HP 6125G & 6125G/XG Blade Switches Security Configuration Guide
HP 6125G manual content summary:
Page 1: HP 6125 Blade Switch Series Security Configuration Guide Part number: 5998-3160 Software version: Release 2103 Document version: 6W100-20120907

Page 2: , or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or

Page 3: users by a RADIUS server 51 Level switching authentication for Telnet users by an HWTACACS server 58 RADIUS authentication and authorization for Telnet users by a switch 61 Troubleshooting AAA 63 Troubleshooting RADIUS 63 Troubleshooting Configuring 802.1X 74 HP implementation of 802.1X 74 i

Page 4: .1X Auth-Fail VLAN 88 Configuration guidelines 88 Configuration prerequisites 88 Configuration procedure 88 Configuring an 802.1X critical VLAN 89 Configuration guidelines 89 Configuration prerequisites 89 Configuration procedure 89 Specifying supported domain name delimiters 90 Displaying

Page 5: fast deployment 99 EAD fast deployment configuration example 100 Network requirements 100 Configuration procedure 101 Verifying the configuration 101 Troubleshooting EAD fast deployment 102 Web browser users cannot be correctly redirected 102 Configuring MAC authentication 103 Overview 103

Page 6: 136 Configuring password control 137 Overview 137 Password control configuration task list 139 Configuring password control 140 Enabling password control 140 Setting global password control parameters 141 Setting user group password control parameters 142 Setting local user password control

Page 7: supported 186 Establishing a connection between the SSH client and server 187 Setting the DSCP value for packets sent by the SSH client 187 Displaying and maintaining SSH 188 SSH server configuration examples 188 When the switch acts as a server for password authentication 188 When the switch

Page 8: mechanism 216 SSL protocol stack 216 Configuration task list 217 Configuring an SSL server policy 217 SSL server policy configuration example 219 Configuring an SSL client policy 220 Displaying and maintaining SSL 221 Troubleshooting SSL 221 Configuring TCP attack protection 223 Overview

Page 9: and maintaining MFF 263 MFF configuration examples 263 Auto-mode MFF configuration example in a tree network 263 Auto-mode MFF configuration example in a ring network 265 Manual-mode MFF configuration example in a tree network 267 Manual-mode MFF configuration example in a ring network 268

Page 10: Support and other resources 270 Contacting HP 270 Subscription service 270 Related information 270 Documents 270 Websites 270 Conventions 271 Index 273 viii

Page 11: on the switch. • Accounting-Records all user network service usage information, including the service type, configure an authentication server. If network usage information is needed, you must also configure an accounting server. AAA can be implemented through multiple protocols. The switch supports

Page 12: . RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS provides access authentication and authorization services, and its accounting function collects and

Page 13: request that carries the user's username and password to the RADIUS client. 2. Having received the username and password, the RADIUS client sends between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism, the retransmission mechanism

Page 14: Description From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port. From the server to the client. If all

Page 15: specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may attributes No. Attribute 1 User-Name 2 User-Password 3 CHAP-Password 4 NAS-IP-Address 5 NAS-Port 6 Service-Type 7 Framed-Protocol 8

Page 16: -Identifier 33 Proxy-State 34 Login-LAT-Service 35 Login-LAT-Node 36 Login-LAT- -Data 75 Password-Retry 76 Prompt 77 Connect-Info 78 Configuration-Token 79 information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes." • Vendor-Type-

Page 17: level and authorized by the HWTACACS server. Does not support authorization of configuration commands. Which commands a user can use solely depends on the level of the user. A user can use all the commands at, or lower than, the user level. Basic HWTACACS message exchange process The following

Page 18: message exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 4) Request for username 5) The user inputs the username 8) Request for password 9) The user inputs the password 14) The user logs in successfully 17) The user logs off 2) Start-authentication

Page 19: or userid Username contains Yes @domain-name? No Use the AAA methods and attributes of the default domain for the user Use the AAA methods and attributes of domain domain-name for the user The authentication, authorization, and accounting of a user depends on the AAA methods configured for the

Page 20: information about command accounting, see Fundamentals Configuration Guide. • Level switching authentication-Allows the authentication server to authenticate users who perform privilege level switching. As long as they pass level switching authentication, users can switch their user privilege levels

Page 21: attributes Commonly used standard RADIUS attributes No. Attribute 1 User-Name 2 User-Password 3 CHAP-Password 4 NAS-IP-Address 5 NAS-Port 6 Service-Type 7 Framed-Protocol 8 Framed-IP-Address 11 Filter-ID 12 Framed-MTU 14 Login-IP-Host 15 Login-Service 18 Reply-Message 26 Vendor-Specific 27 Session

Page 22: IEEE 802.11. • 201-VLAN. • 202-ATM. If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201. Used for used when RADIUS supports EAP authentication. String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-

Page 23: No. Sub-attribute 15 Remanent_Volume 20 Command 24 Control_Identifier 25 Result_Code 26 Connect_ID succeeded. Any other value means the operation failed. Index of the user connection. Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute

Page 24: -Configure local users and the related attributes, including the usernames and passwords of the users to be authenticated. { Remote authentication-Configure the required RADIUS and HWTACACS schemes. You must configure user attributes on the servers accordingly. 2. Configure AAA methods for the users

Page 25: local users and configure user attributes on the switch. The local users and attributes are stored in the local user database on the switch. A local user is uniquely identified by a username. Configurable local user attributes are as follows: • Service type: Types of services that the user can

Page 26: you control the security of local users' passwords. Password control attributes include password aging time, minimum password length, and password composition policy. You can configure a password control attribute in system view, user group view, or local user view, making the attribute effective

Page 27: , configure a password for each local user. If none of the parameters is specified, you enter the interactive mode to set a plaintext password. This interactive mode is supported only on switches that support the password control feature. 4. Specify the service types for the local user. service

Page 28: set by default. 12. Assign the local user to a user group. group group-name Optional. By default, a local user belongs to the default user group system. • For more information about password control configuration commands, see Security Command Reference. • If the user interface authentication

Page 29: -guest Optional. By default, the guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group. NOTE: For more information about password control attributes configuration commands, see Security Command Reference. Displaying

Page 30: to which the servers belong Setting the username format and traffic statistics units Setting the supported RADIUS server type Setting the maximum performing other RADIUS configurations, follow these steps to create a RADIUS scheme and enter RADIUS scheme view: Step Command 1. Enter system view

Page 31: critical VLAN feature, so that the switch can trigger 802.1X authentication for users in the critical VLAN immediately on username name [ interval interval ] | vpn-instance vpn-instance-name ] * N/A Configure at least one command. No authentication/authorization server is specified by default

Page 32: users, the switch can no longer send real-time accounting requests and stop-accounting requests for the users Configure at least one 3. Specify RADIUS accounting vpn-instance-name ] * command. servers. • Specify a secondary RADIUS accounting No accounting server is server: specified by default

Page 33: . Command system-view radius scheme radius-scheme-name vpn-instance vpn-instance-name Setting the username format and traffic statistics units A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain the user belongs to and is used by the switch

Page 34: • For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same results. They make sure usernames sent to the RADIUS server carry no ISP domain name. To set the username format and the traffic statistics units for a RADIUS scheme

Page 35: attempts. Command system-view radius scheme radius-scheme-name retry retry-times Remarks N/A N/A Optional. The default setting is in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the switch changes the server's status to blocked

Page 36: "Setting timers for controlling communication with HWTACACS servers." By default, the switch sets the status of all RADIUS servers to active. In : • The server status set by the state command cannot be saved to the configuration file. After the switch restarts, the status of each server is restored

Page 37: server for online users. To implement real-time accounting, the switch must periodically send real-time accounting packets to the accounting server for online users. To set timers for controlling communication with RADIUS servers: Step 1. Enter system view. Command system-view 27 Remarks

