 604, 605
MAC authentication request user IP address MFF periodic gateway probe, 606
inclusion restrictions, 169 MFF port roles, 603
MAC authentication timer, 159 MFF protocols and standards, 604
MAC authentication unauthenticated user MFF server IP address, 606
aging, 164 MFF server IP address restrictions, 606
MAC authentication user account format, 159 MFF user port, 603
MAC authentication user account NETCONF-over-SSH client user line, 459
policies, 146 NETCONF-over-SSH configuration, 517
MAC authentication user logging configuration NETCONF-over-SSH enable, 459
restrictions, 171 NETCONF-over-SSH enable restrictions, 459
MAC authentication user profile NETCONF-over-SSH+password authentication
assignment, 154 configuration, 517
MAC authentication VLAN assignment, 147 password control configuration, 305, 309, 314
MAC authentication+802.1X authentication password control configuration restrictions, 308
parallel processing, 170
password control display, 314
MAC security. Use MACsec
password control enable, 309
MACsec application mode, 623
password control enable restrictions, 309
MACsec configuration, 622, 626, 632
password control maintain, 314
MACsec configuration (client-oriented), 632
MACsec configuration (device-oriented), 635
702
password control parameter restrictions PKI RSA Keon CA server certificate request, 353
(global), 310 PKI storage path, 344
password control parameters (global), 310 PKI terminology, 335
password control parameters (local user), 312 PKI Windows 2003 CA server certificate
password control parameters (super), 313 request, 356
password control parameters (user PKI Windows 2003 CA server IKE
group), 312 negotiation+RSA digital signature, 363
password event logging, 308 port. See port security
password expiration, 306, 306 port security display, 289
password expiration early notification, 307 portal authentication access device ID, 211
password history, 307 portal authentication advantages, 183
password not displayed, 308 portal authentication BAS-IP, 210
password setting, 305 portal authentication check category-2 portal
password updating, 306, 306 filtering rule issuing, 204
password user first login, 307 portal authentication client Rule ARP entry
password user login control, 307 feature, 214
peer host public key configuration, 328 portal authentication client Rule ND entry
feature, 214
peer host public key entry, 329, 330
portal authentication configuration, 183, 189, 215
peer host public key import from file, 329
portal authentication destination subnet, 202
periodic 802.1X reauthentication, 106
portal authentication detection, 207
periodic MAC reauthentication, 155, 160
portal authentication display, 214
PKI applications, 337
portal authentication domain, 200
PKI architecture, 336
portal authentication EAP support, 188
PKI CA policy, 336
portal authentication enable (interface), 197
PKI certificate export, 350
portal authentication fail-permit, 206
PKI certificate import/export
configuration, 367 portal authentication filtering rules, 188
PKI certificate obtain, 347 portal authentication local portal Web service
parameter configuration, 196
PKI certificate removal, 351
portal authentication maintain, 214
PKI certificate request, 344, 344
portal authentication online user logout, 213
PKI certificate request abort, 347
portal authentication page customization, 194
PKI certificate request submission in offline
mode, 346 portal authentication policy server, 184
PKI certificate verification, 348 portal authentication process, 186
PKI certificate verification (CRL portal authentication roaming, 206
checking), 349 portal authentication security check function, 183
PKI certificate verification (w/o CRL portal authentication server detection, 208
checking), 350 portal authentication server detection+user
PKI certificate-based access control synchronization configuration, 240
policy, 352, 365 portal authentication source subnet, 202
PKI configuration, 335, 338, 353 portal authentication system component
PKI CRL, 335 interaction, 184
PKI digital certificate, 335 portal authentication troubleshooting, 256
PKI display, 353 portal authentication user access control, 201
PKI domain configuration, 340, 340 portal authentication user online detection, 207
PKI entity configuration, 339, 339 portal authentication user setting max, 204
PKI MPLS L3VPN support, 337 portal authentication user synchronization, 209
PKI online certificate request (manual), 346 portal authentication Web proxy support, 203
PKI online certificate request mode portal authentication Web redirect, 214
(automatic), 345, 345 portal authentication Web server detection, 208
PKI OpenCA server certificate request, 359 portal authorization strict-checking mode, 205
703
portal packet attributes configuration, 210 SSH Secure Telnet outgoing packet source IP
portal preauthentication domain, 198 address, 465
portal URL redirection match rules SSH Secure Telnet outgoing packet source IP
configuration, 193 address restrictions, 465
portal user preauthentication IP address SSH Secure Telnet server configuration
