Aruba Security Configuration Guide

HPE FlexFabric 5710 Switch Series
Security Configuration Guide
Part number: 5200-5002b
Software version: Release 2612 and later
Document version: 6W102-20200310
© Copyright 2020 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring AAA ···························································································· 1
Overview ···························································································································································· 1
RADIUS ······················································································································································ 2
HWTACACS ··············································································································································· 6
LDAP ·························································································································································· 9
AAA implementation on the device ·········································································································· 12
AAA for MPLS L3VPNs ···························································································································· 14
Protocols and standards ·························································································································· 14
RADIUS attributes ···································································································································· 14
FIPS compliance ·············································································································································· 19
AAA configuration considerations and task list ································································································ 19
Configuring AAA schemes ······························································································································· 20
Configuring local users ····························································································································· 20
Configuring RADIUS schemes ················································································································· 25
Configuring HWTACACS schemes ·········································································································· 37
Configuring LDAP schemes ····················································································································· 43
Configuring AAA methods for ISP domains ····································································································· 47
Configuration prerequisites ······················································································································ 48
Creating an ISP domain ··························································································································· 48
Configuring ISP domain attributes ··········································································································· 49
Configuring authentication methods for an ISP domain ··········································································· 50
Configuring authorization methods for an ISP domain ············································································· 51
Configuring accounting methods for an ISP domain ················································································ 52
Configuring the RADIUS session-control feature ····························································································· 54
Configuring the RADIUS DAS feature·············································································································· 54
Changing the DSCP priority for RADIUS packets ···························································································· 55
Configuring the RADIUS attribute translation feature ······················································································ 55
Setting the maximum number of concurrent login users ·················································································· 57
Configuring a NAS-ID profile ···························································································································· 57
Configuring the device ID ································································································································· 58
Configuring the connection recording policy ···································································································· 58
Displaying and maintaining AAA ······················································································································ 58
AAA configuration examples ···························································································································· 59
AAA for SSH users by an HWTACACS server ························································································ 59
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ····················· 60
Authentication and authorization for SSH users by a RADIUS server ····················································· 62
Authentication for SSH users by an LDAP server ···················································································· 65
AAA for 802.1X users by a RADIUS server ····························································································· 68
Troubleshooting RADIUS ································································································································· 73
RADIUS authentication failure ················································································································· 73
RADIUS packet delivery failure ················································································································ 74
RADIUS accounting error ························································································································· 74
Troubleshooting HWTACACS ·························································································································· 74
Troubleshooting LDAP ····································································································································· 75
LDAP authentication failure ······················································································································ 75
802.1X overview ·························································································· 76
802.1X architecture ·········································································································································· 76
Controlled/uncontrolled port and port authorization status ·············································································· 76
802.1X-related protocols ·································································································································· 77
Packet formats ········································································································································· 77
EAP over RADIUS ··································································································································· 78
802.1X authentication initiation ························································································································ 79
802.1X client as the initiator ····················································································································· 79
Access device as the initiator ··················································································································· 79
802.1X authentication procedures ··················································································································· 80
Comparing EAP relay and EAP termination ····························································································· 80
EAP relay ················································································································································· 81
EAP termination ······································································································································· 82
Configuring 802.1X ······················································································ 84
Access control methods ··································································································································· 84
802.1X VLAN manipulation ······························································································································ 84
Authorization VLAN ·································································································································· 84
Guest VLAN ············································································································································· 87
Auth-Fail VLAN ········································································································································ 88
Critical VLAN ············································································································································ 89
Critical voice VLAN ·································································································································· 91
802.1X VSI manipulation·································································································································· 91
802.1X support for VXLANs ····················································································································· 91
Authorization VSI ····································································································································· 92
Guest VSI ················································································································································· 92
Auth-Fail VSI ············································································································································ 93
Critical VSI ··············································································································································· 93
Using 802.1X authentication with other features······························································································ 94
ACL assignment ······································································································································· 94
User profile assignment ··························································································································· 94
EAD assistant ··········································································································································· 95
Redirect URL assignment ························································································································ 95
802.1X configuration restrictions and guidelines······························································································ 95
802.1X-enabled port configuration restrictions and guidelines ································································ 96
802.1X VLAN and VSI assignment restrictions ························································································ 96
Compatibility of 802.1X guest VSI with other features ············································································· 96
Configuration prerequisites ······························································································································ 97
802.1X configuration task list ··························································································································· 97
Enabling 802.1X ··············································································································································· 98
Enabling EAP relay or EAP termination ··········································································································· 98
Setting the port authorization state ·················································································································· 99
Specifying an access control method··············································································································· 99
Setting the maximum number of concurrent 802.1X users on a port ······························································· 99
Setting the maximum number of authentication request attempts ································································· 100
Setting the 802.1X authentication timeout timers ·························································································· 100
Configuring online user handshake················································································································ 101
Configuration restrictions and guidelines ······························································································· 101
Configuration procedure ························································································································· 101
Configuring the authentication trigger feature ································································································ 102
Configuration restrictions and guidelines ······························································································· 102
Configuration procedure ························································································································· 102
Specifying a mandatory authentication domain on a port ·············································································· 102
Setting the quiet timer ···································································································································· 103
Configuring 802.1X reauthentication ·············································································································· 103
Overview ················································································································································ 103
Configuration restrictions and guidelines ······························································································· 103
Configuring 802.1X periodic reauthentication ························································································ 104
Configuring 802.1X manual reauthentication ························································································· 104
Enabling the keep-online feature ··········································································································· 105
Configuring an 802.1X guest VLAN ··············································································································· 105
Configuration restrictions and guidelines ································································ 105
Configuration prerequisites ···················································································································· 106
Configuration procedure ························································································································· 106
Enabling 802.1X guest VLAN assignment delay···························································································· 106
Configuring an 802.1X Auth-Fail VLAN·········································································································· 107
Configuration restrictions and guidelines ································································ 107
Configuration prerequisites ···················································································································· 107
Configuration procedure ························································································································· 108
Configuring an 802.1X critical VLAN ·············································································································· 108
Configuration restrictions and guidelines ······························································································· 108
Configuration prerequisites ···················································································································· 108
Configuring the 802.1X critical VLAN on a port······················································································ 108
Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN ··························· 109
Enabling the 802.1X critical voice VLAN ········································································································ 109
Configuration restrictions and guidelines ······························································································· 109
Configuration prerequisites ···················································································································· 109
Configuration procedure ························································································································· 109
Configuring an 802.1X guest VSI ··················································································································· 110
Configuration restrictions and guidelines ······························································································· 110
Configuration prerequisites ···················································································································· 110
Configuration procedure ························································································································· 110
Enabling 802.1X guest VSI assignment delay ······························································································· 110
Overview ················································································································································ 110
Configuration procedure ························································································································· 111
Configuring an 802.1X Auth-Fail VSI ············································································································· 111
Configuration restrictions and guidelines ······························································································· 111
Configuration prerequisites ···················································································································· 111
Configuration procedure ························································································································· 111
Configuring an 802.1X critical VSI ················································································································· 112
Configuration restrictions and guidelines ······························································································· 112
Configuration prerequisites ···················································································································· 112
Configuration procedure ························································································································· 112
Specifying supported domain name delimiters ······························································································ 112
Enabling 802.1X user IP freezing··················································································································· 113
Removing the VLAN tags of 802.1X protocol packets sent out of a port ······················································· 113
Overview ················································································································································ 113
Configuration restrictions and guidelines ······························································································· 114
Configuration prerequisites ···················································································································· 114
Configuration procedure ························································································································· 114
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ··················· 114
Configuring 802.1X MAC address binding ····································································································· 115
Overview ················································································································································ 115
Configuration restrictions and guidelines ······························································································· 115
Configuration procedure ························································································································· 115
Enabling 802.1X user logging ························································································································ 115
Overview ················································································································································ 115
Configuration restrictions and guidelines ······························································································· 116
Configuration procedure ························································································································· 116
Configuring the EAD assistant feature ··········································································································· 116
Configuration restrictions and guidelines ······························································································· 116
Configuration procedure ························································································································· 116
Displaying and maintaining 802.1X ················································································································ 117
802.1X authentication configuration examples ······························································································ 117
Basic 802.1X authentication configuration example ·············································································· 117
802.1X guest VLAN and authorization VLAN configuration example ···················································· 119
802.1X with ACL assignment configuration example ············································································· 122
802.1X guest VSI and authorization VSI configuration example···························································· 123
802.1X with EAD assistant configuration example (with DHCP relay agent) ········································· 126
802.1X with EAD assistant configuration example (with DHCP server) ················································· 128
Troubleshooting 802.1X ································································································································· 131
EAD assistant URL redirection failure ···································································································· 131
Configuring MAC authentication ································································ 132
Overview ························································································································································ 132
User account policies ····························································································································· 132
Authentication methods ·························································································································· 132
VLAN assignment ·········································································································································· 133
Authorization VLAN ································································································································ 133
Guest VLAN ··········································································································································· 135
Critical VLAN ·········································································································································· 135
Critical voice VLAN ································································································································ 136
VSI manipulation ············································································································································ 137
MAC authentication support for VXLANs ······························································································· 137
Authorization VSI ··································································································································· 137
Guest VSI ··············································································································································· 138
Critical VSI ············································································································································· 138
ACL assignment ············································································································································· 139
User profile assignment ································································································································· 139
Redirect URL assignment ······························································································································ 139
Blackhole MAC attribute assignment ············································································································· 140
Configuration prerequisites ···························································································································· 140
Configuration restrictions and guidelines ······································································································· 140
MAC authentication-enabled port configuration restrictions··································································· 140
MAC authentication VLAN and VSI assignment restrictions ·································································· 141
Configuration task list ····································································································································· 141
Enabling MAC authentication ························································································································· 142
Specifying a MAC authentication domain ······································································································ 142
Configuring the user account format ·············································································································· 143
Configuring MAC authentication timers·········································································································· 143
Setting the maximum number of concurrent MAC authentication users on a port ········································· 144
Enabling MAC authentication multi-VLAN mode on a port ············································································ 144
Configuring MAC authentication delay ··········································································································· 145
Enabling parallel processing of MAC authentication and 802.1X authentication ··········································· 145
Configuration restrictions and guidelines ······························································································· 145
Configuration procedure ························································································································· 146
Configuring a MAC authentication guest VLAN ····························································································· 146
Configuring a MAC authentication critical VLAN ···························································································· 147
Enabling the MAC authentication critical voice VLAN ···················································································· 148
Configuration prerequisites ···················································································································· 148
Configuration procedure ························································································································· 148
Configuring a MAC authentication guest VSI ································································································· 148
Configuration restrictions and guidelines ······························································································· 148
Configuration prerequisites ···················································································································· 148
Configuration procedure ························································································································· 149
Configuring a MAC authentication critical VSI ······························································································· 149
Configuration restrictions and guidelines ······························································································· 149
Configuration prerequisites ···················································································································· 149
Configuration procedure ························································································································· 149
Configuring periodic MAC reauthentication ···································································································· 150
Overview ················································································································································ 150
Configuration restrictions and guidelines ······························································································· 150
Configuration procedure ························································································································· 151
Including user IP addresses in MAC authentication requests ········································································ 151
Overview ················································································································································ 151
Configuration restrictions and guidelines ······························································································· 152
Configuration procedure ························································································································· 152
Enabling MAC authentication offline detection ······························································································ 152
Enabling MAC authentication user logging ···································································································· 153
Overview ················································································································································ 153
Configuration restrictions and guidelines ······························································································· 153
Configuration procedure ························································································································· 153
Displaying and maintaining MAC authentication ···························································································· 153
MAC authentication configuration examples ·································································································· 154
Local MAC authentication configuration example ·················································································· 154
RADIUS-based MAC authentication configuration example ·································································· 156
ACL assignment configuration example ································································································· 158
MAC authentication authorization VSI assignment configuration example ············································ 161
Configuring portal authentication ······························································· 164
Overview ························································································································································ 164
Extended portal functions ······················································································································· 164
Portal system components ····················································································································· 164
Portal system using the local portal Web server ···················································································· 166
Interaction between portal system components ····················································································· 166
Portal authentication modes ··················································································································· 167
Portal support for EAP ··························································································································· 167
Portal authentication process ················································································································· 168
Portal filtering rules ································································································································ 170
Configuration restrictions and guidelines ······································································································· 170
Portal configuration task list ··························································································································· 170
Configuration prerequisites ···························································································································· 171
Configuring a portal authentication server ····································································································· 172
Configuring a portal Web server ···················································································································· 172
Enabling portal authentication ························································································································ 174
Configuration restrictions and guidelines ······························································································· 174
Configuration procedure ························································································································· 174
Specifying a portal Web server ······················································································································ 175
Controlling portal user access ························································································································ 175
Configuring a portal-free rule ················································································································· 175
Configuring an authentication source subnet ························································································· 176
Configuring an authentication destination subnet ·················································································· 177
Setting the maximum number of portal users ························································································ 178
Specifying a portal authentication domain ····························································································· 178
Specifying a preauthentication IP address pool for portal users ···························································· 179
Configuring support of Web proxy for portal authentication ··································································· 180
Enabling strict-checking on portal authorization information ·································································· 181
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ·························· 181
Configuring portal detection features ············································································································· 182
Configuring online detection of portal users ··························································································· 182
Configuring portal authentication server detection ················································································· 183
Configuring portal Web server detection ································································································ 184
Configuring portal user synchronization ································································································· 184
Configuring the portal fail-permit feature ········································································································ 185
Configuring BAS-IP for portal packets sent to the portal authentication server ············································· 186
Enabling portal roaming ································································································································· 186
Specifying a format for the NAS-Port-Id attribute ··························································································· 187
Specifying the device ID ································································································································· 187
Logging out online portal users ······················································································································ 187
Configuring Web redirect ······························································································································· 188
Applying a NAS-ID profile to an interface ······································································································ 188
Configuring the local portal Web server feature ····························································································· 189
Customizing authentication pages ········································································································· 189
Configuring a local portal Web server ···································································································· 191
Disabling the Rule ARP or ND entry feature for portal clients ······································································· 192
Enabling logging for user logins and logouts ································································································· 192
Displaying and maintaining portal ·················································································································· 193
Portal configuration examples ························································································································ 193
Configuring direct portal authentication·································································································· 193
Configuring re-DHCP portal authentication ···························································································· 201
Configuring cross-subnet portal authentication ······················································································ 205
Configuring extended direct portal authentication ·················································································· 208
Configuring extended re-DHCP portal authentication ············································································ 211
Configuring extended cross-subnet portal authentication ······································································ 215
Configuring portal server detection and portal user synchronization ····················································· 219
Configuring direct portal authentication using local portal Web server ·················································· 227
Troubleshooting portal ··································································································································· 230
No portal authentication page is pushed for users ················································································· 230
Cannot log out portal users on the access device ················································································· 230
Cannot log out portal users on the RADIUS server ··············································································· 230
Users logged out by the access device still exist on the portal authentication server ···························· 231
Re-DHCP portal authenticated users cannot log in successfully ··························································· 231
Configuring Web authentication ································································· 233
About Web authentication ······························································································································ 233
Advantages of Web authentication ········································································································ 233
Web authentication system ···················································································································· 233
Web authentication process ··················································································································· 234
Web authentication support for VLAN assignment ················································································ 234
Web authentication support for authorization ACLs ··············································································· 235
Restrictions and guidelines: Web authentication configuration ······································································ 235
Web authentication task at a glance ·············································································································· 236
Prerequisites for Web authentication ············································································································· 236
Configuring a Web authentication server ······································································································· 237
Enabling Web authentication ························································································································· 237
Specifying a Web authentication domain ······································································································· 238
Setting the redirection wait time ····················································································································· 238
Configuring a Web authentication-free subnet ······························································································· 239
Setting the maximum number of Web authentication users ·········································································· 239
Configuring online Web authentication user detection ··················································································· 240
Configuring an Auth-Fail VLAN ······················································································································ 240
Configuring Web authentication to support Web proxy ·················································································· 241
Display and maintenance commands for Web authentication ······································································· 241
Web authentication configuration examples ·································································································· 242
Example: Configuring Web authentication by using the local authentication method ···························· 242
Example: Configuring Web authentication by using the RADIUS authentication method ······················ 243
Troubleshooting Web authentication ············································································································· 245
Failure to come online (local authentication interface using the default ISP domain) ····························· 245
Configuring triple authentication ································································ 247
About triple authentication ····························································································································· 247
Typical network of triple authentication ·································································································· 247
Triple authentication mechanism ··········································································································· 247
Triple authentication support for VLAN assignment ··············································································· 248
Triple authentication support for ACL authorization ··············································································· 248
Triple authentication support for online user detection ·········································································· 249
Restrictions and guidelines: Triple authentication ·························································································· 249
Triple authentication tasks at a glance ··········································································································· 249
Triple authentication configuration examples ································································································· 249
Example: Configuring basic triple authentication ··················································································· 249
Example: Configuring triple authentication to support authorization VLAN and authentication failure VLAN ······· 253
Configuring port security ············································································ 259
Overview ························································································································································ 259
Port security features ····························································································································· 259
Port security modes ······························································································································· 259
Configuration restrictions and guidelines ······································································································· 262
Configuration task list ····································································································································· 262
Enabling port security ····································································································································· 263
Setting port security's limit on the number of secure MAC addresses on a port ············································ 263
Setting the port security mode ······················································································································· 264
Configuring port security features ·················································································································· 265
Configuring NTK ····································································································································· 265
Configuring intrusion protection ············································································································· 266
Configuring secure MAC addresses ·············································································································· 266
Configuration prerequisites ···················································································································· 267
Configuration procedure ························································································································· 267
Ignoring authorization information from the server ························································································· 268
Enabling MAC move ······································································································································ 268
Enabling the authorization-fail-offline feature ································································································· 269
Overview ················································································································································ 269
Configuration prerequisites ···················································································································· 269
Configuration procedure ························································································································· 269
Setting port security's limit on the number of MAC addresses for specific VLANs on a port ························· 270
Overview ················································································································································ 270
Configuration restrictions and guidelines ······························································································· 270
Configuration procedure ························································································································· 270
Applying a NAS-ID profile to port security ······································································································ 270
Configuring open authentication mode ·········································································································· 271
Overview ················································································································································ 271
Configuration restrictions and guidelines ······························································································· 271
Configuration procedure ························································································································· 272
Configuring the escape critical VSI feature ···································································································· 272
About the escape critical VSI feature ····································································································· 272
Configuration restrictions and guidelines ······························································································· 272
Configuration prerequisites ···················································································································· 273
Configuration procedure ························································································································· 273
Enabling port security user logging ················································································································ 273
Overview ················································································································································ 273
Configuration restrictions and guidelines ······························································································· 274
Configuration procedure ························································································································· 274
Enabling SNMP notifications for port security ································································································ 274
Displaying and maintaining port security ········································································································ 274
Port security configuration examples ············································································································· 275
autoLearn configuration example ··········································································································· 275
userLoginWithOUI configuration example······························································································ 277
macAddressElseUserLoginSecure configuration example ···································································· 279
Troubleshooting port security ························································································································· 283
Cannot set the port security mode ········································································································· 283
Cannot configure secure MAC addresses ····························································································· 284
Configuring user profiles ············································································ 285
Overview ························································································································································ 285
Configuration restrictions and guidelines ······································································································· 285
Configuring a user profile ······························································································································· 285
Displaying and maintaining user profiles········································································································ 285
User profile configuration example ················································································································ 286
Network requirements ···························································································································· 286
Configuration procedure ························································································································· 286
Verifying the configuration ······················································································································ 289
Configuring password control ···································································· 290
Overview ························································································································································ 290
Password setting ···································································································································· 290
Password updating and expiration ········································································································· 291
User login control ··································································································································· 292
Password not displayed in any form ······································································································ 293
Logging ·················································································································································· 293
FIPS compliance ············································································································································ 293
Password control configuration task list ········································································································· 293
Enabling password control ····························································································································· 294
Setting global password control parameters ·································································································· 295
Setting user group password control parameters ·························································································· 297
Setting local user password control parameters ···························································································· 298
Setting super password control parameters ··································································································· 299
Displaying and maintaining password control ································································································ 299
Password control configuration example ······································································································· 300
Network requirements ···························································································································· 300
Configuration procedure ························································································································· 300
Verifying the configuration ······················································································································ 301
Configuring keychains ··············································································· 303
Overview ························································································································································ 303
Configuration procedure ································································································································· 303
Displaying and maintaining keychain ············································································································· 304
Keychain configuration example ···················································································································· 304
Network requirements ···························································································································· 304
Configuration procedure ························································································································· 304
Verifying the configuration ······················································································································ 306
Managing public keys ················································································ 309
Overview ························································································································································ 309
FIPS compliance ············································································································································ 309
Creating a local key pair································································································································· 309
Distributing a local host public key ················································································································· 311
Exporting a host public key ···················································································································· 311
Displaying a host public key ··················································································································· 311
Destroying a local key pair ····························································································································· 312
Configuring a peer host public key ················································································································· 312
Importing a peer host public key from a public key file ·········································································· 312
Entering a peer host public key ·············································································································· 313
Displaying and maintaining public keys ········································································································· 313
Examples of public key management ············································································································ 313
Example for entering a peer host public key ·························································································· 313
Example for importing a public key from a public key file ······································································ 315
Configuring PKI ························································································· 318
Overview ························································································································································ 318
PKI terminology ······································································································································ 318
PKI architecture ······································································································································ 319
PKI operation ········································································································································· 319
PKI applications ····································································································································· 320
FIPS compliance ············································································································································ 320
PKI configuration task list ······························································································································· 320
Configuring a PKI entity ································································································································· 321
Configuring a PKI domain ······························································································································ 321
Requesting a certificate ·································································································· 323
Configuration guidelines ························································································································· 324
Configuring automatic certificate request ······························································································· 324
Manually requesting a certificate············································································································ 325
Aborting a certificate request ························································································································· 325
Obtaining certificates ······································································································ 325
Configuration prerequisites ···················································································································· 326
Configuration guidelines ························································································································· 326
Configuration procedure ························································································································· 326
Verifying PKI certificates ································································································································ 327
Verifying certificates with CRL checking ································································································ 327
Verifying certificates without CRL checking ··························································································· 328
Specifying the storage path for the certificates and CRLs ············································································· 328
Exporting certificates ······································································································································ 329
Removing a certificate ···································································································· 329
Configuring a certificate-based access control policy ···················································································· 330
Displaying and maintaining PKI ····················································································································· 331
PKI configuration examples ··························································································································· 331
Requesting a certificate from an RSA Keon CA server ········································· 331
Requesting a certificate from a Windows Server 2003 CA server ························································· 334
Requesting a certificate from an OpenCA server··················································································· 337
Certificate-based access control policy configuration example ······························ 340
Certificate import and export configuration example ·············································································· 342
Troubleshooting PKI configuration ················································································································· 347
Failed to obtain the CA certificate ·········································································································· 347
Failed to obtain local certificates ············································································································ 348
Failed to request local certificates ·········································································································· 348
Failed to obtain CRLs ····························································································································· 349
Failed to import the CA certificate ·········································································································· 350
Failed to import a local certificate ·········································································· 350
Failed to export certificates ···················································································································· 351
Failed to set the storage path ················································································································· 351
Configuring IPsec ······················································································ 352
Overview ························································································································································ 352
Security protocols and encapsulation modes························································································· 352
Security association ······························································································································· 354
Authentication and encryption ················································································································ 354
IPsec implementation ····························································································································· 355
IPsec RRI ··············································································································································· 356
Protocols and standards ························································································································ 357
FIPS compliance ············································································································································ 357
IPsec tunnel establishment ···························································································································· 357
Implementing ACL-based IPsec ····················································································· 357
Configuring an ACL ································································································································ 358
Configuring an IPsec transform set ········································································································ 359
Configuring a manual IPsec policy ········································································································· 361
Configuring an IKE-based IPsec policy ·································································································· 362
Applying an IPsec policy to an interface ································································································ 366
Enabling ACL checking for de-encapsulated packets ············································································ 366
Configuring IPsec anti-replay ················································································································· 367
Configuring IPsec anti-replay redundancy ····························································································· 367
Binding a source interface to an IPsec policy ························································································ 368
Enabling QoS pre-classify ······················································································································ 369
Enabling logging of IPsec packets ········································································································· 369
Configuring the DF bit of IPsec packets ································································································· 369
Configuring IPsec RRI ···························································································································· 370
Configuring IPsec for IPv6 routing protocols ·································································································· 371
Configuration task list ····························································································································· 371
Configuring a manual IPsec profile ········································································································ 371
Configuring SNMP notifications for IPsec ······································································································ 373
Configuring IPsec fragmentation ···················································································································· 373
Setting the maximum number of IPsec tunnels ····························································································· 374
Displaying and maintaining IPsec ·················································································································· 374
IPsec configuration examples ························································································································ 374
Configuring a manual mode IPsec tunnel for IPv4 packets ··································································· 374
Configuring IPsec for RIPng ··················································································································· 377
Configuring IKE ························································································· 381
Overview ························································································································································ 381
IKE negotiation process ························································································································· 381
IKE security mechanism ························································································································· 382
Protocols and standards ························································································································ 383
FIPS compliance ············································································································································ 383
IKE configuration prerequisites ······················································································································ 383
IKE configuration task list ······························································································································· 383
Configuring an IKE profile ······························································································································ 384
Configuring an IKE proposal ·························································································································· 386
Configuring an IKE keychain ·························································································································· 387
Configuring the global identity information ····································································································· 388
Configuring the IKE keepalive feature ··········································································································· 388
Configuring the IKE NAT keepalive feature ··································································································· 389
Configuring IKE DPD ····································································································································· 389
Enabling invalid SPI recovery ························································································································ 390
Setting the maximum number of IKE SAs ······································································································ 390
Configuring SNMP notifications for IKE ········································································································· 391
Displaying and maintaining IKE ····················································································································· 391
IKE configuration examples ··························································································································· 392
Configuring an IKE-based IPsec tunnel for IPv4 packets ······································································ 392
Main mode IKE with pre-shared key authentication configuration example ·········································· 394
Troubleshooting IKE ······································································································· 397
IKE negotiation failed because no matching IKE proposals were found ················································ 397
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·················· 398
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 398
IPsec SA negotiation failed due to invalid identity information ······························································· 399
Configuring IKEv2 ······················································································ 402
Overview ························································································································································ 402
IKEv2 negotiation process ····················································································································· 402
New features in IKEv2 ···························································································································· 403
Protocols and standards ························································································································ 403
IKEv2 configuration task list ··························································································································· 403
Configuring an IKEv2 profile ·························································································································· 404
Configuring an IKEv2 policy ··························································································································· 407
Configuring an IKEv2 proposal ······················································································································ 407
Configuring an IKEv2 keychain ······················································································································ 409
Configuring global IKEv2 parameters ··············································································· 410
Enabling the cookie challenging feature ································································································ 410
Configuring the IKEv2 DPD feature ······································································································· 410
Configuring the IKEv2 NAT keepalive feature ························································································ 410
Displaying and maintaining IKEv2 ·················································································· 411
IKEv2 configuration examples ······················································································································· 411
IKEv2 with pre-shared key authentication configuration example ·························································· 411
IKEv2 with RSA signature authentication configuration example ·························································· 416
IKEv2 with NAT traversal configuration example ··················································································· 424
Troubleshooting IKEv2 ··································································································································· 428
IKEv2 negotiation failed because no matching IKEv2 proposals were found ········································ 428
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 429
IPsec tunnel establishment failed ··········································································································· 429
Configuring SSH ························································································ 430
Overview ························································································································································ 430
How SSH works ····································································································································· 430
SSH authentication methods ·················································································································· 431
SSH support for Suite B ························································································································· 432
FIPS compliance ············································································································································ 432
Configuring the device as an SSH server ······································································································ 433
SSH server configuration task list ·········································································································· 433
Generating local key pairs ······················································································································ 433
Specifying the SSH service port ············································································································· 434
Enabling the Stelnet server ···················································································································· 434
Enabling the SFTP server ······················································································································ 435
Enabling the SCP server ························································································································ 435
Enabling NETCONF over SSH ·············································································································· 435
Configuring the user lines for SSH login ································································································ 436
Configuring a client's host public key ····································································································· 436
Configuring an SSH user ······················································································································· 437
Configuring the SSH management parameters ····················································································· 438
Specifying a PKI domain for the SSH server ························································································· 440
Releasing SSH connections ··················································································································· 440
Configuring the device as an Stelnet client ···································································································· 440
Stelnet client configuration task list ········································································································ 440
Generating local key pairs ······················································································································ 441
Specifying the source IP address for SSH packets ················································ 441
Establishing a connection to an Stelnet server ······················································································ 442
Deleting server public keys saved in the public key file on the Stelnet client ········································· 444
Establishing a connection to an Stelnet server based on Suite B ·························································· 444
Configuring the device as an SFTP client ······································································································ 444
SFTP client configuration task list ·········································································································· 444
Generating local key pairs ······················································································································ 445
Specifying the source IP address for SFTP packets ·············································· 445
Establishing a connection to an SFTP server ························································································ 446
Deleting server public keys saved in the public key file on the SFTP client ·········································· 448
Establishing a connection to an SFTP server based on Suite B ···························································· 448
Working with SFTP directories ··············································································································· 449
Working with SFTP files ························································································································· 449
Displaying help information ···················································································································· 449
Terminating the connection with the SFTP server ················································································· 450
Configuring the device as an SCP client ········································································································ 450
SCP client configuration task list ············································································································ 450
Generating local key pairs ······················································································································ 450
Specifying the source IP address for SCP packets ················································ 451
Establishing a connection to an SCP server ·························································································· 451
Deleting server public keys saved in the public key file on the SCP client ············································ 453
Establishing a connection to an SCP server based on Suite B ······························ 453
Specifying algorithms for SSH2 ····················································································································· 454
Specifying key exchange algorithms for SSH2 ······················································································ 454
Specifying public key algorithms for SSH2 ···························································································· 455
Specifying encryption algorithms for SSH2 ···························································································· 455
Specifying MAC algorithms for SSH2 ···································································································· 455
Displaying and maintaining SSH ···················································································································· 456
Stelnet configuration examples ······················································································································ 456
Password authentication enabled Stelnet server configuration example ··············································· 456
Publickey authentication enabled Stelnet server configuration example ··············································· 459
Password authentication enabled Stelnet client configuration example ················································ 464
Publickey authentication enabled Stelnet client configuration example ················································· 468
Stelnet configuration example based on 128-bit Suite B algorithms ······················································ 470
SFTP configuration examples ························································································································ 474
Password authentication enabled SFTP server configuration example ················································· 474
Publickey authentication enabled SFTP client configuration example ··················································· 476
SFTP configuration example based on 192-bit Suite B algorithms ························································ 480
SCP configuration examples ·························································································································· 483
SCP configuration example with password authentication ···································································· 484
SCP configuration example based on Suite B algorithms ······································································ 485
NETCONF over SSH configuration example with password authentication ·················································· 492
Network requirements ···························································································································· 492
Configuration procedure ························································································································· 493
Verifying the configuration ······················································································································ 494
Configuring SSL ························································································ 495
Overview ························································································································································ 495
SSL security services ····························································································································· 495
SSL protocol stack ································································································································· 495
FIPS compliance ············································································································································ 496
SSL configuration task list ······························································································································ 496
Configuring an SSL server policy ··················································································································· 496
Configuring an SSL client policy ···················································································································· 498
Displaying and maintaining SSL ···················································································································· 500
Configuring attack detection and prevention ·············································· 501
Overview ························································································································································ 501
Attacks that the device can prevent ··············································································································· 501
Single-packet attacks ····························································································································· 501
Scanning attacks ···································································································································· 502
Flood attacks ·········································································································································· 503
TCP fragment attack ······························································································································ 504
Login dictionary attack ··························································································································· 504
Attack detection and prevention configuration task list ·················································································· 504
Configuring an attack defense policy ············································································································· 505
Creating an attack defense policy ·········································································································· 505
Configuring a single-packet attack defense policy ················································································· 505
Configuring a scanning attack defense policy ························································································ 506
Configuring a flood attack defense policy ······························································································ 507
Configuring attack detection exemption ································································································· 511
Applying an attack defense policy to the device ···················································································· 512
Enabling log non-aggregation for single-packet attack events······························································· 512
Configuring TCP fragment attack prevention ································································································· 512
Enabling the login delay ································································································································· 513
Displaying and maintaining attack detection and prevention ········································································· 513
Attack detection and prevention configuration examples ··············································································· 514
Attack defense policy device application configuration example ··························································· 514
Configuring TCP attack prevention ···························································· 518
Overview ························································································································································ 518
Configuring Naptha attack prevention ············································································································ 518
Configuring IP source guard ······································································ 519
Overview ························································································································································ 519
Static IPSG bindings ······························································································································ 519
Dynamic IPSG bindings ························································································································· 520
IPSG configuration task list ···························································································································· 521
Configuring the IPv4SG feature ····················································································································· 521
Enabling IPv4SG on an interface ··········································································································· 521
Configuring a static IPv4SG binding ······································································································ 522
Configuring the IPv6SG feature ····················································································································· 522
Enabling IPv6SG on an interface ··········································································································· 522
Configuring a static IPv6SG binding ······································································································ 523
Displaying and maintaining IPSG··················································································································· 524
IPSG configuration examples ························································································································ 524
Static IPv4SG configuration example ····································································································· 524
DHCP snooping-based dynamic IPv4SG configuration example ·························································· 526
DHCP relay agent-based dynamic IPv4SG configuration example ······················································· 527
Static IPv6SG configuration example ····································································································· 528
DHCPv6 snooping-based dynamic IPv6SG address binding configuration example ···························· 528
DHCPv6 snooping-based dynamic IPv6SG prefix binding configuration example ································ 529
Dynamic IPv6SG using DHCPv6 relay agent configuration example ···················································· 530
Configuring ARP attack protection ····························································· 532
ARP attack protection configuration task list ·································································································· 532
Configuring unresolvable IP attack protection ······························································································· 532
Configuring ARP source suppression ···································································································· 533
Configuring ARP blackhole routing ········································································································ 533
Displaying and maintaining unresolvable IP attack protection ······························································· 533
Configuration example ··························································································································· 534
Configuring ARP packet rate limit ·················································································································· 534
Configuration guidelines ························································································································· 535
Configuration procedure ························································································································· 535
Configuring source MAC-based ARP attack detection ·················································································· 535
Configuration procedure ························································································································· 536
Displaying and maintaining source MAC-based ARP attack detection ·················································· 536
Configuration example ··························································································································· 537
Configuring ARP packet source MAC consistency check ·············································································· 538
Configuring ARP active acknowledgement ···································································································· 538
Configuring authorized ARP··························································································································· 538
Configuration procedure ························································································································· 539
Configuration example (on a DHCP server)··························································································· 539
Configuration example (on a DHCP relay agent) ··················································································· 540
Configuring ARP attack detection ·················································································································· 541
Configuring user validity check ·············································································································· 542
Configuring ARP packet validity check ·································································································· 543
Configuring ARP restricted forwarding ··································································································· 543
Ignoring ingress ports of ARP packets for user validity check ······························································· 544
Configuring ARP attack detection for a VSI ··························································································· 544
Enabling ARP attack detection logging ·································································································· 546
Displaying and maintaining ARP attack detection·················································································· 546
User validity check configuration example ····························································································· 546
User validity check and ARP packet validity check configuration example ············································ 548
ARP restricted forwarding configuration example ·················································································· 549
Configuring ARP scanning and fixed ARP ····································································································· 551
Configuration restrictions and guidelines ······························································································· 551
Configuration procedure ························································································································· 551
Configuring ARP gateway protection ············································································································· 552
Configuration guidelines ························································································································· 552
Configuration procedure ························································································································· 552
Configuration example ··························································································································· 552
Configuring ARP filtering ································································································································ 553
Configuration guidelines ························································································································· 553
Configuration procedure ························································································································· 553
Configuration example ··························································································································· 554
Configuring ARP sender IP address checking ······························································································· 555
Configuring ND attack defense ·································································· 556
Overview ························································································································································ 556
ND attack defense configuration task list ······································································································· 556
Enabling source MAC consistency check for ND messages ········································································· 556
Configuring ND attack detection ···················································································································· 557
About ND attack detection ····················································································································· 557
Configuration guidelines ························································································································· 557
Configuration procedure ························································································································· 558
Displaying and maintaining ND attack detection ···················································································· 558
ND attack detection configuration example···························································································· 558
Configuring RA guard····································································································································· 560
About RA guard ······································································································································ 560
Specifying the role of the attached device ····························································································· 560
Configuring an RA guard policy ············································································································· 561
Enabling the RA guard logging feature ·································································································· 561
Displaying and maintaining RA guard ···································································································· 562
RA guard configuration example ············································································································ 562
Configuring uRPF ······················································································ 565
Overview ························································································································································ 565
uRPF check modes ································································································································ 565
uRPF operation ······································································································································ 565
Network application ································································································································ 568
Enabling uRPF ··············································································································································· 568
Displaying and maintaining uRPF ·················································································································· 569
Global uRPF configuration example ·············································································································· 569
Configuring MFF ························································································ 570
Overview ························································································································································ 570
Basic concepts ······································································································································· 571
MFF operation modes ···························································································································· 571
MFF working mechanism ······················································································································· 572
Protocols and standards ························································································································ 572
Configuring MFF ············································································································································ 572
Enabling MFF ········································································································································· 572
Configuring a network port ····················································································································· 572
Enabling periodic gateway probe ··········································································································· 573
Specifying the IP addresses of servers ·································································································· 573
Displaying and maintaining MFF ···················································································································· 574
MFF configuration examples ·························································································································· 574
Manual-mode MFF configuration example in a tree network ································································· 574
Manual-mode MFF configuration example in a ring network ································································· 575
Configuring crypto engines ········································································ 577
Overview ························································································································································ 577
Displaying and maintaining crypto engines ···································································································· 577
Configuring FIPS ······················································································· 578
Overview ························································································································································ 578
Configuration restrictions and guidelines ······································································································· 578
Configuring FIPS mode ·································································································································· 579
Entering FIPS mode ······························································································································· 579
Configuration changes in FIPS mode ···································································································· 580
Exiting FIPS mode ································································································································· 581
FIPS self-tests ················································································································································ 581
Power-up self-tests ································································································································ 582
Conditional self-tests ······························································································································ 582
Triggering self-tests ································································································································ 583
Displaying and maintaining FIPS ··················································································································· 583
FIPS configuration examples ························································································································· 583
Entering FIPS mode through automatic reboot ······················································································ 583
Entering FIPS mode through manual reboot ·························································································· 584
Exiting FIPS mode through automatic reboot ························································································ 586
Exiting FIPS mode through manual reboot ···························································································· 586
Document conventions and icons ······························································ 588
Conventions ··················································································································································· 588
Network topology icons ·································································································································· 589
Support and other resources ····································································· 590
Accessing Hewlett Packard Enterprise Support····························································································· 590
Accessing updates ········································································································································· 590
Websites ················································································································································ 591
Customer self repair ······························································································································· 591
Remote support ······································································································································ 591
Documentation feedback ······················································································································· 591
Index ·········································································································· 593
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
  resources and services. For example, you can permit office users to read and print files and
  prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
  and traffic. This function enables time-based and traffic-based charging and user behavior
  auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
[Figure 1 shows a remote user reaching the NAS over the Internet, with the NAS connected through the network to a RADIUS server and an HWTACACS server.]
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
  addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
[Figure 2 shows the RADIUS server with its three databases: Users, Clients, and Dictionary.]
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
  values and their meanings.

Table 1 Main values of the Code field

Code  Packet type          Description
1     Access-Request       From the client to the server. A packet of this type includes user
                           information for the server to authenticate the user. It must contain
                           the User-Name attribute and can optionally contain the attributes of
                           NAS-IP-Address, User-Password, and NAS-Port.
2     Access-Accept        From the server to the client. If all attribute values included in the
                           Access-Request are acceptable, the authentication succeeds, and
                           the server sends an Access-Accept response.
3     Access-Reject        From the server to the client. If any attribute value included in the
                           Access-Request is unacceptable, the authentication fails, and the
                           server sends an Access-Reject response.
4     Accounting-Request   From the client to the server. A packet of this type includes user
                           information for the server to start or stop accounting for the user.
                           The Acct-Status-Type attribute in the packet indicates whether to
                           start or stop accounting.
5     Accounting-Response  From the server to the client. The server sends a packet of this type
                           to notify the client that it has received the Accounting-Request and
                           has successfully recorded the accounting information.

• The Identifier field (1 byte long) is used to match response packets with request packets and to
  detect duplicate request packets. The request and response packets of the same exchange
  process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
  Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
  considered padding and are ignored by the receiver. If the length of a received packet is less
  than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
  server and to encrypt user passwords. There are two types of authenticators: request
  authenticator and response authenticator.
• The Attributes field (variable in length) includes authentication, authorization, and accounting
  information. This field can contain multiple attributes, each with the following subfields:
  - Type—Type of the attribute.
  - Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
  - Value—Value of the attribute. Its format and content depend on the Type subfield.
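The shared-key mechanism described under "Information exchange security mechanism" and the packet layout above, as an added Python example that is not part of the HPE guide: it builds an Access-Request with the User-Password hidden using the shared key and Request Authenticator, parses the header and attribute TLVs applying the Length rules, and computes and verifies the Response Authenticator of the server's reply. The shared key, username, password and NAS address are constructed sample values; the attribute type numbers are the RFC 2865 values for the attributes named in Table 1.

```python
"""Added example, not code from the HPE guide: build, parse and verify RADIUS
packets following the Authenticator, User-Password and Length rules the text
describes (RFC 2865). The shared key and credentials are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # Code values, Table 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4         # attribute types
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator

def encode_attr(atype: int, value: bytes) -> bytes:
    """Attribute TLV: Type, Length (counts Type and Length too), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password protection: pad to a 16-byte multiple, XOR each block with
    MD5(shared key + previous block), seeded with the Request Authenticator.
    This is shared-key obfuscation, not authenticated encryption."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; what the server does before checking."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, secret, username, password, nas_ip, req_auth=None):
    """Client side: fresh random Request Authenticator, password hidden with it."""
    req_auth = req_auth or os.urandom(16)
    body = (encode_attr(USER_NAME, username)
            + encode_attr(USER_PASSWORD, hide_password(password, secret, req_auth))
            + encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), req_auth) + body

def parse_packet(datagram: bytes):
    """Length rules from the text: bytes past Length are padding and ignored;
    a datagram shorter than Length (or with malformed TLVs) is dropped."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 20-byte header: drop")
    code, ident, length, auth = HEADER.unpack_from(datagram)
    if length < HEADER.size or len(datagram) < length:
        raise ValueError("datagram shorter than its Length field: drop")
    attrs, pos = [], HEADER.size
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header: drop")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute Length: drop")
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return code, ident, auth, attrs

def build_response(code, request, body, secret):
    """Server side: echo the Identifier and sign with the Request Authenticator:
    ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | key)."""
    _, ident, _, req_auth = HEADER.unpack_from(request)
    length = HEADER.size + len(body)
    resp_auth = hashlib.md5(HEADER.pack(code, ident, length, req_auth) + body + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + body

def verify_response(response, req_auth, secret) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant
    time; on mismatch the reply must be discarded."""
    code, ident, length, resp_auth = HEADER.unpack_from(response)
    expected = hashlib.md5(HEADER.pack(code, ident, length, req_auth)
                           + response[HEADER.size:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

if __name__ == "__main__":
    key = b"constructed-shared-key"
    req = build_access_request(7, key, b"alice", b"pa55word", "192.0.2.10")
    _, _, req_auth, attrs = parse_packet(req)                       # server side
    ok = reveal_password(dict(attrs)[USER_PASSWORD], key, req_auth) == b"pa55word"
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req, b"", key)
    print("reply authentic:", verify_response(reply, req_auth, key))   # True
    print("wrong key accepted:", verify_response(reply, req_auth, b"x"))  # False
```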