Documente Academic
Documente Profesional
Documente Cultură
Contents
Security overview 1
Network security threats 1
Network security services 1
Network security technologies 1
Identity authentication 1
Access security 2
Data security 3
Firewall 3
Attack detection and protection 4
Additional security technologies 4
Configuring AAA 6
Overview 6
RADIUS 7
HWTACACS 12
LDAP 14
Domain-based user management 16
Protocols and standards 17
RADIUS attributes 17
FIPS compliance 20
AAA configuration considerations and task list 20
Configuring AAA schemes 22
Configuring local users 22
Configuring RADIUS schemes 27
Configuring HWTACACS schemes 39
Configuring LDAP schemes 45
Configuring AAA methods for ISP domains 49
Creating an ISP domain 50
Configuring ISP domain attributes 51
Configuring authentication methods for an ISP domain 52
Configuring authorization methods for an ISP domain 54
Configuring accounting methods for an ISP domain 56
Tearing down user connections 58
Configuring local EAP authentication 58
Configuration procedure 58
Configuring the local EAP authentication server 58
Configuring a NAS ID-VLAN binding 59
Specifying the device ID 60
Displaying and maintaining AAA 60
AAA configuration examples 60
HWTACACS authentication and authorization for Telnet users 61
Local authentication and HWTACACS authorization for Telnet users 62
LDAP authentication for Telnet users 64
Authentication and authorization for portal users by a RADIUS server 68
Authentication and authorization for 802.1X users by a RADIUS server 74
Local EAP authentication and authorization for 802.1X users 80
RADIUS offload for 802.1X users 82
Level switching authentication for Telnet users by an HWTACACS server 85
Local EAP authentication for 802.1X users by an LDAP server 88
i
802.1X overview 96
802.1X architecture 96
Controlled/uncontrolled port and port authorization status 96
802.1X-related protocols 97
Packet formats 98
EAP over RADIUS 99
Initiating 802.1X authentication 99
802.1X client as the initiator 99
Access device as the initiator 100
802.1X authentication procedures 100
Comparing EAP relay and EAP termination 101
EAP relay 101
EAP termination 103
Index 451
Security overview
Network security services provide solutions to solve or reduce security threats. Network security threats
are existing or potential threats to data confidentiality, data integrity, and data availability.
Identity authenticationIdentifies users and determines if a user is valid. Typical methods include
AAA-based username plus password authentication, and PKI digital certificate-based
authentication.
Data securityEncrypts and decrypts data during data transmission and storage. Typical
encryption mechanisms include symmetric encryption and asymmetric encryption, and their
common applications are IPsec, SSL, and SSH. IPsec secures IP communications. SSL and SSH
protect data transfer based on TCP.
FirewallA highly effective network security model to block unauthorized Internet access to a
protected network. Major firewall implementations are ACL based packet filter, ASPF, and ALG.
AuthorizationGrants user rights and controls user access to resources and services. For example,
a user who has successfully logged in to the device can be granted read and print permissions to
the files on the device.
AccountingRecords all network service usage information, including the service type, start time,
and traffic. The accounting function provides information for charging and user behavior auditing.
AAA can be implemented through multiple protocols, such as RADIUS, HWTACACS, and LDAP, among
which RADIUS is used most often.
PKI
PKI is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. PKI uses
digital certificates to distribute and employ public keys, and provides network communication and
e-commerce with security services such as user authentication, data confidentiality, and data integrity.
HP's PKI system provides digital certificate management for IPsec and SSL.
Access security
802.1X
802.1X is a port-based network access control protocol for securing wireless LANs (WLANs), and it has
also been widely used on Ethernet networks for access control. 802.1X controls network access by
authenticating the devices connected to 802.1X-enabled LAN ports.
MAC authentication
MAC authentication controls network access by authenticating source MAC addresses on a port. It does
not require client software and users do not need to enter a username and password for network access.
The device initiates a MAC authentication process when it detects an unknown source MAC address on
a MAC authentication enabled port. If the MAC address passes authentication, the user can access
authorized network resources.
Port security
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network
access control. It applies to networks that require different authentication methods for different users on
a port, such as a WLAN. Port security prevents unauthorized access to a network by checking the source
MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination
MAC address of outbound traffic.
Portal authentication
Portal authentication, also called "Web authentication," controls user access at the access layer and
other data entrance that needs protection. It does not require client software to authenticate users. Users
only need to enter a username and a password on the webpage for authentication.
With portal authentication, an access device redirects all unauthenticated users to a webpage. All users
can access resources on the webpage without passing portal authentication. However, to access the
Internet, a user must pass portal authentication on the portal authentication page.
Data security
Managing public keys
Public key configuration enables you to manage the local asymmetric key pairs (for example, creating or
destroying a local asymmetric key pair, and displaying or exporting a local host public key), and
configure the peer host public keys on the local device.
SSL
SSL is a security protocol that provides communication security for TCP-based application layer protocols
by using the public key mechanism and digital certificates. SSL is independent of the application layer
protocol, and enables an application layer protocol to use an SSL-based secure connection. A common
application is HTTPSHTTP over SSL or HTTP Secure.
SSH
SSH is a network security protocol that provides secure remote login and file transfer over an insecure
network. Using encryption and authentication, SSH protects devices against attacks such as IP spoofing
and plaintext password interception.
Firewall
ACL based packet-filter
An ACL packet-filter implements IP packet specific filtering.
Before forwarding an IP packet, the device obtains the following header information:
Source address
Destination address
The device compares the head information against the preset ACL rules and processes (discards or
forwards) the packet based on the comparison result.
ASPF
An ASPF implements status-based packet filtering, and provides the following functions:
Transport layer protocol inspection (generic TCP and UDP inspection)ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
Application layer protocol inspectionASPF checks application layer information for packets, such
as the protocol type and port number, and monitors the application layer protocol status for each
connection. ASPF maintains status information for each connection, and based on status
information, determines whether to permit a packet to pass through the firewall into the internal
network, thus defending the internal network against attacks.
ASPF also supports other security functions, such as port to application mapping, ICMP error message
inspection and first packet inspection for TCP connection.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better satisfies the actual needs.
ALG
ALG processes payload information for application layer packets.
Working with NAT, ALG implements address translation in packet payloads. Working with ASPF, ALG
implements data connection detection and application layer status checking.
Session management
Session management is a common feature designed to implement session-based services such as NAT
and ASPF. Session management tracks the connection status by inspecting the transport layer protocol
(TCP or UDP) information, and regards packet exchanges at transport layer as sessions, performing
unified status maintenance and management of all connections.
In actual applications, session management works together with ASPF to dynamically determine whether
a packet can pass the firewall and enter the internal network according to connection status, thus
preventing intrusion.
The session management function only implements connection status tracking. It does not block potential
attack packets.
Web filtering
Web filtering can help devices prevent internal users from accessing unauthorized websites and block
Java applets and ActiveX objects from webpages to improve internal network security.
User profile
A user profile provides a configuration template to save predefined configurations, such as a CAR policy
or a QoS policy. Different user profiles are applicable to different application scenarios.
The user profile works with PPPoE, 802.1X, MAC authentication, and portal authentication. It is capable
of restricting authenticated users' behaviors. After the authentication server verifies a user, it sends the
device the name of the user profile that is associated with the user.
Password control
Password control is a set of functions for enhancing the local password security. It controls user login
passwords, super passwords, and user login status based on predefined policies. Those policies include
minimum password length, minimum password update interval, password aging, and early notice on
pending password expiration.
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It provides the following security functions:
AuthorizationGrants user rights and controls user access to resources and services. For example,
a user who has successfully logged in to the device can be granted read and print permissions to
the files on the device.
AccountingRecords all network service usage information, including service type, start time, and
traffic. It provides information required for accounting and allows for network security surveillance.
AAA typically uses a client/server model, as shown in Figure 1. The client runs on the network access
server (NAS), which is also called the access device. The server maintains user information centrally. In
an AAA network, the NAS is a server for users but a client for AAA servers.
Figure 1 AAA application scenario
Internet
Network
Remote user
NAS
RADIUS server
HWTACACS server
The NAS uses the authentication server to authenticate any user who tries to log in, use network resources,
or access other networks. The NAS transparently transmits authentication, authorization, and accounting
information between the user and the servers. The RADIUS and HWTACACS protocols define how a
NAS and a remote server exchange user information.
The network shown in Figure 1 includes a RADIUS server and an HWTACACS server. You can use
different servers to implement different security functions. For example, you can use the HWTACACS
server for authentication and authorization, and the RADIUS server for accounting.
You can implement any of the security functions provided by AAA as needed. For example, if your
company wants employees to be authenticated before they access specific resources, you would
configure an authentication server. If network usage information is needed, you would also configure an
accounting server.
AAA can be implemented through multiple protocols. The device supports RADIUS, HWTACACS, and
LDAP, and RADIUS is used most often.
6
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments that require both high security and remote user access.
RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. RADIUS has been extended to support
additional access methods, including Ethernet and ADSL. RADIUS provides access authentication,
authorization, and accounting services. The accounting function collects and records network resource
usage information.
Client/server model
RADIUS clients run on NASs located throughout the network. NASs pass user information to RADIUS
servers, and reject or accept user access requests depending on the responses from RADIUS servers.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network access. It receives connection requests, authenticates users,
and returns access control information (for example, rejecting or accepting the user access request) to the
clients.
The RADIUS server typically maintains the following databases: Users, Clients, and Dictionary, as shown
in Figure 2.
Figure 2 RADIUS server databases
RADIUS servers
Users
Clients
Dictionary
ClientsStores information about RADIUS clients, such as shared keys and IP addresses.
The host initiates a connection request that includes the user's username and password to the
RADIUS client.
2.
The RADIUS client sends an authentication request (Access-Request) to the RADIUS server after it
received the username and password. The user password is encrypted with the MD5 algorithm
and the shared key.
3.
The RADIUS server authenticates the username and password. If the authentication succeeds, the
server returns an Access-Accept message that includes the user's authorization information. If the
authentication fails, the server returns an Access-Reject message.
4.
The RADIUS client permits or denies the user according to the returned authentication result. If the
result permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) to
the RADIUS server.
5.
6.
7.
The host requests the RADIUS client to tear down the connection and the RADIUS client sends a
stop-accounting request (Accounting-Request) to the RADIUS server.
8.
The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for
the user.
7
Code
15
31
7
Length
Identifier
Authenticator
Attributes
The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 1 Main values of the Code field
Packet type
Description
Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
Access-Accept
From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and the
server sends an Access-Accept response.
Access-Reject
From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the server
sends an Access-Reject response.
Accounting-Request
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or stop
accounting.
Accounting-Response
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
Code
The Identifier field (1 byte long) is used to match request packets and response packets and to detect
duplicate request packets. Request and response packets of the same type have the same identifier.
The Length field (2 bytes long) indicates the length of the entire packet, including the Code,
Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are considered
padding and are ignored by the receiver. If the length of a received packet is less than this length,
the packet is dropped. The value of this field is in the range 20 to 4096.
The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and
to encrypt user passwords. There are two types of authenticators: request authenticator and
response authenticator.
The Attributes field (variable in length) includes the specified authentication, authorization, and
accounting information that defines the configuration details of the request or response. This field
may contain multiple attributes, each with three sub-fields:
9
Type(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS
attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list
of the attributes. For more information, see "Commonly used standard RADIUS attributes."
Length(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value
sub-fields.
Value(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and
Length sub-fields.
Attribute
No.
Attribute
User-Name
45
Acct-Authentic
User-Password
46
Acct-Session-Time
CHAP-Password
47
Acct-Input-Packets
NAS-IP-Address
48
Acct-Output-Packets
NAS-Port
49
Acct-Terminate-Cause
Service-Type
50
Acct-Multi-Session-Id
Framed-Protocol
51
Acct-Link-Count
Framed-IP-Address
52
Acct-Input-Gigawords
Framed-IP-Netmask
53
Acct-Output-Gigawords
10
Framed-Routing
54
(unassigned)
11
Filter-ID
55
Event-Timestamp
12
Framed-MTU
56-59
(unassigned)
13
Framed-Compression
60
CHAP-Challenge
14
Login-IP-Host
61
NAS-Port-Type
15
Login-Service
62
Port-Limit
16
Login-TCP-Port
63
Login-LAT-Port
17
(unassigned)
64
Tunnel-Type
18
Reply-Message
65
Tunnel-Medium-Type
19
Callback-Number
66
Tunnel-Client-Endpoint
20
Callback-ID
67
Tunnel-Server-Endpoint
21
(unassigned)
68
Acct-Tunnel-Connection
22
Framed-Route
69
Tunnel-Password
23
Framed-IPX-Network
70
ARAP-Password
24
State
71
ARAP-Features
25
Class
72
ARAP-Zone-Access
26
Vendor-Specific
73
ARAP-Security
27
Session-Timeout
74
ARAP-Security-Data
28
Idle-Timeout
75
Password-Retry
29
Termination-Action
76
Prompt
10
No.
Attribute
No.
Attribute
30
Called-Station-Id
77
Connect-Info
31
Calling-Station-Id
78
Configuration-Token
32
NAS-Identifier
79
EAP-Message
33
Proxy-State
80
Message-Authenticator
34
Login-LAT-Service
81
Tunnel-Private-Group-id
35
Login-LAT-Node
82
Tunnel-Assignment-id
36
Login-LAT-Group
83
Tunnel-Preference
37
Framed-AppleTalk-Link
84
ARAP-Challenge-Response
38
Framed-AppleTalk-Network
85
Acct-Interim-Interval
39
Framed-AppleTalk-Zone
86
Acct-Tunnel-Packets-Lost
40
Acct-Status-Type
87
NAS-Port-Id
41
Acct-Delay-Time
88
Framed-Pool
42
Acct-Input-Octets
89
(unassigned)
43
Acct-Output-Octets
90
Tunnel-Client-Auth-id
44
Acct-Session-Id
91
Tunnel-Server-Auth-id
Vendor-IDID of the vendor. Its most significant byte is 0. The other three bytes contains a code
that is compliant to RFC 1700. The vendor ID of HP is 25506. For more information about the
proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."
11
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol
based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for
information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the
NAS sends users' usernames and passwords to the HWTACACS sever for authentication. After passing
authentication and obtaining authorized rights, a user logs in to the device and performs operations. The
HWTACACS server records the operations that each user performs.
RADIUS
12
2.
The HWTACACS client sends a start-authentication packet to the HWTACACS server when it
receives the request.
3.
The HWTACACS server sends back an authentication response to request the username.
4.
Upon receiving the response, the HWTACACS client asks the user for the username.
5.
6.
After receiving the username from the user, the HWTACACS client sends the server a
continue-authentication packet that includes the username.
7.
The HWTACACS server sends back an authentication response to request the login password.
8.
Upon receipt of the response, the HWTACACS client prompts the user for the login password.
13
9.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has
passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now
authorized.
14. The HWTACACS client pushes its CLI to the user.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.
LDAP
Based on TCP/IP, the Lightweight Directory Access Protocol (LDAP) provides standard multi-platform
directory service. LDAP was developed on the basis of the X.500 protocol, and improves the read/write
interactive access, and browse and search functions of X.500. It is suitable for storing data that is not
often changed.
LDAP is typically used to store user information. For example, Microsoft Windows uses Active Directory
Server to store user information and user group information for login authentication and authorization.
Bind operationAllows an LDAP client to establish a connection with the LDAP server, obtain the
access rights to the LDAP server, and check the validity of user information.
Search operationConstructs search conditions and obtains the directory resource information of
the LDAP server.
An LDAP client uses the LDAP server administrator DN to bind with the LDAP server, establishes a
connection to the server, and obtains the search rights.
14
2.
The LDAP client, using the username in the authentication information of a user, constructs search
conditions to search for the user in the specified root directory of the server, and obtains a user DN
list.
3.
The LDAP client uses each user DN in the obtained user DN list and the user password to bind with
the LDAP server. If a binding succeeds, the user is legal.
The LDAP authorization process is similar to the LDAP authentication process, except that the client
obtains the authorization information and the user DN list at step 2 in the workflow.
If the authorization information meets the authorization requirements, the authorization process
ends.
If the authorization information does not meet the authorization requirements, the client sends an
administrator bind request to the LDAP server to obtain search right for authorization information
about users on the user DN list.
LDAP client
LDAP server
The basic message exchange process during LDAP authentication and authorization is as follows:
1.
A Telnet user initiates a connection request and sends the username and password to the LDAP
client.
2.
After receiving the request, the LDAP client establishes a TCP connection with the LDAP server.
3.
To obtain the search right, the LDAP client uses the administrator DN and password to send an
administrator bind request to the LDAP server.
4.
The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an
acknowledgement to the LDAP client.
15
5.
The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP
server.
6.
After receiving the request, the LDAP server searches for the user DN by the base DN, search
scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the
LDAP client of the successful search. There may be one or more user DNs found.
7.
The LDAP client uses the obtained user DN and the entered user password as parameters to send
a user DN bind request to the LDAP server, which checks whether the user password is correct.
8.
The LDAP server processes the request, and sends a response to notify the LDAP client of the bind
operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the
parameter to send a user DN bind request to the LDAP server. This process continues until a DN is
bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client
notifies the user of the login failure and denies the access request.
9.
The LDAP client and server exchange authorization messages. If another scheme, for example, an
HWTACACS scheme, is expected for authorization, the LDAP client exchanges authorization
messages with the HWTACACS authorization server instead.
10. After successful authorization, the LDAP client notifies the user of the successful login.
Authentication, authorization, and accounting of a user depends on the AAA methods configured for the
domain that the user belongs to. If no specific AAA methods are configured for the domain, the default
methods are used. By default, a domain uses local authentication, local authorization, and local
accounting.
AAA allows you to manage users based on their access types:
LAN usersUsers on a LAN who must pass 802.1X or MAC address authentication to access the
network.
16
Login usersUsers who want to log in to the device, including SSH users, Telnet users, Web users,
FTP users, and terminal users.
Portal usersUsers who must pass portal authentication to access the network.
PPP usersUsers who access the network through PPP. Support for PPP users depends on the device
model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN
Products.
In addition, AAA provides the following login services to enhance device security:
Level switching authenticationAllows the authentication server to authenticate users who perform
privilege level switching. When users pass level switching authentication, they can switch their user
privilege levels without logging out and disconnecting current connections. For more information
about user privilege level switching, see Fundamentals Configuration Guide.
You can configure different AAA methods for different types of users in a domain. See "Configuring AAA
methods for ISP domains."
RADIUS attributes
This section provides tables of commonly used standard RADIUS attributes and HP proprietary RADIUS
sub-attributes.
Attribute
Description
User-Name
User-Password
17
No.
Attribute
Description
CHAP-Password
NAS-IP-Address
NAS-Port
Service-Type
2802.1X authentication.
10MAC authentication.
Framed-Protocol
Framed-IP-Address
11
Filter-ID
12
Framed-MTU
MTU for the data link between the user and NAS. For example, with 802.1X
EAP authentication, NAS uses this attribute to notify the server of the MTU for
EAP packets, so as to avoid oversized EAP packets.
14
Login-IP-Host
15
Login-Service
18
Reply-Message
26
Vendor-Specific
27
Session-Timeout
Maximum service duration for the user before termination of the session.
28
Idle-Timeout
Maximum idle time permitted for the user before termination of the session.
31
Calling-Station-Id
User identification that the NAS sends to the server. For the LAN access
service provided by an HP device, this attribute includes the MAC address of
the user in the format HH-HH-HH-HH-HH-HH.
32
NAS-Identifier
Identification that the NAS uses to identify itself to the RADIUS server.
Type of the Accounting-Request packet. Possible values include:
40
Acct-Status-Type
1Start.
2Stop.
3Interim-Update.
4Reset-Charge.
7Accounting-On. (Defined in the 3rd Generation Partnership Project.)
8Accounting-Off. (Defined in the 3rd Generation Partnership Project.)
9 to 14Reserved for tunnel accounting.
15Reserved for failed.
Acct-Authentic
1RADIUS.
2Local.
3Remote.
18
No.
Attribute
Description
60
CHAP-Challenge
CHAP challenge generated by the NAS for MD5 calculation during CHAP
authentication.
Type of the physical port of the NAS that is authenticating the user. Possible
values include:
61
NAS-Port-Type
15Ethernet.
16Any type of ADSL.
17Cable (with cable for cable TV).
19WLAN-IEEE 802.11.
201VLAN.
202ATM.
If the port is an ATM or Ethernet one and VLANs are implemented on it, the
value of this attribute is 201.
79
EAP-Message
80
Message-Authenticator
87
NAS-Port-Id
String for describing the port of the NAS that is authenticating the user.
Sub-attribute
Description
Input-Peak-Rate
Peak rate in the direction from the user to the NAS, in bps.
Input-Average-Rate
Average rate in the direction from the user to the NAS, in bps.
Input-Basic-Rate
Basic rate in the direction from the user to the NAS, in bps.
Output-Peak-Rate
Peak rate in the direction from the NAS to the user, in bps.
Output-Average-Rate
Average rate in the direction from the NAS to the user, in bps.
Output-Basic-Rate
Basic rate in the direction from the NAS to the user, in bps.
15
Remanent_Volume
Total remaining available traffic for the connection, in different units for
different server types.
Operation for the session, used for session control. Possible values
include:
20
24
Command
Control_Identifier
1Trigger-Request.
2Terminate-Request.
3SetPolicy.
4Result.
5PortalClear.
No.
Sub-attribute
Description
25
Result_Code
26
Connect_ID
28
Ftp_Directory
FTP user working directory. When the RADIUS client acts as the FTP server,
this attribute is used to set the FTP directory for an FTP user on the RADIUS
client.
29
Exec_Privilege
59
NAS_Startup_Timestamp
60
Ip_Host_Addr
61
User_Notify
Information that must be sent from the server to the client transparently.
User_HeartBeat
140
User_Group
User groups assigned after the SSL VPN user passes authentication. A user
might belong to more than one user group, which are separated by
semi-colons. This attribute is used to communicate with the SSL VPN
device.
141
Security_Level
Security level assigned after the SSL VPN user passes security
authentication.
201
Input-Interval-Octets
202
Output-Interval-Octets
203
Input-Interval-Packets
Number of packets input within an accounting interval in the unit set on the
NAS.
204
Output-Interval-Packets
205
Input-Interval-Gigawords
206
Output-Interval-Gigawords
207
Backup-NAS-IP
255
Product_ID
Product name.
62
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
1.
2.
Local authenticationConfigure local users and the related attributes, including the usernames
and passwords for the users to be authenticated.
Remote authenticationConfigure the required RADIUS, HWTACACS, and LDAP schemes.
You must configure user attributes on the servers accordingly.
Remarks
Configuring local users
Configuring AAA
schemes
21
Required.
Complete at least
one task.
Task
Configuring AAA
methods for ISP domains
Remarks
Creating an ISP domain
Required.
Optional.
Required.
Complete at least
one task.
Optional.
Required.
Optional.
Optional.
NOTE:
To use AAA methods to control access of login users, you must configure the authentication-mode
command. For more information, see Fundamentals Configuration Guide.
Service type.
Services that the user can use. Local authentication checks the service types of a local user. If none
of the service types is available, the user cannot pass authentication.
Service types include FTP, LAN access, portal, PPP, SSH, Telnet, terminal, and Web. Support for
the PPP service depends on the device model. For more information, see About the Configuration
Guides for HP Unified Wired-WLAN Products.
User state.
Indicates whether or not a local user can request network services. There are two user states: active
and blocked. A user in active state can request network services, but a user in blocked state
cannot.
User group.
22
Each local user belongs to a local user group and has all attributes of the group, such as the
password control attributes and authorization attributes. For more information about local user
group, see "Configuring user group attributes."
Binding attributes.
Binding attributes control the scope of users, and are checked during local authentication of a user.
If the attributes of a user do not match the binding attributes configured for the local user account,
the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address,
access port, MAC address, and native VLAN.
Authorization attributes.
Authorization attributes indicate the user's rights after it passes local authentication. Authorization
attributes include the ACL, PPP callback number, idle cut function, user level, user role, user profile,
VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see
"Configuring local user attributes."
Every configurable authorization attribute has its definite application environments and purposes.
When you configure authorization attributes for a local user, consider which attributes are needed
and which are not. For example, for PPP users, you do not need to configure the work directory
attribute.
You can configure an authorization attribute in user group view or local user view to make the
attribute effective for all local users in the group or for only the local user. The setting of an
authorization attribute in local user view takes precedence over that in user group view.
Remarks
Required.
Optional.
Optional.
When you use the password-control enable command to globally enable the password control
feature, local user passwords are not displayed. At the same time, you cannot use the password
hash cipher command to configure passwords for local users.
If the user interface authentication mode set by the authentication-mode command in user interface
view is AAA (scheme), command access for the login user depends on the privilege level
authorized to the user. If the user interface authentication mode is password (password) or no
authentication (none), command access for the login user depends on the level configured for the
23
user interface by using the user privilege level command in user interface view. For an SSH user
using public key authentication, command access for the login user depends on the level
configured for the user interface. For more information about user interface authentication mode
and user interface command level, see Fundamentals Configuration Guide.
You can configure the user profile authorization attribute in local user view, user group view, and ISP
domain view. The setting in local user view has the highest priority, and the setting in ISP domain
view has the lowest priority. For more information about user profiles, see "Configuring a user
profile."
If a local user is the only one security log manager in the system, this local user cannot be deleted.
You cannot change or delete the security log manager role of this user unless you specify another
local user as a security log manager.
Command
Remarks
1.
system-view
N/A
2.
local-user user-name
3.
4.
5.
6.
access-limit max-user-number
24
Step
Command
Remarks
Optional.
Configure password
control attributes for the
local user.
length:
password-control length
length
composition policy:
password-control composition
type-number type-number
[ type-length type-length ]
8.
Configure binding
attributes for the local user.
bind-attribute { call-number
call-number [ : subcall-number ] |
ip ip-address | location port
slot-number subslot-number
port-number | mac mac-address |
vlan vlan-id } *
Optional.
By default, no binding attribute is
configured for a local user.
Optional.
By default, no authorization attribute is
configured for a local user.
9.
Configure authorization
attributes for the local user.
authorization-attribute { acl
acl-number | callback-number
callback-number | idle-cut minute
| level level | user-profile
profile-name | user-role { guest |
guest-manager | security-audit }
| vlan vlan-id | work-directory
directory-name } *
validity-date time
expiration-date time
group group-name
Optional.
Not set by default.
Optional.
Not set by default.
Optional.
25
Command
Remarks
1.
system-view
N/A
2.
user-group group-name
N/A
Optional.
password-control aging
aging-time
length:
password-control length length
composition policy:
password-control composition
type-number type-number
[ type-length type-length ]
authorization-attribute { acl
acl-number | callback-number
4.
Configure authorization
attributes for the user group.
5.
group-attribute allow-guest
Command
Remarks
Available in any view.
26
Remarks
Required.
Required.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
27
Command
Remarks
1.
system-view
N/A
2.
N/A
Configure at least one
command.
By default, no
authentication/authorization
server is specified.
3.
Specify RADIUS
authentication/authorization
servers.
authentication/authorization server:
primary authentication { ip-address
| ipv6 ipv6-address } [ port-number
| key [ cipher | simple ] key | probe
username name [ interval interval ] ]
*
authentication/authorization server:
secondary authentication
{ ip-address | ipv6 ipv6-address }
[ port-number | key [ cipher |
simple ] key | probe username
name [ interval interval ] ] *
28
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
N/A
Configure at least one command.
3.
accounting server:
primary accounting
{ ip-address | ipv6
ipv6-address } [ port-number |
key [ cipher | simple ] key |
probe username name
[ interval interval ] ] *
accounting server:
secondary accounting
{ ip-address | ipv6
ipv6-address } [ port-number |
key [ cipher | simple ] key |
probe username name
[ interval interval ] ] *
4.
5.
retry realtime-accounting
retry-times
Enable buffering of
stop-accounting requests to
which no responses are
received.
stop-accounting-buffer enable
29
Step
6.
Command
Set the maximum number of
stop-accounting attempts.
Remarks
Optional.
The default setting is 500.
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
N/A
By default, no shared key is specified.
3.
key { accounting |
authentication } [ cipher |
simple ] key
Command
Remarks
1.
system-view
N/A
2.
Enter RADIUS
scheme view.
radius scheme
radius-scheme-name
N/A
30
Step
Command
Remarks
Optional.
By default, the ISP domain name is included in
a username.
3.
user-name-format
{ keep-original | with-domain |
without-domain }
4.
Optional.
The default unit is byte for data flows and
one-packet for data packets.
StandardUses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later.
When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the
RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.
Changing the RADIUS server type will restore the units for data flows and data packets that are sent to
the RADIUS server to be the defaults.
To set the RADIUS server type:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Optional.
The default RADIUS server type
is standard.
servers in active state. If no other servers are in active state at the time, the NAS considers the
authentication or accounting attempt a failure. For more information about RADIUS server states, see
"Setting the status of RADIUS servers."
The maximum number of transmission attempts of RADIUS packets multiplied by the RADIUS server
response timeout period cannot be greater than 75 seconds. For more information about the RADIUS
server response timeout timer, see "Setting RADIUS timers."
To set the maximum number of RADIUS request transmission attempts for a scheme:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
retry retry-times
Optional.
The default setting is 3.
When the primary server is in active state, the device communicates with the primary server.
If the primary server fails, the device changes the server's status to blocked, starts a quiet timer for
the server, and tries to communicate with a secondary server in active state (a secondary server
configured earlier has a higher priority).
If the secondary server is unreachable, the device changes the server's status to blocked, starts a
quiet timer for the server, and continues to check the next secondary server in active state. This
search process continues until the device finds an available secondary server or has checked all
secondary servers in active state.
If the quiet timer of a server expires or an authentication or accounting response is received from
the server, the status of the server automatically changes back to active, but the device does not
check the server again during the authentication or accounting process.
If no server is found reachable during one search process, the device considers the authentication
or accounting attempt a failure.
Once the accounting process of a user starts, the device continues to send the user's real-time
accounting requests and stop-accounting requests to the same accounting server.
If you remove the accounting server, real-time accounting requests and stop-accounting requests for
the user are no longer delivered to the server.
If you remove an authentication or accounting server in use, the communication of the device with
the server will soon time out, and the device will look for a server in active state by checking the
primary server first and then the secondary servers in the order they are configured.
When the primary server and secondary servers are all in blocked state, the device communicates
with the primary server. If the primary server is available, its status changes to active. Otherwise, its
status remains to be blocked.
If one server is in active state and all the others are in blocked state, the device only tries to
communicate with the server in active state, even if the server is unavailable.
32
After receiving an authentication/accounting response from a server, the device changes the status
of the server identified by the source IP address of the response to active if the current status of the
server is blocked.
The device does not change the status of an unreachable authentication or accounting server if the server
quiet timer is set to 0. Instead, the device keeps the server status as active and sends authentication or
accounting packets to another server in active state, so subsequent authentication or accounting packets
can still be sent to that server. For more information about the server quiet timer, see "Setting RADIUS
timers."
By default, the device sets the status of all RADIUS servers to active. In some situations, you might need
to change the status of a server. For example, if a server fails, you can change the status of the server to
blocked to avoid communication attempts to the server.
To set the status of RADIUS servers in a RADIUS scheme:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
server:
state primary accounting { active | block }
3.
authentication/authorization server:
state secondary authentication [ ip ipv4-address
| ipv6 ipv6-address ] { active | block }
4.
Optional.
N/A
2.
3.
Command
Remarks
1.
system-view
N/A
2.
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
N/A
3.
2.
If no backup source IP address is specified in the views, the NAS sends no backup source IP address to
the server.
To specify a backup source IP address for all RADIUS schemes:
34
Step
Command
Remarks
1.
system-view
N/A
2.
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
N/A
3.
nas-backup-ip ip-address
Server quiet timer (quiet)Defines the duration to keep an unreachable server in blocked state. If
one server is not reachable, the device changes the server's status to blocked, starts this timer for the
server, and tries to communicate with another server in active state. After the server quiet timer
expires, the device changes the status of the server back to active.
Real-time accounting timer (realtime-accounting)Defines the interval for the device to send
real-time accounting packets to the RADIUS accounting server for online users. To implement
real-time accounting, the device must periodically send real-time accounting packets to the
accounting server for online users.
For the same type of users, the maximum number of transmission attempts multiplied by the RADIUS
server response timeout period must be less than the client connection timeout time and cannot
exceed 75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the
primary/secondary server switchover cannot take place. For example, the product of the two
parameters must be less than 10 seconds for voice users and less than 30 seconds for Telnet users,
because the client connection timeout period for voice users is 10 seconds and that for Telnet users
is 30 seconds.
When you configure the maximum number of RADIUS packet transmission attempts and the
RADIUS server response timeout timer, consider the number of secondary servers. If the
retransmission process takes too long, the client connection in the access module may time out
while the device is trying to find an available server. For more information about the maximum
number of RADIUS packet transmission attempts, see "Setting the maximum number of RADIUS
request transmission attempts."
When a number of secondary servers are configured, the client connections of access modules that
have a short client connection timeout period may still be timed out during initial authentication or
accounting, even if the packet transmission attempt limit and server response timeout period are
configured with small values. In this case, the next authentication or accounting attempt can
35
succeed because the device has set the status of the unreachable servers to blocked and the amount
of time for finding a reachable server has been shortened.
Properly set the server quiet timer. Too short a quiet timer can result in frequent authentication or
accounting failures because the device has to repeatedly attempt to communicate with an
unreachable server that is in active state.
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
N/A
3.
timer response-timeout
seconds
4.
5.
timer
realtime-accounting
minutes
Optional.
The default RADIUS server response timeout
timer is 3 seconds.
Optional.
The default server quiet timer is 5 minutes.
Optional.
The default real-time accounting interval is 12
minutes.
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
N/A
3.
accounting-on enable
[ interval seconds | send
send-times ] *
Disabled by default.
The default interval is 3 seconds, and the
default number of send-times is 50.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
security-policy-server ip-address
After receiving EAP packets from an EAP client, the local EAP authentication server interacts with
the client, encapsulates the authentication information of the client into the RADIUS MS-CHAPv2
attribute and sends the attribute in a RADIUS authentication request to the RADIUS server.
2.
When a RADIUS server receives the requests, it resolves the authentication information in the
request, performs authentication, and then encapsulates and sends the authentication result in a
RADIUS packet to the local EAP authentication server.
To deploy the RADIUS offload feature, complete the following tasks on the device:
Configure the local EAP authentication server to use PEAP-MSCHAPv2 as the EAP authentication
method. For more information about the configuration, see "Configuring local EAP authentication."
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Disabled by default.
37
Step
Command
Remarks
1.
system-view
N/A
2.
radius scheme
radius-scheme-name
N/A
3.
attribute 25 car
The status of a RADIUS server changes. If the NAS receives no response to an accounting or
authentication request before the specified maximum number of RADIUS request transmission
attempts is exceeded, it considers the server unreachable, sets the status of the server to block, and
sends a trap message. If the NAS receives a response from a RADIUS server that it considers
unreachable, the NAS considers that the RADIUS server is reachable again, sets the status of the
server to active, and sends a trap message.
The ratio of failed transmission attempts to the total authentication request transmission attempts
exceeds a threshold. The threshold ranges from 1% to 100% and defaults to 30%. The threshold
can only be configured through the MIB.
Typically, the failure ratio is small. If a trap message is triggered because the failure ratio is higher than
the threshold, troubleshoot the configuration on and the communication between the NAS and the
RADIUS server.
To enable the trap function for RADIUS:
Step
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
38
Step
Command
Remarks
N/A
1.
system-view
2.
Optional.
Enabled by default.
Command
Remarks
display stop-accounting-buffer
{ radius-scheme radius-scheme-name |
session-id session-id | time-range start-time
stop-time | user-name user-name } [ | { begin
| exclude | include } regular-expression ]
Remarks
Required.
Required.
Optional.
Optional.
Required.
Optional.
Optional.
Optional.
Optional.
39
Command
Remarks
1.
system-view
N/A
2.
hwtacacs scheme
hwtacacs-scheme-name
Command
Remarks
1.
system-view
N/A
2.
N/A
Specify HWTACACS
authentication servers.
authentication server:
primary authentication ip-address
[ port-number ]
authentication server:
secondary authentication ip-address
[ port-number ]
Command
Remarks
1.
system-view
N/A
2.
N/A
Specify HWTACACS
authorization servers.
authorization server:
primary authorization ip-address
[ port-number ]
No authorization server
is specified by default.
authorization server:
secondary authorization ip-address
[ port-number ]
Command
Remarks
1.
system-view
N/A
2.
hwtacacs scheme
hwtacacs-scheme-name
N/A
Specify HWTACACS
accounting servers.
accounting server:
primary accounting ip-address
[ port-number ]
41
Step
4.
5.
Command
Remarks
Enable buffering of
stop-accounting requests to
which no responses are
received.
stop-accounting-buffer enable
Optional.
Enabled by default.
Optional.
The default setting is 100.
Command
Remarks
1.
system-view
N/A
2.
hwtacacs scheme
hwtacacs-scheme-name
N/A
By default, no shared key is specified.
3.
key { accounting |
authentication |
authorization } [ cipher |
simple ] key
Command
Remarks
1.
system-view
N/A
2.
hwtacacs scheme
hwtacacs-scheme-name
N/A
42
Step
Command
Remarks
Optional.
By default, the ISP domain name
is included in a username.
3.
4.
user-name-format { keep-original |
with-domain | without-domain }
2.
3.
Command
Remarks
1.
system-view
N/A
2.
Step
Command
Remarks
1.
system-view
N/A
2.
hwtacacs scheme
hwtacacs-scheme-name
N/A
3.
nas-ip ip-address
Primary server quiet timer (quiet)Defines the duration to keep an unreachable primary server in
blocked state. If a primary server is not reachable, the device changes the server's status to blocked,
starts this timer for the server, and tries to communicate with the secondary server if the secondary
server is configured and in active state. After the primary server quiet timer expires, the device
changes the status of the primary server back to active.
Command
Remarks
1.
system-view
N/A
2.
hwtacacs scheme
hwtacacs-scheme-name
N/A
3.
4.
Optional.
timer response-timeout seconds
Command
Remarks
display stop-accounting-buffer
hwtacacs-scheme hwtacacs-scheme-name
[ | { begin | exclude | include }
regular-expression ]
44
Task
Command
Remarks
reset stop-accounting-buffer
hwtacacs-scheme hwtacacs-scheme-name
Remarks
Required.
Required.
Optional.
Optional.
Optional.
Optional.
Required.
Required.
Optional.
Optional.
Command
Remarks
1.
system-view
N/A
2.
ldap scheme
ldap-scheme-name
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
authentication-server ip-address
[ port-number ]
45
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
authorization-server ip-address
[ port-number ]
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
protocol-version { v2 | v3 }
Optional.
LDAPv3 is used by default.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Optional.
The default LDAP server type is microsoft.
Command
Remarks
1.
system-view
N/A
2.
N/A
46
Step
Command
Set the LDAP server timeout
period.
3.
Remarks
Optional.
server-timeout time-interval
Command
Remarks
1.
system-view
N/A
2.
N/A
Not specified by default.
3.
login-dn dn-string
4.
Search base DN
Search scope
Username attribute
Username format
If the user group attribute is configured on the LDAP server, the user group attribute setting on the device
must match the setting on the LDAP server.
A user DN search starting from the root directory might take a long time if the LDAP server has many
levels of directories. To improve search efficiency, you can change the start point by specifying the search
base DN.
If the usernames configured on the LDAP server do not contain domain names, configure the device to
remove domain names from the usernames to be sent to the LDAP server. Otherwise, configure the device
to send usernames containing domain names to the LDAP server.
The Microsoft LDAP server defines a default user group attribute named memberOf. If the Microsoft LDAP
server is used, the device obtains the user group by searching for the user DN.
47
The IBM LDAP server and Sun LDAP server have no default user group attribute, and you can configure
a user group attribute by modifying the schema file on the LDAP server. If the IBM server or Sun server is
used and there is no user-defined user group attribute, the device figures out the user group by checking
each user group to see whether it contains the user DN. For more information about user group attribute
configuration, see "Configuring LDAP group attributes."
To configure LDAP user attributes:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
user-parameters search-base-dn
base-dn
4.
user-parameters search-scope
{ all-level | single-level }
Optional.
The default user search scope is
all-level.
Optional.
5.
user-parameters user-group-attribute
attribute-name
6.
user-parameters user-name-attribute
{ name-attribute | cn | uid }
7.
user-parameters user-name-format
{ with-domain | without-domain }
8.
user-parameters user-object-class
object-class-name
Search base DN
Search scope
48
Typically, the group object class and member name attribute take the default values defined by the server
manufacturers. If no default values are specified or you want to customize them, you can use commands
to configure the values.
A user group search starting from the root directory might take a long time if the LDAP server has many
levels of directories. To improve search efficiency, you can change the start point by specifying the search
base DN. Support for the group object class default and member name attribute default depends on the
LDAP server manufacturers. IBM and Sun support the default group object class and member name
attribute, but Microsoft does not have these defaults.
To configure LDAP group attributes:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
group-parameters search-base-dn
base-dn
4.
group-parameters search-scope
{ all-level | single-level }
5.
Specify a user-defined
group object class for
group search.
group-parameters group-object-class
object-class-name
Optional.
group-parameters
member-name-attribute
attribute-name
Optional.
group-parameters
group-name-attribute
{ name-attribute | cn | uid }
Optional.
6.
7.
Optional.
The default search scope for group
search is all-level.
Command
Remarks
49
The ISP domain specified for users with unknown domain names
Command
Remarks
1.
system-view
N/A
2.
domain isp-name
N/A
3.
quit
N/A
Optional.
By default, the default ISP domain is the
system-defined ISP domain system.
4.
5.
domain if-unknown
isp-name
To delete the ISP domain that is functioning as the default ISP domain, you must change it to a non-default
ISP domain by using the undo domain default enable command.
50
Domain statusBy placing the ISP domain to the active or blocked state, you allow or deny
network service requests from users in the domain.
Maximum number of online usersThe device controls the number of online users in a domain to
ensure reliable system performance and services.
Idle cutEnables the device to check the traffic of each online user in the domain at the idle timeout
interval, and to log out any user in the domain whose traffic during the idle timeout period is less
than the specified minimum traffic.
Self-service server locationAllows users to access the self-service server to manage their own
accounts and passwords. A self-service RADIUS server running on IMC is required for the
self-service server location function to work.
IP address pool for allocating addresses to PPP usersThe device assigns IP addresses from the
pool to PPP users in the domain.
Default authorization user profileIf a user passes authentication but is not authorized with a user
profile, the device authorizes the default user profile of the ISP domain to the user and restricts the
user's behavior based on the profile. For more information about user profiles, see "Configuring a
user profile."
Command
Remarks
1.
system-view
N/A
2.
domain isp-name
N/A
3.
4.
access-limit enable
max-user-number
Optional.
Optional.
5.
6.
51
Optional.
Disabled by default.
Step
Command
Remarks
ip pool pool-number
low-ip-address [ high-ip-address ]
8.
authorization-attribute
user-profile profile-name
9.
7.
Optional.
By default, no IP address pool is
configured for PPP users.
Optional.
By default, an ISP domain has no
default authorization user profile.
Optional.
session-time include-idle-time
No authentication (none)The method trusts all users and does not perform authentication. For
security purposes, do not use the method.
Local authentication (local)Authentication is performed by the NAS, which is configured with the
user information, including the usernames, passwords, and attributes. Local authentication provides
high speed and low cost benefits, but the amount of information that can be stored is limited by the
size of the storage space.
Remote authentication (scheme)The NAS works with a RADIUS, HWTACACS, or LDAP server to
authenticate users. Remote authentication provides centralized information management, high
capacity, high reliability, and support for centralized authentication service for multiple NASs. You
can configure local or no authentication as the backup method, which will be used when the remote
server is not available. The no authentication method can only be configured for LAN users as the
backup method of remote authentication.
You can configure AAA authentication to work alone without authorization and accounting.
By default, an ISP domain uses the local authentication method.
Configuration prerequisites
Before configuring authentication methods, complete the following tasks:
For RADIUS, HWTACACS, or LDAP authentication, configure the RADIUS, HWTACACS, or LDAP
scheme to be referenced first. Local and none authentication methods do not require a scheme.
Determine the access type or service type to be configured. With AAA, you can configure an
authentication method for each access type and service type to limit the authentication protocols
that users can use for access.
Determine whether to configure the default authentication method for all access types or service
types.
52
Configuration guidelines
When configuring authentication methods, follow these guidelines:
If you configure an authentication method that references a RADIUS scheme and an authorization
method that does not reference a RADIUS scheme, AAA accepts only the authentication result from
the RADIUS server. The Access-Accept message from the RADIUS server also includes the
authorization information, but the device ignores the information.
You can configure a default authentication method for an ISP domain. The default method will be
used for all users who support the authentication method and have no specific authentication
method configured.
You can configure local authentication (local) or no authentication (none) as the backup for remote
authentication that is used when the remote authentication server is unavailable.
Local authentication (local) and no authentication (none) cannot have a backup method.
By default, the device uses the login username of the user for level switching authentication if the
method for level switching authentication references an HWTACACS scheme. If the method for level
switching authentication references a RADIUS scheme, the system uses the username configured for
the corresponding privilege level on the RADIUS server for level switching authentication, rather
than the login username. A username configured on the RADIUS server is in the format $enablevel$,
where level specifies the privilege level that the user wants to enter. For example, if user user1 of
domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for
authentication when the domain name is required and uses $enab3$ for authentication when the
domain name is not required.
Configuration procedure
To configure authentication methods for an ISP domain:
Step
Command
Remarks
1.
system-view
N/A
2.
domain isp-name
N/A
3.
Optional.
4.
Specify the
authentication method
for LAN users.
Optional.
Specify the
authentication method
for login users.
Specify the
authentication method
for portal users.
5.
6.
53
Step
Command
Remarks
Optional.
7.
Specify the
authentication method
for PPP users.
8.
Specify the
authentication method
for privilege level
switching.
Specify the
authentication method
for users accessing
through APs.
9.
Local authorization (local)The NAS performs authorization according to the user attributes
configured for users.
Remote authorization (scheme)The NAS works with a RADIUS, HWTACACS, or LDAP server to
authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization
can work only after RADIUS authentication is successful, and the authorization information is
included in the Access-Accept message. HWTACACS/LDAP authorization is separate from
HWTACACS/LDAP authentication, and the authorization information is included in the
authorization response after successful authentication. You can configure local authorization or no
authorization as the backup method. The backup method will be used when the remote server is not
available.
Configuration prerequisites
Before configuring authorization methods, complete the following tasks:
1.
2.
Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type to limit the authorization protocols that
can be used for access.
54
3.
Determine whether to configure an authorization method for all access types or service types.
Configuration guidelines
When configuring authorization methods, follow these guidelines:
To configure RADIUS authorization, you must also configure RADIUS authentication, and reference
the same RADIUS scheme for RADIUS authentication and authorization. If the RADIUS
authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also
fails. If RADIUS authorization fails, the server sends an error message to the NAS, indicating that
the server itself is not responding.
You can configure a default authorization method for an ISP domain. This method will be used for
all users who support the authentication method and have no specific authorization method
configured.
You can configure local authorization (local) or no authorization (none) as the backup for remote
authorization that is used when the remote authorization server is unavailable.
Local authorization (local) and no authorization (none) cannot have a backup method.
Configuration procedure
To configure authorization methods for an ISP domain:
Step
Command
Remarks
1.
system-view
N/A
2.
domain isp-name
N/A
3.
Optional.
4.
Optional.
5.
Optional.
6.
7.
55
Step
Command
Remarks
Optional.
8.
No accounting (none)The NAS does not perform accounting for the users.
Local accounting (local)Local accounting is implemented on the NAS. It counts and controls the
number of concurrent users who use the same local user account. It does not provide statistics for
charging. The maximum number of concurrent users using the same local user account is set by the
access-limit command in local user view.
Remote accounting (scheme)The NAS works with a RADIUS server or HWTACACS server for
accounting. You can configure local or no accounting as the backup method, which will be used
when the remote server is not available.
Configuration prerequisites
Before configuring accounting methods, complete the following tasks:
1.
2.
Determine the access type or service type to be configured. With AAA, you can configure an
accounting method for each access type and service type to limit the accounting protocols that can
be used for access.
3.
Determine whether to configure an accounting method for all access types or service types.
Configuration guidelines
When configuring accounting methods, follow these guidelines:
You can configure a default accounting method for an ISP domain. This method will be used for all
users who support the accounting method and have no specific accounting method configured.
You can configure local accounting (local) or no accounting (none) as the backup for remote
accounting that is used when the remote accounting server is unavailable.
Local accounting (local) and no accounting (none) cannot have a backup method.
56
If you enable the accounting optional feature, the limit on the number of local user connections
does not take effect.
Configuration procedure
To configure accounting methods for an ISP domain:
Step
Command
Remarks
1.
system-view
N/A
2.
domain isp-name
N/A
Optional.
Disabled by default.
With the accounting optional
feature, a device allows users
to use network resources when
no accounting server is
available or communication
with all accounting servers
fails.
3.
accounting optional
4.
Optional.
5.
accounting command
hwtacacs-scheme
hwtacacs-scheme-name
Optional.
6.
Optional.
7.
Optional.
8.
Optional.
9.
57
2.
Command
Remarks
system-view
N/A
The command
applies only to LAN,
portal, and PPP user
connections.
Configuration procedure
To implement local EAP authentication, complete these tasks:
1.
Configure the local EAP authentication server. See "Configuring the local EAP authentication
server."
2.
Configure the device to use local authentication for LAN users. This step is optional. See
"Configuring authentication methods for an ISP domain."
3.
Configure local users on the device, or add users on an LDAP server and configure an LDAP
scheme on the device. See "Configuring local users," "Configuring LDAP schemes," or the user
manuals of the LDAP server.
4.
MD5 challenge
PEAP-GTC
PEAP-MSCHAPv2
58
TLS
TTLS
The device supports these user information query mechanisms: local query, LDAP query, and LDAP query
plus local query. With the last mechanism, local query is used when the LDAP server is not reachable, the
specified LDAP scheme does not exist, or the LDAP server does not support the query.
You can cannot modify or remove an EAP profile that is referenced by the local authentication server.
To configure the local EAP authentication server:
Step
Command
Remarks
1.
system-view
N/A
2.
eap-profile profile-name
N/A
By default, no EAP authentication
method is specified for an EAP profile.
3.
4.
5.
user-credentials { ldap-scheme
ldap-scheme-name [ local ] |
local }
Optional.
By default, the local user database is
used for user credential verification.
Perform this step when the EAP
authentication method of PEAP-GTC,
PEAP-MSCHAPv2, TLS, or TTLS is
configured.
ssl-server-policy policy-name
6.
quit
N/A
7.
local-server authentication
eap-profile profile-name
N/A
59
Step
Command
Remarks
system-view
N/A
1.
2.
3.
Command
Remarks
1.
system-view
N/A
2.
Command
Remarks
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings
are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Use the shared key expert to authenticate packets exchanged with the server.
IP network
Telnet user
AP
AC
Configuration procedure
1.
On the HWTACACS server, set the shared key to expert and add the Telnet user account
information. (Details not shown.)
2.
# Create an ISP domain bbb and set it as the default ISP domain.
[AC] domain bbb
61
[AC-isp-bbb] quit
[AC] domain default enable bbb
# Specify the primary authentication server and the service port number.
[AC-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server and the service port number.
[AC-hwtacacs-hwtac] primary authorization 10.1.1.1 49
# Configure the scheme to remove the domain name from a username before sending the
username to the HWTACACS server.
[AC-hwtacacs-hwtac] user-name-format without-domain
[AC-hwtacacs-hwtac] quit
# Use either of the following methods to configure the authentication and authorization methods:
{
Create an ISP domain, and configure authentication and authorization methods for all login
users in the domain.
[AC] domain bbb
[AC-isp-bbb] authentication login hwtacacs-scheme hwtac
[AC-isp-bbb] authorization login hwtacacs-scheme hwtac
[AC-isp-bbb] quit
Create an ISP domain, and configure the default authentication and authorization methods for
all types of users in the domain.
[AC] domain bbb
[AC-isp-bbb] authentication default hwtacacs-scheme hwtac
[AC-isp-bbb] authorization default hwtacacs-scheme hwtac
Telnet to the AC, and enter the correct username and password.
2.
Use the display connection command on the AC to display information about the user connection.
Use the shared key expert to authenticate packets exchanged with the server.
62
Add a local user account on the AC, and set both the username and password to telnet. The user uses
this account to Telnet to the AC.
Figure 11 Network diagram
Configuration procedure
The local authentication and HWTACACS authorization configuration described in this section applies to
other types of users if you correctly modify the service type in the commands.
# Assign IP addresses to the interfaces. (Details not shown.)
# Enable the Telnet server on the AC.
<AC> system-view
[AC] telnet server enable
# Create an ISP domain named bbb and set it as the default ISP domain.
[AC] domain bbb
[AC-isp-bbb] quit
[AC] domain default enable bbb
# Specify the primary authorization server and the service port number.
[AC-hwtacacs-hwtac] primary authorization 10.1.1.2 49
# Configure the scheme to remove the domain name from a username before sending the username to
the HWTACACS server.
[AC-hwtacacs-hwtac] user-name-format without-domain
[AC-hwtacacs-hwtac] quit
# Configure a local user with the name telnet and password telnet.
[AC] local-user telnet
[AC-luser-telnet] service-type telnet
[AC-luser-telnet] password simple telnet
Create an ISP domain, and configure authentication and authorization methods for all login users
in the domain.
Create an ISP domain, and configure the default authentication and authorization methods for all
types of users.
Telnet to the AC, and enter the username telnet and password telnet.
2.
Use the display connection command on the AC to display information about the user connection.
Vlan-int2
10.1.1.2/24
IP network
Telnet user
192.168.1.21/24
Configuration procedure
The AC does not support LDAP authorization. You can configure an HWTACACS scheme as the
authorization scheme to work with LDAP authentication. For more information about HWTACACS
scheme configuration, see "Configuring HWTACACS schemes."
1.
Configure user aaa and the administrator password on the LDAP server:
a. Select Administrative Tools > Active Directory Users and Computers from the Start menu or
launch it from the Windows Control Panel.
The Active Directory Users and Computers window appears.
b. Select Action > New > User in the top menu bar.
The New Object - User window appears.
64
c. Enter aaa in the First name, Full name, User logon name, and User logon name (pre-Windows
2000) fields, as shown in Figure 13, and then click Next.
Figure 13 Creating user aaa
d. Enter ldap!123456 in both the Password and Confirm password fields, select the password
strategy options as needed, and then click Next.
The New Object - User window closes.
Figure 14 Setting the user's password
h. Enter Users in the Enter the object names to select field and click OK.
User aaa is added to the group Users.
Figure 16 Adding user aaa to group Users
i.
Right-click Administrator and select Set Password from the shortcut menu.
j.
In the dialog box, set the password to admin!123456. (Details not shown.)
66
2.
# Assign the IP address 10.1.1.2/24 to interface VLAN-interface 2, through which Telnet users
access the AC.
[AC] vlan 2
[AC-vlan2] quit
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 10.1.1.2 24
[AC-Vlan-interface2] quit
# Create ISP domain bbb and set it as the default ISP domain.
[AC] domain bbb
[AC-isp-bbb] quit
[AC] domain default enable bbb
Configure the LDAP scheme to provide the authentication method for login users.
[AC] domain bbb
[AC-isp-bbb] authentication login ldap-scheme ldap1
[AC-isp-bbb] quit
Configure the LDAP scheme to provide the default authentication method for all types of users.
[AC] domain bbb
[AC-isp-bbb] authentication default ldap-scheme ldap1
67
Direct portal authentication so that the client can access the Internet only when portal authentication
is passed.
Include the domain name in the usernames sent to the RADIUS server.
Set the shared keys for secure RADIUS communication to expert, and set the ports for
authentication/authorization to 1812.
Figure 17 Network diagram
Configuration prerequisites
Configure IP addresses for the devices as shown in Figure 17 and make sure the devices can reach each
other. (Details not shown.)
e. In the Device List area, select the access device from the device list or manually add the device
with the IP address 10.1.1.2.
The IP address of the access device must be the same as the source IP address of the RADIUS
packets sent from the AC, which is chosen in the following order:
f. Click OK.
Figure 18 Adding an access device
2.
Add a service:
a. Click the Service tab.
b. From the navigation tree, select User Access Manager > Service Configuration.
The Service Configuration page appears.
c. Click Add.
The Add Service Configuration page appears, as shown in Figure 19.
d. Enter Portal-auth in the Service Name field.
e. Enter dm1 in the Service Suffix field.
Make sure the service suffix is the same as the name of the domain in which portal users are
authenticated.
f. Click OK.
69
3.
Add an account for portal users and assign the previous service to the account:
a. Click the User tab.
b. From the navigation tree, select Access User View > All Access Users.
The All Access Users page appears.
c. Click Add.
The Add Access User page appears, as shown in Figure 20.
d. In the Access Information area, configure the user account:
e. In the Access Service area, select Portal auth on the Access Service list.
f. Click OK.
Figure 20 Adding an access user account
70
c. In the Portal Page field, enter the URL address of the portal authentication main page, in the
format of http://ip:port/portal, where ip and port are those configured during IMC UAM
installation. The default setting of port 8080 is typically used.
d. Click OK.
Figure 21 Portal server configuration
2.
71
3.
4.
72
5.
Select User Access Manager > Service Parameters > Validate System Configuration from the
navigation tree to validate the portal server configuration.
Configuring the AC
1.
# Set the server type for the RADIUS scheme. To support IMC, set the server type to extended.
[AC-radius-rs1] server-type extended
# Specify the primary authentication server and the service port number.
[AC-radius-rs1] primary authentication 10.1.1.1 1812
# Set the shared key to expert in plain text for secure RADIUS communication.
[AC-radius-rs1] key authentication simple expert
# Specify the scheme to include the domain names in usernames to be sent to the RADIUS server.
[AC-radius-rs1] user-name-format with-domain
[AC-radius-rs1] quit
2.
3.
73
IP
Vlan
Interface
--------------------------------------------------------------------0015-e9a6-7cfe
192.168.1.58
Vlan-interface2
# Use the display connection command to view the connection information on the AC.
[AC] display connection
Index=20
,Username=portal@dm1
MAC=00-15-E9-A6-7C-FE
IP=192.168.1.58
IPv6=N/A
Online=03h01m37s
Implement authentication and authorization for the 802.1X user on the client through the RADIUS
server.
Include the domain name in the username sent to the RADIUS server. The username is dot1x@bbb.
Set the shared key for secure RADIUS communication to expert, and set the port for
authentication/authorization to 1812.
Configure the RADIUS server to assign the client to VLAN 4 when authentication is passed.
74
Configuration prerequisites
Configure the interfaces and VLANs as shown in Figure 26. Make sure the client can get a new IP
address manually or automatically and can access resources in the authorized VLAN after passing
authentication.
e. In the Device List area, select the access device from the device list or manually add the device
with the IP address 10.1.1.2.
The IP address of the access device must be the same as the source IP address of the RADIUS
packets sent from the AC, which is chosen in the following order:
f. Click OK.
75
2.
Add a service:
a. Click the Service tab.
b. From the navigation tree, select User Access Manager > Service Configuration.
The Service Configuration page appears.
c. Click Add.
The Add Service Configuration page appears, as shown in Figure 28.
d. Enter Dot1x auth in the Service Name field.
e. Enter bbb in the Service Suffix field.
Make sure the service suffix is the same as the name of the domain in which the 802.1X user
is authenticated.
f. If certificate authentication is required, configure parameters in the Authorization Information
area:
g. Click OK.
76
3.
Add an account for portal users and assign the previous service to the account:
a. Click the User tab.
b. From the navigation tree, select Access User View > All Access Users.
The All Access Users page appears.
c. Click Add.
The Add Access User page appears, as shown in Figure 29.
d. In the Access Information area, configure the access user:
e. In the Access Service area, select Dot1x auth on the Access Service list.
f. Click OK.
77
Configuring the AC
1.
# Set the server type for the RADIUS scheme. To support IMC, set the server type to extended.
[AC-radius-rad] server-type extended
# Specify the primary authentication server and the service port number.
[AC-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key to expert in plain text for secure RADIUS communication.
[AC-radius-rad] key authentication simple expert
# Specify the scheme to include the domain names in usernames to be sent to the RADIUS server.
[AC-radius-rad] user-name-format with-domain
[AC-radius-rad] quit
2.
3.
# Create a WLAN-ESS interface and configure the port security mode as userLoginSecureExt.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
78
# Configure the port to use mandatory authentication domain bbb. The AC will use the
authentication and authorization methods of this domain for all users accessing this port. This step
is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
[AC-WLAN-ESS1] quit
# Create an AP template named ap1, and specify its model as MSM460-WW and serial number
as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
Click the Authentication tab on the Properties dialog box of 802.1X connection, select the Enable
IEEE 802.1X authentication for this network option and select Protected EAP (PEAP) from the EAP
Type list.
2.
To use the iNode client, enter username dot1x@bbb and the correct password in the client property
window.
After the user passes authentication, the server assigns the port connecting the client to VLAN 4.
# Use the display connect command to view the connection information on the AC.
[AC] display connection
Index=22
, Username=dot1x@bbb
MAC=0015-e9a6-7cfe
IP=192.168.1.58
IPv6=N/A
Online=00h01m37s
Total 1 connection(s) matched.
79
, Username=dot1x@bbb
MAC=0015-e9a6-7cfe
IP=192.168.1.58
IPv6=N/A
Access=8021X
,AuthMethod=EAP
=12121212
InputGigawords=1
OutputOctets
=12120
OutputGigawords=0
Priority=Disable
SessionTimeout=60(s), Terminate-Action=Radius-Request
Start=2013-05-26 19:41:12 ,Current=2013-05-26 19:41:25 ,Online=00h00m14s
Total 1 connection matched.
The Authorized VLAN field in the output shows VLAN 4 has been assigned to the user.
Configure the authorized VLAN of VLAN 100 for the user group.
AP
Vlan-int2
192.168.1.1/24
AC
Configuration procedure
1.
Configure the 802.1X connection properties if the 802.1X client of Windows XP is used:
a. Open the Properties dialog box of the 802.1X connection.
b. On the Authentication tab, select the Enable IEEE 802.1X authentication for this network option
and select MD5-Challenge from the EAP Type list.
c. Click OK.
80
2.
# Create local user usera, and add the user to user group dot1x.
[AC] local-user usera
[AC-luser-usera] group dot1x
[AC-luser-usera] password simple 1234
[AC-luser-usera] service-type lan-access
[AC-luser-usera] quit
# Configure the local EAP authentication server, specifying to use EAP profile eapsvr.
[AC] local-server authentication eap-profile eapsvr
# Create a WLAN interface and configure the port security mode as userLoginSecureExt.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Configure the port to use mandatory authentication domain mydomain. The AC will use the
authentication, authorization, and accounting methods of this domain for all users accessing this
port. This step is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain mydomain
[AC-WLAN-ESS1] quit
81
# Create an AP template named ap1, and specify its model as MSM460-WW and serial number
as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
Trigger EAP authentication and enter the 802.1X username usera@mydomain and password
1234.
2.
Use the display connection command on the AC to view the user's connection information.
3.
Use the display interface wlan-dbss command to check that the WLAN-DBSS access port belongs
to VLAN 100.
Configure PEAP-MSCHAPv2 authentication between the 802.1X client and the AC.
Configure the AC and the RADIUS server to use the shared key expert to secure RADIUS
authentication and accounting.
82
Configuration prerequisites
To use the 802.1X client of Windows XP, configure the 802.1X connection properties as follows:
a. Open the Properties dialog box of the 802.1X connection.
b. On the Authentication tab, select the Enable IEEE 802.1X authentication for this network option
and select Protected EAP (PEAP) from the EAP Type list.
c. Click Properties, and in the popup dialog box, select Secured password (EAP-MSCHAP v2)
from the Select Authentication Method list and click OK.
d. Click OK.
To use the iNode client, configure the 802.1X connection properties as follows:
a. Open the Properties dialog box of the 802.1X connection in the iNode client.
b. On the General tab, select the Enable advanced authentication option and select the Certificate
authentication option.
c. Click OK.
On the RADIUS server, configure the shared key for authenticating packets exchanged with the AC
to expert, and add a username and password for the 802.1X user. (Details not shown.)
Configuration procedure
1.
2.
Create SSL server policy eapsvr and configure it to use PKI domain eappki.
<AC> system-view
[AC] ssl server-policy eapsvr
[AC-ssl-server-policy-eapsvr] pki-domain eappki
[AC-ssl-server-policy-eapsvr] quit
3.
# Configure the EAP profile to use SSL server policy eapsvr for EAP authentication.
[AC-eap-prof-eapsvr] ssl-server-policy eapsvr
[AC-eap-prof-eapsvr] quit
# Configure the local EAP authentication server, specifying to use EAP profile eapsvr.
[AC] local-server authentication eap-profile eapsvr
4.
Configure AAA:
# Configure a RADIUS scheme that supports the EAP offload function.
[AC] radius scheme radoff
[AC-radius-radoff] primary authentication 10.1.1.1
[AC-radius-radoff] primary accounting 10.1.1.1
[AC-radius-radoff] key authentication simple expert
[AC-radius-radoff] key accounting simple expert
83
5.
Configure 802.1X:
# Enable port security globally.
[AC] port-security enable
# Create a WLAN interface and configure the port security mode as userLoginSecureExt.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Configure the port to use mandatory authentication domain bbb. The AC will use the
authentication, authorization, and accounting methods of this domain for all users accessing this
port. This step is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
[AC-WLAN-ESS1] quit
# Create an AP template named ap1, and specify its model as MSM460-WW and serial number
as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
84
Use the display radius scheme radoff and display domain bbb commands to view AAA
configuration.
2.
Use the display dot1x interface wlan-ess1 command to view 802.1X configuration.
3.
After the 802.1X user passes EAP authentication by using the username in the username@bbb
format and successfully logs in, use the display connection command to display the user's
connection information.
Configure an ACS server to act as an HWTACACS server for Telnet user authentication. The IP
address of the server is 10.1.1.1/24.
Set the shared key for authenticating authentication packets to expert, and specify that usernames
sent to the HWTACACS server do not include domain names.
Configure the AC to use local authentication for the Telnet user and assign the privilege level of 0
for the user after login.
Configure the AC to use the HWTACACS server and, if HWTACACS authentication is not available,
use local authentication for level switching authenticate of the Telnet user.
Configuration procedure
1.
2.
# Create an ISP domain bbb and set it as the default ISP domain.
[AC] domain bbb
[AC-isp-bbb] quit
[AC] domain default enable bbb
# Specify the IP address of the primary authentication server as 10.1.1.1 and the port for
authentication as 49.
[AC-hwtacacs-hwtac] primary authentication 10.1.1.1 49
86
# Specify that usernames sent to the HWTACACS server do not include domain names.
[AC-hwtacacs-hwtac] user-name-format without-domain
[AC-hwtacacs-hwtac] quit
# Configure ISP domain bbb to use local authentication for Telnet users.
[AC] domain bbb
[AC-isp-bbb] authentication login local
# Configure to use HWTACACS scheme hwtac for privilege level switching authentication.
[AC-isp-bbb] authentication super hwtacacs-scheme hwtac
[AC-isp-bbb] quit
# Configure the user level of the Telnet user as 0 after user login.
[AC-luser-test] authorization-attribute level 0
[AC-luser-test] quit
# Configure the AC to use the HWTACACS server for level switching authentication, and to use
local authentication as the backup method.
[AC] super authentication-mode scheme local
Telnet to the AC from the client, and enter the username test and password aabbcc. After login,
you can access level 0 commands.
2.
# If the ACS server is not reachable, enter password 654321 as prompted for local authentication.
<AC> super 3
Password:
87
Configuration prerequisites
Configure the 802.1X connection properties if the 802.1X client of Windows XP is used:
a. Open the Properties dialog box of the 802.1X connection.
b. On the Authentication tab, select the Enable IEEE 802.1X authentication for this network option
and select the smart card or other certificates as the EAP authentication type.
To use the iNode client, configure the 802.1X connection properties as follows:
a. Open the Properties dialog box of the 802.1X connection in the iNode client.
b. On the General tab, select the Enable advanced authentication option and select the Certificate
authentication option.
c. Click Settings, and in the popup dialog box, select the EAP-TLS in the Authentication Type area
and click OK.
d. Click OK.
Configuration procedure
1.
2.
# Specify the domain to use local authentication/authorization. (Authorization for 802.1X users
by an LDAP server is not supported. Local authorization is used here)
[AC] domain bbb
[AC-isp-bbb] authentication lan-access local
[AC-isp-bbb] authorization lan-access local
[AC-isp-bbb] quit
# Configure the SSL server policy sp1, specifying the PKI domain to be used as eappki.
[AC] ssl server-policy sp1
[AC-ssl-server-policy-sp1] pki-domain eappki
[AC-ssl-server-policy-sp1] quit
# Use the LDAP database for user credential verification and reference the LDAP scheme ldap1.
[AC-eap-prof-eapsvr] user-credentials ldap-scheme ldap1
[AC-eap-prof-eapsvr] quit
# Configure the local EAP authentication server, specifying to use EAP profile eapsvr.
[AC] local-server authentication eap-profile eapsvr
# Create a WLAN interface and configure the port security mode as userLoginSecureExt.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
89
# Configure the port to use mandatory authentication domain bbb. The AC will use the
authentication, authorization, and accounting methods of this domain for all users accessing this
port. This step is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
[AC-WLAN-ESS1] quit
# Create an AP template named ap1, and specify its model as MSM460-WW and serial number
as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
Use the display dot1x interface wlan-ess 1 command to check the configuration.
2.
After the 802.1X user passes certificate-based EAP authentication, check the user's connectivity
status by using the display connection command.
Only users with the SSID aabbcc can use the guest account for login.
90
Internet
Client
AP
L2 switch
Client
Configuration prerequisites
Configure the 802.1X connection properties if the 802.1X client of Windows XP is used:
a. Open the Properties dialog box of the 802.1X connection.
b. On the Authentication tab, select the Enable IEEE 802.1X authentication for this network option
and select the smart card or other certificates as the EAP authentication type.
To use the iNode client, configure the 802.1X connection properties as follows:
a. Open the Properties dialog box of the 802.1X connection in the iNode client.
b. On the General tab, select the Enable advanced authentication option and select the Certificate
authentication option.
c. Click Settings, and in the popup dialog box, select the EAP-TLS in the Authentication Type area
and click OK.
d. Click OK.
Configuration procedure
1.
2.
Create the SSL server side policy eapsvr and specify the PKI domain as eappki.
<AC> system-view
[AC] ssl server-policy eapsvr
[AC-ssl-server-policy-eapsvr] pki-domain eappki
[AC-ssl-server-policy-eapsvr] quit
3.
91
# Configure the port to use mandatory authentication domain test. With this configuration, the AC
will use the authentication, authorization, and accounting methods of this domain for all 802.1X
users accessing the port. This configuration is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain test
[AC-WLAN-ESS1] quit
4.
5.
# Specify the SSL server side policy for EAP authentication as eapsvr.
[AC-eap-prof-eapsvr] ssl-server-policy eapsvr
[AC-eap-prof-eapsvr] quit
# Configure the local EAP authentication server, specifying to use EAP profile eapsvr.
[AC] local-server authentication eap-profile eapsvr
6.
7.
Create a user profile and configure it to permit users with an SSID of aabbcc. For more information
about SSID-based WLAN access control, see WLAN Configuration Guide.
[AC] user-profile manager
92
# Create guest account guest and specify the password and service type.
[AC] local-user guest
[AC-luser-guest] password simple guest
[AC-luser-guest] service-type lan-access
# Set the expiration time of the guest account to 12:00:00 on August 8, 2013.
[AC-luser-guest] expiration-date 12:00:00-2013/08/08
Troubleshooting AAA
Troubleshooting RADIUS
Symptom 1
User authentication/authorization always fails.
Analysis
Possible reasons include:
A communication failure exists between the NAS and the RADIUS server.
The username is not in the format userid@isp-name or the ISP domain is not correctly configured on
the NAS.
The RADIUS server and the NAS are configured with different shared keys.
Solution
Check the following:
The NAS and the RADIUS server can ping each other.
The username is in the userid@isp-name format and the ISP domain is correctly configured on the
NAS.
The same shared key is configured on both the RADIUS server and the NAS.
93
Symptom 2
RADIUS packets cannot reach the RADIUS server.
Analysis
Possible reasons include:
A communication failure exists between the NAS and the RADIUS server.
The NAS is not configured with the IP address of the RADIUS server.
The authentication/authorization and accounting UDP ports configured on the NAS are incorrect.
The RADIUS server's authentication/authorization and accounting port numbers are being used by
other applications.
Solution
Check the following:
The link between the NAS and the RADIUS server work well at both the physical and data link
layers.
The authentication/authorization and accounting UDP ports configured on the NAS are the same
as those of the RADIUS server.
The RADIUS server's authentication/authorization and accounting port numbers are available.
Symptom 3
A user is authenticated and authorized, but accounting for the user is not normal.
Analysis
The accounting server configuration on the NAS is not correct. Possible reasons include:
The accounting server IP address configured on the NAS is incorrect. For example, the NAS is
configured to use a single server to provide authentication, authorization, and accounting services,
but in fact the services are provided by different servers.
Solution
Check the following:
Troubleshooting HWTACACS
Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."
Troubleshooting LDAP
Symptom
User authentication/authorization fails.
94
Analysis
Possible reasons include:
A communication failure exists between the NAS and the LDAP server.
The LDAP server IP address or port number configured on the NAS is not correct.
The username is not in the format userid@isp-name, or the ISP domain is not correctly configured on
the NAS.
Some user attributes (for example, the username attribute) and the group attributes configured on
the NAS are not consistent with those configured on the server.
No user search base DN for authentication is specified for the LDAP scheme.
No group search base DN for authorization is specified for the LDAP scheme.
Solution
Check the following:
The NAS and the LDAP server can ping each other.
The IP addresses and port numbers of authentication and authorization servers configured on the
NAS match those of the servers.
The username is in the correct format and the ISP domain is correctly configured on the NAS.
The user attributes (for example, the username attribute) and group attributes configured on the
NAS are consistent with those configured on the LDAP servers.
95
802.1X overview
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN
committee for securing WLANs, and it has also been widely used on Ethernet networks for access
control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the
network access device (the authenticator), and the authentication server.
Figure 36 802.1X architecture
ClientA user terminal seeking access to the LAN. It must have 802.1X software to authenticate to
the network access device.
Network access deviceAuthenticates the client to control access to the LAN. In a typical 802.1X
environment, the network access device uses an authentication server to perform authentication.
Authentication serverProvides authentication services for the network access device. The
authentication server authenticates 802.1X clients by using the data sent from the network access
device, and returns the authentication results for the network access device to make access
decisions. The authentication server is typically a RADIUS server. In a small LAN, you can also use
the network access device as the authentication server.
Controlled portAllows incoming and outgoing traffic to pass through when it is in the authorized
state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown
in Figure 37. The controlled port is set in the authorized state if the client has passed authentication,
and in the unauthorized state, if the client has failed authentication.
96
In unauthorized state, a controlled port controls traffic in one of the following ways:
Performs bidirectional traffic control to deny traffic to and from the client.
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the
client, the network access device, and the authentication server. EAP is an authentication framework that
uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge,
EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the network
access device over a wired or wireless LAN. Between the network access device and the authentication
server, 802.1X delivers authentication information in one of the following methods:
Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in "EAP
relay."
Extracts authentication information from the EAP packets and encapsulates the information in
standard RADIUS packets, as described in "EAP termination."
97
Packet formats
EAP packet format
Figure 38 shows the EAP packet format.
Figure 38 EAP packet format
CodeType of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure
(4).
LengthLength (in bytes) of the EAP packet. The length is the sum of the Code, Identifier, Length,
and Data fields.
DataContent of the EAP packet. This field appears only in a Request or Response EAP packet. The
Data field comprises the request type (or the response type) and the type data. Type 1 (Identify) and
type 4 (MD5-challenge) are two examples for the type field.
15
7
PAE Ethernet type
Protocol version
2
Type
Length
4
6
Packet body
N
PAE Ethernet typeProtocol type. It takes the value 0x888E for EAPOL.
Protocol versionThe EAPOL protocol version used by the EAPOL packet sender.
TypeType of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by HP
implementation of 802.1X.
Table 5 Types of EAPOL packets
Value
Type
Description
0x00
EAP-Packet
0x01
EAPOL-Start
98
Value
Type
Description
0x02
EAPOL-Logoff
LengthData length in bytes, or length of the Packet body. If packet type is EAPOL-Start or
EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
Packet bodyContent of the packet. When the EAPOL packet type is EAP-Packet, the Packet body
field contains an EAP packet.
EAP-Message
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 40. The Type field
takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS
encapsulates it in multiple EAP-Message attributes.
Figure 40 EAP-Message attribute format
Message-Authenticator
RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute
to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum
is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP
authentication packets from being tampered with during EAP authentication.
Figure 41 Message-Authenticator attribute format
the authentication server does not support the multicast address, use an 802.1X client, the HP iNode
802.1X client for example, that can send broadcast EAPOL-Start packets.
Multicast trigger modeThe access device multicasts Identity EAP-Request packets periodically
(every 30 seconds by default) to initiate 802.1X authentication.
Unicast trigger modeUpon receiving a frame with the source MAC address not in the MAC
address table, the access device sends an Identity EAP-Request packet out of the receiving port to
the unknown MAC address. It retransmits the packet if no response has been received within a
certain time interval.
In EAP relay mode, the client must use the same authentication method as the RADIUS server. On
the network access device, you only need to use the dot1x authentication-method eap command
to enable EAP relay.
Some network access devices provide the EAP server function so you can use EAP relay even if the
RADIUS server does not support any EAP authentication method or no RADIUS server is available.
For the local EAP authentication configuration procedure, see "Configuring AAA."
100
Benefits
Limitations
authentication methods.
EAP relay
EAP termination
EAP relay
Figure 44 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5
is used.
101
Device
Authentication server
EAPOR
EAPOL
(1) EAPOL-Start
(2) EAP-Request/Identity
(3) EAP-Response/Identity
(10) EAP-Success
Port authorized
(11) EAP-Request/Identity
(12) EAP-Response/Identity
...
(13) EAPOL-Logoff
Port unauthorized
(14) EAP-Failure
1.
When a user launches the 802.1X client software and enters a registered username and password,
the 802.1X client software sends an EAPOL-Start packet to the network access device.
2.
The network access device responds with an Identity EAP-Request packet to ask for the client
username.
3.
In response to the Identity EAP-Request packet, the client sends the username in an Identity
EAP-Response packet to the network access device.
4.
The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request
packet to the authentication server.
5.
The authentication server uses the identity information in the RADIUS Access-Request to search its
user database. If a matching entry is found, the server uses a randomly generated challenge
(EAP-Request/MD5 challenge) to encrypt the password in the entry, and sends the challenge in a
RADIUS Access-Challenge packet to the network access device.
6.
The network access device relays the EAP-Request/MD5 Challenge packet in a RADIUS
Access-Request packet to the client.
7.
The client uses the received challenge to encrypt the password, and sends the encrypted password
in an EAP-Response/MD5 Challenge packet to the network access device.
8.
The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS
Access-Request packet to the authentication server.
102
9.
The authentication server compares the received encrypted password with the one it generated at
step 5. If the two are identical, the authentication server considers the client valid and sends a
RADIUS Access-Accept packet to the network access device.
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an
EAP-Success packet to the client, and sets the controlled port in the authorized state so the client
can access the network.
11. After the client comes online, the network access device periodically sends handshake requests to
check whether the client is still online. By default, if two consecutive handshake attempts fail, the
device logs off the client.
12. Upon receiving a handshake request, the client returns a response. If the client fails to return a
response after a certain number of consecutive handshake attempts (two by default), the network
access device logs off the client. This handshake mechanism enables timely release of the network
resources used by 802.1X users that have abnormally gone offline.
13. The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff.
14. In response to the EAPOL-Logoff packet, the network access device changes the status of the
controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.
EAP termination
Figure 45 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that
CHAP authentication is used.
103
In EAP termination mode, the network access device rather than the authentication server generates an
MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5
challenge together with the username and encrypted password in a standard RADIUS packet to the
RADIUS server.
104
Configuring 802.1X
This chapter describes how to configure 802.1X on an HP device. You can also configure the port security
feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It
applies to a network (for example, a WLAN) that requires different authentication methods for different
users on a port. For more information about port security, see "Configuring port security."
HP implementation of 802.1X
Access control methods
HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to
support MAC-based access control.
Port-based access controlOnce an 802.1X user passes authentication on a port, any subsequent
user can access the network through the port without authentication. When the authenticated user
logs off, all other users are logged off.
MAC-based access controlEach user is separately authenticated on a port. When a user logs off,
no other online users are affected.
VLAN manipulation
Assigns the VLAN to the port as the port VLAN (PVID). The authenticated 802.1X user
and all subsequent 802.1X users can access the VLAN without authentication.
When the user logs off, the previous PVID restores, and all other online users are
logged off.
105
Access control
VLAN manipulation
If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address
of each user to the VLAN assigned by the authentication server. The PVID of the port
does not change. When a user logs off, the MAC-to-VLAN mapping for the user is
removed.
MAC-based
If the port is an access, trunk, or MAC-based VLAN disabled hybrid port, assigns
the first authenticated user's VLAN to the port as the PVID. If a different VLAN is
assigned to a subsequent user, the user cannot pass the authentication. To avoid the
authentication failure of subsequent users, be sure to assign the same VLAN to all
802.1X users on these ports.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After
the assignment, do not reconfigure the port as a tagged member in the VLAN.
On a periodic online user re-authentication enabled port, if a user has been online before you enable the
MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user
unless the user passes re-authentication and the VLAN for the user has changed.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2 Configuration
Guide.
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X
authentication, so they can access a limited set of network resources, such as a software server, to
download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X
authentication, it is removed from the guest VLAN and can access authorized network resources.
Guest VLAN is supported only on ports that perform MAC-based access control. The following table
describes how the network access device handles VLANs on these ports.
Authentication status
VLAN manipulation
Creates a mapping between the MAC address of the user and the 802.1X guest
VLAN. The user can access resources in the guest VLAN.
If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user
to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest
VLAN.
Re-maps the MAC address of the user to the VLAN specified for the user.
If the authentication server assigns no VLAN, re-maps the MAC address of the
user to the initial PVID on the port.
To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make sure
that the port is a hybrid port, and enable MAC-based VLAN on the port.
The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2 Configuration
Guide.
Auth-Fail VLAN
You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication
because of the failure to comply with the organization security strategy, such as using a wrong password.
106
Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to
download anti-virus software and system patches.
The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for
authentication timeouts or network connection problems.
Auth-Fail VLAN is supported only on ports that perform MAC-based access control. The following table
describes how the network access device handles VLANs on these ports.
Authentication status
VLAN manipulation
Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can
access only resources in the Auth-Fail VLAN.
To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you
must ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.
The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2 Configuration
Guide.
ACL assignment
You can specify an ACL for an 802.1X user to control its access to network resources. After the user
passes 802.1X authentication, the authentication server, either the local access device or a RADIUS
server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the
ACL on the access device. You can change ACL rules while the user is online.
Configuration prerequisites
Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
If local authentication is used, create local user accounts on the access device and set the service
type to lan-access.
If you want to use EAP relay when the RADIUS server does not support any EAP authentication
method or no RADIUS server is available, configure the EAP server function on your network access
device.
For information about RADIUS client and local EAP authentication configuration, see "Configuring
AAA."
107
Remarks
Required.
By default, the 802.1X function of
port security is disabled.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
The authentication methods supported by the 802.1X client and the RADIUS server
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP
authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay.
To use EAP-TL, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make
your decision, see "Comparing EAP relay and EAP termination" for help.
For more information about EAP relay and EAP termination, see "802.1X authentication procedures."
To configure EAP relay or EAP termination:
108
Step
Enter system
view.
1.
Configure EAP
relay or EAP
termination.
2.
Command
Remarks
system-view
N/A
dot1x authentication-method
{ chap | eap | pap }
NOTE:
If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not
take effect. The access device sends the authentication data from the client to the server without any
modification.
authorized-forcePlaces the port in the authorized state, enabling users on the port to access the
network without authentication.
unauthorized-forcePlaces the port in the unauthorized state, denying any access requests from
users on the port.
autoPlaces the port initially in the unauthorized state to allow only EAPOL packets to pass, and
after a user passes authentication, sets the port in the authorized state to allow access to the network.
You can use this option in most scenarios.
You can set authorization state for one port in interface view, or for multiple ports in system view. If
different authorization state is set for a port in system view and interface view, the one set later takes
effect.
To set the authorization state of a port:
Step
1.
Enter system
view.
2.
Command
Remarks
system-view
N/A
In system view:
dot1x port-control { authorized-force | auto |
unauthorized-force } [ interface interface-list ]
109
2.
Specify an access
control method in
system view, Layer
2 Ethernet
interface view, or
WLAN-ESS
interface view.
Command
Remarks
system-view
N/A
In system view:
dot1x port-method { macbased |
portbased } [ interface interface-list ]
a. interface interface-type
interface-number
b. dot1x port-method { macbased |
portbased }
Command
Remarks
system-view
N/A
In system view:
2.
a. interface interface-type
interface-number
b. dot1x max-user user-number
[ interface interface-list ]
110
Command
Remarks
1.
system-view
N/A
2.
Client timeout timerStarts when the access device sends an EAP-Request/MD5 Challenge packet
to a client. If no response is received when this timer expires, the access device retransmits the
request to the client.
Server timeout timerStarts when the access device sends a RADIUS Access-Request packet to the
authentication server. If no response is received when this timer expires, the access device
retransmits the request to the server.
You can set the client timeout timer to a high value in a low-performance network, and adjust the server
timeout timer to adapt to the performance of different authentication servers. In most cases, the default
settings are sufficient.
To set the 802.1X authentication timeout timers:
Step
Command
Remarks
1.
system-view
N/A
2.
3.
111
of handshake attempts (set by the dot1x retry command), the network access device sets the user in the
offline state.
If iNode clients are deployed, you can also enable the online handshake security function to check for
802.1X users that use illegal client software to bypass security inspection such as dual network interface
cards (NICs) detection. This function checks the authentication information in client handshake messages.
If a user fails the authentication, the network access device logs the user off.
Configuration guidelines
Follow these guidelines when you configure the online user handshake function:
To use the online handshake security function, make sure the online user handshake function is
enabled. HP recommends that you use the iNode client software and IMC server to ensure the
normal operation of the online user handshake security function.
If the network has 802.1X clients that cannot exchange handshake packets with the network access
device, disable the online user handshake function to prevent their connections from being
inappropriately torn down.
Configuration procedure
To configure the online user handshake function:
Step
Command
Remarks
1.
system-view
N/A
2.
Optional.
3.
interface interface-type
interface-number
dot1x handshake
4.
5.
Multicast triggerPeriodically multicasts Identity EAP-Request packets out of a port to detect 802.1X
clients and trigger authentication.
Unicast triggerEnables the network device to initiate 802.1X authentication when it receives a
data frame from an unknown source MAC address. The device sends a unicast Identity
EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has
received no response within a period of time. This process continues until the maximum number of
112
request attempts set with the dot1x retry command (see "Setting the maximum number of
authentication request attempts") is reached.
The identity request timeout timer sets both the identity request interval for the multicast trigger and the
identity request timeout interval for the unicast trigger.
Configuration guidelines
Follow these guidelines when you configure the authentication trigger function:
Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start
packets to initiate 802.1X authentication.
Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the
network access device can both initiate 802.1X authentication.
Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these
clients cannot initiate authentication.
Configuration procedure
To configure the authentication trigger function on a port:
Step
Command
Remarks
1.
system-view
N/A
2.
Optional.
interface interface-type
interface-number
3.
N/A
Enable an
authentication trigger.
dot1x { multicast-trigger |
unicast-trigger }
113
Step
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
dot1x mandatory-domain
domain-name
Command
Remarks
1.
system-view
N/A
2.
dot1x quiet-period
3.
Optional.
The default setting is 60 seconds.
Command
Remarks
N/A
1.
system-view
2.
3.
interface interface-type
interface-number
N/A
dot1x re-authenticate
4.
114
Optional.
The default setting is 3600
seconds.
The periodic online user re-authentication timer can also be set by the authentication server in the
session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and
enables periodic online user re-authentication, even if the function is not configured. Support for the
server assignment of re-authentication timer and the re-authentication timer configuration on the server
vary with servers.
The VLAN assignment status must be consistent before and after re-authentication. If the authentication
server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If
the authentication server has assigned no VLAN before re-authentication, it must not assign one at
re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an
online user before and after re-authentication can be the same or different.
RADIUS server unreachable can cause an online user being re-authenticated to be logged off.
802.1X guest VLAN is supported only on a port that performs MAC-based access control.
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
ports can be different.
Assign different IDs to the PVID and the 802.1X guest VLAN on a port, so the port can correctly
process incoming VLAN tagged traffic.
Relationship description
Reference
MAC authentication
guest VLAN on a port that
performs MAC-based
access control
Configuration prerequisites
115
On the 802.1X-enabled port that performs MAC-based access control, configure the port as a
hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN
as an untagged member. For more information about the MAC-based VLAN function, see Layer 2
Configuration Guide.
Configuration procedure
To configure an 802.1X guest VLAN:
Step
Command
Remarks
N/A
1.
system-view
2.
Configure an 802.1X
guest VLAN for one or
more ports in system
view, Layer 2 Ethernet
interface view, or
WLAN-ESS interface
view.
In system view:
By default, no 802.1X
guest VLAN is
configured on any
port.
802.1X Auth-Fail VLAN is supported only on ports that perform MAC-based access control.
Assign different IDs to the PVID and the 802.1X Auth-Fail VLAN on a port, so the port can correctly
process VLAN tagged incoming traffic.
You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on
different ports can be different.
Relationship description
Reference
MAC authentication
guest VLAN on a port that
performs MAC-based
access control
Configuration prerequisites
On the 802.1X-enabled port that performs MAC-based access control, configure the port as a
hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an
untagged member. For more information about the MAC-based VLAN function, see Layer 2
Configuration Guide.
Configuration procedure
To configure an Auth-Fail VLAN:
Step
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
Command
Remarks
1.
system-view
N/A
2.
NOTE:
If you configure the access device to include the domain name in the username sent to the RADIUS server,
make sure the domain delimiter in the username can be recognized by the RADIUS server. For username
format configuration, see the user-name-format command in Security Command Reference.
117
If the iNode clients can upload their IP addresses during authentication, disable the accounting
delay feature for efficiency.
If the iNode clients cannot upload their IP addresses, make sure the delay setting is equal to or less
than the accounting delay that the EAD policy allows to prevent access failures. HP recommends a
delay equal to or less than 20 seconds.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Command
Remarks
118
Network requirements
As shown in Figure 46, the client at 192.168.1.10 connects to port WLAN-ESS 1 of the AC.
Perform 802.1X authentication on the port. Set the port security mode to userlogin-secure-ext.
Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server
at 10.1.1.2 as the accounting server.
Assign an ACL to WLAN-ESS 1 to deny the access of 802.1X users to the FTP server at 10.0.0.1.
Figure 46 Network diagram
Authentication servers
(RADIUS server cluster)
10.1.1.1
10.1.1.2
IP network
Client
AP
FTP server
192.168.1.10
10.0.0.1
AC
Configuration procedure
# Assign IP addresses to interfaces. (Details not shown.)
119
# Configure the RADIUS server and specify the ACL to be assigned. (Details not shown.)
# Configure the RADIUS scheme.
<AC> system-view
[AC] radius scheme 2000
[AC-radius-2000] primary authentication 10.1.1.1
[AC-radius-2000] primary accounting 10.1.1.2
[AC-radius-2000] key authentication abc
[AC-radius-2000] key accounting abc
[AC-radius-2000] user-name-format without-domain
[AC-radius-2000] quit
# Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the
domain.
[AC] domain 2000
[AC-isp-2000] authentication default radius-scheme 2000
[AC-isp-2000] authorization
# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1.
[AC] acl number 3000
[AC-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
# Set the port security mode to userlogin-secure-ext, and enable port-security tx-key-type 11key.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid vlan 2 untagged
[AC-WLAN-ESS1] port hybrid pvid vlan 2
[AC-WLAN-ESS1] mac-vlan enable
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
[AC-WLAN-ESS1] dot1x mandatory-domain 2000
# Disable the multicast trigger function and online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure the tkip and ccmp
cipher suite.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
120
[AC-wlan-st-1] quit
# Create an AP template named ap1 and its model is MSM460-WW, and configure the serial ID of the
AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
Index=1,Username=localuser@2000
MAC=00-40-96-B3-8A-77
IP=192.168.1.10
IPv6=N/A
Online=00h00m53s
Total 1 connection(s) matched.
[AC] display connection ucibindex 1
Index=1, Username= localuser@2000
MAC=00-40-96-B3-8A-77
IP=192.168.1.10
IPv6=N/A
Access=8021X
,AuthMethod=EAP
=12121212
InputGigawords=1
OutputOctets
=12120
OutputGigawords=0
Priority=Disable
Start=2013-06-30 17:29:39 ,Current=2013-06-30 17:30:51 ,Online=00h01m13s
Total 1 connection matched.
# Use the user account to pass authentication, and then ping the FTP server.
C:\>ping 10.0.0.1
121
The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.
122
One MAC-based user account for each user. The access device uses the source MAC addresses in
packets as the usernames and passwords of users for MAC authentication. This policy is suitable for
an insecure environment.
One shared user account for all users. You specify one username and password, which are not
necessarily a MAC address, for all MAC authentication users on the access device. This policy is
suitable for a secure environment.
Authentication approaches
You can perform MAC authentication on the access device (local authentication) or through a RADIUS
server.
Suppose a source MAC unknown packet arrives at a MAC authentication enabled port.
Local authentication:
If MAC-based accounts are used, the access device uses the source MAC address of the packet as
the username and password to search its local account database for a match.
If a shared account is used, the access device uses the shared account username and password to
search its local account database for a match.
RADIUS authentication:
If MAC-based accounts are used, the access device sends the source MAC address as the
username and password to the RADIUS server for authentication.
If a shared account is used, the access device sends the shared account username and password
to the RADIUS server for authentication.
123
For more information about configuring local authentication and RADIUS authentication, see
"Configuring AAA."
Offline detect timerSets the interval that the device waits for traffic from a user before it regards
the user idle. If a user connection has been idle within the interval, the device logs the user out and
stops accounting for the user.
Quiet timerSets the interval that the device must wait before it can perform MAC authentication
for a user that has failed MAC authentication. All packets from the MAC address are dropped
during the quiet time. This quiet mechanism prevents repeated authentication from affecting system
performance.
Server timeout timerSets the interval that the access device waits for a response from a RADIUS
server before it regards the RADIUS server unavailable. If the timer expires during MAC
authentication, the user cannot access the network.
ACL assignment
You can specify an ACL in the user account for a MAC authentication user to control its access to network
resources. After the user passes MAC authentication, the authentication server, either the local access
device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must
configure the ACL on the access device for the ACL assignment function. You can change ACL rules while
the user is online.
Guest VLAN
You can configure a guest VLAN to accommodate MAC authentication users that have failed MAC
authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of
network resources, such as a software server, to download anti-virus software and system patches. If no
124
MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any
network resources.
If a user in the guest VLAN passes MAC authentication, that user is removed from the guest VLAN and
can access all authorized network resources. If not, the user is still in the MAC authentication guest
VLAN.
A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not
re-configure the port as a tagged member in the VLAN.
MAC-after-portal
The MAC-after-portal feature triggers MAC authentication for only portal-authenticated users. The AC
allows only these users to pass MAC authentication and assigns them to VLANs that perform local
forwarding on an AP. For more information about local forwarding, see WLAN Configuration Guide.
When a user accesses the wireless network for the first time, the AC uses the process to implement the
MAC-after-portal feature:
1.
Identifies that the user is not portal authenticated and assigns the user to the MAC authentication
guest VLAN on the access interface.
2.
3.
4.
Assigns the user to the server-authorized VLAN that performs local forwarding. The AC issues the
MAC-VLAN entry of the user to the AP for local forwarding.
The portal module tags a portal-authenticated user as always online unless the idle-cut period is reached.
When the user accesses the network during the idle-cut period, the user passes MAC authentication
directly. The AC does not perform portal authentication because the user is tagged as portal
authenticated.
Remarks
Required.
Optional.
Optional.
Optional.
Create and configure an authentication domain, also called "an ISP domain."
125
For local authentication, create local user accounts, and specify the lan-access service for the
accounts.
For RADIUS authentication, check that the device and the RADIUS server can reach each other, and
create user accounts on the RADIUS server.
If you are using MAC-based accounts, make sure the username and password for each account is the
same as the MAC address of the MAC authentication users.
Command
Remarks
system-view
N/A
1.
2.
Enable MAC
authentication
globally.
mac-authentication
Configure MAC
authentication
timers.
mac-authentication timer
{ offline-detect offline-detect-value |
quiet quiet-value | server-timeout
server-timeout-value }
Optional.
Optional.
Configure the
properties of MAC
authentication user
accounts.
mac-authentication
user-name-format { fixed [ account
name ] [ password { cipher |
simple } password ] | mac-address
[ { with-hyphen | without-hyphen }
[ lowercase | uppercase ] ] }
3.
4.
Command
Remarks
system-view
N/A
126
Step
Command
Remarks
2.
a. interface interface-type
interface-number
b. mac-authentication
On a WLAN-ESS or WLAN-MESH
interface:
See "Configuring port security").
3.
Optional.
mac-authentication max-user user-number
Specify a global authentication domain in system view. This domain setting applies to all ports.
MAC authentication chooses an authentication domain for users on a port in the following order: the
port-specific domain, the global domain, and the default domain. For more information about
authentication domains, see "Configuring AAA."
To specify an authentication domain for MAC authentication users:
Step
1.
Command
Remarks
system-view
N/A
In system view:
2.
Specify an authentication
domain for MAC
authentication users in
system view or interface
view.
mac-authentication domain
domain-name
In interface view:
a. interface interface-type
interface-number
b. mac-authentication domain
domain-name
Command
Remarks
1.
system-view
N/A
2.
Enter WLAN-ESS
interface view.
interface interface-type
interface-number
N/A
3.
Specify a MAC
authentication guest
VLAN.
mac-authentication guest-vlan
guest-vlan-id
Follow the guidelines in Table 8 when configuring a MAC authentication guest VLAN on a port.
Table 8 Relationships of the MAC authentication guest VLAN with other security features
Feature
Relationship description
Reference
Enable the local portal server function in the MAC authentication guest VLAN.
Configure the MAC authentication guest VLAN, and specify it as the VLAN to perform centralized
forwarding.
Configure VLAN assignment for MAC-authenticated users, and specify the VLAN to perform local
forwarding.
128
Step
Command
Remarks
1.
system-view
N/A
2.
Enter WLAN-ESS
interface view.
interface interface-type
interface-number
N/A
3.
Configure
MAC-after-portal.
mac-authentication trigger
after-portal
Command
Remarks
Local users use their MAC address as the username and password for MAC authentication. The
MAC addresses are hyphen separated and in lower case.
The AC detects whether a user has gone offline every 180 seconds.
129
Authenticator
IP network
Client
AP
L2switch
MAC: 00-e0-fc-12-34-56
AC
Configuration procedure
# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address
of the user host, and enable LAN access service for the account.
<AC> system-view
[AC] local-user 00-e0-fc-12-34-56
[AC-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[AC-luser-00-e0-fc-12-34-56] service-type lan-access
[AC-luser-00-e0-fc-12-34-56] quit
# Configure ISP domain aabbcc.net to perform local authentication for access users.
[AC] domain aabbcc.net
[AC-isp-aabbcc.net] authentication lan-access local
[AC-isp-aabbcc.net] quit
# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and
passwords are hyphenated and in lower case.
[AC] mac-authentication user-name-format mac-address with-hyphen lowercase
# Create service template 2 of crypto type, configure its SSID as mac-authentication-local, and bind port
WLAN-ESS 0 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mac-authentication-local
[AC-wlan-st-2] bind wlan-ess 0
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
130
# Create an AP template named ap1, specify the model as MSM460-WW and serial number as
CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
From Port
Port Index
WLAN-DBSS0:0 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 0
Max number of on-line users is 4096
Current online user number is 1
MAC Addr
Authenticate State
00e0-fc12-3456
MAC_AUTHENTICATOR_AUTHOR
Index=1299,Username=00-e0-fc-l2-34-56@aabbcc.net
MAC=00-E0-FC-12-34-56
IP=N/A
IPv6=N/A
Online=00h00m53s
Total 1 connection(s) matched.
131
Auth Index
1299
The AC detects whether a user has gone offline every 180 seconds.
All MAC authentication users belong to ISP domain 2000 and share the user account aaa with
password 123456.
Configuration procedure
Make sure the RADIUS server and the AC can reach each other.
# Create a shared account for MAC authentication users on the RADIUS server, and set the username
aaa and password 123456 for the account. (Details not shown.)
# Configure IP addresses of the interfaces. (Details not shown.)
# Configure a RADIUS scheme.
<AC> system-view
[AC] radius scheme 2000
[AC-radius-2000] primary authentication 10.1.1.1 1812
[AC-radius-2000] primary accounting 10.1.1.2 1813
[AC-radius-2000] key authentication simple abc
[AC-radius-2000] key accounting simple abc
[AC-radius-2000] user-name-format without-domain
[AC-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
[AC] domain 2000
[AC-isp-2000] authentication default radius-scheme 2000
[AC-isp-2000] authorization default radius-scheme 2000
[AC-isp-2000] accounting default radius-scheme 2000
132
[AC-isp-2000] quit
# Configure the WLAN port security, using MAC and PSK authentication, and specify the domain 2000
as the authentication domain for MAC authentication users on the port.
[AC] interface wlan-ess 0
[AC-WLAN-ESS0] port-security port-mode mac-and-psk
[AC-WLAN-ESS0] port-security tx-key-type 11key
[AC-WLAN-ESS0] port-security preshared-key pass-phrase 12345678
[AC-WLAN-ESS0] mac-authentication domain 2000
[AC-WLAN-ESS0] quit
# Create service template 2 of crypto type, configure its SSID as mac-authentication-radius and bind
port WLAN-ESS 0 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mac-authentication-radius
[AC-wlan-st-2] bind wlan-ess 0
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1, specify the model as MSM460-WW and serial number as
CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Specify username aaa and plaintext password 123456 for the account shared by MAC authentication
users.
[AC] mac-authentication user-name-format fixed account aaa password simple 123456
133
From Port
Port Index
WLAN-DBSS0:7 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 0
Max number of on-line users is 4096
Current online user number is 1
MAC Addr
Authenticate State
000e-35b2-8be9
MAC_AUTHENTICATOR_SUCCESS
Auth Index
1297
Index=1297,Username=aaa@2000
MAC=00-0E-35-B2-8B-E9
IP=N/A
IPv6=N/A
Online=00h00m53s
Total 1 connection(s) matched.
134
IP network
Client
AP
FTP server
192.168.1.10
10.0.0.1
AC
Configuration procedure
Make sure the RADIUS server and the AC can reach each other.
1.
Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS
server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
2.
3.
# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
[AC] domain 2000
[AC-isp-2000] authentication default radius-scheme 2000
[AC-isp-2000] authorization default radius-scheme 2000
[AC-isp-2000] accounting default radius-scheme 2000
[AC-isp-2000] quit
# Configure the AC to use MAC-based user accounts, the MAC addresses are hyphen separated
and in lower case.
[AC] mac-authentication user-name-format mac-address with-hyphen lowercase
135
# Configure the WLAN port security, using MAC and PSK authentication, and specify the domain
2000 as the authentication domain for MAC authentication users on the port.
[AC] interface wlan-ess 0
[AC-WLAN-ESS0] port-security port-mode mac-and-psk
[AC-WLAN-ESS0] port-security tx-key-type 11key
[AC-WLAN-ESS0] port-security preshared-key pass-phrase 12345678
[AC-WLAN-ESS0] mac-authentication domain 2000
[AC-WLAN-ESS0] quit
# Create service template 2 of crypto type, configure its SSID as mac-authentication-acl, and bind
port WLAN-ESS 0 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mac-authentication-acl
[AC-wlan-st-2] bind wlan-ess 0
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1, specify the model as MSM460-WW and serial number as
CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
From Port
Port Index
WLAN-DBSS0:9 is link-up
136
Authenticate State
00e0-fc12-3456
MAC_AUTHENTICATOR_SUCCESS
Auth Index
1301
Index=1301,Username=00-e0-fc-12-34-56@2000
MAC=00-E0-FC-L2-34-56
IP=N/A
IPv6=N/A
Online=00h00m53s
Total 1 connection(s) matched.
# Ping the FTP server from the client to verify that the ACL 3000 has been assigned to port WLAN-ESS
0 to deny access to the FTP server.
<Client> ping 10.0.0.1
PING 10.0.0.1: 56
137
Security checkWorks after identity authentication succeeds to check whether the required
anti-virus software, virus definition file, and operating system patches are installed, and whether
there is any unauthorized software installed on the user host.
Resource access restrictionAllows users passing identity authentication to access only network
resources in the quarantined area, such as the anti-virus server and the patch server. Only users
passing both identity authentication and security check can access restricted network resources.
Authentication client
Access device
Portal server
Authentication/accounting server
138
Authentication client
Authentication client
Access device
Portal server
Authentication/accounting
server
Authentication client
Authentication client
An authentication client is an entity seeking access to network resources. It is typically an end-user
terminal such as a PC. A client can use a browser or portal client software for portal authentication. Client
security check is implemented through communications between the client and the security policy server.
To implement security check, the client must be the HP iNode client.
Access device
Access devices control user access. An access device can be a switch or router that provides the
following functions:
Redirecting all HTTP requests from unauthenticated users to the portal server.
Interacting with the portal server, the security policy server, and the authentication/accounting
server for identity authentication, security check, and accounting.
Allowing users who have passed identity authentication and security check to access granted
Internet resources.
Portal server
A portal server listens to authentication requests from authentication clients and exchanges client
authentication information with the access device. It provides free portal services and pushes Web
authentication pages to users.
A portal server can be an entity independent of the access device or an entity embedded in the access
device. In this document, the term "portal server" refers to an independent portal server, and the term
"local portal server" refers to an embedded portal server.
Authentication/accounting server
An authentication/accounting server implements user authentication and accounting through interaction
with the access device.
Only a RADIUS server can serve as the remote authentication/accounting server in a portal system.
When an unauthenticated user enters a website address in the browser's address bar to access the
Internet, the system creates an HTTP request and sends it to the access device. The access device
then redirects the HTTP request to the portal server's Web authentication homepage. For extended
portal functions, authentication clients must run the portal client software.
2.
On the authentication homepage/authentication dialog box, the user enters and submits the
authentication information, which the portal server then transfers to the access device.
3.
Upon receipt of the authentication information, the access device communicates with the
authentication/accounting server for authentication and accounting.
4.
After successful authentication, the access device checks whether there is a corresponding security
policy for the user. If not, it allows the user to access the Internet. Otherwise, the client
communicates with the access device and the security policy server for security check. If the client
passes the security check, the security policy server authorizes the user to access the Internet
resources.
NOTE:
Portal authentication supports NAT traversal whether it is initiated by a Web client or an HP iNode client.
When the portal authentication client is on a private network, but the portal server is on a public network
and the access device is enabled with NAT, network address translations performed on the access device
do not affect portal authentication. However, in such a case, HP recommends using an interface's public
IP address as the source address of outgoing portal packets.
No security policy server is needed for local portal service because the portal system using the local
portal server does not support extended portal functions.
The local portal server function of the access device implements only some simple portal server functions.
It only allows users to log on and log off through the Web interface. It cannot take the place of an
independent portal server.
Protocols used for interaction between the client and local portal server
You can use HTTP and HTTPS for interaction between an authentication client and an access device
providing the local portal server function. If you use HTTP, there are potential security problems because
HTTP packets are transferred in plain text. If you use HTTPS, secure data transmission is ensured because
HTTPS packets are transferred in cipher text based on SSL.
140
Logon page
Online page
A local portal server pushes a corresponding authentication page at each authentication phase. If you
do not customize the authentication pages, the local portal server pushes the default authentication
pages. For information about authentication page customization rules, see "Customizing authentication
pages."
Direct authentication
Before authentication, a user manually configures a public IP address or directly obtains a public IP
address through DHCP, and can access only the portal server and predefined free websites. After
passing authentication, the user can access the network resources. The process of direct authentication
is simpler than that of re-DHCP authentication.
Re-DHCP authentication
Before authentication, a user gets a private IP address through DHCP and can access only the portal
server and predefined free websites. After passing authentication, the user is allocated a public IP
address and can access the network resources. No public IP address is allocated to those who fail
authentication. This solves the IP address planning and allocation problem. For example, a service
provider can allocate public IP addresses to broadband users only when they access networks beyond
the residential community network.
The local portal server does not support re-DHCP portal authentication. IPv6 portal authentication does
not support the re-DHCP authentication mode.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to
be present between the authentication client and the access device.
141
In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client's IP address
is used for client identification. After a client passes authentication, the access device generates an ACL
for the client based on the client's IP address to permit packets from the client to go through the access
port. Because no Layer 3 devices are present between the authentication clients and the access device in
direct authentication and re-DHCP authentication, the access device can directly learn the clients' MAC
addresses, and can enhance the capability of controlling packet forwarding by also using the learned
MAC addresses.
As shown in Figure 52, the authentication client and the portal server exchange EAP authentication
packets. The portal server and the access device exchange portal authentication packets that carry the
EAP-Message attributes. The access device and the RADIUS server exchange RADIUS packets that carry
the EAP-Message attributes. The RADIUS server that supports the EAP server function processes the EAP
packets encapsulated in the EAP-Message attributes, and provides the EAP authentication result. During
the whole EAP authentication process, the access device does not process the packets that carry the
EAP-Message attributes, but only transports them between the portal server and the RADIUS server.
Therefore, no additional configuration is needed on the access device.
NOTE:
To use portal authentication that supports EAP, the portal server and client must be the HP IMC portal
server and the HP iNode portal client.
142
An authentication client initiates authentication by sending an HTTP request. When the HTTP
packet arrives at the access device, the access device allows it to pass if it is destined for the portal
server or a predefined free website, or redirects it to the portal server if it is destined for other
websites. The portal server pushes a Web authentication page to the user, and the user enters the
username and password.
2.
The portal server and the access device exchange CHAP messages. This step is skipped for PAP
authentication.
3.
The portal server assembles the username and password into an authentication request message,
and it sends the message to the access device. Meanwhile, the portal server starts a timer to wait
for an authentication acknowledgment message.
4.
The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
5.
6.
The portal server sends an authentication success message to the authentication client to notify it of
logon success.
7.
The portal server sends an authentication reply acknowledgment message to the access device.
The security policy server exchanges security check information with the authentication client to
check whether the authentication client meets the security requirements.
9.
Based on the security check result, the security policy server authorizes the user to access certain
resources, and sends the authorization information to the access device. The access device then
controls access of the user based on the authorization information.
143
Portal server
Access device
Authentication/
accounting server
Security
policy server
1) Initiate a connection
2) CHAP authentication
3) Authentication request
4) RADIUS
authentication
Timer
5) Authentication reply
6) Authentication
succeeds
7) The user obtains
a new IP address
8) Discover user IP change
11) IP change
acknowledgment
12) Security check
13) Authorization
After receiving the authentication success message, the authentication client obtains a new public
IP address through DHCP and notifies the portal server that it now has a public IP address.
8.
The portal server notifies the access device that the authentication client has obtained a new public
IP address.
9.
Detecting the change of the IP address by examining ARP packets received, the access device
notifies the portal server of the change.
10. The portal server notifies the authentication client of logon success.
11. The portal server sends a user IP address change acknowledgment message to the access device.
With extended portal functions, the process includes additional steps:
12. The security policy server exchanges security check information with the authentication client to
check whether the authentication client meets the security requirements.
13. Based on the security check result, the security policy server authorizes the user to access certain
resources, and sends the authorization information to the access device. The access device then
controls access of the user based on the authorization information.
144
With the local portal server, the direct/cross-subnet authentication process is as follows:
1.
A portal client initiates authentication by sending an HTTP request. When the HTTP packet arrives
at an access device using the local portal server, it is redirected to the local portal server, which
then pushes a Web authentication page for the user to enter the username and password. The
listening IP address of the local portal server is the IP address of a Layer 3 interface on the access
device that can communicate with the portal authentication client.
2.
The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
3.
If the user passes authentication, the local portal server pushes a logon success page to the
authentication client, informing the user of the authentication (logon) success.
All portal authentication modes share the same EAP authentication steps. The following example uses
direct portal authentication to show the EAP authentication process:
1.
The authentication client sends an EAP Request/Identity message to the portal server to initiate an
EAP authentication process.
145
2.
The portal server sends a portal authentication request to the access device, and starts a timer to
wait for the portal authentication reply. The portal authentication request contains several
EAP-Message attributes, which are used to encapsulate the EAP packet sent from the
authentication client and carry the certificate information of the client.
3.
After the access device receives the portal authentication request, it constructs a RADIUS
authentication request and sends the request to the RADIUS server. The EAP-Message attributes in
the RADIUS authentication request are those carried in the received portal authentication request.
4.
The access device sends a certificate request to the portal server according to the reply received
from the RADIUS server. The certificate request also contains several EAP-Message attributes,
which are used to transfer the certificate information of the RADIUS server. The EAP-Message
attributes in the certificate request are those carried in the RADIUS authentication reply.
5.
After receiving the certificate request, the portal server sends an EAP authentication reply to the
authentication client, carrying the EAP-Message attribute values.
6.
The authentication client sends another EAP request to continue the EAP authentication with the
RADIUS server, during which there may be several portal authentication requests. The subsequent
authentication processes are the same as that initiated by the first EAP request, except that the EAP
request types vary with the EAP authentication phases.
7.
After the authentication client passes the EAP authentication, the RADIUS server sends an
authentication reply to the access device. This reply carries the EAP-Success message in the
EAP-Message attribute.
8.
The access device sends an authentication reply to the portal server. This reply carries the
EAP-Success message in the EAP-Message attribute.
9.
The portal server notifies the authentication client of the authentication success.
10. The portal server sends an authentication reply acknowledgment to the access device.
The remaining steps are for extended portal authentication. For more information about the steps, see the
portal authentication process with CHAP/PAP authentication.
The access device sends a MAC binding query to the MAC binding server.
2.
When the MAC binding server receives the query, it checks whether the MAC address is bound
with a portal user account.
{
If yes, the MAC binding server obtains the account information of the portal user, and sends the
username and password of the user to the access device to initiate portal authentication. The
user can pass portal authentication without entering the username and password.
146
If not, the MAC binding server notifies the access device to perform normal portal
authentication for the user. The access device redirects the subsequent HTTP packet of the user
to the portal server, which provides a portal authentication page for the user. The user must enter
the username and password to pass portal authentication.
MAC-triggered authentication provides a quick, effective portal authentication for users whose MAC
addresses have been bound with portal user accounts on the MAC binding servers.
A MAC binding server is required for MAC-triggered authentication. An HP IMC portal server should be
used as the MAC binding server. The MAC-to-account bindings of portal users are recorded on the MAC
binding server.
A MAC binding server performs the following functions:
Records bindings between endpoints (identified by MAC addresses) and user accounts. The
bindings facilitate user auditing.
Endpoint-to-account bindings are added to the endpoint device list of the MAC binding server in
the following ways:
{
The MAC binding server automatically learns and records the binding between an endpoint
and an account. The binding does not update automatically. The endpoint is bound only to the
first account that passes authentication on the endpoint, no matter how many accounts pass
authentication later. To unbind the endpoint and the account, you need to delete the binding
from the endpoint device list.
A user manually adds endpoint-to-account bindings on the user self-service center. This method
allows multiple endpoints to be bound to an account.
On an HP IMC portal server, you can configure the fast authentication on smart terminals function to
implement MAC-triggered authentication. For more information about the configuration procedure, see
the configuration manuals for the IMC portal server.
Overview
Stateful failover supports hot backup of services on two devices. Stateful failover can be configured on
key devices to avoid service interruptions caused by single point failures. When operating normally, the
two devices synchronize service information. If one device fails, the other device takes over the services.
147
To implement stateful failover, specify an stateful failover interface on each device and connect the two
stateful failover interfaces through a failover link, or specify a dedicated VLAN (called the backup VLAN)
on each device for stateful failover packets. When both a failover link and a backup VLAN are
configured, add the physical ports at the two ends of the failover link to the backup VLAN. For more
information about the stateful failover feature, see High Availability Configuration Guide.
Figure 57 Network diagram for portal stateful failover configuration
As shown in Figure 57, users have to pass portal authentication to access the Internet. To avoid portal
service interruption caused by single point failures, deploy two access devices (Gateway A and
Gateway B) and configure the portal stateful failover function so that they back up the portal online user
information of each other through the failover link. If either one (Gateway A or Gateway B) fails, the
other can guarantee the normal data communication of the online portal users and perform portal
authentication for new portal users.
Basic concepts
1.
Device states:
{
2.
IndependenceA stable running status of a device when it does not establish the failover link
with the other device.
SynchronizationA stable running status of a device when it establishes the failover link with
the other device successfully and is ready for data backup.
User modes:
{
Stand-aloneIndicates that the user data is stored on the local device only. Currently, the local
device is in independence state or it is in synchronization state, but it has not synchronized the
user data to the peer device yet.
148
PrimaryIndicates that the user logs in from the local device, and the user data is generated on
the local device. The local device is in synchronization state and ready for receiving and
processing packets from the server.
SecondaryIndicates that the user logs in from the peer device, and the user data is
synchronized from the peer device to the local device. The local device is in synchronization
state. It only receives and processes the synchronization messages and does not process
packets from the server.
Remarks
Required.
Optional.
Required.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
Optional.
149
Task
Remarks
Optional.
Optional.
Optional.
Configuration prerequisites
Although the portal feature provides a solution for user identity authentication and security check, the
portal feature cannot implement this solution by itself. RADIUS authentication must be configured on the
access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:
The portal server and the RADIUS server have been installed and configured properly. Local portal
authentication requires no independent portal server be installed.
With re-DHCP authentication, the IP address check function of the DHCP relay agent is enabled on
the access device, and the DHCP server is installed and configured properly.
The portal client, access device, and servers can reach each other.
With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS
server, and the RADIUS client configurations are performed on the access device. For information
about RADIUS client configuration, see "Configuring AAA."
To implement extended portal functions, install and configure IMC EAD, and make sure that the
ACLs configured on the access device correspond to those specified for the resources in the
quarantined area and for the restricted resources on the security policy server. For information
about security policy server configuration on the access device, see "Configuring AAA."
For installation and configuration about the security policy server, see IMC EAD Security Policy Help.
The ACL for resources in the quarantined area and that for restricted resources correspond to isolation
ACL and security ACL on the security policy server.
You can modify the authorized ACLs on the access device. However, your changes take effect only for
portal users logging on after the modification.
To configure a remote portal server, specify the IP address of the remote portal server.
To use the local portal server of the access device, specify the IP address of a Layer 3 interface on
the device as the portal server's IP address. The specified interface must be reachable to the client.
Follow these guidelines when you specify a portal server for Layer 3 authentication:
150
The specified parameters of a portal server can be modified or deleted only if the portal server is
not referenced on any interface.
For local portal server configuration, the keywords key, port, and url are usually not required and,
if configured, do not take effect. When using local portal servers for stateful failover in wireless
environments, however, the keyword url is required and the address format must be
http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm. Which address
format is used depends the protocol type (HTTP or HTTPS, configured by the portal local-server
command) supported by the local portal servers. The ip-address is the virtual IP address of the VRRP
group to which the downlink belongs.
When a local portal server is used, the re-DHCP portal authentication mode (redhcp) can be
configured but, if configured, does not take effect.
The maximum number of portal servers that you can specify on the access device depends on the
device model. For more information, see About the Command References for HP Unified
Wired-WLAN Products.
2.
Command
Remarks
system-view
N/A
By default, no portal server is specified.
Specify a portal
server and configure
related parameters.
only some of the main authentication pages, the system uses the default authentication pages for the
undefined ones.
For the local portal server to operate normally and steadily, use the following rules when customizing
authentication pages:
File name
Logon page
logon.htm
logonSuccess.htm
logonFail.htm
Online page
Pushed after the user gets online for online notification
System busy page
Pushed when the system is busy or the user is in the logon process
Logoff success page
online.htm
busy.htm
logoffSuccess.htm
Get requestsUsed to get the static files in the authentication pages and allow no recursion. For
example, if file Logon.htm includes contents that perform Get action on file ca.htm, file ca.htm
cannot include any reference to file Logon.htm.
Post requestsUsed when users submit username and password pairs, log on the system, and log
off the system.
2.
An authentication page can have multiple forms, but there must be one and only one form
whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.
The username attribute is fixed as PtUser. The password attribute is fixed as PtPwd.
Attribute PtButton is required to indicate the action that the user requests, either Logon or Logoff.
A logon Post request must contain PtUser, PtPwd, and PtButton attributes.
Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
The following example shows part of the script in page logon.htm.
<form action=logon.cgi method = post >
<p>User name:<input type="text" name = "PtUser" style="width:160px;height:22px"
maxlength=64>
<p>Password :<input type="password" name = "PtPwd" style="width:160px;height:22px"
maxlength=32>
152
3.
Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
The following example shows part of the script in page online.htm.
<form action=logon.cgi method = post >
<p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
</form>
A set of authentication page files must be compressed into a standard zip file. The name of a zip
file can contain only letters, numerals, and underscores. The zip file of the default authentication
pages must be saved with name defaultfile.zip.
The set of authentication pages must be located in the root directory of the zip file.
You can transfer zip files to the device through FTP or TFTP. You must save the default authentication
pages file in the root directory of the device. You can save other authentication files in the root
directory or the portal directory under the root directory of the device.
Examples of zip files on the device:
<Sysname> dir
Directory of flash:/portal/
0
-rw-
1405
ssid2.zip
-rw-
1405
ssid1.zip
-rw-
1405
ssid3.zip
-rw-
1405
ssid4.zip
The size of the zip file of each set of authentication pages, including the main authentication pages
and the page elements, must be no more than 500 KB.
The size of a single page, including the main authentication page and its page elements, must be
no more than 50 KB before being compressed.
Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page named logonSuccess.htm.
If the user initiates another authentication through the logon page, the system pushes the online page
named online.htm. You can configure the device to forcibly log off the user when the user closes either of
these two pages. To do so, add the following contents in logonSuccess.htm and online.htm:
1.
2.
3.
4.
The following is a script example with the added contents highlighted in gray:
<html>
<head>
153
If a user refreshes the logon success or online page, or jumps to another website from either of the pages,
the device also logs off the user.
Only Microsoft IE, Mozilla Firefox, and Apple Safari browsers support the device to log off the user when
the user closes the logon success or online page. Google Chrome, Opera, and other browsers do not
support this function.
Make sure the browser of an authentication client permits pop-ups or permits pop-ups from the access
device. Otherwise, the user cannot log off by closing the logon success or online page, and can only
click Cancel to return back to the logon success or online page.
2.
NOTE:
HP recommends using Microsoft IE 6.0 or later on the authentication clients.
Configuration prerequisites
To configure the local portal server to support HTTPS, complete the following configurations first:
154
Configure PKI policies, obtain the CA certificate, and apply for a local certificate. For more
information, see "Configuring PKI."
Configure the SSL server policy, and specify the PKI domain to be used, which is configured in the
above step. For more information, see "Configuring SSL."
When you specify the protocol for the local portal server to support, the local portal server loads the
default authentication page file, which is supposed to be saved in the root directory of the device.
Therefore, to make sure the local portal server uses the user-defined default authentication pages, you
must edit and save them properly or else the system default authentication pages are used.
Configuration procedure
To configure the local portal server:
Step
Command
Remarks
1.
system-view
N/A
2.
3.
4.
By default, no binding is
configured.
The file to be bound to the SSIDs
must exist.
Optional.
No welcome banner by default.
In Layer 3 cross-subnet portal authentication mode, an AC cannot obtain the SSID of a client associated
with an AP. In this case, the system does not support binding SSIDs to an authentication page file. For
more information about SSID, see WLAN Configuration Guide.
Configuration guidelines
The destination port number that the access device uses for sending unsolicited packets to the portal
server must be the same as the port number that the remote portal server actually uses.
The portal server and its parameters can be deleted or modified only when the portal server is not
referenced by any interface.
Cross-subnet authentication mode (portal server server-name method layer3) does not require
Layer 3 forwarding devices between the access device and the authentication clients. However, if
Layer 3 forwarding devices exist between the authentication client and the access device, you must
select the cross-subnet portal authentication mode.
In re-DHCP authentication mode, a client can use a public IP address to send packets before
passing portal authentication. However, responses to the packets are restricted.
155
An IPv6 portal server does not support the re-DHCP portal authentication mode.
You can enable both an IPv4 portal server and an IPv6 portal server for Layer 3 portal
authentication on an interface, but you cannot enable two IPv4 or two IPv6 portal servers on the
interface.
Configuration prerequisites
Before enabling Layer 3 portal authentication on an interface, make sure that:
Configuration procedure
To enable Layer 3 portal authentication:
Step
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
3.
Configuration guidelines
If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the
VLAN. Otherwise, the rule does not take effect.
You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the
system prompts that the rule already exists.
Regardless of whether portal authentication is enabled or not, you can only add or remove a
portal-free rule. You cannot modify it.
Configuration procedure
To configure a portal-free rule:
Step
1.
Enter system
view.
Command
Remarks
system-view
N/A
156
Step
Command
Remarks
2.
Configure a
portal-free rule.
Command
1.
system-view
2.
Configure a
portal-forbidden rule.
Command
Remarks
1.
system-view
N/A
2.
Enter interface
view.
interface interface-type
interface-number
N/A
157
Step
3.
Command
Configure an
authentication
source subnet.
Remarks
portal auth-network
{ ipv4-network-address
{ mask-length | mask } | ipv6
ipv6-network-address prefix-length }
Optional.
By default, the authentication source IPv4
and IPv6 subnets are 0.0.0.0/0 and ::/0,
respectively, which mean that users from any
subnets must pass portal authentication.
You can configure up to 32 authentication source subnets by executing the portal auth-network
command.
2.
Command
Remarks
system-view
N/A
portal max-user
max-number
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
Specify an authentication
domain for portal users on the
interface.
The device selects the authentication domain for a portal user on an interface in this order: the
authentication domain specified for the interface, the authentication domain carried in the username,
and the system default authentication domain. For information about the default authentication domain,
see "Configuring AAA."
158
Configuration prerequisites
Different clients may have different Web proxy configurations. The following prerequisites must be met
for these clients to trigger portal authentication:
Web proxy configuration on clients
Configuration prerequisites
If you use an IMC portal server, perform the following
configurations on the IMC portal server:
{
Scenario 1:
All or some clients use a Web proxy, and
the portal server's IP address is not a
proxy exception.
The portal server and the Web proxy server have IP connectivity
to each other.
Scenario 2:
All or some clients use a Web proxy, and
the portal server's IP address is a proxy
exception.
If you use an IMC portal server, configure the IP group and port
group to not support NAT.
The portal server and the Web proxy server have IP connectivity
to each other.
Configuration procedure
To configure Layer 3 portal authentication to support a Web proxy:
Step
1.
2.
Command
Remarks
system-view
N/A
If a user's browser uses the WPAD protocol to discover Web proxy servers, add the port numbers of the
Web proxy servers on the device, and configure portal-free rules to allow user packets destined for the
IP address of the WPAD server to pass without authentication.
159
If the Web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger
portal authentication only when they access a reachable host enabled with the HTTP service.
Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that
permits the Web proxy server's IP address. Otherwise, the users cannot receive heartbeat packets from
the remote portal server.
Command
Remarks
system-view
N/A
In system view:
2.
In interface view:
a. interface interface-type
interface-number
b. portal nas-id
nas-identifier.
160
Step
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
If the NAS ID is configured using the portal nas-id command, the device uses the configured NAS
ID as that of the interface.
If the interface has no NAS ID configured, the device uses the device name as the interface NAS ID.
161
Step
Command
Remarks
1.
system-view
N/A
2.
3.
4.
quit
N/A
5.
interface interface-type
interface-number
N/A
6.
Command
Remarks
1.
system-view
N/A
2.
Enter interface
view.
interface interface-type
interface-number
N/A
Optional.
3.
Specify a source IP
address for
outgoing portal
packets.
Specify the MAC binding server as a portal server. For configuration information, see "Specifying
a portal server for Layer 3 portal authentication."
After MAC-triggered authentication takes effect, the access device checks a user's traffic at a specific
interval (specified by the period period-value option). Before the user traffic reaches the threshold
(specified by the threshold threshold-value option), the user can access the external network without
authentication. When the user traffic reaches the threshold, the device performs MAC-triggered
authentication.
To configure MAC-triggered authentication:
Step
Command
Remarks
1.
system-view
N/A
2.
3.
interface interface-type
interface-number
N/A
4.
Enable MAC-triggered
authentication.
By default, MAC-triggered
authentication is disabled.
5.
Specify an interface for backing up portal services, which is referred to as portal service backup
interface in this document, and enable portal on the portal service backup interface.
Specify the portal group to which the portal service backup interface belongs. Be sure to specify the
same portal group for the portal service backup interfaces that back up each other on the two
devices.
Specify the device ID. Make sure the device ID of the local device is different from that of the peer
device.
163
Specify the backup source IP address for outgoing RADIUS packets as the source IP address for
RADIUS packets that is configured on the peer device, so that the peer device can receive packets
from the server. (This configuration is optional.)
Specify the backup VLAN, and enable stateful failover on the VLAN interface. For related
configuration, see High Availability Configuration Guide.
After the stateful failover state of the two devices changes from independence to synchronization and the
portal group takes effect, the two devices start to back up the data of online portal users for each other.
Configuration guidelines
In stateful failover mode, the device does not support re-DHCP portal authentication on the portal
service backup interface.
In stateful failover mode, if a user on either device is logged out, information about the user on the
other device is deleted, too. You can log off a user on the device or on the portal server. For example,
you can use the cut connection and portal delete-user commands on the device to log off users.
The AAA and portal configuration must be consistent on the two devices that back up each other.
For example, you must configure the same portal server on the two devices.
Configuration procedure
To configure stateful failover:
Step
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
By default, the portal service
backup interface does not belong
to any portal group.
4.
quit
N/A
5.
3.
164
Step
Command
Remarks
Optional.
Use either method.
Method 1:
6.
radius nas-backup-ip
ip-address
Method 2:
a. radius scheme
radius-scheme-name
b. nas-backup-ip ip-address
Command
Remarks
1.
system-view
N/A
2.
local portal authentication, if the URL a user entered in the address bar before portal authentication is
more than 255 characters, the user cannot be redirected to the page of the URL after passing portal
authentication.
To use this feature for remote Layer 3 portal authentication, the portal server must be an IMC portal server
that supports the page auto-redirection function.
To specify an autoredirection URL for authenticated portal users:
Step
1.
2.
Specify an autoredirection
URL for authenticated portal
users.
Command
Remarks
system-view
N/A
If the device receives a reply from a portal user before sending probe packets to the portal user for
the maximum number of times, it considers that the portal user is online and keeps sending probe
packets to the portal user.
If the device receives no reply from a portal user after sending probe packets to the portal user for
the maximum number of times, it considers that the portal user is offline, stops sending probe
packets to the portal user, and deletes the user.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
Not configured by default.
3.
NOTE:
Adjust the maximum number of transmission attempts and the interval of sending probe packets
according to the actual network conditions.
166
2.
Probing portal heartbeat packetsA portal server that supports the portal heartbeat function
(only the IMC portal server supports this function) sends portal heartbeat packets to portal
access devices periodically. If an access device receives a portal heartbeat packet or an
authentication packet within a probe interval, the access device considers that the probe
succeeds and the portal server is reachable. Otherwise, it considers that the probe fails and the
portal server is unreachable.
Probe parameters
{
{
3.
Probing HTTP connectionsThe access device periodically sends TCP connection requests to
the HTTP service port of the portal servers configured on its interfaces. If the TCP connection with
a portal server can be established, the access device considers that the probe succeeds (the
HTTP service of the portal server is open and the portal server is reachable). If the TCP
connection cannot be established, the access device considers that the probe fails and the
portal server is unreachable.
Actions to be taken when the server reachability status changes (you can choose one or more)
{
Sending a trap messageWhen the status of a portal server changes, the access device sends
a trap message to the NMS. The trap message contains the portal server name and the current
state of the portal server.
Sending a logWhen the status of a portal server changes, the access device sends a log
message. The log message indicates the portal server name and the current state and original
state of the portal server.
Disabling portal authentication (enabling portal authentication bypass)When the device
detects that a portal server is unreachable, it disables portal authentication on the interfaces
that use the portal server (allows all portal users on the interfaces to access network resources).
When the device receives from the portal server portal heartbeat packets or authentication
packets (such as logon requests and logout requests), it re-enables the portal authentication
function.
You can configure any combination of the configuration items described as needed, with respect to the
following:
167
If both detection methods are specified, a portal server is regarded as unreachable as long as one
detection method fails, and an unreachable portal server is regarded as recovered only when both
detection methods succeed.
If multiple actions are specified, the access device executes all the specified actions when the status
of a portal server changes.
The detection function configured for a portal server takes effect on an interface only after you
enable portal authentication and reference the portal server on the interface.
The portal authentication bypass function is not supported on an interface where different portal
servers are specified for different SSID-and-AP associations.
Command
Remarks
1.
system-view
N/A
2.
The portal heartbeat detection method works only when the portal server supports the portal server
heartbeat function. Only the IMC portal server supports the portal server heartbeat function. To
implement detection with this method, you also need to configure the portal server heartbeat function on
the IMC portal server and make sure that the product of interval and retry is greater than or equal to the
portal server heartbeat interval. HP recommends configuring the interval to be greater than the portal
server heartbeat interval configured on the portal server.
The portal server sends the online user information to the access device in a user synchronization
packet at the user heartbeat interval, which is set on the portal server.
2.
Upon receiving the user synchronization packet, the access device checks the user information
carried in the packet with its own. If the device finds a nonexistent user in the packet, it informs the
portal server of the information, and the portal server deletes the user. If the device finds that one
of its users does not appear in the user synchronization packets within N consecutive
synchronization probe intervals (N is equal to the value of retries configured in the portal server
user-sync command), it considers that the user does not exist on the portal server and logs the user
off.
Command
Remarks
system-view
N/A
168
Step
2.
Command
Configure the portal
user information
synchronization
function.
Remarks
Not configured by default.
The user information synchronization function requires that a portal server supports the portal user
heartbeat function. Only the IMC portal server supports the portal user heartbeat function. To implement
the portal user synchronization function, you also need to configure the user heartbeat function on the
portal server and make sure that the product of interval and retry is greater than or equal to the portal
user heartbeat interval. HP recommends configuring the interval to be greater than the portal user
heartbeat interval configured on the portal server.
For redundant user information on the deviceinformation for users who are considered nonexistent on
the portal server, the device deletes the information during the (N+1)th interval, where N is equal to the
value of retries configured in the portal server user-sync command.
Command
1.
system-view
2.
Command
Remarks
1.
system-view
N/A
2.
169
Step
Command
Remarks
1.
system-view
N/A
2.
des-encryptSpecifies DES to encrypt user MAC address in the redirection URL. If you do not
specify this keyword, the redirection URL contains plaintext user MAC address.
Command
Remarks
1.
system-view
N/A
2.
Configure carrying
parameters in the
redirection URL.
Command
Remarks
1.
system-view
N/A
2.
170
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
By default, mandatory webpage
pushing is disabled.
3.
Command
Remarks
171
Task
Command
Remarks
172
Portal server
192.168.0.111/24
Client
2.2.2.2/24
Gateway : 2.2.2.1/24
AP
L2 switch
Vlan-int1
2.2.2.1/24
Vlan-int2
192.168.0.100/24
RADIUS server
192.168.0.112/24
AC
Configure IP addresses for the client, AC, and servers as shown in Figure 58, and make sure they
have IP connectivity between each other.
Configure the RADIUS server properly to provide authentication/authorization services for users.
173
2.
3.
4.
b. On the port group configuration page, click Add to enter the page shown in Figure 63.
c. Enter the port group name.
d. Select the configured IP address group. The client's IP address must be within this IP address
group.
e. Use the default settings for other parameters.
f. Click OK.
175
5.
From the navigation tree, select User Access Manager > Service Parameters > Validate System
Configuration to validate the configurations.
Configuring the AC
1.
# Configure the server type for the RADIUS scheme. When using the IMC server, you must
configure the RADIUS server type as extended.
[AC-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC-radius-rs1] primary authentication 192.168.0.112
[AC-radius-rs1] key authentication simple radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS
server.
[AC-radius-rs1] user-name-format without-domain
[AC-radius-rs1] quit
2.
3.
Name: newpt
IP address: 192.168.0.111
URL: http://192.168.0.111/portal
176
[AC] portal server newpt ip 192.168.0.111 key simple portal port 50100 url
http://192.168.0.111:8080/portal
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable portal authentication.
[AC] interface vlan-interface 1
[ACVlan-interface1] portal domain dm1
[ACVlan-interface1] portal server newpt method direct
[ACVlan-interface1] quit
Configure IP addresses for the AC and servers as shown in Figure 64, and make sure that the client,
AC, and servers have IP connectivity between each other.
Configure a public address pool (20.20.20.0/24, in this example) and a private address pool
(10.0.0.0/24, in this example) on the DHCP server. The configuration steps are omitted. For more
information about DHCP configuration information, see Layer 3 Configuration Guide.
Configure the AC as a DHCP relay agent and configure a primary IP address (a public IP address)
and a secondary IP address (a private IP address) for the portal-enabled interface.
Configuration procedure
1.
# Set the server type for the RADIUS scheme. When using the IMC server, you must set the server
type to extended.
[AC-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC-radius-rs1] primary authentication 192.168.0.113
[AC-radius-rs1] key authentication simple radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS
server.
[AC-radius-rs1] user-name-format without-domain
[AC-radius-rs1] quit
2.
3.
Name: newpt
IP address: 192.168.0.111
URL: http://192.168.0.111/portal
[AC] portal server newpt ip 192.168.0.111 key simple portal port 50100 url
http://192.168.0.111:8080/portal
# Configure the AC as a DHCP relay agent, and enable the invalid address check function.
[AC] dhcp enable
[AC] dhcp relay server-group 0 ip 192.168.0.112
[AC] interface vlan-interface 10
[ACVlan-interface10] ip address 20.20.20.1 255.255.255.0
[ACVlan-interface10] ip address 10.0.0.1 255.255.255.0 sub
[AC-Vlan-interface10] dhcp select relay
[AC-Vlan-interface10] dhcp relay server-select 0
[AC-Vlan-interface10] dhcp relay address-check enable
# On the interface connected to the client, specify the authentication domain dm1 for portal users,
and enable re-DHCP portal authentication.
[AC-Vlan-interface10] portal domain dm1
[ACVlan-interface10] portal server newpt method redhcp
[ACVlan-interface10] quit
178
Configuration prerequisites
Configure IP addresses for the client, AC, and servers as shown in Figure 65 and make sure they have IP
connectivity between each other.
Configure the RADIUS server to provide authentication/authorization services for users.
Configuration procedure
1.
# Set the server type for the RADIUS scheme. When using the IMC server, you must set the server
type to extended.
[AC-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC-radius-rs1] primary authentication 192.168.0.112
[AC-radius-rs1] key authentication simple radius
[AC-radius-rs1] user-name-format without-domain
179
2.
3.
On the AC, configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL
(ACL 3001) for Internet resources.
[AC] acl number 3000
[AC-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[AC-acl-adv-3000] quit
[AC] acl number 3001
[AC-acl-adv-3001] rule permit ip
[AC-acl-adv-3001] quit
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the
security policy server.
4.
Name: newpt
IP address: 192.168.0.111
URL: http://192.168.0.111/portal
[AC] portal server newpt ip 192.168.0.111 key simple portal port 50100 url
http://192.168.0.111:8080/portal
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable extended portal authentication.
[AC] interface vlan-interface 10
[ACVlan-interface10] portal domain dm1
[ACVlan-interface10] portal server newpt method direct
[AC] quit
Portal server
192.168.0.111/24
DHCP server
192.168.0.112/24
AP
Client
automatically obtains an IP address
L2 switch
Vlan-int100
20.20.20.1/24 Vlan-int2
10.0.0.1/24 sub 192.168.0.100/24
RADIUS server
192.168.0.113/24
AC
Security policy server
192.168.0.114/24
Configure IP addresses for the AC and servers as shown in Figure 66, and make sure the client, AC,
and servers have IP connectivity between each other.
Configure the RADIUS server to provide authentication and authorization services for users.
Configure a public address pool (20.20.20.0/24, in this example) and a private address pool
(10.0.0.0/24, in this example) on the DHCP server. (Details not shown.)
Configure the AC as a DHCP relay agent and configure a primary IP address (a public IP address)
and a secondary IP address (a private IP address) for the portal-enabled interface. For DHCP relay
configuration information, see Layer 3IP Services Configuration Guide.
Configuration procedure
1.
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to
extended.
[AC-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC-radius-rs1] primary authentication 192.168.0.113
[AC-radius-rs1] key authentication simple radius
[AC-radius-rs1] user-name-format without-domain
2.
3.
On the AC, configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL
(ACL 3001) for Internet resources.
[AC] acl number 3000
[AC-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[AC-acl-adv-3000] quit
[AC] acl number 3001
[AC-acl-adv-3001] rule permit ip
[AC-acl-adv-3001] quit
Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the
security policy server.
4.
Name: newpt
IP address: 192.168.0.111
URL: http://192.168.0.111/portal
[AC] portal server newpt ip 192.168.0.111 key simple portal port 50100 url
http://192.168.0.111:8080/portal
# Configure the AC as a DHCP relay agent, and enable the invalid address check function.
[AC] dhcp enable
[AC] dhcp relay server-group 0 ip 192.168.0.112
[AC] interface vlan-interface 100
[ACVlan-interface100] ip address 20.20.20.1 255.255.255.0
[ACVlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
[AC-Vlan-interface100] dhcp select relay
[AC-Vlan-interface100] dhcp relay server-select 0
[AC-Vlan-interface100] dhcp relay address-check enable
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable portal authentication.
[ACVlan-interface100] portal domain dm1
[ACVlan-interface100] portal server newpt method redhcp
[ACVlan-interface100] quit
182
When AC 1 operates normally, Host accesses AC 1 for portal authentication before accessing the
Internet. When AC 1 fails, Host accesses the Internet through AC 2. The VRRP uplink/downlink
detection mechanism is used to ensure non-stop traffic forwarding.
Use the RADIUS server as the authentication/authorization server. In this example, Server takes the
responsibilities of the portal server and the RADIUS server.
AC 1 and AC 2 use the failover link to transmit stateful failover related packets and specify VLAN
8 on the ACs as the VLAN dedicated for stateful failover related packets.
L3 switch
Gateway9.9.1.1/ 24
Master
Vlan-int 20
192.168.0.5/ 24
Virtual IP address
:
Backup
192.168.0.1/24
Failover link
AC1
Vlan-int20
192. 168.0.6/ 24
AC 2
Vlan-int 10
9.9.1.6/ 24
Vlan-int 10
9.9.1.5/24
L 2 switch
AP
1.1.1.3/24
Client
IP : 9.9.1.2/24
Gateway: 9.9.1.1/24
For information about stateful failover configuration, see High Availability Configuration Guide.
2.
184
3.
4.
185
b. On the port group configuration page, click Add to enter the page shown in Figure 72.
Perform the following configurations.
c. Enter the port group name.
d. Select the configured IP address group.
The client's IP address must be within this IP address group.
e. Use the default settings for other parameters.
f. Click OK.
Figure 72 Adding a port group
5.
From the navigation tree, select User Access Manager > User Access Manager > Service
Parameters > Validate System Configuration to validate the configurations.
Configuring AC 1
1.
Configure VRRP:
# Create a VRRP group, and configure the virtual IP address of the VRRP group as 192.168.0.1.
<AC1> system-view
[AC1] interface vlan-interface 20
[AC1Vlan-interface20] vrrp vrid 1 virtual-ip 192.168.0.1
2.
# Configure the server type for the RADIUS scheme. When using the IMC server, you must
configure the RADIUS server type as extended.
[AC1-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC1-radius-rs1] primary authentication 192.168.0.111
186
# Configure the access device to not carry the ISP domain name in the username sent to the
RADIUS server. (Optional, configure the username format as needed.)
[AC1-radius-rs1] user-name-format without-domain
[AC1-radius-rs1] quit
3.
4.
# Configure a portal-free rule on AC 1, allowing packets from AC 2 to pass through without portal
authentication. This configuration is required only when the roles (master/backup) of the ACs for
stateful failover are different from those for VRRP.
[AC1] portal free-rule 0 source interface bridge-aggregation 1 destination any
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable portal authentication.
[AC1] interface vlan-interface 10
[AC1Vlan-interface10] portal domain dm1
[AC1Vlan-interface10] portal server newpt method direct
# Specify the source IP address of outgoing portal packets as 192.168.0.1, the virtual IP address
of the VRRP group.
[AC1Vlan-interface10] portal nas-ip 192.168.0.1
5.
# Specify the source IP address of outgoing RADIUS packets as 192.168.0.1, the virtual IP
address of the VRRP group.
[AC1] radius nas-ip 192.168.0.1
NOTE:
Make sure you add the access device with IP address 192.168.0.1 on the RADIUS server.
6.
# Configure a WLAN service template, and bind the WLAN service template with interface
WLAN-ESS 1.
[AC1] wlan service-template 1 clear
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
7.
Configuring AC 2
1.
Configure VRRP:
# Create a VRRP group, and configure the virtual IP address of the VRRP group as 192.168.0.1.
[AC2] system-view
[AC2] interface vlan-interface 20
[AC2Vlan-interface20] vrrp vrid 1 virtual-ip 192.168.0.1
2.
188
# Configure the server type for the RADIUS scheme. When using the IMC server, you must
configure the RADIUS server type as extended.
[AC2-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC2-radius-rs1] primary authentication 192.168.0.111
[AC2-radius-rs1] key authentication simple expert
# Configure the access device to not carry the ISP domain name in the username sent to the
RADIUS server. (Optional. Configure the username format as needed.)
[AC2-radius-rs1] user-name-format without-domain
[AC2-radius-rs1] quit
3.
4.
# Configure a portal-free rule on AC 2, allowing packets from AC 1 to pass through without portal
authentication. This configuration is required only when the roles (master/backup) of the ACs for
stateful failover are different from those for VRRP.
[AC2] portal free-rule 0 source interface bridge-aggregation 1 destination any
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable portal authentication.
[AC2] interface vlan-interface 10
[AC2-Vlan-interface10] portal domain dm1
[AC2Vlan-interface10] portal server newpt method direct
# Specify the source IP address of outgoing portal packets as 192.168.0.1, the virtual IP address
of the VRRP group.
[AC2Vlan-interface10] portal nas-ip 192.168.0.1
5.
# Specify the source IP address of outgoing RADIUS packets as 192.168.0.1, the virtual IP
address of the VRRP group.
[AC2] radius nas-backup-ip 192.168.0.1
189
NOTE:
Make sure that you have added the access device with IP address 192.168.0.1 on the RADIUS server.
6.
# Configure a WLAN service template, and bind the WLAN service template with interface
WLAN-ESS 1.
[AC2] wlan service-template 1 clear
[AC2-wlan-st-1] ssid abc
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
7.
190
Work-mode: primary
MAC
IP
Vlan
Interface
--------------------------------------------------------------------000d-88f8-0eac
9.9.1.2
10
Vlan-interface10
Vlan
Interface
IP
--------------------------------------------------------------------000d-88f8-0eac
9.9.1.2
10
Vlan-interface10
The output shows that the portal information of the client is stored on both AC 1 and AC 2. The user mode
is primary on AC 1 and secondary on AC 2, indicating that the client logged in from AC 1 and the
client's authentication information has been synchronized to AC 2.
Configure a public IP address for the client or configure the client to obtain a public IP address from
the DHCP server. Before passing portal authentication, the client can access only the portal server.
After passing portal authentication, the client can access the Internet.
The access device (AC) can detect whether the portal server is reachable and send trap messages
upon state changes. When the portal server is unreachable due to, for example, a connection
failure, network device failure, or portal server failure, the access device can disable portal
authentication, allowing users to access the Internet without authentication.
The access device can synchronize portal user information with the portal server periodically.
191
Configuration considerations
Configure the portal server and enable portal server heartbeat function and the portal user
heartbeat function.
Configure direct portal authentication on interface VLAN-interface 10, which is connected to the
client.
Configure the portal server detection function on the access device, so that the access device can
detect the status of the portal server by cooperating with the portal server heartbeat function.
Configure the portal user information synchronization function, so that the access device can
synchronize portal user information with the portal server by cooperating with the portal user
heartbeat function.
Configuration prerequisites
Configure IP addresses for the client, AP, AC, and servers as shown in Figure 73, and make sure they
have IP connectivity between each other.
Configure the RADIUS server to provide authentication and authorization services for users.
192
2.
3.
4.
b. On the port group configuration page, click Add to enter the page shown in Figure 78.
Perform the following configurations:
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network
must be within this IP address group.
e. Use the default settings for other parameters.
f. Click OK.
194
5.
From the navigation tree, select User Access Manager > Service Parameters > Validate System
Configuration to validate the configurations.
Configuring the AC
1.
# Configure the server type for the RADIUS scheme. When using the IMC server, you must
configure the RADIUS server type as extended.
[AC-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC-radius-rs1] primary authentication 192.168.0.112
[AC-radius-rs1] key authentication simple radius
# Configure the access device to not carry the ISP domain name in the username sent to the
RADIUS server.
[AC-radius-rs1] user-name-format without-domain
[AC-radius-rs1] quit
2.
3.
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable portal authentication.
195
4.
NOTE:
The product of interval and retry must be greater than or equal to the portal server heartbeat interval,
and HP recommends configuring the interval as a value greater than the portal server heartbeat
interval configured on the portal server.
5.
NOTE:
The product of interval and retry must be greater than or equal to the portal user heartbeat interval,
and HP recommends configuring the interval as a value greater than the portal user heartbeat
interval configured on the portal server.
: 192.168.0.111
Port : 50100
Key
: ******
URL
: http://192.168.0.111:8080/portal
Status
: Up
The Up state of the portal server indicates that the portal server is reachable. If the AC detects that the
portal server is unreachable, you can see the portal server status is Down in the output, and the AC
generates a server unreachable trap "portal server newpt lost," and disables portal authentication on the
access interface, so the client can access the external network without authentication.
196
Configure IP addresses for the client, AC, and server as shown in Figure 79, and make sure they
have IP connectivity between each other.
Configure the RADIUS server properly to provide authentication and authorization services for
users.
Complete the PKI domain configuration, and get the local certificate and the CA certificate. For
more configuration information, see "Configuring PKI."
Configure the SSL server policy access-policy. For more configuration information, see "Configuring
SSL."
Edit the authentication page files to be bound with the client SSID.
Do not configure the wireless client and the AP to be in the same subnet. Otherwise, after portal
authentication is enabled for the subnet, the AP cannot establish a connection with the AC.
Configuration procedure
1.
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to
extended.
197
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC-radius-rs1] primary authentication 1.1.1.2
[AC-radius-rs1] key authentication simple radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS
server.
[AC-radius-rs1] user-name-format without-domain
[AC-radius-rs1] quit
2.
3.
# Configure a WLAN service template, and bind the WLAN service template with the WLAN-ESS
interface.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid abc
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
4.
# Bind client SSID abc with the customized authentication page file ssid1.zip, which is saved in
directory flash:/portal/ of the AC. This configuration is optional. If you do not configure the
binding, the AC pushes the system default authentication pages for users.
198
# Configure the local portal server name as newpt and IP address as 192.168.1.1. Other
parameters do not need to be configured.
[AC] portal server newpt ip 192.168.1.1
# On VLAN-interface 2, the interface connected to the client, specify the authentication domain
dm1 and portal server newpt for portal users and enable direct portal authentication.
[AC] interface vlan-interface 2
[ACVlan-interface2] portal domain dm1
[ACVlan-interface2] portal server newpt method direct
[ACVlan-interface2] quit
199
Configure IP addresses for the server, client, switches, and ACs and make sure they have IP
connectivity between each other.
Make sure the client can access the authentication server through AC 1 and AC 2.
Configure VRRP group 1 and VRRP group 2 to implement backup for downstream and upstream
links respectively. For more information about VRRP, see High Availability Configuration Guide.
On the RADIUS server, specify the access device's IP address as the virtual IP address of VRRP
group 2.
You must use consistent device roles for AC stateful failover and VRRP. If you use an AC as the
master for stateful failover, use the AC as the master in a VRRP group, too. Otherwise, in local portal
authentication, the access device cannot push the authentication page according to the SSID. If
your network cannot meet the requirement, for example, the two ACs are configured for load
balancing, related portal-free rules should be configured. For more information about stateful
failover, see High Availability Configuration Guide.
Configuring AC 1
1.
Configure VRRP:
# Create VRRP group 1, and configure the virtual IP address of VRRP group 1 as 16.16.0.8.
<AC1> system-view
[AC1] interface vlan-interface 100
[AC1Vlan-interface100] vrrp vrid 1 virtual-ip 16.16.0.8
200
# Create VRRP group 2, and configure the virtual IP address of VRRP group 2 as 8.1.1.68.
[AC1] interface vlan-interface 8
[AC1Vlan-interface8] vrrp vrid 2 virtual-ip 8.1.1.68
2.
# Configure the server type for the RADIUS scheme. When using the IMC server, configure the
RADIUS server type as extended.
[AC1-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC1-radius-rs1] primary authentication 8.1.1.2
[AC1-radius-rs1] key authentication simple expert
# Configure the scheme to remove the ISP domain name in the username sent to the RADIUS server.
(By default, the ISP domain name is carried in the username. Configure the username format as
needed.)
[AC1-radius-rs1] user-name-format without-domain
[AC1-radius-rs1] quit
3.
4.
# Configure a portal-free rule on AC 1, allowing packets from AC 2 to pass through without portal
authentication. This configuration is required only when the roles (master/backup) of the ACs for
stateful failover are different from those for VRRP.
[AC1] portal free-rule 0 source interface bridge-aggregation 1 destination any
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable portal authentication.
[AC1] interface vlan-interface 100
[AC1Vlan-interface100] portal domain dm1
[AC1Vlan-interface100] portal server local method direct
# Specify the source IP address for outgoing portal packets as 16.16.0.8, the virtual IP address of
VRRP group 1.
[AC1Vlan-interface100] portal nas-ip 16.16.0.8
5.
# Configure the source IP address of RADIUS packets to be sent as 8.1.1.68, the virtual IP address
of VRRP group 2.
[AC1] radius nas-ip 8.1.1.68
6.
# Configure a WLAN service template, and bind the WLAN service template with interface
WLAN-ESS 1.
[AC1] wlan service-template 1 clear
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Configure AP on AC 1.
[AC1] wlan ap ap1 model MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
202
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
7.
Configuring AC 2
1.
Configure VRRP:
# Create VRRP group 1, and configure the virtual IP address of VRRP group 1 as 16.16.0.8.
<AC2> system-view
[AC2] interface vlan-interface 100
[AC2Vlan-interface100] vrrp vrid 1 virtual-ip 16.16.0.8
[AC2Vlan-interface100] quit
# Create VRRP group 2, and configure the virtual IP address of VRRP group 2 as 8.1.1.68.
[AC2] interface vlan-interface 8
[AC2Vlan-interface8] vrrp vrid 2 virtual-ip 8.1.1.68
[AC2Vlan-interface8] quit
2.
# Configure the server type for the RADIUS scheme. When using the IMC server, configure the
RADIUS server type as extended.
[AC2-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC2-radius-rs1] primary authentication 8.1.1.2
[AC2-radius-rs1] key authentication simple expert
# Configure the scheme to remove the ISP domain name in the username sent to the RADIUS server.
(By default, the ISP domain name is carried in the username. Configure the username format as
needed.)
[AC2-radius-rs1] user-name-format without-domain
[AC2-radius-rs1] quit
3.
4.
203
# Configure a portal-free rule on AC 2, allowing packets from AC 1 to pass through without portal
authentication. This configuration is required only when the roles (master/backup) of the ACs for
stateful failover are different from those for VRRP.
[AC2]portal free-rule 0 source interface bridge-aggregation 1 destination any
# On the interface connected to the client, specify the authentication domain dm1 for portal users
and enable portal authentication.
[AC2] interface vlan-interface 100
[AC2Vlan-interface100] portal domain dm1
[AC2Vlan-interface100] portal server local method direct
# Specify the source IP address for outgoing portal packets as 16.16.0.8, the virtual IP address of
VRRP group 1.
[AC2Vlan-interface100] portal nas-ip 16.16.0.8
5.
# Configure the source IP address for outgoing RADIUS packets as 8.1.1.68, the virtual IP address
of VRRP group 2.
[AC2] radius nas-ip 8.1.1.68
6.
# Configure a WLAN service template, and bind the WLAN service template with interface
WLAN-ESS 1.
[AC2] wlan service-template 1 clear
[AC2-wlan-st-1] ssid abc
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
7.
IP
Vlan
Interface
--------------------------------------------------------------------000d-88f8-0eac
16.16.0.12
100
Vlan-interface100
Vlan
Interface
IP
--------------------------------------------------------------------000d-88f8-0eac
16.16.0.12
100
Vlan-interface100
The output shows that the portal information of the user is stored on both AC 1 and AC 2. The user mode
is primary on AC 1 and secondary on AC 2, indicating that the user logged in from AC 1 and the user's
authentication information has been synchronized to AC 2.
The client can access only the portal server before authentication and can access the external
network after passing portal authentication.
When reconnecting to the external network, the authenticated client can pass portal authentication
without the username and password.
Configuring the AC
1.
# Set the server type for the RADIUS scheme. When you use the IMC server, set the server type to
extended.
[AC-radius-rs1] server-type extended
# Specify the primary authentication/authorization server, and configure the shared key for
secure communication with the server.
[AC-radius-rs1] primary authentication 8.1.1.40
[AC-radius-rs1] key authentication simple 123456789
# Specify that the ISP domain name should not be included in the username sent to the RADIUS
server.
[AC-radius-rs1] user-name-format without-domain
[AC-radius-rs1] quit
2.
3.
Name: 5
IP address: 8.1.1.40
URL: http://8.1.1.40:8080/portal
[AC] portal server 5 ip 8.1.1.40 key simple 123456789 port 50100 url
http://8.1.1.40:8080/portal
# On the interface connected to the client, specify the authentication domain as dm1 for portal
users, and enable direct portal authentication.
[ACVlan-interface3] portal domain dm1
[ACVlan-interface3] portal server 5 method direct
207
2.
3.
d. Select the IP address 112.113.1.1, which is the IP address of the AC interface that connects to
the client.
e. Enter the key 123456789, which must be the same as that configured on the AC.
f. Select No for both Support Server Heartbeat and Support User Heartbeat.
g. Click OK.
Figure 84 Adding a portal device
4.
c. On the port group configuration page, click Add to enter the page shown in Figure 86.
d. Enter the port group name hp_portal.
e. Select the configured IP address group IP_group.
The client's IP address must be within this IP address group.
f. Select Supported for Fast Authentication on Smart Terminals.
g. Use default values for other parameters.
209
h. Click OK.
Figure 86 Adding a port group
5.
210
6.
211
7.
8.
212
9.
213
11. From the navigation tree, select User Access Manager > Service Parameters > Validate to validate
the configurations.
IP
Vlan
Interface
---------------------------------------------------------------------------3ca9-f414-4c20
112.113.0.1
Vlan-interface3
# Disconnect from the external network and then access the network again. The portal authentication
page does not appear. On the AC, display portal user information. The output shows that the client has
logged in.
[AC] display portal user all
Index:3
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:stand-alone
MAC
IP
Vlan
Interface
---------------------------------------------------------------------------3ca9-f414-4c20
112.113.0.1
Vlan-interface3
214
Troubleshooting portal
Inconsistent keys on the access device and the portal server
Symptom
When a user is forced to access the portal server, the portal server displays a blank webpage, rather
than the portal authentication page or an error message.
Analysis
The keys on the access device and those on the portal server are not configured consistently, causing
CHAP message exchange failure. As a result, the portal server does not display the authentication page.
Solution
Use the display portal server command to display the key for the portal server on the access device
and view the key for the access device on the portal server.
Use the portal server command to modify the key on the access device or modify the key for the
access device on the portal server to make sure that the keys are consistent.
Analysis
When you execute the portal delete-user command on the access device to force the user to log off, the
access device actively sends a REQ_LOGOUT message to the portal server. The default listening port of
the portal server is 50100. However, if the listening port configured on the access device is not 50100,
the destination port of the REQ_LOGOUT message is not the actual listening port on the server, and the
portal server cannot receive the REQ_LOGOUT message. As a result, you cannot force the user to log off
the portal server.
When the user uses the disconnect attribute on the client to log off, the portal server actively sends a
REQ_LOGOUT message to the access device. The source port is 50100 and the destination port of the
ACK_LOGOUT message from the access device is the source port of the REQ_LOGOUT message so that
the portal server can receive the ACK_LOGOUT message correctly, no matter whether the listening port
is configured on the access device. The user can log off the portal server.
Solution
Use the display portal server command to display the listening port of the portal server configured on the
access device and use the portal server command in the system view to modify it to make sure that it is
the actual listening port of the portal server.
215
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network
access control. HP recommends that you configure port security in a WLAN network.
Port security prevents unauthorized access to a network by checking the source MAC address of inbound
traffic and prevents access to unauthorized devices by checking the destination MAC address of
outbound traffic.
Port security can control MAC address learning and authentication on a port to make sure the port learns
only source trusted MAC addresses.
A frame is illegal if its source MAC address cannot be learned in a port security mode, or if it is from a
client that has failed 802.1X or MAC authentication. The port security feature automatically takes a
pre-defined action on illegal frames. This automatic mechanism enhances network security and reduces
human intervention.
For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and
"Configuring MAC authentication."
NTK
NTK prevents traffic interception by checking the destination MAC address in outbound frames. The
feature ensures that frames are sent only to hosts that have passed authentication or whose MAC
addresses have been learned or configured on the access device.
Intrusion protection
The intrusion protection feature checks the source MAC address in inbound frames for illegal frames and
takes a pre-defined action on each detected illegal frame. The action can be disabling the port
temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for three
minutes (not user configurable).
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC
address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC
address or performs authentication, depending on the security mode. If the frame is illegal, the port takes
the pre-defined NTK, intrusion protection, or trapping action.
The maximum number of users a port supports equals the maximum number of MAC addresses that port
security allows or the maximum number of concurrent users the authentication mode in use allows,
whichever is smaller. For example, if 802.1X allows more concurrent users than port security's limit on the
number of MAC addresses on the port in userLoginSecureExt mode, port security's limit takes effect.
Table 10 describes the port security modes and the security features.
Table 10 Port security modes
Purpose
Turning off the port security
feature
Controlling MAC address
learning
Performing 802.1X
authentication
Security mode
N/A
secure
NTK/intrusion
protection
userLogin
N/A
userLoginSecure
userLoginSecureExt
NTK/intrusion
protection
userLoginWithOUI
Performing MAC authentication
Performing a combination of
MAC authentication and
802.1X authentication
macAddressWithRadius
Or
Else
NTK/intrusion
protection
macAddressOrUserLoginSecure
macAddressOrUserLoginSecureExt
macAddressElseUserLoginSecure
NTK/intrusion
protection
macAddressElseUserLoginSecureExt
TIP:
userLogin specifies 802.1X authentication and port-based access control.
macAddress specifies MAC authentication.
Else specifies that the authentication method before Else is applied first. If the authentication fails,
whether to turn to the authentication method following Else depends on the protocol type of the
authentication request.
Typically, in a security mode with Or, the authentication method to be used depends on the protocol type
of the authentication request. For wireless users, the network access device always use 802.1X
authentication first.
userLogin with Secure specifies 802.1X authentication and MAC-based access control.
Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A
security mode without Ext allows only one user to pass 802.1X authentication.
217
userLogin
A port in this mode performs 802.1X authentication and implements port-based access control.
The port can service multiple 802.1X users. Once an 802.1X user passes authentication on the
port, any subsequent 802.1X users can access the network through the port without
authentication.
userLoginSecure
A port in this mode performs 802.1X authentication and implements MAC-based access control.
The port services only one user passing 802.1X authentication.
userLoginSecureExt
This mode is similar to the userLoginSecure mode except that this mode supports multiple online
802.1X users.
userLoginWithOUI
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also
permits frames from one user whose MAC address contains a specific OUI.
{
For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and
performs OUI check upon receiving non-802.1X frames.
For wireless users, the port performs OUI check at first. If the OUI check fails, the port performs
802.1X authentication.
NOTE:
An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC
addresses, the first three octets are the OUI.
macAddressOrUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes.
{
For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X
frames and performs 802.1X authentication upon receiving 802.1X frames.
For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails,
MAC authentication is performed.
macAddressOrUserLoginSecureExt
This mode is similar to the macAddressOrUserLoginSecure mode except that this mode supports
multiple 802.1X and MAC authentication users.
macAddressElseUserLoginSecure
218
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with
MAC authentication having a higher priority as the Else keyword implies.
{
For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X
frames.
For wireless users, the port performs MAC authentication upon receiving non-802.1X frames.
Upon receiving 802.1X frames, the port performs MAC authentication, and if the MAC
authentication fails, it performs 802.1X authentication.
macAddressElseUserLoginSecureExt
This mode is similar to the macAddressElseUserLoginSecure mode except that this mode supports
multiple 802.1X and MAC authentication users as the keyword Ext implies.
Security mode
Description
presharedKey
macAddressAndPr
esharedKey
userLoginSecureExt
OrPresharedKey
NTK/intrusion protection
PSK users refer to users that have passed authentication in presharedKey mode. The maximum number of
PSK users on a port varies with security modes.
presharedKey modeThe maximum number of PSK users on the port is the port specification limit
on the number of wireless users or port security's limit on the number of MAC addresses, whichever
is smaller. The actual maximum number of PSK users on the port also depends on the total number
of PSK users that the system can support. For more information, see About the Configuration Guides
for HP Unified Wired-WLAN Products.
macAddressAndPresharedKey modeThe maximum number of PSK users on the port is the MAC
authentication feature's limit on the number of concurrent users or port security's limit on the number
of MAC addresses, whichever is smaller. The actual maximum number of PSK users on the port also
depends on the total number of PSK users that the system can support.
219
You can use the 802.1X guest VLAN and 802.1X Auth-Fail VLAN features together with port security
modes that support 802.1X authentication. For more information about the 802.1X guest VLAN and
Auth-Fail VLAN on a port that performs MAC-based access control, see "Configuring 802.1X."
You can use the MAC authentication VLAN feature together with security modes that support MAC
authentication. For more information about the MAC authentication guest VLAN, see "Configuring
MAC authentication."
If you configure both an 802.1X Auth-Fail VLAN and a MAC authentication guest VLAN on a port
that performs MAC-based access control, the 802.1X Auth-Fail VLAN has a higher priority.
Remarks
Required.
Optional.
Required.
220
Task
Remarks
Optional.
Configuring NTK
Configuring intrusion protection
Enabling port security traps
Optional.
Optional.
Optional.
Command
Remarks
1.
system-view
N/A
2.
port-security enable
You can use the undo port-security enable command to disable port security when no online users are
present.
Enabling or disabling port security resets the following security settings to the default:
802.1X access control mode is MAC-based, and the port authorization state is auto.
221
The port security's limit on the number of MAC addresses on a port is independent of the MAC learning
limit described in MAC address table configuration in the Layer 2 Configuration Guide.
To set the maximum number of secure MAC addresses allowed on a port:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Check that the port does not belong to any aggregation group.
Command
Remarks
N/A
1.
system-view
2.
interface interface-type
interface-number
port-security port-mode
{ mac-authentication |
mac-else-userlogin-secure |
mac-else-userlogin-secure-e
xt | secure | userlogin |
userlogin-secure |
userlogin-secure-ext |
userlogin-secure-or-mac |
userlogin-secure-or-mac-ext
| userlogin-withoui }
3.
4.
222
ntk-withmulticastsForwards only broadcast frames, multicast frames, and unicast frames with
authenticated destination MAC addresses.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
port-security ntk-mode
{ ntk-withbroadcasts |
ntk-withmulticasts | ntkonly }
blockmacAdds the source MAC addresses of illegal frames to the blocked MAC addresses list
and discards the frames. All subsequent frames sourced from a blocked MAC address will be
dropped. A blocked MAC address is restored to normal state after being blocked for three minutes.
The interval is fixed and cannot be changed.
disableport-temporarilyDisables the port for a specific period of time. The period can be
configured with the port-security timer disableport command.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
223
Step
Command
Remarks
By default, intrusion protection is
disabled.
port-security intrusion-mode
{ blockmac | disableport |
disableport-temporarily }
4.
quit
N/A
5.
port-security timer
disableport time-value
Optional.
3.
20 seconds by default.
Command
Remarks
1.
system-view
N/A
2.
Enable port
security traps.
Description
On WPA or RSN networks using any of these modes, key
negotiation must be enabled.
presharedKey, userLoginSecureExt,
userLoginSecureExtOrPresharedKey, and
macAddressAndPresharedKey
224
Description
For more information about WLAN service templates, see WLAN Configuration Guide.
By default, an 802.1X-enabled access device periodically multicasts Identity EAP-Request packets out of
ports to detect 802.1X clients and trigger authentication. To save the bandwidth of WLAN ports, HP
recommends you disable the multicast trigger function (see "Configuring 802.1X").
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
port-security port-mode
{ mac-and-psk |
mac-authentication |
mac-else-userlogin-secure |
mac-else-userlogin-secure-ext |
psk | userlogin-secure |
userlogin-secure-ext |
userlogin-secure-ext-or-psk |
userlogin-secure-or-mac |
userlogin-secure-or-mac-ext |
userlogin-withoui }
3.
If key negotiation is enabled, an authenticated user is allowed to access to the port only after the
key negotiation succeeds.
If key negotiation is disabled, a user can directly access the port after passing authentication.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
Disabled by default.
225
Configuring a PSK
A PSK pre-configured on the device is used to negotiate the session key between the user and the device.
To configure a PSK:
Step
Command
Remarks
1.
system-view
N/A
2.
Enter interface
view.
N/A
3.
Configure a PSK.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
2.
3.
4.
5.
Device name
Command
Remarks
system-view
N/A
226
Step
Command
2.
port-security nas-id-profile
profile-name
Remarks
Optional.
By default, no NAS ID profile is
specified in system view.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
port-security nas-id-profile
profile-name
Optional.
By default, no NAS ID profile is
specified on an interface.
Configure AC hot backup (stateful failover). For more information, see WLAN Configuration Guide.
Configure WLAN client information backup. For more information, see WLAN Configuration
Guide.
Configure VRRP. You need to configure a VRRP group on the interface connected to the
authentication server. For more information, see High Availability Configuration Guide.
Configure stateful failover. You need to configure a backup VLAN for the stateful failover function.
For more information, see High Availability Configuration Guide.
Configure different device IDs for the ACs that back up each other. For more information, see
"Configuring AAA."
Specify the virtual IP address of the VRRP group as the source address of outgoing RADIUS packets.
For more information, see "Configuring AAA."
Command
Remarks
1.
system-view
N/A
2.
interface wlan-ess
interface-number
N/A
227
Step
Enable stateful failover for
port security.
3.
Command
Remarks
port-security synchronization
enable
Command
Remarks
The RADIUS server at 192.168.1.2/24 functions as the primary authentication server and the
secondary accounting server. The RADIUS server at 192.168.1.3/24 functions as the secondary
authentication server and the primary accounting server. The shared key for authentication is name,
and the shared key for accounting is money.
228
All users use the default authentication, authorization, and accounting methods of ISP domain sun,
which can accommodate up to 30 users.
The RADIUS server response timeout time is 5 seconds. The maximum number of RADIUS packet
retransmission attempts is five. The AC sends real-time accounting packets to the RADIUS server at
an interval of 15 minutes, and sends user names without domain names to the RADIUS server.
Allow up to five OUI values to be configured and allow one terminal that uses any of the OUI values
to access the port in addition to an 802.1X user.
Configuration procedure
The following configuration steps cover some AAA/RADIUS configuration commands. For more
information about the commands, see Security Command Reference.
Configuration procedures for the client and RADIUS servers are not shown.
1.
# Specify the IP address of the primary authentication RADIUS server as 192.168.1.2/24, and
that of the primary accounting RADIUS server as 192.168.1.3/24.
[AC-radius-radsun] primary authentication 192.168.1.2
[AC-radius-radsun] primary accounting 192.168.1.3
# Specify the IP address of the secondary authentication RADIUS server as 192.168.1.3/24, and
that of the secondary accounting RADIUS server as 192.168.1.2/24.
[AC-radius-radsun] secondary authentication 192.168.1.3
[AC-radius-radsun] secondary accounting 192.168.1.2
# Set the shared key for authenticating RADIUS authentication/authorization packets as name.
[AC-radius-radsun] key authentication name
# Set the shared key for authenticating RADIUS accounting packets as money.
[AC-radius-radsun] key accounting money
# Set the RADIUS server response timeout to 5 seconds, and set the maximum transmission
attempts of RADIUS packets to 5.
[AC-radius-radsun] timer response-timeout 5
[AC-radius-radsun] retry 5
229
# Set the interval between sending real time accounting packets to the RADIUS server to 15
minutes.
[AC-radius-radsun] timer realtime-accounting 15
# Exclude the ISP domain name in the username sent to the RADIUS server.
[AC-radius-radsun] user-name-format without-domain
[AC-radius-radsun] quit
# Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and
accounting of all types of users.
[AC] domain sun
[AC-isp-sun] authentication default radius-scheme radsun
[AC-isp-sun] authorization default radius-scheme radsun
[AC-isp-sun] accounting default radius-scheme radsun
2.
Set the 802.1X authentication method to CHAP. By default, the authentication method is CHAP for
802.1X.
[AC] dot1x authentication-method chap
3.
# Configure the mandatory authentication domain sun for 802.1X users on WLAN-ESS 1. Set the
port security mode to userLoginWithOUI.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] dot1x mandatory-domain sun
[AC-WLAN-ESS1] port-security port-mode userlogin-withoui
[AC-WLAN-ESS1] quit
# Create service template 2, set its template type to clear and SSID to mactest, bind interface
WLAN-ESS 1 to it, and enable open system authentication.
[AC] wlan service-template 2 clear
[AC-wlan-st-2] ssid mactest
[AC-wlan-st-2] bind wlan-ess 1
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1, and set its model to MSM460-WW and serial ID to
CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
230
: radsun
Index = 1
Type : standard
Port: 1812
State: active
Port: 1813
State: active
Port: 1812
State: active
Port: 1813
State: active
: 5
: 5
: 15
: 5
: 500
Quiet-interval(min)
: 5
Username format
: without-domain
: Byte
Packet unit
: one
231
: radius=radsun
: radius=radsun
: radius=radsun
Index is 2,
Index is 3,
Index is 4,
Index is 5,
WLAN-ESS1 is link-up
Port mode is userLoginWithOUI
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
Synchronization is disabled
After an 802.1X user gets online, you can see that the number of MAC addresses stored is 1.
# Display the 802.1X user connection.
<AC> display connection
Index=1,Username= test@sun
MAC=12-34-01-00-11-11
IP=10.1.0.1
IPv6=N/A
Online=00h00m53s
Total 1 connection(s) matched.
<AC> display connection ucibinedx 1
Index=2054, Username= test@sun
MAC=12-34-01-00-11-11
IP=10.1.0.1
IPv6=N/A
Access=8021X
,AuthMethod=CHAP
232
User Profile=N/A
CAR=Disable
Traffic Statistic:
InputOctets
=12121212
InputGigawords=1
OutputOctets
=12120
OutputGigawords=0
Priority=Disable
SessionTimeout=86236(s), Terminate-Action=Default
Start=2013-07-01 15:39:49 ,Current=2013-07-01 15:50:07 ,Online=00h10m18s
Total 1 connection matched.
SSID 1
AP
IP network
Client A
AC
Client B
Configuration procedure
This example covers only some of the required AAA and RADIUS configuration commands. For more
information, see Security Command Reference.
The client-side and RADIUS server-side configuration procedures are not shown in this example.
For more information about WLAN configuration, see WLAN Configuration Guide.
1.
2.
Configure RADIUS:
# Configure RADIUS scheme 2000.
[AC] radius scheme 2000
233
# Specify the IP address of the primary authentication RADIUS server as 192.168.1.2/24, and
that of the primary accounting RADIUS server as 192.168.1.3/24.
[AC-radius-2000] primary authentication 192.168.1.2
[AC-radius-2000] primary accounting 192.168.1.3
# Specify the IP address of the secondary authentication RADIUS server as 192.168.1.3/24, and
that of the secondary accounting RADIUS server as 192.168.1.2/24.
[AC-radius-2000] secondary authentication 192.168.1.3
[AC-radius-2000] secondary accounting 192.168.1.2
# Set the shared keys for authenticating RADIUS authentication and accounting packets as name.
[AC-radius-2000] key authentication name
[AC-radius-2000] key accounting name
# Exclude the ISP domain name in the username sent to the RADIUS server.
[AC-radius-2000] user-name-format without-domain
[AC-radius-2000] quit
# Configure ISP domain sun, and configure the domain to use RADIUS scheme 2000 for
authentication, authorization, and accounting of all types of users.
[AC] domain sun
[AC-isp-sun] authentication default radius-scheme 2000
[AC-isp-sun] authorization default radius-scheme 2000
[AC-isp-sun] accounting default radius-scheme 2000
[AC-isp-sun] quit
# Disable the 802.1X multicast trigger and online user handshake functions.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
3.
# Enable open system authentication, the AES-CCMP cipher suite, and the RSN-IE in the beacon
and probe responses.
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
234
# Create an AP template named ap1, and set its model to MSM460-WW and serial ID to
CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind the service template 1 to the port radio 1, and enable the radio.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# If a user comes online, you can use the display connection and display wlan client commands to
display information about the user.
<AC> display connection ucibindex 315
Index=315 , Username=test@sectest.com
MAC=00-17-9A-00-7B-2F
IP=N/A
IPv6=N/A
Access=8021X
,AuthMethod=EAP
=12121212
InputGigawords=1
OutputOctets
=12120
OutputGigawords=0
Priority=Disable
SessionTimeout=86236(s), Terminate-Action=Default
235
: 0017-9a00-7b2f
AID
: 1
AP Name
: AP1
Radio Id
: 1
SSID
: sectest
BSSID
: 000f-e278-8020
Port
: WLAN-DBSS1:0
VLAN
: 1
State
: Running
: Active
Wireless Mode
: 11g
QoS Mode
: WMM
: 37
Rx/Tx Rate
: 5.5/18
Client Type
: WPA
Authentication Method
: Open System
AKM Method
: 802.1X
: PTKINITDONE
: IDLE
Encryption Cipher
: TKIP
Roam Status
: Normal
Roam Count
: 0
Up Time (hh:mm:ss)
: 00:43:19
236
Configuration procedure
This example covers only some of the required AAA and RADIUS configuration commands. For more
information, see Security Command Reference.
The client-side and RADIUS server-side configuration procedures are not shown in this example.
For more information about WLAN configuration, see WLAN Configuration Guide.
1.
2.
# Set the port security mode of WLAN-ESS 1 to userLoginSecureExt. In this mode, the port performs
802.1X authentication, implements MAC-based access control, and allows more than one
802.1X user.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Enable the MAC-based VLAN function and configure VLAN 1 as the guest VLAN.
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid vlan 1 to 2 untagged
[AC-WLAN-ESS1] port hybrid pvid vlan 2
[AC-WLAN-ESS1] mac-vlan enable
[AC-WLAN-ESS1] dot1x guest-vlan 1
# Disable the 802.1X multicast trigger and online user handshake functions.
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] quit
237
D:Dynamic
MAC ADDR
MASK
VLAN ID
PRIO
STATE
-------------------------------------------------------000f-e2cc-6a21
ffff-ffff-ffff
# If Client 1 initiates authentication and passes the authentication, you can use the display connection
command to display the user information, and use the display mac-vlan all command to verify that the
MAC-to-VLAN mapping entry has been removed.
<AC> display connection user-name mac@sun
Index=18
, Username=mac@sun
MAC=000f-e2cc-6a21
IP=8.4.4.199
IPv6=N/A
Online=00h00m31s
Total 1 connection matched.
238
AP
AN
VL
Client
VLAN
10
VLAN 5
Update server
Client
IP network
As shown in Figure 97, enable 802.1X and set VLAN 10 as the guest VLAN on port WLAN-ESS 1. If the
AC sends an EAP-Request/Identity packet from the port for the maximum number of times but still receives
no response, the AC adds the MAC address of the client to its guest VLAN. In this case, the client and the
update server are both in VLAN 10, and therefore the host can access the update server and download
the 802.1X client.
Figure 97 Network diagram
As shown in Figure 98, after the host passes the authentication and logs in, the client is added to VLAN
5. In this case, the client and WLAN-ESS 1 are both in VLAN 5, and therefore the client can access the
Internet.
239
Configuration procedure
Use the iNode client in this example. The client that comes with Windows does not support the function.
This example covers only some of the required AAA and RADIUS configuration commands. For more
information, see Security Command Reference.
# Configure RADIUS scheme 2000.
<AC> system-view
[AC] radius scheme 2000
[AC-radius-2000] primary authentication 10.11.1.1 1812
[AC-radius-2000] primary accounting 10.11.1.1 1813
[AC-radius-2000] key authentication abc
[AC-radius-2000] key accounting abc
[AC-radius-2000] user-name-format without-domain
[AC-radius-2000] quit
# Create ISP domain test, and set it as the default ISP domain. By default, the system default ISP domain
is system.
[AC] domain test
[AC-isp-test] quit
[AC] domain default enable test
# Create ISP domain test, and configure the domain to use RADIUS scheme 2000 for authentication,
authorization, and accounting of LAN users.
[AC] domain test
[AC-isp-test] authentication lan-access radius-scheme 2000
[AC-isp-test] authorization lan-access radius-scheme 2000
[AC-isp-test] accounting lan-access radius-scheme 2000
[AC-isp-test] quit
240
D:Dynamic
MAC ADDR
MASK
VLAN ID
PRIO
STATE
-------------------------------------------------------000f-e2cc-6a21
ffff-ffff-ffff
10
# If Client 1 initiates authentication and passes the authentication, you can use the display connection
command to display the user information, and use the display mac-vlan all command to verify that the
MAC-to-VLAN mapping entry has been removed.
<AC> display connection user-name mac@test
Index=18
, Username=mac@test
MAC=000f-e2cc-6a21
IP=8.4.4.199
IPv6=N/A
Online=00h00m31s
Total 1 connection matched.
241
Configuration considerations
Complete the following tasks:
Configure IP addresses for interfaces. Create VLAN 8 and VLAN 10. Configure the RADIUS server.
(Details not shown.)
Create the WLAN-ESS interface, set a port security mode for 802.1X authentication on the interface,
and enable stateful failover for port security.
Configuring AC 1
1.
# Disable the 802.1X multicast trigger and online user handshake functions.
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit
2.
3.
4.
Configure AAA:
# Specify the device ID to be used in stateful failover mode as 1.
[AC1] nas device-id 1
243
[AC1-radius-2003] quit
5.
# Configure a WLAN service template, configure the SSID as abc, encryption mode as AES-CCMP,
and bind interface WLAN-ESS 1 to the service template.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Configure the source IP address of the IACTP tunnel as 1.1.1.4 (the address of AC 1) and the IP
address of the IACTP tunnel member (AC 2) as 1.1.1.5.
[AC1] wlan mobility-group roam
[AC1-wlan-mg-roam] source ip 1.1.1.4
[AC1-wlan-mg-roam] member ip 1.1.1.5
Configuring AC 2
1.
<AC2> system-view
[AC2] dot1x authentication-method eap
# Disable the 802.1X multicast trigger and online user handshake functions.
[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
2.
3.
4.
Configure AAA:
# Specify the device ID to be used in stateful failover mode as 2.
[AC2] nas device-id 2
245
[AC2-isp-2003] quit
5.
# Configure a WLAN service template, configure the SSID as abc, encryption mode as AES-CCMP,
and bind interface WLAN-ESS 1 to the service template.
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid abc
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] security-ie rsn
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Configure the source IP address of the IACTP tunnel as 1.1.1.5 (the address of AC 2) and the IP
address of the IACTP tunnel member (AC 1) as 1.1.1.4.
[AC2] wlan mobility-group roam
[AC2-wlan-mg-roam] source ip 1.1.1.5
[AC2-wlan-mg-roam] member ip 1.1.1.4
the primary and backup link states are different, indicating that the ACs have synchronized the client
information.
When AC 1 fails, AC 2 becomes active. In case of a primary/backup AC switchover, the client can
access the network through AC 2 without being re-authenticated.
Analysis
Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user
is online.
Solution
1.
2.
3.
Use the undo port-security port-mode command to set the port security mode to noRestrictions.
4.
247
After the authentication server verifies a user, the server sends the device the name of the user
profile associated with the user.
{
2.
If the profile is enabled, the device applies the configurations in the user profile, and allows user
access based on all valid configurations.
If the user profile is disabled, the device denies the user access.
After the user logs out, the device automatically disables the configurations in the user profile, and
the restrictions on the user access are removed.
Remarks
Required.
Required.
Required.
Perform configurations on the client, the device, and the authentication server. For example,
configure the username, password, authentication scheme, domain, and bind the user profile with
a user.
248
Step
Command
Remarks
1.
system-view
N/A
2.
user-profile profile-name
Command
Remarks
1.
system-view
N/A
2.
Command
Remarks
249
Password aging
Password aging imposes a lifecycle on a user password. After the password aging time expires,
the user needs to change the password.
If a user enters an expired password when logging in, the system displays an error message and
prompts the user to provide a new password and to confirm it by entering it again. The new
password must be a valid one and the user must enter exactly the same password when confirming
it.
Password history
With this feature enabled, the system maintains certain entries of passwords that a user has used.
When a user changes the password, the system checks the new password against the used ones.
The new password must be different from the used ones by at least four characters and the four
characters must not be the same. Otherwise, the user will fail to change the password and the
system displays an error message.
You can set the maximum number of history password records for the system to maintain for each
user. When the number of history password records exceeds your setting, the latest record
overwrites the earliest one.
Prohibiting the user from logging in until the user is removed from the password control blacklist
manually.
Allowing the user to try continuously and removing the user from the password control blacklist
when the user logs in to the system successfully or the blacklist entry times out (a blacklist entry
times out after 1 minute).
Prohibiting the user from logging in within a configurable period of time, and allowing the user
to log in again after the period of time elapses or the user is removed from the password control
blacklist.
Uppercase letters A to Z.
Lowercase letters a to z.
Digits 0 to 9.
Special characters. For information about special characters, see the password command in
Security Command Reference.
Depending on the system's security requirements, you can set the minimum number of character
types a password must contain and the minimum number of characters for each type, as shown
in Table 13.
Table 13 Password composition policy
Password combination
level
Minimum number of
character types
Level 1
One
One
Level 2
Two
One
251
Password combination
level
Minimum number of
character types
Level 3
Three
One
Level 4
Four
One
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the
level 4 combination is available for a password.
When a user sets or changes a password, the system checks if the password meets the composition
requirement. If not, the system displays an error message.
A password cannot contain the username or the reverse of the username. For example, if the
username is abc, a password such as abc982 or 2cba is not complex enough.
No character of the password appears three or more times consecutively. For example,
password a111 is not complex enough.
Logging
The system logs all successful password changing events and the events of adding users to the
password control blacklist.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
252
Global settings in system view apply to all local user passwords and super passwords.
Settings in user group view apply to the passwords of all local users in the user group.
Settings in local user view apply to only the password of the local user.
For local user passwords, the settings with a smaller application scope have a higher priority.
For super passwords, the settings configured specifically for super passwords, if any, override those
configured in system view.
2.
Password aging
Password history
Command
Remarks
system-view
N/A
253
Step
Command
Remarks
In non-FIPS mode, the global
2.
3.
password-control enable
password-control { aging |
composition | history | length }
enable
Optional.
By default, all of the four password
control functions are enabled.
After global password control is enabled, local user passwords configured on the device are not
displayed when you use the corresponding display command.
Command
Remarks
N/A
1.
system-view
2.
3.
password-control password
update interval interval
4.
Optional.
90 days by default.
Optional.
24 hours by default.
Optional.
10 characters by default.
Optional.
6.
password-control composition
type-number type-number
[ type-length type-length ]
password-control complexity
{ same-character | user-name }
check
254
Optional.
By default, the system does not
perform password complexity
checking.
Step
7.
8.
9.
Command
Remarks
password-control history
max-record-num
Optional.
4 by default.
Optional.
password-control login-attempt
login-times [ exceed { lock |
lock-time time | unlock } ]
password-control
alert-before-expire alert-time
Optional.
7 days by default.
Optional.
password-control
expired-user-login delay delay
times times
password-control
authentication-timeout
authentication-timeout
Optional.
Optional.
60 seconds by default.
90 days by default.
Command
Remarks
1.
system-view
N/A
2.
user-group group-name
N/A
3.
Optional.
password-control aging aging-time
4.
password-control composition
type-number type-number
[ type-length type-length ]
5.
255
Command
Remarks
1.
system-view
N/A
2.
local-user user-name
N/A
Optional.
3.
4.
5.
password-control composition
type-number type-number
[ type-length type-length ]
2.
Command
Remarks
system-view
N/A
Optional.
256
Step
Command
Remarks
Optional.
3.
4.
password-control super
composition type-number
type-number [ type-length
type-length ]
Command
1.
system-view
2.
local-user user-name
3.
password
Command
Remarks
reset password-control
history-record [ user-name name |
super [ level level ] ]
257
Network requirements
Configure a global password control policy to meet the following requirements:
An FTP or VTY user failing to provide the correct password in two successive login attempts is
permanently prohibited from logging in.
A user can log in five times within 60 days after the password expires.
Configure a super password control policy to meet the following requirements: A super password must
contain at least three character types and at least five characters for each type.
Configure a password control policy for the local Telnet user test to meet the following requirements:
The password must contain at least two character types and at least five characters for each type.
Configuration procedure
# Enable the password control feature globally.
<AC> system-view
[AC] password-control enable
# Prohibit the user from logging in forever after two successive login failures.
[AC] password-control login-attempt 2 exceed lock
# Specify that a user can log in five times within 60 days after the password expires.
[AC] password-control expired-user-login delay 60 times 5
# Refuse any password that contains the username or the reverse of the username.
[AC] password-control complexity user-name check
# Specify that no character can appear three or more times consecutively in a password.
[AC] password-control complexity same-character check
# Specify that a super password must contain at least three character types and at least five characters
for each type.
[AC] password-control super composition type-number 3 type-length 5
# Specify that the password of the local user must contain at least two character types and at least five
characters for each type.
[AC-luser-test] password-control composition type-number 2 type-length 5
# Set the password for the local user to expire after 20 days.
[AC-luser-test] password-control aging 20
Enabled
Password aging:
Password length:
Password composition:
Enabled (1 types,
Password history:
60 seconds
2 times
Lock
36 hours
30 days
5 times in 60 day(s)
Password complexity:
259
Password length:
Password composition:
Enabled (3 types,
Active
ServiceType:
telnet
Access-limit:
Disable
User-group:
system
Current AccessNum: 0
Bind attributes:
Authorization attributes:
Password aging:
Password length:
Password composition:
Enabled (2 types,
260
The keys that participate in the conversion between plain text and cipher text can be the same or different,
dividing the encryption and decryption algorithms into the following types:
Symmetric key algorithmThe keys for encryption and decryption are the same.
Asymmetric key algorithmThe keys for encryption and decryption are different. One is the public
key, and the other is the private key. The information encrypted with the public key can only be
decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the
public key may be distributed widely. The private key cannot be practically derived from the public
key. The device supports RSA and DSA asymmetric key algorithms.
The asymmetric key algorithms can be used for the following purposes:
To encrypt and decrypt dataAny public key receiver can use the public key to encrypt information,
but only the private key owner can decrypt the information. This mechanism ensures confidentiality.
To authenticate a senderAlso called "digital signature." The key owner uses the private key to
"sign" information to be sent, and the receiver decrypts the information with the sender's public key
to verify information authenticity.
Asymmetric key algorithms are widely used in various applications. For example, SSH, SSL, and PKI use
the algorithms for digital signature. For information about SSH, SSL, and PKI, see "Configuring SSH,"
"Configuring SSL," and "Configuring PKI."
Remarks
Creating a local asymmetric key pair
Displaying or exporting the local host public key
Destroying a local asymmetric key pair
261
Task
Remarks
The key algorithm must be the same as required by the security application.
Modulus length
Remarks
RSA
To achieve high
security, specify at least
768 bits in non-FIPS
mode.
DSA
To achieve high
security, specify at least
768 bits in non-FIPS
mode.
IMPORTANT:
Only SSH1.5 uses the RSA server key pair.
To create a local asymmetric key pair:
Step
1.
Command
Remarks
system-view
N/A
By default, no asymmetric key pair exists.
2.
Create a local
asymmetric key pair.
Displaying the host public key in a specific format and saving it to a file
If your local device functions to authenticate the peer device, you must specify the peer public key on the
local device. For more information, see "Specifying the peer public key on the local device."
Command
Remarks
The display public-key local rsa public command displays both the RSA server and host public keys.
Recording the RSA host public key is enough.
After you display the host public key, record the key information for manual configuration of the key on
the peer device.
Command
Remarks
system-view
N/A
2.
In non-FIPS mode:
public-key local export rsa { openssh | ssh1 |
ssh2 }
In FIPS mode:
public-key local export rsa { openssh | ssh2 }
Command
Remarks
system-view
N/A
2.
In non-FIPS mode:
public-key local export rsa { openssh | ssh1 |
ssh2 } filename
In FIPS mode:
public-key local export rsa { openssh | ssh2 }
filename
Command
1.
system-view
2.
264
Prerequisites
Remarks
1.
2.
To import the host public key from a public key file to the local device:
Step
Command
1.
system-view
2.
Import the host public key from the public key file.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
public-key-code begin
N/A
4.
5.
public-key-code end
6.
peer-public-key end
N/A
Command
Remarks
265
Configure the AC to use the asymmetric key algorithm of RSA to authenticate the device.
Manually specify the host public key of the device's public key pair on the AC.
Configuration procedure
1.
266
=====================================================
Time of Key pair created: 09:50:06
2013/08/07
=====================================================
Time of Key pair created: 09:50:07
2013/08/07
2.
# Display the host public key of the device saved on the AC.
[AC] display public-key peer name device
=====================================
Key Name
: device
Key Type
: RSA
267
The output shows that the host public key of the device saved on the AC is consistent with the one
created on the device.
Configure the AC to use the asymmetric key algorithm of RSA to authenticate Device A.
Import the host public key of the device from the public key file to the AC.
Configuration procedure
1.
Create key pairs on the device and export the host public key:
# Create local RSA key pairs on the device, setting the modulus length to the default, 1024 bits.
<Device> system-view
[Device] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
=====================================================
Time of Key pair created: 09:50:06
2013/08/07
=====================================================
268
2013/08/07
# Export the RSA host public key HOST_KEY to a file named device.pub.
[Device] public-key local export rsa ssh2 device.pub
2.
3.
4.
269
=====================================
Key Name
: device
Key Type
: RSA
The output shows that the host public key of the device saved on the AC is consistent with the one
created on the device.
270
Configuring PKI
Overview
The PKI uses a general security infrastructure to provide information security through public key
technologies.
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key
pair consists of a private key and a public key. The private key must be kept secret, but the public key
needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem with PKI is how to manage the public keys. PKI employs the digital certificate mechanism
to solve this problem. The digital certificate mechanism binds public keys to their owners, helping
distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
HP's PKI system provides certificate management for IPsec and SSL.
PKI terms
Digital certificate
A digital certificate is a file signed by a certificate authority (CA) for an entity. It includes mainly the
identity information of the entity, the public key of the entity, the name and signature of the CA, and the
validity period of the certificate, where the signature of the CA ensures the validity and authority of the
certificate. A digital certificate must comply with the international standard of ITU-T X.509. The most
common standard is X.509 v3.
This document involves local certificate and CA certificate. A local certificate is a digital certificate
signed by a CA for an entity, and a CA certificate is the certificate of a CA. If multiple CAs are trusted
by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root
CA has a CA certificate signed by itself and each lower level CA has a CA certificate signed by the CA
at the next higher level.
CRL
An existing certificate might need to be revoked when, for example, the username changes, the private
key leaks, or the user stops the business. Revoking a certificate will remove the binding of the public key
with the user identity information. In PKI, the revocation is made through certificate revocation lists (CRLs).
Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have
been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective
way for checking the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL might degrade network performance, and it uses CRL distribution points to indicate
the URLs of these CRLs.
271
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking
certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and
email. Because different CAs might use different methods to examine the binding of a public key with an
entity, make sure you understand the CA policy before selecting a trusted CA for certificate request.
PKI architecture
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown
in Figure 103.
Figure 103 PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device like a
router or a switch, or a process running on a computer.
CA
A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues
certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing
CRLs.
RA
A registration authority (RA) is an extended part of a CA or an independent authority. An RA can
implement functions including identity authentication, CRL management, key pair generation and key
pair backup. The PKI standard recommends that an independent RA be used for registration
management to achieve higher security of application systems.
PKI repository
A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database.
It stores and manages information like certificate requests, certificates, keys, CRLs and logs when it
provides a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information
and digital certificates from the RA server and provides directory navigation service. From an LDAP server,
an entity can obtain local and CA certificates of its own as well as certificates of other entities.
272
PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA, and the device can check
the validity of certificates. Here is how it works:
1.
2.
The RA reviews the identity of the entity, and then sends the identity information and the public key
with a digital signature to the CA.
3.
The CA verifies the digital signature, approves the application, and issues a certificate.
4.
The RA receives the certificate from the CA, sends it to the LDAP server or other distribution points
to provide directory navigation service, and notifies the entity that the certificate is successfully
issued.
5.
The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.
6.
The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server or other distribution points.
PKI applications
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. The following lists some common application examples:
VPNA VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in
conjunction with PKI-based encryption and digital signature technologies for confidentiality.
Web securityFor web security, two peers can establish an SSL connection first for transparent and
secure communications at the application layer. With PKI, SSL enables encrypted communications
between a browser and a server. Both of the communication parties can verify each other's identity
through digital certificates.
Remarks
Required.
Required.
Requesting a certificate
Required.
Obtaining certificates
Optional.
Optional.
Optional.
Removing a certificate
Optional.
273
Task
Remarks
Optional.
Country code of the entity, a standard 2-character code. For example, CN represents China and US
represents the United States.
FQDN of the entity, a unique identifier of an entity on the network. It consists of a host name and
a domain name and can be resolved to an IP address. For example, www.whatever.com is an
FQDN, where www is a host name and whatever.com a domain name.
The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine,
for example, which entity DN parameters are mandatory and which are optional. Otherwise, certificate
requests might be rejected.
To configure a PKI entity:
Step
Command
Remarks
N/A
1.
system-view
2.
3.
common-name name
country country-code-str
fqdn name-str
ip ip-address
locality locality-name
4.
5.
6.
7.
274
Step
8.
9.
Command
Configure the organization
name for the entity.
organization org-name
organization-unit
org-unit-name
Remarks
Optional.
No organization is specified by default.
Optional.
No unit is specified by default.
Optional.
state state-name
NOTE:
The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity
DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
EntityA certificate applicant uses an entity to provide its identity information to a CA.
URL of the registration serverAn entity sends a certificate request to the registration server
through SCEP, a dedicated protocol for an entity to communicate with a CA.
Polling interval and countAfter an applicant makes a certificate request, the CA might need a
long period of time if it verifies the certificate request manually. During this period, the applicant
needs to query the status of the request periodically to get the certificate as soon as possible after
the certificate is signed. You can configure the polling interval and count to query the request status.
IP address of the LDAP serverAn LDAP server is usually deployed to store certificates and CRLs.
If this is the case, you need to configure the IP address of the LDAP server.
Fingerprint for root certificate verificationAfter receiving the root certificate of the CA, an entity
needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate
content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not
match the one configured for the PKI domain, the entity will reject the root certificate.
Command
Remarks
system-view
N/A
275
Step
2.
Command
Create a PKI domain and
enter its view.
Remarks
No PKI domain exists by default.
3.
ca identifier name
4.
5.
6.
7.
8.
ldap-server ip ip-address
[ port port-number ]
[ version version-number ]
9.
root-certificate fingerprint
{ md5 | sha1 } string
Requesting a certificate
When you request a certificate for an entity, the entity introduces itself to the CA by providing its identity
information and public key, which will be the major components of the certificate. A certificate request
can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is
submitted to a CA by an out-of-band means such as phone, disk, or email.
Online certificate request falls into manual mode and auto mode.
276
If an automatically requested certificate will expire or has expired, the entity does not initiate a re-request
to the CA automatically, and the services using the certificate might be interrupted.
To configure automatic certificate request:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Manual by default.
Configuration guidelines
If a PKI domain already has a local certificate, creating an RSA key pair might result in
inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the
local certificate, and then execute the public-key local create command. For more information
about the public-key local create command, see Security Command Reference.
A newly created key pair overwrites the existing one. If you perform the public-key local create
command in the presence of a local RSA key pair, the system asks you whether you want to
overwrite the existing one.
If a PKI domain already has a local certificate, you cannot request another certificate for it. This
helps avoid inconsistency between the certificate and the registration information resulting from
configuration changes. Before requesting a new certificate, use the pki delete-certificate command
to delete the existing local certificate and the CA certificate stored locally.
When it is impossible to request a certificate from the CA through SCEP, you can print the request
information or save the request information to a local file, and then send the printed information or
saved file to the CA by an out-of-band means. To print the request information, use the pki
request-certificate domain command with the pkcs10 keyword. To save the request information to
a local file, use the pki request-certificate domain command with the pkcs10 filename filename
option.
Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the
certificate is abnormal.
Configuration procedure
To manually request a certificate:
277
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
4.
quit
N/A
5.
Retrieve a CA certificate
manually.
N/A
6.
7.
Optional.
Manual by default.
Obtaining certificates
You can download CA certificates or local certificates from the CA server and save them locally. To do
so, use either the offline mode or the online mode. In offline mode, you must obtain a certificate by an
out-of-band means such as FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves the following purposes:
Locally store the certificates associated with the local security domain for improved query efficiency
and reduced query count.
Before retrieving a local certificate in online mode, make sure to complete LDAP server configuration.
If a PKI domain already has a CA certificate, you cannot obtain another CA certificate for it. This
restriction helps avoid inconsistency between the certificate and registration information resulting from
configuration changes. To obtain a new CA certificate, use the pki delete-certificate command to delete
the existing CA certificate and the local certificate first.
Be sure that the device system time falls in the validity period of the certificate so that the certificate is
valid.
To obtain certificates:
Step
1.
Command
Remarks
system-view
N/A
In online mode:
2.
Retrieve a certificate
manually
In offline mode:
278
Command
Remarks
1.
system-view
N/A
2.
N/A
Optional.
3.
4.
5.
6.
quit
N/A
7.
N/A
8.
9.
pki validate-certificate { ca |
local } domain domain-name
N/A
Optional.
Enabled by default.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Enabled by default.
279
Step
Command
Remarks
4.
quit
N/A
5.
N/A
6.
N/A
Command
1.
system-view
2.
Removing a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you
can delete the current local certificate or CA certificate.
To remove a certificate:
Step
Command
1.
system-view
2.
Delete certificates.
Command
Remarks
1.
system-view
N/A
2.
280
Step
Command
Remarks
3.
attribute id { alt-subject-name
{ fqdn | ip } | { issuer-name |
subject-name } { dn | fqdn | ip } }
{ ctn | equ | nctn | nequ }
attribute-value
Optional.
4.
quit
N/A
5.
6.
Command
Remarks
Display CRLs.
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings
are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
You can use the default values for the other attributes.
2.
3.
282
Configure the AC
1.
Synchronize the system time of the AC with the CA server, so that the AC can correctly request a
certificate.
2.
Configure the entity name as aaa and the common name as name.
<AC> system-view
[AC] pki entity aaa
[AC-pki-entity-aaa] common-name name
[AC-pki-entity-aaa] quit
3.
4.
5.
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
283
Subject:
CN=aaa
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00D67D50 41046F6A 43610335 CA6C4B11
F8F89138 E4E905BD 43953BA2 623A54C0
EA3CB6E0 B04649CE C9CDDD38 34015970
981E96D9 FF4F7B73 A5155649 E583AC61
D3A5C849 CBDE350D 2A1926B7 0AE5EF5E
D1D8B08A DBF16205 7C2A4011 05F11094
73EB0549 A65D9E74 0F2953F2 D4F0042F
19103439 3D4F9359 88FB59F3 8D4B2F6C
2B
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
284
URI:http://4.4.4.133:447/myca.crl
Signature Algorithm: sha1WithRSAEncryption
836213A4 F2F74C1A 50F4100D B764D6CE
B30C0133 C4363F2F 73454D51 E9F95962
EDE9E590 E7458FA6 765A0D3F C4047BC2
9C391FF0 7383C4DF 9A0CCFA9 231428AF
987B029C C857AD96 E4C92441 9382E798
8FCC1E4A 3E598D81 96476875 E2F86C33
75B51661 B6556C5E 8F546E97 5197734B
C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C
You can also use some other display commands to view detailed information about the CA certificate
and CRLs. For more information about the display pki certificate ca domain and display pki crl domain
commands, see Security Command Reference.
2.
3.
c. Click Properties, and then select Follow the settings in the certificate template, if applicable.
Otherwise, automatically issue the certificate.
4.
Configure the AC
1.
Synchronize the system time of the AC with the CA server, so that the AC can properly request a
certificate.
2.
3.
4.
286
+++++++++++++++++++++++
5.
SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
287
1.3.6.1.4.1.311.20.2:
.0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
Signature Algorithm: sha1WithRSAEncryption
81029589 7BFA1CBD 20023136 B068840B
(Omitted)
You can also use some other display commands to view detailed information about the CA certificate.
For more information about the display pki certificate ca domain command, see Security Command
Reference.
As shown in Figure 106, the client accesses the remote HTTP Secure (HTTPS) server through the
HTTPS protocol.
SSL is configured to make sure that only legal clients log into the HTTPS server.
Create a certificate access control policy to control access to the HTTPS server.
288
Configuration procedure
For more information about SSL configuration, see "Configuring SSL."
The PKI domain to be referenced by the SSL policy must be created in advance. For more information
about PKI domain configuration, see "Configure the PKI domain" in Configure the AC.
1.
2.
# Create certificate attribute group mygroup2 and add two attribute rules. The first rule specifies
that the FQDN of the alternative subject name does not include the string of apple, and the second
rule specifies that the DN of the certificate issuer name includes the string aabbcc.
[AC] pki certificate attribute-group mygroup2
[AC-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[AC-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[AC-pki-cert-attribute-group-mygroup2] quit
3.
4.
Apply the SSL server policy and certificate access control policy to HTTPS service and enable
HTTPS service.
# Apply SSL server policy myssl to HTTPS service.
[AC] ip https ssl-server-policy myssl
289
Troubleshooting PKI
Failed to obtain the CA certificate
Symptom
Failed to obtain a CA certificate.
Analysis
Possible reasons include:
The network connection is not proper. For example, the network cable might be damaged or loose.
No trusted CA is specified.
The URL of the registration server for certificate request is not correct or not configured.
The system clock of the device is not synchronized with that of the CA.
1.
2.
3.
4.
5.
Synchronize the system clock of the device with that of the CA.
Solution
Analysis
Possible reasons include:
The network connection is not proper. For example, the network cable might be damaged or loose.
No trusted CA is specified.
The URL of the registration server for certificate request is not correct or not configured.
1.
2.
Retrieve a CA certificate.
3.
4.
Solution
290
5.
6.
7.
Analysis
Possible reasons include:
The network connection is not proper. For example, the network cable might be damaged or loose.
1.
2.
Retrieve a CA certificate.
3.
4.
5.
Solution
291
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements
remote login and file transfer securely over an insecure network.
SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are
not compatible. SSH2 is better than SSH1 in performance and security.
The device can work as an SSH server or as an SSH client. When acting as an SSH server, the device
provides services to SSH clients and supports the following SSH versions:
When acting as an SSH client, the device supports SSH2 only. It allows users to establish SSH
connections with an SSH server.
The device supports the following SSH applications:
StelnetProvides secure and reliable network terminal access services. Through Stelnet, a user can
log in to a remote server securely. Stelnet protects devices against attacks such as IP spoofing and
plain text password interception. The device can act as both the Stelnet server and Stelnet client.
SFTPBased on SSH2, it uses the SSH connection to provide secure file transfer. The device can
serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file
management and transfer. The device can also serve as an SFTP client, enabling a user to log in
from the device to a remote device for secure file transfer.
SCPBased on SSH2, it offers a secure approach to copying files. The device can act as the SCP
server, allowing a user to log in to the device for file upload and download. The device can also act
as an SCP client, enabling a user to log in from the device to a remote server for secure file transfer.
Description
Connection establishment
The SSH server listens to the connection requests on port 22. After a client
initiates a connection request, the server and the client establish a TCP
connection.
Version negotiation
292
Stages
Description
SSH supports multiple algorithms. Based on the local algorithms, the two parties
determine to use the following algorithms:
Algorithm negotiation
The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically
generate the session keys and session ID:
Key exchange
Authentication
The SSH server authenticates the client in response to the client's authentication
request.
Session request
After passing authentication, the client sends a session request to the server to
request the establishment of a session (Stelnet, SFTP, or SCP).
After the server grants the request, the client and the server start to communicate
with each other in the session.
Interaction
In this stage, you can execute commands from the client by pasting the
commands in text format. The text must be within 2000 bytes. To execute the
commands successfully, HP recommends that you paste the commands that are
in the same view.
If you want to execute commands of more than 2000 bytes, you can save the
commands in a configuration file, upload it to the server through SFTP, and use
it to restart the server.
SSH authentication
When the device acts as an SSH server, it supports the following authentication methods:
Password authenticationThe SSH server uses AAA to authenticate the client. During password
authentication, the SSH client performs the following operations:
a. Encrypts its username and password.
b. Encapsulates the encrypted information into an authentication request.
c. Sends the request to the server.
After receiving the request, the SSH server performs the following operations:
a. Decrypts the request to get the username and password in plain text.
b. Checks the validity of the username and password locally or through remote AAA
authentication.
c. Informs the client of the authentication result.
If the AAA server requires the user for a secondary password authentication, it sends the SSH
server an authentication response with a prompt. The prompt is transparently transmitted to the
client to notify the user to enter a specific password. When the user enters the correct password,
the AAA sever examines the password validity. If the password is valid, an authentication success
message is sent to the client.
293
NOTE:
Only clients that run SSH2 or a later version support secondary password authentication that is
initiated by the AAA server.
Publickey authenticationThe server authenticates the client through the digital signature. During
publickey authentication, the client sends the server a publickey authentication request that contains
the following information:
{
Username.
Publickey algorithm information (or the digital certificate that carries the public key information).
The server examines the validity of the public key. If the public key is invalid, the authentication
fails. If the public key is valid, the server authenticates the client by using the digital signature.
Finally, it informs the client of the authentication result. The device supports using the publickey
algorithms RSA and DSA for digital signature.
A client can send public key information to the SSH server for validity check by using one of the
following methods:
{
The client directly sends the user's public key information to the server. The server checks the
validity of the user's public key.
The client sends the user's public key information to the server through a digital certificate. The
server checks the validity of the digital certificate. When acting as a client, the device does not
support this method.
Any authenticationThe server requires the client to pass password authentication or publickey
authentication.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see "Configuring FIPS."
Remarks
Required.
Task
Remarks
Required.
Required if the following conditions exist:
Optional.
Configuration guidelines
When you generate local DSA and RSA key pairs, follow these restrictions and guidelines:
To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs
on the SSH server.
The public-key local create rsa command generates a server RSA key pair and a host RSA key pair.
Each of the key pairs consists of a public key and a private key. In SSH1, the public key in the server
key pair is used to encrypt the session key for secure transmission of the session key. Because SSH2
uses the DH algorithm to generate each session key on the SSH server and the client, no session key
transmission is required. The server key pair is not used in SSH2.
The public-key local create dsa command generates only a host key pair. SSH1 does not support
the DSA algorithm.
Configuration procedure
To generate local RSA and DSA key pairs on the SSH server:
Step
Command
Remarks
1.
system-view
N/A
2.
295
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
authentication-mode scheme
4.
Optional.
protocol inbound { all | ssh }
296
For more information about the authentication-mode and protocol inbound commands, see
Fundamentals Command Reference.
Configure the client's DSA and RSA host public key on the server.
You can configure up to 20 SSH client's public keys on an SSH server.
2.
Specify the associated host private key on the client to generate the digital signature. If the device
serves as an SSH client, specify the public key algorithm on the client. The algorithm determines
the associated host private key for generating the digital signature.
You can enter the content of a client's host public key or import the client's host public key from the public
key file. HP recommends that you import the client's host public key.
For more information about client public key configuration, see "Managing public keys."
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
public-key-code begin
N/A
4.
5.
6.
public-key-code end
peer-public-key end
N/A
Importing the client's host public key from the public key file
Before you import the host public key, upload the client's public key file (in binary) to the server, for
example, through FTP or TFTP. During the import process, the server automatically converts the host
public key in the public key file to a string in PKCS format.
297
To import a client's host public key from the public key file:
Step
Command
1.
system-view
2.
For local authentication, configure a local user account by using the local-user command.
For remote authentication, configure an SSH user account on an authentication server, for example,
a RADIUS server.
If the authentication method is password, you do not need to create an SSH user. However, if you want
to display all SSH users, including the password-only SSH users, for centralized management, you can
use this command to create them. If such an SSH user has been created, make sure you have specified
the correct service type and authentication method.
You can specify one of the following authentication methods for the SSH user:
{
For all authentication methods except password authentication, you must specify a client's host
public key or digital certificate.
{
Password-publickey authenticationAs an SSH2.0 user, the user must pass both password and
publickey authentication. As an SSH1 user, the user must pass either password or publickey
authentication.
For a client that directly sends the user's public key information to the server, you must specify
the client's host public key on the server. The specified client's host public key must already exist.
For more information about public keys, see "Configuring a client's host public key."
For a client that sends the user's public key information to the server through a digital certificate,
you must specify the PKI domain on the server. This PKI domain verifies the client certificate. To
make sure the authorized SSH users can pass the authentication, the specified PKI domain must
have the correct CA certificate. For more information about configuring a PKI domain, see
"Configuring PKI."
The command level accessible to an SSH user depends on the authentication method:
{
If the authentication method is password, the command level accessible to the SSH user is
authorized by AAA.
SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or
all.
For an SFTP SSH user, the working folder depends on the authentication method:
{
{
If you change the authentication method or public key for a logged-in SSH user, the change takes
effect on the user at the next login.
Configuration procedure
To configure an SSH user and specify the service type and authentication method:
Step
1.
Command
Enter system view.
system-view
Create an SSH user, and specify the service type and authentication
2.
Create an SSH user, and specify the service type and authentication
Command
Remarks
N/A
1.
system-view
2.
Optional.
By default, the SSH server supports
SSH1 clients.
Optional.
3.
4.
299
Step
Command
Remarks
Optional.
The default setting is 3.
5.
6.
Remarks
Optional.
Optional.
Required.
Ensuring the communication between the Stelnet client and the Stelnet server.
Command
Enter system
view.
Remarks
N/A
system-view
300
Step
Command
Remarks
2.
To enable the client to access the server, you must complete the following tasks in advance:
a. Configure the server's host public key locally.
b. Specify the public key name for authentication on the client.
If first-time authentication is enabled, the client accesses the server, and saves the server's host
public key on the client. When accessing the server next time, the client uses the locally saved
server's host public key to authenticate the server.
In a secure network, enabling first-time authentication simplifies client configuration, but it also brings
potential security risks.
Command
Remarks
N/A
1.
system-view
2.
Enable first-time
authentication.
Optional.
Enabled by default.
Command
Remarks
1.
system-view
N/A
2.
Disable first-time
authentication.
Enabled by default.
3.
4.
N/A
301
Command
Remarks
Establish a connection
to an Stelnet server.
In non-FIPS mode:
ssh2 server [ port-number ] [ identity-key { dsa |
rsa } | prefer-compress { zlib | zlib-openssh } |
prefer-ctos-cipher { 3des | aes128 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 |
sha1-96 } | prefer-kex { dh-group-exchange |
dh-group1 | dh-group14 } | prefer-stoc-cipher
{ 3des | aes128 | des } | prefer-stoc-hmac { md5 |
md5-96 | sha1 | sha1-96 } ] *
In non-FIPS mode:
ssh2 server [ port-number ] [ identity-key rsa |
prefer-ctos-cipher { aes128 | aes256 } |
prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex
dh-group14 | prefer-stoc-cipher { aes128 |
aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ identity-key { dsa
| rsa } | prefer-compress { zlib | zlib-openssh }
|prefer-ctos-cipher { 3des | aes128 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 |
sha1-96 } | prefer-kex { dh-group-exchange |
dh-group1 | dh-group14 } | prefer-stoc-cipher
{ 3des | aes128 | des } | prefer-stoc-hmac { md5 |
md5-96 | sha1 | sha1-96 } ] *
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ identity-key rsa |
prefer-ctos-cipher { aes128 | aes256 } |
prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex
dh-group14 | prefer-stoc-cipher { aes128 |
aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
302
Remarks
Optional.
Optional.
Required.
Optional.
Optional.
Optional.
Optional.
Ensuring the communication between the SFTP client and the SFTP server.
Enter system
view.
Command
Remarks
system-view
N/A
Specify a source
IP address or
interface for
SFTP packets.
After the connection is established, you can directly enter SFTP client view on the server to perform
directory and file operations.
To establish a connection to an SFTP server:
Task
Command
Remarks
Establish a connection
to an SFTP server and
enter SFTP client view.
In non-FIPS mode:
sftp server [ port-number ] [ identity-key { dsa |
rsa } | prefer-compress { zlib | zlib-openssh }
|prefer-ctos-cipher { 3des | aes128 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 |
sha1-96 } | prefer-kex { dh-group-exchange |
dh-group1 | dh-group14 } | prefer-stoc-cipher
{ 3des | aes128 | des } | prefer-stoc-hmac
{ md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp server [ port-number ] [ identity-key rsa |
prefer-ctos-cipher { aes128 | aes256 } |
prefer-ctos-hmac { sha1 | sha1-96 } |
prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 |
sha1-96 } ] *
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ identity-key
{ dsa | rsa } | prefer-compress { zlib |
zlib-openssh } | prefer-ctos-cipher { 3des |
aes128 | des } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 } | prefer-kex
{ dh-group-exchange | dh-group1 |
dh-group14 } | prefer-stoc-cipher { 3des |
aes128 | des } | prefer-stoc-hmac { md5 |
md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ identity-key rsa
| prefer-ctos-cipher { aes128 | aes256 } |
prefer-ctos-hmac { sha1 | sha1-96 } |
prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 |
sha1-96 } ] *
Command
Remarks
1.
N/A
2.
cd [ remote-path ]
Optional.
3.
cdup
Optional.
304
Step
Command
Remarks
Optional.
4.
pwd
5.
dir [ -a | -l ] [ remote-path ]
ls [ -a | -l ] [ remote-path ]
6.
Optional.
7.
mkdir remote-path
Optional.
8.
rmdir remote-path&<1-10>
Optional.
Command
Remarks
Optional.
The dir command functions as the
ls command.
N/A
2.
Optional.
3.
Optional.
4.
Optional.
5.
dir [ -a | -l ] [ remote-path ]
ls [ -a | -l ] [ remote-path ]
6.
delete remote-file&<1-10>
remove remote-file&<1-10>
Optional.
The dir command functions as the
ls command.
Optional.
The delete command functions as
the remove command.
Command
1.
2.
Command
Remarks
1.
N/A
2.
bye
exit
quit
Remarks
Optional.
Required.
306
Command
Upload a file to the SCP server:
{
In non-FIPS mode:
scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ]
identity-key { dsa | rsa } | [ prefer-compress { zlib | zlib-openssh } |
prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } |
prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ]
[ identity-key rsa | prefer-compress { zlib | zlib-openssh } |
prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 }
| prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } |
prefer-stoc-hmac { sha1 | sha1-96 } ] *
In non-FIPS mode:
scp [ ipv6 ] server [ port-number ] get source-file-path [ destination-file-path ]
[ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } |
prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } |
prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
scp [ ipv6 ] server [ port-number ] get source-file-path [ destination-file-path ]
[ identity-key rsa | prefer-compress { zlib | zlib-openssh } |
prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 }
| prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } |
prefer-stoc-hmac { sha1 | sha1-96 } ] *
Command
Remarks
307
Task
Command
Remarks
You can log in to the AC through the Stelnet client (SSH2) that runs on the client.
The username and password of the client are saved on the AC.
308
Configuration procedure
1.
b. Continuously move the mouse and do not place the mouse over the green progress bar shown
in Figure 109. Otherwise, the progress bar stops moving and the key pair generating progress
stops.
309
c. After the key pair is generated, click Save public key to save the public key.
A file saving window appears.
Figure 110 Saving the RSA key pair on the client
310
# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the
destination address for SSH connection.
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[AC-Vlan-interface2] quit
# Create an SSH user client001. Specify the service type as stelnet and the authentication method
as password for the user. By default, password authentication is used if no SSH user is created.
[AC] ssh user client001 service-type stelnet authentication-type password
3.
311
b. In the Host Name (or IP address) filed, enter the IP address 192.168.1.40 of the Stelnet server.
c. Click Open to connect to the server.
If the connection is successfully established, the system notifies you to enter the username and
password. After entering the username (client001) and password (aabbcc), you can enter the
CLI of the server.
You can log in to the AC through the Stelnet client (SSH2) that runs on the client.
The AC acts as the Stelnet server, and uses publickey authentication and the RSA public key
algorithm.
312
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate the RSA
key pair on the client before configuring the Stelnet server.
The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following
example uses PuTTY version 0.58 on the Stelnet client.
Configuration procedure
1.
b. Continuously move the mouse and do not place the mouse over the green progress bar shown
in Figure 114. Otherwise, the progress bar stops moving and the key pair generating progress
stops.
313
c. After the key pair is generated, click Save public key to save the public key.
A file saving window appears.
Figure 115 Saving the RSA key pair on the client
314
# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the
destination address for SSH connection.
[AC] interface vlan-interface 2
[AC-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[AC-Vlan-interface2] quit
# Import the client's public key from file key.pub and name it Key001.
[AC] public-key peer Key001 import sshkey key.pub
# Create an SSH user client002. Specify the authentication method as publickey for the user, and
assign the public key Key001 to the user.
[AC] ssh user client002 service-type stelnet authentication-type publickey assign
publickey Key001
3.
315
b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
c. Select Connection > SSH > Auth from the navigation tree.
d. Click Browse to bring up the file selection window, navigate to the private key file (private
in this example) and click OK.
316
You can log in to the switch through the Stelnet client that runs on AC.
The switch acts as the Stelnet server and uses password authentication.
317
Configuration procedure
1.
# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the
destination address for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
# Create an SSH user client001. Specify the service type as stelnet and the authentication method
as password for the user.
[Switch] ssh user client001 service-type stelnet authentication-type password
2.
# Configure the host public key of the SSH server and name the key key1.
[AC] public-key peer key1
[AC-pkey-public-key] public-key-code begin
[AC-pkey-key-code]308201B73082012C06072A8648CE3804013082011F0281810
0D757262C4584C44C211F18BD96E5F0
[AC-pkey-key-code]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE
318
65BE6C265854889DC1EDBD13EC8B274
[AC-pkey-key-code]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B0
6FD60FE01941DDD77FE6B12893DA76E
[AC-pkey-key-code]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B3
68950387811C7DA33021500C773218C
[AC-pkey-key-code]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E
14EC474BAF2932E69D3B1F18517AD95
[AC-pkey-key-code]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02
492B3959EC6499625BC4FA5082E22C5
[AC-pkey-key-code]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E
88317C1BD8171D41ECB83E210C03CC9
[AC-pkey-key-code]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC
9B09EEF0381840002818000AF995917
[AC-pkey-key-code]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5D
F257523777D033BEE77FC378145F2AD
[AC-pkey-key-code]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71
01F7C62621216D5A572C379A32AC290
[AC-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E
8716261214A5A3B493E866991113B2D
[AC-pkey-key-code]485348
[AC-pkey-key-code] public-key-code end
[AC-pkey-public-key] peer-public-key end
# Specify the host public key for the Stelnet server 192.168.1.40 as key1.
[AC] ssh client authentication server 192.168.1.40 assign publickey key1
[AC] quit
******************************************************************************
<Switch>
You can log in to the switch through the Stelnet client that runs on AC.
319
The switch acts as the Stelnet server and uses publickey authentication and the RSA public key
algorithm.
Configuration considerations
In the server configuration, the client public key is required. Use the client software to generate RSA key
pairs on the client before configuring the Stelnet server.
Configuration procedure
1.
# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2.
# Configure an IP address for VLAN-interface 2. The SSH client uses this address as the destination
address for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
320
# Import the peer public key from the file key.pub, and name it Key001.
[Switch] public-key peer Key001 import sshkey key.pub
# Create an SSH user client002. Specify the authentication method as publickey for the user, and
assign the public key Key001 to the user.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign
publickey Key001
3.
******************************************************************************
<Switch>
Network requirements
As shown in Figure 120:
AC 1 acts as an SFTP client to log into AC 2 for file management and file transfer.
321
Configuration procedure
1.
# Configure an IP address for VLAN-interface 2. The client uses this address as the destination
address for SSH connection.
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[AC2-Vlan-interface2] quit
# Configure the AC to authenticate SSH users by using password authentication, and provide
SFTP services.
[AC2] ssh user client001 service-type sftp authentication-type password
NOTE:
To use publickey authentication, configure the public key of AC 1 on AC 2. For configuration steps,
see "Publickey authentication enabled Stelnet server configuration example."
# Enable the SFTP server.
[AC2] sftp server enable
2.
<AC1> system-view
[AC1] interface vlan-interface 2
[AC1-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[AC1-Vlan-interface2] quit
[AC1] quit
# Establish a connection with the remote SFTP server and enter SFTP client view.
<AC1> sftp 192.168.0.1
Input Username: client001
Trying 192.168.0.1 ...
Press CTRL+K to abort
Connected to 192.168.0.1 ...
<sftp-client>
# Display files under the current directory of the server, delete the file z, and verify the result.
<sftp-client> dir
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
0 Sep 01 08:00 z
End of file
Success
<sftp-client> delete z
The following File will be deleted:
/z
Are you sure to delete it? [Y/N]:y
This operation may take a long time. Please wait...
Success
File successfully Removed
<sftp-client> dir
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
End of file
Success
323
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
End of file
Success
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
End of file
Success
# Download the pubkey2 file from the server and save it as local file public.
<sftp-client> get pubkey2 public
Remote
file:/pubkey2 --->
End of file
Success
Downloading file successfully ended
# Upload a local file pu to the server, save it as puk, and verify the result.
<sftp-client> put pu puk
Local file:pu --->
Success
Uploading file successfully ended
<sftp-client> dir
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
drwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
-rwxrwxrwx
1 noone
nogroup
End of file
Success
<sftp-client>
324
Network requirements
As shown in Figure 121:
Configuration procedure
1.
# Configure an IP address for VLAN-interface 2. The client uses this address as the destination
address for SCP connection.
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[AC2-Vlan-interface2] quit
325
# Create an SSH user client001. Specify the service type as scp and authentication method as
password for the user. By default, password authentication is used if no SSH user is created.
[AC2] ssh user client001 service-type scp authentication-type password
2.
3.
Connect to the SCP server, download the file remote.bin from the server, and save it locally with
the name local.bin.
<AC1> scp 192.168.0.1 get remote.bin local.bin
Username: client001
Trying 192.168.0.1 ...
Press CTRL+K to abort
Connected to 192.168.0.1 ...
326
Configuring SSL
Overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based
application layer protocols such as HTTP. It is widely used in e-business and online banking to provide
secure data transmission over the Internet.
PrivacySSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric key
algorithm of RSA to encrypt the key to be used by the symmetric encryption algorithm.
IntegritySSL uses the key-based message authentication code (MAC) to verify message integrity.
A MAC algorithm transforms a message of any length to a fixed-length message. With the key, the
sender uses the MAC algorithm to compute the MAC value of a message. Then, the sender
appends the MAC value to the message and sends the result to the receiver. The receiver uses the
same key and MAC algorithm to compute the MAC value of the received message, and compares
the locally computed MAC value with that received. If the two values match, the receiver considers
the message intact. Otherwise, the receiver considers the message tampered with in transit and
discards the message.
For more information about symmetric key algorithms, asymmetric key algorithm RSA, and digital
signature, see "Managing public keys."
For more information about PKI, certificate, and CA, see "Configuring PKI."
327
SSL record protocolFragments data to be transmitted, computes and adds MAC to the data, and
encrypts the data before transmitting it to the peer end.
SSL handshake protocolNegotiates the cipher suite to be used for secure communication
(including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm),
securely exchanges the key between the server and client, and implements identity authentication
of the server and client. Through the SSL handshake protocol, a session is established between a
client and the server. A session consists of a set of parameters, including the session ID, peer
certificate, cipher suite, and master secret.
SSL change cipher spec protocolUsed for notification between the client and the server that the
subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite
and key.
SSL alert protocolEnables the SSL client and server to send alert messages to each other. An alert
message contains the alert severity level and a description.
Remarks
Required.
Optional.
Command
Remarks
1.
system-view
N/A
2.
N/A
328
Step
Command
Remarks
Optional.
By default, no PKI domain is
specified for an SSL server policy,
and the SSL server generates and
signs a certificate for itself and
does not obtain a certificate from a
CA server.
3.
pki-domain domain-name
In non-FIPS mode:
4.
ciphersuite
[ rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha ] *
In FIPS mode:
Optional.
By default, an SSL server policy
supports all cipher suites.
ciphersuite
[ dhe_rsa_aes_128_cbc_sha |
dhe_rsa_aes_256_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha ] *
5.
Optional.
3600 seconds by default.
Optional.
6.
close-mode wait
7.
8.
Optional.
client-verify enable
329
Step
Command
Remarks
Optional.
9.
Disabled by default.
client-verify weaken
Command
Remarks
1.
system-view
N/A
2.
N/A
Optional.
No PKI domain is specified by
default.
3.
pki-domain domain-name
In non-FIPS mode:
4.
prefer-cipher
{ rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha |
rsa_des_cbc_sha |
rsa_rc4_128_md5 |
rsa_rc4_128_sha }
In FIPS mode:
Optional.
rsa_rc4_128_md5 by default.
prefer-cipher
{ dhe_rsa_aes_128_cbc_sha d
dhe_rsa_aes_256_cbc_sha |
rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha }
5.
330
Optional.
TLS 1.0 by default.
Step
6.
Command
Enable certificate-based SSL
server authentication.
server-verify enable
Remarks
Optional.
Enabled by default.
Displaying SSL
Task
Command
Remarks
Network requirements
Configure the AC to operate as an HTTP Security (HTTPS) server so that the client accesses the HTTPS
server through HTTPS. Configure a CA server to issue certificates.
Figure 124 Network diagram
331
Configuration procedure
1.
2.
3.
Associate HTTPS service with the SSL server policy and enable HTTPS service:
# Configure HTTPS service to use SSL server policy myssl.
[AC] ip https ssl-server-policy myssl
4.
For more information about PKI configuration commands and the public-key local create rsa command,
see Security Command Reference.
332
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure might result from the following causes:
The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate, or
the certificate is not trusted.
The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate, or the
certificate is not trusted.
1.
Issue the debugging ssl command and view the debugging information to locate the problem:
Solution
2.
If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate,
request one for it.
If the servers certificate cannot be trusted, install the root certificate of the CA that issued the
local certificate to the SSL server on the SSL client, or let the server request a certificate from the
CA that the SSL client trusts.
If the SSL server is configured to authenticate the client, but the SSL client has no certificate or the
certificate cannot be trusted, request and install a certificate for the client.
Use the display ssl server-policy command to view the cipher suites that the SSL server policy
supports. If the server and the client have no matching cipher suite, use the ciphersuite command
to modify the cipher suite configuration of the SSL server.
333
2.
After receiving the SYN message, the target server establishes a TCP connection in
SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3.
After receiving the SYN ACK message, the originator returns an ACK message, establishing the
TCP connection.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number
of SYN messages to the server to establish TCP connections, but they never make any response to SYN
ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in
heavy resource consumption and making the server unable to handle services correctly.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the
server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. The
server can establish a connection only after receiving an ACK message from the client. The server then
enters ESTABLISHED state. In this way, incomplete TCP connections can be avoided to protect the server
against SYN Flood attacks.
To enable the SYN Cookie feature:
Step
Command
Remarks
1.
system-view
N/A
2.
Enabled by default.
If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then,
if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically
becomes effective.
With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP
connection establishment, instead of the window's zoom factor and timestamp.
334
Command
Remarks
335
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP
entries.
Sends a large number of unresolvable IP packets (ARP cannot find MAC addresses for those
packets) to keep the receiving device busy with resolving target IP addresses until the CPU is
overloaded.
Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
Remarks
Configuring ARP
source suppression
Optional.
Enabling ARP
blackhole routing
Optional.
Remarks
Optional.
336
Task
Remarks
Optional.
The device sends a large number of ARP requests, overloading the target subnets.
The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such IP packet attacks, you can configure the following features:
ARP source suppressionStops resolving packets from a host if the upper limit on unresolvable IP
packets from the host is reached within an interval of 5 seconds. The device continues ARP
resolution when the interval elapses. This feature is applicable if the attack packets have the same
source addresses.
ARP blackhole routingCreates a blackhole route destined for an unresolvable IP address. The
device drops all matching packets until the blackhole route ages out. This feature is applicable
regardless of whether the attack packets have the same source addresses.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
3.
Optional.
10 by default.
Command
Remarks
system-view
N/A
Optional.
2.
337
Enabled by default.
The aging time for a blackhole
route is 25 seconds.
Command
Remarks
Configuration example
The configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module
and might vary by device model.
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings
are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Network requirements
As shown in Figure 125, a LAN contains two areas: an R&D area in VLAN 10 and an office area in
VLAN 20. Each area connects to the gateway (AC) through an AP.
A large number of ARP requests are detected in the office area and are considered a consequence of an
IP flood attack. To prevent such attacks, configure ARP source suppression and ARP blackhole routing.
Figure 125 Network diagram
338
Configuration considerations
If the attack packets have the same source address, you can enable the ARP source suppression function
as follows:
1.
2.
Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5
seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
If the attack packets have different source addresses, enable the ARP blackhole routing function on the
AC.
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<AC> system-view
[AC] arp source-suppression enable
[AC] arp source-suppression limit 100
Command
Remarks
1.
system-view
N/A
2.
N/A
Disabled by default.
3.
FilterGenerates log messages and filters out subsequent ARP packets from that MAC address.
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can
be processed correctly.
You can exclude the MAC addresses of some gateways and servers from detection. This feature does not
inspect ARP packets from those devices even if they are attackers.
Only the ARP packets delivered to the CPU are checked.
To configure source MAC-based ARP attack detection:
Step
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
3.
Optional.
4.
Optional.
5.
Command
Remarks
340
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Network requirements
As shown in Figure 126, the hosts access the Internet through a gateway (AC). If malicious users send a
large number of ARP requests to the gateway, the gateway might crash and cannot process requests from
the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
Figure 126 Network diagram
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the
source MAC address. To prevent such attacks, configure the gateway as follows:
1.
Enable source MAC-based ARP attack detection and specify the handling method.
2.
3.
4.
Configuration procedure
# Enable source MAC-based ARP attack detection and specify the handling method.
<AC> system-view
[AC] arp source-mac filter
341
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
With the arp authorized enable command executed, an interface of a DHCP server (or a DHCP
relay agent) that does not support authorized ARP is disabled from dynamically learning ARP
entries and cannot generate authorized ARP entries.
342
Static ARP entries can overwrite authorized ARP entries, and authorized ARP entries can overwrite
dynamic ARP entries. But authorized ARP entries cannot overwrite static ARP entries, and dynamic
ARP entries cannot overwrite authorized ARP entries.
For more information about DHCP server and DHCP relay agent, see Layer 3 Configuration Guide.
To enable authorized ARP:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Disabled by default.
4.
Network requirements
Configure the DHCP server with an IP address pool of 10.1.1.0/24 on the AC.
Enable authorized ARP on VLAN-interface 10 of the AC to ensure user validity.
Configure the DHCP client to obtain an IP address from the DHCP server.
Figure 127 Network diagram
Configuration procedure
# Configure the client in VLAN 10 to connect the AC through the interface WLAN-ESS 0. (Details not
shown.)
# Configure DHCP.
<AC> system-view
343
# After the client obtains an IP address from the AC, display information about the authorized ARP entry
generated based on the lease.
[AC] display arp
Type: S-Static
D-Dynamic
A-Authorized
IP Address
MAC Address
VLAN ID
Interface
Aging Type
10.1.1.2
0000-8279-aa02
10
WLAN-DBSS5:52
N/A
The output shows that the AC assigned an IP address 10.1.1.2 to the client.
The client must use the IP address and MAC address in the authorized ARP entry to communicate with the
AC. Otherwise, the communication fails, and user validity is ensured.
Network requirements
Configure the device as a DHCP server with an IP address pool of 10.1.1.0/24.
Configure the AC as a DHCP relay agent. Enable authorized ARP on VLAN-interface 10 of the AC to
ensure user validity.
Configure the client as a DHCP client to obtain an IP address.
344
DHCP Relay
DHCP Client
VLAN 10
10.1.1.1/24
AC
Switch
AP
Client
Configuration procedure
1.
2.
# After the client obtains the IP address from Switch, display information about the authorized ARP
entry generated based on the lease.
[AC] display arp
Type: S-Static
D-Dynamic
345
A-Authorized
IP Address
MAC Address
VLAN ID
Interface
Aging Type
10.1.1.2
0000-8279-aa02
10
WLAN-DBSS5:52
N/A
The output shows that the AC assigned an IP address 10.1.1.2 to the client.
The client must use the IP address and MAC address in the authorized ARP entry to communicate
with AC. Otherwise, the communication fails, and the user validity is ensured.
If both ARP packet validity check and user validity check are enabled, ARP packet validity check applies
first, and then user validity check applies.
ARP detection does not check ARP packets received from ARP trusted ports.
Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and
MAC addresses of the ARP packet against user validity check rules. If a matching rule is found, the
ARP packet is processed according to the rule.
2.
If no matching rule is found, the device compares the ARP packet's sender IP and MAC addresses
against the DHCP snooping entries and 802.1X security entries. If a match is found in any of the
entries, the ARP packet is considered valid and is forwarded.
3.
Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information,
see Layer 3 Configuration Guide.
802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and
uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X
security entry. The 802.1X client must be enabled to upload its IP address to the device. For more
information, see "Configuring 802.1X."
To configure user validity check:
Step
1.
2.
3.
Command
Remarks
system-view
N/A
vlan vlan-id
346
Optional.
Not configured by default.
N/A
Step
Command
Remarks
4.
Disabled by default.
5.
quit
N/A
6.
interface interface-type
interface-number
N/A
7.
Optional.
A port is an untrusted port
by default.
At least a user validity check rule, a DHCP snooping entry, or an 802.1X security entry must be available
to perform user validity check. Otherwise, ARP packets received from ARP untrusted ports are discarded.
src-macChecks whether the sender MAC address in the message body is identical to the source
MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the
packet is discarded.
dst-macChecks the target MAC address of ARP replies. If the target MAC address is all-zero,
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
ipChecks the sender and target IP addresses of ARP replies, and the sender IP address of ARP
requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding
packets are discarded.
Command
Remarks
1.
system-view
N/A
2.
vlan vlan-id
N/A
3.
Disabled by default.
4.
quit
N/A
5.
Disabled by default.
interface interface-type
interface-number
N/A
6.
7.
Optional.
arp detection trust
347
If the packets are ARP requests, they are forwarded through the trusted interface.
If the packets are ARP replies, they are forwarded according to their destination MAC address. If no
match is found in the MAC address table, they are forwarded through the trusted interface.
Command
Remarks
1.
system-view
N/A
2.
vlan vlan-id
N/A
3.
Disabled by default.
Command
Remarks
Network requirements
As shown in Figure 129:
Enable ARP detection in VLAN 10 to check user validity based on 802.1X entries.
Device
10.1.1.1/24
Radius server
DHCP snooping
Switch
AP1
Client 1
DHCP client
AC
AP2
Client 2
10.1.1.6
0001-0203-0607
Configuration procedure
1.
Add the port connecting the device on the switch to VLAN 10, and configure the IP address of
VLAN-interface 10 on the device. (Details not shown.)
2.
3.
Configure Client 1 and Client 2 as 802.1X clients and configure them to upload IP addresses for
ARP detection. (Details not shown.)
4.
5.
# Set the shared key to expert for the AC and the authentication server to exchange packets.
[AC-radius-rad] key authentication expert
# Set the shared key for the AC and the accounting server to exchange packets
[AC-radius-rad] key accounting expert
349
# Exclude the domain name from the username sent to the RADIUS server.
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure RADIUS authentication, authorization, and accounting for LAN access users.
[AC-isp-imc] authentication lan-access radius-scheme rad
[AC-isp-imc] authorization lan-access radius-scheme rad
[AC-isp-imc] accounting lan-access radius-scheme rad
[AC-isp-imc] quit
# Configure a clear-type WLAN service template, set the service set identifier (SSID) to dot1x, and
bind the WLAN-ESS port to the template.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind wlan-ess 0
# Create AP template 2100 with the model MSM460-WW and serial number CN2AD330S8.
[AC] wlan ap 2100 model MSM460-WW
[AC-wlan-ap-2100] serial-id CN2AD330S8
# Bind the WLAN service template to radio 1, and enable the radio.
[AC-wlan-ap-2100] radio 1
350
[AC-wlan-ap-2100-radio-1] service-template 1
[AC-wlan-ap-2100-radio-1] radio enable
# The ports connecting the AC and APs reside in VLAN 1 by default. Configure the IP address for
the VLAN interface on the AC and APs. (Details not shown.)
# Enable ARP detection for VLAN 10 to check user validity based on 802.1X entries.
[AC] vlan 10
[AC-vlan10] arp detection enable
# Configure the upstream port as a trusted port. The downstream WLAN-ESS port uses the default
setting untrusted.
[AC-vlan10] interface ten-gigabitethernet 1/0/1
[AC-Ten-GigabitEthernet1/0/1] arp detection trust
[AC-Ten-GigabitEthernet1/0/1] quit
After the configuration, the AC checks ARP packets received on WLAN-ESS 0 against 802.1X
entries.
Network requirements
Configure Client 1 as a DHCP client. Configure Client 2's IP address 10.1.1.6 and MAC address
0001-0203-0607.
Enable user validity check and ARP packet validity check in VLAN 10.
351
Configuration procedure
1.
Add the port connecting the device on the switch to VLAN 10, and configure the IP address of
VLAN-interface 10 on the device. (Details not shown.)
2.
3.
4.
# Configure a clear-type WLAN service template, set the SSID to test, and bind the WLAN-ESS
interface to the template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid test
[AC-wlan-st-1] bind wlan-ess 0
[AC-wlan-st-1] service-template enable
# Create AP template 2100 with the model MSM460-WW and serial number CN2AD330S8.
[AC] wlan ap 2100 model MSM460-WW
[AC-wlan-ap-2100] serial-id CN2AD330S8
# Bind the WLAN service template to radio 1, and enable the radio.
[AC-wlan-ap-2100] radio 1
[AC-wlan-ap-2100-radio-1] service-template 1
352
# The ports connecting the AC and APs reside in VLAN 1 by default. Configure the IP address of
the VLAN interface on the AC and APs. (Details not shown.)
# Enable DHCP snooping.
<AC> system-view
[AC] dhcp-snooping
[AC] interface ten-gigabitethernet 1/0/1
[AC-Ten-GigabitEthernet1/0/1] dhcp-snooping trust
[AC-Ten-GigabitEthernet1/0/1] quit
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port
is an untrusted port by default).
[AC-vlan10] interface ten-gigabitethernet 1/0/1
[AC-Ten-GigabitEthernet1/0/1] arp detection trust
[AC-Ten-GigabitEthernet1/0/1] quit
After the configuration, the AC will first check the validity of ARP packets received on the
WLAN-ESS interface, and then check the ARP packets against DHCP snooping entries.
You can enable ARP gateway protection for up to eight gateways on a port.
Commands arp filter source and arp filter binding cannot be both configured on a port.
If ARP gateway protection works with ARP detection, ARP snooping, and ARP fast-reply, ARP
gateway protection applies first.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
Disabled by default.
353
Configuration example
The configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module
and might vary by device model.
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings
are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Network requirements
As shown in Figure 131, Client 2 launches gateway spoofing attacks to the AC. As a result, traffic that the
AC intends to send to the gateway is sent to Client 2.
Configure the AC to block such attacks.
Figure 131 Network diagram
Gateway
Device
10.1.1.1/24
Switch
AP 1
Client 1
AC
AP 2
Client 2
Configuration procedure
# Configure the clients to connect the AC through interface WLAN-ESS 0. (Details not shown.)
# Configure ARP gateway protection on the AC.
<AC> system-view
[AC] interface wlan-ess 0
[AC-WLAN-ESS0] arp filter source 10.1.1.1
[AC-WLAN-ESS0] quit
After the configuration is complete, the AC discards the ARP packets whose source IP address is that of
the gateway.
354
The arp filter source and arp filter binding commands cannot be both configured on an interface.
If ARP filtering works with ARP detection, ARP snooping, and ARP fast-reply, ARP filtering applies
first.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Disabled by default.
Configuration example
The configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module
and might vary by device model.
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings
are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Network requirements
As shown in Figure 132, the IP and MAC addresses of Client 1 are 10.1.1.2 and 000f-e349-1233. The IP
and MAC addresses of Client 2 are 10.1.1.3 and 000f-e349-1234.
Configure ARP filtering on GigabitEthernet 1/0/1 of the AC to permit ARP packets from the two hosts
only.
355
Configuration procedure
# Configure wireless services and the AP, and configure the radio port as WLAN-ESS 0. (Details not
shown.)
# Configure ARP filtering on the AC.
<AC> system-view
[AC] interface wlan-ess 0
[AC-WLAN-ESS0] arp filter binding 10.1.1.2 000f-e349-1233
[AC-WLAN-ESS0] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, GigabitEthernet 1/0/1 permits ARP packets from Client 1 and Client
2, and discards other ARP packets.
356
Configuring IPsec
The term "router" in this document refers to both routers and routing-capable HP wireless products.
All HP wireless products support IPsec between ACs and APs. Only HP 830 series PoE+ unified
wired-WLAN switches support IPsec between ACs.
Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It transmits
data in a secure tunnel established between two endpoints.
IPsec provides the following security services in insecure network environments:
ConfidentialityThe sender encrypts packets before transmitting them over the Internet. This
protects the packets from being eavesdropped en route.
Data integrityThe receiver verifies the packets received from the sender to make sure they are not
tampered with during transmission.
Anti-replayThe receiver examines packets and drops outdated and duplicate packets.
Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and
maintenance.
Good compatibility. You can apply IPsec to all IP-based application systems and services without
modifying them.
Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility
and greatly enhances IP security.
IPsec includes a set of protocols, including Authentication Header (AH), Encapsulating Security Payload
(ESP), Internet Key Exchange (IKE), and algorithms for authentication and encryption. AH and ESP
provides security services and IKE performs automatic key exchange. For more information about IKE,
see "Configuring IKE."
Basic concepts
Security protocols
IPsec comes with two security protocols:
AH (protocol 51)Provides data origin authentication, data integrity, and anti-replay services by
adding an AH header to each IP packet. AH is suitable only for transmitting non-critical data
because it cannot prevent eavesdropping, although it can prevent data tampering. AH supports
authentication algorithms such as MD5 and SHA-1.
ESP (protocol 50)Provides data encryption as well as data origin authentication, data integrity,
and anti-replay services by inserting an ESP header and an ESP trailer in IP packets. Unlike AH, ESP
encrypts data before encapsulating the data to guarantee data confidentiality. ESP supports
357
encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5
and SHA-1. The authentication function is optional to ESP.
Both AH and ESP provide authentication services, but the authentication service provided by AH is
stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used,
an IP packet is encapsulated first by ESP, and then by AH. Figure 133 shows the format of IPsec packets.
Security association
A security association is an agreement negotiated between two communicating parties called IPsec
peers. It includes a set of parameters for data protection, including security protocols, encapsulation
mode, authentication and encryption algorithms, and shared keys and their lifetime. SAs can be set up
manually or through IKE.
An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional
communication. If two peers want to use both AH and ESP to protect data flows between them, they
construct an independent SA for each protocol.
An SA is identified by a triplet, which consists of the security parameter index (SPI), destination IP address,
and security protocol identifier (AH or ESP).
An SPI is a 32-bit number for uniquely identifying an SA. It is transmitted in the AH/ESP header. A
manually configured SA requires an SPI to be specified manually for it. An IKE-created SA will have an
SPI generated at random.
A manually configured SA never ages out. An IKE created SA has a specific period of lifetime, which
comes in two types:
The SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates
a new SA, which takes over immediately after its creation.
Encapsulation modes
IPsec supports the following IP packet encapsulation modes:
Tunnel modeIPsec protects the entire IP packet, including both the IP header and the payload. It
uses the entire IP packet to calculate an AH or ESP header, and then encapsulates the original IP
packet and the AH or ESP header with a new IP header. If you use ESP, an ESP trailer is also
encapsulated. Typically, tunnel mode is used for protecting gateway-to-gateway communications.
Transport modeIPsec protects only the IP payload. It uses only the IP payload to calculate the AH
or ESP header, and inserts the calculated header between the original IP header and payload. If
you use ESP, an ESP trailer is also encapsulated. Typically, the transport mode is used for protecting
host-to-host or host-to-gateway communications.
NOTE:
IPsec between an AC and an AP supports only the tunnel mode.
Figure 133 shows how the security protocols encapsulate an IP packet in different encapsulation modes.
358
Authentication algorithms:
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length
digest for an arbitrary-length message. IPsec peers calculate message digests for each packet. If
the resulting digests are identical, the packet is considered intact.
IPsec supports the following hash algorithms for authentication:
{
{
MD5Takes a message of arbitrary length as input and produces a 128-bit message digest.
SHA-1Takes a message of a maximum length less than the 64th power of 2 in bits as input
and produces a 160-bit message digest.
Encryption algorithms:
IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data by using the
same keys. The following encryption algorithms are available for IPsec on the device:
{
DESEncrypts a 64-bit plain text block with a 56-bit key. DES is the least secure but the fastest
algorithm. It is sufficient for general security requirements.
3DESEncrypts plain text data with three 56-bit DES keys. The key length totals up to 168 bits.
It provides moderate security strength and is slower than DES.
AESEncrypts plain text data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest
security strength and is slower than 3DES.
Manual modeIn this mode, you manually configure and maintain all SA settings. Advanced
features like periodical key update are not available. However, this mode implements IPsec
independently of IKE.
ISAKMP modeIn this mode, IKE automatically negotiates and maintains IPsec SAs for IPsec.
IPsec tunnel
An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel includes one or
more pairs of SAs.
359
Virtual router 2
Master
Backup
Failover link
Device B
Virtual router 1
nn
e
Device A
IP
se
c
tu
Internet
Device C
LAN
As shown in Figure 134, Device A and Device B form an IPsec stateful failover system and Device A is
elected the master in the VRRP group. When Device A works correctly, it establishes an IPsec tunnel to
Device C, and synchronizes its IPsec service data to Device B. The synchronized IPsec service data
includes the IKE SA, IPsec SAs, anti-replay sequence number and window, SA lifetime in bytes, and DPD
packet sequence number. Based on the IPsec service data, Device B creates standby IKE SA and standby
IPsec SAs to back up the active IKE SA and active IPsec SAs on Device A. When Device A fails, the VRRP
mechanism switches IPsec traffic from Device A to Device B. Because Device B has an instant copy of
Device A's IPsec service data, Device B can process IPsec traffic immediately to provide nonstop IPsec
service.
360
2.
Configure IPsec transform sets to specify the security protocols, and authentication and encryption
algorithms.
3.
Configure an IPsec policy group to associate data flows with the IPsec transform sets and specify
the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec path), the
required keys, and the SA lifetime.
4.
Remarks
Configuring an ACL
Configuring an IPsec transform set
Required.
Optional.
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec configured.
Configuring an ACL
ACLs can be used to identify traffic. They are widely used in scenarios where traffic identification is
desired, such as QoS and IPsec.
Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is
a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches
both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires
protection and continues to process it. If a deny statement is matched or no match is found, IPsec
considers that the packet does not require protection, and it delivers the packet to the next function
module.
Permit only data flows that need to be protected and use the any keyword with caution. With the
any keyword specified in a permit statement, all outbound traffic matching the permit statement is
protected by IPsec and all inbound IPsec packets matching the permit statement is received and
processed. However, all inbound non-IPsec packets are dropped. This causes all the inbound traffic
that does not need IPsec protection to be dropped.
Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be
careful with its matching scope and matching order relative to permit statements. The policies in an
IPsec policy group have different match priorities. ACL rule conflicts between them are prone to
cause mistreatment of packets. For example, when configuring a permit statement for an IPsec
policy to protect an outbound traffic flow, you must avoid the situation that the traffic flow matches
a deny statement in a higher priority IPsec policy. Otherwise, the packets are sent out as normal
packets. If they match a permit statement at the receiving end, they are dropped by IPsec.
The following configuration example shows how an improper statement causes unexpected packet
dropping. Only the ACL-related configurations are presented.
Router A connects the segment 1.1.2.0/24 and Router B connects the segment 3.3.3.0/24. On Router A,
apply the IPsec policy group test to the outbound interface of Router A. The IPsec policy group contains
two policies, test 1 and test 2. The ACLs referenced by the two policies each contain a rule that matches
traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy test 1 is a deny statement and the one
referenced in policy test 2 is a permit statement. Because test 1 is matched before test 2, traffic from
1.1.2.0/24 to 3.3.3.0/24 matches the deny statement and is sent as normal traffic. When the traffic
arrives at Router B, it is dropped if it matches a permit statement in the ACL referenced in the applied
IPsec policy.
Configure Router A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer aa
transform-set 1
362
#
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
transform-set 1
Configure Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3001
ike-peer aa
transform-set 1
If the ACL rules on peers do not form mirror images of each other, SAs can be set up only when both of
the following requirements are met:
The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other
peer. As shown in Figure 136, the range specified by the ACL rule configured on Router A is covered
by its counterpart on Router B.
The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA
initiator, the negotiation request might be rejected because the matching traffic is beyond the scope
of the responder. As shown in Figure 136, the SA negotiation initiated by Host A to Host C is
accepted, but the SA negotiations from Host C to Host B or from Host D to Host A is rejected.
363
Protection modes
Data flows can be protected in the following modes:
Standard modeOne tunnel protects one data flow. The data flow permitted by an ACL rule is
protected by one tunnel that is established solely for it.
Aggregation modeOne tunnel protects all data flows permitted by all the rules of an ACL. This
mode is configurable only in IPsec policies that use IKE negotiation.
Per-host modeOne tunnel protects one host-to-host data flow. One host-to-host data flow is
identified by one ACL rule and protected by one tunnel established solely for it. This mode is
configurable only in IPsec policies that use IKE negotiation.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS
classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different
queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec discards
the packets beyond the anti-replay window in the inbound direction, resulting in packet loss. For more
information about QoS classification rules, see ACL and QoS Configuration Guide.
Command
Remarks
1.
system-view
N/A
2.
ipsec transform-set
transform-set-name
3.
364
Optional.
ESP by default.
Step
Command
Remarks
Configure at least one command.
encapsulation-mode { transport |
tunnel }
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to
existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the
updated parameters.
Manual IPsec policyThe parameters are configured manually, such as the keys, the SPIs, and the
IP addresses of the two ends in tunnel mode.
365
The IPsec policies at the two ends must have IPsec proposals that use the same security protocols,
security algorithms, and encapsulation mode.
The remote IP address configured on the local end must be the same as the IP address of the remote
end.
At each end, configure parameters for both the inbound SA and the outbound SA and make sure
that different SAs use different SPIs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true
of the local outbound SA and remote inbound SA.
The keys for the local and remote inbound and outbound SAs must be in the same format. For
example, if the local inbound SA uses a key in characters, the local outbound SA and remote
inbound and outbound SAs must use keys in characters.
Command
Remarks
1.
system-view
N/A
2.
3.
4.
proposal proposal-name
5.
6.
7.
366
Step
Command
Remarks
Configure an authentication
key in hexadecimal for AH:
sa authentication-hex
{ inbound | outbound } ah
[ cipher string-key | simple
hex-key ]
Configure an authentication
key in characters for AH:
sa string-key { inbound |
outbound } ah [ cipher |
simple ] string-key
for ESP:
sa string-key { inbound |
outbound } esp [ cipher |
simple ] string-key
Configure an authentication
NOTE:
You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To
create an IKE-based IPsec policy, delete the manual IPsec policy, and then use IKE to configure an IPsec
policy.
Configure it by referencing an existing IPsec policy template with the parameters to be negotiated
configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA
negotiation, but it can respond to a negotiation request. The parameters not defined in the template
are determined by the initiator. This method applies to scenarios where the remote end's
information, such as the IP address, is unknown.
Before you configure an IKE-based IPsec policy, complete the following tasks:
Configure the ACLs and the IPsec transform sets for the IPsec policy.
Configure the IKE peer. For more information about IKE peer configuration, see "Configuring IKE."
The parameters for the local and remote ends must match.
To configure an IKE-based IPsec policy directly:
367
Step
Command
Remark
1.
system-view
N/A
2.
3.
connection-name name
4.
5.
transform-set
transform-set-name&<1-6>
6.
ike-peer peer-name
N/A
7.
Optional.
Optional.
By default, the global SA lifetime is
used.
Optional.
8.
9.
synchronization
anti-replay-interval inbound
inbound-number outbound
outbound-number
policy enable
quit
Optional.
11. Set the global SA lifetime.
ipsec sa global-duration
{ time-based seconds |
traffic-based kilobytes }
Optional configuration: The ACL. Unlike the direct configuration, ACL configuration to be
referenced by an IPsec policy is optional. The responder without ACL configuration accepts the
initiator's ACL configuration.
368
Command
Remark
1.
system-view
N/A
2.
ipsec policy-template
template-name seq-number
3.
4.
transform-set
transform-set-name&<1-6>
5.
ike-peer peer-name
N/A
6.
Optional.
Optional.
By default, the global SA lifetime
settings are used.
Optional.
7.
synchronization
anti-replay-interval inbound
inbound-number outbound
outbound-number
8.
policy enable
9.
quit
ipsec sa global-duration
{ time-based seconds |
traffic-based kilobytes }
Optional.
By default, time-based SA lifetime
is 3600 seconds and traffic-based
SA lifetime is 1843200 kilobytes.
By default, no IPsec policy exists.
An IPsec policy can reference only one ACL. If you specify an ACL for an IPsec policy multiple times, the
most recent configuration takes effect.
With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec
transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of
the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be
protected are dropped.
369
An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view.
When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer,
whichever are smaller.
You can set both the time-based SA lifetime and the traffic-based SA lifetime. Once the time-based
lifetime or traffic-based lifetime of an SA elapses, the SA is aged.
You cannot modify an IPsec policy created by referencing an IPsec policy template in IPsec policy view.
You can perform the modifications in IPsec policy template view.
You cannot directly modify the creation mode (direct creation or template-based creation) of an IPsec
policy. To do so, delete the IPsec policy, and then re-create the IPsec policy in the desired mode.
Command
1.
system-view
2.
3.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol,
only IPsec SAs negotiated by IKE support anti-replay checking.
IMPORTANT:
IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled.
A wider anti-replay window results in higher resource cost and more system performance degradation,
which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window
size that is as small as possible.
To configure IPsec anti-replay checking:
Step
Command
Remarks
N/A
1.
system-view
2.
3.
Optional.
Enabled by default.
Optional.
32 by default.
Command
Remarks
N/A
1.
system-view
2.
Optional.
Disabled by default.
The keepalive mechanism for IKE to maintain the link status of IKE SAs is not supported.
Support for this feature depends on the device model. For more information, see About the Configuration
Guides for HP Unified Wired-WLAN Products.
Configuration prerequisites
Before you configure IPsec stateful failover, complete the tasks in this section on the two devices.
1.
For more information about stateful failover, see High Availability Configuration Guide.
2.
Configure VRRP:
{
On each device, configure a VRRP group for the uplink interface and a VRRP group for the
downlink interface, and assign virtual IP addresses to the groups.
Set the priorities of the devices in the groups, making sure that one of the devices is the master
in both VRRP groups.
Configure the devices to operate in the same mode (preemption mode or non-preemptive mode)
in both VRRP groups. To deploy the preemption mode, set the preemption delay of the backup
device to 0 so the backup device can immediately take over when the priority of the master
comes down, and set the preemption delay of the backup to a bigger value such as 255
seconds so the master has enough time to synchronize IPsec service data with the backup device
after it recovers.
For more information about VRRP, see High Availability Configuration Guide.
3.
{
{
Create and configure the same IKE peers on the two devices. The local gateway addresses of
the IKE peers must be the virtual IP address of the uplink VRRP group.
Create and configure the same IPsec policies or IPsec profiles that use IKE on the two devices.
Apply the IPsec policies or IPsec profiles to the uplink interfaces on the two devices. If you
change the virtual IP address after applying the IPsec policy to an interface, be sure to re-apply
the IPsec policy to the interface.
Configuration procedure
To implement IPsec stateful failover on two devices, you must enable IPsec stateful failover on both
devices.
To configure IPsec stateful failover on a device:
Step
Command
Remarks
1.
system-view
N/A
2.
372
Command
Remarks
Clear SAs.
373
Configure stateful failover between AC 1 and AC 2. The ACs send heartbeat packets to each other
through the switch.
Set up an IPsec tunnel between AC 1 and the AP and an IPsec tunnel between AC 2 and the AP,
and set up connections based on the IPsec tunnels.
374
Configuring AC 1
# Configure an IP address for VLAN-interface 1.
<AC1> system-view
[AC1] interface Vlan-interface 1
[AC1-Vlan-interface1] ip address 133.1.1.1 16
[AC1-Vlan-interface1] quit
# Enable stateful failover and set the stateful failover heartbeat interval.
[AC1] hot-backup enable
[AC1] hot-backup hellointerval 100
# Configure the IPsec transform set to use security protocol ESP, authentication algorithm SHA-1, and
encryption algorithm AES-CBC-128.
[AC1-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[AC1-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[AC1-ipsec-transform-set-tran1] quit
375
# Reference the IPsec transform set tran1 for the IPsec policy template.
[AC1-ipsec-policy-template-pt-1] transform-set tran1
# Specify the IKE peer peer1 for the IPsec policy template.
[AC1-ipsec-policy-template-pt-1] ike-peer peer1
[AC1-ipsec-policy-template-pt-1] quit
# Create an IPsec policy named map with the sequence number 1 by referencing IPsec policy template
pt.
[AC1] ipsec policy map 1 isakmp template pt
# Create an AP template named ap, specify the AP model and AP serial number, specify the IP address
of the backup AC, and configure the connection priority for the AP.
[AC1] wlan ap ap model MSM460-WW
[AC1-wlan-ap-ap] serial-id CN2AD330S8
[AC1-wlan-ap-ap] backup-ac ip 133.1.1.2
[AC1-wlan-ap-ap] priority level 7
# Configure the IPsec pre-shared key as plaintext 123456 for the AP.
[AC1-wlan-ap-ap-prvs] tunnel encryption ipsec pre-shared-key simple 123456
# After the AP comes online, save the AP configuration to the AP's configuration file.
[AC1-wlan-ap-ap-prvs] save wlan ap provision name ap
[AC1-wlan-ap-ap-prvs] quit
376
[AC1-wlan-ap-ap] quit
[AC1] quit
Configuring AC 2
# Configure an IP address for VLAN-interface 1.
<AC2> system-view
[AC2] interface vlan-interface 1
[AC2-Vlan-interface1] ip address 133.1.1.2 16
[AC2-Vlan-interface1] quit
# Enable stateful failover and set the stateful failover heartbeat interval.
[AC2] hot-backup enable
[AC2] hot-backup hellointerval 100
# Configure the IPsec transform set to use security protocol ESP, authentication algorithm SHA-1, and
encryption algorithm AES-CBC-128.
[AC2-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[AC2-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[AC2-ipsec-transform-set-tran1] quit
377
# Reference the IPsec transform set tran1 for the IPsec policy template.
[AC2-ipsec-policy-template-pt-1] transform-set tran1
# Specify the IKE peer peer1 for the IPsec policy template.
[AC2-ipsec-policy-template-pt-1] ike-peer peer1
[AC2-ipsec-policy-template-pt-1] quit
# Create an IPsec policy with named map with the sequence number 1 by referencing IPsec policy
template pt.
[AC2] ipsec policy map 1 isakmp template pt
# Create an AP template named ap , specify the AP model and AP serial number, specify the IP address
of the backup AC, and configure the connection priority for the AP.
[AC2] wlan ap ap model MSM460-WW
[AC2-wlan-ap-ap] serial-id CN2AD330S8
[AC2-wlan-ap-ap] backup-ac ip 133.1.1.1
[AC2-wlan-ap-ap] priority level 1
[AC2-wlan-ap-ap] quit
: 1
: 0
AP Profiles
State : I = Idle,
J = Join, JA = JoinAck,
C = Config, R = Run,
IL = ImageLoad
KU = KeyUpdate, KC = KeyCfm
--------------------------------------------------------------------------AP Name
State Model
Serial-ID
--------------------------------------------------------------------------ap
R/M
MSM460-WW
CN2AD330S8
--------------------------------------------------------------------------<AC1>
<AC2>display wlan ap all
Total Number of APs configured
: 1
378
: 0
AP Profiles
State : I = Idle,
J = Join, JA = JoinAck,
C = Config, R = Run,
IL = ImageLoad
KU = KeyUpdate, KC = KeyCfm
--------------------------------------------------------------------------AP Name
State Model
Serial-ID
--------------------------------------------------------------------------ap
R/B
MSM460-WW
CN2AD330S8
--------------------------------------------------------------------------<AC2>
# Execute the display ipsec sa command on each AC to display information about IPsec SAs.
<AC1> display ipsec sa
===============================
Interface: Vlan-interface1
path MTU: 1500
===============================
address: 133.1.1.1
port: 12223
port: 0
379
protocol: UDP
protocol: UDP
address: 133.1.1.1
port: 12222
port: 0
protocol: UDP
-----------------------------
380
protocol: UDP
address: 133.1.1.2
port: 12223
port: 0
protocol: UDP
protocol: UDP
address: 133.1.1.2
381
port: 12222
protocol: UDP
port: 0
protocol: UDP
# Execute the display ike sa command to display information about IKE SAs.
<AC1> display ike sa
total phase-1 SAs:
connection-id
peer
flag
phase
doi
status
----------------------------------------------------------------------60
133.1.1.33
RD
IPSEC
--
61
133.1.1.33
RD
IPSEC
--
62
133.1.1.33
RD
IPSEC
--
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<AC1>
peer
flag
phase
doi
status
----------------------------------------------------------------------117
133.1.1.33
RD
IPSEC
--
120
133.1.1.33
RD
IPSEC
--
121
133.1.1.33
RD
IPSEC
--
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<AC2>
382
After the IKE negotiation succeeds and IPsec SAs are successfully established, all packets between the AP
and the ACs are encrypted by IPsec.
383
Configuring IKE
Overview
Built on a framework defined by the Internet Security Association and Key Management Protocol
(ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services
for IPsec, simplifying the application, management, configuration and maintenance of IPsec
dramatically.
Instead of transmitting keys directly across a network, IKE peers transmit keying materials between them,
and calculate shared keys. Even if a third party captures all exchanged data for calculating the keys, it
cannot calculate the keys.
NOTE:
Unless otherwise specified, IKE in this chapter refers to IKEv1.
Data authentication
Data authentication involves two concepts:
Identity protectionEncrypts the identity information with the generated keys before sending the
information.
DH
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material,
and then use the material to calculate the shared keys. Due to the decryption complexity, a third party
cannot decrypt the keys even after intercepting all keying materials.
IKE operation
IKE negotiates keys and establishes SAs for IPsec in two phases:
1.
Phase 1The two peers establish an ISAKMP SA, a secure, authenticated channel for
communication. In this phase, two modes are available: main mode and aggressive mode.
2.
Phase 2Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec
SAs.
384
Send local
IKE policy
Peer 2
Confirmed policy
SA exchange
Receive the
policy
Search for
matched policy
Key generation
Receivers key
information
Key exchange
Algorithm
negotiation
Initiators policy
Identity
authentication
ID and authentication
data exchange
Perform ID/exchange
authentication
Perform ID/exchange
authentication
authentication data
As shown in Figure 138, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
Key exchangeUsed for exchanging the DH public value and other values like the random number.
Key data is generated in this stage.
ID and authentication data exchangeUsed for identity authentication and authentication of data
exchanged in phase 1.
The main difference between the main mode and the aggressive mode is that the aggressive mode does
not provide identity protection and exchanges only three messages, rather than three pairs. The main
mode provides identity protection, but it is slower.
IKE functions
IKE provides the following functions for IPsec:
Performs DH exchange when establishing an SA, making sure that each SA has a key independent
of other keys.
Automatically negotiates SAs when the sequence number in the AH or ESP header overflows,
making sure that IPsec provides the anti-replay service correctly by using the sequence number.
Identity authentication and management of peers influence IPsec deployment. A large-scale IPsec
deployment needs the support of CAs or other institutes that manage identity data centrally.
385
IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
The strength of the algorithms for IKE negotiation (the security protection level), including the
identity authentication method, encryption algorithm, authentication algorithm, and DH group.
Different algorithms provide different levels of protection. A stronger algorithm means more
resistance to decryption of protected data but requires more resources. Generally, the longer the key,
the stronger the algorithm.
The pre-shared key or the PKI domain the certificate belongs to. For more information about PKI
configuration, see "Configuring PKI."
To configure IKE:
Task
Remarks
Optional.
Optional.
Task
Remarks
Required.
Optional.
Optional.
Optional.
Optional.
2.
Command
Remarks
system-view
N/A
Optional.
In FIPS mode, both the IPsec SAs and the corresponding IKE SAs are renegotiated.
387
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
Optional.
3.
4.
5.
Specify an encryption
algorithm for the IKE
proposal.
encryption-algorithm { 3des-cbc |
aes-cbc [ key-length ] | des-cbc }
Specify an authentication
method for the IKE
proposal.
authentication-method
{ pre-share | rsa-signature }
Specify an authentication
algorithm for the IKE
proposal.
authentication-algorithm { md5 |
sha }
6.
7.
sa duration seconds
Specify the IKE negotiation mode for the local end to use in IKE negotiation phase 1. If you obtain
the IP address of the remote end dynamically and use pre-shared key authentication, HP
recommends setting the IKE negotiation mode of the local end to aggressive. When acting as the
IKE negotiation responder, the local end uses the IKE negotiation mode of the remote end.
Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When
acting as the responder, the local end uses the IKE proposals configured in system view for
negotiation.
388
Configure a pre-shared key for pre-shared key authentication or a PKI domain for digital signature
authentication.
Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key
authentication, the ID type must be IP address for main mode IKE negotiation. It can be IP address,
FQDN, or user FQDN for aggressive mode IKE negotiation.
Specify the name or IP address of the local security gateway. You perform this task only when you
want to specify a special address, a loopback interface address, for example, as the local security
gateway address.
Specify the name or IP address of the remote security gateway. For the local end to initiate IKE
negotiation, you must specify the name or IP address of the remote security gateway on the local
end so the local end can find the remote end.
Enable NAT traversal. If there is NAT gateway on the path for tunneling, you must configure NAT
traversal at the two ends of the IPsec tunnel, because one end might use a public address while the
other end uses a private address.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
Optional.
exchange-mode { aggressive | main }
4.
proposal proposal-number&<1-6>
5.
Configure a pre-shared
key for pre-shared key
authentication or specify a
PKI domain for digital
signature authentication.
389
Step
6.
Command
Select the ID type for IKE
negotiation phase 1.
Remarks
Optional.
By default, the ID type is IP.
Optional.
7.
local-name name
8.
9.
remote-name name
nat traversal
Disabled by default.
Optional.
10. Configure an IP address
for the local gateway.
local-address ip-address
remote-address { hostname
[ dynamic ] | low-ip-address
[ high-ip-address ] }
end:
local { multi-subnet |
single-subnet }
dpd dpd-name
390
NOTE:
After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa
commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
Command
Remarks
1.
system-view
N/A
2.
3.
Command
Remarks
1.
system-view
N/A
2.
20 seconds by default.
When the local end sends an IPsec packet, it checks the time the last IPsec packet was received
from the peer.
391
2.
If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3.
If the local end receives no DPD acknowledgement within the DPD packet retransmission interval,
it retransmits the DPD hello.
4.
If the local end still receives no DPD acknowledgement after having made the maximum number of
retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA
and the IPsec SAs based on the IKE SA.
DPD enables an IKE entity to check the liveliness of its peer only when necessary. It generates less traffic
than the keepalive mechanism, which exchanges messages periodically.
To configure a DPD detector:
Step
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
interval-time interval-time
4.
time-out time-out
Optional.
10 seconds by default.
Optional.
5 seconds by default.
Command
Remark
1.
system-view
N/A
2.
Enabled by default.
Command
Remarks
392
Task
Command
Remarks
Available in any view.
Troubleshooting IKE
When you configure parameters to establish an IPsec tunnel, enable IKE error debugging to locate
configuration problems:
<AC> debugging ike error
Proposal mismatch
Symptom
The proposals mismatch.
Analysis
The following is the debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
Or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
393
Solution
For the negotiation in phase 1, look up the IKE proposals for a match.
For the negotiation in phase 2, verify that the parameters of the IPsec policies applied on the interfaces
are matched, and that the referred IPsec transform sets have a match in protocol, encryption and
authentication algorithms.
Analysis
Sometimes this might happen if an IPsec tunnel cannot be established or there is no way to communicate
in the presence of an IPsec tunnel in an unstable network.
If ACLs of both parties are configured correctly, and proposals are also matched, the problem is usually
caused by the reboot of one router after the IPsec tunnel is established.
Solution
Use the display ike sa command to verify that both parties have established an SA in phase 1.
Use the display ipsec sa policy command to verify that the IPsec policy on the interface has
established IPsec SA.
If the two commands show that one party has an SA, but the other does not, use the reset ipsec sa
command to clear the IPsec SA that has no corresponding SA, use the reset ike sa command to
clear the IKE SA that has no corresponding IKE SA, and then trigger SA re-negotiation.
394
Configuring ALG
The term "router" in this document refers to both routers and routing-capable WX series access
controllers.
Application Level Gateway (ALG) processes the payload information of application layer packets to
make sure data connections can be established.
NAT typically translates only IP address and port information in packet headers and does not analyze
fields in application layer payloads. However, the packet payloads of some protocols may contain IP
address or port information, which may cause problems if not translated. For example, an FTP
application involves both data connection and control connection, and data connection establishment
dynamically depends on the payload information of the control connection.
ALG works with NAT or ASPF to implement the following functions:
Address translationResolves the source IP address, port, protocol type (TCP or UDP), and remote
IP address information in packet payloads.
Data connection detectionExtracts information required for data connection establishment and
establishing data connections for data exchange.
Application layer status checkingInspects the status of the application layer protocol in packets.
Packets with correct states have their status updated and are sent for further processing, whereas
packets with incorrect states are dropped.
DNS
FTP
ILS
MSN
NBT
PPTP
RTSP
SCCP
SIP
TFTP
ALG process
The following example describes the FTP operation of an ALG-enabled router.
395
As shown in Figure 140, the host on the external network accesses the FTP server on the internal network
in passive mode through the ALG-enabled router.
Figure 140 Network diagram for ALG-enabled FTP application in passive mode
Inside network
Outside network
NAT
Host
Router
FTP-ALG enabled
FTP server
FTP_CMD (PASV)
FTP_CMD (PASV)
FTP_EnterPassive (IP1, Port1)
ALG
IP1, Port1-------> IP2, Port2
FTP_EnterPassive (IP2, Port2)
FTP_Connet (IP2, Port2)
FTP_Connet (IP1, Port1)
2.
3.
4.
Exchanging data.
The host and the FTP server exchange data through the established data connection.
396
Enabling ALG
Step
Command
Remarks
1.
system-view
N/A
Enable ALG.
Optional.
2.
Network requirements
As shown in Figure 141, a company uses the private network segment 192.168.1.0/24, and has four
public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. The company wants to provide FTP
services to the outside.
Configure NAT and ALG on the AC so that hosts on the external network can access the FTP server on the
internal network.
Figure 141 Network diagram
Configuration procedure
# Configure the address pool and ACL.
<AC> system-view
[AC] nat address-group 1 5.5.5.9 5.5.5.11
[AC] acl number 2001
397
# Configure NAT.
[AC] interface vlan-interface 3
[AC-Vlan-interface3] nat outbound 2001 address-group 1
Network requirements
As shown in Figure 142, a company uses the private network segment 192.168.1.0/24, and has four
public network addresses: 5.5.5.1, 5.5.5.9, 5.5.5.10, and 5.5.5.11. SIP UA 1 is on the internal network
and SIP UA 2 is on the external network.
Configure NAT and ALG on the AC to enable SIP UA 1 and SIP UA 2 to communicate by using their
aliases, and to enable SIP UA 1 to select an IP address from the range 5.5.5.9 to 5.5.5.11 when
registering with the SIP server on the external network.
Figure 142 Network diagram
Configuration procedure
# Configure the address pool and ACL.
<AC> system-view
[AC] nat address-group 1 5.5.5.9 5.5.5.11
[AC] acl number 2001
[AC-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[AC-acl-basic-2001] rule deny
[AC-acl-basic-2001] quit
# Configure NAT.
[AC] interface vlan-interface 3
398
Network requirements
As shown in Figure 143, a company using the private network segment 192.168.1.0/24 wants to provide
NBT services to the outside.
Configure NAT and ALG on the AC so that Host A uses 5.5.5.9 as its external IP address, the WINS
server uses 5.5.5.10 as its external IP address, and Host B can access the WINS server and Host A by
using host names.
Figure 143 Network diagram
Configuration procedure
# Configure a static NAT entry.
<AC> system-view
[AC] nat static 192.168.1.3 5.5.5.9
# Configure NAT.
[AC] interface vlan-interface 3
[AC-Vlan-interface3] nat outbound static
399
Configuring firewall
The term "router" in this document refers to both routers and routing-capable HP wireless products.
Overview
A firewall blocks unauthorized Internet access to a protected network while allowing internal network
users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used
to control access to the Internet, for example, to permit only specific hosts within the organization to
access the Internet. Many of today's firewalls offer additional features, such as identity authentication
and encryption.
Another application of firewall is to protect the mainframe and important resources (such as data) on
internal networks. Any access to protected data is filtered by the firewall, even if the access is initiated by
a user within the internal network.
The device mainly implements three categories of firewalls:
Address translation
This chapter focuses on ACL packet-filter firewall and ASPF. For more information about address
translation, see "Configuring NAT."
Source address
Destination address
The firewall compares the head information against the preset ACL rules and processes the packet based
on the comparison result.
An ACL packet-filter is a static firewall. It cannot solve the following issues:
For multi-channel application layer protocols, such as FTP and H.323, the values of some security
policy parameters are unpredictable.
ICMP attacks cannot be prevented because not all faked ICMP error messages from the network
can be recognized.
For a TCP connection, the first packet must be a SYN packet. Any non-SYN packet that is the first
packet over the TCP connection is dropped. If a packet-filter firewall is deployed in a network, the
400
non-SYN packets of existing TCP connections passing the firewall for the first time are dropped,
breaking the existing TCP connections.
ASPF
ASPF was proposed to address the issues that a static firewall cannot solve. An ASPF implements
application layer and transport specific, namely status-based, packet filtering. An ASPF can detect
application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP, and H.323 (Q.931,
H.245, and RTP/RTCP), and transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following functions:
Application layer protocol inspectionASPF checks the application layer information of packets,
such as the protocol type and port number, and monitors the application layer protocol status for
each connection. ASPF maintains the status information of each connection, and based on the
status information, determines whether to permit a packet to pass through the firewall into the
internal network, thus defending the internal network against attacks.
Transport layer protocol inspection (generic TCP and UDP inspection)ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
Port to Application Mapping (PAM)Allows you to specify port numbers other than the standard
ones for application layer protocols.
ICMP error message inspectionASPF checks the connection information carried in an ICMP error
message. If the information does not match the connection, the ASPF processes the packet as
configured, for example, it discards the packet.
First packet inspection for TCP connectionASPF checks the first packet over a TCP connection. If
the first packet over a TCP connection is not a SYN packet, the ASPF will discard the packet.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better satisfies the actual needs.
PAM
While application layer protocols use the standard port numbers for communication, PAM allows
you to define a set of new port numbers for different applications, and provides mechanisms to
maintain and use the configuration information of user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port
mapping.
{
WAN
Return packets of
the session are
permitted to pass
Client B
Router
Server
Protected network
ASPF implements the application layer protocol inspection function in cooperation with the session
management and ALG features. After detecting the first packet of a session, ASPF matches the packet
with the configured policy and sends the result to the session management feature, which is responsible
for session information database establishment and session status maintenance. Then, the ASPF
processes subsequent packets of the session based on session status information returned by the session
management feature.
For information about session management, see "Managing sessions." For information about ALG, see
"Configuring ALG."
402
multi-channel application layer protocols like FTP and H.323, the deployment of TCP inspection without
application layer inspection will lead to failure of establishing a data connection.
Remarks
Required.
Optional.
Command
Remarks
1.
system-view
N/A
2.
firewall enable
Disabled by default.
Command
Remarks
system-view
N/A
2.
Disabled by default.
2.
Command
Remarks
system-view
N/A
Optional.
403
Command
Remarks
N/A
1.
system-view
2.
Optional.
By default, the firewall permits
packets to pass.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
By default, no ACL-based
packet-filter firewall is applied to
filter IPv4 packets on an interface.
You can apply only one IPv4 ACL
to filter packets in one direction of
an interface.
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
404
By default, no ACL-based
packet-filter firewall is applied to
filter IPv6 packets on an interface.
You can apply only one IPv6 ACL
to filter packets in one direction of
an interface.
Command
Remarks
1.
system-view
N/A
2.
user-profile user-profile-name
N/A
3.
Command
Remarks
405
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Network requirements
As shown in Figure 145, the internal network of a company is connected to VLAN-interface 2 of the AC,
and the internal users access the Internet through VLAN-interface 3 of the AC.
The company provides WWW, FTP and Telnet services to the outside. The internal subnet of the company
is 129.1.1.0/24, on which the internal FTP server address is 129.1.1.1, the Telnet server address is 129.1.1.2,
and the internal WWW server address is 129.1.1.3. The public address of the company is 20.1.1.1. NAT
is enabled on the AC so that hosts on the internal network can access to the Internet and external hosts
can access the internal servers.
Configure the firewall feature to achieve the following aims:
Only specific users on the external network are allowed access to the internal servers.
This example assumes the specific external user is at 20.3.3.3.
Only specific hosts on the internal network are permitted to access the external network.
129.1.1.2/24
129.1.1.3/24
WWW server
Internal network
Vlan-int 2
129.1.1.5/24
Vlan-int 3
20.1.1.1/16
WAN
Internal host
AP
AC
External host
20.3.3.3/32
129.1.1.4/24
Configuration procedure
# Enable the firewall function on the AC.
<AC> system-view
[AC] firewall enable
# Configure rules to permit specific hosts to access external networks and permit internal servers to
access external networks.
[AC-acl-adv-3001] rule permit ip source 129.1.1.1 0
[AC-acl-adv-3001] rule permit ip source 129.1.1.2 0
[AC-acl-adv-3001] rule permit ip source 129.1.1.3 0
[AC-acl-adv-3001] rule permit ip source 129.1.1.4 0
# Configure a rule to permit specific data (only packets of which the port number is greater than 1024)
to get access to the internal network.
[AC-acl-adv-3002] rule permit tcp destination 20.1.1.1 0 destination-port gt 1024
[AC-acl-adv-3002] rule deny ip
[AC-acl-adv-3002] quit
Configuring an ASPF
ASPF configuration task list
Task
Remarks
Required.
Required.
Optional.
Command
Remarks
1.
system-view
N/A
2.
firewall enable
Disabled by default.
If you enable TCP or UDP inspection without configuring application layer protocol inspection,
some packets may fail to get a response. Therefore, enable application layer protocol inspection
together with TCP/UDP inspection.
In the case of a Telnet application, you only need to configure TCP inspection.
407
Command
Remarks
1.
system-view
N/A
2.
aspf-policy aspf-policy-number
N/A
3.
icmp-error drop
4.
Optional.
By default, ICMP error messages
are not dropped.
Optional.
tcp syn-check
Command
Remarks
1.
system-view
N/A
2.
interface interface-type
interface-number
N/A
3.
Command
Remarks
1.
system-view
N/A
2.
user-profile user-profile-name
N/A
408
Step
Apply an ASPF policy to the
user profile.
3.
Command
Remarks
2.
Command
Remarks
system-view
N/A
Not configured by default.
port-mapping application-name
port port-number [ acl acl-number ]
Command
Remarks
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings
are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Network requirements
Configure an ASPF policy on the AC to drop ICMP error messages and non-SYN packets that are the first
packets over TCP connections.
This example applies to scenarios where local users need to access remote network services.
Figure 146 Network diagram
Configuration procedure
# Enable the firewall function on the AC.
<AC> system-view
[AC] firewall enable
# Configure ACL 3111 to prohibit all IP packets from entering the internal network. The ASPF will create
a TACL for packets permitted to pass the firewall.
[AC] acl number 3111
[AC-acl-adv-3111] rule deny ip
[AC-acl-adv-3111] quit
410
Managing sessions
Overview
Session management is a common feature designed to implement session-based services such as NAT
and ASPF. Session management regards packet exchanges at transport layer as sessions and updates
the session status, or ages sessions out according to information in the initiator or responder packet.
Session management allows multiple features to process the same service packet. Session management
can be applied for the follow purposes:
Persistent sessions.
Special packet match for the application layer protocols requiring port negotiation.
Resolution of ICMP error control packets and session match based on resolution results.
Supporting session creation, session status update and timeout time setting based on protocol state
for such IPv4 packets as TCP, UDP, ICMP, Raw IP packets.
Supporting port mapping for application layer protocols and allowing application layer protocols
to use customized ports and adopt different session timeout time.
Supporting ICMP error packet mapping and allowing the system to search for original sessions
according to the payload of these packets.
411
Because error packets are generated due to host errors, the mapping can help speed up the aging
of the original sessions.
Supporting persistent sessions, which are kept alive for a long period of time.
Supporting session management of control channels and dynamic data channels of application
layer protocols, for example, FTP.
These tasks are mutually independent and can be configured in any order.
Command
Remarks
system-view
N/A
412
Step
Command
Remarks
This aging time setting is effective
on only the sessions that are being
established.
The default values are as follows:
2.
accelerate10 seconds.
fin30 seconds.
icmp-closed30 seconds.
icmp-open60 seconds.
rawip-open30 seconds.
rawip-ready60 seconds.
syn15 seconds.
tcp-est3600 seconds.
udp-open30 seconds.
udp-ready60 seconds.
Command
Remarks
system-view
N/A
Aging times set in this command
applies to only the sessions in the
READY/ESTABLISH state.
2.
dns60 seconds.
ftp3600 seconds.
msn3600 seconds.
qq60 seconds.
sip300 seconds.
processes only packets with correct checksums. Packets with incorrect checksums will be processed by
other services based on the session management.
IMPORTANT:
Checksum verification might degrade the device performance. Enable it with caution.
To enable checksum verification for protocol packets:
Step
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
2.
Command
Remarks
system-view
N/A
Command
Remarks
system-view
N/A
414
Step
Command
Remarks
2.
Command
Remarks
1.
system-view
N/A
2.
N/A
3.
(Required.) Enable
session logging.
Traffic-based loggingThe device outputs a session log when the traffic amount of a session
reaches a threshold. The traffic-based thresholds can be byte-based and packet-based. If you set
both thresholds, the last configuration takes effect.
If you set both time-based and traffic-based logging, the device outputs a session log when either
threshold is reached. After outputting a session log, the device resets the traffic counter and restarts the
interval for the session.
To set session logging thresholds:
Step
Command
Remarks
1.
system-view
N/A
2.
(Optional.) Set a
traffic-based logging type.
415
Command
Remarks
Clear sessions.
416
Java blocking
ActiveX blocking
Processing procedure
1.
After receiving a Web request, the device resolves the URL address in the request.
2.
The device matches the URL address against the configured filtering entries.
3.
If a match is found and the filtering action of the matched entry is permit, the device forwards the
request.
4.
If a match is found and the filtering action of the matched entry is deny, the device drops the Web
request and sends a TCP reset packet to both the client that sent the request and the server.
5.
If no match is found, the device forwards or drops the request, depending on the default filtering
action configured for URL address filtering.
Processing procedure
After the device receives a Web request that uses an IP address, it processes the request as follows:
If URL address filtering supports IP addresses, the device forwards the request. The device permits all
Web requests that use the websites' IP addresses to pass.
417
If URL address filtering does not support IP addresses, the device checks the ACL rules for URL
address filtering. If the ACL permits the IP address, the device forwards the request. Otherwise, the
device drops the request.
Processing procedure
After receiving a Web request containing URL parameters, the device obtains the parameters according
to the parameter transmission method and processes the request accordingly:
If the parameters are transmitted by a method other than GET, POST and PUT, the device directly
forwards the Web request.
If the parameters are transmitted by the method of GET, POST or PUT, the device obtains the URL
parameters from the Web request and compares the URL parameters against the configured
filtering entries. If a match is found, the device denies the request. Otherwise, the device forwards
the request.
Java blocking
Java blocking protects networks from Java applets attacks.
After the Java blocking function is enabled, all requests for Java applets of Web pages are filtered. If
Java applets in some Web pages are expected, configure ACL rules to permit requests to Java applets of
these Web pages.
Processing procedure
If the Java blocking function is enabled but no ACL is configured for it, the device replaces
suffixes .class and .jar with .block in all Web requests and then forwards the requests.
If the Java blocking function is enabled and an ACL is configured for it, the device uses ACL rules
to determine whether to replaces suffixes .class and .jar with .block in Web requests. If the
destination server in a Web request is a server permitted by the ACL, no replacement occurs and
the request is forwarded; otherwise, the suffix in the request is replaced with .block before the
request is forwarded.
In addition to the default suffixes .class and .jar, you can add Java blocking suffixes (filename
suffixes to be replaced in Web requests) through command lines.
418
ActiveX blocking
ActiveX blocking protects networks from being attacked by malicious ActiveX plugins.
After the ActiveX blocking function is enabled, requests for ActiveX plugins to all Web pages will be
filtered. If the ActiveX plugins in some Web pages are expected, you can configure ACL rules to permit
requests to the ActiveX plugins of these Web pages.
Processing procedure
If the ActiveX blocking function is enabled but no ACL is configured for it, the device replaces the
suffix .ocx with .block in all Web requests before forwarding the requests.
If the ActiveX blocking function is enabled and an ACL is configured for it, the device determines
whether to replaces suffix .ocx with .block in Web requests according to the ACL rules. If the
destination server in a Web request is a server permitted by the ACL, no replacement occurs and
the request is forwarded; otherwise, the suffix is replaced with .block and then the request is
forwarded.
In addition to the default suffix .ocx, you can add ActiveX blocking suffixes (that is, the filename
suffixes to be replaced in Web requests) through command lines.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
3.
Optional.
4.
N/A
5.
Optional.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
419
Step
Command
Remarks
Deny by default.
3.
Configure IP address-supported
URL address filtering.
4.
5.
Optional.
By default, no ACL is
specified for URL address
filtering.
Optional.
The source IP addresses specified in the ACL for URL address filtering must be the IP addresses of the
websites allowed to be accessed by using their IP addresses.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
3.
N/A
4.
Optional.
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
3.
Optional.
4.
5.
Optional.
By default, no ACL is
specified for Java blocking.
Optional.
In the ACL for Java blocking, you need to configure the source IP addresses as the IP addresses of the
HTTP servers allowed to be accessed, and set the action to permit.
420
Command
Remarks
1.
system-view
N/A
2.
Disabled by default.
3.
Optional.
Optional.
4.
5.
By default, no ACL is
specified for ActiveX
blocking.
Optional.
In the ACL for ActiveX blocking, you need to configure the source IP addresses as the IP addresses of the
HTTP servers allowed to be accessed and set the action to permit.
Command
Remarks
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Configure a NAT policy for the outbound interface.
<AC> system-view
[AC] acl number 2200
[AC-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255
[AC-acl-basic-2200] rule 1 deny source any
[AC-acl-basic-2200] quit
[AC] nat address-group 1 2.2.2.10 2.2.2.11
[AC] interface Vlan-interface 1
[AC-Vlan-interface1] nat outbound 2200 address-group 1
[AC-Vlan-interface1] quit
# Allow users to access only website www.webfit.com, and set the default filtering action to deny.
[AC] firewall http url-filter host url-address permit www.webflt.com
[AC] firewall http url-filter host default deny
422
After the configurations are completed, open a Web browser on a host in the LAN, enter website
http://www.webflt.com or http://3.3.3.3, and you can access this website correctly. Enter other
website addresses, and you are not allowed to access the corresponding websites.
# Display detailed information about URL address filtering.
[AC] display firewall http url-filter host verbose
URL-filter host is enabled.
Default method: deny.
The support for IP address: permit.
The configured ACL group is 2000.
There are 1 packet(s) being filtered.
There are 1 packet(s) being passed.
Match-Times
Keywords
-----------------------------------1
www.webflt.com
423
Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Configure a NAT policy for the outbound interface.
<AC> system-view
[AC] acl number 2200
[AC-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255
[AC-acl-basic-2200] rule 1 deny source any
[AC-acl-basic-2200] quit
[AC] nat address-group 1 2.2.2.10 2.2.2.11
[AC] interface Vlan-interface 1
[AC-Vlan-interface1] nat outbound 2200 address-group 1
[AC-Vlan-interface1] quit
# Enable the URL parameter filtering function, and add URL parameter filtering entry group.
[AC] firewall http url-filter parameter enable
[AC] firewall http url-filter parameter keywords group
# Use the display firewall http url-filter parameter verbose command to display detailed URL parameter
filtering information.
[AC] display firewall http url-filter parameter verbose
URL-filter parameter is enabled.
There are 1 packet(s) being filtered.
There are 2 packet(s) being passed.
# Use the display firewall http url-filter parameter all command to display URL parameter filtering
information for all filtering entries.
[AC] display firewall http url-filter parameter all
SN
Match-Times
Keywords
-----------------------------------1
group
424
Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Configure a NAT policy for the outbound interface.
<AC> system-view
[AC] acl number 2200
[AC-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255
[AC-acl-basic-2200] rule 1 deny source any
[AC-acl-basic-2200] quit
[AC] nat address-group 1 2.2.2.10 2.2.2.11
[AC] interface Vlan-interface 1
[AC-Vlan-interface1] nat outbound 2200 address-group 1
[AC-Vlan-interface1] quit
# Enable the Java blocking function, add blocking suffix keyword .js, and specify ACL 2100 for Java
blocking.
[AC] firewall http java-blocking enable
[AC] firewall http java-blocking suffix .js
[AC] firewall http java-blocking acl 2100
425
# Use the display firewall http java-blocking verbose command to display detailed Java blocking
information.
[AC] display firewall http java-blocking verbose
Java blocking is enabled.
The configured ACL group is 2100.
There are 0 packet(s) being filtered.
There are 1 packet(s) being passed.
# Use the display firewall http java-blocking all command to display Java blocking information for all
blocking suffix keywords.
[AC] display firewall http java-blocking all
SN
Match-Times
Keywords
-----------------------------------1
.CLASS
.JAR
.js
The output shows that there are three Java blocking suffix keywords, of which .CLASS and .JAR are the
default ones, and .js is a user-defined one and has been matched once.
When you try to add a URL address filtering entry or URL parameter filtering entry, the system
prompts you that no more entry can be added.
When you add a Java blocking or ActiveX blocking suffix keyword, the system prompts you that no
more keyword can be added.
Analysis
The number of URL address filtering entries, URL parameter filtering entries, Java blocking suffix keywords,
or ActiveX blocking suffix keywords has reached the upper limit.
Solution
If necessary, remove some configured entries or keywords before adding new ones.
Analysis
A URL address filtering entry can contain only 0 to 9, a to z, A to Z, dot (.), hyphen (-), underline (_), and
wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*). A URL parameter filtering entry can
contain only 0 to 9, a to z, A to Z, wildcards caret (^), dollar sign ($), ampersand (&), and asterisk (*),
and other ASCII characters with values between 31 and 127.
426
Solution
Make sure that all entered characters are valid.
Analysis
The wildcards for URL address filtering entries and those for URL parameter filtering entries have different
usage restrictions:
Table 16 Wildcards for URL address filtering entries
Wildcard
Meaning
Usage guidelines
&
Meaning
Usage guidelines
&
Solution
Use the wildcards correctly according to the above principles.
427
Analysis
A blocking suffix requires a dot (.) as part of it. If no dot or multiple dots are configured, the configuration
fails.
Solution
Configure a suffix keyword according to the description in the analysis.
Analysis
For URL address filtering, Java blocking and ActiveX blocking, ACLs permit access to servers in external
networks rather than hosts in the internal network. This is because the internal network is assumed to be
trusted.
Solution
Specify the IP address of the server in the external network as the source IP address in the ACL rule.
Analysis
By default, the URL address filtering function disables access by IP address. Web requests that use the IP
address to access the HTTP server will be filtered.
Solution
Configure an ACL to permit Web requests to the IP address of the HTTP server.
428
VLAN-based user isolationIsolates users in the same VLAN from accessing each other at Layer 2.
SSID-based user isolationIsolates users using the same SSID from accessing each other at Layer
2.
When an AC receives unicast, broadcast, or multicast packets from a wireless user to another
wireless user, the AC determines whether to isolate the two users based on the permitted MAC
address list.
When an AC receives unicast packets from a wireless user to a wired user, the AC determines
whether to isolate the two users based on the permitted MAC address list. However, the AC permits
all broadcast and multicast packets from a wireless user to a wired user.
When an AC receives unicast packets from a wired user to another wired user, the AC determines
whether to isolate the two users based on the permitted MAC address list. However, the AC permits
all broadcast and multicast packets from a wired user to another wired user.
When an AC receives unicast packets from a wired user to a wireless user, the AC determines
whether to isolate the two users based on the permitted MAC address list. The user-isolation permit
broadcast command setting determines whether the AC permits broadcast or multicast packets
(from a wired user to a wireless user).
For correct communication between users and the gateway, add the MAC address of the gateway to the
permitted MAC address list.
As shown in Figure 150, the wireless client, the wired server, and the wired host in VLAN 2 access the
Internet through the same gateway. When VLAN-based user isolation is enabled on the AC, the
following rules apply:
If you add only the MAC address of the gateway to the permitted MAC address list, the client, server,
and host are isolated at Layer 2. They can access the Internet.
If you add only the MAC address of the client to the permitted MAC address list, the client and the
server, and the client and the host, can access each other at Layer 2, but the server and the host
cannot.
If you add the MAC addresses of the gateway, the server, and the client to the permitted MAC
address list, the client, the server, and the host can access one another at Layer 2. They also can
access the Internet.
429
Command
Remarks
1.
system-view
N/A
2.
3.
430
Up to 16 permitted MAC
addresses can be configured for a
VLAN.
To avoid network disruption
caused by user isolation, add the
MAC address of the gateway to
the permitted MAC address list
and then enable user isolation.
Step
4.
Command
Permit broadcast and
multicast packets from a wired
user to a wireless user.
Remarks
Optional.
Command
Remarks
1.
system-view
N/A
2.
wlan service-template
service-template-number { clear |
crypto }
N/A
3.
Optional.
user-isolation enable
Command
Remarks
431
Network requirements
As shown in Figure 151, configure user isolation on the AC, so Client A, Client B, and Host A in VLAN 2
can access the Internet, but they cannot access one another at Layer 2.
Figure 151 Network diagram
Internet
Gateway
AC
AP
Host A
Client A
VLAN 2
Client B
Configuration procedure
1.
# Add the MAC address of the gateway to the permitted MAC address list of VLAN 2 so that Client
A, Client B, and Host A in VLAN 2 can access the Internet.
[AC] user-isolation vlan 2 permit-mac 000f-e212-7788
# Enable user isolation for VLAN 2 so that users in VLAN 2 cannot access each other at Layer 2.
[AC] user-isolation vlan 2 enable
2.
432
DHCPv6The AP obtains the complete IPv6 address assigned to the client in the DHCPv6 packets
exchanged between the DHCPv6 server and the client, and binds the IPv6 address with the MAC
address of the client. If the AP obtains the IPv6 address prefix assigned to the client, it cannot
generate the proper binding entry.
NDThe AP obtains the broadcast IPv6 address prefix in the router advertisement packets
exchanged between the router and the client, and binds the IPv6 address prefix with the MAC
address of the client.
For more information about DHCP, DHCPv6, and ND, see Layer 3 Configuration Guide.
After source IP address verification is enabled, the AP looks up the binding entries for received packets.
If the source MAC address and source IP address of a packet matches a binding entry, the AP forwards
the packet. Otherwise, the AP discards it. Figure 152 shows how source IP address verification works.
Figure 152 Source IP address verification process
For a client using an SSID configured with source IP address verification, if it accesses the network
through AP local authentication, the source IP address verification feature is effective but the IP-MAC
binding entry for the client cannot be displayed on the AC. If the client needs to roam to an AP of another
AC in the roaming group, the AC to which the client roams must be configured with source IP address
verification for the specified SSID. Otherwise, the client connection is lost. For more information about AP
local authentication and WLAN roaming, see WLAN Configuration Guide.
To configure source IP address verification:
Step
Command
Remarks
1.
system-view
N/A
2.
Configure a WLAN
service template.
wlan service-template
service-template-number { clear |
crypto }
N/A
3.
Enable source IP
address verification for
IPv4 clients.
ip verify source
Enable source IP
address verification for
IPv6 clients.
4.
Command
Displaying IPv4/IPv6
binding entries.
434
Eth1/1
Client 1
IP network
AC
Switch
Client 2
AP
Client 3
Configuration procedure
1.
# Create DHCP address pool 0, and assign network segment 10.1.1.0/24 to the address pool.
[DHCP] dhcp server ip-pool 0
[DHCP-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
2.
# Configure a WLAN service template, specify service as the SSID, and bind the WLAN-ESS
interface with the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
435
APID/RID
Type
Binding IP Address
-----------------------------------------------------------001d-0f31-87dd
1/2
DHCP
10.1.1.1
001c-f08f-f7f1
1/2
DHCP
10.1.1.2
------------------------------------------------------------
As shown in Figure 154, the clients access the network using the SSID "service", and the DHCPv6
server dynamically assigns IPv6 addresses for the clients.
Enable source IP address verification for the IPv6 clients using the SSID to prevent illegal access.
436
Eth1/1
Client 1
IP network
AC
Switch
AP
Client 2
Client 3
Configuration procedure
1.
# Create DHCPv6 address pool 1, and assign network segment 2001:2::/64 to the address pool.
[DHCPv6] ipv6 dhcp pool 1
[DHCPv6-dhcp6-pool-1] network 2001:2::/64
[DHCPv6-dhcp6-pool-1] quit
# Configure interface Ethernet 1/1 to operate in DHCPv6 server mode, and reference address
pool 1.
[DHCPv6-Ethernet1/1] ipv6 dhcp server apply pool 1
2.
# Configure a WLAN service template, specify service as the SSID, and bind the WLAN-ESS
interface with the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
437
APID/RID
Type
Binding IP Address
-----------------------------------------------------------001d-0f31-87dd
1/2
DHCPv6
2001:2::2
001c-f08f-f7f1
1/2
DHCPv6
2001:2::3
------------------------------------------------------------
438
Eth1/1
Client 1
IP network
AC
Switch
AP
Client 2
Client 3
Configuration procedure
1.
# Specify the address prefix to distribute as 2001::/64, with life time being 86400 seconds. The
preferred life time is 3600 seconds.
[Router-Ethernet1/1] ipv6 nd ra prefix 2001::/64 86400 3600
2.
# Configure a WLAN service template, specify service as the SSID, and bind the WLAN-ESS
interface with the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
439
APID/RID
Type
Binding IP Address
-----------------------------------------------------------001d-0f31-87dd
1/2
ND
2001::
001c-f08f-f7f1
1/2
ND
2001::
------------------------------------------------------------
440
Configuring FIPS
Overview
Federal Information Processing Standards (FIPS) was developed by the National Institute of Standard
and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules.
FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4" from low to high. The device
supports Level 2.
Unless otherwise noted, in this document the term "FIPS" refers to FIPS 140-2.
FIPS self-tests
CAUTION:
If the device reboots repeatedly, it might be caused by software failures or hardware damages. Contact
HP Support to upgrade the software or repair the damaged hardware.
When the device operates in FIPS mode, it has self-test mechanisms, including power-up self-test and
conditional self-test, to ensure the correct operation of cryptography modules.
Power-up self-tests
The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed
cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is
already known. The calculated output is compared with the known answer. If they are not identical, the
known-answer test fails.
The power-up self-test examines the cryptographic algorithms listed in Table 18.
Table 18 Power-up self-test list
Type
Operations
Tests the following algorithms:
Cryptographic algorithm
self-test
441
Type
Operations
Tests the following algorithms used by cryptographic engines:
Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator
module is invoked. Conditional self-tests include the following types:
Pair-wise consistency testThis test is run when a DSA/RSA asymmetrical key-pair is generated. It
uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If
the decryption is successful, the test succeeds. Otherwise, the test fails.
Continuous random number generator testThis test is run when a random number is generated.
If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test
can also be run when a DSA/RSA asymmetrical key-pair is generated.
Triggering self-tests
To examine whether the cryptography modules operate correctly, you can trigger a self-test on the
cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails,
the device automatically reboots.
To trigger a self-test:
Step
Command
1.
system-view
2.
Trigger a self-test.
fips self-test
Configuration considerations
To enter FIPS mode, follow these steps:
1.
2.
3.
Configure the username and password to log in to the device in FIPS mode. The password must
include at least 10 characters and must contain uppercase and lowercase letters, digits, and
special characters.
4.
5.
Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
442
6.
If you must enable both FIPS mode and the password control function, enable FIPS mode first.
If you must disable both FIPS mode and the password control function, disable password control
first.
After FIPS mode is enabled, delete the FIPS 140-2-incompliant local user service type Telnet, HTTP,
or FTP before you reboot the device.
Command
Remarks
1.
system-view
N/A
2.
Generated RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs have a
modulus length from 1024 to 2048 bits.
SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Command
When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings
are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the
switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch or an 870 appliance are Access interfaces in VLAN 1. When configuring the two
aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set
their link type to be the same.
Network requirements
As shown in Figure 156, Host connects to AC through a console port. Configure AC to operate in FIPS
mode, and create a local user for Host so that Host can log in to AC.
Figure 156 Network diagram
Configuration procedure
CAUTION:
After you enable FIPS mode, you must create a local user and its password before you reboot the device.
Otherwise, you cannot log in to the device. To log in to the device, reboot the device without the
configuration file (by ignoring or removing the configuration file) so that the device operates in non-FIPS
mode, and then make correct configurations.
# Enable the FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to
the next-startup configuration file, and then reboot to enter FIPS mode.
# Create a local user named test, and set its service type as terminal, privilege level as 3, and password
as AAbbcc1234%. The password is a string of at least 10 characters by default, and must contain both
uppercase and lowercase letters, digits, and special characters. (Use an interactive way to configure the
password for the local user. Enter password in local user view and follow the prompts to enter the
password.)
[Sysname] local-user test
[Sysname-luser-test] service-type terminal
[Sysname-luser-test] authorization-attribute level 3
[Sysname-luser-test] password
Password:***********
Confirm :***********
444
Login authentication
Username:test
Password:
Info: First logged in. For security reasons you will need to change your password.
Please enter your new password.
Password:**********
Confirm :**********
Updating user(s) information, please wait...........
<Sysname>
445
Bandwidth limit per protocolYou set a maximum bandwidth for packets of a specific protocol.
When the maximum bandwidth is exceeded, the packets are discarded.
Bandwidth limit per flowYou set a maximum bandwidth for each flow to ensure that the same
kind of requests from all users are fairly treated. Packets of the same protocol and from the same
user are considered as one flow. The system records the number of passed and dropped protocol
packets to help network administrators locate problems. Bandwidth limit per flow takes effect only
when bandwidth limit per protocol takes effect.
Command
Remarks
1.
system-view
N/A
2.
anti-attack enable
2.
Enable per-protocol
bandwidth limit.
Command
Remarks
system-view
N/A
Command
Remarks
system-view
N/A
Optional.
2.
anti-attack protocol
protocol threshold rate-limit
446
Command
Remarks
1.
system-view
N/A
2.
Device type
HP
11900/10500/7500
20G unified
wired-WLAN module
HP 850 Unified
Wired-WLAN
Appliance/ HP 870
unified wired-WLAN
appliance access
controller engine
Supported number of
flows
8192
1024
8192
NOTE:
Support for the number of flows varies by device model. The system automatically clears all flow entries
when the maximum number is reached.
Command
Remarks
447
Error messages
Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
For related documentation, navigate to the Networking section, and select a networking category.
For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.
Websites
HP.com http://www.hp.com
HP Networking http://www.hp.com/go/networking
HP manuals http://www.hp.com/support/manuals
HP Education http://www.hp.com/learn
448
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention
Description
Boldface
Bold text represents commands and keywords that you enter literally as shown.
Italic
Italic text represents arguments that you replace with actual values.
[]
Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
[ x | y | ... ] *
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
GUI conventions
Convention
Description
Boldface
Window names, button names, field names, and menu items are in bold text. For
example, the New User window appears; click OK.
>
Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Convention
Description
Symbols
WARNING
An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION
An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
NOTE
TIP
449
450
Index
ABCDEFHILMNOPRSTUVW
Configuring ARP active acknowledgement,342
ALG process,395
Configuration considerations,442
Configuration prerequisites,150
Configuration prerequisites,107
Configuring an ASPF,407
Contacting HP,448
Conventions,449
Creating a local asymmetric key pair,262
FIPS compliance,20
FIPS compliance,294
FIPS compliance,252
FIPS self-tests,441
HP implementation of 802.1X,105
Displaying SSL,331
Displaying TCP attack protection,335
Overview,138
Obtaining certificates,278
Overview,216
Overview,292
Overview,357
Overview,336
Overview,327
Overview,334
Overview,417
Overview,384
452
Overview,411
Overview,400
Overview,433
Overview,6
Overview,441
Overview,271
Overview,248
Overview,250
Overview,123
P
Related information,448
Removing a certificate,280
Requesting a certificate,276
Troubleshooting AAA,93
Troubleshooting IKE,393
Troubleshooting PKI,290
Troubleshooting portal,215
Troubleshooting SSL,333
V
Verifying PKI certificates,279
453