H3C S5830V2 series Security Configuration Manual

Category
Software
Type
Security Configuration Manual

This manual is also suitable for

H3C S5830V2 & S5820V2 Switch Series
Security Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 22xx
Document version: 6W100-20131105
Copyright © 2013, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , Aolynk, , H
3
Care, , TOP G, , IRF, NetPilot, Neocean, NeoVTL,
SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V
2
G, V
n
G, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S5830V2 & S5820V2 documentation set includes 14 configuration guides, which describe the
software features for the H3C S5830V2 & S5820V2 Switch Series and guide you through the software
configuration procedures. These configuration guides also provide configuration examples to help you
apply software features to different network scenarios.
The Security Configuration Guide describes security fundamentals and configuration. It covers the
identity authentication features (such as AAA and PKI), access security features (such as 802.1X, MAC
authentication, and port security), data security features (such as public key management, SSL, and SSH),
and attack protection features (such as IP source guard, uRPF, and ARP attack protection).
This preface includes:
• Audience
• Added and modified features
• Conventions
• About the H3C S5830V2 & S5820V2 documentation set
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the S5830V2 & S5820V2 series
Added and modified features
This documentation set is for Release 22xx. The following describes the feature changes between
releases:
• Release 2210 has the following feature changes over Release 2208P01:
Confi
g
uration
g
uide Added and modified features
SSH
Added features: Authenticating clients through digital certificates on the SSH
server.
Modified features: Changing the maximum length of the host name for the
SCP/SFTP/SSH server.
• Release 2208P01 does not have feature changes over Release 2208.
• Release 2208 has the following feature changes over Release 2108P02:
Confi
g
uration
g
uide Added and modified features
AAA
Added features:
• Configuring a local user to use the LAN access service.
• Configuring AAA methods for LAN users.
• Setting the traffic statistics unit for a RADIUS or HWTACACS server.
• Configuring the IPv6 address and port number of an LDAP server.
• Configuring the local user type.
• Configuring the RADIUS or HWTACACS server to support IPv6.
• Enabling the session-control feature.
Modified features:
• Configuring the local user password.
• Specifying AAA methods in an ISP domain to apply by default or to
login users.
802.1X Added features: 802.1X.
MAC authentication Added features: MAC authentication.
Port security Added features: Port security.
Password control Added features: Password control.
Public key management N/A
PKI Added features: PKI.
SSH
Added features:
• Configuring the service type as SCP for SSH users.
• Configuring the device as an SCP client.
• Specifying the output interface used by a client to connect to the
IPv6 SFTP server.
• Specifying the output interface used by a client to connect to the
IPv6 Stelnet server.
• Specifying 256-bit AES_CBC as a preferred client-to-server
encryption algorithm.
Modified features: Setting an ACL for IPv6 SSH clients.
SSL Added features: SSL.
IP source guard
Added features:
• Displaying IPv4 source guard entries with the specified fields.
• Clearing IPv4 source guard entries with the specified fields.
ARP attack protection
Modified features:
• Setting the aging time of ARP attack entries.
• Setting the threshold for source MAC address-based ARP attack
detection.
uRPF Added features: uRPF.
FIPS Added features: FIPS.
IPsec Added features: IPsec.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Descri
p
tion
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Descri
p
tion
Boldface
Window names, button names, field names, and menu items are in bold text. For
example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Descri
p
tion
WARNING
An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION
An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
An alert that calls attention to essential information.
NOTE
An alert that contains additional or supplementary information.
TIP
An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your switch.
About the H3C S5830V2 & S5820V2
documentation set
The H3C S5830V2&S5820V2 documentation set includes:
Cate
g
or
y
Documents
Pur
p
oses
Hardware specifications
and installation
Compliance and safety
manual
Provides regulatory information and the safety
instructions that must be followed during installation.
Installation quick start Provides basic installation instructions.
Installation guide
Provides a complete guide to hardware installation
and hardware specifications.
Fan assemblies
installation manual
Describes the appearance, specifications, and
installation and removal of hot-swappable fan
assemblies.
Power modules user
manual
Describes the appearance, specifications, and
installation and removal of hot-swappable power
modules.
Software configuration
Configuration guides
Describe software features and configuration
procedures.
Command references
Provide a quick reference to all available
commands.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com
.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents]
– Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions]
– Provides information about products and technologies.
[Technical Support & Documents > Software Download]
– Provides the documentation released with the
software version.