Page 38: is 5 minutes. Optional. The default real-time accounting timer is 12 minutes. • For a type of users, the maximum number of transmission attempts be timed out while the switch is trying to find an available server. • When a number of secondary servers are configured, the client connections of access

Page 39: . To configure the switch to interpret the RADIUS class attribute as CAR parameters: Step 1. Enter system view. 2. Enter RADIUS scheme view. 3. Interpret the class attribute as CAR parameters. Command system-view radius scheme radius-scheme-name attribute 25 car Remarks N/A N/A By default, RADIUS

Page 40: failure ratio is higher than the threshold, troubleshoot the configuration on and the communication between the NAS and the RADIUS server. To enable the trap function for RADIUS: Step 1. Enter system view. 2. Enable the trap function for RADIUS. Command system-view radius trap { accounting-server

Page 41: default, the DSCP value in IPv6 RADIUS protocol packets is 0. Task Display the configuration for which no responses have been received. Command Remarks display radius scheme [ radius-scheme stop-time | user-name user-name } [ slot slot-number ] Available in user view Configuring HWTACACS schemes

Page 42: servers belong Setting the username format and traffic statistics Command 1. Enter system view. system-view 2. Create an HWTACACS scheme and enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name Remarks N/A Not defined by default. NOTE: • Up to 16 HWTACACS schemes can be configured

Page 43: authentication server: secondary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * Configure at least one command. No authentication server is specified by default. Specifying the HWTACACS authorization servers You can specify one primary authorization server and up to

Page 44: configured limit. In the latter case, the switch does not support accounting for FTP users. To specify Configure at least one command. No accounting server is specified by default. stop-accounting-buffer enable Optional. Enabled by default. retry stop-accounting retry-times Optional. The default

Page 45: HWTACACS server does not support a username that carries the domain name, configure the switch to remove the domain name before sending the username to the server. • For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same

Page 46: Step 3. Set the format for usernames sent to the HWTACACS servers. Command user-name-format { keep-original | with-domain | without-domain } Remarks Optional. By default, the ISP domain name is included in a username. 4. Specify the unit for data flows or packets sent to the HWTACACS servers.

Page 47: a source IP address for outgoing HWTACACS packets. Command nas-ip ip-address Remarks By default, the IP address of the outbound interface is used as the source IP address. Setting timers for controlling communication with HWTACACS servers The switch uses the following timers to control the

Page 48: multiple ISPs, the switch may connect users of different ISPs, and users of different ISPs may have different user attributes, such as different username and password structures, different service types, and different rights. To distinguish the users of different ISPs, configure ISP domains, and

Page 49: the undo domain default enable command. Configuring ISP domain attributes In an ISP domain, you can configure the following attributes for all users in the domain: • Domain status: By placing the ISP domain to the active or blocked state, you allow or deny network service requests from users in the

Page 50: . Disabled by default. This command is effective for only LAN users. Optional. Disabled by default. Optional. By default, an ISP domain has no default authorization user profile. NOTE: • For more information about user profiles, see "Configuring a user profile." • A self-service RADIUS server

Page 51: references an HWTACACS scheme, the switch uses the login username of a user for level switching authentication of the user by default. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on

Page 52: service types. Follow these guidelines when you configure AAA authorization methods for an ISP domain: • The authorization method specified with the authorization default command is for all types of users in an authorization method configuration command, the switch has no backup authorization method

Page 53: or service types. Follow these guidelines when you configure AAA accounting methods for an ISP domain: • If you configure the accounting optional command, the limit on the number of local user connections is not effective. • The accounting method specified with the accounting default command is

Page 54: configuration command, the switch has no backup accounting method and performs only local accounting or does not perform any accounting. • Accounting is not supported for FTP services. To configure The default accounting method is used by default. 7. Specify the accounting method for login users.

Page 55: HWTACACS server to provide authentication, authorization, and accounting services for Telnet users. Set the shared keys for secure communication with the HWTACACS server to expert. Configure the switch to remove the domain name from a username before sending the username to the HWTACACS server. 45

Page 56: to remove the domain name from a username before sending the username to the HWTACACS server. [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit # Configure the AAA methods for the domain. [Switch] domain bbb [Switch-isp-bbb] authentication login hwtacacs-scheme

Page 57: 2. Verify the configuration: Telnet to the switch as a user and enter the correct username and password. You pass authentication and log in to the switch. Issuing the display connection command on the switch, you can see information about the user connection. AAA for Telnet users by separate servers

Page 58: login radius-scheme rd [Switch-isp-bbb] quit 2. Verify the configuration: Telnet to the switch as a user and enter the username hello@bbb and the correct password. You pass authentication and log in to the switch. Issuing the display connection command on the switch, you can see information

Page 59: the navigation tree. b. Click Add. c. Configure the following parameters: Enter hello@bbb as the username and set the password. Select SSH as the service type. Set the EXEC privilege level to 3. This value identifies the privilege level of the SSH user after login and defaults to 0. Specify the IP

Page 60: -key local create rsa [Switch] public-key local create dsa [Switch] ssh server enable # Configure the switch to use AAA for SSH users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme # Configure the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound

Page 61: should be able to use the configured account to access the user interface of the switch and can access the commands of level 0 through level 3. # Use the display connection command to view the connection information on the switch. [Switch] display connection Index=1 ,Username=hello@bbb IP=192.168

Page 62: and accounting as 1812 and 1813, respectively. Select LAN Access Service as the service type. Select HP as the access device type. Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2. Leave the default settings in other fields. d. Click OK. NOTE: The IP

Page 63: . In the Basic Plan Settings field, configure to charge the fixed fee of 120 dollars per month. In the Service Usage Limit field, set the Usage Threshold to 120 hours, allowing the user to access the Internet for up to 120 hours per month. Leave the default settings in other fields. d. Click OK

Page 64: parameters: Enter Dot1x auth as the service name and bbb as the service suffix. The service suffix indicates the authentication domain for 802.1X users. When the service suffix is configured, you must configure the switch to keep the domain names of usernames to be sent to the RADIUS server

Page 65: users: a. Click the User tab, and select All Access Users from the navigation tree. b. Click Add. c. Configure the following parameters: Select the user test, or add the user if it does not exist. Enter dot1x as the account name and set the password. Select the access service Dot1x auth. Configure

Page 66: to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain [Switch-radius-rad] quit 2. Configure an authentication domain: # Create an ISP domain named bbb and enter its view. [Switch] domain bbb # Configure the ISP domain to use RADIUS

Page 67: the requirement.) [Switch] dot1x port-method macbased interface gigabitethernet 1/0/1 Verifying the configuration When you use HP iNode client, no advanced authentication options are required, and the user can pass authentication after entering username dot1x@bbb and the correct password in the

Page 68: for user privilege level switching authentication. { Configure the password for local privilege level switching authentication. 3. On the HWTACACS server, add the username and password for user privilege level switching authentication. Configuration procedure 1. Configure the switch: # Configure the

Page 69: user named test. [Switch] local-user test [Switch-luser-test] service-type telnet [Switch-luser-test] password simple aabbcc # Configure the user level of the Telnet user to 0 after user login. [Switch-luser-test] authorization-attribute level 0 [Switch-luser-test] quit # Configure the password

Page 70: for the Telnet user 3. Verify the configuration: After you complete the configuration, the Telnet user should be able to telnet to the switch and use username test@bbb and password aabbcc to enter the user interface of the switch, and access all level 0 commands. telnet 192.168

Page 71: privilege level switch authentication Error: Invalid configuration or no response from the authentication server. Info: Change authentication mode to local. Password: ← Enter the password for local privilege level switch authentication User privilege level is 3, and only those commands can be

Page 72: RADIUS server type as standard. When a switch is configured to serve as a RADIUS server, the server type must be set to standard. [SwitchA-isp-bbb] server-type standard [SwitchA-isp-bbb] quit # Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at login

