Aruba Security Configuration Guide

Category: Software
Type: Configuration Guide
HPE FlexFabric 5940 & 5930 Switch Series
Security Configuration Guide
Part number: 5200-4882c
Software version: Release 2609 and later
Document version: 6W103-20200310
© Copyright 2020 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring AAA ···························································································· 1
Overview ···························································································································································· 1
RADIUS ······················································································································································ 2
HWTACACS ··············································································································································· 6
LDAP ·························································································································································· 9
AAA implementation on the device ·········································································································· 12
AAA for MPLS L3VPNs ···························································································································· 14
Protocols and standards ·························································································································· 14
RADIUS attributes ···································································································································· 14
FIPS compliance ·············································································································································· 19
AAA configuration considerations and task list ································································································ 19
Configuring AAA schemes ······························································································································· 20
Configuring local users ····························································································································· 20
Configuring RADIUS schemes ················································································································· 25
Configuring HWTACACS schemes ·········································································································· 37
Configuring LDAP schemes ····················································································································· 43
Configuring AAA methods for ISP domains ····································································································· 47
Configuration prerequisites ······················································································································ 48
Creating an ISP domain ··························································································································· 48
Configuring ISP domain attributes ··········································································································· 49
Configuring authentication methods for an ISP domain ··········································································· 50
Configuring authorization methods for an ISP domain ············································································· 51
Configuring accounting methods for an ISP domain ················································································ 52
Configuring the RADIUS session-control feature ····························································································· 54
Configuring the RADIUS DAS feature·············································································································· 54
Changing the DSCP priority for RADIUS packets ···························································································· 55
Configuring the RADIUS attribute translation feature ······················································································ 55
Setting the maximum number of concurrent login users ·················································································· 57
Configuring a NAS-ID profile ···························································································································· 57
Configuring the device ID ································································································································· 58
Configuring the connection recording policy ···································································································· 58
Displaying and maintaining AAA ······················································································································ 58
AAA configuration examples ···························································································································· 59
AAA for SSH users by an HWTACACS server ························································································ 59
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ····················· 60
Authentication and authorization for SSH users by a RADIUS server ····················································· 62
Authentication for SSH users by an LDAP server ···················································································· 65
AAA for 802.1X users by a RADIUS server ····························································································· 68
Troubleshooting RADIUS ································································································································· 73
RADIUS authentication failure ················································································································· 73
RADIUS packet delivery failure ················································································································ 74
RADIUS accounting error ························································································································· 74
Troubleshooting HWTACACS ·························································································································· 74
Troubleshooting LDAP ····································································································································· 75
LDAP authentication failure ······················································································································ 75
802.1X overview ·························································································· 76
802.1X architecture ·········································································································································· 76
Controlled/uncontrolled port and port authorization status ·············································································· 76
802.1X-related protocols ·································································································································· 77
Packet formats ········································································································································· 77
EAP over RADIUS ··································································································································· 78
802.1X authentication initiation ························································································································ 79
802.1X client as the initiator ····················································································································· 79
Access device as the initiator ··················································································································· 79
802.1X authentication procedures ··················································································································· 80
Comparing EAP relay and EAP termination ····························································································· 80
EAP relay ················································································································································· 81
EAP termination ······································································································································· 82
Configuring 802.1X ······················································································ 84
Access control methods ··································································································································· 84
802.1X VLAN manipulation ······························································································································ 84
Authorization VLAN ·································································································································· 84
Guest VLAN ············································································································································· 87
Auth-Fail VLAN ········································································································································ 88
Critical VLAN ············································································································································ 89
Critical voice VLAN ·································································································································· 90
802.1X VSI manipulation·································································································································· 91
802.1X support for VXLANs ····················································································································· 91
Authorization VSI ····································································································································· 91
Guest VSI ················································································································································· 92
Auth-Fail VSI ············································································································································ 92
Critical VSI ··············································································································································· 93
Using 802.1X authentication with other features······························································································ 93
ACL assignment ······································································································································· 93
User profile assignment ··························································································································· 94
EAD assistant ··········································································································································· 94
Redirect URL assignment ························································································································ 94
802.1X configuration restrictions and guidelines······························································································ 95
Configuration prerequisites ······························································································································ 95
802.1X configuration task list ··························································································································· 95
Enabling 802.1X ··············································································································································· 96
Enabling EAP relay or EAP termination ··········································································································· 97
Setting the port authorization state ·················································································································· 97
Specifying an access control method··············································································································· 98
Setting the maximum number of concurrent 802.1X users on a port ······························································· 98
Setting the maximum number of authentication request attempts ··································································· 98
Setting the 802.1X authentication timeout timers ···························································································· 99
Configuring online user handshake·················································································································· 99
Configuration restrictions and guidelines ······························································································· 100
Configuration procedure ························································································································· 100
Configuring the authentication trigger feature ································································································ 100
Configuration restrictions and guidelines ······························································································· 100
Configuration procedure ························································································································· 101
Specifying a mandatory authentication domain on a port ·············································································· 101
Setting the quiet timer ···································································································································· 101
Configuring 802.1X reauthentication ·············································································································· 102
Overview ················································································································································ 102
Configuration restrictions and guidelines ······························································································· 102
Configuring 802.1X periodic reauthentication ························································································ 103
Configuring 802.1X manual reauthentication ························································································· 103
Enabling the keep-online feature ··········································································································· 103
Configuring an 802.1X guest VLAN ··············································································································· 104
Configuration restrictions and guidelines ······························································· 104
Configuration prerequisites ···················································································································· 104
Configuration procedure ························································································································· 104
Enabling 802.1X guest VLAN assignment delay···························································································· 105
Configuring an 802.1X Auth-Fail VLAN·········································································································· 105
Configuration restrictions and guidelines ······························································· 105
Configuration prerequisites ···················································································································· 106
Configuration procedure ························································································································· 106
Configuring an 802.1X critical VLAN ·············································································································· 106
Configuration restrictions and guidelines ······························································································· 106
Configuration prerequisites ···················································································································· 107
Configuring the 802.1X critical VLAN on a port······················································································ 107
Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN ··························· 107
Enabling the 802.1X critical voice VLAN ········································································································ 108
Configuration restrictions and guidelines ······························································································· 108
Configuration prerequisites ···················································································································· 108
Configuration procedure ························································································································· 108
Configuring an 802.1X guest VSI ··················································································································· 108
Configuration restrictions and guidelines ······························································································· 108
Configuration prerequisites ···················································································································· 108
Configuration procedure ························································································································· 108
Enabling 802.1X guest VSI assignment delay ······························································································· 109
Overview ················································································································································ 109
Configuration procedure ························································································································· 109
Configuring an 802.1X Auth-Fail VSI ············································································································· 110
Configuration restrictions and guidelines ······························································································· 110
Configuration prerequisites ···················································································································· 110
Configuration procedure ························································································································· 110
Configuring an 802.1X critical VSI ················································································································· 110
Configuration restrictions and guidelines ······························································································· 110
Configuration prerequisites ···················································································································· 110
Configuration procedure ························································································································· 111
Specifying supported domain name delimiters ······························································································ 111
Enabling 802.1X user IP freezing··················································································································· 111
Removing the VLAN tags of 802.1X protocol packets sent out of a port ······················································· 112
Overview ················································································································································ 112
Configuration restrictions and guidelines ······························································································· 112
Configuration prerequisites ···················································································································· 112
Configuration procedure ························································································································· 112
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ··················· 113
Configuring 802.1X MAC address binding ····································································································· 113
Overview ················································································································································ 113
Configuration restrictions and guidelines ······························································································· 113
Configuration procedure ························································································································· 114
Enabling 802.1X user logging ························································································································ 114
Overview ················································································································································ 114
Configuration restrictions and guidelines ······························································································· 114
Configuration procedure ························································································································· 114
Configuring the EAD assistant feature ··········································································································· 115
Configuration restrictions and guidelines ······························································································· 115
Configuration procedure ························································································································· 115
Displaying and maintaining 802.1X ················································································································ 115
802.1X authentication configuration examples ······························································································ 116
Basic 802.1X authentication configuration example ·············································································· 116
802.1X guest VLAN and authorization VLAN configuration example ···················································· 118
802.1X with ACL assignment configuration example ············································································· 121
802.1X guest VSI and authorization VSI configuration example···························································· 122
802.1X with EAD assistant configuration example (with DHCP relay agent) ········································· 125
802.1X with EAD assistant configuration example (with DHCP server) ················································· 127
Troubleshooting 802.1X ································································································································· 130
EAD assistant URL redirection failure ···································································································· 130
Configuring MAC authentication ································································ 131
Overview ························································································································································ 131
User account policies ····························································································································· 131
Authentication methods ·························································································································· 131
VLAN assignment ·········································································································································· 132
Authorization VLAN ································································································································ 132
Guest VLAN ··········································································································································· 134
Critical VLAN ·········································································································································· 134
Critical voice VLAN ································································································································ 135
VSI manipulation ············································································································································ 136
MAC authentication support for VXLANs ······························································································· 136
Authorization VSI ··································································································································· 136
Guest VSI ··············································································································································· 137
Critical VSI ············································································································································· 137
ACL assignment ············································································································································· 138
User profile assignment ································································································································· 138
Redirect URL assignment ······························································································································ 138
Blackhole MAC attribute assignment ············································································································· 139
Configuration prerequisites ···························································································································· 139
Configuration restrictions and guidelines ······································································································· 139
Configuration task list ····································································································································· 140
Enabling MAC authentication ························································································································· 140
Specifying a MAC authentication domain ······································································································ 141
Configuring the user account format ·············································································································· 141
Configuring MAC authentication timers·········································································································· 142
Setting the maximum number of concurrent MAC authentication users on a port ········································· 142
Enabling MAC authentication multi-VLAN mode on a port ············································································ 143
Configuring MAC authentication delay ··········································································································· 143
Enabling parallel processing of MAC authentication and 802.1X authentication ··········································· 144
Configuration restrictions and guidelines ······························································································· 144
Configuration procedure ························································································································· 144
Configuring a MAC authentication guest VLAN ····························································································· 145
Configuring a MAC authentication critical VLAN ···························································································· 145
Enabling the MAC authentication critical voice VLAN ···················································································· 146
Configuration prerequisites ···················································································································· 146
Configuration procedure ························································································································· 147
Configuring a MAC authentication guest VSI ································································································· 147
Configuration restrictions and guidelines ······························································································· 147
Configuration prerequisites ···················································································································· 147
Configuration procedure ························································································································· 147
Configuring a MAC authentication critical VSI ······························································································· 148
Configuration restrictions and guidelines ······························································································· 148
Configuration prerequisites ···················································································································· 148
Configuration procedure ························································································································· 148
Configuring periodic MAC reauthentication···································································································· 148
Overview ················································································································································ 148
Configuration restrictions and guidelines ······························································································· 149
Configuration procedure ························································································································· 149
Including user IP addresses in MAC authentication requests ········································································ 150
Overview ················································································································································ 150
Configuration restrictions and guidelines ······························································································· 150
Configuration procedure ························································································································· 151
Enabling MAC authentication offline detection ······························································································ 151
Enabling MAC authentication user logging ···································································································· 151
Overview ················································································································································ 151
Configuration restrictions and guidelines ······························································································· 151
Configuration procedure ························································································································· 151
Displaying and maintaining MAC authentication ···························································································· 152
MAC authentication configuration examples ·································································································· 152
Local MAC authentication configuration example ·················································································· 152
RADIUS-based MAC authentication configuration example ·································································· 154
ACL assignment configuration example ································································································· 157
MAC authentication authorization VSI assignment configuration example ············································ 159
Configuring portal authentication ······························································· 162
Overview ························································································································································ 162
Extended portal functions ······················································································································· 162
Portal system components ····················································································································· 162
Portal system using the local portal Web server ···················································································· 164
Interaction between portal system components ····················································································· 164
Portal authentication modes ··················································································································· 165
Portal support for EAP ··························································································································· 165
Portal authentication process ················································································································· 166
Portal filtering rules ································································································································ 168
Configuration restrictions and guidelines ······································································································· 168
Portal configuration task list ··························································································································· 168
Configuration prerequisites ···························································································································· 169
Configuring a portal authentication server ····································································································· 170
Configuring a portal Web server ···················································································································· 170
Enabling portal authentication ························································································································ 172
Configuration restrictions and guidelines ······························································································· 172
Configuration procedure ························································································································· 172
Specifying a portal Web server ······················································································································ 173
Controlling portal user access ························································································································ 173
Configuring a portal-free rule ················································································································· 173
Configuring an authentication source subnet ························································································· 174
Configuring an authentication destination subnet ·················································································· 175
Setting the maximum number of portal users ························································································ 176
Specifying a portal authentication domain ····························································································· 176
Specifying a preauthentication domain ·································································································· 177
Specifying a preauthentication IP address pool for portal users ···························································· 178
Configuring support of Web proxy for portal authentication ··································································· 179
Enabling strict-checking on portal authorization information ·································································· 180
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ·························· 180
Configuring portal detection features ············································································································· 180
Configuring online detection of portal users ··························································································· 180
Configuring portal authentication server detection ················································································· 181
Configuring portal Web server detection ································································································ 182
Configuring portal user synchronization ································································································· 183
Configuring the portal fail-permit feature ········································································································ 184
Configuring BAS-IP for portal packets sent to the portal authentication server ············································· 184
Enabling portal roaming ································································································································· 185
Specifying a format for the NAS-Port-Id attribute ··························································································· 186
Specifying the device ID································································································································· 186
Logging out online portal users ······················································································································ 186
Configuring Web redirect ······························································································································· 187
Applying a NAS-ID profile to an interface ······································································································ 187
Configuring the local portal Web server feature ····························································································· 188
Customizing authentication pages ········································································································· 188
Configuring a local portal Web server ···································································································· 190
Disabling the Rule ARP or ND entry feature for portal clients ······································································· 191
Enabling logging for user logins and logouts ································································································· 191
Displaying and maintaining portal ·················································································································· 192
Portal configuration examples ························································································································ 192
Configuring direct portal authentication·································································································· 192
Configuring re-DHCP portal authentication ···························································································· 200
Configuring cross-subnet portal authentication ······················································································ 204
Configuring extended direct portal authentication ·················································································· 207
Configuring extended re-DHCP portal authentication ············································································ 211
Configuring extended cross-subnet portal authentication ······································································ 215
Configuring portal server detection and portal user synchronization ····················································· 218
Configuring cross-subnet portal authentication for MPLS L3VPNs························································ 226
Configuring direct portal authentication with a preauthentication domain ·············································· 228
Configuring re-DHCP portal authentication with a preauthentication domain ········································ 230
Configuring direct portal authentication using local portal Web server ·················································· 232
Troubleshooting portal ··································································································································· 235
No portal authentication page is pushed for users ················································································· 235
Cannot log out portal users on the access device ················································································· 236
Cannot log out portal users on the RADIUS server ··············································································· 236
Users logged out by the access device still exist on the portal authentication server ···························· 236
Re-DHCP portal authenticated users cannot log in successfully ··························································· 237
Configuring Web authentication ································································· 238
About Web authentication ······························································································································ 238
Advantages of Web authentication ········································································································ 238
Web authentication system ···················································································································· 238
Web authentication process ··················································································································· 239
Web authentication support for VLAN assignment ················································································ 239
Web authentication support for authorization ACLs ··············································································· 240
Restrictions and guidelines: Web authentication configuration ······································································ 240
Web authentication task at a glance ·············································································································· 241
Prerequisites for Web authentication ············································································································· 241
Configuring a Web authentication server ······································································································· 242
Enabling Web authentication ························································································································· 242
Specifying a Web authentication domain ······································································································· 243
Setting the redirection wait time ····················································································································· 243
Configuring a Web authentication-free subnet ······························································································· 244
Setting the maximum number of Web authentication users ·········································································· 244
Configuring online Web authentication user detection ··················································································· 245
Configuring an Auth-Fail VLAN ······················································································································ 245
Configuring Web authentication to support Web proxy ·················································································· 246
Display and maintenance commands for Web authentication ······································································· 246
Web authentication configuration examples ·································································································· 247
Example: Configuring Web authentication by using the local authentication method ···························· 247
Example: Configuring Web authentication by using the RADIUS authentication method······················ 248
Troubleshooting Web authentication ············································································································· 250
Failure to come online (local authentication interface using the default ISP domain) ···························· 250
Configuring triple authentication ································································ 252
About triple authentication ····························································································································· 252
Typical network of triple authentication ·································································································· 252
Triple authentication mechanism ··········································································································· 252
Triple authentication support for VLAN assignment ··············································································· 253
Triple authentication support for ACL authorization ··············································································· 253
Triple authentication support for online user detection ·········································································· 254
Restrictions and guidelines: Triple authentication ·························································································· 254
Triple authentication tasks at a glance ··········································································································· 254
Triple authentication configuration examples ································································································· 254
Example: Configuring basic triple authentication ··················································································· 254
Example: Configuring triple authentication to support authorization VLAN and authentication failure VLAN ······· 258
Configuring port security ············································································ 264
Overview ························································································································································ 264
Port security features ····························································································································· 264
Port security modes ······························································································································· 264
Configuration restrictions and guidelines ······································································································· 267
Configuration task list ····································································································································· 267
Enabling port security····································································································································· 268
Setting port security's limit on the number of secure MAC addresses on a port ············································ 268
Setting the port security mode ······················································································································· 269
Configuring port security features ·················································································································· 270
Configuring NTK ····································································································································· 270
Configuring intrusion protection ············································································································· 271
Configuring secure MAC addresses ·············································································································· 271
Configuration prerequisites ···················································································································· 272
Configuration procedure ························································································································· 272
Ignoring authorization information from the server························································································· 273
Enabling MAC move ······································································································································ 273
Enabling the authorization-fail-offline feature ································································································· 274
Overview ················································································································································ 274
Configuration prerequisites ···················································································································· 274
Configuration procedure ························································································································· 274
Setting port security's limit on the number of MAC addresses for specific VLANs on a port ························· 275
Overview ················································································································································ 275
Configuration restrictions and guidelines ······························································································· 275
Configuration procedure ························································································································· 275
Applying a NAS-ID profile to port security ······································································································ 275
Configuring open authentication mode ·········································································································· 276
Overview ················································································································································ 276
Configuration restrictions and guidelines ······························································································· 276
Configuration procedure ························································································································· 277
Configuring the escape critical VSI feature ···································································································· 277
About the escape critical VSI feature ····································································································· 277
Configuration restrictions and guidelines ······························································································· 277
Configuration prerequisites ···················································································································· 278
Configuration procedure ························································································································· 278
Enabling port security user logging ················································································································ 278
Overview ················································································································································ 278
Configuration restrictions and guidelines ······························································································· 278
Configuration procedure ························································································································· 278
Enabling SNMP notifications for port security ································································································ 279
Displaying and maintaining port security········································································································ 279
Port security configuration examples ············································································································· 279
autoLearn configuration example ··········································································································· 279
userLoginWithOUI configuration example······························································································ 282
macAddressElseUserLoginSecure configuration example ···································································· 284
Troubleshooting port security ························································································································· 288
Cannot set the port security mode ········································································································· 288
Cannot configure secure MAC addresses ····························································································· 289
Configuring user profiles ············································································ 290
Overview ························································································································································ 290
Configuration restrictions and guidelines ······································································································· 290
Configuring a user profile ······························································································································· 290
Displaying and maintaining user profiles········································································································ 290
User profile configuration example ················································································································ 291
Network requirements ···························································································································· 291
Configuration procedure ························································································································· 291
Verifying the configuration ······················································································································ 294
Configuring password control ···································································· 295
Overview ························································································································································ 295
Password setting ···································································································································· 295
Password updating and expiration ········································································································· 296
User login control ··································································································································· 297
Password not displayed in any form ······································································································ 298
Logging ·················································································································································· 298
FIPS compliance ············································································································································ 298
Password control configuration task list ········································································································· 298
Enabling password control ····························································································································· 299
Setting global password control parameters ·································································································· 300
Setting user group password control parameters ·························································································· 302
Setting local user password control parameters ···························································································· 303
Setting super password control parameters··································································································· 304
Displaying and maintaining password control ································································································ 304
Password control configuration example ······································································································· 305
Network requirements ···························································································································· 305
Configuration procedure ························································································································· 305
Verifying the configuration ······················································································································ 306
Configuring keychains ··············································································· 308
Overview ························································································································································ 308
Configuration procedure································································································································· 308
Displaying and maintaining keychain ············································································································· 309
Keychain configuration example ···················································································································· 309
Network requirements ···························································································································· 309
Configuration procedure ························································································································· 309
Verifying the configuration ······················································································································ 311
Managing public keys ················································································ 314
Overview ························································································································································ 314
FIPS compliance ············································································································································ 314
Creating a local key pair································································································································· 314
Distributing a local host public key ················································································································· 316
Exporting a host public key ···················································································································· 316
Displaying a host public key ··················································································································· 316
Destroying a local key pair ····························································································································· 317
Configuring a peer host public key ················································································································· 317
Importing a peer host public key from a public key file ·········································································· 317
Entering a peer host public key ·············································································································· 318
Displaying and maintaining public keys ········································································································· 318
Examples of public key management ············································································································ 318
Example for entering a peer host public key ·························································································· 318
Example for importing a public key from a public key file ······································································ 320
Configuring PKI ························································································· 323
Overview ························································································································································ 323
PKI terminology ······································································································································ 323
PKI architecture ······································································································································ 324
PKI operation ········································································································································· 324
PKI applications ····································································································································· 325
Support for MPLS L3VPN ······················································································································ 325
FIPS compliance ············································································································································ 326
PKI configuration task list ······························································································································· 326
Configuring a PKI entity ································································································································· 326
Configuring a PKI domain ······························································································································ 327
Requesting a certificate·································································································································· 329
Configuration guidelines ························································································································· 329
Configuring automatic certificate request ······························································································· 330
Manually requesting a certificate············································································································ 330
Aborting a certificate request ························································································································· 331
Obtaining certificates······································································································································ 331
Configuration prerequisites ···················································································································· 331
Configuration guidelines ························································································································· 331
Configuration procedure ························································································································· 332
Verifying PKI certificates ································································································································ 332
Verifying certificates with CRL checking ································································································ 333
Verifying certificates without CRL checking ··························································································· 333
Specifying the storage path for the certificates and CRLs ············································································· 334
Exporting certificates ······································································································································ 334
Removing a certificate···································································································································· 335
Configuring a certificate-based access control policy ···················································································· 335
Displaying and maintaining PKI ····················································································································· 336
PKI configuration examples ··························································································································· 336
Requesting a certificate from an RSA Keon CA server·········································································· 337
Requesting a certificate from a Windows Server 2003 CA server ························································· 339
Requesting a certificate from an OpenCA server··················································································· 343
Certificate-based access control policy configuration example······························································ 346
Certificate import and export configuration example ·············································································· 347
Troubleshooting PKI configuration ················································································································· 352
Failed to obtain the CA certificate ·········································································································· 353
Failed to obtain local certificates ············································································································ 353
Failed to request local certificates ·········································································································· 354
Failed to obtain CRLs ····························································································································· 354
Failed to import the CA certificate ·········································································································· 355
Failed to import a local certificate··········································································································· 356
Failed to export certificates ···················································································································· 356
Failed to set the storage path ················································································································· 357
Configuring IPsec ······················································································ 358
Overview ························································································································································ 358
Security protocols and encapsulation modes························································································· 358
Security association ······························································································································· 360
Authentication and encryption ················································································································ 360
IPsec implementation ····························································································································· 361
IPsec RRI ··············································································································································· 362
Protocols and standards ························································································································ 363
FIPS compliance ············································································································································ 363
IPsec tunnel establishment ···························································································································· 363
Implementing ACL-based IPsec····················································································································· 363
Configuring an ACL ································································································································ 364
Configuring an IPsec transform set ········································································································ 365
Configuring a manual IPsec policy ········································································································· 367
Configuring an IKE-based IPsec policy ·································································································· 368
Applying an IPsec policy to an interface ································································································ 372
Enabling ACL checking for de-encapsulated packets ············································································ 372
Configuring IPsec anti-replay ················································································································· 373
Configuring IPsec anti-replay redundancy ····························································································· 373
Binding a source interface to an IPsec policy ························································································ 374
Enabling QoS pre-classify ······················································································································ 375
Enabling logging of IPsec packets ········································································································· 375
Configuring the DF bit of IPsec packets ································································································· 375
Configuring IPsec RRI ···························································································································· 376
Configuring IPsec for IPv6 routing protocols ·································································································· 377
Configuration task list ····························································································································· 377
Configuring a manual IPsec profile ········································································································ 377
Configuring SNMP notifications for IPsec ······································································································ 379
Configuring IPsec fragmentation ···················································································································· 379
Setting the maximum number of IPsec tunnels ····························································································· 380
Displaying and maintaining IPsec ·················································································································· 380
IPsec configuration examples ························································································································ 380
Configuring a manual mode IPsec tunnel for IPv4 packets ··································································· 380
Configuring IPsec for RIPng ··················································································································· 383
Configuring IKE ························································································· 387
Overview ························································································································································ 387
IKE negotiation process ························································································································· 387
IKE security mechanism ························································································································· 388
Protocols and standards ························································································································ 389
FIPS compliance ············································································································································ 389
IKE configuration prerequisites ······················································································································ 389
IKE configuration task list ······························································································································· 389
Configuring an IKE profile ······························································································································ 390
Configuring an IKE proposal ·························································································································· 392
Configuring an IKE keychain ·························································································································· 393
Configuring the global identity information ····································································································· 394
Configuring the IKE keepalive feature ··········································································································· 394
Configuring the IKE NAT keepalive feature ··································································································· 395
Configuring IKE DPD ····································································································································· 395
Enabling invalid SPI recovery ························································································································ 396
Setting the maximum number of IKE SAs ······································································································ 396
Configuring SNMP notifications for IKE ········································································································· 397
Displaying and maintaining IKE ····················································································································· 397
IKE configuration examples ··························································································································· 398
Configuring an IKE-based IPsec tunnel for IPv4 packets ······································································ 398
Main mode IKE with pre-shared key authentication configuration example··········································· 400
Troubleshooting IKE······································································································································· 403
IKE negotiation failed because no matching IKE proposals were found ················································ 403
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·················· 404
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 404
IPsec SA negotiation failed due to invalid identity information ······························································· 405
Configuring IKEv2 ······················································································ 408
Overview ························································································································································ 408
IKEv2 negotiation process ····················································································································· 408
New features in IKEv2 ···························································································································· 409
Protocols and standards ························································································································ 409
IKEv2 configuration task list ··························································································································· 409
Configuring an IKEv2 profile ·························································································································· 410
Configuring an IKEv2 policy ··························································································································· 413
Configuring an IKEv2 proposal ······················································································································ 413
Configuring an IKEv2 keychain ······················································································································ 415
Configuring global IKEv2 parameters ············································································ 416
Enabling the cookie challenging feature ································································································ 416
Configuring the IKEv2 DPD feature ······································································································· 416
Configuring the IKEv2 NAT keepalive feature ························································································ 416
Displaying and maintaining IKEv2·················································································································· 417
IKEv2 configuration examples ······················································································································· 417
IKEv2 with pre-shared key authentication configuration example ·························································· 417
IKEv2 with RSA signature authentication configuration example ·························································· 422
IKEv2 with NAT traversal configuration example ··················································································· 430
Troubleshooting IKEv2 ··································································································································· 434
IKEv2 negotiation failed because no matching IKEv2 proposals were found ········································ 434
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 435
IPsec tunnel establishment failed ··········································································································· 435
Configuring SSH ························································································ 436
Overview ························································································································································ 436
How SSH works ····································································································································· 436
SSH authentication methods ·················································································································· 437
SSH support for Suite B ························································································································· 438
FIPS compliance ············································································································································ 438
Configuring the device as an SSH server ······································································································ 439
SSH server configuration task list ·········································································································· 439
Generating local key pairs ······················································································································ 439
Specifying the SSH service port ············································································································· 440
Enabling the Stelnet server ···················································································································· 440
Enabling the SFTP server ······················································································································ 441
Enabling the SCP server ························································································································ 441
Enabling NETCONF over SSH ·············································································································· 441
Configuring the user lines for SSH login ································································································ 442
Configuring a client's host public key ····································································································· 442
Configuring an SSH user ······················································································································· 443
Configuring the SSH management parameters ····················································································· 444
Specifying a PKI domain for the SSH server ························································································· 446
Releasing SSH connections ··················································································································· 446
Configuring the device as an Stelnet client ···································································································· 446
Stelnet client configuration task list ········································································································ 446
Generating local key pairs ······················································································································ 447
Specifying the source IP address for SSH packets················································································ 447
Establishing a connection to an Stelnet server ······················································································ 448
Deleting server public keys saved in the public key file on the Stelnet client········································· 450
Establishing a connection to an Stelnet server based on Suite B ·························································· 450
Configuring the device as an SFTP client ······································································································ 450
SFTP client configuration task list ·········································································································· 450
Generating local key pairs ······················································································································ 451
Specifying the source IP address for SFTP packets ·············································································· 451
Establishing a connection to an SFTP server ························································································ 452
Deleting server public keys saved in the public key file on the SFTP client··········································· 454
Establishing a connection to an SFTP server based on Suite B ···························································· 454
Working with SFTP directories ··············································································································· 455
Working with SFTP files ························································································································· 455
Displaying help information ···················································································································· 455
Terminating the connection with the SFTP server ················································································· 456
Configuring the device as an SCP client ········································································································ 456
SCP client configuration task list ············································································································ 456
Generating local key pairs ······················································································································ 456
Specifying the source IP address for SCP packets················································································ 457
Establishing a connection to an SCP server ·························································································· 457
Deleting server public keys saved in the public key file on the SCP client ············································ 459
Establishing a connection to an SCP server based on Suite B······························································ 459
Specifying algorithms for SSH2 ····················································································································· 460
Specifying key exchange algorithms for SSH2 ······················································································ 460
Specifying public key algorithms for SSH2 ···························································································· 461
Specifying encryption algorithms for SSH2 ···························································································· 461
Specifying MAC algorithms for SSH2 ···································································································· 461
Displaying and maintaining SSH ···················································································································· 462
Stelnet configuration examples ······················································································································ 462
Password authentication enabled Stelnet server configuration example ··············································· 462
Publickey authentication enabled Stelnet server configuration example ··············································· 465
Password authentication enabled Stelnet client configuration example ················································ 470
Publickey authentication enabled Stelnet client configuration example ················································· 474
Stelnet configuration example based on 128-bit Suite B algorithms ······················································ 476
SFTP configuration examples ························································································································ 480
Password authentication enabled SFTP server configuration example ················································· 480
Publickey authentication enabled SFTP client configuration example ··················································· 482
SFTP configuration example based on 192-bit Suite B algorithms ························································ 486
SCP configuration examples ·························································································································· 489
SCP configuration example with password authentication ···································································· 490
SCP configuration example based on Suite B algorithms ······································································ 491
NETCONF over SSH configuration example with password authentication ·················································· 498
Network requirements ···························································································································· 498
Configuration procedure ························································································································· 499
Verifying the configuration ······················································································································ 500
Configuring SSL ························································································ 501
Overview ························································································································································ 501
SSL security services ····························································································································· 501
SSL protocol stack ································································································································· 501
FIPS compliance ············································································································································ 502
SSL configuration task list ······························································································································ 502
Configuring an SSL server policy ··················································································································· 502
Configuring an SSL client policy ···················································································································· 504
Displaying and maintaining SSL ···················································································································· 506
Configuring attack detection and prevention ·············································· 507
Overview ························································································································································ 507
Attacks that the device can prevent ··············································································································· 507
Single-packet attacks ····························································································································· 507
Scanning attacks ···································································································································· 508
Flood attacks ·········································································································································· 509
TCP fragment attack ······························································································································ 510
Login dictionary attack ··························································································································· 510
Attack detection and prevention configuration task list ·················································································· 510
Configuring an attack defense policy ············································································································· 511
Creating an attack defense policy ·········································································································· 511
Configuring a single-packet attack defense policy ················································································· 511
Configuring a scanning attack defense policy ························································································ 512
Configuring a flood attack defense policy ······························································································ 513
Configuring attack detection exemption ································································································· 517
Applying an attack defense policy to the device ···················································································· 517
Enabling log non-aggregation for single-packet attack events······························································· 518
Configuring TCP fragment attack prevention ································································································· 518
Enabling the login delay ································································································································· 519
Displaying and maintaining attack detection and prevention ········································································· 519
Attack detection and prevention configuration examples ··············································································· 520
Attack defense policy device application configuration example ··························································· 520
Configuring TCP attack prevention ···························································· 524
Overview ························································································································································ 524
Configuring Naptha attack prevention ············································································································ 524
Configuring IP source guard ······································································ 525
Overview ························································································································································ 525
Static IPSG bindings ······························································································································ 525
Dynamic IPSG bindings ························································································································· 526
IPSG configuration task list ···························································································································· 527
Configuring the IPv4SG feature ····················································································································· 527
Enabling IPv4SG on an interface ··········································································································· 527
Configuring a static IPv4SG binding ······································································································ 527
Configuring the IPv6SG feature ····················································································································· 528
Enabling IPv6SG on an interface ··········································································································· 528
Configuring a static IPv6SG binding ······································································································ 529
Displaying and maintaining IPSG··················································································································· 530
IPSG configuration examples ························································································································ 530
Static IPv4SG configuration example ····································································································· 530
DHCP snooping-based dynamic IPv4SG configuration example ·························································· 532
DHCP relay agent-based dynamic IPv4SG configuration example ······················································· 533
Static IPv6SG configuration example ····································································································· 534
DHCPv6 snooping-based dynamic IPv6SG address binding configuration example ···························· 534
DHCPv6 snooping-based dynamic IPv6SG prefix binding configuration example ································ 535
Dynamic IPv6SG using DHCPv6 relay agent configuration example ···················································· 536
Configuring ARP attack protection ····························································· 538
ARP attack protection configuration task list ·································································································· 538
Configuring unresolvable IP attack protection ······························································································· 538
Configuring ARP source suppression ···································································································· 539
Configuring ARP blackhole routing ········································································································ 539
Displaying and maintaining unresolvable IP attack protection ······························································· 539
Configuration example ··························································································································· 540
Configuring ARP packet rate limit ·················································································································· 540
Configuration guidelines ························································································································· 541
Configuration procedure ························································································································· 541
Configuring source MAC-based ARP attack detection ·················································································· 541
Configuration procedure ························································································································· 542
Displaying and maintaining source MAC-based ARP attack detection ·················································· 542
Configuration example ··························································································································· 543
Configuring ARP packet source MAC consistency check ·············································································· 544
Configuring ARP active acknowledgement ···································································································· 544
Configuring authorized ARP··························································································································· 544
Configuration procedure ························································································································· 545
Configuration example (on a DHCP server)··························································································· 545
Configuration example (on a DHCP relay agent) ··················································································· 546
Configuring ARP attack detection ·················································································································· 547
Configuring user validity check ·············································································································· 548
Configuring ARP packet validity check ·································································································· 549
Configuring ARP restricted forwarding ··································································································· 549
Ignoring ingress ports of ARP packets for user validity check ······························································· 550
Configuring ARP attack detection for a VSI ··························································································· 550
Enabling ARP attack detection logging ·································································································· 552
Displaying and maintaining ARP attack detection·················································································· 552
User validity check configuration example ····························································································· 552
User validity check and ARP packet validity check configuration example ············································ 554
ARP restricted forwarding configuration example ·················································································· 555
Configuring ARP scanning and fixed ARP ····································································································· 557
Configuration restrictions and guidelines ······························································································· 557
Configuration procedure ························································································································· 557
Configuring ARP gateway protection ············································································································· 558
Configuration guidelines ························································································································· 558
Configuration procedure ························································································································· 558
Configuration example ··························································································································· 558
Configuring ARP filtering ································································································································ 559
Configuration guidelines ························································································································· 559
Configuration procedure ························································································································· 559
Configuration example ··························································································································· 560
Configuring ARP sender IP address checking ······························································································· 561
Configuring ND attack defense ·································································· 562
Overview ························································································································································ 562
ND attack defense configuration task list ······································································································· 562
Enabling source MAC consistency check for ND messages ········································································· 562
Configuring ND attack detection ···················································································································· 563
About ND attack detection ····················································································································· 563
Configuration guidelines ························································································································· 563
Configuration procedure ························································································································· 564
Displaying and maintaining ND attack detection ···················································································· 564
ND attack detection configuration example···························································································· 564
Configuring RA guard····································································································································· 566
About RA guard ······································································································································ 566
Specifying the role of the attached device ····························································································· 566
Configuring an RA guard policy ············································································································· 567
Enabling the RA guard logging feature ·································································································· 567
Displaying and maintaining RA guard ···································································································· 568
RA guard configuration example ············································································································ 568
Configuring uRPF ······················································································ 571
Overview ························································································································································ 571
uRPF check modes ································································································································ 571
uRPF operation ······································································································································ 571
Network application ································································································································ 574
Enabling uRPF ··············································································································································· 574
Displaying and maintaining uRPF ·················································································································· 574
Global uRPF configuration example ·············································································································· 575
Configuring MFF ························································································ 576
Overview ························································································································································ 576
Basic concepts ······································································································································· 577
MFF operation modes ···························································································································· 577
MFF working mechanism ······················································································································· 578
Protocols and standards ························································································································ 578
Configuring MFF ············································································································································ 578
Enabling MFF ········································································································································· 578
Configuring a network port ····················································································································· 578
Enabling periodic gateway probe ··········································································································· 579
Specifying the IP addresses of servers ·································································································· 579
Displaying and maintaining MFF ···················································································································· 580
MFF configuration examples ·························································································································· 580
Manual-mode MFF configuration example in a tree network ································································· 580
Manual-mode MFF configuration example in a ring network ································································· 581
Configuring crypto engines ········································································ 583
Overview ························································································································································ 583
Displaying and maintaining crypto engines ···································································································· 583
Configuring FIPS ······················································································· 584
Overview ························································································································································ 584
Configuration restrictions and guidelines ······································································································· 584
Configuring FIPS mode ·································································································································· 585
Entering FIPS mode ······························································································································· 585
Configuration changes in FIPS mode ···································································································· 586
Exiting FIPS mode ································································································································· 587
FIPS self-tests ················································································································································ 587
Power-up self-tests ································································································································ 588
Conditional self-tests ······························································································································ 588
Triggering self-tests ································································································································ 589
Displaying and maintaining FIPS ··················································································································· 589
FIPS configuration examples ························································································································· 589
Entering FIPS mode through automatic reboot ······················································································ 589
Entering FIPS mode through manual reboot ·························································································· 590
Exiting FIPS mode through automatic reboot ························································································ 592
Exiting FIPS mode through manual reboot ···························································································· 592
Configuring MACsec ·················································································· 594
Overview ························································································································································ 594
Basic concepts ······································································································································· 594
MACsec services ··································································································································· 594
MACsec applications ······························································································································ 595
MACsec operating mechanism ·············································································································· 595
Protocols and standards ························································································································ 597
Feature and hardware compatibility ··············································································································· 597
MACsec configuration task list ······················································································································· 598
Enabling MKA ················································································································································ 598
Enabling MACsec desire ································································································································ 599
Specifying the cipher suite for MACsec encryption ························································································ 599
Configuring a preshared key ·························································································································· 600
Configuring the MKA key server priority ········································································································ 600
Configuring MACsec protection parameters in interface view ······································································· 601
Configuring the MACsec confidentiality offset························································································ 601
Configuring MACsec replay protection··································································································· 601
Configuring the MACsec validation mode ······························································································ 602
Configuring MACsec protection parameters by MKA policy ·········································································· 602
Configuring an MKA policy ····················································································································· 602
Applying an MKA policy ························································································································· 603
Enabling MKA session logging······················································································································· 603
Overview ················································································································································ 603
Configuration restrictions and guidelines ······························································································· 603
Configuration procedure ························································································································· 604
Displaying and maintaining MACsec·············································································································· 604
MACsec configuration examples···················································································································· 604
Client-oriented MACsec configuration example ····················································································· 604
Device-oriented MACsec configuration example ··················································································· 607
Troubleshooting MACsec ······························································································································· 610
Cannot establish MKA sessions between MACsec devices ·································································· 610
Document conventions and icons ······························································ 612
Conventions ··················································································································································· 612
Network topology icons ·································································································································· 613
Support and other resources ····································································· 614
Accessing Hewlett Packard Enterprise Support····························································································· 614
Accessing updates ········································································································································· 614
Websites ················································································································································ 615
Customer self repair ······························································································································· 615
Remote support ······································································································································ 615
Documentation feedback ······················································································································· 615
Index ·········································································································· 617
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
[Figure 1 residue: diagram elements Remote user, Internet, NAS, Network, RADIUS server, HWTACACS server]
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
[Figure 2 residue: RADIUS servers with the Users, Clients, and Dictionary databases]
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
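The Access-Request/Access-Accept part of the workflow above, together with the shared-key mechanisms described under "Information exchange security mechanism" (the MD5-based Authenticator and the hiding of User-Password) and the Code, Identifier, Length, Authenticator and Attributes fields described under "RADIUS packet format", as an added Python example. This code is not part of the guide or of the switch software; it implements the RFC 2865 message handling with only the standard library, and the shared key, user table, NAS address and Identifier value are constructed for the example.

```python
"""Added example: a RADIUS Access-Request exchange with RFC 2865 Authenticator
and User-Password handling on both the client (NAS) and server side."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # Code values from Table 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types, RFC 2865 sec. 5
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_REPLY_MESSAGE = 4, 5, 18
HEADER = struct.Struct("!BBH")   # Code (1) | Identifier (1) | Length (2); Authenticator (16) follows


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 sec. 5.2): NUL-pad to a multiple of 16 bytes, then
    XOR each chunk with MD5(secret + previous output block), seeded with the Request
    Authenticator. An empty password still yields one 16-byte block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same mechanism; the chaining value is the received block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes field: a sequence of Type (1 byte) | Length (1 byte) | Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_request(code, ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    head = HEADER.pack(code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def parse_packet(data):
    """Length rules: drop a packet shorter than its Length field, ignore bytes beyond it."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = HEADER.unpack(data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field exceeds received data; packet dropped")
    return code, ident, data[4:20], decode_attrs(data[20:length])


def verify_response(response, request_auth, secret):
    """Client-side check: a reply produced without the shared key, or altered in transit,
    fails this comparison and must be discarded."""
    _, _, auth, _ = parse_packet(response)
    length = HEADER.unpack(response[:4])[2]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


def server_handle(request, secret, user_db):
    """Minimal server: Access-Request must carry User-Name (Table 1); check the password."""
    code, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in a:
        return None   # RFC 2865: silently discard
    password = reveal_password(a.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    if user_db.get(a[ATTR_USER_NAME]) == password:
        return build_response(ACCESS_ACCEPT, ident, req_auth, [(ATTR_REPLY_MESSAGE, b"welcome")], secret)
    return build_response(ACCESS_REJECT, ident, req_auth, [], secret)


def client_authenticate(username, password, client_secret, server_secret, user_db):
    """NAS side: send Access-Request; act on the reply only if the Identifier matches
    and the Response Authenticator verifies under the client's copy of the key."""
    ident, req_auth = 7, os.urandom(16)   # constructed Identifier; fresh random authenticator
    request = build_request(ACCESS_REQUEST, ident, req_auth, [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, client_secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),   # constructed NAS address
        (ATTR_NAS_PORT, struct.pack("!I", 1)),
    ])
    response = server_handle(request, server_secret, user_db)
    if response is None:
        return "discard"
    code, r_ident, _, _ = parse_packet(response)
    if r_ident != ident or not verify_response(response, req_auth, client_secret):
        return "discard"
    return "accept" if code == ACCESS_ACCEPT else "reject"


SECRET = b"constructed-shared-key"            # constructed, not a real deployment key
USER_DB = {b"alice": b"correct horse battery"}  # constructed user table
```

Running client_authenticate with the right password returns "accept", with a wrong password "reject", and with a client key that differs from the server's "discard", because the Response Authenticator no longer verifies. The last case is the check that matters operationally: a NAS that skips it would act on replies from any host that can reach UDP port 1812. RFC 2865 section 7 gives worked packet traces that can be used to confirm the byte layout produced here.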
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
[Figure 3 residue: Host, RADIUS client, RADIUS server; messages 1) Username and password, 2) Access-Request, 3) Access-Accept/Reject, 4) Accounting-Request (start), 5) Accounting-Response, 6) The host accesses the resources, 7) Teardown request, 8) Accounting-Request (stop), 9) Accounting-Response, 10) Notification of termination]
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field

Code  Packet type          Description
1     Access-Request       From the client to the server. A packet of this type includes user
                           information for the server to authenticate the user. It must contain the
                           User-Name attribute and can optionally contain the attributes of
                           NAS-IP-Address, User-Password, and NAS-Port.
2     Access-Accept        From the server to the client. If all attribute values included in the
                           Access-Request are acceptable, the authentication succeeds, and the
                           server sends an Access-Accept response.
3     Access-Reject        From the server to the client. If any attribute value included in the
                           Access-Request is unacceptable, the authentication fails, and the server
                           sends an Access-Reject response.
4     Accounting-Request   From the client to the server. A packet of this type includes user
                           information for the server to start or stop accounting for the user. The
                           Acct-Status-Type attribute in the packet indicates whether to start or stop
                           accounting.
5     Accounting-Response  From the server to the client. The server sends a packet of this type to
                           notify the client that it has received the Accounting-Request and has
                           successfully recorded the accounting information.
•
The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
•
The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
•
The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
•
The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
 Type—Type of the attribute.
 Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
 Value—Value of the attribute. Its format and content depend on the Type subfield.
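The following added example (not from the guide or from HPE software) applies the packet-format rules above and the reply check from the message exchange in steps 1 through 10: it parses the Code, Identifier, Length, Authenticator, and Type/Length/Value attributes, drops a datagram that is shorter than its Length field, ignores bytes past Length as padding, and verifies a server reply's response authenticator against the request authenticator and shared key. The shared key, request authenticator, and Access-Accept reply are constructed sample data; the Reply-Message attribute type (18) is a standard RADIUS attribute.

```python
import hashlib
import struct

HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}

def parse_radius(datagram):
    """Parse one RADIUS UDP payload; return None when it must be dropped
    (payload shorter than its Length field, or an attribute overruns it)."""
    if len(datagram) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN or len(datagram) < length:
        return None  # fewer bytes received than Length claims: drop
    attrs, pos = [], HEADER_LEN
    while pos < length:  # bytes past Length are padding and are ignored
        if length - pos < 2:
            return None
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # Type/Length/Value header inconsistent with packet
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODE_NAMES.get(code, "Unknown"),
            "identifier": ident, "length": length,
            "authenticator": datagram[4:HEADER_LEN], "attributes": attrs}

def response_authenticator_ok(response, request_authenticator, secret):
    """Response Authenticator must equal MD5(Code + Identifier + Length +
    Request Authenticator + Attributes + shared key); reject it otherwise."""
    if len(response) < HEADER_LEN:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < HEADER_LEN or length > len(response):
        return False
    body = response[:4] + request_authenticator + response[HEADER_LEN:length]
    return hashlib.md5(body + secret).digest() == response[4:HEADER_LEN]

def build_reply(code, ident, request_authenticator, attrs, secret):
    """Build a reply the way a server would (used here only for sample data)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body

# Constructed sample data (not from any real deployment): shared key, Request Authenticator, reply.
SECRET = b"example-shared-key"
REQ_AUTH = bytes(range(16))
REPLY = build_reply(2, 7, REQ_AUTH, [(18, b"Welcome")], SECRET)
```

A client that treats a failed response_authenticator_ok check as a drop rejects replies forged by a party that does not hold the shared key, which is the purpose the Authenticator bullet above describes.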