Home » HP Manuals » Servers » HP 6125G » Manual Viewer

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 33

Specifying the shared keys for secure RADIUS communication

Add to My Manuals
Save this manual to your list of manuals

Page 33 highlights

Specifying the shared keys for secure RADIUS communication The RADIUS client and RADIUS server use the MD5 algorithm to authenticate packets exchanged between them and use shared keys for packet authentication and user passwords encryption. They must use the same key for the same type of communication. A shared key configured in this task is for all servers of the same type (accounting or authentication) in the scheme, and has a lower priority than a shared key configured individually for a RADIUS server. To specify a shared key for secure RADIUS communication: Step Command 1. Enter system view. system-view 2. Enter RADIUS scheme view. radius scheme radius-scheme-name 3. Specify a shared key for secure RADIUS key { accounting | authentication/authorization or authentication [ cipher | accounting communication. simple ] } key Remarks N/A N/A No shared key is specified by default. NOTE: A shared key configured on the switch must be the same as that configured on the RADIUS server. Specifying the VPN to which the servers belong After you specify a VPN for a RADIUS scheme, all the authentication/authorization/accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to the specific VPN. To specify a VPN for a RADIUS scheme: Step 1. Enter system view. 2. Enter RADIUS scheme view. 3. Specify a VPN for the RADIUS scheme. Command system-view radius scheme radius-scheme-name vpn-instance vpn-instance-name Setting the username format and traffic statistics units A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain the user belongs to and is used by the switch to determine which users belong to which ISP domains. However, some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name. In this case, the switch must remove the domain name of each username before sending the username. You can set the username format on the switch for this purpose. The switch periodically sends accounting updates to RADIUS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and that for packets on the switch are consistent with those on the RADIUS server. Follow these guidelines when you set the username format and the traffic statistics units for a RADIUS scheme: • If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, users using the same username but in different ISP domains are considered the same user. 23

Section	Page
Title Page	1
Security Configuration Guide	3
Configuring AAA	11
AAA overview	11
RADIUS	12
Client/server model	12
Security and authentication mechanisms	12
Basic RADIUS message exchange process	12
RADIUS packet format	13
Extended RADIUS attributes	16
HWTACACS	17
Differences between HWTACACS and RADIUS	17
Basic HWTACACS message exchange process	17
Domain-based user management	19
AAA for MPLS L3VPNs	20
Protocols and standards	20
RADIUS attributes	21
Commonly used standard RADIUS attributes	21
HP proprietary RADIUS sub-attributes	22
AAA configuration considerations and task list	24
Configuring AAA schemes	25
Configuring local users	25
Local user configuration task list	26
Configuring local user attributes	26
Configuring user group attributes	28
Displaying and maintaining local users and local user groups	29
Configuring RADIUS schemes	30
RADIUS scheme configuration task list	30
Creating a RADIUS scheme	30
Specifying the RADIUS authentication/authorization servers	31
Specifying the RADIUS accounting servers and the relevant parameters	31
Specifying the shared keys for secure RADIUS communication	33
Specifying the VPN to which the servers belong	33
Setting the username format and traffic statistics units	33
Setting the supported RADIUS server type	34
Setting the maximum number of RADIUS request transmission attempts	34
Setting the status of RADIUS servers	35
Specifying the source IP address for outgoing RADIUS packets	36
Setting timers for controlling communication with RADIUS servers	37
Configuring RADIUS accounting-on	38
Configuring the IP address of the security policy server	39
Configuring interpretation of RADIUS class attribute as CAR parameters	39
Enabling the trap function for RADIUS	40
Enabling the RADIUS listening port of the RADIUS client	40
Setting the DSCP value for RADIUS protocol packets	40
Displaying and maintaining RADIUS	41
Configuring HWTACACS schemes	41
HWTACACS configuration task list	41
Creating an HWTACACS scheme	42
Specifying the HWTACACS authentication servers	42
Specifying the HWTACACS authorization servers	43
Specifying the HWTACACS accounting servers and the relevant parameters	43
Specifying the shared keys for secure HWTACACS communication	44
Specifying the VPN to which the servers belong	45
Setting the username format and traffic statistics units	45
Specifying a source IP address for outgoing HWTACACS packets	46
Setting timers for controlling communication with HWTACACS servers	47
Displaying and maintaining HWTACACS	47
Configuring AAA methods for ISP domains	48
Configuration prerequisites	48
Creating an ISP domain	48
Configuring ISP domain attributes	49
Configuring AAA authentication methods for an ISP domain	50
Configuring AAA authorization methods for an ISP domain	52
Configuring AAA accounting methods for an ISP domain	53
Tearing down user connections	54
Configuring a NAS ID-VLAN binding	55
Displaying and maintaining AAA	55
AAA configuration examples	55
AAA for Telnet users by an HWTACACS server	55
Network requirements	55
Configuration procedure	56
AAA for Telnet users by separate servers	57
Network requirements	57
Configuration procedure	57
Authentication/authorization for SSH/Telnet users by a RADIUS server	58
Network requirements	58
Configuring the RADIUS server	58
Configuring the switch	60
Verifying the configuration	61
AAA for 802.1X users by a RADIUS server	61
Network requirements	61
Configuration prerequisites	62
Configuring the RADIUS server	62
Configuring the switch	66
Verifying the configuration	67
Level switching authentication for Telnet users by an HWTACACS server	68
Network requirements	68
Configuration considerations	68
Configuration procedure	68
RADIUS authentication and authorization for Telnet users by a switch	71
Network requirements	71
Configuration procedure	72
Troubleshooting AAA	73
Troubleshooting RADIUS	73
Symptom 1	73
Analysis	73
Solution	73
Symptom 2	73
Analysis	74
Solution	74
Symptom 3	74
Analysis	74
Solution	74
Troubleshooting HWTACACS	74
802.1X overview	75
802.1X architecture	75
Controlled/uncontrolled port and port authorization status	75
802.1X-related protocols	76
Packet formats	77
EAP packet format	77
EAPOL packet format	77
EAP over RADIUS	78
EAP-Message	78
Message-Authenticator	78
Initiating 802.1X authentication	78
802.1X client as the initiator	78
Access device as the initiator	79
802.1X authentication procedures	79
A comparison of EAP relay and EAP termination	80
EAP relay	80
EAP termination	83
Configuring 802.1X	84
HP implementation of 802.1X	84
Access control methods	84
Using 802.1X authentication with other features	84
VLAN assignment	84
Guest VLAN	85
Auth-Fail VLAN	86
Critical VLAN	87
ACL assignment	89
Configuration prerequisites	89
802.1X configuration task list	89
Enabling 802.1X	90
Configuration guidelines	90
Configuration procedure	90
Enabling EAP relay or EAP termination	90
Setting the port authorization state	91
Specifying an access control method	92
Setting the maximum number of concurrent 802.1X users on a port	92
Setting the maximum number of authentication request attempts	92
Setting the 802.1X authentication timeout timers	93
Configuring the online user handshake function	93
Configuration guidelines	94
Configuration procedure	94
Configuring the authentication trigger function	94
Configuration guidelines	94
Configuration procedure	95
Specifying a mandatory authentication domain on a port	95
Configuring the quiet timer	95
Enabling the periodic online user re-authentication function	96
Configuration guidelines	96
Configuration procedure	96
Configuring an 802.1X guest VLAN	97
Configuration guidelines	97
Configuration prerequisites	97
Configuration procedure	97
Configuring an 802.1X Auth-Fail VLAN	98
Configuration guidelines	98
Configuration prerequisites	98
Configuration procedure	98
Configuring an 802.1X critical VLAN	99
Configuration guidelines	99
Configuration prerequisites	99
Configuration procedure	99
Specifying supported domain name delimiters	100
Displaying and maintaining 802.1X	100
802.1X authentication configuration example	100
Network requirements	100
Configuration procedure	101
Verifying the configuration	103
802.1X with guest VLAN and VLAN assignment configuration example	103
Network requirements	103
Configuration procedure	104
Verifying the configuration	105
802.1X with ACL assignment configuration example	106
Network requirements	106
Configuration procedure	106
Verifying the configuration	107
Configuring EAD fast deployment	108
Overview	108
Free IP	108
URL redirection	108
Configuration prerequisites	108
Configuring a free IP	108
Configuring the redirect URL	109
Setting the EAD rule timer	109
Displaying and maintaining EAD fast deployment	109
EAD fast deployment configuration example	110
Network requirements	110
Configuration procedure	111
Verifying the configuration	111
Troubleshooting EAD fast deployment	112
Web browser users cannot be correctly redirected	112
Symptom	112
Analysis	112
Solution	112
Configuring MAC authentication	113
Overview	113
User account policies	113
Authentication approaches	113
MAC authentication timers	114
Using MAC authentication with other features	114
VLAN assignment	114
ACL assignment	114
Configuration task list	114
Basic configuration for MAC authentication	115
Configuring MAC authentication globally	115
Configuring MAC authentication on a port	115
Specifying a MAC authentication domain	116
Displaying and maintaining MAC authentication	116
MAC authentication configuration examples	117
Local MAC authentication configuration example	117
Network requirements	117
Configuration procedure	117
Verifying the configuration	118
RADIUS-based MAC authentication configuration example	118
Network requirements	118
Configuration procedure	119
Verifying the configuration	120
ACL assignment configuration example	120
Network requirements	120
Configuration procedure	121
Verifying the configuration	122
Configuring port security	123
Overview	123
Port security features	123
NTK	123
Intrusion protection	123
Port security traps	123
Port security modes	123
Controlling MAC address learning	125
Performing 802.1X authentication	125
Performing MAC authentication	125
Performing a combination of MAC authentication and 802.1X authentication	125
Working with guest VLAN and Auth-Fail VLAN	126
Configuration task list	126
Enabling port security	126
Setting port security's limit on the number of MAC addresses on a port	127
Setting the port security mode	127
Configuration prerequisites	128
Configuration procedure	128
Configuring port security features	128
Configuring NTK	128
Configuring intrusion protection	129
Enabling port security traps	129
Configuring secure MAC addresses	130
Configuration prerequisites	131
Configuration procedure	131
Ignoring authorization information	132
Displaying and maintaining port security	132
Port security configuration examples	133
Configuring the autoLearn mode	133
Network requirements	133
Configuration procedure	133
Verifying the configuration	133
Configuring the userLoginWithOUI mode	135
Network requirements	135
Configuration procedure	136
Verifying the configuration	136
Configuring the macAddressElseUserLoginSecure mode	139
Network requirements	139
Configuration procedure	139
Verifying the configuration	140
Troubleshooting port security	142
Cannot set the port security mode	142
Symptom	142
Analysis	142
Solution	142
Cannot configure secure MAC addresses	142
Symptom	142
Analysis	143
Solution	143
Cannot change port security mode when a user is online	143
Symptom	143
Analysis	143
Solution	143
Configuring a user profile	144
Overview	144
User profile configuration task list	144
Creating a user profile	144
Applying a QoS policy	145
Enabling a user profile	145
Displaying and maintaining user profiles	146
Configuring password control	147
Overview	147
Password control configuration task list	149
Configuring password control	150
Enabling password control	150
Setting global password control parameters	151
Setting user group password control parameters	152
Setting local user password control parameters	152
Setting super password control parameters	153
Setting a local user password in interactive mode	154
Displaying and maintaining password control	154
Password control configuration example	154
Network requirements	154
Configuration procedure	155
Verifying the configuration	156
Managing public keys	157
Overview	157
Configuration task list	157
Creating a local asymmetric key pair	158
Displaying or exporting the local host public key	158
Displaying and recording the host public key information	159
Displaying the host public key in a specific format and saving it to a file	159
Exporting the host public key in a specific format to a file	159
Destroying a local asymmetric key pair	160
Specifying the peer public key on the local device	160
Displaying and maintaining public keys	161
Public key configuration examples	161
Manually specifying the peer public key on the local device	161
Network requirements	161
Configuration procedure	161
Importing a peer public key from a public key file	163
Network requirements	163
Configuration procedure	163
Configuring PKI	166
Overview	166
PKI terms	166
PKI architecture	167
PKI operation	167
PKI applications	168
PKI configuration task list	168
Configuring an entity DN	169
Configuring a PKI domain	170
Configuration guidelines	171
Configuration procedure	171
Submitting a PKI certificate request	171
Submitting a certificate request in auto mode	172
Submitting a certificate request in manual mode	172
Configuration guidelines	172
Configuration procedure	173
Retrieving a certificate manually	173
Configuration guidelines	173
Configuration procedure	174
Configuring PKI certificate verification	174
Configuration guidelines	174
Configuring CRL-checking-enabled PKI certificate verification	174
Configuring CRL-checking-disabled PKI certificate verification	175
Destroying a local RSA key pair	175
Deleting a certificate	176
Configuring an access control policy	176
Displaying and maintaining PKI	176
PKI configuration examples	177
Certificate request from an RSA Keon CA server	177
Network requirements	177
Configuring the CA server	177
Configuring the switch	178
Verifying the configuration	179
Certificate request from a Windows 2003 CA server	180
Network requirements	180
Configuring the CA server	180
Configuring the switch	181
Verifying the configuration	182
Certificate attribute access control policy configuration example	183
Network requirements	183
Configuration procedure	184
Troubleshooting PKI	185
Failed to retrieve a CA certificate	185
Symptom	185
Analysis	185
Solution	185
Failed to request a local certificate	185
Symptom	185
Analysis	185
Solution	186
Failed to retrieve CRLs	186
Symptom	186
Analysis	186
Solution	186
Configuring SSH2.0	187
Overview	187
SSH operation	187
Version negotiation	187
Key and algorithm negotiation	188
Authentication	188
Session request	189
Interaction	189
SSH connection across VPNs	189
Configuring the switch as an SSH server	190
SSH server configuration task list	190
Generating DSA or RSA key pairs	190
Configuration guidelines	190
Configuration procedure	191
Enabling the SSH server function	191
Configuring the user interfaces for SSH clients	191
Configuration guidelines	191
Configuration procedure	191
Configuring a client public key	192
Configuring a client public key manually	192
Importing a client public key from a public key file	193
Configuring an SSH user	193
Configuration guidelines	193
Configuration procedure	194
Setting the SSH management parameters	194
Setting the DSCP value for packets sent by the SSH server	195
Configuring the switch as an SSH client	195
SSH client configuration task list	195
Specifying a source IP address/interface for the SSH client	195
Configuring whether first-time authentication is supported	196
Enabling the switch to support first-time authentication	196
Disabling first-time authentication	196
Establishing a connection between the SSH client and server	197
Setting the DSCP value for packets sent by the SSH client	197
Displaying and maintaining SSH	198
SSH server configuration examples	198
When the switch acts as a server for password authentication	198
Network requirements	198
Configuration procedure	198
When the switch acts as a server for publickey authentication	200
Network requirements	200
Configuration procedure	201
SSH client configuration examples	205
When switch acts as client for password authentication	205
Network requirements	205
Configuration procedure	205
When switch acts as client for publickey authentication	208
Network requirements	208
Configuration procedure	208
Configuring SFTP	211
Overview	211
Configuring the switch as an SFTP server	211
Enabling the SFTP server	211
Configuring the SFTP connection idle timeout period	211
Configuring the switch as an SFTP client	212
Specifying a source IP address or interface for the SFTP client	212
Establishing a connection to the SFTP server	212
Working with SFTP directories	213
Working with SFTP files	214
Displaying help information	214
Terminating the connection to the remote SFTP server	215
Setting the DSCP value for packets sent by the SFTP client	215
SFTP client configuration example	215
Network requirements	215
Configuration procedure	216
SFTP server configuration example	219
Network requirements	219
Configuration procedure	219
Configuring SCP	222
Overview	222
Configuring the switch as an SCP server	222
Configuring the switch as the SCP client	223
SCP client configuration example	223
Network requirements	223
Configuration procedure	224
SCP server configuration example	224
Network requirements	224
Configuration procedure	224
Configuring SSL	226
Overview	226
SSL security mechanism	226
SSL protocol stack	226
Configuration task list	227
Configuring an SSL server policy	227
SSL server policy configuration example	229
Network requirements	229
Configuration considerations	229
Configuration procedure	229
Configuring an SSL client policy	230
Displaying and maintaining SSL	231
Troubleshooting SSL	231
Symptom	231
Analysis	232
Solution	232
Configuring TCP attack protection	233
Overview	233
Enabling the SYN Cookie feature	233
Displaying and maintaining TCP attack protection	233
Configuring IP source guard	235
Overview	235
Static IP source guard entries	235
Dynamic IP source guard entries	235
Configuration task list	236
Configuring the IPv4 source guard function	236
Configuring IPv4 source guard on a port	236
Configuring a static IPv4 source guard entry	237
Setting the maximum number of IPv4 source guard entries	238
Displaying and maintaining IP source guard	238
IP source guard configuration examples	238
Static IPv4 source guard configuration example	238
Network requirements	238
Configuration procedure	239
Verifying the configuration	240
Dynamic IPv4 source guard using DHCP snooping configuration example	240
Network requirements	240
Configuration procedure	241
Verifying the configuration	241
Dynamic IPv4 source guard using DHCP relay configuration example	242
Network requirements	242
Configuration procedure	242
Verifying the configuration	242
Troubleshooting IP source guard	243
Symptom	243
Analysis	243
Solution	243
Configuring ARP attack protection	244
Overview	244
ARP attack protection configuration task list	244
Configuring ARP defense against IP packet attacks	245

Match case Limit results 1 per page

Specifying the shared keys for secure RADIUS communication

The RADIUS client and RADIUS server use the MD5 algorithm to authenticate packets exchanged

between them and use shared keys for packet authentication and user passwords encryption. They must

use the same key for the same type of communication.

A shared key configured in this task is for all servers of the same type (accounting or authentication) in

the scheme, and has a lower priority than a shared key configured individually for a RADIUS server.

To specify a shared key for secure RADIUS communication:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enter RADIUS scheme view.

radius scheme

radius-scheme-name

N/A

Specify a shared key for secure RADIUS

authentication/authorization or

accounting communication.

key

{

accounting

authentication

[

cipher

simple

] }

key

No shared key is specified by

default.

NOTE:

A shared key configured on the switch must be the same as that configured on the RADIUS server.

Specifying the VPN to which the servers belong

After you specify a VPN for a RADIUS scheme, all the authentication/authorization/accounting servers

specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server

for the scheme, the server belongs to the specific VPN.

To specify a VPN for a RADIUS scheme:

Step

Command

Enter system view.

system-view

Enter RADIUS scheme view.

radius scheme

radius-scheme-name

Specify a VPN for the RADIUS scheme.

vpn-instance

vpn-instance-name

Setting the username format and traffic statistics units

A username is usually in the format of

userid

isp-name

, where

isp-name

represents the name of the ISP

domain the user belongs to and is used by the switch to determine which users belong to which ISP

domains. However, some earlier RADIUS servers cannot recognize usernames that contain an ISP

domain name. In this case, the switch must remove the domain name of each username before sending

the username. You can set the username format on the switch for this purpose.

The switch periodically sends accounting updates to RADIUS accounting servers to report the traffic

statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and

that for packets on the switch are consistent with those on the RADIUS server.

Follow these guidelines when you set the username format and the traffic statistics units for a RADIUS

scheme:

•

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply

the RADIUS scheme to more than one ISP domain. Otherwise, users using the same username but

in different ISP domains are considered the same user.

HP 6125G HP 6125G &amp; 6125G/XG Blade Switches Security Configuration Gui - Page 33

Specifying the shared keys for secure RADIUS communication

Page 33 highlights

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 33