pool, 199 (password authentication), 481
public key display, 330 SSH Secure Telnet server configuration
public key import from file, 332 (publickey authentication), 483
public key local key pair creation SSH Secure Telnet server connection
restrictions, 326 establishment, 466
public key management, 325, 330 SSH Secure Telnet server connection
establishment (Suite B), 468
RADIUS packet attributes configuration, 211
SSH Secure Telnet server connection
re-DHCP portal authentication
establishment restrictions, 466
configuration, 221
SSH Secure Telnet server enable, 458
re-DHCP portal
authentication+preauthentication domain SSH Secure Telnet server public key
configuration, 250 deletion, 468
remote portal authentication server, 191 SSH server configuration, 456
Secure Telnet client local key pair SSH server local key pair generation, 457
generation, 465 SSH server PKI domain, 464
Secure Telnet client user line, 459 SSH server port, 457
SSH authentication methods, 454 SSH server port specification restrictions, 457
SSH client host public key configuration, 459 SSH session disconnect, 464
SSH client host public key configuration SSH SFTP client configuration (publickey
restrictions, 460 authentication), 501
SSH configuration, 453 SSH SFTP client device, 468
SSH display, 480 SSH SFTP client local key pair generation, 469
SSH local key pair configuration SSH SFTP configuration, 499
restrictions, 457 SSH SFTP configuration (192-bit Suite B
SSH management parameters, 462 algorithm), 504
SSH SCP client device, 474 SSH SFTP directories, 472
SSH SCP client local key pair generation, 475 SSH SFTP files, 473
SSH SCP configuration, 508 SSH SFTP help information display, 474
SSH SCP configuration (Suite B SSH SFTP outgoing packet source IP
algorithm), 510 address, 469
SSH SCP outgoing packet source IP SSH SFTP outgoing packet source IP address
address, 475 restrictions, 469
SSH SCP server connection SSH SFTP server configuration (password
establishment, 476 authentication), 499
SSH SCP server connection establishment SSH SFTP server connection establishment, 470
(Suite B), 478 SSH SFTP server connection establishment
SSH SCP server enable, 458 (Suite B), 472
SSH SCP server enable restrictions, 458 SSH SFTP server connection establishment
SSH SCP server public key deletion, 477 restrictions, 470
SSH SCP+password authentication, 508 SSH SFTP server connection termination, 474
SSH Secure Telnet client configuration SSH SFTP server enable, 458
(password authentication), 489 SSH SFTP server enable restrictions, 458
SSH Secure Telnet client configuration SSH SFTP server public key deletion, 471
(publickey authentication), 492 SSH Suite B support, 455
SSH Secure Telnet client device, 465 SSH user configuration, 461
SSH Secure Telnet configuration, 480 SSH user configuration restrictions, 461
SSH Secure Telnet configuration based on SSH X.509v3 certificate, 455
(128-bit Suite B algorithm), 495
704
SSH2 algorithms, 478 uRPF configuration restrictions, 601
SSH2 algorithms (encryption), 479 uRPF display, 602
SSH2 algorithms (key exchange), 478 uRPF enable (global), 601
SSH2 algorithms (MAC), 479 uRPF enable (interface), 601
SSH2 algorithms (public key), 479 uRPF enable restrictions (global), 601
SSL client configuration, 521 user profile configuration, 300, 301
SSL client policy configuration, 522 user profile display, 300
SSL configuration, 519, 520 user profile single user configuration, 300
SSL display, 524 user profile+QoS policy configuration, 301
SSL security services, 519 Web authentication Auth-Fail VLAN, 266
SSL server configuration, 520 Web authentication configuration, 259, 262, 268
SSL server policy configuration, 521 Web authentication configuration (local
SSL session renegotiation disable, 523 authentication server), 268
static IPv4SG configuration, 557 Web authentication configuration (RADIUS
static IPv6SG configuration, 560 authentication server), 270
TCP attack prevention (Naptha attack), 551 Web authentication display, 268
TCP attack prevention configuration, 551 Web authentication domain, 264
troubleshooting 802.1X EAD assistant URL Web authentication enable, 264
redirection failure, 145 Web authentication process, 260
troubleshooting AAA, 78 Web authentication proxy support, 267
troubleshooting AAA HWTACACS, 80 Web authentication server, 263
troubleshooting AAA LDAP authentication Web authentication troubleshooting, 272
failure, 80 Web authentication user online detection, 266
troubleshooting AAA RADIUS accounting Web authentication user setting max, 266
error, 79 security services
troubleshooting AAA RADIUS authentication IPsec, 378
failure, 78 sending
troubleshooting AAA RADIUS packet delivery 802.1X Auth-Fail VLAN/VSI user EAP-Success
failure, 79 packet, 121
troubleshooting IPsec IKE, 435 802.1X critical VLAN/VSI user EAP-Success
troubleshooting IPsec IKEv2, 451 packet, 121
troubleshooting MACsec, 638 server
troubleshooting MACsec device cannot 802.1X authentication configuration, 131
establish MKA session, 638 802.1X authentication server timeout timer, 112
troubleshooting PKI CA certificate failure, 372 802.1X authentication+ACL assignment