Page 73: key simple abc 4. Verify the configuration: After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A. Use the display connection command to view the connection information on Switch A. display connection Index=1 ,Username=aaa@bbb IP=192.168.1.2 IPv6

Page 74: services are provided by different servers. Solution Check that: 1. The accounting port number is correctly set. 2. The authentication/authorization server and the accounting server are correctly configured on the NAS. Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting

Page 75: securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the decisions. The authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a small LAN, you can also

Page 76: to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information

Page 77: 26 shows the EAPOL packet format. Figure 26 EAPOL packet format • PAE Ethernet type-Protocol type. It takes the value 0x888E for EAPOL. • Protocol of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by HP implementation of 802.1X. Table 5 EAPOL packet types Value 0x00 0x01

Page 78: contains an EAP packet. EAP over RADIUS RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see "Configuring AAA." EAP-Message RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 27. The

Page 79: support the multicast address, you must use an 802.1X client, the HP supports the following modes: • Multicast trigger mode-The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default method eap command to enable Password Authentication Protocol) PAP or (Password

Page 80: Supports various EAP authentication methods. • The configuration and processing is simple on the network access device Works with any RADIUS server that supports client. • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X

Page 81: Figure 31 802.1X authentication procedure in EAP relay mode 1. When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. 2. The network access device responds with an Identity

Page 82: the received encrypted password with the one after a certain number of consecutive handshake attempts (two by default), the network access device logs off the client. This enables timely release of the network resources used by 802.1X users that have abnormally gone offline. 13. The client can also

Page 83: mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server. 73

Page 84: control mode. For more information about VLAN configuration and MAC-based VLAN, see Layer 2-LAN Switching Configuration Guide. Access control Port-based MAC-based VLAN manipulation Assigns the VLAN to the port as the port VLAN ID (PVID). All subsequent 802.1X users can access the port VLAN without

Page 85: and MAC-based VLAN, see Layer 2-LAN Switching Configuration Guide. 1. On a port that performs port-based access control Authentication status VLAN manipulation No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled Assigns the 802.1X guest VLAN to the port

Page 86: by 802.1X access control mode. For more information about VLAN configuration and MAC-based VLAN, see Layer 2-LAN Switching Configuration Guide. 1. On a port that performs port-based access control Authentication status A user fails 802.1X authentication VLAN manipulation Assigns the Auth-Fail VLAN

Page 87: authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about RADIUS configuration, see "Configuring AAA." For more information about VLAN configuration and MAC-based VLAN, see Layer 2-LAN Switching Configuration Guide. The way that the network

Page 88: user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the default or user-configured PVID on the port. A user action reinitialize command to configure the port to trigger 802.1X re-authentication when the port or an 802.1X user on the

Page 89: a mandatory authentication domain on a port Configuring the quiet timer Enabling the periodic online user re-authentication function Configuring an 802.1X guest VLAN Configuring an 802.1X Auth-Fail VLAN Configuring an 802.1X critical VLAN Specifying supported domain name delimiters Remarks Required

Page 90: function cannot take effect on the port. For more information about voice VLANs, see Layer 2-LAN Switching Configuration Guide. • 802.1X is mutually exclusive with link aggregation and service loopback group configuration on a port. • Do not use the BPDU drop feature on an 802.1X-enabled port. The

