Aruba JE072A Configuration Guide

Category
Software
Type
Configuration Guide
HPE Networking Comware
5120v3 Switch
Series
Security Configuration Guide
Software
version: Release 6352P02 and later
Document version: 6W100-20230715
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring AAA ···························································································· 1
About AAA·························································································································································· 1
AAA implementation ··································································································································· 1
AAA network diagram ································································································································ 1
RADIUS ······················································································································································ 2
HWTACACS ··············································································································································· 5
LDAP ·························································································································································· 8
User management based on ISP domains and user access types·························································· 11
Authentication, authorization, and accounting methods··········································································· 11
AAA extended functions ··························································································································· 12
RADIUS server feature of the device ······································································································· 13
Protocols and standards ·························································································································· 14
FIPS compliance ·············································································································································· 14
AAA tasks at a glance ······································································································································ 14
Configuring local users····································································································································· 15
About local users ······································································································································ 15
Local user configuration tasks at a glance ······························································································· 16
Restrictions and guidelines for local user configuration ··········································································· 16
Configuring attributes for device management users··············································································· 16
Configuring attributes for network access users ······················································································ 18
Configuring user group attributes ············································································································· 20
Configuring the local user auto-delete feature ························································································· 20
Display and maintenance commands for local users and local user groups ··········································· 21
Configuring RADIUS ········································································································································ 21
RADIUS tasks at a glance ························································································································ 21
Restrictions and guidelines for RADIUS configuration ············································································· 22
Configuring an EAP profile ······················································································································· 22
Configuring a test profile for RADIUS server status detection ································································· 23
Creating a RADIUS scheme ···················································································································· 24
Specifying RADIUS authentication servers ······························································································ 24
Specifying the RADIUS accounting servers ····························································································· 25
Specifying the shared keys for secure RADIUS communication ····························································· 26
Setting the status of RADIUS servers ······································································································ 26
Setting RADIUS timers ····························································································································· 27
Specifying the source IP address for outgoing RADIUS packets····························································· 28
Setting the username format and traffic statistics units ············································································ 29
Setting the maximum number of RADIUS request transmission attempts ··············································· 30
Setting the maximum number of real-time accounting attempts ······························································ 31
Setting the DSCP priority for RADIUS packets ························································································ 31
Specifying the format of the NAS-Port attribute ······················································································· 31
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users ······················ 32
Interpreting the RADIUS class attribute as CAR parameters ··································································· 32
Configuring the MAC address format for RADIUS attribute 31 ································································ 33
Specifying the format of the NAS-Port-ID attribute ·················································································· 33
Setting the data measurement unit for the Remanent_Volume attribute ················································· 34
Configuring the RADIUS attribute translation feature ·············································································· 34
Configuring RADIUS stop-accounting packet buffering ··········································································· 36
Enabling forcibly sending stop-accounting packets ················································································· 36
Enabling the RADIUS server load sharing feature ··················································································· 37
Configuring the RADIUS accounting-on feature ······················································································ 37
Configuring the RADIUS session-control feature ····················································································· 38
Configuring the RADIUS DAS feature ······································································································ 39
Enabling SNMP notifications for RADIUS ································································································ 39
Disabling the RADIUS service ················································································································· 40
Display and maintenance commands for RADIUS ·················································································· 41
Configuring HWTACACS ································································································································· 41
HWTACACS tasks at a glance················································································································· 41
ii
Creating an HWTACACS scheme ··········································································································· 42
Specifying the HWTACACS authentication servers ················································································· 42
Specifying the HWTACACS authorization servers ··················································································· 43
Specifying the HWTACACS accounting servers ······················································································ 43
Specifying the shared keys for secure HWTACACS communication ······················································ 44
Setting HWTACACS timers ······················································································································ 44
Specifying the source IP address for outgoing HWTACACS packets······················································ 46
Setting the username format and traffic statistics units ············································································ 47
Configuring HWTACACS stop-accounting packet buffering ···································································· 47
Display and maintenance commands for HWTACACS ··········································································· 48
Configuring LDAP ············································································································································ 48
LDAP tasks at a glance ···························································································································· 48
Creating an LDAP server ························································································································· 49
Configuring the IP address of the LDAP server ······················································································· 49
Specifying the LDAP version ···················································································································· 49
Setting the LDAP server timeout period ··································································································· 49
Configuring administrator attributes ········································································································· 50
Configuring LDAP user attributes············································································································· 50
Configuring an LDAP attribute map ········································································································· 51
Creating an LDAP scheme ······················································································································· 52
Specifying the LDAP authentication server ······························································································ 52
Specifying the LDAP authorization server ································································································ 52
Specifying an LDAP attribute map for LDAP authorization ······································································ 52
Display and maintenance commands for LDAP······················································································· 53
Creating an ISP domain ··································································································································· 53
About ISP domains ·································································································································· 53
Restrictions and guidelines for ISP domain configuration ········································································ 53
Creating an ISP domain ··························································································································· 54
Specifying the default ISP domain ··········································································································· 54
Specifying an ISP domain for users that are assigned to nonexistent domains ······································ 54
Configuring ISP domain attributes ··················································································································· 54
Setting ISP domain status ························································································································ 54
Configuring authorization attributes for an ISP domain············································································ 55
Including the idle timeout period in the user online duration to be sent to the server ······························ 55
Configuring AAA methods for an ISP domain ·································································································· 56
Configuring authentication methods for an ISP domain ··········································································· 56
Configuring authorization methods for an ISP domain ············································································· 57
Configuring accounting methods for an ISP domain ················································································ 58
Display and maintenance commands for ISP domains············································································ 59
Setting the maximum number of concurrent login users ·················································································· 60
Configuring a NAS-ID······································································································································· 60
Configuring the device ID ································································································································· 61
Enabling password change prompt logging ····································································································· 61
Configuring the RADIUS server feature ··········································································································· 62
RADIUS server feature tasks at a glance ································································································ 62
Restrictions and guidelines for the RADIUS server feature ····································································· 62
Configuring RADIUS users ······················································································································ 62
Specifying RADIUS clients ······················································································································· 62
Activating the RADIUS server configuration ···························································································· 63
Display and maintenance commands for RADIUS users and clients ······················································ 63
Configuring the connection recording policy ···································································································· 63
About the connection recording policy ····································································································· 63
Restrictions and guidelines ······················································································································ 63
Procedure ················································································································································· 64
Display and maintenance commands for the connection recording policy ·············································· 64
Configuring the AAA test feature······················································································································ 64
AAA configuration examples ···························································································································· 66
Example: Configuring AAA for SSH users by an HWTACACS server ····················································· 66
Example: Configuring local authentication, HWTACACS authorization, and RADIUS accounting for SSH
users ························································································································································ 68
Example: Configuring authentication and authorization for SSH users by a RADIUS server ·················· 70
Example: Configuring authentication for SSH users by an LDAP server ················································· 73
iii
Example: Configuring AAA for 802.1X users by a RADIUS server ·························································· 76
Example: Configuring authentication and authorization for 802.1X users by the device as a RADIUS server
································································································································································· 81
Troubleshooting AAA ······································································································································· 84
RADIUS authentication failure ················································································································· 84
RADIUS packet delivery failure ················································································································ 84
RADIUS accounting error ························································································································· 85
Troubleshooting HWTACACS ·················································································································· 85
LDAP authentication failure ······················································································································ 85
Appendixes ······················································································································································ 86
Appendix A Commonly used RADIUS attributes ····················································································· 86
Appendix B Descriptions for commonly used standard RADIUS attributes ············································· 87
Appendix C RADIUS subattributes (vendor ID 25506) ············································································ 89
Appendix D Format of dynamic authorization ACLs ················································································ 92
802.1X overview ·························································································· 95
About the 802.1X protocol ······························································································································· 95
802.1X architecture ·································································································································· 95
Controlled/uncontrolled port and port authorization status······································································· 95
Packet exchange methods ······················································································································· 96
Packet formats ········································································································································· 97
802.1X authentication procedures ··········································································································· 99
802.1X authentication initiation ·············································································································· 101
Access control methods ································································································································· 102
802.1X VLAN manipulation ···························································································································· 102
Authorization VLAN ································································································································ 102
Guest VLAN ··········································································································································· 105
Auth-Fail VLAN ······································································································································ 106
Critical VLAN ·········································································································································· 107
Critical voice VLAN ································································································································ 109
ACL assignment ············································································································································· 109
User profile assignment ································································································································· 110
Redirect URL assignment ······························································································································ 110
Periodic 802.1X reauthentication ··················································································································· 111
EAD assistant················································································································································· 111
Configuring 802.1X ···················································································· 113
Restrictions and guidelines: 802.1X configuration ························································································· 113
802.1X tasks at a glance ································································································································ 113
Prerequisites for 802.1X································································································································· 114
Enabling 802.1X ············································································································································· 114
Enabling EAP relay or EAP termination ········································································································· 115
Setting the port authorization state ················································································································ 115
Specifying an access control method············································································································· 116
Specifying a mandatory authentication domain on a port ·············································································· 116
Setting the 802.1X authentication timeout timers ·························································································· 117
Configuring 802.1X reauthentication ·············································································································· 117
Setting the quiet timer ···································································································································· 118
Configuring an 802.1X guest VLAN ··············································································································· 119
Enabling 802.1X guest VLAN assignment delay···························································································· 120
Configuring an 802.1X Auth-Fail VLAN·········································································································· 120
Configuring an 802.1X critical VLAN ·············································································································· 121
Enabling the 802.1X critical voice VLAN feature ··························································································· 122
Configuring 802.1X unauthenticated user aging ···························································································· 123
Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN ··································· 123
Enabling 802.1X online user synchronization ································································································ 124
Configuring the authentication trigger feature ································································································ 125
Discarding duplicate 802.1X EAPOL-Start requests ······················································································ 125
Setting the maximum number of concurrent 802.1X users on a port ····························································· 126
Setting the maximum number of authentication request attempts ································································· 126
Configuring online user handshake················································································································ 126
Configuring packet detection for 802.1X authentication ················································································ 128
iv
Specifying supported domain name delimiters ······························································································ 129
Removing the VLAN tags of 802.1X protocol packets sent out of a port ······················································· 130
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ··················· 130
Enabling 802.1X user IP freezing··················································································································· 131
Enabling generation of dynamic IPSG binding entries for 802.1X authenticated users ································· 131
Configuring 802.1X MAC address binding ····································································································· 132
Configuring the EAD assistant feature ··········································································································· 133
Setting the maximum size of EAP-TLS fragments sent to the server ···························································· 134
Logging off 802.1X users ······························································································································· 135
Enabling 802.1X user logging ························································································································ 135
Display and maintenance commands for 802.1X ·························································································· 135
802.1X authentication configuration examples ······························································································ 136
Example: Configuring basic 802.1X authentication················································································ 136
Example: Configuring 802.1X guest VLAN and authorization VLAN ····················································· 138
Example: Configuring 802.1X with ACL assignment ·············································································· 141
Example: Configuring 802.1X with EAD assistant (with DHCP relay agent) ·········································· 143
Example: Configuring 802.1X with EAD assistant (with DHCP server) ················································· 146
Troubleshooting 802.1X ································································································································· 148
EAD assistant URL redirection failure ···································································································· 148
Configuring MAC authentication ································································ 149
About MAC authentication ····························································································································· 149
User account policies ····························································································································· 149
Authentication methods ·························································································································· 150
VLAN assignment ·································································································································· 151
ACL assignment ····································································································································· 156
User profile assignment ························································································································· 157
Redirect URL assignment ······················································································································ 157
Periodic MAC reauthentication ··············································································································· 157
Restrictions and guidelines: MAC authentication configuration ····································································· 158
MAC authentication tasks at a glance ············································································································ 158
Prerequisites for MAC authentication············································································································· 159
Enabling MAC authentication ························································································································· 159
Specifying a MAC authentication method ······································································································ 159
Specifying a MAC authentication domain ······································································································ 160
Configuring user account policy ····················································································································· 160
Configuring MAC authentication timers·········································································································· 161
Configuring periodic MAC reauthentication···································································································· 162
Configuring a MAC authentication guest VLAN ····························································································· 163
Configuring a MAC authentication critical VLAN ···························································································· 164
Enabling the MAC authentication critical voice VLAN feature········································································ 165
Configuring unauthenticated MAC authentication user aging ········································································ 165
Configuring MAC authentication offline detection ·························································································· 166
Configuring packet detection for MAC authentication ···················································································· 167
Enabling online user synchronization for MAC authentication ······································································· 169
Setting the maximum number of concurrent MAC authentication users on a port ········································· 169
Enabling MAC authentication multi-VLAN mode on a port ············································································ 170
Configuring MAC authentication delay ··········································································································· 170
Including user IP addresses in MAC authentication requests ········································································ 171
Enabling parallel processing of MAC authentication and 802.1X authentication ··········································· 172
Logging off MAC authentication users ··········································································································· 173
Enabling MAC authentication user logging ···································································································· 173
Display and maintenance commands for MAC authentication ······································································ 174
MAC authentication configuration examples ·································································································· 175
Example: Configuring local MAC authentication ···················································································· 175
Example: Configuring RADIUS-based MAC authentication ··································································· 177
Example: Configuring ACL assignment for MAC authentication ···························································· 179
Configuring portal authentication ······························································· 183
About portal authentication ···························································································································· 183
Advantages of portal authentication ······································································································· 183
Extended portal functions ······················································································································· 183
v
Portal system ········································································································································· 183
Portal authentication using a remote portal server ················································································· 184
Local portal service ································································································································ 185
Portal authentication modes ··················································································································· 185
Portal authentication process ················································································································· 186
Portal support for EAP ··························································································································· 188
Portal filtering rules ································································································································ 188
Restrictions and guidelines: Portal configuration ··························································································· 189
Portal authentication tasks at a glance ·········································································································· 189
Prerequisites for portal authentication ··········································································································· 190
Configuring a remote portal authentication server ························································································· 191
Configuring a portal Web server ···················································································································· 192
Portal Web server tasks at a glance ······································································································ 192
Configure basic parameters for a portal Web server ············································································· 192
Enabling the captive-bypass feature ······································································································ 192
Configuring a match rule for URL redirection ························································································· 193
Configuring local portal service features ········································································································ 193
About the local portal service ················································································································· 193
Restrictions and guidelines for configuring local portal service features················································ 193
Customizing authentication pages ········································································································· 194
Configuring a local portal Web service··································································································· 196
Enabling portal authentication on an interface ······························································································· 196
Specifying a portal Web server on an interface ····························································································· 197
Specifying a preauthentication IP address pool ····························································································· 197
Specifying a portal authentication domain ····································································································· 198
About portal authentication domains ······································································································ 198
Restrictions and guidelines for specifying a portal authentication domain ············································· 198
Specifying a portal authentication domain on an interface····································································· 199
Controlling portal user access ························································································································ 199
Configuring a portal-free rule ················································································································· 199
Configuring an authentication source subnet ························································································· 200
Configuring an authentication destination subnet ·················································································· 201
Configuring support of Web proxy for portal authentication ··································································· 201
Checking the issuing of category-2 portal filtering rules ········································································· 202
Setting the maximum number of portal users ························································································ 202
Enabling strict-checking on portal authorization information ·································································· 203
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ·························· 204
Enabling portal roaming ························································································································· 204
Configuring the portal fail-permit feature ································································································ 205
Configuring portal detection features ············································································································· 205
Configuring online detection of portal users ··························································································· 205
Configuring portal authentication server detection ················································································· 206
Configuring portal Web server detection ································································································ 207
Configuring portal user synchronization ································································································· 208
Configuring portal packet attributes ··············································································································· 209
Configuring the BAS-IP or BAS-IPv6 attribute ······················································································· 209
Specifying the device ID ························································································································· 209
Configuring attributes for RADIUS packets ···································································································· 210
Specifying a format for the NAS-Port-Id attribute ··················································································· 210
Configuring the NAS-Port-Type attribute ······························································································· 210
Applying a NAS-ID profile to an interface······························································································· 211
Logging out online portal users ······················································································································ 211
Enabling portal user login/logout logging ······································································································· 212
Disabling the Rule ARP or ND entry feature for portal clients ······································································· 212
Configuring Web redirect ······························································································································· 213
Display and maintenance commands for portal ····························································································· 213
Portal configuration examples ························································································································ 214
Example: Configuring direct portal authentication·················································································· 214
Example: Configuring re-DHCP portal authentication ············································································ 219
Example: Configuring cross-subnet portal authentication ······································································ 223
Example: Configuring extended direct portal authentication ·································································· 226
Example: Configuring extended re-DHCP portal authentication ···························································· 230
vi
Example: Configuring extended cross-subnet portal authentication ······················································ 234
Example: Configuring portal server detection and portal user synchronization ····································· 237
Example: Configuring direct portal authentication using a local portal Web service ······························ 243
Troubleshooting portal ··································································································································· 246
No portal authentication page is pushed for users ················································································· 246
Cannot log out portal users on the access device ················································································· 246
Cannot log out portal users on the RADIUS server ··············································································· 247
Users logged out by the access device still exist on the portal authentication server ···························· 247
Re-DHCP portal authenticated users cannot log in successfully ··························································· 247
Configuring Web authentication ································································· 249
About Web authentication ······························································································································ 249
Advantages of Web authentication ········································································································ 249
Web authentication system ···················································································································· 249
Web authentication process ··················································································································· 250
Web authentication support for VLAN assignment ················································································ 250
Web authentication support for authorization ACLs ··············································································· 251
Restrictions and guidelines: Web authentication configuration ······································································ 251
Web authentication tasks at a glance ············································································································ 252
Prerequisites for Web authentication ············································································································· 252
Configuring a Web authentication server ······································································································· 253
Configuring a local portal service ··················································································································· 253
Enabling Web authentication ························································································································· 253
Specifying a Web authentication domain ······································································································· 254
Setting the redirection wait time ····················································································································· 254
Configuring the aging timer for temporary MAC address entries for Web authentication ······························ 255
Configuring a Web authentication-free subnet ······························································································· 255
Setting the maximum number of Web authentication users ·········································································· 256
Configuring online Web authentication user detection ··················································································· 256
Configuring an Auth-Fail VLAN ······················································································································ 257
Configuring Web authentication to support Web proxy ·················································································· 257
Display and maintenance commands for Web authentication ······································································· 258
Web authentication configuration examples ·································································································· 258
Example: Configuring Web authentication by using the local authentication method ···························· 258
Example: Configuring Web authentication by using the RADIUS authentication method······················ 260
Troubleshooting Web authentication ············································································································· 262
Failure to come online (local authentication interface using the default ISP domain ····························· 262
Configuring triple authentication ································································ 263
About triple authentication ····························································································································· 263
Typical network of triple authentication ·································································································· 263
Triple authentication mechanism ··········································································································· 263
Triple authentication support for VLAN assignment ··············································································· 264
Triple authentication support for ACL authorization ··············································································· 264
Triple authentication support for online user detection ·········································································· 265
Restrictions and guidelines: Triple authentication ·························································································· 265
Triple authentication tasks at a glance ··········································································································· 265
Triple authentication configuration examples ································································································· 265
Example: Configuring basic triple authentication ··················································································· 265
Example: Configuring triple authentication to support authorization VLAN and authentication failure VLAN
······························································································································································· 269
Configuring port security ············································································ 275
About port security ········································································································································· 275
Major functions ······································································································································· 275
Port security features ····························································································································· 275
Port security modes ······························································································································· 275
Restrictions and guidelines: Port security configuration················································································· 278
Port security tasks at a glance ······················································································································· 278
Enabling port security····································································································································· 279
Setting the port security mode ······················································································································· 279
Setting port security's limit on the number of secure MAC addresses on a port ············································ 280
vii
Configuring secure MAC addresses ·············································································································· 281
About secure MAC addresses ··············································································································· 281
Prerequisites ·········································································································································· 282
Adding secure MAC addresses·············································································································· 282
Enabling inactivity aging for secure MAC addresses ············································································· 283
Enabling the dynamic secure MAC feature ···························································································· 283
Configuring NTK············································································································································· 283
Configuring intrusion protection ····················································································································· 284
Ignoring authorization information from the server························································································· 284
Configuring MAC move ·································································································································· 285
Enabling the authorization-fail-offline feature ································································································· 286
Setting port security's limit on the number of MAC addresses for specific VLANs on a port ························· 287
Enabling open authentication mode ··············································································································· 287
Configuring free VLANs for port security········································································································ 288
Applying a NAS-ID profile to port security ······································································································ 289
Enabling traffic statistics for MAC authentication and 802.1X users ······························································ 289
Specifying an IP address and mask for calculating the source IP of ARP detection packets ························ 290
Enabling SNMP notifications for port security ································································································ 291
Enabling port security user logging ················································································································ 291
Display and maintenance commands for port security ·················································································· 291
Port security configuration examples ············································································································· 292
Example: Configuring port security in autoLearn mode ········································································· 292
Example: Configuring port security in userLoginWithOUI mode ···························································· 294
Example: Configuring port security in macAddressElseUserLoginSecure mode··································· 297
Troubleshooting port security ························································································································· 301
Cannot set the port security mode ········································································································· 301
Cannot configure secure MAC addresses ····························································································· 301
Configuring user profiles ············································································ 302
About user profiles ········································································································································· 302
Prerequisites for user profile ·························································································································· 302
Configuring a user profile ······························································································································· 302
Display and maintenance commands for user profiles ·················································································· 302
User profile configuration examples ··············································································································· 303
Example: Configuring user profiles and QoS policies ············································································ 303
Configuring password control ···································································· 307
About password control·································································································································· 307
Password setting ···································································································································· 307
Password updating and expiration ········································································································· 308
User login control ··································································································································· 309
Password not displayed in any form ······································································································ 310
Logging ·················································································································································· 310
FIPS compliance ············································································································································ 310
Restrictions and guidelines: Password control configuration ········································································· 311
Password control tasks at a glance················································································································ 311
Enabling password control ····························································································································· 311
Setting global password control parameters ·································································································· 313
Setting user group password control parameters ·························································································· 315
Setting local user password control parameters ···························································································· 315
Setting super password control parameters··································································································· 316
Display and maintenance commands for password control ··········································································· 317
Password control configuration examples ····································································································· 317
Example: Configuring password control ································································································· 317
Managing public keys ················································································ 321
About public key management ······················································································································· 321
Asymmetric key algorithm overview ······································································································· 321
Usage of asymmetric key algorithms ····································································································· 321
FIPS compliance ············································································································································ 321
Public key management tasks at a glance ····································································································· 321
Creating a local key pair································································································································· 322
viii
Distributing a local host public key ················································································································· 323
About distribution of local host public keys ···························································································· 323
Exporting a host public key ···················································································································· 323
Displaying a host public key ··················································································································· 324
Configuring a peer host public key ················································································································· 324
About peer host public key configuration ······························································································· 324
Restrictions and guidelines for peer host public key configuration ························································ 325
Importing a peer host public key from a public key file ·········································································· 325
Entering a peer host public key ·············································································································· 325
Destroying a local key pair ····························································································································· 326
Display and maintenance commands for public keys ···················································································· 326
Examples of public key management ············································································································ 326
Example: Entering a peer host public key ······························································································ 326
Example: Importing a public key from a public key file ·········································································· 328
Configuring PKI ························································································· 331
About PKI ······················································································································································· 331
PKI terminology ······································································································································ 331
PKI architecture ······································································································································ 332
Retrieval, usage, and maintenance of a digital certificate ······································································ 333
PKI applications ····································································································································· 333
FIPS compliance ············································································································································ 333
PKI tasks at a glance ····································································································································· 333
Configuring a PKI entity ································································································································· 334
Configuring a PKI domain ······························································································································ 335
About PKI domain ·································································································································· 335
PKI domain tasks at a glance ················································································································· 335
Creating a PKI domain ··························································································································· 336
Specifying the trusted CA ······················································································································· 336
Specifying the PKI entity name ·············································································································· 336
Specifying the certificate request reception authority············································································· 336
Specifying the certificate request URL ··································································································· 337
Setting the SCEP polling interval and maximum polling attempts ························································· 337
Specifying the LDAP server ··················································································································· 337
Specifying the fingerprint for root CA certificate verification··································································· 337
Specifying the key pair for certificate request ························································································ 338
Specifying the intended purpose for the certificate ················································································ 338
Specifying the source IP address for PKI protocol packets ··································································· 339
Specifying the storage path for certificates and CRLs ··················································································· 339
Requesting a certificate·································································································································· 340
About certificate request configuration ··································································································· 340
Restrictions and guidelines for certificate request configuration ···························································· 340
Prerequisites for certificate request configuration ·················································································· 340
Enabling the automatic online certificate request mode········································································· 340
Manually submitting an online certificate request ·················································································· 341
Manually submitting a certificate request in offline mode ······································································· 342
Aborting a certificate request ························································································································· 342
Obtaining certificates······································································································································ 343
Verifying PKI certificates ································································································································ 344
About certification verification ················································································································ 344
Restrictions and guidelines for certificate verification ············································································ 344
Verifying certificates with CRL checking ································································································ 344
Verifying certificates without CRL checking ··························································································· 345
Exporting certificates ······································································································································ 346
Removing a certificate···································································································································· 346
Configuring a certificate-based access control policy ···················································································· 347
About certificate-based access control policies ····················································································· 347
Procedure ··············································································································································· 347
Display and maintenance commands for PKI ································································································ 348
PKI configuration examples ··························································································································· 348
Example: Requesting a certificate from an RSA Keon CA server ·························································· 349
Example: Requesting a certificate from a Windows Server 2003 CA server ········································· 351
ix
Example: Requesting a certificate from an OpenCA server ··································································· 355
Example: Configuring IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
······························································································································································· 358
Example: Configuring a certificate-based access control policy ···························································· 360
Example: Importing and exporting certificates ······················································································· 362
Troubleshooting PKI configuration ················································································································· 367
Failed to obtain the CA certificate ·········································································································· 367
Failed to obtain local certificates ············································································································ 368
Failed to request local certificates ·········································································································· 368
Failed to obtain CRLs ····························································································································· 369
Failed to import the CA certificate ·········································································································· 370
Failed to import the local certificate ········································································································ 370
Failed to export certificates ···················································································································· 371
Failed to set the storage path ················································································································· 371
Configuring IPsec ······················································································ 373
About IPsec ···················································································································································· 373
IPsec framework ···································································································································· 373
IPsec security services ··························································································································· 373
Benefits of IPsec ···································································································································· 373
Security protocols ··································································································································· 373
Encapsulation modes ····························································································································· 374
Security association ······························································································································· 375
Authentication and encryption ················································································································ 375
IPsec-protected traffic ···························································································································· 376
ACL-based IPsec ··································································································································· 376
IPv6 routing protocol-based IPsec ········································································································· 377
IPsec policy and IPsec profile ················································································································ 377
IPsec RRI ··············································································································································· 378
Protocols and standards ························································································································ 379
FIPS compliance ············································································································································ 379
Restrictions and guidelines: IPsec configuration···························································································· 379
Implementing ACL-based IPsec····················································································································· 379
ACL-based IPsec tasks at a glance ······································································································· 379
Configuring an ACL ································································································································ 380
Configuring an IPsec transform set ········································································································ 382
Configuring a manual IPsec policy ········································································································· 385
Configuring an IKE-based IPsec policy ·································································································· 386
Applying an IPsec policy to an interface ································································································ 389
Enabling ACL checking for de-encapsulated packets ············································································ 389
Configuring IPsec anti-replay ················································································································· 390
Configuring IPsec anti-replay redundancy ····························································································· 390
Binding a source interface to an IPsec policy ························································································ 391
Enabling QoS pre-classify ······················································································································ 392
Configuring the DF bit of IPsec packets ································································································· 392
Configuring IPsec RRI ···························································································································· 393
Configuring IPsec for IPv6 routing protocols ·································································································· 394
IPsec protection for IPv6 routing protocols tasks at a glance ································································ 394
Configuring a manual IPsec profile ········································································································ 394
Applying the IPsec profile to an IPv6 routing protocol ············································································ 395
Configuring the global IPsec SA lifetime and idle timeout·············································································· 395
Configuring IPsec fragmentation ···················································································································· 396
Setting the maximum number of IPsec tunnels ····························································································· 396
Enabling logging for IPsec packets ················································································································ 397
Configuring SNMP notifications for IPsec ······································································································ 397
Display and maintenance commands for IPsec ····························································································· 397
IPsec configuration examples ························································································································ 398
Example: Configuring a manual mode IPsec tunnel for IPv4 packets ··················································· 398
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ······················································ 401
Example: Configuring IPsec for RIPng ··································································································· 403
Example: Configuring IPsec RRI ············································································································ 407
x
Configuring IKE ························································································· 411
About IKE ······················································································································································· 411
Benefits of IKE ······································································································································· 411
Relationship between IPsec and IKE ····································································································· 411
IKE negotiation process ························································································································· 411
IKE security mechanism ························································································································· 413
Protocols and standards ························································································································ 413
FIPS compliance ············································································································································ 414
IKE tasks at a glance ····································································································································· 414
Prerequisites for IKE configuration················································································································· 414
Configuring an IKE profile ······························································································································ 415
Creating an IKE profile ··························································································································· 415
Configuring peer IDs for the IKE profile ································································································· 415
Specifying the IKE keychain or PKI domain ··························································································· 415
Configuring the IKE phase 1 negotiation mode ······················································································ 416
Specifying IKE proposals for the IKE profile ·························································································· 416
Configuring the local ID for the IKE profile ····························································································· 417
Configuring optional features for the IKE profile ···················································································· 417
Configuring an IKE proposal ·························································································································· 418
Configuring an IKE keychain ·························································································································· 419
Configuring the global identity information ····································································································· 420
Configuring the IKE keepalive feature ··········································································································· 420
Configuring the IKE NAT keepalive feature ··································································································· 421
Configuring global IKE DPD ··························································································································· 421
Enabling invalid SPI recovery ························································································································ 422
Setting the maximum number of IKE SAs ······································································································ 423
Configuring SNMP notifications for IKE ········································································································· 423
Display and maintenance commands for IKE ································································································ 424
IKE configuration examples ··························································································································· 424
Example: Configuring main-mode IKE with preshared key authentication ············································ 424
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ······················································ 427
Troubleshooting IKE······································································································································· 429
IKE negotiation failed because no matching IKE proposals were found ················································ 429
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·················· 430
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 430
IPsec SA negotiation failed due to invalid identity information ······························································· 431
Configuring IKEv2 ······················································································ 434
About IKEv2 ··················································································································································· 434
IKEv2 negotiation process ····················································································································· 434
New features in IKEv2 ···························································································································· 435
Protocols and standards ························································································································ 435
IKEv2 tasks at a glance·································································································································· 435
Prerequisites for IKEv2 configuration ············································································································· 436
Configuring an IKEv2 profile ·························································································································· 436
Creating an IKEv2 profile ······················································································································· 436
Specifying the local and remote identity authentication methods ·························································· 437
Configuring the IKEv2 keychain or PKI domain ····················································································· 437
Configuring the local ID for the IKEv2 profile ························································································· 437
Configuring peer IDs for the IKEv2 profile······························································································ 438
Configuring optional features for the IKEv2 profile ················································································· 438
Configuring an IKEv2 policy ··························································································································· 439
Configuring an IKEv2 proposal ······················································································································ 440
Configuring an IKEv2 keychain ······················································································································ 441
Configure global IKEv2 parameters ··············································································································· 442
Enabling the cookie challenging feature ································································································ 442
Configuring the IKEv2 DPD feature ······································································································· 442
Configuring the IKEv2 NAT keepalive feature ························································································ 443
Display and maintenance commands for IKEv2 ···························································································· 443
Troubleshooting IKEv2 ··································································································································· 444
IKEv2 negotiation failed because no matching IKEv2 proposals were found ········································ 444
xi
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 444
IPsec tunnel establishment failed ··········································································································· 445
Configuring SSH ························································································ 446
About SSH ····················································································································································· 446
SSH applications ···································································································································· 446
How SSH works ····································································································································· 446
SSH authentication methods ·················································································································· 447
SSH support for Suite B ························································································································· 448
FIPS compliance ············································································································································ 449
Configuring the device as an SSH server ······································································································ 449
SSH server tasks at a glance ················································································································· 449
Generating local key pairs ······················································································································ 450
Specifying the SSH service port ············································································································· 450
Enabling the Stelnet server ···················································································································· 451
Enabling the SFTP server ······················································································································ 451
Enabling the SCP server ························································································································ 451
Enabling NETCONF over SSH ·············································································································· 452
Configuring the user lines for SSH login ································································································ 452
Configuring a client's host public key ····································································································· 452
Configuring an SSH user ······················································································································· 454
Configuring the SSH management parameters ····················································································· 455
Specifying a PKI domain for the SSH server ························································································· 457
Disconnecting SSH sessions ················································································································· 457
Configuring the device as an Stelnet client ···································································································· 458
Stelnet client tasks at a glance··············································································································· 458
Generating local key pairs ······················································································································ 458
Specifying the source IP address for outgoing SSH packets ································································· 458
Establishing a connection to an Stelnet server ······················································································ 459
Deleting server public keys saved in the public key file on the Stelnet client········································· 461
Establishing a connection to an Stelnet server based on Suite B ·························································· 461
Configuring the device as an SFTP client ······································································································ 461
SFTP client tasks at a glance ················································································································· 461
Generating local key pairs ······················································································································ 462
Specifying the source IP address for outgoing SFTP packets ······························································· 462
Establishing a connection to an SFTP server ························································································ 463
Deleting server public keys saved in the public key file on the SFTP client··········································· 464
Establishing a connection to an SFTP server based on Suite B ···························································· 464
Working with SFTP directories ··············································································································· 465
Working with SFTP files ························································································································· 466
Displaying help information ···················································································································· 467
Terminating the connection with the SFTP server ················································································· 467
Configuring the device as an SCP client ········································································································ 467
SCP client tasks at a glance ·················································································································· 467
Generating local key pairs ······················································································································ 467
Specifying the source IP address for outgoing SCP packets ································································· 468
Establishing a connection to an SCP server ·························································································· 468
Deleting server public keys saved in the public key file on the SCP client ············································ 470
Establishing a connection to an SCP server based on Suite B······························································ 470
Specifying algorithms for SSH2 ····················································································································· 471
About algorithms for SSH2 ····················································································································· 471
Specifying key exchange algorithms for SSH2 ······················································································ 471
Specifying public key algorithms for SSH2 ···························································································· 471
Specifying encryption algorithms for SSH2 ···························································································· 472
Specifying MAC algorithms for SSH2 ···································································································· 472
Display and maintenance commands for SSH ······························································································ 473
Stelnet configuration examples ······················································································································ 473
Example: Configuring the device as an Stelnet server (password authentication) ································ 473
Example: Configuring the device as an Stelnet server (publickey authentication) ································· 476
Example: Configuring the device as an Stelnet client (password authentication) ·································· 481
Example: Configuring the device as an Stelnet client (publickey authentication) ·································· 485
Example: Configuring Stelnet based on 128-bit Suite B algorithms······················································· 487
xii
SFTP configuration examples ························································································································ 491
Example: Configuring the device as an SFTP server (password authentication) ·································· 491
Example: Configuring the device as an SFTP client (publickey authentication) ···································· 493
Example: Configuring SFTP based on 192-bit Suite B algorithms························································· 496
SCP configuration examples ·························································································································· 500
Example: Configuring SCP with password authentication ····································································· 500
Example: Configuring SCP based on Suite B algorithms ······································································ 502
NETCONF over SSH configuration examples ······························································································· 509
Example: Configuring NETCONF over SSH with password authentication ··········································· 509
Configuring SSL ························································································ 511
About SSL ······················································································································································ 511
SSL security services ····························································································································· 511
SSL protocol stack ································································································································· 511
SSL protocol versions ···························································································································· 512
FIPS compliance ············································································································································ 512
Restrictions and guidelines: SSL configuration ······························································································ 512
SSL tasks at a glance ···································································································································· 512
Configuring the SSL server ···················································································································· 512
Configuring the SSL client ······················································································································ 513
Configuring an SSL server policy ··················································································································· 513
Configuring an SSL client policy ···················································································································· 514
Disabling SSL protocol versions for the SSL server ······················································································ 515
Disabling SSL session renegotiation·············································································································· 515
Display and maintenance commands for SSL ······························································································· 516
SSL server policy configuration examples ····································································································· 516
Example: Configuring an SSL server policy ··························································································· 516
Configuring attack detection and prevention ·············································· 519
Overview ························································································································································ 519
Attacks that the device can prevent ··············································································································· 519
TCP fragment attack ······························································································································ 519
Login dictionary attack ··························································································································· 519
Configuring TCP fragment attack prevention ································································································· 519
Enabling login delay ······································································································································· 520
Configuring TCP attack prevention ···························································· 521
About TCP attack prevention ························································································································· 521
Configuring Naptha attack prevention ············································································································ 521
Configuring IP source guard ······································································ 522
About IPSG ···················································································································································· 522
IPSG operating mechanism ··················································································································· 522
Static IPSG bindings ······························································································································ 522
Dynamic IPSG bindings ························································································································· 523
IPSG tasks at a glance··································································································································· 523
Configuring the IPv4SG feature ····················································································································· 524
Enabling IPv4SG ···································································································································· 524
Configuring a static IPv4SG binding ······································································································ 524
Excluding IPv4 packets from IPSG filtering ···························································································· 525
Configuring the IPv6SG feature ····················································································································· 525
Enabling IPv6SG ···································································································································· 525
Configuring a static IPv6SG binding ······································································································ 526
Display and maintenance commands for IPSG ····························································································· 527
IPSG configuration examples ························································································································ 527
Example: Configuring static IPv4SG ······································································································ 527
Example: Configuring DHCP snooping-based dynamic IPv4SG ··························································· 528
Example: Configuring DHCP relay agent-based dynamic IPv4SG ························································ 529
Example: Configuring static IPv6SG ······································································································ 530
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings ··························· 531
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings ······························· 532
Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG ···················································· 533
xiii
Configuring ARP attack protection ····························································· 535
About ARP attack protection ·························································································································· 535
ARP attack protection tasks at a glance ········································································································ 535
Configuring unresolvable IP attack protection ······························································································· 535
About unresolvable IP attack protection································································································· 535
Configuring ARP source suppression ···································································································· 536
Configuring ARP blackhole routing ········································································································ 536
Display and maintenance commands for unresolvable IP attack protection ·········································· 537
Example: Configuring unresolvable IP attack protection········································································ 537
Configuring ARP packet rate limit ·················································································································· 538
Configuring source MAC-based ARP attack detection ·················································································· 539
Display and maintenance commands for source MAC-based ARP attack detection····························· 539
Example: Configuring source MAC-based ARP attack detection ·························································· 540
Configuring ARP packet source MAC consistency check ·············································································· 541
About ARP packet source MAC consistency check ··············································································· 541
Procedure ··············································································································································· 541
Configuring ARP active acknowledgement ···································································································· 541
Configuring authorized ARP··························································································································· 542
About authorized ARP ···························································································································· 542
Procedure ··············································································································································· 542
Configuring ARP attack detection ·················································································································· 542
About ARP attack detection ··················································································································· 542
Configuring user validity check ·············································································································· 542
Configuring ARP packet validity check ·································································································· 544
Configuring ARP restricted forwarding ··································································································· 545
Ignoring ingress ports of ARP packets during user validity check ························································· 545
Enabling ARP attack detection logging ·································································································· 546
Display and maintenance commands for ARP attack detection ···························································· 546
Example: Configuring user validity check ······························································································ 547
Example: Configuring user validity check and ARP packet validity check ············································· 548
Example: Configuring ARP restricted forwarding ··················································································· 549
Configuring ARP scanning and fixed ARP ····································································································· 551
Configuring ARP gateway protection ············································································································· 552
About ARP gateway protection ·············································································································· 552
Restrictions and guidelines ···················································································································· 552
Procedure ··············································································································································· 552
Example: Configuring ARP gateway protection ····················································································· 553
Configuring ARP filtering ································································································································ 553
ARP filtering ··········································································································································· 553
Restrictions and guidelines ···················································································································· 553
Procedure ··············································································································································· 554
Example: Configuring ARP filtering ········································································································ 554
Configuring ND attack defense ·································································· 556
About ND attack defense ······························································································································· 556
ND attack defense tasks at a glance·············································································································· 556
Enabling source MAC consistency check for ND messages ········································································· 557
Configuring ND attack detection ···················································································································· 557
About ND attack detection ····················································································································· 557
Restrictions and guidelines ···················································································································· 558
Enabling ND detection in a VLAN ·········································································································· 558
Enabling ND attack detection logging ···································································································· 558
Display and maintenance commands for ND attack detection······························································· 559
Example: Configuring ND attack detection ···························································································· 559
Configuring RA guard····································································································································· 561
About RA guard ······································································································································ 561
Specifying the role of the attached device ····························································································· 561
Configuring and applying an RA guard policy ························································································ 561
Enabling the RA guard logging feature ·································································································· 562
Display and maintenance commands for RA guard ··············································································· 563
Example: Configuring RA guard ············································································································· 563
xiv
Configuring SAVI ······················································································· 565
About SAVI····················································································································································· 565
SAVI application scenarios ···························································································································· 565
SAVI tasks at a glance ··································································································································· 565
Enabling SAVI ················································································································································ 565
Configuring IPv6 source guard······················································································································· 566
Configuring DHCPv6 snooping ······················································································································ 566
Configuring ND parameters ··························································································································· 566
Setting the entry deletion delay ······················································································································ 566
Enabling packet spoofing logging and filtering entry logging ········································································· 567
SAVI configuration examples ························································································································· 567
Example: Configuring DHCPv6-only SAVI ····························································································· 567
Example: Configuring SLAAC-only SAVI ······························································································· 569
Example: Configuring DHCPv6+SLAAC SAVI ······················································································· 570
Configuring MFF ························································································ 572
About MFF ····················································································································································· 572
MFF network model ······························································································································· 572
Port roles ················································································································································ 572
Processing of ARP packets in MFF ······································································································· 573
MFF default gateway ······························································································································ 573
Protocols and standards ························································································································ 573
MFF tasks at a glance ···································································································································· 573
Enabling MFF ················································································································································· 574
Configuring a network port ····························································································································· 574
Enabling periodic gateway probe ··················································································································· 575
Specifying the IP addresses of servers ·········································································································· 575
Display and maintenance commands for MFF ······························································································ 575
MFF configuration examples ·························································································································· 576
Example: Configuring MFF in a tree network ························································································· 576
Example: Configuring MFF in a ring network ························································································· 577
Configuring crypto engines ········································································ 579
About crypto engines ····································································································································· 579
Display and maintenance commands for crypto engines ·············································································· 579
Configuring FIPS ······················································································· 580
About FIPS ····················································································································································· 580
FIPS security levels ································································································································ 580
FIPS functionality ··································································································································· 580
FIPS self-tests ········································································································································ 580
Restrictions and guidelines: FIPS ·················································································································· 581
Entering FIPS mode ······································································································································· 582
About entering FIPS mode ····················································································································· 582
Restrictions and guidelines ···················································································································· 583
Using the automatic reboot method to enter FIPS mode ······································································· 583
Using the manual reboot method to enter FIPS mode ··········································································· 583
Manually triggering self-tests ························································································································· 584
Exiting FIPS mode ········································································································································· 585
Display and maintenance commands for FIPS ······························································································ 586
FIPS configuration examples ························································································································· 586
Example: Entering FIPS mode through automatic reboot ······································································ 586
Example: Entering FIPS mode through manual reboot·········································································· 588
Example: Exiting FIPS mode through automatic reboot ········································································ 589
Example: Exiting FIPS mode through manual reboot ············································································ 589
Configuring an 802.1X client ······································································ 591
About 802.1X clients ······································································································································ 591
802.1X client tasks at a glance ······················································································································ 591
Enabling the 802.1X client feature ················································································································· 591
Configuring an 802.1X client username and password ················································································· 592
xv
Specifying an 802.1X client EAP authentication method ··············································································· 592
Configuring an 802.1X client MAC address ··································································································· 593
Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets ························· 593
Configuring an 802.1X client anonymous identifier ························································································ 594
Specifying an SSL client policy ······················································································································ 594
Display and maintenance commands for 802.1X client ················································································· 595
Document conventions and icons ······························································ 596
Conventions ··················································································································································· 596
Network topology icons ·································································································································· 597
Support and other resources ····································································· 598
Accessing Hewlett Packard Enterprise Support····························································································· 598
Accessing updates ········································································································································· 598
Websites ················································································································································ 599
Customer self repair ······························································································································· 599
Remote support ······································································································································ 599
Documentation feedback ······················································································································· 599
Index ·········································································································· 601
1
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•
Authentication—Identifies users and verifies their validity.
•
Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
•
Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA network diagram
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including HWTACACS, LDAP, and RADIUS. RADIUS is most
often used.
You can use different servers to implement different security functions. For example, you can use an
HWTACACS server for authentication and authorization, and use a RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
•
Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•
Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•
Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
RADIUS servers
Users Clients Dictionary
3
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS client RADIUS server
1) Username and password
3) Access-Accept/Reject
2) Access-Request
4) Accounting-Request (start)
5) Accounting-Response
8) Accounting-Request (stop)
9) Accounting-Response
10) Notification of access termination
Host
6) The host accesses the resources
7) Teardown request
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326
  • Page 327 327
  • Page 328 328
  • Page 329 329
  • Page 330 330
  • Page 331 331
  • Page 332 332
  • Page 333 333
  • Page 334 334
  • Page 335 335
  • Page 336 336
  • Page 337 337
  • Page 338 338
  • Page 339 339
  • Page 340 340
  • Page 341 341
  • Page 342 342
  • Page 343 343
  • Page 344 344
  • Page 345 345
  • Page 346 346
  • Page 347 347
  • Page 348 348
  • Page 349 349
  • Page 350 350
  • Page 351 351
  • Page 352 352
  • Page 353 353
  • Page 354 354
  • Page 355 355
  • Page 356 356
  • Page 357 357
  • Page 358 358
  • Page 359 359
  • Page 360 360
  • Page 361 361
  • Page 362 362
  • Page 363 363
  • Page 364 364
  • Page 365 365
  • Page 366 366
  • Page 367 367
  • Page 368 368
  • Page 369 369
  • Page 370 370
  • Page 371 371
  • Page 372 372
  • Page 373 373
  • Page 374 374
  • Page 375 375
  • Page 376 376
  • Page 377 377
  • Page 378 378
  • Page 379 379
  • Page 380 380
  • Page 381 381
  • Page 382 382
  • Page 383 383
  • Page 384 384
  • Page 385 385
  • Page 386 386
  • Page 387 387
  • Page 388 388
  • Page 389 389
  • Page 390 390
  • Page 391 391
  • Page 392 392
  • Page 393 393
  • Page 394 394
  • Page 395 395
  • Page 396 396
  • Page 397 397
  • Page 398 398
  • Page 399 399
  • Page 400 400
  • Page 401 401
  • Page 402 402
  • Page 403 403
  • Page 404 404
  • Page 405 405
  • Page 406 406
  • Page 407 407
  • Page 408 408
  • Page 409 409
  • Page 410 410
  • Page 411 411
  • Page 412 412
  • Page 413 413
  • Page 414 414
  • Page 415 415
  • Page 416 416
  • Page 417 417
  • Page 418 418
  • Page 419 419
  • Page 420 420
  • Page 421 421
  • Page 422 422
  • Page 423 423
  • Page 424 424
  • Page 425 425
  • Page 426 426
  • Page 427 427
  • Page 428 428
  • Page 429 429
  • Page 430 430
  • Page 431 431
  • Page 432 432
  • Page 433 433
  • Page 434 434
  • Page 435 435
  • Page 436 436
  • Page 437 437
  • Page 438 438
  • Page 439 439
  • Page 440 440
  • Page 441 441
  • Page 442 442
  • Page 443 443
  • Page 444 444
  • Page 445 445
  • Page 446 446
  • Page 447 447
  • Page 448 448
  • Page 449 449
  • Page 450 450
  • Page 451 451
  • Page 452 452
  • Page 453 453
  • Page 454 454
  • Page 455 455
  • Page 456 456
  • Page 457 457
  • Page 458 458
  • Page 459 459
  • Page 460 460
  • Page 461 461
  • Page 462 462
  • Page 463 463
  • Page 464 464
  • Page 465 465
  • Page 466 466
  • Page 467 467
  • Page 468 468
  • Page 469 469
  • Page 470 470
  • Page 471 471
  • Page 472 472
  • Page 473 473
  • Page 474 474
  • Page 475 475
  • Page 476 476
  • Page 477 477
  • Page 478 478
  • Page 479 479
  • Page 480 480
  • Page 481 481
  • Page 482 482
  • Page 483 483
  • Page 484 484
  • Page 485 485
  • Page 486 486
  • Page 487 487
  • Page 488 488
  • Page 489 489
  • Page 490 490
  • Page 491 491
  • Page 492 492
  • Page 493 493
  • Page 494 494
  • Page 495 495
  • Page 496 496
  • Page 497 497
  • Page 498 498
  • Page 499 499
  • Page 500 500
  • Page 501 501
  • Page 502 502
  • Page 503 503
  • Page 504 504
  • Page 505 505
  • Page 506 506
  • Page 507 507
  • Page 508 508
  • Page 509 509
  • Page 510 510
  • Page 511 511
  • Page 512 512
  • Page 513 513
  • Page 514 514
  • Page 515 515
  • Page 516 516
  • Page 517 517
  • Page 518 518
  • Page 519 519
  • Page 520 520
  • Page 521 521
  • Page 522 522
  • Page 523 523
  • Page 524 524
  • Page 525 525
  • Page 526 526
  • Page 527 527
  • Page 528 528
  • Page 529 529
  • Page 530 530
  • Page 531 531
  • Page 532 532
  • Page 533 533
  • Page 534 534
  • Page 535 535
  • Page 536 536
  • Page 537 537
  • Page 538 538
  • Page 539 539
  • Page 540 540
  • Page 541 541
  • Page 542 542
  • Page 543 543
  • Page 544 544
  • Page 545 545
  • Page 546 546
  • Page 547 547
  • Page 548 548
  • Page 549 549
  • Page 550 550
  • Page 551 551
  • Page 552 552
  • Page 553 553
  • Page 554 554
  • Page 555 555
  • Page 556 556
  • Page 557 557
  • Page 558 558
  • Page 559 559
  • Page 560 560
  • Page 561 561
  • Page 562 562
  • Page 563 563
  • Page 564 564
  • Page 565 565
  • Page 566 566
  • Page 567 567
  • Page 568 568
  • Page 569 569
  • Page 570 570
  • Page 571 571
  • Page 572 572
  • Page 573 573
  • Page 574 574
  • Page 575 575
  • Page 576 576
  • Page 577 577
  • Page 578 578
  • Page 579 579
  • Page 580 580
  • Page 581 581
  • Page 582 582
  • Page 583 583
  • Page 584 584
  • Page 585 585
  • Page 586 586
  • Page 587 587
  • Page 588 588
  • Page 589 589
  • Page 590 590
  • Page 591 591
  • Page 592 592
  • Page 593 593
  • Page 594 594
  • Page 595 595
  • Page 596 596
  • Page 597 597
  • Page 598 598
  • Page 599 599
  • Page 600 600
  • Page 601 601
  • Page 602 602
  • Page 603 603
  • Page 604 604
  • Page 605 605
  • Page 606 606
  • Page 607 607
  • Page 608 608
  • Page 609 609
  • Page 610 610
  • Page 611 611
  • Page 612 612
  • Page 613 613
  • Page 614 614
  • Page 615 615
  • Page 616 616
  • Page 617 617
  • Page 618 618
  • Page 619 619
  • Page 620 620
  • Page 621 621
  • Page 622 622
  • Page 623 623
  • Page 624 624
  • Page 625 625
  • Page 626 626
  • Page 627 627
  • Page 628 628
  • Page 629 629
  • Page 630 630
  • Page 631 631
  • Page 632 632

Aruba JE072A Configuration Guide

Category
Software
Type
Configuration Guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI