HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 7

v

Configuring CRL-checking-disabled PKI certificate verification ······································································ 165

Destroying a local RSA key pair ································································································································ 165

Deleting a certificate ···················································································································································· 166

Configuring an access control policy ························································································································ 166

Displaying and maintaining PKI ································································································································· 166

PKI configuration examples········································································································································· 167

Certificate request from an RSA Keon CA server ···························································································· 167

Certificate request from a Windows 2003 CA server ···················································································· 170

Certificate attribute access control policy configuration example ································································· 173

Troubleshooting PKI ····················································································································································· 175

Failed to retrieve a CA certificate······················································································································ 175

Failed to request a local certificate ··················································································································· 175

Failed to retrieve CRLs ········································································································································ 176

Configuring SSH2.0 ··············································································································································· 177

Overview······································································································································································· 177

SSH operation ····················································································································································· 177

SSH connection across VPNs ····························································································································· 179

Configuring the switch as an SSH server ·················································································································· 180

SSH server configuration task list ······················································································································ 180

Generating DSA or RSA key pairs ···················································································································· 180

Enabling the SSH server function······················································································································· 181

Configuring the user interfaces for SSH clients ································································································ 181

Configuring a client public key·························································································································· 182

Configuring an SSH user ···································································································································· 183

Setting the SSH management parameters ········································································································ 184

Setting the DSCP value for packets sent by the SSH server

············································································ 185

Configuring the switch as an SSH client ··················································································································· 185

SSH client configuration task list························································································································ 185

Specifying a source IP address/interface for the SSH client ·········································································· 185

Configuring whether first-time authentication is supported ············································································· 186

Establishing a connection between the SSH client and server ······································································· 187

Setting the DSCP value for packets sent by the SSH client ············································································· 187

Displaying and maintaining SSH ······························································································································· 188

SSH server configuration examples ··························································································································· 188

When the switch acts as a server for password authentication ····································································· 188

When the switch acts as a server for publickey authentication ····································································· 190

SSH client configuration examples····························································································································· 195

When switch acts as client for password authentication ················································································ 195

When switch acts as client for publickey authentication ················································································ 198

Configuring SFTP····················································································································································· 201

Overview······································································································································································· 201

Configuring the switch as an SFTP server ················································································································· 201

Enabling the SFTP server ···································································································································· 201

Configuring the SFTP connection idle timeout period ····················································································· 201

Configuring the switch as an SFTP client

··················································································································· 202

Specifying a source IP address or interface for the SFTP client······································································ 202

Establishing a connection to the SFTP server···································································································· 202

Working with SFTP directories ··························································································································· 203

Working with SFTP files ······································································································································ 204

Displaying help information ······························································································································· 204

Terminating the connection to the remote SFTP server ···················································································· 205

Setting the DSCP value for packets sent by the SFTP client ············································································ 205

SFTP client configuration example ····························································································································· 205

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 7

Setting the DSCP value for packets sent by the SSH server, Configuring the switch as an SFTP client, v

Page 7 highlights

Section	Page
Title Page	1
Security Configuration Guide	3
Configuring AAA	11
AAA overview	11
RADIUS	12
Client/server model	12
Security and authentication mechanisms	12
Basic RADIUS message exchange process	12
RADIUS packet format	13
Extended RADIUS attributes	16
HWTACACS	17
Differences between HWTACACS and RADIUS	17
Basic HWTACACS message exchange process	17
Domain-based user management	19
AAA for MPLS L3VPNs	20
Protocols and standards	20
RADIUS attributes	21
Commonly used standard RADIUS attributes	21
HP proprietary RADIUS sub-attributes	22
AAA configuration considerations and task list	24
Configuring AAA schemes	25
Configuring local users	25
Local user configuration task list	26
Configuring local user attributes	26
Configuring user group attributes	28
Displaying and maintaining local users and local user groups	29
Configuring RADIUS schemes	30
RADIUS scheme configuration task list	30
Creating a RADIUS scheme	30
Specifying the RADIUS authentication/authorization servers	31
Specifying the RADIUS accounting servers and the relevant parameters	31
Specifying the shared keys for secure RADIUS communication	33
Specifying the VPN to which the servers belong	33
Setting the username format and traffic statistics units	33
Setting the supported RADIUS server type	34
Setting the maximum number of RADIUS request transmission attempts	34
Setting the status of RADIUS servers	35
Specifying the source IP address for outgoing RADIUS packets	36
Setting timers for controlling communication with RADIUS servers	37
Configuring RADIUS accounting-on	38
Configuring the IP address of the security policy server	39
Configuring interpretation of RADIUS class attribute as CAR parameters	39
Enabling the trap function for RADIUS	40
Enabling the RADIUS listening port of the RADIUS client	40
Setting the DSCP value for RADIUS protocol packets	40
Displaying and maintaining RADIUS	41
Configuring HWTACACS schemes	41
HWTACACS configuration task list	41
Creating an HWTACACS scheme	42
Specifying the HWTACACS authentication servers	42
Specifying the HWTACACS authorization servers	43
Specifying the HWTACACS accounting servers and the relevant parameters	43
Specifying the shared keys for secure HWTACACS communication	44
Specifying the VPN to which the servers belong	45
Setting the username format and traffic statistics units	45
Specifying a source IP address for outgoing HWTACACS packets	46
Setting timers for controlling communication with HWTACACS servers	47
Displaying and maintaining HWTACACS	47
Configuring AAA methods for ISP domains	48
Configuration prerequisites	48
Creating an ISP domain	48
Configuring ISP domain attributes	49
Configuring AAA authentication methods for an ISP domain	50
Configuring AAA authorization methods for an ISP domain	52
Configuring AAA accounting methods for an ISP domain	53
Tearing down user connections	54
Configuring a NAS ID-VLAN binding	55
Displaying and maintaining AAA	55
AAA configuration examples	55
AAA for Telnet users by an HWTACACS server	55
Network requirements	55
Configuration procedure	56
AAA for Telnet users by separate servers	57
Network requirements	57
Configuration procedure	57
Authentication/authorization for SSH/Telnet users by a RADIUS server	58
Network requirements	58
Configuring the RADIUS server	58
Configuring the switch	60
Verifying the configuration	61
AAA for 802.1X users by a RADIUS server	61
Network requirements	61
Configuration prerequisites	62
Configuring the RADIUS server	62
Configuring the switch	66
Verifying the configuration	67
Level switching authentication for Telnet users by an HWTACACS server	68
Network requirements	68
Configuration considerations	68
Configuration procedure	68
RADIUS authentication and authorization for Telnet users by a switch	71
Network requirements	71
Configuration procedure	72
Troubleshooting AAA	73
Troubleshooting RADIUS	73
Symptom 1	73
Analysis	73
Solution	73
Symptom 2	73
Analysis	74
Solution	74
Symptom 3	74
Analysis	74
Solution	74
Troubleshooting HWTACACS	74
802.1X overview	75
802.1X architecture	75
Controlled/uncontrolled port and port authorization status	75
802.1X-related protocols	76
Packet formats	77
EAP packet format	77
EAPOL packet format	77
EAP over RADIUS	78
EAP-Message	78
Message-Authenticator	78
Initiating 802.1X authentication	78
802.1X client as the initiator	78
Access device as the initiator	79
802.1X authentication procedures	79
A comparison of EAP relay and EAP termination	80
EAP relay	80
EAP termination	83
Configuring 802.1X	84
HP implementation of 802.1X	84
Access control methods	84
Using 802.1X authentication with other features	84
VLAN assignment	84
Guest VLAN	85
Auth-Fail VLAN	86
Critical VLAN	87
ACL assignment	89
Configuration prerequisites	89
802.1X configuration task list	89
Enabling 802.1X	90
Configuration guidelines	90
Configuration procedure	90
Enabling EAP relay or EAP termination	90
Setting the port authorization state	91
Specifying an access control method	92
Setting the maximum number of concurrent 802.1X users on a port	92
Setting the maximum number of authentication request attempts	92
Setting the 802.1X authentication timeout timers	93
Configuring the online user handshake function	93
Configuration guidelines	94
Configuration procedure	94
Configuring the authentication trigger function	94
Configuration guidelines	94
Configuration procedure	95
Specifying a mandatory authentication domain on a port	95
Configuring the quiet timer	95
Enabling the periodic online user re-authentication function	96
Configuration guidelines	96
Configuration procedure	96
Configuring an 802.1X guest VLAN	97
Configuration guidelines	97
Configuration prerequisites	97
Configuration procedure	97
Configuring an 802.1X Auth-Fail VLAN	98
Configuration guidelines	98
Configuration prerequisites	98
Configuration procedure	98
Configuring an 802.1X critical VLAN	99
Configuration guidelines	99
Configuration prerequisites	99
Configuration procedure	99
Specifying supported domain name delimiters	100
Displaying and maintaining 802.1X	100
802.1X authentication configuration example	100
Network requirements	100
Configuration procedure	101
Verifying the configuration	103
802.1X with guest VLAN and VLAN assignment configuration example	103
Network requirements	103
Configuration procedure	104
Verifying the configuration	105
802.1X with ACL assignment configuration example	106
Network requirements	106
Configuration procedure	106
Verifying the configuration	107
Configuring EAD fast deployment	108
Overview	108
Free IP	108
URL redirection	108
Configuration prerequisites	108
Configuring a free IP	108
Configuring the redirect URL	109
Setting the EAD rule timer	109
Displaying and maintaining EAD fast deployment	109
EAD fast deployment configuration example	110
Network requirements	110
Configuration procedure	111
Verifying the configuration	111
Troubleshooting EAD fast deployment	112
Web browser users cannot be correctly redirected	112
Symptom	112
Analysis	112
Solution	112
Configuring MAC authentication	113
Overview	113
User account policies	113
Authentication approaches	113
MAC authentication timers	114
Using MAC authentication with other features	114
VLAN assignment	114
ACL assignment	114
Configuration task list	114
Basic configuration for MAC authentication	115
Configuring MAC authentication globally	115
Configuring MAC authentication on a port	115
Specifying a MAC authentication domain	116
Displaying and maintaining MAC authentication	116
MAC authentication configuration examples	117
Local MAC authentication configuration example	117
Network requirements	117
Configuration procedure	117
Verifying the configuration	118
RADIUS-based MAC authentication configuration example	118
Network requirements	118
Configuration procedure	119
Verifying the configuration	120
ACL assignment configuration example	120
Network requirements	120
Configuration procedure	121
Verifying the configuration	122
Configuring port security	123
Overview	123
Port security features	123
NTK	123
Intrusion protection	123
Port security traps	123
Port security modes	123
Controlling MAC address learning	125
Performing 802.1X authentication	125
Performing MAC authentication	125
Performing a combination of MAC authentication and 802.1X authentication	125
Working with guest VLAN and Auth-Fail VLAN	126
Configuration task list	126
Enabling port security	126
Setting port security's limit on the number of MAC addresses on a port	127
Setting the port security mode	127
Configuration prerequisites	128
Configuration procedure	128
Configuring port security features	128
Configuring NTK	128
Configuring intrusion protection	129
Enabling port security traps	129
Configuring secure MAC addresses	130
Configuration prerequisites	131
Configuration procedure	131
Ignoring authorization information	132
Displaying and maintaining port security	132
Port security configuration examples	133
Configuring the autoLearn mode	133
Network requirements	133
Configuration procedure	133
Verifying the configuration	133
Configuring the userLoginWithOUI mode	135
Network requirements	135
Configuration procedure	136
Verifying the configuration	136
Configuring the macAddressElseUserLoginSecure mode	139
Network requirements	139
Configuration procedure	139
Verifying the configuration	140
Troubleshooting port security	142
Cannot set the port security mode	142
Symptom	142
Analysis	142
Solution	142
Cannot configure secure MAC addresses	142
Symptom	142
Analysis	143
Solution	143
Cannot change port security mode when a user is online	143
Symptom	143
Analysis	143
Solution	143
Configuring a user profile	144
Overview	144
User profile configuration task list	144
Creating a user profile	144
Applying a QoS policy	145
Enabling a user profile	145
Displaying and maintaining user profiles	146
Configuring password control	147
Overview	147
Password control configuration task list	149
Configuring password control	150
Enabling password control	150
Setting global password control parameters	151
Setting user group password control parameters	152
Setting local user password control parameters	152
Setting super password control parameters	153
Setting a local user password in interactive mode	154
Displaying and maintaining password control	154
Password control configuration example	154
Network requirements	154
Configuration procedure	155
Verifying the configuration	156
Managing public keys	157
Overview	157
Configuration task list	157
Creating a local asymmetric key pair	158
Displaying or exporting the local host public key	158
Displaying and recording the host public key information	159
Displaying the host public key in a specific format and saving it to a file	159
Exporting the host public key in a specific format to a file	159
Destroying a local asymmetric key pair	160
Specifying the peer public key on the local device	160
Displaying and maintaining public keys	161
Public key configuration examples	161
Manually specifying the peer public key on the local device	161
Network requirements	161
Configuration procedure	161
Importing a peer public key from a public key file	163
Network requirements	163
Configuration procedure	163
Configuring PKI	166
Overview	166
PKI terms	166
PKI architecture	167
PKI operation	167
PKI applications	168
PKI configuration task list	168
Configuring an entity DN	169
Configuring a PKI domain	170
Configuration guidelines	171
Configuration procedure	171
Submitting a PKI certificate request	171
Submitting a certificate request in auto mode	172
Submitting a certificate request in manual mode	172
Configuration guidelines	172
Configuration procedure	173
Retrieving a certificate manually	173
Configuration guidelines	173
Configuration procedure	174
Configuring PKI certificate verification	174
Configuration guidelines	174
Configuring CRL-checking-enabled PKI certificate verification	174
Configuring CRL-checking-disabled PKI certificate verification	175
Destroying a local RSA key pair	175
Deleting a certificate	176
Configuring an access control policy	176
Displaying and maintaining PKI	176
PKI configuration examples	177
Certificate request from an RSA Keon CA server	177
Network requirements	177
Configuring the CA server	177
Configuring the switch	178
Verifying the configuration	179
Certificate request from a Windows 2003 CA server	180
Network requirements	180
Configuring the CA server	180
Configuring the switch	181
Verifying the configuration	182
Certificate attribute access control policy configuration example	183
Network requirements	183
Configuration procedure	184
Troubleshooting PKI	185
Failed to retrieve a CA certificate	185
Symptom	185
Analysis	185
Solution	185
Failed to request a local certificate	185
Symptom	185
Analysis	185
Solution	186
Failed to retrieve CRLs	186
Symptom	186
Analysis	186
Solution	186
Configuring SSH2.0	187
Overview	187
SSH operation	187
Version negotiation	187
Key and algorithm negotiation	188
Authentication	188
Session request	189
Interaction	189
SSH connection across VPNs	189
Configuring the switch as an SSH server	190
SSH server configuration task list	190
Generating DSA or RSA key pairs	190
Configuration guidelines	190
Configuration procedure	191
Enabling the SSH server function	191
Configuring the user interfaces for SSH clients	191
Configuration guidelines	191
Configuration procedure	191
Configuring a client public key	192
Configuring a client public key manually	192
Importing a client public key from a public key file	193
Configuring an SSH user	193
Configuration guidelines	193
Configuration procedure	194
Setting the SSH management parameters	194
Setting the DSCP value for packets sent by the SSH server	195
Configuring the switch as an SSH client	195
SSH client configuration task list	195
Specifying a source IP address/interface for the SSH client	195
Configuring whether first-time authentication is supported	196
Enabling the switch to support first-time authentication	196
Disabling first-time authentication	196
Establishing a connection between the SSH client and server	197
Setting the DSCP value for packets sent by the SSH client	197
Displaying and maintaining SSH	198
SSH server configuration examples	198
When the switch acts as a server for password authentication	198
Network requirements	198
Configuration procedure	198
When the switch acts as a server for publickey authentication	200
Network requirements	200
Configuration procedure	201
SSH client configuration examples	205
When switch acts as client for password authentication	205
Network requirements	205
Configuration procedure	205
When switch acts as client for publickey authentication	208
Network requirements	208
Configuration procedure	208
Configuring SFTP	211
Overview	211
Configuring the switch as an SFTP server	211
Enabling the SFTP server	211
Configuring the SFTP connection idle timeout period	211
Configuring the switch as an SFTP client	212
Specifying a source IP address or interface for the SFTP client	212
Establishing a connection to the SFTP server	212
Working with SFTP directories	213
Working with SFTP files	214
Displaying help information	214
Terminating the connection to the remote SFTP server	215
Setting the DSCP value for packets sent by the SFTP client	215
SFTP client configuration example	215
Network requirements	215
Configuration procedure	216
SFTP server configuration example	219
Network requirements	219
Configuration procedure	219
Configuring SCP	222
Overview	222
Configuring the switch as an SCP server	222
Configuring the switch as the SCP client	223
SCP client configuration example	223
Network requirements	223
Configuration procedure	224
SCP server configuration example	224
Network requirements	224
Configuration procedure	224
Configuring SSL	226
Overview	226
SSL security mechanism	226
SSL protocol stack	226
Configuration task list	227
Configuring an SSL server policy	227
SSL server policy configuration example	229
Network requirements	229
Configuration considerations	229
Configuration procedure	229
Configuring an SSL client policy	230
Displaying and maintaining SSL	231
Troubleshooting SSL	231
Symptom	231
Analysis	232
Solution	232
Configuring TCP attack protection	233
Overview	233
Enabling the SYN Cookie feature	233
Displaying and maintaining TCP attack protection	233
Configuring IP source guard	235
Overview	235
Static IP source guard entries	235
Dynamic IP source guard entries	235
Configuration task list	236
Configuring the IPv4 source guard function	236
Configuring IPv4 source guard on a port	236
Configuring a static IPv4 source guard entry	237
Setting the maximum number of IPv4 source guard entries	238
Displaying and maintaining IP source guard	238
IP source guard configuration examples	238
Static IPv4 source guard configuration example	238
Network requirements	238
Configuration procedure	239
Verifying the configuration	240
Dynamic IPv4 source guard using DHCP snooping configuration example	240
Network requirements	240
Configuration procedure	241
Verifying the configuration	241
Dynamic IPv4 source guard using DHCP relay configuration example	242
Network requirements	242
Configuration procedure	242
Verifying the configuration	242
Troubleshooting IP source guard	243
Symptom	243
Analysis	243
Solution	243
Configuring ARP attack protection	244
Overview	244
ARP attack protection configuration task list	244
Configuring ARP defense against IP packet attacks	245
Configuring ARP source suppression	245
Enabling ARP black hole routing	245
Displaying and maintaining ARP defense against IP packet attacks	246
Configuration example	246
Network requirements	246
Configuration considerations	247
Configuration procedure	247
Configuring ARP packet rate limit	247
Introduction	247
Configuration procedure	247
Configuring source MAC address based ARP attack detection	248
Configuration procedure	248
Displaying and maintaining source MAC address based ARP attack detection	248
Configuration example	249
Network requirements	249
Configuration considerations	249
Configuration procedure	249
Configuring ARP packet source MAC address consistency check	250
Introduction	250
Configuration procedure	250
Configuring ARP active acknowledgement	250
Introduction	250
Configuration procedure	250
Configuring ARP detection	251
Introduction	251
Configuring user validity check	251
Configuration guideliens	251
Configuration procedure	252
Configuring ARP packet validity check	252
Configuring ARP restricted forwarding	253
Displaying and maintaining ARP detection	253
User validity check configuration example	254
Network requirements	254
Configuration procedure	254
User validity check and ARP packet validity check configuration example	255
Network requirements	255
Configuration procedure	255
ARP restricted forwarding configuration example	256
Network requirements	256
Configuration procedure	257
Configuring ARP automatic scanning and fixed ARP	258
Configuration guidelines	258
Configuration procedure	259
Configuring ARP gateway protection	259
Configuration guidelines	259
Configuration procedure	259
Configuration example	260
Network requirements	260
Configuration procedure	260
Configuring ARP filtering	260
Configuration guidelines	261
Configuration procedure	261
Configuration example	261
Network requirements	261
Configuration procedure	261
Configuring ND attack defense	263
Overview	263
Enabling source MAC consistency check for ND packets	264
Configuring URPF	265
Overview	265
How URPF works	265
Configuring URPF	267
URPF configuration example	267
Network requirements	267
Configuration procedure	268
Configuring MFF	269
Overview	269
Basic concepts	270
User port	270
Network port	270
Operation modes	270
Manual mode	270
Automatic mode	271
Working mechanism	271
Protocols and standards	271
Configuring MFF	271
Configuration prerequisites	271
Enabling MFF	272
Configuring a network port	272
Enabling periodic gateway probe	272
Specifying the IP addresses of servers	272
Displaying and maintaining MFF	273
MFF configuration examples	273
Auto-mode MFF configuration example in a tree network	273
Network requirements	273
Configuration procedure	274
Auto-mode MFF configuration example in a ring network	275
Network requirements	275
Configuration procedure	275
Manual-mode MFF configuration example in a tree network	277
Network requirements	277
Configuration procedure	277
Manual-mode MFF configuration example in a ring network	278
Network requirements	278
Configuration procedure	278
Support and other resources	280
Contacting HP	280
Subscription service	280
Related information	280
Documents	280
Websites	280
Conventions	281
Command conventions	281
GUI conventions	281
Symbols	281
Network topology icons	282
Port numbering in examples	282

HP 6125G HP 6125G &amp; 6125G/XG Blade Switches Security Configuration Gui - Page 7

Setting the DSCP value for packets sent by the SSH server, Configuring the switch as an SFTP client, v

Page 7 highlights

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 7