Page 91: If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take Ethernet interface view: a. interface interface-type interface-number b. dot1x port-control { authorized-force | auto | unauthorized-force } Remarks N/A Optional. Use either approach. By default
.1X users for ports individually in Ethernet interface view or in bulk in system view. If different settings are configured for a port in both views, the setting configured later takes effect. To set the maximum number of concurrent 802.1X users on a port: Step 1. Enter system view. Command system - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 93
default is 100 seconds. Configuring the online user handshake function The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 94
from being inappropriately torn down. Configuration procedure To configure the online user handshake function: Step 1. Enter system view. Command system-view 2. Set the handshake timer. dot1x timer handshake-period handshake-period-value 3. Enter Ethernet interface view. interface interface - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 95
both triggers on a port. Configuration procedure To configure the authentication trigger function on a port: Step Command 1. Enter system view. system-view 2. Set the username request timeout timer. dot1x timer tx-period tx-period-value 3. Enter Ethernet interface view. interface interface - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 96
in the original VLAN. Configuration procedure To enable the periodic online user re-authentication function: Step Command 1. Enter system view. system-view 2. Set the periodic re-authentication timer. dot1x timer reauth-period reauth-period-value 3. Enter Ethernet interface view. interface - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 97
Step 4. Enable periodic online user re-authentication. Command dot1x re-authenticate Remarks By default, the function is disabled. Configuring an 802.1X guest VLAN Configuration guidelines Follow these guidelines when you configure an 802.1X guest VLAN: • You can configure only one 802.1X guest - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 98
for example, leaves the 802.1X guest VLAN and joins the Auth-Fail VLAN), ask 802.1X users to manually update their IP address so that they can access specific resources. • Use Table 7 when configuring multiple security features on a port. Table 7 Relationships of the 802.1X Auth-Fail VLAN with other - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 99
VLAN function, see Layer 2-LAN Switching Configuration Guide. Configuration procedure To configure an 802.1X critical VLAN: Step 1. Enter system view. 2. Enter Layer 2 Ethernet interface view. 3. Configure an 802.1X critical VLAN on the port. Command system-view interface interface-type interface - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 100
system view. Command system-view 2. Specify a set of domain name delimiters for 802.1X users. dot1x domain-delimiter string Remarks N/A Optional. By default, only the at sign (@) delimiter is supported. NOTE: If you configure the access device to include the domain name in the username sent to - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 101
access device: # Add a local user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.) system-view [Device] local-user localuser [Device-luser-localuser] service-type lan-access [Device - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 102
the ISP domain name from the username sent to the RADIUS servers. [Device-radius-radius1] user-name-format without-domain [Device- the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain. [Device] domain default enable aabbcc.net 7. Configure - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 103
Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 104
Security Command Reference. 1. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown.) 2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 105
username sent to the RADIUS server. [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit 5. Configure By default, the configuration Use the display dot1x interface gigabitethernet 1/0/2 command to verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2. If no user - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 106
RADIUS configuration commands, see Security Command Reference. 1. Configure 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or a server-assigned VLAN. (Details not shown.) 2. Configure the RADIUS servers, user accounts - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 107
default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Configure 1/0/1 [Device-GigabitEthernet1/0/1] dot1x Verifying the configuration Use the user account to pass authentication, and then - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 108
Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control to auto. Configuring a free IP Follow these guidelines when you configure a free IP: • When a free IP is configured, the EAD fast deployment is enabled. To allow a user to obtain - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 109
. Command system-view 2. Configure the redirect URL. dot1x url url-string Remarks N/A By default, no redirect URL is configured. Setting the EAD rule timer EAD fast deployment automatically creates an ACL rule, or an EAD rule, to open access to the redirect URL for each redirected user seeking - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 110
so that all hosts must pass 802.1X authentication to access the network. To allow all intranet users to install and update the 802.1X client program from a web server, configure the following: • Allow unauthenticated users to access the segment 192.168.2.0/24, and to obtain an IP address on the segment - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 111
services. Configuration procedure 1. Configure an IP address for each interface. (Details not shown.) 2. Configure DHCP relay: # Enable DHCP. system-view [Device] dhcp enable # Configure Verifying the configuration Use the display dot1x command to display the 802.1X configuration. After the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 112
service. Enter the external website address in dotted decimal notation, for example, 3.3.3.3 or http://3.3.3.3, in the address bar. Troubleshooting EAD fast deployment Web browser users cannot be correctly redirected Symptom Unauthenticated users URL does not provide web services. Solution 1. Enter a - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 113
mark it as a silent address. User account policies MAC authentication supports the following user account policies: • One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 114
, either the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs off, the initial default VLAN, or the default VLAN configured before any VLAN is assigned by the authentication server, is restored. If the authentication server assigns no VLAN - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 115
-authentication user-name-format 4. Configure the properties of MAC authentication user accounts. { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] } Optional. By default, the username and password for - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 116
: the interface-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA." To specify an authentication domain for MAC authentication users: Step Command 1. Enter system view. system-view • (Approach 1) In system view - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 117
the device does not authenticate the user within 180 seconds. Figure 37 Network diagram Configuration procedure # Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account. system-view - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 118
enabled. User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx Fixed username:mac Fixed password:not configured Offline user passes authentication, use the display connection command to display the online user information. display connection Slot: 1 Index=29 ,Username - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 119
for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account. 3. Configure the device: # Configure a RADIUS scheme default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 120
] mac-authentication timer quiet 180 # Specify username aaa and plaintext password 123456 for the account shared by MAC authentication users. [Device] mac-authentication user-name-format fixed account aaa password simple 123456 Verifying the configuration # Display MAC authentication settings and - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 121
[Sysname-isp-2000] accounting default radius-scheme 2000 [Sysname-isp-2000] quit # Enable MAC authentication globally. [Sysname] mac-authentication # Specify the ISP domain for MAC authentication. [Sysname] mac-authentication domain 2000 # Configure the device to use MAC-based user accounts, and the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 122
00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.) Verifying the configuration After the host passes authentication, perform the display connection command on the device to view online - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 123
authentication, HP recommends you configure 802. configurable). Port security traps You can configure the port security module to send traps for port security events such as login, logoff, and MAC authentication. These traps help you monitor user behaviors. Port security modes Port security supports - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 124
trapping action. The maximum number of users a port supports equals the maximum number of MAC addresses that 802.1X authentication Security mode noRestrictions (the default mode) In this mode, port security 802.1X users to be authenticated and serviced at the same time. A security mode - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 125
-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see Layer 2-LAN Switching Configuration Guide. A port in secure mode allows only frames sourced from secure MAC addresses and manually configured MAC addresses to pass. Performing 802 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 126
priority as the Else keyword implies. For wired users, the port performs MAC authentication 30 seconds after support 802.1X authentication. For more information about the 802.1X guest VLAN and Auth-Fail VLAN on a port that performs MAC-based access control, see "Configuring 802.1X." Configuration - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 127
limit described in MAC address table configuration in the Layer 2-LAN Switching Configuration Guide. To set the maximum number of secure MAC addresses allowed on a port: Step Command 1. Enter system view. system-view 2. Enter Layer 2 Ethernet interface view. interface interface-type interface - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 128
system view. Command system-view 2. Set an OUI value for port-security oui oui-value index user authentication. index-value Remarks N/A Required for the userlogin-withoui mode. Not configured by default. To set multiple OUI values, repeat this step. 3. Enter Layer 2 Ethernet interface interface - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 129