Technical support
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
i
Contents
Configuring AAA ························································································································································· 1
Overview ············································································································································································ 1
RADIUS ······································································································································································ 2
HWTACACS ····························································································································································· 7
LDAP ·········································································································································································· 9
AAA implementation on the device ····················································································································· 11
AAA for MPLS L3VPNs ········································································································································· 13
Protocols and standards ······································································································································· 13
RADIUS attributes ·················································································································································· 14
FIPS compliance ····························································································································································· 17
AAA configuration considerations and task list ·········································································································· 17
Configuring AAA schemes ············································································································································ 18
Configuring local users ········································································································································· 18
Configuring RADIUS schemes ······························································································································ 22
Configuring HWTACACS schemes ····················································································································· 30
Configuring LDAP schemes ·································································································································· 36
Configuring AAA methods for ISP domains ················································································································ 39
Configuration prerequisites ·································································································································· 40
Creating an ISP domain ······································································································································· 40
Configuring ISP domain status ····························································································································· 40
Configuring authentication methods for an ISP domain ··················································································· 41
Configuring authorization methods for an ISP domain ····················································································· 42
Configuring accounting methods for an ISP domain ························································································· 43
Enabling the session-control feature ····························································································································· 44
Displaying and maintaining AAA ································································································································ 44
AAA configuration examples ········································································································································ 44
AAA for SSH users by an HWTACACS server ·································································································· 44
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ·························· 46
Authentication and authorization for SSH users by a RADIUS server ····························································· 47
Authentication for SSH users by an LDAP server ······························································································· 51
Troubleshooting RADIUS ··············································································································································· 56
RADIUS authentication failure ······························································································································ 56
RADIUS packet delivery failure ···························································································································· 56
RADIUS accounting error ····································································································································· 57
Troubleshooting HWTACACS ······································································································································ 57
Troubleshooting LDAP ···················································································································································· 57
802.1X overview ······················································································································································· 59
802.1X architecture ······················································································································································· 59
Controlled/uncontrolled port and port authorization status ······················································································ 59
802.1X-related protocols ·············································································································································· 60
Packet formats ························································································································································ 61
EAP over RADIUS ·················································································································································· 62
Initiating 802.1X authentication ··································································································································· 62
802.1X client as the initiator································································································································ 62
Access device as the initiator ······························································································································· 63
802.1X authentication procedures ······························································································································ 63
Comparing EAP relay and EAP termination ······································································································· 64
EAP relay ································································································································································ 64
ii
EAP termination ····················································································································································· 66
Configuring 802.1X ·················································································································································· 68
H3C implementation of 802.1X ··································································································································· 68
Configuration prerequisites ··········································································································································· 68
802.1X configuration task list ······································································································································· 68
Enabling 802.1X ···························································································································································· 69
Enabling EAP relay or EAP termination ······················································································································· 69
Setting the port authorization state ······························································································································ 70
Specifying an access control method ·························································································································· 70
Setting the maximum number of concurrent 802.1X users on a port ······································································· 70
Setting the maximum number of authentication request attempts ············································································· 71
Setting the 802.1X authentication timeout timers ······································································································· 71
Configuring the online user handshake function ········································································································ 72
Configuring the authentication trigger function ·········································································································· 72
Configuration guidelines ······································································································································ 73
Configuration procedure ······································································································································ 73
Specifying a mandatory authentication domain on a port ························································································ 73
Configuring the quiet timer ··········································································································································· 74
Enabling the periodic online user re-authentication function ····················································································· 74
Displaying and maintaining 802.1X ··························································································································· 74
802.1X authentication configuration example ··········································································································· 75
Network requirements ··········································································································································· 75
Configuration procedure ······································································································································ 75
Verifying the configuration ··································································································································· 77
Configuring MAC authentication ······························································································································ 78
Overview ········································································································································································· 78
User account policies ············································································································································ 78
Authentication methods········································································································································· 78
Configuration prerequisites ··········································································································································· 79
Configuration task list ···················································································································································· 79
Enabling MAC authentication ······································································································································ 79
Specifying a MAC authentication domain ·················································································································· 80
Configuring the user account format ···························································································································· 80
Configuring MAC authentication timers ······················································································································ 81
Setting the maximum number of concurrent MAC authentication users on a port ·················································· 81
Displaying and maintaining MAC authentication ······································································································ 82
MAC authentication configuration examples ·············································································································· 82
Local MAC authentication configuration example····························································································· 82
RADIUS-based MAC authentication configuration example············································································· 84
Configuring port security ··········································································································································· 86
Overview ········································································································································································· 86
Port security features ············································································································································· 86