troubleshooting PKI CA certificate import configuration, 136
failure, 375 802.1X authentication+EAD assistant
troubleshooting PKI certificate export configuration (DHCP relay agent), 140
failure, 376 802.1X authentication+EAD assistant
troubleshooting PKI configuration, 372 configuration (DHCP server), 143
troubleshooting PKI CRL obtain failure, 374 802.1X authorization VLAN configuration, 133
troubleshooting PKI local certificate 802.1X basic configuration, 131
failure, 373 802.1X configuration, 108, 108
troubleshooting PKI local certificate import 802.1X guest VLAN configuration, 133
failure, 375
AAA HWTACACS quiet timer, 44
troubleshooting PKI local certificate request
AAA HWTACACS response timeout timer, 44
failure, 373
AAA LDAP timeout period, 49
troubleshooting PKI storage path set
failure, 376 AAA RADIUS quiet timer, 27
troubleshooting Web authentication failure to AAA RADIUS response timeout timer, 27
come online, 272 AAA RADIUS server load sharing, 35
uRPF configuration, 600 local portal authentication service, 194
705
MAC authentication server timeout timer, 159 AAA RADIUS Remanent_Volume attribute data
MACsec MKA key server priority, 628 measurement unit, 32
MFF server IP address, 606 AAA RADIUS request transmission attempts
PKI OpenCA server certificate request, 359 max, 30
PKI Windows 2003 CA server certificate AAA RADIUS server status, 25
request, 356 AAA RADIUS timer, 27
port security authorization information AAA RADIUS traffic statistics unit, 29
ignore, 282 AAA RADIUS username format, 29
portal authentication AAA server, 184 IPsec IKE SA max, 429
portal authentication fail-permit, 206 IPsec packet DF bit set, 398
portal authentication local portal Web service IPsec tunnel max, 402
parameter, 196 MAC authentication concurrent port users
portal authentication policy server, 184 max, 167
portal authentication server detection, 208 MACsec MKA life time, 629
portal authentication system, 183 password, 305
portal authentication Web server password control parameters (global), 310
(interface), 198 password control parameters (local user), 312
portal authentication Web server password control parameters (super), 313
detection, 208 password control parameters (user group), 312
portal server, 184 port security MAC address limit per port
remote portal authentication Web server, 192 VLAN, 284
SSL server policy configuration, 521 port security mode, 277
Web authentication server configuration, 263 portal authentication users max, 204
Web authentication system components, 259 portal authentication users max (global), 204
service portal authentication users max (interface), 204
MACsec data encryption, 622 SSH authentication attempt max number, 463
MACsec integrity check, 622 SSH online user max number, 464
MACsec replay protection, 622 SSH server packet DSCP value, 463
session SSH SFTP connection idle timeout timer, 464
AAA RADIUS session-control, 37 SSH update interval for RSA server key pair, 462
SSH SCP client key pair, 475 SSH user authentication timeout timer, 463
SSH SFTP client key pair, 469 Web authentication redirection wait time, 265
setting Web authentication users max, 266
802.1X authentication request attempts SFTP
max, 123 client configuration (publickey
802.1X authentication timeout timer, 112 authentication), 501
802.1X concurrent port users max, 123 client device configuration, 468
802.1X MAC user authentication attempts client local key pair generation, 469
max, 127 client local key pair generation restrictions, 469
802.1X port authorization state, 111 configuration, 499
802.1X quiet timer, 114 configuration (192-bit Suite B algorithm), 504
802.1X server-side EAP-TLS fragment connection idle timeout timer, 464
maximum size, 129
directories, 472
AAA concurrent login user max, 59
directory deletion, 473
AAA HWTACACS timer, 44
directory file display, 472, 473
AAA HWTACACS traffic statistics unit, 46
directory name change, 472
AAA HWTACACS username format, 46
file deletion, 473
AAA ISP domain status, 54
file download+local save, 473
AAA LDAP server timeout period, 49
file name change, 473
AAA RADIUS packet DSCP priority, 30
files, 473
AAA RADIUS real-time accounting attempts
help information display, 474
max, 30
706
IPv4 server connection establishment, 470 802.1X mandatory port authentication
IPv6 server connection establishment, 471 domain, 111
local file upload, 473 802.1X supported domain name delimiter, 126
new directory creation, 473 AAA HWTACACS accounting server, 42
outgoing packet source IP address, 469 AAA HWTACACS authentication server, 41
outgoing packet source IP address AAA HWTACACS authorization server, 41
restrictions, 469 AAA HWTACACS outgoing packet source
server configuration (password interface (all schemes), 45
authentication), 499 AAA HWTACACS outgoing packet source
server connection establishment, 470 interface (single scheme), 46
server connection establishment (Suite AAA HWTACACS outgoing packet source IP
B), 472 address, 45
server connection establishment AAA HWTACACS outgoing packet source IP
restrictions, 470 address (all schemes), 45
server connection termination, 474 AAA HWTACACS outgoing packet source IP
server enable, 458 address (single scheme), 46
server enable restrictions, 458 AAA HWTACACS scheme VPN instance, 43
server public key deletion, 471 AAA HWTACACS shared keys, 43
SSH application, 453 AAA ISP domain, 53
SSH management parameters, 462 AAA ISP domain for users that are assigned to
nonexistent domains, 53
working directory change, 472
AAA LDAP attribute map for authorization, 52
working directory display, 472
AAA LDAP authentication server, 51
shared key
AAA LDAP authorization server, 51
AAA HWTACACS, 43
AAA LDAP version, 48
AAA RADIUS, 25
AAA RADIUS accounting server, 24
signature authentication (IKE), 419
AAA RADIUS authentication server, 23
single-packet attack
AAA RADIUS outgoing packet source interface
attack D&P defense policy, 530
(all schemes), 28
attack D&P device-preventable attacks, 525
AAA RADIUS outgoing packet source interface
attack D&P log non-aggregation enable, 538 (single scheme), 29
SNMP AAA RADIUS outgoing packet source IP
AAA RADIUS notifications, 38 address, 28
IPsec IKE SNMP notification, 429 AAA RADIUS outgoing packet source IP address
IPsec SNMP notification, 403 (all schemes), 28
port security enable, 288 AAA RADIUS outgoing packet source IP address
software (single scheme), 29
crypto engine configuration, 610 AAA RADIUS scheme VPN instance, 25
source AAA RADIUS server selection mode for
ARP attack detection (source reauthentication, 36
MAC-based), 569, 570 AAA RADIUS shared keys, 25
ARP attack detection src-mac validity certificate intended purpuse, 343
check, 576 certificate request key pair, 342
IPsec source interface policy bind, 397 certificate request reception authority, 341
portal authentication portal-free rule, 201 certificate request URL, 341
portal authentication subnet, 202 HTTPS redirect listening port number, 193, 263
source MAC IKE IKE proposals for IKE profile, 422
IPv6 ND attack defense source consistency inside VPN instance for IKE profile, 423
check configuration, 591 inside VPN instance for IKEv2 profile, 445
specifying IPv6 ND attack defense device role, 593
802.1X access control method, 111 LDAP server, 342
MAC authentication domain, 158
707
MAC authentication method, 158 how it works, 453
MACsec encryption cipher suite, 627 IPv4 SCP server connection establishment, 476
MFF server IP address, 606 IPv4 Secure Telnet server connection
PKI entity name, 341 establishment, 466
PKI protocol packets source IP address, 343 IPv4 SFTP server connection establishment, 470
PKI storage path, 344 IPv6 SCP server connection establishment, 477
portal authentication access device ID, 211 IPv6 Secure Telnet server connection
portal authentication domain, 200 establishment, 467
portal authentication domain (interface), 200 IPv6 SFTP server connection establishment, 471
portal authentication NAS-Port-Id attribute local key pair configuration restrictions, 457
format, 211 login control ACL attempts denied logging, 463
portal authentication Web server management parameter configuration, 462
(interface), 198 NETCONF, 453
portal user preauthentication IP address NETCONF-over-SSH client user line, 459
pool, 199 NETCONF-over-SSH configuration, 517
root CA certificate verification fingerprint, 342 NETCONF-over-SSH enable, 459
SCEP polling interval and maximum polling NETCONF-over-SSH enable restrictions, 459
attempts, 342 NETCONF-over-SSH+password authentication
SSH SCP outgoing packet source IP configuration, 517
address, 475 public key management, 325
SSH Secure Telnet outgoing packet source IP SCP, 453
address, 465
SCP client device, 474
SSH server PKI domain, 464
SCP client local key pair generation, 475
SSH server port, 457
SCP client local key pair generation
SSH SFTP outgoing packet source IP restrictions, 475
address, 469
SCP configuration, 508
SSH user connection control ACL, 463
SCP configuration (Suite B algorithm), 510
SSH2 algorithms, 478
SCP outgoing packet source IP address, 475
trusted CA, 341
SCP outgoing packet source IP address
Web authentication domain, 264 restrictions restrictions, 475
SPI SCP server connection establishment, 476
IPsec IKE invalid SPI recovery, 428 SCP server connection establishment (Suite
spoofing B), 478
uRPF configuration, 600 SCP server connection establishment
SSH restrictions, 476
AAA HWTACACS server SSH user, 63 SCP server enable, 458
AAA LDAP server SSH user SCP server enable restrictions, 458
authentication, 70 SCP server public key deletion, 477
AAA RADIUS Login-Service attribute check SCP+password authentication, 508
method, 31 Secure Copy. Use SCP
AAA RADIUS server SSH user Secure FTP. Use SFTP
authentication+authorization, 67
Secure Telnet, 453
AAA SSH user local
Secure Telnet client configuration (password
authentication+HWTACACS
authentication), 489
authorization+RADIUS accounting, 65
Secure Telnet client configuration (publickey
authentication methods, 454
authentication), 492
client host public key configuration, 459
Secure Telnet client device, 465
client host public key configuration
Secure Telnet client local key pair generation
restrictions, 460
restrictions, 465
configuration, 453
Secure Telnet client user line, 459
display, 480
Secure Telnet configuration, 480
FIPS compliance, 456
708
Secure Telnet configuration (128-bit Suite B SSH2 algorithms (public key), 479
algorithm), 495 Suite B support, 455
Secure Telnet outgoing packet source IP user configuration, 461
address, 465 user configuration restrictions, 461
Secure Telnet outgoing packet source IP versions, 453
address restrictions, 465
X.509v3 certificate, 455
Secure Telnet server configuration (password
SSH2
authentication), 481
algorithms, 478
Secure Telnet server configuration (publickey
authentication), 483 algorithms (encryption), 479
Secure Telnet server connection algorithms (key exchange), 478
establishment, 466 algorithms (MAC), 479
Secure Telnet server connection algorithms (public key), 479
establishment (Suite B), 468 SSL
Secure Telnet server connection client configuration, 521
establishment restrictions, 466 client policy configuration, 522
Secure Telnet server enable, 458 configuration, 519, 520
Secure Telnet server public key deletion, 468 disabling session renegotiation, 523
server configuration, 456 display, 524
server PKI domain, 464 FIPS compliance, 520
server port specification, 457 PKI configuration, 335, 338, 353
server port specification restrictions, 457 PKI Web application, 337
session disconnect, 464 protocol stack, 519
SFTP, 453 public key management, 325
SFTP client configuration (publickey security services, 519
authentication), 501 server configuration, 520
SFTP client device, 468 server policy configuration, 521
SFTP client local key pair, 469 SSL protocol version
SFTP configuration, 499 disabling, 523
SFTP configuration (192-bit Suite B static
algorithm), 504
IPSG static binding, 552
SFTP directories, 472
IPv4SG configuration, 557
SFTP files, 473
IPv4SG static binding configuration, 554
SFTP help information display, 474
IPv6SG configuration, 560
SFTP outgoing packet source IP address, 469
IPv6SG static binding configuration, 556
SFTP outgoing packet source IP address
restrictions, 469 port security static secure MAC address, 279
SFTP server configuration (password statistics
authentication), 499 AAA HWTACACS traffic statistics units, 46
SFTP server connection establishment, 470 AAA RADIUS traffic statistics units, 29
SFTP server connection establishment (Suite sticky
B), 472 port security secure MAC address, 279
SFTP server connection establishment port security secure MAC address add, 280
restrictions, 470 storage
SFTP server connection termination, 474 PKI storage path, 344
SFTP server enable, 458 troubleshooting PKI storage path set failure, 376
SFTP server enable restrictions, 458 strict-checking mode (portal authentication), 205
SFTP server public key deletion, 471 submitting
SSH2 algorithms, 478 PKI certificate request in offline mode, 346
SSH2 algorithms (encryption), 479 subnetting
SSH2 algorithms (key exchange), 478 cross-subnet portal authentication
SSH2 algorithms (MAC), 479 configuration, 225
709
cross-subnet portal authentication IPsec IKE invalid SPI recovery, 428
configuration for MPLS L3VPN, 246 IPsec IKE keychain, 425
extended cross-subnet portal authentication IPsec IKE proposal, 424
configuration, 237 IPsec IKE SA max, 429
portal authentication cross-subnet mode, 186 IPsec IKE SNMP notification, 429
portal authentication destination subnet, 202 IPsec IKEv2 configuration, 440
portal authentication direct/cross-subnet IPsec IKEv2 cookie challenge, 449
authentication process (CHAP/PAP
IPsec IKEv2 global parameters, 449
authentication), 186
IPsec IKEv2 keychain, 448
portal authentication source subnet, 202
IPsec IKEv2 proposal, 447
Web authentication-free subnet, 265
IPsec tunnel max, 402
super password control parameters, 313
password control configuration, 305, 309, 314
suppressing
portal authentication configuration, 183
ARP attack protection source suppression
(unresolvable IP attack), 566 Secure Telnet client local key pair generation, 465
SYN flood attack, 532 SSH authentication methods, 454
SYN-ACK flood attack, 533 SSH configuration, 453
synchronizing SSH SCP client local key pair generation, 475
802.1X online user synchronization SSH server local key pair generation, 457
enable, 122 SSH SFTP client local key pair generation, 469
MAC authentication online user Web authentication configuration, 259, 262
synchronization enable, 166 Web authentication configuration (local
portal authentication server detection+user authentication server), 268
synchronization configuration, 240 Web authentication configuration (RADIUS
portal authentication user authentication server), 270
synchronization, 209 T
system administration
TCP
attack D&P configuration, 525, 529, 546
AAA HWTACACS implementation, 5
attack D&P configuration (device
application), 546 attack D&P TCP fragment attack, 528
attack D&P defense policy, 529 attack D&P TCP fragment attack prevention
attack D&P detection exemption, 536 configuration, 538
attack D&P IP blacklist, 539 attack prevention configuration, 551
attack D&P IP blacklist configuration, 549 SSL configuration, 519, 520
attack D&P log non-aggregation, 538 TCP attack prevention
attack D&P login attack prevention, 540 configuration, 551
attack D&P login delay, 540 Telnet
attack D&P policy application (device), 537 Secure Telnet server public key deletion, 468
attack D&P policy application (interface), 537 SSH SCP server connection establishment (Suite
B), 478
attack D&P TCP fragment attack
prevention, 538 SSH Secure Telnet client configuration (password
authentication), 489
FIPS configuration, 611, 617
SSH Secure Telnet client configuration (publickey
FIPS mode entry (automatic reboot), 617 authentication), 492
FIPS mode entry (manual reboot), 618 SSH Secure Telnet client device, 465
FIPS mode exit (automatic reboot), 620 SSH Secure Telnet configuration, 480
FIPS mode exit (manual reboot), 620 SSH Secure Telnet configuration (128-bit Suite B
FIPS mode system changes, 613 algorithm), 495
IPsec authentication, 380 SSH Secure Telnet outgoing packet source IP
IPsec configuration, 378 address, 465
IPsec encryption, 380 SSH Secure Telnet server configuration
IPsec IKE configuration, 417, 430 (password authentication), 481
IPsec IKE global identity information, 426
710
SSH Secure Telnet server configuration IPsec configuration, 378, 404
(publickey authentication), 483 IPsec IKE negotiation (traffic-based lifetime), 380
SSH Secure Telnet server connection IPsec RIPng configuration, 409
establishment, 466 IPsec RRI configuration, 399, 413
SSH Secure Telnet server connection IPsec tunnel configuration for IPv4 packets
establishment (Suite B), 468 (IKE-based), 433
SSH SFTP server connection establishment IPsec tunnel for IPv4 packets (manual), 404
(Suite B), 472
traffic monitoring
terminal
MFF configuration, 603, 604, 607
AAA RADIUS Login-Service attribute check
MFF configuration (in ring network), 608
method, 31
MFF configuration (in tree network), 607
terminating
transform set (IPsec), 388
SSH SFTP server connection, 474
Transmission Control Protocol. Use TCP
test profile
transporting
AAA EAP profile, 21
IPsec encapsulation transport mode, 379
testing
trapping
AAA RADIUS server status detection test
profile, 22 AAA RADIUS SNMP notification, 38
FIPS conditional self-test, 611 IPsec IKE SNMP notification, 429
FIPS power-up self-test, 611 IPsec SNMP notification, 403
TFTP port security SNMP notification, 288
local host public key distribution, 327 triggering
time 802.1X authentication trigger, 122
IPsec IKE negotiation (time-based FIPS self-test, 615
lifetime), 380 troubleshooting
Web authentication redirection wait time, 265 802.1X, 145
timeout AAA AAA, 78
802.1X authentication timeout, 112 AAA HWTACACS, 80
MAC authentication server timeout, 159 AAA LDAP authentication failure, 80
SSH server packet DSCP value, 464 AAA RADIUS accounting error, 79
SSH user authentication timeout timer, 463 AAA RADIUS authentication failure, 78
timer AAA RADIUS packet delivery failure, 79
802.1X authentication timeout, 112 IPsec IKE, 435
802.1X quiet, 114 IPsec IKE negotiation failure (no proposal
AAA HWTACACS real-time accounting, 44 match), 435
AAA HWTACACS server quiet, 44 IPsec IKE negotiation failure (no proposal or
keychain specified correctly), 436
AAA HWTACACS server response
timeout, 44 IPsec IKEv2, 451
AAA RADIUS real-time accounting, 27 IPsec IKEv2 negotiation failure (no proposal
match), 451
AAA RADIUS server quiet, 27
IPsec SA negotiation failure (invalid identity
AAA RADIUS server response timeout, 27
info), 437
MAC authentication offline detect, 159
IPsec SA negotiation failure (no transform set
MAC authentication quiet, 159 match), 437, 451
MAC authentication server timeout, 159 IPsec SA negotiation failure (tunnel failure), 452
topology MACsec, 638
MFF configuration (in ring network), 608 MACsec device cannot establish MKA
MFF configuration (in tree network), 607 session, 638
traffic PKI CA certificate import failure, 375
AAA HWTACACS traffic statistics units, 46 PKI CA certificate obtain failure, 372
AAA RADIUS traffic statistics units, 29 PKI certificate export failure, 376
IKE-based IPsec tunnel for IPv4 packets, 407 PKI configuration, 372
711
PKI CRL obtain failure, 374 updating
PKI local certificate import failure, 375 passwords, 306, 306
PKI local certificate obtain failure, 373 uploading
PKI local certificate request failure, 373 SFTP local file, 473
PKI storage path set failure, 376 URL
port security, 298 802.1X authentication+redirect URL
port security mode cannot be set, 298 assignment, 106
port security secure MAC addresses, 299 MAC authentication redirect URL
portal authentication, 256 assignment, 154
portal authentication cannot log out users uRPF
(access device), 256 application scenario, 600
portal authentication cannot log out users check modes, 600
(RADIUS server), 257 configuration, 600
portal authentication no page pushed for configuration restrictions, 601
users, 256 display, 602
portal authentication users cannot log in enable (global), 601
(re-DHCP), 258 enable (interface), 601
portal authentication users logged out still enable restrictions (global), 601
exist on server, 257
network application, 600
Web authentication, 272
user
Web authentication failure to come online, 272
802.1X concurrent port users max, 123
tunnel
802.1X online user synchronization enable, 122
IPsec tunnel max, 402
802.1X reauthentication, 113
tunneling
802.1X user logging enable, 130
IKE-based IPsec tunnel for IPv4 packets, 407
AAA concurrent login user max, 59
IPsec configuration, 378, 404
AAA local user, 14
IPsec encapsulation tunnel mode, 379
AAA management by ISP domains, 11
IPsec RIPng configuration, 409
AAA management by user access types, 11
IPsec RRI, 383
AAA user role authentication, 11
IPsec RRI configuration, 399, 413
allowing only DHCP users to pass portal
IPsec tunnel configuration for IPv4 packets authorization, 205
(IKE-based), 433
ARP attack detection user validity check, 575
IPsec tunnel for IPv4 packets (manual), 404
ARP attack protection configuration (user+packet
troubleshooting IPsec SA negotiation failure validity check), 580
(tunnel failure), 452
ARP attack protection user validity check, 579
U direct portal authentication+preauthentication
UDP domain configuration, 248
AAA RADIUS implementation, 2 enabling logging for login/logout, 213
AAA RADIUS packet format, 4 MAC authentication online user synchronization
enable, 166
AAA RADIUS request transmission attempts
max, 30 MAC authentication request user IP address, 169
AAA RADIUS session-control, 37 MAC authentication user logging enable, 171
attack D&P defense policy (UDP flood port security client userLoginWithOUI
attack), 535 configuration, 291
uncontrolled port (802.1X), 88 port security user logging enable, 288
unicast port security userLogin 802.1X authentication
mode, 275
802.1X unicast trigger mode, 94, 122
port security userLoginSecure 802.1X
Unicast Reverse Path Forwarding. Use uRPF
authentication mode, 275
unit
port security userLoginSecureExt 802.1X
AAA RADIUS Remanent_Volume attribute authentication mode, 275
data measurement unit, 32
712
port security userLoginWithOUI 802.1X password not displayed, 308
authentication mode, 275 password setting, 305
portal authentication authenticated user password updating, 306, 306
redirection, 196 password user first login, 307
portal authentication online user logout, 213 password user login attempt limit, 307
portal authentication roaming, 206 password user login control, 307
portal authentication user access control, 201 user profile
portal authentication user online 802.1X authentication+user profile
detection, 207 assignment, 106
portal authentication user setting max, 204 configuration, 300, 301
portal authentication user display, 300
synchronization, 209
MAC authentication user profile assignment, 154
re-DHCP portal
single user configuration, 300
authentication+preauthentication domain
configuration, 250 user policy+QoS policy configuration, 301
SSH online user max number, 464 username
SSH session disconnect, 464 AAA HWTACACS format, 46
SSH user configuration, 461 AAA RADIUS format, 29
SSH user connection control ACL, 463 V
Web authentication user online detection, 266 validity check
Web authentication user setting max, 266 ARP attack detection packet, 576
user access ARP attack detection user, 575
DHCP relay agent-based dynamic IPv4SG ARP attack detection user validity check ingress
configuration, 559 port, 578
DHCP snooping-based dynamic IPv4SG ARP attack protection configuration (user+packet
configuration, 558 validity check), 580
DHCPv6 relay agent-based dynamic IPv6SG ARP attack protection user, 579
configuration, 563
verifying
DHCPv6 snooping-based dynamic IPv6SG
address binding configuration, 561 PKI certificate, 348
DHCPv6 snooping-based dynamic IPv6SG PKI certificate verification (w/o CRL
prefix binding configuration, 562 checking), 350
IPSG configuration, 552, 557 PKI certificate with CRL checking, 349
static IPv4SG configuration, 557 version
static IPv6SG configuration, 560 AAA LDAP, 48
user account VLAN
MAC authentication user account format, 159 802.1X authentication guest VSI+authorization
VSI configuration (MAC-based), 138
MAC authentication user account
802.1X authentication+ACL assignment
policies, 146
configuration, 136
user authentication
802.1X Auth-Fail VLAN, 99, 116
password control configuration, 305, 309, 314
802.1X Auth-Fail VLAN (MAC-based access
password control parameters (global), 310 control), 100
password control parameters (local user), 312 802.1X Auth-Fail VLAN (port-based access
password control parameters (super), 313 control), 99
password control parameters (user 802.1X Auth-Fail VSI, 104
group), 312 802.1X authorization VLAN, 95
password event logging, 308 802.1X authorization VLAN configuration, 133
password expiration, 306, 306 802.1X authorization VLAN port manipulation, 97
password expiration early notification, 307 802.1X critical VLAN, 100, 117
password expired login, 307 802.1X critical VLAN (MAC-based access
password history, 307 control), 101
password max user account idle time, 308
713
802.1X critical VLAN (port-based access VPN
control), 100 AAA HWTACACS scheme VPN instance, 43
802.1X critical voice VLAN, 102, 117 AAA implementation, 13
802.1X critical voice VLAN (MAC-based AAA RADIUS scheme VPN instance, 25
access control), 102 AAA VPN implementation, 13
802.1X critical voice VLAN (port-based cross-subnet portal authentication configuration
access control), 102 for MPLS L3VPN, 246
802.1X guest VLAN, 98, 114 IKE-based IPsec tunnel for IPv4 packets, 407
802.1X guest VLAN (MAC-based access IPsec configuration, 378, 404
control), 99
IPsec RIPng configuration, 409
802.1X guest VLAN (port-based access
IPsec RRI, 383
control), 98
IPsec RRI configuration, 399, 413
802.1X guest VLAN assignment delay, 115
IPsec tunnel configuration for IPv4 packets
802.1X guest VLAN configuration, 133
(IKE-based), 433
802.1X local VLAN authorization, 96
IPsec tunnel for IPv4 packets (manual), 404
802.1X protocol packet VLAN tag
PKI application, 337
removal, 126
VSI
802.1X remote VLAN authorization, 95
802.1X authentication guest VSI+authorization
802.1X VLAN manipulation, 95
VSI configuration (MAC-based), 138
802.1X VSI manipulation, 102
802.1X Auth-Fail VSI, 119
DHCP snooping-based dynamic IPv4SG
802.1X authorization VSI, 103
configuration, 558
802.1X critical VSI, 104, 119
IPSG configuration, 552, 553, 557
802.1X guest VSI, 103, 118
IPv6 ND attack defense configuration, 590
802.1X guest VSI assignment delay, 118
IPv6 ND attack defense RA guard
configuration, 593, 595 802.1X manipulation, 102
MAC authentication authorization VLAN, 147 MAC authentication authorization VSI, 152
MAC authentication authorization VLAN port MAC authentication critical VSI, 153
manipulation, 149 MAC authentication critical VSI configuration, 164
MAC authentication critical VLAN, 150 MAC authentication guest VSI, 153, 163
MAC authentication critical VLAN MAC authentication manipulation, 152
configuration, 162 port security escape critical VSI, 287
MAC authentication critical voice VLAN, 151 VXLAN
MAC authentication critical voice VLAN 802.1X support, 102
enable, 163 MAC authentication support, 152
MAC authentication guest VLAN, 150, 161
W
MAC authentication local VLAN
authorization, 149 WAPI
MAC authentication remote VLAN PKI configuration, 335, 338, 353
authorization, 147 Web
MAC authentication VLAN assignment, 147 cross-subnet portal authentication
MAC authentication VSI manipulation, 152 configuration, 225
MFF configuration, 603, 604, 607 direct portal authentication configuration, 215
MFF configuration (in ring network), 608 direct portal authentication configuration (local
MFF configuration (in tree network), 607 portal Web service), 253
port security secure MAC address, 279 direct portal authentication+preauthentication
port security secure MAC address add, 280 domain configuration, 248
portal authentication roaming, 206 extended cross-subnet portal authentication
configuration, 237
static IPv4SG configuration, 557
extended direct portal authentication
static IPv6SG configuration, 560 configuration, 229
Web authentication Auth-Fail VLAN, 261, 266 extended re-DHCP portal authentication
Web authentication authorization VLAN, 260 configuration, 232
714
local portal authentication service, 194 system components, 259
local portal Web service, 185 troubleshoot, 272
PKI, 337 Windows
portal authentication 2000 PKI CA server SCEP add-on, 339
configuration, 183, 189, 215 2000 PKI entity configuration, 339
portal authentication extended functions, 183 2003 PKI CA server certificate request, 356
portal authentication local portal Web service 2003 PKI CA server IKE negotiation+RSA digital
page customization, 185 signature, 363
portal authentication local portal Web service WLAN
parameter, 196 802.1X overview, 88
portal authentication redirect, 214 port security client
portal authentication server detection+user macAddressElseUserLoginSecure
synchronization configuration, 240 configuration, 294
portal authentication system, 183 port security client userLoginWithOUI
portal authentication Web proxy support, 203 configuration, 291
portal authentication Web server port security configuration, 273, 276, 289
(interface), 198 port security MAC address autoLearn
portal authentication Web server configuration, 289
detection, 208 working with
re-DHCP portal authentication SSH SFTP directories, 472
configuration, 221 SSH SFTP files, 473
re-DHCP portal
authentication+preauthentication domain X
configuration, 250 X.500
remote portal authentication Web server, 192 AAA LDAP implementation, 8
troubleshooting 802.1X EAD assistant URL
redirection failure, 145
Web authentication configuration, 268
Web authentication
authentication-free subnet configuration, 265
Auth-Fail VLAN configuration, 266
authorization ACL support, 261
configuration, 259, 262, 268
configuration (local authentication
server), 268
configuration (RADIUS authentication
server), 270
display, 268
domain specification, 264
enable, 264
local portal service, 263
process, 260
proxy support configuration, 267
redirection wait time, 265
server configuration, 263
troubleshoot failure to come online, 272
user online detection, 266
user setting max, 266
VLAN assignment support, 260
web authentication
HTTPS redirect listening port number, 263
Web authentication
715