Aruba JG091B Configuration Guide

Brand: Aruba

Model: JG091B

Category: Software

Type: Configuration Guide

HPE Networking Comware

5120v3 Switch

Series

Security Configuration Guide

Software

version: Release 6352P02 and later

Document version: 6W100-20230715

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard

Enterprise products and services are set forth in the express warranty statements accompanying such

products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett

Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or

copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s

standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard

Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise

website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the

United States and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

Configuring AAA ···························································································· 1

About AAA·························································································································································· 1

AAA implementation ··································································································································· 1

AAA network diagram ································································································································ 1

RADIUS ······················································································································································ 2

HWTACACS ··············································································································································· 5

LDAP ·························································································································································· 8

User management based on ISP domains and user access types·························································· 11

Authentication, authorization, and accounting methods··········································································· 11

AAA extended functions ··························································································································· 12

RADIUS server feature of the device ······································································································· 13

Protocols and standards ·························································································································· 14

FIPS compliance ·············································································································································· 14

AAA tasks at a glance ······································································································································ 14

Configuring local users····································································································································· 15

About local users ······································································································································ 15

Local user configuration tasks at a glance ······························································································· 16

Restrictions and guidelines for local user configuration ··········································································· 16

Configuring attributes for device management users··············································································· 16

Configuring attributes for network access users ······················································································ 18

Configuring user group attributes ············································································································· 20

Configuring the local user auto-delete feature ························································································· 20

Display and maintenance commands for local users and local user groups ··········································· 21

Configuring RADIUS ········································································································································ 21

RADIUS tasks at a glance ························································································································ 21

Restrictions and guidelines for RADIUS configuration ············································································· 22

Configuring an EAP profile ······················································································································· 22

Configuring a test profile for RADIUS server status detection ································································· 23

Creating a RADIUS scheme ···················································································································· 24

Specifying RADIUS authentication servers ······························································································ 24

Specifying the RADIUS accounting servers ····························································································· 25

Specifying the shared keys for secure RADIUS communication ····························································· 26

Setting the status of RADIUS servers ······································································································ 26

Setting RADIUS timers ····························································································································· 27

Specifying the source IP address for outgoing RADIUS packets····························································· 28

Setting the username format and traffic statistics units ············································································ 29

Setting the maximum number of RADIUS request transmission attempts ··············································· 30

Setting the maximum number of real-time accounting attempts ······························································ 31

Setting the DSCP priority for RADIUS packets ························································································ 31

Specifying the format of the NAS-Port attribute ······················································································· 31

Configuring the Login-Service attribute check method for SSH, FTP, and terminal users ······················ 32

Interpreting the RADIUS class attribute as CAR parameters ··································································· 32

Configuring the MAC address format for RADIUS attribute 31 ································································ 33

Specifying the format of the NAS-Port-ID attribute ·················································································· 33

Setting the data measurement unit for the Remanent_Volume attribute ················································· 34

Configuring the RADIUS attribute translation feature ·············································································· 34

Configuring RADIUS stop-accounting packet buffering ··········································································· 36

Enabling forcibly sending stop-accounting packets ················································································· 36

Enabling the RADIUS server load sharing feature ··················································································· 37

Configuring the RADIUS accounting-on feature ······················································································ 37

Configuring the RADIUS session-control feature ····················································································· 38

Configuring the RADIUS DAS feature ······································································································ 39

Enabling SNMP notifications for RADIUS ································································································ 39

Disabling the RADIUS service ················································································································· 40

Display and maintenance commands for RADIUS ·················································································· 41

Configuring HWTACACS ································································································································· 41

HWTACACS tasks at a glance················································································································· 41

Creating an HWTACACS scheme ··········································································································· 42

Specifying the HWTACACS authentication servers ················································································· 42

Specifying the HWTACACS authorization servers ··················································································· 43

Specifying the HWTACACS accounting servers ······················································································ 43

Specifying the shared keys for secure HWTACACS communication ······················································ 44

Setting HWTACACS timers ······················································································································ 44

Specifying the source IP address for outgoing HWTACACS packets······················································ 46

Setting the username format and traffic statistics units ············································································ 47

Configuring HWTACACS stop-accounting packet buffering ···································································· 47

Display and maintenance commands for HWTACACS ··········································································· 48

Configuring LDAP ············································································································································ 48

LDAP tasks at a glance ···························································································································· 48

Creating an LDAP server ························································································································· 49

Configuring the IP address of the LDAP server ······················································································· 49

Specifying the LDAP version ···················································································································· 49

Setting the LDAP server timeout period ··································································································· 49

Configuring administrator attributes ········································································································· 50

Configuring LDAP user attributes············································································································· 50

Configuring an LDAP attribute map ········································································································· 51

Creating an LDAP scheme ······················································································································· 52

Specifying the LDAP authentication server ······························································································ 52

Specifying the LDAP authorization server ································································································ 52

Specifying an LDAP attribute map for LDAP authorization ······································································ 52

Display and maintenance commands for LDAP······················································································· 53

Creating an ISP domain ··································································································································· 53

About ISP domains ·································································································································· 53

Restrictions and guidelines for ISP domain configuration ········································································ 53

Creating an ISP domain ··························································································································· 54

Specifying the default ISP domain ··········································································································· 54

Specifying an ISP domain for users that are assigned to nonexistent domains ······································ 54

Configuring ISP domain attributes ··················································································································· 54

Setting ISP domain status ························································································································ 54

Configuring authorization attributes for an ISP domain············································································ 55

Including the idle timeout period in the user online duration to be sent to the server ······························ 55

Configuring AAA methods for an ISP domain ·································································································· 56

Configuring authentication methods for an ISP domain ··········································································· 56

Configuring authorization methods for an ISP domain ············································································· 57

Configuring accounting methods for an ISP domain ················································································ 58

Display and maintenance commands for ISP domains············································································ 59

Setting the maximum number of concurrent login users ·················································································· 60

Configuring a NAS-ID······································································································································· 60

Configuring the device ID ································································································································· 61

Enabling password change prompt logging ····································································································· 61

Configuring the RADIUS server feature ··········································································································· 62

RADIUS server feature tasks at a glance ································································································ 62

Restrictions and guidelines for the RADIUS server feature ····································································· 62

Configuring RADIUS users ······················································································································ 62

Specifying RADIUS clients ······················································································································· 62

Activating the RADIUS server configuration ···························································································· 63

Display and maintenance commands for RADIUS users and clients ······················································ 63

Configuring the connection recording policy ···································································································· 63

About the connection recording policy ····································································································· 63

Restrictions and guidelines ······················································································································ 63

Procedure ················································································································································· 64

Display and maintenance commands for the connection recording policy ·············································· 64

Configuring the AAA test feature······················································································································ 64

AAA configuration examples ···························································································································· 66

Example: Configuring AAA for SSH users by an HWTACACS server ····················································· 66

Example: Configuring local authentication, HWTACACS authorization, and RADIUS accounting for SSH

users ························································································································································ 68

Example: Configuring authentication and authorization for SSH users by a RADIUS server ·················· 70

Example: Configuring authentication for SSH users by an LDAP server ················································· 73

iii

Example: Configuring AAA for 802.1X users by a RADIUS server ·························································· 76

Example: Configuring authentication and authorization for 802.1X users by the device as a RADIUS server

································································································································································· 81

Troubleshooting AAA ······································································································································· 84

RADIUS authentication failure ················································································································· 84

RADIUS packet delivery failure ················································································································ 84

RADIUS accounting error ························································································································· 85

Troubleshooting HWTACACS ·················································································································· 85

LDAP authentication failure ······················································································································ 85

Appendixes ······················································································································································ 86

Appendix A Commonly used RADIUS attributes ····················································································· 86

Appendix B Descriptions for commonly used standard RADIUS attributes ············································· 87

Appendix C RADIUS subattributes (vendor ID 25506) ············································································ 89

Appendix D Format of dynamic authorization ACLs ················································································ 92

802.1X overview ·························································································· 95

About the 802.1X protocol ······························································································································· 95

802.1X architecture ·································································································································· 95

Controlled/uncontrolled port and port authorization status······································································· 95

Packet exchange methods ······················································································································· 96

Packet formats ········································································································································· 97

802.1X authentication procedures ··········································································································· 99

802.1X authentication initiation ·············································································································· 101

Access control methods ································································································································· 102

802.1X VLAN manipulation ···························································································································· 102

Authorization VLAN ································································································································ 102

Guest VLAN ··········································································································································· 105

Auth-Fail VLAN ······································································································································ 106

Critical VLAN ·········································································································································· 107

Critical voice VLAN ································································································································ 109

ACL assignment ············································································································································· 109

User profile assignment ································································································································· 110

Redirect URL assignment ······························································································································ 110

Periodic 802.1X reauthentication ··················································································································· 111

EAD assistant················································································································································· 111

Configuring 802.1X ···················································································· 113

Restrictions and guidelines: 802.1X configuration ························································································· 113

802.1X tasks at a glance ································································································································ 113

Prerequisites for 802.1X································································································································· 114

Enabling 802.1X ············································································································································· 114

Enabling EAP relay or EAP termination ········································································································· 115

Setting the port authorization state ················································································································ 115

Specifying an access control method············································································································· 116

Specifying a mandatory authentication domain on a port ·············································································· 116

Setting the 802.1X authentication timeout timers ·························································································· 117

Configuring 802.1X reauthentication ·············································································································· 117

Setting the quiet timer ···································································································································· 118

Configuring an 802.1X guest VLAN ··············································································································· 119

Enabling 802.1X guest VLAN assignment delay···························································································· 120

Configuring an 802.1X Auth-Fail VLAN·········································································································· 120

Configuring an 802.1X critical VLAN ·············································································································· 121

Enabling the 802.1X critical voice VLAN feature ··························································································· 122

Configuring 802.1X unauthenticated user aging ···························································································· 123

Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN ··································· 123

Enabling 802.1X online user synchronization ································································································ 124

Configuring the authentication trigger feature ································································································ 125

Discarding duplicate 802.1X EAPOL-Start requests ······················································································ 125

Setting the maximum number of concurrent 802.1X users on a port ····························································· 126

Setting the maximum number of authentication request attempts ································································· 126

Configuring online user handshake················································································································ 126

Configuring packet detection for 802.1X authentication ················································································ 128

Specifying supported domain name delimiters ······························································································ 129

Removing the VLAN tags of 802.1X protocol packets sent out of a port ······················································· 130

Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ··················· 130

Enabling 802.1X user IP freezing··················································································································· 131

Enabling generation of dynamic IPSG binding entries for 802.1X authenticated users ································· 131

Configuring 802.1X MAC address binding ····································································································· 132

Configuring the EAD assistant feature ··········································································································· 133

Setting the maximum size of EAP-TLS fragments sent to the server ···························································· 134

Logging off 802.1X users ······························································································································· 135

Enabling 802.1X user logging ························································································································ 135

Display and maintenance commands for 802.1X ·························································································· 135

802.1X authentication configuration examples ······························································································ 136

Example: Configuring basic 802.1X authentication················································································ 136

Example: Configuring 802.1X guest VLAN and authorization VLAN ····················································· 138

Example: Configuring 802.1X with ACL assignment ·············································································· 141

Example: Configuring 802.1X with EAD assistant (with DHCP relay agent) ·········································· 143

Example: Configuring 802.1X with EAD assistant (with DHCP server) ················································· 146

Troubleshooting 802.1X ································································································································· 148

EAD assistant URL redirection failure ···································································································· 148

Configuring MAC authentication ································································ 149

About MAC authentication ····························································································································· 149

User account policies ····························································································································· 149

Authentication methods ·························································································································· 150

VLAN assignment ·································································································································· 151

ACL assignment ····································································································································· 156

User profile assignment ························································································································· 157

Redirect URL assignment ······················································································································ 157

Periodic MAC reauthentication ··············································································································· 157

Restrictions and guidelines: MAC authentication configuration ····································································· 158

MAC authentication tasks at a glance ············································································································ 158

Prerequisites for MAC authentication············································································································· 159

Enabling MAC authentication ························································································································· 159

Specifying a MAC authentication method ······································································································ 159

Specifying a MAC authentication domain ······································································································ 160

Configuring user account policy ····················································································································· 160

Configuring MAC authentication timers·········································································································· 161

Configuring periodic MAC reauthentication···································································································· 162

Configuring a MAC authentication guest VLAN ····························································································· 163

Configuring a MAC authentication critical VLAN ···························································································· 164

Enabling the MAC authentication critical voice VLAN feature········································································ 165

Configuring unauthenticated MAC authentication user aging ········································································ 165

Configuring MAC authentication offline detection ·························································································· 166

Configuring packet detection for MAC authentication ···················································································· 167

Enabling online user synchronization for MAC authentication ······································································· 169

Setting the maximum number of concurrent MAC authentication users on a port ········································· 169

Enabling MAC authentication multi-VLAN mode on a port ············································································ 170

Configuring MAC authentication delay ··········································································································· 170

Including user IP addresses in MAC authentication requests ········································································ 171

Enabling parallel processing of MAC authentication and 802.1X authentication ··········································· 172

Logging off MAC authentication users ··········································································································· 173

Enabling MAC authentication user logging ···································································································· 173

Display and maintenance commands for MAC authentication ······································································ 174

MAC authentication configuration examples ·································································································· 175

Example: Configuring local MAC authentication ···················································································· 175

Example: Configuring RADIUS-based MAC authentication ··································································· 177

Example: Configuring ACL assignment for MAC authentication ···························································· 179

Configuring portal authentication ······························································· 183

About portal authentication ···························································································································· 183

Advantages of portal authentication ······································································································· 183

Extended portal functions ······················································································································· 183

Portal system ········································································································································· 183

Portal authentication using a remote portal server ················································································· 184

Local portal service ································································································································ 185

Portal authentication modes ··················································································································· 185

Portal authentication process ················································································································· 186

Portal support for EAP ··························································································································· 188

Portal filtering rules ································································································································ 188

Restrictions and guidelines: Portal configuration ··························································································· 189

Portal authentication tasks at a glance ·········································································································· 189

Prerequisites for portal authentication ··········································································································· 190

Configuring a remote portal authentication server ························································································· 191

Configuring a portal Web server ···················································································································· 192

Portal Web server tasks at a glance ······································································································ 192

Configure basic parameters for a portal Web server ············································································· 192

Enabling the captive-bypass feature ······································································································ 192

Configuring a match rule for URL redirection ························································································· 193

Configuring local portal service features ········································································································ 193

About the local portal service ················································································································· 193

Restrictions and guidelines for configuring local portal service features················································ 193

Customizing authentication pages ········································································································· 194

Configuring a local portal Web service··································································································· 196

Enabling portal authentication on an interface ······························································································· 196

Specifying a portal Web server on an interface ····························································································· 197

Specifying a preauthentication IP address pool ····························································································· 197

Specifying a portal authentication domain ····································································································· 198

About portal authentication domains ······································································································ 198

Restrictions and guidelines for specifying a portal authentication domain ············································· 198

Specifying a portal authentication domain on an interface····································································· 199

Controlling portal user access ························································································································ 199

Configuring a portal-free rule ················································································································· 199

Configuring an authentication source subnet ························································································· 200

Configuring an authentication destination subnet ·················································································· 201

Configuring support of Web proxy for portal authentication ··································································· 201

Checking the issuing of category-2 portal filtering rules ········································································· 202

Setting the maximum number of portal users ························································································ 202

Enabling strict-checking on portal authorization information ·································································· 203

Allowing only users with DHCP-assigned IP addresses to pass portal authentication ·························· 204

Enabling portal roaming ························································································································· 204

Configuring the portal fail-permit feature ································································································ 205

Configuring portal detection features ············································································································· 205

Configuring online detection of portal users ··························································································· 205

Configuring portal authentication server detection ················································································· 206

Configuring portal Web server detection ································································································ 207

Configuring portal user synchronization ································································································· 208

Configuring portal packet attributes ··············································································································· 209

Configuring the BAS-IP or BAS-IPv6 attribute ······················································································· 209

Specifying the device ID ························································································································· 209

Configuring attributes for RADIUS packets ···································································································· 210

Specifying a format for the NAS-Port-Id attribute ··················································································· 210

Configuring the NAS-Port-Type attribute ······························································································· 210

Applying a NAS-ID profile to an interface······························································································· 211

Logging out online portal users ······················································································································ 211

Enabling portal user login/logout logging ······································································································· 212

Disabling the Rule ARP or ND entry feature for portal clients ······································································· 212

Configuring Web redirect ······························································································································· 213

Display and maintenance commands for portal ····························································································· 213

Portal configuration examples ························································································································ 214

Example: Configuring direct portal authentication·················································································· 214

Example: Configuring re-DHCP portal authentication ············································································ 219

Example: Configuring cross-subnet portal authentication ······································································ 223

Example: Configuring extended direct portal authentication ·································································· 226

Example: Configuring extended re-DHCP portal authentication ···························································· 230

Example: Configuring extended cross-subnet portal authentication ······················································ 234

Example: Configuring portal server detection and portal user synchronization ····································· 237

Example: Configuring direct portal authentication using a local portal Web service ······························ 243

Troubleshooting portal ··································································································································· 246

No portal authentication page is pushed for users ················································································· 246

Cannot log out portal users on the access device ················································································· 246

Cannot log out portal users on the RADIUS server ··············································································· 247

Users logged out by the access device still exist on the portal authentication server ···························· 247

Re-DHCP portal authenticated users cannot log in successfully ··························································· 247

Configuring Web authentication ································································· 249

About Web authentication ······························································································································ 249

Advantages of Web authentication ········································································································ 249

Web authentication system ···················································································································· 249

Web authentication process ··················································································································· 250

Web authentication support for VLAN assignment ················································································ 250

Web authentication support for authorization ACLs ··············································································· 251

Restrictions and guidelines: Web authentication configuration ······································································ 251

Web authentication tasks at a glance ············································································································ 252

Prerequisites for Web authentication ············································································································· 252

Configuring a Web authentication server ······································································································· 253

Configuring a local portal service ··················································································································· 253

Enabling Web authentication ························································································································· 253

Specifying a Web authentication domain ······································································································· 254

Setting the redirection wait time ····················································································································· 254

Configuring the aging timer for temporary MAC address entries for Web authentication ······························ 255

Configuring a Web authentication-free subnet ······························································································· 255

Setting the maximum number of Web authentication users ·········································································· 256

Configuring online Web authentication user detection ··················································································· 256

Configuring an Auth-Fail VLAN ······················································································································ 257

Configuring Web authentication to support Web proxy ·················································································· 257

Display and maintenance commands for Web authentication ······································································· 258

Web authentication configuration examples ·································································································· 258

Example: Configuring Web authentication by using the local authentication method ···························· 258

Example: Configuring Web authentication by using the RADIUS authentication method······················ 260

Troubleshooting Web authentication ············································································································· 262

Failure to come online (local authentication interface using the default ISP domain ····························· 262

Configuring triple authentication ································································ 263

About triple authentication ····························································································································· 263

Typical network of triple authentication ·································································································· 263

Triple authentication mechanism ··········································································································· 263

Triple authentication support for VLAN assignment ··············································································· 264

Triple authentication support for ACL authorization ··············································································· 264

Triple authentication support for online user detection ·········································································· 265

Restrictions and guidelines: Triple authentication ·························································································· 265

Triple authentication tasks at a glance ··········································································································· 265

Triple authentication configuration examples ································································································· 265

Example: Configuring basic triple authentication ··················································································· 265

Example: Configuring triple authentication to support authorization VLAN and authentication failure VLAN

Configuring port security ············································································ 275

About port security ········································································································································· 275

Major functions ······································································································································· 275

Port security features ····························································································································· 275

Port security modes ······························································································································· 275

Restrictions and guidelines: Port security configuration················································································· 278

Port security tasks at a glance ······················································································································· 278

Enabling port security····································································································································· 279

Setting the port security mode ······················································································································· 279

Setting port security's limit on the number of secure MAC addresses on a port ············································ 280

vii

Configuring secure MAC addresses ·············································································································· 281

About secure MAC addresses ··············································································································· 281

Prerequisites ·········································································································································· 282

Adding secure MAC addresses·············································································································· 282

Enabling inactivity aging for secure MAC addresses ············································································· 283

Enabling the dynamic secure MAC feature ···························································································· 283

Configuring NTK············································································································································· 283

Configuring intrusion protection ····················································································································· 284

Ignoring authorization information from the server························································································· 284

Configuring MAC move ·································································································································· 285

Enabling the authorization-fail-offline feature ································································································· 286

Setting port security's limit on the number of MAC addresses for specific VLANs on a port ························· 287

Enabling open authentication mode ··············································································································· 287

Configuring free VLANs for port security········································································································ 288

Applying a NAS-ID profile to port security ······································································································ 289

Enabling traffic statistics for MAC authentication and 802.1X users ······························································ 289

Specifying an IP address and mask for calculating the source IP of ARP detection packets ························ 290

Enabling SNMP notifications for port security ································································································ 291

Enabling port security user logging ················································································································ 291

Display and maintenance commands for port security ·················································································· 291

Port security configuration examples ············································································································· 292

Example: Configuring port security in autoLearn mode ········································································· 292

Example: Configuring port security in userLoginWithOUI mode ···························································· 294

Example: Configuring port security in macAddressElseUserLoginSecure mode··································· 297

Troubleshooting port security ························································································································· 301

Cannot set the port security mode ········································································································· 301

Cannot configure secure MAC addresses ····························································································· 301

Configuring user profiles ············································································ 302

About user profiles ········································································································································· 302

Prerequisites for user profile ·························································································································· 302

Configuring a user profile ······························································································································· 302

Display and maintenance commands for user profiles ·················································································· 302

User profile configuration examples ··············································································································· 303

Example: Configuring user profiles and QoS policies ············································································ 303

Configuring password control ···································································· 307

About password control·································································································································· 307

Password setting ···································································································································· 307

Password updating and expiration ········································································································· 308

User login control ··································································································································· 309

Password not displayed in any form ······································································································ 310

Logging ·················································································································································· 310

Restrictions and guidelines: Password control configuration ········································································· 311

Password control tasks at a glance················································································································ 311

Enabling password control ····························································································································· 311

Setting global password control parameters ·································································································· 313

Setting user group password control parameters ·························································································· 315

Setting local user password control parameters ···························································································· 315

Setting super password control parameters··································································································· 316

Display and maintenance commands for password control ··········································································· 317

Password control configuration examples ····································································································· 317

Example: Configuring password control ································································································· 317

Managing public keys ················································································ 321

About public key management ······················································································································· 321

Asymmetric key algorithm overview ······································································································· 321

Usage of asymmetric key algorithms ····································································································· 321

Public key management tasks at a glance ····································································································· 321

Creating a local key pair································································································································· 322

viii

Distributing a local host public key ················································································································· 323

About distribution of local host public keys ···························································································· 323

Exporting a host public key ···················································································································· 323

Displaying a host public key ··················································································································· 324

Configuring a peer host public key ················································································································· 324

About peer host public key configuration ······························································································· 324

Restrictions and guidelines for peer host public key configuration ························································ 325

Importing a peer host public key from a public key file ·········································································· 325

Entering a peer host public key ·············································································································· 325

Destroying a local key pair ····························································································································· 326

Display and maintenance commands for public keys ···················································································· 326

Examples of public key management ············································································································ 326

Example: Entering a peer host public key ······························································································ 326

Example: Importing a public key from a public key file ·········································································· 328

Configuring PKI ························································································· 331

About PKI ······················································································································································· 331

PKI terminology ······································································································································ 331

PKI architecture ······································································································································ 332

Retrieval, usage, and maintenance of a digital certificate ······································································ 333

PKI applications ····································································································································· 333

PKI tasks at a glance ····································································································································· 333

Configuring a PKI entity ································································································································· 334

Configuring a PKI domain ······························································································································ 335

About PKI domain ·································································································································· 335

PKI domain tasks at a glance ················································································································· 335

Creating a PKI domain ··························································································································· 336

Specifying the trusted CA ······················································································································· 336

Specifying the PKI entity name ·············································································································· 336

Specifying the certificate request reception authority············································································· 336

Specifying the certificate request URL ··································································································· 337

Setting the SCEP polling interval and maximum polling attempts ························································· 337

Specifying the LDAP server ··················································································································· 337

Specifying the fingerprint for root CA certificate verification··································································· 337

Specifying the key pair for certificate request ························································································ 338

Specifying the intended purpose for the certificate ················································································ 338

Specifying the source IP address for PKI protocol packets ··································································· 339

Specifying the storage path for certificates and CRLs ··················································································· 339

Requesting a certificate·································································································································· 340

About certificate request configuration ··································································································· 340

Restrictions and guidelines for certificate request configuration ···························································· 340

Prerequisites for certificate request configuration ·················································································· 340

Enabling the automatic online certificate request mode········································································· 340

Manually submitting an online certificate request ·················································································· 341

Manually submitting a certificate request in offline mode ······································································· 342

Aborting a certificate request ························································································································· 342

Obtaining certificates······································································································································ 343

Verifying PKI certificates ································································································································ 344

About certification verification ················································································································ 344

Restrictions and guidelines for certificate verification ············································································ 344

Verifying certificates with CRL checking ································································································ 344

Verifying certificates without CRL checking ··························································································· 345

Exporting certificates ······································································································································ 346

Removing a certificate···································································································································· 346

Configuring a certificate-based access control policy ···················································································· 347

About certificate-based access control policies ····················································································· 347

Display and maintenance commands for PKI ································································································ 348

PKI configuration examples ··························································································································· 348

Example: Requesting a certificate from an RSA Keon CA server ·························································· 349

Example: Requesting a certificate from a Windows Server 2003 CA server ········································· 351

Example: Requesting a certificate from an OpenCA server ··································································· 355

Example: Configuring IKE negotiation with RSA digital signature from a Windows Server 2003 CA server

Example: Configuring a certificate-based access control policy ···························································· 360

Example: Importing and exporting certificates ······················································································· 362

Troubleshooting PKI configuration ················································································································· 367

Failed to obtain the CA certificate ·········································································································· 367

Failed to obtain local certificates ············································································································ 368

Failed to request local certificates ·········································································································· 368

Failed to obtain CRLs ····························································································································· 369

Failed to import the CA certificate ·········································································································· 370

Failed to import the local certificate ········································································································ 370

Failed to export certificates ···················································································································· 371

Failed to set the storage path ················································································································· 371

Configuring IPsec ······················································································ 373

About IPsec ···················································································································································· 373

IPsec framework ···································································································································· 373

IPsec security services ··························································································································· 373

Benefits of IPsec ···································································································································· 373

Security protocols ··································································································································· 373

Encapsulation modes ····························································································································· 374

Security association ······························································································································· 375

Authentication and encryption ················································································································ 375

IPsec-protected traffic ···························································································································· 376

ACL-based IPsec ··································································································································· 376

IPv6 routing protocol-based IPsec ········································································································· 377

IPsec policy and IPsec profile ················································································································ 377

IPsec RRI ··············································································································································· 378

Protocols and standards ························································································································ 379

Restrictions and guidelines: IPsec configuration···························································································· 379

Implementing ACL-based IPsec····················································································································· 379

ACL-based IPsec tasks at a glance ······································································································· 379

Configuring an ACL ································································································································ 380

Configuring an IPsec transform set ········································································································ 382

Configuring a manual IPsec policy ········································································································· 385

Configuring an IKE-based IPsec policy ·································································································· 386

Applying an IPsec policy to an interface ································································································ 389

Enabling ACL checking for de-encapsulated packets ············································································ 389

Configuring IPsec anti-replay ················································································································· 390

Configuring IPsec anti-replay redundancy ····························································································· 390

Binding a source interface to an IPsec policy ························································································ 391

Enabling QoS pre-classify ······················································································································ 392

Configuring the DF bit of IPsec packets ································································································· 392

Configuring IPsec RRI ···························································································································· 393

Configuring IPsec for IPv6 routing protocols ·································································································· 394

IPsec protection for IPv6 routing protocols tasks at a glance ································································ 394

Configuring a manual IPsec profile ········································································································ 394

Applying the IPsec profile to an IPv6 routing protocol ············································································ 395

Configuring the global IPsec SA lifetime and idle timeout·············································································· 395

Configuring IPsec fragmentation ···················································································································· 396

Setting the maximum number of IPsec tunnels ····························································································· 396

Enabling logging for IPsec packets ················································································································ 397

Configuring SNMP notifications for IPsec ······································································································ 397

Display and maintenance commands for IPsec ····························································································· 397

IPsec configuration examples ························································································································ 398

Example: Configuring a manual mode IPsec tunnel for IPv4 packets ··················································· 398

Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ······················································ 401

Example: Configuring IPsec for RIPng ··································································································· 403

Example: Configuring IPsec RRI ············································································································ 407

Configuring IKE ························································································· 411

About IKE ······················································································································································· 411

Benefits of IKE ······································································································································· 411

Relationship between IPsec and IKE ····································································································· 411

IKE negotiation process ························································································································· 411

IKE security mechanism ························································································································· 413

Protocols and standards ························································································································ 413

IKE tasks at a glance ····································································································································· 414

Prerequisites for IKE configuration················································································································· 414

Configuring an IKE profile ······························································································································ 415

Creating an IKE profile ··························································································································· 415

Configuring peer IDs for the IKE profile ································································································· 415

Specifying the IKE keychain or PKI domain ··························································································· 415

Configuring the IKE phase 1 negotiation mode ······················································································ 416

Specifying IKE proposals for the IKE profile ·························································································· 416

Configuring the local ID for the IKE profile ····························································································· 417

Configuring optional features for the IKE profile ···················································································· 417

Configuring an IKE proposal ·························································································································· 418

Configuring an IKE keychain ·························································································································· 419

Configuring the global identity information ····································································································· 420

Configuring the IKE keepalive feature ··········································································································· 420

Configuring the IKE NAT keepalive feature ··································································································· 421

Configuring global IKE DPD ··························································································································· 421

Enabling invalid SPI recovery ························································································································ 422

Setting the maximum number of IKE SAs ······································································································ 423

Configuring SNMP notifications for IKE ········································································································· 423

Display and maintenance commands for IKE ································································································ 424

IKE configuration examples ··························································································································· 424

Example: Configuring main-mode IKE with preshared key authentication ············································ 424

Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ······················································ 427

Troubleshooting IKE······································································································································· 429

IKE negotiation failed because no matching IKE proposals were found ················································ 429

IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·················· 430

IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 430

IPsec SA negotiation failed due to invalid identity information ······························································· 431

Configuring IKEv2 ······················································································ 434

About IKEv2 ··················································································································································· 434

IKEv2 negotiation process ····················································································································· 434

New features in IKEv2 ···························································································································· 435

Protocols and standards ························································································································ 435

IKEv2 tasks at a glance·································································································································· 435

Prerequisites for IKEv2 configuration ············································································································· 436

Configuring an IKEv2 profile ·························································································································· 436

Creating an IKEv2 profile ······················································································································· 436

Specifying the local and remote identity authentication methods ·························································· 437

Configuring the IKEv2 keychain or PKI domain ····················································································· 437

Configuring the local ID for the IKEv2 profile ························································································· 437

Configuring peer IDs for the IKEv2 profile······························································································ 438

Configuring optional features for the IKEv2 profile ················································································· 438

Configuring an IKEv2 policy ··························································································································· 439

Configuring an IKEv2 proposal ······················································································································ 440

Configuring an IKEv2 keychain ······················································································································ 441

Configure global IKEv2 parameters ··············································································································· 442

Enabling the cookie challenging feature ································································································ 442

Configuring the IKEv2 DPD feature ······································································································· 442

Configuring the IKEv2 NAT keepalive feature ························································································ 443

Display and maintenance commands for IKEv2 ···························································································· 443

Troubleshooting IKEv2 ··································································································································· 444

IKEv2 negotiation failed because no matching IKEv2 proposals were found ········································ 444

IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 444

IPsec tunnel establishment failed ··········································································································· 445

Configuring SSH ························································································ 446

About SSH ····················································································································································· 446

SSH applications ···································································································································· 446

How SSH works ····································································································································· 446

SSH authentication methods ·················································································································· 447

SSH support for Suite B ························································································································· 448

Configuring the device as an SSH server ······································································································ 449

SSH server tasks at a glance ················································································································· 449

Generating local key pairs ······················································································································ 450

Specifying the SSH service port ············································································································· 450

Enabling the Stelnet server ···················································································································· 451

Enabling the SFTP server ······················································································································ 451

Enabling the SCP server ························································································································ 451

Enabling NETCONF over SSH ·············································································································· 452

Configuring the user lines for SSH login ································································································ 452

Configuring a client's host public key ····································································································· 452

Configuring an SSH user ······················································································································· 454

Configuring the SSH management parameters ····················································································· 455

Specifying a PKI domain for the SSH server ························································································· 457

Disconnecting SSH sessions ················································································································· 457

Configuring the device as an Stelnet client ···································································································· 458

Stelnet client tasks at a glance··············································································································· 458

Generating local key pairs ······················································································································ 458

Specifying the source IP address for outgoing SSH packets ································································· 458

Establishing a connection to an Stelnet server ······················································································ 459

Deleting server public keys saved in the public key file on the Stelnet client········································· 461

Establishing a connection to an Stelnet server based on Suite B ·························································· 461

Configuring the device as an SFTP client ······································································································ 461

SFTP client tasks at a glance ················································································································· 461

Generating local key pairs ······················································································································ 462

Specifying the source IP address for outgoing SFTP packets ······························································· 462

Establishing a connection to an SFTP server ························································································ 463

Deleting server public keys saved in the public key file on the SFTP client··········································· 464

Establishing a connection to an SFTP server based on Suite B ···························································· 464

Working with SFTP directories ··············································································································· 465

Working with SFTP files ························································································································· 466

Displaying help information ···················································································································· 467

Terminating the connection with the SFTP server ················································································· 467

Configuring the device as an SCP client ········································································································ 467

SCP client tasks at a glance ·················································································································· 467

Generating local key pairs ······················································································································ 467

Specifying the source IP address for outgoing SCP packets ································································· 468

Establishing a connection to an SCP server ·························································································· 468

Deleting server public keys saved in the public key file on the SCP client ············································ 470

Establishing a connection to an SCP server based on Suite B······························································ 470

Specifying algorithms for SSH2 ····················································································································· 471

About algorithms for SSH2 ····················································································································· 471

Specifying key exchange algorithms for SSH2 ······················································································ 471

Specifying public key algorithms for SSH2 ···························································································· 471

Specifying encryption algorithms for SSH2 ···························································································· 472

Specifying MAC algorithms for SSH2 ···································································································· 472

Display and maintenance commands for SSH ······························································································ 473

Stelnet configuration examples ······················································································································ 473

Example: Configuring the device as an Stelnet server (password authentication) ································ 473

Example: Configuring the device as an Stelnet server (publickey authentication) ································· 476

Example: Configuring the device as an Stelnet client (password authentication) ·································· 481

Example: Configuring the device as an Stelnet client (publickey authentication) ·································· 485

Example: Configuring Stelnet based on 128-bit Suite B algorithms······················································· 487

xii

SFTP configuration examples ························································································································ 491

Example: Configuring the device as an SFTP server (password authentication) ·································· 491

Example: Configuring the device as an SFTP client (publickey authentication) ···································· 493

Example: Configuring SFTP based on 192-bit Suite B algorithms························································· 496

SCP configuration examples ·························································································································· 500

Example: Configuring SCP with password authentication ····································································· 500

Example: Configuring SCP based on Suite B algorithms ······································································ 502

NETCONF over SSH configuration examples ······························································································· 509

Example: Configuring NETCONF over SSH with password authentication ··········································· 509

Configuring SSL ························································································ 511

About SSL ······················································································································································ 511

SSL security services ····························································································································· 511

SSL protocol stack ································································································································· 511

SSL protocol versions ···························································································································· 512

Restrictions and guidelines: SSL configuration ······························································································ 512

SSL tasks at a glance ···································································································································· 512

Configuring the SSL server ···················································································································· 512

Configuring the SSL client ······················································································································ 513

Configuring an SSL server policy ··················································································································· 513

Configuring an SSL client policy ···················································································································· 514

Disabling SSL protocol versions for the SSL server ······················································································ 515

Disabling SSL session renegotiation·············································································································· 515

Display and maintenance commands for SSL ······························································································· 516

SSL server policy configuration examples ····································································································· 516

Example: Configuring an SSL server policy ··························································································· 516

Configuring attack detection and prevention ·············································· 519

Overview ························································································································································ 519

Attacks that the device can prevent ··············································································································· 519

TCP fragment attack ······························································································································ 519

Login dictionary attack ··························································································································· 519

Configuring TCP fragment attack prevention ································································································· 519

Enabling login delay ······································································································································· 520

Configuring TCP attack prevention ···························································· 521

About TCP attack prevention ························································································································· 521

Configuring Naptha attack prevention ············································································································ 521

Configuring IP source guard ······································································ 522

About IPSG ···················································································································································· 522

IPSG operating mechanism ··················································································································· 522

Static IPSG bindings ······························································································································ 522

Dynamic IPSG bindings ························································································································· 523

IPSG tasks at a glance··································································································································· 523

Configuring the IPv4SG feature ····················································································································· 524

Enabling IPv4SG ···································································································································· 524

Configuring a static IPv4SG binding ······································································································ 524

Excluding IPv4 packets from IPSG filtering ···························································································· 525

Configuring the IPv6SG feature ····················································································································· 525

Enabling IPv6SG ···································································································································· 525

Configuring a static IPv6SG binding ······································································································ 526

Display and maintenance commands for IPSG ····························································································· 527

IPSG configuration examples ························································································································ 527

Example: Configuring static IPv4SG ······································································································ 527

Example: Configuring DHCP snooping-based dynamic IPv4SG ··························································· 528

Example: Configuring DHCP relay agent-based dynamic IPv4SG ························································ 529

Example: Configuring static IPv6SG ······································································································ 530

Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings ··························· 531

Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings ······························· 532

Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG ···················································· 533

xiii

Configuring ARP attack protection ····························································· 535

About ARP attack protection ·························································································································· 535

ARP attack protection tasks at a glance ········································································································ 535

Configuring unresolvable IP attack protection ······························································································· 535

About unresolvable IP attack protection································································································· 535

Configuring ARP source suppression ···································································································· 536

Configuring ARP blackhole routing ········································································································ 536

Display and maintenance commands for unresolvable IP attack protection ·········································· 537

Example: Configuring unresolvable IP attack protection········································································ 537

Configuring ARP packet rate limit ·················································································································· 538

Configuring source MAC-based ARP attack detection ·················································································· 539

Display and maintenance commands for source MAC-based ARP attack detection····························· 539

Example: Configuring source MAC-based ARP attack detection ·························································· 540

Configuring ARP packet source MAC consistency check ·············································································· 541

About ARP packet source MAC consistency check ··············································································· 541

Configuring ARP active acknowledgement ···································································································· 541

Configuring authorized ARP··························································································································· 542

About authorized ARP ···························································································································· 542

Configuring ARP attack detection ·················································································································· 542

About ARP attack detection ··················································································································· 542

Configuring user validity check ·············································································································· 542

Configuring ARP packet validity check ·································································································· 544

Configuring ARP restricted forwarding ··································································································· 545

Ignoring ingress ports of ARP packets during user validity check ························································· 545

Enabling ARP attack detection logging ·································································································· 546

Display and maintenance commands for ARP attack detection ···························································· 546

Example: Configuring user validity check ······························································································ 547

Example: Configuring user validity check and ARP packet validity check ············································· 548

Example: Configuring ARP restricted forwarding ··················································································· 549

Configuring ARP scanning and fixed ARP ····································································································· 551

Configuring ARP gateway protection ············································································································· 552

About ARP gateway protection ·············································································································· 552

Restrictions and guidelines ···················································································································· 552

Example: Configuring ARP gateway protection ····················································································· 553

Configuring ARP filtering ································································································································ 553

ARP filtering ··········································································································································· 553

Restrictions and guidelines ···················································································································· 553

Example: Configuring ARP filtering ········································································································ 554

Configuring ND attack defense ·································································· 556

About ND attack defense ······························································································································· 556

ND attack defense tasks at a glance·············································································································· 556

Enabling source MAC consistency check for ND messages ········································································· 557

Configuring ND attack detection ···················································································································· 557

About ND attack detection ····················································································································· 557

Restrictions and guidelines ···················································································································· 558

Enabling ND detection in a VLAN ·········································································································· 558

Enabling ND attack detection logging ···································································································· 558

Display and maintenance commands for ND attack detection······························································· 559

Example: Configuring ND attack detection ···························································································· 559

Configuring RA guard····································································································································· 561

About RA guard ······································································································································ 561

Specifying the role of the attached device ····························································································· 561

Configuring and applying an RA guard policy ························································································ 561

Enabling the RA guard logging feature ·································································································· 562

Display and maintenance commands for RA guard ··············································································· 563

Example: Configuring RA guard ············································································································· 563

xiv

Configuring SAVI ······················································································· 565

About SAVI····················································································································································· 565

SAVI application scenarios ···························································································································· 565

SAVI tasks at a glance ··································································································································· 565

Enabling SAVI ················································································································································ 565

Configuring IPv6 source guard······················································································································· 566

Configuring DHCPv6 snooping ······················································································································ 566

Configuring ND parameters ··························································································································· 566

Setting the entry deletion delay ······················································································································ 566

Enabling packet spoofing logging and filtering entry logging ········································································· 567

SAVI configuration examples ························································································································· 567

Example: Configuring DHCPv6-only SAVI ····························································································· 567

Example: Configuring SLAAC-only SAVI ······························································································· 569

Example: Configuring DHCPv6+SLAAC SAVI ······················································································· 570

Configuring MFF ························································································ 572

About MFF ····················································································································································· 572

MFF network model ······························································································································· 572

Port roles ················································································································································ 572

Processing of ARP packets in MFF ······································································································· 573

MFF default gateway ······························································································································ 573

Protocols and standards ························································································································ 573

MFF tasks at a glance ···································································································································· 573

Enabling MFF ················································································································································· 574

Configuring a network port ····························································································································· 574

Enabling periodic gateway probe ··················································································································· 575

Specifying the IP addresses of servers ·········································································································· 575

Display and maintenance commands for MFF ······························································································ 575

MFF configuration examples ·························································································································· 576

Example: Configuring MFF in a tree network ························································································· 576

Example: Configuring MFF in a ring network ························································································· 577

Configuring crypto engines ········································································ 579

About crypto engines ····································································································································· 579

Display and maintenance commands for crypto engines ·············································································· 579

Configuring FIPS ······················································································· 580

About FIPS ····················································································································································· 580

FIPS security levels ································································································································ 580

FIPS functionality ··································································································································· 580

FIPS self-tests ········································································································································ 580

Restrictions and guidelines: FIPS ·················································································································· 581

Entering FIPS mode ······································································································································· 582

About entering FIPS mode ····················································································································· 582

Restrictions and guidelines ···················································································································· 583

Using the automatic reboot method to enter FIPS mode ······································································· 583

Using the manual reboot method to enter FIPS mode ··········································································· 583

Manually triggering self-tests ························································································································· 584

Exiting FIPS mode ········································································································································· 585

Display and maintenance commands for FIPS ······························································································ 586

FIPS configuration examples ························································································································· 586

Example: Entering FIPS mode through automatic reboot ······································································ 586

Example: Entering FIPS mode through manual reboot·········································································· 588

Example: Exiting FIPS mode through automatic reboot ········································································ 589

Example: Exiting FIPS mode through manual reboot ············································································ 589

Configuring an 802.1X client ······································································ 591

About 802.1X clients ······································································································································ 591

802.1X client tasks at a glance ······················································································································ 591

Enabling the 802.1X client feature ················································································································· 591

Configuring an 802.1X client username and password ················································································· 592

Specifying an 802.1X client EAP authentication method ··············································································· 592

Configuring an 802.1X client MAC address ··································································································· 593

Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets ························· 593

Configuring an 802.1X client anonymous identifier ························································································ 594

Specifying an SSL client policy ······················································································································ 594

Display and maintenance commands for 802.1X client ················································································· 595

Document conventions and icons ······························································ 596

Conventions ··················································································································································· 596

Network topology icons ·································································································································· 597

Support and other resources ····································································· 598

Accessing Hewlett Packard Enterprise Support····························································································· 598

Accessing updates ········································································································································· 598

Websites ················································································································································ 599

Customer self repair ······························································································································· 599

Remote support ······································································································································ 599

Documentation feedback ······················································································································· 599

Index ·········································································································· 601

Configuring AAA

About AAA

AAA implementation

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing

network access management. This feature specifies the following security functions:

•

Authentication—Identifies users and verifies their validity.

•

Authorization—Grants different users different rights, and controls the users' access to

resources and services. For example, you can permit office users to read and print files and

prevent guests from accessing files on the device.

•

Accounting—Records network usage details of users, including the service type, start time,

and traffic. This function enables time-based and traffic-based charging and user behavior

auditing.

AAA network diagram

AAA uses a client/server model. The client runs on the access device, or the network access server

(NAS), which authenticates user identities and controls user access. The server maintains user

information centrally. See Figure 1.

Figure 1 AAA network diagram

To access networks or resources beyond the NAS, a user sends its identity information to the NAS.

The NAS transparently passes the user information to AAA servers and waits for the authentication,

authorization, and accounting result. Based on the result, the NAS determines whether to permit or

deny the access request.

AAA has various implementations, including HWTACACS, LDAP, and RADIUS. RADIUS is most

often used.

You can use different servers to implement different security functions. For example, you can use an

HWTACACS server for authentication and authorization, and use a RADIUS server for accounting.

You can choose the security functions provided by AAA as needed. For example, if your company

wants employees to be authenticated before they access specific resources, you would deploy an

authentication server. If network usage information is needed, you would also configure an

accounting server.

Remote user NAS RADIUS server

HWTACACS server

Internet

Network

The device performs dynamic password authentication.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction

protocol that uses a client/server model. The protocol can protect networks against unauthorized

access and is often used in network environments that require both high security and remote user

access.

The RADIUS authorization process is combined with the RADIUS authentication process, and user

authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812

for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access, and has been extended to support

additional access methods, such as Ethernet and ADSL.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

RADIUS servers and acts on the responses to, for example, reject or accept user access requests.

The RADIUS server runs on the computer or workstation at the network center and maintains

information related to user authentication and network service access.

The RADIUS server operates using the following process:

1. Receives authentication, authorization, and accounting requests from RADIUS clients.

2. Performs user authentication, authorization, or accounting.

3. Returns user access control information (for example, rejecting or accepting the user access

request) to the clients.

The RADIUS server can also act as the client of another RADIUS server to provide authentication

proxy services.

The RADIUS server maintains the following databases:

•

Users—Stores user information, such as the usernames, passwords, applied protocols, and IP

addresses.

•

Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•

Dictionary—Stores RADIUS protocol attributes and their values.

Figure 2 RADIUS server databases

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys,

which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called

Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,

and some other information. The receiver of the packet verifies the signature and accepts the packet

only when the signature is correct. This mechanism ensures the security of information exchanged

between the RADIUS client and server.

The shared keys are also used to encrypt user passwords that are included in RADIUS packets.

RADIUS servers

Users Clients Dictionary

User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.

Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS uses in the following workflow:

1. The host sends a connection request that includes the user's username and password to the

RADIUS client.

2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.

The request includes the user's password, which has been processed by the MD5 algorithm

and shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds,

the server sends back an Access-Accept packet that contains the user's authorization

information. If the authentication fails, the server returns an Access-Reject packet.

4. The RADIUS client permits or denies the user according to the authentication result. If the result

permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)

packet to the RADIUS server.

5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts

accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection.

8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the

RADIUS server.

9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting

for the user.

10. The RADIUS client notifies the user of the termination.

RADIUS client RADIUS server

1) Username and password

3) Access-Accept/Reject

2) Access-Request

4) Accounting-Request (start)

5) Accounting-Response

8) Accounting-Request (stop)

9) Accounting-Response

10) Notification of access termination

Host

6) The host accesses the resources

7) Teardown request

Page is loading ...

Aruba JG091B Configuration Guide

Brand: Aruba

Model: JG091B

Category: Software

Type: Configuration Guide

Download PDF

report

Aruba JG091B Configuration Guide

Aruba JG091B Configuration Guide

Related papers

Other documents