: Step 1. Enter system view. 2. Enter Layer 2 Ethernet interface view. 3. Configure the NTK feature. Command system-view interface interface-type interface-number port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } Remarks N/A N/A By default, NTK is disabled on a port and - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 130
security mode, or disable the port security feature. Manually added or automatically learned when the dynamic secure MAC function (port-security mac-address dynamic) is disabled. Sticky MAC addresses by default do not age out, but you can configure an aging timer or use the aging timer together - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 131
MAC aging timer. 3. Configure a secure MAC address. 4. Enter Layer 2 Ethernet interface view. 5. Enable inactivity aging. Command Remarks system-view N/A port vlan-id c. quit interface interface-type interface-number Optional. By default, secure MAC addresses do not age out, and you can remove - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 132
Step 6. Enable the dynamic secure MAC function. Command Remarks port-security mac-address dynamic Optional. By default, sticky MAC addresses can be saved to the configuration file, and once saved, can survive a device reboot. NOTE: You can display dynamic secure MAC addresses only by using the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 133
the autoLearn mode Network requirements See Figure 40. Configure port GigabitEthernet 1/0/1 on the Device, as follows: • Accept up to 64 users on the port without authentication. • Permit the port to learn and add MAC addresses as sticky MAC addresses, and set the sticky MAC aging timer - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 134
to track the number of MAC addresses learned by the port, or use the display this command in Layer 2 Ethernet interface view to display the secure MAC addresses. system-view [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] display this # interface GigabitEthernet1 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 135
server at an interval of 15 minutes, and sends usernames without domain names to the RADIUS server. Configure port GigabitEthernet 1/0/1 of the Device to: • Allow only one 802.1X user to be authenticated. • Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 136
[Device-radius-radsun] quit # Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users. Specify that the ISP domain can contain up to 30 users. [Device] domain sun [Device-isp-sun] authentication default radius-scheme radsun [Device - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 137
the configuration of the ISP domain sun. display domain sun Domain : sun State : Active Access-limit : 30 Accounting method : Required Default authentication scheme : radius:radsun Default authorization scheme : radius:radsun Default accounting scheme : radius:radsun Domain User - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 138
disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times 2 EAD quick deploy configuration: EAD timeout: 30m The maximum 802.1X user resource number is 2048 per slot Total current used 802.1X resource number is 1 GigabitEthernet1/0/1 is link-up - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 139
802.1X Multicast-trigger is enabled Mandatory authentication domain: NOT configured Guest VLAN: NOT configured Auth-Fail VLAN: NOT configured Critical VLAN: NOT configured Critical recovery-action: NOT configured Max number of on-line users is 2048 EAPOL Packet: Tx 16331, Rx 102 Sent EAP Request/ - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 140
Configure the device to use hyphenated, lowercased MAC addresses of users as the usernames and passwords for MAC authentication. [Device] mac-authentication user Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.) [ - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 141
Fixed username: mac Fixed password: not configured Offline detect period is 60s Quiet period is 5s Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 3 Current domain is mac Silent MAC User info: MAC Addr From Port Port Index - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 142
configured Guest VLAN: NOT configured Auth-Fail VLAN: NOT configured Critical VLAN: NOT configured Critical recovery-action: NOT configured Max number of on-line users port security mode by using the port-security port-mode command directly. Solution Set the port security mode to noRestrictions first - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 143
mode Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet1/0/1. Analysis Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online. Solution Use the cut command to forcibly disconnect the user from the port - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 144
Perform configurations on the client, the device, and the authentication server, for example, username, password, authentication scheme, domain, and binding a user profile with a user. To create a user profile: Step 1. Enter system view. 2. Create a user profile, and enter its view. Command system - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 145
policy) or remove it. • For information about QoS policy configurations, see ACL and QoS Configuration Guide. To apply a QoS policy: Step 1. Enter system view. Command system-view Remarks N/A 2. Enter user profile view. user-profile profile-name N/A 3. Apply a QoS policy. qos apply policy - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 146
Displaying and maintaining user profiles Task Display information about all the created user profiles. Command Remarks display user-profile [ | { begin | exclude | include } regular-expression ] Available in any view 136 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 147
Configuration Guide. • This function is not effective for a user who is prompted to change the password at the first login or a user whose password has just been aged out. • Password aging Password aging imposes a lifecycle on a user password. After the password aging time expires, the user - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 148
, the system takes action as configured: { Prohibiting the user from logging in until the user is removed from the password control blacklist manually. { Allowing the user to try continuously and removing the user from the password control blacklist when the user logs in to the system successfully - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 149
Authentication timeout management The authentication period is from when the server obtains the username to when the server finishes authenticating the user's password. If a Telnet user fails to log in within the configured period of time, the system tears down the connection. • Maximum account idle - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 150
All of the four password control functions are enabled by default. After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command. About the minimum password length: • When global password control is disabled - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 151
is that configured by the password-control length length command. About password history control: • When global password control is disabled, or when global password control is enabled but the password history control is disabled, the device does not record history passwords and allows a user to set - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 152
Step Command Remarks 1. Enter system view. system-view N/A 2. Create a user group and enter user group view. user-group group-name N/A Optional 3. Configure the password aging time for the user group. password-control aging aging-time By default, the password aging time configured in - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 153
the commands at that level or lower levels. To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password. For more information on super passwords, see Fundamentals Configuration Guide. To set super password control - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 154
2. Create a local user and enter local user view. local-user user-name 3. Set the password for the local user in interactive mode. password Displaying and maintaining password control Task Command Remarks Display password control configuration information. display password-control [ super - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 155
-number 3 type-length 5 # Configure a super password. [Sysname] super password level 3 simple 12345ABGFTweuix # Create a local user named test. [Sysname] local-user test # Set the service type of the user to Telnet. [Sysname-luser-test] service-type telnet # Set the minimum password length to 12 for - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 156
: 36 hours User account idle-time: 30 days Login with aged password: 5 times in 60 day(s) Password complexity: Enabled (username checking) Enabled (repeated characters checking) # Display the password control configuration information for super passwords. display password-control - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 157
digital signature. For information about SSH, SSL, and PKI, see "Configuring SSH2.0," "Configuring SSL," and "Configuring PKI." Configuration task list Public key configuration tasks enable you to manage the local asymmetric key pairs, and configure the peer host public keys on the local device. By - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 158
Task Configuring a local asymmetric key pair on the local device Creating a the RSA server key pair. To create a local asymmetric key pair: Step Command Remarks 1. Enter system view. system-view N/A By default, no asymmetric key pair is created. 2. Create a local asymmetric key pair - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 159
any view. Use at least one command. The display public-key local rsa public command displays both the RSA server and host public keys. Recording the RSA host public key is enough. After displaying the host public key, record the key information for manual configuration of the key on the peer device - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 160
. To import the host public key from a public key file to the local device: Step Command 1. Enter system view. system-view 2. Import the host public key from the public key file. public-key peer keyname import sshkey filename To manually configure the peer public key on the local device: 150 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 161
on the local device. Command Remarks display public-key Manually specify the host public key of Device A's public key pair on Device B. Figure 43 Network diagram Configuration procedure 1. Configure Device A: # Create local RSA key pairs on Device A, setting the modulus length to the default - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 162
modulus[default = Configure Device B: # Configure the host public key of Device A's RSA key pairs on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A by using the display public-key local dsa public command - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 163
from the public key file to Device B. Figure 44 Network diagram Configuration procedure 1. Create key pairs on Device A and export the host Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits. system-view [DeviceA] public-key local create rsa - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 164
create an FTP user with the username ftp, password 123, and user level 3. This user level guarantees that the user has the permission to perform FTP operations. [DeviceA] ftp server enable [DeviceA] local-user ftp [DeviceA-luser-ftp] password simple 123 [DeviceA-luser-ftp] service-type ftp [DeviceA - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 165
230 User logged in. [ftp] binary 200 Type set to I. [ftp] get devicea.pub 227 Entering Passive Mode (10,1,1,1,5,148). 125 BINARY mode data connection already open, - Page 166
Configuring A key problem with PKI is how to manage the public keys. PKI services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP for example, the username changes, the private key leaks, or the user stops the business. Revoking a certificate - Page 167
of entities, a CA, a registration authority (RA) and a PKI repository. Figure 45 PKI architecture • Entity An entity is an end user of PKI products or services, such as a person, an organization, a device, or a process running on a computer. • CA A CA is a trusted authority responsible for issuing - Page 168
the LDAP server or other distribution point to provide directory navigation service, and notifies the entity that the certificate is successfully issued. • Submitting a certificate request in manual mode Retrieving a certificate manually Configuring PKI certificate verification Destroying a local - Page 169
1. Enter system view. 2. Create an entity and enter its view. Command system-view pki entity entity-name 3. Configure the common name for the entity. common-name name 4. Configure the country code for the entity. country country-code-str 5. Configure the FQDN for the entity. fqdn name-str - Page 170
default. Optional. No organization is specified by default. Optional. No unit is specified by default. Optional. No state or province is specified by default only has local significance. A PKI domain configured on a switch is invisible to the CA and other switches, and each PKI domain has its own - Page 171
auto and optional when the certificate request mode is manual. In the latter case, if you do not configure this command, the fingerprint of the root certificate must be verified manually. No fingerprint is configured by default. Submitting a PKI certificate request When requesting a certificate, an - Page 172
the certificate request mode to auto. Command Remarks system-view N/A pki domain domain-name N/A certificate request mode auto [ key-length key-length | password Manual by default { cipher | simple } password ] * Submitting a certificate request in manual mode In manual mode, you must submit - Page 173
request manually. Command system-view pki domain domain-name certificate request mode manual quit See "Retrieving a certificate manually" public-key local create rsa pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] Remarks N/A N/A Optional. Manual by default - Page 174
the CRL server. The CRL update period setting manually configured on the switch takes precedence over that carried in the CRLs. • The configuration made by the pki retrieval-crl domain command is not saved in the configuration file. Configuring CRL-checking-enabled PKI certificate verification Step 1. Enter - Page 175
validity of a certificate. Command Remarks crl update-period hours Optional. By default, the CRL update period default. quit N/A See "Retrieving a certificate manually" N/A pki retrieval-crl domain domain-name N/A pki validate-certificate { ca | local } domain domain-name N/A Configuring - Page 176
access control policy: Step 1. Enter system view. Command system-view Remarks N/A 2. Create a certificate attribute group and enter its view. pki certificate attribute-group group-name No certificate attribute group exists by default. 3. Configure an attribute rule for attribute id { alt - Page 177
command to specify that the entity request a certificate from a CA. Certificate request from an RSA Keon CA server Network requirements The switch submits a local certificate request to the CA server. The switch acquires the CRLs for certificate verification. Figure 46 Network diagram Configuring - Page 178
the configuration, make sure the system clock of the switch is synchronized with that of the CA, so that the switch can request certificates and retrieve CRLs properly. Configuring the switch 1. Configure the Press CTRL+C to abort. Input the bits in the modulus [default = 1024]: Generating Keys - Page 179
wait a while..... CRL retrieval success! # Request a local certificate manually. [Device] pki request-certificate domain torsa challenge-word Certificate is Saving the local certificate to device...... Done! Verifying the configuration # Display information about the retrieved local certificate. [ - Page 180
Add/Remove Windows Components > Certificate Services. c. Click Next to begin the installation. 2. Install the SCEP add-on: Because a CA server running Windows Server 2003 does not support SCEP by default, you must install the SCEP add-on so that the switch can register and obtain its certificate - Page 181
d. Specify the path for certificate service in the Local path text box. To avoid conflict with existing services, specify an available port number as the TCP port number of the default website. After completing the configuration, make sure the system clock of the switch is synchronized with that of the - Page 182
. Input the bits in the modulus [default = 1024]: Generating Keys 4. Apply for retrieval success. # Request a local certificate manually. [Device] pki request-certificate domain torsa certificate to device...... Done! Verifying the configuration # Display information about the retrieved local - Page 183
information about the CA certificate. For more information about the display pki certificate ca domain command, see Security Command Reference. Certificate attribute access control policy configuration example Network requirements The client accesses the remote HTTP Secure (HTTPS) server through the - Page 184
Figure 48 Network diagram Configuration procedure The configuration procedure involves SSL configuration and HTTPS configuration. For more information about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see Fundamentals Configuration Guide. The PKI domain - Page 185
for certificate request. • The system clock of the switch is not synchronized with that of the CA. Solution • Make sure the network connection is physically proper. • Check that the required commands are configured properly. • Use the ping command to verify that the RA server is reachable. • Specify - Page 186
proper. Retrieve a CA certificate. Regenerate a key pair. Specify a trusted CA. Use the ping command to verify that the RA server is reachable. Specify the authority for certificate request. Configure the required entity DN parameters. Failed to retrieve CRLs Symptom Failed to retrieve CRLs - Page 187
, SSH protects devices against attacks such as IP spoofing and plaintext password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH - Page 188
. Authentication SSH supports the following authentication methods: • Password authentication-The SSH server uses AAA for authentication of the client. During password authentication, the SSH client encrypts its username and password, encapsulates them into a password authentication request, and - Page 189
in the configuration file, upload it to the server through Secure FTP (SFTP), and use it to restart the server. SSH connection across VPNs As shown in Figure 49, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the services of the two VPNs isolated. After an HP 6125 Blade switch - Page 190
3-IP Routing Configuration Guide. Configuring the switch as an SSH server SSH server configuration task list Task Generating DSA or RSA key pairs Enabling the SSH server function Configuring the user interfaces for SSH clients Configuring a client public key Configuring an SSH user Setting the - Page 191
Command system-view ssh server enable Remarks N/A Disabled by default NOTE: When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at a time. Configuring the user interfaces for SSH clients An SSH client accesses the switch through a VTY user interface - Page 192
. Command system-view user-interface vty number [ ending-number ] authentication-mode scheme 4. Configure the user interfaces to support SSH login. protocol inbound { all | ssh } Remarks N/A N/A By default, the authentication mode is password. Optional. All protocols are supported by default - Page 193
use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management. Configuration guidelines When you perform the procedure in this section to configure an SSH user, follow these guidelines: You can set the service type to Stelnet - Page 194
Remarks system-view N/A • For Stelnet users: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } • For all users, SCP or SFTP users: Use either command. ssh user username service-type { all | scp | sftp - Page 195
ssh server ipv6 dscp dscp-value SSH server. Configuring the switch as an SSH client SSH client configuration task list Task Specifying a source IP address/interface for the SSH client Configuring whether first-time authentication is supported Establishing a connection between the SSH client and - Page 196
2. Disable first-time authentication support. 3. Configure the server host public key. Command system-view undo ssh client first-time See "Configuring a client public key" Remarks N/A By default, first-time authentication is supported on a client. The method for configuring the server host public - Page 197
sha1 | sha1-96 } ] * • For an IPv6 server: Use either command in user view. ssh2 ipv6 server [ port-number ] [ identity-key { dsa the ToS field is redefined as the differentiated services (DS) field, where a DSCP value for ssh client dscp dscp-value By default, the DSCP value is 16 in packets - Page 198
) are directly connected. Configure an SSH user on the switch so that the host can securely log in to the switch after passing password authentication. Configure a username and password for the user on the switch. Figure 50 Network diagram Configuration procedure 1. Configure the SSH server: - Page 199
user interfaces to support SSH. [Switch-ui-vty0-7] protocol inbound ssh [Switch-ui-vty0-7] quit # Create local user client001, and set the user command privilege level to 3. [Switch] local-user client001 [Switch-luser-client001] password simple aabbcc [Switch-luser-client001] service-type ssh [Switch - Page 200
username and password. After entering the username (client001) and password (aabbcc), you can enter the configuration interface of the server. When the switch a switch (the SSH server) are directly connected. Configure an SSH user on the switch so that the host can securely log in to the switch after - Page 201
, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the SSH server. 1. Generate the RSA key pairs on the SSH client: a. Run PuTTYGen.exe, select SSH-2 RSA and click Generate. Figure 53 Generating the - Page 202
Figure 54 Generating process b. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 55 Saving the key pair on the client - Page 203
for the user interfaces to AAA. [Switch] user-interface vty 0 7 [Switch-ui-vty0-7] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-7] protocol inbound ssh # Set the user command privilege level to 3. [Switch-ui-vty0-7] user privilege level 3 [Switch-ui-vty0 - Page 204