Port security modes ··············································································································································· 86
Configuration task list ···················································································································································· 89
Enabling port security ···················································································································································· 89
Setting port security's limit on the number of secure MAC addresses on a port ···················································· 90
Setting the port security mode ······································································································································ 91
Configuring port security features ································································································································ 92
Configuring NTK ··················································································································································· 92
Configuring intrusion protection ·························································································································· 92
Configuring secure MAC addresses ···························································································································· 93
Configuration prerequisites ·································································································································· 93
Configuration procedure ······································································································································ 94
iii
Ignoring authorization information from the server ···································································································· 94
Displaying and maintaining port security ···················································································································· 94
Port security configuration examples ··························································································································· 95
autoLearn configuration example ························································································································ 95
userLoginWithOUI configuration example ········································································································· 96
macAddressElseUserLoginSecure configuration example ················································································· 99
Troubleshooting port security ······································································································································ 102
Cannot set the port security mode ····················································································································· 102
Cannot configure secure MAC addresses ········································································································ 103
Configuring password control ································································································································ 104
Overview ······································································································································································· 104
Password setting ·················································································································································· 104
Password updating and expiration ··················································································································· 105
User login control ················································································································································ 106
Password not displayed in any form ················································································································· 106
Logging ································································································································································· 107
FIPS compliance ··························································································································································· 107
Password control configuration task list ····················································································································· 107
Enabling password control ········································································································································· 107
Setting global password control parameters ············································································································ 108
Setting user group password control parameters ····································································································· 109
Setting local user password control parameters ······································································································· 109
Setting super password control parameters ·············································································································· 110
Displaying and maintaining password control ········································································································· 111
Password control configuration example ·················································································································· 111
Network requirements ········································································································································· 111
Configuration procedure ···································································································································· 112
Verifying the configuration ································································································································· 113
Managing public keys ············································································································································ 115
Overview ······································································································································································· 115
FIPS compliance ··························································································································································· 115
Creating a local key pair ············································································································································ 116
Configuration guidelines ···································································································································· 116
Configuration procedure ···································································································································· 116
Distributing a local host public key ···························································································································· 117
Exporting a host public key in a specific format to a file ················································································ 117
Displaying a host public key in a specific format and saving it to a file ······················································ 118
Displaying a host public key ······························································································································ 118
Destroying a local key pair ········································································································································· 118
Configuring a peer public key ···································································································································· 119
Importing a peer host public key from a public key file ·················································································· 119
Entering a peer public key ································································································································· 119
Displaying and maintaining public keys ··················································································································· 120
Examples of public key management ························································································································ 120
Example for entering a peer public key ············································································································ 120
Example for importing a public key from a public key file ············································································· 122
Configuring PKI ······················································································································································· 125
Overview ······································································································································································· 125
PKI terminology ···················································································································································· 125
PKI architecture ···················································································································································· 126
PKI operation ······················································································································································· 127
PKI applications ··················································································································································· 127
PKI across VPNs ·················································································································································· 127
iv
FIPS compliance ··························································································································································· 128
PKI configuration task list ············································································································································ 128
Configuring a PKI entity ·············································································································································· 128
Configuring a PKI domain ··········································································································································· 129
Requesting a certificate ··············································································································································· 131
Configuring automatic certificate request ········································································································· 132
Manually requesting a certificate ······················································································································ 133
Aborting a certificate request ····································································································································· 134
Obtaining certificates ·················································································································································· 134
Configuration prerequisites ································································································································ 134
Configuration guidelines ···································································································································· 135
Configuration procedure ···································································································································· 135
Verifying PKI certificates ·············································································································································· 135
Verifying certificates with CRL checking ··········································································································· 135
Verifying certificates without CRL checking ······································································································ 136
Specifying the storage path for the certificates and CRLs ······················································································· 136
Exporting certificates ··················································································································································· 137
Removing a certificate ················································································································································· 138
Configuring a certificate access control policy ········································································································· 138
Displaying and maintaining PKI ································································································································· 139
PKI configuration examples ········································································································································· 139
Certificate request from an RSA Keon CA server ···························································································· 140
Certificate request from a Windows 2003 CA server ···················································································· 142
Certificate request from an OpenCA server ····································································································· 146
Certificate import and export configuration example ····················································································· 149
Troubleshooting PKI configuration ······························································································································ 155
Failed to obtain the CA certificate ····················································································································· 155
Failed to obtain local certificates ······················································································································· 155
Failed to request local certificates ····················································································································· 156
Failed to obtain CRLs ·········································································································································· 157
Failed to import the CA certificate ····················································································································· 157
Failed to import a local certificate ····················································································································· 158
Failed to export certificates ································································································································ 158
Failed to set the storage path ····························································································································· 159
Configuring SSH ····················································································································································· 160
Overview ······································································································································································· 160
How SSH works ··················································································································································· 160
SSH authentication methods ······························································································································· 161
FIPS compliance ··························································································································································· 162
Configuring the device as an SSH server ·················································································································· 162
SSH server configuration task list ······················································································································ 162
Generating local DSA or RSA key pairs ··········································································································· 162
Enabling the SSH server function ······················································································································· 163
Enabling the SFTP server function ······················································································································ 164
Configuring the user interfaces for Stelnet clients ···························································································· 164
Configuring a client's host public key ··············································································································· 164
Configuring an SSH user ···································································································································· 165
Setting the SSH management parameters ········································································································ 167
Configuring the device as an Stelnet client ··············································································································· 168
Stelnet client configuration task list ···················································································································· 168
Specifying a source IP address or source interface for the Stelnet client ······················································ 168
Establishing a connection to an Stelnet server ································································································· 168
Configuring the device as an SFTP client ·················································································································· 171
SFTP client configuration task list ······················································································································· 171
v
Specifying a source IP address or source interface for the SFTP client ························································· 171
Establishing a connection to an SFTP server ···································································································· 171
Working with SFTP directories ··························································································································· 173
Working with SFTP files ······································································································································ 173
Displaying help information ······························································································································· 173
Terminating the connection with the SFTP server ····························································································· 174
Configuring the device as an SCP client ··················································································································· 174
Displaying and maintaining SSH ······························································································································· 176
Stelnet configuration examples ··································································································································· 176
Password authentication enabled Stelnet server configuration example ······················································ 176
Publickey authentication enabled Stelnet server configuration example ······················································· 179
Password authentication enabled Stelnet client configuration example ························································ 184
Publickey authentication enabled Stelnet client configuration example ························································ 187
SFTP configuration examples ······································································································································ 189
Password authentication enabled SFTP server configuration example ·························································· 189
Publickey authentication enabled SFTP client configuration example ··························································· 191
SCP file transfer with password authentication ········································································································· 194
Network requirements ········································································································································· 194
Configuration procedure ···································································································································· 195
Configuring SSL ······················································································································································· 197
Overview ······································································································································································· 197
SSL security mechanism ······································································································································ 197
SSL protocol stack ··············································································································································· 197
FIPS compliance ··························································································································································· 198
SSL configuration task list ············································································································································ 198
Configuring an SSL server policy ······························································································································· 198
Configuring an SSL client policy ································································································································ 199
Displaying and maintaining SSL ································································································································· 200
Configuring IP source guard ·································································································································· 202
Overview ······································································································································································· 202
Static IP source guard binding entries ··············································································································· 202
Dynamic IPv4 source binding entries ················································································································ 203
IP source guard configuration task list ······················································································································· 203
Configuring the IPv4 source guard function ·············································································································· 203
Enabling IPv4 source guard on an interface ···································································································· 203
Configuring a static IPv4 source guard binding entry on an interface ························································· 204
Configuring the IPv6 source guard function ·············································································································· 205
Enabling IPv6 source guard on an interface ···································································································· 205
Configuring a static IPv6 source guard binding entry on an interface ························································· 205
Displaying and maintaining IP source guard ············································································································ 206
IP source guard configuration examples ··················································································································· 206
Static IPv4 source guard configuration example ····························································································· 206
Dynamic IPv4 source guard using DHCP snooping configuration example ················································· 208
Dynamic IPv4 source guard using DHCP relay configuration example ························································ 210
Static IPv6 source guard configuration example ····························································································· 211
Configuring ARP attack protection ························································································································· 212
ARP attack protection configuration task list ············································································································· 212
Configuring unresolvable IP attack protection ·········································································································· 212
Configuring ARP source suppression ················································································································ 213
Enabling ARP blackhole routing ························································································································ 213
Displaying and maintaining unresolvable IP attack protection ······································································ 213
Configuration example ······································································································································· 213
Configuring ARP packet rate limit ······························································································································ 214
vi
Configuration guidelines ···································································································································· 215
Configuration procedure ···································································································································· 215
Configuring source MAC-based ARP attack detection ···························································································· 215
Configuration procedure ···································································································································· 215
Displaying and maintaining source MAC-based ARP attack detection ························································· 216
Configuration example ······································································································································· 216
Configuring ARP packet source MAC consistency check ························································································ 218
Configuring ARP active acknowledgement ··············································································································· 218
Configuring ARP detection ·········································································································································· 218
Configuring user validity check ························································································································· 218
Configuring ARP packet validity check ············································································································· 219
Configuring ARP restricted forwarding ············································································································· 220
Displaying and maintaining ARP detection ······································································································ 220
User validity check and ARP packet validity check configuration example ·················································· 221
Configuring ARP automatic scanning and fixed ARP ······························································································· 222
Configuration guidelines ···································································································································· 222
Configuration procedure ···································································································································· 223
Configuring ARP gateway protection ························································································································ 223
Configuration guidelines ···································································································································· 223
Configuration procedure ···································································································································· 223
Configuration example ······································································································································· 224
Configuring ARP filtering ············································································································································· 224
Configuration guidelines ···································································································································· 224
Configuration procedure ···································································································································· 225
Configuration example ······································································································································· 225
Configuring uRPF ····················································································································································· 227
uRPF check modes ························································································································································ 227
uRPF operation ····························································································································································· 227
Network application ···················································································································································· 230
Configuration procedure ············································································································································· 230
Displaying and maintaining uRPF ······························································································································ 231
Configuration example ················································································································································ 231
Network requirements ········································································································································· 231
Configuration procedure ···································································································································· 231
Configuring FIPS······················································································································································ 232
Overview ······································································································································································· 232
Configuration restrictions and guidelines ·················································································································· 232
Configuring FIPS mode ················································································································································ 233
Entering FIPS mode ············································································································································· 233
Configuration changes in FIPS mode ················································································································ 234
FIPS self-tests ································································································································································· 235
Power-up self-tests ················································································································································ 235
Conditional self-tests ············································································································································ 235
Triggering self-tests ·············································································································································· 236
Displaying and maintaining FIPS ······························································································································· 236
FIPS configuration examples ······································································································································· 236
Entering FIPS mode through automatic reboot ································································································· 236
Entering FIPS mode through manual reboot ····································································································· 237
Configuring IPsec ···················································································································································· 240
Overview ······································································································································································· 240
Security protocols and encapsulation modes ··································································································· 241
Security association ············································································································································· 242
Authentication and encryption ··························································································································· 243
vii
IPsec implementation ··········································································································································· 243
Protocols and standards ····································································································································· 244
FIPS compliance ··························································································································································· 244
IPsec tunnel establishment ··········································································································································· 244
Implementing ACL-based IPsec ··································································································································· 244
Feature restrictions and guidelines ···················································································································· 244
ACL-based IPsec configuration task list ············································································································· 245
Configuring an ACL ············································································································································ 245
Configuring an IPsec transform set ···················································································································· 246
Configuring a manual IPsec policy···················································································································· 248
Configuring an IKE-based IPsec policy ············································································································· 250
Applying an IPsec policy to an interface ·········································································································· 253
Enabling ACL checking for de-encapsulated packets ······················································································ 254
Configuring the IPsec anti-replay function ········································································································ 254
Binding a source interface to an IPsec policy ·································································································· 255
Enabling QoS pre-classify ·································································································································· 256
Enabling logging of IPsec packets ····················································································································· 256
Configuring the DF bit of IPsec packets ············································································································ 256
Displaying and maintaining IPsec ······························································································································ 257
IPsec configuration examples······································································································································ 258
Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 258
Configuring an IKE-based IPsec tunnel for IPv4 packets ················································································· 261
Configuring IKE ······················································································································································· 264
Overview ······································································································································································· 264
IKE negotiation process ······································································································································ 264
IKE security mechanism ······································································································································· 265
Protocols and standards ····································································································································· 266
FIPS compliance ··························································································································································· 266
IKE configuration prerequisites ··································································································································· 266
IKE configuration task list ············································································································································ 266
Configuring an IKE profile ·········································································································································· 267
Configuring an IKE proposal ······································································································································ 269
Configuring an IKE keychain ······································································································································ 270
Configuring the global identity information ·············································································································· 271
Configuring the IKE keepalive function ······················································································································ 272
Configuring the IKE NAT keepalive function ············································································································ 272
Configuring IKE DPD···················································································································································· 273
Enabling invalid SPI recovery ····································································································································· 273
Setting the maximum number of IKE SAs ··················································································································· 274
Displaying and maintaining IKE ································································································································· 274
Main mode IKE with pre-shared key authentication configuration example ························································· 275
Network requirements ········································································································································· 275
Configuration procedure ···································································································································· 275
Verifying the configuration ································································································································· 277
Troubleshooting IKE ····················································································································································· 278
IKE negotiation failed because no matching IKE proposals were found ······················································· 278
IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly····················· 278
IPsec SA negotiation failed because no matching IPsec transform sets were found ···································· 279
IPsec SA negotiation failed due to invalid identity information ······································································ 279
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights and controls their access to resources and
services. For example, you can use this function to grant a user who has successfully logged in to the
device read and print permissions to the files on the device, and prevent a guest from reading or
printing the files.
• Accounting—Records network usage details of users, including the service type, start time, and
traffic. This function enables time-based and traffic-based charging and user behavior auditing.
Typically, AAA uses a client/server model. The client runs on the access device, or the network access
server (NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network
diagram
A user who wants to access networks or resources beyond the NAS sends its identity information to the
NAS, which transparently passes the user information to the servers. The servers perform user
authentication, authorization, and accounting and return the result to the NAS. Based on the result, the
NAS determines whether to permit or deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP, of which RADIUS is most
often used.
The network in Figure 1 ha
s o
ne RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and use the RADIUS server for accounting.
You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, you only need to deploy
an authentication server. If network usage information is needed, you must also configure an accounting
server.
Remote user
NAS
RADIUS server
HWTACACS server
Internet
Network
2
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments that require both high security and remote user access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for
authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It receives authentication, authorization, and
accounting requests from RADIUS clients, performs user authentication, authorization, or accounting,
and returns user access control information (for example, rejecting or accepting the user access request)
to the clients. In addition, the RADIUS server can act as the client of another RADIUS server to provide
authentication proxy services.
The RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server databases
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys, which
are pre-configured on the client and server. A RADIUS packet has a 16-byte field called Authenticator.
This field includes a signature generated by using the MD5 algorithm, the shared key, and some other
information. The receiver of the packet verifies the signature and accepts the packet only when the
signature is correct. This mechanism ensures the security of information exchanged between the RADIUS
client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates in the following manner:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client encrypts the user password by using the MD5 algorithm, the shared key, and
some other information, encapsulates the username and the encrypted password to an
authentication request (Access-Request), and sends the request to the RADIUS server.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept packet that contains the user's authorization information. If
the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If it permits the
user, it sends a start-accounting request (Accounting-Request) packet to the RADIUS server.
5. The RADIUS server returns an acknowledgement (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the RADIUS
server.
9. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for
the user.
10. The RADIUS client notifies the user of the termination.
4
RADIUS packet format
RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server
and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission
mechanism, and the backup server mechanism. Figure 4 sho
w
s the RADIUS packet format.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values
and the
ir meanings.
Table 1 Main values of the Code field
Code Packet t
yp
e Descri
tion
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and the
server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the server
sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or stop
accounting.
5 Accounting-Response
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
• The Identifier field (1 byte long) is used to match response packets with request packets and to detect
duplicate request packets. The request and response packets of the same exchange process for the
same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the Code,
Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered
padding and are ignored at the receiver. If the length of a received packet is less than this length,
the packet is dropped.
5
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and
to encrypt user passwords. There are two types of authenticators: request authenticator and
response authenticator.
• The Attributes field (variable in length) includes specific authentication, authorization, and
accounting information. This field can contain multiple attributes, each with three sub-fields:
{ Type—Type of the attribute.
{ Length—Length of the attribute in bytes, including the Type, Length, and Value sub-fields.
{ Value—Value of the attribute. Its format and content depend on the Type sub-field.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No. Attribute
No.
Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
6
No. Attribute No.
Attribute
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined
in RFC 2865, allows a vendor to define extended attributes to implement functions that the standard
RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a sub-at
tr
ibute encapsulated in attribute 26 consists of the following
parts:
• Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code
compliant to RFC 1700.
• Vendor-Type—Type of the sub-attribute.
• Vendor-Length—Length of the sub-attribute.
• Vendor-Data—Contents of the sub-attribute.
For more information about the proprietary RADIUS sub-attributes of H3C, see "H3C proprietary
RA
D
IUS sub-attributes."
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326
  • Page 327 327
  • Page 328 328
  • Page 329 329
  • Page 330 330
  • Page 331 331
  • Page 332 332

H3C S5830V2 series Security Configuration Manual

Category
Software
Type
Security Configuration Manual
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI