HPE JG091B Configuration Guide

Category: Software
Type: Configuration Guide

HPE Networking Comware 5120v3 Switch Series
Security Configuration Guide

Software version: Release 6352P02 and later
Document version: 6W100-20230715
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring AAA
About AAA
AAA implementation
AAA network diagram
RADIUS
HWTACACS
LDAP
User management based on ISP domains and user access types
Authentication, authorization, and accounting methods
AAA extended functions
RADIUS server feature of the device
Protocols and standards
FIPS compliance
AAA tasks at a glance
Configuring local users
About local users
Local user configuration tasks at a glance
Restrictions and guidelines for local user configuration
Configuring attributes for device management users
Configuring attributes for network access users
Configuring user group attributes
Configuring the local user auto-delete feature
Display and maintenance commands for local users and local user groups
Configuring RADIUS
RADIUS tasks at a glance
Restrictions and guidelines for RADIUS configuration
Configuring an EAP profile
Configuring a test profile for RADIUS server status detection
Creating a RADIUS scheme
Specifying RADIUS authentication servers
Specifying the RADIUS accounting servers
Specifying the shared keys for secure RADIUS communication
Setting the status of RADIUS servers
Setting RADIUS timers
Specifying the source IP address for outgoing RADIUS packets
Setting the username format and traffic statistics units
Setting the maximum number of RADIUS request transmission attempts
Setting the maximum number of real-time accounting attempts
Setting the DSCP priority for RADIUS packets
Specifying the format of the NAS-Port attribute
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
Interpreting the RADIUS class attribute as CAR parameters
Configuring the MAC address format for RADIUS attribute 31
Specifying the format of the NAS-Port-ID attribute
Setting the data measurement unit for the Remanent_Volume attribute
Configuring the RADIUS attribute translation feature
Configuring RADIUS stop-accounting packet buffering
Enabling forcibly sending stop-accounting packets
Enabling the RADIUS server load sharing feature
Configuring the RADIUS accounting-on feature
Configuring the RADIUS session-control feature
Configuring the RADIUS DAS feature
Enabling SNMP notifications for RADIUS
Disabling the RADIUS service
Display and maintenance commands for RADIUS
Configuring HWTACACS
HWTACACS tasks at a glance
Creating an HWTACACS scheme
Specifying the HWTACACS authentication servers
Specifying the HWTACACS authorization servers
Specifying the HWTACACS accounting servers
Specifying the shared keys for secure HWTACACS communication
Setting HWTACACS timers
Specifying the source IP address for outgoing HWTACACS packets
Setting the username format and traffic statistics units
Configuring HWTACACS stop-accounting packet buffering
Display and maintenance commands for HWTACACS
Configuring LDAP
LDAP tasks at a glance
Creating an LDAP server
Configuring the IP address of the LDAP server
Specifying the LDAP version
Setting the LDAP server timeout period
Configuring administrator attributes
Configuring LDAP user attributes
Configuring an LDAP attribute map
Creating an LDAP scheme
Specifying the LDAP authentication server
Specifying the LDAP authorization server
Specifying an LDAP attribute map for LDAP authorization
Display and maintenance commands for LDAP
Creating an ISP domain
About ISP domains
Restrictions and guidelines for ISP domain configuration
Creating an ISP domain
Specifying the default ISP domain
Specifying an ISP domain for users that are assigned to nonexistent domains
Configuring ISP domain attributes
Setting ISP domain status
Configuring authorization attributes for an ISP domain
Including the idle timeout period in the user online duration to be sent to the server
Configuring AAA methods for an ISP domain
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Display and maintenance commands for ISP domains
Setting the maximum number of concurrent login users
Configuring a NAS-ID
Configuring the device ID
Enabling password change prompt logging
Configuring the RADIUS server feature
RADIUS server feature tasks at a glance
Restrictions and guidelines for the RADIUS server feature
Configuring RADIUS users
Specifying RADIUS clients
Activating the RADIUS server configuration
Display and maintenance commands for RADIUS users and clients
Configuring the connection recording policy
About the connection recording policy
Restrictions and guidelines
Procedure
Display and maintenance commands for the connection recording policy
Configuring the AAA test feature
AAA configuration examples
Example: Configuring AAA for SSH users by an HWTACACS server
Example: Configuring local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
Example: Configuring authentication and authorization for SSH users by a RADIUS server
Example: Configuring authentication for SSH users by an LDAP server
Example: Configuring AAA for 802.1X users by a RADIUS server
Example: Configuring authentication and authorization for 802.1X users by the device as a RADIUS server
Troubleshooting AAA
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
LDAP authentication failure
Appendixes
Appendix A Commonly used RADIUS attributes
Appendix B Descriptions for commonly used standard RADIUS attributes
Appendix C RADIUS subattributes (vendor ID 25506)
Appendix D Format of dynamic authorization ACLs
802.1X overview
About the 802.1X protocol
802.1X architecture
Controlled/uncontrolled port and port authorization status
Packet exchange methods
Packet formats
802.1X authentication procedures
802.1X authentication initiation
Access control methods
802.1X VLAN manipulation
Authorization VLAN
Guest VLAN
Auth-Fail VLAN
Critical VLAN
Critical voice VLAN
ACL assignment
User profile assignment
Redirect URL assignment
Periodic 802.1X reauthentication
EAD assistant
Configuring 802.1X
Restrictions and guidelines: 802.1X configuration
802.1X tasks at a glance
Prerequisites for 802.1X
Enabling 802.1X
Enabling EAP relay or EAP termination
Setting the port authorization state
Specifying an access control method
Specifying a mandatory authentication domain on a port
Setting the 802.1X authentication timeout timers
Configuring 802.1X reauthentication
Setting the quiet timer
Configuring an 802.1X guest VLAN
Enabling 802.1X guest VLAN assignment delay
Configuring an 802.1X Auth-Fail VLAN
Configuring an 802.1X critical VLAN
Enabling the 802.1X critical voice VLAN feature
Configuring 802.1X unauthenticated user aging
Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN
Enabling 802.1X online user synchronization
Configuring the authentication trigger feature
Discarding duplicate 802.1X EAPOL-Start requests
Setting the maximum number of concurrent 802.1X users on a port
Setting the maximum number of authentication request attempts
Configuring online user handshake
Configuring packet detection for 802.1X authentication
Specifying supported domain name delimiters
Removing the VLAN tags of 802.1X protocol packets sent out of a port
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
Enabling 802.1X user IP freezing
Enabling generation of dynamic IPSG binding entries for 802.1X authenticated users
Configuring 802.1X MAC address binding
Configuring the EAD assistant feature
Setting the maximum size of EAP-TLS fragments sent to the server
Logging off 802.1X users
Enabling 802.1X user logging
Display and maintenance commands for 802.1X
802.1X authentication configuration examples
Example: Configuring basic 802.1X authentication
Example: Configuring 802.1X guest VLAN and authorization VLAN
Example: Configuring 802.1X with ACL assignment
Example: Configuring 802.1X with EAD assistant (with DHCP relay agent)
Example: Configuring 802.1X with EAD assistant (with DHCP server)
Troubleshooting 802.1X
EAD assistant URL redirection failure
Configuring MAC authentication
About MAC authentication
User account policies
Authentication methods
VLAN assignment
ACL assignment
User profile assignment
Redirect URL assignment
Periodic MAC reauthentication
Restrictions and guidelines: MAC authentication configuration
MAC authentication tasks at a glance
Prerequisites for MAC authentication
Enabling MAC authentication
Specifying a MAC authentication method
Specifying a MAC authentication domain
Configuring user account policy
Configuring MAC authentication timers
Configuring periodic MAC reauthentication
Configuring a MAC authentication guest VLAN
Configuring a MAC authentication critical VLAN
Enabling the MAC authentication critical voice VLAN feature
Configuring unauthenticated MAC authentication user aging
Configuring MAC authentication offline detection
Configuring packet detection for MAC authentication
Enabling online user synchronization for MAC authentication
Setting the maximum number of concurrent MAC authentication users on a port
Enabling MAC authentication multi-VLAN mode on a port
Configuring MAC authentication delay
Including user IP addresses in MAC authentication requests
Enabling parallel processing of MAC authentication and 802.1X authentication
Logging off MAC authentication users
Enabling MAC authentication user logging ···································································································· 173
Display and maintenance commands for MAC authentication ······································································ 174
MAC authentication configuration examples ·································································································· 175
Example: Configuring local MAC authentication ···················································································· 175
Example: Configuring RADIUS-based MAC authentication ··································································· 177
Example: Configuring ACL assignment for MAC authentication ···························································· 179
Configuring portal authentication ······························································· 183
About portal authentication ···························································································································· 183
Advantages of portal authentication ······································································································· 183
Extended portal functions ······················································································································· 183
Portal system ········································································································································· 183
Portal authentication using a remote portal server ················································································· 184
Local portal service ································································································································ 185
Portal authentication modes ··················································································································· 185
Portal authentication process ················································································································· 186
Portal support for EAP ··························································································································· 188
Portal filtering rules ································································································································ 188
Restrictions and guidelines: Portal configuration ··························································································· 189
Portal authentication tasks at a glance ·········································································································· 189
Prerequisites for portal authentication ··········································································································· 190
Configuring a remote portal authentication server ························································································· 191
Configuring a portal Web server ···················································································································· 192
Portal Web server tasks at a glance ······································································································ 192
Configure basic parameters for a portal Web server ············································································· 192
Enabling the captive-bypass feature ······································································································ 192
Configuring a match rule for URL redirection ························································································· 193
Configuring local portal service features ········································································································ 193
About the local portal service ················································································································· 193
Restrictions and guidelines for configuring local portal service features················································ 193
Customizing authentication pages ········································································································· 194
Configuring a local portal Web service··································································································· 196
Enabling portal authentication on an interface ······························································································· 196
Specifying a portal Web server on an interface ····························································································· 197
Specifying a preauthentication IP address pool ····························································································· 197
Specifying a portal authentication domain ····································································································· 198
About portal authentication domains ······································································································ 198
Restrictions and guidelines for specifying a portal authentication domain ············································· 198
Specifying a portal authentication domain on an interface····································································· 199
Controlling portal user access ························································································································ 199
Configuring a portal-free rule ················································································································· 199
Configuring an authentication source subnet ························································································· 200
Configuring an authentication destination subnet ·················································································· 201
Configuring support of Web proxy for portal authentication ··································································· 201
Checking the issuing of category-2 portal filtering rules ········································································· 202
Setting the maximum number of portal users ························································································ 202
Enabling strict-checking on portal authorization information ·································································· 203
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ·························· 204
Enabling portal roaming ························································································································· 204
Configuring the portal fail-permit feature ································································································ 205
Configuring portal detection features ············································································································· 205
Configuring online detection of portal users ··························································································· 205
Configuring portal authentication server detection ················································································· 206
Configuring portal Web server detection ································································································ 207
Configuring portal user synchronization ································································································· 208
Configuring portal packet attributes ··············································································································· 209
Configuring the BAS-IP or BAS-IPv6 attribute ······················································································· 209
Specifying the device ID ························································································································· 209
Configuring attributes for RADIUS packets ···································································································· 210
Specifying a format for the NAS-Port-Id attribute ··················································································· 210
Configuring the NAS-Port-Type attribute ······························································································· 210
Applying a NAS-ID profile to an interface······························································································· 211
Logging out online portal users ······················································································································ 211
Enabling portal user login/logout logging ······································································································· 212
Disabling the Rule ARP or ND entry feature for portal clients ······································································· 212
Configuring Web redirect ······························································································································· 213
Display and maintenance commands for portal ····························································································· 213
Portal configuration examples ························································································································ 214
Example: Configuring direct portal authentication·················································································· 214
Example: Configuring re-DHCP portal authentication ············································································ 219
Example: Configuring cross-subnet portal authentication ······································································ 223
Example: Configuring extended direct portal authentication ·································································· 226
Example: Configuring extended re-DHCP portal authentication ···························································· 230
Example: Configuring extended cross-subnet portal authentication ······················································ 234
Example: Configuring portal server detection and portal user synchronization ····································· 237
Example: Configuring direct portal authentication using a local portal Web service ······························ 243
Troubleshooting portal ··································································································································· 246
No portal authentication page is pushed for users ················································································· 246
Cannot log out portal users on the access device ················································································· 246
Cannot log out portal users on the RADIUS server ··············································································· 247
Users logged out by the access device still exist on the portal authentication server ···························· 247
Re-DHCP portal authenticated users cannot log in successfully ··························································· 247
Configuring Web authentication ································································· 249
About Web authentication ······························································································································ 249
Advantages of Web authentication ········································································································ 249
Web authentication system ···················································································································· 249
Web authentication process ··················································································································· 250
Web authentication support for VLAN assignment ················································································ 250
Web authentication support for authorization ACLs ··············································································· 251
Restrictions and guidelines: Web authentication configuration ······································································ 251
Web authentication tasks at a glance ············································································································ 252
Prerequisites for Web authentication ············································································································· 252
Configuring a Web authentication server ······································································································· 253
Configuring a local portal service ··················································································································· 253
Enabling Web authentication ························································································································· 253
Specifying a Web authentication domain ······································································································· 254
Setting the redirection wait time ····················································································································· 254
Configuring the aging timer for temporary MAC address entries for Web authentication ······························ 255
Configuring a Web authentication-free subnet ······························································································· 255
Setting the maximum number of Web authentication users ·········································································· 256
Configuring online Web authentication user detection ··················································································· 256
Configuring an Auth-Fail VLAN ······················································································································ 257
Configuring Web authentication to support Web proxy ·················································································· 257
Display and maintenance commands for Web authentication ······································································· 258
Web authentication configuration examples ·································································································· 258
Example: Configuring Web authentication by using the local authentication method ···························· 258
Example: Configuring Web authentication by using the RADIUS authentication method······················ 260
Troubleshooting Web authentication ············································································································· 262
Failure to come online (local authentication interface using the default ISP domain) ····························· 262
Configuring triple authentication ································································ 263
About triple authentication ····························································································································· 263
Typical network of triple authentication ·································································································· 263
Triple authentication mechanism ··········································································································· 263
Triple authentication support for VLAN assignment ··············································································· 264
Triple authentication support for ACL authorization ··············································································· 264
Triple authentication support for online user detection ·········································································· 265
Restrictions and guidelines: Triple authentication ·························································································· 265
Triple authentication tasks at a glance ··········································································································· 265
Triple authentication configuration examples ································································································· 265
Example: Configuring basic triple authentication ··················································································· 265
Example: Configuring triple authentication to support authorization VLAN and authentication failure VLAN ····· 269
Configuring port security ············································································ 275
About port security ········································································································································· 275
Major functions ······································································································································· 275
Port security features ····························································································································· 275
Port security modes ······························································································································· 275
Restrictions and guidelines: Port security configuration················································································· 278
Port security tasks at a glance ······················································································································· 278
Enabling port security····································································································································· 279
Setting the port security mode ······················································································································· 279
Setting port security's limit on the number of secure MAC addresses on a port ············································ 280
Configuring secure MAC addresses ·············································································································· 281
About secure MAC addresses ··············································································································· 281
Prerequisites ·········································································································································· 282
Adding secure MAC addresses·············································································································· 282
Enabling inactivity aging for secure MAC addresses ············································································· 283
Enabling the dynamic secure MAC feature ···························································································· 283
Configuring NTK············································································································································· 283
Configuring intrusion protection ····················································································································· 284
Ignoring authorization information from the server························································································· 284
Configuring MAC move ·································································································································· 285
Enabling the authorization-fail-offline feature ································································································· 286
Setting port security's limit on the number of MAC addresses for specific VLANs on a port ························· 287
Enabling open authentication mode ··············································································································· 287
Configuring free VLANs for port security········································································································ 288
Applying a NAS-ID profile to port security ······································································································ 289
Enabling traffic statistics for MAC authentication and 802.1X users ······························································ 289
Specifying an IP address and mask for calculating the source IP of ARP detection packets ························ 290
Enabling SNMP notifications for port security ································································································ 291
Enabling port security user logging ················································································································ 291
Display and maintenance commands for port security ·················································································· 291
Port security configuration examples ············································································································· 292
Example: Configuring port security in autoLearn mode ········································································· 292
Example: Configuring port security in userLoginWithOUI mode ···························································· 294
Example: Configuring port security in macAddressElseUserLoginSecure mode··································· 297
Troubleshooting port security ························································································································· 301
Cannot set the port security mode ········································································································· 301
Cannot configure secure MAC addresses ····························································································· 301
Configuring user profiles ············································································ 302
About user profiles ········································································································································· 302
Prerequisites for user profile ·························································································································· 302
Configuring a user profile ······························································································································· 302
Display and maintenance commands for user profiles ·················································································· 302
User profile configuration examples ··············································································································· 303
Example: Configuring user profiles and QoS policies ············································································ 303
Configuring password control ···································································· 307
About password control·································································································································· 307
Password setting ···································································································································· 307
Password updating and expiration ········································································································· 308
User login control ··································································································································· 309
Password not displayed in any form ······································································································ 310
Logging ·················································································································································· 310
FIPS compliance ············································································································································ 310
Restrictions and guidelines: Password control configuration ········································································· 311
Password control tasks at a glance················································································································ 311
Enabling password control ····························································································································· 311
Setting global password control parameters ·································································································· 313
Setting user group password control parameters ·························································································· 315
Setting local user password control parameters ···························································································· 315
Setting super password control parameters··································································································· 316
Display and maintenance commands for password control ··········································································· 317
Password control configuration examples ····································································································· 317
Example: Configuring password control ································································································· 317
Managing public keys ················································································ 321
About public key management ······················································································································· 321
Asymmetric key algorithm overview ······································································································· 321
Usage of asymmetric key algorithms ····································································································· 321
FIPS compliance ············································································································································ 321
Public key management tasks at a glance ····································································································· 321
Creating a local key pair································································································································· 322
Distributing a local host public key ················································································································· 323
About distribution of local host public keys ···························································································· 323
Exporting a host public key ···················································································································· 323
Displaying a host public key ··················································································································· 324
Configuring a peer host public key ················································································································· 324
About peer host public key configuration ······························································································· 324
Restrictions and guidelines for peer host public key configuration ························································ 325
Importing a peer host public key from a public key file ·········································································· 325
Entering a peer host public key ·············································································································· 325
Destroying a local key pair ····························································································································· 326
Display and maintenance commands for public keys ···················································································· 326
Examples of public key management ············································································································ 326
Example: Entering a peer host public key ······························································································ 326
Example: Importing a public key from a public key file ·········································································· 328
Configuring PKI ························································································· 331
About PKI ······················································································································································· 331
PKI terminology ······································································································································ 331
PKI architecture ······································································································································ 332
Retrieval, usage, and maintenance of a digital certificate ······································································ 333
PKI applications ····································································································································· 333
FIPS compliance ············································································································································ 333
PKI tasks at a glance ····································································································································· 333
Configuring a PKI entity ································································································································· 334
Configuring a PKI domain ······························································································································ 335
About PKI domain ·································································································································· 335
PKI domain tasks at a glance ················································································································· 335
Creating a PKI domain ··························································································································· 336
Specifying the trusted CA ······················································································································· 336
Specifying the PKI entity name ·············································································································· 336
Specifying the certificate request reception authority············································································· 336
Specifying the certificate request URL ··································································································· 337
Setting the SCEP polling interval and maximum polling attempts ························································· 337
Specifying the LDAP server ··················································································································· 337
Specifying the fingerprint for root CA certificate verification··································································· 337
Specifying the key pair for certificate request ························································································ 338
Specifying the intended purpose for the certificate ················································································ 338
Specifying the source IP address for PKI protocol packets ··································································· 339
Specifying the storage path for certificates and CRLs ··················································································· 339
Requesting a certificate·································································································································· 340
About certificate request configuration ··································································································· 340
Restrictions and guidelines for certificate request configuration ···························································· 340
Prerequisites for certificate request configuration ·················································································· 340
Enabling the automatic online certificate request mode········································································· 340
Manually submitting an online certificate request ·················································································· 341
Manually submitting a certificate request in offline mode ······································································· 342
Aborting a certificate request ························································································································· 342
Obtaining certificates······································································································································ 343
Verifying PKI certificates ································································································································ 344
About certification verification ················································································································ 344
Restrictions and guidelines for certificate verification ············································································ 344
Verifying certificates with CRL checking ································································································ 344
Verifying certificates without CRL checking ··························································································· 345
Exporting certificates ······································································································································ 346
Removing a certificate···································································································································· 346
Configuring a certificate-based access control policy ···················································································· 347
About certificate-based access control policies ····················································································· 347
Procedure ··············································································································································· 347
Display and maintenance commands for PKI ································································································ 348
PKI configuration examples ··························································································································· 348
Example: Requesting a certificate from an RSA Keon CA server ·························································· 349
Example: Requesting a certificate from a Windows Server 2003 CA server ········································· 351
Example: Requesting a certificate from an OpenCA server ··································································· 355
Example: Configuring IKE negotiation with RSA digital signature from a Windows Server 2003 CA server ··· 358
Example: Configuring a certificate-based access control policy ···························································· 360
Example: Importing and exporting certificates ······················································································· 362
Troubleshooting PKI configuration ················································································································· 367
Failed to obtain the CA certificate ·········································································································· 367
Failed to obtain local certificates ············································································································ 368
Failed to request local certificates ·········································································································· 368
Failed to obtain CRLs ····························································································································· 369
Failed to import the CA certificate ·········································································································· 370
Failed to import the local certificate ········································································································ 370
Failed to export certificates ···················································································································· 371
Failed to set the storage path ················································································································· 371
Configuring IPsec ······················································································ 373
About IPsec ···················································································································································· 373
IPsec framework ···································································································································· 373
IPsec security services ··························································································································· 373
Benefits of IPsec ···································································································································· 373
Security protocols ··································································································································· 373
Encapsulation modes ····························································································································· 374
Security association ······························································································································· 375
Authentication and encryption ················································································································ 375
IPsec-protected traffic ···························································································································· 376
ACL-based IPsec ··································································································································· 376
IPv6 routing protocol-based IPsec ········································································································· 377
IPsec policy and IPsec profile ················································································································ 377
IPsec RRI ··············································································································································· 378
Protocols and standards ························································································································ 379
FIPS compliance ············································································································································ 379
Restrictions and guidelines: IPsec configuration···························································································· 379
Implementing ACL-based IPsec····················································································································· 379
ACL-based IPsec tasks at a glance ······································································································· 379
Configuring an ACL ································································································································ 380
Configuring an IPsec transform set ········································································································ 382
Configuring a manual IPsec policy ········································································································· 385
Configuring an IKE-based IPsec policy ·································································································· 386
Applying an IPsec policy to an interface ································································································ 389
Enabling ACL checking for de-encapsulated packets ············································································ 389
Configuring IPsec anti-replay ················································································································· 390
Configuring IPsec anti-replay redundancy ····························································································· 390
Binding a source interface to an IPsec policy ························································································ 391
Enabling QoS pre-classify ······················································································································ 392
Configuring the DF bit of IPsec packets ································································································· 392
Configuring IPsec RRI ···························································································································· 393
Configuring IPsec for IPv6 routing protocols ·································································································· 394
IPsec protection for IPv6 routing protocols tasks at a glance ································································ 394
Configuring a manual IPsec profile ········································································································ 394
Applying the IPsec profile to an IPv6 routing protocol ············································································ 395
Configuring the global IPsec SA lifetime and idle timeout·············································································· 395
Configuring IPsec fragmentation ···················································································································· 396
Setting the maximum number of IPsec tunnels ····························································································· 396
Enabling logging for IPsec packets ················································································································ 397
Configuring SNMP notifications for IPsec ······································································································ 397
Display and maintenance commands for IPsec ····························································································· 397
IPsec configuration examples ························································································································ 398
Example: Configuring a manual mode IPsec tunnel for IPv4 packets ··················································· 398
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ······················································ 401
Example: Configuring IPsec for RIPng ··································································································· 403
Example: Configuring IPsec RRI ············································································································ 407
Configuring IKE ························································································· 411
About IKE ······················································································································································· 411
Benefits of IKE ······································································································································· 411
Relationship between IPsec and IKE ····································································································· 411
IKE negotiation process ························································································································· 411
IKE security mechanism ························································································································· 413
Protocols and standards ························································································································ 413
FIPS compliance ············································································································································ 414
IKE tasks at a glance ····································································································································· 414
Prerequisites for IKE configuration················································································································· 414
Configuring an IKE profile ······························································································································ 415
Creating an IKE profile ··························································································································· 415
Configuring peer IDs for the IKE profile ································································································· 415
Specifying the IKE keychain or PKI domain ··························································································· 415
Configuring the IKE phase 1 negotiation mode ······················································································ 416
Specifying IKE proposals for the IKE profile ·························································································· 416
Configuring the local ID for the IKE profile ····························································································· 417
Configuring optional features for the IKE profile ···················································································· 417
Configuring an IKE proposal ·························································································································· 418
Configuring an IKE keychain ·························································································································· 419
Configuring the global identity information ····································································································· 420
Configuring the IKE keepalive feature ··········································································································· 420
Configuring the IKE NAT keepalive feature ··································································································· 421
Configuring global IKE DPD ··························································································································· 421
Enabling invalid SPI recovery ························································································································ 422
Setting the maximum number of IKE SAs ······································································································ 423
Configuring SNMP notifications for IKE ········································································································· 423
Display and maintenance commands for IKE ································································································ 424
IKE configuration examples ··························································································································· 424
Example: Configuring main-mode IKE with preshared key authentication ············································ 424
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets ······················································ 427
Troubleshooting IKE······································································································································· 429
IKE negotiation failed because no matching IKE proposals were found ················································ 429
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·················· 430
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 430
IPsec SA negotiation failed due to invalid identity information ······························································· 431
Configuring IKEv2 ······················································································ 434
About IKEv2 ··················································································································································· 434
IKEv2 negotiation process ····················································································································· 434
New features in IKEv2 ···························································································································· 435
Protocols and standards ························································································································ 435
IKEv2 tasks at a glance·································································································································· 435
Prerequisites for IKEv2 configuration ············································································································· 436
Configuring an IKEv2 profile ·························································································································· 436
Creating an IKEv2 profile ······················································································································· 436
Specifying the local and remote identity authentication methods ·························································· 437
Configuring the IKEv2 keychain or PKI domain ····················································································· 437
Configuring the local ID for the IKEv2 profile ························································································· 437
Configuring peer IDs for the IKEv2 profile······························································································ 438
Configuring optional features for the IKEv2 profile ················································································· 438
Configuring an IKEv2 policy ··························································································································· 439
Configuring an IKEv2 proposal ······················································································································ 440
Configuring an IKEv2 keychain ······················································································································ 441
Configure global IKEv2 parameters ··············································································································· 442
Enabling the cookie challenging feature ································································································ 442
Configuring the IKEv2 DPD feature ······································································································· 442
Configuring the IKEv2 NAT keepalive feature ························································································ 443
Display and maintenance commands for IKEv2 ···························································································· 443
Troubleshooting IKEv2 ··································································································································· 444
IKEv2 negotiation failed because no matching IKEv2 proposals were found ········································ 444
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 444
IPsec tunnel establishment failed ··········································································································· 445
Configuring SSH ························································································ 446
About SSH ····················································································································································· 446
SSH applications ···································································································································· 446
How SSH works ····································································································································· 446
SSH authentication methods ·················································································································· 447
SSH support for Suite B ························································································································· 448
FIPS compliance ············································································································································ 449
Configuring the device as an SSH server ······································································································ 449
SSH server tasks at a glance ················································································································· 449
Generating local key pairs ······················································································································ 450
Specifying the SSH service port ············································································································· 450
Enabling the Stelnet server ···················································································································· 451
Enabling the SFTP server ······················································································································ 451
Enabling the SCP server ························································································································ 451
Enabling NETCONF over SSH ·············································································································· 452
Configuring the user lines for SSH login ································································································ 452
Configuring a client's host public key ····································································································· 452
Configuring an SSH user ······················································································································· 454
Configuring the SSH management parameters ····················································································· 455
Specifying a PKI domain for the SSH server ························································································· 457
Disconnecting SSH sessions ················································································································· 457
Configuring the device as an Stelnet client ···································································································· 458
Stelnet client tasks at a glance··············································································································· 458
Generating local key pairs ······················································································································ 458
Specifying the source IP address for outgoing SSH packets ································································· 458
Establishing a connection to an Stelnet server ······················································································ 459
Deleting server public keys saved in the public key file on the Stelnet client········································· 461
Establishing a connection to an Stelnet server based on Suite B ·························································· 461
Configuring the device as an SFTP client ······································································································ 461
SFTP client tasks at a glance ················································································································· 461
Generating local key pairs ······················································································································ 462
Specifying the source IP address for outgoing SFTP packets ······························································· 462
Establishing a connection to an SFTP server ························································································ 463
Deleting server public keys saved in the public key file on the SFTP client··········································· 464
Establishing a connection to an SFTP server based on Suite B ···························································· 464
Working with SFTP directories ··············································································································· 465
Working with SFTP files ························································································································· 466
Displaying help information ···················································································································· 467
Terminating the connection with the SFTP server ················································································· 467
Configuring the device as an SCP client ········································································································ 467
SCP client tasks at a glance ·················································································································· 467
Generating local key pairs ······················································································································ 467
Specifying the source IP address for outgoing SCP packets ································································· 468
Establishing a connection to an SCP server ·························································································· 468
Deleting server public keys saved in the public key file on the SCP client ············································ 470
Establishing a connection to an SCP server based on Suite B······························································ 470
Specifying algorithms for SSH2 ····················································································································· 471
About algorithms for SSH2 ····················································································································· 471
Specifying key exchange algorithms for SSH2 ······················································································ 471
Specifying public key algorithms for SSH2 ···························································································· 471
Specifying encryption algorithms for SSH2 ···························································································· 472
Specifying MAC algorithms for SSH2 ···································································································· 472
Display and maintenance commands for SSH ······························································································ 473
Stelnet configuration examples ······················································································································ 473
Example: Configuring the device as an Stelnet server (password authentication) ································ 473
Example: Configuring the device as an Stelnet server (publickey authentication) ································· 476
Example: Configuring the device as an Stelnet client (password authentication) ·································· 481
Example: Configuring the device as an Stelnet client (publickey authentication) ·································· 485
Example: Configuring Stelnet based on 128-bit Suite B algorithms······················································· 487
SFTP configuration examples ························································································································ 491
Example: Configuring the device as an SFTP server (password authentication) ·································· 491
Example: Configuring the device as an SFTP client (publickey authentication) ···································· 493
Example: Configuring SFTP based on 192-bit Suite B algorithms························································· 496
SCP configuration examples ·························································································································· 500
Example: Configuring SCP with password authentication ····································································· 500
Example: Configuring SCP based on Suite B algorithms ······································································ 502
NETCONF over SSH configuration examples ······························································································· 509
Example: Configuring NETCONF over SSH with password authentication ··········································· 509
Configuring SSL ························································································ 511
About SSL ······················································································································································ 511
SSL security services ····························································································································· 511
SSL protocol stack ································································································································· 511
SSL protocol versions ···························································································································· 512
FIPS compliance ············································································································································ 512
Restrictions and guidelines: SSL configuration ······························································································ 512
SSL tasks at a glance ···································································································································· 512
Configuring the SSL server ···················································································································· 512
Configuring the SSL client ······················································································································ 513
Configuring an SSL server policy ··················································································································· 513
Configuring an SSL client policy ···················································································································· 514
Disabling SSL protocol versions for the SSL server ······················································································ 515
Disabling SSL session renegotiation·············································································································· 515
Display and maintenance commands for SSL ······························································································· 516
SSL server policy configuration examples ····································································································· 516
Example: Configuring an SSL server policy ··························································································· 516
Configuring attack detection and prevention ·············································· 519
Overview ························································································································································ 519
Attacks that the device can prevent ··············································································································· 519
TCP fragment attack ······························································································································ 519
Login dictionary attack ··························································································································· 519
Configuring TCP fragment attack prevention ································································································· 519
Enabling login delay ······································································································································· 520
Configuring TCP attack prevention ···························································· 521
About TCP attack prevention ························································································································· 521
Configuring Naptha attack prevention ············································································································ 521
Configuring IP source guard ······································································ 522
About IPSG ···················································································································································· 522
IPSG operating mechanism ··················································································································· 522
Static IPSG bindings ······························································································································ 522
Dynamic IPSG bindings ························································································································· 523
IPSG tasks at a glance··································································································································· 523
Configuring the IPv4SG feature ····················································································································· 524
Enabling IPv4SG ···································································································································· 524
Configuring a static IPv4SG binding ······································································································ 524
Excluding IPv4 packets from IPSG filtering ···························································································· 525
Configuring the IPv6SG feature ····················································································································· 525
Enabling IPv6SG ···································································································································· 525
Configuring a static IPv6SG binding ······································································································ 526
Display and maintenance commands for IPSG ····························································································· 527
IPSG configuration examples ························································································································ 527
Example: Configuring static IPv4SG ······································································································ 527
Example: Configuring DHCP snooping-based dynamic IPv4SG ··························································· 528
Example: Configuring DHCP relay agent-based dynamic IPv4SG ························································ 529
Example: Configuring static IPv6SG ······································································································ 530
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings ··························· 531
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings ······························· 532
Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG ···················································· 533
Configuring ARP attack protection ····························································· 535
About ARP attack protection ·························································································································· 535
ARP attack protection tasks at a glance ········································································································ 535
Configuring unresolvable IP attack protection ······························································································· 535
About unresolvable IP attack protection································································································· 535
Configuring ARP source suppression ···································································································· 536
Configuring ARP blackhole routing ········································································································ 536
Display and maintenance commands for unresolvable IP attack protection ·········································· 537
Example: Configuring unresolvable IP attack protection········································································ 537
Configuring ARP packet rate limit ·················································································································· 538
Configuring source MAC-based ARP attack detection ·················································································· 539
Display and maintenance commands for source MAC-based ARP attack detection····························· 539
Example: Configuring source MAC-based ARP attack detection ·························································· 540
Configuring ARP packet source MAC consistency check ·············································································· 541
About ARP packet source MAC consistency check ··············································································· 541
Procedure ··············································································································································· 541
Configuring ARP active acknowledgement ···································································································· 541
Configuring authorized ARP··························································································································· 542
About authorized ARP ···························································································································· 542
Procedure ··············································································································································· 542
Configuring ARP attack detection ·················································································································· 542
About ARP attack detection ··················································································································· 542
Configuring user validity check ·············································································································· 542
Configuring ARP packet validity check ·································································································· 544
Configuring ARP restricted forwarding ··································································································· 545
Ignoring ingress ports of ARP packets during user validity check ························································· 545
Enabling ARP attack detection logging ·································································································· 546
Display and maintenance commands for ARP attack detection ···························································· 546
Example: Configuring user validity check ······························································································ 547
Example: Configuring user validity check and ARP packet validity check ············································· 548
Example: Configuring ARP restricted forwarding ··················································································· 549
Configuring ARP scanning and fixed ARP ····································································································· 551
Configuring ARP gateway protection ············································································································· 552
About ARP gateway protection ·············································································································· 552
Restrictions and guidelines ···················································································································· 552
Procedure ··············································································································································· 552
Example: Configuring ARP gateway protection ····················································································· 553
Configuring ARP filtering ································································································································ 553
ARP filtering ··········································································································································· 553
Restrictions and guidelines ···················································································································· 553
Procedure ··············································································································································· 554
Example: Configuring ARP filtering ········································································································ 554
Configuring ND attack defense ·································································· 556
About ND attack defense ······························································································································· 556
ND attack defense tasks at a glance·············································································································· 556
Enabling source MAC consistency check for ND messages ········································································· 557
Configuring ND attack detection ···················································································································· 557
About ND attack detection ····················································································································· 557
Restrictions and guidelines ···················································································································· 558
Enabling ND detection in a VLAN ·········································································································· 558
Enabling ND attack detection logging ···································································································· 558
Display and maintenance commands for ND attack detection······························································· 559
Example: Configuring ND attack detection ···························································································· 559
Configuring RA guard····································································································································· 561
About RA guard ······································································································································ 561
Specifying the role of the attached device ····························································································· 561
Configuring and applying an RA guard policy ························································································ 561
Enabling the RA guard logging feature ·································································································· 562
Display and maintenance commands for RA guard ··············································································· 563
Example: Configuring RA guard ············································································································· 563
Configuring SAVI ······················································································· 565
About SAVI····················································································································································· 565
SAVI application scenarios ···························································································································· 565
SAVI tasks at a glance ··································································································································· 565
Enabling SAVI ················································································································································ 565
Configuring IPv6 source guard······················································································································· 566
Configuring DHCPv6 snooping ······················································································································ 566
Configuring ND parameters ··························································································································· 566
Setting the entry deletion delay ······················································································································ 566
Enabling packet spoofing logging and filtering entry logging ········································································· 567
SAVI configuration examples ························································································································· 567
Example: Configuring DHCPv6-only SAVI ····························································································· 567
Example: Configuring SLAAC-only SAVI ······························································································· 569
Example: Configuring DHCPv6+SLAAC SAVI ······················································································· 570
Configuring MFF ························································································ 572
About MFF ····················································································································································· 572
MFF network model ······························································································································· 572
Port roles ················································································································································ 572
Processing of ARP packets in MFF ······································································································· 573
MFF default gateway ······························································································································ 573
Protocols and standards ························································································································ 573
MFF tasks at a glance ···································································································································· 573
Enabling MFF ················································································································································· 574
Configuring a network port ····························································································································· 574
Enabling periodic gateway probe ··················································································································· 575
Specifying the IP addresses of servers ·········································································································· 575
Display and maintenance commands for MFF ······························································································ 575
MFF configuration examples ·························································································································· 576
Example: Configuring MFF in a tree network ························································································· 576
Example: Configuring MFF in a ring network ························································································· 577
Configuring crypto engines ········································································ 579
About crypto engines ····································································································································· 579
Display and maintenance commands for crypto engines ·············································································· 579
Configuring FIPS ······················································································· 580
About FIPS ····················································································································································· 580
FIPS security levels ································································································································ 580
FIPS functionality ··································································································································· 580
FIPS self-tests ········································································································································ 580
Restrictions and guidelines: FIPS ·················································································································· 581
Entering FIPS mode ······································································································································· 582
About entering FIPS mode ····················································································································· 582
Restrictions and guidelines ···················································································································· 583
Using the automatic reboot method to enter FIPS mode ······································································· 583
Using the manual reboot method to enter FIPS mode ··········································································· 583
Manually triggering self-tests ························································································································· 584
Exiting FIPS mode ········································································································································· 585
Display and maintenance commands for FIPS ······························································································ 586
FIPS configuration examples ························································································································· 586
Example: Entering FIPS mode through automatic reboot ······································································ 586
Example: Entering FIPS mode through manual reboot·········································································· 588
Example: Exiting FIPS mode through automatic reboot ········································································ 589
Example: Exiting FIPS mode through manual reboot ············································································ 589
Configuring an 802.1X client ······································································ 591
About 802.1X clients ······································································································································ 591
802.1X client tasks at a glance ······················································································································ 591
Enabling the 802.1X client feature ················································································································· 591
Configuring an 802.1X client username and password ················································································· 592
Specifying an 802.1X client EAP authentication method ··············································································· 592
Configuring an 802.1X client MAC address ··································································································· 593
Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets ························· 593
Configuring an 802.1X client anonymous identifier ························································································ 594
Specifying an SSL client policy ······················································································································ 594
Display and maintenance commands for 802.1X client ················································································· 595
Document conventions and icons ······························································ 596
Conventions ··················································································································································· 596
Network topology icons ·································································································································· 597
Support and other resources ····································································· 598
Accessing Hewlett Packard Enterprise Support····························································································· 598
Accessing updates ········································································································································· 598
Websites ················································································································································ 599
Customer self repair ······························································································································· 599
Remote support ······································································································································ 599
Documentation feedback ······················································································································· 599
Index ·········································································································· 601
Configuring AAA
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA network diagram
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including HWTACACS, LDAP, and RADIUS. RADIUS is most
often used.
You can use different servers to implement different security functions. For example, you can use an
HWTACACS server for authentication and authorization, and use a RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server use shared keys, which are preconfigured on both sides, to
protect the information they exchange. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
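The Authenticator check and the password protection described under "Information exchange security mechanism", as they apply to steps 2 and 3 of the workflow, are sketched below. This is an added example, not code from the guide or from HPE; the guide does not spell out the computation, so the formulas follow RFC 2865, and the shared key, username, and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # packet codes
USER_NAME, USER_PASSWORD = 1, 2           # attribute types

def xor_password(data, secret, req_auth, hide):
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hide else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, req_auth):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(1, -(-len(password) // 16)) * 16   # null-pad to a multiple of 16
    return xor_password(password.ljust(size, b"\x00"), secret, req_auth, True)

def unhide_password(hidden, secret, req_auth):
    # Padding nulls are stripped, so a password cannot end in a null byte.
    return xor_password(hidden, secret, req_auth, False).rstrip(b"\x00")

def build_request(ident, user, password, secret, req_auth):
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([USER_NAME, len(user) + 2]) + user
    attrs += bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, attrs, req_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, req_auth, secret):
    """Client-side check: recompute the 16-byte Authenticator and compare."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    key, ra = b"constructed-shared-key", os.urandom(16)   # constructed sample values
    accept = build_response(ACCESS_ACCEPT, 1, b"", ra, key)
    print(verify_response(accept, ra, key), verify_response(accept, ra, b"wrong-key"))
```

In an Access-Request the Authenticator field is a random value chosen by the client rather than a signature; the MD5 check shown here applies to the server's reply, which binds the response to that request and to the shared key.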