Aruba Security Configuration Guide

Category: Software
Type: Configuration Guide
HPE FlexFabric 5710 Switch Series
Security Configuration Guide
Part number: 5200-5002b
Software version: Release 2612 and later
Document version: 6W102-20200310
© Copyright 2020 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring AAA ···························································································· 1
Overview ···························································································································································· 1
RADIUS ······················································································································································ 2
HWTACACS ··············································································································································· 6
LDAP ·························································································································································· 9
AAA implementation on the device ·········································································································· 12
AAA for MPLS L3VPNs ···························································································································· 14
Protocols and standards ·························································································································· 14
RADIUS attributes ···································································································································· 14
FIPS compliance ·············································································································································· 19
AAA configuration considerations and task list ································································································ 19
Configuring AAA schemes ······························································································································· 20
Configuring local users ····························································································································· 20
Configuring RADIUS schemes ················································································································· 25
Configuring HWTACACS schemes ·········································································································· 37
Configuring LDAP schemes ····················································································································· 43
Configuring AAA methods for ISP domains ····································································································· 47
Configuration prerequisites ······················································································································ 48
Creating an ISP domain ··························································································································· 48
Configuring ISP domain attributes ··········································································································· 49
Configuring authentication methods for an ISP domain ··········································································· 50
Configuring authorization methods for an ISP domain ············································································· 51
Configuring accounting methods for an ISP domain ················································································ 52
Configuring the RADIUS session-control feature ····························································································· 54
Configuring the RADIUS DAS feature·············································································································· 54
Changing the DSCP priority for RADIUS packets ···························································································· 55
Configuring the RADIUS attribute translation feature ······················································································ 55
Setting the maximum number of concurrent login users ·················································································· 57
Configuring a NAS-ID profile ···························································································································· 57
Configuring the device ID ································································································································· 58
Configuring the connection recording policy ···································································································· 58
Displaying and maintaining AAA ······················································································································ 58
AAA configuration examples ···························································································································· 59
AAA for SSH users by an HWTACACS server ························································································ 59
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ····················· 60
Authentication and authorization for SSH users by a RADIUS server ····················································· 62
Authentication for SSH users by an LDAP server ···················································································· 65
AAA for 802.1X users by a RADIUS server ····························································································· 68
Troubleshooting RADIUS ································································································································· 73
RADIUS authentication failure ················································································································· 73
RADIUS packet delivery failure ················································································································ 74
RADIUS accounting error ························································································································· 74
Troubleshooting HWTACACS ·························································································································· 74
Troubleshooting LDAP ····································································································································· 75
LDAP authentication failure ······················································································································ 75
802.1X overview ·························································································· 76
802.1X architecture ·········································································································································· 76
Controlled/uncontrolled port and port authorization status ·············································································· 76
802.1X-related protocols ·································································································································· 77
Packet formats ········································································································································· 77
EAP over RADIUS ··································································································································· 78
802.1X authentication initiation ························································································································ 79
802.1X client as the initiator ····················································································································· 79
Access device as the initiator ··················································································································· 79
802.1X authentication procedures ··················································································································· 80
Comparing EAP relay and EAP termination ····························································································· 80
EAP relay ················································································································································· 81
EAP termination ······································································································································· 82
Configuring 802.1X ······················································································ 84
Access control methods ··································································································································· 84
802.1X VLAN manipulation ······························································································································ 84
Authorization VLAN ·································································································································· 84
Guest VLAN ············································································································································· 87
Auth-Fail VLAN ········································································································································ 88
Critical VLAN ············································································································································ 89
Critical voice VLAN ·································································································································· 91
802.1X VSI manipulation·································································································································· 91
802.1X support for VXLANs ····················································································································· 91
Authorization VSI ····································································································································· 92
Guest VSI ················································································································································· 92
Auth-Fail VSI ············································································································································ 93
Critical VSI ··············································································································································· 93
Using 802.1X authentication with other features······························································································ 94
ACL assignment ······································································································································· 94
User profile assignment ··························································································································· 94
EAD assistant ··········································································································································· 95
Redirect URL assignment ························································································································ 95
802.1X configuration restrictions and guidelines······························································································ 95
802.1X-enabled port configuration restrictions and guidelines ································································ 96
802.1X VLAN and VSI assignment restrictions ························································································ 96
Compatibility of 802.1X guest VSI with other features ············································································· 96
Configuration prerequisites ······························································································································ 97
802.1X configuration task list ··························································································································· 97
Enabling 802.1X ··············································································································································· 98
Enabling EAP relay or EAP termination ··········································································································· 98
Setting the port authorization state ·················································································································· 99
Specifying an access control method··············································································································· 99
Setting the maximum number of concurrent 802.1X users on a port ······························································· 99
Setting the maximum number of authentication request attempts ································································· 100
Setting the 802.1X authentication timeout timers ·························································································· 100
Configuring online user handshake················································································································ 101
Configuration restrictions and guidelines ······························································································· 101
Configuration procedure ························································································································· 101
Configuring the authentication trigger feature ································································································ 102
Configuration restrictions and guidelines ······························································································· 102
Configuration procedure ························································································································· 102
Specifying a mandatory authentication domain on a port ·············································································· 102
Setting the quiet timer ···································································································································· 103
Configuring 802.1X reauthentication ·············································································································· 103
Overview ················································································································································ 103
Configuration restrictions and guidelines ······························································································· 103
Configuring 802.1X periodic reauthentication ························································································ 104
Configuring 802.1X manual reauthentication ························································································· 104
Enabling the keep-online feature ··········································································································· 105
Configuring an 802.1X guest VLAN ··············································································································· 105
Configuration restrictions and guidelines ························································································ 105
Configuration prerequisites ···················································································································· 106
Configuration procedure ························································································································· 106
Enabling 802.1X guest VLAN assignment delay···························································································· 106
Configuring an 802.1X Auth-Fail VLAN·········································································································· 107
Configuration restrictions and guidelines ························································································ 107
Configuration prerequisites ···················································································································· 107
Configuration procedure ························································································································· 108
Configuring an 802.1X critical VLAN ·············································································································· 108
Configuration restrictions and guidelines ······························································································· 108
Configuration prerequisites ···················································································································· 108
Configuring the 802.1X critical VLAN on a port······················································································ 108
Sending EAP-Success packets on assignment of users to the 802.1X critical VLAN ··························· 109
Enabling the 802.1X critical voice VLAN ········································································································ 109
Configuration restrictions and guidelines ······························································································· 109
Configuration prerequisites ···················································································································· 109
Configuration procedure ························································································································· 109
Configuring an 802.1X guest VSI ··················································································································· 110
Configuration restrictions and guidelines ······························································································· 110
Configuration prerequisites ···················································································································· 110
Configuration procedure ························································································································· 110
Enabling 802.1X guest VSI assignment delay ······························································································· 110
Overview ················································································································································ 110
Configuration procedure ························································································································· 111
Configuring an 802.1X Auth-Fail VSI ············································································································· 111
Configuration restrictions and guidelines ······························································································· 111
Configuration prerequisites ···················································································································· 111
Configuration procedure ························································································································· 111
Configuring an 802.1X critical VSI ················································································································· 112
Configuration restrictions and guidelines ······························································································· 112
Configuration prerequisites ···················································································································· 112
Configuration procedure ························································································································· 112
Specifying supported domain name delimiters ······························································································ 112
Enabling 802.1X user IP freezing··················································································································· 113
Removing the VLAN tags of 802.1X protocol packets sent out of a port ······················································· 113
Overview ················································································································································ 113
Configuration restrictions and guidelines ······························································································· 114
Configuration prerequisites ···················································································································· 114
Configuration procedure ························································································································· 114
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ··················· 114
Configuring 802.1X MAC address binding ····································································································· 115
Overview ················································································································································ 115
Configuration restrictions and guidelines ······························································································· 115
Configuration procedure ························································································································· 115
Enabling 802.1X user logging ························································································································ 115
Overview ················································································································································ 115
Configuration restrictions and guidelines ······························································································· 116
Configuration procedure ························································································································· 116
Configuring the EAD assistant feature ··········································································································· 116
Configuration restrictions and guidelines ······························································································· 116
Configuration procedure ························································································································· 116
Displaying and maintaining 802.1X ················································································································ 117
802.1X authentication configuration examples ······························································································ 117
Basic 802.1X authentication configuration example ·············································································· 117
802.1X guest VLAN and authorization VLAN configuration example ···················································· 119
802.1X with ACL assignment configuration example ············································································· 122
802.1X guest VSI and authorization VSI configuration example···························································· 123
802.1X with EAD assistant configuration example (with DHCP relay agent) ········································· 126
802.1X with EAD assistant configuration example (with DHCP server) ················································· 128
Troubleshooting 802.1X ································································································································· 131
EAD assistant URL redirection failure ···································································································· 131
Configuring MAC authentication ································································ 132
Overview ························································································································································ 132
User account policies ····························································································································· 132
Authentication methods ·························································································································· 132
VLAN assignment ·········································································································································· 133
Authorization VLAN ································································································································ 133
Guest VLAN ··········································································································································· 135
Critical VLAN ·········································································································································· 135
Critical voice VLAN ································································································································ 136
VSI manipulation ············································································································································ 137
MAC authentication support for VXLANs ······························································································· 137
Authorization VSI ··································································································································· 137
Guest VSI ··············································································································································· 138
Critical VSI ············································································································································· 138
ACL assignment ············································································································································· 139
User profile assignment ································································································································· 139
Redirect URL assignment ······························································································································ 139
Blackhole MAC attribute assignment ············································································································· 140
Configuration prerequisites ···························································································································· 140
Configuration restrictions and guidelines ······································································································· 140
MAC authentication-enabled port configuration restrictions··································································· 140
MAC authentication VLAN and VSI assignment restrictions ·································································· 141
Configuration task list ····································································································································· 141
Enabling MAC authentication ························································································································· 142
Specifying a MAC authentication domain ······································································································ 142
Configuring the user account format ·············································································································· 143
Configuring MAC authentication timers·········································································································· 143
Setting the maximum number of concurrent MAC authentication users on a port ········································· 144
Enabling MAC authentication multi-VLAN mode on a port ············································································ 144
Configuring MAC authentication delay ··········································································································· 145
Enabling parallel processing of MAC authentication and 802.1X authentication ··········································· 145
Configuration restrictions and guidelines ······························································································· 145
Configuration procedure ························································································································· 146
Configuring a MAC authentication guest VLAN ····························································································· 146
Configuring a MAC authentication critical VLAN ···························································································· 147
Enabling the MAC authentication critical voice VLAN ···················································································· 148
Configuration prerequisites ···················································································································· 148
Configuration procedure ························································································································· 148
Configuring a MAC authentication guest VSI ································································································· 148
Configuration restrictions and guidelines ······························································································· 148
Configuration prerequisites ···················································································································· 148
Configuration procedure ························································································································· 149
Configuring a MAC authentication critical VSI ······························································································· 149
Configuration restrictions and guidelines ······························································································· 149
Configuration prerequisites ···················································································································· 149
Configuration procedure ························································································································· 149
Configuring periodic MAC reauthentication···································································································· 150
Overview ················································································································································ 150
Configuration restrictions and guidelines ······························································································· 150
Configuration procedure ························································································································· 151
Including user IP addresses in MAC authentication requests ········································································ 151
Overview ················································································································································ 151
Configuration restrictions and guidelines ······························································································· 152
Configuration procedure ························································································································· 152
Enabling MAC authentication offline detection ······························································································ 152
Enabling MAC authentication user logging ···································································································· 153
Overview ················································································································································ 153
Configuration restrictions and guidelines ······························································································· 153
Configuration procedure ························································································································· 153
Displaying and maintaining MAC authentication ···························································································· 153
MAC authentication configuration examples ·································································································· 154
Local MAC authentication configuration example ·················································································· 154
RADIUS-based MAC authentication configuration example ·································································· 156
ACL assignment configuration example ································································································· 158
MAC authentication authorization VSI assignment configuration example ············································ 161
Configuring portal authentication ······························································· 164
Overview ························································································································································ 164
Extended portal functions ······················································································································· 164
Portal system components ····················································································································· 164
Portal system using the local portal Web server ···················································································· 166
Interaction between portal system components ····················································································· 166
Portal authentication modes ··················································································································· 167
Portal support for EAP ··························································································································· 167
Portal authentication process ················································································································· 168
Portal filtering rules ································································································································ 170
Configuration restrictions and guidelines ······································································································· 170
Portal configuration task list ··························································································································· 170
Configuration prerequisites ···························································································································· 171
Configuring a portal authentication server ····································································································· 172
Configuring a portal Web server ···················································································································· 172
Enabling portal authentication ························································································································ 174
Configuration restrictions and guidelines ······························································································· 174
Configuration procedure ························································································································· 174
Specifying a portal Web server ······················································································································ 175
Controlling portal user access ························································································································ 175
Configuring a portal-free rule ················································································································· 175
Configuring an authentication source subnet ························································································· 176
Configuring an authentication destination subnet ·················································································· 177
Setting the maximum number of portal users ························································································ 178
Specifying a portal authentication domain ····························································································· 178
Specifying a preauthentication IP address pool for portal users ···························································· 179
Configuring support of Web proxy for portal authentication ··································································· 180
Enabling strict-checking on portal authorization information ·································································· 181
Allowing only users with DHCP-assigned IP addresses to pass portal authentication ·························· 181
Configuring portal detection features ············································································································· 182
Configuring online detection of portal users ··························································································· 182
Configuring portal authentication server detection ················································································· 183
Configuring portal Web server detection ································································································ 184
Configuring portal user synchronization ································································································· 184
Configuring the portal fail-permit feature ········································································································ 185
Configuring BAS-IP for portal packets sent to the portal authentication server ············································· 186
Enabling portal roaming ································································································································· 186
Specifying a format for the NAS-Port-Id attribute ··························································································· 187
Specifying the device ID································································································································· 187
Logging out online portal users ······················································································································ 187
Configuring Web redirect ······························································································································· 188
Applying a NAS-ID profile to an interface ······································································································ 188
Configuring the local portal Web server feature ····························································································· 189
Customizing authentication pages ········································································································· 189
Configuring a local portal Web server ···································································································· 191
Disabling the Rule ARP or ND entry feature for portal clients ······································································· 192
Enabling logging for user logins and logouts ································································································· 192
Displaying and maintaining portal ·················································································································· 193
Portal configuration examples ························································································································ 193
Configuring direct portal authentication·································································································· 193
Configuring re-DHCP portal authentication ···························································································· 201
Configuring cross-subnet portal authentication ······················································································ 205
Configuring extended direct portal authentication ·················································································· 208
Configuring extended re-DHCP portal authentication ············································································ 211
Configuring extended cross-subnet portal authentication ······································································ 215
Configuring portal server detection and portal user synchronization ····················································· 219
Configuring direct portal authentication using local portal Web server ·················································· 227
Troubleshooting portal ··································································································································· 230
No portal authentication page is pushed for users ················································································· 230
Cannot log out portal users on the access device ················································································· 230
Cannot log out portal users on the RADIUS server ··············································································· 230
Users logged out by the access device still exist on the portal authentication server ···························· 231
Re-DHCP portal authenticated users cannot log in successfully ··························································· 231
Configuring Web authentication ································································· 233
About Web authentication ······························································································································ 233
Advantages of Web authentication ········································································································ 233
Web authentication system ···················································································································· 233
Web authentication process ··················································································································· 234
Web authentication support for VLAN assignment ················································································ 234
Web authentication support for authorization ACLs ··············································································· 235
Restrictions and guidelines: Web authentication configuration ······································································ 235
Web authentication task at a glance ·············································································································· 236
Prerequisites for Web authentication ············································································································· 236
Configuring a Web authentication server ······································································································· 237
Enabling Web authentication ························································································································· 237
Specifying a Web authentication domain ······································································································· 238
Setting the redirection wait time ····················································································································· 238
Configuring a Web authentication-free subnet ······························································································· 239
Setting the maximum number of Web authentication users ·········································································· 239
Configuring online Web authentication user detection ··················································································· 240
Configuring an Auth-Fail VLAN ······················································································································ 240
Configuring Web authentication to support Web proxy ·················································································· 241
Display and maintenance commands for Web authentication ······································································· 241
Web authentication configuration examples ·································································································· 242
Example: Configuring Web authentication by using the local authentication method ···························· 242
Example: Configuring Web authentication by using the RADIUS authentication method······················ 243
Troubleshooting Web authentication ············································································································· 245
Failure to come online (local authentication interface using the default ISP domain) ····························· 245
Configuring triple authentication ································································ 247
About triple authentication ····························································································································· 247
Typical network of triple authentication ·································································································· 247
Triple authentication mechanism ··········································································································· 247
Triple authentication support for VLAN assignment ··············································································· 248
Triple authentication support for ACL authorization ··············································································· 248
Triple authentication support for online user detection ·········································································· 249
Restrictions and guidelines: Triple authentication ·························································································· 249
Triple authentication tasks at a glance ··········································································································· 249
Triple authentication configuration examples ································································································· 249
Example: Configuring basic triple authentication ··················································································· 249
Example: Configuring triple authentication to support authorization VLAN and authentication failure VLAN ····· 253
Configuring port security ············································································ 259
Overview ························································································································································ 259
Port security features ····························································································································· 259
Port security modes ······························································································································· 259
Configuration restrictions and guidelines ······································································································· 262
Configuration task list ····································································································································· 262
Enabling port security····································································································································· 263
Setting port security's limit on the number of secure MAC addresses on a port ············································ 263
Setting the port security mode ······················································································································· 264
Configuring port security features ·················································································································· 265
Configuring NTK ····································································································································· 265
Configuring intrusion protection ············································································································· 266
Configuring secure MAC addresses ·············································································································· 266
Configuration prerequisites ···················································································································· 267
Configuration procedure ························································································································· 267
Ignoring authorization information from the server························································································· 268
Enabling MAC move ······································································································································ 268
Enabling the authorization-fail-offline feature ································································································· 269
Overview ················································································································································ 269
Configuration prerequisites ···················································································································· 269
Configuration procedure ························································································································· 269
Setting port security's limit on the number of MAC addresses for specific VLANs on a port ························· 270
Overview ················································································································································ 270
Configuration restrictions and guidelines ······························································································· 270
Configuration procedure ························································································································· 270
Applying a NAS-ID profile to port security ······································································································ 270
Configuring open authentication mode ·········································································································· 271
Overview ················································································································································ 271
Configuration restrictions and guidelines ······························································································· 271
Configuration procedure ························································································································· 272
Configuring the escape critical VSI feature ···································································································· 272
About the escape critical VSI feature ····································································································· 272
Configuration restrictions and guidelines ······························································································· 272
Configuration prerequisites ···················································································································· 273
Configuration procedure ························································································································· 273
Enabling port security user logging ················································································································ 273
Overview ················································································································································ 273
Configuration restrictions and guidelines ······························································································· 274
Configuration procedure ························································································································· 274
Enabling SNMP notifications for port security ································································································ 274
Displaying and maintaining port security········································································································ 274
Port security configuration examples ············································································································· 275
autoLearn configuration example ··········································································································· 275
userLoginWithOUI configuration example······························································································ 277
macAddressElseUserLoginSecure configuration example ···································································· 279
Troubleshooting port security ························································································································· 283
Cannot set the port security mode ········································································································· 283
Cannot configure secure MAC addresses ····························································································· 284
Configuring user profiles ············································································ 285
Overview ························································································································································ 285
Configuration restrictions and guidelines ······································································································· 285
Configuring a user profile ······························································································································· 285
Displaying and maintaining user profiles········································································································ 285
User profile configuration example ················································································································ 286
Network requirements ···························································································································· 286
Configuration procedure ························································································································· 286
Verifying the configuration ······················································································································ 289
Configuring password control ···································································· 290
Overview ························································································································································ 290
Password setting ···································································································································· 290
Password updating and expiration ········································································································· 291
User login control ··································································································································· 292
Password not displayed in any form ······································································································ 293
Logging ·················································································································································· 293
FIPS compliance ············································································································································ 293
Password control configuration task list ········································································································· 293
Enabling password control ····························································································································· 294
Setting global password control parameters ·································································································· 295
Setting user group password control parameters ·························································································· 297
Setting local user password control parameters ···························································································· 298
Setting super password control parameters··································································································· 299
Displaying and maintaining password control ································································································ 299
Password control configuration example ······································································································· 300
Network requirements ···························································································································· 300
Configuration procedure ························································································································· 300
Verifying the configuration ······················································································································ 301
Configuring keychains ··············································································· 303
Overview ························································································································································ 303
Configuration procedure································································································································· 303
Displaying and maintaining keychain ············································································································· 304
Keychain configuration example ···················································································································· 304
Network requirements ···························································································································· 304
Configuration procedure ························································································································· 304
Verifying the configuration ······················································································································ 306
Managing public keys ················································································ 309
Overview ························································································································································ 309
FIPS compliance
Creating a local key pair
Distributing a local host public key
Exporting a host public key
Displaying a host public key
Destroying a local key pair
Configuring a peer host public key
Importing a peer host public key from a public key file
Entering a peer host public key
Displaying and maintaining public keys
Examples of public key management
Example for entering a peer host public key
Example for importing a public key from a public key file
Configuring PKI
Overview
PKI terminology
PKI architecture
PKI operation
PKI applications
FIPS compliance
PKI configuration task list
Configuring a PKI entity
Configuring a PKI domain
Requesting a certificate
Configuration guidelines
Configuring automatic certificate request
Manually requesting a certificate
Aborting a certificate request
Obtaining certificates
Configuration prerequisites
Configuration guidelines
Configuration procedure
Verifying PKI certificates
Verifying certificates with CRL checking
Verifying certificates without CRL checking
Specifying the storage path for the certificates and CRLs
Exporting certificates
Removing a certificate
Configuring a certificate-based access control policy
Displaying and maintaining PKI
PKI configuration examples
Requesting a certificate from an RSA Keon CA server
Requesting a certificate from a Windows Server 2003 CA server
Requesting a certificate from an OpenCA server
Certificate-based access control policy configuration example
Certificate import and export configuration example
Troubleshooting PKI configuration
Failed to obtain the CA certificate
Failed to obtain local certificates
Failed to request local certificates
Failed to obtain CRLs
Failed to import the CA certificate
Failed to import a local certificate
Failed to export certificates
Failed to set the storage path
Configuring IPsec
Overview
Security protocols and encapsulation modes
Security association
Authentication and encryption
IPsec implementation
IPsec RRI
Protocols and standards
FIPS compliance
IPsec tunnel establishment
Implementing ACL-based IPsec
Configuring an ACL
Configuring an IPsec transform set
Configuring a manual IPsec policy
Configuring an IKE-based IPsec policy
Applying an IPsec policy to an interface
Enabling ACL checking for de-encapsulated packets
Configuring IPsec anti-replay
Configuring IPsec anti-replay redundancy
Binding a source interface to an IPsec policy
Enabling QoS pre-classify
Enabling logging of IPsec packets
Configuring the DF bit of IPsec packets
Configuring IPsec RRI
Configuring IPsec for IPv6 routing protocols
Configuration task list
Configuring a manual IPsec profile
Configuring SNMP notifications for IPsec
Configuring IPsec fragmentation
Setting the maximum number of IPsec tunnels
Displaying and maintaining IPsec
IPsec configuration examples
Configuring a manual mode IPsec tunnel for IPv4 packets
Configuring IPsec for RIPng
Configuring IKE
Overview
IKE negotiation process
IKE security mechanism
Protocols and standards
FIPS compliance
IKE configuration prerequisites
IKE configuration task list
Configuring an IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring the global identity information
Configuring the IKE keepalive feature
Configuring the IKE NAT keepalive feature
Configuring IKE DPD
Enabling invalid SPI recovery
Setting the maximum number of IKE SAs
Configuring SNMP notifications for IKE
Displaying and maintaining IKE
IKE configuration examples
Configuring an IKE-based IPsec tunnel for IPv4 packets
Main mode IKE with pre-shared key authentication configuration example
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec SA negotiation failed due to invalid identity information
Configuring IKEv2
Overview
IKEv2 negotiation process
New features in IKEv2
Protocols and standards
IKEv2 configuration task list
Configuring an IKEv2 profile
Configuring an IKEv2 policy
Configuring an IKEv2 proposal
Configuring an IKEv2 keychain
Configure global IKEv2 parameters
Enabling the cookie challenging feature
Configuring the IKEv2 DPD feature
Configuring the IKEv2 NAT keepalive feature
Displaying and maintaining IKEv2
IKEv2 configuration examples
IKEv2 with pre-shared key authentication configuration example
IKEv2 with RSA signature authentication configuration example
IKEv2 with NAT traversal configuration example
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2 proposals were found
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec tunnel establishment failed
Configuring SSH
Overview
How SSH works
SSH authentication methods
SSH support for Suite B
FIPS compliance
Configuring the device as an SSH server
SSH server configuration task list
Generating local key pairs
Specifying the SSH service port
Enabling the Stelnet server
Enabling the SFTP server
Enabling the SCP server
Enabling NETCONF over SSH
Configuring the user lines for SSH login
Configuring a client's host public key
Configuring an SSH user
Configuring the SSH management parameters
Specifying a PKI domain for the SSH server
Releasing SSH connections
Configuring the device as an Stelnet client
Stelnet client configuration task list
Generating local key pairs
Specifying the source IP address for SSH packets
Establishing a connection to an Stelnet server
Deleting server public keys saved in the public key file on the Stelnet client
Establishing a connection to an Stelnet server based on Suite B
Configuring the device as an SFTP client
SFTP client configuration task list
Generating local key pairs
Specifying the source IP address for SFTP packets
Establishing a connection to an SFTP server
Deleting server public keys saved in the public key file on the SFTP client
Establishing a connection to an SFTP server based on Suite B
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection with the SFTP server
Configuring the device as an SCP client
SCP client configuration task list
Generating local key pairs
Specifying the source IP address for SCP packets
Establishing a connection to an SCP server
Deleting server public keys saved in the public key file on the SCP client
Establishing a connection to an SCP server based on Suite B
Specifying algorithms for SSH2
Specifying key exchange algorithms for SSH2
Specifying public key algorithms for SSH2
Specifying encryption algorithms for SSH2
Specifying MAC algorithms for SSH2
Displaying and maintaining SSH
Stelnet configuration examples
Password authentication enabled Stelnet server configuration example
Publickey authentication enabled Stelnet server configuration example
Password authentication enabled Stelnet client configuration example
Publickey authentication enabled Stelnet client configuration example
Stelnet configuration example based on 128-bit Suite B algorithms
SFTP configuration examples
Password authentication enabled SFTP server configuration example
Publickey authentication enabled SFTP client configuration example
SFTP configuration example based on 192-bit Suite B algorithms
SCP configuration examples
SCP configuration example with password authentication
SCP configuration example based on Suite B algorithms
NETCONF over SSH configuration example with password authentication
Network requirements
Configuration procedure
Verifying the configuration
Configuring SSL
Overview
SSL security services
SSL protocol stack
FIPS compliance
SSL configuration task list
Configuring an SSL server policy
Configuring an SSL client policy
Displaying and maintaining SSL
Configuring attack detection and prevention
Overview
Attacks that the device can prevent
Single-packet attacks
Scanning attacks
Flood attacks
TCP fragment attack
Login dictionary attack
Attack detection and prevention configuration task list
Configuring an attack defense policy
Creating an attack defense policy
Configuring a single-packet attack defense policy
Configuring a scanning attack defense policy
Configuring a flood attack defense policy
Configuring attack detection exemption
Applying an attack defense policy to the device
Enabling log non-aggregation for single-packet attack events
Configuring TCP fragment attack prevention
Enabling the login delay
Displaying and maintaining attack detection and prevention
Attack detection and prevention configuration examples
Attack defense policy device application configuration example
Configuring TCP attack prevention
Overview
xii
Configuring Naptha attack prevention ············································································································ 518
Configuring IP source guard ······································································ 519
Overview ························································································································································ 519
Static IPSG bindings ······························································································································ 519
Dynamic IPSG bindings ························································································································· 520
IPSG configuration task list ···························································································································· 521
Configuring the IPv4SG feature ····················································································································· 521
Enabling IPv4SG on an interface ··········································································································· 521
Configuring a static IPv4SG binding ······································································································ 522
Configuring the IPv6SG feature ····················································································································· 522
Enabling IPv6SG on an interface ··········································································································· 522
Configuring a static IPv6SG binding ······································································································ 523
Displaying and maintaining IPSG··················································································································· 524
IPSG configuration examples ························································································································ 524
Static IPv4SG configuration example ····································································································· 524
DHCP snooping-based dynamic IPv4SG configuration example ·························································· 526
DHCP relay agent-based dynamic IPv4SG configuration example ······················································· 527
Static IPv6SG configuration example ····································································································· 528
DHCPv6 snooping-based dynamic IPv6SG address binding configuration example ···························· 528
DHCPv6 snooping-based dynamic IPv6SG prefix binding configuration example ································ 529
Dynamic IPv6SG using DHCPv6 relay agent configuration example ···················································· 530
Configuring ARP attack protection
  ARP attack protection configuration task list
  Configuring unresolvable IP attack protection
    Configuring ARP source suppression
    Configuring ARP blackhole routing
    Displaying and maintaining unresolvable IP attack protection
    Configuration example
  Configuring ARP packet rate limit
    Configuration guidelines
    Configuration procedure
  Configuring source MAC-based ARP attack detection
    Configuration procedure
    Displaying and maintaining source MAC-based ARP attack detection
    Configuration example
  Configuring ARP packet source MAC consistency check
  Configuring ARP active acknowledgement
  Configuring authorized ARP
    Configuration procedure
    Configuration example (on a DHCP server)
    Configuration example (on a DHCP relay agent)
  Configuring ARP attack detection
    Configuring user validity check
    Configuring ARP packet validity check
    Configuring ARP restricted forwarding
    Ignoring ingress ports of ARP packets for user validity check
    Configuring ARP attack detection for a VSI
    Enabling ARP attack detection logging
    Displaying and maintaining ARP attack detection
    User validity check configuration example
    User validity check and ARP packet validity check configuration example
    ARP restricted forwarding configuration example
  Configuring ARP scanning and fixed ARP
    Configuration restrictions and guidelines
    Configuration procedure
  Configuring ARP gateway protection
    Configuration guidelines
    Configuration procedure
    Configuration example
  Configuring ARP filtering
    Configuration guidelines
    Configuration procedure
    Configuration example
  Configuring ARP sender IP address checking
Configuring ND attack defense
  Overview
  ND attack defense configuration task list
  Enabling source MAC consistency check for ND messages
  Configuring ND attack detection
    About ND attack detection
    Configuration guidelines
    Configuration procedure
    Displaying and maintaining ND attack detection
    ND attack detection configuration example
  Configuring RA guard
    About RA guard
    Specifying the role of the attached device
    Configuring an RA guard policy
    Enabling the RA guard logging feature
    Displaying and maintaining RA guard
    RA guard configuration example
Configuring uRPF
  Overview
    uRPF check modes
    uRPF operation
    Network application
  Enabling uRPF
  Displaying and maintaining uRPF
  Global uRPF configuration example
Configuring MFF
  Overview
    Basic concepts
    MFF operation modes
    MFF working mechanism
    Protocols and standards
  Configuring MFF
    Enabling MFF
    Configuring a network port
    Enabling periodic gateway probe
    Specifying the IP addresses of servers
  Displaying and maintaining MFF
  MFF configuration examples
    Manual-mode MFF configuration example in a tree network
    Manual-mode MFF configuration example in a ring network
Configuring crypto engines
  Overview
  Displaying and maintaining crypto engines
Configuring FIPS
  Overview
  Configuration restrictions and guidelines
  Configuring FIPS mode
    Entering FIPS mode
    Configuration changes in FIPS mode
    Exiting FIPS mode
  FIPS self-tests
    Power-up self-tests
    Conditional self-tests
    Triggering self-tests
  Displaying and maintaining FIPS
  FIPS configuration examples
    Entering FIPS mode through automatic reboot
    Entering FIPS mode through manual reboot
    Exiting FIPS mode through automatic reboot
    Exiting FIPS mode through manual reboot
Document conventions and icons
  Conventions
  Network topology icons
Support and other resources
  Accessing Hewlett Packard Enterprise Support
  Accessing updates
    Websites
    Customer self repair
    Remote support
    Documentation feedback
Index
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
Figure 1 elements: Remote user, Internet, NAS, Network, RADIUS server, HWTACACS server.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.

Table 1 Main values of the Code field

Code | Packet type | Description
1 | Access-Request | From the client to the server. A packet of this type includes user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2 | Access-Accept | From the server to the client. If all attribute values included in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.
3 | Access-Reject | From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails, and the server sends an Access-Reject response.
4 | Accounting-Request | From the client to the server. A packet of this type includes user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.
5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.

• The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
• The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
  ◦ Type—Type of the attribute.
  ◦ Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
  ◦ Value—Value of the attribute. Its format and content depend on the Type subfield.
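
The packet layout above and the shared-key checks from "Information exchange security mechanism", as an added Python example that is not part of the HPE guide or the switch software: it parses a datagram under the Length rules, verifies the Response Authenticator, and hides the User-Password. The MD5 constructions and the 20 to 4096 byte bounds are taken from RFC 2865, which this page does not quote; the shared key, identifier, attribute values and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def parse_packet(datagram):
    """Split a UDP payload into the Figure 4 fields; ValueError means drop it."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than the fixed header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not HEADER_LEN <= length <= 4096:        # bounds taken from RFC 2865
        raise ValueError("Length field out of range")
    if len(datagram) < length:                  # fewer bytes than Length: drop
        raise ValueError("datagram shorter than Length field")
    packet = datagram[:length]                  # bytes beyond Length are padding
    attrs, pos = [], HEADER_LEN
    while pos < length:                         # each attribute: Type, Length, Value
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:   # a_len includes Type and Length
            raise ValueError("attribute length inconsistent with packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "authenticator": packet[4:HEADER_LEN],
            "attributes": attrs, "attr_bytes": packet[HEADER_LEN:]}


def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, ident, attr_bytes, request_auth, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + key)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def verify_response(datagram, request_id, request_auth, secret):
    """Client side: accept a reply only if it parses and its signature matches."""
    try:
        pkt = parse_packet(datagram)
    except ValueError:
        return False
    if pkt["id"] != request_id:                 # must answer the pending request
        return False
    expected = response_authenticator(pkt["code"], pkt["id"], pkt["attr_bytes"],
                                      request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


def xor_chain(data, request_auth, secret, decrypt):
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()   # MD5(key + previous ciphertext)
        result = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = data[i:i + 16] if decrypt else result
        out += result
    return out


def hide_password(password, request_auth, secret):
    """User-Password hiding: null-pad to 16-byte blocks, then xor_chain."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(1, (len(password) + 15) // 16) * 16
    return xor_chain(password.ljust(size, b"\x00"), request_auth, secret, False)


def reveal_password(hidden, request_auth, secret):
    return xor_chain(hidden, request_auth, secret, True).rstrip(b"\x00")


def demo():
    secret = b"constructed-shared-key"          # constructed sample values
    req_auth = bytes(range(16))                 # a real client uses random bytes
    hidden = hide_password(b"correct horse", req_auth, secret)
    request = build_packet(1, 7, req_auth, [(1, b"alice"), (2, hidden)])
    reply_attrs = [(18, b"denied")]             # 18 = Reply-Message
    sig = response_authenticator(3, 7, encode_attrs(reply_attrs), req_auth, secret)
    reject = build_packet(3, 7, sig, reply_attrs)
    forged = b"\x02" + reject[1:]               # Code altered to Access-Accept
    return {
        "request_attr_types": [t for t, _ in parse_packet(request)["attributes"]],
        "password": reveal_password(hidden, req_auth, secret),
        "genuine": verify_response(reject, 7, req_auth, secret),
        "padded": verify_response(reject + b"\x00" * 4, 7, req_auth, secret),
        "forged": verify_response(forged, 7, req_auth, secret),
        "truncated": verify_response(reject[:-1], 7, req_auth, secret),
    }
```

Calling `demo()` returns the verdict for each constructed datagram: the genuine and padded replies verify, while the reply whose Code byte was changed and the truncated reply are rejected.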
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326
  • Page 327 327
  • Page 328 328
  • Page 329 329
  • Page 330 330
  • Page 331 331
  • Page 332 332
  • Page 333 333
  • Page 334 334
  • Page 335 335
  • Page 336 336
  • Page 337 337
  • Page 338 338
  • Page 339 339
  • Page 340 340
  • Page 341 341
  • Page 342 342
  • Page 343 343
  • Page 344 344
  • Page 345 345
  • Page 346 346
  • Page 347 347
  • Page 348 348
  • Page 349 349
  • Page 350 350
  • Page 351 351
  • Page 352 352
  • Page 353 353
  • Page 354 354
  • Page 355 355
  • Page 356 356
  • Page 357 357
  • Page 358 358
  • Page 359 359
  • Page 360 360
  • Page 361 361
  • Page 362 362
  • Page 363 363
  • Page 364 364
  • Page 365 365
  • Page 366 366
  • Page 367 367
  • Page 368 368
  • Page 369 369
  • Page 370 370
  • Page 371 371
  • Page 372 372
  • Page 373 373
  • Page 374 374
  • Page 375 375
  • Page 376 376
  • Page 377 377
  • Page 378 378
  • Page 379 379
  • Page 380 380
  • Page 381 381
  • Page 382 382
  • Page 383 383
  • Page 384 384
  • Page 385 385
  • Page 386 386
  • Page 387 387
  • Page 388 388
  • Page 389 389
  • Page 390 390
  • Page 391 391
  • Page 392 392
  • Page 393 393
  • Page 394 394
  • Page 395 395
  • Page 396 396
  • Page 397 397
  • Page 398 398
  • Page 399 399
  • Page 400 400
  • Page 401 401
  • Page 402 402
  • Page 403 403
  • Page 404 404
  • Page 405 405
  • Page 406 406
  • Page 407 407
  • Page 408 408
  • Page 409 409
  • Page 410 410
  • Page 411 411
  • Page 412 412
  • Page 413 413
  • Page 414 414
  • Page 415 415
  • Page 416 416
  • Page 417 417
  • Page 418 418
  • Page 419 419
  • Page 420 420
  • Page 421 421
  • Page 422 422
  • Page 423 423
  • Page 424 424
  • Page 425 425
  • Page 426 426
  • Page 427 427
  • Page 428 428
  • Page 429 429
  • Page 430 430
  • Page 431 431
  • Page 432 432
  • Page 433 433
  • Page 434 434
  • Page 435 435
  • Page 436 436
  • Page 437 437
  • Page 438 438
  • Page 439 439
  • Page 440 440
  • Page 441 441
  • Page 442 442
  • Page 443 443
  • Page 444 444
  • Page 445 445
  • Page 446 446
  • Page 447 447
  • Page 448 448
  • Page 449 449
  • Page 450 450
  • Page 451 451
  • Page 452 452
  • Page 453 453
  • Page 454 454
  • Page 455 455
  • Page 456 456
  • Page 457 457
  • Page 458 458
  • Page 459 459
  • Page 460 460
  • Page 461 461
  • Page 462 462
  • Page 463 463
  • Page 464 464
  • Page 465 465
  • Page 466 466
  • Page 467 467
  • Page 468 468
  • Page 469 469
  • Page 470 470
  • Page 471 471
  • Page 472 472
  • Page 473 473
  • Page 474 474
  • Page 475 475
  • Page 476 476
  • Page 477 477
  • Page 478 478
  • Page 479 479
  • Page 480 480
  • Page 481 481
  • Page 482 482
  • Page 483 483
  • Page 484 484
  • Page 485 485
  • Page 486 486
  • Page 487 487
  • Page 488 488
  • Page 489 489
  • Page 490 490
  • Page 491 491
  • Page 492 492
  • Page 493 493
  • Page 494 494
  • Page 495 495
  • Page 496 496
  • Page 497 497
  • Page 498 498
  • Page 499 499
  • Page 500 500
  • Page 501 501
  • Page 502 502
  • Page 503 503
  • Page 504 504
  • Page 505 505
  • Page 506 506
  • Page 507 507
  • Page 508 508
  • Page 509 509
  • Page 510 510
  • Page 511 511
  • Page 512 512
  • Page 513 513
  • Page 514 514
  • Page 515 515
  • Page 516 516
  • Page 517 517
  • Page 518 518
  • Page 519 519
  • Page 520 520
  • Page 521 521
  • Page 522 522
  • Page 523 523
  • Page 524 524
  • Page 525 525
  • Page 526 526
  • Page 527 527
  • Page 528 528
  • Page 529 529
  • Page 530 530
  • Page 531 531
  • Page 532 532
  • Page 533 533
  • Page 534 534
  • Page 535 535
  • Page 536 536
  • Page 537 537
  • Page 538 538
  • Page 539 539
  • Page 540 540
  • Page 541 541
  • Page 542 542
  • Page 543 543
  • Page 544 544
  • Page 545 545
  • Page 546 546
  • Page 547 547
  • Page 548 548
  • Page 549 549
  • Page 550 550
  • Page 551 551
  • Page 552 552
  • Page 553 553
  • Page 554 554
  • Page 555 555
  • Page 556 556
  • Page 557 557
  • Page 558 558
  • Page 559 559
  • Page 560 560
  • Page 561 561
  • Page 562 562
  • Page 563 563
  • Page 564 564
  • Page 565 565
  • Page 566 566
  • Page 567 567
  • Page 568 568
  • Page 569 569
  • Page 570 570
  • Page 571 571
  • Page 572 572
  • Page 573 573
  • Page 574 574
  • Page 575 575
  • Page 576 576
  • Page 577 577
  • Page 578 578
  • Page 579 579
  • Page 580 580
  • Page 581 581
  • Page 582 582
  • Page 583 583
  • Page 584 584
  • Page 585 585
  • Page 586 586
  • Page 587 587
  • Page 588 588
  • Page 589 589
  • Page 590 590
  • Page 591 591
  • Page 592 592
  • Page 593 593
  • Page 594 594
  • Page 595 595
  • Page 596 596
  • Page 597 597
  • Page 598 598
  • Page 599 599
  • Page 600 600
  • Page 601 601
  • Page 602 602
  • Page 603 603
  • Page 604 604
  • Page 605 605
  • Page 606 606
  • Page 607 607
  • Page 608 608
  • Page 609 609
  • Page 610 610
  • Page 611 611
  • Page 612 612
  • Page 613 613
  • Page 614 614
  • Page 615 615
  • Page 616 616
  • Page 617 617
  • Page 618 618
  • Page 619 619
  • Page 620 620
  • Page 621 621
  • Page 622 622
  • Page 623 623
  • Page 624 624
  • Page 625 625
  • Page 626 626
  • Page 627 627
  • Page 628 628
  • Page 629 629
  • Page 630 630
  • Page 631 631
  • Page 632 632
  • Page 633 633
  • Page 634 634
  • Page 635 635
  • Page 636 636
  • Page 637 637
  • Page 638 638
  • Page 639 639
  • Page 640 640
  • Page 641 641
  • Page 642 642
  • Page 643 643
  • Page 644 644
  • Page 645 645
  • Page 646 646
  • Page 647 647
  • Page 648 648
  • Page 649 649
  • Page 650 650
  • Page 651 651
  • Page 652 652
  • Page 653 653
  • Page 654 654
  • Page 655 655
  • Page 656 656
  • Page 657 657
  • Page 658 658
  • Page 659 659
  • Page 660 660
  • Page 661 661
  • Page 662 662
  • Page 663 663
  • Page 664 664
  • Page 665 665
  • Page 666 666
  • Page 667 667
  • Page 668 668
  • Page 669 669