client002 as publickey, and assign the public key Switch001 to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001 3. Specify the private key file and establish a connection to the SSH server: a. Launch PuTTY.exe to enter - Page 205
A (the SSH client) must pass password authentication to log in to Switch B (the SSH server) through the SSH protocol. Configure the username client001 and the password aabbcc for the SSH client on Switch B. Figure 58 Network diagram Configuration procedure 1. Configure the SSH server: # Generate the - Page 206
CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys # Generate a DSA key pair password. This step is optional. [SwitchB] ssh user client001 service-type stelnet authentication-type password 2. Establish a connection between the SSH client and the SSH server: # Configure - Page 207
10.165.87.136. ssh2 10.165.87.136 Username: client001 Trying 10.165.87.136 ... Press CTRL+K to abort password: After you enter the correct password, you can log in to Switch B successfully. { If the client does not support first-time authentication, perform the following configurations - Page 208
Username: client001 Trying 10.165.87.136 Press CTRL+K to abort Connected to 10.165.87.136... Enter password: After you enter the correct password, you can log in to Switch B successfully. When switch key pair on the client before configuring the SSH server. 1. Configure the SSH client: # Create VLAN - Page 209
Input the bits of the modulus[default = 1024]: Generating Keys # Enable the SSH server. [SwitchB] ssh server enable # Configure an IP address for VLAN- the user interfaces to support SSH. [SwitchB-ui-vty0-7] protocol inbound ssh # Set the user command privilege level to 3. [SwitchB-ui-vty0-7] user - Page 210
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001 3. Establish an SSH connection to the server 10.165.87.136. ssh2 10.165.87.136 Username: client002 Trying 10.165.87.136 ... Press CTRL+K to abort Connected to 10.165.87.136 ... The - Page 211
more information about this function, see "Configuring SSH2.0." Configuring the switch as an SFTP server Before you configure this task, complete the following tasks: • Configure the SSH server. • Use the ssh user service-type command to set the service type of SSH users to sftp or all. For more - Page 212
the SFTP connection idle timeout period. Command sftp server idle-timeout time-out-value Remarks Optional. 10 minutes by default. Configuring the switch as an SFTP client Specifying a source IP address or interface for the SFTP client You can configure a client to use only a specified source - Page 213
prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * Use either command in • Establish a connection to the remote IPv6 SFTP user view. server and enter SFTP client view: sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos - Page 214
. • remove remote-file& Remarks Execute the command in user view. Optional. Optional. Optional. Optional. The dir command functions as the ls command. Optional. The delete command functions as the remove command. Displaying help information This configuration task will display a list of all - Page 215
user view. Use any of the commands. These three commands function in the same way. Setting the DSCP value for packets sent by the SFTP client A field in an IPv4 or IPv6 header contains 8 bits and is used to identify the service type of an IP packet. In an IPv4 packet, this field is - Page 216
a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys # Export the host public key to file pubkey. [ , transmit the public key file to the server through FTP or TFTP. 2. Configure the SFTP server: # Generate the RSA key pairs. system-view - Page 217
default = 1024]: Generating Keys # Enable the SSH server. [SwitchB] ssh server enable # Enable the SFTP server. [SwitchB] sftp server enable # Configure SwitchB] ssh user client001 service-type sftp sftp 192.168.0.1 identity-key rsa Input Username: client001 Trying 192.168.0.1 ... Press - Page 218
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub -rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z sftp-client> delete z The following File will be deleted: /z Are you sure to delete it? [Y/N]:y - Page 219
switch for file management and file transfer. Use password authentication and configure the username client002 and the password aabbcc for the client on the switch. Figure 61 Network diagram Configuration procedure 1. Configure [default = 1024]: Generating Keys # Generate a DSA key pair. [Switch] - Page 220
to support SSH. [Switch-ui-vty0-7] protocol inbound ssh [Switch-ui-vty0-7] quit # Configure a local user named client002 with the password aabbcc and the service type SSH. [Switch] local-user client002 [Switch-luser-client002] password simple aabbcc [Switch-luser-client002] service-type - Page 221
Figure 62 SFTP client interface - Page 222
Step Command Remarks 1. Enter system view. system-view N/A 2. Configure the SSH server. For more information, see the security guide for your switch. N/A 3. Create an SSH user for a ssh user username service-type { all | scp } SCP client, set the authentication-type { password | { any - Page 223
in file fragments on the switch. You must manually delete them. SCP client configuration example Network requirements As shown in Figure 63, switch A acts as a client and downloads the file remote.bin from switch B. The user has the username test and uses the password authentication method. - Page 224
an SSH connection to the switch. The user uses the username test and the password aabbcc. The username and password are saved on the switch for local authentication. Figure 64 Network diagram Configuration procedure # Generate the RSA key pairs. system-view [Switch] public-key local create - Page 225
interfaces to support all protocols including SSH. [Switch-ui-vty0-7] protocol inbound all [Switch-ui-vty0-7] quit # Create a local user named test. [Switch] local-user test [Switch-luser-test] password simple aabbcc [Switch-luser-test] service-type ssh [Switch-luser-test] quit # Configure the SSH - Page 226
Configuring SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based to be used by the symmetric encryption algorithm. • Authentication-SSL supports certificate-based identity authentication of the server and client by using the - Page 227
Hello message from a client supporting SSL 2.0 and SSL 3.0/TLS 1.0 and notify the client to use SSL 3.0 or TLS 1.0 to communicate with the server. To configure an SSL server policy: Step 1. Enter system view. 2. Create an SSL server policy and enter its view. Command system-view ssl server-policy - Page 228
must use this command to specify a PKI domain. For more information about PKI domain configuration, see "Configuring PKI." Optional. By default, an SSL server policy supports all cipher suites. Optional. 3,600 seconds by default. Optional. Not wait by default. Optional. The defaults are as follows - Page 229
data is not eavesdropped or tampered with, configure the device so that users must use HTTPS (Hypertext Transfer Protocol configurations, make sure the switch, the host, and the CA server can reach each other. 1. Configure the HTTPS server (Device): # Create a PKI entity named en, and configure - Page 230
CA server. The web interface of the switch should appear. After entering username usera and password 123, you should be able to log in to the web interface to access and manage the switch. For more information about PKI configuration commands, see "Configuring PKI." For more information about the - Page 231
command to specify a PKI domain for the client. For more information about PKI domain configuration, see "Configuring PKI." Optional. rsa_rc4_128_md5 by default. Optional. TLS 1.0 by default. Optional. Enabled by default in any view Troubleshooting SSL Symptom As the SSL server, the switch fails to - Page 232
command and view the debugging information to locate the problem: { If the SSL client is configured command to view the cipher suites that the SSL server policy supports. If the server and the client have no matching cipher suite, use the ciphersuite command to modify the cipher suite configuration - Page 233
making the server unable to handle services normally. The SYN Cookie feature can configuration automatically becomes effective. For more information about MD5 authentication, see Layer 3-IP Routing Configuration Guide Command system-view tcp syn-cookie enable Remarks N/A Enabled by default - Page 234
Task Display current TCP connection state. Command Remarks display tcp status [ | { begin | exclude | include } regular-expression ] Available in any view - Page 235
static IP source guard entry is configured manually. A port forwards a packet only when the source IP address and source MAC address of the packet exactly match an IP source guard entry on the port. IP source guard entries are suited to check the validity of access users, especially in a LAN that has - Page 236
. A user using an Services Configuration Guide. Configuration task list Complete the following tasks to configure IPv4 source guard: Task Configuring IPv4 source guard on a port Configuring configure a static binding entry, see "Configuring a static IPv4 source guard entry." • On a Layer 2 Ethernet - Page 237
types of ports and interfaces: Layer 2 Ethernet ports and VLAN interfaces. Not configured by default. NOTE: Although dynamic IPv4 source guard entries overwrites the dynamic binding entry. To configure a static IPv4 binding entry on a port: Step Command Remarks 1. Enter system view. system - Page 238
of IPv4 binding entries allowed on a port: Step 1. Enter system view. 2. Enter Layer 2 Ethernet interface view. 3. Configure the maximum number of IPv4 binding entries allowed on the port. Command system-view interface interface-type interface-number ip verify source max-entries number Remarks - Page 239
communicate with Host A by using this IP address even if it uses another network adapter. Figure 69 Network diagram Configuration procedure 1. Configure Device A: # Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address - Page 240
source guard entries. The output shows that the static IPv4 source guard entries are configured successfully. [DeviceA] display ip source binding static Total entries found: 2 MAC Address to pass. For information about DHCP server configuration, see Layer 3-IP Services Configuration Guide. - Page 241
, as a trusted port. [Device] interface gigabitethernet1/0/2 [Device-GigabitEthernet1/0/2] dhcp-snooping trust [Device-GigabitEthernet1/0/2] quit 2. Configure the IPv4 source guard function. # Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the - Page 242
] ip verify source ip-address mac-address [Switch-Vlan-interface100] quit 2. Configure the DHCP relay agent: # Enable the DHCP service. [Switch] dhcp enable # Configure the IP address of the DHCP server. [Switch] dhcp relay server-group 1 ip 10.1.1.1 # Configure VLAN-interface 100 to operate in DHCP - Page 243
192.168.0.1 VLAN Interface 100 Vlan100 Type DHCP-RLY Troubleshooting IP source guard Symptom Failed to configure static or dynamic IP source guard on a port. Analysis IP source guard is not supported on a port in an aggregation group or a service loopback group. Solution Remove the port from the - Page 244
chapter introduces multiple features to detect and prevent such attacks. ARP attack protection configuration task list Task Flood prevention User and gateway spoofing prevention Configuring ARP defense against IP packet attacks Configuring ARP source suppression Enabling ARP black hole routing - Page 245
the route during the aging time of the black hole route. Configuring ARP source suppression Step Command 1. Enter system view. system-view 2. Enable ARP source suppression. five consecutive seconds. Remarks N/A Disabled by default. Optional. 10 by default. Enabling ARP black hole routing - Page 246
system-view arp resolving-route enable Remarks N/A Optional. Enabled by default. Displaying and maintaining ARP defense against IP packet attacks Task Display the ARP source suppression configuration information. Command display arp source-suppression [ | { begin | exclude | include } regular - Page 247
CPU on a switch. For example, if problem, you can configure ARP packet rate limit Ethernet interface/Layer 2 aggregate interface view. 3. Configure ARP packet rate limit. Command system-view interface interface-type interface-number arp rate-limit { disable | rate pps drop } Remarks N/A N/A By default - Page 248
and specify the detection mode. 3. Configure the threshold. 4. Configure the age timer for ARP attack detection entries. 5. Configure protected MAC addresses. Command system-view Remarks N/A arp anti-attack source-mac { filter | monitor } Disabled by default. arp anti-attack source-mac - Page 249
Task Command Remarks Display attacking MAC addresses detected by source MAC address based (Device). If malicious users send a large number of ARP requests to the gateway, the gateway may crash and cannot process requests from the clients. To solve this problem, configure source MAC address based - Page 250
in the Ethernet header from the sender MAC address in the message, so that the gateway device can learn correct ARP entries. Configuration procedure To consistency check. Command system-view Remarks N/A arp anti-attack valid-check enable Disabled by default Configuring ARP active - Page 251
and is discarded. For more information about voice VLANs and OUI MAC addresses, see Layer 2-LAN Switching Configuration Guide. Configuration guidelines Follow these guidelines when you configure user validity check: • Static IP source guard binding entries are created by using the ip source binding - Page 252
Configuration procedure To configure user validity check: Step 1. Enter system view. 2. Set rules for user validity check. 3. Enter VLAN view. Command default. N/A N/A Optional. The port is an untrusted port by default. Configuring destination MAC address in the Ethernet header, the packet is - Page 253
by default. 6. Enter Layer 2 Ethernet port/Layer 2 aggregate interface view. interface interface-type interface-number N/A 7. Configure the performing the following configuration, make sure you have configured the arp detection enable command. To enable ARP any view Available in user view - Page 254
configure Switch B to perform user validity check based on 802.1X security entries for connected hosts. Figure 74 Network diagram Configuration procedure 1. Add all the ports on Switch B into VLAN 10, and configure local access user test. [SwitchB] local-user test [SwitchB-luser-test] service-type - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 255
and GigabitEthernet 1/0/2, they are checked against 802.1X security entries. User validity check and ARP packet validity check configuration example Network requirements Configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 256
Host A as DHCP client, and Host B as user. (Details not shown.) 4. Configure Switch B: # Enable DHCP snooping. system-view [ -vlan10] arp detection enable # Configure the upstream port as a trusted port (a port is an untrusted port by default). [SwitchB-vlan10] interface gigabitethernet - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 257
dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 3. Configure the DHCP client on Hosts A and B. (Details not shown.) 4. Configure Switch B. # Enable DHCP snooping, and configure GigabitEthernet 1/0/3 as a DHCP-trusted port. system-view [SwitchB] dhcp-snooping - Page 258
from Host A can pass the check on Switch B and reach Host B. Port isolation fails. # Configure ARP restricted forwarding. [SwitchB] vlan 10 ARP entries have the same attributes as the manually configured static ARP entries. • Use the arp fixup command to change the existing dynamic ARP entries into - Page 259
restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic Configuration procedure To configure ARP gateway protection: Step 1. Enter system view. 2. Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view. Command - Page 260
gateway. Command arp filter source ip-address Remarks Disabled by default Configuration example Network requirements As shown in Figure 77, Host B launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to - Page 261
: Step 1. Enter system view. Command: system-view. Remarks: N/A. 2. Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view. Command: interface interface-type interface-number. Remarks: N/A. 3. Configure an ARP filtering entry. Command: arp filter binding ip-address mac-address. Remarks: Not configured by default - Page 262
[SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f - Page 263
five functions of the ND protocol, see Layer 3-IP Services Configuration Guide. The ND protocol implements its function by using five [Figure: Switch; Host A (IP_A, MAC_A); Host B (IP_B, MAC_B); Host C (IP_C, MAC_C); forged ND packets sent to the switch] All forged ND packets have two common features: • The Ethernet - Page 264
IPv6 address and the source MAC address in the Ethernet frame header is invalid. To identify forged ND packets, HP developed the source MAC consistency check feature. Enabling Enable source MAC consistency check for ND packets. Command system-view ipv6 nd mac-check enable Remarks N/A Disabled by - Page 265
Configuring URPF The term "router" in this feature refers to both routers and Layer 3 switches. Overview Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers launch - Page 266
Figure 81 URPF work flow 1. URPF checks the source address validity: • Discards packets with a broadcast source address. • Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be - Page 267
is discarded. Configuring URPF To configure URPF globally: Step 1. Enter system view. 2. Enable URPF check globally. Command system-view ip urpf strict } Remarks N/A Disabled by default NOTE: • The routing table size decreases by half when URPF is enabled on the HP 6125 Blade switches. • To - Page 268
Configuration procedure 1. Enable URPF check on Switch A. system-view [SwitchA] ip urpf strict 2. Enable URPF check on Switch B. system-view [SwitchB] ip urpf strict 258 - Page 269
Layer 3 communication on the access switches. For information about DHCP snooping, see Layer 3-IP Services Configuration Guide. For information about ARP snooping, see Layer 3-IP Services Configuration Guide. For information about IP source guard, see "Configuring IP source guard." For information - Page 270
supported by user ports in the VLAN. You can add network ports to link aggregation groups, but cannot add user ports to link aggregation groups. For more information about link aggregation, see Layer 2-LAN Switching Configuration Guide. User port An MFF user of the default gateway. In manual mode, - Page 271
receiving an ARP packet with a different source MAC address from the default gateway, the MFF device will replace the old MAC address with Configuring MFF Configuration prerequisites • In MFF automatic mode, enable DHCP snooping on the device and configure DHCP snooping trusted ports. • In MFF manual - Page 272
mac-forced-forwarding network-port Remarks N/A N/A By default, the port is a user port. Enabling periodic gateway probe You can configure the MFF device to detect gateways periodically for the change of MAC addresses. This feature is supported by MFF manual mode and MFF automatic mode. The time - Page 273
either manual or automatic MFF mode. The server can be a DHCP server, a server providing some other service, or default. Displaying and maintaining MFF Task Display MFF port configuration information. Display the MFF configuration information of a specified VLAN. Command Switch A and Switch B. 263 - Page 274
the IP address of VLAN-interface 1. [Device] interface Vlan-interface 1 [Device-Vlan-interface1] ip address 10.1.1.50 24 3. Configure Switch A: # Enable DHCP snooping. system-view [SwitchA] dhcp-snooping # Enable MFF in automatic mode. [SwitchA] vlan 100 [SwitchA-vlan-100] mac-forced - Page 275
at Layer 2, and can communicate with each other through the gateway. MFF automatic mode is enabled on Switch A and Switch B. Figure 85 Network diagram Configuration procedure 1. Configure the IP address of VLAN-interface 1 on the gateway. system-view [Gateway] interface Vlan-interface - Page 276
GigabitEthernet 1/0/3 as a DHCP snooping trusted port. [SwitchA-GigabitEthernet1/0/3] dhcp-snooping trust no-user-binding 4. Configure Switch B: # Enable DHCP snooping. system-view [SwitchB] dhcp-snooping # Enable STP. [SwitchB] stp enable # Enable MFF in automatic mode. [SwitchB] vlan - Page 277
system-view [Gateway] interface Vlan-interface 1 [Gateway-Vlan-interface1] ip address 10.1.1.100 24 3. Configure Switch A: # Configure manual-mode MFF. [SwitchA] vlan 100 [SwitchA-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchA-vlan-100] mac - Page 278
[SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port 4. Configure Switch B: # Configure manual-mode MFF. [SwitchB] vlan 100 [SwitchB-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchB-vlan-100] mac-forced-forwarding server 10.1.1. - Page 279
gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] mac-forced-forwarding network-port 4. Configure Switch B: # Enable STP. [SwitchB] stp enable # Configure manual-mode MFF. [SwitchB] vlan 100 [SwitchB-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server - Page 280
HP A-Series Acronyms. Websites • HP.com http://www.hp.com • HP Networking http://www.hp.com/go/networking • HP manuals http://www.hp.com/support/manuals • HP download drivers and software http://www.hp.com/support/downloads • HP software depot http://www.software.hp.com • HP Education http://www.hp - Page 281
Command conventions Convention Boldface Italic [ ] { x | y | ... } [ x | y | ... ] { x | y | ... } * [ x | y | ... ] * & # Description Bold text represents commands and menu items are in bold text. For example, the New User window appears; click OK. Multi-level menus are separated by angle - Page 282
, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Port numbering in examples The port numbers in this document are for - Page 283
online user handshake function,83 Configuring the quiet timer,85 Configuring the redirect URL,99 Configuring the switch as an SCP server,212 Configuring the switch as an SFTP client,202 Configuring the switch as an SFTP server,201 Configuring the switch as an SSH client,185 Configuring the switch as - Page 284
,82 Specifying supported domain name delimiters,90 Specifying the peer public key on the local device,150 SSH client configuration examples,195 SSH server configuration examples,188 Submitting a PKI certificate request,161 T Tearing down user connections,44 Troubleshooting AAA,63 Troubleshooting EAD - Page 285
URPF configuration example,257 User profile configuration task list,134 Using MAC authentication with other features,104 275